

# Input-Triggered Hardware Trojan Attack on Spiking Neural Networks

Spyridon Raptis\*, Paul Kling\*, Ioannis Kaskampas\*, Ihsen Alouani†, Haralampos-G. Stratigopoulos\*

\*Sorbonne Université, CNRS, LIP6, Paris, France

†CSIT, Queen's University Belfast, Belfast, UK

**Abstract**—Neuromorphic computing based on spiking neural networks (SNNs) is emerging as a promising alternative to traditional artificial neural networks (ANNs), offering unique advantages in terms of low power consumption. However, the security aspect of SNNs is under-explored compared to their ANN counterparts. As the increasing reliance on AI systems comes with unique security risks and challenges, understanding the vulnerabilities and threat landscape is essential as neuromorphic computing matures. In this effort, we propose a novel input-triggered Hardware Trojan (HT) attack for SNNs. The HT mechanism is condensed in the area of one neuron. The trigger mechanism is an input message crafted in the spiking domain such that a selected neuron produces a malicious spike train that is not met in normal settings. This spike train triggers a malicious modification in the neuron that forces it to saturate, firing permanently and failing to recover to its resting state even when the input activity stops. The excessive spikes pollute the network and produce misleading decisions. We propose a methodology to select an appropriate neuron and to generate the input pattern that triggers the HT payload. The attack is illustrated by simulation on three popular benchmarks in the neuromorphic community. We also propose a hardware implementation for an analog spiking neuron and a digital SNN accelerator, demonstrating that the HT has a negligible area and power footprint and, thereby, can easily evade detection.

**Index Terms**—Neuromorphic computing, spiking neural networks, hardware security and trust, hardware Trojans.

## I. INTRODUCTION

Neuromorphic architectures having as basis spiking neural networks (SNNs) offer a fundamentally different approach in information processing compared to conventional artificial neural networks (ANNs). By mimicking the functionality of the biological brain, SNNs process data in an asynchronous, event-driven fashion. This property makes SNNs less computationally and energy-intensive, thus carrying promising opportunities for the increasingly demanding requirements of artificial intelligence (AI) [1], [2]. In particular, in SNNs the information is processed in the form of spike trains and is encoded in the timing between spikes or in the spike firing rate. Spikes are processed as soon as they are generated, thus offering real-time processing and a low-latency inference. Power is consumed only when a neuron fires a spike, allowing SNNs to achieve ultra low-power computations [1], [2]. Nowadays,

This work was supported by the French National Research Agency (ANR) and the UK Research and Innovation (UKRI), Engineering and Physical Sciences Research Council (EPSRC), through the European CHIST-ERA program under the project TruBrain (Grants N° ANR-23-CHR4-0004-01 and EP/Y03631X/1, respectively) and by the European Network of Excellence dAIEDGE (Grant N° 101120726).

there are intensive efforts in designing hardware platforms for neuromorphic computing [3]–[7].

With AI applications going mainstream, including in safety-critical and security-sensitive domains, there has been extensive interest in the security of the different architectures at different stages of their training and deployment pipeline [8]–[10]. The threat landscape includes: (a) misusing the AI system for malicious purposes, i.e., via adversarial [11] and backdoor attacks [12]; (b) stealing or reverse engineering the neural network model which is often considered an asset, for example via a power or timing side-channel attack [13]; (c) compromising the functionality of the AI application, i.e., via fault injection attacks [14] or Hardware Trojans (HTs) [15]; (d) and undermining the privacy, i.e., inference attacks [16] aiming at deducing sensitive information about the data or the model use. Security in AI should be a priority so as to ensure its safe integration into society, prevent misuse, and foster trust in this transformative technology. Specifically for SNNs, security threats that have been studied include adversarial attacks [17]–[24], backdoor attacks [25], fault injection attacks [26], side-channel attacks [27]–[29], and HTs [30].

In this work, we focus on the HT attack. A HT is a malicious modification of the hardware consisting of a triggering mechanism and a payload mechanism, i.e., the malicious functionality executed when the HT is triggered [31]. A plethora of HT designs has been proposed to date for different circuit classes that can be generic or specific within a circuit class. Consequently, a taxonomy is proposed according to the attacker, victim circuit type, attack insertion level (i.e., RTL, gate-level, transistor-level, layout level), trigger type (i.e., random, input-defined, always on), and payload (i.e., information leakage, performance degradation, function modification, denial-of-service) [32], [33]. An attacker aims at inserting a stealthy HT that evades known detection countermeasures, whereas a defender aims at preventing HT insertion or detecting the HT presence. HT designs range from simple ones, i.e., combinatorial and sequential [34], to more sophisticated ones, i.e., hidden side-channels [35], silicon wearout mechanisms [36], changing dopant polarity in active areas of transistors [37], siphoning charge from victim wires known as A2 attack [38], digital-to-analog attacks [39], leaking sensitive data through covert communication channels [40], etc.

In this work, we propose a novel SNN-specific HT attack where the payload is triggered through an input pattern. The proposed HT is condensed in the area within a single spiking

neuron. The triggering mechanism monitors the output of the neuron and activation happens when a specific spike pattern appears. We developed an algorithm that uses gradient back-propagation to craft a specific input in the spiking domain. This input, when propagated through the network layers, generates the desired specific spike pattern at the output of the target neuron. In other words, the HT is **externally activated** with its triggering being input-referred. The payload mechanism forces the victim neuron to saturate, producing non-stop spikes which spread through the network and propagate to the output to change the network’s decision. The saturation is permanent for any following input, resulting in high probability of misprediction, i.e., essentially the activation leads to denial-of-service. In [30], which is the only existing HT proposal for SNNs, the HT is activated when a neuron generates a given high number of spikes and the payload consists of causing bit flips in the on-chip memory storing the synaptic weights. Compared to [30], the proposed HT is localized and, thereby, it is much harder to detect by the defender. Furthermore, in [30], there was no hardware implementation. In this work, we propose hardware implementations for both SNN hardware design paradigms: analog and digital.

The remainder of this paper is structured as follows. In Section II, we present the threat model. The attack is described in Section III, including an overview of the working principle, the methodology to select the victim neuron, and the algorithm to generate the input trigger. In Section IV, we demonstrate simulation results. In Section V, we present the hardware implementations and results. In Section VI, we discuss possible countermeasures. Section VII concludes this paper.

## II. THREAT MODEL

**Context and Assumptions.** We consider a scenario where a client owns a proprietary spiking dataset and wants to train an SNN and deploy it on a hardware accelerator for a specific application. The client does not have the resources, i.e., GPU cluster, to train the model. The neuromorphic system provider offers cloud access for training as a part of the package to the client in a typical Machine Learning as a Service (MLaaS) setting. The adversary is the neuromorphic system provider. We assume the adversary has access to the SNN model architecture and dataset during the outsourced training phase. The SNN hardware accelerator is equipped with a compiler that maps the trained SNN model onto hardware-specific units.

**Adversary’s Capabilities.** The neuromorphic system provider, i.e. the adversary, has the following capabilities:

- (i) *Supply Chain Capability*: Similar to state-of-the-art HT threat model, we assume that during the design phase of the hardware accelerator, the adversary can insert a stealthy HT targeting specific hardware neurons.
- (ii) *Access to Model and Dataset*: By offering cloud-based training in a MLaaS setting, the adversary has access to both the SNN architecture and dataset provided by the client.

**Adversary’s Objectives.** The adversary’s main objective is to compromise the integrity of the SNN hardware accelerator



Fig. 1: Operating principle of proposed attack.

and its deployed application for own benefit, or is commissioned to do so by a third-party attacker, without raising suspicion. Specifically, the adversary aims to saturate a critical neuron in the SNN, causing a drastic accuracy drop **only when triggered**. The HT should remain dormant and undetected until the adversary (or a third-party attacker) applies the predefined input trigger. Once activated, the HT can disrupt the system’s performance or jeopardize the client’s application at a chosen time.

