1
Gradient Leakage Attacks in Federated Learning:
Research Frontiers, Taxonomy and Future
Directions
Haomiao Yang, Member, IEEE, Mengyu Ge, Graduate Student Member, IEEE, Dongyun Xue, Kunlan Xiang,
Hongwei Li, Senior Member, IEEE, Rongxing Lu, Fellow, IEEE
Abstract—Federated learning (FL) is a distributed deep learn-
ing framework that has become increasingly popular in recent
years. Essentially, FL supports numerous participants and the pa-
rameter server to co-train a deep learning model through shared
gradients without revealing the private training data. Recent
studies, however, have shown that a potential adversary (either
the parameter server or participants) can recover private training
data from the shared gradients, and such behavior is called
gradient leakage attacks (GLAs). In this study, we first present
an overview of FL systems and outline the GLA philosophy.
We classify the existing GLAs into two paradigms: optimization-
based and analytics-based attacks. In particular, the optimization-
based approach defines the attack process as an optimization
problem, whereas the analytics-based approach defines the attack
as a problem of solving multiple linear equations. We present
a comprehensive review of the state-of-the-art GLA algorithms
followed by a detailed comparison. Based on the observations of
the shortcomings of the existing optimization-based and analytics-
based methods, we devise a new generation-based GLA paradigm.
We demonstrate the superiority of the proposed GLA in terms
of data reconstruction performance and efficiency, thus posing a
greater potential threat to federated learning protocols. Finally,
we pinpoint a variety of promising future directions for GLA.
Index Terms—Federated learning, gradients leakage attack,
analytics-based attacks, optimization-based attacks, generation-
based attacks
I. I NTRODUCTION
Conventional machine learning patterns require data to be
aggregated to the center before model training. However, after
deviating from the original data domain, the data could become
uncontrollable, leading to data privacy leakage and data secu-
rity risks. Federated learning (FL) [1] is a distributed machine
learning technique proposed by Google. Unlike traditional
machine learning, it does not require data to be centralized
in a single center, thus enabling distributed collaborative
training models and preserving data privacy. Due to its intrinsic
characteristics of preserving privacy and decentralization, FL
has been widely favored by various industries.
FL systems mainly consist of a central parameter server
and multiple participants. At each communication round, the
parameter server sends the model weights from the previous
round to the participants, who update the weights based on
their private data. Then, each participant sends the gradi-
ent of the global model back to the parameter server for
aggregation. Throughout this process, the central server has
access only to the gradients or model parameters uploaded
by the participants, and hence, data privacy is protected.
Authorized licensed use limited to: Ewha Womans Univ. Downloaded on June 12,2023 at 16:21:23 UTC from IEEE Xplore. Restrictions apply.
Unfortunately, several studies have shown that gradients still
implicitly contain information about the original data, making
it possible to steal private data [2], [6], [7]. We call such a
behavior gradient leakage attack (GLA).
To better understand GLA, we classify GLA into two
categories, optimization-based attacks and analytics-based at-
tacks. Among the optimization-based methods, the most rep-
resentative work is the deep leakage from gradients (DLG)
proposed by Zhu et al. [2]. They consider an honest but curious
parameter server as an adversary. To recover the original
image data from the gradients uploaded by the participants,
the adversary first randomly initializes a noisy image and
a random label (also called a dummy image and dummy
label, respectively). Then, the adversary optimizes the dummy
image and dummy label simultaneously to make the gradients
generated by the model close to the captured real gradients.
When the optimization process converges, the dummy image
and dummy label are considered to be the original private data.
The study by Phong et al. [3] is the groundbreaking work of
an analytics-based attack. They were the first to demonstrate
how to compute the raw input from a single-layer perceptron
analytically when only gradients are available. Fan et al. [4]
further extended this concept to a single convolutional layer
and proposed a closed-form algorithm. Unlike optimization-
based methods, analytics-based attacks are fast and accurate,
because the core insight is to solve one or more linear systems
of equations. In some large and complex deep learning models
such as ResNet and Transfomer-based models, however, the
analytics-based attack may face overdetermined and underde-
termined cases during the solution of linear equations.
In the existing literature related to GLA, many research
works are relatively independent and may overlap in attack
methods. Moreover, almost no work has broadly generalized
or classified GLA. A deeper and more thorough understanding
of GLA is indispensable before any type of FL services to
preserve data privacy can be offered to users. Therefore, a
comprehensive summary of state-of-the-art research on GLA is
necessary to guide more research directions, including defense
strategies, in the future.
In this study, we comprehensively investigate the state-of-
the-art GLA existing in FL. We first review the FL system
and outline the GLA philosophy by demonstrating that the
latest research efforts enable the definition of a complete
taxonomy of methods for reconstructing participants original
private data from gradients. We then give a brief overview

