Exploring the Vulnerabilities of Federated Learning: A Deep Dive into Gradient Inversion Attacks

Figure 1. Taxonomy of existing GIA methods. The existing GIA methods can be divided into three types: optimization-based GIA (OP-GIA), which works by minimizing the distance between received gradients and gradients computed from dummy data; generation-based GIA (GEN-GIA), which utilizes a generator to reconstruct input data; and analytics-based GIA (ANA-GIA), which aims to recover input data in closed form. Moreover, GEN-GIA can be further divided into three categories: optimizing the latent vector z, optimizing the generator’s parameters W, and training an inversion generation model. ANA-GIA can be further divided into two categories: manipulating model architecture and manipulating model parameters. We also provide a public repository to continually track developments in this fast-evolving field: Awesome-Gradient-Inversion-Attacks.

Table 1. Comparison of different types of GIA methods in terms of influence factors, reconstruction results, and extra reliance of each type of method. Influence factors include batch size, image resolution, model training state, the number of the same labels in one batch data, network architecture, and practical FedAvg with multiple local training steps. Reconstruction results include whether the reconstruction results are the original inputs and the visual quality of the reconstruction results.

Taxonomy		Influence Factors						Reconstruction Results		Extra Reliance
		Batch Size	Image Resolution	# Same Label	Model Training State	Network Architecture	Practical FedAvg	Original Inputs?	Visual Quality
OP-GIA	-	✓	✓	✓	✓	✓	✓	Yes	Low	No
GEN-GIA	Opti. Lat. Vec.	✕	✕	✕	✕	✕	✕	No	High	Trained Generator
	Opti. Gen. Para.	✓	✓	✓	✓	✓	✓	Yes	Middle	Sigmoid Activation
	Train. Inv. Mod.	✓	✓	✓	✕	✓	✓	Yes	Low	Auxiliary Dataset
ANA-GIA	Manip. Mod. Arch.	✕	✕	✕	✕	✕	✕	Yes	High	Malicious Server
	Manip. Mod. Para.	✕	✓	✕	✓	✓	✕	Yes	Middle	Malicious Server

Key Findings

Figure 2. left. Reconstruction results of IG evaluated on models in different training states on various datasets with different image resolutions and batch sizes. right. Reconstruction results of IG with different network architectures on the CIFAR-100 dataset. The shaded region represents the standard deviation. These results show that a larger batch size, higher image resolution, more complicated network architecture, and better model training state lead to worse OP-GIA performance.

Figure 3. Reconstruction results of GGL. (a)-(c) Reconstruction results on the ImageNet dataset: (a) with different batch sizes and model training states; (b) under practical FedAvg scenario; (c) with random Gaussian noise. The ground truth for (b) and (c) is similar to (a) and is omitted. (d) Reconstruction results on the CIFAR-100 dataset with a batch size of one and an untrained model. These results show that when optimizing the latent vector z, GEN-GIA can generate semantically similar images and is not affected by the factors influencing OP-GIA. However, it heavily relies on the pre-trained generator and only can achieve semantic-level recovery.

Figure 4. left. Reconstruction results of CI-Net evaluated on ResNet-18 with different activation functions on various datasets with different batch sizes. right. Reconstruction results of CI-Net on ImageNet with different resolutions under the Sigmoid activation function. These results show that GEN-GIA with optimizing the generator's parameters W is affected by the factors that influence OP-GIA. Moreover, it only works when the target model adopts the Sigmoid activation function and fails with other activation functions.

Figure 5. left. Reconstruction results of LTI evaluated on different models with different training states on CIFAR-10 with different batch sizes. right. Reconstruction results of LTI on different datasets with different resolutions on LeNet. These results show that when training an inversion generation model, GEN-GIA can achieve pixel-level attacks but is influenced by most of the factors that affect OP-GIA, except for the model's training state.

Table 2. The number of reconstruction images of Robbing the Fed with 1000 bins on different batch sizes. It shows that ANA-GIA, when manipulating model architecture, can achieve great attack performance irrespective of batch size, image resolution, or model training state, provided it adopts a relatively large number of bins.

Batch Size	CIFAR-10	CIFAR-100	ImageNet
1	64/64	64/64	64/64
8	63/64	64/64	64/64
32	60/64	61/64	64/64
64	60/64	60/64	61/64

Figure 6. Reconstruction results of Fishing on ImageNet with different image resolutions and model training states, and network architectures. These results show that the attack performance of ANA-GIA, which manipulates model parameters, is not affected by batch size but worsens with larger image resolutions, worse model training states, and more complicated model architectures.

Figure 7. left. Reconstruction results of Eq. (7) evaluated on the ViT-base fine-tuned with LoRA on different datasets with different batch sizes. right. Reconstruction results of Eq. (7) evaluated on different ViT architectures fine-tuned with LoRA on the CIFAR-100 dataset. These results show that attackers can breach privacy on low-resolution images but fail with high-resolution ones under PEFT. Moreover, smaller models are better at protecting privacy.

Based on our experimental findings, we provide a three-stage defense pipeline for users when designing FL frameworks and protocols for better privacy protection:

Our code is available in this repository: GIA. For newly proposed attack methods, we encourage you to use our repository to compare their performance with other methods. Similarly, for newly proposed defense methods, we encourage you to use our repository to evaluate their defense capabilities.