## III. PROPOSED ATTACK

### A. Principle of operation

We exploit a vulnerability that has its origin in spiking neuron faults and the error behavior they can produce at the network’s output [41]–[45]. The attack principle is illustrated in Fig. 1. The HT design is condensed in the area of one victim neuron, which we refer to as Trojan neuron. The Trojan neuron is selected such that when it behaves erroneously the accuracy of the network drops drastically. The faults that have the largest impact are dead neuron faults, i.e., the neuron halts processing any incoming spikes having a constant zero-spike output, and saturated neuron faults, i.e., the neuron fires spikes all the time, even without any external stimuli [46]. Herein, we consider a HT payload mechanism that forces the Trojan neuron to saturate, as this type of fault is the most lethal. This is because an always-on neuron pollutes the network with non-stop spikes, which can spread out quickly modifying the number or timing of output spikes based on which the network makes a decision. This HT payload choice will be justified with simulation experiments in Section IV-B. In Sections V-B and V-C, we demonstrate how neuron saturation can be implemented in both analog spiking neurons and digital SNN accelerators with negligible area and power footprint.

To select the Trojan neuron, the attacker performs a neuron fault injection experiment [47], [48] to identify the most critical neuron, as described in Section III-B. Note that the

output neurons are inherently critical. For example, in a classification application, there is one neuron per class. If a neuron saturates, the corresponding class is always selected. Given the relatively small number of neurons in the output layer, defenders can easily analyze and identify potential malicious hardware modifications. Consequently, a Trojan neuron is more effectively concealed within the larger hidden layers.

The HT triggering mechanism is a spike pattern checker that monitors the output of the Trojan neuron. The checker looks up for a specific spike pattern trigger and when it occurs the HT payload is applied to the Trojan neuron. This spike pattern is selected such that it is not met in normal operation so as to avoid accidental activation of the HT. This can be checked on the available dataset, but, in general, given the sparsity of spikes, using a spike pattern with many spikes will ensure that it will not be met. The spike pattern checker circuit design is described in Section V-A.

The HT is triggered externally. In Section III-C, we propose an algorithm to craft a spiking input that produces the desired spike pattern trigger at the output of the Trojan neuron. The algorithm uses gradient back-propagation to optimize an input with the loss function defined as the difference between the output of the Trojan neuron and the spike pattern trigger. The input can be viewed as a sequence of frames, with each frame having a number of pixels. A pixel can have a zero value or can carry a spike. Fig. 1 shows an example input from a vision dataset with blue (red) dots representing excitatory (inhibitory) spikes with positive (negative) polarity that increase (decrease) the membrane potential of the receiving neuron, making it more (less) likely to reach its threshold and spike.

We note the difference between this input trigger with respect to adversarial examples and triggers in backdoored models. In our case, the input trigger generates a spike pattern at the output of a pre-selected Trojan neuron. Adversarial attacks involve crafting small, carefully designed perturbations to an input that fools a trained model into making incorrect predictions. In backdoor attacks, malicious samples containing a trigger, i.e., images with a patch in the case of image recognition, are included in the dataset at training time. After training, a backdoor model correctly performs the task while makes incorrect predictions when the input contains the trigger. Therefore, to generate the proposed input trigger we require only the trained model, while adversarial attacks require in addition the dataset and backdoor attacks poison the dataset during training.

Fig. 1 summarizes the sequence of events when the attack is launched. The input trigger generates the spike pattern trigger at the output of the Trojan neuron. The spike pattern checker detects this trigger and the payload is applied to the Trojan neuron causing irreversible neuron saturation. The extra non-stop spikes that are generated due to the saturation mode propagate through the subsequent layers polluting the output spike trains and, thereby, leading to incorrect predictions.

Revisiting our threat model, the HT is implanted by the SNN hardware accelerator provider, e.g., the main adversary, during the design stage. At this stage, the adversary randomly selects

a neuron to serve as the Trojan neuron and inserts the HT trigger and payload mechanisms. When the victim outsources the SNN model and dataset to the adversary for training, the adversary identifies the critical neuron in the model through a fault injection campaign, selects the spike pattern trigger, and generates the input trigger. The compiler used to map the SNN model onto the hardware is manipulated such that the critical neuron is mapped onto the hardware Trojan neuron. Finally, the selected spike pattern trigger is programmed on chip. The adversary sends the Trojan-infected SNN hardware accelerator to the inconspicuous victim that can be compromised at any time by applying the input trigger. The adversary can disclose the input trigger to a third-party attacker upon request.

### B. Critical Neuron Identification

To select the Trojan neuron, the attacker can rely on a fault simulation experiment. Neuron saturation is known to be the worst-case, most catastrophic fault type, as discussed in Section III-A. Thus, the attacker can focus the analysis on this fault type. In Section IV-B, we perform fault injection for both saturated and dead neuron faults, confirming our hypothesis that saturated neuron faults are more lethal. The fault simulation experiment consists in cycling over all neurons and for one neuron at a time injecting a fault and performing inference on the complete dataset to assess the impact of the fault on the network's accuracy.

In our experiment, fault injection is performed in the Spike LAYer Error Reassignment (SLAYER) framework [49] by customizing the flow of computations. In SLAYER, the output of a layer is generated for a duration equal to the duration of the input before it is passed to the next layer. A dead neuron fault is emulated by setting the output spikes of the target neuron to zero before passing the layer's output to the next layer. Accordingly, a saturated neuron fault is emulated by forcing the target neuron to fire a spike at every time step of the global clock.

A fault is labeled as critical if one or more samples of the dataset are misclassified while previously they were correctly classified by the fault-free network, otherwise it is labeled as benign. A significant portion of faults end up being benign, whereas each critical fault results in a different accuracy drop. The analysis can be performed per layer to identify the most critical neuron per layer, i.e., the one which if it gets saturated causes the most detrimental effect on the network. These neurons become candidates for serving as the Trojan neuron. As already mentioned in Section III-A, to evade detection, it is suggested to place the Trojan neuron in one of the dense hidden layers.

### C. Input Trigger Generation

We interpret the input as being decomposed into frames of size  $W \times H$  over time and we denote it by  $I(t_k, x_{ij})$ , where  $t_k$  denotes a discrete time-step and  $x_{ij}$  denotes the spatial location on the frame,  $i = 1, \dots, W$  and  $j = 1, \dots, H$ . If the input has duration  $T$  and  $T_f$  denotes the global clock period,

then  $k = 1, \dots, T/T_f$ . At time-step  $t_k$ ,  $I(t_k, x_{ij}) = 1$  if  $x_{ij}$  carries a spike, otherwise  $I(t_k, x_{ij}) = 0$  denotes no spike.

Let  $O(t)$  denote the output spike train of the Trojan neuron, which is a binary vector, with  $O(t_k) = 1$  corresponding to a spike and  $O(t_k) = 0$  to no spike.

1) *Spike pattern trigger selection:* Let the spike pattern trigger be denoted by  $P(1 : d) \in \{0, 1\}^d$ , where  $d$  denotes its length, with  $P(i) = 1$  corresponding to a spike and  $P(i) = 0$  to no spike. Let  $[t_\alpha, t_\beta]$  be the time window when the matching between the Trojan neuron output and  $P$  is attempted, where  $1 \leq \alpha, \beta \leq T/T_f$ ,  $\alpha < \beta$ , and  $\beta - \alpha + 1 = d$ . In our implementation, without loss of generality, we define this time window to be  $[t_\alpha, t_\beta] = [1+T/T_f-d, T/T_f]$ , i.e., we consider the last  $d$  time-steps of the inference window.

The attacker needs to ensure that the probability of  $P$  occurring in normal operation is practically negligible. For this purpose, the complete dataset is applied to the SNN and the output  $O^i$  of the Trojan neuron is recorded, where  $i$  denotes the input sample index.  $P$  must have a Hamming distance of minimum one from every  $O^i((1+T/T_f-d) : T/T_f)$ :

$$d_H(O^i((1+T/T_f-d) : T/T_f), P) \geq 1, \forall i. \quad (1)$$

Another condition for selecting  $P$  is related to the refractory period  $\tau_{ref}$  of spiking neurons, referring to a period immediately following the generation of a spike during which the neuron is unable to fire another spike. This mechanism helps regulate the firing frequency of the neuron. It imposes that there should be  $\tau_{ref}$  0s between two consecutive 1s in  $P$ . This condition can be mathematically represented as:

$$P(i) * P(j) = 0, \forall j \in \{i+1, \dots, i+\tau_{ref}\}. \quad (2)$$

$P$  is selected to be a minimum length pattern that satisfies the conditions in Eqs. (1)-(2).

