2602.16480v1

# SRFed: Mitigating Poisoning Attacks in Privacy-Preserving Federated Learning with Heterogeneous Data **Authors**: - Yiwen Lu1,2Corresponding Author (School of Mathematics, Nanjing University, Nanjing 210093, China) - 2E-mail: luyw@smail.nju.edu.cn ## Abstract Federated Learning (FL) enables collaborative model training without exposing clients’ private data, and has been widely adopted in privacy-sensitive scenarios. However, FL faces two critical security threats: curious servers that may launch inference attacks to reconstruct clients’ private data, and compromised clients that can launch poisoning attacks to disrupt model aggregation. Existing solutions mitigate these attacks by combining mainstream privacy-preserving techniques with defensive aggregation strategies. However, they either incur high computation and communication overhead or perform poorly under non-independent and identically distributed (Non-IID) data settings. To tackle these challenges, we propose SRFed, an efficient Byzantine-robust and privacy-preserving FL framework for Non-IID scenarios. First, we design a decentralized efficient functional encryption (DEFE) scheme to support efficient model encryption and non-interactive decryption. DEFE also eliminates third-party reliance and defends against server-side inference attacks. Second, we develop a privacy-preserving defensive model aggregation mechanism based on DEFE. This mechanism filters poisonous models under Non-IID data by layer-wise projection and clustering-based analysis. Theoretical analysis and extensive experiments show that SRFed outperforms state-of-the-art baselines in privacy protection, Byzantine robustness, and efficiency. ## I Introduction Federated learning (FL) has emerged as a promising paradigm for distributed machine learning, which enables multiple clients to collaboratively train a global model without sharing their private data. In a typical FL setup, multiple clients periodically train local models using their private data and upload model updates to a central server, which aggregates these updates to obtain a global model with enhanced performance. Due to its ability to protect data privacy, FL has been widely applied in real-world scenarios, such as intelligent driving [1, 2, 3, 4, 5], medical diagnosis [6, 7, 8, 9], and intelligent recommendation systems [10, 11, 12, 13]. Although FL avoids direct data exposure, it is not immune to privacy and security risks. Existing studies [14, 15, 16] have shown that the curious server may launch inference attacks to reconstruct sensitive data samples of clients from the model updates. This may lead to the leakage of clients’ sensitive information, e.g., medical diagnosis records, which can be exploited by adversaries for launching further malicious activities. Moreover, FL is also vulnerable to poisoning attacks [17, 18, 19]. The adversaries may manipulate some clients to execute malicious local training and upload poisonous model updates to mislead the global model [18, 20, 21]. This attack will damage the performance of the global model and lead to incorrect decisions in downstream tasks such as medical diagnosis and intelligent driving. To address privacy leakage issues, existing privacy-preserving federated learning (PPFL) methods primarily rely on techniques such as differential privacy (DP) [22, 23, 24, 25, 26], secure multi-party computation (SMC) [27, 28], and homomorphic encryption (HE) [29, 30]. However, DP typically leads to a reduction in global model accuracy, while SMC and HE incur substantial computational and communication overheads in FL. Recently, lightweight functional encryption (FE) schemes [31, 32] have been applied in FL. FE enables the server to aggregate encrypted models and directly obtain the decrypted results via a functional key, which avoids the accuracy loss in DP and the extra communication overhead in HE/SMC. However, existing FE schemes rely on third parties for functional key generation, which introduces potential privacy risks. To mitigate poisoning attacks, existing Byzantine-robust FL methods [33, 34, 35, 36] typically adopt defensive aggregation strategies, which filter out malicious model updates based on statistical distances or performance-based criteria. However, these strategies rely on the assumption that clients’ data distributions are homogeneous, leading to poor performance in non-independent and identically distributed (Non-IID) data settings. Moreover, they require access to plaintext model updates, which directly contradicts the design goal of PPFL [32]. Recently, privacy-preserving Byzantine-robust FL methods [37, 29] have been proposed to address both privacy and poisoning attacks. However, these methods still suffer from limitations such as accuracy loss, excessive overhead, and limited effectiveness in Non-IID environments, as they merely combine the PPFL with existing defensive aggregation strategies. As a result, there is still a lack of practical solutions that can simultaneously ensure privacy protection and Byzantine robustness in Non-IID data scenarios. To address the limitations of existing FL solutions, we propose a novel Byzantine-robust privacy-preserving FL method, SRFed. SRFed achieves efficient privacy protection and Byzantine robustness in Non-IID data scenarios through two key designs. First, we propose a new functional encryption scheme, DEFE, to protect clients’ model privacy and resist inference attacks from the server. Compared with existing FE schemes, DEFE eliminates reliance on third parties through distributed key generation and improves decryption efficiency by reconstructing the ciphertext. Second, we develop a privacy-preserving robust aggregation strategy based on secure layer-wise projection and clustering. This strategy resists the poisoning attacks in Non-IID data scenarios. Specifically, this strategy first decomposes client models layer by layer, projects each layer onto the corresponding layer of the global model. Then, it performs clustering analysis on the projection vectors to filter malicious updates and aggregates the remaining benign models. DEFE supports the above secure layer-wise projection computation and enables privacy-preserving model aggregation. Finally, we evaluate SRFed on multiple datasets with varying levels of heterogeneity. Theoretical analysis and experimental results demonstrate that SRFed achieves strong privacy protection, Byzantine robustness, and high efficiency. In summary, the core contributions of this paper are as follows. - We propose a novel secure and robust FL method, SRFed, which simultaneously guarantees privacy protection and Byzantine robustness in Non-IID data scenarios. - We design an efficient functional encryption scheme, which not only effectively protects the local model privacy but also enables efficient and secure model aggregation. - We develop a privacy-preserving robust aggregation strategy, which effectively defends against poisoning attacks in Non-IID scenarios and generates high-quality aggregated models. - We implement the prototype of SRFed and validate its performance in terms of privacy preservation, Byzantine robustness, and computational efficiency. Experimental results show that SRFed outperforms state-of-the-art baselines in all aspects. ## II Related Works ### II-A Privacy-Preserving Federated Learning To safeguard user privacy, current research on privacy-preserving federated learning (PPFL) mainly focuses on protecting gradient information. Existing solutions are primarily built upon four core technologies: Differential Privacy (DP) [22, 23, 24], Secure Multi-Party Computation (SMC) [27, 28], Homomorphic Encryption (HE) [29, 38, 30], and Functional Encryption (FE) [31, 32, 39, 40]. DP achieves data indistinguishability by injecting calibrated noise into raw data, thus ensuring privacy with low computational overhead. Miao et al. [24] proposed a DP-based ESFL framework that adopts adaptive local DP to protect data privacy. However, the injected noise inevitably degrades the model accuracy. To avoid accuracy loss, SMC and HE employ cryptographic primitives to achieve privacy preservation. SMC enables distributed aggregation while keeping local gradients confidential, revealing only the aggregated model update. Zhang et al. [27] introduced LSFL, a secure FL framework that applies secret sharing to split and transmit local parameters to two non-colluding servers for privacy-preserving aggregation. HE allows direct computation on encrypted data and produces decrypted results identical to plaintext computations. This property preserves privacy without sacrificing accuracy. Ma et al. [29] developed ShieldFL, a robust FL framework based on two-trapdoor HE, which encrypts all local gradients and achieves aggregation of encrypted gradients. Despite their strong privacy guarantees, SMC/HE-based FL methods incur substantial computation and communication overhead, posing challenges for large-scale deployment. To address these issues, FE has been introduced into FL. FE avoids noise injection and eliminates the high overhead caused by multi-round interactions or complex homomorphic operations. Chen et al. [31] proposed ESB-FL, an efficient secure FL framework based on non-interactive designated decrypter FE (NDD-FE), which protects local data privacy but relies on a trusted third-party entity. Yu et al. [40] further proposed PrivLDFL, which employs a dynamic decentralized multi-client FE (DDMCFE) scheme to preserve privacy in decentralized settings. However, both FE-based methods require discrete logarithm-based decryption, which is typically a time-consuming operation. To overcome these limitations, we propose a decentralized efficient functional encryption (DEFE) scheme that achieves privacy protection and high computational and communication efficiency. TABLE I: COMPARISON BETWEEN OUR METHOD WITH PREVIOUS WORK | Methods | Privacy Protection | Defense Mechanism | Efficient | Non-IID | Fidelity | | --- | --- | --- | --- | --- | --- | | ESFL [24] | Local DP | Local DP | ✓ | ✗ | ✗ | | PBFL [37] | CKKS | Cosine similarity | ✗ | ✗ | ✓ | | ESB-FL [31] | NDD-FE | ✗ | ✓ | ✗ | ✓ | | Median [35] | ✗ | Median | ✓ | ✗ | ✓ | | FoolsGold [33] | ✗ | Cosine similarity | ✓ | ✗ | ✓ | | ShieldFL [29] | HE | Cosine similarity | ✗ | ✗ | ✓ | | PrivLDFL [40] | DDMCFE | ✗ | ✓ | ✗ | ✓ | | Biscotti [41] | DP | Euclidean distance | ✓ | ✗ | ✗ | | SRFed | DEFE | Layer-wise projection and clustering | ✓ | ✓ | ✓ | - Notes: The symbol ”✓” indicates that it owns this property; ”✗” indicates that it does not own this property. ”Fidelity” indicates that the method has no accuracy loss when there is no attack. ”Non-IID” indicates that the method is Byzantine-Robust under Non-IID data environments. ### II-B Privacy-Preserving Federated Learning Against Malicious Participants To resist poisoning attacks, several defensive aggregation rules have been proposed in FL. FoolsGold [33], proposed by Fung et al. [33], reweights clients’ contributions by computing the cosine similarity of their historical gradients. Krum [34] selects a single client update that is closest, in terms of Euclidean distance, to the majority of other updates in each iteration. Median [35] mitigates the effect of malicious clients by taking the median value of each model parameter across all clients. However, the above aggregation rules require access to plaintext model updates. This makes them unsuitable for direct application in PPFL. To achieve Byzantine-robust PPFL, Shiyan et al. [41] proposed Biscotti. Biscotti leverages DP to protect local gradients while using the Krum algorithm to mitigate poisoning attacks. Nevertheless, the injected noise in DP reduces the accuracy of the aggregated model. To overcome this limitation, Zhang et al. [27] proposed LSFL. LSFL employs SMC to preserve privacy and uses Median-based aggregation for poisoning defense. However, its dual-server architecture introduces significant communication overhead. In addition, Ma et al. [29] and Miao et al. [37] proposed ShieldFL and PBFL, respectively. Both schemes adopt HE to protect local gradients and cosine similarity to defend against poisoning attacks. However, they suffer from high computational complexity and limited robustness under non-IID data settings. To address these challenges, we propose a novel Byzantine-robust and privacy-preserving federated learning method. Table I compares previous schemes with our method. ## III Problem Statement ### III-A System Model The system model of SRFed comprises two roles: the aggregation server and clients. - Clients: Clients are nodes with limited computing power and heterogeneous data. In real-world scenarios, data heterogeneity typically arises across clients (e.g., intelligent vehicles) due to differences in usage patterns, such as driving habits. Each client is responsible for training its local model based on its own data. To protect data privacy, the models are encrypted and submitted to the server for aggregation. - Server: The server is a node with strong computing power (e.g., service provider of intelligent vehicles). It collects encrypted local models from clients, conducts model detection, and then aggregates selected models and distributes the aggregated model back to clients for the next training round. ### III-B Threat Model We consider the following threat model: 1) Honest-But-Curious server: The server honestly follows the FL protocol but attempts to infer clients’ private data. Specifically, upon receiving encrypted local models from the clients, the server may launch inference attacks on the encrypted models and exploit intermediate computational results (e.g., layer-wise projections and aggregated outputs) to extract sensitive information of clients. 2) Malicious clients: We consider a FL scenario where a certain proportion of clients are malicious. These malicious clients conduct model poisoning attacks to poison the global model, thereby disrupting the training process. Specifically, we focus on the following attack types: - Targeted poisoning attack. This attack aims to poison the global model so that it incurs erroneous predictions for the samples of a specific label. More specifically, we consider the prevalent label-flipping attack [29]. Malicious clients remap samples labeled $l_{src}$ to a chosen target label $l_{tar}$ to obtain a poisonous dataset $D_{i}^{*}$ . Subsequently, they train local models based on $D_{i}^{*}$ and submit the poisonous models to the server for aggregation. As a result, the global model is compromised, leading to misclassification of source-label samples as the target label during inference. - Untargeted poisoning attack. This attack aims to degrade the global model’s performance on the test samples of all classes. Specifically, we consider the classic Gaussian Attack [27]. The malicious clients first train local models based on the clean dataset. Then, they inject Gaussian noise into the model parameters and submit the malicious models to the server. Consequently, the aggregated model exhibits low accuracy across test samples of all classes. ### III-C Design Goals Under the defined threat model, SRFed aims to ensure the following security and performance guarantees: - Confidentiality. SRFed should ensure that any unauthorized entities (e.g., the server) cannot infer clients’ private training data from the encrypted models or intermediate results. - Robustness. SRFed should mitigate poisoning attacks launched by malicious clients under Non-IID data settings while maintaining the quality of the final aggregated model. - Efficiency. SRFed should ensure efficient FL, with the introduced DEFE scheme and robust aggregation strategy incurring only limited computation and communication overhead. ## IV Building Blocks ### IV-A NDD-FE Scheme NDD-FE [31] is a functional encryption scheme that supports the inner-product computation between a private vector $\boldsymbol{x}$ and a public vector $\boldsymbol{y}$ . NDD-FE involves three roles, i.e., generator, encryptor, and decryptor, to elaborate on its construction. - NDD-FE.Setup( ${1}^{\lambda}$ ) $\rightarrow$ $pp$ : It is executed by the generator. It takes the security parameter ${1}^{\lambda}$ as input and generates the system public parameters $pp=(G,p,g)$ and a secure hash function $H_{1}$ . - NDD-FE.KeyGen( $pp$ ) $\rightarrow$ $(pk,sk)$ : It is executed by all roles. It takes $pp$ as input and outputs public/secret keys $(pk,sk)$ . Let $(pk_{1},sk_{1}),$ $(pk_{2i},sk_{2i})$ and $(pk_{3},sk_{3})$ denote the public/secret key pairs of the generator, the $i$ -th encryptor and the decryptor, respectively. - NDD-FE.KeyDerive( $pk_{1},sk_{1},\{pk_{2i}\}_{i=1,2,\dots,I},ctr,\boldsymbol{y},$ $aux$ ) $\rightarrow$ $sk_{\otimes}$ : It is executed by the generator. It takes $(pk_{1},sk_{1})$ , the $\{pk_{2i}\}_{i=1,2,\dots,I}$ of $I$ encryptors, an incremental counter $ctr$ , a vector $\boldsymbol{y}$ and auxiliary information $aux$ as input, and outputs the functional key $sk_{\otimes}$ . - NDD-FE.Encrypt( $pk_{1},sk_{2i},pk_{3},ctr,x_{i},aux$ ) $\rightarrow$ $c_{i}$ : It is executed by the encryptor. It takes $pk_{1},(pk_{2i},sk_{2i}),$ $pk_{3},ctr,aux$ , and the data $x_{i}$ as input, and outputs the ciphertext $c_{i}=pk_{1}^{r_{i}^{ctr}}\cdot pk_{3}^{x_{i}}$ , where $r_{i}^{ctr}$ is generated by $H_{1}$ . - NDD-FE.Decrypt( $pk_{1},sk_{\otimes},sk_{3},\{ct_{i}\}_{i=1,2,\dots,I},\boldsymbol{y}$ ) $\rightarrow$ $\langle\boldsymbol{x},\boldsymbol{y}\rangle$ : It is executed by the decryptor. It takes $pk_{1},sk_{\otimes},$ $sk_{3}$ , $\{ct_{i}\}_{i=1,2,\dots,I}$ and $\boldsymbol{y}$ as input. First, it outputs $g^{\langle\boldsymbol{x},\boldsymbol{y}\rangle}$ and subsequently calculates $\log(g^{\langle\boldsymbol{x},\boldsymbol{y}\rangle})$ to reconstruct the result of the inner product of $(\boldsymbol{x},\boldsymbol{y})$ . ### IV-B The Proposed Decentralized Efficient Functional Encryption Scheme We propose a decentralized efficient functional encryption (DEFE) scheme for more secure and efficient inner product operations. Our DEFE is an adaptation of NDD-FE in three aspects: - Decentralized authority: DEFE eliminates reliance on the third-party entities (e.g., the generator) by enabling encryptors to jointly generate the decryptor’s decryption key. - Mix-and-Match attack resistance: DEFE inherently restricts the decryptor from obtaining the true inner product results, which prevents the decryptor from launching inference attacks. - Efficient decryption: DEFE enables efficient decryption by modifying the ciphertext structure. This avoids the costly discrete logarithm computations in NDD-FE. We consider our SRFed system with one decryptor (i.e., the server) and $I$ encryptors (i.e., the clients). The $i$ -th encryptor encrypts the $i$ -th component $x_{i}$ of the $I$ -dimensional message vector $\boldsymbol{x}$ . The message vector $\boldsymbol{x}$ and key vector $\boldsymbol{y}$ satisfy $\|\boldsymbol{x}\|_{\infty}\leq X$ and $\|\boldsymbol{y}\|_{\infty}\leq Y$ , with $X\cdot Y<N$ , where $N$ is the Paillier composite modulus [42]. Decryption yields $\langle\boldsymbol{x},\boldsymbol{y}\rangle\bmod N$ , which equals the integer inner product $\langle\boldsymbol{x},\boldsymbol{y}\rangle$ under these bounds. Let $M=\left\lfloor\frac{1}{2}\left(\sqrt{\frac{N}{I}}\right)\right\rfloor$ . We assume $X,Y<M$ in DEFE. Specifically, the construction of the DEFE scheme is as follows. The notations are described in Table II. TABLE II: Notation Descriptions | Notations | Descriptions | Notations | Descriptions | | --- | --- | --- | --- | | $pk,sk$ | Public/secret key | $skf$ | Functional key | | $T$ | Total training round | $t$ | Training round | | $I$ | Number of clients | $C_{i}$ | The $i$ -th client | | $D_{i}$ | Dataset of $C_{i}$ | $D_{i}^{*}$ | Poisoned dataset | | $l$ | Model layer | $\zeta$ | Length of $W_{t}$ | | $W_{t}$ | Global model | $W_{t+1}$ | Aggregated model | | $W_{t}^{i}$ | Benign model | $(W_{t}^{i})^{*}$ | Poisonous model | | $|W_{t}^{(l)}|$ | Length of $W_{t}^{l}$ | $\lVert W_{t}^{(l)}\rVert$ | The Euclidean norm of $\lVert W_{t}^{(l)}\rVert$ | | $\eta$ | Hash noise | $H_{1}$ | Hash function | | $noise$ | Gaussian noise | $E_{t}^{i}$ | Encrypted update | | $V_{t}^{i}$ | projection vector | $OA$ | Overall accuracy | | $SA$ | Source accuracy | $ASR$ | Attack success rate | - $\textbf{DEFE.Setup}(1^{\lambda},X,Y)\rightarrow pp$ : It takes the security parameter $1^{\lambda}$ as input and outputs the public parameters $pp$ , which include the modulus $N$ , generator $g$ , and hash function $H_{1}$ . It initializes by selecting safe primes $p=2p^{\prime}+1$ and $q=2q^{\prime}+1$ with $p^{\prime},q^{\prime}>2^{l(\lambda)}$ (where $l$ is a polynomial in $\lambda$ ), ensuring the factorization hardness of $N=pq$ is $2^{\lambda}$ -hard and $N>XY$ . A generator $g^{\prime}$ is uniformly sampled from $\mathbb{Z}_{N^{2}}^{*}$ , and $g=g^{\prime 2N}\mod N^{2}$ is computed to generate the subgroup of $(2N)$ -th residues in $\mathbb{Z}_{N^{2}}^{*}$ . Hash function $H_{1}:\mathbb{Z}\times\mathbb{N}\times\mathcal{AUX}\rightarrow\mathbb{Z}$ is defined, where $\mathcal{AUX}$ denotes auxiliary information (e.g., task identifier, timestamp). - $\textbf{DEFE.KeyGen}(1^{\lambda},N,g)\rightarrow(pk_{i},sk_{i})$ : It is executed by $n$ encryptors. It takes $\lambda$ , $N$ , and $g$ as input, and outputs the corresponding key pair $(pk_{i},sk_{i})$ . For the $i$ -th encryptor, an integer $s_{i}$ is drawn from a discrete Gaussian distribution $D_{\mathbb{Z},\sigma}$ ( $\sigma>\sqrt{\lambda}\cdot N^{5/2}$ ), and the public key $h_{i}=g^{s_{i}}\mod N^{2}$ , forming key pair $(pk_{i}=h_{i},sk_{i}=s_{i})$ . - $\textbf{DEFE.Encrypt}(pk_{i},sk_{i},ctr,x_{i},aux)\rightarrow ct_{i}$ : It is executed by $I$ encryptors. It takes key pair $(pk_{i},sk_{i})$ , counter $ctr$ , data $x_{i}\in\mathbb{Z}$ , and $aux$ as input, and outputs noise-augmented ciphertext $ct_{i}\in\mathbb{Z}_{N^{2}}$ . Considering the multi-round training process of FL, each $i$ -th encryptor generates a noise value $\eta_{t,i}$ for the $t$ -th round following the recursive relation $\eta_{t,i}=H_{1}(\eta_{t-1,i},pk_{i},ctr)\mod M$ , where $ctr$ is an incremental counter. The initial noise $\eta_{0,i}$ is uniformly set across all encryptors via a single communication. Using the noise-augmented data $x^{\prime}_{i}=x_{i}+\eta_{t,i}$ and secret key $sk_{i}$ , the encryptor computes the ciphertext $ct_{i}^{\prime}=(1+N)^{x^{\prime}_{i}}\cdot g^{r_{i}^{ctr}}\mod N^{2}$ with $r_{i}^{ctr}=H_{1}(sk_{i},ctr,aux)$ and $aux\in\mathcal{AUX}$ . - $\textbf{DEFE.FunKeyGen}\bigl((pk_{i},sk_{i})_{i=1}^{I},ctr,y_{i},aux\bigr)\rightarrow skf_{i,\boldsymbol{y}}$ : It is executed by $I$ encryptors. Each encryptor computes its partial functional key $skf_{i,\boldsymbol{y}}$ . It takes the public/secret key pairs ${(pk_{i},sk_{i})}^{n}_{i=1}$ of encryptors and the $i$ -th component $y_{i}$ of the key vector $\boldsymbol{y}$ as inputs and outputs: $$ skf_{i,\boldsymbol{y}}=r_{i}^{ctr}y_{i}+\sum\nolimits_{j=1}^{i-1}\varphi^{i,j}-\sum\nolimits_{j=i+1}^{I}\varphi^{i,j}, \tag{1} $$ where $r_{i}^{ctr}=H_{1}(sk_{i},ctr,aux)$ and $\varphi^{i,j}=H_{1}(pk_{j}^{sk_{i}},ctr,$ $aux)$ . Note that $\varphi^{i,j}=\varphi^{j,i}$ . - $\textbf{DEFE.FunKeyAgg}\bigl(\{skf_{i,\boldsymbol{y}}\}^{I}_{i=1})\rightarrow skf_{\boldsymbol{y}}$ : It is executed by the decryptor. It inputs partial functional keys $skf_{i,\boldsymbol{y}}$ and derives the final functional key: $$ skf_{\boldsymbol{y}}=\sum\nolimits_{i=1}^{I}skf_{i,\boldsymbol{y}}=\sum\nolimits_{i=1}^{I}r_{i}^{ctr}\cdot y_{i}\in\mathbb{Z}. \tag{2} $$ - $\textbf{DEFE.AggDec}(skf_{\boldsymbol{y}},\{ct_{i}\}^{I}_{i=1})\rightarrow\langle\boldsymbol{x^{\prime}},\boldsymbol{y}\rangle$ : It is executed by the decryptor. It first computes $$ CT_{\boldsymbol{x^{\prime}}}=\left(\prod\nolimits_{i=1}^{I}ct_{i}^{y_{i}}\right)\cdot g^{-skf_{\boldsymbol{y}}}\mod N^{2}. \tag{3} $$ Then, it outputs $\log_{(1+N)}(CT_{\boldsymbol{x^{\prime}}})=\frac{CT_{\boldsymbol{x^{\prime}}}-1\mod N^{2}}{N}=\langle\boldsymbol{x^{\prime}},\boldsymbol{y}\rangle.$ - $\textbf{DEFE.UsrDec}(\langle\boldsymbol{x^{\prime}},\boldsymbol{y}\rangle,\{pk_{i}\}^{I}_{i=1},\boldsymbol{y},ctr)\rightarrow\langle\boldsymbol{x},\boldsymbol{y}\rangle$ : It is executed by $I$ encryptors. During FL processes, each encryptor maintains a $I$ -dimensional noise list $\texttt{$L_{t}$}=[\eta_{t,i}]^{I}_{i=1}$ for each training round $t$ . Based on this, each encryptor can obtain the true inner product value: $\langle\boldsymbol{x},\boldsymbol{y}\rangle=\langle\boldsymbol{x^{\prime}},\boldsymbol{y}\rangle-\sum_{i=1}^{I}\eta_{t,i}\cdot y_{i}.$ ## V System Design <details> <summary>x1.png Details</summary>  ### Visual Description \n ## Diagram: Privacy-Preserving Robust Model Aggregation ### Overview This diagram illustrates a system for privacy-preserving robust model aggregation, involving a server and multiple clients. It details the process of local model training on clients, secure aggregation on the server, and the handling of potentially malicious clients. The diagram is divided into three main sections: Server-side processing (top), Benign Local Training (bottom-left), and Malicious Local Training (bottom-right). The entire process is framed under the title "Privacy-Preserving Robust Model Aggregation". ### Components/Axes The diagram uses several visual components to represent data and processes: * **Models:** Represented as rectangular prisms, with different colors indicating their status (Benign, Malicious, Encrypted). * **Functional Keys:** Represented as key icons. * **Projection Vectors:** Represented as arrows. * **Clusters:** Represented as numbered groups (1, 2, K). * **Arrows:** Indicate the flow of data and processes. * **Boxes:** Delineate different stages or sections of the process. * **Labels:** Numbered labels (1-8) guide the flow of the process. The legend (top-right) defines the color coding: * **Green:** Benign model * **Red:** Malicious model * **Green with a lock:** Encrypted benign model * **Red with a lock:** Encrypted malicious model * **Blue:** Global model * **Key Icon:** Functional key * **Arrow:** Projection vector * **Red X:** Malicious * **Green Circle:** Benign ### Detailed Analysis or Content Details **Server-Side Processing (Top Section):** 1. **Global Model (①):** A blue rectangular prism representing the initial global model. 2. **Layer-wise Projection (⑥):** The global model is projected into multiple projection vectors (arrows). Each projection vector is associated with a rectangular prism, colored to indicate whether it's a benign or malicious model. 3. **Cluster Analysis (⑦):** The projection vectors are fed into a K-Means clustering algorithm. The diagram shows two clusters labeled "1" and "2", with "Top K-1 clusters" indicated below. Cosine similarity is used for clustering. 4. **Aggregation (⑧):** The clusters are aggregated, resulting in a new set of models. These models are then decrypted using "DEFE\_AggDec". The resulting models are blue (global model). **Benign Local Training (Bottom-Left Section):** 1. **Client 1, Client 2, Client i (①):** Represent multiple clients participating in the training process. 2. **Model Training (②):** Each client trains a local model. 3. **DEFE\_Encrypt (③):** The trained model is encrypted using "DEFE\_Encrypt". 4. **DEFE\_FunKeyGen (④):** A functional key is generated. **Malicious Local Training (Bottom-Right Section):** 1. **Malicious client c*, c* {i+1, ... , I} (⑤):** Represents malicious clients. 2. **Model Training (⑥):** Malicious clients train models, potentially using "Label-flipping attack & Gaussian attack". 3. **DEFE\_Encrypt (⑦):** The trained model is encrypted using "DEFE\_Encrypt". 4. **DEFE\_FunKeyGen (⑧):** A functional key is generated. ### Key Observations * The system distinguishes between benign and malicious clients. * Encryption is used to protect the privacy of the local models. * The server aggregates the models from multiple clients. * K-Means clustering is used to identify and potentially mitigate the impact of malicious models. * The "DEFE" modules (DEFE\_Encrypt, DEFE\_AggDec, DEFE\_FunKeyGen) play a crucial role in the privacy-preserving and robust aggregation process. * The malicious client section explicitly mentions "Label-flipping attack & Gaussian attack", indicating the types of attacks the system is designed to handle. ### Interpretation This diagram depicts a federated learning system designed to be robust against malicious participants. The core idea is to allow clients to train models locally, encrypt them, and send them to a central server for aggregation. The server uses techniques like K-Means clustering and functional keys to identify and mitigate the influence of malicious models. The "DEFE" modules likely implement differential privacy or other privacy-enhancing technologies to protect the data and models during the aggregation process. The use of K-Means suggests that the server attempts to group similar models together, potentially identifying outliers (malicious models) that deviate significantly from the norm. The functional keys likely provide a mechanism for secure aggregation, ensuring that the server can combine the models without learning the individual client's data. The explicit mention of "Label-flipping attack & Gaussian attack" highlights the system's focus on defending against common adversarial attacks in federated learning. The diagram suggests a layered approach to security, combining encryption, clustering, and functional keys to achieve both privacy and robustness. The entire system is designed to allow for collaborative model training while protecting the privacy of individual clients and ensuring the integrity of the aggregated model. </details> Figure 1: The workflow of SRFed. ### V-A High-Level Description of SRFed The workflow of SRFed is illustrated in Figure 1. Specifically, SRFed iteratively performs the following three steps: 1) Initialization. The server initializes the global model $W_{0}$ and distributes it to all clients (step ①). 2) Local training. In the $t$ -th training iteration, each client $C_{i}$ receives the global model $W_{t}$ from the server and performs local training on its private dataset to obtain the local model $W_{t}^{i}$ (step ②). To protect model privacy, $C_{i}$ encrypts the local model and gets the encrypted model $E_{t}^{i}$ (step ③). Then, $C_{i}$ generates the functional key $skf_{t}^{i}$ for model detection (step ④), and uploads the encrypted model and the functional key to the server (step ⑤). 3) Privacy-preserving robust model aggregation. Upon receiving all encrypted local models $\{E_{t}^{i}\}_{i=1,...,I}$ , the server computes a layer-wise projection vector $V_{t}^{i}$ for each model based on the global model $W_{t}$ (step ⑥). The server then performs clustering analysis on $\{V_{t}^{i}\}_{i=1,...,I}$ to filter malicious models and identify benign models (step ⑦). Finally, the server aggregates these benign clients to update the global model $W_{t+1}$ (step ⑧). ### V-B Construction of SRFed #### V-B 1 Initialization In this phase, the server first executes the $\textbf{DEFE.Setup}(1^{\lambda},X,$ $Y)$ algorithm to generate the public parameters $pp$ , which are then made publicly available. Each client $C_{i}$ ( $i\in[1,I]$ ) subsequently generates its key pair $(pk_{i},sk_{i})$ by executing the $\textbf{DEFE.KeyGen}(1^{\lambda},N,g)$ algorithm. Finally, the server distributes the initial global model $W_{0}$ to all clients. #### V-B 2 Local Training The local training phase consists of three components: model training, model encryption, and functional key generation. 1) Model Training: In the $t$ -th ( $t\in[1,T]$ ) training round, once receiving the global model $W_{t}$ , each client $C_{i}$ utilizes its local dataset $D_{i}$ to update $W_{t}$ and obtains model update $W_{t}^{i}$ . For benign clients, they minimize their local objective function $L_{i}$ to obtain $W_{t}^{i}$ , i.e., $$ W_{t}^{i}=\arg\min_{W_{t}}L_{i}(W_{t},D_{i}). \tag{4} $$ Malicious clients execute distinct update strategies based on their attack method. Specifically, to perform a Gaussian attack, malicious clients first conduct normal local training according to Equation (4) to obtain the benign model $W_{t}^{i}$ , and subsequently inject Gaussian noise $noise_{t}$ into it to produce a poisoned model $(W_{t}^{i})^{*}$ , i.e., $$ (W_{t}^{i})^{*}=W_{t}^{i}+noise_{t}. \tag{5} $$ In addition, to launch a label-flipping attack, malicious clients first poison their training datasets by flipping all samples labeled as $l_{\text{src}}$ to a target class $l_{\text{tar}}$ . They then perform local training on the poisoned dataset $D_{i}^{*}(l_{\text{src}}\rightarrow l_{\text{tar}})$ to derive the poisoned model $(W_{t}^{i})^{*}$ , i.e., $$ (W_{t}^{i})^{*}=\arg\min_{W_{t}^{i}}L_{i}\left(W_{t}^{i},D_{i}^{*}(l_{\text{src}}\rightarrow l_{\text{tar}})\right). \tag{6} $$ 2) Model Encryption: To protect the privacy information of the local model, the clients exploit the DEFE scheme to encrypt their local models. Specifically, the clients first parse the local model as $W_{t}^{i}=[W_{t}^{(i,1)},\dots,W_{t}^{(i,l)},\dots,W_{t}^{(i,L)}]$ , where $W_{t}^{(i,l)}$ denotes the parameter set of the $l$ -th model layer. For each parameter element $W_{t}^{(i,l)}[\varepsilon]$ in $W_{t}^{(i,l)}$ , client $C_{i}$ executes the $\textbf{DEFE.Encrypt}(pk_{i},sk_{i},ctr,W_{t}^{(i,l)}[\varepsilon])$ algorithm to generate the encrypted parameter $E_{t}^{(i,l)}[\varepsilon]$ , i.e., $$ E_{t}^{(i,l)}[\varepsilon]=(1+N)^{{W_{t}^{(i,l)}}^{\prime}[\varepsilon]}\cdot g^{{r_{i}}^{ctr}}\bmod N^{2}, \tag{7} $$ where ${W_{t}^{(i,l)}}^{\prime}[\varepsilon]$ is the parameter $W_{t}^{(i,l)}[\varepsilon]$ perturbed by a noise term $\eta$ , i.e., $$ {W_{t}^{(i,l)}}^{\prime}[\varepsilon]=W_{t}^{(i,l)}[\varepsilon]+\eta. \tag{8} $$ In SRFed, the noise $\eta$ remains fixed for all clients during the first $T-1$ training rounds, and is set to $0$ in the final training round. Specifically, $\eta$ is an integer generated by client $C_{1}$ using the hash function $H_{1}$ during the first iteration, and is subsequently broadcast to all other clients for model encryption. The magnitude of $\eta$ is constrained by: $$ m_{l}\cdot\eta^{2}\ll\lVert W_{0}^{(l)}\rVert^{2},\quad\forall l\in[1,L], \tag{9} $$ where $W_{0}^{(l)}$ denotes the $l$ -th layer model parameters of the initial global model $W_{0}$ , and $m_{l}$ represents the number of parameters in $W_{0}^{(l)}$ . Finally, the client $C_{i}$ obtains the encrypted local model $E_{t}^{i}=[E_{t}^{(i,1)},\dots,E_{t}^{(i,l)},\dots,E_{t}^{(i,L)}]$ . 3) Functional Key Generation: Each client $C_{i}$ generates a functional key vector $skf_{t}^{i}=[skf_{t}^{(i,1)},skf_{t}^{(i,2)},\dots,skf_{t}^{(i,L)}]$ to enable the server to perform model detection on encrypted models. Specifically, for the $l$ -th layer of the global model $W_{t}$ , client $C_{i}$ executes the $\textbf{DEFE.FunKeyGen}(pk_{i},sk_{i},ctr,W_{t}^{(l)}[\varepsilon])$ algorithm to generate element-wise functional keys, i.e., $$ skf_{t}^{(i,l,\varepsilon)}=r_{i}^{ctr}\cdot W_{t}^{(l)}[\varepsilon]=H_{1}(sk_{i},ctr,\varepsilon)\cdot W_{t}^{(l)}[\varepsilon], \tag{10} $$ where $W_{t}^{(l)}[\varepsilon]$ denotes the $\varepsilon$ -th parameter of $W_{t}^{(l)}$ . After processing all elements in $W_{t}^{(l)}$ , client $C_{i}$ obtains the set of element-wise functional keys $\{\{skf_{t}^{(i,l,\varepsilon)}\}_{\varepsilon=1}^{|W_{t}^{(l)}|}\}_{l=1}^{L}$ . Subsequently, the layer-level functional key is derived by aggregating the element-wise keys using the $\textbf{DEFE.FunKeyAgg}(\{skf_{t}^{(i,l,\varepsilon)}\}_{\varepsilon=1}^{|W_{t}^{(l)}|})$ algorithm, i.e., $$ skf_{t}^{(i,l)}=\sum\nolimits_{\varepsilon=1}^{|W_{t}^{(l)}|}skf_{t}^{(i,l,\varepsilon)}. \tag{11} $$ This procedure is repeated for all layers to obtain the complete functional key vector $skf_{t}^{i}$ for client $C_{i}$ . Finally, each client uploads the encrypted local model $E_{t}^{i}$ and the corresponding functional key $skf_{t}^{i}$ to the server for subsequent model detection and aggregation. #### V-B 3 Privacy-Preserving Robust Model Aggregation To resist poisoning attacks from malicious clients, SRFed implements a privacy-preserving robust aggregation strategy, which enables secure detection and aggregation of encrypted local models without exposing private information. As illustrated in Figure 1, the proposed method performs layer-wise projection and clustering analysis to identify abnormal updates and ensure reliable model aggregation. Specifically, in each training round, the local model $W_{t}^{i}$ and the global model $W_{t}$ are decomposed layer by layer. For each layer, the parameters are projected onto the corresponding layer of the global model, and clustering is performed on the projection vectors to detect anomalous models. After that, the server filters malicious models and aggregates the remaining benign updates. Unlike prior defenses that rely on global statistical similarity between model updates [33, 29, 35], our approach captures fine-grained parameter anomalies and conducts clustering analysis to achieve effective detection even under non-IID data distributions. 1) Model Detection: Once receiving $E_{t}^{i}$ and $skf_{t}^{i}$ from client $C_{i}$ , the server computes the projection $V_{t}^{(i,l)}$ of $W_{t}^{(i,l)^{\prime}}$ onto $W_{t}^{(l)}$ , i.e., $$ V_{t}^{(i,l)}=\frac{\langle W_{t}^{(i,l)^{\prime}},W_{t}^{(l)}\rangle}{\lVert W_{t}^{(l)}\rVert_{2}}. \tag{12} $$ Specifically, the server first executes the $\textbf{DEFE.AggDec}(skf_{t}^{(i,l)},$ $E_{t}^{(i,l)})$ algorithm, which effectively computes the inner product of $W_{t}^{(i,l)^{\prime}}$ and $W_{t}^{(l)}$ . This value is then normalized by $\lVert W_{t}^{(l)}\rVert_{2}$ to obtain $$ V_{t}^{(i,l)}=\frac{\textbf{DEFE.AggDec}(skf_{t}^{(i,l)},E_{t}^{(i,l)})}{\lVert W_{t}^{(l)}\rVert_{2}}. \tag{13} $$ By iterating over all $L$ layers, the server obtains the layer-wise projection vector $V_{t}^{i}=[V_{t}^{(i,1)},V_{t}^{(i,2)},\dots,V_{t}^{(i,L)}]$ corresponding to client $C_{i}$ . After computing projection vectors for all clients, the server clusters the set $\{V_{t}^{i}\}_{i=1}^{I}$ into $K$ clusters $\{\Omega_{1},\Omega_{2},\dots,\Omega_{K}\}$ using the K-Means algorithm. For each cluster $\Omega_{k}$ , the centroid vector $\bar{V}_{k}$ is computed, and the average cosine similarity $\overline{cs}_{k}$ between all vectors in the cluster and $\bar{V}_{k}$ is calculated. Finally, the $K-1$ clusters with the largest average cosine similarities are identified as benign clusters, while the remaining cluster is considered potentially malicious. 