On the Privacy-Preserving Properties of Spiking Neural Networks with Unique Surrogate Gradients and Quantization Levels

Ayana Moshruba, Shay Snyder, Hamed Poursiami, Maryam Parsa

TL;DR

This paper investigates privacy preservation in Spiking Neural Networks (SNNs) under Membership Inference Attacks (MIAs), comparing full-precision SNNs to quantized ANNs and SNNs. It evaluates two main strategies—activation/weight quantization and diverse surrogate gradients—across five datasets, using ROC-AUC as the privacy metric and assessing the privacy-accuracy trade-off. Results show that quantization improves privacy for both architectures with minimal accuracy loss, while full-precision SNNs remain more private than quantized ANNs. Among surrogate gradients, Spike Rate Escape offers the best balance of privacy protection and accuracy, whereas Arctangent tends to increase MIA vulnerability; overall, these findings reinforce the intrinsic privacy advantages of SNNs and highlight the importance of quantization and gradient choice in shaping privacy outcomes.

Abstract

As machine learning models increasingly process sensitive data, understanding their vulnerability to privacy attacks is vital. Membership inference attacks (MIAs) exploit model responses to infer whether specific data points were used during training, posing a significant privacy risk. Prior research suggests that spiking neural networks (SNNs), which rely on event-driven computation and discrete spike-based encoding, exhibit greater resilience to MIAs than artificial neural networks (ANNs). This resilience stems from their non-differentiable activations and inherent stochasticity, which obscure the correlation between model responses and individual training samples. To enhance privacy in SNNs, we explore two techniques: quantization and surrogate gradients. Quantization, which reduces precision to limit information leakage, has improved privacy in ANNs. Given SNNs' sparse and irregular activations, quantization may further disrupt the activation patterns exploited by MIAs. We assess the vulnerability of SNNs and ANNs under weight and activation quantization across multiple datasets, using the attack model's receiver operating characteristic (ROC) curve area under the curve (AUC) metric, where lower values indicate stronger privacy, and evaluate the privacy-accuracy trade-off. Our findings show that quantization enhances privacy in both architectures with minimal performance loss, though full-precision SNNs remain more resilient than quantized ANNs. Additionally, we examine the impact of surrogate gradients on privacy in SNNs. Among five evaluated gradients, spike rate escape provides the best privacy-accuracy trade-off, while arctangent increases vulnerability to MIAs. These results reinforce SNNs' inherent privacy advantages and demonstrate that quantization and surrogate gradient selection significantly influence privacy-accuracy trade-offs in SNNs.
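The privacy metric described in the abstract, as an added example that is not code from the paper or its authors: it computes the ROC-AUC of a confidence-threshold membership inference attack, counting ties as half, before and after the scores are uniformly quantized. Assumptions: the score lists are constructed, the helper names are hypothetical, and quantizing the score the attack observes is a simplified stand-in for the paper's weight and activation quantization.

```python
import math

def quantize(score, bits):
    """Uniformly quantize a score in [0, 1] to 2**bits levels."""
    top = 2 ** bits - 1
    return math.floor(score * top + 0.5) / top

def attack_auc(member_scores, nonmember_scores):
    """ROC-AUC of an attack that predicts 'member' for high scores.

    Equals P(member > non-member) + 0.5 * P(tie), so the ties that
    coarse quantization creates count as coin flips, not as wins.
    0.5 means the attack is guessing; 1.0 means full separation.
    """
    wins = 0.0
    for m in member_scores:
        for n in nonmember_scores:
            if m > n:
                wins += 1.0
            elif m == n:
                wins += 0.5
    return wins / (len(member_scores) * len(nonmember_scores))

def auc_at_precision(members, nonmembers, bits=None):
    """Attack AUC on raw scores (bits=None) or on `bits`-bit scores."""
    if bits is None:
        return attack_auc(members, nonmembers)
    return attack_auc([quantize(s, bits) for s in members],
                      [quantize(s, bits) for s in nonmembers])

# Constructed sample data (assumption, not results from the paper):
# top-class confidence of a model on training members and on held-out
# non-members. Members skew higher, which is the signal an MIA uses.
MEMBERS = [0.99, 0.97, 0.95, 0.90, 0.80, 0.62]
NONMEMBERS = [0.93, 0.85, 0.75, 0.70, 0.60, 0.55]

if __name__ == "__main__":
    print("FP ", round(auc_at_precision(MEMBERS, NONMEMBERS), 3))
    for bits in (8, 4, 2):
        auc = auc_at_precision(MEMBERS, NONMEMBERS, bits)
        print(f"w={bits}", round(auc, 3))
```

On this constructed data the 8-bit scores keep the full-precision ranking, while at 2 bits most scores collapse onto two levels and the attack AUC moves toward 0.5.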

Paper Structure

This paper contains 15 sections, 2 equations, 3 figures, 3 tables.

Figures (3)

  • Figure 1: Membership Inference Attack (MIA) Framework
  • Figure 2: Activation Quantization impact on Model Accuracy on (a) Breast Cancer, (b) CIFAR-10, (c) F-MNIST, and (d) MNIST. The grey solid line represents the Full Precision (FP) model, while the purple dotted, orange dashed, and blue dash-dotted lines correspond to the quantized models with bit precisions of w=8, w=4, and w=2, respectively.
  • Figure 3: Activation Quantization impact on Privacy Vulnerability on (a) Breast Cancer, (b) CIFAR-10, (c) F-MNIST, and (d) MNIST. The grey solid line represents the Full Precision (FP) model, while the purple dotted, orange dashed, and blue dash-dotted lines correspond to the quantized models with bit precisions of w=8, w=4, and w=2, respectively.