Dealing Doubt: Unveiling Threat Models in Gradient Inversion Attacks under Federated Learning, A Survey and Taxonomy
Yichuan Shi, Olivera Kotevska, Viktor Reshniak, Abhishek Singh, Ramesh Raskar

TL;DR
This paper surveys gradient inversion attacks in federated learning, emphasizing threat models involving malicious entities, and introduces a taxonomy to categorize and analyze these attacks and defenses.
Contribution
It provides a comprehensive taxonomy of gradient inversion attacks in federated learning, focusing on malicious threat models and highlighting gaps in existing defenses.
Findings
Malicious server and client attacks can bypass current defenses.
Existing attack strategies are effective against honest-but-curious models.
Open problems include developing robust defenses against malicious attacks.
Abstract
Federated Learning (FL) has emerged as a leading paradigm for decentralized, privacy-preserving machine learning training. However, recent research on gradient inversion attacks (GIAs) has shown that gradient updates in FL can leak information about private training samples. While existing surveys on GIAs have focused on the honest-but-curious server threat model, there is a dearth of research categorizing attacks under the realistic and far more privacy-infringing cases of malicious servers and clients. In this paper, we present a survey and novel taxonomy of GIAs that emphasizes FL threat models, particularly those of malicious servers and clients. We first formally define GIAs and contrast conventional attacks with the malicious attacker. We then summarize existing honest-but-curious attack strategies, corresponding defenses, and evaluation metrics. Critically, we dive into attacks with…
Taxonomy
Topics: Adversarial Robustness in Machine Learning · Privacy-Preserving Technologies in Data · Cryptography and Data Security
