Towards Reliable Evaluation of Adversarial Robustness for Spiking Neural Networks

TL;DR

This paper introduces a new framework and methods for more reliable evaluation of adversarial robustness in Spiking Neural Networks, addressing gradient vanishing issues and providing more accurate attack success assessments.

Contribution

It proposes the Adaptive Sharpness Surrogate Gradient (ASSG) and a stable adaptive attack method, improving the reliability of adversarial robustness evaluation for SNNs.

Findings

Current SNN robustness has been overestimated.

The proposed methods increase attack success rates significantly.

The framework offers a more dependable evaluation of SNN adversarial robustness.

Abstract

Spiking Neural Networks (SNNs) utilize spike-based activations to mimic the brain's energy-efficient information processing. However, the binary and discontinuous nature of spike activations causes vanishing gradients, making adversarial robustness evaluation via gradient descent unreliable. While improved surrogate gradient methods have been proposed, their effectiveness under strong adversarial attacks remains unclear. We propose a more reliable framework for evaluating SNN adversarial robustness. We theoretically analyze the degree of gradient vanishing in surrogate gradients and introduce the Adaptive Sharpness Surrogate Gradient (ASSG), which adaptively evolves the shape of the surrogate function according to the input distribution during attack iterations, thereby enhancing gradient accuracy while mitigating gradient vanishing. In addition, we design an adversarial attack with adaptive step size under the $L_\infty$ constraint-Stable Adaptive Projected Gradient Descent (SA-PGD), achieving faster and more stable convergence under imprecise gradients. Extensive experiments show that our approach substantially increases attack success rates across diverse adversarial training schemes, SNN architectures and neuron models, providing a more generalized and reliable evaluation of SNN adversarial robustness. The experimental results further reveal that the robustness of current SNNs has been significantly overestimated and highlighting the need for more dependable adversarial training methods. The code is released at https://github.com/craree/ASSG-SNNs-Robustness-Evaluation