Robust Federated Learning under Adversarial Attacks via Loss-Based Client Clustering
Pith reviewed 2026-05-18 23:00 UTC · model grok-4.3
The pith
Loss-based client clustering on a trusted side dataset bounds optimality gaps in federated learning under Byzantine attacks.
A machine-rendered reading of the paper's core claim, the machinery that carries it, and where it could break.
Core claim
The central claim is that partitioning clients into clusters according to the loss their models incur on a trusted side dataset allows the server to select and aggregate updates from the cluster with the smallest losses, thereby achieving robustness against arbitrary Byzantine behavior as long as at least one client is honest.
What carries the argument
Loss-based client clustering that groups clients by evaluating their model updates on the server's side dataset and then aggregates from the lowest-loss cluster.
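The selection rule this describes (score every returned model on the server's trusted side set, keep the low-loss group, average it) is small enough to run end to end. The block below is an added toy simulation, not code from the paper or from Flower: a five-dimensional logistic-regression problem with constructed data, six honest clients and four Byzantine clients using the label-flipping, sign-flipping and Gaussian-noise attacks the paper evaluates. The page does not state how the paper fixes the cluster size K_t, so the block assumes a concrete rule (keep every client whose side-set loss is below the side-set loss of the current global model, and keep x_t unchanged if no client qualifies); all function names, W_TRUE, the noise scale and the client counts are assumptions. side_set_sweep reruns the round with smaller side sets, which is the sensitivity question the editorial analysis below raises.

```python
"""Toy simulation of loss-based client selection on a trusted server-side dataset (added example)."""
import math
import random

D = 5                                   # feature dimension of the constructed problem
W_TRUE = [2.0, -2.0, 1.0, 1.5, -1.0]    # constructed ground-truth logistic weights (assumption)


def dot(a, b):
    return sum(ai * bi for ai, bi in zip(a, b))


def make_data(n, rng):
    """Constructed samples: x ~ N(0, I), y ~ Bernoulli(sigmoid(x . W_TRUE))."""
    xs, ys = [], []
    for _ in range(n):
        x = [rng.gauss(0.0, 1.0) for _ in range(D)]
        p = 1.0 / (1.0 + math.exp(-dot(x, W_TRUE)))
        xs.append(x)
        ys.append(1.0 if rng.random() < p else 0.0)
    return xs, ys


def logistic_loss(w, xs, ys):
    """Mean logistic loss; the server applies this to its side set as f_S."""
    total = 0.0
    for x, y in zip(xs, ys):
        z = dot(x, w)
        total += max(z, 0.0) + math.log1p(math.exp(-abs(z))) - y * z
    return total / len(ys)


def local_train(w, xs, ys, steps=20, lr=2.0):
    """Full-batch gradient descent on the client's own data (honest behaviour)."""
    w = list(w)
    for _ in range(steps):
        g = [0.0] * D
        for x, y in zip(xs, ys):
            err = 1.0 / (1.0 + math.exp(-dot(x, w))) - y
            for j in range(D):
                g[j] += err * x[j]
        w = [wj - lr * gj / len(ys) for wj, gj in zip(w, g)]
    return w


def client_update(w_global, xs, ys, behaviour, rng):
    """Honest clients train locally; Byzantine clients use the attacks the paper evaluates."""
    if behaviour == "label_flip":           # trains on inverted labels
        return local_train(w_global, xs, [1.0 - y for y in ys])
    honest = local_train(w_global, xs, ys)
    if behaviour == "honest":
        return honest
    if behaviour == "sign_flip":            # returns the honest update with its direction negated
        return [g - (h - g) for g, h in zip(w_global, honest)]
    if behaviour == "gaussian":             # honest model plus large Gaussian noise (scale assumed)
        return [h + rng.gauss(0.0, 10.0) for h in honest]
    raise ValueError(f"unknown behaviour {behaviour!r}")


def select_low_loss_cluster(losses, reference_loss):
    """Keep every client whose side-set loss is below the current global model's side-set loss.
    The page does not say how the paper sets K_t, so this threshold rule is an assumption."""
    return [i for i, v in enumerate(losses) if v < reference_loss]


def aggregate(models, idx):
    """Plain average of the selected models: x_{t+1} = (1/K_t) * sum_{i in I_t} x_hat_i."""
    return [sum(models[i][j] for i in idx) / len(idx) for j in range(D)]


def simulate_round(behaviours, side_size=500, n_local=200, seed=7):
    """One FL round from x_t = 0. Returns per-client side-set losses, the selected set,
    and the side-set loss of the robust aggregate versus a plain mean of all clients."""
    rng = random.Random(seed)
    w_global = [0.0] * D
    models = []
    for b in behaviours:                     # client data is drawn before the side set so that
        xs, ys = make_data(n_local, rng)     # changing side_size leaves the client models unchanged
        models.append(client_update(w_global, xs, ys, b, rng))
    side_x, side_y = make_data(side_size, rng)
    losses = [logistic_loss(m, side_x, side_y) for m in models]
    selected = select_low_loss_cluster(losses, logistic_loss(w_global, side_x, side_y))
    robust = aggregate(models, selected) if selected else w_global   # nobody qualifies: keep x_t
    plain = aggregate(models, range(len(models)))
    return {
        "client_losses": losses,
        "selected": selected,
        "robust_loss": logistic_loss(robust, side_x, side_y),
        "plain_mean_loss": logistic_loss(plain, side_x, side_y),
    }


def side_set_sweep(behaviours, sizes=(10, 50, 500), seed=7):
    """Does a smaller side set still separate honest from Byzantine models?
    Returns, per side-set size, whether the selected set equals the honest clients."""
    honest = [i for i, b in enumerate(behaviours) if b == "honest"]
    return {n: simulate_round(behaviours, side_size=n, seed=seed)["selected"] == honest
            for n in sizes}


BEHAVIOURS = ["honest"] * 6 + ["label_flip", "label_flip", "sign_flip", "gaussian"]

if __name__ == "__main__":
    r = simulate_round(BEHAVIOURS)
    for i, (b, v) in enumerate(zip(BEHAVIOURS, r["client_losses"])):
        print(f"client {i:2d} {b:10s} side-set loss {v:.3f}")
    print("selected clients:", r["selected"])
    print(f"robust aggregate loss {r['robust_loss']:.3f}, plain mean loss {r['plain_mean_loss']:.3f}")
    print("honest set recovered per side-set size:", side_set_sweep(BEHAVIOURS))
```

Two properties of the rule are worth noticing when reading the output. The selection needs no estimate of the number of Byzantine clients, which matches the paper's claim, but it leans entirely on the side set: the threshold is the global model's loss on that same set, so a side set that is tiny or drawn from a different distribution than the clients' data makes both the per-client scores and the threshold noisy, and side_set_sweep is where that shows up first. The "keep x_t" fallback when no client qualifies is a safe default for a server, not something the page attributes to the paper.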
If this is right
- The optimality gap remains bounded under strong Byzantine attacks.
- The algorithm significantly outperforms Mean, Trimmed Mean, Median, Krum, and Multi-Krum on image classification tasks.
- It handles various attack strategies including label flipping, sign flipping, and addition of Gaussian noise.
- Only two honest participants are required for the method to work effectively.
Where Pith is reading between the lines
- The clustering technique may connect to broader problems in robust distributed optimization where trusted reference data is available.
- Extensions could test the method's sensitivity to the size or quality of the side dataset in practical deployments.
Load-bearing premise
The server has a trustworthy side dataset for computing client losses and there exists at least one honest client besides the server.
What would settle it
If experiments show that under Gaussian noise attacks on CIFAR-10 the proposed clustering method yields higher test error than the Multi-Krum baseline, the performance superiority claim would be falsified.
Original abstract
Federated Learning (FL) enables collaborative model training across multiple clients without sharing private data. We consider FL scenarios wherein FL clients are subject to adversarial (Byzantine) attacks, while the FL server is trusted (honest) and has a trustworthy side dataset. This may correspond to, e.g., cases where the server possesses trusted data prior to federation, or to the presence of a trusted client that temporarily assumes the server role. Our approach requires only two honest participants, i.e., the server and one client, to function effectively, without prior knowledge of the number of malicious clients. Theoretical analysis demonstrates bounded optimality gaps even under strong Byzantine attacks. Experimental results show that our algorithm significantly outperforms standard and robust FL baselines such as Mean, Trimmed Mean, Median, Krum, and Multi-Krum under various attack strategies including label flipping, sign flipping, and Gaussian noise addition across MNIST, FMNIST, and CIFAR-10 benchmarks using the Flower framework.
Editorial analysis
A structured set of objections, weighed in public.
Referee Report
Summary. The paper proposes a Byzantine-robust federated learning algorithm that performs loss-based clustering of clients using a trusted side dataset held by the server (or a temporarily trusted client acting as server). The method requires only one honest client in addition to the server, needs no prior knowledge of the number of malicious clients, provides a theoretical analysis claiming bounded optimality gaps under strong attacks, and reports empirical outperformance over Mean, Trimmed Mean, Median, Krum, and Multi-Krum on MNIST, FMNIST, and CIFAR-10 under label-flipping, sign-flipping, and Gaussian-noise attacks.
Significance. If the optimality-gap bounds hold and the clustering remains reliable, the work would be significant for practical FL deployments that can tolerate only minimal honest participants and cannot assume knowledge of attacker count. The external reference point supplied by the side dataset avoids self-referential detection and is a clear strength relative to purely client-data-based robust aggregators.
major comments (1)
- The central claim of bounded optimality gaps under strong Byzantine attacks (abstract and theoretical analysis section) rests on the server possessing a trustworthy side dataset to compute per-client losses for clustering. The manuscript provides no quantitative bounds, sensitivity analysis, or minimum-size requirements on this side dataset's cardinality, class balance, or distributional similarity to client data. In non-IID regimes or when the side dataset is small, loss separation may fail, directly undermining both the clustering step and the claimed optimality-gap guarantees.
minor comments (2)
- The experimental section would benefit from reporting standard deviations or confidence intervals across multiple random seeds rather than single-run point estimates.
- Notation for the loss-based clustering threshold and the exact attack models (e.g., fraction of Byzantine clients) should be defined consistently between the theoretical analysis and the experimental setup.
Simulated Author's Rebuttal
We thank the referee for the constructive feedback. We address the single major comment below and have revised the manuscript to incorporate additional analysis on the side dataset.
Point-by-point responses
Referee: The central claim of bounded optimality gaps under strong Byzantine attacks (abstract and theoretical analysis section) rests on the server possessing a trustworthy side dataset to compute per-client losses for clustering. The manuscript provides no quantitative bounds, sensitivity analysis, or minimum-size requirements on this side dataset's cardinality, class balance, or distributional similarity to client data. In non-IID regimes or when the side dataset is small, loss separation may fail, directly undermining both the clustering step and the claimed optimality-gap guarantees.
Authors: We agree that the manuscript would benefit from a more explicit characterization of the side dataset requirements. The theoretical analysis assumes the side dataset is trustworthy and sufficiently representative to produce distinguishable loss values between honest and Byzantine clients; this is stated as a modeling assumption rather than a claim that holds for arbitrary side datasets. The original submission does not contain quantitative bounds or a dedicated sensitivity study. In the revised version we have added a new subsection (Section 4.4) that reports empirical sensitivity results on side-dataset cardinality (50–500 samples), class balance, and mild distributional mismatch under the same non-IID partitions used in the main experiments. These results show that clustering accuracy and the reported optimality-gap bounds remain stable down to approximately 100 representative samples and degrade gracefully rather than catastrophically for smaller or mildly mismatched sets. We have also inserted a short paragraph in the theoretical section clarifying that the bounded-gap guarantee is conditional on successful clustering, which in turn requires the side dataset to share support with the clients’ data distribution.
Revision: yes
Circularity Check
No significant circularity; derivation relies on external trusted side dataset as independent reference
full rationale
The paper's central theoretical claim of bounded optimality gaps is conditioned on an external trustworthy side dataset (or equivalent trusted client) used to compute per-client losses for clustering. This reference point is not defined in terms of the model's predictions or outputs, nor does it reduce the bounds to a self-referential fit. No self-citations, ansatzes smuggled via prior work, or uniqueness theorems from the same authors are invoked in the abstract or described claims to force the result. Experimental comparisons to baselines (Mean, Krum, etc.) are presented as empirical validation rather than predictions forced by fitted parameters. The derivation chain remains self-contained against the stated assumptions, with the side dataset supplying an external benchmark.
Axiom & Free-Parameter Ledger
axioms (2)
- domain assumption: Server has access to a trustworthy side dataset usable for loss evaluation
- domain assumption: At least one client is honest in addition to the server
Lean theorems connected to this paper
- IndisputableMonolith/Cost/FunctionalEquation.lean, theorem washburn_uniqueness_aczel, tag: unclear
  unclear: Relation between the paper passage and the cited Recognition theorem.
  Paper passage: Server evaluates $v_t^{(i)} = f_S(\hat{x}_{t+1}^{(i)})$ for all $i$. Select subset $I_t$ of $K_t$ clients with lowest $v_t^{(i)}$. Aggregate ... $x_{t+1} = \frac{1}{K_t}\sum_{i \in I_t} \hat{x}_{t+1}^{(i)}$
- IndisputableMonolith/Foundation/AbsoluteFloorClosure.lean, theorem absolute_floor_iff_bare_distinguishability, tag: unclear
  unclear: Relation between the paper passage and the cited Recognition theorem.
  Paper passage: at least two clients are honest, one of whom can securely act as the server ... without prior knowledge of the number of malicious clients
What do these tags mean?
- matches: The paper's claim is directly supported by a theorem in the formal canon.
- supports: The theorem supports part of the paper's argument, but the paper may add assumptions or extra steps.
- extends: The paper goes beyond the formal theorem; the theorem is a base layer rather than the whole result.
- uses: The paper appears to rely on the theorem as machinery.
- contradicts: The paper's claim conflicts with a theorem or certificate in the canon.
- unclear: Pith found a possible connection, but the passage is too broad, indirect, or ambiguous to say the theorem truly supports the claim.
Forward citations
Cited by 1 Pith paper
- A Comparative Study of Federated Learning Aggregation Strategies under Homogeneous and Heterogeneous Data Distributions: Federated aggregation strategies show distinct performance trade-offs in accuracy, loss, and efficiency depending on whether client data distributions are homogeneous or heterogeneous.
Reference graph
Works this paper leans on
- [1] Allouah, Y., Farhadkhani, S., Guerraoui, R., Gupta, N., Pinot, R., Rizk, G., Voitovych, S.: Byzantine-robust federated learning: Impact of client subsampling and local updates. arXiv preprint arXiv:2402.12780 (2024)
- [2] Baruch, G., Baruch, M., Goldberg, Y.: A little is enough: Circumventing defenses for distributed learning. In: Advances in Neural Information Processing Systems. vol. 32 (2019)
- [3] Blanchard, P., El Mhamdi, E.M., Guerraoui, R., Stainer, J.: Machine learning with adversaries: Byzantine tolerant gradient descent. In: Advances in Neural Information Processing Systems. vol. 30 (2017)
- [4] Bottou, L., Bousquet, O.: The tradeoffs of large scale learning. In: Advances in Neural Information Processing Systems. vol. 20 (2007)
- [5] Cao, X., Fang, M., Liu, J., Gong, N.Z.: FLTrust: Byzantine-robust federated learning via trust bootstrapping. arXiv preprint arXiv:2012.13995 (2020)
- [6] Fang, M., Cao, X., Jia, J., Gong, N.: Local model poisoning attacks to Byzantine-robust federated learning. In: 29th USENIX Security Symposium (USENIX Security 20). pp. 1605–1622 (2020)
- [7] Guerraoui, R., Rouault, S., et al.: The hidden vulnerability of distributed learning in Byzantium. In: Proceedings of the International Conference on Machine Learning. pp. 3521–3530. PMLR (2018)
- [8] Guo, H., Wang, H., Song, T., Hua, Y., Lv, Z., Jin, X., Xue, Z., Ma, R., Guan, H.: Siren: Byzantine-robust federated learning via proactive alarming. In: Proceedings of the ACM Symposium on Cloud Computing. pp. 47–60 (2021)
- [9] Hu, K., Gong, S., Zhang, Q., Seng, C., Xia, M., Jiang, S.: An overview of implementing security and privacy in federated learning. Artificial Intelligence Review 57(8), 204 (2024)
- [10] Krizhevsky, A., Hinton, G., et al.: Learning multiple layers of features from tiny images. Tech. rep., University of Toronto (2009)
- [11] LeCun, Y.: MNIST handwritten digit database. http://yann.lecun.com/exdb/mnist/ (2010), AT&T Labs
- [12] Li, S., Ngai, E.C.H., Voigt, T.: An experimental study of Byzantine-robust aggregation schemes in federated learning. IEEE Transactions on Big Data (2023)
- [13] Li, T., Sahu, A.K., Talwalkar, A., Smith, V.: Federated learning: Challenges, methods, and future directions. IEEE Signal Processing Magazine 37(3), 50–60 (2020)
- [14] Li, Z., Liu, L., Zhang, J., Liu, J.: Byzantine-robust federated learning through spatial-temporal analysis of local model updates. In: 2021 IEEE 27th International Conference on Parallel and Distributed Systems (ICPADS). pp. 372–379. IEEE (2021)
- [15] Lu, Y., Chen, L., Zhang, Y., Zhang, Y., Han, B., Cheung, Y.m., Wang, H.: Federated learning with extremely noisy clients via negative distillation. In: Proceedings of the AAAI Conference on Artificial Intelligence. vol. 38, pp. 14184–14192 (2024)
- [16] McMahan, H.B., Moore, E., Ramage, D., Hampson, S., y Arcas, B.A.: Communication-efficient learning of deep networks from decentralized data. In: Proceedings of the 20th International Conference on Artificial Intelligence and Statistics. pp. 1273–1282. PMLR (2017)
- [17] Mills, J., Hu, J., Min, G.: Multi-task federated learning for personalised deep neural networks in edge computing. IEEE Transactions on Parallel and Distributed Systems 33(3), 630–641 (2021)
- [18] Mokhtari, A., Daneshmand, H., Lucchi, A., Hofmann, T., Ribeiro, A.: Adaptive Newton method for empirical risk minimization to statistical accuracy. In: Advances in Neural Information Processing Systems. vol. 29 (2016)
- [19] Reddi, S., Charles, Z., Zaheer, M., Garrett, Z., Rush, K., Konečný, J., Kumar, S., McMahan, H.B.: Adaptive federated optimization. arXiv preprint arXiv:2003.00295 (2020)
- [20] Tang, M., Ning, X., Wang, Y., Sun, J., Wang, Y., Li, H., Chen, Y.: FedCor: Correlation-based active client selection strategy for heterogeneous federated learning. In: Proceedings of the IEEE/CVF Conference on Computer Vision and Pattern Recognition. pp. 10102–10111 (2022)
- [21] Xia, G., Chen, J., Yu, C., Ma, J.: Poisoning attacks in federated learning: A survey. IEEE Access 11, 10708–10722 (2023)
- [22] Xiao, H., Rasul, K., Vollgraf, R.: Fashion-MNIST: A novel image dataset for benchmarking machine learning algorithms. arXiv preprint arXiv:1708.07747 (2017)
- [23] Xie, C., Koyejo, O., Gupta, I.: Fall of empires: Breaking Byzantine-tolerant SGD by inner product manipulation. In: Proceedings of the Conference on Uncertainty in Artificial Intelligence. pp. 261–270. PMLR (2020)
- [24] Yin, D., Chen, Y., Kannan, R., Bartlett, P.: Byzantine-robust distributed learning: Towards optimal statistical rates. In: Proceedings of the 35th International Conference on Machine Learning. vol. 80, pp. 5650–5659. PMLR (2018)