Adversarially Robust Spiking Neural Networks Through Conversion

TL;DR

This work addresses the limited progress in scalable robust SNN training methods by proposing an adversarially robust ANN-to-SNN conversion algorithm and results show that this approach yields a scalable state-of-the-art solution for adversarially robust deep SNNs with low-latency.

Abstract

Spiking neural networks (SNNs) provide an energy-efficient alternative to a variety of artificial neural network (ANN) based AI applications. As the progress in neuromorphic computing with SNNs expands their use in applications, the problem of adversarial robustness of SNNs becomes more pronounced. To the contrary of the widely explored end-to-end adversarial training based solutions, we address the limited progress in scalable robust SNN training methods by proposing an adversarially robust ANN-to-SNN conversion algorithm. Our method provides an efficient approach to embrace various computationally demanding robust learning objectives that have been proposed for ANNs. During a post-conversion robust finetuning phase, our method adversarially optimizes both layer-wise firing thresholds and synaptic connectivity weights of the SNN to maintain transferred robustness gains from the pre-trained ANN. We perform experimental evaluations in a novel setting proposed to rigorously assess the robustness of SNNs, where numerous adaptive adversarial attacks that account for the spike-based operation dynamics are considered. Results show that our approach yields a scalable state-of-the-art solution for adversarially robust deep SNNs with low-latency.

Figures (5)

• Figure 1: Illustration of the impact of an adversarial attack on feed-forward SNNs with direct input coding. In this setting, the spiking representation of the input is generated after the first convolutional layer, where the input pixel intensities are applied as direct current to the neurons for $T$ time steps. We show one clean/adversarial test case from TinyImageNet against our VGG11 model ($T=30$) obtained via conversion. Left side depicts the clean input scenario, and the right side depicts an adversarial attack scenario. The first layer of this model consists of 64 Conv2D kernels, which outputs 262,144 LIF neuron activations (64 feature maps with 64$\times$64 spatial image resolution). Adversarial perturbations of magnitude $\epsilon=8/255$ (negative values are visualized darker and positive values are visualized brighter) are obtained in the input image pixel domain via spike-based BPTT. The change in the input is hardly visible for the adversarial image. However, this small change leads to a noticeable difference of the spiking output of the first convolutional layer on the fine temporal scale (see cyan and red zoom-in boxes). Neuron IDs are vectorized for illustration purposes.
• Figure 2: $\epsilon_3$-Robust accuracies under PGD$^{20}$ vs. $\beta$, with different baseline ANN standard AT perturbation levels.
• Figure 3: Evaluations on TinyImageNet, with comparisons to SNN-RAT ding2022snn, an RFGSM based mixed AT baseline from ding2022snn, BNTT kim2021revisiting, and a vanilla SNN with natural training. SNNs with LIF neurons ($\tau=0.99$) use soft-reset as in kim2021revisiting. In (a) we compare LIF-neuron models from the bottom half of the table in (b), using Ours with $T=30$.
• Figure 4: Coding efficiency comparisons of vanilla and adversarially robust SNNs.
• Figure 5: Square Attack Andriushchenko:2020 evaluations with limited number of queries for the baseline ANN (AT-$\epsilon_1$), end-to-end trained vanilla SNN, adversarially trained SNN-RAT, and ours (AT-$\epsilon_1$).