Your Neighbors Know: Leveraging Local Neighborhoods for Backdoor Detection in Decentralized Learning

arxiv: 2605.19969 · v1 · pith:GXH7MQ73new · submitted 2026-05-19 · 💻 cs.LG

Your Neighbors Know: Leveraging Local Neighborhoods for Backdoor Detection in Decentralized Learning

Sayan Biswas , Antoine Boutet , Davide Frey , Romaric Gaudel , Rachid Guerraoui , Maxime Jacovella , Anne-Marie Kermarrec , Dimitri Ler\'ev\'erend

show 2 more authors

Fran\c{c}ois Ta\"iani Martijn de Vos

This is my paper

Pith reviewed 2026-05-20 07:30 UTC · model grok-4.3

classification 💻 cs.LG

keywords backdoor detectiondecentralized learningdistributed machine learningmodel poisoningtrigger consistencyneighborhood analysisstructural similarity

0 comments p. Extension

pith:GXH7MQ73 Add to your LaTeX paper

What is a Pith Number?

\usepackage{pith}
\pithnumber{GXH7MQ73}

Prints a linked pith:GXH7MQ73 badge after your title and writes the identifier into PDF metadata. Compiles on arXiv with no extra files. Learn more

The pith

Decentralized learning nodes detect backdoor attacks by sharing potential triggers among neighbors and filtering those with consistent patterns.

A machine-rendered reading of the paper's core claim, the machinery that carries it, and where it could break.

Decentralized learning lets nodes train a shared model together without any central server, but this direct collaboration opens the door to backdoor attacks that leave normal behavior intact while adding secret malicious responses to chosen triggers. The paper describes Argus, a defense in which each node inspects incoming model updates for candidate triggers and passes those candidates to its immediate neighbors. A structural similarity metric then separates real backdoors, which produce matching patterns across nodes, from false alarms that vary because of each node's private data. Updates that fail the test are dropped and nodes that keep sending them are eventually removed from the group. The method includes proofs that this filtering step keeps the overall training convergence rate close to the rate achieved by undefended decentralized learning.

Core claim

Argus is a backdoor detection framework native to decentralized learning in which nodes locally identify candidate triggers, exchange them with neighbors, and apply a structural similarity metric to retain only those triggers that appear consistently, thereby rejecting malicious updates with high probability while preserving convergence guarantees comparable to standard decentralized learning.

What carries the argument

The structural similarity metric applied to triggers shared among neighboring nodes, which separates consistent true backdoor patterns from inconsistent false positives induced by data heterogeneity.

If this is right

The defense requires neither a central coordinator nor advance knowledge of the trigger.
Attack success rates fall by up to 90 percentage points while model utility remains within 5 points of an omniscient oracle.
The defense grows more effective as data heterogeneity across nodes increases.
Persistent malicious nodes are eventually evicted after repeated rejections.

Where Pith is reading between the lines

These are editorial extensions of the paper, not claims the author makes directly.

Neighborhood consistency checks could be applied to detect other poisoning attacks in peer-to-peer training systems.
The approach may require adjustments when node participation changes rapidly or when neighbor sets are small.
Testing against adaptive attackers who try to mimic data heterogeneity would clarify remaining limits.

Load-bearing premise

False positive triggers from data heterogeneity exhibit inconsistencies across participants while true backdoor triggers produce consistent patterns that the similarity metric can reliably separate.

What would settle it

An experiment that injects a backdoor whose trigger is deliberately made to look different to different nodes and then measures whether the similarity scores for the true trigger fall below the detection threshold.

Figures

Figures reproduced from arXiv: 2605.19969 by Anne-Marie Kermarrec, Antoine Boutet, Davide Frey, Dimitri Ler\'ev\'erend, Fran\c{c}ois Ta\"iani, Martijn de Vos, Maxime Jacovella, Rachid Guerraoui, Romaric Gaudel, Sayan Biswas.

**Figure 1.** Figure 1: The average Attack Success Rate (ASR) of the backdoor attack in a 16-node network with one attacker, using the CIFAR-10 dataset in a NIID setting. This is done without compromising the model’s accuracy on normal, clean inputs [7]. In DL, such backdoor triggers are continuously injected and spread across the network through seemingly legitimate model updates [PITH_FULL_IMAGE:figures/full_fig_p002_1.png] view at source ↗

**Figure 2.** Figure 2: The workflow of ARGUS during a single round in DL as executed by an honest node. 2 Background and problem formulation We now introduce the standard DL algorithm and backdoors, and then elaborate on the shortcomings of existing approaches that defend against backdoor attacks in collaborative ML algorithms. Decentralized learning. A set of n nodes collaboratively trains a model fθ to minimize the global risk… view at source ↗

**Figure 3.** Figure 3: Example True Positive (TP) and FP reverse-engineered triggers from CIFAR-10 when the real backdoor trigger is a bottomright 3 × 3 pixel square. since detecting nodes are tracing the same implanted trigger. This is formulated in the insight below: Insight 1 (Structural similarity of recovered triggers). Let τˆa and τˆb be triggers reverse-engineered by two honest nodes given the same update. (TP) If the up… view at source ↗

**Figure 4.** Figure 4: Empirical FP vs. TP trigger similarities on CIFAR-10 (α = 0.5, m = 2 attacker nodes, n = 16 nodes) and calibrated threshold ξ = 0.42. only the image dimensions (H, W), the clipping size k, the SSIM window size w and the model architecture, with no access to the trigger or training data. Motivated by Insight 1, we model FP triggers as independent samples from a Gaussian random field with correlation σ on th… view at source ↗

**Figure 5.** Figure 5: Local detection alone is unsatisfactory. The CA (left, ↑ is better), rejection rate (middle, ↓ is better) and ASR (right, ↓ is better) for CIFAR-10 with m = 2 attackers out of n = 16 nodes, and for varying heterogeneity levels. We consider different baseline settings and report std over 3 seeds. (while showing minimal loss on the easier FEMNIST task). On the attack side, ARGUS reduces ASR to below 7% on CI… view at source ↗

**Figure 6.** Figure 6: The per-neighbor trust state machine maintained by each (honest) node. [PITH_FULL_IMAGE:figures/full_fig_p017_6.png] view at source ↗

