Reconstruction attacks and defenses are essential to understanding the data leakage problem in machine learning. However, prior work has centered on empirical observations of gradient inversion attacks, lacks theoretical grounding, and has been unable to disentangle the usefulness of defense methods from the computational limitations of attack methods. In this work, we propose a strong reconstruction attack in the setting of federated learning. The attack reconstructs intermediate features, integrates with most of the previous methods, and outperforms them. Using this stronger attack, we thoroughly investigate, both theoretically and empirically, the effect of the most common defense methods. Our findings suggest that among various defense mechanisms, such as gradient clipping, dropout, additive noise, local aggregation, etc., gradient pruning emerges as the most effective strategy to defend against state-of-the-art attacks.