Inferensys

Glossary

Deep Leakage from Gradients (DLG)

An optimization-based attack that reconstructs private training data from shared model gradients by iteratively matching dummy inputs to the observed gradient updates.
Data scientist building training data pipeline on laptop, data preprocessing visible, technical workspace.
GRADIENT INVERSION ATTACK

What is Deep Leakage from Gradients (DLG)?

An optimization-based attack that reconstructs private training data from shared model gradients by iteratively matching dummy inputs to the observed gradient updates.

Deep Leakage from Gradients (DLG) is an optimization-based attack that reconstructs private training data from publicly shared gradients in distributed learning. The adversary initializes dummy inputs and labels, computes their gradients, and minimizes the distance between these dummy gradients and the actual observed gradients using gradient matching. Through iterative optimization, the dummy data converges to closely resemble the private training samples, exposing sensitive information without direct access to the dataset.

The attack exploits the fact that gradients encode detailed information about their corresponding inputs. DLG uses an L-BFGS optimizer to minimize the Euclidean distance between real and synthetic gradients, requiring fewer iterations than prior methods. Defenses include gradient perturbation, gradient clipping, and secure aggregation protocols that prevent adversaries from observing individual gradient updates in plaintext.

ATTACK MECHANICS

Key Characteristics of DLG

Deep Leakage from Gradients (DLG) is an optimization-based attack that reconstructs private training data from shared model gradients. The following cards break down its core algorithmic properties and operational requirements.

01

Iterative Gradient Matching

The core mechanism of DLG is an iterative optimization loop that minimizes the distance between dummy gradients and real observed gradients. The attacker initializes a pair of dummy inputs and labels with random noise, performs a forward and backward pass on the shared model, and computes the loss between the resulting dummy gradients and the actual shared gradients. By backpropagating this matching loss into the dummy inputs themselves, the attacker progressively refines the dummy data until it visually converges to the original private training sample. The optimization objective is typically defined as minimizing the L2 distance or cosine similarity loss between the real gradient vector and the synthetic gradient vector.

< 100
Iterations to Converge
02

White-Box Access Requirement

DLG operates under a strong threat model requiring full white-box access to the model architecture and its current parameter weights. The attacker must be able to compute exact gradients by executing the model's forward and backward passes locally. This distinguishes DLG from black-box attacks like Model Inversion or Membership Inference, which only require query access to confidence scores. In a federated learning context, this assumption holds because the central server or a malicious participant inherently possesses the model weights and receives the raw gradient updates from honest clients.

Full Access
Threat Model
03

High-Fidelity Image Reconstruction

DLG is particularly devastating against computer vision models trained with small batch sizes. The attack can reconstruct pixel-level details of the private training images, including fine-grained textures, background elements, and even text present in the original sample. Reconstruction quality is quantitatively measured using metrics such as:

  • Peak Signal-to-Noise Ratio (PSNR): Measures pixel-space fidelity.
  • Structural Similarity Index (SSIM): Evaluates perceptual structure, luminance, and contrast.
  • Learned Perceptual Image Patch Similarity (LPIPS): Uses deep features to assess perceptual similarity more aligned with human vision.
> 30 dB
Typical PSNR Achieved
04

Sensitivity to Batch Size

The fidelity of DLG reconstruction is inversely correlated with the batch size used during training. When gradients are averaged over a large batch of diverse samples, the aggregated gradient signal becomes a blurred superposition of many data points, making it difficult to disentangle individual inputs. DLG is most effective when the batch size is 1, allowing exact reconstruction. As batch size increases, the attack degrades rapidly, often requiring modifications like Inverting Gradients (IG) or analytical separation techniques to handle multi-sample batches.

Batch Size 1
Optimal Attack Condition
05

Label Inference from Gradients

DLG does not require prior knowledge of the ground-truth labels. The attack analytically extracts the correct label directly from the shared gradients of the final classification layer. For models trained with cross-entropy loss, the gradient with respect to the logits reveals the difference between the softmax probabilities and the one-hot encoded true label. By identifying the index with the minimum gradient value in the logit layer, the attacker can deterministically infer the correct label before initiating the input reconstruction process. This eliminates the need to jointly optimize for both inputs and labels.

100%
Label Recovery Accuracy
ATTACK COMPARISON

DLG vs. Other Gradient Inversion Attacks

A technical comparison of Deep Leakage from Gradients against other prominent gradient inversion and data reconstruction attacks based on their mechanisms, requirements, and performance characteristics.

FeatureDeep Leakage from Gradients (DLG)Improved DLG (iDLG)Inverting Gradients (IG)

Optimization Objective

L-BFGS on Euclidean distance between real and dummy gradients

Analytical extraction of ground-truth label + L-BFGS on gradient distance

Cosine similarity loss with total variation and group consistency regularization

Label Recovery Required

Batch Size Capability

Single image only

Single image only

Up to 48 images (with priors)

Convergence Time (CIFAR-10)

~100-500 iterations

~50-200 iterations

~2,400-24,000 iterations

Reconstruction Fidelity (PSNR)

~15-20 dB

~18-25 dB

~25-35 dB

Requires Batch Normalization Statistics

Architecture Agnostic

Analytical Label Extraction

DEEP LEAKAGE FROM GRADIENTS

Frequently Asked Questions

Clear, technical answers to the most common questions about the DLG attack, its variants, and the defenses that protect federated learning systems from gradient-based data reconstruction.

Deep Leakage from Gradients (DLG) is an optimization-based privacy attack that reconstructs private training data from publicly shared model gradients. The attack works by first initializing a pair of dummy inputs and dummy labels, then performing a forward pass through the target model to compute dummy gradients. An iterative optimization loop minimizes the Euclidean distance between these dummy gradients and the real observed gradients. Because the gradient is a function of the input data, the optimization process forces the dummy inputs to converge toward the original private training samples. The attack exploits the fact that gradients encode detailed per-sample information, and with sufficient optimization steps, the reconstructed images or text become visually indistinguishable from the originals. DLG is particularly effective against models trained with small batch sizes, where individual sample information is not averaged away.

Prasad Kumkar

About the author

Prasad Kumkar

CEO & MD, Inference Systems

Prasad Kumkar is the CEO & MD of Inference Systems and writes about AI systems architecture, LLM infrastructure, model serving, evaluation, and production deployment. Over 5+ years, he has worked across computer vision models, L5 autonomous vehicle systems, and LLM research, with a focus on taking complex AI ideas into real-world engineering systems.

His work and writing cover AI systems, large language models, AI agents, multimodal systems, autonomous systems, inference optimization, RAG, evaluation, and production AI engineering.