ML Security PapersTime Is All It Takes: Spike-Retiming Attacks on Event-Driven Spiking Neural Networks
Yi Yu 1, Qixing Zhang 1, Shuhan Ye 1, Xun Lin 2, Qianshan Wei 3, Kun Wang 1, Wenhan Yang 4, Dacheng Tao 1, Xudong Jiang 1
Published on arXiv
2602.03284
Input Manipulation Attack
OWASP ML Top 10 — ML01
Key Finding
Achieves over 90% attack success rate on DVS-Gesture while touching fewer than 2% of spikes under B0 budget, defeating even timing-aware adversarially trained models.
Spike-Retiming Attack (PIL)
Novel technique introduced
Spiking neural networks (SNNs) compute with discrete spikes and exploit temporal structure, yet most adversarial attacks change intensities or event counts instead of timing. We study a timing-only adversary that retimes existing spikes while preserving spike counts and amplitudes in event-driven SNNs, thus remaining rate-preserving. We formalize a capacity-1 spike-retiming threat model with a unified trio of budgets: per-spike jitter $\mathcal{B}_{\infty}$, total delay $\mathcal{B}_{1}$, and tamper count $\mathcal{B}_{0}$. Feasible adversarial examples must satisfy timeline consistency and non-overlap, which makes the search space discrete and constrained. To optimize such retimings at scale, we use projected-in-the-loop (PIL) optimization: shift-probability logits yield a differentiable soft retiming for backpropagation, and a strict projection in the forward pass produces a feasible discrete schedule that satisfies capacity-1, non-overlap, and the chosen budget at every step. The objective maximizes task loss on the projected input and adds a capacity regularizer together with budget-aware penalties, which stabilizes gradients and aligns optimization with evaluation. Across event-driven benchmarks (CIFAR10-DVS, DVS-Gesture, N-MNIST) and diverse SNN architectures, we evaluate under binary and integer event grids and a range of retiming budgets, and also test models trained with timing-aware adversarial training designed to counter timing-only attacks. For example, on DVS-Gesture the attack attains high success (over $90\%$) while touching fewer than $2\%$ of spikes under $\mathcal{B}_{0}$. Taken together, our results show that spike retiming is a practical and stealthy attack surface that current defenses struggle to counter, providing a clear reference for temporal robustness in event-driven SNNs. Code is available at https://github.com/yuyi-sd/Spike-Retiming-Attacks.
Key Contributions
- Formalizes a capacity-1 spike-retiming threat model with three budget types (B∞ per-spike jitter, B1 total delay, B0 tamper count) plus timeline consistency and non-overlap constraints
- Projected-in-the-loop (PIL) optimization that uses differentiable soft retiming for backpropagation while enforcing feasible discrete schedules in the forward pass
- Demonstrates >90% attack success on DVS-Gesture while modifying fewer than 2% of spikes, and shows effectiveness against timing-aware adversarial training defenses
🛡️ Threat Analysis
Proposes adversarial input manipulation (spike-retiming) that causes misclassification at inference time via projected-in-the-loop gradient optimization — a novel evasion attack targeting SNN temporal computation.