FEEL-SNN: Robust Spiking Neural Networks with Frequency Encoding and Evolutionary Leak Factor

1. The innovation point of this work is not clear compared with StoG [11].

We highlight the innovation of our theoretical analysis compared to StoG from two key perspectives:

1. Theoretical focus. For the regularizer $|\epsilon \odot \nabla_x \mathcal{L}(x)|_1$ in Eq. 5, StoG focuses on perturbation constraints during SNN signal transmission. In contrast, we analyze the effects of input noise and spiking neuron parameters on this regularizer (shown in Eq. 6). This shift in focus allows us to explore how these factors theoretically constrain the regularizer, offering a different perspective on enhancing robustness.

2. Implementation of theoretical framework. Unlike StoG's stochastic gating factor, we introduce a frequency encoding method to eliminate perturbation inputs. Tab. 1 (main paper) shows our method further enhances StoG's robustness, demonstrating that our method and idea do not conflict with StoG. Moreover, while prior studies empirically explored parameters like firing threshold [12] and leak factor [31] on SNN robustness, our robust constraint framework offers a theoretical basis for these findings.

In summary, our work advances the theoretical understanding of input noise and spiking neuron parameters to SNN robustness and proposes an innovative frequency encoding method. We will update our revised version to state the contribution of the adversarial loss constraint introduced in StoG to our theoretical analysis while emphasizing the distinctions and innovations of our approach.

2. The cognitive motivation of FE is inconsistent with dynamic parameters proposed later.

The concept of selective visual attention in [8] is described as "visual attention focuses on one region of the visual field at a time", closely resembling the retinal coding rather than a cognitive process, as described in lines 173-174. Inspired by this, we propose FE to capture different frequency information at different time steps in SNNs, and EL is used to better learn the correlation between information of different frequencies across time steps.

Furthermore, FE and EL methods are two contributions of our work, which can be used independently and in combination to further improve the robustness of SNNs.

3. Lack of performance when using the EL method alone.

We have now included the performance of our EL alone in Tab. R2 of the rebuttal appendix. It is evident that both FE and EL effectively enhance the robustness of the original methods, with FEEL further improving robustness on this foundation. For instance, under a PGD attack, the original RAT method achieves 8.87% accuracy, while our FE increases robustness to 9.70%, EL to 11.39%, and FEEL to 12.36%. This illustrates the effectiveness of each module of our method.

4. What is the difference between the EL method and DLIF [C]

Our EL and DLIF [C] optimize the leak factor to improve SNN robustness but differ in motivation and implementation.

1. Motivation, DLIF uses a dynamic leak factor to reduce perturbation transmission, while our approach leverages it to capture correlations across time steps via frequency encoding, thus enhancing the learning capability of SNNs further against perturbations.
2. Implementation, DLIF dynamically learns the leak factor at each time step but shares it across neurons within a layer. our EL learns the optimal leak factor across time steps and among individual neurons within the same layer, leading to greater robustness, as described in lines 74-78, 212-213.

While both methods aim to enhance robustness through leak factor optimization, our EL method achieves superior results, as shown in Tab. R7. We will cite DLIF [C] in our revision to clarify the differences.

Table R7: Performance (white-box attack) comparison with DLIF[C] (CIFAR100 with the same experimental setting in Tab.1 of [C]).

5. How did the author train a network containing frequency domain filtering (FE)?

We would like to clarify that our frequency masking operation is a data preprocessing step and does not participate in model training. As shown in Eq. 10 and Fig. 2a, after frequency mask crops information from high-frequency to low-frequency at different time steps (Eq. 7, 8, 9), the frequency domain images are converted back to the spatial domain images with varying frequency information at different time steps (Eq. 10). These images are then used for training. Therefore, our backpropagation method remains identical to standard training methods, using the surrogate gradient $\frac{\partial O}{\partial u} = \frac{1}{\gamma^2} \max \left( 0, \gamma - |u - V_{th}| \right)$ based on BPTT rule. More training settings are detailed in lines 218, 450-454 of the main paper and in the code provided in Supplementary Materials.

6. Whether FE disrupts the low energy consumption characteristics of spiking neural networks.

As addressed in the previous question, our FE functions as a data preprocessing method and does not participate in model training. Therefore, FE does not disrupt the low-energy performance of SNNs.

7. It is necessary for the adversarial model with and without FE modules to be used as attack models in the validation of the paper.

