Imperceptible adversarial attacks have recently attracted increasing research interest. Existing methods typically incorporate external modules or loss terms other than a simple $l_p$-norm into the attack process to achieve imperceptibility, while we argue that such additional designs may not be necessary. In this paper, we rethink the essence of imperceptible attacks and propose two simple yet effective strategies to unleash the potential of PGD, the common and classical attack, for imperceptibility from an optimization perspective. Specifically, the Dynamic Step Size is introduced to find the optimal solution with minimal attack cost towards the decision boundary of the attacked model, and the Adaptive Early Stop strategy is adopted to reduce the redundant strength of adversarial perturbations to the minimum level. The proposed PGD-Imperceptible (PGD-Imp) attack achieves state-of-the-art results in imperceptible adversarial attacks for both untargeted and targeted scenarios. When performing untargeted attacks against ResNet-50, PGD-Imp attains 100$\%$ (+0.3$\%$) attack success rate (ASR), 0.89 (-1.76) $l_2$ distance, and 52.93 (+9.2) PSNR with 57s (-371s) running time, significantly outperforming existing methods.