ARES: Scalable and Practical Gradient Inversion Attack in Federated Learning through Activation Recovery

Zirui Gong, Leo Yu Zhang, Yanjun Zhang, Viet Vo, Tianqing Zhu, Shirui Pan, Cong Wang

Abstract

Federated Learning (FL) enables collaborative model training by sharing model updates instead of raw data, aiming to protect user privacy. However, recent studies reveal that these shared updates can inadvertently leak sensitive training data through gradient inversion attacks (GIAs). Among them, active GIAs are particularly powerful, enabling high-fidelity reconstruction of individual samples even under large batch sizes. Nevertheless, existing approaches often require architectural modifications, which limit their practical applicability. In this work, we bridge this gap by introducing the Activation REcovery via Sparse inversion (ARES) attack, an active GIA designed to reconstruct training samples from large training batches without requiring architectural modifications. Specifically, we formulate the recovery problem as a noisy sparse recovery task and solve it using the generalized Least Absolute Shrinkage and Selection Operator (Lasso). To extend the attack to multi-sample recovery, ARES incorporates the imprint method to disentangle activations, enabling scalable per-sample reconstruction. We further establish the expected recovery rate and derive an upper bound on the reconstruction error, providing theoretical guarantees for the ARES attack. Extensive experiments on CNNs and MLPs demonstrate that ARES achieves high-fidelity reconstruction across diverse datasets, significantly outperforming prior GIAs under large batch sizes and realistic FL settings. Our results highlight that intermediate activations pose a serious and underestimated privacy risk in FL, underscoring the urgent need for stronger defenses.

Paper Structure (27 sections, 1 theorem, 28 equations, 24 figures, 4 tables, 2 algorithms)


Key Result

Theorem 1

Let $\alpha$ be an $s$-sparse vector, and let $A$ be a measurement matrix satisfying the RIP of order $2s$. Then, the solution $\tilde{\alpha}$ to Eq. eq: l1 recovers $\alpha$ with the error bounded by where $s$ is the sparsity of $\alpha$, $d$ is the ambient dimension of $\alpha$, $s \log(d/s)$ quantifies the effective dimension of the sparse signal, and $m$ is the number of effective measuremen

Figures (24)

  • Figure 1: Recovery results obtained using activation matching (optimizing activation discrepancy) and pseudoinverse (approximating inverse).
  • Figure 2: Overview of ARES attack. The method consists of two main stages: (a) the attacker initializes network with malicious parameters to facilitate information leakage; (b) using gradients returned by the client, the attacker first recovers activations through linear layer leakage and then reconstructs input samples via noisy sparse recovery.
  • Figure 3: Top: forward pass through the network. Bottom: sparse vector recovery via $\ell_1$ optimization. The bias term is omitted for clarity.
  • Figure 4: Upper bound of the squared recovery error with varying numbers of convolutional layers.
  • Figure 5: Bias values are set to divide the projected inputs into $k$ equal-probability bins.
  • ...and 19 more figures

Theorems & Definitions (4)

  • Definition 1: Linear Component and Nonlinearity of a Function [plan2016generalized]
  • Definition 2: Restricted Isometry Property [candes2008restricted]
  • Theorem 1: Recovery Error [plan2016generalized]
  • proof