
Robust Spiking Neural Networks Against Adversarial Attacks

Shuai Wang, Malu Zhang, Yulin Jiang, Dehao Zhang, Ammar Belatreche, Yu Liang, Yimeng Shan, Zijian Zhou, Yang Yang, Haizhou Li

TL;DR

This study theoretically demonstrates that threshold-neighboring spiking neurons are the key factors limiting the robustness of directly trained SNNs, and proposes a Threshold Guarding Optimization (TGO) method, which increases SNNs' gradient sparsity, thereby reducing the theoretical upper bound of adversarial attacks.

Abstract

Spiking Neural Networks (SNNs) represent a promising paradigm for energy-efficient neuromorphic computing due to their bio-plausible and spike-driven characteristics. However, the robustness of SNNs in complex adversarial environments remains significantly constrained. In this study, we theoretically demonstrate that those threshold-neighboring spiking neurons are the key factors limiting the robustness of directly trained SNNs. We find that these neurons set the upper limits for the maximum potential strength of adversarial attacks and are prone to state-flipping under minor disturbances. To address this challenge, we propose a Threshold Guarding Optimization (TGO) method, which comprises two key aspects. First, we incorporate additional constraints into the loss function to move neurons' membrane potentials away from their thresholds. It increases SNNs' gradient sparsity, thereby reducing the theoretical upper bound of adversarial attacks. Second, we introduce noisy spiking neurons to transition the neuronal firing mechanism from deterministic to probabilistic, decreasing their state-flipping probability due to minor disturbances. Extensive experiments conducted in standard adversarial scenarios prove that our method significantly enhances the robustness of directly trained SNNs. These findings pave the way for advancing more reliable and secure neuromorphic computing in real-world applications.
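
The abstract's claim that only threshold-neighboring neurons change state under minor disturbances can be checked on a toy leaky integrate-and-fire layer. The following is an added example, not code from the paper: the neuron model (hard reset, constant input current), all constants and the helper names are assumptions. It works at the level of a neuron's input current rather than image-space attacks, and audits which neurons sit inside the worst-case drift bound `EPS / (1 - TAU)`.

```python
# Added illustration; constants and the neuron model are assumptions, not the paper's setup.
V_TH = 1.0    # firing threshold
TAU = 0.5     # leak factor: V[t] = TAU * V[t-1] + I[t]
T = 8         # simulation steps
EPS = 0.02    # per-step bound on the input disturbance


def simulate(current, delta=0.0):
    """Run one LIF neuron with hard reset; return (spike train, pre-reset potentials)."""
    v, spikes, potentials = 0.0, [], []
    for _ in range(T):
        v = TAU * v + current + delta
        potentials.append(v)
        fired = v >= V_TH
        spikes.append(int(fired))
        if fired:
            v = 0.0  # hard reset
    return spikes, potentials


def threshold_margin(current):
    """Smallest distance between the clean membrane potential and the threshold."""
    _, potentials = simulate(current)
    return min(abs(v - V_TH) for v in potentials)


def flips(current):
    """True if a constant disturbance of +EPS or -EPS changes the spike train."""
    clean, _ = simulate(current)
    return any(simulate(current, d)[0] != clean for d in (EPS, -EPS))


def audit(currents):
    """Split neurons by margin and count spike-train flips in each group."""
    bound = EPS / (1.0 - TAU)  # worst-case drift of V under a disturbance of size EPS
    report = {"near": 0, "near_flipped": 0, "far": 0, "far_flipped": 0}
    for c in currents:
        group = "far" if threshold_margin(c) > bound else "near"
        report[group] += 1
        report[group + "_flipped"] += int(flips(c))
    return report


# Constructed sample: 300 neurons driven by constant currents from 0.005 to 1.5.
CURRENTS = [0.005 * i for i in range(1, 301)]

if __name__ == "__main__":
    print(audit(CURRENTS))
```

Every flip lands in the `near` group: until the first flip the clean and disturbed potentials differ by less than `EPS / (1 - TAU)`, so a neuron whose margin exceeds that bound cannot cross the threshold.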

Paper Structure (24 sections, 2 theorems, 57 equations, 5 figures, 5 tables)


Key Result

Theorem 1

Let $V[t]$ be the membrane potential, $V_{\mathrm{th}}$ the threshold, and $\eta[t] \sim \mathcal{N}(0, \sigma^2)$ random perturbation. The probability $P_{\mathrm{flip}}$ of each neuron’s flipping is given by: where $\Phi$ denotes the cumulative distribution function (CDF) of the standard normal distribution.

Figures (5)

  • Figure 1: Red traces represent membrane potential dynamics of spiking neurons under adversarial attack. Only membrane potentials near thresholds undergo spike pattern transitions, while others remain unchanged.
  • Figure 2: Mechanism and working principle of the TGO method. (a) The TGO method combines membrane potential constraints with noisy LIF neuron models for adversarial defense. (b) Gradient-based adversarial attacks illustrate how disturbances affect input images. (c) The joint optimization of the objective and constraint functions drives neuron membrane potentials away from the firing threshold. (d) The noisy LIF model effectively reduces the probability of state flips caused by small input disturbances, enhancing model stability.
  • Figure 3: Performance comparison of TGO (ours) and SR with AT across different perturbation budgets $\epsilon$ and different $\lambda_{\text{max}}$. Experiments are conducted on CIFAR-100 dataset using WRN-16 architecture.
  • Figure 4: Comparison of membrane potential distributions and loss landscapes: The TGO-optimized SNN decreases membrane potentials near the threshold by approximately 40% and effectively circumvents adversarial traps during RFGSM attacks.
  • Figure 5: Heatmaps of $\nabla_x f_y$, where $f$ denotes a vanilla SNN or our TGO-optimized SNN.

Theorems & Definitions (2)

  • Theorem 1
  • Theorem 2