Fine-Grained Iterative Adversarial Attacks with Limited Computation Budget

This work tackles a critical challenge in AI safety research under limited compute: given a fixed computation budget, how can one maximize the strength of iterative adversarial attacks? Coarsely reducing the number of attack iterations lowers cost but substantially weakens effectiveness. To fulfill the attainable attack efficacy within a constrained budget, we propose a fine-grained control mechanism that selectively recomputes layer activations across both iteration-wise and layer-wise levels. Extensive experiments show that our method consistently outperforms existing baselines at equal cost. Moreover, when integrated into adversarial training, it attains comparable performance with only 30% of the original budget. Adversarial attacks, which craft imperceptible perturbations to input data to degrade the performance of deep learning models, have become a central topic in the safety and robustness of AI systems. From the attack perspective, iterative adversarial methods such as Projected Gradient Descent (PGD) (Madry et al., 2017) are widely adopted as strong oracles to benchmark the robustness of modern neural networks.