To address the low efficiency of adversarial example generation in robustness evaluation of computer vision models, this paper proposes a multi-stage gradient optimization framework. Methodologically, it introduces (1) a directional probability difference ratio (DPDR) loss function that explicitly maximizes the margin between the upper bound of non-target class probabilities and the true-class probability; (2) a hierarchical “cyclic–stage–step” optimization architecture that progressively suppresses irrelevant class responses to incrementally strengthen attack potency; and (3) joint optimization of the negative true-class probability and DPDR loss to balance attack success rate and computational efficiency. Extensive experiments on ImageNet and other benchmarks demonstrate that the method surpasses state-of-the-art approaches in attack success rate, query efficiency, and cross-model transferability. Moreover, it significantly enhances the defensive performance of adversarial training.

Efficient adversarial attack methods are critical for assessing the robustness of computer vision models. In this paper, we reconstruct the optimization objective for generating adversarial examples as "maximizing the difference between the non-true labels' probability upper bound and the true label's probability," and propose a gradient-based attack method termed Sequential Difference Maximization (SDM). SDM establishes a three-layer optimization framework of "cycle-stage-step." The processes between cycles and between iterative steps are respectively identical, while optimization stages differ in terms of loss functions: in the initial stage, the negative probability of the true label is used as the loss function to compress the solution space; in subsequent stages, we introduce the Directional Probability Difference Ratio (DPDR) loss function to gradually increase the non-true labels' probability upper bound by compressing the irrelevant labels' probabilities. Experiments demonstrate that compared with previous SOTA methods, SDM not only exhibits stronger attack performance but also achieves higher attack cost-effectiveness. Additionally, SDM can be combined with adversarial training methods to enhance their defensive effects. The code is available at https://github.com/X-L-Liu/SDM.