Papers
Topics
Authors
Recent
Search
2000 character limit reached

AdaBFL: Multi-Layer Defensive Adaptive Aggregation for Bzantine-Robust Federated Learning

Published 30 Apr 2026 in cs.LG, cs.AI, and cs.CR | (2604.27434v1)

Abstract: Federated learning (FL) is a popular distributed learning paradigm in machine learning, which enables multiple clients to collaboratively train models under the guidance of a server without exposing private client data. However, FL's decentralized nature makes it vulnerable to poisoning attacks, where malicious clients can submit corrupted models to manipulate the system. To counter such attacks, although various Byzantine-robust methods have been proposed, these methods struggle to provide balanced defense against multiple types of attacks or rely on possessing the dataset in the server. To deal with these drawbacks, thus, we propose an effective multi-layer defensive adaptive aggregation for Bzantine-robust federated learning (AdaBFL) based on a novel three-layer defensive mechanism, which can adaptively adjust the weights of defense algorithms to counter complex attacks. Moreover, we provide convergence properties of our AdaBFL method under the non-convex setting on non-iid data. Comprehensive experiments across multiple datasets validate the superiority of our AdaBFL over the comparable algorithms.

Authors (3)

Summary

  • The paper introduces AdaBFL, a defense framework combining client filtering, parameter clipping, and derivative model synthesis for enhanced Byzantine-robustness in FL.
  • It achieves robust performance under various attacks—including label flipping, Gaussian noise, and collusive attacks—maintaining low test error even with 40% malicious clients.
  • The approach offers theoretical convergence of O(1/√T) in non-convex, non-iid settings, suggesting practical reliability in real-world federated learning deployments.

AdaBFL: Multi-Layer Defensive Adaptive Aggregation for Byzantine-Robust Federated Learning

Motivation and Problem Setting

Federated Learning (FL) coordinates decentralized model training across multiple clients while preserving data privacy. However, FL's distributed nature exposes the global model to poisoning attacks where malicious clients submit corrupted updates, undermining reliability and performance. Classical aggregation defenses—mean, Krum, Trimmed-mean, and Median—fail to provide robust resistance across the full spectrum of sophisticated poisoning vectors (Figure 1), particularly under non-iid data or collusive (Sybil) attack settings where statistical anomaly detection is insufficient. Figure 1

Figure 1: Typical attack vectors in FL, including the Sybil scenario where coordinated malicious clients bypass statistical defenses by manipulating update direction and scale.

The core problem addressed is designing an aggregation framework resilient to multiple types of Byzantine attacks—including label flipping, Gaussian noise, backdoor, and collusion attacks—without reliance on server-held validation data or strong distributional assumptions, and with theoretical convergence guarantees under non-convex, non-iid regimes.

AdaBFL Architecture: Multi-Layer Defense and Adaptive Aggregation

AdaBFL is introduced as a multi-layer adaptive defense framework, combining three orthogonal strategies: malicious client filtering, parameter clipping, and derivative model synthesis (Figure 2). Its architecture is visualized in Figure 3. Figure 2

Figure 2: AdaBFL (d) extends standard Byzantine defenses (a–c) by integrating benign model synthesis and dynamic weight adjustment, enabling heightened robustness.

Figure 3

Figure 3: System model of AdaBFL, in which multiple defense layers interact, all driven by client updates and adaptive aggregation on the server side.

Core Components

  1. Malicious Client Filtering: Updates from clients are compared to the mean of others through a distance-based criterion. Models significantly deviating in direction or magnitude are filtered. The filtering threshold decays exponentially with time, addressing convergence and reducing false positives as training progresses.
  2. Parameter Clipping: Trimmed-mean aggregation is applied across parameter dimensions of the surviving client set. Extreme values are removed, limiting the effect of outliers in any parameter dimension.
  3. Derivative Model Synthesis: From the filtered benign client set, AdaBFL identifies clients whose models are farthest from extremes in parameter space, designating them as highly trustworthy. Synthetic updates are constructed by replicating these trusted models and merging them with the original benign set, followed by an additional round of trimmed-mean aggregation.
  4. Adaptive Fusion: Outputs from all three components are adaptively weighted—using statistics measuring the impact of each defense—before final aggregation. Weights are dynamically updated by monitoring discrepancies between mean and trimmed-mean, as well as the synthesized model, using either threshold-based or threshold-free schemes. Momentum techniques further enhance adaptation stability.

Configurations of serial (AdaBFL-1, AdaBFL-2) and parallel (AdaBFL-3) deployments of these layers are explored (Figure 4). This strategy ensures defense redundancy and complements the weaknesses of any single detection/mitigation approach. Figure 4

Figure 4: Configurations of the three-layer defense: AdaBFL-1 and -2 use series architectures, AdaBFL-3 employs a parallel design, all consuming benign client inputs.

Theoretical Analysis

Under standard FL assumptions—LL-smooth global functions, bounded gradient variance (σ2\sigma^2), and bounded inter-client heterogeneity (τ2\tau^2)—AdaBFL achieves an O(1/T)O(1/\sqrt{T}) convergence rate for the expected gradient norm in the non-convex setting, matching classical methods. The analysis incorporates aggregation errors induced by the adaptive, multi-layer structure and bounds them proportionally to the variance and client diversity, ensuring both utility and robustness in adversarial or non-iid environments.

