ARES: Scalable and Practical Gradient Inversion Attack in Federated Learning through Activation Recovery

TL;DR

The paper introduces ARES, a scalable gradient inversion attack that reconstructs training data from federated learning models without architectural changes, revealing significant privacy risks.

Contribution

ARES is the first practical attack that recovers training samples from large batches in FL without modifying model architecture, using sparse recovery and activation disentanglement techniques.

Findings

Achieves high-fidelity reconstruction on CNNs and MLPs

Outperforms prior GIAs under large batch sizes

Establishes theoretical recovery guarantees

Abstract

Federated Learning (FL) enables collaborative model training by sharing model updates instead of raw data, aiming to protect user privacy. However, recent studies reveal that these shared updates can inadvertently leak sensitive training data through gradient inversion attacks (GIAs). Among them, active GIAs are particularly powerful, enabling high-fidelity reconstruction of individual samples even under large batch sizes. Nevertheless, existing approaches often require architectural modifications, which limit their practical applicability. In this work, we bridge this gap by introducing the Activation REcovery via Sparse inversion (ARES) attack, an active GIA designed to reconstruct training samples from large training batches without requiring architectural modifications. Specifically, we formulate the recovery problem as a noisy sparse recovery task and solve it using the generalized Least Absolute Shrinkage and Selection Operator (Lasso). To extend the attack to multi-sample recovery, ARES incorporates the imprint method to disentangle activations, enabling scalable per-sample reconstruction. We further establish the expected recovery rate and derive an upper bound on the reconstruction error, providing theoretical guarantees for the ARES attack. Extensive experiments on CNNs and MLPs demonstrate that ARES achieves high-fidelity reconstruction across diverse datasets, significantly outperforming prior GIAs under large batch sizes and realistic FL settings. Our results highlight that intermediate activations pose a serious and underestimated privacy risk in FL, underscoring the urgent need for stronger defenses.