pith. sign in

arxiv: 2308.06822 · v3 · pith:DPZ6ZE6Pnew · submitted 2023-08-13 · 💻 cs.LG · cs.AI· cs.CR· math.OC

Approximate and Weighted Data Reconstruction Attack in Federated Learning

Yongcun Song , Ziqi Wang , Enrique Zuazua This is my paper

Pith reviewed 2026-05-24 07:14 UTC · model grok-4.3

classification 💻 cs.LG cs.AIcs.CRmath.OC
keywords federated learningdata reconstruction attackFedAvgprivacy leakageimage reconstructionBayesian optimizationlayer-wise weighting
0
0 comments X

The pith

An interpolation approximation of intermediate updates plus layer-wise weighting makes data reconstruction attacks effective against the standard FedAvg federated learning protocol.

A machine-rendered reading of the paper's core claim, the machinery that carries it, and where it could break.

The paper establishes that most prior reconstruction attacks break down on FedAvg because clients perform multiple local steps before sharing parameters. It introduces an interpolation method that estimates the missing intermediate updates and a layer-specific weighted loss whose coefficients are chosen by Bayesian optimization. Experiments on image data show that the resulting approximate and weighted attack recovers higher-fidelity client images than existing techniques under the same FedAvg setting. If the approach holds, it demonstrates that the privacy protection commonly assumed for horizontal federated averaging is weaker than previously thought when the server observes only final-round parameters.

Core claim

The authors show that an interpolation-based approximation generates usable estimates of clients' intermediate model updates during local training, while a layer-wise weighted loss function, with weights found by Bayesian optimization, further improves the quality of reconstructed training images. Together these components constitute the approximate and weighted attack (AWA) that substantially raises reconstruction metrics relative to prior methods when applied to FedAvg.

What carries the argument

Interpolation-based approximation of intermediate client updates together with a layer-wise weighted loss whose coefficients are tuned by Bayesian optimization.

If this is right

  • Attacks become practical against the most common horizontal FedAvg protocol rather than only single-step or vertical variants.
  • Reconstruction quality improves across multiple evaluation metrics for image data compared with existing state-of-the-art methods.
  • The attack works from the final shared parameters without needing access to every local step.
  • Bayesian optimization can be used to select layer weights that respect neural-network structure.

Where Pith is reading between the lines

These are editorial extensions of the paper, not claims the author makes directly.

  • Defenses in federated learning may need to account for the number of local steps or add noise that survives interpolation.
  • The success of the attack suggests that the choice of local epochs is itself a privacy parameter that should be tuned or hidden.
  • Similar interpolation-plus-weighting ideas could be tested on non-image modalities or on other aggregation schemes such as FedProx.

Load-bearing premise

The linear or simple interpolation of intermediate client updates is accurate enough to support high-quality reconstruction, and the layer weights found on one model and dataset transfer to others.

What would settle it

Running the attack on standard image datasets under FedAvg while disabling either the interpolation step or the learned layer weights and measuring whether reconstruction metrics fall back to the level of prior methods.

Figures

Figures reproduced from arXiv: 2308.06822 by Enrique Zuazua, Yongcun Song, Ziqi Wang.

Figure 1
Figure 1. Figure 1: Cumulative minimum loss f(Q) of Bayesian opti￾mization in four cases. The numerical comparisons of the above three data reconstruction attack methods for Cases 1-4 are presented in [PITH_FULL_IMAGE:figures/full_fig_p009_1.png] view at source ↗
Figure 2
Figure 2. Figure 2: Comparison of the reconstruction results achieved [PITH_FULL_IMAGE:figures/full_fig_p009_2.png] view at source ↗
Figure 4
Figure 4. Figure 4: Evaluation metrics of our AWA method in four [PITH_FULL_IMAGE:figures/full_fig_p010_4.png] view at source ↗
read the original abstract

