
Byzantine-Robust Federated Learning

Updated 11 January 2026
  • Byzantine-robust federated learning frameworks are methods that secure global model convergence despite a fraction of adversarial clients by employing robust aggregation techniques.
  • They use algorithmic defenses like coordinate-trimming, norm-based screening, and loss-based greedy selection to filter out malicious updates and ensure provable convergence.
  • These frameworks further integrate differential privacy and fairness measures, delivering empirical accuracy improvements of up to 20% under strong adversarial attacks.

A Byzantine-robust federated learning (FL) framework encompasses algorithmic, statistical, and privacy-preserving techniques designed to ensure model integrity in collaborative settings, even in the presence of adversarial (Byzantine) clients. These frameworks address the challenge that a fraction of participants may arbitrarily manipulate their local updates, aiming to corrupt the global model, bias its predictions, or extract information about other participants’ data. State-of-the-art Byzantine-robust FL frameworks are typically characterized by a combination of robust aggregation rules, adaptive client screening, compatibility with fairness and privacy objectives, and, in some systems, provable convergence guarantees and empirical validation under strong attack models.

1. Core Principles: Byzantine Robustness in Federated Learning

Byzantine-robust FL frameworks are designed to guarantee correct global model convergence and high accuracy when a nontrivial subset of clients injects arbitrary or malicious updates. The central goal is to minimize the global empirical loss $F(w) = \sum_{i=1}^N p_i f_i(w)$, where $p_i$ encodes the weighting (usually by local dataset size) and $f_i$ is the local empirical risk. Byzantine-robustness necessitates strategies for detecting and mitigating manipulated gradients or model updates that deviate from the typical distribution of honest clients.

Adversarial models typically assume that up to an $\alpha$ fraction of clients per round may be Byzantine, with no statistical constraint on their behaviour beyond that fraction. Attacks may include high-norm injection, sign-flipping, label-flipping, or more subtle targeted manipulations, with the most stringent frameworks making no assumption on the structure or knowledge of malicious updates.

2. Screening and Robust Aggregation: Algorithmic Mechanisms

A canonical defensive primitive is robust aggregation via coordinate-trimming, norm-based screening, or reference loss filtering:

Two-sided Norm Based Screening (TNBS) (Basharat et al., 5 Mar 2025):

  • At each round $t$, the server collects client gradients $g_i$.
  • Gradients with the $l$ lowest or $h$ highest $\ell_2$-norms are discarded, with $l, h$ typically set proportionally to the attack budget $\alpha N$.
  • The remaining updates are aggregated:

$$g_{\text{agg}} = \frac{1}{N-l-h} \sum_{i \notin S_\text{low} \cup S_\text{high}} g_i,$$

yielding a trimmed robust mean update.

Loss-based Greedy Selection (FedGreed) (Kritharakis et al., 25 Aug 2025):

  • The server holds a trusted dataset $\mathcal{D}_\text{ref}$.
  • Each client update is scored by its reference-set loss.
  • Clients are sorted, and the subset achieving minimal loss under aggregation is greedily selected.
  • This method operates without prior knowledge of the Byzantine fraction and is robust to arbitrary data heterogeneity.

Coordinate-wise Median and Trimmed-Mean (Tao et al., 2023):

  • Each coordinate is aggregated using the median, or by removing a $\beta$ fraction of the highest and lowest values, tolerating up to $\beta N$ outliers.
  • Particularly effective in clustered settings and in high-dimensions with strong adversarial contamination.

Similarity and Reference-based Filtering (Rahmati et al., 3 Jan 2026, Nie et al., 2024):

  • Similarity-based mechanisms (e.g., cosine similarity, Euclidean norm, or dynamic scoring) measure consistency with robustly aggregated reference updates or trusted server-side models.
  • Combined with reputation mechanisms or circuit-encoded validity checks, these can exclude up to 40–50% Byzantine clients.

Clipping and Momentum Mechanisms (Zhang et al., 2023):

  • Gradient clipping restricts the $\ell_2$-norm to a fixed threshold, bounding Byzantine influence in any direction.
  • Local momentum and top-$k$ sparsification further reduce the impact of adversarial or noisy updates, while preserving convergence rates.
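As an added illustration (not code from any of the cited papers), the following pure-Python sketch implements the TNBS rule and the coordinate-wise trimmed mean and compares both with a plain mean on a constructed round in which two of ten clients send high-norm, sign-flipped updates; it uses $l = h = \alpha N$ with $\alpha = 0.2$, and the client count, gradient dimension and noise level are assumed for the demo.

```python
import math
import random
from typing import List, Sequence

Vector = List[float]


def l2_norm(v: Sequence[float]) -> float:
    return math.sqrt(sum(x * x for x in v))


def mean(grads: Sequence[Vector]) -> Vector:
    """Plain FedAvg-style mean: no protection against Byzantine clients."""
    return [sum(col) / len(grads) for col in zip(*grads)]


def tnbs_aggregate(grads: Sequence[Vector], l: int, h: int) -> Vector:
    """Two-sided norm-based screening: drop the l lowest- and h highest-norm
    updates (S_low and S_high), then average the N - l - h survivors."""
    n = len(grads)
    if l + h >= n:
        raise ValueError("l + h must be smaller than the number of clients")
    order = sorted(range(n), key=lambda i: l2_norm(grads[i]))
    kept = [grads[i] for i in order[l:n - h]]
    return mean(kept)


def coordinate_trimmed_mean(grads: Sequence[Vector], beta: float) -> Vector:
    """Coordinate-wise trimmed mean: per coordinate, discard the beta fraction
    of highest and lowest values and average the rest (tolerates beta*N outliers)."""
    n = len(grads)
    k = int(beta * n)
    if 2 * k >= n:
        raise ValueError("beta too large for this many clients")
    return [sum(sorted(col)[k:n - k]) / (n - 2 * k) for col in zip(*grads)]


def aggregation_errors(seed: int = 0) -> dict:
    """Constructed round (assumed values): 8 honest clients near a true gradient
    plus 2 Byzantine clients sending high-norm, sign-flipped updates.
    Returns the L2 distance of each rule's output from the true gradient."""
    rng = random.Random(seed)
    true_grad = [1.0, -0.5, 0.25, 2.0]
    honest = [[t + rng.gauss(0.0, 0.05) for t in true_grad] for _ in range(8)]
    byzantine = [[-50.0 * t for t in true_grad] for _ in range(2)]
    grads = honest + byzantine
    rng.shuffle(grads)
    alpha_n = 2  # attack budget alpha*N with alpha = 0.2, N = 10; l = h = alpha*N
    err = lambda agg: l2_norm([a - t for a, t in zip(agg, true_grad)])
    return {
        "mean": err(mean(grads)),
        "tnbs": err(tnbs_aggregate(grads, l=alpha_n, h=alpha_n)),
        "trimmed_mean": err(coordinate_trimmed_mean(grads, beta=0.2)),
    }
```

The plain mean is dragged far from the true gradient by the two attackers, while both robust rules stay within the honest clients' noise floor.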

3. Convergence Guarantees and Theoretical Analysis

Byzantine-robust FL frameworks provide explicit nonasymptotic convergence guarantees for both convex and nonconvex global objectives under standard smoothness and strong convexity assumptions. For TNBS (Basharat et al., 5 Mar 2025), let $l + h = 2\alpha N$ and assume $f_i$ is $L$-smooth:

  • Nonconvex setting: The expected squared gradient norm satisfies

$$\frac{1}{T} \sum_{t=0}^{T-1} \mathbb{E}\left[\|\nabla F(w_t)\|^2\right] \leq \frac{2(F(w_0)-F^*)}{\eta T} + \frac{\sigma^2 d}{N-l-h},$$

ensuring an $O(1/\epsilon)$ rate to $\epsilon$-stationarity.

  • Convex setting: If $\alpha < 1/3$ and $\eta = O(1/\sqrt{T})$,

$$\mathbb{E}[F(w_T)] - F^* \leq O(1/\sqrt{T}) + \frac{\sigma^2 d}{N-l-h}.$$

The bias term depends on the strength of differential privacy noise and the number of retained (non-screened) clients.

In frameworks with reference-set loss filtering (Kritharakis et al., 25 Aug 2025), sublinear convergence in nonconvex objectives and $O(1/T)$ rates in convex settings are established, with optimality gaps determined by the variance of honest updates and the reference dataset approximation error.

4. Privacy and Fairness Integration

Modern Byzantine-robust federated frameworks combine adversarial resilience with formal privacy and fairness guarantees:

  • Differential Privacy (DP): Clients add i.i.d. Gaussian noise to their clipped updates:

$$\tilde{g}_i = g_i + \mathcal{N}(0, \sigma^2 I),$$

where $\sigma^2 = 2C^2 \ln(1.25/\delta)/\epsilon^2$ for $(\epsilon,\delta)$-DP and $C$ is the clipping norm (Basharat et al., 5 Mar 2025, Zhang et al., 2023, Rahmati et al., 3 Jan 2026). DP calibration can be performed analytically, and DP noise is applied prior to any aggregation or screening.

  • Fairness via $q$-Fair Federated Learning: The global objective is skewed to up-weight high-loss clients:

$$H(w) = \sum_{i=1}^N p_i \frac{1}{q+1} f_i(w)^{q+1},$$

resulting in empirical accuracy variance reduction and improved worst-case client fairness (Basharat et al., 5 Mar 2025).

  • Multi-party Secure Aggregation and Post-Quantum Security: In mission-critical domains (e.g., IoT), secure aggregation using lattice-based (CRYSTALS-Kyber) cryptography supports DP guarantees and robustness against quantum adversaries with minimal overhead (Rahmati et al., 3 Jan 2026, Velicheti et al., 2021). Real-time systems demonstrate aggregation latencies <1s and effective defense against up to 40% adversaries.
  • Adaptive Clipping (ABBR): Low-dimensional projection plus adaptive per-update clipping in the original model space ensures that malicious filters passing the initial screen have minimal impact (Zhang et al., 19 Dec 2025). This approach leverages randomized projections to reduce computational overhead while preserving DP and robustness.
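An added example (not from the cited papers) of the client-side clipping and Gaussian-noise step described in the DP bullet above, which also illustrates the clipping claim from Section 2: gaussian_sigma applies the stated $(\epsilon, \delta)$ calibration, and clip_l2 shows why a clipping norm $C$ bounds any single update's influence regardless of how large the client makes it. The sample vectors and $C = 1$ are assumed values.

```python
import math
import random
from typing import List, Sequence


def gaussian_sigma(C: float, eps: float, delta: float) -> float:
    """Noise scale from the calibration sigma^2 = 2 C^2 ln(1.25/delta) / eps^2."""
    return math.sqrt(2.0 * C * C * math.log(1.25 / delta)) / eps


def l2_norm(v: Sequence[float]) -> float:
    return math.sqrt(sum(x * x for x in v))


def clip_l2(g: Sequence[float], C: float) -> List[float]:
    """Scale g down so that ||g||_2 <= C; updates already within C pass unchanged."""
    norm = l2_norm(g)
    scale = min(1.0, C / norm) if norm > 0.0 else 1.0
    return [x * scale for x in g]


def privatize_update(g: Sequence[float], C: float, eps: float, delta: float,
                     rng: random.Random) -> List[float]:
    """Client-side DP step: clip first, then add i.i.d. N(0, sigma^2) noise per
    coordinate. This runs before the server screens or aggregates anything."""
    sigma = gaussian_sigma(C, eps, delta)
    return [x + rng.gauss(0.0, sigma) for x in clip_l2(g, C)]


def clipped_norms(C: float = 1.0) -> tuple:
    """Constructed inputs (assumed values): an honest-sized update and a 100x
    scaled copy of it. Returns both norms after clipping to C."""
    honest = [0.3, -0.2, 0.4]
    oversized = [100.0 * x for x in honest]
    return l2_norm(clip_l2(honest, C)), l2_norm(clip_l2(oversized, C))
```

After clipping, the oversized update can contribute at most a norm-$C$ vector to the aggregate, the same bound every other client faces.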

5. Empirical Validation and Practical Considerations

Extensive empirical studies across MNIST, CIFAR-10, Fashion-MNIST, EMNIST, and industry IoT datasets consistently demonstrate the superiority or parity of state-of-the-art Byzantine-robust frameworks over classical robust means, median, Krum, and trimmed-mean baselines:

  • Under strong attacks (sign/label flipping, Gaussian, targeted adversarial perturbations), frameworks like TNBS (Basharat et al., 5 Mar 2025), FedGreed (Kritharakis et al., 25 Aug 2025), and ABBR (Zhang et al., 19 Dec 2025) uniformly retain $>5\%$ higher accuracy or achieve up to 20 percentage point improvements compared to competitors.
  • Privacy-preserving variants using differential privacy and secure aggregation enable practical defense with negligible or modest decreases in utility (e.g., accuracy $>85\%$ at $\epsilon \approx 0.5$).
  • Fairness enhancements (e.g., q-FFL) substantially reduce the variance of per-client accuracy under both benign and attack scenarios.

Typical parameter selection involves:

  • Setting $l = h \approx \alpha N$ for a conservative estimate of the Byzantine fraction.
  • Cross-validating $\alpha$ under variable attack rates to balance retention of honest gradients with robustness.
  • Monitoring the distribution of honest update norms during an initial warm-up phase for screening threshold calibration.

6. Limitations and Extensions

Byzantine-robust frameworks inevitably introduce trade-offs:

  • Overly aggressive screening or clipping risks discarding informative updates from benign but statistically atypical clients, especially under strong non-IID distributions or high local update variance.
  • Excessive privacy noise can reduce accuracy, particularly in small-population or highly heterogeneous settings.
  • The assumption of a fixed or upper-bounded fraction of Byzantine clients limits adaptivity to dynamic adversary rates; recent work advocates for incorporating real-time client reputation or score-based dynamic screening (Rahmati et al., 3 Jan 2026).
  • Reference-set-based and two-sided screening approaches require careful parameter calibration to avoid under-utilization of honest contributions.

Communication efficiency (compression for communication-constrained FL) is integrated via robust-compatible compression schemes such as the Johnson-Lindenstrauss transform, which has been shown not to amplify adversarial influence (Xia et al., 18 Aug 2025).

7. Outlook and State of the Art

The integration of robust aggregation (e.g., TNBS, coordinate-wise median/trim, loss-based greedy selection), differentially-private local update mechanisms, adaptive screening or reputation scoring, and fairness-enhancing objectives synthesizes a mature framework for trustworthy federated learning. Current state-of-the-art methods provide simultaneous formal guarantees for robustness, privacy, and fairness, with bounded optimality gaps under minimal or realistic adversary assumptions and without reliance on sensitive or impractical server-held validation data (Basharat et al., 5 Mar 2025, Kritharakis et al., 25 Aug 2025, Zhang et al., 19 Dec 2025).

These advances have catalyzed the adoption of federated learning in high-stakes domains—finance, critical industrial control, and real-time edge intelligence—where strong adversarial resilience is essential. Remaining challenges include further optimization of screening parameter adaptivity, privacy-accuracy trade-offs, efficiency in extremely high-dimensional or large-scale deployments, and the unification of horizontal and vertical FL robustness methodologies.
