There is a limited amount of research on SNN attacks (except adversarial input-based attacks). Similar to classical systems, the adversary can manipulate the supply voltage or inject voltage glitches in the SNN systems. This is likely for (1) an external adversary who has physical possession of the device or the power port, (2) an insider adversary with access to a power port or laser gun to inject the fault. In this paper, we study seven attacks under black box and white box scenarios.

SNNs consist of layers of spiking neurons that are connected to adjacent neurons using synaptic weights (Figure 1). The neurons between adjacent layers exchange information in the form of spike trains. The critical parameters for SNN operation include the timing of the spikes and the strengths of the synaptic weights between neurons. Each neuron includes a membrane, whose potential increases when the neuron received an input spike. When this membrane potential reaches a pre-designed threshold, the neuron fires an output spike. Various neuron models such as I&F, Hodgkin-Huxley, and spike response exist with different membrane and spike-generation operations. In this work, we have implemented two flavors of I&F neuron to showcase the power-based attacks.

In this work, we have used Leaky Integrate and Fire (LIF) neuron models where the temporal dynamics are represented by: τ mem ∂ v t ∂ t = − v t + v rest + I t (1)

Here, v(t) is the membrane potential, τ _mem is the membrane time constant, v _rest is the resting potential and I(t) represents the summation of inputs from all synaptic inputs to the neuron. When the membrane voltage reaches a pre-designed vth(t), it fires an output spike and its membrane potential resets to v _reset . The neuron’s membrane potential is fixed for a refractory period of δ _ref . For neural network implementation, we have used the (Diehl et al., 2015) LIF neuron feature of adaptive thresholding scheme where each neuron follows these temporal dynamics: v t h t = θ 0 + θ t τ theta ∂ θ t ∂ t = − θ t (2) Here, the constant θ ₀ > v _rest , v _reset and τ _theta is the adaptive threshold time constant. When a neuron receives a spike, θ(t) is increased by a constant value of θ ₊ and then decays exponentially as shown in Eq. 2.

Hebbian Learning: In Hebbian learning (Hebb, 2005), correlated activation of pre- and post-synaptic neurons leads to the strengthening of synaptic weights between two neurons. The basic Hebbian learning rule is expressed as: Δ w = η × y x , w × x (3) Here Δw denotes the change in synaptic weight, x refers to the array of input spikes on the neuron’s synapses, η is the learning rate, and w is the synaptic weight associated with the neuron. Term y (x, w) denotes the post-synaptic activation of the neuron which is a function of the input and the weights.

In this work, all neuron models are implemented and analyzed on HSPICE using PTM 65 nm technology.

We have investigated the power attacks under the following cases:

The input current spikes of each neuron are fed using a current driver as described in Section 2.4.3. The driver is designed with V _DD = 1 V and outputs SNN input current spikes of 200 nA amplitude and 25 ns spike width. An adversary can attack a normal driver operation by modulating the V _DD .

Figure 4B shows the effect of modulating the V _DD from 0.8 to 1.2 V (corresponding to a −/+ 20% change). The corresponding output spike amplitude ranges from 136 nA for 0.8V _DD (−32% change) to 264 nA for 1.2V _DD (+32% change). We subjected our neuron designs under these input spike amplitude modulations while keeping the input spiking rate constant at 40 MHz. Figure 4C shows the effect on output spike rate for the Axon Hillock neuron where the time-to-spike (V _out ) becomes faster by 24.7% under V _DD = 1.2 V and I _in = 264 nA and becomes slower by 53.7% under V _DD = 0.8 V and I _in = 136 nA. Similarly, Figure 4C also shows the effect on output spike rate for the voltage amplifier I&F neuron where the time-to-spike (V _out ) becomes faster by 6.7% under V _DD = 1.2 V and I _in = 264 nA and becomes slower by 14.5% under V _DD = 0.8 V and I _in = 136 nA.

