AFGI: Towards Accurate and Fast-convergent Gradient Inversion Attack in Federated Learning

TL;DR

This paper introduces AFGI, a novel gradient inversion attack that accurately and efficiently reconstructs high-resolution images in federated learning, highlighting privacy vulnerabilities and improving upon existing methods.

Contribution

The paper proposes AFGI, a new attack algorithm with label recovery and regularization components, achieving faster and more accurate image reconstruction in federated learning.

Findings

AFGI reduces inversion time by 85% on ImageNet.

It accurately reconstructs images with batch sizes up to 48.

The study exposes privacy risks in federated learning.

Abstract

Federated learning (FL) empowers privacypreservation in model training by only exposing users' model gradients. Yet, FL users are susceptible to gradient inversion attacks (GIAs) which can reconstruct ground-truth training data such as images based on model gradients. However, reconstructing high-resolution images by existing GIAs faces two challenges: inferior accuracy and slow-convergence, especially when duplicating labels exist in the training batch. To address these challenges, we present an Accurate and Fast-convergent Gradient Inversion attack algorithm, called AFGI, with two components: Label Recovery Block (LRB) which can accurately restore duplicating labels of private images based on exposed gradients; VME Regularization Term, which includes the total variance of reconstructed images, the discrepancy between three-channel means and edges, between values from exposed gradients and reconstructed images, respectively. The AFGI can be regarded as a white-box attack strategy to reconstruct images by leveraging labels recovered by LRB. In particular, AFGI is efficient that accurately reconstruct ground-truth images when users' training batch size is up to 48. Our experimental results manifest that AFGI can diminish 85% time costs while achieving superb inversion quality in the ImageNet dataset. At last, our study unveils the shortcomings of FL in privacy-preservation, prompting the development of more advanced countermeasure strategies.