Fine-Grained Iterative Adversarial Attacks with Limited Computation Budget

ICLR 2026 Conference SubmissionAnonymous Authors

OpenReview Score: 6.0 Download Report PDF

Adversarial AttackEfficiencyRobustness

This work tackles a critical challenge in AI safety research under limited compute: given a fixed computation budget, how can one maximize the strength of iterative adversarial attacks? Coarsely reducing the number of attack iterations lowers cost but substantially weakens effectiveness. To fulfill the attainable attack efficacy within a constrained budget, we propose a fine-grained control mechanism that selectively recomputes layer activations across both iteration-wise and layer-wise levels. Extensive experiments show that our method consistently outperforms existing baselines at equal cost. Moreover, when integrated into adversarial training, it attains comparable performance with only 30% of the original budget.

Abstract:

Disclaimer

This report is AI-GENERATED using Large Language Models and WisPaper (A scholar search engine). It analyzes academic papers' tasks and contributions against retrieved prior work. While this system identifies POTENTIAL overlaps and novel directions, ITS COVERAGE IS NOT EXHAUSTIVE AND JUDGMENTS ARE APPROXIMATE. These results are intended to assist human reviewers and SHOULD NOT be relied upon as a definitive verdict on novelty.

NOTE that some papers exist in multiple, slightly different versions (e.g., with different titles or URLs). The system may retrieve several versions of the same underlying work. The current automated pipeline does not reliably align or distinguish these cases, so human reviewers will need to disambiguate them manually.

If you have any questions, please contact: mingzhang23@m.fudan.edu.cn

Overview

Overall Novelty Assessment

The paper proposes a fine-grained control mechanism that selectively recomputes layer activations across iteration-wise and layer-wise dimensions to maximize adversarial attack strength under fixed computational budgets. It resides in the 'Iteration and Computation Budget Control' leaf, which contains only four papers total, indicating a relatively sparse research direction within the broader taxonomy. This leaf focuses specifically on managing iteration count and computational resources during attack generation, distinguishing it from query-based black-box methods or gradient-free approaches that populate neighboring branches.

The taxonomy reveals that the paper's immediate neighbors address related but distinct efficiency challenges. Sibling works in the same leaf likely tackle iteration reduction or adaptive step sizing, while nearby leaves such as 'Query-Efficient Black-Box Attacks' optimize query counts rather than white-box iteration budgets, and 'Gradient-Free and Evolutionary Optimization' eschews gradient-based iteration altogether. The 'Enhanced Attack Generation Methods' branch explores novel perturbation strategies without explicit budget constraints, and 'Adversarial Training and Robustness Enhancement' examines defense-side efficiency. The paper's focus on selective recomputation bridges iteration control with layer-wise granularity, a niche not explicitly covered by the taxonomy's other efficiency-oriented categories.

Among the three contributions analyzed, the literature search examined twenty-two candidates total, with no refutable pairs identified. The fine-grained control mechanism was assessed against two candidates, the spiking forward computation scheme against ten, and the combinatorial optimization perspective against ten, all yielding zero refutations. This suggests that within the limited search scope—top-K semantic matches plus citation expansion—no prior work directly overlaps with the proposed techniques. However, the small candidate pool and sparse taxonomy leaf indicate that the search may not have captured all relevant efficiency-focused adversarial attack literature, leaving open the possibility of undiscovered overlaps.

Given the limited search scope and the sparse population of the taxonomy leaf, the work appears to occupy a relatively underexplored niche in adversarial attack efficiency. The absence of refutations among twenty-two candidates suggests novelty within the examined literature, though the small sample size and narrow leaf structure mean this assessment is provisional. A more exhaustive search across adjacent efficiency-oriented branches might reveal closer prior work or clarify the paper's incremental versus foundational contributions.

