Dealing Doubt: Unveiling Threat Models in Gradient Inversion Attacks under Federated Learning, A Survey and Taxonomy
Yichuan Shi, Olivera Kotevska, Viktor Reshniak, Abhishek Singh, Ramesh Raskar
TL;DR
This survey addresses gradient inversion attacks in federated learning under realistic malicious threat models, extending beyond honest-but-curious servers to malicious servers and clients. It formalizes GIAs, contrasts attack scenarios, and introduces a threat-model-based taxonomy that groups attacks by reconstruction method (analytical decomposition, gradient sparsification, gradient isolation) and by participant type. The paper also analyzes defenses (cryptographic, obfuscation, sanitization) and evaluation metrics (pixel-, perceptual-, and domain-specific measures), highlighting how malicious participants can bypass secure aggregation and DP, thereby motivating stronger, more realistic defenses. The work provides guidance on evaluating privacy leakage in practical FL deployments, and outlines future directions toward improved evaluation, attack realism, and defense robustness, including decentralized FL as a potential resilience strategy.
Abstract
Federated Learning (FL) has emerged as a leading paradigm for decentralized, privacy preserving machine learning training. However, recent research on gradient inversion attacks (GIAs) have shown that gradient updates in FL can leak information on private training samples. While existing surveys on GIAs have focused on the honest-but-curious server threat model, there is a dearth of research categorizing attacks under the realistic and far more privacy-infringing cases of malicious servers and clients. In this paper, we present a survey and novel taxonomy of GIAs that emphasize FL threat models, particularly that of malicious servers and clients. We first formally define GIAs and contrast conventional attacks with the malicious attacker. We then summarize existing honest-but-curious attack strategies, corresponding defenses, and evaluation metrics. Critically, we dive into attacks with malicious servers and clients to highlight how they break existing FL defenses, focusing specifically on reconstruction methods, target model architectures, target data, and evaluation metrics. Lastly, we discuss open problems and future research directions.