Privacy Auditing of Lithium-Ion Battery Ageing Model by Recovering Time-Series Data Using Gradient Inversion Attack in Federated Learning

Abstract

The exchange of gradients is a widely used method in modelling systems for machine learning (e.g., distributed training, federated learning) in privacy-sensitive domains. Unfortunately, there are still privacy risks in federated learning, as servers can reconstruct clients‘ training data through gradient inversion attacks. To protect against such attacks, we need to know when and how privacy is being undermined, largely due to the black box nature of deep neural networks. Although gradient inversion has been used to classify images and text data, its use in time-series is still largely unexplored. In this paper, we empirically evaluate the practicality of recovering lithium-ion battery time-series data from the gradients of a transformer-based model, both without and with differential privacy, in a time-series federated learning framework. It is especially significant in the case of electric vehicles (EVs). As shown in this paper, additional protection by differential privacy leads to the saturation of gradient inversion attacks, i.e., the reconstructed signal maintains a certain error level, depending on the applied privacy budget level. With this empirical evaluation, we provide insights into effective gradient perturbation directions, unfairness with respect to privacy, and privacy-preferred model initialisation.

1. Introduction

Federated learning (FL) [1,2,3] enables collaborative model training while preserving data privacy [4] by keeping the raw data decentralised. In each collaborative round, clients update the global model locally using private training data and then transmit gradients to the central parameter server [5] for aggregation (typically by averaging) and global update, thereby addressing privacy concerns by exposing the raw data [6]. After the aggregation of these updates by the central server, the new model parameters are sent back to the clients and the global training round is completed [7]. This method is particularly relevant for deep neural networks (DNNs), which are increasingly used in various applications due to their ability to model complex patterns [8]. However, training DNNs in an FL environment poses some challenges, particularly with respect to gradient sharing for model updates [9,10,11], which highlights the possibility of reconstructing the original input from the shared gradients (especially in the absence of protection methods) resulting from the transfer of model gradients and parameters.

However, recent studies [12,13] have shown that shared gradients in FL can be exploited by gradient inversion attacks (GIAs), which could allow attackers to reconstruct private training data. While much of the research has focused on the reconstruction of image and text data, in this paper, we explore the application of GIAs using a schematic approach of privacy auditing to time-series data [14,15] in the context of with and without differential privacy (DP).

The project involves data from lithium-ion batteries used in electric vehicles (EVs), where protecting user-sensitive information—such as mileage, usage patterns, and battery health—is a key concern. At the same time, it is essential to collaboratively train a common Artificial Intelligence (AI) model for battery behaviour prediction using federated learning (FL). Analysing time-series data, such as the ageing of lithium-ion batteries, plays a crucial role in understanding patterns in data over time. It enables the prediction and analysis of performance degradation, the optimisation of maintenance schedules, the improvement in reliability and useful life extension, not only in battery ageing but also in similar critical systems through data-driven decisions. Accurate predictions of battery ageing (e.g., capacity degradation or remaining useful life) can improve the safe and reliable operation of battery electric vehicles, facilitate eco-transportation systems in smart cities and recommend appropriate points of interest [16]. There is, therefore, great interest in extending or at least predicting the remaining lifetime of batteries [17]. Recent studies on the ageing of lithium-ion batteries (LIBs) (e.g., persistent degradation during their lifetime) include data-based modelling techniques such as empirical models, equivalent circuit models, machine learning-based and deep learning modelling approaches [18]. Machine learning models provide predictive capabilities for the ageing of LIBs, while deep learning models use algorithms such as deep neural networks.

To adapt GIAs for time-series data in FL, sequence modelling approaches such as transformer-based models or recurrent neural networks are used to capture temporal dependencies in the reconstructed data. Transformers in particular have a great capability in learning time-series and can be scaled for distributed, collaborative or FL scenarios [19].

We address the case where an adversary—such as a compromised or untrusted server—has access to the model updates (i.e., gradient updates, ΔW) from a single client prior to aggregation. In this setting, the adversary may attempt to exploit the exposed updates to reconstruct the client’s original input signal. Importantly, the number of federated learning (FL) clients is not a limiting factor in this attack model, as the adversary operates before any averaging or aggregation occurs.