2) *Input trigger generation algorithm:* The objective of the input trigger generation algorithm is to craft an input  $I_{tr}$  such that  $d_H(O((1+T/T_f-d) : T/T_f), P) = 0$ . We formulate the following optimization problem:

$$I_{tr} = \arg \min_{I,T} d_H(O((1+T/T_f-d) : T/T_f), P). \quad (3)$$

For the optimization we use the Adam optimizer [50]. The challenge is to deal with the non-differentiable spike events that prevent the direct use of traditional gradient-based optimization. For this purpose, we use the Gumbel-Softmax [51], [52] and Straight Through Estimator (STE) [53] techniques. More specifically, we consider a randomly initialized real-valued input  $I_{real}$ . It is first passed through the Gumbel-Softmax function that provides a differentiable approximation of a binary input,  $I_{soft}$ , in the range  $(0, 1)$ :

$$I_{soft} = \text{GumbelSoftmax}(I_{real}, \tau), \quad (4)$$

where  $\tau$  is the temperature parameter of the Gumbel-Softmax function that controls the sharpness of the approximation. Lower temperature leads to values closer to binary, whereas higher temperature leads to values closer to each other. In our algorithm, this parameter is adaptive. In order to perform the

---

### Algorithm 1: Input trigger generation pseudo-algorithm

---

**Data:** SNN model, dataset, global clock period  $T_f$ , Trojan neuron, neurons' refractory period  $\tau_{ref}$ , maximum optimization time  $t_{limit}$

**Result:** Input trigger  $I_{tr}$

Perform full inference and record Trojan neuron outputs  $O^i$ ;

Define  $P$  of minimum length  $d$  that satisfies the conditions in Eqs. (1)-(2);

Randomize a real-valued input  $I_{real}$  with duration  $T = d \times T_f$ ;

$t \leftarrow$  current time;

$t_{limit} \leftarrow$  current time +  $t_{limit}$ ;

**while**  $\mathcal{L} \neq 0 \wedge t < t_{limit}$  **do**

- Generate the binary input  $I$  from  $I_{real}$  using Eqs. (4)-(5);
- Perform a forward pass and calculate  $\mathcal{L}$  in Eq. (6);
- if**  $\mathcal{L} = 0$  **then**

  - $I_{tr} \leftarrow I$ ;

- Perform a backward pass and use Eq. (7) to refine  $I_{real}$ ;
- $t \leftarrow$  current time;

If  $\mathcal{L} \neq 0$ , then repeat with  $T = T + 1$  and/or use a more sparse  $P$ ;

---

forward pass through the SNN model, we need to convert  $I_{soft}$  into the binary input  $I$ . This is achieved with the STE function that binarizes  $I_{soft}$  using a threshold 0.5:

$$I = \text{STE}(I_{soft}). \quad (5)$$

A forward pass is performed to compute the output  $O$  of the Trojan neuron and subsequently the objective function:

$$\mathcal{L} = d_H(O((1+T/T_f-d) : T/T_f), P) \quad (6)$$

Thereafter, in the backward pass we compute the gradient of  $\mathcal{L}$  with respect to the input  $I$ . For this purpose, we use the same back-propagation flow as during the training of the SNN model, i.e., starting from the layer of the Trojan neuron, gradients with respect to the input of the layers are propagated layer by layer moving backward to the input. When we reach the input, the STE function passes on the incoming gradient as if it was an identity function. In the next step, the Adam optimizer makes corrections to  $I_{real}$  using the learning rule:

$$I_{real} \leftarrow I_{real} - lr * \nabla_{I_{real}} \mathcal{L}, \quad (7)$$

where  $lr$  is the learning rate.

Algorithm 1 shows the complete input trigger generation pseudo-algorithm. If there is no improvement of the objective function after some time  $t_{limit}$ , to help convergence, we repeat the algorithm by increasing the input duration by one time step and/or making the trigger pattern sparser while still satisfying the Hamming distance and refractory period conditions.

## IV. SIMULATION RESULTS

### A. Case studies

The attack is demonstrated by simulation at the application level using three common benchmark datasets in the neuromorphic domain, namely the MNIST [54], IBM DVS128 Gesture [55], and Spiking Heidelberg Digits (SHD) [56] datasets. MNIST is a spiking version of the original frame-based MNIST dataset containing 70K images of handwritten digits from 0 to 9. It was produced by moving a Dynamic Vision Sensor (DVS) while it views MNIST images on an LCD monitor. The IBM DVS128 Gesture dataset was produced by a



Fig. 2: SNN architecture for the NMNIST dataset.



Fig. 3: SNN architecture for the IBM DVS128 Gesture dataset.



Fig. 4: SNN architecture for the SHD dataset.

TABLE I: SNN characteristics.

|                          | <b>NMNIST</b>           | <b>IBM</b>                | <b>SHD</b>              |
|--------------------------|-------------------------|---------------------------|-------------------------|
| Prediction accuracy      | 98.19%                  | 86.36%                    | 76.59%                  |
| # Output classes         | 10                      | 11                        | 20                      |
| # Neurons                | 1790                    | 25099                     | 404                     |
| Input spatial dimension  | $2 \times 34 \times 34$ | $2 \times 128 \times 128$ | $700 \times 1 \times 1$ |
| Input temporal dimension | 300 ms                  | 1.45 s                    | 1 s                     |
| Size training set        | 60K                     | 1080                      | 8332                    |
| Size testing set         | 10K                     | 261                       | 2088                    |

DVS capturing 11 different hand and arm gestures performed by 29 individuals under 3 different lighting conditions. The SHD dataset consists of 10420 audio recordings of spoken digits from 0 to 9 in German and English languages converted into spike trains. The SNN model architectures for the classification of the three datasets are shown in Figs. 2, 3 and 4. The SNNs for the MNIST and IBM DVS128 Gesture datasets are convolutional, while the SNN for the SHD dataset is fully-connected. The training of the SNN models was conducted using the SLAYER framework [49]. Training and inference are accelerated on an NVIDIA A100 GPU. Table I summarizes the main SNN characteristics.

#### B. Trojan neuron selection

Table II shows the partition of dead and saturated neuron faults into critical and benign, as well as the total fault simulation time. We observe that the critical saturated neuron faults outnumber the critical dead neuron faults for every SNN. This implies that a neuron becoming dead may not affect the classification accuracy, but if the same neuron becomes saturated then the accuracy may drop. We also observe that, for a given fault type, the critical faults outnumber the benign faults, except for the IBM SNN and dead neuron fault type.

Fig. 5 shows the effect of each fault type on each neuron per layer for the NMNIST SNN. Each sub-plot of Fig. 5 corresponds to one layer. The first two layers are convolutional, whereas the last three are fully-connected. For convolutional

TABLE II: Fraction of critical and benign faults for each fault type.

|                                  | <b>NMNIST</b> | <b>IBM</b>    | <b>SHD</b>      |
|----------------------------------|---------------|---------------|-----------------|
| Critical Dead Neuron Faults      | 1324          | 2501          | 390             |
| Critical Saturated Neuron Faults | 1598          | 22877         | 404             |
| Benign Dead Neuron Faults        | 466           | 22598         | 14              |
| Benign Saturated Neuron Faults   | 192           | 2222          | 0               |
| Fault Simulation Time            | $\sim 1$ day  | $\sim 2$ days | $\sim 0.5$ days |

TABLE III: Maximum accuracy drop noticed across all neurons and fault types for each layer. In all cases, the most critical fault is a saturated neuron fault.

|         | <b>NMNIST</b> | <b>IBM</b> | <b>SHD</b> |
|---------|---------------|------------|------------|
| Layer 1 | 3.99%         | 69.32%     | 71.42%     |
| Layer 2 | 0.61%         | 2.65%      | 66.43%     |
| Layer 3 | 1.97%         | 77.27%     | 70.23%     |
| Layer 4 | 89.29%        | 77.27%     | 72.08%     |
| Layer 5 | 89.29%        | -          | -          |

layers, the y-axis corresponds to the node (i.e., feature map) index and the x-axis corresponds to the neuron position within the node. For illustration purposes, the node neuron matrix is vectorized, i.e., the neuron positions within a node are flattened into a row. For the fully-connected layers, each row of the plot corresponds to one neuron. In summary, each rectangle in Fig. 5 corresponds to one neuron and the color of the rectangle indicates the classification accuracy drop if the neuron suffers from the fault according to the color map on the right-hand side.

