Gradient inversion (GI) attacks threaten the privacy of clients in federated learning (FL) by aiming to reconstruct the clients' data from communicated model updates. A number of such techniques attempt to accelerate data recovery by first reconstructing the labels of the samples used in local training. However, existing label extraction methods make strong assumptions that typically do not hold in realistic FL settings. In this paper we present a novel label recovery scheme, Recovering Labels from Local Updates (RLU), which provides near-perfect accuracy when attacking untrained (most vulnerable) models. More significantly, RLU achieves high performance even in realistic settings where the clients in an FL system run multiple local epochs, train on heterogeneous data, and deploy various optimizers to minimize different objective functions. Specifically, RLU estimates labels by solving a least-squares problem that emerges from the analysis of the correlation between the labels of the data points used in a training round and the resulting update of the output layer. The experimental results on several datasets, architectures, and data heterogeneity scenarios demonstrate that the proposed method consistently outperforms existing baselines and helps improve the quality of the reconstructed images in GI attacks in terms of both PSNR and LPIPS.