Hammer and Anvil: Backdoor Defense in Federated Learning
- Hammer and Anvil is a defense framework that partitions backdoor attacks by the ℓ2-norm magnitude of client updates, using robust aggregation (Hammer) for large deviations and fine-tuning (Anvil) for small ones.
- The framework concretely instantiates as Krum⁺, combining Krum's robust selection of benign updates with CSFT to ensure bounded byzantine robustness against adaptive attacks.
- Empirical evaluations on CIFAR-10 demonstrate that Hammer and Anvil maintains high benign accuracy while reducing attack success rates using a small, clean server-side dataset.
Hammer and Anvil is a defense framework for backdoor robustness in federated learning that combines a robust-aggregation stage, the “Hammer,” with a post-training fine-tuning removal stage, the “Anvil,” to ensure that no “size” of backdoor-inserting update can slip through (Fenaux et al., 9 Sep 2025). In the formulation introduced in “Hammer and Anvil: A Principled Defense Against Backdoors in Federated Learning,” the central object is the -norm gap between expected benign and malicious updates, , which partitions the attack space into large-magnitude updates that can be rejected or bounded by robust aggregation and small-magnitude updates that can be erased by clipped super-fine-tuning. The concrete instantiation Krum—Krum as Hammer and CSFT as Anvil—is presented as a defense with both a byzantine-robustness bound and empirical resilience against a new adaptive adversary and state-of-the-art attacks (Fenaux et al., 9 Sep 2025).
1. Federated-learning setting and backdoor threat model
The framework is defined in a standard federated-learning setting with clients indexed by , of which up to may be malicious (Fenaux et al., 9 Sep 2025). At round , the server holds global model parameters . Client holds private data , while malicious clients may additionally hold backdoor data 0. Each client computes a local update
1
although for malicious 2, 3 may train on 4 or directly craft 5 to embed a backdoor.
Under standard FedAvg aggregation, the update rule is
6
where 7 is the set of 8 participating clients. The threat arises because the distributed setting allows malicious clients to participate in training while modifying the model’s behavior in a targeted manner.
A backdoor trigger is a small pattern 9 inserted into inputs 0, so that the model labels 1 as a target class 2. The malicious objective is explicitly multi-objective:
3
so that the global model remains accurate on clean data but mis-classifies any 4-triggered input as 5 (Fenaux et al., 9 Sep 2025).
This construction makes the backdoor problem distinct from generic byzantine corruption. The attacker is not merely degrading utility; the attacker aims to preserve benign accuracy while inducing a trigger-conditional failure mode. The paper further emphasizes that no defense against backdoor attacks has stood the test of time, especially against adaptive attackers, and introduces a new adaptive adversary with stronger capabilities, yielding attacks that only require one or two malicious clients out of 6 to break existing state-of-the-art defenses (Fenaux et al., 9 Sep 2025).
2. Magnitude-based decomposition: the Hammer and the Anvil principle
The key insight is that backdoor-inserting updates can be broadly split by their 7-norm magnitude 8 (Fenaux et al., 9 Sep 2025). Hammer and Anvil formalizes a two-regime defense strategy around this quantity.
The Hammer is a robust or clustering-based aggregator that excels at rejecting or bounding large-magnitude attacks. The examples given are Krum, median-of-means, and norm-bounding. The Anvil is a post-aggregation removal defense—“clipped super-fine-tuning” (CSFT)—that surgically removes small-magnitude backdoors by fine-tuning on a small clean dataset.
Two propositions structure the argument. Proposition 1 states that, as 9 increases, Hammer detects malicious updates as outliers and either discards them or limits their influence. Therefore, there exists a threshold 0 such that any attack with 1 is neutralized by Hammer. Proposition 2 states that, as 2 decreases, the aggregated model converges ever closer to a clean-trained model, and a post-training fine-tune on a small clean set 3 plus gradient clipping will erase any residual backdoor. Therefore, there exists a threshold 4 such that any attack with 5 is removed by Anvil (Fenaux et al., 9 Sep 2025).
