Certified Adversarial Robustness for Rate Encoded Spiking Neural Networks

As shown in Tab.1, compared to constant-encoded SNN, rate-encoded SNN seems to have a significant loss in its clean accuracy. I think this will significantly hinder the practical application of rate-encoded SNN.

Ans: Indeed, it is well known that rate-encoding has the limitation of lower clean accuracy, especially for low latency inference. However, we would like to emphasize that the proposed connection to randomized smoothing reveals that by better approximating the smooth classifier (i.e., using larger m), we can improve the accuracy of the rate-encoded classifier across different training strategies. Thus, our results improve the evaluation of rate-encoded classifier ( CIFAR-10 CLEAN: 79.55 (m=1) to 83.22 (m=10), CIFAR-100 CLEAN: 50.9 (m=1) to 55.27 (m=10)), which was not observed earlier. Fig 1(a) reports the improvement in accuracy of rate-encoded models with m.

Further, as we can see in Fig 1(d), the accuracy of the constant encoded models quickly breaks down under small adversarial perturbations, while rate-encoded models continue to offer better robust accuracy. Thus, under the threat of adversarial attacks, one can find the rate-encoded models more suitable compared to their constant encoded counterpart.

In Tab.1, the author's comparative perspective is that the robustness of constant-encoded SNN under PGD (C) is weaker than that of rate-encoded SNN under PGD (R), so rate-encoded SNN is better. However, I noticed that the robustness of constant-encoded SNN is better than that of rate-encoded SNN under GN attacks, and at the same time, constant-encoded SNN maintains good defense against FGSM (R) and PGD (R). Therefore, it seems that the so-called superior robustness of rate-encoded SNN does not have a good generalization effect, and it cannot maintain good defense ability under different attacks, which is an obvious limitations.

Ans: First, we would like to highlight that fgsm(R)/pgd(R) attacks are ineffective against constant encoded models, similar to the ineffectiveness of the fgsm(C)/pgd(C) attacks against the rate-encoded models. The reason behind this is discussed in detail to answer the questions from reviewer 77u8.

The reported results in Table 1 with GN attack uses Gaussian perturbation: $x+\delta$, where $\delta \sim N(0,\sigma^2)$, with $\sigma= 8/255 \approx 0.031$. The better results of the constant encoded models against Gaussian noise attacks quickly break down as we increase the strength of the attacks, as computed in the table below. For example, at $\sigma=0.1$, CLEAN(R) with m=10, provides 21.77% higher accuracy than CLEAN(C)+RAT.

We have now included the above table in the appendix of the paper. We would also like to emphasize that while comparing the empirical robust accuracy of two models, we compare the minimum accuracy obtained by a model across any attack, as some attacks can be weak for one model but strong for another. This can be further seen from Table 5 (recently included in the appendix following suggestions from NxbL), where we implement adversarial attacks using different back-propagation algorithms.

The bound is conducted through repeated sampling (m times), which is a statistic boundary instead of a rigorous boundary. Please make it clearly.

Ans: Following the randomized smoothing framework, we estimate the output of the smooth classifier g, and probabilities $\underline{p_a}, \overline{p_b}$, through Monte Carlo estimation as given in eqn. (9). As stated after theorem 1, these bounds are obtained with high probability. This was further discussed in section 3.3, where we point to the proofs for the confidence of the estimates as obtained by Algorithms 1 and 2.

The robust training framework is not clear. Based on my understanding, the robust training is more like adding noise to inputs repeatedly to conduct the boundary, which seems trivial.

Ans: In simple words, the adversarial training framework trains the models on adversarial perturbed images $x+\delta$, along with the original label y. Here, the adversarial perturbation $\delta$ for each image $x$ is calculated separately for each image, with respect to the present model weight obtained after each epoch. In theoretical formulation, the adversarial training is given as a min-max problem, where the inner maximization is performed over image perturbation and the outer minimization is done over the model weights, as described in eqn. (16).

Algorithmically, adversarial training differs from vanilla robust training in the sense that the perturbed image $x+\delta$ is found through some adversarial attack (e.g., FGSM/PGD) computed on the present model predictions, approximating the inner maximization. In contrast, in the robust training framework, the perturbation $\delta$ is a noise, possibly independent of the image $x$.

