Papers
Topics
Authors
Recent
Search
2000 character limit reached

FoggyTrust: Robust Federated Learning with Hierarchical Trust Networks

Published 26 Jun 2026 in cs.LG and cs.DC | (2606.27622v1)

Abstract: Byzantine-robust federated learning seeks to protect distributed model training from malicious or corrupted clients without requiring access to their private data. FLTrust addresses this challenge by introducing a trusted server-side root dataset that assigns trust scores to client updates for more robust aggregation. In this work, we propose FOGGYTRUST, a hierarchical extension of FLTrust that localizes trust computation to fog nodes, allowing the framework to better handle globally heterogeneous data while preserving robustness within locally homogeneous client groups. We further show that this two-level architecture can simultaneously address distribution mismatch in trust estimation and client drift across groups by combining local trust-based aggregation with heterogeneity-aware global optimizers such as FedAdam and SCAFFOLD. Across benchmark datasets, FOGGYTRUST achieves its strongest gains on more challenging heterogeneous settings, particularly on CIFAR-10 under Krum and Trim attacks, where it achieves an over 50% improvement over FLTrust. We also test FOGGYTRUST in a real-world safari dataset to show the promise of hierarchical trust networks for robust federated learning in socially impactful, safety-critical settings such as distributed wildlife monitoring.

Summary

  • The paper introduces FoggyTrust, a two-level framework that localizes trust scoring via fog nodes to counter adversarial attacks in non-iid federated learning.
  • It demonstrates significant performance gains—over 50% improvement in challenging settings—by mitigating client drift and optimizing trust at both local and global levels.
  • The approach integrates flexible aggregation methods such as SCAFFOLD and FedAdam, offering practical resilience for safety-critical and real-world deployments.

FoggyTrust: Hierarchical Robustness in Federated Learning under Data Heterogeneity

Introduction and Motivation

Federated Learning (FL) has become a paradigm of choice for distributed machine learning, allowing decentralized clients to collaboratively train models without sharing raw data. A chronic weakness of FL is its vulnerability to Byzantine clients, whose local updates may be adversarially manipulated, undermining robust aggregation and global model convergence. Existing aggregation schemes—Krum, Trimmed Mean, Median—offer statistical robustness but break down under adaptive optimization-based attacks that strategically align malicious gradients. FLTrust addresses this by bootstrapping trust from a centrally curated root dataset, scoring client updates by their alignment with server-side gradients. However, this method presupposes global data homogeneity—a strong, often violated assumption in practical systems where local data distributions are highly non-iid and clustered according to hidden structure (e.g., geography, device type).

FoggyTrust advances Byzantine-resilient federated learning by proposing a two-level trust network. Rather than computing trust centrally, FoggyTrust localizes trust estimation via per-cluster (“fog node”) reference datasets, exploiting the observation that real-world data is often only locally homogeneous. The hierarchical aggregation is further generalized to include second-level optimizers capable of correcting for inter-cluster drift.

Architecture and Methodology

FoggyTrust’s architecture consists of three key levels: clients, fog nodes, and a global server. Each fog node represents a cluster of clients presumed to be locally homogeneous; a root dataset, tailored to each fog node, is used to compute a trust score for clients' updates analogously to FLTrust but confined to its subgroup. Fog nodes perform FLTrust aggregation across their clients, then transmit their locally aggregated updates to the global server. The server aggregates fog node updates via an arbitrary optimizer—vanilla FedAvg, adaptive optimizers such as FedAdam, or variance-reducing schemes such as SCAFFOLD—allowing modular adaptation to the degree of heterogeneity across clusters. Figure 1

Figure 1: High-level overview of FoggyTrust, depicting per-fog node trust-localized aggregation followed by a second-level optimizer at the global server.

This structure ensures trust scores are based on contextually relevant data distributions, mitigating the mismatch that undermines the reliability of global trust in FLTrust under heterogeneous data. The separation of local and global aggregation also enables tackling client drift, a key failure mode in FedAvg under non-iid distributions, by deploying advanced aggregation schemes like SCAFFOLD or FedAdam at the upper layer.

Empirical Evaluation

Evaluation spans standard FL benchmarks (MNIST, Fashion-MNIST, CIFAR-10) under four attack types—local model poisoning (Krum, Trim, Scaling) and data poisoning (Label Flipping)—and a real-world heterogeneous dataset (Snapshot Safari), using both convolutional and ResNet-20 architectures. Clients are clustered according to their predominant label or geographical context, reflecting realistic local homogeneity.

