Robust and Efficient Adversarial Defense in SNNs via Image Purification and Joint Detection

Weiran Chen, Qi Xu

TL;DR

This work tackles adversarial vulnerability in Spiking Neural Networks (SNNs) by introducing an end-to-end image purification pre-processing module paired with an adversarial detection mechanism, inspired by visual masking and filtering. The purification network comprises a Noise-level Estimation SNN (NeSNN) and a Reconstruction SNN (RecSNN) to remove imperceptible noise, while a detector uses an $L_{\infty}$-norm criterion to decide when to pass purified images to the classifier. The authors propose a composite loss with Charbonnier reconstruction, KL regularization, an asymmetric noise-estimation term, and a total-variation penalty, and demonstrate efficient training (e.g., FGSM-based generation, 75 epochs for purification) that reduces computational overhead compared to multi-step PGD methods. Empirically, the approach yields competitive or superior defense performance across CIFAR-10/100, SVHN, and Tiny-ImageNet, with notable improvements in white-box and black-box robustness and substantial reductions in resource usage, validating its practicality for resource-constrained neuromorphic deployment.
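The detection step described above can be sketched as a gate that compares the $L_{\infty}$ norm of the purifier's change against a threshold calibrated on clean data. This is an added example, not the authors' code: `box_blur` is a stand-in for the NeSNN/RecSNN purifier, and the calibration rule, the threshold name `TAU` and the sample images are assumptions constructed for illustration.

```python
# Added illustration: L-infinity residual gate in front of a classifier.
# box_blur is a stand-in purifier, NOT the paper's NeSNN/RecSNN.

def box_blur(img):
    """Stand-in purifier: 3x3 mean on interior pixels, border left unchanged."""
    h, w = len(img), len(img[0])
    out = [row[:] for row in img]
    for i in range(1, h - 1):
        for j in range(1, w - 1):
            out[i][j] = sum(img[i + di][j + dj]
                            for di in (-1, 0, 1) for dj in (-1, 0, 1)) / 9.0
    return out

def linf_residual(img, purified):
    """L-infinity norm of (purified - img): the largest per-pixel change."""
    return max(abs(p - x) for ri, rp in zip(img, purified) for x, p in zip(ri, rp))

def calibrate_tau(clean_images, purifier):
    """Assumed rule: threshold = largest residual seen on clean calibration images."""
    return max(linf_residual(x, purifier(x)) for x in clean_images)

def gate(img, purifier, tau):
    """Return (flagged, image_for_classifier); only flagged inputs are replaced."""
    purified = purifier(img)
    flagged = linf_residual(img, purified) > tau
    return flagged, (purified if flagged else img)

def smooth_image(c, n=8):
    """Constructed clean sample: smooth bowl, values stay inside [0, 1]."""
    return [[0.25 + (i * i + j * j) / c for j in range(n)] for i in range(n)]

def perturb(img, eps):
    """Constructed bounded noise: +/-eps checkerboard (L-inf budget eps)."""
    return [[v + eps * (1 if (i + j) % 2 == 0 else -1)
             for j, v in enumerate(row)] for i, row in enumerate(img)]

CLEAN = [smooth_image(c) for c in (200.0, 400.0, 800.0)]
TAU = calibrate_tau(CLEAN, box_blur)
NOISY = perturb(CLEAN[1], 8 / 255)

if __name__ == "__main__":
    print("tau =", round(TAU, 5))
    for name, x in (("clean", CLEAN[1]), ("noisy", NOISY)):
        print(name, round(linf_residual(x, box_blur(x)), 5), gate(x, box_blur, TAU)[0])
```

Taking the maximum clean residual as the threshold gives zero false positives on the calibration set only; a deployment would pick a quantile on held-out clean data and measure the resulting false-positive rate.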

Abstract

Spiking Neural Networks (SNNs) aim to bridge the gap between neuroscience and machine learning by emulating the structure of the human nervous system. However, like convolutional neural networks, SNNs are vulnerable to adversarial attacks. To tackle the challenge, we propose a biologically inspired methodology to enhance the robustness of SNNs, drawing insights from the visual masking effect and filtering theory. First, an end-to-end SNN-based image purification model is proposed to defend against adversarial attacks, including a noise extraction network and a non-blind denoising network. The former network extracts noise features from noisy images, while the latter component employs a residual U-Net structure to reconstruct high-quality noisy images and generate clean images. Simultaneously, a multi-level firing SNN based on Squeeze-and-Excitation Network is introduced to improve the robustness of the classifier. Crucially, the proposed image purification network serves as a pre-processing module, avoiding modifications to classifiers. Unlike adversarial training, our method is highly flexible and can be seamlessly integrated with other defense strategies. Experimental results on various datasets demonstrate that the proposed methodology outperforms state-of-the-art baselines in terms of defense effectiveness, training time, and resource consumption.

Paper Structure

This paper contains 14 sections, 4 equations, 4 figures, 3 tables, 1 algorithm.

Figures (4)

  • Figure 1: Evaluations of CNN and SNN on common image corruptions and perturbations using the CIFAR-10/100 datasets.
  • Figure 2: (a) Overview of joint detecting and denoising adversarial perturbations. (b) The architecture of the RecSNN. (c) Spike activation function in image classification model: Multi-Level Firing (MLF) [feng2022multi].
  • Figure 3: The $L_{\infty}$ norm frequency distribution of clean and FGSM-based adversarial samples before and after the denoising network on CIFAR-10/100 training datasets.
  • Figure 4: The evaluation of the stronger PGD attack (step size: 2/255) on CIFAR-100 and SVHN. No defense: “Baseline”.