Neuromorphic Mimicry Attacks (NMAs)

• Neuromorphic Mimicry Attacks (NMAs) are security threats that covertly manipulate the state of neuromorphic systems by exploiting the event-driven and stochastic nature of spiking neural networks.
• They employ techniques such as input-stream manipulation, hardware-level timing mimicry, and adversarial example generation to bypass conventional anomaly detectors.
• Applications in neuromorphic vision and secure embedded systems highlight the need for advanced detection methods and robust defense protocols.

Neuromorphic Mimicry Attacks (NMAs) are a class of security threats that exploit the unique computational and physical properties of neuromorphic systems, including spiking neural networks (SNNs) and their hardware substrates such as memristive in-memory computing architectures. By deliberately crafting perturbations—at the inputs, system timing, or device state level—that statistically or functionally resemble legitimate neural or device-driven noise, NMAs achieve covert manipulation, model extraction, or system subversion while remaining largely undetectable by conventional or naive anomaly detectors. NMAs encompass data-poisoning backdoors, adversarial examples, hardware-level tampering, and side-channel camouflage, all optimized for the event-driven, sparse, and stochastic nature of brain-inspired computing.

1. Formal Definition and Theoretical Model

An NMA is an attack $A = (A_w, A_x)$ that modifies the neuromorphic system's state (synaptic weights $S$ and/or input event stream $X$) to $(S', X')$ such that the compromised output $Y'=f(S', X')$ is adversarially manipulated, yet the statistical signature of $(S', X')$ remains within the natural variability of benign system operation. The formal constraint is

$$D\bigl( P(\phi(S', X')), \; P(\phi(S, X)) \bigr) \leq \varepsilon_s,$$

where $\phi$ denotes feature extraction (e.g., spike rates, latencies), $P(\cdot)$ is the empirical distribution, $D$ is a divergence metric (KL, total variation), and $S$0 sets the stealth threshold (Ravipati, 21 May 2025). The attack objective is to maximize the probability of success (e.g., targeted classification error, model extraction) under this statistical constraint and additional adversary-specific operational constraints.

Mechanistically, NMAs leverage the event-domain characteristics of SNNs. The system is often realized as a composition of leaky integrate-and-fire (LIF) spiking neurons, where membrane potential $S$1 and synaptic conductance $S$2 in hardware evolve under both algorithmic and device-level stochasticity (Sorrentino et al., 23 Jan 2026). In SNN implementations with spike-timing-dependent plasticity (STDP), small covert weight changes or carefully-timed input spikes can manipulate function without exceeding detection thresholds on observable statistics.

2. Attack Methodologies

2.1 Input-Stream and Backdoor Injection

NMAs against SNNs frequently implement labeled backdoors by injecting "trigger" spike patterns into a small fraction $S$3 of the training event streams. Each event stream $S$4 is typically a four-dimensional tensor $S$5 (time, polarity, height, width), and trigger insertion is realized by adding or flipping spike events in a structured or dynamic manner. Variants include (Abad et al., 2023):

• Static square triggers: Fixed spatio-polarity patterns.
• Moving triggers: Temporally shifting patterns to evade static anomaly detection.
• Smart triggers: Locate the most active subregion and use least-frequent polarity to minimize detection.
• Dynamic autoencoder-based triggers: Unique, per-input triggers generated by a spiking autoencoder, constrained in $S$6 norm for imperceptibility.

2.2 Hardware and Timing-Level Mimicry

At the hardware-software interface, NMAs manipulate memristive state or exploit device-specific timing for stealth. Approaches include (Sorrentino et al., 23 Jan 2026, Ravipati, 21 May 2025):

• Weight tampering: Small, random perturbations to a subset of synaptic weights ($S$710%) that induce misbehavior without shifting network statistics outside normal operational envelopes.
• Sensory poisoning: Injection of low-rate, temporally coordinated spikes into the input stream to mimic background sensor or device noise.
• Timing-based mimicry: Injection of faults or triggers precisely synchronized to expected membrane potential transitions or retention drift, blending seamlessly into stochastic device signatures.
• Device-level camouflage: Hardware Trojans activated only under specific combinations of temperature, voltage, and spike statistics.

2.3 Adversarial Example Generation

NMAs also encompass adversarial example techniques tailored for neuromorphic settings, such as the Spike-PTSD methodology (Jin et al., 2 Apr 2026). These attacks operate at the spike-train level, perturbing only a small subset (1–5%) of neurons in critical layers to mirror abnormal biological firing (as observed in PTSD), achieved through spike-scaling transformations and dual loss optimization that couples adversarial success to bio-plausibility regularization.

2.4 Dynamic Vision Sensor (DVS) Event Attacks

Attacks on event-camera streams (DVS) leverage sparsity and temporal structure. Techniques such as Sparse Attack, Frame Attack, Corner Attack, Dash Attack, and Mask-Filter-Aware Dash Attack introduce carefully crafted events that mimic natural DVS noise patterns, optimized to bypass even advanced spatio-temporal and rate-based noise filters (Marchisio et al., 2021).