For every SNN, we recorded the most critical fault type at each layer resulting in the maximum accuracy drop. In all cases, the most critical fault type was neuron saturation confirming our choice to use neuron saturation as HT payload. The maximum accuracy drop noticed per layer is summarized in Table III. The impact severity of the fault is shown to be higher in the last layers.

Based on these results, the attacker can choose the Trojan neuron in one of the hidden layers. Looking at Table III, for the MNIST SNN, the Trojan neuron can be selected as the most critical neuron in the fourth layer that has 84 neurons, resulting in an accuracy drop of 89.29% when the HT is activated. For the IBM SNN, we can choose the most critical neuron in the first or third layer, resulting in accuracy drop of 69.32% and 77.27%, respectively. For the SHD SNN, the Trojan neuron can be placed in any hidden layer as they all have the same number of neurons, and the accuracy drop will be at least 66.43%.

#### C. Input-trigger generation and payload

Without loss of generality, we demonstrate the input trigger generation algorithm for the IBM SNN. We selected the most critical neuron of layer 1 to be the Trojan neuron. Layer 1 is convolutional having 16 nodes of dimension  $32 \times 32$  (see Fig. 3). The specific spatial location of the Trojan neuron is (2,4) in the sixth node. The global clock period is  $T_f=1$  ms and the selected trigger pattern at the output of the Trojan neuron is “1010101010” having duration 10 ms, i.e., a length of  $d=10$ . The resultant optimized input trigger has duration  $T=15$  ms and is composed of 15 frames. The optimization algorithm took around 2 minutes to converge. Fig. 6 shows



Fig. 5: Accuracy drop per neuron per layer for saturated and dead neuron faults.

four snapshots of the input trigger at 1, 3, 8, and 10 ms, with blue (red) dots indicating spikes with positive (negative) polarity. It was verified that this spike pattern trigger never occurs when passing the  $1080+261=1341$  available samples



Fig. 6: Snapshots of the input trigger.



Fig. 7: Spiking activity before and after the HT activation for the same dataset sample.

in the dataset that have duration 1.45 s (see Table I).

As an illustration, we select an input sample that gets misclassified after HT activation. Fig. 7 shows the spiking activity per layer when applying this input sample before and after HT activation. The sequence of applied inputs is as follows: first, the input sample is applied; next, a zero input is introduced to reset the membrane potential of all neurons; then, the input trigger is applied, setting the Trojan neuron to permanent saturation; following this, a sleep mode is repeated; finally, the same input sample is reapplied to observe the effect of the HT. Each plot corresponds to one layer and each row to one neuron. Each row is a raster plot displaying with dots the timing of spike events occurrence for this neuron. The normal HT-free spiking activity is shown on the left-hand side of the plots, the spiking activity when applying the short-duration input trigger is shown in the middle, and the spiking activity after HT activation is shown on the right-hand side. Note



Fig. 8: Spike count difference before and after the HT activation for the same dataset sample.

that the spiking activity when applying the input trigger is not important as the goal is only to deliver the spike pattern trigger to the Trojan neuron. In layer 1, green dots indicate the Trojan neuron saturation. For all other layers, red dots indicate extra spikes generated due to HT activation. As it can be seen, the HT activation pollutes the network with several extra spikes altering the spike distribution at the output layer 4. The decision is class 5 (left arm clockwise gesture), but after HT activation the winning neuron is the one that corresponds to class 1 (right hand wave gesture).

As another illustration, Fig. 8 shows for each neuron in each layer the spike count difference across the complete 1.45 s duration of the input sample before and after the HT activation. The Trojan neuron saturation is easily recognizable in layer 1. At layer 4, we observe that after HT activation the neuron corresponding to class 5 (left arm clockwise gesture), which was the winning class during nominal operation, gives no spikes (high negative spike count), while the neuron corresponding to class 1 (right hand wave gesture), gives more than extra 100 spikes (high positive spike count), leading to a misleading decision about which input hand gesture has occurred.

## V. HARDWARE IMPLEMENTATIONS

Herein, we present the hardware implementations of the HT trigger and payload mechanisms. For the payload, we distinguish between analog and digital SNN hardware designs, while the trigger is common for both design paradigms. For the analog design paradigm, we consider an analog spiking neuron at transistor level and we show that the payload mechanism is simply a switch that cuts off one transistor. This approach can be easily adapted for any analog spiking neuron design [57]. For the digital design paradigm, we consider the design in [6] and insert the payload mechanism into a path that is commonly found in all practical hardware platforms for



Fig. 9: HT trigger mechanism.

neuromorphic computing [7], making it a generic approach virtually applicable to all these architectures. We make a full demonstration of the HT operation on FPGA and we measure the area and power footprint of the HT.

### A. HT Trigger mechanism

The trigger mechanism is essentially a spike pattern checker. It takes as input the hard-coded spike pattern trigger and the Trojan neuron's output spike train and, when there is a match between the two, it generates a 1-bit trigger signal that delivers the payload back to the Trojan neuron. Fig. 9 shows a possible design compatible with the Address-Event Representation (AER) protocol [58], which is a widely adopted standard in SNN hardware design. In the AER protocol, spikes are discrete events represented by the address (*neuron\_id, t*) of the emitting neuron. A neuron that emits a spike, rather than sending the actual spike waveform to the target neurons, it sends its address to a router which is then responsible for forwarding the spike to the target neurons. Essentially AER replaces physical connections between neurons with virtual connections, thus enabling a denser integration of neurons, reduced data transmission given the spike sparsity, and reduced power consumption. In Fig. 9, the Trojan neuron is represented by its address *id*. When it emits a spike, a 1 is shifted into the serial register, otherwise a 0 is shifted. At any moment, the register contains the Trojan neuron's running spike output train of length equal to the spike pattern trigger. The AND gates perform the checking and an SR-Latch is used to store the trigger activation so as to permanently deliver the payload to the Trojan neuron.

### B. HT Payload mechanism for analog designs

Fig. 10 shows the transistor-level design of an analog Integrate & Fire (I&F) spiking neuron adapted from [59]. The neuron takes as input incoming spikes in current mode  $I_{syn}$ , integrates them on capacitor  $C_m$ , and when the capacitor voltage  $V_m$  reaches a certain threshold  $V_{ref}$ , the neuron sends a spike request signal  $Rqst$  to the AER block. The AER block



Fig. 10: HT Payload implementation for an analog spiking neuron.



Fig. 11: Neuron saturation after HT triggering.

acknowledges back the request with signal *Ack* which resets the neuron so that it can fire again.

During the charging time of the capacitor, transistors  $M_{p1}$  and  $M_{n4}$  are off, and transistor  $M_{p2}$  is on. As  $V_m$  increases towards  $V_{ref}$ , the output of the comparator  $n_1$  starts changing state and switches on two transistors: (i)  $M_{p1}$ , which slowly introduces a positive feedback current that accelerates the charging of the capacitor; and (ii)  $M_{n3}$  through node  $n_2$ , which offers a brief surge in the comparator bias current. These actions combined speed up the transition time of the comparator output. Once the transition is complete, i.e., node  $n_1$  is low and node  $n_2$  is high, node  $n_3$  goes low and a spike request signal is sent to the AER block by pulling up line  $Rqst$ . When the acknowledgment is received,  $Ack$  pulls up node  $n_4$  which has three main effects on the neuron circuit: (i) it turns transistor  $M_{n2}$  on to keep the comparator bias current high during the back transitioning; (ii) it turns off transistor  $M_{p2}$  which cuts off the positive feedback path to the capacitor; and (iii) it turns transistor  $M_{n4}$  on to reset  $V_m$  to  $V_{reset}$  so that the neuron is able to fire again. Transistor  $M_{p3}$  has been added to produce an analog spike waveform when  $Ack$  is received.

