Papers
Topics
Authors
Recent
Search
2000 character limit reached

NeuroStrike: Exploiting Neural Vulnerabilities

Updated 2 July 2026
  • NeuroStrike is an attack framework targeting neural systems by exploiting sparse, specialized safety neurons in LLMs and neuromorphic architectures.
  • It employs white-box and black-box methodologies, where pruning less than 0.6% of neurons can boost attack success rates from ~12% to ~76.9% in LLMs.
  • Neuromorphic attacks mimic legitimate spiking activity via weight tampering and input poisoning, threatening systems in autonomous vehicles, medical devices, and IoT.

NeuroStrike refers to two distinct, high-impact attack mechanisms revealed in recent security research targeting advanced neural systems: (1) neuron-level attacks undermining safety alignment in LLMs, and (2) neuromorphic mimicry attacks against brain-inspired computing hardware. Despite differing technical substrates, these approaches expose fundamental vulnerabilities in models and architectures that concentrate critical behaviors in sparse or specialized substructures, enabling attackers to neutralize safeguards with minimal intervention.

1. Neuron-Level Attacks on Aligned LLMs

NeuroStrike in the context of LLMs designates a generalizable attack framework that exploits the concentration of safety logic in sparse, specialized neurons—“safety neurons”—introduced by current alignment methods such as supervised fine-tuning (SFT) and reinforcement learning from human feedback (RLHF), including Group Relative Policy Optimization (GRPO). These safety neurons manifest as a latent subnetwork whose activations sharply distinguish malicious prompts XM\mathcal{X}_M from benign ones XB\mathcal{X}_B (Wu et al., 15 Sep 2025).

Formally, given MLP activations h(x)Rdh^{\ell}(x)\in\mathbb{R}^d at layer \ell, and using a threshold τ\tau, safety neurons are identified as:

S={iExXM[hi(x)]ExXB[hi(x)]>τ}S = \bigl\{\,i \mid \mathbb{E}_{x\in\mathcal{X}_M}[h^{\ell}_i(x)] - \mathbb{E}_{x\in\mathcal{X}_B}[h^{\ell}_i(x)] > \tau \bigr\}

These neurons are specialized (convey the "refuse" signal), sparse (<0.6%<0.6\% per layer), and their indices transfer across architectures, fine-tuning, distillation, and modality variations.

2. White-Box Attack Methodology

In a white-box scenario, where full model state and activation traces are available, NeuroStrike operates in two phases:

  1. Safety-Neuron Identification: Aggregating balanced sets of benign and malicious prompts, NeuroStrike records per-neuron activations, computes importance scores, and fits a linear probe (logistic regression) to distinguish prompt types. Neuron importances (wiw_i) are converted to zz-scores, with outliers (zi>zthr|z_i|>z_{\rm thr}, typically XB\mathcal{X}_B0) yielding XB\mathcal{X}_B1.
  2. Inference-Time Neuron Pruning: During inference, targeted neurons in set XB\mathcal{X}_B2 are zeroed in each forward pass:

XB\mathcal{X}_B3

Empirically, pruning less than XB\mathcal{X}_B4 of neurons elevates attack success rate (ASR) from XB\mathcal{X}_B5 (unaltered) to XB\mathcal{X}_B6, demonstrating that most safety logic is not redundantly enforced.

3. Black-Box LLM Profiling Attack

NeuroStrike introduces a black-box attack by leveraging the transferability of safety neuron indices:

  • Surrogate Training: A small LLM XB\mathcal{X}_B7 is trained (using SFT) to map generic malicious requests to jailbreak prompts. GRPO further tunes XB\mathcal{X}_B8, balancing rewards for jailbreak efficacy and low safety neuron activation (stealth), with reward:

XB\mathcal{X}_B9

  • Transfer and Deployment: Prompts that evade safety neurons on the surrogate reliably traverse black-box models with correlated safety neuron indices, requiring only binary pass/fail output for adaptation.

This approach achieves an average ASR of 63.7% against proprietary black-box systems, including variants from Google Gemini and xAI Grok, substantially higher than vanilla or manual jailbreaks.

4. Empirical Validation and Benchmarks

Extensive experiments were performed across more than 20 open-weight LLMs (LLaMA, Qwen, Phi, Gemma, DeepSeek, QwQ, and derivatives), fine-tuned models (e.g., UltraMedical, Doctor, Coder), distilled models, and multiple proprietary black-box deployments. Methodology includes:

  • Datasets: Balanced 7,000 benign / 7,000 malicious prompts for safety neuron identification; evaluation using StrongREJECT, HarmBench, TDC23-RedTeaming, and MaliciousInstruct datasets.
  • Multimodal Testing: NSFW image and text-to-image conversions.
  • Metrics: ASR, Safety-Neuron Ratio (h(x)Rdh^{\ell}(x)\in\mathbb{R}^d0), downstream utility on GLUE, HellaSwag, WinoGrande, ARC, OpenBookQA, CoLA.