of the existing GLA, explain the starting point of the study
of this field, and what problems are addressed. Meanwhile,
we provide not only a classification of the existing GLA but
also a detailed consideration of the upsides and downsides. In
view of the shortcomings of the existing work, such as slow
data reconstruction and poor performance on large models,
we further propose a novel generation-based attack strategy.
Finally, we highlight some purposeful open questions and
consider future research directions that we believe will shed
new light on the field of GLAs.
II. P RELIMINARIES
A. Federated Learning
FL is a distributed machine learning framework that enables
data sharing and collaborative modeling while also ensuring
data privacy security and legal compliance. In general, there
are four phases of FL in each communication round. First,
the parameter server distributes the model parameters from
the previous round to each participant or some of them. In the
first communication round, the model parameters are randomly
initialized. Second, each selected participant feeds the local
data into the global model for training. Given the limited com-
putational resources of the participants, FL protocols typically
require only one iteration by the participants using stochastic
gradient descent. Third, all participants send the gradients or
model weights obtained by local training back to the parameter
server. Finally, the parameter server aggregates the gradients or
weights from all participants in the previous step and updates
the global model according to the equation (1), where |ni |
represents the amount of data on the i-th participants; m is the
number of participants; |N | is the sum of all |ni |; W stands
for shared gradient. The end of the FL process is marked by
the convergence of these iterative procedures over the model
parameters.

m
|ni |
Wt+1 = Wt − η ∇Wi
|N |
i snoop secretly on private data from that information.
B. GLA Philosophy
In general, any attack that obtains information about the
original data from the gradients can be called a gradient leak-
age attack. Specifically, from the gradients, the attacker can
infer the properties of the training data, class representatives
[5], labels [6], or even the data itself [2]. Because the first
attack on the inferred attribute is shallow and less threatening
[2], the last three attacks are already accurate to the details of
the original training data. Thus they pose a significant threat
to FL services. In this study, we focused on the latter three
GLAs.
Fig. 1 presents an overview of the FL system that suffers
from GLA. After a participant feeds the local data to the global
model and computes the gradient by backpropagation, the
gradient is passed back to the parameter server. To reduce the
communication overhead, participants compress the gradients
before uploading them.
Finally, an adversary can pose a threat to FL by exploiting
gradient information and global models to reconstruct private
data through various GLA algorithms.
Authorized licensed use limited to: Ewha Womans Univ. Downloaded on June 12,2023 at 16:21:23 UTC from IEEE Xplore. Restrictions apply.
2
Participant (Victim) Parameter server
Private training data Global model
Parameter
distribution
Gradients/Weights
Reconstructed data
Compression
2SWLRQDO GLA algorithms
Adversary
Uploaded gradients (server/participant)
Fig. 1. An illustration of the GLA process: The adversary (either the server or
the participant) reconstructs the private training data by accessing the shared
gradients
III. T HREAT MODEL
GLA is an attack method in which the adversary recovers
or reconstructs information related to the original training data
from the shared gradients. We define the threat model in terms
of two properties that are consistent with adversary capabil-
ities and background knowledge: adversary capabilities and
adversary knowledge. The capabilities of the adversary can be
further classified as active and passive attacks. The adversary
knowledge includes both auxiliary-free and auxiliary-based
attacks.
a) Adversary capability: An adversary in an active attack
scenario is usually highly capable. Specifically, not only does
an adversary have access to the gradients and model param-
eters, but it also can modify the model parameters and even
the model structure to make it easier for them to steal private
data. In contrast, passive adversaries are usually honest but
(1) curious, and they just use what information they can get and
b) Adversary knowledge: Typically, the adversary has
information only about the model parameters and the gradients
of the participants. The act of reconstructing private data from
this information alone is called an auxiliary-free attack. To
obtain more accurate reconstruction results, some adversaries
may exploit additional auxiliary information, including auxil-
iary datasets, batch normalization statistics information of the
global model, and pretrained generative adversarial networks
(GAN), which we refer to as auxiliary-based attacks. The
introduction of auxiliary information has become an important
part of the current research on FL systems [8], [9].
IV. S TATE - OF - THE - ART GLA METHODS
According to the attack techniques and the reconstruction
result, all state-of-the-art GLA methods can be divided into
two categories: optimization-based and analytics-based at-
tacks. Next, for each type of attack, we briefly review the
existing leading attack methods and discuss their strengths and
weaknesses. See TABLE I for a comparison of existing works.
 3

