Recent advances in adversarial robustness rely on an abundant set of training data, and using external or additional datasets has become a common setting. However, in real life, the training data is often kept private for security and privacy reasons, while only the pretrained weights are released to the public. In such scenarios, existing methods that assume access to the original data become inapplicable. Thus, we investigate the pivotal problem of data-free adversarial robustness, where we try to achieve adversarial robustness without accessing any real data. Through a preliminary study, we highlight the severity of the problem by showing that robustness without the original dataset is difficult to achieve, even with similar-domain datasets. To address this issue, we propose DataFreeShield, which tackles the problem from two perspectives: surrogate dataset generation and adversarial training using the generated data. Through extensive validation, we show that DataFreeShield outperforms baselines, demonstrating that the proposed method provides the first entirely data-free solution to the adversarial robustness problem.