The HT payload mechanism is simply a switch controlling transistor  $M_{p1}$ . When the trigger pattern is detected, the switch short-circuits  $M_{p1}$  making it permanently stuck-on. This artificially induced defect provokes a constant high feedback current to the capacitor, so the capacitor is always charging even without a current from the incoming synapses. This causes the neuron to saturate as shown by the transistor-level simulation of Fig. 11.

### C. HT Payload mechanism for digital designs

**Node design.** Modern SNN hardware accelerator designs adopt the architecture shown in Fig. 12 [7]. Groups of processing elements, i.e., neurons, and data storage, i.e., neuron parameters and synaptic weights, are co-located into cores. This aligns to the near-memory computing principle reducing the overhead of memory access latency and energy consumption. A network-on-chip (NoC) architecture is used to interconnect the many cores and route the spike events based on the AER protocol.



Fig. 12: SNN hardware accelerator architecture [7].



- A : [Sel=PASS] Wait trigger pattern
- B : [Sel=PASS] Send spike requests from non-Trojan neurons
- C : [Sel=PASS] Wait end of spike requests from non-Trojan neurons
- D : [Sel=MSK] Send fake spike request from Trojan neuron
- E : [Sel=MSK] Wait end of fake spike request from Trojan neuron and return to state B in the next time step

Fig. 13: Neuromorphic core architecture embedding the HT payload.

Fig. 13 shows a minimal, generic, block-level schematic of the neuromorphic core, along with the HT payload mechanism shown in red color. In the general case, the core comprises several neurons, for example for implementing a feature map. Incoming spikes from other cores are received by the input scheduler which forwards them to the target neurons in this core based on the spike addresses and network connectivity. At every time step of the internal clock, incoming spikes arriving at this time step are processed sequentially. The neuronal dynamics are implemented into the controller. Specifically, let us consider a source neuron in some other core that sends a spike to a target neuron in this core. When the spike arrives, the controller accesses the memory where the neuron membrane potentials and the synaptic weight are stored. The synaptic weight connecting the source and target neurons is retrieved by the controller which uses it to modulate the incoming spike. Then, the controller calculates the spike's contribution to the target neuron's membrane potential and updates it, checking if it exceeds the threshold. In this case, the neuron emits a spike which is managed by the output scheduler and the controller resets the membrane potential to its resting state so that the neuron can fire again. The output scheduler needs only the address that represents the spike so that it forwards the spike to the right destination neurons according to the network connectivity. It sends a spike request  $Rqst$  to the AER block and then sends back to the controller an acknowledgment



Fig. 14: SNN model for card symbol recognition.

signal *Ack* to process the next spike.

**Payload design.** The HT payload mechanism is placed between the controller and output scheduler, illustrated in red color in Fig. 13. It is a generic implementation compatible with practical SNN hardware platforms [7] and independent of the neuronal dynamics and network connectivity. Specifically, the payload is composed of 3 multiplexers in the paths of the spike address and the *Rqst* and *Ack* signals, with the multiplexers being controlled by the 1-bit *Sel* signal whose two states are defined by a Finite State Machine (FSM).

The operation of the HT payload mechanism is as follows. The FSM includes 5 states, namely *A*, *B*, *C*, *D* and *E*, as shown in Fig. 13. While the Trojan is dormant the FSM is at state *A* with *Sel* = PASS which makes the multiplexers transparent, passing the address and signals *Rqst* and *Ack* as normal. When the spike pattern trigger appears, the FSM enters state *B* where at every time step it is checked if any incoming spike has a non-Trojan neuron destination. These true spikes are being processed normally during state *C*, which waits for their processing to be over and then the FSM enters state *D*. In case of no true incoming spikes, the FSM enters state *D* directly after *B*. During state *D*, the *Sel* signal changes to *MSK* mode, masking the normal operation by sending a fake spike emission request from the Trojan neuron. Finally, during state *E*, the FSM waits until the fake spike emission is completed and returns to state *B* in the next time step. In this way, at every time step the payload mechanism forces the Trojan neuron to emit a fake spike, while the operation of all other neurons in the core is not affected.

#### D. FPGA Implementation

The HT trigger and payload mechanisms shown in Figs. 9 and 13 were designed and integrated into the VHDL code of the SNN hardware accelerator described in [6]. This SNN hardware accelerator follows the design paradigm shown in Fig. 12 [7] and the AER spiking communication protocol. The benchmark is card symbol recognition with input acquired from a DVS sensor [60]. The SNN model, shown in Fig. 14, is convolutional with four output neurons corresponding to the four card symbols (Hearts, Diamonds, Clubs and Spades). The nominal classification accuracy is 85%. The Trojan neuron was selected to be neuron (0,0) of the first node in the first layer. The SNN hardware accelerator designs



Fig. 15: HT impact on output spiking neurons measured on the FPGA.

TABLE IV: FPGA Resource utilization.

|             | Nominal Design | Trojan-infected Design |
|-------------|----------------|------------------------|
| LUT         | 44704          | 44766                  |
| LUTRAM      | 1404           | 1404                   |
| FFs         | 45764          | 45756                  |
| BRAM        | 28             | 28                     |
| IO          | 8              | 8                      |
| BUFG        | 3              | 3                      |
| Total Power | $3.516W$       | $3.517W$               |

with and without the HT were implemented onto a *Zync UltraScale+ MPSoC ZCU104* FPGA board.

The HT, once activated, has a catastrophic effect on the classification accuracy which drops from 85% to 25%. The output neuron corresponding to Hearts always wins the competition, that is, the network always predicts Hearts. The impact on the output spike trains is illustrated in Fig. 15 which shows the per-neuron spike difference between the HT-free and HT-infected designs for 40 input card samples. The Trojan neuron saturation causes output neuron 1 to spike excessively while output neuron 4 spikes far less.

Table IV shows the footprint of the HT in terms of area overhead and power consumption before its activation. As it can be seen, the HT has minimal impact on the FPGA's resources. A 0.138% increase in LUTs is noticed because of the added FSM. The tiny decrease in FFs is explained by the resource utilization optimization during synthesis. The increase of power consumption due to the continuous operation of the trigger pattern checker is as low as 1 mW, i.e., a 0.028% power overhead. The results prove that the HT design is indeed very stealthy having a negligible area and power footprint. Note that this overhead is fixed and independent of the size of the SNN model. Thus, as SNN models grow larger, the relative overhead will decrease even further.

## VI. COUNTERMEASURES

According to our threat model, the defender possesses the SNN model, dataset, and SNN hardware accelerator which may be compromised by the HT. However, the defender lacks knowledge of the input trigger and must rely solely on post-silicon detection countermeasures. We distinguish two categories of countermeasures, namely generic and SNN-specific.

### A. Generic countermeasures

1) *Reverse engineering:* It involves de-packaging, de-layering and imaging the chip to extract the layout and

functionality [61], [62]. Thereafter, the HT can be uncovered with detailed inspection. As SNN hardware accelerators have a modular architecture based on identical nodes, the Trojan neuron may stand out despite the small footprint of the HT mechanism. However, reverse engineering is destructive, time-consuming, and expensive. An adaptive attacker can still bypass this countermeasure using a camouflaging approach by implementing the HT mechanism in all cores to have the same layout, while enabling it exclusively for the core that contains the Trojan neuron.

2) *Testing*: Logic testing has been proposed to expose HTs in digital designs [63], [64]. The aim is to develop a dedicated automatic test pattern generation (ATPG) tool to generate test patterns that sensitize suspicious and seldom-activated paths, knowing that HTs are triggered by rare conditions to avoid detection. However, such a tool requires a gate-level hardware model which is not available to the defender according to our threat model. We can envision instead developing an equivalent ATPG tool in the spiking domain implemented in the software framework used to build and train the SNN model. Using this tool, the defender generates a compact set of spatio-temporal inputs to maximize coverage of Trojan activation. This can be done in the defender's premises as it does not involve training. With our algorithm, generating one input to trigger a given Trojan requires the trained model and takes up a few minutes. In our case, the exhaustive number of inputs to guarantee maximum coverage is  $d * N * 2^d$ , where  $N$  is the number of neurons and  $d$  is the length of the trigger spike pattern, which is unknown to the defender. For example, considering the MNIST SNN that has  $N = 1790$  and a trigger spike pattern of  $d \leq 10$ , the number of inputs is  $\approx 18.33 * 10^6$ , which is huge making exhaustive coverage impossible. The defender can reduce this space by performing fault injection to identify critical neurons and focus the analysis only on those [47], [48]. Given the large search space, the tool should incorporate statistical methods. Developing an efficient tool can be an area of future research. The generated test inputs by the tool are applied to the SNN accelerator chip and, if it functions after the complete test, then the defender can presume that it is HT-free.

