While security vulnerabilities in traditional Deep Neural Networks (DNNs) have been extensively studied, the susceptibility of Spiking Neural Networks (SNNs) to adversarial attacks remains mostly underexplored. Until now, the mechanisms to inject backdoors into SNN models have been limited to digital scenarios; thus, we present the first evaluation of backdoor attacks in real-world environments. We begin by assessing the applicability of existing digital backdoor attacks and identifying their limitations for deployment in physical environments. To address each of the found limitations, we present three novel backdoor attack methods on SNNs, i.e., Framed, Strobing, and Flashy Backdoor. We also assess the effectiveness of traditional backdoor procedures and defenses adapted for SNNs, such as pruning, fine-tuning, and fine-pruning. The results show that while these procedures and defenses can mitigate some attacks, they often fail against stronger methods like Flashy Backdoor or sacrifice too much clean accuracy, rendering the models unusable. Overall, all our methods can achieve up to a 100% Attack Success Rate while maintaining high clean accuracy in every tested dataset. Additionally, we evaluate the stealthiness of the triggers with commonly used metrics, finding them highly stealthy. Thus, we propose new alternatives more suited for identifying poisoned samples in these scenarios. Our results show that further research is needed to ensure the security of SNN-based systems against backdoor attacks and their safe application in real-world scenarios. The code, experiments, and results are available in our repository.