AFGI: Towards Accurate and Fast-convergent Gradient Inversion Attack in Federated Learning

Can Liu, Jin Wang, Yipeng Zhou, Yachao Yuan, Quanzheng Sheng, Kejie Lu

TL;DR

This paper tackles privacy leakage in horizontal federated learning by addressing the slow convergence and low accuracy of gradient inversion attacks when labels are duplicated within a training batch. It introduces AFGI, an attack framework with a Label Recovery Block (LRB) to accurately recover repeated labels and a VME regularization term set (total variation, three-channel mean, and edge regularization) to speed up and stabilize reconstruction, formalized by minimizing $1 - \cos(\nabla W',\nabla W) + \mathbf{R}_{reg}$. The key contributions are (i) LRB, which improves label recovery accuracy over prior GIAs, (ii) the VME regularization terms that accelerate convergence and improve image fidelity, and (iii) extensive experiments on ImageNet showing substantial time savings (up to $85\%$) and high-quality reconstructions for batch sizes up to $K=48$. The results reveal notable privacy vulnerabilities in FL and highlight the need for stronger defenses to protect gradient information in practical deployments.

Abstract

Federated learning (FL) empowers privacy preservation in model training by only exposing users' model gradients. Yet, FL users are susceptible to gradient inversion attacks (GIAs), which can reconstruct ground-truth training data such as images based on model gradients. However, reconstructing high-resolution images by existing GIAs faces two challenges: inferior accuracy and slow convergence, especially when duplicating labels exist in the training batch. To address these challenges, we present an Accurate and Fast-convergent Gradient Inversion attack algorithm, called AFGI, with two components: Label Recovery Block (LRB), which can accurately restore duplicating labels of private images based on exposed gradients; VME Regularization Term, which includes the total variance of reconstructed images, the discrepancy between three-channel means and edges, between values from exposed gradients and reconstructed images, respectively. The AFGI can be regarded as a white-box attack strategy to reconstruct images by leveraging labels recovered by LRB. In particular, AFGI is efficient in that it accurately reconstructs ground-truth images when users' training batch size is up to 48. Our experimental results manifest that AFGI can diminish 85% time costs while achieving superb inversion quality in the ImageNet dataset. At last, our study unveils the shortcomings of FL in privacy preservation, prompting the development of more advanced countermeasure strategies.

Paper Structure (18 sections, 4 equations, 9 figures, 8 tables, 3 algorithms)

This paper contains 18 sections, 4 equations, 9 figures, 8 tables, 3 algorithms.

Figures (9)

  • Figure 1: The workflow of $\textbf{AFGI}$. The initialization of $\hat{x}$ is a gray image and $\hat{y}$ is derived from two sources as $G_1$ ($L_k$) and the output of $\textbf{LRB}$ ($L_{LRB}$). The cosine similarity loss function with three regularization terms is used to compute the loss and gradient values. Finally, the $\hat{x}$ with the minimum loss value is close to the ground-truth image.
  • Figure 2: The layers in the LRB are based on the ResNet-50 model.
  • Figure 3: Comparing the results of $\hat{x}$ under the batch size of 1. Figures (a) and (f) depict ground-truth images $x$. Figures (b), (c), (d), (e), (g), (h), (i), and (j) showcase $\hat{x}$ under different GIA strategies.
  • Figure 4: The results of $\hat{x}$ with a batch size of 1. We reconstruct the 5000-th, 7000-th, and 9000-th images of the ImageNet validation set in $\textbf{AFGI}$.
  • Figure 5: Ablation study of each regularization term at a batch size of 1. Ground-truth images are shown in figures (a) and (f), while the others are reconstructed using different regularization terms.
  • ...and 4 more figures