Robust Spiking Neural Networks Against Adversarial Attacks

The Big Picture: The "Neuromorphic" City

Imagine a futuristic city called Neuromorphia. Unlike our current cities (which run on standard computers), this city runs on Spiking Neural Networks (SNNs).

The Old Way (Standard Computers): Think of a standard computer like a busy highway where cars (data) are constantly flowing, burning fuel (energy) even when there's no traffic.
The New Way (SNNs): Neuromorphia is like a smart, event-driven city. The "neurons" (citizens) only speak up (fire a "spike") when something important happens. If nothing is happening, they stay silent. This makes the city incredibly energy-efficient, perfect for battery-powered devices like smartwatches or drones.

The Problem: The "Ticklish" Neighbors

The researchers discovered a major weakness in this city. While the citizens are efficient, they are too sensitive.

Imagine a specific group of citizens standing right on the edge of a cliff (the Threshold).

The Threshold: This is the line a citizen must cross to shout "I see something!" (fire a spike).
The Vulnerability: Most citizens are far from the cliff. But some are standing right on the edge.
The Attack: A hacker (an Adversarial Attack) doesn't need to push the whole city. They just need to blow a tiny, almost invisible gust of wind (a tiny bit of noise) at those people standing on the edge.
The Result: Because they are so close to the edge, that tiny wind knocks them over. They flip from "Silent" to "Shouting" (or vice versa). This tiny flip confuses the whole city's decision-making, causing a self-driving car to think a stop sign is a speed limit sign.

The paper proves that these "edge-dwellers" are the weak link. They set the limit on how strong an attack the city can withstand.

The Solution: The "Threshold Guarding" Method (TGO)

To fix this, the researchers proposed a two-part security system called Threshold Guarding Optimization (TGO). Think of it as a city planner redesigning the neighborhood to make it harder for hackers to cause chaos.

1. Moving the Citizens Away from the Cliff (Membrane Potential Constraints)

The Analogy: Imagine the city planner realizes people standing on the cliff are dangerous. So, they build a fence and a wide safety zone. They force the citizens to stand far away from the edge.
How it works: The researchers add a rule to the training process: "If your energy level (membrane potential) gets too close to the shouting threshold, you get a penalty."
The Result: The citizens naturally settle in the middle of the room, far from the cliff. Now, a tiny gust of wind won't knock them over. They need a huge push to change their state. This makes the city much harder to trick.

2. Adding a "Fog of War" (Noisy Spiking Neurons)

The Analogy: Even with the safety zone, what if a hacker finds someone who still got too close? The second part of the plan is to introduce a little bit of fog (random noise) into the air.
How it works: In a normal city, if you are just past the line, you shout. If you are just before it, you stay silent. It's a strict, binary switch. The researchers changed the rules: "Now, there's a little fog. Even if you are slightly past the line, you might not shout immediately. It's a bit random."
The Result: This turns a rigid, brittle switch into a smooth, fuzzy one. A tiny push from a hacker might make a citizen slightly more likely to shout, but it won't guarantee a flip. The "fog" absorbs the shock, preventing the tiny wind from causing a catastrophic state change.

The Results: A Stronger City

The researchers tested this new security system in a virtual lab using standard image datasets (like CIFAR-10, which is like a photo album of cats, dogs, and cars).

Before TGO: When hackers used powerful attacks (like PGD or FGSM), the standard SNNs collapsed. Their accuracy dropped to near zero. They were easily tricked.
After TGO: The new "Guarded" SNNs held their ground. Even under heavy attacks, they kept recognizing the images correctly.
- In some tests, they improved their defense by 10% to 20% compared to the best existing methods.
- Crucially, this didn't make the city slower or more expensive to run. It's a "free" upgrade in security.

Why This Matters

This paper is a big deal because it explains why these efficient, bio-inspired computers are currently fragile and gives a practical recipe to make them robust.

Real World Impact: As we start putting these efficient chips into real-world devices (like medical implants, autonomous drones, or smart home cameras), they need to be secure. We don't want a hacker to trick a pacemaker or a drone with a tiny, invisible signal.
The Takeaway: By moving the "citizens" away from the edge and adding a little "fog" to the system, we can build neuromorphic computers that are not only energy-efficient but also tough enough to survive in a hostile digital world.

1. Problem Statement

Spiking Neural Networks (SNNs) are recognized for their energy efficiency and bio-plausibility, making them ideal for neuromorphic computing. However, directly trained SNNs (using surrogate gradient methods) suffer from significant robustness issues when facing adversarial attacks, similar to Artificial Neural Networks (ANNs).

The authors identify a specific theoretical bottleneck: threshold-neighboring spiking neurons.

The Vulnerability: Neurons whose membrane potentials ( $V[t]$ ) are close to their firing threshold ( $V_{th}$ ) are highly sensitive.
The Consequence: These neurons establish the theoretical upper bound for the strength of adversarial attacks. Under minor disturbances, they are prone to "state-flipping" (changing from firing to silent or vice versa), which cascades through the network to alter the final output.
The Gap: Existing defense strategies (like Adversarial Training) often incur high computational costs or lack a unified theoretical analysis of why SNNs are vulnerable in this specific manner.

