Gradient inversion attacks recover training samples from the model gradients that clients share in federated learning (FL), and constitute a serious threat to data privacy. To mitigate this vulnerability, prior work has proposed both principled defenses based on differential privacy and heuristic defenses based on gradient compression. These defenses have so far appeared very effective, in particular those based on gradient compression, which let the model maintain high accuracy while greatly reducing the effectiveness of existing attacks. In this work, we argue that such findings underestimate the privacy risk in FL. As a counterexample, we show that existing defenses can be broken by a simple adaptive attack, in which a model trained on auxiliary data learns to invert the defended gradients, on both vision and language tasks.
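The three steps of the argument above (a gradient leaks the input, a compression defense breaks the closed-form attack, an inverter fit on auxiliary data still recovers much of the input) can be reproduced on a toy model. The following is an added illustration and not code from the paper; it assumes a single softmax layer with cross-entropy loss, hypothetical sizes D=16 and C=4, top-k sparsification as the stand-in for gradient compression, and an ordinary least-squares map from compressed gradients to inputs as the stand-in for the learned inverter. Inputs are constructed Gaussian vectors, so "reconstruction quality" here is relative squared error, not image fidelity.

```python
"""Toy gradient-inversion demo (added example, not the paper's code):
a single fully connected softmax layer trained with cross-entropy leaks
its input exactly through one sample's gradient; top-k compression breaks
that closed-form recovery; a linear inverter fit on auxiliary
(gradient, input) pairs still recovers most of the input."""
import numpy as np

D, C = 16, 4          # input dimension and class count (hypothetical toy sizes)
KEEP_FRAC = 0.1       # fraction of gradient entries the compression keeps


def softmax(z):
    z = z - z.max()
    e = np.exp(z)
    return e / e.sum()


def sample_gradient(W, x, y):
    """Per-example cross-entropy gradient for logits = W @ x + b:
    dL/dW = (p - onehot(y)) x^T and dL/db = p - onehot(y)."""
    r = softmax(W @ x)
    r[y] -= 1.0
    return np.outer(r, x), r


def analytic_invert(grad_w, grad_b):
    """Closed-form recovery from an uncompressed gradient: the only negative
    bias-gradient entry marks the label, and that row of dL/dW is the input
    scaled by the same entry. Returns zeros if the label signal is gone."""
    neg = np.flatnonzero(grad_b < 0)
    if neg.size == 0:
        return np.zeros(grad_w.shape[1])
    y = neg[0]
    return grad_w[y] / grad_b[y]


def topk_compress(grad_w, grad_b, keep_frac=KEEP_FRAC):
    """Heuristic defense: keep only the k largest-magnitude gradient entries."""
    flat = np.concatenate([grad_w.ravel(), grad_b])
    k = max(1, int(np.ceil(keep_frac * flat.size)))
    keep = np.argpartition(np.abs(flat), -k)[-k:]
    out = np.zeros_like(flat)
    out[keep] = flat[keep]
    return out[:grad_w.size].reshape(grad_w.shape), out[grad_w.size:]


def features(grad_w, grad_b):
    # Flattened (compressed) gradient plus an intercept column.
    return np.concatenate([grad_w.ravel(), grad_b, [1.0]])


def train_inverter(W, rng, n_aux=3000):
    """Adaptive attack: fit a least-squares map from compressed gradients to
    inputs on auxiliary data drawn from the same (constructed) distribution."""
    A, X = [], []
    for _ in range(n_aux):
        x, y = rng.standard_normal(D), rng.integers(C)
        gw, gb = topk_compress(*sample_gradient(W, x, y))
        A.append(features(gw, gb))
        X.append(x)
    B, *_ = np.linalg.lstsq(np.array(A), np.array(X), rcond=None)
    return B


def rel_err(x_hat, x):
    return float(np.sum((x_hat - x) ** 2) / np.sum(x ** 2))


def evaluate(seed=0, n_test=300):
    """Mean relative reconstruction error of each attacker on fresh samples."""
    rng = np.random.default_rng(seed)
    W = 0.1 * rng.standard_normal((C, D))   # randomly initialised victim model
    B = train_inverter(W, rng)
    errs = {"exact": [], "naive_compressed": [], "learned_compressed": []}
    for _ in range(n_test):
        x, y = rng.standard_normal(D), rng.integers(C)
        gw, gb = sample_gradient(W, x, y)
        errs["exact"].append(rel_err(analytic_invert(gw, gb), x))
        cw, cb = topk_compress(gw, gb)
        errs["naive_compressed"].append(rel_err(analytic_invert(cw, cb), x))
        errs["learned_compressed"].append(rel_err(features(cw, cb) @ B, x))
    return {k: float(np.mean(v)) for k, v in errs.items()}


if __name__ == "__main__":
    for name, e in evaluate().items():
        print(f"{name:>20s}: mean relative reconstruction error {e:.3f}")
```

Run it and compare the three rows: the uncompressed gradient gives the input back to floating-point precision, the closed-form attack degrades sharply once 90% of the entries are zeroed (and fails outright whenever the label-carrying bias entry is dropped), while the inverter trained on auxiliary gradients keeps recovering the large coordinates the compression leaves behind. The gap between the last two rows is the toy version of the paper's point: a defense evaluated only against the fixed attack looks stronger than it is against an attacker who adapts to it.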