Sneaky Spikes: Uncovering Stealthy Backdoor Attacks in Spiking Neural Networks with Neuromorphic Data

TL;DR

This work analyzes backdoor vulnerabilities in spiking neural networks (SNNs) that process neuromorphic data, introducing four trigger paradigms—static, moving, smart, and dynamic—and shows attacks achieving up to 100% attack success rate with minimal loss of clean accuracy. It extends backdoor evaluation to neuromorphic domains, adapts several image-domain defenses (ABS, STRIP, spectral signatures, fine-pruning), and reveals substantial limitations of these defenses on SNNs, especially for dynamic and motion-based triggers. A key contribution is the dynamic, sample-specific backdoor that leverages a spiking autoencoder to produce invisible perturbations under a small $\ abla_\infty \leq \gamma$, balancing stealth and efficacy via a trade-off parameter $\$. The work also includes a user study and SSIM-based stealthiness assessment, demonstrating that dynamic triggers can be nearly invisible to humans, and provides open-source code for reproducibility, underscoring the need for SNN-specific defense strategies. Overall, the study highlights critical security gaps in neuromorphic deployments and points to future work in developing robust defenses tailored to SNNs and time-encoded data.

Abstract

Deep neural networks (DNNs) have demonstrated remarkable performance across various tasks, including image and speech recognition. However, maximizing the effectiveness of DNNs requires meticulous optimization of numerous hyperparameters and network parameters through training. Moreover, high-performance DNNs entail many parameters, which consume significant energy during training. In order to overcome these challenges, researchers have turned to spiking neural networks (SNNs), which offer enhanced energy efficiency and biologically plausible data processing capabilities, rendering them highly suitable for sensory data tasks, particularly in neuromorphic data. Despite their advantages, SNNs, like DNNs, are susceptible to various threats, including adversarial examples and backdoor attacks. Yet, the field of SNNs still needs to be explored in terms of understanding and countering these attacks. This paper delves into backdoor attacks in SNNs using neuromorphic datasets and diverse triggers. Specifically, we explore backdoor triggers within neuromorphic data that can manipulate their position and color, providing a broader scope of possibilities than conventional triggers in domains like images. We present various attack strategies, achieving an attack success rate of up to 100% while maintaining a negligible impact on clean accuracy. Furthermore, we assess these attacks' stealthiness, revealing that our most potent attacks possess significant stealth capabilities. Lastly, we adapt several state-of-the-art defenses from the image domain, evaluating their efficacy on neuromorphic data and uncovering instances where they fall short, leading to compromised performance.

Figures (18)

• Figure 1: Input samples containing a static trigger (\ref{['fig:s_trigger_1']}, \ref{['fig:s_trigger_3']}, and \ref{['fig:s_trigger_5']}) and a smart backdoor mask for $c=2$ (\ref{['fig:smart']}).
• Figure 2: Overview of the dynamic moving attack.
• Figure 3: \ref{['fig:asr_smart_false_false']} and \ref{['fig:asr_smart_true_false']} show the smart triggers in the most active area, using the least and most common polarity. In \ref{['fig:asr_smart_false_true']} and \ref{['fig:asr_smart_true_true']}, we show the smart triggers in the least active area, using the least and most common polarity.
• Figure 4: ASR and clean accuracy degradation of dynamic triggers. Dashed lines represent the ASR, and solid lines represent the clean accuracy. Blue corresponds to N-MNIST, orange to CIFAR10-DVS, green to DVS128-Gesture, and red to N-Caltech101.
• Figure 5: Normalized entropy of different triggers and datasets.