In this paper, we investigate the dynamics-aware adversarial attack problem of adaptive neural networks. Most existing adversarial attack algorithms are designed under a basic assumption -- the network architecture is fixed throughout the attack process. However, this assumption does not hold for many recently proposed adaptive neural networks, which adaptively deactivate unnecessary execution units based on inputs to improve computational efficiency. It results in a serious issue of lagged gradient, making the learned attack at the current step ineffective due to the architecture change afterward. To address this issue, we propose a Leaded Gradient Method (LGM) and show the significant effects of the lagged gradient. More specifically, we reformulate the gradients to be aware of the potential dynamic changes of network architectures, so that the learned attack better "leads" the next step than the dynamics-unaware methods when network architecture changes dynamically. Extensive experiments on representative types of adaptive neural networks for both 2D images and 3D point clouds show that our LGM achieves impressive adversarial attack performance compared with the dynamic-unaware attack methods. Code is available at https://github.com/antao97/LGM.

翻译：本文研究了自适应神经网络的动力学感知对抗攻击问题。现有大多数对抗攻击算法基于一个基本假设——网络架构在攻击过程中保持不变。然而，这一假设对于近年来提出的诸多自适应神经网络并不成立，此类网络会根据输入自适应地停用非必要的执行单元以提升计算效率。这导致梯度滞后问题，使得当前步骤学习到的攻击因后续架构变化而失效。为解决该问题，我们提出了有导梯度法（LGM），并展示了滞后梯度的显著影响。具体而言，我们重新构造了梯度，使其能够感知网络架构潜在的动态变化，从而使学习到的攻击在架构动态变化时比不考虑动态性的方法更有效地"引导"下一步骤。在面向二维图像和三维点云的典型自适应神经网络上开展的大量实验表明，与忽略动态性的攻击方法相比，我们提出的LGM实现了令人印象深刻的对抗攻击性能。代码已开源至https://github.com/antao97/LGM。