Taxonomy

Core-task Taxonomy Papers

Claimed Contributions

Contribution Candidate Papers Compared

Refutable Paper

Research Landscape Overview

Core task: Efficient iterative adversarial attack generation under limited computation budget. The field is organized around several major branches that reflect different facets of adversarial machine learning. Attack Optimization and Efficiency Techniques focuses on reducing computational overhead through methods like adaptive step sizing, momentum-based updates (e.g., Adaptive Moment FGSM[12]), and iteration control strategies that avoid redundant computations (e.g., Stop Walking Circles[19]). Enhanced Attack Generation Methods explores novel perturbation strategies and gradient manipulation to improve attack success rates, while Transfer-Based and Data-Free Attacks address scenarios where direct model access is unavailable. Domain-Specific and Constrained Attack Scenarios tailors attacks to particular modalities such as audio, text, or graphs, and Adversarial Robustness and Defense examines training regimes and detection mechanisms. Attack Evaluation and Analysis provides benchmarks and theoretical insights, with a smaller Peripheral and Cross-Domain Topics branch covering tangential applications. Within the optimization-focused branches, a central tension emerges between achieving high attack success with minimal iterations and maintaining transferability or imperceptibility. Works like DE-CW Algorithm[3] and Accelerated Attack Generation[2] exemplify efforts to compress the attack budget through algorithmic refinement, while Resource-Limited Adaptive Training[4] and Constrained Transfer Attacks[5] explore trade-offs when computational resources are severely restricted. Fine-Grained Iterative Attacks[0] sits squarely in the Iteration and Computation Budget Control cluster, emphasizing precise control over iteration steps to balance efficiency and effectiveness. Compared to neighbors like Stop Walking Circles[19], which diagnoses and eliminates cyclic gradient behavior, or Room[24], which optimizes perturbation allocation, Fine-Grained Iterative Attacks[0] appears to prioritize granular tuning of the iterative process itself, offering a complementary perspective on how to best allocate limited computational steps without sacrificing attack quality.

Claimed Contributions

Fine-grained control mechanism for iterative adversarial attacks

2 retrieved papers

The authors introduce a mechanism that controls computation in adversarial attacks at both iteration and layer granularity, selectively deciding when to recompute activations. This contrasts with existing coarse-grained approaches that uniformly reduce iterations across all layers.

2 retrieved papers

Spiking forward computation scheme with virtual surrogate gradient

10 retrieved papers

The authors propose an event-driven spiking mechanism that adaptively skips layer computations when activation changes are small, combined with a virtual surrogate gradient method that maintains gradient flow during backpropagation when activations are reused.

10 retrieved papers

Combinatorial optimization perspective on adversarial attack computation

10 retrieved papers

The authors formalize iterative adversarial attacks as a combinatorial optimization problem over layer-wise computation masks, demonstrating that existing early-stopping strategies represent a restricted subproblem of a more expressive fine-grained formulation.

10 retrieved papers

Core Task Comparisons

Comparisons with papers in the same taxonomy category

[12] Generate adversarial examples by adaptive moment iterative fast gradient sign method PDF

Jiebao Zhang, Wenhua Qian, Ren-qi Nie, Jinde Cao, Dan Xu, Rencan Nie (2023)

[19] Stop Walking in Circles! Bailing Out Early in Projected Gradient Descent PDF

Doldo, Philip, Everett, Derek, Khanna, Amol, Nguyen, Andre T., Raff, Edward (2025)

[24] Room: Adversarial machine learning attacks under real-time constraints PDF

Amira Guesmi, Khaled N. Khasawneh, Nael Abu-Ghazaleh, Ihsen Alouani, Nael B. Abu-Ghazaleh (2022)

Contribution Analysis

Detailed comparisons for each claimed contribution

Contribution

Fine-grained control mechanism for iterative adversarial attacks

[58] A Pruning Method Combined with Resilient Training to Improve the Adversarial Robustness of Automatic Modulation Classification Models PDF

Cannot Refute

[59] Boosting Adversarial Robustness with CLAT: Criticality Leveraged Adversarial Training PDF

Cannot Refute

Contribution

Spiking forward computation scheme with virtual surrogate gradient

[60] Event-based backpropagation can compute exact gradients for spiking neural networks PDF

Cannot Refute

[61] Efficient event-based delay learning in spiking neural networks PDF

Cannot Refute

[62] Self-supervised learning of event-based optical flow with spiking neural networks PDF

Cannot Refute

[63] Training spiking neural networks with event-driven backpropagation PDF

Cannot Refute

[64] Adaptive Gradient-Based Timesurface for Event-based Detection PDF

Cannot Refute

[65] Loss shaping enhances exact gradient learning with eventprop in spiking neural networks PDF