Motivation for the research. The aim of this work is to find out whether the time series data of the LIB ageing model can be recovered by gradient inversion in a transformer-based architecture in an FL environment and how differential privacy can prevent privacy leakage. The following aspects are considered:

• It is important to model the ageing of LIBs using degradation prediction through machine learning to enable better monitoring and predictive maintenance, which is critical for optimising electric vehicle performance and extending battery useful life.
• The security of existing transformer-based models is critical in the context of the FL framework. By identifying and quantifying privacy leaks using GIAs in the training scenarios, sensitive battery time-series data can be protected.
• Many FL systems incorporate differential privacy. Investigating whether these protections are effective for transformer-based models using privacy auditing is essential for improving the security of FL.

Contributions. The main innovation of this work can be summarised as follows:

• The transformer-based time-series model for LIB ageing is trained, indicating its applicability in the energy sector to evaluate battery longevity, safety and remaining useful life.
• Differential privacy with Gaussian mechanism and with different multiplicative noise factors is incorporated into the battery ageing model to evaluate the privacy-preserving behaviour of the model against privacy leakage.
• The privacy auditing is elaborated using a model inversion approach. The reconstruction of LIB data from transformer-based model gradients is considered applicable in the case of FL. The model to be trained is inverted to extract information.

The rest of this article is organised as follows: The following section introduces the relevant background of the theoretical foundations of time-series federated learning, gradient inversion and differential privacy, including their mathematical definitions and basic properties. Section 3 describes the methodology used to reconstruct battery time series data from transformer-based model gradient updates. Section 4 presents the experimental results obtained under the considered conditions. Section 5 discusses the experimental results and identifies future research.

2. Background

This section presents the brief theoretical foundations for federated time-series learning, gradient inversion attacks and differential privacy.

2.1. Time-Series Federated Learning

Federated learning (FL) [1,2,3,6] is a collaborative learning paradigm that allows multiple clients (data owners) to train machine learning models without sharing the raw data. Instead of centralising the training dataset $D_{train}$, the data remains distributed among the clients, which train local models and exchange intermediate parameters with a central server. The global model $f_W$ is maintained on the central server, which coordinates the training process. At each iteration, the central server transmits the model parameters $W$ to a selected group of $k$ clients, which locally compute the gradients for their respective data samples. The server and the clients then perform a federated aggregation protocol [20] to compute the average gradients, which are used to update the global model using gradient descent.

A widely used optimisation algorithm in FL is federated averaging (FedAvg) [1,21,22], which extends the basic framework of FL by allowing clients to perform multiple local updates before communicating with the central server. The typical case where each client trains its model uniformly is that it trains the model for $T$ local steps over $n$ batches and updates its model parameters $t$ times before sending the update weights $W_t$ back to the central server. Since the reduction in communication overhead is crucial in FL, this approach can reduce communication rounds by a factor of 10 to 100 compared to traditional centralised training. This approach can lead to a reduction in the frequency of data transmission. Some studies report a 12.2-fold reduction in data transmission with comparable model performance [23]. In practical FL scenarios, FedAvg is preferred because clients can process multiple batches within a global round, which reconciles a trade-off between communication efficiency and convergence rate [24]. We define the model update difference as $\Delta W=W_t-W$, which represents the change of model parameters during one round. The FL process consists of multiple global rounds. At the beginning of a global round, the server sends the latest global model to the clients. The clients then train the latest model with their own data and send their training results, i.e., gradients or model updates, back to the server. A global federated round with model updates is shown in Figure 1.

The local training process usually follows the stochastic gradient descent algorithm, which iterates through the data in batches. A batch may contain the entire local dataset, but in the more general case, a batch is a subset of the local dataset and is also referred to as a mini-batch [25]. During an epoch, clients iterate over their entire training data once. A client can use its entire dataset in a single batch during one round, which then counts as one epoch. We focus on the more general mini-batch case, where the full dataset is split into several mini-batches and the client iterates over these mini-batches in multiple global rounds during an epoch.

