Deep neural networks are highly vulnerable to adversarial examples that inputs with small, carefully crafted perturbations that cause misclassification, making adversarial attacks an essential tool for robustness evaluation. Existing black-box attacks fall into three categories: query-only, transfer-only, and query-and-transfer, and vary in perturbation pattern and optimization strategy. However, no prior method jointly achieves query-and-transfer guidance, pixel-wise sparsity, and training-free direct optimization, leaving a gap between black-box flexibility and white-box precision. We present GreedyPixel, a new attack framework that fills this gap by combining a surrogate-derived pixel priority map with greedy, per-pixel optimization refined by query feedback. This design reduces the exponential brute-force search space to a tractable linear procedure, guarantees monotonic loss decrease and convergence to a coordinate-wise optimum, and concentrates perturbations on robust, semantically meaningful pixels to improve perceptual quality. Extensive experiments on CIFAR-10 and ImageNet under both white-box and black-box settings demonstrate that GreedyPixel achieves state-of-the-art attack success rates and produces visually imperceptible perturbations. Our results show that GreedyPixel bridges the precision gap between white-box and black-box attacks and provides a practical framework for fine-grained robustness evaluation. The implementation is available at https://github.com/azrealwang/greedypixel.

翻译：深度神经网络极易受到对抗样本的攻击，这些输入经过微小、精心设计的扰动即可导致误分类，使得对抗攻击成为鲁棒性评估的重要工具。现有黑盒攻击可分为三类：仅查询型、仅迁移型和查询-迁移结合型，其扰动模式和优化策略各异。然而，尚无方法能同时实现查询与迁移引导、像素级稀疏性以及免训练的直接优化，导致黑盒攻击的灵活性与白盒攻击的精确性之间存在差距。我们提出GreedyPixel这一新型攻击框架，通过结合代理模型生成的像素优先级映射与基于查询反馈的贪婪逐像素优化，填补了这一空白。该设计将指数级暴力搜索空间简化为可处理的线性过程，保证损失单调下降并收敛至坐标最优解，同时将扰动集中于鲁棒且语义显著的像素以提升感知质量。在CIFAR-10和ImageNet数据集上进行的白盒与黑盒场景广泛实验表明，GreedyPixel实现了最先进的攻击成功率，并生成视觉不可察的扰动。我们的研究证明GreedyPixel弥合了白盒与黑盒攻击的精度差距，为细粒度鲁棒性评估提供了实用框架。实现代码公开于https://github.com/azrealwang/greedypixel。