Exploring Adversarial Attack in Spiking Neural Networks with Spike-Compatible Gradient
Recently, backpropagation through time inspired learning algorithms are
widely introduced into SNNs to improve the performance, which brings the
possibility to attack the models accurately given Spatio-temporal gradient
maps. We propose two approaches to address the challenges of gradient input
incompatibility and gradient vanishing. Specifically, we design a gradient to
spike converter to convert continuous gradients to ternary ones compatible with
spike inputs. Then, we design a gradient trigger to construct ternary gradients
that can randomly flip the spike inputs with a controllable turnover rate, when
meeting all zero gradients. Putting these methods together, we build an
adversarial attack methodology for SNNs trained by supervised algorithms.
Moreover, we analyze the influence of the training loss function and the firing
threshold of the penultimate layer, which indicates a "trap" region under the
cross-entropy loss that can be escaped by threshold tuning. Extensive
experiments are conducted to validate the effectiveness of our solution.
Besides the quantitative analysis of the influence factors, we evidence that
SNNs are more robust against adversarial attack than ANNs. This work can help
reveal what happens in SNN attack and might stimulate more research on the
security of SNN models and neuromorphic devices.
Learning Spiking Neural Network from Easy to Hard task
Starting with small and simple concepts, and gradually introducing complex
and difficult concepts is the natural process of human learning. Spiking Neural
Networks (SNNs) aim to mimic the way humans process information, but current
SNN models treat all samples equally, which does not align with the principles
of human learning and overlooks the biological plausibility of SNNs. To address
this, we propose a CL-SNN model that introduces Curriculum Learning (CL) into
SNNs, making SNNs learn more like humans and providing higher biological
interpretability. CL is a training strategy that advocates presenting easier
data to models before gradually introducing more challenging data, mimicking
the human learning process. We use a confidence-aware loss to measure and
process the samples with different difficulty levels. By learning the
confidence of different samples, the model reduces the contribution of
difficult samples to parameter optimization automatically. We conducted
experiments on static image datasets MNIST, Fashion-MNIST, CIFAR10, and
neuromorphic datasets N-MNIST, CIFAR10-DVS, DVS-Gesture. The results are
promising. To the best of our knowledge, this is the first proposal to enhance the
biological plausibility of SNNs by introducing CL.
Adversarial Defense via Neural Oscillation inspired Gradient Masking
Spiking neural networks (SNNs) attract great attention due to their low power
consumption, low latency, and biological plausibility. As they are widely
deployed in neuromorphic devices for low-power brain-inspired computing,
security issues become increasingly important. However, compared to deep neural
networks (DNNs), SNNs currently lack specifically designed defense methods
against adversarial attacks. Inspired by neural membrane potential oscillation,
we propose a novel neural model that incorporates the bio-inspired oscillation
mechanism to enhance the security of SNNs. Our experiments show that SNNs with
neural oscillation neurons have better resistance to adversarial attacks than
ordinary SNNs with LIF neurons on kinds of architectures and datasets.
Furthermore, we propose a defense method that changes the model's gradients by
replacing the form of oscillation, which hides the original training gradients
and confuses the attacker into using gradients of 'fake' neurons to generate
invalid adversarial samples. Our experiments suggest that the proposed defense
method can effectively resist both single-step and iterative attacks with
comparable defense effectiveness and much less computational costs than
adversarial training methods on DNNs. To the best of our knowledge, this is the
first work that establishes adversarial defense through masking surrogate
gradients on SNNs.
DVS-Attacks: Adversarial Attacks on Dynamic Vision Sensors for Spiking Neural Networks
Spiking Neural Networks (SNNs), despite being energy-efficient when
implemented on neuromorphic hardware and coupled with event-based Dynamic
Vision Sensors (DVS), are vulnerable to security threats, such as adversarial
attacks, i.e., small perturbations added to the input for inducing a
misclassification. Toward this, we propose DVS-Attacks, a set of stealthy yet
efficient adversarial attack methodologies targeted to perturb the event
sequences that compose the input of the SNNs. First, we show that noise filters
for DVS can be used as defense mechanisms against adversarial attacks.