Robustness to Adversarial Attacks

FoggyTrust demonstrates pronounced robustness to local model poisoning attacks, especially on challenging and heterogeneous tasks, evidenced by substantial accuracy improvements relative to FLTrust on CIFAR-10 under Krum and Trim attacks—both optimized to subvert gradient direction. Specifically, performance gains exceed 50% on these attack settings, affirming that localized trust assessment in FoggyTrust thwarts attacks that defeat global trust bootstrapping. Figure 2

Figure 2: Relative robustness of FoggyTrust versus FLTrust under multiple attacks on CIFAR-10, highlighting superiority under Krum and Trim attacks.

On simpler datasets (MNIST, Fashion-MNIST), differences between methods are attenuated due to lower data complexity and less pronounced non-iidness.

Modularity via Hierarchical Aggregation

The flexibility of FoggyTrust’s two-level architecture is underscored by experiments using diverse global aggregators. SCAFFOLD at the global level consistently yields increased resilience by correcting server-side drift, particularly in high-variance clusters and under adversarial gradient manipulations. In contrast, FedAdam, which adapts server updates to client group variability, demonstrates nuanced improvements, suggesting further potential through custom optimizer design at each hierarchical layer.

Limitations under Silent Data Poisoning

While FoggyTrust excels against optimization-based poisoning attacks, its efficacy against data poisoning attacks (e.g., label flipping) is diminished—mirroring the generic challenge in distinguishing plausibly structured but semantically tainted gradients. In scenarios with high-variance or few clients per fog node, trust-score reliability degrades, limiting discrimination between benign and malicious local updates.

Real-World Applicability

The use of Snapshot Safari—a massive, real-world, multicamera wildlife dataset characterized by spatially clustered heterogeneity—validates the practical promise of FoggyTrust. Fog node partitioning according to biome (semi-desert, savanna, grassland) mimics natural clustering. Here, FoggyTrust narrows the gap in robustness between naively robust (FedAvg) and trust-based (FLTrust) aggregation, though intra-group variance (e.g., due to weather, illumination) limits its upper bound effectiveness. Figure 3

Figure 3: Illustration of the Snapshot Safari camera trap environment partitions exploited by FoggyTrust for fog node assignment.

Figure 4

Figure 4: Relative FL robustness on Snapshot Safari under various attack scenarios, comparing FLTrust and FoggyTrust.

Discussion and Implications

FoggyTrust demonstrates that localizing trust estimation is both practical and highly effective under realistic, non-iid settings—where global trust bootstrapping is inherently brittle. Hierarchical design provides modularity, allowing integration of state-of-the-art optimization techniques (e.g., SCAFFOLD, FedAdam) at different levels, and affording principled robustness against both adaptive and non-adaptive adversaries. The partitioned trust structure maps naturally to real-world deployments (e.g., geographically clustered devices or edge clouds), improving resilience with minimal loss of model fidelity.

These findings carry specific implications for safety-critical deployments (e.g., distributed surveillance, sensor networks), where resilience to adversarial clients is paramount yet data heterogeneity is the norm. However, the technique requires careful calibration: the size and representativeness of fog node datasets, the client-to-fog cluster ratio, and the complexity of second-level aggregation all impact system robustness and computational overhead. Silent data poisoning remains an open challenge, requiring further innovation in trust scoring or data validation under plausible but adversarial label shifts.

Future Directions

Key future research avenues include:

  • Automated, data-driven fog node discovery to optimize the tradeoff between intra-group homogeneity and inter-group heterogeneity.
  • Adaptive trust bootstrapping combining meta-learned or adversarially trained roots.
  • Joint optimization of trust estimation and aggregation, potentially exploring end-to-end differentiable frameworks.
  • In-depth systems analysis of communication bandwidth, scalability, and latency under hierarchical architectures in large-scale deployments.
  • Enhanced defenses against subtle data poisoning, possibly leveraging representation learning consistency or reverse verification.

Conclusion

FoggyTrust provides strong empirical and theoretical evidence that hierarchical trust networks, with localized aggregation and modular global optimization, substantially enhance federated learning robustness under realistic data heterogeneity. Its architecture offers a clear template for addressing both security and optimization challenges in next-generation federated systems, while highlighting persistent vulnerabilities under silent data poisoning. The method is especially suitable for real-world, safety-critical settings requiring both trustworthiness and adaptability.

Paper to Video (Beta)

No one has generated a video about this paper yet.

Whiteboard

No one has generated a whiteboard explanation for this paper yet.

Open Problems

We haven't generated a list of open problems mentioned in this paper yet.

Collections

Sign up for free to add this paper to one or more collections.

Tweets

Sign up for free to view the 1 tweet with 5 likes about this paper.