
SVDefense: Effective Defense against Gradient Inversion Attacks via Singular Value Decomposition

Chenxiang Luo, David K. Y. Yau, Qun Song

TL;DR

SVDefense addresses gradient inversion attacks in federated learning by employing a triad of SV-based techniques: Self-Adaptive Energy Threshold to tailor privacy protection to client imbalance, Channel-Wise Weighted Approximation to preserve training-critical gradient information while suppressing leakage, and Layer-Wise Weighted Aggregation to improve global utility under non-IID data. The framework irreversibly perturbs the entire gradient space through truncation and weighting, and adapts per-client thresholds via the entropy of singular-value distributions. Comprehensive evaluations on EMNIST, CIFAR-10, HAR, and KWS, plus a real-world embedded FL testbed, show SVDefense outperforms baselines in both accuracy and defense effectiveness, while maintaining practical computational cost and reducing communication overhead. The work demonstrates the feasibility of deploying robust GIA defenses on resource-constrained devices and provides pathways for extending SVDefense to broader DL architectures and domains.

Abstract

Federated learning (FL) enables collaborative model training without sharing raw data but is vulnerable to gradient inversion attacks (GIAs), where adversaries reconstruct private data from shared gradients. Existing defenses either incur impractical computational overhead for embedded platforms or fail to achieve privacy protection and good model utility at the same time. Moreover, many defenses can be easily bypassed by adaptive adversaries who have obtained the defense details. To address these limitations, we propose SVDefense, a novel defense framework against GIAs that leverages the truncated Singular Value Decomposition (SVD) to obfuscate gradient updates. SVDefense introduces three key innovations: a Self-Adaptive Energy Threshold that adapts to client vulnerability, a Channel-Wise Weighted Approximation that selectively preserves essential gradient information for effective model training while enhancing privacy protection, and a Layer-Wise Weighted Aggregation for effective model aggregation under class imbalance. Our extensive evaluation shows that SVDefense outperforms existing defenses across multiple applications, including image classification, human activity recognition, and keyword spotting, by offering robust privacy protection with minimal impact on model accuracy. Furthermore, SVDefense is practical for deployment on various resource-constrained embedded platforms. We will make our code publicly available upon paper acceptance.
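The building block the abstract names, truncating a gradient matrix's SVD at an energy threshold and measuring the entropy of its singular-value distribution, is sketched below as an added example; it is not the authors' code and does not implement the self-adaptive, channel-wise or layer-wise weighting. Assumptions: "energy" is the sum of squared singular values, entropy is taken over singular values normalised to sum to 1, and all function names and the sample matrix are constructed for illustration.

```python
import numpy as np

def energy_rank(s, tau):
    """Smallest k whose top-k singular values retain at least a fraction tau of the energy."""
    energy = np.cumsum(s ** 2) / np.sum(s ** 2)
    k = int(np.searchsorted(energy, tau)) + 1
    return min(k, len(s))  # guard against rounding when tau is ~1.0

def sv_entropy(s):
    """Shannon entropy (nats) of the normalised singular-value distribution (assumed definition)."""
    s = np.asarray(s, dtype=float)
    p = s / s.sum()
    p = p[p > 0]  # 0 * log(0) is treated as 0
    return float(-(p * np.log(p)).sum())

def make_gradient(spectrum, rows=64, cols=32, seed=0):
    """Constructed sample: a rows x cols 'gradient' with exactly the given singular values."""
    rng = np.random.default_rng(seed)
    r = len(spectrum)
    U, _ = np.linalg.qr(rng.standard_normal((rows, r)))
    V, _ = np.linalg.qr(rng.standard_normal((cols, r)))
    return (U * np.asarray(spectrum, dtype=float)) @ V.T

def protect(G, tau):
    """Truncate G at energy threshold tau; report what the client would upload."""
    U, s, Vt = np.linalg.svd(G, full_matrices=False)
    k = energy_rank(s, tau)
    G_k = (U[:, :k] * s[:k]) @ Vt[:k]  # rank-k approximation rebuilt on the server side
    return {
        "k": k,
        "rel_err": float(np.linalg.norm(G - G_k) / np.linalg.norm(G)),
        "values_sent": k * (G.shape[0] + G.shape[1] + 1),  # U_k, s_k, V_k factors
        "values_full": G.size,
        "entropy": sv_entropy(s),
    }

if __name__ == "__main__":
    G = make_gradient([10, 5, 2, 1, 0.5, 0.1])
    for tau in (0.95, 0.99):
        print(tau, protect(G, tau))
```

The discarded singular components are not recoverable from the uploaded factors, and a lower threshold both removes more of the gradient and shrinks the upload.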

Paper Structure

This paper contains 37 sections, 11 equations, 17 figures, 9 tables, 1 algorithm.

Figures (17)

  • Figure 1: An illustration of SVDefense. While the adversary may attempt to reconstruct user data using the gradients uploaded by an undefended client, our defense hinders the data reconstruction by uploading the gradients protected by SVDefense. The blue and yellow blocks represent the original and truncated gradients in our defense, respectively.
  • Figure 2: Comparison of non-adaptive and adaptive GIAs against the Prune defense [zhu2019deep].
  • Figure 3: Impact of class imbalance on attack effectiveness. Lower MSE and higher PSNR indicate stronger attack performance.
  • Figure 4: Overview of the proposed SVDefense. On the server side, $\nabla \mathbf{\Theta}_{m,l}$ denotes client $m$'s reconstructed gradients at layer $l$, $\nabla \mathbf{\Theta}_{g,l}$ is the global gradients at layer $l$, and $p_{m,l}$ represents the layer-wise aggregation weight.
  • Figure 5: Entropy of singular value distribution vs. class balance ratio.
  • ...and 12 more figures