SelectiveShield: Lightweight Hybrid Defense Against Gradient Leakage in Federated Learning
Borui Li, Li Yan, Jianmin Liu
Published on arXiv: 2508.04265
Model Inversion Attack
OWASP ML Top 10 — ML03
Key Finding
SelectiveShield maintains high model utility in heterogeneous (non-IID) FL settings while substantially reducing gradient reconstruction risk, outperforming pure DP or full HE baselines on the utility-privacy-overhead trade-off.
SelectiveShield
Novel technique introduced
Federated Learning (FL) enables collaborative model training on decentralized data but remains vulnerable to gradient leakage attacks that can reconstruct sensitive user information. Existing defense mechanisms, such as differential privacy (DP) and homomorphic encryption (HE), often introduce a trade-off between privacy, model utility, and system overhead, a challenge that is exacerbated in heterogeneous environments with non-IID data and varying client capabilities. To address these limitations, we propose SelectiveShield, a lightweight hybrid defense framework that adaptively integrates selective homomorphic encryption and differential privacy. SelectiveShield leverages Fisher information to quantify parameter sensitivity, allowing clients to identify critical parameters locally. Through a collaborative negotiation protocol, clients agree on a shared set of the most sensitive parameters for protection via homomorphic encryption. Parameters that are uniquely important to individual clients are retained locally, fostering personalization, while non-critical parameters are protected with adaptive differential privacy noise. Extensive experiments demonstrate that SelectiveShield maintains strong model utility while significantly mitigating gradient leakage risks, offering a practical and scalable defense mechanism for real-world federated learning deployments.
Key Contributions
- Fisher-information-guided parameter sensitivity scoring that partitions model parameters into HE-protected (critical), locally retained (personalized), and DP-protected (non-critical) sets
- Collaborative negotiation protocol that resolves heterogeneous client mask conflicts by encrypting the intersection of local sensitivity masks, avoiding the union explosion problem in non-IID settings
- Secure aggregation design where no private HE key is ever exposed to clients, preventing insider decryption of other participants' updates
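To make the three-way partition described in the abstract and the contributions above concrete, here is an added toy simulation (not the paper's code). It assumes a diagonal empirical Fisher (mean squared per-sample gradient) as the sensitivity score, a top-k mask per client, intersection-based negotiation, a fixed L2-clip plus Gaussian noise as the DP step, and a pass-through placeholder where the HE layer would sit; the client gradients are constructed.

```python
import math
import random

# Constructed per-sample gradients for three clients over d = 6 parameters.
# Each client shares params 0 and 1 as highly sensitive but differs on a third.
CONSTRUCTED_GRADS = {
    "A": [[3.0, 2.0, 1.0, 0.1, 0.1, 0.1]] * 2,
    "B": [[3.0, 2.0, 0.1, 1.0, 0.1, 0.1]] * 2,
    "C": [[3.0, 2.0, 0.1, 0.1, 1.0, 0.1]] * 2,
}

def fisher_scores(per_sample_grads):
    """Diagonal empirical Fisher information: mean squared gradient per
    parameter, computed by each client on its own samples (assumption)."""
    n, d = len(per_sample_grads), len(per_sample_grads[0])
    return [sum(g[j] ** 2 for g in per_sample_grads) / n for j in range(d)]

def local_mask(scores, k):
    """Indices of the k most sensitive parameters on this client."""
    return set(sorted(range(len(scores)), key=lambda j: -scores[j])[:k])

def negotiate(masks, d):
    """Negotiation: the intersection of all client masks goes to HE, parameters
    only some clients flagged stay local (personalized), the rest get DP."""
    he_set = set.intersection(*masks)
    local_set = set.union(*masks) - he_set
    dp_set = set(range(d)) - he_set - local_set
    return he_set, local_set, dp_set

def protect_update(update, he_set, local_set, dp_set, clip, sigma, seed):
    """Split one client's update into the three payloads. HE coordinates are
    passed through untouched for the (out-of-scope) encryption layer; DP
    coordinates are L2-clipped and receive Gaussian noise of std sigma*clip."""
    rng = random.Random(seed)
    he_payload = {j: update[j] for j in he_set}
    retained = {j: update[j] for j in local_set}
    norm = math.sqrt(sum(update[j] ** 2 for j in dp_set))
    scale = min(1.0, clip / norm) if norm > 0 else 1.0
    dp_payload = {j: update[j] * scale + rng.gauss(0.0, sigma * clip)
                  for j in sorted(dp_set)}
    return he_payload, dp_payload, retained

def demo(k=3):
    """Run the full partition on the constructed clients."""
    masks = [local_mask(fisher_scores(g), k) for g in CONSTRUCTED_GRADS.values()]
    return negotiate(masks, len(next(iter(CONSTRUCTED_GRADS.values()))[0]))
```

With these inputs the negotiation encrypts only params 0 and 1, keeps 2, 3 and 4 client-local, and sends param 5 with DP noise; a union-based rule would instead have encrypted five of six parameters.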
🛡️ Threat Analysis
The explicit threat model is gradient leakage: an adversary (e.g., curious server or participant) reconstructs sensitive training data from shared gradient updates. SelectiveShield defends against this data-reconstruction threat using selective HE for the most sensitive parameters and DP noise for the rest — a textbook ML03 defense in the federated learning setting.