ML Security PapersPractical Feasibility of Gradient Inversion Attacks in Federated Learning
Viktor Valadi 1, Mattias Åkesson 1, Johan Östman 1,2, Fazeleh Hoseini 3,1, Salman Toor 4,1, Andreas Hellander 4,1
Published on arXiv
2508.19819
Model Inversion Attack
OWASP ML Top 10 — ML03
Key Finding
Under realistic production FL settings, gradient inversion does not achieve meaningful image reconstruction from modern architectures, challenging the narrative that it poses a critical privacy threat.
Gradient inversion attacks are often presented as a serious privacy threat in federated learning, with recent work reporting increasingly strong reconstructions under favorable experimental settings. However, it remains unclear whether such attacks are feasible in modern, performance-optimized systems deployed in practice. In this work, we evaluate the practical feasibility of gradient inversion for image-based federated learning. We conduct a systematic study across multiple datasets and tasks, including image classification and object detection, using canonical vision architectures at contemporary resolutions. Our results show that while gradient inversion remains possible for certain legacy or transitional designs under highly restrictive assumptions, modern, performance-optimized models consistently resist meaningful reconstruction visually. We further demonstrate that many reported successes rely on upper-bound settings, such as inference mode operation or architectural simplifications which do not reflect realistic training pipelines. Taken together, our findings indicate that, under an honest-but-curious server assumption, high-fidelity image reconstruction via gradient inversion does not constitute a critical privacy risk in production-optimized federated learning systems, and that practical risk assessments must carefully distinguish diagnostic attack settings from real-world deployments.
Key Contributions
- Systematic empirical evaluation of gradient inversion attacks across canonical vision architectures (image classification and object detection) at contemporary resolutions under realistic FL training conditions
- Demonstrates that many reported gradient inversion successes rely on upper-bound assumptions (inference mode, architectural simplifications) not present in production systems
- Establishes that modern, performance-optimized FL models consistently resist high-fidelity image reconstruction, reframing gradient inversion as a lower practical risk than prior literature suggests
🛡️ Threat Analysis
Gradient inversion attacks are directly a model inversion / training data reconstruction threat: an honest-but-curious server adversary reconstructs client training images from shared gradients. The paper evaluates this specific attack class across architectures and tasks in federated learning.