Robust Spiking Neural Networks Against Adversarial Attacks
Shuai Wang, Malu Zhang, Yulin Jiang, Dehao Zhang, Ammar Belatreche, Yu Liang, Yimeng Shan, Zijian Zhou, Yang Yang, Haizhou Li
TL;DR
This paper introduces a novel method called Threshold Guarding Optimization (TGO) that significantly improves the robustness of Spiking Neural Networks against adversarial attacks by modifying neuron potentials and firing mechanisms.
Contribution
The study identifies threshold-neighboring neurons as key factors limiting SNN robustness and proposes TGO to enhance security against adversarial disturbances.
Findings
TGO increases SNN robustness in adversarial scenarios.
Neurons' membrane potentials are effectively moved away from thresholds.
Probabilistic firing reduces state-flipping under minor disturbances.
Abstract
Spiking Neural Networks (SNNs) represent a promising paradigm for energy-efficient neuromorphic computing due to their bio-plausible and spike-driven characteristics. However, the robustness of SNNs in complex adversarial environments remains significantly constrained. In this study, we theoretically demonstrate that those threshold-neighboring spiking neurons are the key factors limiting the robustness of directly trained SNNs. We find that these neurons set the upper limits for the maximum potential strength of adversarial attacks and are prone to state-flipping under minor disturbances. To address this challenge, we propose a Threshold Guarding Optimization (TGO) method, which comprises two key aspects. First, we incorporate additional constraints into the loss function to move neurons' membrane potentials away from their thresholds. It increases SNNs' gradient sparsity, thereby…
Peer Reviews
Decision·ICLR 2026 Poster
- This paper is well-written and logically structured, making complex concepts accessible and easy to follow. - This paper provides a mathematical analysis linking “threshold-neighboring neurons” to adversarial vulnerability, which is a novel and interesting framework for SNN robustness research. - The authors demonstrate the effectiveness of the proposed TGO method across a wide range of adversarial attack scenarios. The experiments span multiple datasets, network architectures, and adversarial
- The method introduces additional hyper-parameters such as coefficient parameter $\lambda$ and noise level $\sigma$. However, the effectiveness of the $\lambda$ scheduling and sensitivity of the noise level $\sigma$ is missing. - The paper does not report the additional training cost introduced by the TGO compared to baselines such as adversarial trainings (AT, RAT). **Limitation** According to the reported results, the proposed method appears to reduce clean accuracy, indicating a potential
1.The reasoning of the paper is clear and coherent. Reducing the number of threshold-neighboring spiking neurons provides a new insight in enhancing the robustness of SNNs. 2.The theoretical analysis of the paper is reasonable. 3.The improvement of TGO is significant, improving the robustness effectively. (Only if the experimental results are convincing, see weaknesses below)
1. In Line 021 in abstract and Line 061 in introduction, the authors mentioned their method can enhance ‘gradient sparsity’. Normally the sparsity corresponds to L0-norm [1]. However, in Theorem 1, the author aims to optimize L2-norm of the Jacobian matrix, which is inconsistent to optimizing the gradient sparsity. The term ‘sparsity’ seems inappropriate. 2. What is Figure 2 used for? The main text does not mention or introduce Figure 2, leaving Figure 2 alone. What is $H[t]$ in Figure 2(a) and
**S1.** The idea is straightforward and easy to understand. **S2.** The authors conduct extensive experiments, including Expectation over Transformation (EoT) and loss landscape analysis. **S3.** As shown in the tables, TGO achieves the best robustness performance compared with state-of-the-art (SOTA) training strategies.
**W1.** The explanation of the idea is unnecessarily complicated. In particular, Theorem 2 seems redundant — it is difficult to follow due to the heavy notation, and after reading the proof in the appendix, it appears to be a straightforward extension of Theorem 1. **W2.** I believe the proof of Theorem 3 may be incorrect. According to Appendix E, the flipping probability from 1 to 0 should be expressed as the conditional probability and the same applies to the flipping probability from 0 to 1.
Videos
No videos yet. Explain this paper in a talk, walkthrough, or lecture? Add one.
Taxonomy
TopicsAdvanced Memory and Neural Computing · Ferroelectric and Negative Capacitance Devices · Neural Networks and Reservoir Computing