The resulting attack window is the interval 6. If 7, that window vanishes. This suggests that the defense is not tied to a single heuristic signal; instead, it is organized around complementary failure modes. Large deviations are filtered by robust aggregation, whereas small deviations are assumed to remain sufficiently close to the clean trajectory that post hoc benign fine-tuning can wash them out.
The approach is therefore described as principled because it combines two defenses orthogonal in their underlying principle to produce a combined defense that, given the right set of parameters, must succeed against any attack (Fenaux et al., 9 Sep 2025). The conceptual contribution is less a new isolated mechanism than a partition of the attack space by update magnitude.
3. Krum8: concrete construction of the combined defense
The paper’s special case sets Hammer = Krum and Anvil = CSFT, yielding Krum9 (Fenaux et al., 9 Sep 2025). Krum operates at each federated round on the set of updates 0.
For each 1, Krum computes the score
2
where 3 is the set of the 4 clients whose updates are closest to 5 in Euclidean distance. Krum then selects
6
sets 7, and updates
8
Operationally, the server computes pairwise distances 9 for all 0, forms the nearest-neighbor set 1, evaluates the score for each candidate update, and returns the lowest-score update as the round update. The intended effect is to select an update embedded in the honest cluster rather than an outlier.
CSFT is applied after 2 federated rounds have produced 3. The server possesses a small clean fine-tuning set 4 of size 5, for example 6–7 of total samples (Fenaux et al., 9 Sep 2025). Given hyper-parameters clip threshold 8 and a learning-rate schedule 9 over 0 epochs, CSFT initializes 1, computes the gradient 2, clips it as
3
sets the learning rate according to the super-fine schedule, and updates
4
After 5 epochs it returns 6.
The combined defense is correspondingly simple. At each round 7, the server distributes 8 to 9 clients, collects their updates 0, and sets
1
After 2 rounds, the server applies
3
This decomposition is significant because the two stages act on different objects. Krum is a round-wise aggregator over client updates, whereas CSFT is a post-training model repair procedure over server-held clean data. The orthogonality of these mechanisms is the basis for the claimed complementarity.
4. Formal guarantees, thresholds, and parameter effects
By design, Krum tolerates up to 4 Byzantine clients. Under the classical analysis cited in the paper, if at most 5 updates are arbitrary, Krum still selects one of the honest updates. Thus for large-6 attacks with 7, Krum8 has the same byzantine-robustness bound:
9
For small-0 attacks with 1, CSFT fine-tunes the model on purely benign data, and because 2 is the threshold below which the backdoor weight signature is smaller than the noise floor introduced by fine-tuning and clipping, the residual backdoor is erased in 3 epochs (Fenaux et al., 9 Sep 2025).
The combined statement is:
4
The proof sketch in the paper is correspondingly bifurcated. If 5, the malicious updates lie far from the honest cluster, so Krum’s outlier detection discards them or fails to select them. If 6, then the final model after federated training is within 7 of a clean model, and CSFT with gradient clipping re-centers 8 at the honest optimum, washing out any backdoor (Fenaux et al., 9 Sep 2025).
The parameter choices are presented as follows. The number of malicious clients 9 must satisfy 0 for Krum’s guarantee. The size of the fine-tuning set 1 is stated as 2–3 of total samples, yielding minimal benign-accuracy loss and full backdoor removal; fewer samples can suffice but may overfit, while more samples give diminishing returns. The clipping threshold 4 is typically 5–6; too small degrades accuracy, too large lets backdoor gradients slip through. The CSFT duration is 7 epochs, after which accuracy stabilizes and ASR remains low. The learning-rate schedule is a cyclical sawtooth between 8 and 9, which helps escape local minima induced by the backdoor (Fenaux et al., 9 Sep 2025).