Thanks for your suggestion. The relevant experiments are included in our main paper. Fig. 3 and Fig. 4 illustrate the performance of the vanilla model with and without FE under white-box and black-box attacks, respectively. Tab. 1 presents the performance of SOTA robust SNNs with and without FE under white-box attacks. We have now added the performance of adversarial models ($i.e.$, AT [13] and RAT [9]) with and without FE under black-box attacks in Tab. R5 of the rebuttal appendix. All experimental results confirm that FE effectively enhances the robustness of the model.

Thanks for your further comment. We address your concern in two parts:

1. This means that FE can also be added to the ANN-based image classifier and has little to do with the characteristics of the SNN itself.

Since ANN-based image classifiers lack temporal characteristics and timesteps, we construct five training datasets for ANN-based methods: (1) images generated by FE using all timesteps (similar to data augmentation), and (2) images generated by FE at each of four individual timesteps.

We have already evaluated the models' performance using these five training datasets, with the results presented below (can also be found in Tab. 2 of the main paper). These results suggest that applying FE without considering temporal characteristics is less effective.

Table 2: Effect of different training datasets generated by FE. The attack is PGD with perturbation $\epsilon=4/255$, iterative step $\alpha=0.01$, and iterative step $k=4$. The dataset is CIFAR100 with $T = 4$, the network is VGG11.

Please note that the models referenced in Tab. 2 are SNNs, used to ensure a fair comparison for validating frequency mask strategies, rather than to assess the effectiveness of adding FE to ANN-based classifiers. Due to the rush time, we are unable to conduct experiments on ANN models. We will perform a fair comparison by adding FE to ANNs and will include the results and discussions in the final version.

2. How do you implement the adversarial attack when FE is employed?

In our study, we implement the adversarial attack by applying adversarial perturbations to the image domain before the FE module, aligning with the first scenario you mentioned. We achieve the differentiable conditions of FE by:

• According to Eq. 7-10 of the main paper, the formulation of our FE is as follows: $\tilde{x} = \mathcal{F}^{-1} \left( \mathcal{M} \odot \mathcal{F}(x) \right),$ where $x$ is the original image, $\tilde{x}$ is the FE-encoded image, $\mathcal{F}$ and $\mathcal{F}^{-1}$ represent the Discrete Fourier Transform (DFT) and Inverse-DFT (Eq. 7 and Eq. 10), and $\mathcal{M}$ is the frequency mask (Eq. 8 and Eq. 9).
• Both $\mathcal{F}$ and $\mathcal{F}^{-1}$ are differentiable [33] and can be directly implemented using the torch.fft.fft2(x) function in the PyTorch framework.
• The frequency mask operation $\mathcal{M} \odot \mathcal{F}(x)$ involves element-wise multiplication of the frequency domain image $\mathcal{F}(x)$ with the 0, 1 matrix $\mathcal{M}$ of the same size, which is also differentiable, as implemented in [15].

Thus, adversarial perturbations can be generated directly through these differentiable operations.

We will revise the paper to incorporate the above explanation as follows (revised or newly added contents are in bold):

In line 193 of Section 4.2:

“In summary, the proposed FE method, as described in Eq. 10, allows us to control the frequency mask radius $r$ at each time step, enabling the suppression of different frequency ranges. Since the DFT ($\mathcal{F}$), IDFT ($\mathcal{F}^{-1}$) (Eq. 7 and Eq. 10) and frequency mask operation ($\mathcal{M} \odot \mathcal{F}(x)$, Eq. 8 ) are differentiable [33,15], the FE module can be directly utilized to generate adversarial perturbations. Therefore, the adversarial perturbations are applied to the image domain before FE.”

In line 239 of Section 5.1:

“The attack methods include adversarial attacks ($i.e.$, FGSM, PGD with random start, BIM, and CW, for both white-box and black-box attacks) and common noise attack ($i.e.$, gaussian noise, GN). In our study, the adversarial perturbations are applied to the image domain before FE, leveraging the differentiable property of the FE module.”

Reference

[15] Lirong He, Qingzhong Ai, Yuqing Lei, Lili Pan, Yazhou Ren, and Zenglin Xu. Edge enhancement improves adversarial robustness in image classification. Neurocomputing, 518:122–132, 2023.

[33] Duraisamy Sundararajan. The discrete Fourier transform: theory, algorithms and applications. World Scientific, 2001.

We are glad to have such a nice discussion with you. Thanks for your insightful suggestions which significantly help improve the quality of our work. We feel quite encouraged!

I truly appreciate the effort the author has put into this work. However, I find that Table 2 does not fully convey a sense of dynamics to me. Upon revisiting Table 2, it gave me an opportunity to reflect further on your statement: "This superiority stems from our frequency encoding, which simulates selective visual attention in the biological nervous system, thereby enhancing the model’s robustness more effectively." (above Table 2 in the main content).

