EPS
← All batches·2605.10987

AESOP: Adversarial Execution-path Selection to Overload Deep Learning Pipelines

topic: general_safetytop score: 100released: 2026-05-13first surfaced: 2026-05-13arXivPDFthreats2026-05-13

Authors: Tingxi Li, Mingfang Ji, Ravishka Shemal Rathnasuriya et al.

arXiv · PDF

Summary

The authors demonstrate a new adversarial attack on ML inference pipelines that route inputs through different models depending on upstream predictions (e.g., a classifier decides which specialist model to invoke next). Traditional adversarial examples target individual models, but AESOP exploits the pipeline structure itself: it crafts inputs that route through the most computationally expensive path, inflating compute costs by up to 2,407× compared to benign inputs. The attack works even when defenses like batching, buffering, and confidence thresholds are in place — forcing the system to choose between throughput collapse or massive data loss.

Main takeaways:

  • Pipeline architectures create a new attack surface: adversarial examples can steer execution through expensive branches, not just fool individual models.
  • AESOP achieves 2,407× FLOPs inflation and 419× latency inflation in white-box settings; 58×/17× in gray-box (partial knowledge) settings.
  • Path-aware targeting is 20× more effective than strongest single-model baseline (2,407× vs. 117× FLOPs inflation).
  • System-level defenses don't neutralize the attack — they shift the failure mode to either throughput collapse (0.578 → 0.006 input/s) or 96.7% data loss to maintain throughput.
  • Highlights a fundamental efficiency-availability tradeoff in dynamic inference pipelines under adversarial conditions.

Relevance

Tangential to my work on conditional behavior in language models — both involve systems that route through different execution paths based on context (their pipeline routing vs. my persona-switching), but their focus is adversarial compute inflation rather than behavioral installation or persona mechanics.

Threat model

Potential threat/caveat for clean result "Stretching turn count, completion length, or system-prompt length at train time fails to amplify marker uptake; the longest system prompt instead leaks across bystander personas (LOW confidence)": this item discusses adversarial.

Abstract

arXiv:2605.10987v1 Announce Type: new Abstract: Modern machine learning deployments increasingly compose specialized models into dynamic inference pipelines, where upstream components produce intermediate predictions that determine the workload and inputs of downstream components. The cost of processing an input is therefore not determined by any single model, but by two coupled factors: the per-inference cost of each invoked component and its workload volume. Because these pipelines run under hard real-time constraints, efficiency is a fundamental requirement for system availability. We show that this structure creates an efficiency-attack surface that existing methods targeting single models cannot exploit: on identical inputs and budgets, path-aware targeting inflates FLOPs by $2,407\times$ while the strongest single-model baseline achieves $117\times$ -- a $20\times$ gap attributable entirely to where the attack is directed. We formalize this as the adversarial path-selection problem and present AESOP, a framework combining vulnerability-guided path ranking with adaptive loss weighting. We evaluate AESOP on five pipelines plus a production-realistic deployment variant with batching, bounded buffering, and confidence-threshold defenses. AESOP achieves up to $2,407\times$ FLOPs and $419\times$ latency inflation in white-box setting and 58$\times$ FLOPs / 17$\times$ latency in gray-box settings. Under system-level defenses, the attack is not neutralized but redirected: pipelines are forced to choose between throughput collapse ($0.578 \to 0.006$ input/s) and $96.7%$ data loss to sustain throughput.