Data Poisoning-based Backdoor Attack Framework against Supervised Learning Rules of Spiking Neural Networks

TL;DR

Data poisoning-based backdoor attacks on Spiking Neural Networks (SNNs) trained with supervised learning rules are analyzed, revealing that SNNs lose inherent robustness under backdoor threats and that backdoor information can migrate through conversion with rates often exceeding $99\%$. The authors present a generic attack framework applicable to BP-based ($\mathcal{LR_B}$), conversion-based ($\mathcal{LR_C}$), and hybrid ($\mathcal{LR_H}$) learning, and demonstrate high attack success across image and neuromorphic datasets while examining robustness, migration, and time overhead. Key findings show that all three rules are vulnerable, though LR_H offers relatively stronger resilience; migration during conversion is a major vulnerability, and defenses such as detection via voltage/spike patterns and elimination via fine-tuning show practical potential. The work underscores the need for secure SNN training protocols and outlines defense directions and future research on robust learning rules and attack mitigation.

Abstract

Spiking Neural Networks (SNNs), the third generation neural networks, are known for their low energy consumption and high robustness. SNNs are developing rapidly and can compete with Artificial Neural Networks (ANNs) in many fields. To ensure that the widespread use of SNNs does not cause serious security incidents, much research has been conducted to explore the robustness of SNNs under adversarial sample attacks. However, many other unassessed security threats exist, such as highly stealthy backdoor attacks. Therefore, to fill the research gap in this and further explore the security vulnerabilities of SNNs, this paper explores the robustness performance of SNNs trained by supervised learning rules under backdoor attacks. Specifically, the work herein includes: i) We propose a generic backdoor attack framework that can be launched against the training process of existing supervised learning rules and covers all learnable dataset types of SNNs. ii) We analyze the robustness differences between different learning rules and between SNN and ANN, which suggests that SNN no longer has inherent robustness under backdoor attacks. iii) We reveal the vulnerability of conversion-dependent learning rules caused by backdoor migration and further analyze the migration ability during the conversion process, finding that the backdoor migration rate can even exceed 99%. iv) Finally, we discuss potential countermeasures against this kind of backdoor attack and its technical challenges and point out several promising research directions.

Figures (18)

• Figure 1: Breaking model robustness through data poisoning and backdoor attacks based on data poisoning
• Figure 2: Overview of the generic backdoor framework for supervised learning rules of SNNs. Note that the dotted arrows in the figure indicate the forward direction of the attack process. After the Data poisoning step, the orange arrow, purple arrow, and blue arrow represent the backdoor injection process for $\mathcal{LR_B}$, $\mathcal{LR_C}$, and $\mathcal{LR_H}$, respectively.
• Figure 3: Attack performance on SNNs with IF neurons trained by ($\mathcal{LR_B}$) on MNIST (a)-(b) and CIFAR10 (c)-(d).
• Figure 4: Attack performance on SNNs with LIF neurons trained by $\mathcal{LR_B}$ on MNIST (a) and CIFAR10 (b).
• Figure 5: Backdoor attack performance on VGG11 with LIF neurons trained by $\mathcal{LR_B}$ on N-MNIST N-MNIST, CIFAR10-DVS CIFAR10-DVS, and DVS128Gesture DVS128Gesture.