Structural Compatibility Coefficient (SCC)
- Structural Compatibility Coefficient (SCC) is a normalized ratio that evaluates a model’s structural affinity to propagate fractal perturbations relative to static triggers in federated learning.
- It is estimated using an online gradient-response method based on probe data, with emphasis on layerwise sensitivities and multi-path feature fusion.
- Empirical studies show a strong correlation (Pearson 0.91) between SCC and attack success rates, underpinning its role in client ranking and perturbation scaling.
Structural Compatibility Coefficient (SCC) is a structure-aware metric introduced in federated learning backdoor research to characterize a model’s relative preference for fractal perturbations over ordinary, static trigger patterns (Jian et al., 4 Mar 2026). In that usage, SCC is not a generic perturbation-sensitivity score; it is a normalized comparative response ratio that asks whether a given architecture is especially favorable to the propagation and retention of fractal perturbations. The acronym is also highly ambiguous across adjacent literatures: it is used for strongly connected components, stress corrosion cracking, space charge compensation, and scalar coupling constant, while several papers discuss nearby compatibility quantities without defining an SCC as such [(Beneš et al., 2021); (Cui et al., 2020); (Caliskan et al., 2012); (Jian et al., 2020); (Devi et al., 2020); (Li, 9 Mar 2026)].
1. Definition and conceptual role
In the terminology of structure-aware distributed backdoor attacks, SCC is introduced alongside the Structural Responsiveness Score (SRS) (Jian et al., 4 Mar 2026). The distinction is explicit. SRS measures a model’s absolute perturbation responsiveness, whereas SCC measures its relative compatibility with fractal perturbations specifically. The paper formulates the underlying question as: given a model that can respond to perturbations, is its structure especially favorable to the propagation and retention of fractal perturbations?
The layerwise perturbation response is defined by
where denotes the output of the -th layer. On that basis,
with a layer weight reflecting the relative importance of each layer in the architecture. The text states that deeper layers and layers involved in residual or dense connections “are assigned higher weights” because they exert greater influence on final prediction (Jian et al., 4 Mar 2026).
SCC is then defined as the ratio of SRS under fractal perturbation to SRS under a traditional static trigger: This normalization is central to the paper’s interpretation. If both numerator and denominator are large, the model is generally sensitive; if the ratio is large, the model is specifically more compatible with fractal perturbations than with static ones. The paper states that
means the model responds more strongly to fractal perturbations than to traditional triggers, while
means the propagation of fractal perturbations is constrained in the given structure (Jian et al., 4 Mar 2026).
The proposed mechanism is explicitly architectural. Fractal perturbations are described as having “multi-scale self-similarity and broad-spectrum distribution in the frequency domain,” and architectures with residual shortcuts, dense reuse, or “multi-path feature fusion mechanisms” are presented as structurally more “friendly” to such perturbations (Jian et al., 4 Mar 2026). In that framing, SCC functions as a predictor of perturbation survivability: whether a fractal trigger can survive forward propagation, be reflected in gradients, be written into local updates, and persist through federated aggregation.
2. Mathematical formulation and operational estimation
The formal SCC definition is layer-Jacobian based, but the implementation in TFI does not compute SCC directly from internal layer Jacobians (Jian et al., 4 Mar 2026). Instead, the paper uses an online gradient-response-based estimator on a probe dataset sent by the server to clients. For client , the estimated SRS is
0
where 1 is the number of probe samples, 2 is the 3-th probe input, 4 is the task loss, and 5 denotes model parameters. The corresponding SCC estimate is
6
This operational definition matters because it makes SCC model-specific and client-specific, not purely architecture-only (Jian et al., 4 Mar 2026). The paper states that even when clients share the same topology, “differences in local data distributions, training states, and potential personalization modules can lead to substantial variation in perturbation responses.” Accordingly, SCC depends on the model, its current parameters, the probe data, the perturbation family, and the loss gradients.