TABLE I
A COMPREHENSIVE COMPARISON OF THE STATE - OF - THE - ART GLA METHODS

Method Taxonomy Capability Knowledge Batch Size Shared Comp 1 Res 2 Pre 3 Open 4 Year Remark

Phong et al., [3] Analytics Passive Auxiliary-free 1 Gradients No 20×20 No No 2017 Analytics founder
DMU-GAN [5] Optimization Active Auxiliary-free - Gradients No 64×64 No Yes 2017 Optimization pioneer
DLG [2] Optimization Passive Auxiliary-free Max:8 Gradients No 64×64 No Yes 2019 Optimization founder
iDLG [6] Optimization Passive Auxiliary-free Max:1 Gradients No 32×32 No Yes 2020 -
CPL [9] Optimization Passive Auxiliary-based Max:8 Gradients Yes 32×32 No Yes 2020 Strong assumption
IG [7] Optimization Passive Auxiliary-free Max:100 Gradients No 32×32 No Yes 2020 Known labels
Fan et al. [4] Analytics Passive Auxiliary-free 1 Gradients No 32×32 - No 2020 -
STG [8] Optimization Passive Auxiliary-based Max:48 Gradients No 224×224 Yes No 2021 BN statistics
R-gap [11] Analytics Passive Auxiliary-based 2 Gradients No 32×32 - Yes 2021 -
Fowl et al., [12] Analytics Active Auxiliary-free Max:512 Gradients No 224×224 Yes Yes 2021 Strong assumption
LLG [14] Analytics Passive Auxiliary-free Max:128 Gradients No - No Yes 2021 Labels only
Franziska et al., [13] Analytics Active Auxiliary-free 100 Gradients No 32×32 - No 2022 Success rate 0.4-0.6
DLM [10] Optimization Passive Auxiliary-free 1 Weights No 32×32 No No 2022 -
HCGLA [15] Optimization Passive Auxiliary-based Max:16 Gradients Yes 32×32 No Yes 2023 -
1 Comp is shorthand for compression and indicates whether the work has a scenario where gradient compression is considered.
2 Res indicated the private image resolution.
3 Pre, short for pretraining, indicates whether the attack can be applied to a federated learning scenario in which the model has been pre-trained.
4 Open indicates whether the work publish the code.
”-” indicates that it is not reported in the original article or is not applicable.

A. Optimization-based attack method a dummy image and a random label as a dummy label, and
then optimizes them to produce a gradient consistent with the
Optimization-based methods usually achieve data recon- captured gradient by gradient descent. Eq. (2) shows the core
struction by optimizing the original data according to the idea of DLG, where f denotes the global model, gc is the
gradients to make it close to the private training data. Hitaj et captured real gradient, η stands for learning rate, and xd and
al. are the pioneers of optimization-based methods [5]. They yd represent dummy inputs and dummy labels, respectively.
proposed Deep Models Under the GAN (DMU-GAN) which The four formulas shown in Eq. (2) are denoted from top to
first used the idea of GAN, assuming that only two parties are bottom: 1. Dummy data and dummy labels are fed into the
involved and one of them is a malicious client who intends to global model to obtain dummy gradients gd . 2. Calculate the
steal private training data by continuously optimizing the GAN Euclidean distance D, between the dummy gradient gd and the
to synthesize samples so that the mimetic gradient no longer captured real gradient gc . 3. Update xd by gradient descent
can be changed by the other client. The essence is to trick with the goal of minimizing D. Update yd by gradient descent
the victim into revealing more detailed information related to with the goal of minimizing D.
private data by influencing the learning process. Thus, it is an
⎧
attack that breaks the performance of the global model. Note ⎪
⎪ ∂L(f (xd , θ), yd )
⎪
⎪ gd ←
that while DMU-GAN does employ a generative network, its ⎪
⎨ ∂θ
core mechanism is distinct from generation-based methods D ←gd − gc 2 (2)
presented later in this article. The primary goal of generation- ⎪
⎪
⎪
⎪ x d ←x d − η∇ x D
based methods is to create synthetic data that closely resemble ⎪
⎩
d