I’m curious about how the model represents or emulates selectivity in the retina. I wanted to share some paragraphs for your reference and to hear your thoughts on this matter. From my perspective, selective attention should be more of a data-driven approach.

"A number of studies have measured the influence of selective attention on the coding of visual stimuli by single neurons (e.g., Spitzer et al., 1988; McAdams & Maunsell 1999, 2000; Reynolds & Chelazzi 2004) and populations of single neurons (Cohen & Maunsell 2009, 2010), and they have discovered that attention appears to increase the information conveyed about stimuli. Moreover, attention-driven increases in coding appear to be specific to behavioral conditions in which an animal’s perceptual sensitivity per se, rather than simple response bias, is increased (Luo & Maunsell 2015)."

This content is from your reference [8]. If you delve into [8], you’ll find that "selective attention is defined behaviorally as a relative improvement in psychophysical performance for attended versus unattended stimuli," which seems different from "closely resembling the retinal coding rather than a cognitive process" as mentioned in the authors’ rebuttal. I would gently suggest that the authors reconsider including the bio-inspired aspect if it is not fully aligned with common viewpoints.

We sincerely appreciate your insightful feedback, which will greatly improve our paper. While there may be potential misleading in References [8] and [E] as they share the same title but have different authors, we agree with your suggestion that selective attention should be more of a data-driven approach. We agree that the current version lacks a comprehensive exploration of this viewpoint, and we will remove the bio-inspired aspects that do not fully align with common viewpoints in our revised version. Thank you for providing us with a learning opportunity and potential exploration directions for future research. Thank you once again for your time and efforts.

References

[8] Desimone, R., & Duncan, J. (1995). Neural mechanisms of selective visual attention. Annual review of neuroscience, 18(1):193–222.

[E] Moore, T., & Zirnsak, M. (2017). Neural mechanisms of selective visual attention. Annual review of psychology, 68(1), 47-72.

1. Please provide more evidence or analysis to support the performance improvement by FE.

We would like to show our FE not only improves defense accuracy but also maintains clean accuracy from both data observation and additional experimental validation.

1. Data observation. We visualize the frequency spectrums of CIFAR10 images alongside the added GN, FGSM, PGD, BIM, and CW noise in Fig. R1 of the rebuttal appendix. As illustrated in Fig. R1, the information of the original image is concentrated in the low-frequency region (center area of the second column), while the noise information spans from low-frequency (center area) to high-frequency (edge area) regions (third to fifth columns). The proposed FE removes noise by progressively cropping information from high-frequency to low-frequency regions over time steps. (as $r$ in Eq. 9 of the main paper gradually decreases over time). Since the information of the original image is concentrated in the low-frequency region, this method minimizes the loss of valid information from the original image.

2. Experimental validation. To further verify the effectiveness of FE, we compare it with an alternative strategy, Inverse-FE (IFE), which crops information from low-frequency to high-frequency over time steps. As shown in Tab. R6 below, IFE causes a significant drop in clean accuracy (64.81% vs. vanilla 92.64%). This demonstrates that a substantial amount of valid information is lost, verifying that valid information is concentrated in the low-frequency area. In contrast, FE not only effectively removes noise (21.56% vs. vanilla 15.59% when under PGD attack) but also minimizes the loss of valid information (92.26% vs. vanilla 92.64%).

Table 6: Performance (%) of the proposed Frequency Encoding (FE) and the alternative strategy Inverse-FE (IFE). The perturbation $\epsilon=4/255$ for all attacks, and iterative step $k=4$, step size $\alpha=0.01$ for PGD. The dataset is CIFAR10 with time step $T=4$, the network is VGG11.

2. Please clarify why not minimize $\lambda$ directly.

We did not minimize $\lambda$ directly as it would negatively impact clean accuracy on original images. This is supported by both theoretical analysis and experimental validation.

1. Theoretical analysis. According to Eq. 2 of the main paper, the leak factor controls the residual membrane potential between time steps. A smaller leak factor may lead to a weakened temporal modeling capability of the SNN, leading to a decline in network performance [A]. Considering the leak factor's dual role in original information transmission (Eq. 2) and robustness enhancement (Eq. 6), we propose an evolutionary leak factor (EL). The EL dynamically learns the optimal robustness leak factor across different time steps and neurons, which also increases the expression capability of SNN, helping maintain clean accuracy and improving robustness.

