A Two-Stage Data-Free Adversarial Patch Generation Framework

General adversarial patch generation (APG) methods rely on training datasets of target models and are not applicable to data-free scenarios. This article presents a two-stage APG framework that exploits a determined proxy dataset in place of an unknown training dataset. The proxy dataset selection stage calculates the proposed average patch saliency (APS) of each available dataset to select a high-APS proxy dataset that can guarantee patches' fooling abilities. Then, the patch generation stage applies the proposed data-free Expectation over Transformation (DF-EoT) as the APG method in case only low-APS datasets are available. Evaluation results show that the determined high-APS proxy datasets enable EoT (benchmark APG method) to generate patches of comparable fooling abilities to patches utilising training datasets, and DF-EoT can further improve the fooling abilities for both low-APS and high-APS proxy datasets. Specifically, DF-EoT enhances average targeted fooling rates (ATFR) of patches utilising a low-APS dataset from 42.71% of EoT to 78.34% on target model VGG-19 and increases ATFR from 62.57% to 84.33% with a high-APS dataset on Inception-v1.