Summary
This week's theme centers on privacy evaluation in federated learning, where shared gradients, parameters, or predictions can leak sensitive information even when raw data stays on-device. Representative papers broaden the attack surface from gradient inversion to transfer-learning-specific reconstruction, diffusion-based recovery from noise-perturbed gradients, and source inference that attributes a record to a particular client. New progress this week pushes gradient inversion toward more scalable settings via activation recovery and revisits label inference vulnerabilities in vertical federated learning.
Situation
Federated learning enables collaborative training across distributed data holders by sharing only model updates rather than raw data, but multiple lines of work demonstrate that these communicated signals still encode sensitive information. Gradients can support data reconstruction attacks, and even shared parameters or predictions can reveal which participant owns a given training record.
The threat model in most representative work is a curious server that exploits normal training communications, though some settings also consider active model manipulation. Recent attacks move beyond the early gradient-matching limitations on large batches, complex models, and high-resolution images: one paper targets federated transfer learning through intermediate-representation recovery, another uses conditional diffusion models to reconstruct images from noise-perturbed gradients, and a third extends privacy analysis from membership inference to source inference of the client itself. Together, these works frame federated learning privacy evaluation as a problem of understanding what training updates reveal about both data content and data provenance.
Progress
ARES: Scalable and Practical Gradient Inversion Attack in Federated Learning through Activation Recovery
Proposes a gradient inversion attack (ARES) that recovers activations to scale reconstruction to practical FL batch sizes and model architectures. Compared with prior methods limited to small batches or requiring model manipulation, this approach targets scalability through activation recovery without altering the model.
Revisiting Label Inference Attacks in Vertical Federated Learning: Why They Are Vulnerable and How to Defend
Revisits label inference attacks in vertical federated learning, showing that well-trained bottom models do not guarantee effective attacks and proposing a zero-overhead layer-adjustment defense. Shifts attention from input reconstruction and membership/source inference to label leakage in the vertical FL setting, while introducing a lightweight mitigation.
Outlook
Near-term work will likely continue pushing federated-learning privacy attacks toward realistic deployment conditions. This week's activation-recovery inversion result reinforces the trajectory already visible in intermediate-representation matching and diffusion-based methods: more scalable reconstruction on larger models and batches, and better recovery even under gradient perturbation. Concrete next steps suggested by the representative papers include intermediate-representation priors that require less representative data, improved sparsity objectives for classification-head leakage, and multi-round attacks that identify the most informative communication stage.
A second direction is broadening privacy evaluation beyond input reconstruction. This week's vertical-FL label inference paper extends the trend from membership and source inference toward additional leakage targets, while highlighting the need for lightweight defenses. Future work is likely to characterize which architectures and communication layers are intrinsically vulnerable, and to evaluate low-overhead mitigations—such as layer adjustment or regularization—against the known privacy-utility tradeoffs of differential privacy.
References
- Source Inference Attacks: Beyond Membership Inference Attacks in Federated Learning - Authors: Hongsheng Hu, Xuyun Zhang, Zoran Salcic, Lichao Sun, Kim-Kwang Raymond Choo, Gillian Dobbie / License: CC-BY-4.0
- MAUI: Reconstructing Private Client Data in Federated Transfer Learning - Authors: Ahaan Dabholkar, Atul Sharma, Z. Berkay Celik, Saurabh Bagchi / License: CC-BY-4.0
- Enhanced Privacy Leakage from Noise-Perturbed Gradients via Gradient-Guided Conditional Diffusion Models - Authors: Jiayang Meng, Tao Huang, Hong Chen, Chen Hou, Guolong Zheng / License: CC-BY-4.0