Membership Privacy Evaluation in Deep Spiking Neural Networks
Jiaxin Li, Gorka Abad, Stjepan Picek, Mauro Conti
TL;DR
This work assesses membership privacy in deep Spiking Neural Networks (SNNs) by evaluating eight Membership Inference Attacks (MIAs) across neuromorphic and static datasets. It demonstrates that SNNs trained on neuromorphic data are generally more vulnerable to MIAs than ANNs, while converting ANNs to SNNs can reduce attack effectiveness at a modest cost to accuracy. The study also explores how hyperparameters (neuron types, surrogate functions, optimizers, learning rates, time steps) influence MIA performance, and shows that data augmentation can substantially lower MIAs but cannot fully prevent leakage. These findings highlight privacy risks in SNNs and point to practical defense avenues such as ANN-to-SNN conversion and carefully designed augmentations, while signaling the need for stronger privacy-preserving strategies in neuromorphic learning systems.
Abstract
Artificial Neural Networks (ANNs), commonly mimicking neurons with non-linear functions to output floating-point numbers, consistently receive the same signals of a data point during its forward time. Unlike ANNs, Spiking Neural Networks (SNNs) get various input signals in the forward time of a data point and simulate neurons in a biologically plausible way, i.e., producing a spike (a binary value) if the accumulated membrane potential of a neuron is larger than a threshold. Even though ANNs have achieved remarkable success in multiple tasks, e.g., face recognition and object detection, SNNs have recently obtained attention due to their low power consumption, fast inference, and event-driven properties. While privacy threats against ANNs are widely explored, much less work has been done on SNNs. For instance, it is well-known that ANNs are vulnerable to the Membership Inference Attack (MIA), but whether the same applies to SNNs is not explored. In this paper, we evaluate the membership privacy of SNNs by considering eight MIAs, seven of which are inspired by MIAs against ANNs. Our evaluation results show that SNNs are more vulnerable (maximum 10% higher in terms of balanced attack accuracy) than ANNs when both are trained with neuromorphic datasets (with time dimension). On the other hand, when training ANNs or SNNs with static datasets (without time dimension), the vulnerability depends on the dataset used. If we convert ANNs trained with static datasets to SNNs, the accuracy of MIAs drops (maximum 11.5% with a reduction of 7.6% on the test accuracy of the target model). Next, we explore the impact factors of MIAs on SNNs by conducting a hyperparameter study. Finally, we show that the basic data augmentation method for static data and two recent data augmentation methods for neuromorphic data can considerably (maximum reduction of 25.7%) decrease MIAs' performance on SNNs.