**Figure 7.** Figure 7: Empirical FP vs. TP similarities (additional settings). We consider IID (left) and α = 0.25 (right) heterogeneity levels, using the CIFAR-10 dataset [PITH_FULL_IMAGE:figures/full_fig_p019_7.png] view at source ↗

**Figure 8.** Figure 8: Backdoor propagation and persistence in DL. Experiments on CIFAR-10 with a 3- regular network of 16 nodes (α = 0.5) and m = 1 attacker node. Left: Average ASR of honest nodes with varying malicious updates rejection rates, and when rejecting no malicious updates. The solid line indicates the average ASR across all honest nodes whereas the dashed line considers the ASR of nodes that are directly connected t… view at source ↗

**Figure 9.** Figure 9: Various trigger types. We vary their shape, position and size. Actual triggers are colored in gray to be more inconspicuous. nodes can somehow identify and reject 50% or 75% of the malicious updates, the backdoor still propagates and is effective, with the average ASR for all nodes reaching 55% and 34% on average, respectively. Thus, [PITH_FULL_IMAGE:figures/full_fig_p022_9.png] view at source ↗

**Figure 10.** Figure 10: Evolution of the function ψpfp for different values of pfp. We represent the behavior on the eigenvalues (µ2, µn) for a given 3-regular graph with 16 nodes. Thus, we get: max k≥2 ψpfp (µk) = max ψpfp (µ2) , ψpfp (µn) [PITH_FULL_IMAGE:figures/full_fig_p029_10.png] view at source ↗

read the original abstract

Decentralized learning (DL) is an emerging machine learning paradigm where nodes collaboratively train models without a central server. However, the collaborative nature of DL makes it vulnerable to backdoor attacks, where a model is taught to behave normally on standard inputs while executing hidden, malicious actions when encountering data with specific triggers. Backdoor attacks in DL remain understudied and existing defenses often overlook DL constraints. We introduce Argus, a novel backdoor detection framework native to DL that requires neither a central coordinator nor prior knowledge of the trigger. In Argus, honest nodes locally analyze received model updates to identify potential backdoor triggers. Nodes then collectively share their triggers with their neighbors and use a structural similarity metric to separate true backdoors from false alarms induced by data heterogeneity. A key insight is that false positive triggers exhibit inconsistencies across participants while true positive ones show consistent patterns. Model updates that fail this collaborative test are rejected, and persistently malicious senders are eventually evicted. We provide the first theoretical convergence guarantees for a DL-specific backdoor detection mechanism, showing that filtering out suspicious model updates with high probability preserves a convergence rate comparable to standard DL. We implement and evaluate Argus on three standard datasets and against three state-of-the-art baselines. Across settings, Argus reduces attack success rates by up to 90 points compared to no defense, while preserving model utility within 5 percentage points of an omniscient oracle. Furthermore, the effectiveness of Argus compared to baselines improves as data heterogeneity increases.

Editorial analysis

A structured set of objections, weighed in public.

Desk editor's note, referee report, simulated authors' rebuttal, and a circularity audit. Tearing a paper down is the easy half of reading it; the pith above is the substance, this is the friction.

Desk Editor's Note private letter to a colleague

Argus gives decentralized learning its first native backdoor detector that skips central servers and trigger knowledge, backed by convergence guarantees and experiments that improve with heterogeneity.

read the letter

Colleague, Argus claims to be the first backdoor detection system designed from the ground up for decentralized learning. It avoids any central point and does not require knowing the trigger pattern ahead of time. Instead, each node checks updates it receives, shares possible triggers with its direct neighbors, and applies a structural similarity measure to decide which ones are likely real attacks because they look the same everywhere. The work stands out for delivering theoretical convergence results under this filtering process. It shows that rejecting suspicious updates with high probability keeps the overall training converging at a rate similar to the undefended case. The experiments back this up across three datasets and against three baselines, with attack success falling sharply and model accuracy staying close to what an ideal defender would achieve. Notably, the gap to baselines widens as data becomes more heterogeneous, which runs counter to the usual story in this area. The main question is whether the similarity metric can reliably separate the cases when data distributions vary strongly. The approach assumes that genuine backdoors produce consistent trigger patterns across nodes while false alarms do not. If local data changes how the trigger activates in the model update, a real attack could appear inconsistent and get missed. The paper states that performance improves with heterogeneity, so the analysis must limit how much the trigger representation can differ. Checking the precise invariance properties of the metric and the conditions in the proof would clarify if this holds. This paper is aimed at the decentralized and federated learning community focused on robustness. It brings together a practical mechanism with formal guarantees, so it merits a serious referee who can verify the proof details and experimental controls. I would send it to peer review.

Referee Report

1 major / 1 minor

Summary. The paper introduces Argus, a backdoor detection framework for decentralized learning. Nodes locally analyze received model updates for potential triggers, share candidate triggers with neighbors, and apply a structural similarity metric to retain only consistent (true positive) triggers while discarding inconsistent ones induced by data heterogeneity. Malicious updates are rejected and persistent attackers evicted. The work supplies the first theoretical convergence guarantees for a DL-native backdoor filter, showing that high-probability rejection of suspicious updates preserves a convergence rate comparable to undefended DL. Empirical evaluation on three datasets against three baselines reports attack-success-rate reductions of up to 90 points with utility loss bounded within 5 points of an omniscient oracle, with relative gains increasing under higher heterogeneity.

Significance. If the theoretical guarantees hold under the stated assumptions and the empirical controls are sound, the contribution is substantial: it supplies the first provably convergent defense that is native to the decentralized setting and requires neither a central coordinator nor trigger knowledge. The counter-intuitive claim that detection improves with heterogeneity, if rigorously supported, would be a notable insight for heterogeneous DL deployments.

major comments (1)

[Theoretical guarantees] Theoretical guarantees section: the high-probability filtering premise used to establish convergence rests on the claim that the structural similarity metric reliably separates consistent true-positive triggers from inconsistent false positives. The manuscript must supply explicit conditions or invariance properties on how data heterogeneity affects trigger encoding in local updates; without such bounds the premise can fail when heterogeneity alters trigger representations, producing false negatives that invalidate the stated convergence rate.

minor comments (1)

[Abstract] Abstract: the three datasets and three baselines are not named; explicit identification would aid readers.