Afterwards, we implement several attacks and test them in the presence of two
types of noise filters for DVS cameras. The experimental results show that the
filters can only partially defend the SNNs against our proposed DVS-Attacks.
Using the best settings for the noise filters, our proposed Mask Filter-Aware
Dash Attack reduces the accuracy by more than 20% on the DVS-Gesture dataset
and by more than 65% on the MNIST dataset, compared to the original clean
frames. The source code of all the proposed DVS-Attacks and noise filters is
released at https://github.com/albertomarchisio/DVS-Attacks.
Comment: Accepted for publication at IJCNN 202
Benchmarking Spiking Neural Network Learning Methods with Varying Locality
Spiking Neural Networks (SNNs), providing more realistic neuronal dynamics,
have been shown to achieve performance comparable to Artificial Neural Networks
(ANNs) in several machine learning tasks. Information is processed as spikes
within SNNs in an event-based mechanism that significantly reduces energy
consumption. However, training SNNs is challenging due to the
non-differentiable nature of the spiking mechanism. Traditional approaches,
such as Backpropagation Through Time (BPTT), have shown effectiveness but come
with additional computational and memory costs and are biologically
implausible. In contrast, recent works propose alternative learning methods
with varying degrees of locality, demonstrating success in classification
tasks. In this work, we show that these methods share similarities during the
training process, while they present a trade-off between biological
plausibility and performance. Further, this research examines the implicitly
recurrent nature of SNNs and investigates the influence of addition of explicit
recurrence to SNNs. We experimentally prove that the addition of explicit
recurrent weights enhances the robustness of SNNs. We also investigate the
performance of local learning methods under gradient and non-gradient based
adversarial attacks.
Adversarial Examples Detection with Bayesian Neural Network
In this paper, we propose a new framework to detect adversarial examples
motivated by the observations that random components can improve the smoothness
of predictors and make it easier to simulate the output distribution of a deep
neural network. With these observations, we propose a novel Bayesian
adversarial example detector, short for BATer, to improve the performance of
adversarial example detection. Specifically, we study the distributional
difference of hidden layer output between natural and adversarial examples, and
propose to use the randomness of the Bayesian neural network to simulate hidden
layer output distribution and leverage the distribution dispersion to detect
adversarial examples. The advantage of a Bayesian neural network is that the
output is stochastic while a deep neural network without random components does
not have such characteristics. Empirical results on several benchmark datasets
against popular attacks show that the proposed BATer outperforms the
state-of-the-art detectors in adversarial example detection.
Exploring Adversarial Attack in Spiking Neural Networks With Spike-Compatible Gradient.
Spiking neural network (SNN) is broadly deployed in neuromorphic devices to emulate brain function. In this context, SNN security becomes important while lacking in-depth investigation. To this end, we target the adversarial attack against SNNs and identify several challenges distinct from the artificial neural network (ANN) attack: 1) current adversarial attack is mainly based on gradient information that presents in a spatiotemporal pattern in SNNs, hard to obtain with conventional backpropagation algorithms; 2) the continuous gradient of the input is incompatible with the binary spiking input during gradient accumulation, hindering the generation of spike-based adversarial examples; and 3) the input gradient can be all-zeros (i.e., vanishing) sometimes due to the zero-dominant derivative of the firing function. Recently, backpropagation through time (BPTT)-inspired learning algorithms are widely introduced into SNNs to improve the performance, which brings the possibility to attack the models accurately given spatiotemporal gradient maps. We propose two approaches to address the above challenges of gradient-input incompatibility and gradient vanishing. Specifically, we design a gradient-to-spike (G2S) converter to convert continuous gradients to ternary ones compatible with spike inputs. Then, we design a restricted spike flipper (RSF) to construct ternary gradients that can randomly flip the spike inputs with a controllable turnover rate, when meeting all-zero gradients. Putting these methods together, we build an adversarial attack methodology for SNNs. Moreover, we analyze the influence of the training loss function and the firing threshold of the penultimate layer on the attack effectiveness. Extensive experiments are conducted to validate our solution. Besides the quantitative analysis of the influence factors, we also compare SNNs and ANNs against adversarial attacks under different attack methods. 
This work can help reveal what happens in SNN attacks and might stimulate more research on the security of SNN models and neuromorphic devices.