These thresholds and hyper-parameters define the operational regime of the method. A plausible implication is that the defense’s effectiveness depends not only on the existence of the Hammer/Anvil split, but also on whether practical parameter settings bring 00 and 01 sufficiently close that the intermediate window is negligible.
5. Experimental evaluation and empirical behavior
The reported experimental setup uses CIFAR-10 with 02k train and 03k test samples, 04 clients, and 05 participants per round (Fenaux et al., 9 Sep 2025). The number of malicious clients is varied over 06. Fine-tuning sets 07 have size 08 (09) or 10 (11). The attacks include artificial triggers—BadNet patch and blended whole-image triggers—together with adaptive attacks against Krum, MoM, and norm-bounding, plus state-of-the-art attacks DBA, Neurotoxin, and model-replacement. The metrics are benign accuracy on the CIFAR-10 test set and attack success rate (ASR), defined as the percentage of 12-triggered inputs classified as the target 13.
The core CIFAR-10 results are sharply differentiated across defense configurations. Hammer alone, instantiated as Krum, yields ASR 14 for 15. Anvil alone, instantiated as CSFT, fails for 16 large-17 attacks with ASR 18. Krum19 obtains ASR 20 in all 21 configurations formed by 22 and two trigger types, with 23 benign-accuracy loss. Against DBA, Neurotoxin, and model-replacement, Krum24 defends with nearly zero ASR (Fenaux et al., 9 Sep 2025).
Additional studies characterize the hyper-parameter sensitivities. When varying 25, accuracy plateaus beyond 26 samples, and ASR falls below 27 for 28. When varying 29, the method needs approximately 30 fine-tuning epochs, and monitoring clean-accuracy convergence suffices to stop. Under non-IID data with Dirichlet 31 and on MNIST, Krum32 remains effective with 33 accuracy loss (Fenaux et al., 9 Sep 2025).
These results support the central empirical claim that the two components cover regimes that each fails to handle in isolation. Krum alone does not prevent successful backdoors in the tested setting, while CSFT alone is insufficient for large-34 attacks at higher attacker counts. The combined defense is presented as the first federated backdoor defense with both theory and practice aligned against adaptive attackers (Fenaux et al., 9 Sep 2025).
6. Trade-offs, limitations, and prospective extensions
The trade-offs are stated directly. Hammer and Anvil requires a small clean dataset 35 at the server, incurs extra computation through CSFT for 36 epochs, and relies on tuning hyper-parameters 37, although those hyper-parameters are described as robust over wide ranges (Fenaux et al., 9 Sep 2025). These costs are structurally tied to the Anvil stage: without server-side clean data and post-training compute, the second half of the defense cannot be instantiated.
The limitations are equally explicit. If the server has no clean data, Anvil is unavailable. Extremely stealthy attacks at 38 could in principle slip through if the two thresholds separate. As-is, Krum operates only when 39 (Fenaux et al., 9 Sep 2025). The theoretical framing therefore does not eliminate all adversarial possibilities; rather, it identifies the conditions under which large- and small-magnitude attacks are each covered.
The extensions proposed in the paper preserve the same architectural principle while changing one or both components. The Hammer could be replaced with a stronger Hammer, for example FLAME’s clustering. The Anvil could be improved by combining pruning or lottery-ticket fine-tuning. The framework could be adapted to other data modalities such as NLP and speech, and personalization could be explored by applying Anvil per-user (Fenaux et al., 9 Sep 2025).
Taken together, these points position Hammer and Anvil as a modular template rather than a single fixed algorithm. The broader significance lies in the claim that large updates are filtered by a robust aggregator and small updates are ground to dust by post-processing fine-tuning, with Krum40 serving as the concrete demonstration that the two-stage construction can achieve provably bounded byzantine robustness plus empirical backdoor removal in every scenario studied (Fenaux et al., 9 Sep 2025).