Simulated Author's Rebuttal

1 responses · 0 unresolved

We thank the referee for their constructive and detailed review of our manuscript. We address the major comment on the theoretical guarantees below and have revised the manuscript to incorporate additional formal conditions.

read point-by-point responses

Referee: [Theoretical guarantees] Theoretical guarantees section: the high-probability filtering premise used to establish convergence rests on the claim that the structural similarity metric reliably separates consistent true-positive triggers from inconsistent false positives. The manuscript must supply explicit conditions or invariance properties on how data heterogeneity affects trigger encoding in local updates; without such bounds the premise can fail when heterogeneity alters trigger representations, producing false negatives that invalidate the stated convergence rate.

Authors: We agree that the original presentation of the high-probability filtering argument would benefit from explicit conditions linking data heterogeneity to trigger encoding. In the revised manuscript we have added Assumption 3.2, which bounds the total variation distance between any pair of local data distributions by a constant H. Under this assumption we prove (new Lemma 3.4) that the structural similarity metric applied to candidate triggers is invariant to heterogeneity-induced shifts for true-positive triggers while remaining sensitive to inconsistency for false positives. The lemma yields an explicit lower bound of 1 - exp(-k) on the probability of correct separation, where k denotes the number of neighbors. This bound is then substituted into the existing convergence theorem, producing a convergence rate identical to the undefended case up to an additive term linear in H. The full proof appears in the new Appendix C. We believe these additions directly resolve the concern while preserving the paper's core claims. revision: yes

Circularity Check

0 steps flagged

Derivation is self-contained with no circular reductions

full rationale

The paper introduces Argus as a novel framework for backdoor detection in decentralized learning. It relies on local analysis of model updates and a structural similarity metric to distinguish true backdoors (consistent patterns) from false positives (inconsistencies due to heterogeneity). Theoretical convergence guarantees are provided, claimed as the first for DL-specific mechanisms. The abstract and description do not show any step where a prediction or result is equivalent to its inputs by construction, nor load-bearing self-citations that reduce the central claim. The method is presented as independent, with effectiveness improving under heterogeneity, suggesting the core logic is not circular.

Axiom & Free-Parameter Ledger

0 free parameters · 1 axioms · 0 invented entities

Detection logic rests on the domain assumption that real backdoors produce cross-node consistency while heterogeneity-induced false positives do not; no new physical entities or free parameters are explicitly introduced in the abstract.

axioms (1)

domain assumption True backdoor triggers produce consistent patterns across honest nodes despite data heterogeneity.
This consistency assumption is the basis for using structural similarity to filter updates and is invoked in the description of the collaborative test.

pith-pipeline@v0.9.0 · 5847 in / 1243 out tokens · 57108 ms · 2026-05-20T07:30:16.752688+00:00 · methodology

discussion (0)

Lean theorems connected to this paper

Citations machine-checked in the Pith Canon. Every link opens the source theorem in the public Lean library.

IndisputableMonolith/Foundation/AbsoluteFloorClosure.lean absolute_floor_iff_bare_distinguishability echoes

?

echoes
ECHOES: this paper passage has the same mathematical shape or conceptual pattern as the Recognition theorem, but is not a direct formal dependency.

Nodes then collectively share their triggers with their neighbors and use a structural similarity metric to separate true backdoors from false alarms induced by data heterogeneity. A key insight is that false positive triggers exhibit inconsistencies across participants while true positive ones show consistent patterns.

What do these tags mean?

matches: The paper's claim is directly supported by a theorem in the formal canon.
supports: The theorem supports part of the paper's argument, but the paper may add assumptions or extra steps.
extends: The paper goes beyond the formal theorem; the theorem is a base layer rather than the whole result.
uses: The paper appears to rely on the theorem as machinery.
contradicts: The paper's claim conflicts with a theorem or certificate in the canon.
unclear: Pith found a possible connection, but the passage is too broad, indirect, or ambiguous to say the theorem truly supports the claim.

Reference graph

Works this paper leans on

65 extracted references · 65 canonical work pages · 2 internal anchors

[1]

Xiangru Lian, Ce Zhang, Huan Zhang, Cho-Jui Hsieh, Wei Zhang, and Ji Liu. Can de- centralized algorithms outperform centralized algorithms? a case study for decentralized parallel stochastic gradient descent.Advances in Neural Information Processing Systems, 30, 2017. URL https://proceedings.neurips.cc/paper_files/paper/2017/file/ f75526659f31040afeb61cb7...

work page 2017
[2]

Decentralized federated learning: Fundamentals, state of the art, frameworks, trends, and challenges.IEEE Communications Surveys & Tutorials, 25(4):2983–3013, 2023

Enrique Tomás Martínez Beltrán, Mario Quiles Pérez, Pedro Miguel Sánchez Sánchez, Ser- gio López Bernal, Gérôme Bovet, Manuel Gil Pérez, Gregorio Martínez Pérez, and Alberto Huer- tas Celdrán. Decentralized federated learning: Fundamentals, state of the art, frameworks, trends, and challenges.IEEE Communications Surveys & Tutorials, 25(4):2983–3013, 2023

work page 2023
[3]

Epidemic Learning: Boosting Decentralized Learning with Randomized Communication.Advances in Neural Information Processing Systems, 36:36132–36164, De- cember 2023

Martijn De V os, Sadegh Farhadkhani, Rachid Guerraoui, Anne-marie Kermarrec, Rafael Pires, and Rishi Sharma. Epidemic Learning: Boosting Decentralized Learning with Randomized Communication.Advances in Neural Information Processing Systems, 36:36132–36164, De- cember 2023

work page 2023
[4]

Decentralized learning in healthcare: a review of emerging techniques.IEEE Access, 11:54188–54209, 2023

Chamani Shiranthika, Parvaneh Saeedi, and Ivan V Baji´c. Decentralized learning in healthcare: a review of emerging techniques.IEEE Access, 11:54188–54209, 2023

work page 2023
[5]