Key outcomes:

  • White-box pruning: h(x)Rdh^{\ell}(x)\in\mathbb{R}^d1 neuron removal increases ASR h(x)Rdh^{\ell}(x)\in\mathbb{R}^d2; pruning h(x)Rdh^{\ell}(x)\in\mathbb{R}^d3 of safety neurons h(x)Rdh^{\ell}(x)\in\mathbb{R}^d4 ASR.
  • Multimodal LLMs: Text-identified neuron pruning yields h(x)Rdh^{\ell}(x)\in\mathbb{R}^d5 T2I ASR and h(x)Rdh^{\ell}(x)\in\mathbb{R}^d6 NSFW image ASR.
  • Transfer: Baseline h(x)Rdh^{\ell}(x)\in\mathbb{R}^d7 fine-tuned models ASR h(x)Rdh^{\ell}(x)\in\mathbb{R}^d8; ASR on distilled models h(x)Rdh^{\ell}(x)\in\mathbb{R}^d9.
  • Defenses: Against Perplexity filter, SmoothLLM, and LSE, NeuroStrike reaches \ell0 ASR.
  • Utility impact: Downstream task performance decreases by at most \ell1pp on hard benchmarks.

5. Theoretical and Practical Implications

NeuroStrike reveals that the concentration of safety-critical logic in sparse latent subnetworks introduces single points of failure. Attack scalability arises from rapid probe-based discovery (\ell2 neurons) and minimal pruning burden. Generality is supported by transferability across model size, architecture, modality, and fine-tuning/distillation lineages.

Limitations:

  • White-box attacks require internal access or supply-chain presence.
  • Black-box attacks depend on surrogate-target similarity; distributional mismatches can lower ASR.
  • Models with distributed (less sparse) safety logic require increased neuron pruning, partially mitigating attack efficacy.

Proposed defenses include diffusing safety logic via multi-objective alignment, scattering safety among Mixture-of-Experts submodels, runtime monitoring of suppression patterns, random neuron masking, and model-integrity attestation.

6. NeuroStrike in Neuromorphic Computing

In neuromorphic systems, NeuroStrike refers to Neuromorphic Mimicry Attacks (NMAs), which exploit the event-driven, stochastic nature of spiking neural hardware (Ravipati, 21 May 2025). Attackers mimic legitimate neural activity through:

  • Synaptic Weight Tampering: Perturbations \ell3 are crafted with matching first- and second-order statistics to legitimate STDP updates:

\ell4

  • Input Poisoning: Low-amplitude waveforms are injected on a subset \ell5 of sensory channels to induce imperceptible spike-rate deviations:

\ell6

Both methods ensure attack traces blend with system-intrinsic variability, measured via Mahalanobis distance \ell7 on feature vectors \ell8 over sliding windows. The Stealth Factor (\ell9) formalizes attack detectability by normal anomaly detectors.

Simulated evaluations on 1,000-neuron SNNs indicate high attack success (weight tampering τ\tau0, input poisoning τ\tau1), low detection rates by standard IDSs (τ\tau2), and moderate success for neural-specific anomaly detection (τ\tau3).

Practical systems at risk include autonomous vehicles, medical implants, and IoT edge devices, due to persistence of neural perturbations across firmware updates and online learning events.

Defensive mechanisms: neural-specific anomaly detection (Gaussian windowed statistics, Mahalanobis threshold), cryptographically signed weight updates using hardware security modules, challenge–response pattern testing, synaptic mapping diversity, and layered neuromorphic-network IDS fusion.

7. Summary and Research Significance

NeuroStrike encompasses a class of attacks on both software-aligned LLMs and neuromorphic hardware that exploit sparsity and specialization in neural substrates to defeat safety, alignment, or security protocols. The research underscores the necessity for distributed, redundant, and architecture-integrated safety approaches in both deep learning and neuromorphic engineering. The identified vulnerabilities motivate ongoing work in diversifying alignment signals, securing neural state transitions, and developing robust, multi-layered anomaly detection strategies to safeguard future adaptive intelligent systems (Wu et al., 15 Sep 2025, Ravipati, 21 May 2025).

Definition Search Book Streamline Icon: https://streamlinehq.com
References (2)

Topic to Video (Beta)

No one has generated a video about this topic yet.

Whiteboard

No one has generated a whiteboard explanation for this topic yet.

Follow Topic

Get notified by email when new papers are published related to NeuroStrike.