3. Threat Models and Targeted Systems

The core threat models for NMAs span white-, gray-, and black-box scenarios:

• Training-time backdoors: The adversary has white-box or semi-white-box control during outsourced SNN training, enabling precise insertion of triggers and label flips (Abad et al., 2023).
• Hardware-level manipulation: The adversary may access hardware for fault injection, side-channel observation, or targeted MEMRISTOR stress (e.g., row-hammer analogs) (Sorrentino et al., 23 Jan 2026).
• Input-stream manipulation: Black-box access to system I/O suffices for event-stream or side-channel mimicry, given sufficient knowledge or access to system statistics (Ravipati, 21 May 2025).

Targeted domains include neuromorphic vision, autonomous driving, sensor fusion, and embedded secure computation—contexts in which event-driven and hardware-efficient SNNs are increasingly deployed.

4. Quantitative Impact and Benchmarks

Empirical studies demonstrate extremely high attack success rates (ASR), frequently reaching 95–100% with negligible clean-accuracy drops and minimal statistical detectability:

Attack	Dataset	ASR (%)	Clean Accuracy Drop (%)	Stealth Metric (SSIM/Detectability)
Static trigger	N-MNIST	100	<1	SSIM ≈ 98%
Smart trigger	CIFAR10-DVS	≥99	≤4	SSIM up to 99.9% (dynamic trigger)
Spike-PTSD	CIFAR10-DVS	99.4	<5 (perturbed neurons)	Only 1–5% of neurons perturbed
Dash attack	NMNIST	0 (acc.)	≥65 (accuracy loss)	Border events mimic DVS noise
Weight tamper	Simulated SNN	92	≈5	Spike freq. var. increase <1%

Detection remains challenging: human study shows only 4% dynamic-trigger detection at $S$8, and neural-specific anomaly detectors can reach 85% attack detection while generic IDS remain below 20% (Abad et al., 2023, Ravipati, 21 May 2025, Marchisio et al., 2021).

5. Defense Mechanisms and Limitations

5.1 Adapted Classic Defenses

Image-domain backdoor and adversarial defenses, including ABS, STRIP, Spectral Signatures, and Fine-Pruning, are largely ineffective in neuromorphic contexts (Abad et al., 2023). They either yield high false positives (ABS), fail due to low entropy (STRIP), or do not separate poisoned from clean clusters in spike-dominated latent space (Spectral Signatures).

5.2 SNN/Neuromorphic-Specific Defenses

More promising are cross-layer and device-aware defenses:

• Neural anomaly detection: Monitors spike frequency and weight change distributions, flagging z-score outliers. Achieved up to 85% detection; however, certain input-poisoning attacks still evade at least 15% of the time (Ravipati, 21 May 2025).
• Secure learning protocols: Weight updates are signed and verified with hardware root keys; Merkle-tree-based tamper logs limit unauthorized changes. Detection rates improve to 60% for weight tampering but remain only 30% effective for sensory injection attacks.
• Side-channel, timing, and power profiling: Correlate spiking statistics with hardware power/timing traces; ring oscillator sensors can detect unusual power drops not attributable to legitimate spikes (Sorrentino et al., 23 Jan 2026).
• Coding/randomization approaches: Cryptographically seeded spike timing jitter and weight randomization can disrupt precomputed mimicry triggers, but introduce nontrivial energy or performance tradeoffs.

5.3 Filtering-Based Defenses for Event Streams

Spatio-temporal filtering (Background Activity Filter, Mask Filter) can block some attacks if perturbations are dense or naively accumulated, but fail against attacks designed to mimic peripheral flicker or DVS hot-pixel statistics (e.g., Mask-Filter-Aware Dash) (Marchisio et al., 2021). Rate-limited, spatially-sparse perturbations systematically bypass threshold-based masking.

6. Open Challenges and Future Research Directions

There remain several pressing open problems and recommended research lines:

• Cross-layer benchmarks: Realistic, open-source testbeds combining full SNN simulation, hardware-level noise, and variability models are lacking; a standard "Mimicry Challenge Suite" is needed (Sorrentino et al., 23 Jan 2026).
• Energy-robust security: Many defense techniques consume additional energy or increase latency, directly competing with the energy efficiency priorities of neuromorphic hardware.
• Hardware/software co-design: Coordinated integration of PUF/PRNG primitives, secure update protocols, and randomized encodings is necessary to balance real-time constraints with robust protection.
• Material-level robustness: Close collaboration between device physicists and system security researchers is required to understand vulnerability amplification or mitigation arising from memristor heterogeneity and nonlinearity.
• Compositional threat evaluation: NMAs co-occur with classic adversarial, model extraction, and membership inference attacks. Comprehensive, domain-specific evaluations are essential.

A plausible implication is that any deployment of neuromorphic event-driven systems, especially where training or hardware handling is outsourced or not physically secured, must be systematically vetted against diverse and sophisticated NMAs using both statistical and structural model audits. Technological and procedural innovations tailored to the event-driven, bio-inspired paradigm are critical for robust, trustworthy neuromorphic computing (Abad et al., 2023, Sorrentino et al., 23 Jan 2026, Ravipati, 21 May 2025, Jin et al., 2 Apr 2026, Marchisio et al., 2021).