Fine-Grained Iterative Adversarial Attacks with Limited Computation Budget
Zhichao Hou, Weizhi Gao, Xiaorui Liu
TL;DR
This paper introduces a fine-grained control mechanism for iterative adversarial attacks that maximizes attack strength within limited computational budgets, outperforming baselines and enabling effective adversarial training with reduced costs.
Contribution
It proposes a novel layer-wise and iteration-wise recomputation method to enhance attack efficacy under compute constraints, a significant advancement in resource-efficient adversarial attack strategies.
Findings
Outperforms existing baselines at equal computational cost.
Enables adversarial training with only 30% of the original budget.
Achieves comparable attack effectiveness with reduced computation.
Abstract
This work tackles a critical challenge in AI safety research under limited compute: given a fixed computation budget, how can one maximize the strength of iterative adversarial attacks? Coarsely reducing the number of attack iterations lowers cost but substantially weakens effectiveness. To fulfill the attainable attack efficacy within a constrained budget, we propose a fine-grained control mechanism that selectively recomputes layer activations across both iteration-wise and layer-wise levels. Extensive experiments show that our method consistently outperforms existing baselines at equal cost. Moreover, when integrated into adversarial training, it attains comparable performance with only 30% of the original budget.
Peer Reviews
Decision·ICLR 2026 Poster
1 The claim addresses a practically important problem: iterative adversarial attacks (and adversarial training) are expensive, especially for larger models/datasets. 2 The redundancy study is a good supporting piece: showing that intermediate activations across iterations become similar, giving plausibility to “skip some computations” idea.
1 Computation Budget Definition Ambiguity. The proposed method claims reduced computational cost by selectively skipping layer computations based on activation similarity. However, to determine whether to skip a layer, one must first assess the change in activations, which itself appears to require computing the activation. The paper does not clarify how this comparison is implemented without incurring similar cost to a standard forward pass. Consequently, the reported budget may underestimate t
- The paper is well-written and easy to read. - The contribution is novel and interesting.
**Missing important baselines induces vague lack of contemporaneity:** The paper compares against standard iterative attacks (PGD, MI-FGSM, I-FGSM) but omits stronger, widely-used robust evaluation suites such as AutoAttack (AA) [ext_ref_1]. Without AA (or similar), it’s hard to evaluate the actual impact of Spiking-PGD. AutoAttack is now a de-facto standard for robust evaluation, and since it only allows modifying iterations, skipping it weakens the claim that Spiking-PGD genuinely expands the
1.The work demonstrates strong originality and innovation. 2.The method is elegantly designed. 3.The paper is well-structured and clearly written.
1.The paper lacks a released code repository, which limits reproducibility. 2.My main concern is that since the proposed method reuses and stores previous activations, it is likely to increase memory consumption. As GPU memory is often a more critical bottleneck than time, corresponding experiments or analyses on memory overhead should be included. 3.The vision experiments are limited to ResNet-18; it is recommended to include and discuss more diverse architectures, especially Transformer-based
Videos
No videos yet. Explain this paper in a talk, walkthrough, or lecture? Add one.
Taxonomy
TopicsAdversarial Robustness in Machine Learning · Smart Grid Security and Resilience · Security and Verification in Computing