Defense · 2025

MPD-SGR: Robust Spiking Neural Networks with Membrane Potential Distribution-Driven Surrogate Gradient Regularization

Runhao Jiang 1, Chengzhi Jiang 1, Rui Yan 2, Huajin Tang 1

2 citations · 35 references · arXiv


Published on arXiv: 2511.12199

Input Manipulation Attack

OWASP ML Top 10 — ML01

Key Finding

MPD-SGR regularization significantly improves SNN adversarial resilience across multiple image classification benchmarks and network configurations by constraining membrane potential distribution away from the gradient-available region of the surrogate gradient function.

MPD-SGR

Novel technique introduced


Abstract

The surrogate gradient (SG) method has shown significant promise in enhancing the performance of deep spiking neural networks (SNNs), but it also introduces vulnerabilities to adversarial attacks. Although spike coding strategies and neural dynamics parameters have been extensively studied for their impact on robustness, the critical role of gradient magnitude, which reflects the model's sensitivity to input perturbations, remains underexplored. In SNNs, the gradient magnitude is primarily determined by the interaction between the membrane potential distribution (MPD) and the SG function. In this study, we investigate the relationship between the MPD and SG and their implications for improving the robustness of SNNs. Our theoretical analysis reveals that reducing the proportion of membrane potentials lying within the gradient-available range of the SG function effectively mitigates the sensitivity of SNNs to input perturbations. Building upon this insight, we propose a novel MPD-driven surrogate gradient regularization (MPD-SGR) method, which enhances robustness by explicitly regularizing the MPD based on its interaction with the SG function. Extensive experiments across multiple image classification benchmarks and diverse network architectures confirm that the MPD-SGR method significantly enhances the resilience of SNNs to adversarial perturbations and exhibits strong generalizability across diverse network configurations, SG functions, and spike encoding schemes.
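To make the "gradient-available range" concrete: a common SG choice replaces the non-differentiable spike with a function whose derivative is nonzero only in a window around the firing threshold. The sketch below uses a rectangular SG as one illustrative variant; the function name, `width`, and `gamma` parameters are assumptions for illustration, not the paper's exact formulation.

```python
import numpy as np

def rectangular_sg(u, theta=1.0, gamma=1.0, width=1.0):
    """Rectangular surrogate gradient: nonzero only inside the window
    |u - theta| < width around the firing threshold theta.
    Outside this window the gradient (and hence first-order sensitivity
    to input perturbations through this neuron) is zero."""
    return (gamma / (2 * width)) * (np.abs(u - theta) < width)

# Membrane potentials inside the window get a nonzero gradient;
# those outside the gradient-available range get zero.
u = np.array([-0.5, 0.6, 1.0, 1.9, 2.5])
g = rectangular_sg(u)
# g = [0.0, 0.5, 0.5, 0.5, 0.0]
```

The paper's observation is that the more of the MPD's mass falls inside this window, the larger the backpropagated (and adversarially exploitable) gradient magnitude.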


Key Contributions

  • Theoretical framework formally connecting robustness error to surrogate gradient magnitude and membrane potential distribution in SNNs
  • Novel MPD-SGR regularization method that reduces the proportion of membrane potentials within the gradient-available range of the SG function to lower adversarial sensitivity
  • Demonstrated generalizability of MPD-SGR across diverse SNN architectures, SG function variants, and spike encoding schemes on multiple image classification benchmarks
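The regularization idea in the contributions above can be sketched as a penalty on the fraction of membrane potentials lying inside the SG's gradient-available window, added to the task loss. This is a minimal sketch under stated assumptions: the sigmoid-based smooth indicator, the `sharpness` parameter, and the function name are hypothetical stand-ins, not the paper's actual regularizer.

```python
import numpy as np

def mpd_sgr_penalty(u, theta=1.0, width=1.0, sharpness=5.0):
    """Smooth (sigmoid-based) proxy for the fraction of membrane
    potentials inside the gradient-available window |u - theta| < width.
    Minimizing this term pushes the membrane potential distribution
    away from the window, lowering the SG magnitude and thus the
    model's first-order sensitivity to input perturbations."""
    inside = 1.0 / (1.0 + np.exp(sharpness * (np.abs(u - theta) - width)))
    return inside.mean()

# Potentials clustered near the threshold incur a larger penalty
# than potentials pushed well away from it.
near = np.array([0.8, 1.0, 1.2])   # inside the window
far = np.array([-1.0, 3.0, 3.5])   # outside the window
```

In training, such a term would be weighted and added to the classification loss, e.g. `loss = ce_loss + lam * mpd_sgr_penalty(u)`, trading a small amount of clean accuracy for reduced adversarial sensitivity.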

🛡️ Threat Analysis

Input Manipulation Attack

The paper's primary contribution is a defense against adversarial input perturbations targeting SNNs at inference time. It analyzes how gradient magnitude determines sensitivity to adversarial examples and proposes MPD-SGR regularization to reduce that sensitivity — a direct defense against input manipulation attacks.


Details

Domains
vision
Model Types
cnn
Threat Tags
white_box · inference_time · digital
Applications
image classification