Existing projection-based white-box adversarial attacks (e.g., PGD) suffer from high computational overhead and slow convergence when evaluating neural network robustness under ℓₚ-norm constraints. Method: This paper proposes an efficient white-box adversarial attack based on an improved Frank–Wolfe (FW) algorithm, the first systematic exploration of FW for ℓₚ-constrained adversarial example generation. It eliminates explicit projection by introducing a gradient-driven feasible direction update strategy, leveraging full gradient access in a white-box setting. The method is validated across logistic regression, CNNs, and Vision Transformers. Results: Experiments on MNIST and CIFAR-10 demonstrate superior attack success rates and faster convergence (fewer iterations) than PGD under identical perturbation budgets. Moreover, the generated adversarial examples exhibit significantly stronger cross-model transferability. This work establishes a projection-free, computationally efficient paradigm for adversarial robustness evaluation.

The construction of adversarial attacks for neural networks appears to be a crucial challenge for their deployment in various services. To estimate the adversarial robustness of a neural network, a fast and efficient approach is needed to construct adversarial attacks. Since the formalization of adversarial attack construction involves solving a specific optimization problem, we consider the problem of constructing an efficient and effective adversarial attack from a numerical optimization perspective. Specifically, we suggest utilizing advanced projection-free methods, known as modified Frank-Wolfe methods, to construct white-box adversarial attacks on the given input data. We perform a theoretical and numerical evaluation of these methods and compare them with standard approaches based on projection operations or geometrical intuition. Numerical experiments are performed on the MNIST and CIFAR-10 datasets, utilizing a multiclass logistic regression model, the convolutional neural networks (CNNs), and the Vision Transformer (ViT).