Federated Learning (FL) has emerged as a promising privacy-preserving collaborative model training paradigm without sharing raw data. However, recent studies have revealed that private information can still be leaked through shared gradient information and attacked by Gradient Inversion Attacks (GIA). While many GIA methods have been proposed, a detailed analysis, evaluation, and summary of these methods are still lacking. Although various survey papers summarize existing privacy attacks in FL, few studies have conducted extensive experiments to unveil the effectiveness of GIA and their associated limiting factors in this context. To fill this gap, we first undertake a systematic review of GIA and categorize existing methods into three types, i.e., \textit{optimization-based} GIA (OP-GIA), \textit{generation-based} GIA (GEN-GIA), and \textit{analytics-based} GIA (ANA-GIA). Then, we comprehensively analyze and evaluate the three types of GIA in FL, providing insights into the factors that influence their performance, practicality, and potential threats. Our findings indicate that OP-GIA is the most practical attack setting despite its unsatisfactory performance, while GEN-GIA has many dependencies and ANA-GIA is easily detectable, making them both impractical. Finally, we offer a three-stage defense pipeline to users when designing FL frameworks and protocols for better privacy protection and share some future research directions from the perspectives of attackers and defenders that we believe should be pursued. We hope that our study can help researchers design more robust FL frameworks to defend against these attacks.

翻译：联邦学习（Federated Learning, FL）作为一种无需共享原始数据的隐私保护协作模型训练范式，已展现出巨大潜力。然而，近期研究表明，私有信息仍可能通过共享的梯度信息泄露，并遭受梯度反演攻击（Gradient Inversion Attacks, GIA）。尽管已有多种GIA方法被提出，但目前仍缺乏对这些方法的详细分析、评估与总结。虽然已有各类综述论文总结了FL中现有的隐私攻击，但鲜有研究通过大量实验来揭示GIA在此背景下的有效性及其相关限制因素。为填补这一空白，我们首先对GIA进行了系统性回顾，并将现有方法分为三类，即\textit{基于优化的}GIA（OP-GIA）、\textit{基于生成的}GIA（GEN-GIA）和\textit{基于分析的}GIA（ANA-GIA）。随后，我们全面分析与评估了FL中这三类GIA，深入探讨了影响其性能、实用性和潜在威胁的因素。我们的研究结果表明，尽管性能不尽如人意，OP-GIA仍是最具实用性的攻击设定；而GEN-GIA存在诸多依赖，ANA-GIA则易于被检测，两者均不实用。最后，我们为用户在设计FL框架和协议以提升隐私保护时，提供了一个三阶段防御流程，并从攻击者与防御者的角度分享了一些我们认为值得探索的未来研究方向。我们希望本研究能帮助研究人员设计更鲁棒的FL框架以抵御此类攻击。