AESOP Attack Inflates FLOPs 20x More Than Single-Model Methods
A new adversarial attack, AESOP (Adversarial Execution-path Selection to Overload Deep Learning Pipelines), exploits the efficiency-attack surface of modern ML inference pipelines. These pipelines chain specialized models where upstream outputs determine downstream workload. AESOP selects execution paths to maximize computational cost, achieving a 2,407× FLOPs inflation on identical inputs and budgets, compared to 117× for the strongest single-model baseline—a 20× gap. The attack targets path-aware selection rather than individual models, formalizing adversarial path-selection as a new vulnerability. The paper is published on arXiv (2605.10987).
Key facts
- AESOP attack targets dynamic inference pipelines with multiple models.
- Achieves 2,407× FLOPs inflation vs. 117× for single-model baseline.
- Exploits coupling of per-inference cost and workload volume.
- Formalizes adversarial path-selection problem.
- Published on arXiv with ID 2605.10987.
- Attack works under hard real-time constraints.
- Existing methods cannot exploit this efficiency-attack surface.
- 20× gap attributable to attack direction.
Entities
Institutions
- arXiv