Membership Privacy Evaluation in Deep Spiking Neural Networks
摘要
Although Artificial Neural Networks (ANNs) have achieved remarkable success in multiple tasks, e.g., face recognition and object detection, Spiking Neural Networks (SNNs) have recently attracted attention due to their low power consumption, fast inference, and event-driven properties. It is well-known that ANNs are vulnerable to the Membership Inference Attack (MIA), but whether the same applies to SNNs has not been explored. In this paper, we evaluate the membership privacy of SNNs by considering eight MIAs, seven of which are inspired by MIAs against ANNs. Our evaluation results show that SNNs are more vulnerable (maximum 10% higher in terms of balanced attack accuracy) than ANNs when both are trained with neuromorphic datasets (with time dimension). On the other hand, when training ANNs or SNNs with static datasets, the vulnerability depends on the dataset used. If we convert ANNs trained with static datasets to SNNs, the accuracy of MIAs drops (maximum 11.5% with a reduction of 7.6% on the test accuracy of the target model). Next, we explore the impact factors of MIAs on SNNs by conducting a hyperparameter study. Finally, we show that the basic data augmentation method for static datasets and two recent data augmentation methods for neuromorphic datasets can considerably (maximum reduction of 25.7%) decrease MIAs’ performance on SNNs. Regardless, the accuracy of MIAs could still be between 51.7% and 66.4% with data augmentation, indicating data augmentation cannot fully prevent MIAs on SNNs.