the target data distribution without requiring any optimization
process. In contrast, DMU-GAN focuses on deceiving the
victim by actively manipulating the learning process, which
involves continuous optimization of the GAN in response to
the victim’s model updates. This iterative process is the main
reason for classifying DMU-GAN as an optimization-based
method, despite the presence of a generative network.
Although DMU-GAN can generate data similar to private
datasets, it is unable to extract individual data points. Zhu et
al. proposed the DLG method [2] for the first time, which
realized the exact reconstruction of private data instead of
just reconstructing similar data. Since then, optimization-based
studies have focused on DLG for further improvement. DLG
regards the attack process as a problem of jointly optimiz-
ing input data and labels. The attack procedure is that the
adversary first randomly initializes a random noisy image as
yd ←yd − η∇yd D
Zhao et al. found that the labels can be directly inferred
from the gradient of the last fully connected network without
optimization and proposed iDLG [6], thus reducing the search
space of DLG optimization and improving the efficiency of
data reconstruction. iDLG however, can infer labels only when
the batch size is 1. Based on iDLG, Geiping et al. proposed IG
[7] and assumed that the label information of private data is
known, which focuses on optimizing the image. Specifically,
IG replaced the Euclidean distance of DLG, which measures
the difference between the dummy and real gradients, with
cosine similarity. They analyzed which layers of the neural
network model contained the most information about the
original data. Having seen the potential of GLA through IG,
the recent work on see through the gradients (STG) proposed
by Yin et al. [8] first pushed the boundaries toward high-

Authorized licensed use limited to: Ewha Womans Univ. Downloaded on June 12,2023 at 16:21:23 UTC from IEEE Xplore. Restrictions apply.

resolution, multi-batch GLA scenarios. They first proposed a
method to infer the labels of all images in a batch (but it was
limited to the condition that there were no duplicate labels).
They then used multiple independent optimization processes
to improve the quality of the optimization, in a penalty term
was added to the dummy image and statistical information
from the batch normalization layer was used to co-optimize
the dummy image to find an enhanced reconstruction of the
original data batch.
In a real FL scenario, direct transmission of the original full
gradient is very resource-consuming, so it is more desirable
for participants to compress local gradients before sending
them back to the server to reduce communication overhead.
Gradient compression inevitably brings information loss, so in
DLG, Zhu et al. [2] also noted gradient compression as a good
defense measure and reported that when the retained gradient
is 70% of the original one, the adversary can no longer
reconstruct the private data. Considering gradient compression,
Wei et al. proposed the client privacy leakage (CPL) method
[9]. Specifically, they discarded the use of random noise as an
initialization method for dummy images and proposed the use
of real natural images to compensate for some of the infor-
mation loss caused by gradient compression. CPL, however,
requires that the adversary’s auxiliary dataset overlaps with the
private training dataset. In a recent study, Yang et al. proposed
HCGLA [15] and implemented GLA for the scenario where
gradients are highly compressed. In particular, they address
the problem of requiring demanding auxiliary datasets in CPL
by first performing a shallow attack, which is to infer some
features of the original data from the compressed gradients,
and then using these information to initialize the dummy data.
In addition, HCGLA also proposes specific optimization objec-
tive functions for gradient compression scenarios to improve
the accuracy of data reconstruction.
B. Analytics-based attack method
Unlike optimization-based methods, analytics-based meth-
ods typically obtain raw private data by solving a linear system
of equations. As a result, these methods reconstruct data faster
and more accurately. Phong et al. [3], as the originators of
the analytics-based approach, first showed how to compute
the original input from the gradient. The core idea is to
divide the gradient of the weights and the gradient of the
bias to reconstruct the original input. Their work is limited
to a single-layer neural network, however, and the batch size
can be only 1. Moreover, it is required that the bias term
exists and is not zero. Fan et al. [4] further extended the
analytics-based approach to bias attacks, that is, instead of a
perfect reconstruction, they used analytical methods to obtain
a slightly different reconstruction from the original data. Their
work broadened the work of Phong et al. from a single
fully connected network to a multilayer convolutional network.
Overall, the core idea of these early analytics-based works
is to recover the input of a fully connected layer from the
gradient.
Both of these methods work only on shallow networks,
meaning that the parameter scale of the model is only in the
Authorized licensed use limited to: Ewha Womans Univ. Downloaded on June 12,2023 at 16:21:23 UTC from IEEE Xplore. Restrictions apply.
4
tens of thousands of levels and the number of layers is small.
To handle complex deep networks in real-world scenarios,
Zhu et al. proposed the R-gap [11], which formulated a rank
analysis method to estimate the feasibility of performing GLA
given a network architecture. The R-gap can be interpreted as
a closed-form recursive procedure to recover raw data from
gradients in a deep neural network. R-gap, however, does not
address the batch input problem.
Active adversaries were first introduced by Fowl et al. [12]
by side-connecting a huge fully connected network to the
original global model and then directly obtaining a verbatim
copy of the input data without solving the hard inverse
problem. Although this approach has been shown to be able
to recover the original data even for batch size under 512 and
image resolutions up to 224×224, the additional large network
structures added by the adversary have exactly the same
weight values, which leads to player awareness. To improve
the problem that the active attacker Fowl et al. is inherently
detectable, Franziska et al. [13] proposed the concept of trap
weights, which means that the adversary modifies only the
initial weight parameter distribution, and the success rate of the
attack is improved by changing the initial weight distribution.
Recovering labels is another important task in GLA, because
most attack methods to recover the original image require
recovering the labels at the beginning. Therefore, recovering
batch labels from gradients, especially when labels are dupli-
cated, is a task worth exploring. Motivated by this, Wainakh et
al. proposed a heuristic algorithm label leakage from gradients
(LLG) [14] to solve the problem of duplicate labels. According
to the authors, the insight behind LLG is that the number of
the same labels in a batch affects the numerical magnitude of
the gradient, and by approximately quantizing this value, it is
possible to infer the number of identical labels in a batch. The
drawback of LLG is that it works only for untrained networks.
V. A COMPREHENSIVE COMPARISON
Table I provides a comprehensive comparison of the existing
GLA. Generally, when applying GLA, optimization-based
methods are more time-consuming and require a lot more com-
putational resources than analytics-based methods. The former
often requires thousands of iterations, and tens of thousands
of high-resolution images, on the order of hours, whereas the
latter produces the raw input in milliseconds, regardless of
the image resolution. In addition, if the original image can
be restored by the analytics-based methods, they are lossless
(except for R-gap [11] due to an error accumulation). Despite
the high-speed and high-quality nature of the analytics-based
methods, there is significantly more research is needed on
optimization-based methods because analytics-based methods
tend to have more limitations in implementation. For example,
the method proposed by Fowl et al. [12] can recover high
quality raw data, but it is unrealistic to assume that the
adversary has the ability to modify the initialization model.
Although Franziska et al. [13] weakened this assumption, the
client also could identify the adversary by simply examining
the distribution of the initial weight. The methods by Phong
et al. [3] and Fan et al. [4] have strong concealment, but

