
Fluently Lying: Adversarial Robustness Can Be Substrate-Dependent

Daye Kang, Hyeongboo Baek

Abstract

The primary tools used to monitor and defend object detectors under adversarial attack assume that when accuracy degrades, detection count drops in tandem. This coupling was assumed, not measured. We report a counterexample observed on a single model: under standard PGD, EMS-YOLO, a spiking neural network (SNN) object detector, retains more than 70% of its detections while mAP collapses from 0.528 to 0.042. We term this count-preserving accuracy collapse Quality Corruption (QC), to distinguish it from the suppression that dominates untargeted evaluation. Across four SNN architectures and two threat models (l-infinity and l-2), QC appears only in one of the four detectors tested (EMS-YOLO). On this model, all five standard defense components fail to detect or mitigate QC, suggesting the defense ecosystem may rely on a shared assumption calibrated on a single substrate. These results provide, to our knowledge, the first evidence that adversarial failure modes can be substrate-dependent.

Paper Structure

This paper contains 25 sections, 2 equations, 3 figures, 3 tables.

Figures (3)

  • Figure 1: Suppression vs. Quality Corruption. Same image, same PGD ($\varepsilon{=}8/255$). (a) Clean: five correct detections. (b) ANN baseline (YOLOv3-tiny): all detections vanish. (c) Hardware-deployable SNN (EMS-YOLO): five detections remain, none correct. A count-based monitor reports normal operation in both (a) and (c).
  • Figure 2: Quality Corruption emerges only in EMS-YOLO, the single hardware-deployable pipeline tested. QCI across three perturbation budgets; EMS-YOLO transitions from suppression to extreme QC ($\text{QCI}{=}+63.0$ at $\varepsilon{=}8$) while all other models remain near $\text{QCI}{=}0$. Key numerical values in \ref{tab:qc_main} (full $\varepsilon$-sweep in supplementary).
  • Figure 3: Per-image heterogeneity of Quality Corruption. Per-image QCI for EMS-YOLO under PGD ($\varepsilon{=}8/255$, 980 images with ${\geq}1$ clean detection; per-image QCI definition in \ref{sec:setup_metrics}). $88\%$ of images are corruption-dominant, $12\%$ suppression-dominant. Median $=33$; range $-254$ to $+1{,}300$.
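
The scenario in Figure 1, as an added example that is not code from the paper: a count-based monitor is compared with a ground-truth correctness check on three constructed detection sets (clean, suppressed, count-preserving corruption). The boxes, labels, the 0.5 IoU threshold and the monitor's `min_ratio` rule are all assumptions made for illustration; the paper's QCI metric is not reproduced here.

```python
"""Constructed illustration: count-based monitoring vs. a ground-truth check."""

def iou(a, b):
    """Intersection over union of two (x1, y1, x2, y2) boxes."""
    ix = max(0.0, min(a[2], b[2]) - max(a[0], b[0]))
    iy = max(0.0, min(a[3], b[3]) - max(a[1], b[1]))
    inter = ix * iy
    union = (a[2] - a[0]) * (a[3] - a[1]) + (b[2] - b[0]) * (b[3] - b[1]) - inter
    return inter / union if union > 0 else 0.0

def correct_detections(dets, truth, thr=0.5):
    """Greedy one-to-one matching: same class and IoU >= thr counts as correct."""
    unused = list(truth)
    hits = 0
    for cls, box in dets:
        same_class = [t for t in unused if t[0] == cls]
        best = max(same_class, key=lambda t: iou(box, t[1]), default=None)
        if best is not None and iou(box, best[1]) >= thr:
            unused.remove(best)
            hits += 1
    return hits

def count_monitor_ok(dets, clean_count, min_ratio=0.5):
    """Assumed monitor rule: alarm only if the count falls below min_ratio of clean."""
    return len(dets) >= min_ratio * clean_count

def assess(dets, truth, clean_count):
    """Report what the count monitor sees next to what is actually correct."""
    return {"count": len(dets),
            "monitor_ok": count_monitor_ok(dets, clean_count),
            "correct": correct_detections(dets, truth)}

# Constructed sample data (not taken from the paper's dataset).
TRUTH = [("person", (10, 10, 50, 90)), ("person", (60, 12, 100, 88)),
         ("dog", (110, 50, 160, 95)), ("car", (170, 30, 250, 80)),
         ("bicycle", (20, 100, 80, 150))]
CLEAN = list(TRUTH)          # five detections, all correct
SUPPRESSED = []              # every detection vanishes
CORRUPTED = [("chair", (10, 10, 50, 90)), ("person", (200, 100, 240, 150)),
             ("cat", (300, 20, 340, 60)), ("car", (0, 120, 15, 140)),
             ("dog", (250, 100, 300, 150))]   # five detections, none correct

if __name__ == "__main__":
    for name, dets in [("clean", CLEAN), ("suppressed", SUPPRESSED),
                       ("corrupted", CORRUPTED)]:
        print(name, assess(dets, TRUTH, clean_count=len(CLEAN)))
```

The correctness column needs ground truth, so it is an evaluation-time measurement; the example only shows that the count signal alone cannot separate the clean case from the count-preserving one.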