Data Poisoning-based Backdoor Attack Framework against Supervised Learning Rules of Spiking Neural Networks

Lingxin Jin, Meiyu Lin, Wei Jiang, Jinyu Zhan
2024-09-24
Abstract: Spiking Neural Networks (SNNs), the third-generation neural networks, are known for their low energy consumption and high robustness. SNNs are developing rapidly and can compete with Artificial Neural Networks (ANNs) in many fields. To ensure that the widespread use of SNNs does not cause serious security incidents, much research has been conducted to explore the robustness of SNNs under adversarial sample attacks. However, many other unassessed security threats exist, such as highly stealthy backdoor attacks. Therefore, to fill this research gap and further explore the security vulnerabilities of SNNs, this paper explores the robustness performance of SNNs trained by supervised learning rules under backdoor attacks. Specifically, the work herein includes: i) We propose a generic backdoor attack framework that can be launched against the training process of existing supervised learning rules and covers all learnable dataset types of SNNs. ii) We analyze the robustness differences between different learning rules and between SNN and ANN, which suggests that SNN no longer has inherent robustness under backdoor attacks. iii) We reveal the vulnerability of conversion-dependent learning rules caused by backdoor migration and further analyze the migration ability during the conversion process, finding that the backdoor migration rate can even exceed 99%. iv) Finally, we discuss potential countermeasures against this kind of backdoor attack and its technical challenges and point out several promising research directions.
Cryptography and Security, Neural and Evolutionary Computing
### What problems does this paper attempt to solve?

This paper aims to explore the security and robustness issues of Spiking Neural Networks (SNNs) under backdoor attacks. Specifically, the main research objectives include:

1. **Propose a general backdoor attack framework based on data poisoning**: This framework can attack existing supervised learning rules and is applicable to all types of SNN-learnable datasets, including traditional image datasets and brain-like datasets.
2. **Analyze the differences in robustness under different learning rules**: Verify the performance of different supervised learning rules (such as backpropagation-based learning rules, transfer learning rules, and hybrid learning rules) under backdoor attacks through experiments, and reveal the vulnerability of SNNs in these attacks.
3. **Study the backdoor transferability**: Especially in the model conversion process, analyze the transferability of backdoor information, and find that in some cases, the backdoor transfer rate even exceeds 99%.
4. **Explore defense measures**: Propose preliminary methods for detecting and eliminating backdoor attacks, verify their effectiveness through experiments, and point out possible future research directions.

### Paper background

As the third-generation neural network, SNNs are known for their low energy consumption and high robustness, and are gradually showing the ability to compete with artificial neural networks (ANNs) in many fields. However, although SNNs show high robustness against adversarial sample attacks, they still have security risks in the face of more covert threats such as backdoor attacks. Therefore, studying the security of SNNs under backdoor attacks is of great significance.

### Main contributions

- **Propose a general backdoor attack framework**: It covers the mainstream supervised learning rules (backpropagation-based, transfer, and hybrid learning rules) and takes into account all SNN-learnable data types.
- **Reveal the vulnerability of different learning rules**: It is found that all learning rules become vulnerable under backdoor attacks, although they show a certain degree of robustness in adversarial sample attacks.
- **In-depth analysis of backdoor transferability**: It shows the security vulnerabilities in the current transfer-dependent learning methods.
- **Propose preliminary defense methods**: Including detection methods based on cumulative voltage and output pulse sequences and basic elimination methods based on fine-tuning, and verify their feasibility through experiments.

### Conclusion

This is the first systematic study on the impact of data-poisoning-based backdoor attacks on SNNs' supervised learning rules. By constructing a general attack framework, the authors not only reveal the vulnerability of SNNs under backdoor attacks but also provide an important reference direction for future security research.