Robust Spiking Neural Networks Against Adversarial Attacks
Shuai Wang 1, Malu Zhang 1,2, Yulin Jiang 1, Dehao Zhang 1, Ammar Belatreche 3, Yu Liang 1, Yimeng Shan 1, Zijian Zhou 1, Yang Yang 1, Haizhou Li 2,4
Published on arXiv: 2602.20548
Input Manipulation Attack
OWASP ML Top 10 — ML01
Key Finding
TGO achieves state-of-the-art adversarial robustness for directly trained SNNs across multiple attack scenarios with no additional computational overhead at inference time
Novel technique introduced: Threshold Guarding Optimization (TGO)
Spiking Neural Networks (SNNs) represent a promising paradigm for energy-efficient neuromorphic computing due to their bio-plausible and spike-driven characteristics. However, the robustness of SNNs in complex adversarial environments remains significantly constrained. In this study, we theoretically demonstrate that those threshold-neighboring spiking neurons are the key factors limiting the robustness of directly trained SNNs. We find that these neurons set the upper limits for the maximum potential strength of adversarial attacks and are prone to state-flipping under minor disturbances. To address this challenge, we propose a Threshold Guarding Optimization (TGO) method, which comprises two key aspects. First, we incorporate additional constraints into the loss function to move neurons' membrane potentials away from their thresholds. It increases SNNs' gradient sparsity, thereby reducing the theoretical upper bound of adversarial attacks. Second, we introduce noisy spiking neurons to transition the neuronal firing mechanism from deterministic to probabilistic, decreasing their state-flipping probability due to minor disturbances. Extensive experiments conducted in standard adversarial scenarios prove that our method significantly enhances the robustness of directly trained SNNs. These findings pave the way for advancing more reliable and secure neuromorphic computing in real-world applications.
Key Contributions
- Theoretical analysis showing threshold-neighboring spiking neurons are the primary robustness bottleneck in directly trained SNNs, defining upper limits on adversarial attack strength
- Threshold Guarding Optimization (TGO): loss constraints that push membrane potentials away from firing thresholds, increasing gradient sparsity and reducing adversarial attack potential
- Introduction of noisy spiking neurons that convert deterministic firing to probabilistic, reducing state-flipping probability under minor disturbances with zero inference-time overhead
🛡️ Threat Analysis
Proposes a defense (Threshold Guarding Optimization) specifically against adversarial input perturbations that cause misclassification in SNNs at inference time — directly addresses gradient-based evasion attacks like FGSM and PGD.
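
The two mechanisms named in the contributions above, as an added toy example (not code from the paper or its authors): it counts the threshold-neighboring neurons that a bounded perturbation could flip, evaluates a hinge-style margin penalty, and compares a deterministic state flip with the firing-probability shift of a noisy neuron. The penalty form, the Gaussian noise model, and all function names and sample potentials are assumptions made for illustration.

```python
# Added illustration; the penalty form and the Gaussian noise model are
# assumptions, not the paper's formulation.
import math

def flippable_fraction(potentials, threshold, eps):
    """Fraction of neurons whose spike state a perturbation of size <= eps
    on the membrane potential could change (threshold-neighboring neurons)."""
    near = [abs(u - threshold) <= eps for u in potentials]
    return sum(near) / len(potentials)

def guard_penalty(potentials, threshold, margin):
    """Assumed hinge-style loss term: zero once every potential is at least
    `margin` away from the threshold, growing as potentials approach it."""
    total = sum(max(0.0, margin - abs(u - threshold)) for u in potentials)
    return total / len(potentials)

def noisy_fire_prob(u, threshold, sigma):
    """Firing probability when Gaussian noise N(0, sigma^2) is added to the
    potential before thresholding (assumed noise model)."""
    return 0.5 * (1.0 + math.erf((u - threshold) / (sigma * math.sqrt(2.0))))

def state_change(u, threshold, eps, sigma=None):
    """Change in firing state (or firing probability, if sigma is given)
    when the potential u is pushed up by eps."""
    if sigma is None:
        # Deterministic neuron: the state either flips (1.0) or does not (0.0).
        return float((u + eps >= threshold) != (u >= threshold))
    return (noisy_fire_prob(u + eps, threshold, sigma)
            - noisy_fire_prob(u, threshold, sigma))

# Constructed sample potentials for one layer at one time step.
THRESHOLD = 1.0
UNGUARDED = [0.20, 0.95, 1.02, 1.60]   # two neurons sit next to the threshold
GUARDED = [0.20, 0.60, 1.40, 1.60]     # same firing pattern, wider margins

if __name__ == "__main__":
    for name, layer in (("unguarded", UNGUARDED), ("guarded", GUARDED)):
        print(name,
              "flippable:", flippable_fraction(layer, THRESHOLD, 0.1),
              "penalty:", round(guard_penalty(layer, THRESHOLD, 0.3), 4))
    print("deterministic change:", state_change(0.95, THRESHOLD, 0.1))
    print("noisy change:", round(state_change(0.95, THRESHOLD, 0.1, sigma=0.2), 4))
```
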