2. Experimental validation. We compare EL with two alternative strategies. The first strategy sets all leak factors to 0. The second strategy, adds L2 regularization to the EL to further constrain the leak factor. As shown in Tab. R1 of the rebuttal appendix, a small leak factor significantly reduces clean accuracy (vanilla 92.64% vs. FEEL ($||\lambda||_2$) 88.52% vs. FEEL ($\lambda=0.0$) at 81.76%), consistent with theoretical analysis above. Besides, a small leak factor does increase the robustness of SNN ($e.g.$, under PGD attack, FEEL ($\lambda=0.0$) is 63.80%, FEEL ($||\lambda||_2$) is 29.98%, compared to vanilla 15.59%). This also aligns with the proposed robustness framework (Eq. 6) by demonstrating that controlling the leak factor improves robustness. And our EL method ensures improvements in both robustness and original accuracy ($e.g.$, the PGD defense accuracy of FEEL (learnable $\lambda$) is 30.27%, compared to 15.59% for vanilla, and the clean accuracy of FEEL (learnable $\lambda$) is 92.73%, compared to 92.64% for vanilla).

3. The performance of the proposed method when under RGA attack[B].

We expand the results in Tab. 1 of the main paper with the RGA strategy [B]. As results shown in Tab. R4 of the rebuttal appendix, under a PGD attack with RGA, AT+FEEL improves accuracy to 10.83%, compared to 8.57% for AT alone. Similar improvements are observed with other attacks. These results confirm that our methods (FE and FEEL) achieve state-of-the-art defense accuracy and enhance the robustness of existing approaches, even against SNN-specific attacks. This is because our FEEL method, which introduces frequency encoding and learnable leak factors, increases the complexity of spiking neurons, effectively countering attacks.

Sorry for the ambiguous comment of my first question in Weaknesses. My question is how the authors conclude that a smaller leaky factor will increase robustness based on Eq. 6? It seems that if you directly reduce the leaky factor, the gradient term will also change and it may also affect the whole equation. Could the authors explain more about that?

1. Could the authors explain more about why a smaller leak factor will increase robustness based on Eq. 6, since the change of term 1 may affect other terms in Eq. 6?

We would like to discuss how the leak factor affects other terms in Eq. 6 in two cases: 1) leak factor $\lambda$ as a hyperparameter predefined before neural network training and 2) leak factor $\lambda$ as a learnable parameter during neural network training (the proposed implementation).

1. CASE 1: $\lambda$ is a fixed value during neural network training (similar to $\epsilon$ in term 1). Hence, it will not affect other terms in Eq. 6. To validate the correctness of our theoretical framework ($i.e.$, smaller term 1 results in less perturbation in the output), we conduct additional experiments, training different neural networks with different fixed $\lambda$ (keep the remaining settings the same as that reported in experimental settings in the main paper). As results shown in Tab. R1 (rebuttal appendix), a smaller $\lambda$ results in a more robust model, indicating that smaller term 1 results in less output perturbation. As can also be observed from Tab. R1 (rebuttal appendix), a smaller $\lambda$ could bring performance degradation for clean inputs, $i.e.$, from 92.26% at $\lambda=1.0$ to 81.76% at $\lambda=0.0$. Therefore, we implement the leak factor as a learnable parameter to mitigate performance degradation.

2. CASE 2: $\lambda$ is a learnable parameter updated within neural network training. It is not easy to directly analyze the influence of $\lambda$ on other terms in Eq. 6 due to their complex relationship. Therefore, we analyze the influence by validating whether term 1 for robustness improvement affects term 2 or term 3's effectiveness for the same goal. To be specific, as analyzed in line 160, RAT [9] (weights regularization) is essentially minimizing term 2. We implement another comparison method which is implemented by adding a gradient constraint via the L2 norm (gradient penalty regularization (GP), same implementation as that in [D]) to minimize term 3. We compare these two methods to two alternatives of our methods. These two alternatives are implemented by additionally optimizing $\lambda$ for methods RAT and GP (keeping remaining parts unchanged), represented as RAT+EL and GP+EL, respectively. As shown in Tab. 1 (main paper) and Tab. R1, Tab.R2 (rebuttal appendix), RAT+EL and GP+EL significantly improve the robustness of RAT and GP, across different attack types and datasets, respectively. These results show that leveraging term 1 for robustness improvement does not interfere with term 2 or term 3’s effectiveness for the same goal, indicating that the leak factor does not affect other terms in Eq. 6.

In summary, results in both cases indicate that the leak factor does not affect other terms in Eq. 6 on SNN robustness. We would like to discuss this with you in the reviewer-author discussion period if you have further questions.

2. The robustness improvement is not significant. Sometimes robustness performance of FEEL is even worse than FE.

We would like to show that our robustness improvement is consistent and significant in two aspects. Kindly note that FE is essentially to fix $\lambda=1$.