their attack methods cannot reconstruct data from the current
popular neural network model.
Since in optimization-based methods the adversary is es-
sentially passive and difficult to detect, and they are less
restrictive than analytics-based methods, their range of ap-
plications is also wider than in analytics-based methods.
Unlike the analytics-based approach, the GLA defined by
the optimization-based is a nonconvex optimization problem.
Although the LBFGS optimizer (based on the quasi-Newton
method) is able to find the global optimal point in DLG [2],
follow-up work proved that LBFGS would fail completely
for larger networks and high-resolution inputs [8]. Therefore,
more GLA methods [7]–[9] choose the Adam optimizer for
optimization. Optimization to a global optimum, however,
is not easy in the case of large batch sizes and gradient
compression. Among the current optimization methods, the
research direction has focused on improving the reconstruction
quality in different FL setting scenarios. Generally, better
reconstruction results can be obtained in scenes with auxiliary
information. Additional auxiliary information can reduce the
chance that the optimization task will get stuck at a local
optimum or that the initialization point will be located at a
point at which the convergence is easier.
VI. GLA BASED ON GENERATION
A common problem with current optimization-based meth-
ods is that the optimization demands an enormous amount
of computational time. In contrast, analytics-based methods
can recover data at the millisecond level, but they have many
limitations in practice. It is natural to ask: whether there is a
fast way to implement the GLA without being too restrictive?
One approach that seems plausible is to use a generative
network to directly generate the private training image. How-
ever, most current methods using generative networks still have
an optimization process, but only the optimization space is
reduced compared to traditional GLA. Therefore, if we are
not starting from an optimization point of view, but from a
direct generation, we would like to be able to input gradient
information and then directly generate the original image. We
refer to this kind of GLA as generation-based method.
However, since the shared gradients tend to be large and
irregular, it is not practical to flatten and feed them directly
into a generative network.Inspired by Phong et al. [3] and
Fan et al. [4], we can first quickly recover the input of the
last fully connected layer by the analytics-based method. This
is feasible in real-world scenarios, because in classification
tasks, the global model often consists of a feature extractor
concatenated with fully connected layers. Once the input of
the fully connected layer is computed, we can transform it
to the original input feature map, since in the threat model,
the global model architecture is known to the adversary. After
that, we can train a generator whose input is the feature map
and which output is the original image. Note that when there
are no duplicate labels in the batch, each data in the batch
recovers its feature map individually. Fig. 2 illustrates how we
trained the generative model, where the generative network is
similar to the inverse ResNet, using transposed convolutions
Authorized licensed use limited to: Ewha Womans Univ. Downloaded on June 12,2023 at 16:21:23 UTC from IEEE Xplore. Restrictions apply.
5
for upsampling from the feature maps to get the original input
image. Eq. (3) gives the loss function of the generative network
trained by the adversary, where gθ (·) represents the generative
network, z represents the feature map, c(·) is the feature
extraction network, and T V (·) stands for total variance loss.
Fig. 2. Schematic of how the generative network is trained
L = X − gθ (z)2 + z − c(gθ (z))2 + T V (gθ (z)) (3)
Once the generative network is trained on the auxiliary
dataset of the adversary, the generative-based gradient leakage
attack can be performed. Fig. 3 demonstrates the attack
paradigm of the generative-based method. In this method, the
adversary first separates the locations of the original batch data
corresponding to the gradient matrix of the fully connected
layer according to the process of inferring the labels in the
STG [8], and then separates and extracts the feature maps
using the analytics-based method of Phong [3] and Fan et al.
[4]. Finally, the inferred feature map is input into the trained
generative network to obtain the reconstructed data.
Fig. 3. Generation-based GLA
Fig. 5 shows the reconstruction results of the generation-
based method and DLG [2], IG [7], and STG [8] with a batch
size of 8 and a gradient compression ratio of 1%. Table II
records the reconstructed image numerical metrics. We uses
MSE (Mean Squared Error), PSNR (Peak Signal-to-Noise Ra-
tio), SSIM (Structural Similarity Index), and LPIPS (Learned
Perceptual Image Patch Similarity) to evaluate the final recon-
struction performance. Among which MSE and PSNR measure
the difference between the original and reconstructed images
in terms of mean error and signal-to-noise ratio, respectively.
SSIM evaluates the structural similarity between the original
and reconstructed images, where a score of 1 represents perfect
similarity. LPIPS measures the perceptual similarity between
images by comparing them based on learned representations of
human perception. Even in the gradient compression scenario,
the generation-based method not only achieved better data
reconstruction quality than the mainstream optimization-based
methods, but also completed the reconstruction in only a
 6