In Table 1, column GN implements robust training with Gaussian noise, while columns FGSM and PGD implement adversarial training with respective attacks. To our knowledge, we are the first to report adversarial training results with rate-encoded SNNs, which beats the prior adversarial training results with constant encoded SNNs, as reproduced in Table 1. Further, we show that the results of the rate-encoded classifiers can be improved with the better approximation of the smooth classifier (m=1 vs. m=10)

The labels in experiments are misleading, i.e. I did not find RAT in tables.

Ans: For each dataset CIFAR-10 and CIFAR-100, we report 4 sets of results in Table 1. Namely, constant encoding, constant encoding with RAT, rate-encoding with m=1, and m=10. Under each set there are four training methods, namely CLEAN (training with clean data), GN (training with Gaussian noise), FGSM (adv. training with FGSM attack), PGD (adv. training with PGD attack)

Please discuss [1]

Ans: The work adopts the existing certified training framework of IBP-CROWN based on bound-propagation, to the Heaviside function used in the SNN network, dubbed as S-IBP and S-CROWN. It is an important line of work, which we have now included in the related work section of the paper.

We thank the reviewer for the detailed comments on the paper. We have carefully considered the suggestions and tried to incorporate them. We acknowledge the reference to the existing literature and promise to add them to the future version of the paper. We agree that the connection between encoding and robustness has been explored in various studies. However, we would like to emphasize that our work goes beyond the empirical observations of robustness and provides a provable robustness guarantee for rate-encoded SNNs against adversarial perturbations. We would like to briefly discuss the referred works:

RGA[1] explores the rate-encoded nature of spikes that govern information propagation within SNN layers and argues that the rate of spikes is sufficient to encode the information. Following your recommendation, we have incorporated the RGA back-propagation technique, along with its close cousin called Backward Pass Through Rate (BPTR) as given in SNN-RAT(Ding et al., 2022). Thus, for each adversarial attack, we now have three implementations, namely, BPTT, BPTR, and RGA, reported in Table 5, which is now updated in the appendix of the paper.

HIRE-SNN[2] explore specially crafted input noise to the constant coded inputs, where the noise is updated within the time-steps. We did not compare with this work directly, for (i). the robust training results were demonstrated on constant-encoding (ii). Under constant encoding, SNN-RAT (Table 4 of their paper) shows superior performance against adversarial attacks. However, we refer to their work in our related work section as they compare the spiking activity of constant and rate-encoded SNNs.

The work Rate Coding Or Direct Coding[3] compares the accuracy of rate-encoded and constant encoded SNN trained with clean images under FGSM and PGD attacks and show superior accuracy of rate-encoded SNNs under different attack radius (Fig. 3 of their paper). This is consistent with our claims of superior robustness of rate-encoded SNNs. Our experimental contribution adds to their work (i). by including adversarial training of (smooth) rate-encoded classifier, (ii). by showing a smooth approximation of rate-encoded SNNs can significantly improve the performance of rate-encoded SNNs.

Analysis of converted SNNs The theory of randomized smoothing holds irrespective of the base classifier that we choose. That is, whether we use the base classifier $f$ (in eqn. 6) from an adversarially trained model or a converted model, the corresponding smooth classifier g, will be robust against adversarial perturbation, i.e., $g(x+\delta) = g(x)$. However, if the base classifier is unfit, the prediction $g(x)$ can be incorrect, leading to poor clean and robust accuracy.

With your suggestion, we conducted experiments with ANN-to-SNN converted VGG-16 models on the CIFAR-10 dataset using a recent conversion technique [Bu et. al. 2021]. We find that under rate-encoding, converted SNNs do not have good clean accuracy at small latency T, which is rather a limitation of the base classifier trained to work with direct inputs, without Bernoulli noise. This can even happen to constant encoded SNN trained on clean images if we add large Gaussian noise to the input (please see the table provided in reply to reviewer FaRA )

Constant Encoding

Rate Encoding

It is interesting to note that, while the clean accuracy of rate encoding is lower than that of directly trained SNNs, the robust accuracy (minimum accuracy across among the attacks) of rate encoding surpasses that of SNNs with constant encoding. (ii). the clean accuracy of rate encoding keeps improving larger T, but the robust accuracy initially increases (due to better prediction) but eventually drops, possibly due to the effect of T as found in our theory. (T=4: 11.49, T=32:16.36, T=64: 18, T=128: 15.76) A similar observation was made in directly trained SNNs, as given in Table 4 in the appendix, where we evaluated the models at T=4 vs T=8. (iii) A similar drop in robust accuracy for constant encoded models may hint at the rate-encoded nature of spikes in general SNN layers, as reported by [1].

