ML Security PapersPrivacy in Federated Learning with Spiking Neural Networks
Dogukan Aksu , Jesus Martinez del Rincon , Ihsen Alouani
Published on arXiv
2511.21181
Model Inversion Attack
OWASP ML Top 10 — ML03
Key Finding
SNN gradients produce semantically degraded, temporally inconsistent reconstructions across all tested datasets and attack methods, demonstrating substantially lower gradient informativeness than ANN counterparts due to surrogate-gradient training and event-driven dynamics.
Spiking neural networks (SNNs) have emerged as prominent candidates for embedded and edge AI. Their inherent low power consumption makes them far more efficient than conventional ANNs in scenarios where energy budgets are tightly constrained. In parallel, federated learning (FL) has become the prevailing training paradigm in such settings, enabling on-device learning while limiting the exposure of raw data. However, gradient inversion attacks represent a critical privacy threat in FL, where sensitive training data can be reconstructed directly from shared gradients. While this vulnerability has been widely investigated in conventional ANNs, its implications for SNNs remain largely unexplored. In this work, we present the first comprehensive empirical study of gradient leakage in SNNs across diverse data domains. SNNs are inherently non-differentiable and are typically trained using surrogate gradients, which we hypothesized would be less correlated with the original input and thus less informative from a privacy perspective. To investigate this, we adapt different gradient leakage attacks to the spike domain. Our experiments reveal a striking contrast with conventional ANNs: whereas ANN gradients reliably expose salient input content, SNN gradients yield noisy, temporally inconsistent reconstructions that fail to recover meaningful spatial or temporal structure. These results indicate that the combination of event-driven dynamics and surrogate-gradient training substantially reduces gradient informativeness. To the best of our knowledge, this work provides the first systematic benchmark of gradient inversion attacks for spiking architectures, highlighting the inherent privacy-preserving potential of neuromorphic computation.
Key Contributions
- First systematic empirical benchmark of gradient inversion attacks (DLG, iDLG, GRNN) adapted to the spiking domain, incorporating surrogate gradient computation and multi-step temporal propagation
- Demonstrates that SNN gradients yield noisy, temporally inconsistent reconstructions that fail to recover meaningful structure, in stark contrast to ANN gradients which reliably expose private training content
- Proposes SNNs as privacy-preserving-by-design architectures for federated edge AI, motivated by the inherent decoupling between surrogate gradients and original inputs
🛡️ Threat Analysis
The paper's entire contribution revolves around gradient leakage attacks — an adversary reconstructing training data from gradients shared during federated learning. It adapts three canonical gradient inversion attacks (DLG, iDLG, GRNN) to the spiking domain and empirically measures reconstruction fidelity, making ML03 the unambiguous primary category.