ML Security PapersUncovering Privacy Vulnerabilities through Analytical Gradient Inversion Attacks
Tamer Ahmed Eltaras 1, Qutaibah Malluhi 2, Alessandro Savino 1,3, Stefano Di Carlo 1,3, Adnan Qayyum 2,3
Published on arXiv
2509.18871
Model Inversion Attack
OWASP ML Top 10 — ML03
Key Finding
Successful gradient inversion attacks can be executed with fewer than 5% of the gradient constraints previously deemed necessary in convolutional layers
R-CONV extensions (Analytical GIA)
Novel technique introduced
Federated learning has emerged as a prominent privacy-preserving technique for leveraging large-scale distributed datasets by sharing gradients instead of raw data. However, recent studies indicate that private training data can still be exposed through gradient inversion attacks. While earlier analytical methods have demonstrated success in reconstructing input data from fully connected layers, their effectiveness significantly diminishes when applied to convolutional layers, high-dimensional inputs, and scenarios involving multiple training examples. This paper extends our previous work \cite{eltaras2024r} and proposes three advanced algorithms to broaden the applicability of gradient inversion attacks. The first algorithm presents a novel data leakage method that efficiently exploits convolutional layer gradients, demonstrating that even with non-fully invertible activation functions, such as ReLU, training samples can be analytically reconstructed directly from gradients without the need to reconstruct intermediate layer outputs. Building on this foundation, the second algorithm extends this analytical approach to support high-dimensional input data, substantially enhancing its utility across complex real-world datasets. The third algorithm introduces an innovative analytical method for reconstructing mini-batches, addressing a critical gap in current research that predominantly focuses on reconstructing only a single training example. Unlike previous studies that focused mainly on the weight constraints of convolutional layers, our approach emphasizes the pivotal role of gradient constraints, revealing that successful attacks can be executed with fewer than 5\% of the constraints previously deemed necessary in certain layers.
Key Contributions
- Analytical algorithm to reconstruct training samples directly from convolutional layer gradients, including with non-fully invertible activations (ReLU), without needing to reconstruct intermediate layer outputs
- Extension of the analytical approach to high-dimensional input data, broadening applicability to complex real-world datasets
- Analytical mini-batch reconstruction method, addressing the gap where prior work reconstructed only single training examples
🛡️ Threat Analysis
The paper's primary contribution is gradient inversion attacks in federated learning — an adversary reconstructs participants' private training data from shared gradients. This directly maps to ML03's 'gradient leakage / reconstruction attacks in federated learning' definition.