Time-series federated learning: This approach combines the power of federated learning with specialised techniques for time-series analysis. Recent advances in the field of federated learning of time-series have focused on innovative data transformation techniques and modelling architectures to improve prediction accuracy while preserving data privacy. One way is to transform data by using language models for time-series analysis. Liu et al. [26] propose Time-FFM, which transforms time-series into text tokens, enabling the use of pre-trained language models for forecasting tasks. This approach enables the creation of a federated foundation model for time-series forecasting while addressing the problems of data scarcity and privacy. Abdel-Sater and Hamza [27] proposed FedTime, a federated large-scale language model tailored for long-range time series prediction that incorporates channel independence and patching to preserve the semantic information locally. Chen et al. [28] proposed Time-FFM, a federated foundation model that uses a prompt adaptation module to dynamically adapt the domain. In addition, hybrid models have been developed [29] that attempt to combine the strengths of neural networks with time-series and image data analysis.

2.2. Gradient Inversion Attacks

Despite the promise of privacy in FL, recent work has shown that the heuristic of sending gradient updates instead of training samples actually provides a false sense of security. In their seminal work, Zhu et al. [30] proposed the Deep Leakage from Gradients method and showed that it is possible for the server to recover the entire batch of training samples when the aggregated gradients are transmitted. Their attack matched the gradients of the reconstructed data and the original gradients leaked from federated learning.

Even if the clients and the server only exchange intermediate learning results, such as models or gradient updates, it has been shown that sensitive information can be derived from local training datasets in FL systems [31,32]. Furthermore, it has been shown that an attacker who gains possession of gradient updates can launch a gradient inversion attack to recover the training patterns used by the clients to generate the gradients [30]. In gradient inversion attacks, it is generally assumed that the attacker is an honest but curious server.

There are studies demonstrating gradient-based inversion attacks using vision transformers (ViTs) [18]. The authors found that vision transformers are significantly more vulnerable than previously studied CNNs due to the presence of the attention mechanism. Gradient inversion attacks in the time-series domain have also gained attention recently, as they are an important privacy concern in FL systems. These attacks aim to reconstruct sensitive data from shared gradient updates, which could compromise the privacy guarantees for federated learning [33]. Li et al. [34] proposed Temporal Gradient Attacks with Robust Optimisation—an optimisation-based reconstruction. This method leverages multiple temporal gradients to enhance reconstruction performance, even for large batch sizes and complex models.

Gradient inversion attacks (GradInvs) are the reconstruction process for solving an optimisation problem that aims to make dummy gradients similar to real gradients. In a GradInv, the attacker observes the gradients that the model has shared during training and attempts to recover the original data or labels. This is usually performed by minimising the distance between the ground truth gradients and the gradients generated by the guessed inputs [25,35,36]. The attacker primarily tries to minimise the distance between a randomly initialised sample gradient and the true gradient shared in FL [37]. This method is known as an iterative reconstruction process and basically solves a dual-optimisation objective [30,38]:

$$x_i^{*}=\arg mi{n}_{\widehat{x}}{\left|\left|G_i^t-\widehat{G}\right|\right|}^2$$

(1)

$$y_i^{*}=\arg mi{n}_{\widehat{y}}{\left|\left|G_i^t-\widehat{G}\right|\right|}^2$$

(2)

where $G_i^t$ is the true gradient and $\widehat{G}$ is the dummy gradient computed from randomly instantiated data $\left(\widehat{x},\widehat{y}\right)$. Attacks are typically considered successful if the correct values are found, i.e., meaning the attacker can recover at least one signal from the batch.

By combining iteration and optimisation approaches, GradInvs, based on iterative optimisation, attempt to reconstruct the private data during the training of a neural network [35]. This process consists of the following: in the forward pass, $x^{\prime }$ represents an input (possibly modified or the attacker’s input); $W_1,b_1,\dots ,W_{L, }{b}_L$ denote the weights (W) and biases (b) of the layers of the neural network, from the first layer 1 to layer $L$. ${\sigma }_1(·),\dots {\sigma }_L(·)$ are activation functions applied at each layer; $a_1,\dots a_L$ are the activation outputs of each layer. The input $x^{\prime }$ is passed through the network layer by layer, undergoing a transformation of weights, biases and activation functions. The final layer produces an output $y^{\prime }$, which is the target output or label.

