What problem does this paper attempt to address?

The problem that this paper attempts to solve is in Federated Learning (FL), how to recover training data, especially images and labels, from shared gradient or weight information. Although Federated Learning aims to protect user privacy by sharing local models rather than raw data, research shows that attackers can still use shared gradient information to reconstruct private data. Therefore, this research aims to break through the limitations of existing methods and propose more widely applicable data recovery methods, especially in the following aspects: 1. **Handling duplicate labels**: Existing methods cannot handle the situation where there are duplicate labels in batch - processed data, while this paper proposes a method that can handle this situation. 2. **Jointly evaluating the quality of image and label recovery**: Previous studies evaluated image recovery and label recovery tasks independently and did not explore the mutual influence between them. This paper takes into account the correlation between the two simultaneously. 3. **Recovering images from weight differences**: Existing methods are limited when using the FedAvg algorithm with batch size and local rounds greater than 1. This paper attempts to overcome these limitations. ### Specific problem description #### 1. Challenges in data recovery - Existing methods cannot handle the situation where there are duplicate labels in batch - processed data. - Image recovery and label recovery tasks are usually evaluated independently and their mutual influence has not been discussed. - The methods for recovering images from weight differences are very limited, especially under the FedAvg algorithm, where the batch size and local rounds are usually greater than 1. #### 2. Proposed solutions - **Zero - sample batch label recovery**: A zero - sample batch label recovery method that is not restricted by label distribution is proposed. - **Improving image initialization and regularization**: Two regularization terms (cropping and scaling) are introduced to improve the quality of image reconstruction, and a specific image initialization method is recommended. - **Multi - update consistency**: The consistency of multiple updates is utilized to improve the recovery results. - **Recovering data from weights**: A framework is designed to recover data from shared gradients and weights, especially for applications in the FedAvg scenario. - **Image alignment**: Image alignment is performed based on image similarity to eliminate the ambiguity caused by inconsistent order. ### Method overview #### 3.1 Reconstruction function The reconstruction attack is defined as an optimization problem, including gradient - matching loss and auxiliary regularization terms: \[ \hat{x}^*, \hat{y}^*=\arg \min_{\hat{x}, \hat{y}}\left[L_{g m}(\hat{x}, \hat{y}, W, \nabla W)+R_{a u x}(\hat{x})\right] \] #### 3.2 Zero - sample batch label recovery By analyzing the gradient information of the fully - connected layer, a zero - sample batch label recovery method is proposed to solve the problem of duplicate labels. #### 3.3 Auxiliary regularization To ensure that the recovered image pixel values are reasonable, two regularization terms are introduced: \[ R_{c l i p}(\hat{x})=\|\hat{x}-\text { clip }(\hat{x})\|^{2} \] \[ R_{s c a l e}(\hat{x})=\|\hat{x}-\text { scale }(\hat{x})\|^{2} \] #### 3.4 Multi - update consistency By increasing the number of known weight and gradient pairs, the accuracy of the recovery results is improved. #### 3.4 Multi - update consistency By increasing the number of known weight and gradient pairs, the accuracy of the recovery results is improved. #### 3.5 Recovering data from weights For the FedAvg algorithm, a method for recovering data from weight updates is proposed, using the average model difference as a fake gradient. #### 3.6 Image alignment Image alignment is performed based on image similarity to reduce the ambiguity caused by inconsistent order. ### Experimental results The experimental results show that the method proposed in this paper is significantly superior to the existing GradInversion method on the CIFAR - 10 and ImageNet datasets, especially when dealing with duplicate labels and large - batch data.