Cannot Refute

[66] jaxsnn: Event-driven gradient estimation for analog neuromorphic hardware PDF

Cannot Refute

[67] Event-based backpropagation for analog neuromorphic hardware PDF

Cannot Refute

[68] Asynchronous bioplausible neuron for spiking neural networks for event-based vision PDF

Cannot Refute

[69] Sparseprop: Efficient event-based simulation and training of sparse recurrent spiking neural networks PDF

Cannot Refute

Contribution

Combinatorial optimization perspective on adversarial attack computation

[29] Efficient Combinatorial Optimization for Word-Level Adversarial Textual Attack PDF

Cannot Refute

[49] Mind your solver! on adversarial attack and defense for combinatorial optimization PDF

Cannot Refute

[50] A truthful pricing-based defending strategy against adversarial attacks in budgeted combinatorial multi-armed bandits PDF

Cannot Refute

[51] Evolutionary many-objective optimization based on adversarial decomposition PDF

Cannot Refute

[52] Adversarial combinatorial bandits with switching cost and arm selection constraints PDF

Cannot Refute

[53] Enhancing network resilience through machine learning-powered graph combinatorial optimization: Applications in cyber defense and information diffusion PDF

Cannot Refute

[54] A word is worth a thousand dollars: Adversarial attack on tweets fools stock predictions PDF

Cannot Refute

[55] Efficient Resource Allocation under Adversary Attacks: A Decomposition-Based Approach PDF

Cannot Refute

[56] Composite Adversarial Attacks PDF

Cannot Refute

[57] Adversarial attacks on graph neural networks based spatial resource management in p2p wireless communications PDF

Cannot Refute

Fine-Grained Iterative Adversarial Attacks with Limited Computation Budget

Overview

Overall Novelty Assessment

Taxonomy

Research Landscape Overview

Claimed Contributions

Core Task Comparisons

[12] Generate adversarial examples by adaptive moment iterative fast gradient sign method PDF

[19] Stop Walking in Circles! Bailing Out Early in Projected Gradient Descent PDF

[24] Room: Adversarial machine learning attacks under real-time constraints PDF

Contribution Analysis

Fine-grained control mechanism for iterative adversarial attacks

[58] A Pruning Method Combined with Resilient Training to Improve the Adversarial Robustness of Automatic Modulation Classification Models PDF

[59] Boosting Adversarial Robustness with CLAT: Criticality Leveraged Adversarial Training PDF

Spiking forward computation scheme with virtual surrogate gradient

[60] Event-based backpropagation can compute exact gradients for spiking neural networks PDF

[61] Efficient event-based delay learning in spiking neural networks PDF

[62] Self-supervised learning of event-based optical flow with spiking neural networks PDF

[63] Training spiking neural networks with event-driven backpropagation PDF

[64] Adaptive Gradient-Based Timesurface for Event-based Detection PDF

[65] Loss shaping enhances exact gradient learning with eventprop in spiking neural networks PDF

[66] jaxsnn: Event-driven gradient estimation for analog neuromorphic hardware PDF

[67] Event-based backpropagation for analog neuromorphic hardware PDF

[68] Asynchronous bioplausible neuron for spiking neural networks for event-based vision PDF

[69] Sparseprop: Efficient event-based simulation and training of sparse recurrent spiking neural networks PDF

Combinatorial optimization perspective on adversarial attack computation

[29] Efficient Combinatorial Optimization for Word-Level Adversarial Textual Attack PDF

[49] Mind your solver! on adversarial attack and defense for combinatorial optimization PDF

[50] A truthful pricing-based defending strategy against adversarial attacks in budgeted combinatorial multi-armed bandits PDF

[51] Evolutionary many-objective optimization based on adversarial decomposition PDF

[52] Adversarial combinatorial bandits with switching cost and arm selection constraints PDF

[53] Enhancing network resilience through machine learning-powered graph combinatorial optimization: Applications in cyber defense and information diffusion PDF

[54] A word is worth a thousand dollars: Adversarial attack on tweets fools stock predictions PDF

[55] Efficient Resource Allocation under Adversary Attacks: A Decomposition-Based Approach PDF

[56] Composite Adversarial Attacks PDF

[57] Adversarial attacks on graph neural networks based spatial resource management in p2p wireless communications PDF

Table of Contents