The backward pass and gradient calculation: $\nabla a_1,\dots ,\nabla a_L$ represents the gradient of the loss with respect to the activation at each layer. The direction of backpropagation is indicated by the flow of these gradients, which are computed and propagated backwards from the output layer to the input layer to update the parameters of the model during the optimisation process. For example, $\partial a_2/\partial a_1$ represents the gradient of $a_2$ with respect to $a_1$ a1. $\nabla W_1^{\prime },b_1^{\prime }\dots ,\nabla W_L^{\prime },b_L^{\prime }$ are the gradients of the loss with respect to the weights and biases of each layer. These gradients indicate how much each weight and biases contribute to the overall loss. $\nabla x^{\prime }$ represents the gradients of the loss with respect to the input $x^{\prime }$. The gradients calculated in the backward pass (∇W′ and $b^{\prime }$) are used to update the weights and biases. This is represented by the “matching” process.

2.3. Protecting Time-Series Data with Differential Privacy

The astonishing success of gradient leakage research has triggered the start of an intense race between attackers [38,39,40,41,42] and defenders of privacy [43,44,45,46]. In response to the increase in privacy violating attacks in FL, many privacy preserving strategies have been proposed to mitigate the risk of information leakage from gradient perturbation, which has been proposed using differential privacy [47,48,49] by adding Gaussian noise to gradients [36] and gradient clipping, which limits the magnitude of gradients to reduce the risk of an inversion attack that exploits extreme gradient values [37] before they are shared to obfuscate sensitive information, they all offer little or no theoretical privacy guarantees. This is partly due to the fact that there is no mathematically rigorous attacker model, and the defences are empirically evaluated against known attacks [4]. This also leads to a variety of proposed defence techniques, such as gradient pruning, i.e., gradient compression by reducing gradient precession, which can make inversion harder while maintaining accuracy techniques [36].

Differential privacy: According to the definition, differential privacy (DP) is a formal mathematical framework designed to protect the privacy of individuals in a dataset while still allowing useful statistical analysis and machine learning.

$$Pr\left[ℳ\left(D\right)\in \mathit{S}\right]\le e^{ϵ}\times Pr\left[ℳ\left(D^{\prime }\right)\in \mathit{S}\right]+\delta$$

(3)

$ℳ$—the randomisation algorithm (mechanism).

$D,D^{\prime }$—two datasets that differ by one individual’s data.

$\mathit{S}$—all possible sets of outputs.

$Pr$—denotes the probability of the algorithm producing a specific result.

$ϵ$—the privacy budget. A smaller value means stronger privacy.

$\delta —$the failure probability error.

Differential privacy ensures that adding or removing a single individual’s data does not significantly change the outcome of a computation. This means an attacker cannot determine whether any specific individual’s data is present in the dataset. Another important issue is the trade-off between data utility and privacy guarantee in DP, which is represented by the privacy guarantee, denoted by the privacy budget $ϵ$ and the failure probability error $\delta$ for $\left(ϵ,\delta \right)$-DP, also known as approximate DP. The privacy budget is obtained by adding noise to the data sampled from the Gaussian distribution or the Laplace distribution [50]. The description of the distribution being used is called the mechanism [51]. The Gaussian mechanism is central to DP, mainly due to its tighter composition when compared to the Laplace mechanism.

A Gaussian noise with mean $\mu =0$ and variance ${\sigma }^2$ is added to the query results, where ${\sigma }^2$ depends on the sensitivity and privacy parameters $ϵ$ and $\delta$. The sensitivity is the maximum change in query output when data is added/removed. This is a significant benefit, since the $L^2$ sensitivity can be much smaller than the $L^1$ sensitivity. The Gaussian mechanism has relatively thin tails, which results in a significantly improved composition. This is the greatest advantage of the Gaussian mechanism: when answering a large number of queries, it tends to require much less noise for the same level of privacy [50].