few seconds. Overall, because the generation-based method

is less restrictive and can be applied to gradient compression
scenarios with high reconstruction efficiency, we believe that
this is one of the future research directions.

Fig. 5. Combined generation-optimization data reconstruction results

compared to optimization-based methods for GLA. By directly

generating the private training image through a generative
network and bypassing the need for an extensive optimization
process, this method significantly reduces the time required
for refactoring. Furthermore, the generation-based approach
is less restrictive and can be applied to gradient compression
scenarios, which makes it a more versatile option. Moreover,
Fig. 4. Comparison of reconstruction results
combining the generation-based method with optimization-
based techniques can further enhance the quality of data re-
TABLE II construction, offering a promising direction for future research.
T HE NUMERIC RESULTS OF DIFFERENT GLA WHEN THE BATCH SIZE IS 8 Thus, the generation-based approach presents a powerful alter-
AND A GRADIENT COMPRESSION RATIO OF 1%
native to optimization-based methods, with its superior speed,
MSE ↓ PSNR ↑ SSIM ↑ LPIPS ↓ Time(s/batch) ↓ flexibility, and potential for improving data reconstruction
quality in GLA.
DLG [2] 0.1470 19.1715 0.0143 0.7586 1650
IG [7] 0.0912 10.3980 0.2338 0.6541 13610
STG [8] 0.0601 15.5830 0.3889 0.4188 14852 VII. F UTURE RESEARCH DIRECTIONS
Generation-based 0.0132 18.7460 0.4543 0.5150 1.72
In terms of GLA, we identified three directions that deserve
further exploration.
One another potential approach to enhance the quality First, all GLAs assume that the task scenario is a classifica-
of data reconstruction is to combine generation-based and tion problem, with image classification based tasks being the
optimization-based methods. In this method, the image gener- majority, which are based on cross-entropy loss. In some of the
ated by the generation-based approach serves as the initial im- other types of mainstream tasks in the image domain, such as
age, which is then iteratively optimized using an optimization- object detection, and semantic segmentation, the hybrid loss is
based approach. This promising approach can further im- used. Most of the current GLA methods are difficult to apply to
prove the quality of data reconstruction. Figure 5 displays hybrid loss scenarios, however; thus, they cannot attack other
the reconstruction results of our proposed generation-based types of task scenarios effectively. Moreover, in recognition
method combined with three optimization-based methods at and segmentation tasks, models often skip the upstream feature
a compression rate of 1%. Meanwhile, Table III provides map directly to the downstream part of the network, which is
numerical measurements of the reconstruction results. These similar to the skip connections mentioned by Fowl et al. [12]
results demonstrate that, compared to the simple generation- and may leak more information. Therefore, understanding how
based method, the combined reconstruction method signifi- to implement GLA for more task genres is a potential research
cantly improves image quality, as indicated by the increase in direction.
SSIM and LPIPS values. Second, the global models in the current GLA lack diversity
TABLE III
and basically only include small networks such as LeNet or
T HE NUMERIC RESULTS OF COMBINED GENERATION - OPTIMIZATION DATA custom ConvNet with few convolutional layers and fully con-
RECONSTRUCTION nected layers. Even for the most complex and large networks,
it is the norm to use only ResNet. Recently, Transformer
MSE↓ PSNR↑ SSIM↑ LPIPS↓ Time(s/batch)↓ architecture-based models have become popular in computer
Generation + DLG 0.0216 16.6650 0.4337 0.3392 1667 vision tasks and achieved better results than traditional con-
Generation + IG 0.0435 13.6186 0.3539 0.5607 13632 volutional neural network (CNN) models. Although some
Generation + STG 0.0310 15.0836 0.4745 0.3810 14865 works have attempted to extend the existing GLA methods
to Transformers, many drawbacks remain. For example, the
In conclusion, the generation-based approach offers a existing research can attack only single-layer self-attention
unique set of benefits in terms of speed and scalability when or shallow Transformers. Therefore, to make the application