We have now included these results in Table 7 in the appendix of the paper.

We are grateful to the reviewer for detailed review and insightful comments. We list our answers below:

Specify algorithmic novelty: As suggested by the reviewer, we now mention in the paper, that the algorithm novelty lies in adapting the randomized smoothing technique for rate-encoded SNN. More concretely, (i) Table 1, improves the accuracy of rate-encoded classifiers through better approximation of the smooth classifier, i.e., we could observe results with m=10, are better than m=1. (ii) Adversarial training of rate-encoded classifier, by employing rate-encoded adversarial attacks are also reported first time to our knowledge.

State-of-the-art: We intend to say the state-of-art in adversarial training, we compare our results with another existing adversarial training algorithm, SNN-RAT, and show improvement in robust accuracy (i.e., minimum empirical accuracy found under any attack). (FGSM(C):39.75, FGSM(C)+RAT: 42.76 vs. FGSM(R): 51.63)

Comparison of certified and empirical robustness: We agree with the reviewer to discuss this gap in detail in the paper. However, we would like highlight, that the certified radius for robustness in Table 3 is obtained under $l_1$-norm, while figure 1(d) reports attack radius under $l_\infty$-norm, as customary for the FGSM/PGD attacks. Thus, these results can not be plotted together unless we perform some bound transfer for the certified radius.

Training Details: As suggested by the reviewer, we have added all the training hyper-parameters/details in the appendix. We answer more specific questions next.

Why do fgsm(R) and pgd(R) attacks not work on models trained with constant encoding?

Ans: We would like to clarify how fgsm(R) works on a constant encoded model. To find the perturbation $\delta$, we use rate-encoding of $x$, compute the loss, perform the gradient ascent step, and find $\delta$. Now the perturbed image stands to be $x+\delta$, which we evaluate with constant encoding. Thus, $C/R$ here stands for the encoding used to compute the attack, however, once the attack is found, the perturbed input is evaluated with default model encoding.

We observe, when a model is trained on a particular encoding and the attack also uses the same encoding, the attacks are more effective in fooling the model parameters. As $\delta$ found in this process is not informative enough, fgsm(R)/pgd(R) attacks are not able to find effective perturbation on a constant encoded model. And similarly, fgsm(C)/pgd(C) do not work well on the rate-encoded models. Please see this answer in conjunction with the next answer.

As one tests attacks on both encodings (C/R), it might be good also to have clean (C/R). Ans: As clarified above, although the attack fgsm(R) uses rate encoding to find $\delta$, the perturbed image $x+\delta$ is evaluated using the model encoding. Thus, while evaluating a clean image, since there is no attack involved, we chose the same encoding as the model encoding.

However, as the reviewer suggests, we can always evaluate a model trained with constant encoding with rate encoding, and vice versa. But as the true model weights are not trained on these inputs, the clean accuracies are not good enough. We report the accuracies below:

CIFAR-10, Train: Constant Encoding

CIFAR-10, Train: Rate Encoding

The results further explain the reason fgsm(R) attack does not work well with constant encoded models, as to compute the perturbation, we should start with output which is correct. As the clean accuracy with the opposite encoding is itself not very good, the perturbations found by the attack are not effective.

However, the result that rate-encoding does not work on a model trained with constant encoding should not be seen as a limitation of the rate-encoding technique. The randomized smoothing technique only guarantees that the prediction of the smooth classifier will not change upon perturbation of the input, which does not require that the prediction of the smooth classifier in the first place is correct. To obtain robustness along with correct prediction, we need to supply a good base classifier, such as the different classifiers (adversarially) trained with rate encoding.