Empirical Evaluation

The empirical study systematically benchmarks AdaBFL against nine established aggregation rules (FedAvg, Median, Trimmed-mean, GAS, Gau, FoundationFL variants) across seven varied datasets (Tiny ImageNet, MNIST, Fashion-MNIST, HAR, CIFAR-10, PetImage, Shakespeare):

  • Attack Scenarios: Label flipping, Gaussian, Trim, Krum, Min-Max, Scaling, and Sybil attacks; both targeted and untargeted.
  • Non-IID and Asynchronicity: Tested under increasing non-iid levels, different sizes of client populations, varying malicious fractions, asynchronous update arrival, and synthetic update ratios.

Strong Claims and Results

AdaBFL consistently matched or improved upon baseline test error in benign conditions and maintained low test error under all attack types up to 40% malicious clients on MNIST, Fashion-MNIST, and CIFAR-10. Notably, where Median and FoundationFL failed against high fractions or sophisticated collusive attacks, AdaBFL exhibited substantial tolerance, maintaining utility and preventing critical failure modes.

For instance, on MNIST in the presence of Gaussian and Trim attacks, AdaBFL yielded test errors of $0.009$–$0.011$ versus $0.473$–$0.900$ for Trimmed-mean, and $0.019$–$0.011$ for FoundationFL+Median. Across all datasets (Table and main text), robustness under both single and combined attack vectors is superior, with numerically stable error rates regardless of data heterogeneity or system asynchrony. Figure 5

Figure 5

Figure 5

Figure 5

Figure 5

Figure 5

Figure 5

Figure 5

Figure 5

Figure 5: AdaBFL demonstrates resilience as the fraction of malicious clients increases, particularly under Gaussian, Trim, and Sybil attacks on MNIST.

Figure 6

Figure 6

Figure 6

Figure 6

Figure 6

Figure 6

Figure 6

Figure 6

Figure 6

Figure 6: AdaBFL exhibits stable robustness and low error rates as non-iid data level increases, outperforming other defenses under adversarial conditions.

Figure 7

Figure 7

Figure 7

Figure 7

Figure 7

Figure 7

Figure 7

Figure 7

Figure 7

Figure 7: AdaBFL maintains low error rates despite increases in client-server asynchrony, contrasting with the degraded robustness of classical methods.

Figure 8

Figure 8

Figure 8

Figure 8

Figure 8

Figure 8

Figure 8

Figure 8

Figure 8

Figure 8: Performance of AdaBFL remains stable as total number of clients scales, even with a fixed malicious fraction.

Figure 9

Figure 9

Figure 9

Figure 9

Figure 9

Figure 9

Figure 9

Figure 9

Figure 9

Figure 9: The anti-attack performance of AdaBFL is preserved regardless of the fraction of synthetic updates, indicating insensitivity to this hyperparameter.

Additional Insights

  • AdaBFL’s performance is robust to changes in aggregation hyperparameters (σ2\sigma^20, σ2\sigma^21, σ2\sigma^22, σ2\sigma^23).
  • Series and parallel defense architectures have trade-offs: serial (AdaBFL-1) generally achieved marginally better error rates, but all are effective up to 40% malicious ratio.
  • At malicious ratios σ2\sigma^24, AdaBFL outperforms Median and other baselines, resisting several classes of attacks where all other methods fail.
  • Momentum-based and threshold-free adaptive schemes (Algorithm variations) show further improvements in stability and final error across adversarial scenarios.

Implications and Future Directions

AdaBFL demonstrates that multi-perspective, adaptively fused Byzantine-robust aggregation significantly enhances the resilience of FL systems without reliance on privacy-compromising server-side validation data. Its architecture generalizes and subsumes many existing defense strategies, offering both practical robustness and theoretical convergence guarantees.

Theoretically, the work opens directions for more granular client trust assignment, further automation and adaptation of aggregation strategies in dynamic threat environments, and formal compositional analysis of layered defenses. Practically, AdaBFL's insensitivity to global hyperparameters and strong performance at large scale position it as a candidate for integration in real-world FL deployments—especially in high-stakes contexts (finance, medical, cross-silo FL) where adversarial risk is non-negligible.

For future AI developments, these mechanisms—potentially extended with even richer model provenance analytics and cryptographic verifiability—can be expected to become a standard component of federated and decentralized learning infrastructure, as threat models and system complexity further evolve.

Conclusion

AdaBFL presents a comprehensive, adaptive, and theoretically grounded approach to Byzantine-robust FL. By integrating filtering, fine-grained parameter aggregation, and benign model amplification, AdaBFL achieves error rates matching benign baselines while maintaining robust performance under a variety of adversarial and system heterogeneity challenges. The design and empirical results substantiate AdaBFL as an effective foundation for secure and trustworthy federated learning in adversarial environments.

Paper to Video (Beta)

No one has generated a video about this paper yet.

Whiteboard

No one has generated a whiteboard explanation for this paper yet.

Open Problems

We haven't generated a list of open problems mentioned in this paper yet.

Collections

Sign up for free to add this paper to one or more collections.