TL;DR
This paper introduces CENSOR, a novel defense mechanism for federated learning that uses orthogonal subspace perturbations to protect against gradient inversion attacks while preserving model performance.
Contribution
CENSOR leverages high-dimensional orthogonal subspace perturbations and Bayesian sampling to defend against gradient inversion attacks in large neural networks.
Findings
Effective against advanced gradient inversion attacks
Maintains high model utility with minimal accuracy loss
Validated on three datasets with comprehensive evaluations
Abstract
Federated learning trains a neural network collaboratively under a global server: each local client receives the current global model weights and sends back parameter updates (gradients) computed on its local private data. Sending these updates can leak a client's private data. Existing gradient inversion attacks exploit this to recover private training instances from a client's gradient vectors, and recently proposed gradient inversion techniques are ones that existing defenses struggle to handle effectively. In this work, we present a novel defense tailored for large neural network models. Our defense capitalizes on the high dimensionality of the model parameters to perturb gradients within a subspace orthogonal to the original gradient. By leveraging cold posteriors over orthogonal subspaces, our defense implements a…
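The geometric step the abstract describes, perturbing a gradient only inside the subspace orthogonal to the gradient itself, as an added example in pure Python. This is not the paper's code: isotropic Gaussian noise with a hypothetical scale `sigma` stands in for the paper's cold-posterior sampling, and all function names are assumptions. The example also shows why high dimensionality matters for this construction: in `d` dimensions the orthogonal complement has `d - 1` dimensions, so almost the entire noise budget survives the projection.

```python
"""Orthogonal-subspace gradient perturbation (added illustration, not CENSOR's code).

Assumptions not taken from the paper: the noise is isotropic Gaussian with
standard deviation `sigma` (a stand-in for cold-posterior sampling), and the
helper names below are hypothetical.
"""
import math
import random
from typing import Dict, List

Vector = List[float]


def dot(a: Vector, b: Vector) -> float:
    return sum(x * y for x, y in zip(a, b))


def norm(a: Vector) -> float:
    return math.sqrt(dot(a, a))


def project_orthogonal(noise: Vector, grad: Vector) -> Vector:
    """Remove the component of `noise` that lies along `grad` (one Gram-Schmidt step).

    Returns noise - (noise.grad / grad.grad) * grad, which is orthogonal to grad.
    A zero gradient has no direction to remove, so the noise is returned unchanged.
    """
    gg = dot(grad, grad)
    if gg == 0.0:
        return list(noise)
    coef = dot(noise, grad) / gg
    return [n - coef * g for n, g in zip(noise, grad)]


def perturb_orthogonal(grad: Vector, sigma: float, rng: random.Random) -> Vector:
    """Return grad + noise with the noise confined to grad's orthogonal complement.

    sigma: standard deviation of the stand-in Gaussian noise (assumption).
    """
    noise = [rng.gauss(0.0, sigma) for _ in grad]
    noise_perp = project_orthogonal(noise, grad)
    return [g + n for g, n in zip(grad, noise_perp)]


def check_perturbation(grad: Vector, perturbed: Vector) -> Dict[str, float]:
    """Properties worth verifying before releasing a perturbed gradient.

    residual:      component of the added noise along grad (should be ~0)
    preserved_dot: <perturbed, grad>, which equals <grad, grad> when the
                   gradient's own component is untouched
    cosine:        how far the released vector's direction moved from grad
    """
    diff = [p - g for p, g in zip(perturbed, grad)]
    return {
        "residual": dot(diff, grad),
        "preserved_dot": dot(perturbed, grad),
        "grad_sq_norm": dot(grad, grad),
        "cosine": dot(perturbed, grad) / (norm(perturbed) * norm(grad)),
    }


def retained_energy_fraction(dim: int, sigma: float, rng: random.Random) -> float:
    """Fraction of the noise energy that survives projection, for a random gradient.

    For isotropic noise this is about (dim - 1) / dim: in high dimension the
    orthogonal complement carries essentially all of the perturbation budget.
    """
    grad = [rng.gauss(0.0, 1.0) for _ in range(dim)]
    noise = [rng.gauss(0.0, sigma) for _ in range(dim)]
    noise_perp = project_orthogonal(noise, grad)
    return dot(noise_perp, noise_perp) / dot(noise, noise)


if __name__ == "__main__":
    rng = random.Random(0)
    g = [1.0, -2.0, 0.5, 3.0]  # constructed toy gradient
    p = perturb_orthogonal(g, 0.5, rng)
    print(check_perturbation(g, p))
    print("retained noise energy in 1000 dims:", retained_energy_fraction(1000, 1.0, rng))
```

The check confirms the design property the abstract relies on: the inner product of the released vector with the true gradient is unchanged, so the perturbation changes which direction an attacker sees without cancelling the gradient's own component.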