The noise added to achieve DP is calibrated based on the privacy budget $ϵ$ when querying or releasing information from the dataset. Allocation strategies in DP aim to optimise the balance between data utility and privacy protection. For time-series data, we want to ensure that the release of the model outputs does not reveal sensitive information about individual time steps. Using the Gaussian mechanism for the allocation strategies requires specific approaches to handle temporal correlation and evolving sensitivity. The key strategies for allocation of privacy budgets in the context of time-series data are temporal sensitivity-driven allocation [52], uniform privacy budget allocation [53], non-uniform budgeting [54] and dynamic sensitivity [54]. In this paper, we use DP with the Gaussian mechanism to extend the testing against gradient inversion attacks.

3. Methodology

This section presents the methodology for reconstructing time-series data from FL model gradient updates.

3.1. Problem Definition and Our Approach

In our study, we extracted a separate matching dataset from a battery that was excluded from the training and validation sets. This subset was then used to calculate the FL gradients by combining discrete signal components. Other techniques could also be explored, such as training a separate DL model to reconstruct the input signal from the FL model updates or using an analytical approach. This could be further explored in future work. Figure 2 below shows the process of signal recovery from the DL model.

We integrate the process described above into a federated learning (FL) framework, both with and without differential privacy (DP). To assess the privacy risks, we perform a model inversion auditing scheme [4], which evaluates how much information about individual data records can be inferred from the model’s outputs—e.g., confidence scores or gradients. In this way, the extent of privacy leakage in the system can be quantified. For privacy auditing, we employ a signal reconstruction algorithm. The corresponding pseudo-algorithm is listed in Algorithm 1.

Algorithm 1. Signal reconstruction pseudo-algorithm explained

1.  Random initial signal generation s[n]. 2.  Generation of signal updates u[n]. Start the process of generating a new signal update. At this point, various techniques can be used, including training a DL model. 3.  Validation check (matching with FL model update from 1 client). Determine whether the generated signal is valid (s[n] corresponding model update calculation $\nabla W^{\prime }$ and matching with FL gradients $\nabla W$; we used the Mean Squared Error (MSE) criterion, defined as $E\left[{\left(\nabla W^{\prime }-\nabla W\right)}^2\right]$; it should provide an improvement compared to the previous step). If yes, then go to 4. Signal update. If not, then return to 2. Generation of signal update. 4.  Signal update. Update the existing signal with the newly generated signal. s[n + 1] = s[n] + u[n] If the gradients are still not close enough, return to 2. Generation of signal Update s[n + 1] = s[n] 5.  End of the process. The signal update process is complete (if the MSE is smaller than a user-defined recovery threshold $\delta$, i.e., $E\left[{\left(\nabla W^{\prime }-\nabla W\right)}^2\right]<\delta$, or after a user-defined number of maximum iterations N).

The algorithm encapsulates the process and begins with the generation of a random signal, step 1. Then a loop begins, which is continued until the gradients are close enough to each other. This involves generating a signal update step 2 and checking whether the update is valid for step 3. If it is not valid, a new update is generated until a valid one is found. The signal is then updated with the valid update (4). A check is made to see whether the gradients are close enough to each other; if not, the process is repeated. As soon as the gradients are close enough to each other, the loop is exited and the reconstructed signal is returned. It is an iterative process consisting of different stages that lead back to previous stages depending on the conditions met. This solves the gradient matching problem and restores the unknown signal. In the signal update stage, the various techniques can be used to generate updates, including training a deep learning (DL) model that leads to reinforcement learning.

In our experiments, we used the following: (1) a simple technique of signal recovery with the generation of random signal updates to show that gradient inversion can also be solved, and (2) a discrete set of probing signals with parameter change. The second approach could solve gradient inversion in specific cases, where the probe set consisting of dedicated signals for gradient matching is representative.

3.2. Experimental Details

In our experiments, we investigated signal recovery from FL model updates with and without differential privacy. For our attacks, we used a deep neural network transformer model. This setup simulates a GIA threat, where a server-side adversary can observe raw model updates and attempt to reconstruct private input data. A recent study [55] has shown that transformers can be successfully used to process time-series signals. For example, for classifying time-series using positional encoding and attention over time [56] or combining trend/seasonality decomposition with attention using auto-correlation attention mechanism [57], or using patch-based encoding, inspired by the Vision Transformer on multivariate time-series forecasting benchmarks. Transformer-based methods are increasingly applied to time-series data due to their ability to capture long-range dependencies and interactions, which is particularly beneficial for tasks such as prediction, anomaly detection and classification.

