FLAegis: Federated Learning Defense
- FLAegis is a federated learning defense framework that combines symbolic time-series transformation with FFT-based aggregation to mitigate indiscriminate poisoning attacks.
- Its two-layer server-side architecture first identifies malicious clients using SAX and spectral clustering, then aggregates benign updates using FFT to preserve model accuracy.
- The framework achieves near-perfect detection accuracy for various poisoning strategies while balancing defense robustness with computational efficiency.
FLAegis is a federated learning defense framework for poisoning resilience that combines symbolic time-series transformation and spectral clustering with a frequency-domain FFT-based aggregation layer. In its specific arXiv formulation, FLAegis is designed for a standard cross-device federated learning setting with a trusted server/aggregator, a set of clients participating in each round, and a subset of Byzantine clients that attempt to degrade the global model through poisoning attacks. The framework is explicitly targeted at indiscriminate (untargeted) accuracy-degrading attacks, rather than backdoor or other targeted attacks, and is evaluated as a two-layer server-side defense that first identifies suspicious clients and then robustly aggregates the remaining updates (Campos et al., 26 Aug 2025).
1. Definition, threat model, and problem setting
FLAegis addresses the security problem created by the decentralized training process in federated learning, where the server receives client-side model updates but does not observe the underlying local data. In the studied setup, one central server coordinates training over a set of clients per round, with a subset of those clients assumed to be Byzantine. A core assumption is , which is used both to justify majority-based cluster labeling and to support the interpretation that the smaller detected cluster is malicious (Campos et al., 26 Aug 2025).
The threat model follows the poisoning literature summarized in the source paper. Malicious clients may perform data poisoning or model poisoning, may attack in every round, and may collude by sharing local updates with one another. Their objective is indiscriminate degradation of global test accuracy rather than targeted class-level backdoors. The attackers are assumed not to know the server’s exact defense rule, including the FFT aggregation and identification pipeline (Campos et al., 26 Aug 2025).
The evaluated attacks comprise six representative poisoning strategies. They include Label Flipping, LIE (Little Is Enough), STATOPT (Static Optimization), Mimic, Min-max, and Min-sum. In this taxonomy, label flipping is a dirty-label data-poisoning method, whereas the others are model-poisoning attacks. Several of these attacks are explicitly collusive. LIE uses
STATOPT uses
and both Min-max and Min-sum use
Mimic instead copies a benign high-variance update to bias mean-based aggregation while retaining a benign-looking direction (Campos et al., 26 Aug 2025).
This positioning distinguishes FLAegis from several other lines of federated learning research. Some papers use the term “FLAegis” more broadly as a conceptual “shield” for flexible architecture aggregation, privacy-utility-efficiency control, trustworthy evaluation, or accountable FactSheet-based governance, but those usages are explicitly explanatory or hypothetical rather than the named two-layer poisoning defense introduced in 2025 (Park et al., 2024, Stricker et al., 8 May 2026, Baracaldo et al., 2022). This suggests that the proper encyclopedic referent of FLAegis is the two-stage anti-poisoning framework, while the broader “aegis” metaphor recurs across adjacent federated learning literatures.
2. Two-layer server-side architecture
FLAegis operates entirely at the server in two sequential layers. The first layer is an identification phase that uses SAX, cosine similarity, spectral clustering, and K-means to classify clients as benign or malicious. The second layer is a mitigation phase that applies an FFT-based robust aggregation function to the surviving client updates. The framework’s pseudocode is given in the source as Algorithm 1 (Campos et al., 26 Aug 2025).
At round , each client starts from the current global model , trains locally for one epoch on its local data, and returns client weights . The server then performs the identification stage on the full set of submitted weights. If multiple clusters are detected, the larger cluster is labeled benign and the smaller cluster malicious; if only one cluster is found, all clients are treated as benign. The server then aggregates only the benign set 0 through the FFT-based layer: 1 The resulting model is broadcast to all clients for the next round (Campos et al., 26 Aug 2025).
The following summary captures the two layers as described in the paper.
| Layer | Inputs | Output |
|---|---|---|
| Identification | Client weights, SAX strings, cosine similarity matrix | Benign client set 2 |
| Mitigation | Weights from 3 | Aggregated weights via FFT |
The design rationale is explicitly complementary. The identification layer attempts to exclude malicious clients before aggregation, while the FFT layer reduces the residual effect of adversaries that escape detection. The source paper also compares the full method against variants without SAX and without FFT, concluding that both components contribute materially to robustness, especially under optimization-based attacks and imperfect first-stage detection (Campos et al., 26 Aug 2025).
