ADF-LoRA: Defense & Decentralized Fine-Tuning

• ADF-LoRA comprises two frameworks: one defending LoRa signal classification in IoT with CNNs/FNNs and the other enabling decentralized fine-tuning via low-rank aggregation.
• The adversarial defense framework employs FGSM-driven training, achieving robust classification with minimal clean accuracy loss despite sophisticated perturbations.
• The decentralized fine-tuning method alternates low-rank updates across clients, mitigating cross-client interference and improving accuracy in non-IID, serverless settings.

ADF-LoRA refers to two distinct frameworks in recent literature: (1) Adversarial Defense Framework for LoRa signal classification in IoT settings (Sagduyu et al., 30 Dec 2024) and (2) Alternating Low-Rank Aggregation for decentralized federated fine-tuning of large-scale models (Wang et al., 23 Nov 2025). Each provides methodology and algorithms aimed at resilience (security against adversarial threats) or robustness/stability in distributed optimization via low-rank matrix operations. This entry surveys both frameworks comprehensively.

1. Adversarial Defense Framework for LoRa Signal Classification

ADF-LoRA in the context of wireless security addresses identification and authentication of LoRa devices. The framework leverages deep learning classifiers—convolutional neural networks (CNNs) and fully connected neural networks (FNNs)—to process raw I/Q samples (arranged as $2\times32$ tensors per packet). The key tasks are: (1) device identification and (2) classification of packets as legitimate or rogue.

Three model types are implemented:

• Single-task CNN: 70,000 parameters; Conv2D, flatten, dense layers, dropout, final SoftMax.
• Single-task FNN: 6,500 parameters; dense layers and dropout.
• Multi-task CNN/FNN: shared trunk with two task-specific heads; joint loss $L_{\rm multi} = w_1 L_1 + w_2 L_2$ with $w_1 = w_2 = 0.5$.

No input normalization or feature engineering is applied.

2. Threat Model and Attack Mechanisms

Rogue Packet Generation

Adversaries record legitimate I/Q samples and apply Gaussian kernel density estimation, $h = 10^{-3}$, to synthesize rogue signals. Amplitude shifts up to $\pm2\,\mathrm{dB}$ and phase offsets $\leq\pi/30$ are imposed. Fidelity to legitimate samples is measured via Jensen–Shannon divergence (≈ 0.0096).

Adversarial Attacks

Classification vulnerability is assessed with the Fast Gradient Sign Method (FGSM). Untargeted perturbations are $\delta = \epsilon\, \mathrm{sign}(\nabla_x L_i)$, targeted are $- \epsilon\, \mathrm{sign}(\nabla_x L_i)$, budget $\epsilon$ set by perturbation-to-signal ratio (PSR), with typical attacks successful for PSR $\in [-3,0]$ dB.

Both individual (single-task) and hybrid (multi-task; joint gradient weighted by $\gamma_1 = \gamma_2 = 0.5$) perturbations are used.

3. ADF-LoRA Adversarial Training Algorithm

ADF-LoRA defends by adversarial training, augmenting each batch with FGSM-generated samples. The robust optimization problem solved each batch is: $$\min_\theta \mathbb{E}_{(x,y)} [\max_{\|\delta\|_\infty \leq \epsilon} L(x+\delta, y; \theta)]$$ For each mini-batch, $\Delta = \epsilon\,\mathrm{sign}(\nabla_X L)$ is computed; adversarial batch $X_{\rm adv} = X+\Delta$. The training loss is $$L_{\rm total} = (1-\alpha) L(X,Y) + \alpha L(X_{\rm adv},Y)$$ with $\alpha \approx 0.5$. Standard Adam optimizer is used for 50 epochs; $\epsilon$ matches attack PSR.

4. Quantitative Impact and Robustness

Attack success probability (ASP) before and after adversarial training demonstrates effectiveness. Clean accuracy reductions are minor (2–6 points). Selected metrics:

Model	ASP before	ASP after	Clean-acc.
CNN	0.987	0.003	0.960
FNN	0.920	0.0002	0.971
Multi-task CNN (Task 2)	0.723	0.060	0.950
Multi-task FNN (Task 2)	0.689	0.124	0.957

The ASP curve shifts toward zero under adversarial training. This reflects robust classification despite significant adversarial perturbations.