The paper also gives an analytical decomposition of malicious contribution in which SCC complements SRS rather than replacing it. It abstracts the perturbation impact of client 7 as
8
and later writes the malicious aggregate contribution at round 9 as
0
A model can therefore have high SRS but SCC near 1, or high SCC with low absolute SRS. The framework uses both because the two quantities encode different structural properties (Jian et al., 4 Mar 2026).
3. Algorithmic use inside TFI
SCC is not merely descriptive in TFI; it is used directly for client ranking and perturbation scaling (Jian et al., 4 Mar 2026). After estimating 1 and 2 on candidate clients, the framework computes the utility score
3
where 4 is the client’s aggregation weight. Under a budget constraint, TFI greedily selects the highest-5 clients.
SCC also enters the frequency-domain perturbation embedding stage. The poisoned spectrum is formed as
6
and the embedding weight is scaled by SCC as
7
where 8 is the baseline perturbation strength, 9 is a sublinear amplification exponent, and 0 is a smooth frequency window suppressing high-frequency artifacts (Jian et al., 4 Mar 2026). In this design, higher-SCC clients are not only preferred for poisoning; they also receive stronger trigger embedding.
The algorithmic description in Algorithm 1 follows the same logic. The procedure is: construct 1, evaluate 2 and 3 for each client using 4, compute 5, select malicious clients under budget 6, and in each round set the adaptive perturbation magnitude through a function of 7, 8, and the temporal intensity schedule
9
The paper also gives the baseline-strength adaptation
0
with clipping to prevent excessive perturbations on highly sensitive clients (Jian et al., 4 Mar 2026).
The intended interpretation is that architectures with “low-attenuation propagation channels” and repeated feature reuse preserve the multi-scale structure of fractal perturbations better than models that attenuate local structured signals. SCC is the paper’s formal handle on that structure–perturbation coupling.
4. Empirical behavior and predictive value
The paper’s strongest quantitative claim is that SCC correlates strongly with attack success rate (ASR) (Jian et al., 4 Mar 2026). In the subsection “Structural Compatibility and Attack Efficiency,” it reports a Pearson correlation coefficient of 0.91 between SCC and ASR on CIFAR-10, and states that the same relationship persists on ImageNet-100. The associated plots compare SCC values and ASR trends under poisoning ratios of 5% and 10% on CIFAR-10, and 7% and 10% on ImageNet-100.
Across model families, ResNet-18, ResNet-50, and DenseNet-121 are consistently portrayed as high-SCC architectures, while VGG-16 and ViT-Base are treated as lower-SCC models (Jian et al., 4 Mar 2026). Under a fixed 10% poisoning ratio on CIFAR-10, TFI attains much higher ASR on the residual and dense models, whereas on ViT-Base the ASR is only 76.0%. The paper does not print exact SCC values for each architecture in the text, but it states that the ranking is clear in the SCC-versus-ASR figures.
The same structural reading appears in the poisoning-budget experiments. In the “Minimum Poisoning Ratio under Fixed ASR” subsection, with target
1
TFI requires only 5% poisoning on ResNet-18 and DenseNet-121, but around 12% poisoning on ViT-Base (Jian et al., 4 Mar 2026). The paper interprets this as evidence that high-SCC architectures achieve the same malicious objective at lower attack budget because fractal perturbations are better propagated and retained.
The ablation study provides the clearest operational validation. On CIFAR-10 with ResNet-18 at 5% poisoning, the full TFI reaches 89.2% ASR, 84.3% MTA, 18.5% detection rate, and 0.87 update similarity. When SCC-aware client selection is removed, ASR drops to 68.3%, detection rate rises to 35.7%, update similarity falls to 0.79, and retention drops to 76.6% (Jian et al., 4 Mar 2026). The paper explicitly states that this “confirms that prioritizing high-SCC clients is critical under low poisoning budgets.”
Defense-side results are presented in compatible terms. On CIFAR-10/ResNet-18 under differential privacy noise, ASR falls from 89.2% with no defense to 70.1% at 2, 58.7% at 3, and 37.8% at 4 (Jian et al., 4 Mar 2026). The theory section interprets attack feasibility as depending on whether the accumulated structure-weighted perturbation signal can overcome benign fluctuation and injected noise. Since SCC multiplies the adversarial contribution term, lowering effective structural compatibility pushes the system away from the attack-feasible regime.
