Spiking neural networks (SNNs) have attracted much attention for their high energy efficiency and for recent advances in their classification performance. However, unlike traditional deep learning approaches, the analysis and study of the robustness of SNNs to adversarial examples remain relatively underdeveloped. In this work, we focus on advancing the adversarial attack side of SNNs and make three major contributions. First, we show that successful white-box adversarial attacks on SNNs are highly dependent on the underlying surrogate gradient technique, even in the case of adversarially trained SNNs. Second, using the best surrogate gradient technique, we analyze the transferability of adversarial attacks on SNNs and other state-of-the-art architectures like Vision Transformers (ViTs) and Big Transfer Convolutional Neural Networks (CNNs). We demonstrate that the adversarial examples created by non-SNN architectures are not often misclassified by SNNs. Third, due to the lack of a ubiquitous white-box attack that is effective across both the SNN and CNN/ViT domains, we develop a new white-box attack, the Auto Self-Attention Gradient Attack (Auto-SAGA). Our novel attack generates adversarial examples capable of fooling both SNN and non-SNN models simultaneously. Auto-SAGA is as much as $91.1\%$ more effective on SNN/ViT model ensembles and provides a $3\times$ boost in attack effectiveness on adversarially trained SNN ensembles compared to conventional white-box attacks like Auto-PGD. Our experiments and analyses are broad and rigorous, covering three datasets (CIFAR-10, CIFAR-100 and ImageNet), five different white-box attacks and nineteen classifier models (seven for each CIFAR dataset and five models for ImageNet).