Systematizing decentralization and privacy: Lessons from 15 years of research and deployments.Proceedings on Privacy Enhancing Technologies, 2017(4):404–426, October 2017

Carmela Troncoso, Marios Isaakidis, George Danezis, and Harry Halpin. Systematizing decentralization and privacy: Lessons from 15 years of research and deployments.Proceedings on Privacy Enhancing Technologies, 2017(4):404–426, October 2017. ISSN 2299-0984. doi: 10.1515/popets-2017-0056. URLhttp://dx.doi.org/10.1515/popets-2017-0056

work page doi:10.1515/popets-2017-0056 2017
[6]

Cheng Fang, Zhixiong Yang, and Waheed U. Bajwa. Bridge: Byzantine-resilient decentralized gradient descent.IEEE Transactions on Signal and Information Processing over Networks, 8: 610–626, 2022. doi: 10.1109/TSIPN.2022.3188456

work page doi:10.1109/tsipn.2022.3188456 2022
[7]

Badnets: Evaluating backdooring attacks on deep neural networks.IEEE Access, 7:47230–47244, 2019

Tianyu Gu, Kang Liu, Brendan Dolan-Gavitt, and Siddharth Garg. Badnets: Evaluating backdooring attacks on deep neural networks.IEEE Access, 7:47230–47244, 2019. doi: 10.1109/ACCESS.2019.2909068

work page doi:10.1109/access.2019.2909068 2019
[8]

Backdoor attacks and defenses in federated learning: State-of-the-art, taxonomy, and future directions.IEEE Wireless Communi- cations, 30(2):114–121, 2022

Xueluan Gong, Yanjiao Chen, Qian Wang, and Weihan Kong. Backdoor attacks and defenses in federated learning: State-of-the-art, taxonomy, and future directions.IEEE Wireless Communi- cations, 30(2):114–121, 2022

work page 2022
[9]

Backdoor attacks and defense mechanisms in federated learning: A survey.Information Fusion, 123:103248, 2025

Zhaozheng Li, Jiahe Lan, Zheng Yan, and Erol Gelenbe. Backdoor attacks and defense mechanisms in federated learning: A survey.Information Fusion, 123:103248, 2025

work page 2025
[10]

Back- door attacks in peer-to-peer federated learning.ACM Trans

Georgios Syros, Gokberk Yar, Simona Boboila, Cristina Nita-Rotaru, and Alina Oprea. Back- door attacks in peer-to-peer federated learning.ACM Trans. Priv. Secur., 28(1), December 2024. ISSN 2471-2566. doi: 10.1145/3691633. URLhttps://doi.org/10.1145/3691633

work page doi:10.1145/3691633 2024
[11]

Can decen- tralized algorithms outperform centralized algorithms? a case study for decentralized parallel stochastic gradient descent

Xiangru Lian, Ce Zhang, Huan Zhang, Cho-Jui Hsieh, Wei Zhang, and Ji Liu. Can decen- tralized algorithms outperform centralized algorithms? a case study for decentralized parallel stochastic gradient descent. In I. Guyon, U. V on Luxburg, S. Bengio, H. Wallach, R. Fergus, S. Vishwanathan, and R. Garnett, editors,Advances in Neural Information Processing S...

work page 2017
[12]

How to backdoor federated learning

Eugene Bagdasaryan, Andreas Veit, Yiqing Hua, Deborah Estrin, and Vitaly Shmatikov. How to backdoor federated learning. In Silvia Chiappa and Roberto Calandra, editors,Proceedings of the Twenty Third International Conference on Artificial Intelligence and Statistics, volume 108 ofProceedings of Machine Learning Research, pages 2938–2948. PMLR, 26–28 Aug 2...

work page 2020
[13]

Bolun Wang, Yuanshun Yao, Shawn Shan, Huiying Li, Bimal Viswanath, Haitao Zheng, and Ben Y . Zhao. Neural cleanse: Identifying and mitigating backdoor attacks in neural networks. In2019 IEEE Symposium on Security and Privacy (SP), pages 707–723, 2019. doi: 10.1109/SP.2019.00031. URLhttps://ieeexplore.ieee.org/document/8835365

work page doi:10.1109/sp.2019.00031 2019
[14]

CRFL: certifiably robust federated learning against backdoor attacks

Chulin Xie, Minghao Chen, Pin-Yu Chen, and Bo Li. CRFL: certifiably robust federated learning against backdoor attacks. In Marina Meila and Tong Zhang, editors,Proceedings of the 38th International Conference on Machine Learning, ICML 2021, 18-24 July 2021, Virtual Event, Proceedings of Machine Learning Research, pages 11372–11382. PMLR, 2021. URL http://...

work page 2021
[15]

Data free backdoor attacks

Bochuan Cao, Jinyuan Jia, Chuxuan Hu, Wenbo Guo, Zhen Xiang, Jinghui Chen, Bo Li, and Dawn Song. Data free backdoor attacks. In A. Globerson, L. Mackey, D. Belgrave, A. Fan, U. Paquet, J. Tomczak, and C. Zhang, editors,Advances in Neural Information Processing Systems, volume 37, pages 23881–23911. Curran Associates, Inc., 2024. doi: 10.52202/079017-0753....

work page doi:10.52202/079017-0753 2024
[16]

Machine learning with adversaries: Byzantine tolerant gradient descent

Peva Blanchard, El Mahdi El Mhamdi, Rachid Guerraoui, and Julien Stainer. Machine learning with adversaries: Byzantine tolerant gradient descent. In I. Guyon, U. V on Luxburg, S. Bengio, H. Wallach, R. Fergus, S. Vishwanathan, and R. Garnett, edi- tors,Advances in Neural Information Processing Systems, volume 30. Curran Associates, Inc., 2017. URL https:/...

work page 2017
[17]

Bartlett

Dong Yin, Yudong Chen, Kannan Ramchandran, and Peter L. Bartlett. Byzantine-robust distributed learning: Towards optimal statistical rates. InInternational Conference on Machine Learning, 2018

work page 2018
[18]

