GI-NAS: Boosting Gradient Inversion Attacks Through Adaptive Neural Architecture Search

TL;DR

This paper introduces GI-NAS, a novel method that uses neural architecture search to improve gradient inversion attacks in federated learning, revealing significant privacy vulnerabilities without relying on prior domain knowledge.

Contribution

The paper pioneers the application of neural architecture search to gradient inversion attacks, enhancing attack adaptability and effectiveness in realistic, heterogeneous data scenarios.

Findings

GI-NAS outperforms existing methods in reconstructing private data.

It maintains high attack performance under high-resolution images and defense strategies.

First to apply NAS to gradient inversion, exposing new privacy risks.

Abstract

Gradient Inversion Attacks invert the transmitted gradients in Federated Learning (FL) systems to reconstruct the sensitive data of local clients and have raised considerable privacy concerns. A majority of gradient inversion methods rely heavily on explicit prior knowledge (e.g., a well pre-trained generative model), which is often unavailable in realistic scenarios. This is because real-world client data distributions are often highly heterogeneous, domain-specific, and unavailable to attackers, making it impractical for attackers to obtain perfectly matched pre-trained models, which inevitably suffer from fundamental distribution shifts relative to target private data. To alleviate this issue, researchers have proposed to leverage the implicit prior knowledge of an over-parameterized network. However, they only utilize a fixed neural architecture for all the attack settings. This would hinder the adaptive use of implicit architectural priors and consequently limit the generalizability. In this paper, we further exploit such implicit prior knowledge by proposing Gradient Inversion via Neural Architecture Search (GI-NAS), which adaptively searches the network and captures the implicit priors behind neural architectures. Extensive experiments verify that our proposed GI-NAS can achieve superior attack performance compared to state-of-the-art gradient inversion methods, even under more practical settings with high-resolution images, large-sized batches, and advanced defense strategies. To the best of our knowledge, we are the first to successfully introduce NAS to the gradient inversion community. We believe that this work exposes critical vulnerabilities in real-world federated learning by demonstrating high-fidelity reconstruction of sensitive data without requiring domain-specific priors, forcing urgent reassessment of FL privacy safeguards.