Flashy Backdoor: Real-world Environment Backdoor Attack on SNNs with DVS Cameras

Roberto Riaño, Gorka Abad, Stjepan Picek, Aitor Urbieta

TL;DR

This work presents the first evaluation of backdoor attacks on SNN models in real-world physical environments using event-based Dynamic Vision Sensor (DVS) cameras, and develops three novel backdoor attack methods, i.e., Framed, Strobing, and Flashy Backdoor, each progressively enhancing attack effectiveness and physical transferability.

Abstract

While security vulnerabilities in traditional Deep Neural Networks (DNNs) have been extensively studied, the susceptibility of Spiking Neural Networks (SNNs) to adversarial attacks remains mostly underexplored. Until now, the mechanisms to inject backdoors into SNN models have been limited to digital scenarios; thus, we present the first evaluation of backdoor attacks in real-world environments. We begin by assessing the applicability of existing digital backdoor attacks and identifying their limitations for deployment in physical environments. To address each of the found limitations, we present three novel backdoor attack methods on SNNs, i.e., Framed, Strobing, and Flashy Backdoor. We also assess the effectiveness of traditional backdoor procedures and defenses adapted for SNNs, such as pruning, fine-tuning, and fine-pruning. The results show that while these procedures and defenses can mitigate some attacks, they often fail against stronger methods like Flashy Backdoor or sacrifice too much clean accuracy, rendering the models unusable. Overall, all our methods can achieve up to a 100% Attack Success Rate while maintaining high clean accuracy in every tested dataset. Additionally, we evaluate the stealthiness of the triggers with commonly used metrics, finding them highly stealthy. Thus, we propose new alternatives more suited for identifying poisoned samples in these scenarios. Our results show that further research is needed to ensure the security of SNN-based systems against backdoor attacks and their safe application in real-world scenarios. The code, experiments, and results are available in our repository.

Paper Structure

This paper contains 43 sections, 6 equations, 11 figures, 8 tables.

Figures (11)

  • Figure 1: Workflow diagram of a LIF neuron, where $\mathbf{s}_j$ are the input spike trains, $\mathbf{u}_j$ are the membrane potentials of the presynaptic neurons, $\mathbf{u}_j$ are the synaptic weights, and $\mathbf{u}_i$ is the membrane potential of the neuron. When the membrane potential reaches the threshold $u_{th}$, the neuron fires an output spike $\mathbf{u}_{i}$.
  • Figure 2: Principle of operation of a DVS as described by Lichtsteiner et al.
  • Figure 3: Sample of a subject performing a clapping motion captured with our DVS camera.
  • Figure 4: Example of a Framed trigger with a size of 10% of the total frame inserted in the top-left position of the first 2 frames.
  • Figure 5: Principle of operation of the pixels of the DVS camera in the poisoned section, where the trigger is inserted in the first three frames, leaving a gap between them to let the threshold reset.
  • ...and 6 more figures