FLAME: Taming Backdoors in Federated Learning

Thien Duc Nguyen, Phillip Rieger, Huili Chen, Hossein Yalame, Helen Möllering, Hossein Fereidooni, Samuel Marchal, Markus Miettinen, Azalia Mirhoseini, Shaza Zeitouni, Farinaz Koushanfar, Ahmad-Reza Sadeghi, and Thomas Schneider. FLAME: Taming Backdoors in Federated Learning. In31st USENIX Security Symposium (USENIX Security 22), pages 1415–1432, 2022. IS...

work page 2022
[19]

Deepsight: Mitigating backdoor attacks in federated learning through deep model inspection

Phillip Rieger, Thien Duc Nguyen, Markus Miettinen, and Ahmad-Reza Sadeghi. Deepsight: Mitigating backdoor attacks in federated learning through deep model inspection. In29th Annual Network and Distributed System Security Symposium, NDSS 2022, San Diego, California, USA, April 24-28, 2022. The Internet Society, 2022. URL https://www.ndss-symposium.org/ nd...

work page 2022
[20]

2023 International Joint Conference on Neural Networks (IJCNN) , year =

Thuy Dung Nguyen, Anh Duy Nguyen, Thanh-Hung Nguyen, Kok-Seng Wong, Huy Hieu Pham, Truong Thao Nguyen, and Phi Le Nguyen. Fedgrad: Mitigating backdoor attacks in federated learning through local ultimate gradients inspection. In2023 International Joint Conference on Neural Networks (IJCNN), pages 01–10, 2023. doi: 10.1109/IJCNN54540.2023.10191655

work page doi:10.1109/ijcnn54540.2023.10191655 2023
[21]

Mitigating backdoors in federated learning with fld.2024 5th International Seminar on Artificial Intelligence, Networking and In- formation Technology (AINIT), pages 530–535, 2023

Yihang Lin, Pengyuan Zhou, Zhiqian Wu, and Yong Liao. Mitigating backdoors in federated learning with fld.2024 5th International Seminar on Artificial Intelligence, Networking and In- formation Technology (AINIT), pages 530–535, 2023. URLhttps://api.semanticscholar. org/CorpusID:257255592

work page 2024
[22]

Pa- rameter disparities dissection for backdoor defense in heterogeneous federated learn- ing

Wenke Huang, Mang Ye, Zekun Shi, Guancheng Wan, He Li, and Bo Du. Pa- rameter disparities dissection for backdoor defense in heterogeneous federated learn- ing. In A. Globerson, L. Mackey, D. Belgrave, A. Fan, U. Paquet, J. Tom- czak, and C. Zhang, editors,Advances in Neural Information Processing Systems, volume 37, pages 120951–120973. Curran Associates...

work page 2024
[23]

BoBa: Boosting Backdoor Detection through Data Distribution Inference in Federated Learning

Ning Wang, Shanghao Shi, Yang Xiao, Yimin Chen, Y . Thomas Hou, and Wenjing Lou. Boba: Boosting backdoor detection through data distribution inference in federated learning.CoRR, abs/2407.09658, 2024. doi: 10.48550/ARXIV .2407.09658. URL https://doi.org/10. 48550/arXiv.2407.09658

work page internal anchor Pith review Pith/arXiv arXiv doi:10.48550/arxiv 2024
[24]

Feddlad: A federated learning dual- layer anomaly detection framework for enhancing resilience against backdoor attacks

Binbin Ding, Penghui Yang, and Sheng-Jun Huang. Feddlad: A federated learning dual- layer anomaly detection framework for enhancing resilience against backdoor attacks. In Proceedings of the Thirty-Fourth International Joint Conference on Artificial Intelligence, IJCAI 2025, Montreal, Canada, August 16-22, 2025, pages 5021–5029. ijcai.org, 2025. doi: 10.2...

work page doi:10.24963/ijcai.2025/559 2025
[25]

A multi-granularity clustering approach for federated backdoor defense with the adam optimizer

Jidong Yuan, Qihang Zhang, Naiyue Chen, Shengbo Chen, and Baomin Xu. A multi-granularity clustering approach for federated backdoor defense with the adam optimizer. InInternational Joint Conference on Artificial Intelligence, 2025

work page 2025
[26]

Detecting backdoor attacks in federated learning via direction alignment inspection

Jiahao Xu, Zikai Zhang, and Rui Hu. Detecting backdoor attacks in federated learning via direction alignment inspection. InProceedings of the IEEE/CVF Conference on Computer Vision and Pattern Recognition (CVPR), pages 20654–20664, June 2025

work page 2025
[27]

Lockdown: Backdoor defense for federated learning with isolated subspace training

Tiansheng Huang, Sihao Hu, Ka-Ho Chow, Fatih Ilhan, Selim Furkan Tekin, and Ling Liu. Lockdown: Backdoor defense for federated learning with isolated subspace training. In Thirty-seventh Conference on Neural Information Processing Systems, 2023. URL https: //openreview.net/forum?id=V5cQH7JbGo

work page 2023
[28]

Baffle: Backdoor detection via feedback-based federated learning

Sebastien Andreina, Giorgia Azzurra Marson, Helen Möllering, and Ghassan Karame. Baffle: Backdoor detection via feedback-based federated learning. In2021 IEEE 41st International Conference on Distributed Computing Systems (ICDCS), pages 852–863, 2021. doi: 10.1109/ ICDCS51616.2021.00086

work page arXiv 2021
[29]

Fedgame: A game-theoretic defense against backdoor attacks in federated learning

Jinyuan Jia, Zhuowen Yuan, Dinuka Sahabandu, Luyao Niu, Arezoo Rajabi, Bhaskar Ra- masubramanian, Bo Li, and Radha Poovendran. Fedgame: A game-theoretic defense against backdoor attacks in federated learning. In A. Oh, T. Naumann, A. Glober- son, K. Saenko, M. Hardt, and S. Levine, editors,Advances in Neural Informa- tion Processing Systems, volume 36, pa...

work page
[30]

URL https://proceedings.neurips.cc/paper_files/paper/2023/file/ a6678e2be4ce7aef9d2192e03cd586b7-Paper-Conference.pdf

work page 2023
[31]

BackdoorIndicator: Leveraging OOD Data for Proactive Backdoor Detection in Federated Learning

