Hear No Evil: Detecting Gradient Leakage by Malicious Servers in Federated Learning
Fei Wang, Baochun Li

TL;DR
This paper analyzes malicious gradient leakage attacks in federated learning, revealing their limitations in effectiveness and stealth, and proposes a simple detection method to enhance privacy protection.
Contribution
It provides the first comprehensive analysis of malicious gradient leakage attacks and introduces a lightweight client-side detection mechanism for federated learning.
Findings
Attacks are limited in effectiveness and detectability in realistic settings.
Malicious attacks cannot be both highly effective and stealthy simultaneously.
A simple detection method can effectively flag suspicious updates.
Abstract
Recent work has shown that gradient updates in federated learning (FL) can unintentionally reveal sensitive information about a client's local data. This risk becomes significantly greater when a malicious server manipulates the global model to provoke information-rich updates from clients. In this paper, we adopt a defender's perspective to provide the first comprehensive analysis of malicious gradient leakage attacks and the model manipulation techniques that enable them. Our investigation reveals a core trade-off: these attacks cannot be both highly effective in reconstructing private data and sufficiently stealthy to evade detection -- especially in realistic FL settings that incorporate common normalization techniques and federated averaging. Building on this insight, we argue that malicious gradient leakage attacks, while theoretically concerning, are inherently limited in…
Taxonomy
Topics: Privacy-Preserving Technologies in Data · Cryptography and Data Security · Internet Traffic Analysis and Secure E-voting
Methods: ADaptive gradient method with the OPTimal convergence rate