5. Practical Considerations, Limitations, and Future Directions

Recommended hyperparameters: $\epsilon$ should match expected attack PSR, 50 training epochs suffice with 5k samples, no data augmentation required (though optional for larger-scale deployments).

Limitations include specialization to FGSM; stronger iterative attacks (PGD, CW) and more diverse attack scenarios remain open problems. Potential future avenues are defensive distillation, randomized smoothing, curriculum learning, online continual learning for incremental device insertion, and robustness testing under variable channel or unseen attack conditions.

6. Alternating Low-Rank Aggregation for Decentralized Federated Fine-Tuning

ADF-LoRA also denotes a fine-tuning algorithm for decentralized federated learning (DFL) (Wang et al., 23 Nov 2025). LoRA injects a low-rank matrix update $\Delta W = B A$ into each weight of a large pre-trained model, often for NLP tasks. In centralized FL, FedAvg of $(A_i, B_i)$ inadvertently introduces cross-client interference (bilinear cross terms $B_i A_j$ for $i \neq j$), leading to instability in non-iid settings.

RoLoRA introduced alternating block-coordinates in centralized FL—optimizing $A$ or $B$ while freezing its complement, with global synchronized mixing—eliminating cross terms. In DFL, naïve extension fails due to:

• Phase-State Mismatch: Stale $B_i$ values across clients.
• Block-wise Drift: Unsynchronized inactive block diverges during its off-phase.

ADF-LoRA addresses these by mixing both $A$ and $B$ at every round, regardless of which block was locally optimized. This restores the cross-term suppression seen in centralized FL.

7. Algorithmic Structure and Analysis in Decentralized Settings

Each client $i$ at round $t$ maintains $(A_i^t, B_i^t)$. Gradient step is performed on the active block (as determined by phase $T$), then both blocks undergo peer-to-peer mixing: $$A_i^{t+1} = \sum_j w_{ij} A_j^{t+\frac{1}{2}}, \qquad B_i^{t+1} = \sum_j w_{ij} B_j^{t+\frac{1}{2}}$$ where $w_{ij}$ are entries of a symmetric, doubly stochastic mixing matrix over the client graph.

Convergence analysis under standard smoothness and spectral gap assumptions shows $O(1/(KT))$ stationarity with geometrically vanishing consensus error.

8. Experimental Results and Hyperparameter Ablation

Evaluation on GLUE—SST-2, QNLI, QQP, MNLI—using RoBERTa-Large with LoRA adapters on Q/V projections ($r=8$), 10-clients per task, non-IID splits, AdamW. Baselines: naïve LoRA, FFA-LoRA, RoLoRA, and ADF-LoRA (various $T$).

Summary of test accuracies after 150 rounds:

Method	SST-2	QNLI	QQP	MNLI	Average
LoRA	0.9482	0.8970	0.8077	0.7304	0.8458
FFA-LoRA	0.9329	0.8758	0.7926	0.7058	0.8268
RoLoRA	0.9354	0.8685	0.7915	0.7184	0.8284
ADF-LoRA (T=5)	0.9422	0.8826	0.8129	0.7624	0.8505

ADF-LoRA (T=5) delivers the highest average accuracy (0.8505). Moderate switching interval $T=5$ best balances block coordination with optimization flexibility, outperforming both very frequent ($T=1$) and delayed ($T=20$) switching.

9. Broader Implications and Future Directions

ADF-LoRA provides a robust and theoretically sound mechanism for applying alternating low-rank fine-tuning in decentralized peer-to-peer federated optimization, preventing phase-state mismatch and block-wise drift. It empirically outperforms alternatives in non-IID, serverless topologies.

Limitations stem from assumptions of static, symmetric mixing matrices and non-adaptive optimizers; extension to time-varying directed graphs, asynchronous protocols, and scaling to very large models is an open research direction. Adaptive phase switching policies are a suggested refinement. This constitutes a promising mechanism for reliable distributed model adaptation in heterogeneous multi-client settings.