SDM: A Powerful Tool for Evaluating Model Robustness

📅 2026-05-19
📈 Citations: 0
Influential: 0
🤖 AI Summary
This work addresses the limitation of existing gradient-based adversarial attacks, which often generate high-loss non-adversarial samples due to poorly designed objective functions. To overcome this issue, the authors propose Sequential Difference Maximization (SDM), a novel approach that reformulates the attack objective as maximizing the gap between an upper bound on the probabilities of non-target classes and the probability of the true class. SDM introduces a three-level optimization framework—comprising cycles, phases, and steps—that progressively combines Negative Probability Loss and Directional Probability Difference Ratio (DPDR) loss to iteratively approximate optimal adversarial perturbations. Experimental results demonstrate that SDM significantly outperforms state-of-the-art methods in both attack success rate and cost efficiency.
📝 Abstract
Gradient-based attacks are important methods for evaluating model robustness. However, since the proposal of APGD, it has been difficult for such methods to achieve significant breakthroughs. To achieve such an effect, we first analyze the issue of "high-loss non-adversarial examples" that degrades attack performance in previous methods, and prove that this issue arises from inappropriate objectives for adversarial example generation. Subsequently, we reconstruct the objective as "maximizing the difference between the non-ground-truth label probability upper bound and the ground-truth label probability", and propose a novel and powerful gradient-based attack method named Sequential Difference Maximization (SDM). SDM establishes a three-layer optimization framework of "cycle-stage-step". It adopts the negative probability loss function and the Directional Probability Difference Ratio (DPDR) loss function in the initial and subsequent optimization stages, respectively, and approaches the ideal objective of adversarial example generation via stage-wise sequential optimization. Experiments demonstrate that compared with previous state-of-the-art methods, SDM not only achieves stronger attack performance but also exhibits superior cost-effectiveness. The code is available at https://github.com/X-L-Liu/ICML-SDM.
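The "high-loss non-adversarial example" issue named in the abstract can be seen when auditing a robustness evaluation. The following is an added example, not code from the paper or its repository: it assumes cross-entropy as the conventional attack loss, uses constructed 10-class logits, and uses the plain difference between the largest non-ground-truth probability and the ground-truth probability as a simplified reading of the reconstructed objective (it is not the DPDR loss).

```python
import math

def softmax(logits):
    m = max(logits)
    exps = [math.exp(z - m) for z in logits]
    total = sum(exps)
    return [e / total for e in exps]

def cross_entropy(probs, y):
    return -math.log(probs[y])

def prob_margin(probs, y):
    # Largest non-ground-truth probability minus ground-truth probability.
    return max(p for i, p in enumerate(probs) if i != y) - probs[y]

def is_adversarial(probs, y):
    # The perturbed input counts as adversarial only if the prediction changed.
    return max(range(len(probs)), key=probs.__getitem__) != y

def audit(samples):
    """Score each (logits, label) pair and flag high-loss non-adversarial
    samples: not misclassified, yet with a higher cross-entropy than at
    least one sample that is misclassified."""
    rows = []
    for logits, y in samples:
        p = softmax(logits)
        rows.append({"ce": cross_entropy(p, y),
                     "margin": prob_margin(p, y),
                     "adv": is_adversarial(p, y)})
    adv_losses = [r["ce"] for r in rows if r["adv"]]
    floor = min(adv_losses) if adv_losses else math.inf
    flagged = [i for i, r in enumerate(rows) if not r["adv"] and r["ce"] > floor]
    return rows, flagged

# Constructed logits for perturbed inputs, ground-truth class 0 in every case.
SAMPLES = [
    ([0.1] + [0.0] * 9, 0),       # probability spread flat: high loss, label unchanged
    ([2.0, 2.5] + [-5.0] * 8, 0), # class 1 overtakes class 0: lower loss, label flipped
    ([5.0] + [0.0] * 9, 0),       # confident and correct
]

if __name__ == "__main__":
    rows, flagged = audit(SAMPLES)
    for i, r in enumerate(rows):
        print(i, f"ce={r['ce']:.3f} margin={r['margin']:+.3f} adv={r['adv']}")
    print("high-loss non-adversarial:", flagged)
```

Sample 0 has the highest cross-entropy of the three yet is still classified correctly, while the sign of the margin agrees with misclassification on every sample.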
Problem

Research questions and friction points this paper is trying to address.

model robustness
gradient-based attacks
adversarial examples
high-loss non-adversarial examples
attack performance
Innovation

Methods, ideas, or system contributions that make the work stand out.

Sequential Difference Maximization
adversarial attack
model robustness
gradient-based optimization
probability difference
Xinlei Liu
Information Engineering University, Zhengzhou, China; Key Laboratory of Cyberspace Endogenous Safety & Security of Henan Province, Zhengzhou, China; Key Laboratory of Cyberspace Security Ministry of Education of China, Zhengzhou, China
Tao Hu
University of Science and Technology of China
Jichao Xie
Information Engineering University, Zhengzhou, China
Peng Yi
Songshan Laboratory, Zhengzhou, China
Hailong Ma
Information Engineering University, Zhengzhou, China; Key Laboratory of Cyberspace Endogenous Safety & Security of Henan Province, Zhengzhou, China; Key Laboratory of Cyberspace Security Ministry of Education of China, Zhengzhou, China
Baolin Li
Northeastern University
HPC, Cloud Computing, Systems for ML