Deep Leakage with Generative Flow Matching Denoiser

Federated Learning (FL) has emerged as a powerful paradigm for decentralized model training, yet it remains vulnerable to deep leakage (DL) attacks that reconstruct private client data from shared model updates. While prior DL methods have demonstrated varying levels of success, they often suffer from instability, limited fidelity, or poor robustness under realistic FL settings. We introduce a new DL attack that integrates a generative Flow Matching (FM) prior into the reconstruction process. By guiding optimization toward the distribution of realistic images (represented by a flow matching foundation model), our method enhances reconstruction fidelity without requiring knowledge of the private data. Extensive experiments on multiple datasets and target models demonstrate that our approach consistently outperforms state-of-the-art attacks across pixel-level, perceptual, and feature-based similarity metrics. Crucially, the method remains effective across different training epochs, larger client batch sizes, and under common defenses such as noise injection, clipping, and sparsification. Our findings call for the development of new defense strategies that explicitly account for adversaries equipped with powerful generative priors.

Key Contributions

• Novel deep leakage attack that integrates a generative Flow Matching foundation model as a prior to guide gradient-based private data reconstruction toward realistic image distributions.
• Demonstrated consistent outperformance over state-of-the-art gradient inversion attacks across pixel-level (MSE/PSNR), perceptual (LPIPS/SSIM), and feature-based (FID) similarity metrics.
• Attack remains effective under realistic FL settings: multiple training epochs, larger client batch sizes, and common defenses (noise injection, gradient clipping, sparsification).

🛡️ Threat Analysis

Details

Similar Papers