The adversary can also corrupt normal SNN operation using the externally supplied V _DD which can modulate the SNN’s membrane threshold voltage. In the ideal condition, the V _DD is 1 V and the threshold voltage of both the Axon Hillock neuron and the I&F neuron are designed to be 0.5 V. Figure 5A shows that the membrane threshold voltage changes with V _DD . In the case of the Axon Hillock neuron the change in threshold ranges from −17.91% for V _DD = 0.8V to +16.76% for V _DD = 1.2V. When V _DD is modified, the switching threshold of the inverters in the Axon Hillock neuron is also proportionally affected. A lower (higher) V _DD lowers (increases) the switching threshold of the inverters and leads to a faster (slower) output spike. Similarly, the change in threshold ranges from −18.01% to +17.14% when V _DD is swept from 0.8 to 1.2 V for the voltage amplifier I&F neuron. Note that the change in threshold for the I&F neuron is due to V _thr signal (Figure 5A) which is derived using a simple resistor-based voltage division of V _DD . Therefore, V _thr scales linearly with V _DD .

The change in membrane threshold modulates the output spike rate of the affected SNN neurons. Figures 5B,C show the change in time-to-spike under V _DD manipulation while the input spikes (I _in ) to the neuron are held at a constant amplitude of 200 nA and a rate of 40 MHz. The time-to-spike for the Axon Hillock ranges from 17.91% faster to 16.76% slower. Similarly, the time-to-spike for I&F neuron ranges from 17.05% faster to 23.53% slower.

We have implemented the Diehl and Cook SNN (Diehl et al., 2015) using the BindsNET (Hazan et al., 2018) network library with PyTorch Tensor to test the effect of power-based attacks. The SNN is implemented with 3 neuron layers (Figure 6), namely input layer, excitatory layer (EL), and inhibitory layer (IL). We employ this SNN for digit classification of the MNIST dataset which consists of digit images of pixel dimension 28 × 28. Each input image is converted to Poisson-spike trains and fed to the excitatory neurons in an all-to-all connection, where each input spike is fed to each excitatory neuron. The excitatory neurons are 1-to-1 connected with the inhibitory neurons (Figure 6). Each neuron in the IL is in turn connected to all the neurons in the EL, except the one it received a connection from. The architecture performs supervised learning. For our experiments, the EL and IL have 100 neurons each and all experiments are conducted on 1,000 Poisson-encoded training images with fixed learning rates of 0.000 1 and 0.01 for pre-synaptic and post-synaptic events, respectively. The batch size is set to 32 and training samples are iterated only once as configured in (Hazan et al., 2018). Other key design parameters for the implemented SNN are shown in Table 1. Additional details on the neuron layers, learning method, and SNN parameters can be found in (Hazan et al., 2018). The baseline classification accuracy for attack-free SNN is 75.92% with 60 K training images.

In Section 3.2, it is shown that the adversary can manipulate the input spike amplitudes for the SNN neurons. This in turn changes the membrane voltage by a different rate for the same number of input spikes. This manipulation of the rate of change of membrane voltage changes the time-to-spike for the neuron (as shown in Figure 4C).

The key parameters that are used for threshold manipulation are threshold voltage potential (θ ₀) and membrane reset potential (V _reset ). Using our power-based attacks the threshold can be manipulated in two possible ways:

From our analysis, we conclude following:

