Attacking the Spike: On the Transferability and Security of Spiking Neural Networks to Adversarial Examples

· Source: cs.NE updates on arXiv.org · Field: Technology & Digital — Artificial Intelligence & Machine Learning, Cybersecurity & Data Privacy, Computer Vision & Pattern Recognition · Depth: Expert, quick

Summary

Nuo Xu et al. introduce the Mixed Dynamic Spiking Estimation (MDSE) attack, a novel method designed to exploit vulnerabilities in Spiking Neural Networks (SNNs) and other deep learning models to adversarial examples. The research highlights that successful white-box adversarial attacks on SNNs are highly dependent on the underlying surrogate gradient estimator, even for SNNs that have undergone adversarial training. Current attack methods fail to leverage multiple surrogate gradient estimators for SNNs or reliably generate adversarial examples that simultaneously fool both SNN and non-SNN models like Vision Transformers (ViTs) and CNNs. MDSE addresses these limitations by employing a dynamic gradient estimation scheme, enabling it to exploit multiple estimators and create adversarial examples effective across SNN and non-SNN architectures. Experiments across CIFAR-10, CIFAR-100, and ImageNet datasets, involving nineteen classifier models, demonstrate MDSE's superior efficacy, achieving up to 91.4% greater effectiveness on SNN/ViT model ensembles and a 3x boost on adversarially trained SNN ensembles compared to conventional white-box attacks like Auto-PGD. The implementation is publicly available.

Key takeaway

For AI Security Engineers evaluating Spiking Neural Network (SNN) robustness, you should recognize that current adversarial training methods may be insufficient. The MDSE attack demonstrates that exploiting multiple surrogate gradient estimators significantly boosts attack efficacy, even against adversarially trained SNNs. You must consider dynamic gradient estimation vulnerabilities and explore ensemble defenses for SNNs and hybrid SNN/non-SNN systems to enhance your models' resilience against sophisticated adversarial examples.

Key insights

Adversarial attacks on SNNs are highly dependent on surrogate gradient estimators, and a new method, MDSE, exploits this for cross-model effectiveness.

Principles

Method

The Mixed Dynamic Spiking Estimation (MDSE) attack uses a dynamic gradient estimation scheme to fully exploit multiple surrogate gradient estimator functions, generating adversarial examples that simultaneously fool SNN and non-SNN models.

In practice

Topics

Code references

Best for: Research Scientist, AI Scientist, Machine Learning Engineer, AI Security Engineer

Related on AIssential

Open in AIssential →

Editorial summary, takeaway, and curation by AIssential. Original article published by cs.NE updates on arXiv.org.