3) *Statistical side-channel fingerprinting*: Another widely used method for HT detection is statistical side-channel fingerprinting. The idea is to obtain physical chip measurements such that in this measurement space the footprints of HT-infected and HT-free chips are well distinguished [65]–[71]. The boundary can be allocated using an one-class classifier trained with the HT-free chip instances. For example, for SNNs, parametric measurements can include power supply transient signals, regional supply currents, timing variations of output spike trains, etc. The aim is that these measurements capture the always-on operation of the trigger pattern checker and the loading of the Trojan neuron due to the addition of the payload mechanism. However, this approach requires a golden chip or at least a trusted hardware model, thus it is not applicable under our threat model. Besides, the minimal footprint of the proposed HT makes it challenging

to distinguish from noise and normal variations.

4) *Side-channel analysis*: There exist other non-destructive side-channel analyses that can detect the HT, e.g., optical circuit analysis [72], electromagnetic emanation (EM) measurements [73]–[75], thermal map analysis [76], backscattering [77], and laser probing [78]. For these analyses a golden chip model is preferred but not mandatory. They can be effective given that the trigger pattern checker is always-on while neurons fire sparsely.

## B. SNN specific counter-measures

1) *Neuron monitoring*: The neurons' outputs could be monitored for flagging neuron saturation in real-time. After detection, the application can be suspended to prevent misleading decisions. For example, in the context of fault detection, it is proposed to count the number of spikes for groups of neurons at the feature map level, and use these spike counts as features to the input of a classifier which is trained to detect abnormal spiking activity [79]. However, the necessary hardware provisions to record internal spikes are typically not available in SNN hardware accelerators. Even if this was case, the attacker can easily manipulate the output of the Trojan neuron before it is fed to the spike counter so as to fool the classifier.

2) *Input filters*: The input trigger is an out-of-distribution input with respect to typical inputs met during the application, meaning that it differs from normal spatial and temporal spike patterns. To this end, we can envision adding a filter to the input of the SNN that screens out incoming outlier inputs. Such input filters have been proposed for pre-processing the inputs to reduce background noise and improve the overall accuracy of the SNN task [80], [81], but also to detect adversarial attacks [21]. However, these filters are not yet adapted to SNN hardware accelerators. The main challenge is to reduce the percentage of false positives.

## VII. CONCLUSION

We proposed an input-triggered HT attack in SNNs. The HT trigger and payload mechanisms are condensed around one Trojan neuron. The trigger is a spike pattern at the output of the Trojan neuron delivered by the input trigger message and the payload saturates the Trojan neuron, with the continuous spikes propagating to the SNN output and changing its decision. We proposed a methodology to select the Trojan neuron and an algorithm to generate the input trigger. We also proposed a generic hardware implementation of the HT mechanisms for both analog and digital design paradigms. The attack is shown by simulation on three popular SNN benchmarks and on an FPGA implementation of an SNN hardware accelerator. The FPGA implementation results demonstrated a very stealthy HT of 0.028% power consumption increase having a tiny area footprint of only 0.138% LUTs. In terms of future work, we plan to focus on countermeasures, in particular an ATPG tool in the spiking domain and an on-line input filter which seem the most promising defenses.

