FedTruth: Dynamic Weight Aggregation

Updated 10 February 2026

The paper introduces FedTruth, a truth-discovery aggregation rule that jointly estimates the ground-truth model update and client reliability without relying on a trusted reference dataset.
It employs a convex optimization framework using coordinate descent to compute dynamic weights, robustly down-weighting malicious updates while preserving contributions from non-IID data.
Empirical evaluations on benchmarks such as MNIST and CIFAR-10 show that FedTruth maintains high accuracy under Byzantine and backdoor attacks, marking a significant advance in FL security.

Dynamic Weight Aggregation (FedTruth) is a truth-discovery–based aggregation rule for federated learning (FL), designed to defend against Byzantine and backdoor attacks by estimating a global model update and per-client reliability weights dynamically in each communication round. Unlike previous solutions, FedTruth does not require a trusted root dataset or rigid assumptions about client data distribution, instead co-estimating both the ground-truth model update and dynamic client weights based solely on the collection of observed local updates. This approach preserves contributions from all benign clients, even those whose data are underrepresented or highly non-IID, and robustly down-weights (but does not entirely discard) the influence of malicious updates (Ebron et al., 2023).

1. Overview and Distinction from Prior Aggregation Defenses

The objective of FedTruth is to uncover, at each round $t$ , a ground-truth global update $\Delta^*_t$ by leveraging all available local updates $\{\Delta_t^{(k)}\}_{k=1}^{n_t}$ , inferring both the aggregate model direction and client reliability. Traditional approaches such as trimmed-mean or median discard extreme per-coordinate updates, potentially losing rare-but-honest contributions. Cluster-based selectors (Krum, Bulyan, FoolsGold) operate under specific IID/non-IID distribution assumptions and may drop many meaningful updates. FLTrust, in contrast, relies on access to a trusted server dataset to generate a reference gradient for client weighting, which is often impractical.

FedTruth diverges from these paradigms by dispensing with any need for a trusted reference or dataset, instead constructing the truth “from scratch” each round via a joint estimation process that gives every client—regardless of its representative status—a reliability weight proportional to its estimated trustworthiness (Ebron et al., 2023).

2. Mathematical Formulation of Dynamic Aggregation Weights

FedTruth’s aggregation step comprises a convex optimization over both the ground-truth update and the vector of aggregation weights. Given $n_t$ updates $\Delta_t^{(1)}, \ldots, \Delta_t^{(n_t)} \in \mathbb{R}^d$ , the procedure is formulated as: $\min_{\Delta^*,\,\mathbf{p}} \sum_{k=1}^{n_t} g(p^{(k)})\, d(\Delta^*, \Delta^{(k)})$ subject to $\sum_{k=1}^{n_t} p^{(k)} = 1$ , with $p^{(k)} > 0$ .

Typical function choices are:

$d(\Delta^*, \Delta^{(k)}) = \|\Delta^* - \Delta^{(k)}\|^2 / \sigma^2$ , where $\sigma^2$ is the standard deviation of the updates.
$g(p) = -\log p$ .

The Lagrangian leads to closed-form coordinate-descent updates:

$p_t^{(k)} \leftarrow d(\Delta^*, \Delta_t^{(k)}) / \sum_{i} d(\Delta^*, \Delta_t^{(i)})$
Weight coefficients $w^{(k)} \propto g(p_t^{(k)}) = -\log p_t^{(k)}$ (normalized).
$\Delta^* \leftarrow \sum_{k=1}^{n_t} w^{(k)} \Delta_t^{(k)}$

Clients with updates far from the inferred truth receive smaller $p^{(k)}$ , reducing their impact in the aggregated model update (Ebron et al., 2023).

3. Algorithmic Workflow and Implementation Details

Each communication round of FedTruth proceeds as follows:

1. Initialize p^{(k)} ← 1/n_t for all k
2. Initialize Δ* ← ∑_{k} p^{(k)} Δ_t^{(k)}
3. repeat
     for k = 1…n_t: compute d_k ← d(Δ*, Δ_t^{(k)})
     Update p^{(k)} ← d_k / (∑_i d_i) for each k
     Set w^{(k)} ← g(p^{(k)}) / (∑_i g(p^{(i)}))
     Update Δ* ← ∑_{k=1}^{n_t} w^{(k)} ⋅ Δ_t^{(k)}
   until ‖Δ*_{new} – Δ*_{old}‖ < ε or max iterations reached
4. Return Δ*_t = Δ*
5. Update server model: w_{t+1} = w_t – η Δ*_t

This iterative refinement stops when the aggregated update stabilizes below a threshold, or after a fixed number of steps. The convexity of the underlying optimization, under mild conditions, ensures solution stability and convergence guarantees for the aggregation process (Ebron et al., 2023).