As a data set, we used the data set on the ageing of lithium-ion batteries [58], which is described in more detail in the next subsection. All tasks are implemented using the Python 3.10.16 programming language and the PyTorch 2.5.1 machine learning library. Differential privacy is implemented using the OPACUS Privacy Engine Toolbox.

In our experiments, we first trained transformer-based battery RUL estimation models (with 6 transformer-encoder blocks) under different DP levels. The experiments were performed with a learning rate of 0.0001 and the Adam optimiser. This process generated gradients/model updates and simulated an FL use case. We then applied GradInv methods to recover the input signals responsible for the model updates. The results are presented in more detail in the next section.

The input signal is composed of the current I[n] and the voltage U[n], which are concatenated to form a tensor of the shape (B, 30, 128), where B represents the batch size. The output consists of the time-series of the discharge capacitance $\Delta C$ with a shape of (B, 1920). In addition, the outputs of the transformer layer can be connected to layers that are responsible for estimating the battery’s remaining useful life (RUL), such as linear classification layers (LC). The structure of the model used is shown in Figure 3.

When considering time series data, special aspects must be taken into account, such as temporal dependencies, possible periodicity and sensitivity to timing. In FL, for example, each client could have time series data from different time periods or from different sensors. The model updates would encapsulate patterns in these sequences.

3.3. Dataset

In our experiments, we evaluated the performance of attack and defence strategies on a time-series standard benchmark dataset for testing lithium-ion battery ageing based on electrical vehicle real-driving profiles [58]. Battery data is time-series, which has temporal dependencies and patterns. These batteries, the predominant energy storage system in electric vehicles, are subject to inevitable degradation during storage and use [59]. Diagnosis of battery ageing and remaining useful life (RUL), which enables robust development and fine-tuning of battery ageing models, is critical for ensuring operational safety, maintenance planning and modelling of diagnostic methods [60].

Key aspects of EV battery ageing dataset include real-world driving and diagnostic test data from 10 INR21700-M50T commercial lithium-ion battery cells (manufactured by Samsung SDI, Seoul, Republic of Korea) tested over a 23-month period using various constant current (CC) and constant voltage (CV) charging protocols at charge rates of C/4, C/2, 1C and 3C. The discharge ageing profiles mimic a typical electric vehicle driving pattern in the form of an Urban Dynamometer Schedule (UDDS), which brings the battery‘s state of charge (SOC) from 80% to 20%.

The ageing data set contains the following values of the INR21700 M50T batteries: charge and discharge curves; capacity retention over multiple cycles; voltage profiles during cycling; current rates used for charging and discharging; temperature data during cycling, etc. More information can be found in the paper Pozatto et al. [58].

We focus on the transformer DL architecture for time series tasks and give as input current I(t) and voltage U(t) and as output discharge capacitance ∆C for a defined time window W (discrete samples of all these parameters). The output of the DNN correlates with the state of depreciation of the battery and the remaining utilisation time, RUL. We want to protect this actual information.

In our experiments, the dataset is split into a training set and a validation set in a ratio of 70:30, which is a common practice for a balanced trade-off between learning and evaluation practice in transformer architectures with time-series data. In the case of signal recovery with discrete waveforms, a separate, independent matching/probing set is created from this dataset.

4. Experimental Results and Analysis

In this section, we present a description of the results obtained. We experimentally investigate the gradient inversion attack method without and with differential privacy to recover time-series data. In our experiments, the range of time-series data is the recovered domain. We evaluate gradient reconstruction on time-series data for battery ageing tasks, and we used two specific gradient inversion techniques: (1) signal recovery with randomised signal updates and (2) signal recovery with a discrete matching set.

4.1. Differential Privacy Impact on Deep Learning Training Process

We analysed the effects of the battery ageing model without and with different levels of data protection using differential privacy. The battery ageing model was trained to predict the gradients (i.e., the rate of change) of battery capacity based on the training data. Figure 4 shows the loss of mean squared error (MSE) over 20 epochs for three different training scenarios in a transformer-based model.

