Logo
ScienceStack
Table of Contents
Fetching ...
Sign In

Gradient Inversion Transcript: Leveraging Robust Generative Priors to Reconstruct Training Data from Gradient Leakage

Xinping Chen, Chen Liu

TL;DR

This work tackles the privacy risk of gradient leakage in distributed and federated learning by proposing Gradient Inversion Transcript (GIT), a generative attack whose architecture adapts to the leaked model and can be trained offline to reconstruct training data from gradients. GIT comes in two variants—Exact-GIT and Coarse-GIT—offering a principled, architecture-aware inversion that can also serve as a priors for iterative gradient matching, accelerating convergence and improving reconstruction quality. Across CIFAR-10, ImageNet, and facial datasets with LeNet, ResNet, and ViT backbones, GIT outperforms existing baselines in direct inference and enhances optimization-based reconstructions when used as priors, while remaining robust under inaccurate gradients, distribution shifts, and parameter discrepancies. The results underscore practical privacy implications for federated learning and provide a flexible, offline-trained framework for gradient-to-input inversion that can adapt to diverse network architectures while maintaining efficiency and robustness.

Abstract

We propose Gradient Inversion Transcript (GIT), a novel generative approach for reconstructing training data from leaked gradients. GIT employs a generative attack model, whose architecture is tailored to align with the structure of the leaked model based on theoretical analysis. Once trained offline, GIT can be deployed efficiently and only relies on the leaked gradients to reconstruct the input data, rendering it applicable under various distributed learning environments. When used as a prior for other iterative optimization-based methods, GIT not only accelerates convergence but also enhances the overall reconstruction quality. GIT consistently outperforms existing methods across multiple datasets and demonstrates strong robustness under challenging conditions, including inaccurate gradients, data distribution shifts and discrepancies in model parameters.

Gradient Inversion Transcript: Leveraging Robust Generative Priors to Reconstruct Training Data from Gradient Leakage

TL;DR

This work tackles the privacy risk of gradient leakage in distributed and federated learning by proposing Gradient Inversion Transcript (GIT), a generative attack whose architecture adapts to the leaked model and can be trained offline to reconstruct training data from gradients. GIT comes in two variants—Exact-GIT and Coarse-GIT—offering a principled, architecture-aware inversion that can also serve as a priors for iterative gradient matching, accelerating convergence and improving reconstruction quality. Across CIFAR-10, ImageNet, and facial datasets with LeNet, ResNet, and ViT backbones, GIT outperforms existing baselines in direct inference and enhances optimization-based reconstructions when used as priors, while remaining robust under inaccurate gradients, distribution shifts, and parameter discrepancies. The results underscore practical privacy implications for federated learning and provide a flexible, offline-trained framework for gradient-to-input inversion that can adapt to diverse network architectures while maintaining efficiency and robustness.

Abstract

We propose Gradient Inversion Transcript (GIT), a novel generative approach for reconstructing training data from leaked gradients. GIT employs a generative attack model, whose architecture is tailored to align with the structure of the leaked model based on theoretical analysis. Once trained offline, GIT can be deployed efficiently and only relies on the leaked gradients to reconstruct the input data, rendering it applicable under various distributed learning environments. When used as a prior for other iterative optimization-based methods, GIT not only accelerates convergence but also enhances the overall reconstruction quality. GIT consistently outperforms existing methods across multiple datasets and demonstrates strong robustness under challenging conditions, including inaccurate gradients, data distribution shifts and discrepancies in model parameters.

Paper Structure

This paper contains 32 sections, 15 equations, 8 figures, 10 tables, 1 algorithm.

Table of Contents

  1. Introduction
  2. Related Work
  3. Input Data Reconstruction by Back-Propagation
  4. A General Framework
  5. Modularized Input Data Reconstruction
  6. GIT: Gradient Inverse Transcript
  7. Experiments
  8. Comparison with Baselines
  9. Direct Inference by Generative Models
  10. Optimization-Based Data Reconstruction Using Generative Models as Priors
  11. Reconstruction Under Challenging Situations
  12. Inaccurate Gradients
  13. Distribution Shift
  14. Discrepancies in Model Parameters
  15. Ablation Studies
  16. ...and 17 more sections

Figures (8)

  • Figure 1: A flowchart of problem settings for GIT. The attacker hacks the channel of one client to inject data and utilizes the obtained input-gradient pair to train generative models. The attacker aims to reconstruct the data from both the hacked client and other clients by shared gradients.
  • Figure 2: An MIMO layer.
  • Figure 3: The red curve represents convergence curve of $l_2$ distance between weights of the generative model and the leaked model. The blue curve represents the convergence curve of MSE between reconstructed input and the ground truth input. The experiment is conducted on CIFAR-10 using Exact-GIT.
  • Figure 4: The figure illustrates the reconstructed images for IG when the leaked model is LeNet and the dataset is CIFAR-10. Varying levels of noise are applied to the gradients. The results depict IG’s reconstructions between the 200th and 300th optimization iterations.
  • Figure 5: The convergence curve of DLG with and without an image prior. The leaked model is ResNet. The vertical axis indicates the distance between the dummy gradients and the corresponding ground-truth gradients.
  • ...and 3 more figures