Practical Feasibility of Gradient Inversion Attacks in Federated Learning

Viktor Valadi, Mattias Åkesson, Johan Östman, Fazeleh Hoseini, Salman Toor, Andreas Hellander

TL;DR

This paper investigates the practical privacy risk of gradient inversion attacks in federated learning for image-based tasks, questioning the prevalence of high-fidelity reconstructions in production-like systems. It adopts a realism-driven methodology, evaluating modern architectures across ImageNet-scale data and object-detection tasks, while analyzing how architectural choices, training dynamics, and attacker assumptions constrain leakage. The key contributions include large-scale cross-architecture evaluation showing that canonical modern vision models largely resist meaningful gradient inversion under realistic training, a principled framework distinguishing feasible leakage from upper-bound demonstrations, and controlled initialization studies that separate gradient information from priors. The findings have practical implications for privacy risk assessment in FL, suggesting that gradient inversion is not a critical threat in production-grade vision systems, though they also highlight the need to explore subtler leakage channels and distributional information beyond full data reconstruction.

Abstract

Gradient inversion attacks are often presented as a serious privacy threat in federated learning, with recent work reporting increasingly strong reconstructions under favorable experimental settings. However, it remains unclear whether such attacks are feasible in modern, performance-optimized systems deployed in practice. In this work, we evaluate the practical feasibility of gradient inversion for image-based federated learning. We conduct a systematic study across multiple datasets and tasks, including image classification and object detection, using canonical vision architectures at contemporary resolutions. Our results show that while gradient inversion remains possible for certain legacy or transitional designs under highly restrictive assumptions, modern, performance-optimized models consistently resist visually meaningful reconstruction. We further demonstrate that many reported successes rely on upper-bound settings, such as inference-mode operation or architectural simplifications, which do not reflect realistic training pipelines. Taken together, our findings indicate that, under an honest-but-curious server assumption, high-fidelity image reconstruction via gradient inversion does not constitute a critical privacy risk in production-optimized federated learning systems, and that practical risk assessments must carefully distinguish diagnostic attack settings from real-world deployments.

Paper Structure

This paper contains 37 sections, 1 equation, 7 figures, 1 table.

Figures (7)

  • Figure 1: Gradient inversion feasibility across modern ImageNet architectures in their canonical setting. Reconstructions for a range of modern vision architectures, trained and evaluated on ImageNet at 224×224 resolution. Despite favorable conditions and extensive optimization, only Swin-T yields partial reconstructions with recognizable structure. The remaining architectures either collapse to unstructured noise or, at best, recover weak global color statistics without semantic content, illustrating that modern, performance-optimized architectures largely resist practical gradient inversion.
  • Figure 2: Validation of gradient inversion under training-mode BatchNorm. Columns compare pre-activation and post-activation ResNet18 architectures, while rows vary whether BatchNorm running statistics are shared with the server and the attack methodology. Notably, post-activation ResNet18 consistently produces reconstructions that contain no meaningful semantic information, highlighting a strong architectural dependence of gradient inversion feasibility.
  • Figure 4: Controlled initialization study on CIFAR-10. Each reconstruction is initialized from the target image with increasing levels of random noise (top row) and optimized using gradient inversion under identical attack settings. While more informative starting points generally lead to improved reconstructions, these improvements are likely attributable to pixel-level smoothing effects induced by the total-variation regularizer rather than to additional information extracted from the gradients. For difficult architectures such as ViT-B/16, MaxViT-T, and ConvNeXt-T, meaningful recovery occurs only when the initialization already contains substantial semantic structure. In some cases, particularly for MaxViT-T and ViT-B/16, optimization can even degrade reconstruction quality relative to the starting point, indicating that guided optimization may refine or smooth existing structure but does not reliably extract new semantic information from the gradients.
  • Figure 5: Gradient inversion on YOLOv8-nano variants on the COCO dataset. Under highly favorable assumptions, the unmodified YOLOv8-nano model remains resistant to inversion (b), and a ResNet-style pre-activation training-mode variant likewise fails (c). Meaningful reconstruction is observed only after substantial simplifications using ResNet BasicBlocks and inference-mode training (d).
  • Figure : (a) Original .
  • ...and 2 more figures