GI-PIP: Do We Require Impractical Auxiliary Dataset for Gradient Inversion Attacks?
This work addresses a critical threat to real-world Federated Learning by making attacks more feasible with less data, though it is incremental in improving existing attack methods.
The paper tackles the problem of gradient inversion attacks in Federated Learning by proposing GI-PIP, a method that reduces the need for impractical auxiliary data, achieving a 16.12 dB PSNR recovery using only 3.8% of ImageNet data compared to over 70% for GAN-based methods.
Deep gradient inversion attacks expose a serious threat to Federated Learning (FL) by accurately recovering private data from shared gradients. However, the state-of-the-art heavily relies on impractical assumptions to access excessive auxiliary data, which violates the basic data partitioning principle of FL. In this paper, a novel method, Gradient Inversion Attack using Practical Image Prior (GI-PIP), is proposed under a revised threat model. GI-PIP exploits anomaly detection models to capture the underlying distribution from fewer data, while GAN-based methods consume significant more data to synthesize images. The extracted distribution is then leveraged to regulate the attack process as Anomaly Score loss. Experimental results show that GI-PIP achieves a 16.12 dB PSNR recovery using only 3.8% data of ImageNet, while GAN-based methods necessitate over 70%. Moreover, GI-PIP exhibits superior capability on distribution generalization compared to GAN-based methods. Our approach significantly alleviates the auxiliary data requirement on both amount and distribution in gradient inversion attacks, hence posing more substantial threat to real-world FL.