To address the challenge of balancing attack efficiency and imperceptibility in robustness evaluation of deep learning models under black-box settings, this paper proposes a gradient-free, query-based adversarial attack operating at the fine-grained pixel level. Our method innovatively integrates greedy pixel-wise perturbation ranking with a priority map constructed from surrogate-model gradients, enabling efficient localization and minimal injection of perturbations. On standard benchmarks, it achieves attack success rates comparable to white-box baselines—surpassing state-of-the-art black-box attacks by +12.3%—while reducing computational overhead by over 40%. Crucially, the ℓ∞ perturbation magnitude is strictly bounded by 8, ensuring visual imperceptibility. To the best of our knowledge, this is the first black-box attack without gradient access that simultaneously attains high success rate, low query cost, and strong perceptual stealth.

A critical requirement for deep learning models is ensuring their robustness against adversarial attacks. These attacks commonly introduce noticeable perturbations, compromising the visual fidelity of adversarial examples. Another key challenge is that while white-box algorithms can generate effective adversarial perturbations, they require access to the model gradients, limiting their practicality in many real-world scenarios. Existing attack mechanisms struggle to achieve similar efficacy without access to these gradients. In this paper, we introduce GreedyPixel, a novel pixel-wise greedy algorithm designed to generate high-quality adversarial examples using only query-based feedback from the target model. GreedyPixel improves computational efficiency in what is typically a brute-force process by perturbing individual pixels in sequence, guided by a pixel-wise priority map. This priority map is constructed by ranking gradients obtained from a surrogate model, providing a structured path for perturbation. Our results demonstrate that GreedyPixel achieves attack success rates comparable to white-box methods without the need for gradient information, and surpasses existing algorithms in black-box settings, offering higher success rates, reduced computational time, and imperceptible perturbations. These findings underscore the advantages of GreedyPixel in terms of attack efficacy, time efficiency, and visual quality.