Adversarial robustness of deep autoencoders (AEs) has received less attention than that of discriminative models, although their compressed latent representations induce ill-conditioned mappings that can amplify small input perturbations and destabilize reconstructions. Existing white-box attacks for AEs, which optimize norm-bounded adversarial perturbations to maximize output damage, often stop at suboptimal attacks. We observe that this limitation stems from vanishing adversarial loss gradients during backpropagation through ill-conditioned layers, caused by near-zero singular values in their Jacobians. To address this issue, we introduce GRILL, a technique that locally restores gradient signals in ill-conditioned layers, enabling more effective norm-bounded attacks. Through extensive experiments across multiple AE architectures, considering both sample-specific and universal attacks under both standard and adaptive attack settings, we show that GRILL significantly increases attack effectiveness, leading to a more rigorous evaluation of AE robustness. Beyond AEs, we provide empirical evidence that modern multimodal architectures with encoder-decoder structures exhibit similar vulnerabilities under GRILL.

翻译：深度自编码器（AEs）的对抗鲁棒性相较于判别模型受到的关注较少，尽管其压缩的潜在表示会引发病态映射，从而放大微小的输入扰动并破坏重建的稳定性。现有的针对自编码器的白盒攻击方法通过优化范数有界的对抗扰动以最大化输出损害，但往往止步于次优攻击。我们观察到，这一局限源于对抗损失梯度在通过病态层反向传播时消失，这是由这些层雅可比矩阵中接近零的奇异值所导致的。为解决此问题，我们提出了GRILL技术，该技术可在病态层中局部恢复梯度信号，从而实现更有效的范数有界攻击。通过对多种自编码器架构进行广泛实验，并在标准及自适应攻击设置下同时考虑样本特定攻击和通用攻击，我们证明GRILL能显著提升攻击有效性，从而为自编码器的鲁棒性评估提供更严格的基准。除自编码器外，我们提供的实证证据表明，采用编码器-解码器结构的现代多模态架构在GRILL下也表现出类似的脆弱性。