2. Methodology: Threshold Guarding Optimization (TGO)

To address the vulnerability of threshold-neighboring neurons, the authors propose Threshold Guarding Optimization (TGO), a two-pronged approach that modifies the training process without adding inference overhead.

A. Membrane Potential Constraints (Gradient Sparsity)

The first component aims to push membrane potentials away from the firing threshold to reduce the Jacobian norm of the network, thereby lowering the theoretical upper bound of adversarial perturbations.

Mechanism: An additional constraint term is added to the loss function. This term penalizes neurons where the membrane potential $V[t]$ is within a margin $\delta$ of the threshold $V_{th}$ .
Dynamic Regularization: A hyperparameter $\lambda$ controls the strength of this constraint. Instead of using a fixed value, the authors employ a dynamic cosine annealing schedule for $\lambda$ . It starts low to allow parameter exploration and increases over epochs to strictly enforce the "guarding" of the threshold.
Goal: Maximize the distance between $V[t]$ and $V_{th}$ , increasing gradient sparsity and reducing the network's sensitivity to input perturbations.

B. Noisy Spiking Neurons (Probabilistic Firing)

The second component addresses the remaining neurons that inevitably stay near the threshold due to loss function requirements.

Mechanism: The authors introduce Noisy-LIF (Leaky Integrate-and-Fire) neurons. Gaussian white noise ( $\xi[t] \sim \mathcal{N}(0, \sigma^2)$ ) is added to the membrane potential dynamics.
Theoretical Basis: This transitions the firing mechanism from deterministic to probabilistic. Theoretical analysis (Theorem 1 & 2) shows that as noise level $\sigma$ increases, the probability of state-flipping ( $P_{flip}$ ) for small perturbations decreases monotonically when the potential is near the threshold.
Goal: Create a "buffer" effect where minor disturbances do not immediately trigger a state flip, stabilizing the network's output.

3. Key Contributions

Theoretical Analysis: The paper provides a rigorous mathematical proof demonstrating that threshold-neighboring neurons are the primary factor limiting SNN robustness. It establishes that these neurons define the upper bound of adversarial attack strength ( $R_{adv}$ ) and are the most likely to flip states under noise.
TGO Framework: Proposes a novel optimization method combining membrane potential constraints (to distance potentials from thresholds) and noisy neurons (to probabilistically suppress state flips).
State-of-the-Art (SOTA) Performance: The method achieves SOTA robustness across multiple datasets (CIFAR-10, CIFAR-100, DVS-CIFAR10) and architectures (VGG-11, WRN-16) under various attack scenarios (FGSM, RFGSM, PGD, APGD, MTPGD).
Efficiency: Unlike many robust training methods, TGO introduces no additional computational overhead during inference.

4. Experimental Results

The authors evaluated TGO using three training strategies: Vanilla (BPTT), Adversarial Training (AT), and Regularized Adversarial Training (RAT).

Performance on CIFAR-10/100:
- Under Vanilla (BPTT) training, TGO improved robustness against FGSM and RFGSM attacks by 10–20% compared to standard SNNs.
- When combined with AT and RAT, TGO consistently outperformed other robustness methods (e.g., Gradient Sparsity Regularization, DLIF, StoG). For example, on WRN-16 with RAT, TGO achieved 54.59% accuracy against PGD7 attacks, compared to 23.90% for the baseline.
Advanced Attacks: TGO demonstrated superior resilience against Auto-PGD (APGD) and Multi-Targeted PGD (MTPGD), even when Expectation over Transformation (EoT) was used to counter gradient masking.
Neuromorphic Datasets: On the DVS-CIFAR10 event-based dataset, TGO+AT reduced the Attack Success Rate (ASR) from 44.32% (standard AT) to 31.0%.
Ablation Studies:
- Both the Membrane Constraint (MC) and Noisy-LIF (NLIF) components individually improved robustness.
- Combined, they showed a synergistic effect, significantly outperforming the sum of individual parts.
- Visualization of loss landscapes showed TGO models have smoother gradients and fewer local optima compared to vanilla SNNs.

5. Significance

This work is significant for the field of neuromorphic computing and AI security for several reasons:

Theoretical Insight: It moves beyond empirical observation to provide a theoretical explanation for SNN vulnerability, linking membrane potential distribution directly to adversarial robustness bounds.
Practical Deployment: By ensuring the method adds no inference cost, it offers a viable path for deploying secure SNNs on resource-constrained edge devices (e.g., IoT, autonomous sensors).
Robust Edge Intelligence: The findings pave the way for more reliable SNNs in real-world applications where adversarial environments are a concern, bridging the gap between bio-plausible computing and security requirements.

In conclusion, the paper argues that by "guarding" the threshold—keeping neurons away from the firing line and making the firing process probabilistic—SNNs can achieve robustness comparable to or exceeding that of ANNs without sacrificing their energy efficiency advantages.