Papers
Topics
Authors
Recent
Search
2000 character limit reached

Hammer and Anvil: Backdoor Defense in Federated Learning

Updated 10 July 2026
  • Hammer and Anvil is a defense framework that partitions backdoor attacks by the ℓ2-norm magnitude of client updates, using robust aggregation (Hammer) for large deviations and fine-tuning (Anvil) for small ones.
  • The framework concretely instantiates as Krum⁺, combining Krum's robust selection of benign updates with CSFT to ensure bounded byzantine robustness against adaptive attacks.
  • Empirical evaluations on CIFAR-10 demonstrate that Hammer and Anvil maintains high benign accuracy while reducing attack success rates using a small, clean server-side dataset.

Hammer and Anvil is a defense framework for backdoor robustness in federated learning that combines a robust-aggregation stage, the “Hammer,” with a post-training fine-tuning removal stage, the “Anvil,” to ensure that no “size” of backdoor-inserting update can slip through (Fenaux et al., 9 Sep 2025). In the formulation introduced in “Hammer and Anvil: A Principled Defense Against Backdoors in Federated Learning,” the central object is the 2\ell_2-norm gap between expected benign and malicious updates, Δ=E[benign updates]E[malicious updates]2\Delta = \|E[\text{benign updates}] - E[\text{malicious updates}]\|_2, which partitions the attack space into large-magnitude updates that can be rejected or bounded by robust aggregation and small-magnitude updates that can be erased by clipped super-fine-tuning. The concrete instantiation Krum+^+—Krum as Hammer and CSFT as Anvil—is presented as a defense with both a byzantine-robustness bound and empirical resilience against a new adaptive adversary and state-of-the-art attacks (Fenaux et al., 9 Sep 2025).

1. Federated-learning setting and backdoor threat model

The framework is defined in a standard federated-learning setting with nn clients indexed by i=1,,ni = 1, \dots, n, of which up to m<n/2m < n/2 may be malicious (Fenaux et al., 9 Sep 2025). At round tt, the server holds global model parameters wtRkw_t \in \mathbb{R}^k. Client ii holds private data diDd_i \sim D, while malicious clients may additionally hold backdoor data Δ=E[benign updates]E[malicious updates]2\Delta = \|E[\text{benign updates}] - E[\text{malicious updates}]\|_20. Each client computes a local update

Δ=E[benign updates]E[malicious updates]2\Delta = \|E[\text{benign updates}] - E[\text{malicious updates}]\|_21

although for malicious Δ=E[benign updates]E[malicious updates]2\Delta = \|E[\text{benign updates}] - E[\text{malicious updates}]\|_22, Δ=E[benign updates]E[malicious updates]2\Delta = \|E[\text{benign updates}] - E[\text{malicious updates}]\|_23 may train on Δ=E[benign updates]E[malicious updates]2\Delta = \|E[\text{benign updates}] - E[\text{malicious updates}]\|_24 or directly craft Δ=E[benign updates]E[malicious updates]2\Delta = \|E[\text{benign updates}] - E[\text{malicious updates}]\|_25 to embed a backdoor.

Under standard FedAvg aggregation, the update rule is

Δ=E[benign updates]E[malicious updates]2\Delta = \|E[\text{benign updates}] - E[\text{malicious updates}]\|_26

where Δ=E[benign updates]E[malicious updates]2\Delta = \|E[\text{benign updates}] - E[\text{malicious updates}]\|_27 is the set of Δ=E[benign updates]E[malicious updates]2\Delta = \|E[\text{benign updates}] - E[\text{malicious updates}]\|_28 participating clients. The threat arises because the distributed setting allows malicious clients to participate in training while modifying the model’s behavior in a targeted manner.

A backdoor trigger is a small pattern Δ=E[benign updates]E[malicious updates]2\Delta = \|E[\text{benign updates}] - E[\text{malicious updates}]\|_29 inserted into inputs +^+0, so that the model labels +^+1 as a target class +^+2. The malicious objective is explicitly multi-objective:

+^+3

so that the global model remains accurate on clean data but mis-classifies any +^+4-triggered input as +^+5 (Fenaux et al., 9 Sep 2025).

