New MDSE attack breaks SNN defenses with 91.4% higher success rate
Spiking neural networks are vulnerable to a new attack that also fools ViTs and CNNs.
A research team led by Nuo Xu has published a comprehensive study on the security of spiking neural networks (SNNs) against adversarial examples. Their work, now appearing in *Neurocomputing*, introduces the Mixed Dynamic Spiking Estimation (MDSE) attack. The key insight is that existing white-box attacks on SNNs fail because they rely on a single surrogate gradient estimator during training, leaving a blind spot. The MDSE attack dynamically combines multiple gradient estimators to craft adversarial examples that fool not only SNNs but also Vision Transformers (ViTs) and CNNs simultaneously.
Across rigorous experiments on CIFAR-10, CIFAR-100, and ImageNet using 19 classifier models, MDSE outperformed conventional attacks like Auto-PGD by up to 91.4% on SNN/ViT model ensembles and delivered a 3x boost on adversarially trained SNN ensembles. This work exposes two significant gaps: no prior attack exploited multiple surrogate gradient estimators for SNNs, and no single-model attack could reliably fool both SNN and non-SNN models. The findings underscore the need for more robust defense mechanisms in the rapidly growing field of neuromorphic computing.
- MDSE uses dynamic gradient estimation to exploit multiple surrogate gradient estimators, overcoming a key limitation of prior SNN attacks.
- Achieves up to 91.4% higher success rate on SNN/ViT ensembles and 3x improvement over Auto-PGD on adversarially trained SNNs.
- Tested on 19 models across three datasets (CIFAR-10, CIFAR-100, ImageNet), demonstrating cross-architecture transferability.
Why It Matters
SNNs promise energy-efficient AI, but this attack reveals major security flaws that must be addressed before deployment.