3. Identification layer: SAX, cosine similarity, and spectral clustering
The first layer begins by treating each client’s flattened model weights as a one-dimensional time series and converting that sequence into a symbolic representation using SAX (Symbolic Aggregate approXimation). For each client 4, the server flattens 5, applies a SAX discretization into 45 symbols, and produces a symbolic string: 6
The paper illustrates the result as strings such as "CBCCBBCCACBBBAAAABAA" (Campos et al., 26 Aug 2025).
Within the standard SAX pipeline described in the source material, the weight sequence is segmented and mapped into equidistant bands. The result is a discretized symbolic series that suppresses small numerical fluctuations while preserving larger structural deviations. The stated purpose is to amplify the differences between benign and malicious models. The paper’s interpretation is that benign clients, trained under similar protocols, tend to occupy consistent symbolic bands, whereas malicious clients—particularly under optimized poisoning—are more likely to shift many segments into different bands, producing more distinguishable symbolic patterns under cosine similarity (Campos et al., 26 Aug 2025).
After SAX transformation, FLAegis computes a pairwise cosine similarity matrix
7
yielding
8
This matrix is then processed by spectral clustering. The paper describes the standard Laplacian construction,
9
with 0 and diagonal degree matrix 1, followed by eigendecomposition and K-means in the spectral embedding (Campos et al., 26 Aug 2025).
The operational decision rule is simple. If spectral clustering finds only one cluster, the server assumes no malicious clients and sets 2. If more than one cluster is found, the method explicitly runs K-means into two clusters 3, and—using the assumption 4—labels the larger cluster benign: 5 The smaller cluster is discarded as malicious (Campos et al., 26 Aug 2025).
The source paper’s ablation indicates that SAX materially improves detection for Min-max and Min-sum, especially at 20–40% malicious participation, whereas Mimic remains harder because malicious clients deliberately replicate a benign high-variance update. This clarifies a common misconception: the identification layer is not presented as universally perfect; rather, it is designed to make malicious behavior more separable on average and is intentionally backed by a second robust aggregation stage (Campos et al., 26 Aug 2025).
4. Mitigation layer: FFT-based robust aggregation
Once the benign set 6 has been selected, FLAegis applies an FFT-based robust aggregation method derived from the authors’ prior work “FedRDF.” This aggregation is coordinate-wise. For each layer 7 and parameter index 8, the server forms the vector of corresponding parameter values across benign clients: 9 It then computes
0
constructs a density function from frequency magnitudes, identifies the point of maximum density or highest frequency, and maps that dominant component back to the original domain to obtain the aggregated parameter value (Campos et al., 26 Aug 2025).
The paper presents this as a frequency-domain robust statistic. The intuition given is that outlying client updates correspond to irregular or low-density frequency components, while the dominant component reflects the most consistent value among the retained clients. The aggregation is repeated coordinate-wise across all layers and parameters to form the new global model (Campos et al., 26 Aug 2025).
In standard FedAvg notation, one may write aggregation as
1
FLAegis replaces both the participating client set and the operator. Only benign clients 2 are aggregated, and the averaging operator is replaced by the FFT estimator: 3 This is a structural departure from classic robust aggregation rules that only modify the aggregation operator while leaving the client pool unchanged (Campos et al., 26 Aug 2025).
The paper’s ablations indicate that FFT alone already provides substantial robustness and is often the second-best method overall, but it degrades as the malicious ratio grows. The identification layer therefore serves to reduce the effective adversarial fraction before the FFT layer is applied. This suggests a division of labor: spectral clustering handles coarse exclusion, while FFT handles residual contamination.
5. Empirical evaluation and comparative performance
The reported experiments are implemented in Flower on FEMNIST using a character-recognition CNN with three convolutional layers, a fully connected layer with 128 neurons and ReLU, and an output layer with 62 neurons and softmax. The federated configuration uses 50 random clients drawn from the LEAF split of FEMNIST, with all 50 clients active every round, 50 rounds of training, 1 epoch per client per round, Adam with learning rate 0.001, and batch size 64 (Campos et al., 26 Aug 2025).
