Papers
Topics
Authors
Recent
Search
2000 character limit reached

FedGreed: Byzantine-Robust Aggregation

Updated 9 July 2026
  • FedGreed is a Byzantine-robust aggregation method for federated learning, using a trusted dataset to evaluate and rank client model updates.
  • It employs a greedy, loss-based prefix search that adaptively constructs the global model without requiring prior knowledge of the number of Byzantine clients.
  • Empirical results demonstrate its effectiveness under label flipping and Gaussian noise attacks, particularly in heterogeneous, non-IID settings.

FedGreed is a Byzantine-robust aggregation method for federated learning in which a trusted central server uses a small trusted reference dataset to evaluate client-returned models, orders those models by server-side loss, and greedily constructs the next global model by averaging only the highest-ranked clients for as long as the trusted loss continues to improve (Kritharakis et al., 25 Aug 2025). In the formulation provided for the method, the server does not require prior knowledge of the number or fraction of Byzantine clients, and the design target is heterogeneous, non-IID federated learning rather than settings in which honest client updates are assumed to be tightly clustered (Kritharakis et al., 25 Aug 2025).

1. Problem formulation and system assumptions

FedGreed is defined in a standard centralized federated learning architecture with one trusted server and NN clients. At round tt, the server broadcasts the current global model xtRdx^t \in \mathbb{R}^d; each client initializes from xtx^t, performs R1R \ge 1 local optimization steps such as SGD or Adam on its own local objective, and returns an updated local model xit+1x_i^{t+1}, or an attacked version of it, to the server (Kritharakis et al., 25 Aug 2025).

The target objective is the population loss

f(x)=E[F(x,a)],f(x) = \mathbb{E}[F(x,a)],

where F(x,a)F(x,a) is the per-sample loss and aPa \sim P is drawn from the unknown data distribution. Because PP is not directly available, the method distinguishes between two empirical surrogates. Client tt0 has local data tt1 and local empirical loss

tt2

while the server has a trusted approximation

tt3

constructed from a small trusted server-held dataset (Kritharakis et al., 25 Aug 2025).

A defining assumption is that client data may be non-IID: each client’s data may come from its own distribution tt4, not necessarily equal to tt5. This heterogeneity is central to the method’s motivation. The paper argues that many robust aggregators rely on geometric closeness among honest updates, but under non-IID data honest client models can naturally differ substantially, making distance-based defenses less reliable (Kritharakis et al., 25 Aug 2025).

The threat model is strong. Byzantine clients may behave arbitrarily, the server is trusted and not attacked, and the server can evaluate candidate models with tt6. The model actually received from client tt7 is

tt8

where tt9 is arbitrary (Kritharakis et al., 25 Aug 2025). The paper further assumes that at every round at least one client is honest.

2. Greedy loss-based aggregation rule

FedGreed aggregates client models or model parameters rather than being formulated primarily as a gradient aggregator. For each received model xtRdx^t \in \mathbb{R}^d0, the server computes the trusted-loss score

xtRdx^t \in \mathbb{R}^d1

Clients are then sorted in ascending order of trusted loss,

xtRdx^t \in \mathbb{R}^d2

where xtRdx^t \in \mathbb{R}^d3 denotes the client with the smallest server-side loss, xtRdx^t \in \mathbb{R}^d4 the second-smallest, and so on (Kritharakis et al., 25 Aug 2025).

The method is motivated as a tractable approximation to the combinatorial subset-selection problem

xtRdx^t \in \mathbb{R}^d5

Instead of optimizing over all subsets, FedGreed restricts attention to prefix subsets induced by the trusted-loss ordering. Its candidate family is

xtRdx^t \in \mathbb{R}^d6

Thus the server only tests the best single client, the average of the best two, the average of the best three, and so forth (Kritharakis et al., 25 Aug 2025).