1. Consistent improvement over FE by an alternative implementation for all attack types. As discussed in our response to Question 1, an alternative implementation is to strictly adhere to the theoretical framework of Eq. 6, $i.e.$, set the leak factor to 0. As can be observed from Tab. R1 (rebuttal appendix), FEEL ($\lambda=0.0$) can achieve consistent robustness improvement over FE. This observation validates the effectiveness of our theoretical framework.

2. Significant improvement over FE and SOTA methods by the proposed implementation for average performance across different attack types ($i.e.$, FGSM, PGD, BIM, and CW). As can be observed from Fig. 3 and Fig. 4 (main paper), FEEL significantly outperforms FE (black: 6.8% over 4.2%, white: 10.8% over 4.9%, CIFAR10, VGG11, T=4). Furthermore, as described in Tab. 1 (main paper), the average improvement of StoG+FEEL (5.8%) and StoG+FE (4.6%) are 1.6 and 1.2 times larger than the improvement achieved by the SOTA method StoG [11] over vanilla method (3.6%).

3. The additional training/inference cost of the proposed method.

We would like to introduce the training/inference cost of our method in terms of 1) Training/inference time and 2) Convergence speed comparison and analysis.

1. Training/inference time. Tab. R3 (rebuttal appendix) presents the training/inference time of the proposed method and other SOTA methods, which demonstrates that the training time added by our method is less than other methods, under the same experimental settings (detailed in lines 218, 450-454 in the main paper). Compared to StoG [11], which optimizes additional stochastic gating factors for SNN robustness, our method demonstrates more efficient training times. Particularly, our method has a significant advantage over adversarial training methods such as AT [13] and RAT [9], since our method does not need additional adversarial data for training.

2. Convergence speed comparison and analysis. As shown in Fig. R2 (rebuttal appendix), incorporating our FEEL module results in faster convergence of the training loss. This may be due to the fact that our EL increases the learning ability of the network, making it converge faster.

In summary, these observations further confirm the superiority of our approach in terms of training and inference costs.

Dear Reviewer uyY9:

Following extensive communication and discussion with the other two reviewers, they acknowledged the contribution of our work and subsequently raised their scores to positive. In light of this and the detailed responses provided in our rebuttal, we hope our feedback has adequately addressed your concerns. We sincerely request your reconsideration of our manuscript.

If you have any further questions or comments, we would be pleased to provide additional responses. We understand the approaching deadline for author-reviewer discussion and are afraid you may get further comments we cannot respond in time due to the closing of the system. However, we will try our best to discuss or address the potential issues you may raise in the final version of our paper.

Below, we concisely summarize our responses to your concerns to facilitate a quick review.

• Theoretical Framework: Your first concern relates to the rationality of our theoretical framework. To address this, we provide two cases: (1) treating the leak factor as a hyperparameter and (2) treating it as a learnable parameter. These cases illustrate that the leak factor in term 1 does not affect other terms within the framework, ensuring model robustness.
• Method Performance: Your second concern pertains to the performance of our method. We present an alternative implementation based on theoretical analysis and the average performance of FE and FEEL across various attack types, demonstrating that our robustness improvements are consistent and significant.
• Training/Inference Costs: Your third concern involves the costs associated with training and inference. We compare (1) training/inference time and (2) convergence speed to confirm the superiority of our approach in these aspects.

We look forward to hearing from you soon.

Best regards,

Authors of paper 3953

Dear Reviewer uyY9：

We feel incredibly fortunate to have received such valuable comments from experts like yourself. Because you and the other two reviewers all with the highest confidence scores and provide very professional suggestions to further improve the quality of our paper.

Following thorough discussions with the other two reviewers, we have gained significant insights, and both other reviewers raised their initial ratings, from 6 to 7 and from 4 to 5, respectively. These positive feedbacks are really encouraging.

We are eager to engage with you and learn from your perspectives. We will await your reply until the deadline and will respond promptly to any additional concerns you may have.

We look forward to your feedback.

Best regards,

The Authors of Paper 3953

Dear Reviewer uyY9:

Thanks for your constructive suggestions on our work. Given that the discussion period is closing in the next 3 hours, if you have any further questions, please feel free to reach out to us. We will remain attentive to any new concerns and will respond promptly.

In the event that we do not receive any feedback, we assure you that all rebuttal content will be incorporated into the final version of our paper, and we will release the relevant code to ensure the reproducibility of our experiments.

Once again, we sincerely appreciate your time and contribution to improving our paper.

We look forward to your feedback.

Best regards,

The Authors of Paper 3953