3) Model Aggregation: The server first maps the vectors in the selected $K-1$ clusters to their corresponding clients, generating a client list $L^{t}_{bc}$ and a weight vector $\gamma_{t}=(\gamma^{1}_{t},\dots,\gamma^{I}_{t})$ , where $$ \gamma^{i}_{t}=\begin{cases}1&\text{if }C_{i}\in L^{t}_{bc},\\ 0&\text{otherwise.}\end{cases} \tag{14} $$ The server then distributes $\gamma_{t}$ to all clients. Upon receiving $\gamma^{i}_{t}$ , each client $C_{i}$ locally executes the $\textbf{DEFE.FunKeyGen}(pk_{i},sk_{i},$ $ctr,\gamma^{i}_{t},aux)$ algorithm to compute the partial functional key $skf^{(i,\mathsf{Agg})}_{t}$ as $$ skf^{(i,\mathsf{Agg})}_{t}=r_{i}^{ctr}y^{i}_{t}+\sum_{j=1}^{i-1}\varphi^{i,j}-\sum_{j=i+1}^{n}\varphi^{i,j}. \tag{15} $$ Each client uploads $skf^{(i,\mathsf{Agg})}_{t}$ to the server. Subsequently, the server executes the $\textbf{DEFE.FunKeyAgg}\left((skf^{(i,\mathsf{Agg})}_{t})_{i=1}^{I}\right)$ to compute the aggregation key as $$ skf^{\mathsf{Agg}}_{t}=\sum_{i=1}^{I}skf^{(i,\mathsf{Agg})}_{t}. \tag{16} $$ Finally, the server performs layer-wise aggregation to obtain the noise-perturbed global model $W_{t+1}^{\prime}$ as $$ \displaystyle W_{t+1}^{(l)^{\prime}}[\varepsilon] \displaystyle=\frac{\text{DEFE.AggDec}\left(skf^{\mathsf{Agg}}_{t},\{E_{t}^{(i,l)}[\varepsilon]\}_{i=1}^{I}\right)}{n} \displaystyle=\frac{\langle(W_{t}^{(1,l)^{\prime}}[\varepsilon],\dots,W_{t}^{(I,l)^{\prime}}[\varepsilon]),\gamma_{t}\rangle}{n} \tag{17} $$ where $n$ denotes the number of 1-valued elements in $L^{t}_{bc}$ . The server then distributes $W_{t+1}^{\prime}$ to all clients for the $(t+1)$ -th training round. Note that $W_{t+1}^{\prime}$ is noise-perturbed, the clients must remove the perturbation to recover the accurate global model $W_{t+1}$ . They will execute the $\textbf{DEFE.UsrDec}(W_{t+1}^{(l)^{\prime}}[\varepsilon],\gamma_{t})$ algorithm to restore the true global model parameter $W_{t+1}^{(l)}[\varepsilon]=W_{t+1}^{(l)^{\prime}}[\varepsilon]-\eta$ . ## VI Analysis ### VI-A Confidentiality In this subsection, we demonstrate that our DEFE-based SRFed framework guarantees the confidentiality of clients’ local models under the Honest-but-Curious (HBCS) security setting. **Definition VI.1 (Decisional Composite Residuosity (DCR) Assumption[43])** *Selecting safe primes $p=2p^{\prime}+1$ and $q=2q^{\prime}+1$ with $p^{\prime},q^{\prime}>2^{l(\lambda)}$ , where $l$ is a polynomial in security parameter $\lambda$ , let $N=pq$ . The Decision Composite Residuosity (DCR) assumption states that, for any Probability Polynomial Time (PPT) adversary $\mathcal{A}$ and any distinct inputs $x_{0},x_{1}$ , the following holds: $$ |Pr_{win}(\mathcal{A},(1+N)^{x_{0}}\cdot g^{r_{i}^{ctr}}\mod N^{2},x_{0},x_{1})-\frac{1}{2}|=negl(\lambda), $$ where $Pr_{win}$ denotes the probability that the adversary $\mathcal{A}$ distinguishes ciphertexts.* **Definition VI.2 (Honest but Curious Security (HBCS))** *Consider the following game between an adversary $\mathcal{A}$ and a PPT simulator $\mathcal{A}^{*}$ , a protocol $\Pi$ is secure if the real-world view $\textbf{REAL}_{\mathcal{A}}^{\Pi}$ of $\mathcal{A}$ is computationally indistinguishable from the ideal-world view $\textbf{IDEAL}_{\mathcal{A}^{*}}^{\mathcal{F_{\Pi}}}$ of $\mathcal{A}^{*}$ , i.e., for all inputs $\hat{x}$ and intermediate results $\hat{y}$ from participants, it holds $\textbf{REAL}_{\mathcal{A}}^{\Pi}(\lambda,\hat{x},\hat{y})\overset{c}{\equiv}\textbf{IDEAL}_{\mathcal{A}^{*}}^{\mathcal{F_{\Pi}}}(\lambda,\hat{x},\hat{y})$ , where $\overset{c}{\equiv}$ denotes computationally indistinguishable.* **Theorem VI.1** *SRFed achieves Honest but Curious Security under the DCR assumption, which means that for all inputs $\{C_{t}^{i},{skf}_{t}^{i}\}_{i=1,...,I}$ and intermediate results ( $V_{t}^{i}$ , $W_{t+1}^{\prime}$ , $W_{T}$ ), SRFed holds: $\textbf{REAL}_{\mathcal{A}}^{SRFed}(C_{t}^{i},{skf}_{t}^{i},skf_{t}^{\mathsf{Agg}},V_{t}^{i},W_{t+1}^{\prime},W_{T})\overset{c}{\equiv}$ $\textbf{IDEAL}_{\mathcal{A}^{*}}^{\mathcal{F}_{SRFed}}(C_{t}^{i},{skf}_{t}^{i},skf_{t}^{\mathsf{Agg}},V_{t}^{i},W_{t+1}^{\prime},W_{T})$ .* * Proof:* To prove the security of SRFed, we just need to prove the confidentiality of the privacy-preserving defense strategy, since only it involves the computation of private data by unauthorized entities (i.e., the server). For the curious server, $\textbf{REAL}_{\mathcal{A}}^{SRFed}$ contains intermediate parameters and encrypted local models $\{C_{t}^{i}\}_{i=1,...,I}$ collected from each client during the execution of SRFed protocols. Besides, we construct a PPT simulator $\mathcal{A}^{*}$ to execute $\mathcal{F}_{SRFed}$ , which simulates each process of the privacy-preserving defensive aggregation strategy. The detailed proof is described below. Hyb 1 We initialize a series of random variables whose distributions are indistinguishable from $\textbf{REAL}_{\mathcal{A}}^{SRFed}$ during the real protocol execution. Hyb 2 In this hybrid, we change the behavior of simulated client $C_{i}$ $(i\in[1,I])$ . $C_{i}$ takes the selected random vector of random variables $\Theta_{W}$ as the local model $W_{t}^{i^{\prime}}$ , and uses the DEFE.Encrypt algorithm to encrypt $W_{t}^{i^{\prime}}$ . As only the original contents of ciphertexts have changed, it guarantees that the server cannot distinguish the view of $\Theta_{W}$ from the view of original $W_{t}^{i^{\prime}}$ according to the Definition (VI.1). Then, $C_{i}$ uses the DEFE.FunKeyGen algorithm to generate the key vector $skf_{t}^{i}=[skf_{t}^{(i,1)},skf_{t}^{(i,2)},\dots,skf_{t}^{(i,L)}].$ Note that each component of $skf_{t}^{i}$ essentially is the inner product result, thus revealing no secret information to the server. Hyb 3 In this hybrid, we change the input of the protocol of Secure Model Aggregation executed by the server with encrypted random variables instead of real encrypted model parameters. The server gets the plaintexts vector $V_{t}^{i}=[V_{t}^{(i,1)},V_{t}^{(i,2)},\dots,V_{t}^{(i,L)}]$ corresponding to $C_{i}$ , which is the layer-wise projection of $\Theta_{W}$ and $W_{t}$ . As the inputs $\Theta_{W}$ follow the same distribution as the real $W^{i^{\prime}}_{t}$ , the server cannot distinguish the $V_{t}^{i}$ between ideal world and real world without knowing further information about the inputs. Then, the server performs clustering based on $\{V_{t}^{i}\}^{I}_{i=1}$ to obtain $\{\Omega_{k}\}^{K}_{k=1}$ . Subsequently, it computes the average cosine similarity of all vectors within each cluster to their centroid, and assigns client weights accordingly. Since $\{V_{t}^{i}\}^{I}_{i=1}$ is indistinguishable between the ideal world and the real world, the intermediate variables calculated via $\{V_{t}^{i}\}^{I}_{i=1}$ above also inherit this indistinguishability. Hence, this hybrid is indistinguishable from the previous one. Hyb 4 In this hybrid, the aggregated model $W_{t+1}^{\prime}$ is computed by the DEFE.AggDec algorithm. $\mathcal{A}^{*}$ holds the view $\textbf{IDEAL}_{\mathcal{A}^{*}}^{\mathcal{F}_{SRFed}}$ $=$ $(C_{t}^{i},{skf}_{t}^{i},skf_{t}^{\mathsf{Agg}},V_{t}^{i},W_{t+1}^{\prime},W_{T})$ , where $skf_{t}^{\mathsf{Agg}}$ is obtained by the interaction of non-colluding clients and server, the full security property of DEFE and the non-colluding setting ensure the security of $skf_{t}^{\mathsf{Agg}}$ . Among the elements of intermediate computation, the local model $W_{t}^{i^{\prime}}$ is encrypted, which is consistent with the previous hybrid. Throughout the $T$ -round iterative process, the server obtains the noise-perturbed aggregated model $W_{t+1}^{\prime}=W_{t+1}+\eta$ via the secure model aggregation when $0\leq t<T-1$ . Thus, the server cannot infer the real $W_{t+1}$ , and cannot distinguish the $W_{t+1}^{\prime}$ between ideal world and real world. When $t=T-1$ , since the distribution of $\Theta_{W}$ remains identical to that of $W_{T}$ , the probability that the server can distinguish the final averaged aggregated model $W_{T}$ is negligible. Hence, this hybrid is indistinguishable from the previous one. Hyb 5 When $0\leq t<T$ , all clients further execute the DEFE.UsrDec algorithm to restore the $W_{t+1}$ . This process is independent of the server, hence this hybrid is indistinguishable from the previous one. The argument above proves that the output of $\textbf{IDEAL}_{\mathcal{A}^{*}}^{\mathcal{F}_{SRFed}}$ is indistinguishable from the output of $\textbf{REAL}_{\mathcal{A}}^{SRFed}$ . Thus, it proves that SRFed guarantees HBCS. ∎ ### VI-B Robustness To theoretically analyze the robustness of SRFed against poisoning attacks, we first prove the following theorem. **Theorem VI.2** *When the noise perturbation $\eta$ satisfies the constraint in (9), the clustering results of SRFed over all $T$ iterations remain approximately equivalent to those obtained using the original local models $\{W_{t}^{i}\}_{1,2,...,I}$ .* * Proof:* Let $\overline{\eta}$ be a vector of the same shape as $W_{t}^{(i,l)^{\prime}}$ with all entries equal to $\eta$ , and ${V_{t}^{i}}_{real}$ be the real projection vector derived from the noise-free models. We discuss the following three cases. ① $t=0:$ For any $i\in[1,I]$ , $W_{0}^{(i,l)^{\prime}}=W_{0}^{(i,l)}+\overline{\eta}$ , we have $$ \displaystyle V_{0}^{i} \displaystyle=\frac{\langle W_{0}^{(i,l)^{\prime}},W_{0}^{(l)}\rangle}{\lVert W_{0}^{(l)}\rVert_{2}}=\frac{\langle W_{0}^{(i,l)}+\overline{\eta},W_{0}^{(l)}\rangle}{\lVert W_{0}^{(l)}\rVert_{2}}={V_{0}^{i}}_{real}+\frac{\langle\overline{\eta},W_{0}^{(l)}\rangle}{\lVert W_{0}^{(l)}\rVert_{2}}. \tag{18} $$ Note that $\frac{\langle\overline{\eta},W_{0}^{(l)}\rangle}{\lVert W_{0}^{(l)}\rVert_{2}}$ is identical for any client, the clustering result of $\{V_{0}^{i}\}^{I}_{i=1}$ is entirely equivalent to that of $\{{V_{0}^{i}}_{real}\}^{I}_{i=1}$ based on the underlying computation of K-Means. ② $0<t<T:$ For any $i\in[1,I]$ , $W_{t}^{(i,l)^{\prime}}=W_{t}^{(i,l)}+\overline{\eta}$ . Correspondingly, $W_{t}^{(l)^{\prime}}=W_{t}^{(l)}+\overline{\eta}$ , and we have $$ \begin{split}V_{t}^{i}&=\frac{\langle W_{t}^{(i,l)^{\prime}},W_{t}^{(l)^{\prime}}\rangle}{\lVert W_{t}^{(l)^{\prime}}\rVert_{2}}\\ &=\frac{\langle W_{t}^{(i,l)},W_{t}^{(l)}\rangle+\langle W_{t}^{(i,l)},\overline{\eta}\rangle+\langle\overline{\eta},W_{t}^{(l)}\rangle+\langle\overline{\eta},\overline{\eta}\rangle}{\sqrt[]{\lVert W_{t}^{(l)}\rVert_{2}^{2}+2\langle W_{t}^{(l)},\overline{\eta}\rangle+\lVert\overline{\eta}\rVert_{2}^{2}}}.\end{split} \tag{19} $$ By combining the above equation with the constraint (9), $V_{t}^{i}$ is approximately equivalent to the real value of ${V_{t}^{i}}_{real}$ . ③ $t=T:$ For any $i\in[1,I]$ , $W_{T}^{(i,l)^{\prime}}=W_{T}^{(i,l)}$ . Correspondingly, $W_{T}^{(l)^{\prime}}=W_{T}^{(l)}+\overline{\eta}$ , and we have $$ \displaystyle V_{T}^{i} \displaystyle=\frac{\langle W_{T}^{(i,l)},W_{T}^{(l)^{\prime}}\rangle}{\lVert W_{T}^{(l)^{\prime}}\rVert_{2}}=\frac{\langle W_{T}^{(i,l)},W_{T}^{(l)}\rangle+\langle W_{T}^{(i,l)},\overline{\eta}\rangle}{\sqrt[]{\lVert W_{T}^{(l)}\rVert_{2}^{2}+2\langle W_{T}^{(l)},\overline{\eta}\rangle+\lVert\overline{\eta}\rVert_{2}^{2}}}. \tag{20} $$ Similarly, by combining the above equation with the constraint (9), $V_{T}^{i}$ is approximately equivalent to the real value of ${V_{T}^{i}}_{real}$ . Therefore, across all iterations, the clustering results based on $\{V_{t}^{i}\}$ closely approximate those derived from the original local models, confirming that the introduced perturbation does not affect model detection. ∎ Then, we introduce a key assumption, which has been proved in [37, 32]. This assumption reveals the essential difference between malicious and benign models and serves as a core basis for subsequent robustness analysis. **Assumption VI.1** *An error term $\tau^{(t)}$ exists between the average malicious gradients $\mathbf{W}_{t}^{i*}$ and the average benign gradients $\mathbf{W}_{t}^{i}$ due to divergent training objectives. This is formally expressed as: $$ \sum_{C_{i}\in\mathcal{M}}\mathbf{W}_{t}^{i*}=\sum_{C_{i}\in\mathcal{B}}\mathbf{W}_{t}^{i}+\tau^{(t)}. \tag{21} $$ The magnitude of $\tau^{(t)}$ exhibits a positive correlation with the number of iterative training rounds.* **Theorem VI.3** *SRFed guarantees robustness to malicious clients in non-IID settings, provided that most clients are benign.* * Proof:* In the secure model aggregation phase of SRFed, the server collects the encrypted model $C_{t}^{i}$ and the corresponding key vectors $skf_{t}^{i}$ from each client, then computes the projection $V_{t}^{(i,l)}$ of $W_{t}^{(i,l)}$ onto $W_{t}^{(l)}$ , i.e., $\frac{\langle W_{t}^{(i,l)},W_{t}^{(l)}\rangle}{\lVert W_{t}^{(l)}\rVert_{2}}$ . By iterating over $L$ layers, the server obtains the layer-wise projection vector $V_{t}^{i}=[V_{t}^{(i,1)},V_{t}^{(i,2)},\dots,V_{t}^{(i,L)}]$ corresponding to $C_{i}$ . Subsequently, the server performs clustering on the projection vectors $\{V_{t}^{i}\}^{I}_{i=1}$ . Based on the Assumption (VI.1), a non-negligible divergence $\tau^{(t)}$ emerges between benign and malicious local models, which grows with the number of iterations. Meanwhile, by independently projecting each layer’s parameters onto the corresponding layer of the global model, our operation eliminates cross-layer interference. This ensures that malicious modifications confined to specific layers can be detected significantly more effectively. Therefore, our clustering approach successfully distinguishes between benign and malicious models by grouping them into separate clusters. Due to significant distribution divergence, malicious models exhibit a lower average cosine similarity to their cluster center. Consequently, our scheme filters out the cluster containing malicious models by computing average cosine similarity, ultimately achieving robust to malicious clients. ∎ ### VI-C Efficiency **Theorem VI.4** *The computation and communication complexities of SRFed are $\mathcal{O}(T_{lt})+\mathcal{O}(\zeta T_{me-defe})+\mathcal{O}(T_{md-defe})+\mathcal{O}(T_{ma-defe})$ and $\mathcal{O}(I\zeta|w_{defe}|)+\mathcal{O}(IL|w|)$ , respectively.* * Proof:* To evaluate the efficiency of SRFed, we analyze its computational and communication overhead per training iteration and compare it with ShieldFL [29]. ShieldFL is an efficient PPFL framework based on the partially homomorphic encryption (PHE) scheme. The comparative results are presented in Table III. Specifically, the computational overhead of SRFed comprises four components: local training $\mathcal{O}(T_{lt})$ , model encryption $\mathcal{O}(\zeta T_{me-defe})$ , model detection $\mathcal{O}(T_{md-defe})$ , and model aggregation $\mathcal{O}(T_{ma-defe})$ . For model encryption, FE inherently offers a lightweight advantage over PHE, leading to $\mathcal{O}(\zeta T_{me-defe})<\mathcal{O}(\zeta T_{me-phe})$ . In terms of model detection, SRFed performs this process primarily on the server side using plaintext data, whereas ShieldFL requires multiple rounds of interaction to complete the encrypted model detection. This results in $\mathcal{O}(T_{md-defe})\ll\mathcal{O}(T_{md-phe})$ . Furthermore, SRFed enables the server to complete decryption and aggregation simultaneously. In contrast, ShieldFL necessitates aggregation prior to decryption and involves interactions with a third party, resulting in significantly higher overhead, i.e., $\mathcal{O}(T_{ma-defe})\ll\mathcal{O}(T_{ma-phe})$ . Overall, these characteristics collectively render SRFed more efficient than ShieldFL. The communication overhead of SRFed comprises two components: the encrypted models $\mathcal{O}(I\zeta|w_{defe}|)$ and key vectors $\mathcal{O}(IL|w|)$ uploaded by $I$ clients, where $\zeta$ denotes the model dimension, $L$ is the number of layers, $|w_{defe}|$ and $|w|$ are the communication complexity of a single DEFE ciphertext and a single plaintext, respectively. Since $|w|$ is significantly lower than $|w_{defe}|$ , and $|w_{defe}|$ and $|w_{phe}|$ are nearly equivalent, SRFed reduces the overall communication complexity by approximately $\mathcal{O}(12I\zeta|w_{phe}|)$ compared to ShieldFL. This reduction in overhead is primarily attributed to SRFed’s lightweight DEFE scheme, which eliminates extensive third-party interactions. ∎ TABLE III: Comparison of computation and communication overhead between different methods | Method | SRFed | ShieldFL | | --- | --- | --- | | Comp. | $\mathcal{O}(T_{lt})+\mathcal{O}(\zeta T_{me-defe})$ | $\mathcal{O}(T_{lt})+\mathcal{O}(\zeta T_{me-phe})$ | | $+\mathcal{O}(T_{ma-defe})$ | $+\mathcal{O}(\zeta T_{md-phe})$ | | | $+\mathcal{O}(T_{ma-defe})$ | $+\mathcal{O}(T_{md-phe})$ | | | Comm. | $\mathcal{O}(I\zeta|w_{defe}|)^{1}+\mathcal{O}(IL|w|)^{2}$ | $\mathcal{O}(13I\zeta|w_{phe}|)^{\mathrm{3}}$ | - Notes: ${}^{\mathrm{1,2,3}}|w_{defe}|$ , $|w|$ and $|w_{phe}|$ denote the communication complexity of a DEFE ciphertext, a plaintext, and a PHE ciphertext, respectively. ## VII Experiments ### VII-A Experimental Settings #### VII-A 1 Implementation We implement SRFed on a small-scale local network. Each machine in the network is equipped with the following hardware configuration: an Intel Xeon CPU E5-1650 v4, 32 GB of RAM, an NVIDIA GeForce GTX 1080 Ti graphics card, and a network bandwidth of 40 Mbps. Additionally, the implementation of the DEFE scheme is based on the NDD-FE scheme [31], and the code implementation of FL processes is referenced to [44]. #### VII-A 2 Dataset and Models We evaluate the performance of SRFed on two datasets: - MNIST [45]: This dataset consists of 10 classes of handwritten digit images, with 60,000 training samples and 10,000 test samples. Each sample is a grayscale image of 28 × 28 pixels. The global model used for this dataset is a Convolutional Neural Network (CNN) model, which includes two convolutional layers followed by two fully connected layers. - CIFAR-10 [46]: This dataset contains RGB color images across 10 categories, including airplane, car, bird, cat, deer, dog, frog, horse, boat, and truck. It consists of 50,000 training images and 10,000 test samples. Each sample is a 32 × 32 pixel color image. The global model used for this dataset is a CNN model, which includes three convolutional layers, one pooling layer, and two fully connected layers. #### VII-A 3 Baselines To evaluate the robustness of the proposed SRFed method, we conduct comparative experiments against several advanced baseline methods, including FedAvg [47], ShieldFL [29], PBFL [37], Median [35], Biscotti [41], and FoolsGold [33]. Furthermore, to evaluate the efficiency of SRFed, we compare it with representative methods such as ShieldFL [29] and ESB-FL [31]. #### VII-A 4 Experimental parameters In all experiments, the number of local clients is set to 20, the number of training rounds is set to 100, the batchsize is set to 64, and the number of local training epochs is set to 10. We use the stochastic gradient descent (SGD) to optimize the model, with a learning rate of 0.01 and a momentum of 0.5. Additionally, our experiments are conducted under varying levels of data heterogeneity, with the data distributions configured as follows: - MNIST: Two distinct levels of data heterogeneity are configured by sampling from a Dirichlet distribution with the parameters $\alpha=0.2$ and $\alpha=0.8$ , respectively, to simulate Non-IID data partitions across clients. - CIFAR-10: Two distinct levels of data heterogeneity are configured by sampling from a Dirichlet distribution with the parameters $\alpha=0.2$ and $\alpha=0.6$ , respectively, to simulate Non-IID data partitions across clients. #### VII-A 5 Attack Scenario In each benchmark, the adversary can control a certain proportion of clients to launch poisoning attacks, with the proportion varying across {0%, 10%, 20%, 30%, 40%, 50%}. The attack scenario parameters are configured as follows: - Targeted Poisoning Attack: we consider the mainstream label-flipping attack. For experiments on the MNIST dataset, the training samples originally labeled as ”0” are reassigned to the target label ”4”. For the CIFAR-10 dataset, the training samples originally labeled as ”airplane” are reassigned to the target label ”deer”. - Untargeted Poisoning Attack: We consider the commonly used Gaussian attack. In experiments, malicious clients inject noise that follows a Gaussian distribution $\mathcal{N}(0,0.5^{2})$ into their local model updates. #### VII-A 6 Evaluation Metrics For each benchmark experiment, we adopt the following evaluation metrics on the test dataset to quantify the impact of poisoning attacks on the aggregated model in FL. - Overall Accuracy (OA): It is the ratio of the number of samples correctly predicted by the model in the test dataset to the total number of predictions for all samples in the test dataset. - Source Accuracy (SA): It specifically refers to the ratio of the number of correctly predicted flip class samples by the model to the total number of flip class samples in the dataset. - Attack Success Rate (ASR): It is defined as the proportion of source-class samples that are misclassified as the target class by the aggregated model. <details> <summary>x2.png Details</summary>  ### Visual Description ## Line Chart: Accuracy vs. Attack Ratio for Federated Learning Algorithms ### Overview This line chart depicts the relationship between the attack ratio (percentage) and the accuracy (percentage) of several federated learning algorithms. The chart compares the performance of FedAvg, ShieldFL, PBFL, Median, Biscotti, FoolsGold, and a method labeled "Ours" under increasing attack conditions. ### Components/Axes * **X-axis:** "Attack ratio (%)" ranging from 0 to 50, with markers at 0, 10, 20, 30, 40, and 50. * **Y-axis:** "Accuracy (%)" ranging from approximately 84 to 97, with markers at 84, 86, 88, 90, 92, 94, 96. * **Legend:** Located in the bottom-left corner, listing the following algorithms with corresponding line colors: * FedAvg (Blue) * ShieldFL (Orange) * PBFL (Green) * Median (Purple) * Biscotti (Grey) * FoolsGold (Red) * Ours (Brown/Maroon) ### Detailed Analysis Here's a breakdown of each line's trend and approximate data points, verified against the legend colors: * **FedAvg (Blue):** The line starts at approximately 96.2% accuracy at 0% attack ratio and sharply declines to approximately 84.5% at 50% attack ratio. It is a nearly linear downward slope. * (0%, 96.2%) * (10%, 95.8%) * (20%, 94.8%) * (30%, 93.5%) * (40%, 88.5%) * (50%, 84.5%) * **ShieldFL (Orange):** The line begins at approximately 96.1% accuracy at 0% attack ratio and gradually decreases to approximately 94.5% at 50% attack ratio. * (0%, 96.1%) * (10%, 95.9%) * (20%, 95.5%) * (30%, 95.2%) * (40%, 94.8%) * (50%, 94.5%) * **PBFL (Green):** The line starts at approximately 95.8% accuracy at 0% attack ratio and declines to approximately 86.5% at 50% attack ratio. * (0%, 95.8%) * (10%, 95.6%) * (20%, 94.8%) * (30%, 94.2%) * (40%, 90.5%) * (50%, 86.5%) * **Median (Purple):** The line begins at approximately 96.1% accuracy at 0% attack ratio and declines to approximately 88.5% at 50% attack ratio. * (0%, 96.1%) * (10%, 95.9%) * (20%, 95.3%) * (30%, 94.8%) * (40%, 92.5%) * (50%, 88.5%) * **Biscotti (Grey):** The line starts at approximately 96.2% accuracy at 0% attack ratio and declines to approximately 94.5% at 50% attack ratio. * (0%, 96.2%) * (10%, 96.0%) * (20%, 95.6%) * (30%, 95.3%) * (40%, 95.0%) * (50%, 94.5%) * **FoolsGold (Red):** The line begins at approximately 96.1% accuracy at 0% attack ratio and declines to approximately 95.0% at 50% attack ratio. * (0%, 96.1%) * (10%, 95.9%) * (20%, 95.5%) * (30%, 95.3%) * (40%, 95.2%) * (50%, 95.0%) * **Ours (Brown/Maroon):** The line starts at approximately 96.2% accuracy at 0% attack ratio and remains relatively stable, declining slightly to approximately 95.8% at 50% attack ratio. * (0%, 96.2%) * (10%, 96.1%) * (20%, 96.0%) * (30%, 95.9%) * (40%, 95.8%) * (50%, 95.8%) ### Key Observations * FedAvg exhibits the most significant drop in accuracy as the attack ratio increases, indicating high vulnerability. * "Ours" demonstrates the highest resilience to attacks, maintaining a relatively stable accuracy level across all attack ratios. * ShieldFL, Biscotti, and FoolsGold show relatively minor declines in accuracy, suggesting good robustness. * PBFL and Median show moderate declines in accuracy. ### Interpretation The chart demonstrates the varying levels of robustness of different federated learning algorithms against adversarial attacks. The "attack ratio" likely represents the proportion of malicious participants in the federated learning process. The results suggest that FedAvg is highly susceptible to attacks, while the proposed method ("Ours") offers significantly improved resilience. This could be due to the implementation of specific defense mechanisms within "Ours" that mitigate the impact of malicious contributions. The relatively stable performance of "Ours" indicates a potential advantage in real-world deployments where the presence of adversarial actors is a concern. The differences in performance between the algorithms highlight the importance of considering security and robustness when selecting a federated learning approach. The chart provides empirical evidence supporting the claim that "Ours" is a more secure and reliable federated learning algorithm compared to the others tested. </details> (a) MNIST ( $\alpha$ =0.2) <details> <summary>x3.png Details</summary>  ### Visual Description ## Line Chart: Accuracy vs. Attack Ratio for Federated Learning Defenses ### Overview This line chart compares the accuracy of several Federated Learning (FL) defense mechanisms under varying attack ratios. The x-axis represents the attack ratio (percentage), and the y-axis represents the accuracy (percentage). Six different defense strategies are plotted as lines, showing how their performance degrades as the attack ratio increases. ### Components/Axes * **X-axis:** "Attack ratio (%)" - Scale ranges from 0% to 50%, with markers at 0, 10, 20, 30, 40, and 50. * **Y-axis:** "Accuracy (%)" - Scale ranges from 70% to 96%, with markers at 70, 75, 80, 85, 90, 95. * **Legend (bottom-left):** Lists the defense mechanisms and their corresponding line colors: * FedAvg (blue) * ShieldFL (orange) * PBFL (green) * Median (purple) * Biscotti (grey) * FoolsGold (brown) * Ours (red) ### Detailed Analysis Here's a breakdown of each line's trend and approximate data points, verified against the legend colors: * **FedAvg (blue):** The line is relatively flat, starting at approximately 94% accuracy at 0% attack ratio and decreasing slightly to around 92% at 50% attack ratio. * **ShieldFL (orange):** Starts at approximately 95% accuracy at 0% attack ratio. It remains relatively stable until around 30% attack ratio, then declines more rapidly, reaching approximately 90% at 50% attack ratio. * **PBFL (green):** Starts at approximately 95% accuracy at 0% attack ratio. It remains stable until approximately 40% attack ratio, then declines to around 91% at 50% attack ratio. * **Median (purple):** Starts at approximately 94% accuracy at 0% attack ratio. It remains relatively flat, decreasing slightly to around 92% at 50% attack ratio. * **Biscotti (grey):** Starts at approximately 94% accuracy at 0% attack ratio. It declines steadily, reaching approximately 89% at 50% attack ratio. * **FoolsGold (brown):** Starts at approximately 95% accuracy at 0% attack ratio. It remains stable until approximately 20% attack ratio, then declines sharply, reaching approximately 72% at 50% attack ratio. * **Ours (red):** Starts at approximately 95% accuracy at 0% attack ratio. It remains stable until approximately 30% attack ratio, then declines rapidly, reaching approximately 68% at 50% attack ratio. ### Key Observations * **FoolsGold and Ours** exhibit the most significant performance degradation as the attack ratio increases. * **FedAvg, ShieldFL, PBFL, and Median** demonstrate relatively robust performance, maintaining accuracy above 90% even at a 50% attack ratio. * **Biscotti** shows a moderate decline in accuracy with increasing attack ratio. * The most substantial drops in accuracy occur between 20% and 50% attack ratio for several methods. ### Interpretation The chart demonstrates the varying resilience of different Federated Learning defense mechanisms against adversarial attacks. The "attack ratio" likely represents the proportion of malicious participants in the federated learning process. The data suggests that some defenses (FedAvg, ShieldFL, PBFL, Median) are more effective at mitigating the impact of attacks than others (FoolsGold, Ours). The rapid decline in accuracy for FoolsGold and Ours indicates they are particularly vulnerable to attacks, potentially due to their underlying mechanisms being easily circumvented by malicious actors. The relatively stable performance of FedAvg, ShieldFL, PBFL, and Median suggests they incorporate more robust defenses against adversarial manipulation. The chart highlights the importance of selecting appropriate defense strategies based on the expected level of adversarial activity in a federated learning environment. The fact that all methods degrade with increasing attack ratio suggests that no defense is perfect, and a combination of strategies might be necessary for optimal security. </details> (b) MNIST ( $\alpha$ =0.8) <details> <summary>x4.png Details</summary>  ### Visual Description ## Line Chart: Accuracy vs. Attack Ratio for Federated Learning Algorithms ### Overview This line chart depicts the relationship between the attack ratio (percentage) and the accuracy (percentage) of several federated learning algorithms. The chart compares the performance of these algorithms under increasing adversarial conditions, represented by the attack ratio. ### Components/Axes * **X-axis:** "Attack ratio (%)" - Ranges from 0% to 50%, with markers at 0, 10, 20, 30, 40, and 50. * **Y-axis:** "Accuracy (%)" - Ranges from approximately 55% to 76%, with markers at 55, 60, 65, 70, 75. * **Legend:** Located in the bottom-left corner, listing the following algorithms with corresponding line colors and markers: * FedAvg (Blue, Square) * ShieldFL (Orange, Circle) * PBFL (Green, Triangle) * Median (Purple, Diamond) * Biscotti (Gray, Star) * FoolsGold (Brown, Inverted Triangle) * Ours (Red, Circle with a dot in the center) ### Detailed Analysis Here's a breakdown of each line's trend and approximate data points, verified against the legend colors: * **FedAvg (Blue, Square):** The line starts at approximately 69% accuracy at 0% attack ratio and slopes downward, reaching approximately 62% at 50% attack ratio. Data points (approximate): (0, 69), (10, 67), (20, 66), (30, 65), (40, 63), (50, 62). * **ShieldFL (Orange, Circle):** The line begins at approximately 75% accuracy at 0% attack ratio, decreases to around 73% at 10%, remains relatively stable around 72-73% between 10% and 40% attack ratio, and then drops to approximately 68% at 50% attack ratio. Data points (approximate): (0, 75), (10, 73), (20, 72.5), (30, 73), (40, 72), (50, 68). * **PBFL (Green, Triangle):** Starts at approximately 74% accuracy at 0% attack ratio, decreases to around 72% at 10%, remains relatively stable around 71-72% between 10% and 40% attack ratio, and then drops to approximately 68% at 50% attack ratio. Data points (approximate): (0, 74), (10, 72), (20, 71.5), (30, 71.5), (40, 71), (50, 68). * **Median (Purple, Diamond):** The line starts at approximately 68% accuracy at 0% attack ratio and consistently decreases, reaching approximately 62% at 50% attack ratio. Data points (approximate): (0, 68), (10, 66), (20, 65), (30, 64), (40, 63), (50, 62). * **Biscotti (Gray, Star):** The line shows a steep decline, starting at approximately 73% accuracy at 0% attack ratio and dropping to approximately 58% at 50% attack ratio. Data points (approximate): (0, 73), (10, 71), (20, 66), (30, 62), (40, 59), (50, 58). * **FoolsGold (Brown, Inverted Triangle):** The line starts at approximately 74% accuracy at 0% attack ratio and decreases to approximately 63% at 50% attack ratio. Data points (approximate): (0, 74), (10, 72), (20, 69), (30, 66), (40, 64), (50, 63). * **Ours (Red, Circle with a dot):** The line begins at approximately 75% accuracy at 0% attack ratio, decreases to around 73% at 10%, remains relatively stable around 72-73% between 10% and 40% attack ratio, and then drops to approximately 68% at 50% attack ratio. Data points (approximate): (0, 75), (10, 73), (20, 72.5), (30, 72.5), (40, 72), (50, 68). ### Key Observations * Biscotti exhibits the most significant performance degradation with increasing attack ratio. * FedAvg and Median show a relatively linear decrease in accuracy as the attack ratio increases. * ShieldFL, PBFL, and Ours demonstrate more resilience to attacks up to approximately 40% attack ratio, maintaining accuracy above 70%. * At 50% attack ratio, all algorithms experience a noticeable drop in accuracy, but ShieldFL, PBFL, and Ours still maintain a higher accuracy than FedAvg, Median, and Biscotti. ### Interpretation The chart demonstrates the vulnerability of federated learning algorithms to adversarial attacks. The "attack ratio" likely represents the proportion of malicious participants in the federated learning process. The algorithms' accuracy decreases as the attack ratio increases, indicating that the presence of malicious actors negatively impacts the model's performance. The varying slopes of the lines suggest different levels of robustness to attacks. Biscotti is particularly susceptible, while ShieldFL, PBFL, and "Ours" appear to be more resilient, potentially due to built-in defense mechanisms. The fact that all algorithms eventually suffer significant accuracy loss at a 50% attack ratio highlights the inherent challenges in securing federated learning systems against widespread malicious activity. The "Ours" algorithm performs comparably to ShieldFL and PBFL, suggesting it offers a similar level of protection against attacks. The chart provides valuable insights for selecting appropriate algorithms and developing robust defense strategies in federated learning environments. The data suggests that even with robust algorithms, a high attack ratio can severely compromise the integrity of the federated learning process. </details> (c) CIFAR10 ( $\alpha$ =0.2) <details> <summary>x5.png Details</summary>  ### Visual Description ## Line Chart: Accuracy vs. Attack Ratio for Federated Learning Defenses ### Overview This line chart depicts the relationship between the attack ratio (percentage) and the accuracy (percentage) of several federated learning defense mechanisms. The chart compares the performance of six different defense strategies – FedAvg, ShieldFL, PBFL, Median, Biscotti, FoolsGold, and "Ours" – under varying levels of attack. ### Components/Axes * **X-axis:** "Attack ratio (%)" ranging from 0 to 50, with markers at 0, 10, 20, 30, 40, and 50. * **Y-axis:** "Accuracy (%)" ranging from 62 to 76, with markers at 62, 64, 66, 68, 70, 72, 74, and 76. * **Legend:** Located in the bottom-left corner, listing the following defense mechanisms with corresponding line colors: * FedAvg (Blue) * ShieldFL (Orange) * PBFL (Green) * Median (Purple) * Biscotti (Gray) * FoolsGold (Brown) * Ours (Red) ### Detailed Analysis Here's a breakdown of each line's trend and approximate data points, verified against the legend colors: * **FedAvg (Blue):** The line starts at approximately 75.5% accuracy at 0% attack ratio and decreases slightly to around 74.5% at 50% attack ratio. It remains relatively stable throughout. * **ShieldFL (Orange):** Starts at approximately 75.5% accuracy at 0% attack ratio, dips to around 73% at 20% attack ratio, and then stabilizes around 70.5% to 71% for the remaining attack ratios. * **PBFL (Green):** Begins at approximately 74.5% accuracy at 0% attack ratio, decreases to around 73% at 20% attack ratio, and then remains relatively stable around 72% to 73% for the rest of the attack ratios. * **Median (Purple):** Starts at approximately 73.5% accuracy at 0% attack ratio and shows a significant decline, reaching around 68% at 50% attack ratio. * **Biscotti (Gray):** Exhibits the most dramatic decline. It starts at approximately 73.5% accuracy at 0% attack ratio and plummets to around 63% at 50% attack ratio. * **FoolsGold (Brown):** Starts at approximately 74.5% accuracy at 0% attack ratio, decreases to around 72.5% at 30% attack ratio, and then stabilizes around 72% to 73% for the remaining attack ratios. * **Ours (Red):** Starts at approximately 75.5% accuracy at 0% attack ratio and shows a gradual decline, remaining above 72% even at 50% attack ratio, ending at approximately 72.5%. ### Key Observations * Biscotti demonstrates the most significant vulnerability to increasing attack ratios, experiencing a substantial drop in accuracy. * "Ours" consistently maintains the highest accuracy across all attack ratios, indicating its robustness. * FedAvg, ShieldFL, PBFL, and FoolsGold exhibit relatively stable performance, with moderate declines in accuracy as the attack ratio increases. * Median shows a more pronounced decline in accuracy compared to the aforementioned strategies. ### Interpretation The chart demonstrates the effectiveness of different defense mechanisms against attacks in a federated learning environment. The "Ours" strategy appears to be the most resilient, maintaining high accuracy even under significant attack pressure. Biscotti, conversely, is highly susceptible to attacks, suggesting a weakness in its defense approach. The other strategies offer varying degrees of protection, with FedAvg, ShieldFL, PBFL, and FoolsGold providing moderate defense, and Median offering less protection. The data suggests that the choice of defense mechanism is crucial for maintaining the integrity and reliability of federated learning systems in adversarial settings. The consistent performance of "Ours" highlights the importance of robust defense strategies in mitigating the impact of attacks. The steep decline of Biscotti suggests a potential design flaw or vulnerability that needs to be addressed. The chart provides valuable insights for researchers and practitioners seeking to enhance the security of federated learning applications. </details> (d) CIFAR10 ( $\alpha$ =0.6) Figure 2: The OA of the models obtained by four benchmarks under label-flipping attack. <details> <summary>x6.png Details</summary>  ### Visual Description ## Line Chart: Accuracy vs. Attack Ratio for Federated Learning Defenses ### Overview This line chart depicts the accuracy of several Federated Learning (FL) defense mechanisms as a function of the attack ratio. The chart compares the performance of FedAvg, ShieldFL, PBFL, Median, Biscotti, FoolsGold, and a method labeled "Ours". Accuracy is measured in percentage, and the attack ratio is also expressed as a percentage. ### Components/Axes * **X-axis:** "Attack ratio (%)" - Ranges from 0% to 50%, with markers at 0, 10, 20, 30, 40, and 50. * **Y-axis:** "Accuracy (%)" - Ranges from 0% to 100%, with markers at 0, 20, 40, 60, 80, and 100. * **Legend:** Located in the bottom-left corner, listing the following defense mechanisms with corresponding line colors: * FedAvg (Blue) * ShieldFL (Orange) * PBFL (Green) * Median (Purple) * Biscotti (Grey) * FoolsGold (Red) * Ours (Brown/Maroon) ### Detailed Analysis Here's a breakdown of each line's trend and approximate data points, verified against the legend colors: * **FedAvg (Blue):** The line starts at approximately 98% accuracy at 0% attack ratio. It remains relatively stable until approximately 30% attack ratio, where it begins a steep decline, reaching approximately 2% accuracy at 50% attack ratio. * **ShieldFL (Orange):** Starts at approximately 96% accuracy at 0% attack ratio. It remains stable until approximately 30% attack ratio, then declines to approximately 10% accuracy at 50% attack ratio. * **PBFL (Green):** Starts at approximately 98% accuracy at 0% attack ratio. It remains stable until approximately 30% attack ratio, then declines to approximately 85% accuracy at 40% attack ratio and approximately 0% accuracy at 50% attack ratio. * **Median (Purple):** Starts at approximately 98% accuracy at 0% attack ratio. It remains stable until approximately 30% attack ratio, then declines to approximately 80% accuracy at 40% attack ratio and approximately 0% accuracy at 50% attack ratio. * **Biscotti (Grey):** Starts at approximately 96% accuracy at 0% attack ratio. It remains stable until approximately 30% attack ratio, then declines to approximately 80% accuracy at 40% attack ratio and approximately 0% accuracy at 50% attack ratio. * **FoolsGold (Red):** Starts at approximately 98% accuracy at 0% attack ratio. It remains stable until approximately 30% attack ratio, then declines to approximately 70% accuracy at 40% attack ratio and approximately 0% accuracy at 50% attack ratio. * **Ours (Brown/Maroon):** Starts at approximately 99% accuracy at 0% attack ratio. It remains stable until approximately 40% attack ratio, then declines to approximately 70% accuracy at 50% attack ratio. ### Key Observations * All defense mechanisms exhibit a significant drop in accuracy as the attack ratio increases. * The "Ours" method maintains higher accuracy than the other methods at higher attack ratios (40-50%). * The most significant accuracy drops occur between 30% and 50% attack ratio for most methods. * FedAvg, ShieldFL, PBFL, Median, Biscotti, and FoolsGold all converge to near 0% accuracy at a 50% attack ratio. ### Interpretation The chart demonstrates the vulnerability of Federated Learning models to attacks, as evidenced by the declining accuracy with increasing attack ratios. The "Ours" method appears to be more robust against attacks, maintaining a higher level of accuracy even at a 50% attack ratio compared to the other defense mechanisms. This suggests that the "Ours" method provides a more effective defense against the type of attacks being simulated. The sharp decline in accuracy for all methods between 30% and 50% attack ratio indicates a critical threshold where the attacks become significantly more effective. The convergence of most methods to near-zero accuracy at 50% suggests a complete compromise of the model's integrity under a high attack load. The data suggests that while all defenses offer some initial protection, they are ultimately susceptible to attacks, and further research is needed to develop more resilient FL defense strategies. </details> (a) MNIST ( $\alpha$ =0.2) <details> <summary>x7.png Details</summary>  ### Visual Description ## Line Chart: Accuracy vs. Attack Ratio for Federated Learning Algorithms ### Overview This line chart depicts the accuracy of several Federated Learning (FL) algorithms under varying attack ratios. The x-axis represents the attack ratio (in percentage), and the y-axis represents the accuracy (also in percentage). The chart compares the performance of FedAvg, ShieldFL, PBFL, Median, Biscotti, FoolsGold, and a method labeled "Ours". ### Components/Axes * **X-axis:** "Attack ratio (%)" - Scale ranges from 0% to 50%, with markers at 0, 10, 20, 30, 40, and 50. * **Y-axis:** "Accuracy (%)" - Scale ranges from 0% to 100%, with markers at 0, 20, 40, 60, 80, and 100. * **Legend:** Located in the bottom-left corner. Contains the following labels and corresponding colors: * FedAvg (Blue) - Represented by squares. * ShieldFL (Orange) - Represented by circles. * PBFL (Green) - Represented by triangles. * Median (Purple) - Represented by diamonds. * Biscotti (Black) - Represented by stars. * FoolsGold (Brown) - Represented by plus signs. * Ours (Red) - Represented by circles with an 'o' inside. ### Detailed Analysis Here's a breakdown of each line's trend and approximate data points, cross-referencing with the legend colors: * **FedAvg (Blue):** The line starts at approximately 97% accuracy at 0% attack ratio and remains relatively stable until approximately 40% attack ratio, where it begins to decline. At 50% attack ratio, the accuracy is approximately 88%. * **ShieldFL (Orange):** The line starts at approximately 98% accuracy at 0% attack ratio and remains stable until approximately 30% attack ratio, where it begins to decline. At 50% attack ratio, the accuracy is approximately 92%. * **PBFL (Green):** The line starts at approximately 98% accuracy at 0% attack ratio and remains stable until approximately 40% attack ratio, where it begins to decline sharply. At 50% attack ratio, the accuracy is approximately 50%. * **Median (Purple):** The line starts at approximately 97% accuracy at 0% attack ratio and remains stable until approximately 20% attack ratio, where it begins to decline. At 50% attack ratio, the accuracy is approximately 93%. * **Biscotti (Black):** The line starts at approximately 97% accuracy at 0% attack ratio and remains stable until approximately 20% attack ratio, where it begins to decline. At 50% attack ratio, the accuracy is approximately 93%. * **FoolsGold (Brown):** The line starts at approximately 98% accuracy at 0% attack ratio and remains stable until approximately 20% attack ratio, where it declines sharply to approximately 58% at 30% attack ratio. At 50% attack ratio, the accuracy is approximately 40%. * **Ours (Red):** The line starts at approximately 99% accuracy at 0% attack ratio and remains stable until approximately 20% attack ratio, where it declines sharply to approximately 0% at 30% attack ratio. At 50% attack ratio, the accuracy is approximately 38%. ### Key Observations * The "Ours" algorithm exhibits the most significant drop in accuracy as the attack ratio increases, falling to near 0% accuracy at 30% attack ratio. * ShieldFL, Median, and Biscotti demonstrate the most robust performance, maintaining relatively high accuracy even at 50% attack ratio. * PBFL and FoolsGold show a more moderate decline in accuracy, but are more susceptible to attacks than ShieldFL, Median, and Biscotti. * FedAvg shows a moderate decline in accuracy, falling between the robust algorithms and the more susceptible ones. ### Interpretation The chart demonstrates the vulnerability of Federated Learning algorithms to attacks, quantified by the "Attack ratio". The "Attack ratio" likely represents the proportion of malicious participants in the federated learning process. The "Ours" algorithm, while performing well under no attack, is highly susceptible to even a small attack ratio, suggesting a potential weakness in its defense mechanisms. ShieldFL, Median, and Biscotti appear to be the most resilient to attacks, indicating they incorporate effective defense strategies. The sharp decline in accuracy for "Ours" at 30% attack ratio suggests a critical threshold beyond which the algorithm's performance is severely compromised. The data suggests that robust defense mechanisms are crucial for ensuring the reliability and security of Federated Learning systems in adversarial environments. The differences in performance between the algorithms highlight the importance of considering attack resilience when selecting or designing FL algorithms. </details> (b) MNIST ( $\alpha$ =0.8) <details> <summary>x8.png Details</summary>  ### Visual Description \n ## Line Chart: Accuracy vs. Attack Ratio for Federated Learning Defenses ### Overview This line chart depicts the accuracy of several Federated Learning (FL) defense mechanisms as a function of the attack ratio. The x-axis represents the attack ratio (in percentage), and the y-axis represents the accuracy (in percentage). The chart compares the performance of "FedAvg", "ShieldFL", "PBFL", "Median", "Biscotti", "FoolsGold", and "Ours" under increasing attack conditions. ### Components/Axes * **X-axis:** "Attack ratio (%)" - Scale ranges from 0% to 50%, with markers at 0, 10, 20, 30, 40, and 50. * **Y-axis:** "Accuracy (%)" - Scale ranges from 0% to 80%, with markers at 0, 10, 20, 30, 40, 50, 60, 70, and 80. * **Legend:** Located in the bottom-left corner. The legend maps colors to the following defense mechanisms: * Blue Square: FedAvg * Orange Triangle: ShieldFL * Green Triangle: PBFL * Purple Diamond: Median * Gray Hexagon: Biscotti * Red Hexagon: FoolsGold * Red Circle: Ours ### Detailed Analysis The chart displays seven lines, each representing a different defense mechanism. * **FedAvg (Blue Square):** Starts at approximately 74% accuracy at 0% attack ratio. The line slopes downward, reaching approximately 16% accuracy at 50% attack ratio. Data points (approximate): (0, 74), (10, 65), (20, 48), (30, 46), (40, 20), (50, 16). * **ShieldFL (Orange Triangle):** Starts at approximately 77% accuracy at 0% attack ratio. The line initially decreases slightly, then drops more rapidly, reaching approximately 32% accuracy at 50% attack ratio. Data points (approximate): (0, 77), (10, 73), (20, 41), (30, 45), (40, 34), (50, 32). * **PBFL (Green Triangle):** Starts at approximately 75% accuracy at 0% attack ratio. The line decreases steadily, reaching approximately 14% accuracy at 50% attack ratio. Data points (approximate): (0, 75), (10, 68), (20, 52), (30, 52), (40, 35), (50, 14). * **Median (Purple Diamond):** Starts at approximately 63% accuracy at 0% attack ratio. The line decreases rapidly, reaching approximately 6% accuracy at 50% attack ratio. Data points (approximate): (0, 63), (10, 58), (20, 38), (30, 28), (40, 12), (50, 6). * **Biscotti (Gray Hexagon):** Starts at approximately 66% accuracy at 0% attack ratio. The line decreases steadily, reaching approximately 8% accuracy at 50% attack ratio. Data points (approximate): (0, 66), (10, 61), (20, 42), (30, 32), (40, 16), (50, 8). * **FoolsGold (Red Hexagon):** Starts at approximately 75% accuracy at 0% attack ratio. The line initially increases to a peak around 30% attack ratio, then decreases, reaching approximately 30% accuracy at 50% attack ratio. Data points (approximate): (0, 75), (10, 73), (20, 66), (30, 67), (40, 42), (50, 30). * **Ours (Red Circle):** Starts at approximately 73% accuracy at 0% attack ratio. The line decreases steadily, reaching approximately 32% accuracy at 50% attack ratio. Data points (approximate): (0, 73), (10, 70), (20, 49), (30, 44), (40, 34), (50, 32). ### Key Observations * All defense mechanisms experience a decrease in accuracy as the attack ratio increases. * "FoolsGold" exhibits a unique behavior, with accuracy initially increasing before decreasing. * "Median" and "Biscotti" show the most significant decline in accuracy with increasing attack ratio. * "ShieldFL", "Ours", and "PBFL" maintain relatively higher accuracy compared to others at higher attack ratios (40-50%). * "FedAvg" shows a consistent, linear decline in accuracy. ### Interpretation The chart demonstrates the vulnerability of Federated Learning systems to attacks and the effectiveness of different defense mechanisms in mitigating these attacks. The attack ratio represents the proportion of malicious participants in the federated learning process. The accuracy represents the performance of the model trained under these conditions. The varying slopes of the lines indicate different levels of robustness. A steeper slope suggests a more significant performance degradation under attack. The "FoolsGold" mechanism's initial increase in accuracy could be due to a specific attack pattern that it handles well at lower attack ratios, but it eventually becomes overwhelmed as the attack intensifies. The relatively stable performance of "ShieldFL", "Ours", and "PBFL" suggests that these mechanisms are more resilient to attacks, potentially due to their design principles. The rapid decline of "Median" and "Biscotti" indicates that these methods are easily compromised by malicious participants. The chart highlights the importance of choosing appropriate defense mechanisms based on the expected attack environment. Further investigation into the specific vulnerabilities exploited by the attacks and the underlying mechanisms of each defense strategy would be valuable. The data suggests that no single defense is universally effective, and a combination of strategies might be necessary to achieve robust security in Federated Learning systems. </details> (c) CIFAR10 ( $\alpha$ =0.2) <details> <summary>x9.png Details</summary>  ### Visual Description \n ## Line Chart: Accuracy vs. Attack Ratio for Federated Learning Algorithms ### Overview This line chart depicts the relationship between the attack ratio (percentage) and the accuracy (percentage) of several federated learning algorithms. The chart visually compares the robustness of these algorithms against adversarial attacks. ### Components/Axes * **X-axis:** "Attack ratio (%)" - Ranges from 0% to 50%, with markers at 0, 10, 20, 30, 40, and 50. * **Y-axis:** "Accuracy (%)" - Ranges from 0% to 80%, with markers at 0, 10, 20, 30, 40, 50, 60, 70, and 80. * **Legend (bottom-left):** Lists the algorithms being compared, each associated with a unique line color and marker style: * FedAvg (Blue, square marker) * ShieldFL (Orange, circle marker) * PBFL (Green, triangle marker) * Median (Purple, diamond marker) * Biscotti (Brown, star marker) * FoolsGold (Red, inverted triangle marker) * Ours (Dark Red, circle marker) ### Detailed Analysis Here's a breakdown of each line's trend and approximate data points, cross-referencing with the legend: * **FedAvg (Blue, square):** Starts at approximately 75% accuracy at 0% attack ratio. The line slopes downward sharply, reaching approximately 5% accuracy at 50% attack ratio. Approximate data points: (0, 75), (10, 62), (20, 42), (30, 30), (40, 12), (50, 5). * **ShieldFL (Orange, circle):** Starts at approximately 72% accuracy at 0% attack ratio. The line declines steadily, reaching approximately 2% accuracy at 50% attack ratio. Approximate data points: (0, 72), (10, 60), (20, 40), (30, 28), (40, 10), (50, 2). * **PBFL (Green, triangle):** Starts at approximately 74% accuracy at 0% attack ratio. The line declines moderately until 30% attack ratio, then drops sharply, reaching approximately 30% accuracy at 50% attack ratio. Approximate data points: (0, 74), (10, 65), (20, 45), (30, 32), (40, 30), (50, 30). * **Median (Purple, diamond):** Starts at approximately 73% accuracy at 0% attack ratio. The line declines rapidly, reaching approximately 0% accuracy at 40% attack ratio. Approximate data points: (0, 73), (10, 63), (20, 43), (30, 25), (40, 0), (50, 0). * **Biscotti (Brown, star):** Starts at approximately 73% accuracy at 0% attack ratio. The line declines rapidly, reaching approximately 0% accuracy at 40% attack ratio. Approximate data points: (0, 73), (10, 62), (20, 42), (30, 25), (40, 0), (50, 0). * **FoolsGold (Red, inverted triangle):** Starts at approximately 74% accuracy at 0% attack ratio. The line declines moderately, reaching approximately 68% accuracy at 50% attack ratio. Approximate data points: (0, 74), (10, 72), (20, 68), (30, 65), (40, 63), (50, 68). * **Ours (Dark Red, circle):** Starts at approximately 75% accuracy at 0% attack ratio. The line declines very slowly, maintaining approximately 70% accuracy at 50% attack ratio. Approximate data points: (0, 75), (10, 74), (20, 73), (30, 72), (40, 71), (50, 70). ### Key Observations * The "Ours" algorithm demonstrates the highest robustness to attacks, maintaining a relatively high accuracy even at a 50% attack ratio. * FedAvg, ShieldFL, Median, and Biscotti algorithms exhibit a significant drop in accuracy as the attack ratio increases, reaching near-zero accuracy at higher attack ratios. * PBFL shows a moderate decline in accuracy until 30% attack ratio, then a sharper decline. * FoolsGold shows the least sensitivity to attack ratio, maintaining a relatively stable accuracy throughout the range. ### Interpretation The chart demonstrates the varying levels of resilience of different federated learning algorithms against adversarial attacks. The "Ours" algorithm appears to be significantly more robust than the others, suggesting it incorporates mechanisms to mitigate the impact of malicious attacks on the model's accuracy. The rapid decline in accuracy for algorithms like FedAvg, ShieldFL, Median, and Biscotti indicates their vulnerability to even moderate levels of attacks. FoolsGold's stability suggests it may have inherent properties that make it less susceptible to these types of attacks, or that the attacks are not effective against it. The data suggests that the choice of algorithm is crucial in environments where adversarial attacks are a concern. The chart provides a comparative performance assessment, allowing for informed decision-making regarding algorithm selection in security-sensitive federated learning applications. The consistent performance of "Ours" suggests a potential area for further investigation and adoption in real-world deployments. </details> (d) CIFAR10 ( $\alpha$ =0.6) Figure 3: The SA of the models obtained by four benchmarks under label-flipping attack. ### VII-B Experimental Results #### VII-B 1 Robustness Evaluation of SRFed To evaluate the robustness of the proposed SRFed framework, we conduct a comparative analysis against the six baseline methods discussed in Section VII-A 3. Specifically, we first evaluate the overall accuracy (OA) of FedAvg, ShieldFL, PBFL, Median, Biscotti, FoolsGold, and SRFed under the label-flipping attacks. The results are presented in Figure 2. In the MNIST benchmarks with two levels of heterogeneity, the proposed SRFed consistently maintains a high OA across varying proportions of malicious clients. In the MNIST ( $\alpha$ =0.8) benchmark, all methods except Biscotti demonstrate relatively strong defense performance. Similarly, in the MNIST ( $\alpha$ =0.2) benchmark, all methods, except Biscotti, continue to perform well when facing a malicious client proportion ranging from 0% to 40%. Biscotti’s poor performance is due to the fact that, in Non-IID data scenarios, the model distributions trained by benign clients are more scattered, which can lead to their