Table of Contents
Fetching ...

Time Is All It Takes: Spike-Retiming Attacks on Event-Driven Spiking Neural Networks

Yi Yu, Qixin Zhang, Shuhan Ye, Xun Lin, Qianshan Wei, Kun Wang, Wenhan Yang, Dacheng Tao, Xudong Jiang

TL;DR

This work introduces spike-retiming, a timing-only adversarial threat on event-driven SNNs that preserves spike counts and amplitudes while re-timing spikes within budgets $B_ fty$, $B_1$, and $B_0$. The authors formalize feasibility (timeline and capacity-1 non-overlap) and develop a projected-in-the-loop (PIL) optimization framework that uses differentiable soft retiming and a strict projection to enforce hard constraints. Through extensive experiments on CIFAR10-DVS, DVS-Gesture, and N-MNIST across binary and integer event grids, the attack achieves high success rates even under adversarial training, with integer grids offering more robustness than binary. The results highlight a temporal vulnerability in event-driven SNNs and underscore the need for timing-aware defenses and robustness benchmarks, as simple rate-based defenses are largely ineffective against such timing perturbations. The work provides a concrete, scalable reference for evaluating temporal robustness in neuromorphic systems and demonstrates that spike timing is a critical axis for both attack and defense planning in SNNs.

Abstract

Spiking neural networks (SNNs) compute with discrete spikes and exploit temporal structure, yet most adversarial attacks change intensities or event counts instead of timing. We study a timing-only adversary that retimes existing spikes while preserving spike counts and amplitudes in event-driven SNNs, thus remaining rate-preserving. We formalize a capacity-1 spike-retiming threat model with a unified trio of budgets: per-spike jitter $\mathcal{B}_{\infty}$, total delay $\mathcal{B}_{1}$, and tamper count $\mathcal{B}_{0}$. Feasible adversarial examples must satisfy timeline consistency and non-overlap, which makes the search space discrete and constrained. To optimize such retimings at scale, we use projected-in-the-loop (PIL) optimization: shift-probability logits yield a differentiable soft retiming for backpropagation, and a strict projection in the forward pass produces a feasible discrete schedule that satisfies capacity-1, non-overlap, and the chosen budget at every step. The objective maximizes task loss on the projected input and adds a capacity regularizer together with budget-aware penalties, which stabilizes gradients and aligns optimization with evaluation. Across event-driven benchmarks (CIFAR10-DVS, DVS-Gesture, N-MNIST) and diverse SNN architectures, we evaluate under binary and integer event grids and a range of retiming budgets, and also test models trained with timing-aware adversarial training designed to counter timing-only attacks. For example, on DVS-Gesture the attack attains high success (over $90\%$) while touching fewer than $2\%$ of spikes under $\mathcal{B}_{0}$. Taken together, our results show that spike retiming is a practical and stealthy attack surface that current defenses struggle to counter, providing a clear reference for temporal robustness in event-driven SNNs. Code is available at https://github.com/yuyi-sd/Spike-Retiming-Attacks.

Time Is All It Takes: Spike-Retiming Attacks on Event-Driven Spiking Neural Networks

TL;DR

This work introduces spike-retiming, a timing-only adversarial threat on event-driven SNNs that preserves spike counts and amplitudes while re-timing spikes within budgets , , and . The authors formalize feasibility (timeline and capacity-1 non-overlap) and develop a projected-in-the-loop (PIL) optimization framework that uses differentiable soft retiming and a strict projection to enforce hard constraints. Through extensive experiments on CIFAR10-DVS, DVS-Gesture, and N-MNIST across binary and integer event grids, the attack achieves high success rates even under adversarial training, with integer grids offering more robustness than binary. The results highlight a temporal vulnerability in event-driven SNNs and underscore the need for timing-aware defenses and robustness benchmarks, as simple rate-based defenses are largely ineffective against such timing perturbations. The work provides a concrete, scalable reference for evaluating temporal robustness in neuromorphic systems and demonstrates that spike timing is a critical axis for both attack and defense planning in SNNs.

Abstract

Spiking neural networks (SNNs) compute with discrete spikes and exploit temporal structure, yet most adversarial attacks change intensities or event counts instead of timing. We study a timing-only adversary that retimes existing spikes while preserving spike counts and amplitudes in event-driven SNNs, thus remaining rate-preserving. We formalize a capacity-1 spike-retiming threat model with a unified trio of budgets: per-spike jitter , total delay , and tamper count . Feasible adversarial examples must satisfy timeline consistency and non-overlap, which makes the search space discrete and constrained. To optimize such retimings at scale, we use projected-in-the-loop (PIL) optimization: shift-probability logits yield a differentiable soft retiming for backpropagation, and a strict projection in the forward pass produces a feasible discrete schedule that satisfies capacity-1, non-overlap, and the chosen budget at every step. The objective maximizes task loss on the projected input and adds a capacity regularizer together with budget-aware penalties, which stabilizes gradients and aligns optimization with evaluation. Across event-driven benchmarks (CIFAR10-DVS, DVS-Gesture, N-MNIST) and diverse SNN architectures, we evaluate under binary and integer event grids and a range of retiming budgets, and also test models trained with timing-aware adversarial training designed to counter timing-only attacks. For example, on DVS-Gesture the attack attains high success (over ) while touching fewer than of spikes under . Taken together, our results show that spike retiming is a practical and stealthy attack surface that current defenses struggle to counter, providing a clear reference for temporal robustness in event-driven SNNs. Code is available at https://github.com/yuyi-sd/Spike-Retiming-Attacks.
Paper Structure (70 sections, 40 equations, 8 figures, 17 tables, 2 algorithms)

This paper contains 70 sections, 40 equations, 8 figures, 17 tables, 2 algorithms.

Figures (8)

  • Figure 1: Attack overview. (a) Original event stream. (b) Previous attacks add/remove spikes under a $0$-norm, limited to binary grids. (c) Ours move spikes on each event timeline, preserving counts and amplitudes, supports multiple norm types, and can be applied to both binary and integer grids.
  • Figure 2: Time-shift distribution (exclude $0$).
  • Figure 3: Visualization of DVS-Gesture across selected frames (Frame 3/6 in odd/even rows). Origin shows the clean frame (positive in green, negative in blue), Ours shows the retimed frame under a fixed retiming budget, Diff highlights changes (new in green, removed in red, unchanged in gray, polarity swap in yellow), and Shift (pos) / Shift (neg) map per-polarity time shifts (delay in red, advance in blue, zero in gray, no spike in black). Shift color intensity scales with the absolute shift.
  • Figure 4: Results of TRADES V.s. PGD AT.
  • Figure 5: Accuracy V.s. budget curve on binary grid.
  • ...and 3 more figures

Theorems & Definitions (1)

  • Definition 1: Spike Timing Attack