Federated learning is known for its ability to safeguard participants' data privacy. However, recently proposed model inversion attacks (MIAs) have shown that a malicious parameter server can reconstruct individual users' local data samples from their model updates. The state-of-the-art attacks either rely on computation-intensive, search-based optimization to recover each input batch, which makes them difficult to scale, or require the malicious parameter server to prepend extra modules to the global model architecture, which makes the attack conspicuous and easy to detect. To overcome these limitations, we propose Scale-MIA, a novel MIA that efficiently and accurately recovers clients' training samples from the aggregated updates, even when the system is protected by a robust secure aggregation protocol. Unlike existing approaches that treat models as black boxes, Scale-MIA exploits the architecture and inner workings of the target model. It identifies the latent space as the critical layer for breaching privacy and decomposes the recovery task into a two-step process to reduce computational complexity. The first step reconstructs the latent space representations (LSRs) from the aggregated model updates with a closed-form inversion mechanism that leverages specially crafted adversarial linear layers. The second step recovers the whole input batch from the LSRs by feeding them into a fine-tuned generative decoder. We implemented Scale-MIA on several commonly used machine learning models and conducted comprehensive experiments across a range of settings. The results show that Scale-MIA achieves strong recovery performance on different datasets, with higher reconstruction rates, accuracy, and attack efficiency at larger batch sizes than state-of-the-art MIAs.
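The closed-form first step is the part of the abstract a practitioner most wants to see concretely. The following is an added illustration, not code from the Scale-MIA paper or its authors: it implements the well-known cumulative-bin ("bias trick") inversion of a crafted ReLU linear layer, which is the kind of mechanism the abstract refers to. The server chooses every row of the layer to be the same direction `u` with ascending thresholds as biases; the difference between two consecutive rows of the aggregated gradient then isolates the samples whose projection falls in one bin, and dividing by the matching bias-gradient difference yields the latent vector in closed form. Because the gradient is linear in the batch, summing the clients' gradients (all that secure aggregation reveals) is equivalent to one gradient over the union of their batches, so the recovery survives aggregation. The latent vectors, the direction `u`, the thresholds and the per-sample downstream scale `scale(x)` are all constructed here; how the paper picks its thresholds and decoder is not on this page. The example also shows the failure mode: a bin that receives two samples yields a blend rather than either sample.

```python
"""Closed-form inversion of a crafted linear layer from an aggregated gradient.
Added illustration, not the Scale-MIA paper's code; all inputs are constructed."""
from typing import Callable, Dict, List, Tuple

Vec = List[float]
Grad = Tuple[List[Vec], List[float]]


def dot(a: Vec, b: Vec) -> float:
    return sum(x * y for x, y in zip(a, b))


def craft_layer(u: Vec, thresholds: List[float]) -> Tuple[List[Vec], List[float]]:
    """Adversarial layer chosen by the server: every row is the direction u and
    neuron k is active iff u.x > t_k. Ascending thresholds give nested active sets."""
    return [list(u) for _ in thresholds], [-t for t in thresholds]


def client_gradient(W: List[Vec], b: List[float], batch: List[Vec],
                    scale: Callable[[Vec], float]) -> Grad:
    """Gradient of the crafted layer over one client's batch.
    z_k = relu(W_k.x + b_k). For an active neuron the downstream network supplies
    dL/dz_k = scale(x), a per-sample scalar (assumed identical across the crafted
    neurons, as the server controls the layers after them). Hence
    dL/db_k = sum_i s_i*[active], dL/dW_k = sum_i s_i*x_i*[active]."""
    K, d = len(W), len(W[0])
    gW = [[0.0] * d for _ in range(K)]
    gb = [0.0] * K
    for x in batch:
        s = scale(x)
        for k in range(K):
            if dot(W[k], x) + b[k] > 0:
                gb[k] += s
                for j in range(d):
                    gW[k][j] += s * x[j]
    return gW, gb


def secure_aggregate(grads: List[Grad]) -> Grad:
    """All a secure-aggregation protocol reveals to the server: the element-wise sum."""
    K, d = len(grads[0][0]), len(grads[0][0][0])
    sW = [[sum(g[0][k][j] for g in grads) for j in range(d)] for k in range(K)]
    sb = [sum(g[1][k] for g in grads) for k in range(K)]
    return sW, sb


def invert(gW: List[Vec], gb: List[float], eps: float = 1e-12) -> Dict[int, Vec]:
    """Closed-form step. Bin k holds samples with t_k < u.x <= t_{k+1}; subtracting
    the next cumulative row isolates it, and the bias gradient carries the same
    scalar, so x = diff_W / diff_b. Empty bins are skipped. A bin holding two or
    more samples returns their scale-weighted blend: the gradient alone cannot
    reveal the collision, which is why the attacker spreads thresholds so that
    bins are mostly singletons."""
    K, d = len(gW), len(gW[0])
    out: Dict[int, Vec] = {}
    for k in range(K):
        nW = gW[k + 1] if k + 1 < K else [0.0] * d
        nb = gb[k + 1] if k + 1 < K else 0.0
        db = gb[k] - nb
        if abs(db) > eps:
            out[k] = [(gW[k][j] - nW[j]) / db for j in range(d)]
    return out


def demo() -> Dict[int, Vec]:
    """Two clients, constructed 3-dimensional latent vectors, one deliberate collision."""
    u = [0.6, 0.8, 0.0]
    W, b = craft_layer(u, [0.25, 0.75, 1.5, 2.5, 3.2])
    client_a = [[1.0, 0.5, 2.0], [2.0, 1.0, -1.0]]                    # u.x = 1.0, 2.0
    client_b = [[0.5, 0.25, 3.0], [3.0, 2.0, 0.0], [3.5, 1.0, 1.0],   # u.x = 0.5, 3.4, 2.9
                [1.5, 0.5, 0.0]]                                      # u.x = 1.3, collides with 1.0
    scale = lambda x: 1.0 + 0.5 * x[2]   # hypothetical downstream scalar, unknown to the server
    agg = secure_aggregate([client_gradient(W, b, client_a, scale),
                            client_gradient(W, b, client_b, scale)])
    return invert(*agg)


if __name__ == "__main__":
    for k, x in sorted(demo().items()):
        print(f"bin {k}: {x}")
```

Bins 0, 2, 3 and 4 come back exactly as the four isolated latent vectors even though the server only saw the sum over both clients; bin 1 returns a blend of the two colliding samples. In the paper's setting the recovered LSRs are then handed to the fine-tuned decoder, which is the second step the abstract describes and is not modelled here.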