Fluently Lying: Adversarial Robustness Can Be Substrate-Dependent

TL;DR

This paper reveals that adversarial robustness in object detectors can depend on the underlying neural substrate, with some models showing detection count preservation despite severe accuracy drops under attack.

Contribution

It provides the first evidence that adversarial failure modes are substrate-dependent, challenging assumptions in current defense strategies.

Findings

EMS-YOLO retains over 70% detections despite mAP dropping from 0.528 to 0.042

QC appears only in one of four tested SNN architectures

Standard defenses fail to detect or mitigate Quality Corruption in EMS-YOLO

Abstract

The primary tools used to monitor and defend object detectors under adversarial attack assume that when accuracy degrades, detection count drops in tandem. This coupling was assumed, not measured. We report a counterexample observed on a single model: under standard PGD, EMS-YOLO, a spiking neural network (SNN) object detector, retains more than 70% of its detections while mAP collapses from 0.528 to 0.042. We term this count-preserving accuracy collapse Quality Corruption (QC), to distinguish it from the suppression that dominates untargeted evaluation. Across four SNN architectures and two threat models (l-infinity and l-2), QC appears only in one of the four detectors tested (EMS-YOLO). On this model, all five standard defense components fail to detect or mitigate QC, suggesting the defense ecosystem may rely on a shared assumption calibrated on a single substrate. These results provide, to our knowledge, the first evidence that adversarial failure modes can be substrate-dependent.