The baseline synaptic learning rates of the SNN implemented (shown in Table 1) are 10^–2 and 10^–4 for η _post and η _pre, respectively. We subject the neurons in the implemented SNN with adversarial threshold range variation of −50% to +50%. The learning rates of the SNN is varied by 1 8 X to 2X under the adversarial attack to determine its effect on classification accuracy. Figure 12A depicts the change in STDP learning curve with learning rate. It is seen that increasing (decreasing) η causes a greater (lower) change in synaptic weight (Δw) for the same spike timing difference (Δt). Figure 13 depicts the final average classification accuracy after training the SNN with 60 K samples under different η and threshold (Vth) values. The highest accuracy is observed for SNN with learning rate as 0.5η which recovers the baseline accuracy by 0.83%. The lowest accuracy is observed for SNN with learning rate as 2η which further degrades the accuracy by 3.61%. Lowering the learning rate proportionally reduces the change in weight (Δw) per synaptic update minimizing the effect of adversarial power-based attacks on STDP learning. Similarly, increasing η causes a higher Δw and leads to a more pronounced effect on the final classification accuracy. For Attacks 1 and 2, where accuracy loss of 1.9 and 2.7% was observed, this method recovers accuracy degradation by 43 and 31%, respectively.

The baseline synaptic trace decay constant (τ) (Table 1) is 20 ms. We vary τ from 0.25X to 1.5X under our adversarial power attack to determine its effect on classification accuracy. Figure 12B shows that increasing (decreasing) τ causes a shallower (steeper) slope to the STDP curve and correspondingly a lower (higher) change in synaptic weight (Δw) for the same spike timing difference (Δt). Figure 14 shows the final average classification accuracy after training the SNN with 60 K samples under different τ and threshold (Vth) values. It is seen that the highest accuracy is observed for SNN with trace decay constant of 0.25τ which improves average classification accuracy by 0.81%. The lowest accuracy is observed for SNN with trace decay constant of 1.25τ which further degrades classification accuracy by −0.26%. Lowering the trace decay constant causes a steeper STDP curve and effectively reduces the window of spike timing difference (Δt) within which the synaptic weights are updated. Therefore, lowering the frequency of updates correspondingly minimizes the effect of power-based attacks on STDP learning. Similarly, increasing τ causes a wider update window and leads to a more pronounced effect on final classification accuracy. For Attack 1 and 2, where accuracy loss of 1.9 and 2.7% is observed, this method recovers accuracy degradation by 42 and 30%, respectively.

In the baseline SNN implementation, we utilized 100 neurons (n) in the IL and EL each. We increase the range of neurons per layer to include n = 50, 150, 225, and 400 to study its effect on classification accuracy under adversarial threshold variation. Figure 15 shows the final classification accuracy observed under different n and Vth. Ideally, a greater number of neurons increases the classification accuracy. Here we see that n = 150 maximizes the accuracy under most of the Vth cases and improves average classification accuracy by 0.94%. Further increasing n to 225 and 400 leads to a degradation in accuracy. The worst case is observed when n = 400, where the average accuracy degrades by 17.18%. This can be attributed to the fact that a higher number of neurons under attack have a more pronounced negative effect on SNN training. Ideally, the designer should increase n only up to a point where the increase in output accuracy caused by a higher n is greater than the accuracy degradation faced by a greater number of neurons under attack. For Attack 1 and 2, where accuracy loss of 1.9 and 2.7% is observed, this method recovers accuracy degradation by 47 and 34%, respectively.

We propose a current driver that produces neuron input spikes of constant amplitude (Figure 16A). Here the negative input terminal of the op-amp is forced to a reference voltage that leads the positive terminal to be virtually connected to the reference voltage (V _Ref ). The current through M _P1 transistor is V _Ref /R ₁ and the negative feedback of the amplifier forces the gate voltage of M _P1 to satisfy the current equation of the transistor. Since V _GS and Vth of M _P1 and M _P2 transistors are the same, M _P2 passes the same current as M _P1. Note, we have used long channel transistors to reduce the effect of channel length modulation. The power overhead incurred for the proposed robust current driver compared to the unsecured version is 3%. Note that the area overhead of the robust driver is negligible compared to the area of unsecured driver since the neuron capacitors occupy the majority of the area.

