Gespeichert in:
Bibliographische Detailangaben
Hauptverfasser: Li, Tingxi, Ji, Mingfang, Rathnasuriya, Ravishka Shemal, Chen, Simin, Hu, Yitao, Yang, Wei
Format: Preprint
Veröffentlicht: 2026
Schlagworte:
Online-Zugang:https://arxiv.org/abs/2605.10987
Tags: Tag hinzufügen
Keine Tags, Fügen Sie den ersten Tag hinzu!
_version_ 1866918494848679936
author Li, Tingxi
Ji, Mingfang
Rathnasuriya, Ravishka Shemal
Chen, Simin
Hu, Yitao
Yang, Wei
author_facet Li, Tingxi
Ji, Mingfang
Rathnasuriya, Ravishka Shemal
Chen, Simin
Hu, Yitao
Yang, Wei
contents Modern machine learning deployments increasingly compose specialized models into dynamic inference pipelines, where upstream components produce intermediate predictions that determine the workload and inputs of downstream components. The cost of processing an input is therefore not determined by any single model, but by two coupled factors: the per-inference cost of each invoked component and its workload volume. Because these pipelines run under hard real-time constraints, efficiency is a fundamental requirement for system availability. We show that this structure creates an efficiency-attack surface that existing methods targeting single models cannot exploit: on identical inputs and budgets, path-aware targeting inflates FLOPs by $2,407\times$ while the strongest single-model baseline achieves $117\times$ -- a $20\times$ gap attributable entirely to where the attack is directed. We formalize this as the adversarial path-selection problem and present AESOP, a framework combining vulnerability-guided path ranking with adaptive loss weighting. We evaluate AESOP on five pipelines plus a production-realistic deployment variant with batching, bounded buffering, and confidence-threshold defenses. AESOP achieves up to $2,407\times$ FLOPs and $419\times$ latency inflation in white-box setting and 58$\times$ FLOPs / 17$\times$ latency in gray-box settings. Under system-level defenses, the attack is not neutralized but redirected: pipelines are forced to choose between throughput collapse ($0.578 \to 0.006$ input/s) and $96.7\%$ data loss to sustain throughput.
format Preprint
id arxiv_https___arxiv_org_abs_2605_10987
institution arXiv
publishDate 2026
record_format arxiv
spellingShingle AESOP: Adversarial Execution-path Selection to Overload Deep Learning Pipelines
Li, Tingxi
Ji, Mingfang
Rathnasuriya, Ravishka Shemal
Chen, Simin
Hu, Yitao
Yang, Wei
Machine Learning
Artificial Intelligence
Cryptography and Security
Modern machine learning deployments increasingly compose specialized models into dynamic inference pipelines, where upstream components produce intermediate predictions that determine the workload and inputs of downstream components. The cost of processing an input is therefore not determined by any single model, but by two coupled factors: the per-inference cost of each invoked component and its workload volume. Because these pipelines run under hard real-time constraints, efficiency is a fundamental requirement for system availability. We show that this structure creates an efficiency-attack surface that existing methods targeting single models cannot exploit: on identical inputs and budgets, path-aware targeting inflates FLOPs by $2,407\times$ while the strongest single-model baseline achieves $117\times$ -- a $20\times$ gap attributable entirely to where the attack is directed. We formalize this as the adversarial path-selection problem and present AESOP, a framework combining vulnerability-guided path ranking with adaptive loss weighting. We evaluate AESOP on five pipelines plus a production-realistic deployment variant with batching, bounded buffering, and confidence-threshold defenses. AESOP achieves up to $2,407\times$ FLOPs and $419\times$ latency inflation in white-box setting and 58$\times$ FLOPs / 17$\times$ latency in gray-box settings. Under system-level defenses, the attack is not neutralized but redirected: pipelines are forced to choose between throughput collapse ($0.578 \to 0.006$ input/s) and $96.7\%$ data loss to sustain throughput.
title AESOP: Adversarial Execution-path Selection to Overload Deep Learning Pipelines
topic Machine Learning
Artificial Intelligence
Cryptography and Security
url https://arxiv.org/abs/2605.10987