## REFERENCES

- [1] K. Roy, A. Jaiswal, and P. Panda, "Towards spike-based machine intelligence with neuromorphic computing," *Nature*, vol. 575, no. 7784, pp. 607–617, Nov. 2019.
- [2] C. D. Schuman, S. R. Kulkarni, M. Parsa, J. P. Mitchell, P. Date, and B. Kay, "Opportunities for neuromorphic computing algorithms and applications," *Nat. Comput. Sci.*, vol. 2, no. 1, pp. 10–19, Jan. 2022.
- [3] S. B. Furber, F. Galluppi, S. Temple, and L. A. Plana, "The SpiNNaker Project," *Proc. IEEE*, vol. 102, no. 5, pp. 652–665, May 2014.
- [4] P. A. Merolla *et al.*, "A million spiking-neuron integrated circuit with a scalable communication network and interface," *Science*, vol. 345, no. 6197, pp. 668–673, Aug. 2014.
- [5] M. Davies *et al.*, "Loihi: A neuromorphic manycore processor with on-chip learning," *IEEE Micro*, vol. 38, no. 1, pp. 82–99, Jan./Feb. 2018.
- [6] L. A. Camuñas-Mesa, Y. L. Domínguez-Cordero, A. Linares-Barranco, T. Serrano-Gotarredona, and B. Linares-Barranco, "A configurable event-driven convolutional node with rate saturation mechanism for modular convnet systems implementation," *Front. Neurosci.*, vol. 12, Feb. 2018, Article 63.
- [7] A. Shrestha, H. Fang, Z. Mei, D. P. Rider, Q. Wu, and Q. Qiu, "A survey on neuromorphic computing: Models and hardware," *IEEE Circuits Syst. Mag.*, vol. 22, no. 2, pp. 6–35, Secondquarter 2022.
- [8] S. Qiu, Q. Liu, S. Zhou, and W. Huang, "Adversarial attack and defense technologies in natural language processing: A survey," *Neurocomputing*, vol. 492, pp. 278–307, Jul. 2022.
- [9] D. Wang, W. Yao, T. Jiang, G. Tang, and X. Chen, "A survey on physical adversarial attack in computer vision," *arXiv:2209.14262*, 2022.
- [10] N. Carlini and D. Wagner, "Towards evaluating the robustness of neural networks," in *Proc. IEEE Symp. Secur. Priv. (SP)*, Aug. 2017, pp. 39–57.
- [11] C. Szegedy, W. Zaremba, I. Sutskever, J. Bruna, D. Erhan, I. Goodfellow, and R. Fergus, "Intriguing properties of neural networks," *arXiv:1312.6199v4*, 2014.
- [12] T. Gu, K. Liu, B. Dolan-Gavitt, and S. Garg, "BadNets: Evaluating backdooring attacks on deep neural networks," *IEEE Access*, vol. 7, pp. 47230–47244, Apr. 2019.
- [13] W. Hua, Z. Zhang, and G. E. Suh, "Reverse engineering convolutional neural networks through side-channel information leaks," in *Proc. 55th ACM/ESDA/IEEE Design Autom. Conf. (DAC)*, Jun. 2018.
- [14] A. S. Rakin, Z. He, and D. Fan, "Bit-flip attack: Crushing neural network with progressive bit search," in *2019 IEEE/CVF Int. Conf. Comput. Vis. (ICCV)*, Oct./Nov. 2019, pp. 1211–1220.
- [15] J. Clements and Y. Lao, "Hardware trojan design on neural networks," in *Proc. IEEE Int. Symp. Circuits Syst. (ISCAS)*, May 2019.
- [16] N. Carlini *et al.*, "Extracting training data from large language models," in *Proc. 30th USENIX Secur. Symp.*, Aug. 2021, pp. 2633–2650.
- [17] A. Bagheri, O. Simeone, and B. Rajendran, "Adversarial training for probabilistic spiking neural networks," in *IEEE Int. Workshop Signal Process. Adv. Wireless Commun. (SPAWC)*, Jun. 2018.
- [18] J. Büchel, G. Lenz, Y. Hu, S. Sheik, and M. Sorbaro, "Adversarial attacks on spiking convolutional neural networks for event-based vision," *Front. Neurosci.*, vol. 16, Dec. 2022.
- [19] S. Sharmin, P. Panda, S. S. Sarwar, C. Lee, W. Ponghiran, and K. Roy, "A comprehensive analysis on adversarial robustness of spiking neural networks," in *Proc. Int. Jt. Conf. Neural Netw. (IJCNN)*, Jul. 2019.
- [20] R. El-Allami, A. Marchisio, M. Shafique, and I. Alouani, "Securing deep spiking neural networks against adversarial attacks through inherent structural parameters," in *Proc. Design Autom. Test Europe Conf. (DATE)*, Feb. 2021, pp. 774–779.
- [21] A. Marchisio, G. Pira, M. Martina, G. Masera, and M. Shafique, "DVS-Attacks: Adversarial attacks on dynamic vision sensors for spiking neural networks," in *Proc. Int. Jt. Conf. Neural Netw. (IJCNN)*, Jul. 2021.
- [22] L. Liang *et al.*, "Exploring adversarial attack in spiking neural networks with spike-compatible gradient," *IEEE Trans. Neural Netw. Learn. Syst.*, vol. 34, no. 5, pp. 2569–2583, May 2023.
- [23] A. Marchisio, G. Nanfa, F. Khalid, M. A. Hanif, M. Martina, and M. Shafique, "Is spiking secure? a comparative study on the security vulnerabilities of spiking and deep neural networks," in *Proc. Int. Jt. Conf. Neural Netw. (IJCNN)*, Jul. 2020.
- [24] O. Nomura, Y. Sakemi, T. Hosomi, and T. Morie, "Robustness of spiking neural networks based on time-to-first-spike encoding against adversarial attacks," *IEEE Trans. Circuits Syst. II: Express Br.*, vol. 69, no. 9, pp. 3640–3644, Sep. 2022.
- [25] G. Abad, O. Ersoy, S. Picek, and A. Urbeta, "Sneaky spikes: Uncovering stealthy backdoor attacks in spiking neural networks with neuromorphic data," in *Proc. Symp. Netw. Distrib. Syst. (NDSS)*, Feb. 2024.
- [26] K. Nagarajan, J. Li, S. S. Ensan, M. N. I. Khan, S. Kannan, and S. Ghosh, "Analysis of power-oriented fault injection attacks on spiking neural networks," in *Proc. Design Autom. Test Europe Conf. (DATE)*, Mar. 2022, pp. 861–866.
- [27] L. C. Garaffa, A. Aljuffri, C. Reinbrecht, S. Hamdioui, M. Taouil, and J. Sepulveda, "Revealing the secrets of spiking neural networks: The case of izhikevich neuron," in *Proc. Euromicro Conf. Digit. Syst. Des. (DSD)*, Sep. 2021, pp. 514–518.
- [28] K. Nagarajan, R. Roy, R. O. Topaloglu, S. Kannan, and S. Ghosh, "SCANN: Side channel analysis of spiking neural networks," *Cryptography*, vol. 7, no. 2, Mar. 2023.
- [29] B. Goswami, T. Das, and M. Suri, "Experimental investigation of side-channel attacks on neuromorphic spiking neural networks," *IEEE Embed. Syst. Lett.*, vol. 16, no. 2, pp. 231–234, Jun. 2024.
- [30] V. Venceslai, A. Marchisio, I. Alouani, M. Martina, and M. Shafique, "Neuroattack: Undermining spiking neural networks security through externally triggered bit-flips," in *Proc. Int. Jt. Conf. Neural Netw. (IJCNN)*, Jul. 2020.
- [31] S. Bhunia and M. M. Tehranipoor (Eds.), *The Hardware Trojan War: Attacks, Myths, and Defenses*, Springer International Publishing, 2018.
- [32] M. Tehranipoor and F. Koushanfar, "A survey of hardware trojan taxonomy and detection," *IEEE Des. Test Comput.*, vol. 27, no. 1, pp. 10–25, Jan./Feb. 2010.
- [33] R. Karri, J. Rajendran, K. Rosenfeld, and M. Tehranipoor, "Trustworthy hardware: Identifying and classifying hardware trojans," *Computer*, vol. 43, no. 10, pp. 39–46, Oct. 2010.
- [34] S. Bhunia, M. S. Hsiao, M. Banga, and S. Narasimhan, "Hardware trojan attacks: Threat analysis and countermeasures," *Proc. IEEE*, vol. 102, no. 8, pp. 1229–1247, Jul. 2014.
- [35] L. Lin, T. Güneysoy, M. Kasper, C. Paar, and W. Burleson, *Trojan Side-Channels: Lightweight Hardware Trojans through Side-Channel Engineering*, Berlin, Germany: Springer, 2009.
- [36] Y. Shiyankovskii, F. Wolff, A. Rajendran, C. Papachristou, D. Weyer, and W. Clay, "Process reliability based trojans through NBTI and HCI effects," in *NASA/ESA Conf. Adapt. Hardw. Syst.*, Jun. 2010, pp. 215–222.
- [37] G. T. Becker, F. Regazzoni, C. Paar, and W. P. Burleson, "Stealthy dopant-level hardware trojans: Extended version," *J. Cryptograph. Eng.*, vol. 4, no. 1, pp. 19–31, Apr. 2014.
- [38] K. Yang, M. Hicks, Q. Dong, T. Austin, and D. Sylvester, "A2: analog malicious hardware," in *Proc. IEEE Symp. Secur. Privacy (SP)*, May 2016, pp. 18–37.
- [39] M. Elshamy *et al.*, "Digital-to-analog hardware Trojan attacks," *IEEE Trans. Circuits Syst. I, Reg. Papers*, vol. 69, no. 2, pp. 573–586, Feb. 2022.
- [40] A. R. Díaz-Rizo, A. Abdellazim, H. Aboushady, and H.-G. Stratigopoulos, "Covert communication channels based on hardware trojans: Open-source dataset and AI-based detection," in *Proc. IEEE Int. Symp. Hardw.-Oriented Secur. Trust (HOST)*, May 2024, pp. 101–106.
- [41] T. Spyrou, S. A. El-Sayed, E. Afacan, L. A. Camuñas-Mesa, B. Linares-Barranco, and H.-G. Stratigopoulos, "Neuron fault tolerance in spiking neural networks," in *Proc. Design Autom. Test Europe Conf. (DATE)*, Feb. 2021, pp. 743–748.
- [42] H.-Y. Tseng, I.-W. Chiu, M.-T. Wu, and J. C.-M. Li, "Machine learning-based test pattern generation for neuromorphic chips," in *Proc. IEEE/ACM Int. Conf. Comput.-Aided Design (ICCAD)*, Nov. 2021.
- [43] R. V. W. Putra, M. A. Hanif, and M. Shafique, "SoftSNN: Low-cost fault tolerance for spiking neural network accelerators under soft errors," in *Proc. 59th Design Autom. Conf. (DAC)*, Jul. 2022, p. 151–156.
- [44] S. A. El-Sayed, T. Spyrou, L. A. Camuñas-Mesa, and H.-G. Stratigopoulos, "Compact functional testing for neuromorphic computing circuits," *IEEE Trans. Comput.-Aided Design Integr. Circuits Syst.*, vol. 42, no. 7, pp. 2391–2403, 2023.
- [45] S. Raptis and H.-G. Stratigopoulos, "Minimum time maximum fault coverage testing of spiking neural networks," in *Proc. Design, Automat. Test Eur. Conf. Exhib. (DATE)*, Mar./Apr. 2025.
- [46] S. A. El-Sayed, T. Spyrou, E. Afacan, L. A. Camuñas-Mesa, B. Linares-Barranco, and H.-G. Stratigopoulos, "Spiking neuron hardware-level

