Exploring the Vulnerabilities of Federated Learning: A Deep Dive into Gradient Inversion Attacks

Pengxin Guo, Runxi Wang, Shuang Zeng, Jinjing Zhu, Haoning Jiang, Yanran Wang, Yuyin Zhou, Feifei Wang, Hui Xiong, Liangqiong Qu

TL;DR

This work comprehensively analyzes gradient inversion attacks in federated learning by classifying GIAs into optimization-based (OP-GIA), generation-based (GEN-GIA), and analytics-based (ANA-GIA) categories, and by introducing theoretical bounds that relate reconstruction error to batch size and image resolution. It provides proofs of key results, including an error bound (Theorem 1) and a gradient-similarity proposition, and validates them through extensive experiments on CIFAR-10/100, ImageNet, and CelebA using multiple backbones and attack variants. The empirical results reveal OP-GIA as the most practical yet limited threat, GEN-GIA as highly dependent on external factors (e.g., pre-trained generators, activation functions), and ANA-GIA as effective but easily detectable, with additional findings on privacy leakage under PEFT. To mitigate these risks, the authors propose a three-stage defense pipeline—avoid Sigmoid activations and adopt more complex architectures, increase local batch steps, and implement client-side validation—along with strategic guidance for attack designers and a public repository for ongoing tracking. Overall, the paper delivers a nuanced taxonomy, supporting theory, and pragmatic defense recommendations to reduce gradient leakage in FL while highlighting areas for future investigation.

Abstract

Federated Learning (FL) has emerged as a promising privacy-preserving collaborative model training paradigm without sharing raw data. However, recent studies have revealed that private information can still be leaked through shared gradient information and attacked by Gradient Inversion Attacks (GIA). While many GIA methods have been proposed, a detailed analysis, evaluation, and summary of these methods are still lacking. Although various survey papers summarize existing privacy attacks in FL, few studies have conducted extensive experiments to unveil the effectiveness of GIA and their associated limiting factors in this context. To fill this gap, we first undertake a systematic review of GIA and categorize existing methods into three types, i.e., optimization-based GIA (OP-GIA), generation-based GIA (GEN-GIA), and analytics-based GIA (ANA-GIA). Then, we comprehensively analyze and evaluate the three types of GIA in FL, providing insights into the factors that influence their performance, practicality, and potential threats. Our findings indicate that OP-GIA is the most practical attack setting despite its unsatisfactory performance, while GEN-GIA has many dependencies and ANA-GIA is easily detectable, making them both impractical. Finally, we offer a three-stage defense pipeline to users when designing FL frameworks and protocols for better privacy protection and share some future research directions from the perspectives of attackers and defenders that we believe should be pursued. We hope that our study can help researchers design more robust FL frameworks to defend against these attacks.

Paper Structure

This paper contains 52 sections, 3 theorems, 18 equations, 43 figures, 4 tables, 1 algorithm.

Key Result

Theorem 1

If $f$ is $\mu$-strongly convex and $L$-smooth, and the step size is chosen as $\eta \leq \sqrt{\frac{2}{\mu+L}}$, then the OP-GIA algorithm (Algorithm 1) obtains $\hat{\bm{x}}$ satisfying the following convergence guarantees: where $C, H, W$ denote the image resolution, $B$ is the batch size, and $\kappa$ is the upper bound of $\|\nabla_{\hat{\bm{x}}} f({\hat{\bm{x}}}) - \frac{1}{T}\sum_{t=1}^T \nabla_{\hat{\bm{x}}}

Figures (43)

  • Figure 1: Taxonomy of existing GIA methods. The existing GIA methods can be divided into three types: optimization-based GIA (OP-GIA), which works by minimizing the distance between received gradients and gradients computed from dummy data; generation-based GIA (GEN-GIA), which utilizes a generator to reconstruct input data; and analytics-based GIA (ANA-GIA), which aims to recover input data in closed form. Moreover, GEN-GIA can be further divided into three categories: optimizing the latent vector $\bm{z}$, optimizing the generator’s parameters $\bm{W}$, and training an inversion generation model. ANA-GIA can be further divided into two categories: manipulating model architecture and manipulating model parameters.
  • Figure 2: Reconstruction results of the linear layer. Neuron $i$ is activated by a single image, resulting in an accurate reconstruction, while neuron $j$, activated by two images, leads to a reconstruction that is a combination of both images.
  • Figure 3: (a) Reconstruction results of IG evaluated on models in different training states on various datasets with different image resolutions and batch sizes. (b) Reconstruction results of IG with different network architectures on the CIFAR-100 dataset. The shaded region represents the standard deviation. These results show that a larger batch size, higher image resolution, more complicated network architecture, and better model training state lead to worse OP-GIA performance.
  • Figure 4: t-SNE visualization of gradients of different CIFAR-100 data points on untrained and trained models. It shows that the gradients are more similar for the trained model than the untrained model.
  • Figure 5: Reconstruction results of IG on the CIFAR-10 dataset with a batch size of 4. From left to right, the number of images sharing the same label is 0, 2, 3, and 4. The first row shows the ground truth, while the second row shows the reconstruction results. These results indicate that more images with the same label in one batch lead to worse OP-GIA performance.
  • ...and 38 more figures

Theorems & Definitions (7)

  • Theorem 1
  • Remark 1
  • Proposition 1
  • Remark 2
  • Proof
  • Proof
  • Proposition 2