MPD-SGR: Robust Spiking Neural Networks with Membrane Potential Distribution-Driven Surrogate Gradient Regularization
Runhao Jiang, Chengzhi Jiang, Rui Yan, Huajin Tang
TL;DR
This paper addresses adversarial vulnerability in deep Spiking Neural Networks trained with surrogate gradients by linking robustness to the gradient magnitude governed by the interaction between membrane potential distribution (MPD) and the SG function. It derives an overlap-based SG magnitude $\Omega = \int_{-\gamma}^{\gamma} p(x)dx = \Phi\left(\frac{\mu+\gamma}{\sigma}\right) - \Phi\left(\frac{\mu-\gamma}{\sigma}\right)$ and proposes MPD-SGR, which regularizes the MPD to reduce this overlap. The authors provide a theoretical framework connecting robustness error to SG magnitude, and an explicit MPD-SGR loss $\mathcal{L}_{MPD-SGR}$ added to the task loss with weight $\eta$. Extensive experiments on CIFAR-10/100 and Tiny-ImageNet across VGG11 and WRN16 show improved adversarial robustness against white-box, black-box, and non-gradient perturbations, with strong generalization across SG functions and spike codes and without large clean-accuracy losses.
Abstract
The surrogate gradient (SG) method has shown significant promise in enhancing the performance of deep spiking neural networks (SNNs), but it also introduces vulnerabilities to adversarial attacks. Although spike coding strategies and neural dynamics parameters have been extensively studied for their impact on robustness, the critical role of gradient magnitude, which reflects the model's sensitivity to input perturbations, remains underexplored. In SNNs, the gradient magnitude is primarily determined by the interaction between the membrane potential distribution (MPD) and the SG function. In this study, we investigate the relationship between the MPD and SG and their implications for improving the robustness of SNNs. Our theoretical analysis reveals that reducing the proportion of membrane potentials lying within the gradient-available range of the SG function effectively mitigates the sensitivity of SNNs to input perturbations. Building upon this insight, we propose a novel MPD-driven surrogate gradient regularization (MPD-SGR) method, which enhances robustness by explicitly regularizing the MPD based on its interaction with the SG function. Extensive experiments across multiple image classification benchmarks and diverse network architectures confirm that the MPD-SGR method significantly enhances the resilience of SNNs to adversarial perturbations and exhibits strong generalizability across diverse network configurations, SG functions, and spike encoding schemes.