This construction makes the backdoor problem distinct from generic byzantine corruption. The attacker is not merely degrading utility; the attacker aims to preserve benign accuracy while inducing a trigger-conditional failure mode. The paper further emphasizes that no defense against backdoor attacks has stood the test of time, especially against adaptive attackers, and introduces a new adaptive adversary with stronger capabilities, yielding attacks that only require one or two malicious clients out of +^+6 to break existing state-of-the-art defenses (Fenaux et al., 9 Sep 2025).

2. Magnitude-based decomposition: the Hammer and the Anvil principle

The key insight is that backdoor-inserting updates can be broadly split by their +^+7-norm magnitude +^+8 (Fenaux et al., 9 Sep 2025). Hammer and Anvil formalizes a two-regime defense strategy around this quantity.

The Hammer is a robust or clustering-based aggregator that excels at rejecting or bounding large-magnitude attacks. The examples given are Krum, median-of-means, and norm-bounding. The Anvil is a post-aggregation removal defense—“clipped super-fine-tuning” (CSFT)—that surgically removes small-magnitude backdoors by fine-tuning on a small clean dataset.

Two propositions structure the argument. Proposition 1 states that, as +^+9 increases, Hammer detects malicious updates as outliers and either discards them or limits their influence. Therefore, there exists a threshold nn0 such that any attack with nn1 is neutralized by Hammer. Proposition 2 states that, as nn2 decreases, the aggregated model converges ever closer to a clean-trained model, and a post-training fine-tune on a small clean set nn3 plus gradient clipping will erase any residual backdoor. Therefore, there exists a threshold nn4 such that any attack with nn5 is removed by Anvil (Fenaux et al., 9 Sep 2025).

The resulting attack window is the interval nn6. If nn7, that window vanishes. This suggests that the defense is not tied to a single heuristic signal; instead, it is organized around complementary failure modes. Large deviations are filtered by robust aggregation, whereas small deviations are assumed to remain sufficiently close to the clean trajectory that post hoc benign fine-tuning can wash them out.

The approach is therefore described as principled because it combines two defenses orthogonal in their underlying principle to produce a combined defense that, given the right set of parameters, must succeed against any attack (Fenaux et al., 9 Sep 2025). The conceptual contribution is less a new isolated mechanism than a partition of the attack space by update magnitude.

3. Krumnn8: concrete construction of the combined defense

The paper’s special case sets Hammer = Krum and Anvil = CSFT, yielding Krumnn9 (Fenaux et al., 9 Sep 2025). Krum operates at each federated round on the set of updates i=1,,ni = 1, \dots, n0.

For each i=1,,ni = 1, \dots, n1, Krum computes the score

i=1,,ni = 1, \dots, n2

where i=1,,ni = 1, \dots, n3 is the set of the i=1,,ni = 1, \dots, n4 clients whose updates are closest to i=1,,ni = 1, \dots, n5 in Euclidean distance. Krum then selects

i=1,,ni = 1, \dots, n6

sets i=1,,ni = 1, \dots, n7, and updates

i=1,,ni = 1, \dots, n8

Operationally, the server computes pairwise distances i=1,,ni = 1, \dots, n9 for all m<n/2m < n/20, forms the nearest-neighbor set m<n/2m < n/21, evaluates the score for each candidate update, and returns the lowest-score update as the round update. The intended effect is to select an update embedded in the honest cluster rather than an outlier.

CSFT is applied after m<n/2m < n/22 federated rounds have produced m<n/2m < n/23. The server possesses a small clean fine-tuning set m<n/2m < n/24 of size m<n/2m < n/25, for example m<n/2m < n/26–m<n/2m < n/27 of total samples (Fenaux et al., 9 Sep 2025). Given hyper-parameters clip threshold m<n/2m < n/28 and a learning-rate schedule m<n/2m < n/29 over tt0 epochs, CSFT initializes tt1, computes the gradient tt2, clips it as

tt3

sets the learning rate according to the super-fine schedule, and updates

tt4

After tt5 epochs it returns tt6.

