ML Security PapersTowards Reliable Evaluation of Adversarial Robustness for Spiking Neural Networks
Jihang Wang 1,2, Dongcheng Zhao 1, Ruolin Chen 1,2, Qian Zhang 1,2,3, Yi Zeng 1,2,3
Published on arXiv
2512.22522
Input Manipulation Attack
OWASP ML Top 10 — ML01
Key Finding
Substantially increases attack success rates across diverse adversarial training schemes and SNN architectures, revealing that reported SNN robustness is significantly overestimated.
SA-PGD + ASSG
Novel technique introduced
Spiking Neural Networks (SNNs) utilize spike-based activations to mimic the brain's energy-efficient information processing. However, the binary and discontinuous nature of spike activations causes vanishing gradients, making adversarial robustness evaluation via gradient descent unreliable. While improved surrogate gradient methods have been proposed, their effectiveness under strong adversarial attacks remains unclear. We propose a more reliable framework for evaluating SNN adversarial robustness. We theoretically analyze the degree of gradient vanishing in surrogate gradients and introduce the Adaptive Sharpness Surrogate Gradient (ASSG), which adaptively evolves the shape of the surrogate function according to the input distribution during attack iterations, thereby enhancing gradient accuracy while mitigating gradient vanishing. In addition, we design an adversarial attack with adaptive step size under the $L_\infty$ constraint-Stable Adaptive Projected Gradient Descent (SA-PGD), achieving faster and more stable convergence under imprecise gradients. Extensive experiments show that our approach substantially increases attack success rates across diverse adversarial training schemes, SNN architectures and neuron models, providing a more generalized and reliable evaluation of SNN adversarial robustness. The experimental results further reveal that the robustness of current SNNs has been significantly overestimated and highlighting the need for more dependable adversarial training methods. The code is released at https://github.com/craree/ASSG-SNNs-Robustness-Evaluation
Key Contributions
- Adaptive Sharpness Surrogate Gradient (ASSG) that dynamically evolves surrogate function shape during attack iterations to mitigate vanishing gradients in SNNs
- Stable Adaptive Projected Gradient Descent (SA-PGD), an L∞-constrained adversarial attack with adaptive step size for faster, more stable convergence under imprecise gradients
- Theoretical analysis demonstrating that existing SNN adversarial robustness has been significantly overestimated due to unreliable gradient evaluation
🛡️ Threat Analysis
Paper's primary contribution is novel gradient-based adversarial attack methods (ASSG surrogate gradient and SA-PGD step-size adaptation) that increase attack success rates against SNNs at inference time — a direct input manipulation/evasion attack contribution.