Authorized licensed use limited to: Ewha Womans Univ. Downloaded on June 12,2023 at 16:21:23 UTC from IEEE Xplore. Restrictions apply.

scenarios of GLA more diverse, extending GLA from CNN to
networks based on Transformer architecture remains a topic
of interest.
Third, GLA must consider more realistic FL scenarios,
including gradient transformation, vertical FL and transfer
learning. In practical FL, gradients often are transformed to
reduce communication bandwidth or to defend against GLA,
including clipping, compression, and adding noise. However,
most of the current studies do not consider these issues. In
addition, vertical FL has greater application in industry, but
little research has been done in GLA. Finally, instead of
training a model from scratch, the popular machine learning
paradigm prefers transfer learning strategies. This means that
the upstream network does not generate gradients, which
would lose a large amount of information, and current main-
stream GLA methods rarely achieve data reconstruction when
such essential information is lost. Overall, it makes sense to
perform GLA in a more realistic scenario.
We conclude by emphasizing the need for further research
into GLA defense strategies. Currently, the two dominant
defense methods involve adding Gaussian noise to gradients
and implementing cryptographic-based methods. However, the
former comes at the expense of model accuracy, and finding
a balance remains challenging. The latter not only requires
modifying the model structure but also consumes significant
bandwidth and storage resources when updating the global
model. Recently, a study discovered that inserting a variational
module before the output layer could interfere with gradients,
ensuring the accuracy of the model while also resisting GLA.
This method is only effective on fully connected neural
networks and small convolutional neural networks. Thus, it
is imperative for future research to concentrate on devising
robust, secure, and comprehensive countermeasures against
gradient leakage attacks.
VIII. C ONCLUSION
Gradient leakage in federated learning is a problem that
has attracted much attention in recent years. In this study, we
provided a comprehensive summary of state-of-the-art gradient
leakage attacks. Depending on whether the adversary views
the attack pattern as solving a linear equation or an opti-
mization problem, we generalized all current attack paradigms
into two taxonomies: optimization-based and analytics-based
approaches. We extensively compared the two existing attack
paradigms, and based on their shortcomings, we proposed
a novel generation-based approach that combines the ad-
vantages of optimization-based and analytics-based methods
to achieve satisfactory results. Finally, we encapsulated four
directions worthy of future research based on current open
questions in GLA related research.
ACKNOWLEDGMENTS
This work was supported in part by the National Key R&D
Program of China (2022YFB4501200, 2021YFB3101302,
2021YFB3101300), in part by tthe National Natural Sci-
ence Foundation of China (62072081, 62072078, U2033212),
Authorized licensed use limited to: Ewha Womans Univ. Downloaded on June 12,2023 at 16:21:23 UTC from IEEE Xplore. Restrictions apply.
7
in part by the Key-Area Research and Development Pro-
gram of Guangdong Province (2020B0101360001), in part
by Fundamental Research Funds for Chinese Central Uni-
versities (ZYGX2020ZB027), in part by CCF-Ant Group
Research Fun, the Sichuan Science and Technology Program
(2020JDTD0007), and in part by the Sichuan Science and
Technology Program (grant no. 2022ZHCG0037).
R EFERENCES
[1] H. B. McMahan et al., “Communication-efficient learning of deep net-
works from decentralized data,” Proc. PMLR, pp. 1273-1282, 2017.
