Split learning is a privacy-preserving machine learning technique that partitions a deep neural network across two entities: a client holding sensitive data and a server with greater compute resources. The client executes the initial network layers on raw data locally, then transmits only the intermediate activations (smashed data) to the server, which completes the forward pass, calculates the loss, and backpropagates gradients to the cut layer. The raw data never leaves the client device, providing a fundamental privacy guarantee distinct from federated learning.
Glossary
Split Learning

What is Split Learning?
Split learning is a distributed deep learning paradigm where a neural network is partitioned between a client and a server, with the client processing initial layers and only sending intermediate activations, not raw data, to the server.
Unlike federated learning, where each client trains a full model locally, split learning reduces the client's computational burden by offloading the majority of the network to the server. This makes it ideal for resource-constrained environments such as mobile devices or IoT sensors in financial fraud detection. The technique can be combined with differential privacy or homomorphic encryption to further protect the intermediate activations from inversion attacks, ensuring that collaborative model training across banks or payment processors does not expose sensitive transaction details.
Key Features of Split Learning
Split learning partitions a deep neural network between a client and server, enabling collaborative training without exposing raw data. Only intermediate activations—not sensitive inputs—are transmitted.
Network Partitioning
The neural network is divided at a specific cut layer. The client retains the initial layers and processes raw data locally, producing smashed data (intermediate activations). Only these activations, not the original inputs, are sent to the server, which holds the remaining layers. This architecture ensures that sensitive transaction details never leave the client's secure environment.
Gradient Isolation
During backpropagation, gradients flow only through the server's portion of the network up to the cut layer. The server computes the gradient of the loss with respect to the activations and sends this gradient back to the client. The client then completes backpropagation locally. Raw gradients on client data are never exposed to the server, mitigating gradient leakage attacks.
Label Privacy
In the U-shaped split learning configuration, labels can also reside on the client side. The server processes the intermediate activations and returns a representation, but the final classification layer and loss computation occur on the client. This prevents the server from ever accessing ground-truth labels, a critical advantage for fraud detection where labeled cases are highly sensitive.
Sequential Training
Unlike federated learning's parallel client updates, split learning operates sequentially. Each client completes a full forward and backward pass before the next client begins. While this introduces latency, it eliminates the need for synchronous aggregation rounds and reduces communication overhead, making it suitable for scenarios with limited client bandwidth or intermittent connectivity.
Model Confidentiality
Neither party has access to the complete model architecture or parameters. The client never sees the server's layers, and the server never sees the client's layers. This bidirectional model privacy is valuable when financial institutions collaborate on fraud detection but wish to protect proprietary model intellectual property on both sides.
Communication Efficiency
Split learning transmits only intermediate activations and gradients at the cut layer, not entire model weights. The size of these tensors depends on the cut layer dimension and batch size, which can be tuned. For deep networks with wide early layers, the communication cost can be significantly lower than federated learning, which requires transmitting full model updates.
Split Learning vs. Federated Learning
A technical comparison of two distributed machine learning paradigms for privacy-preserving collaborative model training without exposing raw data.
| Feature | Split Learning | Federated Learning | Secure Multi-Party Computation |
|---|---|---|---|
Network Topology | Sequential client-server partitioning | Parallel client-server aggregation | Peer-to-peer cryptographic circuit |
Raw Data Exposure | Only intermediate activations (smashed data) shared | Only model updates (gradients) shared | Encrypted secret shares exchanged |
Client Compute Requirement | Moderate (forward pass on initial layers) | High (full local training loop) | Very High (cryptographic operations) |
Model Architecture Dependency | Requires specific layer partitioning | Model-agnostic | Requires arithmetic circuit representation |
Label Availability | Labels held only by server | Labels held locally by clients | Labels can be distributed or centralized |
Communication Pattern | Sequential per-batch forward/backward | Parallel per-round update exchange | Multi-round interactive protocol |
Gradient Leakage Risk | Moderate (activations can be inverted) | High (gradients leak training data) | Negligible (information-theoretic security) |
Scalability to Many Clients | Limited (sequential bottleneck) | Excellent (parallel aggregation) | Poor (quadratic communication overhead) |
Split Learning in Financial Fraud Detection
Split learning is a distributed deep learning paradigm where a neural network is partitioned between a client and a server. The client processes initial layers on raw transaction data and sends only intermediate activations—not the data itself—to the server, which completes the computation. This architecture is uniquely suited for financial fraud detection, where banks must collaborate on model training without exposing sensitive customer transaction records.
How Network Partitioning Works
In split learning, a deep neural network is divided into two segments at a designated cut layer. The client-side segment processes raw input data—such as transaction logs or account activity—through its initial layers and produces a compressed smashed data representation. This intermediate activation tensor is transmitted to the server, which runs the remaining layers and computes the loss. During backpropagation, gradients flow only from the server's cut layer back to the client, ensuring the server never accesses raw inputs.
- Client-side: Embedding layers, initial convolutions, or feature extractors
- Server-side: Dense classification layers, fraud scoring heads
- Cut layer: The precise network depth where the partition occurs, a critical hyperparameter balancing privacy and communication cost
Privacy Guarantees vs. Federated Learning
Unlike federated learning, where each participant trains a full local model and shares weight updates, split learning ensures the server never receives model parameters or raw data from the client. The client retains full control over its network segment, and the server only sees smashed data—a non-invertible, compressed representation. This provides stronger privacy guarantees against gradient leakage attacks and model inversion attacks.
- Federated learning risk: Raw gradients can be inverted to reconstruct training samples
- Split learning advantage: Activations are further from the input space, making reconstruction significantly harder
- Complementary technique: Can be combined with differential privacy noise injection at the cut layer for formal privacy budgets
Fraud Detection Use Case: Cross-Bank Collaboration
Multiple financial institutions can jointly train a fraud detection model without pooling customer data. Each bank operates the client-side network on its proprietary transaction records, extracting behavioral features locally. The smashed data from all banks is sent to a central server—operated by a consortium or regulator—that trains the server-side classifier on the combined, anonymized representations.
- Money mule detection: Banks share activation patterns of suspected mule accounts without revealing account holder identities
- Synthetic identity fraud: Collaborative pattern recognition across institutions identifies fabricated identities that span multiple banks
- Regulatory compliance: Aligns with GDPR, CCPA, and financial privacy regulations by design
U-Shaped Split Learning Configuration
In the U-shaped configuration, the network is partitioned so that both the initial layers and the final classification layers reside on the client side, while only a middle segment runs on the server. This is particularly valuable for fraud detection because the sensitive label information—which transactions are fraudulent—also remains on the client side.
- Client holds: Input layers and output classification head
- Server processes: Intermediate representation layers only
- Benefit: Neither raw data nor fraud labels are exposed to the server, maximizing label privacy
Communication Efficiency and Latency Trade-offs
Split learning reduces communication overhead compared to federated learning because only smashed data and gradients at the cut layer are exchanged—not full model weights. However, the sequential nature of client-server interaction introduces latency. For real-time fraud scoring, this requires careful engineering of the cut layer depth and network architecture.
- Smashed data size: Typically orders of magnitude smaller than raw input or full model parameters
- Sequential bottleneck: Each training step requires client-server round-trip, unlike the parallel local training in federated learning
- Mitigation: SplitFed hybrid architectures combine split learning's privacy with federated learning's parallel training efficiency
Adversarial Robustness Considerations
While split learning protects raw data, the smashed data representations can still leak information. An honest-but-curious server could train an adversarial reconstructor to approximate client inputs from activations. Defensive techniques include:
- Distance correlation minimization: Training the client network to produce activations that are statistically decorrelated from inputs
- Noise injection: Adding calibrated Laplace or Gaussian noise at the cut layer to achieve formal differential privacy guarantees
- Activation clipping: Bounding the range of transmitted activations to limit information capacity
- Cut layer selection: Deeper cut layers produce more abstract, less invertible representations
Frequently Asked Questions
Concise answers to the most common technical questions about split learning architectures, their privacy guarantees, and their application in collaborative fraud detection.
Split learning is a distributed deep learning paradigm where a neural network is partitioned between a client and a server, with the client processing initial layers and only sending intermediate activations—not raw data—to the server. The architecture works by splitting a model at a specific cut layer. The client-side network processes sensitive input data locally, computes the activations up to the cut layer, and transmits these smashed data representations to the server. The server then completes the forward pass through the remaining layers, computes the loss, and performs backpropagation. Crucially, only the gradients at the cut layer are sent back to the client, which then completes its own backward pass locally. This ensures that raw transaction data, personally identifiable information, or proprietary features never leave the client's secure environment, making it fundamentally different from federated learning where complete model weights are shared.
Enabling Efficiency, Speed & Accuracy
Intelligent Analysis, Decision & Execution
We build AI systems for teams that need search across company data, workflow automation across tools, or AI features inside products and internal software.
Talk to Us
Search across company data
Give teams answers from docs, tickets, runbooks, and product data with sources and permissions.
Useful when people spend too long searching or get different answers from different systems.