Songze Li and Yanbo Dai. BackdoorIndicator: Leveraging OOD Data for Proactive Backdoor Detection in Federated Learning. In33rd USENIX Security Symposium (USENIX Security 24), pages 4193–4210, 2024. ISBN 978-1-939133-44-1

work page 2024
[32]

Crowdguard: Federated backdoor detection in federated learning

Phillip Rieger, Torsten Krauß, Markus Miettinen, Alexandra Dmitrienko, and Ahmad-Reza Sadeghi. Crowdguard: Federated backdoor detection in federated learning. In31st Annual Network and Distributed System Security Symposium, NDSS 2024, San Diego, California, USA, February 26 - March 1, 2024. The In- ternet Society, 2024. URL https://www.ndss-symposium.org/...

work page 2024
[33]

HoneyFL: Using Honeypots to Catch Backdoors in Federated Learning.IET Image Processing, 19(1):e70201, 2025

Haibin Zheng, Wenjie Shen, and Jinyin Chen. HoneyFL: Using Honeypots to Catch Backdoors in Federated Learning.IET Image Processing, 19(1):e70201, 2025. ISSN 1751-9667. doi: 10.1049/ipr2.70201

work page doi:10.1049/ipr2.70201 2025
[34]

DeTrigger: A Gradient-Centric Approach to Backdoor Attack Mitigation in Federated Learning

Kichang Lee, Yujin Shin, Jonghyuk Yun, Songkuk Kim, Jun Han, and JeongGil Ko. Detrigger: A gradient-centric approach to backdoor attack mitigation in federated learning, 2025. URL https://arxiv.org/abs/2411.12220

work page internal anchor Pith review Pith/arXiv arXiv 2025
[35]

El Mahdi El-Mhamdi, Sadegh Farhadkhani, Rachid Guerraoui, Arsany Guirguis, Lê-Nguyên Hoang, and Sébastien Rouault. Collaborative learning in the jungle (decentralized, byzan- tine, heterogeneous, asynchronous and nonconvex learning).Advances in neural information processing systems, 34:25044–25057, 2021. 12

work page 2021
[36]

Muffliato: Peer-to- peer privacy amplification for decentralized optimization and averaging.Advances in Neural Information Processing Systems, 35:15889–15902, 2022

Edwige Cyffers, Mathieu Even, Aurélien Bellet, and Laurent Massoulié. Muffliato: Peer-to- peer privacy amplification for decentralized optimization and averaging.Advances in Neural Information Processing Systems, 35:15889–15902, 2022

work page 2022
[37]

Noiseless privacy-preserving decentralized learning.Proceedings on Privacy Enhancing Technologies, 2025

Sayan Biswas, Mathieu Even, Anne-Marie Kermarrec, Laurent Massoulié, Rafael Pires, Rishi Sharma, and Martijn de V os. Noiseless privacy-preserving decentralized learning.Proceedings on Privacy Enhancing Technologies, 2025

work page 2025
[38]

Low-cost privacy-preserving decentralized learning.Proceedings on Privacy Enhancing Technologies, 2025

Sayan Biswas, Davide Frey, Romaric Gaudel, Anne-Marie Kermarrec, Dimitri Lerévérend, Rafael Pires, Rishi Sharma, and François Taïani. Low-cost privacy-preserving decentralized learning.Proceedings on Privacy Enhancing Technologies, 2025

work page 2025
[39]

Badfl: Mit- igating model poisoning in decentralized federated learning.IEEE Transactions on Computers, 74:3968–3979, 2025

Yuan Yuan, Anhao Zhou, Xiao Zhang, Yifei Zou, Yangguang Shi, and Dongxiao Yu. Badfl: Mit- igating model poisoning in decentralized federated learning.IEEE Transactions on Computers, 74:3968–3979, 2025. URLhttps://api.semanticscholar.org/CorpusID:281078519

work page 2025
[40]

FL- WBC: Enhancing robustness against model poisoning attacks in federated learning from a client perspective

Jingwei Sun, Ang Li, Louis DiValentin, Amin Hassanzadeh, Yiran Chen, and Hai Li. FL- WBC: Enhancing robustness against model poisoning attacks in federated learning from a client perspective. In A. Beygelzimer, Y . Dauphin, P. Liang, and J. Wortman Vaughan, editors, Advances in Neural Information Processing Systems, 2021. URL https://openreview.net/ forum...

work page 2021
[41]

A discrete- time multi-hop consensus protocol for decentralized federated learning.IEEE Access, 11: 80613–80623, 2023

Danilo Menegatti, Alessandro Giuseppi, Sabato Manfredi, and Antonio Pietrabissa. A discrete- time multi-hop consensus protocol for decentralized federated learning.IEEE Access, 11: 80613–80623, 2023. doi: 10.1109/ACCESS.2023.3299443

work page doi:10.1109/access.2023.3299443 2023
[42]

Secure aggregation meets sparsification in decentralized learning.arXiv preprint arXiv:2405.07708, 2024

Sayan Biswas, Anne-Marie Kermarrec, Rafael Pires, Rishi Sharma, and Milos Vujasi- novic. Secure aggregation meets sparsification in decentralized learning.arXiv preprint arXiv:2405.07708, 2024

work page arXiv 2024
[43]

Decentralized federated learning with energy harvesting devices.IEEE Transactions on Wireless Communications, 25:15392–15407, 2026

Kai Zhang, Xuanyu Cao, and Khaled B Letaief. Decentralized federated learning with energy harvesting devices.IEEE Transactions on Wireless Communications, 25:15392–15407, 2026

work page 2026
[44]

Bovik, H.R

Zhou Wang, A.C. Bovik, H.R. Sheikh, and E.P. Simoncelli. Image quality assessment: from error visibility to structural similarity.IEEE Transactions on Image Processing, 13(4):600–612,

work page
[45]

Bovik, Hamid R

doi: 10.1109/TIP.2003.819861. URL https://ieeexplore.ieee.org/document/ 1284395

work page doi:10.1109/tip.2003.819861 2003
[46]

Larsson and Nicolò Michelusi

Erik G. Larsson and Nicolò Michelusi. Unified Analysis of Decentralized Gradient Descent: A Contraction Mapping Framework.IEEE Open Journal of Signal Processing, 6:507–529, 2025. ISSN 2644-1322. doi: 10.1109/OJSP.2025.3557332

work page doi:10.1109/ojsp.2025.3557332 2025
[47]