The greedy construction begins from the best individual client model,

xtRdx^t \in \mathbb{R}^d7

At stage xtRdx^t \in \mathbb{R}^d8, the server forms

xtRdx^t \in \mathbb{R}^d9

which is exactly the average of the top xtx^t0 ranked models. If

xtx^t1

the candidate is accepted and xtx^t2 is updated; otherwise the procedure stops. The next global model is then

xtx^t3

This means that the selected subset size is determined adaptively by trusted-loss improvement rather than by a fixed corruption budget or a fixed top-xtx^t4 rule (Kritharakis et al., 25 Aug 2025).

A common misconception is to treat FedGreed as a generic filtering heuristic over arbitrary update diagnostics. In the paper’s formulation, the ranking criterion is specifically the server-side evaluation loss xtx^t5 on trusted data, and the greedy stopping rule is likewise defined entirely through that trusted loss (Kritharakis et al., 25 Aug 2025).

3. Theoretical claims and what is explicitly provided

The theoretical presentation is narrower than the headline claims might suggest. The paper repeatedly states that, under standard assumptions, FedGreed has convergence guarantees, bounded degradation, and bounded optimality gaps in both convex and non-convex regimes, and that the analysis depends on smoothness, stochastic gradient noise assumptions, and the approximation quality of xtx^t6 to the population loss xtx^t7 (Kritharakis et al., 25 Aug 2025). It also states that one can bound the expected averaged squared norm of the true population gradient in the non-convex case.

However, the text provided for the method does not include the exact theorem statements, lemma numbering, assumptions in fully explicit form, proof sketches, convergence rates, or constants. The paper explicitly says that detailed rigorous assumptions, theorems, and proofs are omitted, and that details are omitted for brevity (Kritharakis et al., 25 Aug 2025). Accordingly, the strongest precise statement that can be made is that the method claims such guarantees rather than presenting a mathematically self-contained theory in the text available here.

What is explicit is the intra-round monotonicity mechanism with respect to the trusted loss. Within the greedy search at a given round, the server only accepts a larger prefix average if it strictly improves xtx^t8. This guarantees that the final output of the round is at least as good in trusted loss as the best accepted candidate encountered so far. The paper’s intended interpretation is that if xtx^t9 is a sufficiently accurate proxy for R1R \ge 10, then such trusted-loss progress translates into useful optimization progress on the underlying learning problem (Kritharakis et al., 25 Aug 2025). This suggests a robustness argument based on semantic evaluation against trusted data rather than on pairwise geometry among client updates.

An additional theoretical nuance is that FedGreed does not require prior knowledge of the number or fraction of Byzantine clients. This differentiates it from methods whose selection or trimming rules depend on a corruption budget known in advance. The paper presents that corruption-budget independence as a central gap addressed by the method (Kritharakis et al., 25 Aug 2025).

4. Robustness model, attack scenarios, and limitations

FedGreed is evaluated under two attack classes. The first is label flipping, described as a targeted data-poisoning attack in which adversarial clients relabel class R1R \ge 11 as

R1R \ge 12

where R1R \ge 13 is the number of classes. The second is Gaussian noise injection, an untargeted Byzantine model-poisoning attack in which malicious clients perturb their updates by

R1R \ge 14

with

R1R \ge 15

Although this attack is written in delta-update notation, the aggregation algorithm itself is still presented in terms of returned client models (Kritharakis et al., 25 Aug 2025).

The robustness rationale is simple but restrictive. A client model that performs poorly on the trusted dataset receives a large R1R \ge 16, is ranked low, and is unlikely to be admitted into the accepted prefix because including it typically worsens R1R \ge 17. Conversely, a model that behaves well on the trusted data can be admitted even if it is geometrically distant from other honest models, which is intended to make the method more suitable for non-IID settings than distance-based defenses (Kritharakis et al., 25 Aug 2025).

The paper explicitly claims that the method can operate when malicious clients are the majority and reports experiments with up to R1R \ge 18 malicious clients. It also states that FedGreed can remain effective even when only one honest client exists per round, provided R1R \ge 19 is informative enough to distinguish useful from harmful models (Kritharakis et al., 25 Aug 2025).

