Logo
ScienceStack
Table of Contents
Fetching ...
Sign In

The Gradient Puppeteer: Adversarial Domination in Gradient Leakage Attacks through Model Poisoning

Kunlan Xiang, Haomiao Yang, Meng Hao, Shaofeng Li, Haoxin Wang, Zikang Ding, Wenbo Jiang, Tianwei Zhang

TL;DR

This paper tackles privacy risks in Federated Learning by reframing Active Gradient Leakage Attacks (AGLAs) through a backdoor-theoretic lens centered on per-sample gradient contributions, encapsulated by the parameter $\lambda$. It identifies fundamental limitations of prior AGLAs—partial batch coverage and detectability—and proposes Enhanced Gradient Global Vulnerability (EGGV), which poisons the global model and uses a gradient projector and discriminator to uniformly amplify leakage across all samples. The authors prove the existence of optimal poisoned parameters and derive stealth guarantees, while extensive experiments show EGGV achieves complete batch reconstruction and outperforms state-of-the-art methods by about 43% in PSNR and 45% in D-SNR. These results highlight a new class of privacy risks in FL and motivate the development of robust defenses against balanced, stealthy gradient-poisoning attacks.

Abstract

In Federated Learning (FL), clients share gradients with a central server while keeping their data local. However, malicious servers could deliberately manipulate the models to reconstruct clients' data from shared gradients, posing significant privacy risks. Although such active gradient leakage attacks (AGLAs) have been widely studied, they suffer from two severe limitations: (i) coverage: no existing AGLAs can reconstruct all samples in a batch from the shared gradients; (ii) stealthiness: no existing AGLAs can evade principled checks of clients. In this paper, we address these limitations with two core contributions. First, we introduce a new theoretical analysis approach, which uniformly models AGLAs as backdoor poisoning. This analysis approach reveals that the core principle of AGLAs is to bias the gradient space to prioritize the reconstruction of a small subset of samples while sacrificing the majority, which theoretically explains the above limitations of existing AGLAs. Second, we propose Enhanced Gradient Global Vulnerability (EGGV), the first AGLA that achieves complete attack coverage while evading client-side detection. In particular, EGGV employs a gradient projector and a jointly optimized discriminator to assess gradient vulnerability, steering the gradient space toward the point most prone to data leakage. Extensive experiments show that EGGV achieves complete attack coverage and surpasses state-of-the-art (SOTA) with at least a 43% increase in reconstruction quality (PSNR) and a 45% improvement in stealthiness (D-SNR).

The Gradient Puppeteer: Adversarial Domination in Gradient Leakage Attacks through Model Poisoning

TL;DR

This paper tackles privacy risks in Federated Learning by reframing Active Gradient Leakage Attacks (AGLAs) through a backdoor-theoretic lens centered on per-sample gradient contributions, encapsulated by the parameter . It identifies fundamental limitations of prior AGLAs—partial batch coverage and detectability—and proposes Enhanced Gradient Global Vulnerability (EGGV), which poisons the global model and uses a gradient projector and discriminator to uniformly amplify leakage across all samples. The authors prove the existence of optimal poisoned parameters and derive stealth guarantees, while extensive experiments show EGGV achieves complete batch reconstruction and outperforms state-of-the-art methods by about 43% in PSNR and 45% in D-SNR. These results highlight a new class of privacy risks in FL and motivate the development of robust defenses against balanced, stealthy gradient-poisoning attacks.

Abstract

In Federated Learning (FL), clients share gradients with a central server while keeping their data local. However, malicious servers could deliberately manipulate the models to reconstruct clients' data from shared gradients, posing significant privacy risks. Although such active gradient leakage attacks (AGLAs) have been widely studied, they suffer from two severe limitations: (i) coverage: no existing AGLAs can reconstruct all samples in a batch from the shared gradients; (ii) stealthiness: no existing AGLAs can evade principled checks of clients. In this paper, we address these limitations with two core contributions. First, we introduce a new theoretical analysis approach, which uniformly models AGLAs as backdoor poisoning. This analysis approach reveals that the core principle of AGLAs is to bias the gradient space to prioritize the reconstruction of a small subset of samples while sacrificing the majority, which theoretically explains the above limitations of existing AGLAs. Second, we propose Enhanced Gradient Global Vulnerability (EGGV), the first AGLA that achieves complete attack coverage while evading client-side detection. In particular, EGGV employs a gradient projector and a jointly optimized discriminator to assess gradient vulnerability, steering the gradient space toward the point most prone to data leakage. Extensive experiments show that EGGV achieves complete attack coverage and surpasses state-of-the-art (SOTA) with at least a 43% increase in reconstruction quality (PSNR) and a 45% improvement in stealthiness (D-SNR).

Paper Structure

This paper contains 20 sections, 3 theorems, 26 equations, 8 figures, 5 tables, 1 algorithm.

Table of Contents

  1. Introduction
  2. Related Work
  3. Passive Gradient Leakage Attack (PGLA)
  4. Active Gradient Leakage Attack (AGLA)
  5. Background
  6. Federated Learning
  7. Threat Model
  8. Motivation
  9. Backdoor-theoretical Analysis
  10. Enhanced Gradient Global Vulnerability
  11. Attack Overview
  12. Problem Formulation
  13. Detailed Solution
  14. Optimal Model for the Gradient Leakage
  15. Theoretical Guarantee of Stealthiness
  16. ...and 5 more sections

Key Result

Theorem 1

Let $F(x)=xW+b$ be the classification model with one FC layer, where $x$ is the input data, $W$ is the weight matrix, and $b$ is the bias vector, and the corresponding model output is $\hat{y}=F(x)$. Suppose $\ell(\hat{y}, y)$ is the loss function between the model output $\hat{y}$ and the ground-tr where ${\partial \ell(\hat{y}_i^k,y_i)}/{\partial\hat{y}_i^k}$ denotes the partial derivative of th

Figures (8)

  • Figure 1: Illustration of the core principles and reconstruction outcomes of Fishing wen2022fishing, SEER Garov2024Hiding, and EGGV (Ours). Each cylinder denotes the gradient space of a batch, with inner circle sizes indicating per-sample information retention. Existing AGLAs amplify a few samples while suppressing others, leading to partial recovery. In contrast, EGGV (Ours) uniformly enhances the feature of all samples in the gradient, enabling full-batch reconstruction.
  • Figure 2: Fundamental principle comparison between EGGV and gradient-biased AGLAs.
  • Figure 3: Overview of the proposed EGGV, consisting of three steps: ① poison the model parameters to make its gradient space vulnerable; ② distribute poisoned model and gather vulnerable gradients; ③ implement existing GLAs on these gradients.
  • Figure 4: Visual reconstruction of IG on the model with EGGV poisoning, Xavier initialization, and He initialization.
  • Figure 5: Bar chart of D-SNR value of gradients generated by models with three naive initialization methods (Random, Xavier, He) and three poisoning methods (Fishing, SEER, EGGV) on 100 same batches. Lower values indicate greater stealthiness. EGGV achieves a highly stealthy, closely approaching D-SNR of standard initialization methods.
  • ...and 3 more figures

Theorems & Definitions (7)

  • Theorem 1
  • proof
  • Theorem 2
  • proof
  • Theorem 3: Gradient Uniformity and Stealthiness
  • proof
  • Remark 1