To address the poor transferability of adversarial examples in black-box attacks—leading to low attack success rates—this paper proposes a transferability-enhancing method based on Neighborhood Gradient Information (NGI). We first reveal NGI’s critical role in improving cross-model transferability. Second, we design an example backtracking strategy coupled with multiple masking to concentrate iterative perturbations on non-discriminative regions and enrich effective gradient signals within few optimization steps. Third, we integrate neighborhood gradient estimation with momentum-based initialization to construct a lightweight, plug-and-play attack framework. Evaluated against multiple state-of-the-art defended models, our method achieves an average attack success rate of 95.2%, significantly outperforming existing approaches while introducing no additional computational overhead.

Deep neural networks (DNNs) are known to be susceptible to adversarial examples, leading to significant performance degradation. In black-box attack scenarios, a considerable attack performance gap between the surrogate model and the target model persists. This work focuses on enhancing the transferability of adversarial examples to narrow this performance gap. We observe that the gradient information around the clean image, i.e., Neighbourhood Gradient Information (NGI), can offer high transferability.Based on this insight, we introduce NGI-Attack, incorporating Example Backtracking and Multiplex Mask strategies to exploit this gradient information and enhance transferability. Specifically, we first adopt Example Backtracking to accumulate Neighbourhood Gradient Information as the initial momentum term. Then, we utilize Multiplex Mask to form a multi-way attack strategy that forces the network to focus on non-discriminative regions, which can obtain richer gradient information during only a few iterations. Extensive experiments demonstrate that our approach significantly enhances adversarial transferability. Especially, when attacking numerous defense models, we achieve an average attack success rate of 95.2%. Notably, our method can seamlessly integrate with any off-the-shelf algorithm, enhancing their attack performance without incurring extra time costs.