Deep neural networks are vulnerable to adversarial examples, i.e., carefully perturbed inputs designed to mislead the network at inference time. Recently, adversarial patch, with perturbations confined to a small and localized patch, emerged for its easy accessibility in real-world attack. However, existing attack strategies require training data on which the deep neural networks were trained, which makes them unsuitable for practical attacks since it is unreasonable for an attacker to obtain the training data. In this paper, we propose a data independent approach to generate adversarial patches (DiAP). The goal is to craft adversarial patches that can fool the target model on most of the images without any knowledge about the training data distribution. In the absence of data, we carry out non-targeted attacks by fooling the features learned at multiple layers of the deep neural network, and then employ the potential information of non-targeted adversarial patches to craft targeted adversarial patches. Extensive experiments demonstrate impressive attack success rates for DiAP. Particularly in the blackbox setting, DiAP outperforms state-of-the-art adversarial patch attack methods. The patches generated by DiAP also function well in real physical scenarios, and could be created offline and then broadly shared.

深度神经网络容易受到对抗性示例的攻击，例如，精心设计的扰动输入旨在在推理时误导网络。最近，由于其易于在现实世界中进行攻击的能力而出现了对抗性补丁，其摄动仅限于一个小的局部补丁。但是，现有的攻击策略需要在其上训练了深度神经网络的训练数据，这使它们不适合实际攻击，因为攻击者获取训练数据是不合理的。在本文中，我们提出了一种与数据无关的方法来生成对抗性补丁（DiAP）。目的是制作对抗性补丁，以欺骗大多数图像上的目标模型，而无需任何有关训练数据分布的知识。在没有数据的情况下，我们通过欺骗在深度神经网络的多层学习的特征来进行非目标攻击，然后利用非目标对抗补丁的潜在信息来制作目标对抗补丁。大量实验表明，DiAP的攻击成功率令人印象深刻。尤其是在黑盒设置中，DiAP的性能优于最新的对抗补丁攻击方法。DiAP生成的补丁程序在实际物理场景中也能很好地运行，并且可以脱机创建然后广泛共享。DiAP的性能优于最新的对抗补丁攻击方法。DiAP生成的补丁程序在实际物理场景中也能很好地运行，并且可以脱机创建然后广泛共享。DiAP的性能优于最新的对抗补丁攻击方法。DiAP生成的补丁程序在实际物理场景中也能很好地运行，并且可以脱机创建然后广泛共享。