Addressing the challenge of adversarial attacks against object detectors in black-box, gradient-free, and physically deployable settings, this paper proposes the first fully black-box, gradient-agnostic, naturalistic physical patch attack method grounded in a pre-trained GAN’s image manifold. Our approach optimizes the patch representation within the GAN’s latent space via black-box query-driven search, jointly modeling digital robustness and physical-domain distortions—including lighting variations, viewpoint changes, and print degradation—to achieve model-agnostic attack generation. Evaluated on mainstream detectors (e.g., YOLOv5, Faster R-CNN), the digital attack reduces mAP by over 60%; physical experiments using printed patches also significantly degrade detection performance. Compared to four state-of-the-art black-box attack methods, ours achieves superior attack success rate, cross-model transferability, and physical feasibility—demonstrating both theoretical rigor and practical deployability.

Adversarial attacks on deep-learning models have been receiving increased attention in recent years. Work in this area has mostly focused on gradient-based techniques, so-called"white-box"attacks, wherein the attacker has access to the targeted model's internal parameters; such an assumption is usually unrealistic in the real world. Some attacks additionally use the entire pixel space to fool a given model, which is neither practical nor physical (i.e., real-world). On the contrary, we propose herein a direct, black-box, gradient-free method that uses the learned image manifold of a pretrained generative adversarial network (GAN) to generate naturalistic physical adversarial patches for object detectors. To our knowledge this is the first and only method that performs black-box physical attacks directly on object-detection models, which results with a model-agnostic attack. We show that our proposed method works both digitally and physically. We compared our approach against four different black-box attacks with different configurations. Our approach outperformed all other approaches that were tested in our experiments by a large margin.