Privacy in Federated Learning with Spiking Neural Networks
Dogukan Aksu, Jesus Martinez del Rincon, Ihsen Alouani
TL;DR
This work investigates privacy risks of gradient leakage in federated learning when using spiking neural networks. By adapting three gradient-inversion attacks to the spike domain and benchmarking against ANNs across image and event-based data, the authors show that SNNs yield noisy, temporally inconsistent reconstructions with substantially lower semantic recovery. The main findings indicate that temporal encoding and surrogate-gradient training inherently reduce gradient information leakage, suggesting a privacy-preserving-by-design aspect of neuromorphic computation in FL. The results have practical implications for deploying on-device learning on energy-constrained devices, potentially reducing the reliance on costly privacy defenses while maintaining performance. Future work is directed at formal privacy guarantees and exploring how SNNs interact with differential privacy budgets.
Abstract
Spiking neural networks (SNNs) have emerged as prominent candidates for embedded and edge AI. Their inherent low power consumption makes them far more efficient than conventional ANNs in scenarios where energy budgets are tightly constrained. In parallel, federated learning (FL) has become the prevailing training paradigm in such settings, enabling on-device learning while limiting the exposure of raw data. However, gradient inversion attacks represent a critical privacy threat in FL, where sensitive training data can be reconstructed directly from shared gradients. While this vulnerability has been widely investigated in conventional ANNs, its implications for SNNs remain largely unexplored. In this work, we present the first comprehensive empirical study of gradient leakage in SNNs across diverse data domains. SNNs are inherently non-differentiable and are typically trained using surrogate gradients, which we hypothesized would be less correlated with the original input and thus less informative from a privacy perspective. To investigate this, we adapt different gradient leakage attacks to the spike domain. Our experiments reveal a striking contrast with conventional ANNs: whereas ANN gradients reliably expose salient input content, SNN gradients yield noisy, temporally inconsistent reconstructions that fail to recover meaningful spatial or temporal structure. These results indicate that the combination of event-driven dynamics and surrogate-gradient training substantially reduces gradient informativeness. To the best of our knowledge, this work provides the first systematic benchmark of gradient inversion attacks for spiking architectures, highlighting the inherent privacy-preserving potential of neuromorphic computation.