arxiv: 2511.14715 · v3 · submitted 2025-11-18 · cs.LG · cs.AI · cs.CR · cs.DC · cs.MA

FLARE: Adaptive Multi-Dimensional Reputation for Robust Client Reliability in Federated Learning

Pith reviewed 2026-05-17 20:05 UTC · model grok-4.3

classification: cs.LG, cs.AI, cs.CR, cs.DC, cs.MA
keywords: federated learning, Byzantine attacks, reputation system, adaptive threshold, malicious client detection, model poisoning, robust aggregation, differential privacy

The pith

FLARE replaces binary client filters with a continuous multi-dimensional reputation score and self-calibrating threshold to defend federated learning against adaptive attacks.

A machine-rendered reading of the paper's core claim, the machinery that carries it, and where it could break.

The paper tries to establish that federated learning can handle malicious clients more effectively by evaluating their reliability through a continuous score built from performance consistency, statistical anomalies, and temporal patterns rather than static binary decisions. A self-calibrating threshold adjusts the strictness of security based on how well the model is converging and recent attack levels. Client contributions are then weighted proportionally instead of being fully excluded, with local differential privacy applied during scoring. Experiments across MNIST, CIFAR-10, and SVHN with 100 clients show stronger resistance to label flipping, gradient scaling, adaptive attacks, ALIE, and a new statistical mimicry attack while preserving convergence speed. A sympathetic reader would care because this offers a practical path to keep collaborative training accurate without heavy overhead or complete client removal.

Core claim

FLARE transforms client reliability assessment from binary decisions to a continuous, multi-dimensional trust evaluation that integrates performance consistency, statistical anomaly indicators, and temporal behavior, combined with a self-calibrating adaptive threshold mechanism that adjusts security strictness based on model convergence and recent attack intensity, reputation-weighted aggregation with soft exclusion, and a Local Differential Privacy mechanism for scoring on privatized updates.

What carries the argument

The multi-dimensional reputation score capturing performance consistency, statistical anomaly indicators, and temporal behavior, paired with a self-calibrating adaptive threshold.

If this is right

  • FLARE maintains high model accuracy and converges faster than prior Byzantine-robust methods under label flipping, gradient scaling, adaptive attacks, ALIE, and statistical mimicry.
  • Robustness improves by up to 16 percent relative to baselines.
  • Model convergence stays within 30 percent of the non-attacked baseline.
  • Malicious-client detection remains strong with only minimal added computation.

Where Pith is reading between the lines

These are editorial extensions of the paper, not claims the author makes directly.

  • The soft-exclusion weighting may limit damage from occasional false positives on honest but atypical clients.
  • Similar continuous reputation tracking could apply to other distributed systems where participants have varying trustworthiness over time.
  • Adding automated dimension selection or learned weighting among the three factors might further improve resilience if fixed dimensions prove insufficient against future attacks.

Load-bearing premise

The three chosen reputation dimensions of performance consistency, statistical anomaly indicators, and temporal behavior together with the self-calibrating threshold will reliably separate malicious from honest clients even under previously unseen adaptive or mimicry strategies.

What would settle it

A new attack that consistently matches honest patterns across all three reputation dimensions while still degrading the global model would show the separation is incomplete.

Figures

Figures reproduced from arXiv: 2511.14715 by Abolfazl Younesi, Juan Aznar Poveda, Leon Kiss, Thomas Fahringer, Zahra Najafabadi Samani.

Figure 1: Comparison of client reliability assessment approaches in federated learning. Left: Previous static methods make binary inclusion/exclusion decisions that remain fixed throughout training, leading to false positives for honest clients with temporary issues or unique data distributions, while failing to detect adaptive attackers. Right: Our FLARE framework uses dynamic reputation scoring with continuous wei…
Figure 2: Our proposed 5-step framework for reputation-aware aggregation: (1) Compute per-client performance scores, (2) Dynamically adjust mixing coefficients w^t_j based on convergence progress and detected attack patterns, (3) Compute a weighted reputation score for each client using w^t_j, (4) Classify clients into trusted (fully included), suspicious (partially included), or untrusted (excluded), (5) Perform agg…
Figure 3: Reputation dynamics across training rounds for representative clients. The curves illustrate per-round scores (performance consistency r1, statistical anomaly r2, temporal behavior r3), the combined reputation Rt, the adaptive threshold τt, and the resulting soft-exclusion weight wt. Benign clients maintain high Rt and stable wt, while noisy-but-benign clients experience dips and recover. In contrast, mali…
Figure 4: Client Role Distribution for 100 Clients in a scenario where all 6 attack types might occur. We expect to have around 80 benign clients (pink box) and 20 malicious clients (green box), where each malicious client is assigned with one of 6 attack behaviors, meaning we expect (≈ 3) malicious clients for each attack pattern (orange box). We divide threats into two categories: standard and sophisticated attack…
Figure 5: Comparison of detection performance (Precision, Recall, and F1-Score) of eight FL methods across six attack scenarios on MNIST: Adaptive, Byzantine Gradient, Gradient Scaling, Label Flip, ALIE, and SM Attack. Each subplot reports the average detection quality along with confidence intervals. Higher values indicate better detection effectiveness. Preservation changes accuracy only slightly, which again sug…
Figure 6: Convergence under attacks on MNIST, CIFAR-10, and SVHN (non-IID, Dirichlet α=0.3). Figures 6b, 6c, and 6e show test accuracy over communication rounds for non-IID data under Adaptive attacks. Figures 6b, 6d, and 6f show test accuracy under Byzantine gradient attacks. FLARE consistently converges in the fewest rounds and attains the highest (or near-highest) final accuracy across datasets. these adaptive, w…
Figure 8: Convergence and non-IID robustness without attacks on MNIST, CIFAR-10, and SVHN. Figures 8a, 8c, and 8e display the test accuracy over communication rounds for IID data. The legend indicates the first round at which each method achieves the study’s target accuracy (Conv). Figures 8b, 8d, and 8f report final test accuracy under non-IID data generated by a Dirichlet sampler with parameter α (smaller α means …
Original abstract

Federated learning (FL) enables collaborative model training while preserving data privacy. However, it remains vulnerable to malicious clients who compromise model integrity through Byzantine attacks, data poisoning, or adaptive adversarial behaviors. Existing defense mechanisms rely on static thresholds and binary classification, failing to adapt to evolving client behaviors in real-world deployments. We propose FLARE, an adaptive reputation-based framework that transforms client reliability assessment from binary decisions to a continuous, multi-dimensional trust evaluation. FLARE integrates: (i) a multi-dimensional reputation score capturing performance consistency, statistical anomaly indicators, and temporal behavior, (ii) a self-calibrating adaptive threshold mechanism that adjusts security strictness based on model convergence and recent attack intensity, (iii) reputation-weighted aggregation with soft exclusion to proportionally limit suspicious contributions rather than eliminating clients outright, and (iv) a Local Differential Privacy (LDP) mechanism enabling reputation scoring on privatized client updates. We further introduce a highly evasive Statistical Mimicry (SM) attack, a benchmark adversary that blends honest gradients with synthetic perturbations and persistent drift to remain undetected by traditional filters. Extensive experiments with 100 clients on MNIST, CIFAR-10, and SVHN demonstrate that FLARE maintains high model accuracy and converges faster than state-of-the-art Byzantine-robust methods under diverse attack types, including label flipping, gradient scaling, adaptive attacks, ALIE, and SM. FLARE improves robustness by up to 16% and preserves model convergence within 30% of the non-attacked baseline, while achieving strong malicious-client detection performance with minimal computational overhead. https://github.com/Anonymous0-0paper/FLARE
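One round of the pipeline the abstract and the Figure 2 caption describe (score, mix, threshold, classify into three tiers, aggregate with soft exclusion), as an added Python example that is not the paper's or the FLARE repository's code. The page does not reproduce the paper's equations, so every formula, constant, function name, the threshold clamp and the sample clients are assumptions made for illustration; the LDP step is left out.

```python
import math
from statistics import median

# All constants are assumptions for illustration, not values from the paper.
W_BASE = {"p": 0.4, "s": 0.4, "t": 0.2}        # mixing coefficients w_p, w_s, w_t
TAU_BASE, TAU_MIN, TAU_MAX = 0.6, 0.45, 0.85   # threshold base and hard clamp
MARGIN = 0.2                                   # width of the "suspicious" band

# Constructed sample round: (update, server-side validation score in [0,1], past reputations)
SAMPLE_CLIENTS = {
    "c1":       ([1.0, 1.0],   0.90, [0.90, 0.90, 0.90]),
    "c2":       ([0.9, 1.1],   0.88, [0.85, 0.90, 0.90]),
    "c3":       ([1.1, 0.9],   0.90, [0.90, 0.88, 0.90]),
    "c_noisy":  ([0.4, 1.8],   0.55, [0.80, 0.60, 0.70]),  # honest, atypical data
    "c_scaled": ([10.0, 10.0], 0.20, [0.50, 0.30, 0.20]),  # gradient-scaling outlier
}


def anomaly_scores(updates):
    """Statistical-anomaly dimension: 1.0 at the median update norm, decaying
    with robust (median/MAD) distance; the floor keeps tight clusters from over-penalizing."""
    norms = [math.sqrt(sum(x * x for x in u)) for u in updates]
    med = median(norms)
    mad = median(abs(n - med) for n in norms)
    scale = max(mad, 0.1 * med, 1e-12)
    return [1.0 / (1.0 + abs(n - med) / (3.0 * scale)) for n in norms]


def temporal_score(history, beta=0.7):
    """Temporal dimension: exponentially decayed mean of past reputations, newest first."""
    if not history:
        return 0.5  # neutral prior for a client with no history
    decay = [beta ** k for k in range(len(history))]
    return sum(d * h for d, h in zip(decay, reversed(history))) / sum(decay)


def mixing_coefficients(attack_intensity):
    """Shift weight toward the anomaly dimension as attack intensity rises (sums to 1)."""
    shift = 0.2 * attack_intensity
    return {"p": W_BASE["p"] - shift / 2, "s": W_BASE["s"] + shift, "t": W_BASE["t"] - shift / 2}


def adaptive_threshold(convergence, attack_intensity):
    """Stricter under attack, looser as training converges. The clamp is an added
    safeguard: no observed input can move tau outside [TAU_MIN, TAU_MAX]."""
    tau = TAU_BASE + 0.3 * attack_intensity - 0.15 * convergence
    return min(TAU_MAX, max(TAU_MIN, tau))


def classify(rep, tau):
    """Three tiers; the band just below tau is down-weighted instead of dropped."""
    if rep >= tau:
        return "trusted", 1.0
    if rep > tau - MARGIN:
        return "suspicious", (rep - (tau - MARGIN)) / MARGIN
    return "untrusted", 0.0


def plain_mean(clients):
    """Unweighted FedAvg-style mean, for comparison."""
    ups = [u for u, _, _ in clients.values()]
    return [sum(u[i] for u in ups) / len(ups) for i in range(len(ups[0]))]


def flare_round(clients, convergence, attack_intensity):
    """convergence and attack_intensity are assumed to be normalized to [0, 1]."""
    ids = list(clients)
    w = mixing_coefficients(attack_intensity)
    tau = adaptive_threshold(convergence, attack_intensity)
    r_s = anomaly_scores([clients[c][0] for c in ids])
    reps, tiers, weights = {}, {}, {}
    for cid, s in zip(ids, r_s):
        _, perf, hist = clients[cid]
        reps[cid] = w["p"] * perf + w["s"] * s + w["t"] * temporal_score(hist)
        tiers[cid], weights[cid] = classify(reps[cid], tau)
    total = sum(weights.values())
    dim = len(clients[ids[0]][0])
    if total == 0:
        aggregate = [0.0] * dim  # nobody passed: apply no update this round
    else:
        aggregate = [sum(weights[c] * clients[c][0][i] for c in ids) / total for i in range(dim)]
    return {"tau": tau, "reputation": reps, "tiers": tiers, "weights": weights, "aggregate": aggregate}


if __name__ == "__main__":
    for conv, atk in [(0.5, 0.2), (0.2, 0.8)]:
        out = flare_round(SAMPLE_CLIENTS, conv, atk)
        print(f"tau={out['tau']:.3f}", out["tiers"], [round(x, 3) for x in out["aggregate"]])
    print("plain mean:", plain_mean(SAMPLE_CLIENTS))
```

In the calmer setting the honest but atypical client is kept at reduced weight, while in the stricter setting it falls below the band and is excluded, which is the false-positive trade-off that soft exclusion is meant to soften.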

Editorial analysis

A structured set of objections, weighed in public.

Desk editor's note, referee report, simulated authors' rebuttal, and a circularity audit. Tearing a paper down is the easy half of reading it; the pith above is the substance, this is the friction.

Referee Report

3 major / 3 minor

Summary. The manuscript proposes FLARE, an adaptive multi-dimensional reputation framework for client reliability in federated learning. It computes a continuous reputation score from three dimensions (performance consistency, statistical anomaly indicators, temporal behavior), applies a self-calibrating threshold that adjusts based on convergence and recent attack intensity, performs reputation-weighted aggregation with soft exclusion, and incorporates local differential privacy on updates. The authors introduce a new Statistical Mimicry (SM) attack and report experiments with 100 clients on MNIST, CIFAR-10, and SVHN under label-flipping, scaling, ALIE, adaptive, and SM attacks, claiming up to 16% robustness gains and convergence within 30% of the clean baseline.

Significance. If the central claims hold, FLARE would represent a meaningful advance over static-threshold Byzantine defenses by enabling continuous, adaptive trust evaluation that can respond to evolving client behavior. The GitHub code release is a clear strength for reproducibility, and the SM attack provides a useful new benchmark. The significance is tempered by the need to demonstrate that the chosen dimensions and adaptation logic generalize beyond the author-designed test cases.

major comments (3)
  1. [§3.2] §3.2: The three reputation dimensions are combined via fixed weights w_p, w_s, w_t whose values are stated without derivation from first principles or ablation showing robustness to changes; this choice is load-bearing for the claim that the score reliably separates malicious clients under unseen mimicry strategies.
  2. [§4.1] §4.1, Eq. (7): The adaptive threshold T_t is defined as a function of observed model drift and recent attack intensity, but no analysis or bound is given showing that an adversary who can influence the observed drift rate cannot drive T_t to a value that admits malicious updates; this directly affects the generalization claim.
  3. [Table 3] Table 3 and §5.3: Strong detection and accuracy results are shown for the authors' own SM attack, yet no experiments evaluate against independently designed mimicry or evasion strategies that could more closely match the statistical and temporal signatures; this is central to the robustness claims.
minor comments (3)
  1. [§3] Notation for the reputation score R_i(t) is introduced in §3 without an explicit equation reference; adding a numbered equation would improve clarity.
  2. [§3.4] The description of the LDP mechanism in §3.4 does not specify the privacy budget ε used in the reported experiments; this detail should be added for reproducibility.
  3. [Figure 4] Figure 4 caption does not state the number of independent runs or error bars; adding this information would strengthen the presentation of convergence curves.

Simulated Author's Rebuttal

3 responses · 0 unresolved

We thank the referee for the detailed and insightful comments. These observations help clarify where additional justification and experiments can strengthen the presentation of FLARE's multi-dimensional reputation mechanism and adaptive threshold. We address each major comment below and indicate planned revisions.

Point-by-point responses
  1. Referee: [§3.2] §3.2: The three reputation dimensions are combined via fixed weights w_p, w_s, w_t whose values are stated without derivation from first principles or ablation showing robustness to changes; this choice is load-bearing for the claim that the score reliably separates malicious clients under unseen mimicry strategies.

    Authors: We agree that the choice of fixed weights merits explicit justification and sensitivity analysis. The weights were determined through preliminary tuning to reflect the relative reliability of each dimension across initial attack scenarios. In the revised manuscript we will add an ablation study that varies w_p, w_s, and w_t over a range of values and reports the resulting detection F1 scores and final model accuracy under the SM attack as well as label-flipping and ALIE. This will demonstrate that performance remains stable within a reasonable neighborhood of the reported weights. revision: yes

  2. Referee: [§4.1] §4.1, Eq. (7): The adaptive threshold T_t is defined as a function of observed model drift and recent attack intensity, but no analysis or bound is given showing that an adversary who can influence the observed drift rate cannot drive T_t to a value that admits malicious updates; this directly affects the generalization claim.

    Authors: This point correctly identifies a gap in the current analysis. While the self-calibrating rule is motivated by the desire to relax strictness once convergence stabilizes, we do not provide a formal bound on an adversary's ability to inflate observed drift. In revision we will expand the discussion of Eq. (7) with additional empirical simulations that inject controlled drift manipulation and report the resulting threshold trajectory and attack success rate. We will also add a limitations paragraph acknowledging that a tight theoretical guarantee remains an open question. revision: partial

  3. Referee: [Table 3] Table 3 and §5.3: Strong detection and accuracy results are shown for the authors' own SM attack, yet no experiments evaluate against independently designed mimicry or evasion strategies that could more closely match the statistical and temporal signatures; this is central to the robustness claims.

    Authors: We accept that evaluating only against the author-introduced SM attack limits the strength of the generalization claim. The SM attack was constructed to combine statistical mimicry with persistent temporal drift, but we agree that testing against other published evasion techniques would be valuable. In the revised version we will include results against at least two additional mimicry-style attacks drawn from recent literature (e.g., variations of gradient matching or stealthy poisoning) and report the corresponding detection and accuracy metrics in an expanded Table 3. revision: yes

Circularity Check

0 steps flagged

No significant circularity; claims rest on independent empirical evaluation

full rationale

The paper defines FLARE through four explicit components (multi-dimensional reputation from performance consistency, statistical anomalies, and temporal behavior; self-calibrating threshold based on convergence and attack intensity; reputation-weighted aggregation; LDP on updates) and introduces the SM attack as a new benchmark. Robustness numbers (up to 16% improvement, convergence within 30% of baseline) are reported from experiments across MNIST/CIFAR-10/SVHN under label-flipping, scaling, ALIE, adaptive, and SM attacks. No equation or step reduces the final performance metrics to a fitted parameter, self-citation chain, or definitional equivalence with the inputs. The weighting and threshold logic are presented as design choices validated externally by the testbed rather than derived tautologically from the same data.

Axiom & Free-Parameter Ledger

2 free parameters · 1 axioms · 1 invented entities

The framework rests on several design decisions for how to combine the three reputation signals and how to map recent attack intensity into threshold adjustments; these are not derived from external benchmarks or formal proofs.

free parameters (2)
  • dimension weights for reputation score
    Relative importance of performance consistency, statistical anomaly, and temporal behavior must be chosen or tuned.
  • adaptive threshold scaling factors
    Parameters that translate model convergence state and attack intensity into security strictness.
axioms (1)
  • domain assumption: Client updates contain measurable statistical and temporal signals that distinguish malicious from honest behavior under the tested attack models.
    Invoked when defining the multi-dimensional reputation components.
invented entities (1)
  • Statistical Mimicry (SM) attack (no independent evidence)
    purpose: Highly evasive benchmark adversary that blends honest gradients with synthetic perturbations and persistent drift.
    New attack introduced to test the defense; no independent evidence of its prevalence outside this paper.

Forward citations

Cited by 2 Pith papers

Reviewed papers in the Pith corpus that reference this work. Sorted by Pith novelty score.

  1. VISTA: Decentralized Machine Learning in Adversary Dominated Environments

    cs.LG 2026-05 unverdicted novelty 6.0

    VISTA adaptively tunes consistency thresholds in decentralized SGD so that the system converges asymptotically like standard SGD even when adversaries dominate the worker pool.

  2. OpenCLAW-Nexus: A Self-Reinforcing Trust Framework for Byzantine-Resilient Decentralized Federated Learning

    cs.NI 2026-04 unverdicted novelty 5.0

    OpenCLAW-Nexus uses a single discounted Beta-reputation model to unify reputation-based node selection, Rep-FedAvg aggregation, and reputation-aware BFT consensus, achieving Byzantine resilience in decentralized FL wi...

Reference graph

Works this paper leans on

70 extracted references · 70 canonical work pages · cited by 2 Pith papers

  1. [1]

    Reputation- based federated learning algorithm for fairness and security in internet of vehicles,

    C. Guo, X. Zhang, L. Zhang, C. Gong, H. Xu, and Z. Han, “Reputation- based federated learning algorithm for fairness and security in internet of vehicles,”IEEE Internet of Things Journal, 2025

  2. [2]

    Fedmar: A privacy-preserving and robust server-side multi-stage federated learning,

    L. Shi, Y . Gao, C. Chen, S. Huang, J. Zhao, X. Hu, and V . C. Leung, “Fedmar: A privacy-preserving and robust server-side multi-stage federated learning,”IEEE Internet of Things Journal, 2025

  3. [3]

    Incentive mech- anism for reliable federated learning: A joint optimization approach to combining reputation and contract theory,

    J. Kang, Z. Xiong, D. Niyato, S. Xie, and J. Zhang, “Incentive mech- anism for reliable federated learning: A joint optimization approach to combining reputation and contract theory,”IEEE Internet of Things Journal, vol. 6, no. 6, pp. 10 700–10 714, 2019

  4. [4]

    Healthcare 5.0: An industry 5.0 perspective for next-generation medical systems with synergistic integration of iot, ai, and 6g,

    A. Younesi, E. Oustad, M. Ansari, T. Fahringer, and R. Buyya, “Healthcare 5.0: An industry 5.0 perspective for next-generation medical systems with synergistic integration of iot, ai, and 6g,” Internet of Things, vol. 35, p. 101815, 2026. [Online]. Available: https://www.sciencedirect.com/science/article/pii/S2542660525003294 IEEE INTERNET OF THINGS, VOL....

  5. [5]

    Communication-Efficient Learning of Deep Networks from Decentralized Data,

    B. McMahan, E. Moore, D. Ramage, S. Hampson, and B. A. y. Arcas, “Communication-Efficient Learning of Deep Networks from Decentralized Data,” inProceedings of the 20th International Conference on Artificial Intelligence and Statistics, ser. Proceedings of Machine Learning Research, A. Singh and J. Zhu, Eds., vol. 54. PMLR, 20–22 Apr 2017, pp. 1273–1282. [...

  6. [6]

    Federated learning: Challenges, methods, and future directions,

    T. Li, A. K. Sahu, A. Talwalkar, and V . Smith, “Federated learning: Challenges, methods, and future directions,”IEEE signal processing magazine, vol. 37, no. 3, pp. 50–60, 2020

  7. [7]

    Advances and open problems in federated learning,

    P. Kairouzet al., “Advances and open problems in federated learning,”

  8. [8]

    Advances and open problems in federated learning,

    [Online]. Available: https://arxiv.org/abs/1912.04977

  9. [9]

    Cnn-feet: Efficient cnn in federated learning for energy- efficiency in emerging fault-tolerant fog-edge environments,

    A. Younesi, M. Barati, M. Ansari, M. A. Fazli, A. Ejlali, M. Shafique, and J. Henkel, “Cnn-feet: Efficient cnn in federated learning for energy- efficiency in emerging fault-tolerant fog-edge environments,”Authorea Preprints, 2024

  10. [10]

    Threats tofederated learning: A survey

    L. Lyu, H. Yu, and Q. Yang, “Threats to federated learning: A survey,” arXiv preprint arXiv:2003.02133, 2020

  11. [11]

    How to backdoor federated learning,

    E. Bagdasaryan, A. Veit, Y . Hua, D. Estrin, and V . Shmatikov, “How to backdoor federated learning,” inInternational conference on artificial intelligence and statistics. PMLR, 2020, pp. 2938–2948

  12. [12]

    Performance and behavior characterization of amazon ec2 spot instances,

    T.-P. Pham, S. Ristov, and T. Fahringer, “Performance and behavior characterization of amazon ec2 spot instances,” in2018 IEEE 11th International Conference on Cloud Computing (CLOUD), 2018, pp. 73– 81

  13. [13]

    Evolutionary multi-objective workflow scheduling for volatile resources in the cloud,

    T.-P. Pham and T. Fahringer, “Evolutionary multi-objective workflow scheduling for volatile resources in the cloud,”IEEE Transactions on Cloud Computing, vol. 10, no. 3, pp. 1780–1791, 2022

  14. [14]

    Byzantine resilient federated multi-task representation learning,

    T. Le and S. Moothedath, “Byzantine resilient federated multi-task representation learning,” 2025. [Online]. Available: https://arxiv.org/abs/ 2503.19209

  15. [15]

    Decentralized federated learning: Balancing communication and computing costs,

    W. Liu, L. Chen, and W. Zhang, “Decentralized federated learning: Balancing communication and computing costs,”IEEE Transactions on Signal and Information Processing over Networks, vol. 8, pp. 131–143, 2022

  16. [16]

    When feder- ated learning meets privacy-preserving computation,

    J. Chen, H. Yan, Z. Liu, M. Zhang, H. Xiong, and S. Yu, “When feder- ated learning meets privacy-preserving computation,”ACM Computing Surveys, vol. 56, no. 12, pp. 1–36, 2024

  17. [17]

    The impact of adversarial attacks on federated learning: A survey,

    K. N. Kumar, C. K. Mohan, and L. R. Cenkeramaddi, “The impact of adversarial attacks on federated learning: A survey,”IEEE Transactions on Pattern Analysis and Machine Intelligence, vol. 46, no. 5, pp. 2672– 2691, 2023

  18. [18]

    Distributed momentum for byzantine-resilient stochastic gradient descent,

    E.-M. El Mhamdi, R. Guerraoui, and S. L. A. Rouault, “Distributed momentum for byzantine-resilient stochastic gradient descent,” in9th International Conference on Learning Representations, ICLR, 2021, pp. 4–8

  19. [19]

    Byzantine machine learning made easy by resilient averaging of mo- mentums,

    S. Farhadkhani, R. Guerraoui, N. Gupta, R. Pinot, and J. Stephan, “Byzantine machine learning made easy by resilient averaging of mo- mentums,” inInternational Conference on Machine Learning. PMLR, 2022, pp. 6246–6283

  20. [20]

    Byzantine-robust dis- tributed learning: Towards optimal statistical rates,

    D. Yin, Y . Chen, R. Kannan, and P. Bartlett, “Byzantine-robust dis- tributed learning: Towards optimal statistical rates,” inInternational conference on machine learning. Pmlr, 2018, pp. 5650–5659

  21. [21]

    Byzantine-resilient high-dimensional fed- erated learning,

    D. Data and S. N. Diggavi, “Byzantine-resilient high-dimensional fed- erated learning,”IEEE Transactions on Information Theory, vol. 69, no. 10, pp. 6639–6670, 2023

  22. [22]

    Ma- chine learning with adversaries: Byzantine tolerant gradient descent,

    P. Blanchard, E. M. El Mhamdi, R. Guerraoui, and J. Stainer, “Ma- chine learning with adversaries: Byzantine tolerant gradient descent,” Advances in neural information processing systems, vol. 30, 2017

  23. [23]

    Byzantine-robust decentralized federated learning,

    M. Fang, Z. Zhang, Hairi, P. Khanduri, J. Liu, S. Lu, Y . Liu, and N. Gong, “Byzantine-robust decentralized federated learning,” inPro- ceedings of the 2024 on ACM SIGSAC Conference on Computer and Communications Security, 2024, pp. 2874–2888

  24. [24]

    Fedinv: Byzantine-robust federated learning by inversing local model updates,

    B. Zhao, P. Sun, T. Wang, and K. Jiang, “Fedinv: Byzantine-robust federated learning by inversing local model updates,” inProceedings of the AAAI Conference on Artificial Intelligence, vol. 36, no. 8, 2022, pp. 9171–9179

  25. [25]

    Carefl: Contribution guided byzantine-robust federated learning,

    Q. Dong, S. Yang, Z. Dai, Y . Gao, S. Wang, Y . Cao, A. Fu, and W. Susilo, “Carefl: Contribution guided byzantine-robust federated learning,”IEEE Transactions on Information Forensics and Security, vol. 19, pp. 9714– 9729, 2024

  26. [26]

    Reputation- based federated learning algorithm for fairness and security in internet of vehicles,

    C. Guo, X. Zhang, L. Zhang, C. Gong, H. Xu, and Z. Han, “Reputation- based federated learning algorithm for fairness and security in internet of vehicles,”IEEE Internet of Things Journal, vol. 12, no. 21, pp. 44 502– 44 520, 2025

  27. [27]

    Local differential privacy-based federated learning for internet of things,

    Y . Zhao, J. Zhao, M. Yang, T. Wang, N. Wang, L. Lyu, D. Niyato, and K.-Y . Lam, “Local differential privacy-based federated learning for internet of things,”IEEE Internet of Things Journal, vol. 8, no. 11, pp. 8836–8853, 2020

  28. [28]

    Repunet: A reputation system for mitigating malicious clients in dfl,

    I. M. Penalva, E. T. M. Beltr ´an, M. G. P ´erez, and A. H. Celdr ´an, “Repunet: A reputation system for mitigating malicious clients in dfl,” arXiv preprint arXiv:2506.19892, 2025

  29. [29]

    Reputation-aware federated learning client selection based on stochastic integer programming,

    X. Tan, W. C. Ng, W. Y . B. Lim, Z. Xiong, D. Niyato, and H. Yu, “Reputation-aware federated learning client selection based on stochastic integer programming,”IEEE Transactions on Big Data, vol. 10, no. 6, pp. 953–964, 2022

  30. [30]

    Reputation-aware multi-agent drl for secure hierarchical federated learning in iot,

    N. M. Al-Maslamani, M. Abdallah, and B. S. Ciftler, “Reputation-aware multi-agent drl for secure hierarchical federated learning in iot,”IEEE Open Journal of the Communications Society, vol. 4, pp. 1274–1284, 2023

  31. [31]

    Label inference attacks against vertical federated learning,

    C. Fu, X. Zhang, S. Ji, J. Chen, J. Wu, S. Guo, J. Zhou, A. X. Liu, and T. Wang, “Label inference attacks against vertical federated learning,” in31st USENIX security symposium (USENIX Security 22), 2022, pp. 1397–1414

  32. [32]

    Sophon: Byzantine-robust federated learning via dual trust mechanism,

    X. Gui, G. Yu, J. Wang, Z. Yan, W. Wang, C. Domeniconi, and L. Cui, “Sophon: Byzantine-robust federated learning via dual trust mechanism,” IEEE Transactions on Dependable and Secure Computing, pp. 1–12, 2025

  33. [33]

    Secure model aggregation against poisoning attacks for cross-silo federated learning with robust- ness and fairness,

    Y . Mao, Z. Ye, X. Yuan, and S. Zhong, “Secure model aggregation against poisoning attacks for cross-silo federated learning with robust- ness and fairness,”IEEE Transactions on Information Forensics and Security, vol. 19, pp. 6321–6336, 2024

  34. [34]

    Toward secure federated learning for iot using drl-enabled reputation mechanism,

    N. M. Al-Maslamani, B. S. Ciftler, M. Abdallah, and M. M. Mahmoud, “Toward secure federated learning for iot using drl-enabled reputation mechanism,”IEEE Internet of Things Journal, vol. 9, no. 21, pp. 21 971– 21 983, 2022

  35. [35]

    Robust federated learning: Maximum correntropy aggregation against byzantine attacks,

    Z. Luan, W. Li, M. Liu, and B. Chen, “Robust federated learning: Maximum correntropy aggregation against byzantine attacks,”IEEE Transactions on Neural Networks and Learning Systems, vol. 36, no. 1, pp. 62–75, 2025

  36. [36]

    Feddmc: Efficient and robust federated learning via detecting malicious clients,

    X. Mu, K. Cheng, Y . Shen, X. Li, Z. Chang, T. Zhang, and X. Ma, “Feddmc: Efficient and robust federated learning via detecting malicious clients,”IEEE Transactions on Dependable and Secure Computing, vol. 21, no. 6, pp. 5259–5274, 2024

  37. [37]

    Fedid: Enhancing federated learning security through dynamic identification,

    S. Huang, Y . Li, C. Chen, Y . Gao, and X. Hu, “Fedid: Enhancing federated learning security through dynamic identification,”IEEE Trans- actions on Pattern Analysis and Machine Intelligence, 2025

  38. [38]

    Sherpa: Ex- plainable robust algorithms for privacy-preserved federated learning in future networks to defend against data poisoning attacks,

    C. Sandeepa, B. Siniarski, S. Wang, and M. Liyanage, “Sherpa: Ex- plainable robust algorithms for privacy-preserved federated learning in future networks to defend against data poisoning attacks,” in2024 IEEE Symposium on Security and Privacy (SP). IEEE, 2024, pp. 4772–4790

  39. [39]

    Dual defense: Enhancing pri- vacy and mitigating poisoning attacks in federated learning,

    R. Xu, S. Gao, C. Li, J. Joshi, and J. Li, “Dual defense: Enhancing pri- vacy and mitigating poisoning attacks in federated learning,”Advances in Neural Information Processing Systems, vol. 37, pp. 70 476–70 498, 2024

  40. [40]

    Byzantine-resilient federated learning at edge,

    Y . Tao, S. Cui, W. Xu, H. Yin, D. Yu, W. Liang, and X. Cheng, “Byzantine-resilient federated learning at edge,”IEEE Transactions on Computers, vol. 72, no. 9, pp. 2600–2614, 2023

  41. [41]

    On the byzantine robustness of clustered federated learning,

    F. Sattler, K.-R. Müller, T. Wiegand, and W. Samek, “On the byzantine robustness of clustered federated learning,” in ICASSP 2020 - 2020 IEEE International Conference on Acoustics, Speech and Signal Processing (ICASSP), 2020, pp. 8861–8865

  42. [42]

    A little is enough: Circumventing defenses for distributed learning,

    M. Baruch, G. Baruch, and Y. Goldberg, “A little is enough: Circumventing defenses for distributed learning,” 2019. [Online]. Available: https://arxiv.org/abs/1902.06156

  43. [43]

    A reliability-aware resource provisioning scheme for real-time industrial applications in a fog-integrated smart factory,

    S. Dehnavi, H. R. Faragardi, M. Kargahi, and T. Fahringer, “A reliability-aware resource provisioning scheme for real-time industrial applications in a fog-integrated smart factory,” Microprocessors and Microsystems, vol. 70, pp. 1–14, 2019. [Online]. Available: https://www.sciencedirect.com/science/article/pii/S0141933118304629

  44. [44]

    Local model poisoning attacks to Byzantine-Robust federated learning,

    M. Fang, X. Cao, J. Jia, and N. Gong, “Local model poisoning attacks to Byzantine-Robust federated learning,” in 29th USENIX Security Symposium (USENIX Security 20), 2020, pp. 1605–1622

  45. [45]

    Bsr-fl: An efficient byzantine-robust privacy-preserving federated learning framework,

    H. Zeng, J. Li, J. Lou, S. Yuan, C. Wu, W. Zhao, S. Wu, and Z. Wang, “Bsr-fl: An efficient byzantine-robust privacy-preserving federated learning framework,” IEEE Transactions on Computers, vol. 73, no. 8, pp. 2096–2110, 2024

  46. [46]

    Privacy-preserving and byzantine-robust federated learning framework using permissioned blockchain,

    H. Kasyap and S. Tripathy, “Privacy-preserving and byzantine-robust federated learning framework using permissioned blockchain,” Expert Systems with Applications, vol. 238, p. 122210, 2024

  47. [47]

    Dp-brem: differentially-private and byzantine-robust federated learning with client momentum,

    X. Gu, M. Li, and L. Xiong, “Dp-brem: differentially-private and byzantine-robust federated learning with client momentum,” arXiv preprint arXiv:2306.12608, 2023.

  48. [48]

    Lotto: secure participant selection against adversarial servers in federated learning,

    Z. Jiang, P. Ye, S. He, W. Wang, R. Chen, and B. Li, “Lotto: secure participant selection against adversarial servers in federated learning,” in 33rd USENIX Security Symposium (USENIX Security 24), 2024, pp. 343–360

  49. [49]

    Understanding byzantine robustness in federated learning with a black-box server,

    F. Zhao, Y. Xie, X. Ren, B. Ding, S. Yang, and Y. Li, “Understanding byzantine robustness in federated learning with a black-box server,” [Online]. Available: https://arxiv.org/abs/2408.06042

  51. [51]

    Advancing hybrid defense for byzantine attacks in federated learning,

    K. Yue, R. Jin, C.-W. Wong, and H. Dai, “Advancing hybrid defense for byzantine attacks in federated learning,” 2025. [Online]. Available: https://arxiv.org/abs/2409.06474

  52. [52]

    Byzantine-robust federated learning: An overview with focus on developing sybil-based attacks to backdoor augmented secure aggregation protocols,

    A. Deshmukh, “Byzantine-robust federated learning: An overview with focus on developing sybil-based attacks to backdoor augmented secure aggregation protocols,” 2024. [Online]. Available: https://arxiv.org/abs/2410.22680

  53. [53]

    Drop: Poison dilution via knowledge distillation for federated learning,

    G. Syros, A. Suri, F. Koushanfar, C. Nita-Rotaru, and A. Oprea, “Drop: Poison dilution via knowledge distillation for federated learning,” 2025. [Online]. Available: https://arxiv.org/abs/2502.07011

  54. [54]

    Model poisoning attacks to federated learning via multi-round consistency,

    Y. Xie, M. Fang, and N. Z. Gong, “Model poisoning attacks to federated learning via multi-round consistency,” 2025. [Online]. Available: https://arxiv.org/abs/2404.15611

  55. [55]

    Privacy-preserving federated learning with malicious clients and honest-but-curious servers,

    J. Le, D. Zhang, X. Lei, L. Jiao, K. Zeng, and X. Liao, “Privacy-preserving federated learning with malicious clients and honest-but-curious servers,” IEEE Transactions on Information Forensics and Security, vol. 18, pp. 4329–4344, 2023

  56. [56]

    Characterizing, modeling and predicting dynamic resource availability in a large scale multi-purpose grid,

    F. Nadeem, R. Prodan, and T. Fahringer, “Characterizing, modeling and predicting dynamic resource availability in a large scale multi-purpose grid,” in 2008 Eighth IEEE International Symposium on Cluster Computing and the Grid (CCGRID), 2008, pp. 348–357

  57. [57]

    Local privacy and statistical minimax rates,

    J. C. Duchi, M. I. Jordan, and M. J. Wainwright, “Local privacy and statistical minimax rates,” in 2013 IEEE 54th Annual Symposium on Foundations of Computer Science, 2013, pp. 429–438

  58. [58]

    The Algorithmic Foundations of Differential Privacy

    C. Dwork and A. Roth, “The algorithmic foundations of differential privacy,” Found. Trends Theor. Comput. Sci., vol. 9, no. 3–4, p. 211–407, Aug. 2014. [Online]. Available: https://doi.org/10.1561/0400000042

  59. [59]

    Federated learning on non-iid data silos: An experimental study,

    Q. Li, Y. Diao, Q. Chen, and B. He, “Federated learning on non-iid data silos: An experimental study,” in 2022 IEEE 38th International Conference on Data Engineering (ICDE). IEEE, 2022, pp. 965–978

  60. [60]

    Fednoisy: Federated noisy label learning benchmark,

    S. Liang, J. Huang, J. Hong, D. Zeng, J. Zhou, and Z. Xu, “Fednoisy: Federated noisy label learning benchmark,” 2025. [Online]. Available: https://arxiv.org/abs/2306.11650

  61. [61]

    Learning multiple layers of features from tiny images,

    A. Krizhevsky, G. Hinton et al., “Learning multiple layers of features from tiny images,” 2009

  62. [62]

    Gradient-based learning applied to document recognition,

    Y. LeCun, L. Bottou, Y. Bengio, and P. Haffner, “Gradient-based learning applied to document recognition,” Proceedings of the IEEE, vol. 86, no. 11, pp. 2278–2324, 2002

  63. [63]

    Reading digits in natural images with unsupervised feature learning,

    Y. Netzer, T. Wang, A. Coates, A. Bissacco, B. Wu, A. Y. Ng et al., “Reading digits in natural images with unsupervised feature learning,” in NIPS Workshop on Deep Learning and Unsupervised Feature Learning, vol. 2011, no. 5. Granada, 2011, p. 7

  64. [64]

    Sok: Benchmarking poisoning attacks and defenses in federated learning,

    H. Zhang, Y. Liu, X. He, J. Wu, T. Cong, and X. Huang, “Sok: Benchmarking poisoning attacks and defenses in federated learning,” [Online]. Available: https://arxiv.org/abs/2502.03801

  66. [66]

    Fltrust: Byzantine-robust federated learning via trust bootstrapping,

    X. Cao, M. Fang, J. Liu, and N. Z. Gong, “Fltrust: Byzantine-robust federated learning via trust bootstrapping,” arXiv preprint arXiv:2012.13995, 2020

  67. [67]

    FLAME: Taming backdoors in federated learning,

    T. D. Nguyen, P. Rieger, H. Chen, H. Yalame, H. Möllering, H. Fereidooni, S. Marchal, M. Miettinen, A. Mirhoseini, S. Zeitouni et al., “FLAME: Taming backdoors in federated learning,” in 31st USENIX Security Symposium (USENIX Security 22), 2022, pp. 1415–1432

  68. [68]

    Byzantine-resilient secure federated learning,

    J. So, B. Güler, and A. S. Avestimehr, “Byzantine-resilient secure federated learning,” IEEE Journal on Selected Areas in Communications, vol. 39, no. 7, pp. 2168–2181, 2021.

    Abolfazl Younesi (Student Member, IEEE) is currently pursuing a PhD at the University of Innsbruck. He is a member of the Distributed and Parallel Systems Group (DPS) at the Depa...

  69. [69]

    Liberalization of Telecommunications

    She has been a postdoctoral researcher and university assistant since 2023 in the Distributed and Parallel Systems group at the University of Innsbruck, Austria. She has actively contributed to several national and European Union projects. Her main research interests include resource management and performance optimization in cloud, fog, and edge comput...

  70. [70]

    His research interests include Distributed Systems, Cyber-Physical Systems (CPS), Internet of Things, Artificial Intelligence, and Wireless networks and communications

    He is currently a postdoctoral researcher at the Distributed and Parallel Systems group of the University of Innsbruck, Austria. His research interests include Distributed Systems, Cyber-Physical Systems (CPS), Internet of Things, Artificial Intelligence, and Wireless networks and communications.

    Thomas Fahringer (Member, IEEE) received the PhD degree ...