Logo
ScienceStack
Table of Contents
Fetching ...
Sign In

BadSNN: Backdoor Attacks on Spiking Neural Networks via Adversarial Spiking Neuron

Abdullah Arafat Miah, Kevin Vu, Yu Bi

TL;DR

This work addresses backdoor threats in Spiking Neural Networks by exploiting the hyperparameters of spiking neurons, notably $V_{\text{thr}}$ and $\tau$, to embed a backdoor without input data poisoning. The authors propose BadSNN, a two-part approach combining malicious spike poisoning during training with a trigger-optimization pipeline (via $\mathcal{T}_p$ and $\mathcal{T}_o$) to activate the backdoor on inference, extended to neuromorphic data with a temporally varying trigger $\mathcal{T}_s$. Empirical results across four datasets and multiple architectures show strong attack effectiveness (high ASR and controlled CA degradation) and robustness to several defenses, with ablations illustrating parameter regimes that balance stealth and impact. The findings underscore a new threat surface in SNNs and emphasize the need for defenses that account for spiking-neuron hyperparameters and trigger-learning dynamics.

Abstract

Spiking Neural Networks (SNNs) are energy-efficient counterparts of Deep Neural Networks (DNNs) with high biological plausibility, as information is transmitted through temporal spiking patterns. The core element of an SNN is the spiking neuron, which converts input data into spikes following the Leaky Integrate-and-Fire (LIF) neuron model. This model includes several important hyperparameters, such as the membrane potential threshold and membrane time constant. Both the DNNs and SNNs have proven to be exploitable by backdoor attacks, where an adversary can poison the training dataset with malicious triggers and force the model to behave in an attacker-defined manner. Yet, how an adversary can exploit the unique characteristics of SNNs for backdoor attacks remains underexplored. In this paper, we propose \textit{BadSNN}, a novel backdoor attack on spiking neural networks that exploits hyperparameter variations of spiking neurons to inject backdoor behavior into the model. We further propose a trigger optimization process to achieve better attack performance while making trigger patterns less perceptible. \textit{BadSNN} demonstrates superior attack performance on various datasets and architectures, as well as compared with state-of-the-art data poisoning-based backdoor attacks and robustness against common backdoor mitigation techniques. Codes can be found at https://github.com/SiSL-URI/BadSNN.

BadSNN: Backdoor Attacks on Spiking Neural Networks via Adversarial Spiking Neuron

TL;DR

This work addresses backdoor threats in Spiking Neural Networks by exploiting the hyperparameters of spiking neurons, notably and , to embed a backdoor without input data poisoning. The authors propose BadSNN, a two-part approach combining malicious spike poisoning during training with a trigger-optimization pipeline (via and ) to activate the backdoor on inference, extended to neuromorphic data with a temporally varying trigger . Empirical results across four datasets and multiple architectures show strong attack effectiveness (high ASR and controlled CA degradation) and robustness to several defenses, with ablations illustrating parameter regimes that balance stealth and impact. The findings underscore a new threat surface in SNNs and emphasize the need for defenses that account for spiking-neuron hyperparameters and trigger-learning dynamics.

Abstract

Spiking Neural Networks (SNNs) are energy-efficient counterparts of Deep Neural Networks (DNNs) with high biological plausibility, as information is transmitted through temporal spiking patterns. The core element of an SNN is the spiking neuron, which converts input data into spikes following the Leaky Integrate-and-Fire (LIF) neuron model. This model includes several important hyperparameters, such as the membrane potential threshold and membrane time constant. Both the DNNs and SNNs have proven to be exploitable by backdoor attacks, where an adversary can poison the training dataset with malicious triggers and force the model to behave in an attacker-defined manner. Yet, how an adversary can exploit the unique characteristics of SNNs for backdoor attacks remains underexplored. In this paper, we propose \textit{BadSNN}, a novel backdoor attack on spiking neural networks that exploits hyperparameter variations of spiking neurons to inject backdoor behavior into the model. We further propose a trigger optimization process to achieve better attack performance while making trigger patterns less perceptible. \textit{BadSNN} demonstrates superior attack performance on various datasets and architectures, as well as compared with state-of-the-art data poisoning-based backdoor attacks and robustness against common backdoor mitigation techniques. Codes can be found at https://github.com/SiSL-URI/BadSNN.
Paper Structure (20 sections, 8 equations, 6 figures, 2 tables)

This paper contains 20 sections, 8 equations, 6 figures, 2 tables.

Table of Contents

  1. Introduction
  2. Related works
  3. Methodology
  4. Threat Model
  5. Preliminaries
  6. Proposed Attack
  7. Backdoor Training
  8. Trigger Optimization
  9. Extension to Neuromorphic Data
  10. Inference
  11. Experiments
  12. Experimental Settings
  13. Attack Effectiveness
  14. Attack Robustness
  15. Ablation Studies
  16. ...and 5 more sections

Figures (6)

  • Figure 1: Overview of the proposed BadSNN.
  • Figure 2: Effect of membrane potential threshold ($V_{thr}$) on ResNet-19 performance for CIFAR-10: (a) test accuracy degradation and (b) average spike count per sample across all LIF neuron layers.
  • Figure 3: CA/ASR heatmaps for different $V_{\text{thr}}^t$ and $\tau^t$.
  • Figure 4: Attack effectiveness analysis for different poisoning ratios and perturbation magnitudes.
  • Figure 5: Different images from CIFAR-10, GTSRB, and CIFAR-100 with their corresponding triggered versions.
  • ...and 1 more figures

Theorems & Definitions (1)

  • Remark 1