Federated Learning (FL) is a distributed learning paradigm that enables multiple clients to collaborate on building a machine learning model without sharing their private data. Although FL is considered privacy-preserved by design, recent data reconstruction attacks demonstrate that an attacker can recover clients' training data based on the parameters shared in FL. However, most existing methods fail to attack the most widely used horizontal Federated Averaging (FedAvg) scenario, where clients share model parameters after multiple local training steps. To tackle this issue, we propose an interpolation-based approximation method, which makes attacking FedAvg scenarios feasible by generating the intermediate model updates of the clients' local training processes. Then, we design a layer-wise weighted loss function to improve the data quality of reconstruction. We assign different weights to model updates in different layers concerning the neural network structure, with the weights tuned by Bayesian optimization. Finally, experimental results validate the superiority of our proposed approximate and weighted attack (AWA) method over the other state-of-the-art methods, as demonstrated by the substantial improvement in different evaluation metrics for image data reconstructions.

Editorial analysis

A structured set of objections, weighed in public.

Desk editor's note, referee report, simulated authors' rebuttal, and a circularity audit. Tearing a paper down is the easy half of reading it; the pith above is the substance, this is the friction.

Referee Report

2 major / 2 minor

Summary. The paper claims that an interpolation-based approximation of intermediate client updates enables data reconstruction attacks on multi-step FedAvg, and that a layer-wise weighted reconstruction loss (with weights found by Bayesian optimization) yields substantial improvements over prior methods on image datasets, as measured by standard reconstruction metrics.

Significance. If the approximation accuracy and generalization of the weights hold, the result would show that standard FedAvg remains vulnerable to reconstruction even after multiple local steps, strengthening the case for privacy defenses in the most common FL protocol. The empirical focus and use of Bayesian optimization for layer weights are concrete contributions, but the absence of direct validation for the interpolation step limits how much weight the reported gains can carry.

major comments (2)
  1. [Method (interpolation approximation)] The interpolation formula for generating intermediate updates (presented in the method section) is load-bearing for the central claim that AWA works on realistic multi-step FedAvg; however, the manuscript reports only end-to-end reconstruction metrics and does not quantify approximation error (e.g., per-step L2 distance to ground-truth intermediates) or include an oracle-intermediate ablation. Without these, it is impossible to separate the contribution of the weighting scheme from the possibility that the attack is succeeding on a weaker single-step surrogate.
  2. [Experiments (results tables/figures)] Table/figure reporting the main results (image reconstruction metrics) asserts superiority over SOTA, yet the experimental section provides no controls or sensitivity analysis for the Bayesian optimization of layer weights or for the choice of interpolation points; this leaves open whether the gains are robust or tied to dataset-specific hyperparameter search.
minor comments (2)
  1. [Method (weighted loss)] Notation for the layer-wise weights and the combined loss could be clarified with an explicit equation numbering the per-layer contributions.
  2. [Abstract] The abstract states 'substantial improvement in different evaluation metrics' without naming the metrics or datasets in the summary paragraph; a short list would improve readability.

Simulated Author's Rebuttal

2 responses · 0 unresolved

We thank the referee for the constructive feedback on our work. We address each major comment below and commit to revisions that strengthen the presentation of the interpolation method and experimental robustness.

read point-by-point responses

  1. Referee: [Method (interpolation approximation)] The interpolation formula for generating intermediate updates (presented in the method section) is load-bearing for the central claim that AWA works on realistic multi-step FedAvg; however, the manuscript reports only end-to-end reconstruction metrics and does not quantify approximation error (e.g., per-step L2 distance to ground-truth intermediates) or include an oracle-intermediate ablation. Without these, it is impossible to separate the contribution of the weighting scheme from the possibility that the attack is succeeding on a weaker single-step surrogate.