- fault modeling,” in *Proc. IEEE Int. Symp. On-Line Test. Robust Syst. Des. (IOLTS)*, Jul. 2020.
- [47] A. B. Gogebakan, E. Maglano, A. Carpegna, A. Ruospo, A. Savino, and S. Di Carlo, “SpikingJET: Enhancing fault injection for fully and convolutional spiking neural networks,” in *Proc. IEEE Int. Symp. On-Line Test. Robust Syst. Des. (IOLTS)*, Jul. 2024.
- [48] T. Spyrou, S. Hamdioui, and H.-G. Stratigopoulos, “SpikeFI: A fault injection framework for spiking neural networks,” *arXiv*:2412.06795, 2024.
- [49] S. B. Shrestha and G. Orchard, “SLAYER: Spike layer error reassignment in time,” in *Proc. Adv. Neural Inf. Process. Syst. (NeurIPS)*, Dec. 2018, pp. 1412–1421.
- [50] D. P. Kingma and J. Ba, “Adam: A method for stochastic optimization,” *arXiv*:1412.6980, 2017.
- [51] C. J. Maddison, A. Mnih, and Y. W. Teh, “The concrete distribution: A continuous relaxation of discrete random variables,” in *Proc. Int. Conf. Learn. Represent. (ICLR)*, Nov. 2017.
- [52] E. Jang, S. Gu, and B. Poole, “Categorical reparameterization with gumbel-softmax,” in *Proc. Int. Conf. Learn. Represent. (ICLR)*, Feb. 2017.
- [53] Y. Bengio, N. Léonard, and A. Courville, “Estimating or propagating gradients through stochastic neurons for conditional computation,” *arXiv*:1308.3432, 2013.
- [54] G. Orchard, A. Jayawant, G. K. Cohen, and N. Thakor, “Converting static image datasets to spiking neuromorphic datasets using saccades,” *Front. Neurosci.*, vol. 9, Nov. 2015, Article 437.
- [55] A. Amir *et al.*, “A low power, fully event-based gesture recognition system,” in *Proc. IEEE Conf. Comput. Vis. Pattern Recognit. (CVPR)*, Jul. 2017.
- [56] B. Cramer, Y. Stradmann, J. Schemmel, and F. Zenke, “The Heidelberg spiking data sets for the systematic evaluation of spiking neural networks,” *IEEE Trans. Neural Netw. Learn. Syst.*, vol. 33, no. 7, pp. 2744–2757, Jul. 2022.
- [57] G. Indiveri *et al.*, “Neuromorphic silicon neuron circuits,” *Front. Neurosci.*, vol. 5, May 2011, Article 73.
- [58] K. A. Boahen, “Point-to-point connectivity between neuromorphic chips using address events,” *IEEE Trans. Circuits Syst. II: Analog Digit. Signal Process.*, vol. 47, no. 5, pp. 416–434, May 2000.
- [59] R. Serrano-Gotarredona, T. Serrano-Gotarredona, A. Acosta-Jimenez, and B. Linares-Barranco, “A neuromorphic cortical-layer microchip for spike-based event processing vision systems,” *IEEE Trans. Circuits Syst. I Reg. Papers*, vol. 53, no. 12, pp. 2548–2566, Dec. 2006.
- [60] T. Serrano-Gotarredona and B. Linares-Barranco, “Poker-DVS and MNIST-DVS. their history, how they were made, and other details,” *Front. Neurosci.*, vol. 9, Dec. 2015.
- [61] M. Fyriaki *et al.*, “Hardware reverse engineering: Overview and open challenges,” in *Proc. IEEE Int. Verification Security Workshop (IVSW)*, Jul. 2017, pp. 88–94.
- [62] B. Lippmann *et al.*, “Integrated flow for reverse engineering of nanoscale technologies,” in *Proc. 24th Asia and South Pacific Design Automat. Conf.*, Jan. 2019, p. 82–89.
- [63] R. S. Chakraborty, F. Wolff, S. Paul, C. Papachristou, and S. Bhunia, *MERO: A Statistical Approach for Hardware Trojan Detection*, Berlin, Germany: Springer, 2009.
- [64] M. A. Nourian, M. Fazeli, and D. Hely, “Hardware trojan detection using an advised genetic algorithm based logic testing,” *J. Electron. Test.: Theory Appl.*, vol. 34, no. 4, pp. 461–470, Aug. 2018.
- [65] D. Agrawal, S. Baktir, D. Karakoyunlu, P. Rohatgi, and B. Sunar, “Trojan detection using IC fingerprinting,” in *Proc. IEEE Symp. Secur. Privacy (SP)*, May 2007, pp. 296–310.
- [66] R. Rad, J. Plusquellic, and M. Tehranipoor, “Sensitivity analysis to hardware trojans using power supply transient signals,” in *Proc. IEEE Int. Workshop Hardw.-Oriented Secur. Trust (HOST)*, Jun. 2008, pp. 3–7.
- [67] L. Lin, W. Burleson, and C. Paar, “MOLES: Malicious off-chip leakage enabled by side-channels,” in *Proc. IEEE/ACM Int. Conf. Comput.-Aided Design (ICCAD)*, Nov. 2009, pp. 117–122.
- [68] D. Du, S. Narasimhan, R. S. Chakraborty, and S. Bhunia, “Self-referencing: A scalable side-channel approach for hardware trojan detection,” in *Proc. Cryptograph. Hardw. Embedded Syst. (CHES)*, Aug. 2010, pp. 173–187.
- [69] F. Koushanfar and A. Mirhoseini, “A unified framework for multimodal submodular integrated circuits trojan detection,” *IEEE Trans. Inf. Forensics Security*, vol. 6, no. 1, pp. 162–174, Dec. 2011.
- [70] S. Narasimhan *et al.*, “Hardware trojan detection by multiple-parameter side-channel analysis,” *IEEE Trans. Comput.*, vol. 62, no. 11, pp. 2183–2195, Aug. 2013.
- [71] Y. Liu, K. Huang, and Y. Makris, “Hardware trojan detection through golden chip-free statistical side-channel fingerprinting,” in *Proc. Design Autom. Conf. (DAC)*, Jun. 2014.
- [72] F. Stellari, P. Song, A. J. Weger, J. Culp, A. Herbert, and D. Pfeiffer, “Verification of untrusted chips using trusted layout and emission measurements,” in *Proc. IEEE Int. Symp. Hardw.-Oriented Secur. Trust*, May 2014, pp. 19–24.
- [73] O. Söll, T. Korak, M. Muehlberghuber, and M. Hutter, “EM-based detection of hardware trojans on FPGAs,” in *Proc. IEEE Int. Symp. Hardw.-Oriented Secur. Trust*, May 2014, pp. 84–87.
- [74] X. T. Ngo, Z. Najm, S. Bhasin, S. Guillet, and J.-L. Danger, “Method taking into account process dispersion to detect hardware trojan horse by side-channel analysis,” *J. Cryptograph. Eng.*, vol. 6, no. 3, pp. 239–247, Sep. 2016.
- [75] J. He, Y. Zhao, X. Guo, and Y. Jin, “Hardware trojan detection through chip-free electromagnetic side-channel statistical analysis,” *IEEE Trans. Very Large Scale Integr. (VLSI) Syst.*, vol. 25, no. 10, pp. 2939–2948, Oct. 2017.
- [76] Y. Tang, S. Li, L. Fang, X. Hu, and J. Chen, “Golden-chip-free hardware trojan detection through quiescent thermal maps,” *IEEE Trans. Very Large Scale Integr. (VLSI) Syst.*, vol. 27, no. 12, pp. 2872–2883, Dec. 2019.
- [77] L. N. Nguyen, C.-L. Cheng, M. Prvulovic, and A. Zajić, “Creating a backscattering side channel to enable detection of dormant hardware trojans,” *IEEE Trans. Very Large Scale Integr. (VLSI) Syst.*, vol. 27, no. 7, pp. 1561–1574, Jul. 2019.
- [78] A. Stern, D. Mehta, S. Tajik, U. Guin, F. Farahmandi, and M. Tehraniipoor, “SPARTA-COTS: A laser probing approach for sequential trojan detection in COTS integrated circuits,” in *IEEE Phys. Assur. Insp. Electron. (PAINE)*, Dec. 2020.
- [79] T. Spyrou and H.-G. Stratigopoulos, “On-line testing of neuromorphic hardware,” in *Proc. IEEE Eur. Test Symp. (ETS)*, May 2023.
- [80] V. Padala, A. Basu, and G. Orchard, “A noise filtering algorithm for event-based asynchronous change detection image sensors on truenorth and its implementation on truenorth,” *Front. Neurosci.*, vol. 12, Mar. 2018, Article 118.
- [81] A. Linares-Barranco *et al.*, “Low latency event-based filtering and feature extraction for dynamic vision sensors in real-time FPGA applications,” *IEEE Access*, vol. 7, pp. 134926–134942, Sep. 2019.