FedLAD: Linear Algebra-based FL Defense
- The paper introduces FedLAD, a defense that recasts federated aggregation as a linear algebra optimization, using RREF to extract an independent basis of client updates.
- FedLAD filters out malicious and redundant contributions by leveraging the structure of the row-space, thereby preserving honest update directions in a star-topology system.
- Experimental results show that FedLAD maintains high model accuracy and near-zero attack success rates even with high fractions of adversarial clients, compared to standard robust aggregation methods.
Linear Algebra-based Detection (FedLAD) is a defence method for federated learning that targets targeted data poisoning under Sybil attacks by recasting model aggregation as a linear problem and then solving a linear algebra optimisation challenge on client updates (Xiong et al., 4 Aug 2025). In the formulation presented for a synchronous, star-topology federated learning system, the server observes only submitted local models and identifies potential attacks by extracting the independent linear combinations from the original linear combinations, thereby filtering out redundant and malicious elements before re-aggregation. The method is situated within the broader literature on robust federated aggregation, but its defining feature is the use of row-reduced echelon form (RREF) to select a basis of client updates rather than relying on clustering, coordinate-wise robust statistics, or distance-based exclusion.
1. Problem setting and threat model
FedLAD is defined for a synchronous, star-topology federated learning system in which a central server orchestrates communication rounds and standard FedAvg is used by default (Xiong et al., 4 Aug 2025). In the experimental setup, 10 devices participate in each round, a random subset up to all 10 may be sampled, and the analysis also covers the case in which all clients submit updates simultaneously. The baseline aggregation rule is
where is the -th client’s local model at round , and is the set of participating clients.
The adversarial model is targeted label-flipping on a portion of training data. Each malicious client solves
where are locally corrupted flipped labels. The attack is explicitly collusive: the adversary may control up to 80% of the clients by spawning Sybils, and all malicious clients follow a common flipped-label backdoor strategy. The server does not know which updates are benign or malicious and has no access to raw data.
FedLAD assumes that honest benign updates live in some low-dimensional subspace whose basis is preserved even if some malicious updates are present. This assumption is central to the method’s logic: the server need not identify malicious clients directly if it can recover a basis for the row space that preserves honest directions. A plausible implication is that FedLAD is most effective when benign updates remain sufficiently structured despite data heterogeneity.
2. Linear-algebraic formulation of aggregation
The core idea is to model any federated aggregation rule as a linear combination of local models (Xiong et al., 4 Aug 2025). In the notation of the method,
with and 0, where each flattened client model is a vector 1. The set 2 spans a subspace 3.
FedLAD distinguishes linearly independent from dependent vectors. A set of vectors is linearly independent if the only coefficients 4 satisfying 5 are all 6. Any vector outside a chosen basis is dependent and can be written as a linear combination of basis vectors. In the FedLAD interpretation of federated learning, dependent updates add no new direction to the span of benign models, while malicious updates often appear as perturbations or near-duplicates within the same low-dimensional span.
The operational step is to assemble the matrix
7
whose rows are the flattened local models 8. FedLAD then computes the RREF of 9. The nonzero pivot rows in the RREF correspond to a basis of the row space, and all non-pivot rows are discarded. The resulting aggregation retains only the basis index set 0 and computes
1
FedLAD uses uniform weights on the basis vectors, under the intuition that independent directions are equally informative. This uniform reweighting is a defining design choice of the defence.
3. Algorithmic procedure
At each round, FedLAD receives row vectors 2, flattens all model parameters into a single 3-dimensional vector per client, and assembles the update matrix 4 (Xiong et al., 4 Aug 2025). The serial RREF computation then proceeds column by column. For each column, the method searches rows at or below the current row index for the maximum absolute entry, swaps that row into pivot position if the maximum is nonzero, scales the pivot row to make the pivot entry equal to 5, and cross-cancels all other rows so that the pivot column is zero everywhere else. The algorithm records pivot columns and advances the row index until all pivots are found.
This procedure yields a pivot set that defines the basis index set. Aggregation is then performed only over those basis rows. In this sense, FedLAD transforms federated defence into basis extraction: rather than downweighting suspicious updates, it eliminates all rows deemed dependent under the row-space representation.
The paper also presents a parallel RREF implementation through sub-matrix splitting. The matrix 6 is divided into 7 sub-matrices along columns or rows so that each submatrix has roughly 8 columns. Each thread computes RREF serially on its assigned block and extracts pivot rows. The non-zero pivot rows from all threads are stacked into a new matrix 9, and the same procedure is repeated if 0 still exceeds the per-CPU threshold. The final RREF is claimed to give the same pivot set as serial RREF on the original 1, with the justification framed in terms of rank preservation and uniqueness of RREF.
The complexity discussion in the paper states serial RREF as 2 in a simplified count of row-by-column passes, while the parallel version, assuming 3 CPUs and a balanced 4-ary tree, has depth 5 and total cost approximately
6
with additional communication overhead for splitting and merging.
4. Theoretical basis and robustness claims
The theoretical justification rests on the redundancy of dependent rows and the uniqueness of RREF (Xiong et al., 4 Aug 2025). The paper’s informal lemma states that if 7 is a basis for 8, then any 9 not in the basis can be written as a linear combination of the others, so discarding 0 does not reduce the span. Because the global model is itself a linear combination of client updates, the same span can in principle be reconstructed from the basis alone.