    Authors: We agree that quantifying the interpolation error and providing an oracle ablation would better isolate the contributions. The current manuscript prioritizes end-to-end metrics to demonstrate practical attack success on multi-step FedAvg. In revision we will add per-step L2 error analysis on representative runs where ground-truth intermediates can be computed, plus an oracle-intermediate ablation on a subset of experiments. These additions will clarify the approximation's role while preserving the focus on realistic settings. revision: yes

  2. Referee: [Experiments (results tables/figures)] Table/figure reporting the main results (image reconstruction metrics) asserts superiority over SOTA, yet the experimental section provides no controls or sensitivity analysis for the Bayesian optimization of layer weights or for the choice of interpolation points; this leaves open whether the gains are robust or tied to dataset-specific hyperparameter search.

    Authors: We acknowledge the need for sensitivity controls. We will expand the experimental section with additional results showing performance across multiple independent Bayesian optimization runs (different seeds and initializations) and across varied numbers and placements of interpolation points. These controls will demonstrate that the reported gains are robust rather than artifacts of specific hyperparameter choices. revision: yes

Circularity Check

0 steps flagged

No circularity; empirical method with independent experimental validation

full rationale

The paper proposes an interpolation approximation for multi-step FedAvg client updates followed by a layer-weighted reconstruction loss whose weights are obtained via Bayesian optimization on the attack objective. Reported gains are measured by separate image reconstruction metrics (e.g., PSNR, SSIM) against ground-truth data and against prior attack methods. No derivation, equation, or performance claim reduces by construction to the fitted interpolation parameters or the optimized weights; the evaluation remains external to the attack hyperparameters. No self-citation load-bearing steps or uniqueness theorems appear in the provided text. The work is therefore self-contained against external benchmarks.

Axiom & Free-Parameter Ledger

1 free parameters · 0 axioms · 0 invented entities

The central claim rests on the unstated premise that the interpolation approximation is faithful enough for the attack objective and that the Bayesian-optimized layer weights transfer; no free parameters are explicitly named in the abstract beyond the optimization procedure itself.

free parameters (1)
  • layer-wise weights
    Weights assigned to different layers in the reconstruction loss, chosen via Bayesian optimization on the attack objective.

pith-pipeline@v0.9.0 · 5721 in / 1160 out tokens · 19716 ms · 2026-05-24T07:14:46.982110+00:00 · methodology

discussion (0)

Sign in with ORCID, Apple, or X to comment. Anyone can read and Pith papers without signing in.

Reference graph

Works this paper leans on

27 extracted references · 27 canonical work pages · 2 internal anchors

  1. [1]

    Fed- erated Learning: Challenges, Methods, and Future Directions,

    T. Li, A. K. Sahu, A. Talwalkar, and V . Smith, “Fed- erated Learning: Challenges, Methods, and Future Directions,” IEEE Signal Processing Magazine , vol. 37, no. 3, pp. 50–60, 2020, ISSN : 1558-0792

    work page 2020

  2. [2]

    Communication-Efficient Learning of Deep Networks from Decentralized Data,

    B. McMahan, E. Moore, D. Ramage, S. Hampson, and B. A. y Arcas, “Communication-Efficient Learning of Deep Networks from Decentralized Data,” in Proceed- ings of the 20th International Conference on Artificial Intelligence and Statistics, PMLR, 2017, pp. 1273–1282

    work page 2017

  3. [3]

    Federated learning of predictive models from federated Electronic Health Records,

    T. S. Brisimi, R. Chen, T. Mela, A. Olshevsky, I. C. Paschalidis, and W. Shi, “Federated learning of predictive models from federated Electronic Health Records,” International Journal of Medical Informatics , vol. 112, pp. 59–67, 2018, ISSN : 1386-5056

    work page 2018

  4. [4]

    Federated Learning for Healthcare Informat- ics,

    J. Xu, B. S. Glicksberg, C. Su, P . Walker, J. Bian, and F. Wang, “Federated Learning for Healthcare Informat- ics,” Journal of Healthcare Informatics Research , vol. 5, no. 1, pp. 1–19, 2021, ISSN : 2509-498X

    work page 2021

  5. [5]

    Federated Learning on the Road Autonomous Con- troller Design for Connected and Autonomous Ve- hicles,