incorrect elimination. In the CIFAR-10 dataset benchmarks with different levels of heterogeneity, the OA of all methods fluctuates as the proportion of malicious clients increases. However, SRFed generally maintains better performance compared to the other methods, owing to the effectiveness of its robust aggregation strategy. We further compare the SA of the global models achieved by different methods in the four benchmarks under label-flipping attacks. SA accurately measures the defense effectiveness of different methods against poisoning attacks, as it specifically reveals the model’s accuracy on the samples of the flipping label. The experimental results are presented in Figure 3. In the MNIST ( $\alpha=0.2$ ) benchmark, SRFed demonstrates a significant advantage in defending against label-flipping attacks. Especially, when the attack ratio reaches 50%, SRFed achieves a SA of 70%, while the SA of all other methods drops to nearly 0% even though their OA remaining above 80%. SRFed is the only method to sustain a high SA across all attack ratios, underscoring its superior Byzantine robustness even in scenarios with extreme data heterogeneity and high attack ratios. In the MNIST ( $\alpha=0.8$ ) benchmark, SRFed also outperforms other baselines. In the CIFAR-10 ( $\alpha=0.2$ ) benchmark, although SRFed still outperforms the other methods, its performance gradually deteriorates as the proportion of malicious clients increases. This demonstrates that defending against poisoning attacks in scenarios with a high attack ratio and extremely heterogeneous data remains a significant challenge. In the CIFAR-10 ( $\alpha=0.6$ ) benchmark, SRFed maintains a high level of performance as the proportion of malicious clients increases (SA $\geq$ 70%), while the SA of all other methods sharply declines and eventually approaches 0%. This superior performance is attributed to the robust aggregation strategy of SRFed, which performs layer-wise projection and clustering analysis on client models. This enables more accurate detection of local parameter anomalies compared to baselines. We also evaluate the ASR of the models obtained by different methods across four benchmarks, with the experimental results presented in Figure 4. As the attack ratio increases, we can observe that the ASR trend exhibits a negative correlation with the SA trend. Notably, our proposed SRFed consistently demonstrates optimal performance across all four benchmarks, showing minimal performance fluctuations across varying attack ratios. <details> <summary>x10.png Details</summary>  ### Visual Description ## Chart: Attack Success Rate (ASR) vs. Attack Ratio for Federated Learning Defenses ### Overview The image presents a line chart comparing the Attack Success Rate (ASR) of different Federated Learning (FL) defense mechanisms against varying Attack Ratios. The chart visualizes how effectively each defense strategy mitigates attacks as the proportion of malicious participants increases. ### Components/Axes * **X-axis:** "Attack ratio (%)" - Ranges from 0% to 50%, with markers at 0, 10, 20, 30, 40, and 50. * **Y-axis:** "ASR (%)" - Ranges from 0% to 100%, with markers at 0, 20, 40, 60, 80, and 100. * **Legend (Top-Left):** Lists the different defense mechanisms being compared: * FedAvg (Blue, dashed line with square markers) * ShieldFL (Orange, dashed line with circle markers) * PBFL (Green, dashed line with triangle markers) * Median (Gray, solid line with diamond markers) * Biscotti (Black, solid line with asterisk markers) * FoolsGold (Brown, dashed line with plus markers) * Ours (Red, solid line with circle markers) ### Detailed Analysis Here's a breakdown of each line's trend and approximate data points, cross-referencing with the legend colors: * **FedAvg (Blue):** Starts at approximately 0% ASR at 0% attack ratio. Remains at 0% until approximately 20% attack ratio, then rises sharply to approximately 95% ASR at 50% attack ratio. * **ShieldFL (Orange):** Starts at approximately 0% ASR at 0% attack ratio. Remains at 0% until approximately 30% attack ratio, then increases to approximately 15% ASR at 40% attack ratio, and reaches approximately 95% ASR at 50% attack ratio. * **PBFL (Green):** Starts at approximately 0% ASR at 0% attack ratio. Remains at 0% until approximately 30% attack ratio, then increases to approximately 15% ASR at 40% attack ratio, and reaches approximately 95% ASR at 50% attack ratio. * **Median (Gray):** Starts at approximately 0% ASR at 0% attack ratio. Remains at 0% until approximately 20% attack ratio, then rises sharply to approximately 95% ASR at 50% attack ratio. * **Biscotti (Black):** Starts at approximately 0% ASR at 0% attack ratio. Remains at 0% until approximately 20% attack ratio, then rises sharply to approximately 95% ASR at 50% attack ratio. * **FoolsGold (Brown):** Starts at approximately 0% ASR at 0% attack ratio. Remains at 0% until approximately 40% attack ratio, then increases to approximately 5% ASR at 50% attack ratio. * **Ours (Red):** Starts at approximately 0% ASR at 0% attack ratio. Remains at 0% until approximately 30% attack ratio, then increases to approximately 10% ASR at 40% attack ratio, and reaches approximately 25% ASR at 50% attack ratio. ### Key Observations * Most defense mechanisms (FedAvg, ShieldFL, PBFL, Median, Biscotti) exhibit a sharp increase in ASR after approximately 20-30% attack ratio, indicating a vulnerability to attacks when a significant portion of participants are malicious. * FoolsGold demonstrates the most resilience, maintaining a very low ASR even at a 50% attack ratio. * The proposed defense ("Ours") consistently shows a lower ASR compared to other defenses, especially at higher attack ratios, suggesting improved robustness. * ShieldFL and PBFL have identical curves. ### Interpretation The chart demonstrates the effectiveness of different Federated Learning defense mechanisms against adversarial attacks. The ASR represents the probability of a successful attack, and the Attack Ratio represents the proportion of malicious participants in the FL system. The sharp increase in ASR for most defenses at higher attack ratios suggests that these defenses are susceptible to collusion or coordinated attacks when a substantial number of participants are compromised. FoolsGold appears to be the most robust defense, likely due to its specific design principles. The proposed defense ("Ours") shows promising results, offering a lower ASR across the tested attack ratios, indicating a potential improvement in the security of Federated Learning systems. The identical curves for ShieldFL and PBFL suggest that these two defenses are either functionally equivalent or share a common underlying mechanism. Further investigation would be needed to determine the exact relationship between them. The chart highlights the importance of developing robust defense mechanisms that can withstand attacks even in scenarios with a high proportion of malicious participants. </details> (a) MNIST ( $\alpha$ =0.2) <details> <summary>x11.png Details</summary>  ### Visual Description \n ## Line Chart: Attack Success Rate (ASR) vs. Attack Ratio for Federated Learning Defenses ### Overview This image presents a line chart comparing the Attack Success Rate (ASR) of various federated learning defense mechanisms against increasing attack ratios. The chart visualizes how effectively each defense strategy mitigates attacks as the proportion of malicious participants grows. ### Components/Axes * **X-axis:** "Attack ratio (%)" - Ranges from 0% to 50%, with markers at 0, 10, 20, 30, 40, and 50. * **Y-axis:** "ASR (%)" - Ranges from 0% to 100%, with markers at 0, 20, 40, 60, 80, and 100. * **Legend (Top-Left):** Lists the different defense mechanisms being compared: * FedAvg (Blue, dashed line with square markers) * ShieldFL (Orange, dashed line with circle markers) * PBFL (Green, dashed line with triangle markers) * Median (Gray, solid line with star markers) * Biscotti (Brown, solid line with diamond markers) * FoolsGold (Purple, dashed line with inverted triangle markers) * Ours (Red, solid line with circle markers) ### Detailed Analysis Let's analyze each line's trend and extract approximate data points. * **FedAvg (Blue):** The line remains relatively flat from 0% to 20% attack ratio, around 0-5% ASR. It then sharply increases from 20% to 50%, reaching approximately 40% ASR at 50%. * (0%, ~2%) * (10%, ~3%) * (20%, ~5%) * (30%, ~10%) * (40%, ~25%) * (50%, ~40%) * **ShieldFL (Orange):** Similar to FedAvg, it stays low (0-5% ASR) until 20% attack ratio. It then increases more gradually, reaching approximately 35% ASR at 50%. * (0%, ~1%) * (10%, ~2%) * (20%, ~3%) * (30%, ~10%) * (40%, ~25%) * (50%, ~35%) * **PBFL (Green):** Remains very low (0-2% ASR) until 40% attack ratio. It then experiences a steep increase, reaching approximately 50% ASR at 50%. * (0%, ~1%) * (10%, ~1%) * (20%, ~1%) * (30%, ~2%) * (40%, ~10%) * (50%, ~50%) * **Median (Gray):** Shows a consistent ASR of approximately 95% across all attack ratios. * (0%, ~95%) * (10%, ~95%) * (20%, ~95%) * (30%, ~95%) * (40%, ~95%) * (50%, ~95%) * **Biscotti (Brown):** Maintains a low ASR (0-5%) up to 20% attack ratio. It then increases moderately, reaching approximately 20% ASR at 50%. * (0%, ~1%) * (10%, ~2%) * (20%, ~3%) * (30%, ~5%) * (40%, ~10%) * (50%, ~20%) * **FoolsGold (Purple):** Similar to Biscotti, it stays low (0-5%) until 20%. It then increases, reaching approximately 30% ASR at 50%. * (0%, ~1%) * (10%, ~1%) * (20%, ~2%) * (30%, ~5%) * (40%, ~15%) * (50%, ~30%) * **Ours (Red):** Remains consistently very low (0-2% ASR) across all attack ratios. * (0%, ~1%) * (10%, ~1%) * (20%, ~1%) * (30%, ~1%) * (40%, ~2%) * (50%, ~2%) ### Key Observations * The "Median" defense consistently exhibits a very high ASR (around 95%), indicating it is highly vulnerable to attacks regardless of the attack ratio. * The proposed defense ("Ours") demonstrates the lowest ASR across all attack ratios, suggesting it is the most robust against the tested attacks. * FedAvg, ShieldFL, Biscotti, and FoolsGold show a gradual increase in ASR as the attack ratio increases, indicating some vulnerability. * PBFL is very effective at low attack ratios but experiences a sharp increase in ASR at higher ratios. ### Interpretation The chart demonstrates the effectiveness of different defense mechanisms in federated learning against adversarial attacks. The "Ours" defense stands out as significantly more resilient than the other methods tested, maintaining a low ASR even with a 50% attack ratio. The high ASR of the "Median" defense suggests it is not a viable option for secure federated learning. The varying performance of other defenses (FedAvg, ShieldFL, PBFL, Biscotti, FoolsGold) highlights the trade-offs between robustness and other factors like computational cost or communication overhead. The sharp increase in ASR for PBFL at higher attack ratios suggests it may be susceptible to specific attack strategies that exploit its vulnerabilities when a significant portion of participants are malicious. This data suggests that the proposed defense ("Ours") offers a substantial improvement in security for federated learning systems. The chart provides a clear visual comparison of the defenses, allowing for informed decision-making regarding security strategies in federated learning environments. </details> (b) MNIST ( $\alpha$ =0.8) <details> <summary>x12.png Details</summary>  ### Visual Description ## Line Chart: Accuracy vs. Attack Ratio for Federated Learning Defenses ### Overview This line chart compares the accuracy of several Federated Learning (FL) defense mechanisms against varying attack ratios. The x-axis represents the attack ratio (percentage), and the y-axis represents the accuracy (percentage). Six different defense strategies are plotted as lines, allowing for a visual comparison of their performance under increasing attack pressure. ### Components/Axes * **X-axis:** "Attack ratio (%)" - Scale ranges from 0% to 50%, with markers at 0, 10, 20, 30, 40, and 50. * **Y-axis:** "Accuracy (%)" - Scale ranges from 0% to 70%, with markers at 0, 10, 20, 30, 40, 50, 60, and 70. * **Legend (Top-Right):** * FedAvg (Blue line with square markers) * ShieldFL (Orange line with asterisk markers) * PBFL (Green line with triangle markers) * Median (Purple line with circle markers) * Biscotti (Brown line with diamond markers) * FoolsGold (Red line with plus markers) * Ours (Maroon line with 'x' markers) ### Detailed Analysis Here's a breakdown of each line's trend and approximate data points, verified against the legend colors: * **FedAvg (Blue):** Starts at approximately 1% accuracy at 0% attack ratio. The line slopes upward, reaching approximately 18% accuracy at 20% attack ratio, 22% at 30% attack ratio, 55% at 40% attack ratio, and 72% at 50% attack ratio. * **ShieldFL (Orange):** Begins at approximately 0% accuracy at 0% attack ratio. The line increases steadily, reaching approximately 17% accuracy at 20% attack ratio, 24% at 30% attack ratio, 62% at 40% attack ratio, and 68% at 50% attack ratio. * **PBFL (Green):** Starts at approximately 0% accuracy at 0% attack ratio. The line increases gradually, reaching approximately 12% accuracy at 20% attack ratio, 23% at 30% attack ratio, 56% at 40% attack ratio, and 60% at 50% attack ratio. * **Median (Purple):** Starts at approximately 0% accuracy at 0% attack ratio. The line increases slowly, reaching approximately 15% accuracy at 20% attack ratio, 25% at 30% attack ratio, 47% at 40% attack ratio, and 48% at 50% attack ratio. * **Biscotti (Brown):** Starts at approximately 0% accuracy at 0% attack ratio. The line increases sharply, reaching approximately 43% accuracy at 20% attack ratio, then drops to approximately 28% at 30% attack ratio, and increases to approximately 32% at 50% attack ratio. * **FoolsGold (Red):** Starts at approximately 0% accuracy at 0% attack ratio. The line increases sharply, reaching approximately 43% accuracy at 20% attack ratio, then drops to approximately 28% at 30% attack ratio, and increases to approximately 32% at 50% attack ratio. * **Ours (Maroon):** Starts at approximately 0% accuracy at 0% attack ratio. The line increases sharply, reaching approximately 17% accuracy at 20% attack ratio, 72% at 40% attack ratio, and 74% at 50% attack ratio. ### Key Observations * "Ours" consistently demonstrates the highest accuracy across all attack ratios, particularly excelling at higher attack ratios (40% and 50%). * Biscotti and FoolsGold show a similar pattern: a rapid initial increase in accuracy followed by a significant drop at 30% attack ratio, and a slight recovery. * FedAvg, ShieldFL, and PBFL exhibit more gradual and consistent increases in accuracy with increasing attack ratio. * The accuracy of all methods is relatively low at low attack ratios (0-10%). ### Interpretation The chart demonstrates the effectiveness of the proposed defense mechanism ("Ours") in maintaining accuracy under increasing adversarial attacks in a Federated Learning environment. The significant performance gap between "Ours" and other methods suggests a robust defense against attack ratio. The peculiar behavior of Biscotti and FoolsGold, with their initial high accuracy followed by a drop, could indicate a vulnerability to specific attack patterns or a sensitivity to the attack ratio. The consistent improvement of FedAvg, ShieldFL, and PBFL suggests they offer some level of protection, but are less effective than "Ours". The low accuracy values at low attack ratios might indicate inherent vulnerabilities in the FL system itself, or the difficulty of detecting attacks at very low levels. The chart highlights the importance of developing robust defense mechanisms to ensure the integrity and reliability of Federated Learning systems. </details> (c) CIFAR10 ( $\alpha$ =0.2) <details> <summary>x13.png Details</summary>  ### Visual Description \n ## Line Chart: Accuracy vs. Attack Ratio for Federated Learning Defense Mechanisms ### Overview This line chart depicts the accuracy of several Federated Learning (FL) defense mechanisms against varying attack ratios. The x-axis represents the attack ratio (in percentage), and the y-axis represents the accuracy (also in percentage). Six different defense mechanisms are compared: FedAvg, ShieldFL, PBFL, Median, Biscotti, FoolsGold, and "Ours" (presumably a novel method). ### Components/Axes * **X-axis:** "Attack ratio (%)" - Scale ranges from 0% to 50%, with markers at 0, 10, 20, 30, 40, and 50. * **Y-axis:** "Accuracy (%)" - Scale ranges from 0% to 80%, with markers at 0, 10, 20, 30, 40, 50, 60, 70, and 80. * **Legend:** Located in the top-left corner, listing the following defense mechanisms with corresponding line colors: * FedAvg (Blue) * ShieldFL (Orange) * PBFL (Green) * Median (Purple) * Biscotti (Grey) * FoolsGold (Brown) * Ours (Red) ### Detailed Analysis Here's a breakdown of each line's trend and approximate data points, verified against the legend colors: * **FedAvg (Blue):** The line starts at approximately 0% accuracy at 0% attack ratio. It increases steadily, reaching approximately 74% accuracy at 50% attack ratio. * **ShieldFL (Orange):** Starts at 0% accuracy at 0% attack ratio. It rises sharply, reaching approximately 75% accuracy at 50% attack ratio. * **PBFL (Green):** Starts at 0% accuracy at 0% attack ratio. It increases rapidly, reaching approximately 72% accuracy at 50% attack ratio. * **Median (Purple):** Starts at 0% accuracy at 0% attack ratio. It increases steadily, reaching approximately 72% accuracy at 50% attack ratio. * **Biscotti (Grey):** Starts at 0% accuracy at 0% attack ratio. It increases slowly, reaching approximately 30% accuracy at 50% attack ratio. * **FoolsGold (Brown):** Starts at 0% accuracy at 0% attack ratio. It increases slowly, reaching approximately 25% accuracy at 50% attack ratio. * **Ours (Red):** Starts at 0% accuracy at 0% attack ratio. It increases slowly and consistently, reaching approximately 24% accuracy at 50% attack ratio. Approximate data points (Attack Ratio, Accuracy): * **0% Attack Ratio:** All methods are at approximately 0% accuracy. * **10% Attack Ratio:** FedAvg ~ 20%, ShieldFL ~ 25%, PBFL ~ 25%, Median ~ 25%, Biscotti ~ 10%, FoolsGold ~ 10%, Ours ~ 10%. * **20% Attack Ratio:** FedAvg ~ 45%, ShieldFL ~ 50%, PBFL ~ 45%, Median ~ 45%, Biscotti ~ 20%, FoolsGold ~ 15%, Ours ~ 15%. * **30% Attack Ratio:** FedAvg ~ 60%, ShieldFL ~ 65%, PBFL ~ 60%, Median ~ 60%, Biscotti ~ 25%, FoolsGold ~ 20%, Ours ~ 18%. * **40% Attack Ratio:** FedAvg ~ 70%, ShieldFL ~ 72%, PBFL ~ 68%, Median ~ 68%, Biscotti ~ 28%, FoolsGold ~ 22%, Ours ~ 22%. * **50% Attack Ratio:** FedAvg ~ 74%, ShieldFL ~ 75%, PBFL ~ 72%, Median ~ 72%, Biscotti ~ 30%, FoolsGold ~ 25%, Ours ~ 24%. ### Key Observations * FedAvg, ShieldFL, PBFL, and Median consistently exhibit significantly higher accuracy compared to Biscotti, FoolsGold, and "Ours" across all attack ratios. * ShieldFL appears to perform slightly better than other methods at higher attack ratios (40% and 50%). * Biscotti, FoolsGold, and "Ours" show very limited improvement in accuracy as the attack ratio increases. * The performance gap between the top-performing methods (FedAvg, ShieldFL, PBFL, Median) and the lower-performing ones (Biscotti, FoolsGold, "Ours") widens as the attack