In the first scenario (a), shown by the blue line, the model is evaluated without using the DP mechanism. The MSE loss decreases smoothly and reaches almost zero at the end of training, indicating a good performance of the model without privacy constraints. In the second scenario (b), we investigate the behaviour of the model using DP with the noise multiplier 1.1, represented by the green line. We chose the noise multiplier 1.1 that is noise with standard deviation 1.1 times the gradient clipping norm because it represents a moderate level of noise added to the gradients: high enough to provide privacy, but not so high that it destroys the learning signal. With the noise multiplier 1.1, we still protect individual training sequences (battery degradation profile) and allow our model to learn meaningful ageing dynamics. The loss rises from 0.01 to 0.05 MSE in the worst case, compared to the non-DP model, and the curve shows a more oscillating pattern and slower convergence. This is to be expected due to the noise that makes the gradients stochastic and unstable. In the third scenario (c), we increase the noise level in the model with a noise multiplier of 1.15, which is represented by the orange line. This leads to a higher variance of the noise added to the gradients and more gradient perturbations during training.

4.2. Signal Reconstruction with Gradient Inversion Attack Versus Deep Learning Level

The recovery of private data can be viewed as an iterative optimisation process utilising gradient descent.

Figure 5 shows an iterative optimisation, where each iteration k refines the estimate of the signal as a function of the error magnitude of the recovery iterations k, in a process called iterative randomised signal updating. (a) The blue curve shows the error magnitude when no noise is added to the signal and serves as a baseline. (b, c) The green and orange curves represent scenarios where noise is added at two different levels. In the first method, the MSE error reaches saturation at 0.05 × 10⁻⁵ without DP and saturation at 0.15 × 10⁻⁵ MSE with DP. In the second method, the saturation is 1 × 10⁻¹⁰ without DP and 0.1 × 10⁻⁸ with DP. In all cases, the error magnitude decreases rapidly during the first few recovery iterations. However, the final error magnitude is higher for the curves with DP noise (b, c) and increases with increasing noise level. The moderate noise level of 1.1 that we chose (b) leads to a slightly higher error after convergence. In contrast, the higher noise level 1.15 (c) leads to more distortion and thus a larger final error magnitude. In the absence of any noise (a), the recovery process perfectly matches the true values. It is summarised in

Table 1. GIA saturation MSE values.

DP Levels	GIA with Random Updates	GIA with Probe Set
No DP	~0.05 × 10−5	~1 × 10−10
DP 1.1	~0.08 × 10−5	~0.02 × 10−8
DP 1.15	~0.15 × 10−5	~0.1 × 10−8

.

As can be seen in Figure 6, the original signal (a, blue line) and the recovered signal (b, green line) represent the output after some processing. Initially, the blue line matches the original signal, but there is a sudden deviation around time step 60, followed by a gradual recovery. As time progresses, however, the green line deviates from the original signal. The recovery signal follows the recovery signal very closely at the beginning, which shows that the recovery technique works well for early time steps. Beyond time step 60, the recovered signal continues to grow but does not exactly match the original signal. The recovery process is partially successful, but cannot maintain accuracy across all time steps, especially after a sudden drop (e.g., time step = 60). The significant deviations around time step 60 indicate either noise, a loss of information or an error in the recovery at this point.

5. Discussion and Future Research

This paper presents a field data-based framework for battery health management in FL scenarios, which not only provides an important basis for on-board battery health monitoring and prediction, but also paves the way for second-life assessment of batteries. It explores the privacy concerns of battery health management based on AI modelling.

The FL approach enables the development of a common AI model while preserving the privacy of user data. However, gradient inversion attacks can potentially reconstruct user data from deep learning model updates, which raises privacy concerns. As shown in this paper, additional protection by differential privacy DP leads to saturation in gradient inversion attacks, i.e., the reconstructed signal maintains a certain error level depending on the applied DP protection levels.

Future research could investigate more advanced GIA methods, such as training attack networks with reinforcement learning or using the foundation models for gradient inversion attacks. Furthermore, the attention mechanisms in transformers could be investigated as they are self-explanatory.