The proof sketch invokes standard basis properties: a set is linearly dependent if one member is a combination of others; a basis is a minimal independent spanning set; and RREF extracts the pivot rows that form a basis of the row space. Accordingly, non-pivot rows can be removed without changing the row-space span. FedLAD’s defence logic depends on the proposition that malicious or redundant updates can be removed if they do not contribute genuinely new independent directions.
The robustness claims are stated with explicit caveats. RREF is unique for any matrix, so the pivot set is determined by 1. The paper further states that as long as at least one honest direction survives among the pivots, the global model remains free of malicious influence in that subspace. It also argues that FedLAD can tolerate a high fraction of malicious clients because redundancy in model updates is plentiful and only a small independent subset is needed. This suggests that the method is not majority-based in the conventional sense; its resilience depends more on span structure than on a benign numerical majority.
At the same time, the method does not claim universal identifiability. If malicious clients alone span the subspace, or if honest updates are contained in the span of malicious updates, FedLAD cannot distinguish them. The paper notes that this occurs in practice only when honest coverage is extremely small, but the limitation is structural rather than merely empirical.
5. Experimental evaluation and comparative position
The reported evaluation covers image classification and natural language processing tasks, with CIFAR-10 and CIFAR-100 using ResNet-18 and AG_NEWS using a 3-layer feed-forward net with 95 811 input tokens, 64 hidden units, and 4 classes (Xiong et al., 4 Aug 2025). For CIFAR-10 and CIFAR-100, local epochs are 2, global rounds are 40, and the data are non-IID via Dirichlet2. For AG_NEWS, local epochs are 2, global rounds are 20, and the same Dirichlet3 partitioning is used. The malicious ratio is varied over 4, with 5 clients randomly selected to flip two target labels in their local data each round.
The baselines are Sherpa, CONTRA, Median, Trimmed Mean, and Krum. The evaluation metrics are Attack Success Rate (ASR), defined as the fraction of malicious inputs whose flipped labels are predicted as the attacker’s chosen target, and Model Accuracy (MA), defined as classification accuracy on the clean test set.
The key findings reported are specific. FedLAD maintains ASR approximately 6 until the malicious ratio is approximately 7 on CIFAR-10 and AG_NEWS, and approximately 8 on CIFAR-100. All baselines spike in ASR once the ratio exceeds approximately 9 to 0. In terms of MA, FedLAD preserves more than 90% test accuracy up to malicious ratio 1 and drops only when honest coverage is too small, whereas baselines suffer more than 20% accuracy loss at 2. Running time is also reported: serial FedLAD is approximately 245–280 minutes, parallel FedLAD approximately 63–74 minutes for the CIFAR tasks, while baselines run in 44–60 minutes.
The comparison to prior defences is framed around methodological failure modes. Clustering-based approaches such as Sherpa and CONTRA rely on grouping similar updates and fail when malicious clients form the majority cluster above 50%. Coordinate-wise robust rules such as Median and Trimmed Mean require that most coordinates be unaffected, and Krum assumes at most 3 malicious clients when selecting the update with the smallest total distance to 4 peers. FedLAD’s comparative claim is that it does not rely on a majority being honest, but only on honest updates spanning some directions.
6. Limitations, related meanings, and broader context
FedLAD introduces a substantial per-round overhead because it adds one RREF computation per round instead of a simple sum or average (Xiong et al., 4 Aug 2025). In serial form, this cost is substantial for large model dimension 5; the parallel form is presented as the practical route to scalability. The method also assumes that the shared honest span remains low-dimensional and uncorrupted. Highly heterogeneous honest data may expand that span, weakening the basis-extraction premise. The current implementation uses equal weighting of pivots, and the paper identifies blending with Trimmed Mean or Krum on the pivot set as future work.
A recurrent misconception arises from the acronym itself. In the 2025 literature, “FedLAD” also denotes “FedLAD: A Modular and Adaptive Testbed for Federated Log Anomaly Detection,” a unified platform for training and evaluating log anomaly detection models under federated learning constraints (Liao et al., 9 Dec 2025). That system concerns log-specific preprocessing, benchmark datasets such as BGL, HDFS, and Thunderbird, LAD models such as DeepLog, LogAnomaly, and NeuralLog, and a self-adaptive MAPE loop for training control. It is unrelated to the poisoning-defence method except for the acronym. The linear-algebra-based method discussed here is specifically “Linear Algebra-based Detection,” whereas the log-analysis platform uses “FedLAD” as shorthand for federated log anomaly detection.
The wider phrase “linear-algebra-based detection” also appears in other domains. For example, linear detection in massive MIMO relies on Gram-matrix formation and inversion, with zero-forcing and MMSE detectors expressed through 6 and related matrix operations (Hsueh et al., 2024). That literature is relevant only at the level of computational analogy: it underscores that basis extraction, matrix inversion, and linear combinations are general linear-algebraic primitives, but it does not define the federated poisoning defence.
Within federated learning, FedLAD is therefore best understood as a basis-extraction defence that interprets client updates as vectors in 7, computes a row-space basis through RREF, and re-aggregates only the independent rows. Its significance lies in shifting the defence objective from majority filtering to subspace preservation, with empirical evidence indicating robustness across malicious node ratios from 0.2 to 0.8 and explicit limitations when honest coverage becomes too small (Xiong et al., 4 Aug 2025).