In addition to robust neuron design, we also propose a technique to voltage glitching attack directed at an individual neuron layer. This is done by introducing a dummy neuron within each neuron layer (shown in Figure 17A). In our design, the input of the dummy neuron is connected to a current driver that constantly drives spiking inputs of 200 nA amplitude and spike width of 100 ns. The spikes repeat every 200 ns and do not depend on the spiking of the neurons from the previous layer. Under ideal conditions, the number of output spikes for a fixed sampling period for each dummy neuron should be identical. Figure 17B shows the effect of V _DD change on the dummy neuron’s output for both the I&F and AH neurons over a sampling period of 100 ms. It is seen that for both neurons, the number of dummy output spikes differs by ≥ 10 % as compared to the baseline. Note that this method is only effective against localized V _DD change. For the SNN implemented in Section 4, the area and power overhead for the proposed dummy neuron detection mechanism is ∼1% each.

In this study, we have analyzed the impact of power-based attacks on integrate-and-fire CMOS-based neurons, that are most commonly employed for contemporary SNN architectures. But each CMOS-based neuron requires tens of transistors and therefore incurs a large area and a high power consumption. Neurons based on emerging technology such as memristors, ferroelectric devices, and phase change memories can address the above challenges. Integrate-and-fire neurons using memristors have been proposed (Mehonic and Kenyon, 2016) and (Lashkare et al., 2018) where short voltage pulses (input spikes) are employed to increase the conductance of the memristor device. When the conductance reaches a critical value (threshold), the neuron fires a spike, and the conductance is reset. Varying the supply voltage would cause the amplitude of the input spikes to increase/decrease and correspondingly cause the neuron to fire faster/slower. Once the neuron fires, the conductance is reset using a reset pulse that is also V _DD dependent. Varying the supply voltage would also lead to improper reset operation. Multiple works (Mulaosmanovic et al., 2018; Chen et al., 2019; Dutta et al., 2019) have proposed ferroelectric devices for neuromorphic computing. In (Mulaosmanovic et al., 2018) a controlled electric field is applied to reversibly tune the polarization state of the ferroelectric material. When a series of short voltage pulses are applied consecutively, it causes an incremental nucleation of nanodomains in the ferroelectric layer. When a critical number of nanodomains are nucleated, it leads to an abrupt polarization reversal which corresponds to the neuron firing. It is shown that the rate of nucleation depends on the amplitude and duration of the input voltage pulses. Therefore, the proposed power-based attacks can corrupt the spiking rate and inject faults in ferroelectric neurons as well. In the case of phase change memories (PCM), the effective thickness of the amorphous region of the chalcogenide can be considered equivalent to the membrane potential of a neuron. In (Sebastian et al., 2014; Tuma et al., 2016), it is shown that the amorphous region can be grown precisely by controlling the input voltage pulse. Consecutive voltage pulses can allow controlled crystallization and ultimately leads to an abrupt change in PCM conductance which corresponds to the neuron firing. It is also shown that the firing rate of the PCM neurons can be controlled by manipulating the amplitude of the voltage pulses. Therefore, our power-based attacks can corrupt the spiking rate and inject faults in PCM-based neurons as well.

Although this work analyzes the impact of power-based fault injection attacks on SNNs, these attacks can be extended to other NNAs as well. Very limited research has been conducted on physical attacks (i.e., power-based) on traditional NNAs res such as DNNs. In (Breier et al., 2018) and (Hou et al., 2020), the authors study physical fault injection attacks into the hidden layers of DNNs using laser injection techniques to demonstrate image misclassification. In (Benevenuti et al., 2018), the authors characterize each network layer of an ANN under a laser beam by placing them separately on an FPGA floorplan. The authors demonstrate significant degradation in classification accuracy under these laser-based attacks. The proposed power-based attacks can be extended to other types of ANNs by analyzing the effect of V _DD variation on the operation of neurons. The ANN can then be implemented with these neurons under attack and the corresponding accuracy change due to their faulty behavior can be determined. This analysis can be the subject of future study.