attack 2026

Enhancing Gradient Inversion Attacks in Federated Learning via Hierarchical Feature Optimization

Hao Fang 1, Wenbo Yu 1, Bin Chen 2, Xuan Wang 2, Shu-Tao Xia 1, Qing Liao 2, Ke Xu 1

0 citations

Published on arXiv

2604.00955

Model Inversion Attack

OWASP ML Top 10 — ML03

Key Finding

Achieves pixel-level reconstruction of private training data from gradients, outperforming baseline gradient inversion attacks across FL scenarios including out-of-distribution settings

GIFD (Gradient Inversion over Feature Domains)

Novel technique introduced


Federated Learning (FL) has emerged as a compelling paradigm for privacy-preserving distributed machine learning, allowing multiple clients to collaboratively train a global model by transmitting locally computed gradients to a central server without exposing their private data. Nonetheless, recent studies find that the gradients exchanged in the FL system are also vulnerable to privacy leakage, e.g., an attacker can invert shared gradients to reconstruct sensitive data by leveraging pre-trained generative adversarial networks (GAN) as prior knowledge. However, existing attacks simply perform gradient inversion in the latent space of the GAN model, which limits their expression ability and generalizability. To tackle these challenges, we propose Gradient Inversion over Feature Domains (GIFD), which disassembles the GAN model and searches the hierarchical features of the intermediate layers. Instead of optimizing only over the initial latent code, we progressively change the optimized layer, from the initial latent space to intermediate layers closer to the output images. In addition, we design a regularizer to avoid unreal image generation by adding a small $\ell_1$ ball constraint to the searching range. We also extend GIFD to the out-of-distribution (OOD) setting, which weakens the assumption that the training sets of GANs and FL tasks obey the same data distribution. Furthermore, we consider the challenging OOD scenario of label inconsistency and propose a label mapping technique as an effective solution. Extensive experiments demonstrate that our method can achieve pixel-level reconstruction and outperform competitive baselines across a variety of FL scenarios.


Key Contributions

  • Hierarchical feature optimization in GAN intermediate layers instead of just latent space for gradient inversion
  • L1 ball regularizer to constrain feature search and avoid unrealistic reconstructions
  • Label mapping technique to handle out-of-distribution scenarios with label inconsistency between GAN training and FL tasks

🛡️ Threat Analysis

Model Inversion Attack

Core contribution is a gradient inversion attack that reconstructs private training data from shared gradients in federated learning — this is a model inversion/data reconstruction attack where the adversary (server) reverses gradients to recover client data.


Details

Domains
vision, federated-learning
Model Types
federated, gan, cnn
Threat Tags
training_time, white_box
Applications
federated learning privacy attacks, training data reconstruction