Fluently Lying: Adversarial Robustness Can Be Substrate-Dependent
This work reveals a substrate-dependent adversarial failure mode in object detection, which is incremental as it challenges a specific assumption in defense mechanisms.
The paper tackles the assumption that detection count and accuracy degrade together in adversarial attacks on object detectors, reporting a counterexample where an SNN detector retains over 70% of detections while mAP collapses from 0.528 to 0.042, termed Quality Corruption. This phenomenon was observed only in one of four SNN architectures tested, and standard defenses failed to detect or mitigate it, suggesting adversarial failure modes can be substrate-dependent.
The primary tools used to monitor and defend object detectors under adversarial attack assume that when accuracy degrades, detection count drops in tandem. This coupling was assumed, not measured. We report a counterexample observed on a single model: under standard PGD, EMS-YOLO, a spiking neural network (SNN) object detector, retains more than 70% of its detections while mAP collapses from 0.528 to 0.042. We term this count-preserving accuracy collapse Quality Corruption (QC), to distinguish it from the suppression that dominates untargeted evaluation. Across four SNN architectures and two threat models (l-infinity and l-2), QC appears only in one of the four detectors tested (EMS-YOLO). On this model, all five standard defense components fail to detect or mitigate QC, suggesting the defense ecosystem may rely on a shared assumption calibrated on a single substrate. These results provide, to our knowledge, the first evidence that adversarial failure modes can be substrate-dependent.