    T. Zeng, O. Semiari, M. Chen, W. Saad, and M. Bennis, “Federated Learning on the Road Autonomous Con- troller Design for Connected and Autonomous Ve- hicles,” IEEE Transactions on Wireless Communications , vol. 21, no. 12, pp. 10 407–10 423, 2022,ISSN : 1558-2248

    work page 2022

  6. [6]

    Improved Gradient In- version Attacks and Defenses in Federated Learning,

    J. Geng, Y. Mou, Q. Li, et al., “Improved Gradient In- version Attacks and Defenses in Federated Learning,” IEEE Transactions on Big Data , pp. 1–13, 2023, ISSN : 2332-7790

    work page 2023

  7. [7]

    AGIC: Approximate Gradient Inversion Attack on Federated Learning,

    J. Xu, C. Hong, J. Huang, L. Y. Chen, and J. De- couchant, “AGIC: Approximate Gradient Inversion Attack on Federated Learning,” in 2022 41st In- ternational Symposium on Reliable Distributed Systems (SRDS), 2022, pp. 12–22. 11

    work page 2022

  8. [8]

    See through gradients: Image batch recovery via gradinversion,

    H. Yin, A. Mallya, A. Vahdat, J. M. Alvarez, J. Kautz, and P . Molchanov, “See through gradients: Image batch recovery via gradinversion,” in Proceedings of the IEEE/CVF Conference on Computer Vision and Pattern Recognition, 2021, pp. 16 337–16 346

    work page 2021

  9. [9]

    Deep Leakage from Gra- dients,

    L. Zhu, Z. Liu, and S. Han, “Deep Leakage from Gra- dients,” in Advances in Neural Information Processing Systems, vol. 32, Curran Associates, Inc., 2019

    work page 2019

  10. [10]

    iDLG: Improved deep leakage from gradients,

    B. Zhao, K. R. Mopuri, and H. Bilen, “iDLG: Im- proved Deep Leakage from Gradients,” arXiv preprint arXiv:2001.02610, 2020

    work page arXiv 2001

  11. [11]

    Inverting Gradients - How easy is it to break privacy in federated learning?

    J. Geiping, H. Bauermeister, H. Dr ¨oge, and M. Moeller, “Inverting Gradients - How easy is it to break privacy in federated learning?” In Advances in Neural Informa- tion Processing Systems, vol. 33, Curran Associates, Inc., 2020, pp. 16 937–16 947

    work page 2020

  12. [12]

    SAPAG: A Self- Adaptive Privacy Attack From Gradients,

    Y. Wang, J. Deng, D. Guo, et al. , “SAPAG: A Self- Adaptive Privacy Attack From Gradients,” arXiv preprint arXiv:2009.06228, 2020

    work page arXiv 2009

  13. [13]

    Gradient In- version with Generative Image Prior,

    J. Jeon, J. Kim, K. Lee, S. Oh, and J. Ok, “Gradient In- version with Generative Image Prior,” in Advances in Neural Information Processing Systems , vol. 34, Curran Associates, Inc., 2021, pp. 29 898–29 908

    work page 2021

  14. [14]

    A Framework for Evaluating Client Privacy Leakages in Federated Learning,

    W. Wei, L. Liu, M. Loper, et al. , “A Framework for Evaluating Client Privacy Leakages in Federated Learning,” in Computer Security – ESORICS 2020 , L. Chen, N. Li, K. Liang, and S. Schneider, Eds., ser. Lec- ture Notes in Computer Science, Cham: Springer In- ternational Publishing, 2020, pp. 545–566, ISBN : 978-3- 030-58951-6

    work page 2020

  15. [15]

    On the limited memory BFGS method for large scale optimization,

    D. C. Liu and J. Nocedal, “On the limited memory BFGS method for large scale optimization,” Mathe- matical Programming, vol. 45, no. 1, pp. 503–528, 1989, ISSN : 1436-4646

    work page 1989

  16. [16]

