Dynamics-aware Adversarial Attack of Adaptive Neural Networks

TL;DR

This paper introduces a novel gradient-based attack method tailored for adaptive neural networks that change architecture dynamically, significantly improving attack effectiveness over traditional methods.

Contribution

We propose the Leaded Gradient Method (LGM), a new approach that accounts for network architecture changes during adversarial attacks, addressing the lagged gradient issue.

Findings

LGM outperforms existing attack methods on adaptive neural networks.

Effective on both 2D image and 3D point cloud models.

Demonstrates robustness against dynamic architecture changes.

Abstract

In this paper, we investigate the dynamics-aware adversarial attack problem of adaptive neural networks. Most existing adversarial attack algorithms are designed under a basic assumption -- the network architecture is fixed throughout the attack process. However, this assumption does not hold for many recently proposed adaptive neural networks, which adaptively deactivate unnecessary execution units based on inputs to improve computational efficiency. It results in a serious issue of lagged gradient, making the learned attack at the current step ineffective due to the architecture change afterward. To address this issue, we propose a Leaded Gradient Method (LGM) and show the significant effects of the lagged gradient. More specifically, we reformulate the gradients to be aware of the potential dynamic changes of network architectures, so that the learned attack better "leads" the next step than the dynamics-unaware methods when network architecture changes dynamically. Extensive experiments on representative types of adaptive neural networks for both 2D images and 3D point clouds show that our LGM achieves impressive adversarial attack performance compared with the dynamic-unaware attack methods. Code is available at https://github.com/antao97/LGM.