Logo
ScienceStack
Table of Contents
Fetching ...
Sign In

Energy-Latency Attacks: A New Adversarial Threat to Deep Learning

Hanene F. Z. Brachemi Meftah, Wassim Hamidouche, Sid Ahmed Fezza, Olivier Deforges

TL;DR

This survey addresses the vulnerability of deep neural networks to energy-latency attacks, a class of adversarial methods that deliberately inflate computation and energy to degrade service or trigger DoS. It organizes attacks into inference- and training-stage categories, detailing white-box and black-box variants across diverse architectures (regular DNNs, input-adaptive nets, object detectors, neural ODEs, SNNs, and decoder-based NLP models). The authors compile a comprehensive set of evaluation metrics, compare attack strategies, and review defenses, highlighting open challenges such as defense effectiveness, measurement reliability, transferability, and practical attack accessibility. The work emphasizes the practical implications for sustainable AI deployment and motivates robust, generalized defenses alongside targeted defenses tailored to specific architectures and deployment scenarios.

Abstract

The growing computational demand for deep neural networks ( DNNs) has raised concerns about their energy consumption and carbon footprint, particularly as the size and complexity of the models continue to increase. To address these challenges, energy-efficient hardware and custom accelerators have become essential. Additionally, adaptable DNN s are being developed to dynamically balance performance and efficiency. The use of these strategies became more common to enable sustainable AI deployment. However, these efficiency-focused designs may also introduce vulnerabilities, as attackers can potentially exploit them to increase latency and energy usage by triggering their worst-case-performance scenarios. This new type of attack, called energy-latency attacks, has recently gained significant research attention, focusing on the vulnerability of DNN s to this emerging attack paradigm, which can trigger denial-of-service ( DoS) attacks. This paper provides a comprehensive overview of current research on energy-latency attacks, categorizing them using the established taxonomy for traditional adversarial attacks. We explore different metrics used to measure the success of these attacks and provide an analysis and comparison of existing attack strategies. We also analyze existing defense mechanisms and highlight current challenges and potential areas for future research in this developing field. The GitHub page for this work can be accessed at https://github.com/hbrachemi/Survey_energy_attacks/

Energy-Latency Attacks: A New Adversarial Threat to Deep Learning

TL;DR

This survey addresses the vulnerability of deep neural networks to energy-latency attacks, a class of adversarial methods that deliberately inflate computation and energy to degrade service or trigger DoS. It organizes attacks into inference- and training-stage categories, detailing white-box and black-box variants across diverse architectures (regular DNNs, input-adaptive nets, object detectors, neural ODEs, SNNs, and decoder-based NLP models). The authors compile a comprehensive set of evaluation metrics, compare attack strategies, and review defenses, highlighting open challenges such as defense effectiveness, measurement reliability, transferability, and practical attack accessibility. The work emphasizes the practical implications for sustainable AI deployment and motivates robust, generalized defenses alongside targeted defenses tailored to specific architectures and deployment scenarios.

Abstract

The growing computational demand for deep neural networks ( DNNs) has raised concerns about their energy consumption and carbon footprint, particularly as the size and complexity of the models continue to increase. To address these challenges, energy-efficient hardware and custom accelerators have become essential. Additionally, adaptable DNN s are being developed to dynamically balance performance and efficiency. The use of these strategies became more common to enable sustainable AI deployment. However, these efficiency-focused designs may also introduce vulnerabilities, as attackers can potentially exploit them to increase latency and energy usage by triggering their worst-case-performance scenarios. This new type of attack, called energy-latency attacks, has recently gained significant research attention, focusing on the vulnerability of DNN s to this emerging attack paradigm, which can trigger denial-of-service ( DoS) attacks. This paper provides a comprehensive overview of current research on energy-latency attacks, categorizing them using the established taxonomy for traditional adversarial attacks. We explore different metrics used to measure the success of these attacks and provide an analysis and comparison of existing attack strategies. We also analyze existing defense mechanisms and highlight current challenges and potential areas for future research in this developing field. The GitHub page for this work can be accessed at https://github.com/hbrachemi/Survey_energy_attacks/

Paper Structure

This paper contains 25 sections, 24 equations, 6 figures, 4 tables.

Table of Contents

  1. Introduction
  2. Preliminaries
  3. Brief Overview of Adversarial Attacks
  4. Towards Energy-latency Attacks
  5. Energy-latency Attack Strategies
  6. Inference Stage Attacks
  7. White-box
  8. Sponge attacks on regular dnns
  9. Sponge attacks on input-adaptive dnns
  10. Sponge attacks in object detection
  11. Sponge attacks on neural ode networks
  12. Sponge attacks on snn
  13. Attacks against Decoder-Based Text Generation Models
  14. Black-box
  15. TRAINING STAGE ATTACKS (POISONING)
  16. ...and 10 more sections

Figures (6)

  • Figure 1: Categorization of adversarial attacks based on objective, control, and stage. *Chen et al.chen2023stealthy have a distinct objective of increasing training time and cost, unlike mainstream methodologies in the literature that focus on increasing inference time and energy.
  • Figure 2: Different attack scenarios throughout the model lifecycle.
  • Figure 3: Visualization of the SlowFormer navaneet2023slowformer energy attack on the efficient A-ViT-Small yin2022vit. The attack is realized by adding a patch on the top left corner of the image. The selected patches on the clean inputs' column refer to the selected patches of the efficient vit on the clean image, while the selected patches in the adversarial input column refer to the resulting selected patches by the same efficient vit on the adversarial version of the input. The SlowFormer attack recovers most of the pruned tokens by the efficient vit, which cancels its optimization aspect and induces increased computational and power consumption.
  • Figure 4: Overview of the proposed sponge attack shumailov2021sponge in the black-box setup. The adversary uses a ga to create sponge samples. Then, they iteratively test samples against the model and generate new sponge samples by combining the most effective ones based on the measured response latency or consumed energy of the model.
  • Figure 5: Comparison of energy ratios across four scenarios: two cnn models namely ResNet-18 and MobileNet-V2 trained on two datasets namely CIFAR-10 and Tiny-ImageNet, evaluated using different sparsity-based attack methods developed in the literature. The box plots illustrate the distribution of energy ratios computed on the test set for each model-dataset-attack combination.
  • ...and 1 more figures