CENSOR: Defense Against Gradient Inversion via Orthogonal Subspace Bayesian Sampling

Table of Contents

• Overview
• Paper
• Install required packages
• Baselines
• Download models
• How to Run the Code
• Citation
• Acknowledgement
• Special thanks to...

Overview

• This is the PyTorch implementation for NDSS 2025 paper "CENSOR: Defense Against Gradient Inversion via Orthogonal Subspace Bayesian Sampling".
• Take-Away: CENSOR perturbs gradients within a subspace orthogonal to the original gradient.

Results

Install required packages

# Create python environment (optional)
conda env create -f env.yml
conda activate censor 

Baselines

This repo contains the code for the following baselines:

• Attacks
  • IG: Inverting gradients-how easy is it to break privacy in federated learning?
  • GI: See through gradients: Image batch recovery via gradinversion
  • GGL: Auditing privacy defenses in federated learning via generative gradient leakage
  • GIAS: Gradient inversion with generative image prior
  • GIFD: Gifd: A generative gradient inversion method with feature domain optimization
• Defenses
  • Noise: Differentially private federated learning: A client level perspective
  • Clipping: Gradient-leakage resilient federated learning
  • Sparcification: Sparse Communication for Distributed Gradient Descent
  • Soteria: Soteria: Provable Defense Against Privacy Leakage in Federated Learning From Representation Perspective
  • CENSOR (Ours): CENSOR: Defense Against Gradient Inversion via Orthogonal Subspace Bayesian Sampling

Download models

• download the shape_predictor_68_face_landmarks.dat from here to the root censor directory.
• download the stylegan2-ffhq-config-f.pt from here to the /inversefed/genmodels/stylegan2_io/ directory.

How to Run the Code

python run_rec.py --config $CONFIG_PATH

Example command for evaluating CENSOR with BigGAN:

python run_rec.py --config configs_biggan.yml

Citation

Please cite our work as follows for any purpose of usage.

@inproceedings{zhang2025censor,
  title={CENSOR: Defense Against Gradient Inversion via Orthogonal Subspace Bayesian Sampling},
  author={Zhang, Kaiyuan and Cheng, Siyuan and Shen, Guangyu and Ribeiro, Bruno and An, Shengwei and Chen, Pin-Yu and Zhang, Xiangyu and Li, Ninghui},
  booktitle={32nd Annual Network and Distributed System Security Symposium, {NDSS} 2025},
  year = {2025},
}

Acknowledgement

Part of the code is adapted from the following repos. We express great gratitude for their contribution to our community!

• Inverting Gradients
• ILO
• GGL
• GIFD_Gradient_Inversion_Attack

The BigGAN implementation, we use PyTorch official implementation and weights. For StyleGAN2, we adapt this Pytorch implementation, which is based on the official Tensorflow code.

Special thanks to...