In Federated Learning (FL) and many other distributed training frameworks, collaborators can hold their private data locally and only share the network weights trained with the local data after multiple iterations. Gradient inversion is a family of privacy attacks that recovers data from its generated gradients. Seemingly, FL can provide a degree of protection against gradient inversion attacks on weight updates, since the gradient of a single step is concealed by the accumulation of gradients over multiple local iterations. In this work, we propose a principled way to extend gradient inversion attacks to weight updates in FL, thereby better exposing weaknesses in the presumed privacy protection inherent in FL. In particular, we propose a surrogate model method based on the characteristic of two-dimensional gradient flow and the low-rank property of local updates. Our method largely boosts the ability of gradient inversion attacks on weight updates containing many iterations and achieves state-of-the-art (SOTA) performance. Additionally, our method runs up to $100\times$ faster than the SOTA baseline in the common FL scenario. Our work re-evaluates and highlights the privacy risk of sharing network weights. Our code is available at https://github.com/JunyiZhu-AI/surrogate_model_extension.