In this paper, we investigate the dynamics-aware adversarial attack problem of adaptive neural networks. Most existing adversarial attack algorithms are designed under a basic assumption -- the network architecture is fixed throughout the attack process. However, this assumption does not hold for many recently proposed adaptive neural networks, which adaptively deactivate unnecessary execution units based on inputs to improve computational efficiency. It results in a serious issue of lagged gradient, making the learned attack at the current step ineffective due to the architecture change afterward. To address this issue, we propose a Leaded Gradient Method (LGM) and show the significant effects of the lagged gradient. More specifically, we reformulate the gradients to be aware of the potential dynamic changes of network architectures, so that the learned attack better "leads" the next step than the dynamics-unaware methods when network architecture changes dynamically. Extensive experiments on representative types of adaptive neural networks for both 2D images and 3D point clouds show that our LGM achieves impressive adversarial attack performance compared with the dynamic-unaware attack methods. Code is available at https://github.com/antao97/LGM.

翻译：本文研究了自适应神经网络的动力学感知对抗攻击问题。现有大多数对抗攻击算法都基于一个基本假设——攻击过程中网络架构是固定的。然而，这一假设不适用于近年来提出的许多自适应神经网络，这些网络会根据输入自适应地停用不必要的执行单元以提高计算效率。这导致严重的梯度滞后问题，使得当前步骤学习的攻击因后续架构变化而失效。为解决这一问题，我们提出了引导梯度法（LGM），并展示了梯度滞后的显著影响。具体而言，我们对梯度进行重新公式化，使其能够感知网络架构潜在的动态变化，从而在架构动态变化时，所学习的攻击能比非动力学感知方法更好地“引导”下一步骤。在面向二维图像和三维点云的典型自适应神经网络上开展的大量实验表明，相较于非动力学感知攻击方法，我们的LGM取得了令人瞩目的对抗攻击性能。代码已开源在https://github.com/antao97/LGM。