A Unified Theory of Decentralized SGD with Changing Topology and Local Updates

Anastasia Koloskova, Nicolas Loizou, Sadra Boreiri, Martin Jaggi, and Sebastian Stich. A Unified Theory of Decentralized SGD with Changing Topology and Local Updates. InPro- ceedings of the 37th International Conference on Machine Learning, pages 5381–5393. PMLR, November 2020

work page 2020
[48]

Learning multiple layers of features from tiny images.University of Toronto, 05 2012

Alex Krizhevsky. Learning multiple layers of features from tiny images.University of Toronto, 05 2012

work page 2012
[49]

Deep residual learning for image recognition

Kaiming He, Xiangyu Zhang, Shaoqing Ren, and Jian Sun. Deep residual learning for image recognition. In2016 IEEE Conference on Computer Vision and Pattern Recognition (CVPR), pages 770–778, 2016. doi: 10.1109/CVPR.2016.90

work page doi:10.1109/cvpr.2016.90 2016
[50]

Brendan McMahan, Virginia Smith, and Ameet Talwalkar

Sebastian Caldas, Sai Meher Karthik Duddu, Peter Wu, Tian Li, Jakub Koneˇcný, H. Brendan McMahan, Virginia Smith, and Ameet Talwalkar. Leaf: A benchmark for federated settings,

work page
[51]

URLhttps://arxiv.org/abs/1812.01097

work page arXiv
[52]

Lecun, L

Y . Lecun, L. Bottou, Y . Bengio, and P. Haffner. Gradient-based learning applied to document recognition.Proceedings of the IEEE, 86(11):2278–2324, 1998. doi: 10.1109/5.726791

work page doi:10.1109/5.726791 1998
[53]

Ya Le and Xuan S. Yang. Tiny imagenet visual recognition challenge, 2015. URL http: //vision.stanford.edu/teaching/cs231n/reports/2015/pdfs/yle_project.pdf. 13

work page 2015
[54]

Global update tracking: A decentralized learning algorithm for heterogeneous data

Sai Aparna Aketi, Abolfazl Hashemi, and Kaushik Roy. Global update tracking: A decentralized learning algorithm for heterogeneous data. In A. Oh, T. Naumann, A. Globerson, K. Saenko, M. Hardt, and S. Levine, editors,Advances in Neural Information Processing Systems, volume 36, pages 48939–48961. Curran Associates, Inc., 2023. URL https://proceedings.neuri...

work page 2023
[55]

Averaging rate scheduler for decen- tralized learning on heterogeneous data

Sai Aparna Aketi, Sakshi Choudhary, and Kaushik Roy. Averaging rate scheduler for decen- tralized learning on heterogeneous data. InThe Second Tiny Papers Track at ICLR 2024, 2024. URLhttps://openreview.net/forum?id=w9ZzNmWmjA

work page 2024
[56]

Toward cleansing backdoored neural networks in federated learning

Chen Wu, Xian Yang, Sencun Zhu, and Prasenjit Mitra. Toward cleansing backdoored neural networks in federated learning. In2022 IEEE 42nd International Conference on Distributed Computing Systems (ICDCS), pages 820–830, 2022. doi: 10.1109/ICDCS54860.2022.00084

work page doi:10.1109/icdcs54860.2022.00084 2022
[57]

Unlearning backdoor attacks in federated learning

Chen Wu, Sencun Zhu, Prasenjit Mitra, and Wei Wang. Unlearning backdoor attacks in federated learning. In2024 IEEE Conference on Communications and Network Security (CNS), pages 1–9, 2024. doi: 10.1109/CNS62487.2024.10735680

work page doi:10.1109/cns62487.2024.10735680 2024
[58]

Does differential privacy defeat data poisoning? In ICLR 2021 Workshop on Distributed and Private Machine Learning (DPML), 2021

Matthew Jagielski and Alina Oprea. Does differential privacy defeat data poisoning? In ICLR 2021 Workshop on Distributed and Private Machine Learning (DPML), 2021. URL https://dp-ml.github.io/2021-workshop-ICLR/files/23.pdf. Workshop paper

work page 2021
[59]

Robust anomaly detection and backdoor attack detection via differential privacy

Min Du, Ruoxi Jia, and Dawn Song. Robust anomaly detection and backdoor attack detection via differential privacy. InInternational Conference on Learning Representations, 2020. URL https://openreview.net/forum?id=SJx0q1rtvS

work page 2020
[60]

Decentralized learning made easy with decentralizepy

Akash Dhasade, Anne-Marie Kermarrec, Rafael Pires, Rishi Sharma, and Milos Vujasinovic. Decentralized learning made easy with decentralizepy. InProceedings of the 3rd Workshop on Machine Learning and Systems, EuroMLSys ’23, page 34–41. ACM, May 2023. doi: 10.1145/3578356.3592587. URLhttp://dx.doi.org/10.1145/3578356.3592587

work page doi:10.1145/3578356.3592587 2023
[61]

S. Boyd, A. Ghosh, B. Prabhakar, and D. Shah. Randomized gossip algorithms.IEEE Transactions on Information Theory, 52(6):2508–2530, June 2006. ISSN 1557-9654. doi: 10.1109/TIT.2006.874516. 14 A Symbol table We provide a table summarizing all the symbols used throughout this work in Table 2. Table 2: List of symbols used in this work. Symbol Description S...

work page doi:10.1109/tit.2006.874516 2006
[62]

,M following Equation (1)

Sample M independent pairs of null triggers (τ (m) a ,τ (m) b ) for m= 1,. . .,M following Equation (1)

work page
[63]

For each pair, apply top-k clipping and compute sim(τ (m) a ,τ (m) b ) with window size w (also see Section 3.2.2)

work page
[64]

1 K 2 j # + X i∈N(j) E δt i,j K 2 i . By d-regularity and exchangeability across neighbors (symmetry), we have that for any fixed ℓ∈ N(j): X i∈N(j) E δt i,j K 2 i =dE

