Reconstructing Training Data from Adapter-based Federated Large Language Models

TL;DR

This paper introduces a novel gradient inversion attack called UTR that can effectively reconstruct training data from adapter-based federated large language models, revealing privacy vulnerabilities despite their lightweight adaptation.

Contribution

The paper presents UTR, a new GIA tailored for adapter-based FedLLMs, demonstrating its effectiveness in reconstructing training data and challenging assumptions about privacy in lightweight models.

Findings

UTR achieves over 99% ROUGE scores in data reconstruction.

Adapter-based FedLLMs are vulnerable to privacy leaks despite low-rank adapters.

Prior GIAs fail under large batch settings, but UTR remains effective.

Abstract

Adapter-based Federated Large Language Models (FedLLMs) are widely adopted to reduce the computational, storage, and communication overhead of full-parameter fine-tuning for web-scale applications while preserving user privacy. By freezing the backbone and training only compact low-rank adapters, these methods appear to limit gradient leakage and thwart existing Gradient Inversion Attacks (GIAs). Contrary to this assumption, we show that low-rank adapters create new, exploitable leakage channels. We propose the Unordered-word-bag-based Text Reconstruction (UTR) attack, a novel GIA tailored to the unique structure of adapter-based FedLLMs. UTR overcomes three core challenges: low-dimensional gradients, frozen backbones, and combinatorially large reconstruction spaces by: (i) inferring token presence from attention patterns in frozen layers, (ii) performing sentence-level inversion within the low-rank subspace of adapter gradients, and (iii) enforcing semantic coherence through constrained greedy decoding guided by language priors. Extensive experiments across diverse models (GPT2-Large, BERT, Qwen2.5-7B) and datasets (CoLA, SST-2, Rotten Tomatoes) demonstrate that UTR achieves near-perfect reconstruction accuracy (ROUGE-1/2 > 99), even with large batch size settings where prior GIAs fail completely. Our results reveal a fundamental tension between parameter efficiency and privacy in FedLLMs, challenging the prevailing belief that lightweight adaptation inherently enhances security. Our code and data are available at https://github.com/shwksnshwowk-wq/GIA.