    Adam: A Method for Stochastic Optimization

    D. P . Kingma and J. Ba, “Adam: A Method for Stochas- tic Optimization,” arXiv preprint arXiv:1412.6980, 2017

    work page internal anchor Pith review Pith/arXiv arXiv 2017

  17. [17]

    Labeled Faces in the Wild: A Database forStudying Face Recognition in Unconstrained En- vironments,

    G. B. Huang, M. Mattar, T. Berg, and E. Learned- Miller, “Labeled Faces in the Wild: A Database forStudying Face Recognition in Unconstrained En- vironments,” in Workshop on Faces in ’Real-Life’ Images: Detection, Alignment, and Recognition, 2008

    work page 2008

  18. [18]

    Learning multiple layers of features from tiny images,

    A. Krizhevsky and G. Hinton, “Learning multiple layers of features from tiny images,” 2009

    work page 2009

  19. [19]

    A Tutorial on Bayesian Optimization

    P . I. Frazier, “A Tutorial on Bayesian Optimization,” arXiv preprint arXiv:1807.02811, 2018

    work page internal anchor Pith review Pith/arXiv arXiv 2018

  20. [20]

    Calin, Deep Learning Architectures: A Mathematical Approach (Springer Series in the Data Sciences)

    O. Calin, Deep Learning Architectures: A Mathematical Approach (Springer Series in the Data Sciences). Cham: Springer International Publishing, 2020, ISBN : 978-3- 030-36720-6 978-3-030-36721-3

    work page 2020

  21. [21]

    Shallowing Deep Networks: Layer-Wise Pruning Based on Feature Representa- tions,

    S. Chen and Q. Zhao, “Shallowing Deep Networks: Layer-Wise Pruning Based on Feature Representa- tions,” IEEE Transactions on Pattern Analysis and Ma- chine Intelligence, vol. 41, no. 12, pp. 3048–3056, 2019, ISSN : 1939-3539

    work page 2019

  22. [22]

    Deep residual learning for image recognition,

    K. He, X. Zhang, S. Ren, and J. Sun, “Deep residual learning for image recognition,” in Proceedings of the IEEE Conference on Computer Vision and Pattern Recog- nition, 2016, pp. 770–778

    work page 2016

  23. [23]

    C. E. Rasmussen and C. K. I. Williams, Gaussian Processes for Machine Learning (Adaptive Computation and Machine Learning). Cambridge, Mass: MIT Press, 2006, ISBN : 978-0-262-18253-9

    work page 2006

  24. [24]

    On Bayesian methods for seeking the extremum,

    J. Mo ˇckus, “On Bayesian methods for seeking the extremum,” in Optimization Techniques IFIP Technical Conference: Novosibirsk, July 1–7, 1974 , Springer, 1975, pp. 400–404, ISBN : 3-662-37713-6

    work page 1974

  25. [25]

    Efficient Global Optimization of Expensive Black-Box Func- tions,

    D. R. Jones, M. Schonlau, and W. J. Welch, “Efficient Global Optimization of Expensive Black-Box Func- tions,” Journal of Global Optimization , vol. 13, no. 4, pp. 455–492, 1998, ISSN : 1573-2916

    work page 1998

  26. [26]

    Image Quality Assessment through FSIM, SSIM, MSE and PSNR—A Comparative Study,

    U. Sara, M. Akter, and M. S. Uddin, “Image Quality Assessment through FSIM, SSIM, MSE and PSNR—A Comparative Study,” Journal of Computer and Commu- nications, vol. 7, no. 3, pp. 8–18, 2019

    work page 2019

  27. [27]

    Image quality assessment: From error visibility to structural similarity,

    Z. Wang, A. Bovik, H. Sheikh, and E. Simoncelli, “Image quality assessment: From error visibility to structural similarity,” IEEE Transactions on Image Pro- cessing, vol. 13, no. 4, pp. 600–612, 2004, ISSN : 1941- 0042

    work page 2004