Automate internal workflows
Use AI to route work, draft outputs, trigger actions, and keep approvals and logs in place.
Useful when repetitive work moves across multiple tools and teams.

Add AI to products and internal tools
Build assistants, guided actions, or decision support into the software your team or customers already use.
Useful when AI needs to be part of the product, not a separate tool.
Related Terms
Explore the cryptographic and distributed learning techniques that enable collaborative fraud detection without exposing sensitive transaction data.

About the author
Prasad Kumkar
CEO & MD, Inference Systems
Prasad Kumkar is the CEO & MD of Inference Systems and writes about AI systems architecture, LLM infrastructure, model serving, evaluation, and production deployment. Over 5+ years, he has worked across computer vision models, L5 autonomous vehicle systems, and LLM research, with a focus on taking complex AI ideas into real-world engineering systems.
His work and writing cover AI systems, large language models, AI agents, multimodal systems, autonomous systems, inference optimization, RAG, evaluation, and production AI engineering.
Partnered with leading AI, data, and software stack.
How We Work
Custom AI workflows for your Business
One-fit-all AI don't work for modern businesses. At Inferensys, we aim to understand your business & custom requirements; which we use to define most efficient agentic workflows, the data, and the tools for your business.
01
Review the use case
We understand the task, the users, and where AI can actually help.
Read more02
Pick the right approach
We define what needs search, automation, or product integration.
Read more03
Build the first useful version
We implement the part that proves the value first.
Read more04
Improve from there
We add the checks and visibility needed to keep it useful.
Read moreThe first call is a practical review of your use case and the right next step.
Talk to Us