BrainLeaks: On the Privacy-Preserving Properties of Neuromorphic Architectures against Model Inversion Attacks

Hamed Poursiami, Ihsen Alouani, Maryam Parsa
2024-05-07
Abstract: With the mainstream integration of machine learning into security-sensitive domains such as healthcare and finance, concerns about data privacy have intensified. Conventional artificial neural networks (ANNs) have been found vulnerable to several attacks that can leak sensitive data. Particularly, model inversion (MI) attacks enable the reconstruction of data samples that have been used to train the model. Neuromorphic architectures have emerged as a paradigm shift in neural computing, enabling asynchronous and energy-efficient computation. However, little to no existing work has investigated the privacy of neuromorphic architectures against model inversion. Our study is motivated by the intuition that the non-differentiable aspect of spiking neural networks (SNNs) might result in inherent privacy-preserving properties, especially against gradient-based attacks. To investigate this hypothesis, we propose a thorough exploration of SNNs' privacy-preserving capabilities. Specifically, we develop novel inversion attack strategies that are comprehensively designed to target SNNs, offering a comparative analysis with their conventional ANN counterparts. Our experiments, conducted on diverse event-based and static datasets, demonstrate the effectiveness of the proposed attack strategies and therefore question the assumption of inherent privacy-preserving in neuromorphic architectures.

Subjects: Cryptography and Security, Machine Learning, Neural and Evolutionary Computing
### What problem does this paper attempt to solve?

This paper explores the privacy-protecting characteristics of neuromorphic architectures (especially spiking neural networks, SNNs) when facing model inversion (MI) attacks. Specifically, the paper attempts to answer the following questions:

1. **Do neuromorphic architectures have an inherent privacy-protecting ability?**
   - The paper hypothesizes that, because of the non-differentiable characteristics of SNNs (such as spike-based operations), they may have a natural resistance to gradient-based attacks and thus provide better privacy protection.
2. **How can the privacy protection of SNNs be evaluated and compared with that of traditional artificial neural networks (ANNs)?**
   - The paper proposes and develops two new model inversion attack methods for SNNs, BrainLeaks-v1 and BrainLeaks-v2, and verifies the effectiveness of these attacks through experiments to evaluate the privacy-protecting performance of SNNs.
3. **What are the privacy risks of neuromorphic architectures on different datasets?**
   - The researchers conducted experiments on multiple static and dynamic datasets, including face recognition, digit classification, and gesture recognition tasks, to understand the privacy-protecting ability of SNNs in different application scenarios.

### Main contributions

- **First systematic study**: This is the first rigorous study of the privacy vulnerability of SNNs under model inversion attacks.
- **Innovative attack methods**: Two new attack methods, BrainLeaks-v1 and BrainLeaks-v2, are proposed, which address the incompatibility between continuous gradients and discrete spike inputs.
- **Experimental verification**: Extensive experiments show that SNNs do exhibit stronger privacy-protecting ability in some cases, but significant privacy risks remain in other cases.
### Formula summary

- **Membrane potential update formula for LIF neurons**:

  \[ \nu[n] = \alpha\cdot\nu[n-1] + \sum_k \omega_k\cdot I_k[n] - O[n-1]\cdot\theta \]

  where \(\nu[n]\) is the membrane potential, \(\alpha\) is the leak decay factor, \(I_k[n]\) is the input spike from the presynaptic neuron, \(\omega_k\) is the corresponding synaptic weight, and \(\theta\) is the threshold.

- **Activation function**:

  \[ O[n] = \begin{cases} 1 & \text{if } \nu[n] > \theta \\ 0 & \text{otherwise} \end{cases} \]

- **Loss function in MI attack**:

  \[ L_{id} = 1 - M_y(\hat{x}) \]

  where \(M_y(\hat{x})\) represents the posterior probability that model \(M\) predicts input \(\hat{x}\) as label \(y\).

- **Gradient estimation in BrainLeaks-v2**:

  \[ \nabla_{X_p}L \approx \frac{\sum_{i=1}^{K} e^{-L_i}\cdot\nabla_{X_s^i}L}{\sum_{i=1}^{K} e^{-L_i}} \]

### Conclusion

Although SNNs exhibit stronger privacy-protecting ability than ANNs in some cases, they still face significant privacy risks. This indicates that further research and development of more effective privacy-protecting mechanisms are required, especially in the emerging field of neuromorphic computing.
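The LIF update and threshold activation from the formula summary, simulated as an added example (not code from the paper) to show why the spike output is piecewise constant in its input, the non-differentiability behind the paper's hypothesis. The spike trains, weights, `alpha`, `theta`, the zero initial state and the function names are all assumptions constructed for this illustration.

```python
# Added illustration, not the paper's code. All values are constructed.

def lif_run(spikes, weights, alpha=0.9, theta=1.0):
    """Simulate one LIF neuron; spikes[k][n] is presynaptic input k at step n.

    Applies v[n] = alpha*v[n-1] + sum_k w_k*I_k[n] - O[n-1]*theta and
    O[n] = 1 if v[n] > theta else 0, starting from v = 0, O = 0 (assumed).
    Returns (membrane potentials, output spikes).
    """
    v_prev, o_prev = 0.0, 0
    potentials, outputs = [], []
    for n in range(len(spikes[0])):
        drive = sum(w * train[n] for w, train in zip(weights, spikes))
        v = alpha * v_prev + drive - o_prev * theta  # leak, input, soft reset
        o = 1 if v > theta else 0                    # Heaviside threshold
        potentials.append(v)
        outputs.append(o)
        v_prev, o_prev = v, o
    return potentials, outputs


def spike_count(scale, spikes, weights):
    """Output spike count when input channel 0 is scaled by `scale`."""
    scaled = [[scale * s for s in spikes[0]]] + [list(t) for t in spikes[1:]]
    return sum(lif_run(scaled, weights)[1])


def finite_difference(scale, eps, spikes, weights):
    """Numerical slope of the spike count with respect to the input scale."""
    return (spike_count(scale + eps, spikes, weights)
            - spike_count(scale, spikes, weights)) / eps


# Constructed sample input: two presynaptic spike trains over six steps.
SPIKES = [[1, 0, 1, 1, 0, 1],
          [0, 1, 1, 0, 1, 1]]
WEIGHTS = [0.6, 0.5]

if __name__ == "__main__":
    potentials, outputs = lif_run(SPIKES, WEIGHTS)
    print("membrane potentials:", [round(v, 4) for v in potentials])
    print("output spikes:      ", outputs)
    # A small input change leaves every threshold decision unchanged,
    # so the numerical slope is exactly zero.
    print("slope at eps=1e-3:  ", finite_difference(1.0, 1e-3, SPIKES, WEIGHTS))
    # A larger change pushes one step over the threshold: the count jumps.
    print("count at scale 1.0: ", spike_count(1.0, SPIKES, WEIGHTS))
    print("count at scale 1.1: ", spike_count(1.1, SPIKES, WEIGHTS))
```

The flat slope followed by a jump is the property the hypothesis rests on; as the conclusion above states, it does not by itself remove the privacy risk.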