At the same time, the paper does not claim uniform dominance. A specific failure mode is discussed for rare, highly skewed non-IID settings, especially under Gaussian noise attack. In such cases, even the best honest client may deviate substantially from the average honest direction, and a malicious update may obtain a trusted loss similar to those of strongly skewed honest clients. The paper states that FedGreed still has bounded error in theory, but that the bound may become so loose under high skewness that test accuracy becomes poor (Kritharakis et al., 25 Aug 2025). This is an important limitation rather than a minor caveat.

A second limitation concerns the trusted dataset itself. The method depends on a server-held trusted reference set, yet the experimental section reports no ablation on trusted dataset size and no sensitivity study for that design choice (Kritharakis et al., 25 Aug 2025). A plausible implication is that deployment quality depends materially on how representative that trusted dataset is, but the supplied text does not quantify that dependence.

5. Empirical evaluation

All experiments were conducted in the Flower federated learning framework. The evaluation uses three image-classification datasets—MNIST, Fashion-MNIST (FMNIST), and CIFAR-10—and CNN models from the Flower repository: one CNN for CIFAR-10 and one CNN for MNIST and FMNIST (Kritharakis et al., 25 Aug 2025).

The federated protocol uses 10 clients and 50 communication rounds. All defenses are active from round 1, while the attack begins at round 10 and remains active thereafter. The paper investigates both SGD and Adam for local training and adopts Adam because it yielded slightly better accuracy; default optimizer hyperparameters are used. The text does not explicitly discuss partial participation, and the experiments appear to use full participation among the 10 clients (Kritharakis et al., 25 Aug 2025).

Data heterogeneity is induced with a Dirichlet partitioning strategy. The concentration parameter is xit+1x_i^{t+1}0 for strongly skewed, highly heterogeneous settings and xit+1x_i^{t+1}1 for mildly skewed, moderately heterogeneous settings. Three adversarial regimes are tested: 3, 5, and 8 malicious clients out of 10 total clients. Thus the strongest scenario has 80% malicious clients (Kritharakis et al., 25 Aug 2025).

The server-held dataset is split evenly into two subsets. One subset is used to evaluate each individual client model and the intermediate aggregates produced during the FedGreed search; the other is used to evaluate the final global model’s centralized accuracy each round. The same evaluation set is used across all defense methods for fairness. The exact size of the trusted evaluation subset is not reported explicitly (Kritharakis et al., 25 Aug 2025).

The baselines are Mean, Trimmed Mean, Median, Krum, and Multi-Krum. Baseline hyperparameters are specified as follows: Krum and Multi-Krum receive the true number of malicious clients as parameter xit+1x_i^{t+1}2, Multi-Krum selects a number of updates equal to the number of benign clients, and Trimmed Mean uses xit+1x_i^{t+1}3 (Kritharakis et al., 25 Aug 2025). This matters because FedGreed is compared against baselines that are given the true corruption level, whereas FedGreed itself does not use that information.

The primary metric is centralized accuracy on the server evaluation subset. Reported values are mean centralized accuracy averaged over rounds after attack onset, described as rounds from 10 onward, and averaged over three independent federated simulations with different random seeds for adversarial client sampling (Kritharakis et al., 25 Aug 2025).

Empirically, the paper reports three broad findings. First, in no-attack settings, FedGreed is competitive with strong baselines and does not materially hurt clean training. Second, under label flipping, FedGreed is usually the best or among the best across datasets and heterogeneity levels. Third, under Gaussian noise, FedGreed is dramatically stronger than most baselines in many settings, especially on FMNIST and MNIST under mild heterogeneity, while still encountering difficult high-skew Gaussian-noise cases, particularly on CIFAR-10 with xit+1x_i^{t+1}4 (Kritharakis et al., 25 Aug 2025).

