Federated Learning (FL) has emerged as a compelling paradigm for privacy-preserving distributed machine learning, allowing multiple clients to collaboratively train a global model by transmitting locally computed gradients to a central server without exposing their private data. Nonetheless, recent studies find that the gradients exchanged in the FL system are also vulnerable to privacy leakage, e.g., an attacker can invert shared gradients to reconstruct sensitive data by leveraging pre-trained generative adversarial networks (GANs) as prior knowledge. However, existing attacks simply perform gradient inversion in the latent space of the GAN model, which limits their expressive power and generalizability. To tackle these challenges, we propose Gradient Inversion over Feature Domains (GIFD), which disassembles the GAN model and searches the hierarchical features of the intermediate layers. Instead of optimizing only over the initial latent code, we progressively change the optimized layer, from the initial latent space to intermediate layers closer to the output images. In addition, we design a regularizer to avoid unrealistic image generation by adding a small $l_1$ ball constraint to the search range. We also extend GIFD to the out-of-distribution (OOD) setting, which weakens the assumption that the training sets of GANs and FL tasks obey the same data distribution. Furthermore, we consider the challenging OOD scenario of label inconsistency and propose a label mapping technique as an effective solution. Extensive experiments demonstrate that our method can achieve pixel-level reconstruction and outperform competitive baselines across a variety of FL scenarios.