[2] L. Zhu, Z. Liu, and S. Han, “Deep leakage from gradients,” Advances in
Neural Info. Processing Systems, pp. 14747–14756, 2019.
[3] Phong, L. T et al., “Privacy-preserving deep learning: Revisited and
enhanced,” Proc. ATIS, pp. 100-110, 2017.
[4] L. Fan et al., “Rethinking privacy preserving deep learning: How to
evaluate and thwart privacy attacks,” Federated Learning: Privacy and
Incentive, vol. 12500, pp. 32-50, 2020.
[5] B. Hitaj, G. Ateniese, and F. Perez-Cruz, “Deep models under the GAN:
Information leakage from collaborative deep learning,” Proc. ACM CCS,
pp. 603-618, 2017.
[6] B. Zhao, K. R. Mopuri, and H. Bilen, “idlg: Improved deep
leakage from gradients,” accessed on 8 Jan, 2020, available:
https://arxiv.org/pdf/2001.02610.pdf.
[7] J. Geiping et al., “Inverting gradients-how easy is it to break privacy
in federated learning,” Advances in Neural Info. Processing Systems, pp.
16937-16947, 2020.
[8] H. Yin et al., “See through gradients: Image batch recovery via gradin-
version,” Proc. IEEE CVPR, pp. 16337-16346, 2021.
[9] W. Wei et al., “A framework for evaluating gradient leakage at-
tacks in federated learning,” accessed on 22 Apr, 2020, available:
https://arxiv.org/pdf/2004.10397.pdf.
[10] Z. Zhao, M. Luo, and W. Ding, “Deep leakage from model
in federated learning,” accessed on 10 Jun, 2022, available:
https://arxiv.org/pdf/2206.04887.pdf.
[11] J. Zhu, and M. Blaschko, “R-gap: Recursive gradient attack on privacy,”
accessed on 15 Oct, 2020, available: https://arxiv.org/pdf/2010.07733.pdf.
[12] Fowl et al., “Robbing the fed: Directly obtaining private data in federated
learning with modified models,” accessed on 25 Oct, 2021, available:
https://arxiv.org/pdf/2110.13057.pdf.
[13] F. Boenisch et al., “When the curious abandon honesty: Feder-
ated learning is not private,” accessed on 6 Dec, 2021, available:
https://arxiv.org/pdf/2112.02918.pdf.
[14] A. Wainakh et al., “User label leakage from gradients in
federated learning,” accessed on 19 May, 2021, available:
https://arxiv.org/pdf/2105.09369.pdf.
[15] H. Yang et al., “Using Highly Compressed Gradients in Federated
Learning for Data Reconstruction Attacks,” IEEE Trans. Info. Forensics
and Security, vol. 18, pp. 818-830, 2023.
B IOGRAPHIES
HAOMIAO YANG is currently a Professor with the School of
Computer Science and Engineering and the Center for Cyber
Security, University of Electronic Science and Technology of
China (UESTC). His research interests include cryptography,
cloud security, and cybersecurity for aviation communication.
MENGYU GE is currently pursuing his M.S. degree in School
of Computer Science, UESTC. His research interests include
cloud computing, IoT and AI security.
DONGYUN XUE is currently studying for his M.S. degree in
School of Computer Science, UESTC. His research interests
include security and privacy of outsourcing data and deep
learning.
KUNLAN XIANG is currently pursuing the M.S. degree in
School of Computer Science, UESTC. Her research interests
include cloud security and IoT security.
 8

HONGWEI LI is currently the Head and a Professor at Depart-

ment of Information Security, School of Computer Science and
Engineering, UESTC. His research interests include network
security and applied cryptography.
RONGXING LU (Fellow, IEEE) is currently the Mastercard
IoT Research Chair, a University Research Scholar, and an
Associate Professor at the Faculty of Computer Science (FCS),
University of New Brunswick (UNB), Canada. His research
interests include applied cryptography, privacy enhancing tech-
nologies, and the IoT-big data security and privacy.

Authorized licensed use limited to: Ewha Womans Univ. Downloaded on June 12,2023 at 16:21:23 UTC from IEEE Xplore. Restrictions apply.