GradViT: Gradient Inversion of Vision Transformers
This work addresses privacy risks in federated learning for computer vision, showing that vision transformers are more vulnerable than CNNs, but it is incremental as it builds on existing gradient inversion techniques.
The paper tackles the vulnerability of vision transformers to gradient inversion attacks by introducing GradViT, a method that reconstructs original data batches from model gradients with high fidelity, achieving new state-of-the-art results on ImageNet1K and MS-Celeb-1M datasets.
In this work we demonstrate the vulnerability of vision transformers (ViTs) to gradient-based inversion attacks. During this attack, the original data batch is reconstructed given model weights and the corresponding gradients. We introduce a method, named GradViT, that optimizes random noise into naturally looking images via an iterative process. The optimization objective consists of (i) a loss on matching the gradients, (ii) image prior in the form of distance to batch-normalization statistics of a pretrained CNN model, and (iii) a total variation regularization on patches to guide correct recovery locations. We propose a unique loss scheduling function to overcome local minima during optimization. We evaluate GadViT on ImageNet1K and MS-Celeb-1M datasets, and observe unprecedentedly high fidelity and closeness to the original (hidden) data. During the analysis we find that vision transformers are significantly more vulnerable than previously studied CNNs due to the presence of the attention mechanism. Our method demonstrates new state-of-the-art results for gradient inversion in both qualitative and quantitative metrics. Project page at https://gradvit.github.io/.