For CIFAR-10 under label flipping, the paper gives explicit FedGreed accuracies across all malicious-client counts and both heterogeneity levels. The reported values are: xit+1x_i^{t+1}5 and xit+1x_i^{t+1}6 for xit+1x_i^{t+1}7, xit+1x_i^{t+1}8 and xit+1x_i^{t+1}9 for f(x)=E[F(x,a)],f(x) = \mathbb{E}[F(x,a)],0, and f(x)=E[F(x,a)],f(x) = \mathbb{E}[F(x,a)],1 and f(x)=E[F(x,a)],f(x) = \mathbb{E}[F(x,a)],2 for f(x)=E[F(x,a)],f(x) = \mathbb{E}[F(x,a)],3, corresponding to f(x)=E[F(x,a)],f(x) = \mathbb{E}[F(x,a)],4 and f(x)=E[F(x,a)],f(x) = \mathbb{E}[F(x,a)],5, respectively (Kritharakis et al., 25 Aug 2025). In the no-attack condition on CIFAR-10, FedGreed is described as being around f(x)=E[F(x,a)],f(x) = \mathbb{E}[F(x,a)],6 depending on f(x)=E[F(x,a)],f(x) = \mathbb{E}[F(x,a)],7, with example values f(x)=E[F(x,a)],f(x) = \mathbb{E}[F(x,a)],8 and f(x)=E[F(x,a)],f(x) = \mathbb{E}[F(x,a)],9 for F(x,a)F(x,a)0, F(x,a)F(x,a)1 and F(x,a)F(x,a)2 for F(x,a)F(x,a)3, and F(x,a)F(x,a)4 and F(x,a)F(x,a)5 for F(x,a)F(x,a)6 (Kritharakis et al., 25 Aug 2025).

6. Relation to neighboring “greedy” and similarly named methods

The label “FedGreed” can be confused with several adjacent lines of work, but those methods solve different problems.

GreedyFed is a client-selection method for communication-efficient federated learning. It uses a server-side validation set, approximate Shapley values, round-robin initialization, and then greedy top-F(x,a)F(x,a)7 client selection based on cumulative value estimates under communication-round constraints (Singhal et al., 2023). FedGreed, by contrast, does not greedily choose which clients will participate in a future round; it greedily selects which already returned client models should enter the current aggregation, using trusted-loss evaluation on a reference dataset (Kritharakis et al., 25 Aug 2025).

FedCG is another neighboring method in which the client-selection component is greedy, but the objective is diversity or representativeness of gradient information under non-IID data, combined with adaptive compression-ratio control under communication budgets (Jiang et al., 2022). Its greedy rule arises from submodular maximization with a F(x,a)F(x,a)8 approximation guarantee, whereas FedGreed’s greedy rule is a trusted-loss-improving prefix search over received models (Jiang et al., 2022).

FedGES belongs to a different problem class entirely: federated Bayesian network structure learning. It embeds Greedy Equivalence Search into a client-server loop and exchanges graph structures rather than data, parameters, gradients, or sufficient statistics (Torrijos et al., 3 Feb 2025). Its relevance is mainly terminological, because it is a federated greedy method but not a federated learning aggregator for neural-network models.

A concise comparison is helpful:

Method Core object of greediness Primary purpose
FedGreed Prefix subset of client-returned models ranked by trusted loss Byzantine-robust aggregation in FL
GreedyFed Top-F(x,a)F(x,a)9 clients ranked by cumulative Shapley value Communication-efficient client selection
FedCG Greedy representative client subset under a submodular objective Joint client selection and compression
FedGES Evolving Bayesian-network structures Federated BN structure learning

Another nearby but conceptually opposite line is self-centered attack design. FedThief studies Self-Centered Federated Learning, in which malicious clients degrade the global model while improving their own private model through divergence-aware ensemble techniques (Zhang et al., 30 Aug 2025). FedGreed is a defense-side aggregation strategy against Byzantine behavior, not a selfish attack framework.

Taken together, these comparisons situate FedGreed as a loss-based robust aggregator that uses trusted side information to avoid both corruption-budget assumptions and geometric-clustering assumptions. Its distinctive contribution is not generic “greediness” but a specific greedy acceptance rule defined over trusted evaluation loss on a server-held dataset (Kritharakis et al., 25 Aug 2025).

Topic to Video (Beta)

No one has generated a video about this topic yet.

Whiteboard

No one has generated a whiteboard explanation for this topic yet.

Follow Topic

Get notified by email when new papers are published related to FedGreed.