ratio increases. ### Interpretation The data suggests that the defense mechanisms represented by FedAvg, ShieldFL, PBFL, and Median are substantially more effective at mitigating the impact of attacks on Federated Learning models than Biscotti, FoolsGold, and the proposed "Ours" method. The consistent high accuracy of the former group indicates their robustness against increasing attack ratios. The relatively flat lines for Biscotti, FoolsGold, and "Ours" suggest that these methods either offer minimal protection or are easily circumvented by the attacks being simulated. The fact that their accuracy barely improves with increasing attack ratio implies they do not scale well in defending against more aggressive attacks. The slight edge of ShieldFL at higher attack ratios could indicate a specific advantage in handling more sophisticated attack strategies. The overall trend highlights the importance of selecting robust defense mechanisms in Federated Learning environments to maintain model accuracy and reliability in the face of adversarial threats. The "Ours" method, while potentially novel, appears to underperform compared to established techniques. Further investigation into its design and implementation is warranted to understand its limitations. </details> (d) CIFAR10 ( $\alpha$ =0.6) Figure 4: The ASR of the models obtained by four benchmarks under label-flipping attack. Finally, we evaluate the OA of the models of different methods under the Gaussian attack. The experimental results are shown in Figure 5. We observe that SRFed consistently achieves optimal performance across all four benchmarks. Furthermore, as the attack ratio increases, SRFed exhibits minimal fluctuations in OA. Specifically, in the MNIST ( $\alpha=0.2$ ) and MNIST ( $\alpha=0.8$ ) benchmarks, all methods maintain an OA above 90% when the attack ratio is $\leq$ 20%. However, when the attack ratio $\geq$ 30%, only SRFed and Median retain an OA above 90%, demonstrating their effective defense against poisoning attacks under high malicious client ratios. In the CIFAR-10 ( $\alpha=0.2$ ) and CIFAR-10 ( $\alpha=0.6$ ) benchmarks, while the OA of most methods drops below 30% as the attack ratio increases, SRFed consistently maintains high accuracy across all attack rates, demonstrating its robustness against extreme client ratios and heterogeneous data distributions. <details> <summary>x14.png Details</summary>  ### Visual Description \n ## Line Chart: Accuracy vs. Attack Ratio for Federated Learning Defenses ### Overview This image presents a line chart comparing the accuracy of several federated learning defense mechanisms under varying attack ratios. The x-axis represents the attack ratio (as a percentage), and the y-axis represents the accuracy (also as a percentage). Six different defense strategies are plotted, allowing for a direct comparison of their resilience to attacks. ### Components/Axes * **X-axis:** "Attack ratio (%)" - Scale ranges from 0% to 50%, with markers at 0, 10, 20, 30, 40, and 50. * **Y-axis:** "Accuracy (%)" - Scale ranges from 65% to 95%, with markers at 65, 70, 75, 80, 85, 90, and 95. * **Legend (bottom-left):** Lists the defense mechanisms and their corresponding line colors: * FedAvg (Blue Square) * ShieldFL (Orange Diamond) * PBFL (Green Triangle) * Median (Purple Circle) * Biscotti (Gray Star) * FoolsGold (Brown Inverted Triangle) * Ours (Red Circle) ### Detailed Analysis Here's a breakdown of each line's trend and approximate data points, verified against the legend colors: * **FedAvg (Blue Square):** The line slopes downward, indicating decreasing accuracy with increasing attack ratio. * 0% Attack: ~94% Accuracy * 10% Attack: ~93% Accuracy * 20% Attack: ~91% Accuracy * 30% Attack: ~88% Accuracy * 40% Attack: ~85% Accuracy * 50% Attack: ~82% Accuracy * **ShieldFL (Orange Diamond):** The line shows a more rapid decline in accuracy compared to FedAvg. * 0% Attack: ~94% Accuracy * 10% Attack: ~92% Accuracy * 20% Attack: ~89% Accuracy * 30% Attack: ~84% Accuracy * 40% Attack: ~78% Accuracy * 50% Attack: ~72% Accuracy * **PBFL (Green Triangle):** The line initially remains relatively stable, then declines sharply after 30% attack ratio. * 0% Attack: ~94% Accuracy * 10% Attack: ~93% Accuracy * 20% Attack: ~91% Accuracy * 30% Attack: ~88% Accuracy * 40% Attack: ~80% Accuracy * 50% Attack: ~75% Accuracy * **Median (Purple Circle):** The line exhibits a moderate downward slope, similar to FedAvg but slightly steeper. * 0% Attack: ~94% Accuracy * 10% Attack: ~92% Accuracy * 20% Attack: ~90% Accuracy * 30% Attack: ~86% Accuracy * 40% Attack: ~83% Accuracy * 50% Attack: ~80% Accuracy * **Biscotti (Gray Star):** This line demonstrates a very steep decline in accuracy, becoming significantly lower than other methods at higher attack ratios. * 0% Attack: ~94% Accuracy * 10% Attack: ~92% Accuracy * 20% Attack: ~88% Accuracy * 30% Attack: ~78% Accuracy * 40% Attack: ~68% Accuracy * 50% Attack: ~65% Accuracy * **FoolsGold (Brown Inverted Triangle):** The line shows a moderate decline in accuracy, similar to Median. * 0% Attack: ~94% Accuracy * 10% Attack: ~93% Accuracy * 20% Attack: ~91% Accuracy * 30% Attack: ~88% Accuracy * 40% Attack: ~84% Accuracy * 50% Attack: ~80% Accuracy * **Ours (Red Circle):** This line exhibits the most stable accuracy across all attack ratios, showing the smallest decline. * 0% Attack: ~94% Accuracy * 10% Attack: ~94% Accuracy * 20% Attack: ~93% Accuracy * 30% Attack: ~91% Accuracy * 40% Attack: ~90% Accuracy * 50% Attack: ~89% Accuracy ### Key Observations * The "Ours" defense mechanism consistently outperforms all other methods across all attack ratios, maintaining a high level of accuracy even under significant attack. * Biscotti is the most vulnerable defense, experiencing a dramatic drop in accuracy as the attack ratio increases. * FedAvg, Median, and FoolsGold show similar performance, with moderate declines in accuracy. * ShieldFL and PBFL exhibit intermediate vulnerability, declining more rapidly than FedAvg but less drastically than Biscotti. ### Interpretation The chart demonstrates the effectiveness of the proposed defense mechanism ("Ours") against attacks in a federated learning environment. The consistently high accuracy suggests that this method is robust and can maintain performance even when a significant portion of the participating clients are compromised. The stark contrast between "Ours" and Biscotti highlights the importance of choosing a resilient defense strategy. The data suggests that the proposed defense is superior in mitigating the impact of attacks on model accuracy. The relatively stable performance of "Ours" could be due to a more sophisticated attack mitigation strategy, such as robust aggregation rules or anomaly detection. The rapid decline of Biscotti suggests it may be susceptible to a specific type of attack or lack sufficient defenses against malicious participants. The chart provides valuable insights for practitioners seeking to deploy secure federated learning systems. </details> (a) MNIST ( $\alpha$ =0.2) <details> <summary>x15.png Details</summary>  ### Visual Description ## Line Chart: Accuracy vs. Attack Ratio for Federated Learning Algorithms ### Overview This image presents a line chart comparing the accuracy of several Federated Learning (FL) algorithms under varying attack ratios. The x-axis represents the attack ratio (percentage), and the y-axis represents the accuracy (percentage). The chart displays how each algorithm's performance degrades as the attack ratio increases. ### Components/Axes * **X-axis:** "Attack ratio (%)" - Scale ranges from 0% to 50%, with markers at 0, 10, 20, 30, 40, and 50. * **Y-axis:** "Accuracy (%)" - Scale ranges from 70% to 96%, with markers at 70, 75, 80, 85, 90, 95. * **Legend:** Located in the bottom-left corner, listing the following algorithms with corresponding line colors: * FedAvg (Blue) * ShieldFL (Orange) * PBFL (Green) * Median (Purple) * Biscotti (Grey) * FoolsGold (Yellow) * Ours (Red) ### Detailed Analysis Here's a breakdown of each algorithm's performance based on the chart: * **FedAvg (Blue):** Starts at approximately 94.5% accuracy at 0% attack ratio. The line slopes downward, reaching approximately 88% accuracy at 50% attack ratio. * **ShieldFL (Orange):** Begins at approximately 94% accuracy at 0% attack ratio. The line declines steadily, reaching approximately 84% accuracy at 50% attack ratio. * **PBFL (Green):** Starts at approximately 93% accuracy at 0% attack ratio. The line shows a significant drop, reaching approximately 84% accuracy at 50% attack ratio. * **Median (Purple):** Starts at approximately 94% accuracy at 0% attack ratio. The line declines moderately, reaching approximately 87% accuracy at 50% attack ratio. * **Biscotti (Grey):** Starts at approximately 93.5% accuracy at 0% attack ratio. The line declines sharply, reaching approximately 80% accuracy at 50% attack ratio. * **FoolsGold (Yellow):** Starts at approximately 93% accuracy at 0% attack ratio. The line declines very sharply, reaching approximately 72% accuracy at 50% attack ratio. * **Ours (Red):** Starts at approximately 95% accuracy at 0% attack ratio. The line remains relatively flat, maintaining approximately 94.5% accuracy even at 50% attack ratio. ### Key Observations * The "Ours" algorithm consistently outperforms all other algorithms across all attack ratios. * FoolsGold exhibits the most significant performance degradation with increasing attack ratio. * FedAvg, ShieldFL, PBFL, and Median show similar performance degradation patterns, but with varying degrees of severity. * Biscotti shows a more pronounced decline than FedAvg, ShieldFL, and Median. * The performance of all algorithms decreases as the attack ratio increases, as expected. ### Interpretation The data suggests that the proposed algorithm ("Ours") is significantly more robust to attacks in a Federated Learning setting compared to the other algorithms tested. The flat line representing "Ours" indicates that its accuracy remains stable even with a 50% attack ratio, implying a strong defense mechanism. The sharp decline in accuracy for FoolsGold suggests it is highly vulnerable to attacks. The other algorithms demonstrate varying levels of vulnerability, with ShieldFL and Median showing relatively better resilience than Biscotti and PBFL. The relationship between the algorithms is clear: they represent different approaches to Federated Learning, and their performance under attack highlights the effectiveness of their respective defense strategies. The outlier is clearly "Ours", which stands out due to its consistent high accuracy. This could be due to a novel defense mechanism or a more robust training procedure. The chart demonstrates the importance of considering security and robustness when deploying Federated Learning systems, as even a moderate attack ratio can significantly impact performance. The results suggest that the "Ours" algorithm is a promising solution for mitigating the risks associated with adversarial attacks in Federated Learning. </details> (b) MNIST ( $\alpha$ =0.8) <details> <summary>x16.png Details</summary>  ### Visual Description ## Line Chart: Accuracy vs. Attack Ratio for Federated Learning Algorithms ### Overview This line chart depicts the relationship between the attack ratio (percentage) and the accuracy (percentage) of several federated learning algorithms. The chart compares the robustness of these algorithms against adversarial attacks, where the attack ratio represents the proportion of malicious participants in the federated learning system. ### Components/Axes * **X-axis:** "Attack ratio (%)" - Ranges from 0% to 50%, with markers at 0, 10, 20, 30, 40, and 50. * **Y-axis:** "Accuracy (%)" - Ranges from 0% to 70%, with markers at 10, 20, 30, 40, 50, 60, and 70. * **Legend (bottom-left):** Lists the algorithms being compared: * FedAvg (Blue, square markers) * ShieldFL (Orange, triangle markers) * PBFL (Green, triangle markers) * Median (Purple, circle markers) * Biscotti (Brown, square markers) * FoolsGold (Red, triangle markers) * Ours (Red, circle markers) ### Detailed Analysis Here's a breakdown of each algorithm's performance based on the chart: * **Ours (Red, circle markers):** Starts at approximately 69% accuracy at 0% attack ratio and remains relatively stable, decreasing slightly to approximately 67% at 50% attack ratio. This line is nearly horizontal. * **FoolsGold (Red, triangle markers):** Starts at approximately 69% accuracy at 0% attack ratio and decreases to approximately 64% at 50% attack ratio. This line has a slight negative slope. * **Biscotti (Brown, square markers):** Starts at approximately 68% accuracy at 0% attack ratio and decreases to approximately 56% at 50% attack ratio. This line has a moderate negative slope. * **Median (Purple, circle markers):** Starts at approximately 68% accuracy at 0% attack ratio and decreases sharply to approximately 24% at 50% attack ratio. This line has a steep negative slope. * **PBFL (Green, triangle markers):** Starts at approximately 66% accuracy at 0% attack ratio and decreases very sharply to approximately 10% at 50% attack ratio. This line has a very steep negative slope. * **ShieldFL (Orange, triangle markers):** Starts at approximately 64% accuracy at 0% attack ratio and decreases sharply to approximately 30% at 50% attack ratio. This line has a steep negative slope. * **FedAvg (Blue, square markers):** Starts at approximately 64% accuracy at 0% attack ratio and decreases sharply to approximately 10% at 50% attack ratio. This line has a very steep negative slope. ### Key Observations * The "Ours" algorithm demonstrates the highest and most stable accuracy across all attack ratios. * FedAvg, PBFL, and ShieldFL are the most vulnerable to attacks, experiencing a significant drop in accuracy as the attack ratio increases. * FoolsGold and Biscotti show intermediate vulnerability, with a moderate decrease in accuracy. * Median shows a significant drop in accuracy, but is less vulnerable than FedAvg, PBFL, and ShieldFL. * There is a clear trend of decreasing accuracy as the attack ratio increases for all algorithms except "Ours". ### Interpretation The data suggests that the "Ours" algorithm is significantly more robust to adversarial attacks in a federated learning setting compared to the other algorithms tested. The near-horizontal line representing "Ours" indicates that its performance is largely unaffected by the presence of malicious participants. The steep declines in accuracy for algorithms like FedAvg, PBFL, and ShieldFL highlight their vulnerability to attacks, suggesting that they are easily compromised by even a moderate proportion of malicious actors. The chart demonstrates the importance of developing robust federated learning algorithms that can maintain accuracy and reliability in the face of adversarial attacks. The "Ours" algorithm appears to offer a promising solution, potentially due to its inherent design or defense mechanisms. The differences in performance between the algorithms likely stem from their underlying approaches to aggregation, privacy preservation, or attack detection. Further investigation into the specific mechanisms of each algorithm would be necessary to fully understand the reasons for these observed differences. </details> (c) CIFAR10 ( $\alpha$ =0.2) <details> <summary>x17.png Details</summary>  ### Visual Description ## Line Chart: Accuracy vs. Attack Ratio for Federated Learning Defenses ### Overview This line chart depicts the accuracy of several Federated Learning (FL) defense mechanisms as a function of the attack ratio. The x-axis represents the attack ratio (percentage of compromised clients), and the y-axis represents the accuracy (percentage). The chart compares the performance of FedAvg, ShieldFL, PBFL, Median, Biscotti, FoolsGold, and a method labeled "Ours". ### Components/Axes * **X-axis:** "Attack ratio (%)" - Scale ranges from 0% to 50%, with markers at 0, 10, 20, 30, 40, and 50. * **Y-axis:** "Accuracy (%)" - Scale ranges from 0% to 80%, with markers at 10, 20, 30, 40, 50, 60, 70, and 80. * **Legend:** Located in the bottom-left corner. Contains the following labels and corresponding colors: * FedAvg (Blue) * ShieldFL (Orange) * PBFL (Green) * Median (Purple) * Biscotti (Grey) * FoolsGold (Pink) * Ours (Red) ### Detailed Analysis Here's a breakdown of each line's trend and approximate data points, verified against the legend colors: * **FedAvg (Blue):** Starts at approximately 81% accuracy at 0% attack ratio. The line slopes sharply downward, reaching approximately 52% at 20% attack ratio, 12% at 40% attack ratio, and approximately 8% at 50% attack ratio. * **ShieldFL (Orange):** Starts at approximately 79% accuracy at 0% attack ratio. The line initially decreases slightly, then remains relatively stable until approximately 30% attack ratio (around 70% accuracy). After 30%, it declines rapidly, reaching approximately 18% at 50% attack ratio. * **PBFL (Green):** Starts at approximately 78% accuracy at 0% attack ratio. The line decreases steadily, reaching approximately 68% at 20% attack ratio, 40% at 40% attack ratio, and approximately 10% at 50% attack ratio. * **Median (Purple):** Starts at approximately 80% accuracy at 0% attack ratio. The line decreases gradually, reaching approximately 75% at 20% attack ratio, 56% at 40% attack ratio, and approximately 15% at 50% attack ratio. * **Biscotti (Grey):** Starts at approximately 78% accuracy at 0% attack ratio. The line decreases steadily, reaching approximately 65% at 20% attack ratio, 35% at 40% attack ratio, and approximately 18% at 50% attack ratio. * **FoolsGold (Pink):** Starts at approximately 78% accuracy at 0% attack ratio. The line remains relatively stable until approximately 30% attack ratio (around 76% accuracy). After 30%, it declines, reaching approximately 20% at 50% attack ratio. * **Ours (Red):** Starts at approximately 81% accuracy at 0% attack ratio. The line remains almost flat, maintaining approximately 78-80% accuracy throughout the entire range of attack ratios (0% to 50%). ### Key Observations * The "Ours" method demonstrates significantly higher accuracy compared to all other methods as the attack ratio increases. It maintains a stable accuracy level even at a 50% attack ratio. * FedAvg is the most vulnerable to attacks, experiencing a rapid decline in accuracy with increasing attack ratios. * ShieldFL and FoolsGold show some resilience up to a 30% attack ratio, but their accuracy drops significantly beyond that point. * PBFL, Median, and Biscotti exhibit a more gradual decline in accuracy as the attack ratio increases, but still fall significantly below "Ours". ### Interpretation The data suggests that the proposed "Ours" defense mechanism is substantially more robust against attacks in a Federated Learning environment than the other methods tested. The consistent high accuracy across all attack ratios indicates a strong ability to mitigate the impact of compromised clients. The stark contrast between "Ours" and FedAvg highlights the importance of implementing defense mechanisms in FL systems, as a naive approach (FedAvg) is highly susceptible to attacks. The varying degrees of resilience among ShieldFL, PBFL, Median, Biscotti, and FoolsGold suggest that different defense strategies