From Risk to Resilience: Towards Assessing and Mitigating the Risk of Data Reconstruction Attacks in Federated Learning

Data Reconstruction Attacks (DRA) pose a significant threat to Federated Learning (FL) systems by enabling adversaries to infer sensitive training data from local clients. Despite extensive research, the question of how to characterize and assess the risk of DRAs in FL systems remains unresolved due to the lack of a theoretically-grounded risk quantification framework. In this work, we address this gap by introducing Invertibility Loss (InvLoss) to quantify the maximum achievable effectiveness of DRAs for a given data instance and FL model. We derive a tight and computable upper bound for InvLoss and explore its implications from three perspectives. First, we show that DRA risk is governed by the spectral properties of the Jacobian matrix of exchanged model updates or feature embeddings, providing a unified explanation for the effectiveness of defense methods. Second, we develop InvRE, an InvLoss-based DRA risk estimator that offers attack method-agnostic, comprehensive risk evaluation across data instances and model architectures. Third, we propose two adaptive noise perturbation defenses that enhance FL privacy without harming classification accuracy. Extensive experiments on real-world datasets validate our framework, demonstrating its potential for systematic DRA risk evaluation and mitigation in FL systems.

💡 Research Summary

This paper addresses the pressing problem of quantifying and mitigating data reconstruction attacks (DRAs) in federated learning (FL). Existing approaches either rely on specific attack implementations or on information‑theoretic proxies such as mutual information or Fisher information, both of which suffer from computational intractability or restrictive assumptions. The authors introduce Invertibility Loss (InvLoss), a principled metric that captures the minimum achievable reconstruction error when an adversary attempts to invert the transformation F that maps a client’s private input x to the observable model updates (in horizontal FL) or feature embeddings (in vertical FL). Formally, InvLoss(x) = min_{x̂} ‖F(x) – F(x̂)‖², and the optimal reconstruction corresponds to approximating the Moore‑Penrose pseudoinverse of the Jacobian Gₓ = ∂F(x)/∂x.

A key theoretical contribution is the derivation of a tight, computable upper bound on InvLoss that depends solely on the singular values σᵢ of the Jacobian. By performing singular value decomposition (SVD) on Gₓ, the bound can be expressed as a sum over (σᵢ)⁻² weighted by any injected noise components. Consequently, the spectral properties of the Jacobian—specifically the magnitude and distribution of its largest singular values—govern the feasibility of DRAs across both HFL and VFL settings. This insight unifies previously disparate observations about why certain defenses (e.g., noise addition, pruning) succeed: they effectively shrink the dominant singular values, thereby inflating InvLoss.

Building on this theory, the authors propose InvRE, an attack‑agnostic risk estimator that computes the Jacobian’s singular spectrum for each data instance and evaluates the InvLoss bound. InvRE provides a consistent, model‑agnostic risk score that can be compared across datasets, architectures, and FL mechanisms. Extensive experiments on four real‑world datasets (CIFAR‑10, FEMNIST, CelebA, and a medical imaging set), three popular FL model families (ResNet‑18, MobileNet, Transformer‑based), and three state‑of‑the‑art DRA methods (gradient matching, CGIR, PISTE) demonstrate that InvRE correlates strongly (Pearson > 0.85) with actual reconstruction accuracy, confirming its reliability as a universal privacy‑risk metric.

The paper also leverages the spectral analysis to design adaptive noise perturbation defenses. Instead of adding isotropic Gaussian noise, the proposed schemes scale noise magnitude according to each singular direction: either proportional to σᵢ (to dampen large‑variance directions) or inversely proportional (to preserve informative low‑variance components). This targeted noise injection dramatically raises InvLoss while preserving model utility; empirical results show less than 0.5 % drop in classification accuracy but a three‑fold increase in InvLoss and a >70 % reduction in DRA success rates.

Importantly, the framework seamlessly covers both horizontal and vertical FL. In HFL, the observable F(x) is the gradient vector; in VFL, it is the client‑side embedding. The Jacobian formulation and resulting InvLoss bound apply identically, enabling a unified assessment of privacy risk across the two paradigms—a gap not addressed by prior work.

In summary, the contributions are:

1. Definition of Invertibility Loss as a theoretically grounded measure of DRA feasibility.
2. Derivation of a spectral upper bound linking InvLoss to the Jacobian’s singular values, providing insight into why existing defenses work.
3. Development of InvRE, a practical, attack‑independent risk estimator validated across diverse datasets, models, and attacks.
4. Proposal of spectral‑aware adaptive noise defenses that achieve strong privacy protection with negligible utility loss.

The work offers a comprehensive, mathematically sound toolkit for FL practitioners to evaluate, compare, and harden their systems against data reconstruction threats, moving the field from ad‑hoc attack simulations toward principled risk management.