The evaluation compares FLAegis with SignGuard, FedDMC, LoMar, plain FedAvg, pure FFT, and FFT-enhanced variants of the baselines. The attacks are the six poisoning strategies already listed. The principal outcomes reported are detection accuracy and final model accuracy under attack (Campos et al., 26 Aug 2025).
For detection accuracy, the source paper reports that FLAegis reaches 100% detection across nonzero malicious ratios for LIE, STATOPT, and Label Flipping. For Min-max and Min-sum, detection is lower at 10% malicious participation but rises to near-perfect values, approximately 0.95–0.99, at 20–40% malicious clients. For Mimic, detection decreases from approximately 0.94 at 10% malicious to approximately 0.82 at 40% malicious. The paper contrasts this with weaker or less stable behavior from SignGuard, FedDMC, and LoMar depending on the attack family (Campos et al., 26 Aug 2025).
For final model accuracy, the paper reports that baseline FedAvg without defense has clean accuracy of approximately 0.845 and drops sharply under attack. By contrast, FLAegis maintains accuracy around 0.83 across attacks and malicious ratios up to 40%, with the main exception of Mimic, where accuracy is around 0.81. When all methods are equipped with FFT aggregation, FLAegis remains the best-performing configuration, while pure FFT is typically second-best but degrades more strongly for Min-max, Min-sum, and LIE as the malicious ratio increases (Campos et al., 26 Aug 2025).
The paper’s ablation studies reinforce the role of each layer. Without SAX, robustness under Min-max and Min-sum declines, especially at higher malicious ratios. Without FFT, performance drops in cases where detection is imperfect, including Mimic and lower malicious ratios for optimization-based attacks. A plausible implication is that the architecture is less a single detector than a deliberately redundant defense stack.
6. Scope, limitations, and related interpretations of the term
FLAegis is evaluated for untargeted poisoning and explicitly not for backdoor or other targeted attacks. This is important because several neighboring federated learning defenses focus on backdoor resilience under either i.i.d. or non-i.i.d. assumptions. For example, Celtibero is a layered aggregation defense aimed at poisoning and backdoor attacks, including Model Replacement, DBA, and Neurotoxin, and is explicitly designed for non-i.i.d settings (Molina-Coronado, 2024). By contrast, the named FLAegis method is scoped to indiscriminate degradation attacks and relies on the majority assumption 4 (Campos et al., 26 Aug 2025).
The paper also acknowledges several limitations. The cluster-size heuristic fails if malicious clients reach or exceed 50% of participants. Mimic remains comparatively difficult because malicious clients deliberately imitate benign high-variance weights. The use of 45 SAX bands is fixed and not theoretically tuned; the paper notes that too few bands could oversmooth differences and too many could overfit noise. The computation is modest at 50 clients but would become heavier for very large federations because similarity-matrix construction and spectral clustering scale poorly relative to simple averaging. Finally, the method assumes the server has access to individual client updates. Strong secure aggregation would therefore be incompatible with the framework as described, and robustness under differential privacy noise is not studied (Campos et al., 26 Aug 2025).
A further point of clarification concerns the name itself. In later and adjacent federated learning discussions, “FLAegis” is sometimes used as a general metaphor for an FL “shield”: one account maps it onto accountable FactSheet-based auditing (Baracaldo et al., 2022), another onto centralized-equivalent evaluation via aggregatable measures (Stricker et al., 8 May 2026), others onto privacy-efficiency control inspired by parallel DP and HE partitioning (Wu et al., 17 Sep 2025) or architecture-flexible aggregation and backdoor dilution (Park et al., 2024). Those usages do not denote the same algorithmic object. In the strict bibliographic sense, however, FLAegis refers to the two-layer defense framework based on SAX + spectral clustering and FFT-based aggregation introduced in 2025 (Campos et al., 26 Aug 2025).
Taken together, the available literature places FLAegis within a broader movement toward multi-layered federated learning defenses that combine explicit detection with robust aggregation, rather than relying on either strategy alone. The specific method’s contribution is to operationalize that idea with symbolic transformation, spectral graph partitioning, and a frequency-domain aggregation rule in a setting with non-IID FEMNIST data and collusive poisoning attacks (Campos et al., 26 Aug 2025).