NeuroStrike: Exploiting Neural Vulnerabilities
- NeuroStrike is an attack framework targeting neural systems by exploiting sparse, specialized safety neurons in LLMs and neuromorphic architectures.
- It employs white-box and black-box methodologies, where pruning less than 0.6% of neurons can boost attack success rates from ~12% to ~76.9% in LLMs.
- Neuromorphic attacks mimic legitimate spiking activity via weight tampering and input poisoning, threatening systems in autonomous vehicles, medical devices, and IoT.
NeuroStrike refers to two distinct, high-impact attack mechanisms revealed in recent security research targeting advanced neural systems: (1) neuron-level attacks undermining safety alignment in LLMs, and (2) neuromorphic mimicry attacks against brain-inspired computing hardware. Despite differing technical substrates, these approaches expose fundamental vulnerabilities in models and architectures that concentrate critical behaviors in sparse or specialized substructures, enabling attackers to neutralize safeguards with minimal intervention.
1. Neuron-Level Attacks on Aligned LLMs
NeuroStrike in the context of LLMs designates a generalizable attack framework that exploits the concentration of safety logic in sparse, specialized neurons—“safety neurons”—introduced by current alignment methods such as supervised fine-tuning (SFT) and reinforcement learning from human feedback (RLHF), including Group Relative Policy Optimization (GRPO). These safety neurons manifest as a latent subnetwork whose activations sharply distinguish malicious prompts from benign ones (Wu et al., 15 Sep 2025).
Formally, given MLP activations at layer , and using a threshold , safety neurons are identified as:
These neurons are specialized (convey the "refuse" signal), sparse ( per layer), and their indices transfer across architectures, fine-tuning, distillation, and modality variations.
2. White-Box Attack Methodology
In a white-box scenario, where full model state and activation traces are available, NeuroStrike operates in two phases:
- Safety-Neuron Identification: Aggregating balanced sets of benign and malicious prompts, NeuroStrike records per-neuron activations, computes importance scores, and fits a linear probe (logistic regression) to distinguish prompt types. Neuron importances () are converted to -scores, with outliers (, typically 0) yielding 1.
- Inference-Time Neuron Pruning: During inference, targeted neurons in set 2 are zeroed in each forward pass:
3
Empirically, pruning less than 4 of neurons elevates attack success rate (ASR) from 5 (unaltered) to 6, demonstrating that most safety logic is not redundantly enforced.
3. Black-Box LLM Profiling Attack
NeuroStrike introduces a black-box attack by leveraging the transferability of safety neuron indices:
- Surrogate Training: A small LLM 7 is trained (using SFT) to map generic malicious requests to jailbreak prompts. GRPO further tunes 8, balancing rewards for jailbreak efficacy and low safety neuron activation (stealth), with reward:
9
- Transfer and Deployment: Prompts that evade safety neurons on the surrogate reliably traverse black-box models with correlated safety neuron indices, requiring only binary pass/fail output for adaptation.
This approach achieves an average ASR of 63.7% against proprietary black-box systems, including variants from Google Gemini and xAI Grok, substantially higher than vanilla or manual jailbreaks.
4. Empirical Validation and Benchmarks
Extensive experiments were performed across more than 20 open-weight LLMs (LLaMA, Qwen, Phi, Gemma, DeepSeek, QwQ, and derivatives), fine-tuned models (e.g., UltraMedical, Doctor, Coder), distilled models, and multiple proprietary black-box deployments. Methodology includes:
- Datasets: Balanced 7,000 benign / 7,000 malicious prompts for safety neuron identification; evaluation using StrongREJECT, HarmBench, TDC23-RedTeaming, and MaliciousInstruct datasets.
- Multimodal Testing: NSFW image and text-to-image conversions.
- Metrics: ASR, Safety-Neuron Ratio (0), downstream utility on GLUE, HellaSwag, WinoGrande, ARC, OpenBookQA, CoLA.
Key outcomes:
- White-box pruning: 1 neuron removal increases ASR 2; pruning 3 of safety neurons 4 ASR.
- Multimodal LLMs: Text-identified neuron pruning yields 5 T2I ASR and 6 NSFW image ASR.
- Transfer: Baseline 7 fine-tuned models ASR 8; ASR on distilled models 9.
- Defenses: Against Perplexity filter, SmoothLLM, and LSE, NeuroStrike reaches 0 ASR.
- Utility impact: Downstream task performance decreases by at most 1pp on hard benchmarks.
5. Theoretical and Practical Implications
NeuroStrike reveals that the concentration of safety-critical logic in sparse latent subnetworks introduces single points of failure. Attack scalability arises from rapid probe-based discovery (2 neurons) and minimal pruning burden. Generality is supported by transferability across model size, architecture, modality, and fine-tuning/distillation lineages.
Limitations:
- White-box attacks require internal access or supply-chain presence.
- Black-box attacks depend on surrogate-target similarity; distributional mismatches can lower ASR.
- Models with distributed (less sparse) safety logic require increased neuron pruning, partially mitigating attack efficacy.
Proposed defenses include diffusing safety logic via multi-objective alignment, scattering safety among Mixture-of-Experts submodels, runtime monitoring of suppression patterns, random neuron masking, and model-integrity attestation.
6. NeuroStrike in Neuromorphic Computing
In neuromorphic systems, NeuroStrike refers to Neuromorphic Mimicry Attacks (NMAs), which exploit the event-driven, stochastic nature of spiking neural hardware (Ravipati, 21 May 2025). Attackers mimic legitimate neural activity through:
- Synaptic Weight Tampering: Perturbations 3 are crafted with matching first- and second-order statistics to legitimate STDP updates:
4
- Input Poisoning: Low-amplitude waveforms are injected on a subset 5 of sensory channels to induce imperceptible spike-rate deviations:
6
Both methods ensure attack traces blend with system-intrinsic variability, measured via Mahalanobis distance 7 on feature vectors 8 over sliding windows. The Stealth Factor (9) formalizes attack detectability by normal anomaly detectors.
Simulated evaluations on 1,000-neuron SNNs indicate high attack success (weight tampering 0, input poisoning 1), low detection rates by standard IDSs (2), and moderate success for neural-specific anomaly detection (3).
Practical systems at risk include autonomous vehicles, medical implants, and IoT edge devices, due to persistence of neural perturbations across firmware updates and online learning events.
Defensive mechanisms: neural-specific anomaly detection (Gaussian windowed statistics, Mahalanobis threshold), cryptographically signed weight updates using hardware security modules, challenge–response pattern testing, synaptic mapping diversity, and layered neuromorphic-network IDS fusion.
7. Summary and Research Significance
NeuroStrike encompasses a class of attacks on both software-aligned LLMs and neuromorphic hardware that exploit sparsity and specialization in neural substrates to defeat safety, alignment, or security protocols. The research underscores the necessity for distributed, redundant, and architecture-integrated safety approaches in both deep learning and neuromorphic engineering. The identified vulnerabilities motivate ongoing work in diversifying alignment signals, securing neural state transitions, and developing robust, multi-layered anomaly detection strategies to safeguard future adaptive intelligent systems (Wu et al., 15 Sep 2025, Ravipati, 21 May 2025).