Gradient Inversion Attacks invert the transmitted gradients in Federated Learning (FL) systems to reconstruct the sensitive data of local clients and have raised considerable privacy concerns. A majority of gradient inversion methods rely heavily on explicit prior knowledge (e.g., a well pre-trained generative model), which is often unavailable in realistic scenarios. To alleviate this issue, researchers have proposed to leverage the implicit prior knowledge of an over-parameterized network. However, they only utilize a fixed neural architecture for all the attack settings. This would hinder the adaptive use of implicit architectural priors and consequently limit the generalizability. In this paper, we further exploit such implicit prior knowledge by proposing Gradient Inversion via Neural Architecture Search (GI-NAS), which adaptively searches the network and captures the implicit priors behind neural architectures. Extensive experiments verify that our proposed GI-NAS can achieve superior attack performance compared to state-of-the-art gradient inversion methods, even under more practical settings with high-resolution images, large-sized batches, and advanced defense strategies.

翻译：梯度反演攻击通过反演联邦学习系统中传输的梯度来重构本地客户端的敏感数据，已引发严重的隐私担忧。多数梯度反演方法严重依赖显式先验知识（例如预训练良好的生成模型），而这在实际场景中往往难以获取。为缓解此问题，研究者提出利用过参数化网络的隐式先验知识。然而，现有方法仅对所有攻击设置采用固定的神经架构，这会阻碍隐式架构先验的自适应运用，从而限制其泛化能力。本文通过提出基于神经架构搜索的梯度反演方法，进一步挖掘此类隐式先验知识，其能自适应搜索网络并捕获神经架构背后的隐式先验。大量实验证实，即使在高分辨率图像、大批次规模及先进防御策略等更实际的设置下，我们提出的GI-NAS仍能取得优于当前最先进梯度反演方法的攻击性能。