offer varying levels of protection, and the optimal choice may depend on the specific threat model and system constraints. The fact that most methods degrade in performance as the attack ratio increases is expected, as a higher proportion of malicious clients can exert a greater influence on the global model. This chart provides compelling evidence for the effectiveness of the "Ours" method and underscores the critical need for robust defense mechanisms in Federated Learning. </details> (d) CIFAR10 ( $\alpha$ =0.6) Figure 5: The OA of the models obtained by four benchmarks under Gaussian attack. In summary, SRFed demonstrates strong robustness against poisoning attacks under different Non-IID data settings and attack ratios, thus achieving the design goal of robustness. #### VII-B 2 Efficiency Evaluation of SRFed Learning Overheads. We evaluate the efficiency of the proposed SRFed in obtaining a qualified aggregated model. Specifically, we compare SRFed with two baseline methods, i.e., ESB-FL and ShieldFL. These two methods respectively utilize NDD-FE and HE to ensure privacy protection for local models. The experiments are conducted on MNIST with no malicious clients. For each method, we conduct 10 training tasks and calculate the average time consumed in each phase, along with the average communication time across all participants. The results are summarized in Table IV. The experimental results demonstrate that SRFed reduces the total time overheads throughout the entire training process by 58% compared to ShieldFL. This reduction can be attributed to two main factors: 1) DEFE in SRFed offers a significant computational efficiency advantage over HE in ShieldFL, with faster encryption and decryption, as shown in the ”Local training” and ”Privacy-preserving robust model aggregation” phases in Table IV. 2) The privacy-preserving robust model aggregation is handled solely by the server, which avoids the overhead of multi-server interactions in ShieldFL. Compared to ESB-FL, SRFed reduces the total time overhead by 22% even though it incorporates an additional privacy-preserving model detection phase. This is attributed to its underlying DEFE scheme, which significantly enhances decryption efficiency. As a result, SRFed achieves a 71% reduction in execution time during the privacy-preserving robust model aggregation phase, even with the added overhead of model detection. In summary, SRFed achieves an efficient privacy-preserving FL process, achieving the design goal of efficiency. TABLE IV: Comparison of time consumption between different frameworks | Framework | SRFed | ShieldFL | ESB-FL | | --- | --- | --- | --- | | Local training 1 | 19.51 h | 14.23 h | 5.16 h | | Privacy-preserving | 9.09 h | 51.97 h | 31.43 h | | robust model aggregation 2 | | | | | Node communication | 0.09 h | 1.51 h | 0.09 h | | Total time | 28.69 h | 67.71 h | 36.68 h | | Accuracy | 98.90% | 97.42% | 98.68% | TABLE V: Time overhead of proposed DEFE | Operations | DEFE | NDD-FE | HE | | --- | --- | --- | --- | | (for a model) | (SRFed) | (ESB-FL) | (shieldFL) | | Encryption | 28.37 s | 2.53 s | 18.87 s | | Inner product | 8.97 s | 56.58 s | 30.15 s | | Decryption | - | - | 3.10 s | Efficiency Evaluation of DEFE. We further evaluate the efficiency of the DEFE scheme within SRFed by conducting experiments on the CNN model of the MNIST dataset. Specifically, we compare the DEFE scheme with the NDD-FE scheme used in ESB-FL [31] and the HE scheme used in ShieldFL [29]. For these schemes, we calculate their average time required for different operations, i.e., encryption, inner product computation, and decryption, over 100 test runs. The results are presented in Table V. It is evident that the DEFE scheme offers a substantial efficiency advantage in terms of inner product computation. Specifically, the inner product time of DEFE is reduced by 84% compared to NDD-FE and by 70% compared to HE. Furthermore, DEFE directly produces the final plaintext result during inner product computation, avoiding the need for interactive decryption in HE. Combined with the results in Table IV, it is clear that although the encryption time of DEFE is slightly higher, its highly efficient decryption process significantly reduces the overall computation overhead. Thus, DEFE guarantees the high efficiency of SRFed. ## VIII Conclusion In this paper, we address the challenges of achieving both privacy preservation and Byzantine robustness in FL under Non-IID data distributions, and propose a novel secure and efficient FL method SRFed. Specifically, we design a DEFE scheme that enables efficient model encryption and non-interactive decryption, which eliminates third-party dependency and defends against server-side inference attacks. Second, we develop a privacy-preserving robust aggregation mechanism based on secure layer-wise projection and clustering, which effectively filters malicious updates and mitigates poisoning attacks in data heterogeneous environments. Theoretical analysis and extensive experimental results demonstrate that SRFed achieves superior performance compared to state-of-the-art baselines in terms of privacy protection, Byzantine resilience, and system efficiency. In future work, we will explore the extension of SRFed to practical FL scenarios, such as vertical FL, edge computing, and personalized FL. ## References - [1] R. Lan, Y. Zhang, L. Xie, Z. Wu, and Y. Liu, ‘Bev feature exchange pyramid networks-based 3d object detection in small and distant situations: A decentralized federated learning framework,” Neurocomputing, vol. 583, p. 127476, 2024. - [2] T. Zeng, O. Semiari, M. Chen, W. Saad, and M. Bennis, ‘Federated learning on the road autonomous controller design for connected and autonomous vehicles,” IEEE Transactions on Wireless Communications, vol. 21, no. 12, pp. 10 407–10 423, 2022. - [3] V. P. Chellapandi, L. Yuan, C. G. Brinton, S. H. Żak, and Z. Wang, ‘Federated learning for connected and automated vehicles: A survey of existing approaches and challenges,” IEEE Transactions on Intelligent Vehicles, vol. 9, no. 1, pp. 119–137, 2024. - [4] Y. Fu, X. Tang, C. Li, F. R. Yu, and N. Cheng, ‘A secure personalized federated learning algorithm for autonomous driving,” Trans. Intell. Transport. Sys., vol. 25, no. 12, p. 20378–20389, Dec. 2024. - [5] G. Li, J. Gan, C. Wang, and S. Peng, ‘Stateless distributed stein variational gradient descent method for bayesian federated learning,” Neurocomputing, vol. 654, p. 131198, 2025. - [6] G. Hu, S. Song, Y. Kang, Z. Yin, G. Zhao, C. Li, and J. Tang, ‘Federated client-tailored adapter for medical image segmentation,” IEEE Transactions on Information Forensics and Security, vol. 20, pp. 6490–6501, 2025. - [7] X. Wu, J. Pei, C. Chen, Y. Zhu, J. Wang, Q. Qian, J. Zhang, Q. Sun, and Y. Guo, ‘Federated active learning for multicenter collaborative disease diagnosis,” IEEE Transactions on Medical Imaging, vol. 42, no. 7, pp. 2068–2080, 2023. - [8] A. Rauniyar, D. H. Hagos, D. Jha, J. E. Håkegård, U. Bagci, D. B. Rawat, and V. Vlassov, ‘Federated learning for medical applications: A taxonomy, current trends, challenges, and future research directions,” IEEE Internet of Things Journal, vol. 11, no. 5, pp. 7374–7398, 2024. - [9] T. Deng, C. Huang, M. Cai, Y. Liu, M. Liu, J. Lin, Z. Shi, B. Zhao, J. Huang, C. Liang, G. Han, Z. Liu, Y. Wang, and C. Han, ‘Fedbcd: Federated ultrasound video and image joint learning for breast cancer diagnosis,” IEEE Transactions on Medical Imaging, vol. 44, no. 6, pp. 2395–2407, 2025. - [10] C. Wu, F. Wu, L. Lyu et al., ‘A federated graph neural network framework for privacy-preserving personalization,” Nature Communications, vol. 13, no. 1, p. 3091, 2022. - [11] Y. Hao, X. Chen, W. Wang, J. Liu, T. Li, J. Wang, and W. Pedrycz, ‘Eyes on federated recommendation: Targeted poisoning with competition and its mitigation,” IEEE Transactions on Information Forensics and Security, vol. 19, pp. 10 173–10 188, 2024. - [12] Z. Li, C. Li, F. Huang, X. Zhang, J. Weng, and P. S. Yu, ‘Lapglp: Approximating infinite-layer graph convolutions with laplacian for federated recommendation,” IEEE Transactions on Information Forensics and Security, vol. 20, pp. 8178–8193, 2025. - [13] X. Liu, Y. Chen, and S. Pang, ‘Defending against membership inference attack for counterfactual federated recommendation with differentially private representation learning,” IEEE Transactions on Information Forensics and Security, vol. 19, pp. 8037–8051, 2024. - [14] A. V. Galichin, M. Pautov, A. Zhavoronkin, O. Y. Rogov, and I. Oseledets, ‘Glira: Closed-box membership inference attack via knowledge distillation,” IEEE Transactions on Information Forensics and Security, vol. 20, pp. 3893–3906, 2025. - [15] W. Issa, N. Moustafa, B. Turnbull, and K.-K. R. Choo, ‘Rve-pfl: Robust variational encoder-based personalized federated learning against model inversion attacks,” IEEE Transactions on Information Forensics and Security, vol. 19, pp. 3772–3787, 2024. - [16] G. Liu, Z. Tian, J. Chen, C. Wang, and J. Liu, ‘Tear: Exploring temporal evolution of adversarial robustness for membership inference attacks against federated learning,” IEEE Transactions on Information Forensics and Security, vol. 18, pp. 4996–5010, 2023. - [17] F. Hu, A. Zhang, X. Liu, and M. Li, ‘Dampa: Dynamic adaptive model poisoning attack in federated learning,” IEEE Transactions on Information Forensics and Security, vol. 20, pp. 12 215–12 230, 2025. - [18] H. Zhang, J. Jia, J. Chen, L. Lin, and D. Wu, ‘A3fl: Adversarially adaptive backdoor attacks to federated learning,” in Advances in Neural Information Processing Systems, A. Oh, T. Naumann, A. Globerson, K. Saenko, M. Hardt, and S. Levine, Eds., vol. 36. Curran Associates, Inc., 2023, pp. 61 213–61 233. - [19] B. Wang, Y. Tian, Y. Guo, and H. Li, ‘Defense against poisoning attacks on federated learning with neighborhood coulomb force,” IEEE Transactions on Information Forensics and Security, pp. 1–1, 2025. - [20] H. Zeng, T. Zhou, X. Wu, and Z. Cai, ‘Never too late: Tracing and mitigating backdoor attacks in federated learning,” in 2022 41st International Symposium on Reliable Distributed Systems (SRDS), 2022, pp. 69–81. - [21] Y. Jiang, B. Ma, X. Wang, G. Yu, C. Sun, W. Ni, and R. P. Liu, ‘Preventing harm to the rare in combating the malicious: A filtering-and-voting framework with adaptive aggregation in federated learning,” Neurocomputing, vol. 604, p. 128317, 2024. - [22] L. Sun, J. Qian, and X. Chen, ‘Ldp-fl: Practical private aggregation in federated learning with local differential privacy,” in Proceedings of the Thirtieth International Joint Conference on Artificial Intelligence, IJCAI-21, Z.-H. Zhou, Ed. International Joint Conferences on Artificial Intelligence Organization, 8 2021, pp. 1571–1578, main Track. - [23] C. Liu, Y. Tian, J. Tang, S. Dang, and G. Chen, ‘A novel local differential privacy federated learning under multi-privacy regimes,” Expert Systems with Applications, vol. 227, p. 120266, 2023. - [24] Y. Miao, R. Xie, X. Li, Z. Liu, K.-K. R. Choo, and R. H. Deng, ‘ E fficient and S ecure F ederated L earning scheme (esfl) against backdoor attacks,” IEEE Trans. Dependable Secur. Comput., vol. 21, no. 5, p. 4619–4636, Sep. 2024. - [25] R. Zhang, W. Ni, N. Fu, L. Hou, D. Zhang, Y. Zhang, and L. Zheng, ‘Principal angle-based clustered federated learning with local differential privacy for heterogeneous data,” IEEE Transactions on Information Forensics and Security, vol. 20, pp. 9328–9342, 2025. - [26] X. Tang, L. Peng, Y. Weng, M. Shen, L. Zhu, and R. H. Deng, ‘Enforcing differential privacy in federated learning via long-term contribution incentives,” IEEE Transactions on Information Forensics and Security, vol. 20, pp. 3102–3115, 2025. - [27] Z. Zhang, L. Wu, C. Ma, J. Li, J. Wang, Q. Wang, and S. Yu, ‘LSFL: A lightweight and secure federated learning scheme for edge computing,” IEEE Trans. Inf. Forensics Secur., vol. 18, pp. 365–379, 2023. - [28] L. Chen, D. Xiao, Z. Yu, and M. Zhang, ‘Secure and efficient federated learning via novel multi-party computation and compressed sensing,” Information Sciences, vol. 667, p. 120481, 2024. - [29] Z. Ma, J. Ma, Y. Miao, Y. Li, and R. H. Deng, ‘Shieldfl: Mitigating model poisoning attacks in privacy-preserving federated learning,” IEEE Transactions on Information Forensics and Security, vol. 17, pp. 1639–1654, 2022. - [30] A. Ebel, K. Garimella, and B. Reagen, ‘Orion: A fully homomorphic encryption framework for deep learning,” in Proceedings of the 30th ACM International Conference on Architectural Support for Programming Languages and Operating Systems, Volume 2, ser. ASPLOS ’25. New York, NY, USA: Association for Computing Machinery, 2025, p. 734–749. - [31] B. Chen, H. Zeng, T. Xiang, S. Guo, T. Zhang, and Y. Liu, ‘Esb-fl: Efficient and secure blockchain-based federated learning with fair payment,” IEEE Transactions on Big Data, vol. 10, no. 6, pp. 761–774, 2024. - [32] H. Zeng, J. Li, J. Lou, S. Yuan, C. Wu, W. Zhao, S. Wu, and Z. Wang, ‘Bsr-fl: An efficient byzantine-robust privacy-preserving federated learning framework,” IEEE Transactions on Computers, vol. 73, no. 8, pp. 2096–2110, 2024. - [33] C. Fung, C. J. M. Yoon, and I. Beschastnikh, ‘The limitations of federated learning in sybil settings,” in 23rd International Symposium on Research in Attacks, Intrusions and Defenses (RAID 2020). San Sebastian: USENIX Association, Oct. 2020, pp. 301–316. - [34] P. Blanchard, E. M. El Mhamdi, R. Guerraoui, and J. Stainer, ‘Machine learning with adversaries: byzantine tolerant gradient descent,” in Proceedings of the 31st International Conference on Neural Information Processing Systems, ser. NIPS’17. Red Hook, NY, USA: Curran Associates Inc., 2017, p. 118–128. - [35] D. Yin, Y. Chen, R. Kannan, and P. Bartlett, ‘Byzantine-robust distributed learning: Towards optimal statistical rates,” in Proceedings of the 35th International Conference on Machine Learning, ser. Proceedings of Machine Learning Research, J. Dy and A. Krause, Eds., vol. 80. PMLR, 10–15 Jul 2018, pp. 5650–5659. - [36] Q. Dong, Y. Bai, M. Su, Y. Gao, and A. Fu, ‘Drift: Dct-based robust and intelligent federated learning with trusted privacy,” Neurocomputing, vol. 658, p. 131697, 2025. - [37] Y. Miao, Z. Liu, H. Li, K.-K. R. Choo, and R. H. Deng, ‘Privacy-preserving byzantine-robust federated learning via blockchain systems,” IEEE Transactions on Information Forensics and Security, vol. 17, pp. 2848–2861, 2022. - [38] M. Gong, Y. Zhang, Y. Gao, A. K. Qin, Y. Wu, S. Wang, and Y. Zhang, ‘A multi-modal vertical federated learning framework based on homomorphic encryption,” IEEE Transactions on Information Forensics and Security, vol. 19, pp. 1826–1839, 2024. - [39] H. Zeng, J. Lou, K. Li, C. Wu, G. Xue, Y. Luo, F. Cheng, W. Zhao, and J. Li, ‘Esfl: Accelerating poisonous model detection in privacy-preserving federated learning,” IEEE Transactions on Dependable and Secure Computing, vol. 22, no. 4, pp. 3780–3794, 2025. - [40] B. Yu, J. Zhao, K. Zhang, J. Gong, and H. Qian, ‘Lightweight and dynamic privacy-preserving federated learning via functional encryption,” Trans. Info. For. Sec., vol. 20, p. 2496–2508, Feb. 2025. - [41] M. Shayan, C. Fung, C. J. M. Yoon, and I. Beschastnikh, ‘Biscotti: A blockchain system for private and secure federated learning,” IEEE Transactions on Parallel and Distributed Systems, vol. 32, no. 7, pp. 1513–1525, 2021. - [42] S. Agrawal, B. Libert, and D. Stehle, ‘Fully secure functional encryption for inner products, from standard assumptions,” in Proceedings, Part III, of the 36th Annual International Cryptology Conference on Advances in Cryptology — CRYPTO 2016 - Volume 9816, no. 1. Berlin, Heidelberg: Springer-Verlag, Aug 2016, p. 333–362. - [43] P. Paillier, ‘Public-key cryptosystems based on composite degree residuosity classes,” in Advances in Cryptology — EUROCRYPT ’99, J. Stern, Ed. Berlin, Heidelberg: Springer Berlin Heidelberg, 1999, pp. 223–238. - [44] N. M. Jebreel, J. Domingo-Ferrer, D. Sánchez, and A. Blanco-Justicia, ‘Lfighter: Defending against label-flipping attacks in federated learning (code repository),” 2024, accessed: Please replace with actual access date, e.g., 2024-10-01. [Online]. Available: https://github.com/najeebjebreel/LFighter - [45] Y. LeCun, C. Cortes, and C. J. Burges, ‘The mnist database,” http://yann.lecun.com/exdb/mnist/, accessed: Nov. 1, 2023. - [46] A. Krizhevsky and G. Hinton, ‘Learning multiple layers of features from tiny images,” University of Toronto, Tech. Rep. TR-2009-1, 2009. [Online]. Available: https://www.cs.toronto.edu/~kriz/cifar.html - [47] B. McMahan, E. Moore, D. Ramage, S. Hampson, and B. A. y Arcas, ‘Communication-efficient learning of deep networks from decentralized data,” in Proceedings of the 20th International Conference on Artificial Intelligence and Statistics, AISTATS 2017, 20-22 April 2017, Fort Lauderdale, FL, USA, ser. Proceedings of Machine Learning Research, A. Singh and X. J. Zhu, Eds., vol. 54. PMLR, 2017, pp. 1273–1282. <details> <summary>Aphoto.jpeg Details</summary>  ### Visual Description \n ## Photograph: Portrait of a Man ### Overview The image is a head-and-shoulders portrait of a young man, likely a professional headshot. The background is a plain white. The subject is facing forward, looking directly at the camera. ### Components/Axes There are no axes, legends, or scales present in this image. It is a photograph, not a chart or diagram. ### Detailed Analysis or Content Details The man has dark hair, styled with a slight wave. His eyes are brown. He is wearing a dark suit jacket, a white dress shirt, and a blue striped tie. The tie has approximately 6-8 dark blue stripes of varying width. The lighting is soft and even, with minimal shadows. The image appears to be digitally processed, with a focus on smoothing skin tones. There is a small, light pink rectangular element in the top-left corner of the image. It contains a symbol that appears to be a stylized flower or star. ### Key Observations The image is a standard portrait format, suggesting its purpose is identification or professional representation. The subject's attire and pose indicate a formal or business context. The image quality is high, suggesting it was taken with a professional camera and processed for optimal presentation. ### Interpretation The photograph is likely intended to present a positive and professional image of the subject. The neutral background and direct gaze create a sense of confidence and approachability. The image lacks any factual data or quantifiable information; it is purely representational. The pink element in the top-left corner could be a watermark or a branding element associated with the photographer or the subject's organization. Without further context, it is difficult to determine the specific purpose or meaning of the image beyond its basic function as a portrait. The image is a visual communication tool, designed to convey a specific impression of the subject. </details> Yiwen Lu received the B.S. degree from the School of Mathematics and Statistics, Central South University (CSU), Changsha, China, in 2021. He is currently working toward the Ph.D. degree in mathematics with the School of Mathematics, Nanjing University (NJU), Nanjing, China. His research interests include number theory, cryptography, and artificial intelligence security.