4. Robustness Properties of Dynamic Weight Aggregation

Dynamic aggregation weights derived in FedTruth confer several robustness benefits:

Targeted down-weighting of outliers: Malicious or poisoned client updates that deviate significantly from the emerging consensus direction are automatically assigned small $p^{(k)}$ , reducing their influence on $\Delta^*_t$ .
Preservation of non-IID diversity: Honest updates from underrepresented or minority data distributions are not forcibly trimmed, as in median/mean-based rules, provided they are not consistently far from the true update direction.
Collusion resistance: Adversarial clients must coordinate to move the consensus truth direction. As long as the fraction of malicious clients remains below 50%, their collective effect is overwhelmed by the aggregation mechanism.
Convergent optimization: The coordinate descent protocol is convex under standard conditions, providing formal stability claims for the obtained weights and truth update (Ebron et al., 2023).

5. Empirical Evaluation and Benchmark Comparisons

FedTruth was evaluated on MNIST, Fashion-MNIST, and CIFAR-10 under various levels of non-IID data partitioning (label bias up to 0.8) and with up to 40% malicious clients per round. Several poisoning and backdoor attacks were considered:

Byzantine attacks: Model-boosting, Gaussian noise, model amplification, constraint-&-scale.
Backdoor attacks: Distributed backdoor (DBA), edge-case, and PGD, each in multiple variants.

Performance metrics included main-task (clean) accuracy, backdoor success rate, rounds to convergence, and aggregation runtime. Notable findings include:

Under model-boosting Byzantine attacks (30–40% malicious), FedTruth and FedTruth-layer maintain main-task accuracy within 1–2% of clean baseline (∼98% MNIST), while FedAvg, Trimmed Mean, and Median fail to converge.
For large-variance Gaussian attacks, FedTruth matches FLTrust in robustness, despite requiring no server-side trusted data.
In challenging backdoor attack settings, FedTruth reduces backdoor success below a 40% threshold within 50 rounds, outperforming FedAvg, FLTrust, and median-based strategies, which may reach 50–90% backdoor accuracy.
When label bias is moderate (≤0.8) and adversarial fraction ≤30%, performance remains robust; degradation appears with near-maximal non-IID or >50% adversaries.
Full-model FedTruth aggregation requires approximately 3 sec/round for CIFAR-10, compared to <0.05 sec for FedAvg/Median/FLTrust and ~0.7 sec for Krum. Layer-wise variants incur a 2–3× overhead (Ebron et al., 2023).

6. Limitations, Assumptions, and Prospects

Key limitations and underlying assumptions include:

Majority-bonafide assumption: FedTruth expects fewer than half the participating clients each round are malicious. If adversaries control a majority, especially with collusion or Sybil attacks yielding near-identical updates, they can subvert the discovered truth.
Sensitivity to non-IID extremes: In highly imbalanced splits, where rare-class data is concentrated in a handful of clients, these groups may be down-weighted as outliers. Tuning $g$ and $d$ functions or incorporating hybrid schemes can partially address this.
Computational costs: Aggregation is slower than vanilla averaging and scales linearly with model size, with further increases for layer-wise instantiations.
Distance function flexibility: Defense efficacy can be enhanced by combining multiple distance metrics (e.g., Euclidean and cosine) to mitigate sophisticated attack types involving scale or direction manipulation.
Extensibility: Not yet applied to asynchronous FL, privacy-preserved aggregation, or cross-silo scenarios. Potential enhancements include long-term client reliability tracking and accelerated optimization within the truth-discovery step (Ebron et al., 2023).

7. Relationship to Broader Adaptive Aggregation Methods

Dynamic weight aggregation as instantiated in FedTruth fits within a broader trend of self-tuning aggregation rules in federated learning. Methods such as FedAWA adaptively optimize weights based on client vector alignment and global model stability without proxy data, focusing on data heterogeneity rather than on adversarial robustness (Shi et al., 20 Mar 2025). In contrast, FedTruth’s truth-discovery formulation is explicitly targeted at Byzantine and backdoor threat models, jointly estimating the global update and client reliabilities with strong performance under both IID and non-IID splits.

FedTruth thus exemplifies a generic, convex, data-driven approach to robust aggregation in federated learning, marking a substantial advance in defending against sophisticated model-poisoning attacks without reliance on external validation information or highly restrictive distributional assumptions (Ebron et al., 2023).

Markdown Upgrade to Chat

References (2)

Identifying the Truth of Global Model: A Generic Solution to Defend Against Byzantine and Backdoor Attacks in Federated Learning (full version) (2023)

FedAWA: Adaptive Optimization of Aggregation Weights in Federated Learning Using Client Vectors (2025)

Topic to Video (Beta)

No one has generated a video about this topic yet.

Whiteboard

No one has generated a whiteboard explanation for this topic yet.

Follow Topic

Get notified by email when new papers are published related to Dynamic Weight Aggregation (FedTruth).