The combined defense is correspondingly simple. At each round tt7, the server distributes tt8 to tt9 clients, collects their updates wtRkw_t \in \mathbb{R}^k0, and sets

wtRkw_t \in \mathbb{R}^k1

After wtRkw_t \in \mathbb{R}^k2 rounds, the server applies

wtRkw_t \in \mathbb{R}^k3

This decomposition is significant because the two stages act on different objects. Krum is a round-wise aggregator over client updates, whereas CSFT is a post-training model repair procedure over server-held clean data. The orthogonality of these mechanisms is the basis for the claimed complementarity.

4. Formal guarantees, thresholds, and parameter effects

By design, Krum tolerates up to wtRkw_t \in \mathbb{R}^k4 Byzantine clients. Under the classical analysis cited in the paper, if at most wtRkw_t \in \mathbb{R}^k5 updates are arbitrary, Krum still selects one of the honest updates. Thus for large-wtRkw_t \in \mathbb{R}^k6 attacks with wtRkw_t \in \mathbb{R}^k7, KrumwtRkw_t \in \mathbb{R}^k8 has the same byzantine-robustness bound:

wtRkw_t \in \mathbb{R}^k9

For small-ii0 attacks with ii1, CSFT fine-tunes the model on purely benign data, and because ii2 is the threshold below which the backdoor weight signature is smaller than the noise floor introduced by fine-tuning and clipping, the residual backdoor is erased in ii3 epochs (Fenaux et al., 9 Sep 2025).

The combined statement is:

ii4

The proof sketch in the paper is correspondingly bifurcated. If ii5, the malicious updates lie far from the honest cluster, so Krum’s outlier detection discards them or fails to select them. If ii6, then the final model after federated training is within ii7 of a clean model, and CSFT with gradient clipping re-centers ii8 at the honest optimum, washing out any backdoor (Fenaux et al., 9 Sep 2025).

The parameter choices are presented as follows. The number of malicious clients ii9 must satisfy diDd_i \sim D0 for Krum’s guarantee. The size of the fine-tuning set diDd_i \sim D1 is stated as diDd_i \sim D2–diDd_i \sim D3 of total samples, yielding minimal benign-accuracy loss and full backdoor removal; fewer samples can suffice but may overfit, while more samples give diminishing returns. The clipping threshold diDd_i \sim D4 is typically diDd_i \sim D5–diDd_i \sim D6; too small degrades accuracy, too large lets backdoor gradients slip through. The CSFT duration is diDd_i \sim D7 epochs, after which accuracy stabilizes and ASR remains low. The learning-rate schedule is a cyclical sawtooth between diDd_i \sim D8 and diDd_i \sim D9, which helps escape local minima induced by the backdoor (Fenaux et al., 9 Sep 2025).

These thresholds and hyper-parameters define the operational regime of the method. A plausible implication is that the defense’s effectiveness depends not only on the existence of the Hammer/Anvil split, but also on whether practical parameter settings bring Δ=E[benign updates]E[malicious updates]2\Delta = \|E[\text{benign updates}] - E[\text{malicious updates}]\|_200 and Δ=E[benign updates]E[malicious updates]2\Delta = \|E[\text{benign updates}] - E[\text{malicious updates}]\|_201 sufficiently close that the intermediate window is negligible.

