In black-box settings, GAN-based adversarial example generation suffers from limitations inherent to single-step perturbation—namely, weak attack strength and poor transferability. To address this, we propose Progressive Autoregressive AdvGAN (PA-AdvGAN), a novel framework that integrates a first-of-its-kind progressive autoregressive mechanism into the AdvGAN generator. This mechanism enables iterative, multi-round perturbation refinement, thereby overcoming the fundamental bottleneck of single-step generation and facilitating end-to-end, efficient adversarial synthesis. Theoretically grounded and empirically validated, PA-AdvGAN significantly improves both attack success rates and cross-model transferability. On Inception-v3, it achieves a generation throughput of 335.5 frames per second. Extensive evaluations on multiple black-box benchmarks demonstrate consistent superiority over state-of-the-art methods.

Deep neural networks have demonstrated remarkable performance across various domains. However, they are vulnerable to adversarial examples, which can lead to erroneous predictions. Generative Adversarial Networks (GANs) can leverage the generators and discriminators model to quickly produce high-quality adversarial examples. Since both modules train in a competitive and simultaneous manner, GAN-based algorithms like AdvGAN can generate adversarial examples with better transferability compared to traditional methods. However, the generation of perturbations is usually limited to a single iteration, preventing these examples from fully exploiting the potential of the methods. To tackle this issue, we introduce a novel approach named Progressive Auto-Regression AdvGAN (PAR-AdvGAN). It incorporates an auto-regressive iteration mechanism within a progressive generation network to craft adversarial examples with enhanced attack capability. We thoroughly evaluate our PAR-AdvGAN method with a large-scale experiment, demonstrating its superior performance over various state-of-the-art black-box adversarial attacks, as well as the original AdvGAN.Moreover, PAR-AdvGAN significantly accelerates the adversarial example generation, i.e., achieving the speeds of up to 335.5 frames per second on Inception-v3 model, outperforming the gradient-based transferable attack algorithms. Our code is available at: https://anonymous.4open.science/r/PAR-01BF/