Towards Effective and Sparse Adversarial Attack on Spiking Neural Networks via Breaking Invisible Surrogate Gradients

TL;DR

The paper tackles the vulnerability of Spiking Neural Networks (SNNs) to gradient-based adversarial attacks in the presence of invisible surrogate gradients and binary dynamic inputs from Dynamic Vision Sensors. It introduces two key innovations: a potential-dependent surrogate gradient (PDSG) that adapts to membrane-potential distributions and a sparse dynamic attack (SDA) that crafts highly sparse perturbations for binary dynamic frames, using a generation-reduction paradigm. Empirically, PDSG achieves $100\%$ ASR on ImageNet and SDA attains $82\%$ ASR on CIFAR10DVS with only $0.24\%$ of pixels perturbed, outperforming state-of-the-art SNN attacks while maintaining attack imperceptibility. These results demonstrate stronger threat models for SNNs and motivate targeted defenses to improve robustness in neuromorphic systems.

Abstract

Spiking neural networks (SNNs) have shown their competence in handling spatial-temporal event-based data with low energy consumption. Similar to conventional artificial neural networks (ANNs), SNNs are also vulnerable to gradient-based adversarial attacks, wherein gradients are calculated by spatial-temporal back-propagation (STBP) and surrogate gradients (SGs). However, the SGs may be invisible for an inference-only model as they do not influence the inference results, and current gradient-based attacks are ineffective for binary dynamic images captured by the dynamic vision sensor (DVS). While some approaches addressed the issue of invisible SGs through universal SGs, their SGs lack a correlation with the victim model, resulting in sub-optimal performance. Moreover, the imperceptibility of existing SNN-based binary attacks is still insufficient. In this paper, we introduce an innovative potential-dependent surrogate gradient (PDSG) method to establish a robust connection between the SG and the model, thereby enhancing the adaptability of adversarial attacks across various models with invisible SGs. Additionally, we propose the sparse dynamic attack (SDA) to effectively attack binary dynamic images. Utilizing a generation-reduction paradigm, SDA can fully optimize the sparsity of adversarial perturbations. Experimental results demonstrate that our PDSG and SDA outperform state-of-the-art SNN-based attacks across various models and datasets. Specifically, our PDSG achieves 100% attack success rate on ImageNet, and our SDA obtains 82% attack success rate by modifying only 0.24% of the pixels on CIFAR10DVS. The code is available at https://github.com/ryime/PDSG-SDA .

Figures (10)

• Figure 1: Illustration of the challenges of attacking SNNs. The invisible SGs hinder the attacker to perform gradient-based attacks. The incompatible gradients describe that the floating-point gradients are difficult to be converted to binary perturbations.
• Figure 2: Illustration of the pre-processing procedure for both static and dynamic input of SNNs. For static inputs, the RGB image is encoded by direct or Poisson encoding to extend the temporal dimension. For dynamic inputs, event stream is captured by DVS, where $t$ denotes the time of the event, $x,y$ is the coordinates, and $p$ is the polarity. Then the event stream is aggregated into several integer frames, and each polarity corresponds to a channel. The integer frames will be further binarized to binary frames for hardware compatibility.
• Figure 3: (a) Illustration of our PDSG under different distributions of membrane potential. (b) The scatter diagram of the gradients and the frequency curve of membrane potential in the penultimate layer of ResNet18. The gradients cluster on the left side of the threshold, causing imbalanced gradients. (c) The scatter diagram of the gradients after calibration. The distribution of the gradients is balanced around the threshold, urging the attack to pay equal attention to the gradients on the both sides of the threshold.
• Figure 4: Illustration of our sparse dynamic attack. (a) In the generation process, we select contributing gradients through their signs, achieve top-$k$ significant gradients and calculate their FDs to add perturbations. (b) In the reduction process, we sort the contributing FDs calculated by the generation process, then adopt binary search to find $p_2$ which makes the example cease to be adversarial after removed.
• Figure 5: (a) Effectiveness of various offsets in the calibration of our PDSG. We adopt FGSM ($\epsilon=8/255$) to perform attacks. (b) Impact of diverse timesteps in attacking ResNet18 on CIFAR10.