5. Experimental evaluation and empirical behavior

The reported experimental setup uses CIFAR-10 with Δ=E[benign updates]E[malicious updates]2\Delta = \|E[\text{benign updates}] - E[\text{malicious updates}]\|_202k train and Δ=E[benign updates]E[malicious updates]2\Delta = \|E[\text{benign updates}] - E[\text{malicious updates}]\|_203k test samples, Δ=E[benign updates]E[malicious updates]2\Delta = \|E[\text{benign updates}] - E[\text{malicious updates}]\|_204 clients, and Δ=E[benign updates]E[malicious updates]2\Delta = \|E[\text{benign updates}] - E[\text{malicious updates}]\|_205 participants per round (Fenaux et al., 9 Sep 2025). The number of malicious clients is varied over Δ=E[benign updates]E[malicious updates]2\Delta = \|E[\text{benign updates}] - E[\text{malicious updates}]\|_206. Fine-tuning sets Δ=E[benign updates]E[malicious updates]2\Delta = \|E[\text{benign updates}] - E[\text{malicious updates}]\|_207 have size Δ=E[benign updates]E[malicious updates]2\Delta = \|E[\text{benign updates}] - E[\text{malicious updates}]\|_208 (Δ=E[benign updates]E[malicious updates]2\Delta = \|E[\text{benign updates}] - E[\text{malicious updates}]\|_209) or Δ=E[benign updates]E[malicious updates]2\Delta = \|E[\text{benign updates}] - E[\text{malicious updates}]\|_210 (Δ=E[benign updates]E[malicious updates]2\Delta = \|E[\text{benign updates}] - E[\text{malicious updates}]\|_211). The attacks include artificial triggers—BadNet patch and blended whole-image triggers—together with adaptive attacks against Krum, MoM, and norm-bounding, plus state-of-the-art attacks DBA, Neurotoxin, and model-replacement. The metrics are benign accuracy on the CIFAR-10 test set and attack success rate (ASR), defined as the percentage of Δ=E[benign updates]E[malicious updates]2\Delta = \|E[\text{benign updates}] - E[\text{malicious updates}]\|_212-triggered inputs classified as the target Δ=E[benign updates]E[malicious updates]2\Delta = \|E[\text{benign updates}] - E[\text{malicious updates}]\|_213.

The core CIFAR-10 results are sharply differentiated across defense configurations. Hammer alone, instantiated as Krum, yields ASR Δ=E[benign updates]E[malicious updates]2\Delta = \|E[\text{benign updates}] - E[\text{malicious updates}]\|_214 for Δ=E[benign updates]E[malicious updates]2\Delta = \|E[\text{benign updates}] - E[\text{malicious updates}]\|_215. Anvil alone, instantiated as CSFT, fails for Δ=E[benign updates]E[malicious updates]2\Delta = \|E[\text{benign updates}] - E[\text{malicious updates}]\|_216 large-Δ=E[benign updates]E[malicious updates]2\Delta = \|E[\text{benign updates}] - E[\text{malicious updates}]\|_217 attacks with ASR Δ=E[benign updates]E[malicious updates]2\Delta = \|E[\text{benign updates}] - E[\text{malicious updates}]\|_218. KrumΔ=E[benign updates]E[malicious updates]2\Delta = \|E[\text{benign updates}] - E[\text{malicious updates}]\|_219 obtains ASR Δ=E[benign updates]E[malicious updates]2\Delta = \|E[\text{benign updates}] - E[\text{malicious updates}]\|_220 in all Δ=E[benign updates]E[malicious updates]2\Delta = \|E[\text{benign updates}] - E[\text{malicious updates}]\|_221 configurations formed by Δ=E[benign updates]E[malicious updates]2\Delta = \|E[\text{benign updates}] - E[\text{malicious updates}]\|_222 and two trigger types, with Δ=E[benign updates]E[malicious updates]2\Delta = \|E[\text{benign updates}] - E[\text{malicious updates}]\|_223 benign-accuracy loss. Against DBA, Neurotoxin, and model-replacement, KrumΔ=E[benign updates]E[malicious updates]2\Delta = \|E[\text{benign updates}] - E[\text{malicious updates}]\|_224 defends with nearly zero ASR (Fenaux et al., 9 Sep 2025).