5. Related compatibility notions and acronym ambiguity
The term “Structural Compatibility Coefficient” is not stable across fields. In some papers it is absent and only nearby compatibility constructs appear; in others the acronym SCC refers to something entirely different.
| Usage | Meaning | Source |
|---|---|---|
| SCC | Structural Compatibility Coefficient | (Jian et al., 4 Mar 2026) |
| Compatibility via 5 | Geometric compatibility of austenite and martensite | (Devi et al., 2020) |
| 6, 7 | Compatibility functional and structural compatibility threshold | (Li, 9 Mar 2026) |
| SCC | Strong compatibility coupling | (Towhidi et al., 2022) |
| SCC | Strongly connected components | (Beneš et al., 2021) |
| SCC | Stress corrosion cracking | (Saravanan et al., 2020, Cui et al., 2020) |
| SCC | Space charge compensation | (Caliskan et al., 2012) |
| SCC | Scalar coupling constant | (Jian et al., 2020) |
Several of these nearby notions are structurally related but not terminologically identical. In the Heusler-alloy study, the paper does not define an SCC; the closest exact descriptor is the geometric compatibility condition between cubic austenite and tetragonal martensite, encoded in the transformation matrix 8 and judged primarily by whether
9
or, in practice, whether 0 is close to 1 (Devi et al., 2020). In the operator-theoretic optimization paper, there is likewise no SCC; the closest equivalent is the compatibility functional
1
together with the threshold
2
Other papers use the acronym in unrelated ways. In atomistic–continuum coupling, SCC means strong compatibility coupling, an exact atom–node interface matching condition rather than a scalar score (Towhidi et al., 2022). In graph algorithms it denotes strongly connected components (Beneš et al., 2021). In corrosion mechanics it denotes stress corrosion cracking (Saravanan et al., 2020, Cui et al., 2020). In accelerator design it means space charge compensation (Caliskan et al., 2012), and in NMR prediction it means scalar coupling constant (Jian et al., 2020). A plausible implication is that the federated-learning SCC should be cited with its full name on first use to avoid immediate cross-domain ambiguity.
6. Interpretation boundaries and limitations
The federated-learning SCC is explicitly a relative compatibility measure for fractal perturbations, not a universal architecture index (Jian et al., 4 Mar 2026). Its numerator and denominator are tied to a specific comparison: 3 The paper notes that one could generalize the same ratio form to other perturbation families by replacing the numerator perturbation type, but it does not do so. SCC, as defined there, therefore measures comparative structural affinity for one perturbation family against one baseline family.
The operational estimate 4 also depends on probe data and current model state. The paper states that SCC is architecture-related but not architecture-only, since local data distributions, training states, and personalization modules can materially alter perturbation responses (Jian et al., 4 Mar 2026). It follows that SCC is sensitive to deployment context, not only to nominal backbone design.
The manuscript further contains typographical corruption in several displayed equations, especially parentheses and braces in the SCC formulas (Jian et al., 4 Mar 2026). The intended meanings are described as unambiguous from context, but this places some interpretive burden on the reader. The paper also presents SCC mainly empirically and heuristically; it does not provide a formal theorem proving that multi-path networks must yield higher SCC. Its strongest support is instead empirical: cross-architecture ranking, the reported Pearson correlation of 0.91 with ASR on CIFAR-10, and the large ablation gap when SCC-aware client selection is removed.
Within those limits, SCC serves as the paper’s principal structure-aware metric for explaining why the same poisoning budget and the same fractal trigger can be highly effective in some architectures yet much weaker in others (Jian et al., 4 Mar 2026). It is defined as a normalized response ratio, estimated through gradient-response differences on probe data, used directly in client selection and perturbation scaling, and interpreted as a predictor of perturbation survivability under federated aggregation.