Adversarial Defense via Neural Oscillation inspired Gradient Masking

TL;DR

This paper introduces a novel bio-inspired neural oscillation mechanism in spiking neural networks to improve adversarial robustness, along with a gradient masking defense method that is computationally efficient and effective against various attacks.

Contribution

It proposes a new neural model with oscillation neurons for enhanced security and a gradient masking defense technique for SNNs, pioneering adversarial defense in this domain.

Findings

Oscillation neurons improve resistance to adversarial attacks.

Gradient masking effectively confuses attackers with less computational cost.

First work to apply gradient masking defense in SNNs.

Abstract

Spiking neural networks (SNNs) attract great attention due to their low power consumption, low latency, and biological plausibility. As they are widely deployed in neuromorphic devices for low-power brain-inspired computing, security issues become increasingly important. However, compared to deep neural networks (DNNs), SNNs currently lack specifically designed defense methods against adversarial attacks. Inspired by neural membrane potential oscillation, we propose a novel neural model that incorporates the bio-inspired oscillation mechanism to enhance the security of SNNs. Our experiments show that SNNs with neural oscillation neurons have better resistance to adversarial attacks than ordinary SNNs with LIF neurons on kinds of architectures and datasets. Furthermore, we propose a defense method that changes model's gradients by replacing the form of oscillation, which hides the original training gradients and confuses the attacker into using gradients of 'fake' neurons to generate invalid adversarial samples. Our experiments suggest that the proposed defense method can effectively resist both single-step and iterative attacks with comparable defense effectiveness and much less computational costs than adversarial training methods on DNNs. To the best of our knowledge, this is the first work that establishes adversarial defense through masking surrogate gradients on SNNs.