Spikewhisper: Temporal Spike Backdoor Attacks on Federated Neuromorphic Learning over Low-power Devices

TL;DR

The paper identifies a novel temporal backdoor threat in Federated Neuromorphic Learning (FedNL) and proposes Spikewhisper, a Time Division Multiplexing-based attack that distributes local triggers across multiple neuromorphic timeslices; the global trigger is formed as $T_{\mathrm{global}}=\sum_{i=1}^{K} T_{\mathrm{local},i}$, and the attack’s efficacy scales with trigger duration and temporal utilization $U$. Extensive experiments on N-MNIST and CIFAR10-DVS show Spikewhisper achieves attack success rates above $99\%$ with minimal impact on main task accuracy, outperforming temporally centralized attacks, and remain effective under Non-IID data distributions. The study highlights significant security risks in FedNL for edge intelligence and motivates development of defenses tailored to spiking neural networks and temporal backdoor strategies. Overall, the work advances understanding of how temporal structure in neuromorphic data can be exploited and lays a foundation for future defense research in federated neuromorphic security.

Abstract

Federated neuromorphic learning (FedNL) leverages event-driven spiking neural networks and federated learning frameworks to effectively execute intelligent analysis tasks over amounts of distributed low-power devices but also perform vulnerability to poisoning attacks. The threat of backdoor attacks on traditional deep neural networks typically comes from time-invariant data. However, in FedNL, unknown threats may be hidden in time-varying spike signals. In this paper, we start to explore a novel vulnerability of FedNL-based systems with the concept of time division multiplexing, termed Spikewhisper, which allows attackers to evade detection as much as possible, as multiple malicious clients can imperceptibly poison with different triggers at different timeslices. In particular, the stealthiness of Spikewhisper is derived from the time-domain divisibility of global triggers, in which each malicious client pastes only one local trigger to a certain timeslice in the neuromorphic sample, and also the polarity and motion of each local trigger can be configured by attackers. Extensive experiments based on two different neuromorphic datasets demonstrate that the attack success rate of Spikewispher is higher than the temporally centralized attacks. Besides, it is validated that the effect of Spikewispher is sensitive to the trigger duration.

Figures (8)

• Figure 1: Overview of Temporal Spike Backdoor Attacks on FedNL. In the training phase, the Central Server aggregates parameters from local benign and malicious participants in the previous round $t$, updating the global SNN model parameters $\omega_{t+1}$. The attackers use only a subset of the global trigger's temporal sequence as the local trigger for implementing the backdoor attack. In the inference phase, all clients with the global SNN model will misclassify input with the global trigger into the target class.
• Figure 2: The Leaky-Integrate-and-Fire Behavior of Spiking Neuron $i$.
• Figure 3: Static trigger and moving trigger used in Spikewhisper.
• Figure 4: Neuromorphic Data Samples (one frame of each sample).
• Figure 5: Spikewhisper and Temporally Centralized Attacks (TCA) on the N-MNIST dataset