Additional studies characterize the hyper-parameter sensitivities. When varying Δ=E[benign updates]E[malicious updates]2\Delta = \|E[\text{benign updates}] - E[\text{malicious updates}]\|_225, accuracy plateaus beyond Δ=E[benign updates]E[malicious updates]2\Delta = \|E[\text{benign updates}] - E[\text{malicious updates}]\|_226 samples, and ASR falls below Δ=E[benign updates]E[malicious updates]2\Delta = \|E[\text{benign updates}] - E[\text{malicious updates}]\|_227 for Δ=E[benign updates]E[malicious updates]2\Delta = \|E[\text{benign updates}] - E[\text{malicious updates}]\|_228. When varying Δ=E[benign updates]E[malicious updates]2\Delta = \|E[\text{benign updates}] - E[\text{malicious updates}]\|_229, the method needs approximately Δ=E[benign updates]E[malicious updates]2\Delta = \|E[\text{benign updates}] - E[\text{malicious updates}]\|_230 fine-tuning epochs, and monitoring clean-accuracy convergence suffices to stop. Under non-IID data with Dirichlet Δ=E[benign updates]E[malicious updates]2\Delta = \|E[\text{benign updates}] - E[\text{malicious updates}]\|_231 and on MNIST, KrumΔ=E[benign updates]E[malicious updates]2\Delta = \|E[\text{benign updates}] - E[\text{malicious updates}]\|_232 remains effective with Δ=E[benign updates]E[malicious updates]2\Delta = \|E[\text{benign updates}] - E[\text{malicious updates}]\|_233 accuracy loss (Fenaux et al., 9 Sep 2025).

These results support the central empirical claim that the two components cover regimes that each fails to handle in isolation. Krum alone does not prevent successful backdoors in the tested setting, while CSFT alone is insufficient for large-Δ=E[benign updates]E[malicious updates]2\Delta = \|E[\text{benign updates}] - E[\text{malicious updates}]\|_234 attacks at higher attacker counts. The combined defense is presented as the first federated backdoor defense with both theory and practice aligned against adaptive attackers (Fenaux et al., 9 Sep 2025).

6. Trade-offs, limitations, and prospective extensions

The trade-offs are stated directly. Hammer and Anvil requires a small clean dataset Δ=E[benign updates]E[malicious updates]2\Delta = \|E[\text{benign updates}] - E[\text{malicious updates}]\|_235 at the server, incurs extra computation through CSFT for Δ=E[benign updates]E[malicious updates]2\Delta = \|E[\text{benign updates}] - E[\text{malicious updates}]\|_236 epochs, and relies on tuning hyper-parameters Δ=E[benign updates]E[malicious updates]2\Delta = \|E[\text{benign updates}] - E[\text{malicious updates}]\|_237, although those hyper-parameters are described as robust over wide ranges (Fenaux et al., 9 Sep 2025). These costs are structurally tied to the Anvil stage: without server-side clean data and post-training compute, the second half of the defense cannot be instantiated.

The limitations are equally explicit. If the server has no clean data, Anvil is unavailable. Extremely stealthy attacks at Δ=E[benign updates]E[malicious updates]2\Delta = \|E[\text{benign updates}] - E[\text{malicious updates}]\|_238 could in principle slip through if the two thresholds separate. As-is, Krum operates only when Δ=E[benign updates]E[malicious updates]2\Delta = \|E[\text{benign updates}] - E[\text{malicious updates}]\|_239 (Fenaux et al., 9 Sep 2025). The theoretical framing therefore does not eliminate all adversarial possibilities; rather, it identifies the conditions under which large- and small-magnitude attacks are each covered.

The extensions proposed in the paper preserve the same architectural principle while changing one or both components. The Hammer could be replaced with a stronger Hammer, for example FLAME’s clustering. The Anvil could be improved by combining pruning or lottery-ticket fine-tuning. The framework could be adapted to other data modalities such as NLP and speech, and personalization could be explored by applying Anvil per-user (Fenaux et al., 9 Sep 2025).

Taken together, these points position Hammer and Anvil as a modular template rather than a single fixed algorithm. The broader significance lies in the claim that large updates are filtered by a robust aggregator and small updates are ground to dust by post-processing fine-tuning, with KrumΔ=E[benign updates]E[malicious updates]2\Delta = \|E[\text{benign updates}] - E[\text{malicious updates}]\|_240 serving as the concrete demonstration that the two-stage construction can achieve provably bounded byzantine robustness plus empirical backdoor removal in every scenario studied (Fenaux et al., 9 Sep 2025).

Definition Search Book Streamline Icon: https://streamlinehq.com
References (1)

Topic to Video (Beta)

No one has generated a video about this topic yet.

Whiteboard

No one has generated a whiteboard explanation for this topic yet.

Follow Topic

Get notified by email when new papers are published related to Hammer and Anvil.