attack 2026

Fluently Lying: Adversarial Robustness Can Be Substrate-Dependent

Daye Kang, Hyeongboo Baek

0 citations

Published on arXiv: 2604.00605

Input Manipulation Attack

OWASP ML Top 10 — ML01

Key Finding

EMS-YOLO retains >70% of detections under standard PGD while mAP collapses from 0.528 to 0.042, demonstrating substrate-dependent failure modes

Novel technique introduced: Quality Corruption


The primary tools used to monitor and defend object detectors under adversarial attack assume that when accuracy degrades, detection count drops in tandem. This coupling was assumed, not measured. We report a counterexample observed on a single model: under standard PGD, EMS-YOLO, a spiking neural network (SNN) object detector, retains more than 70% of its detections while mAP collapses from 0.528 to 0.042. We term this count-preserving accuracy collapse Quality Corruption (QC), to distinguish it from the suppression that dominates untargeted evaluation. Across four SNN architectures and two threat models (l-infinity and l-2), QC appears only in one of the four detectors tested (EMS-YOLO). On this model, all five standard defense components fail to detect or mitigate QC, suggesting the defense ecosystem may rely on a shared assumption calibrated on a single substrate. These results provide, to our knowledge, the first evidence that adversarial failure modes can be substrate-dependent.


Key Contributions

  • Introduces Quality Corruption (QC) - a count-preserving accuracy collapse failure mode where detectors retain 70%+ detections while mAP drops from 0.528 to 0.042
  • Proposes QCI metric to measure count-accuracy coupling, revealing substrate-dependent adversarial failure modes in spiking neural networks
  • Demonstrates that five standard defense components fail on EMS-YOLO, suggesting defense ecosystems may rely on substrate-specific assumptions

🛡️ Threat Analysis

Input Manipulation Attack

Paper evaluates standard PGD adversarial attacks (gradient-based input manipulation) causing misclassification in object detectors at inference time. The primary contribution is discovering a new failure mode (Quality Corruption) under this standard attack.


Details

Domains: vision
Model Types: cnn
Threat Tags: white_box, inference_time, untargeted, digital
Applications: object detection, autonomous driving