BrainLeaks: On the Privacy-Preserving Properties of Neuromorphic Architectures against Model Inversion Attacks

Hamed Poursiami, Ihsen Alouani, Maryam Parsa

TL;DR

This work investigates the privacy of neuromorphic architectures against Model Inversion (MI) attacks. It formalizes the MI threat in spiking domains and introduces two spike-aware attacks, BrainLeaks-v1 and BrainLeaks-v2, to reconstruct inputs from Spiking Neural Networks (SNNs) and compare them with conventional Artificial Neural Networks (ANNs). BrainLeaks-v1 leverages surrogate gradients projected into the spiking domain via gradient binarization and G2S-inspired steps, while BrainLeaks-v2 models inputs as Bernoulli parameters and employs Natural Evolution Strategies (NES) for gradient estimation with a sparsity penalty, yielding robust inversions across static and event-based data. Across MNIST, AT&T Face, N-MNIST, and DvsGesture datasets, results show SNNs can be more privacy-preserving in some contexts but remain vulnerable, especially to BrainLeaks-v2, underscoring the need for privacy-aware design in neuromorphic systems and further study of MI risks in spiking computation.

Abstract

With the mainstream integration of machine learning into security-sensitive domains such as healthcare and finance, concerns about data privacy have intensified. Conventional artificial neural networks (ANNs) have been found vulnerable to several attacks that can leak sensitive data. Particularly, model inversion (MI) attacks enable the reconstruction of data samples that have been used to train the model. Neuromorphic architectures have emerged as a paradigm shift in neural computing, enabling asynchronous and energy-efficient computation. However, little to no existing work has investigated the privacy of neuromorphic architectures against model inversion. Our study is motivated by the intuition that the non-differentiable aspect of spiking neural networks (SNNs) might result in inherent privacy-preserving properties, especially against gradient-based attacks. To investigate this hypothesis, we propose a thorough exploration of SNNs' privacy-preserving capabilities. Specifically, we develop novel inversion attack strategies that are comprehensively designed to target SNNs, offering a comparative analysis with their conventional ANN counterparts. Our experiments, conducted on diverse event-based and static datasets, demonstrate the effectiveness of the proposed attack strategies and therefore question the assumption of inherent privacy preservation in neuromorphic architectures.

Paper Structure (11 sections, 5 equations, 4 figures, 4 tables, 1 algorithm)

This paper contains 11 sections, 5 equations, 4 figures, 4 tables, 1 algorithm.

Figures (4)

  • Figure 1: Illustrative overview of an iteration of BrainLeaks-v1 to update the input.
  • Figure 2: A high-level overview of the BrainLeaks-v2 inversion process for a single-feature input spike train.
  • Figure 3: Qualitative results of BrainLeaks-v1 and BrainLeaks-v2 attacks on SNN models for all datasets.
  • Figure 4: Sample image reconstructions from MNIST and AT&T Face datasets after MI attacks on ANNs vs SNNs.