Setξat the desired quantileqof the resulting similarity distribution. We use M= 10 000 and q= 0.99 for our experiments. This is a one-time, offline, pre-run computation that doesnotdepend on any training data or the model weights, and runs in a few seconds on a single CPU. D.3 Calibration across datasets The clipping parameterkand window sizeware set cons...

work page
[65]

Guidelines: • The answer [N/A] means that the paper does not involve crowdsourcing nor research with human subjects

Institutional review board (IRB) approvals or equivalent for research with human subjects Question: Does the paper describe potential risks incurred by study participants, whether such risks were disclosed to the subjects, and whether Institutional Review Board (IRB) approvals (or an equivalent approval/review based on the requirements of your country or ...

work page

[1] [1]

Xiangru Lian, Ce Zhang, Huan Zhang, Cho-Jui Hsieh, Wei Zhang, and Ji Liu. Can de- centralized algorithms outperform centralized algorithms? a case study for decentralized parallel stochastic gradient descent.Advances in Neural Information Processing Systems, 30, 2017. URL https://proceedings.neurips.cc/paper_files/paper/2017/file/ f75526659f31040afeb61cb7...

work page 2017

[2] [2]

Decentralized federated learning: Fundamentals, state of the art, frameworks, trends, and challenges.IEEE Communications Surveys & Tutorials, 25(4):2983–3013, 2023

Enrique Tomás Martínez Beltrán, Mario Quiles Pérez, Pedro Miguel Sánchez Sánchez, Ser- gio López Bernal, Gérôme Bovet, Manuel Gil Pérez, Gregorio Martínez Pérez, and Alberto Huer- tas Celdrán. Decentralized federated learning: Fundamentals, state of the art, frameworks, trends, and challenges.IEEE Communications Surveys & Tutorials, 25(4):2983–3013, 2023

work page 2023

[3] [3]

Epidemic Learning: Boosting Decentralized Learning with Randomized Communication.Advances in Neural Information Processing Systems, 36:36132–36164, De- cember 2023

Martijn De V os, Sadegh Farhadkhani, Rachid Guerraoui, Anne-marie Kermarrec, Rafael Pires, and Rishi Sharma. Epidemic Learning: Boosting Decentralized Learning with Randomized Communication.Advances in Neural Information Processing Systems, 36:36132–36164, De- cember 2023

work page 2023

[4] [4]

Decentralized learning in healthcare: a review of emerging techniques.IEEE Access, 11:54188–54209, 2023

Chamani Shiranthika, Parvaneh Saeedi, and Ivan V Baji´c. Decentralized learning in healthcare: a review of emerging techniques.IEEE Access, 11:54188–54209, 2023

work page 2023

[5] [5]

Systematizing decentralization and privacy: Lessons from 15 years of research and deployments.Proceedings on Privacy Enhancing Technologies, 2017(4):404–426, October 2017

Carmela Troncoso, Marios Isaakidis, George Danezis, and Harry Halpin. Systematizing decentralization and privacy: Lessons from 15 years of research and deployments.Proceedings on Privacy Enhancing Technologies, 2017(4):404–426, October 2017. ISSN 2299-0984. doi: 10.1515/popets-2017-0056. URLhttp://dx.doi.org/10.1515/popets-2017-0056

work page doi:10.1515/popets-2017-0056 2017

[6] [6]

Cheng Fang, Zhixiong Yang, and Waheed U. Bajwa. Bridge: Byzantine-resilient decentralized gradient descent.IEEE Transactions on Signal and Information Processing over Networks, 8: 610–626, 2022. doi: 10.1109/TSIPN.2022.3188456

work page doi:10.1109/tsipn.2022.3188456 2022

[7] [7]

Badnets: Evaluating backdooring attacks on deep neural networks.IEEE Access, 7:47230–47244, 2019

Tianyu Gu, Kang Liu, Brendan Dolan-Gavitt, and Siddharth Garg. Badnets: Evaluating backdooring attacks on deep neural networks.IEEE Access, 7:47230–47244, 2019. doi: 10.1109/ACCESS.2019.2909068

work page doi:10.1109/access.2019.2909068 2019

[8] [8]

Backdoor attacks and defenses in federated learning: State-of-the-art, taxonomy, and future directions.IEEE Wireless Communi- cations, 30(2):114–121, 2022

Xueluan Gong, Yanjiao Chen, Qian Wang, and Weihan Kong. Backdoor attacks and defenses in federated learning: State-of-the-art, taxonomy, and future directions.IEEE Wireless Communi- cations, 30(2):114–121, 2022

work page 2022

[9] [9]

Backdoor attacks and defense mechanisms in federated learning: A survey.Information Fusion, 123:103248, 2025

Zhaozheng Li, Jiahe Lan, Zheng Yan, and Erol Gelenbe. Backdoor attacks and defense mechanisms in federated learning: A survey.Information Fusion, 123:103248, 2025

work page 2025

[10] [10]

Back- door attacks in peer-to-peer federated learning.ACM Trans

Georgios Syros, Gokberk Yar, Simona Boboila, Cristina Nita-Rotaru, and Alina Oprea. Back- door attacks in peer-to-peer federated learning.ACM Trans. Priv. Secur., 28(1), December 2024. ISSN 2471-2566. doi: 10.1145/3691633. URLhttps://doi.org/10.1145/3691633

work page doi:10.1145/3691633 2024

[11] [11]

Can decen- tralized algorithms outperform centralized algorithms? a case study for decentralized parallel stochastic gradient descent

Xiangru Lian, Ce Zhang, Huan Zhang, Cho-Jui Hsieh, Wei Zhang, and Ji Liu. Can decen- tralized algorithms outperform centralized algorithms? a case study for decentralized parallel stochastic gradient descent. In I. Guyon, U. V on Luxburg, S. Bengio, H. Wallach, R. Fergus, S. Vishwanathan, and R. Garnett, editors,Advances in Neural Information Processing S...

work page 2017

[12] [12]

How to backdoor federated learning

Eugene Bagdasaryan, Andreas Veit, Yiqing Hua, Deborah Estrin, and Vitaly Shmatikov. How to backdoor federated learning. In Silvia Chiappa and Roberto Calandra, editors,Proceedings of the Twenty Third International Conference on Artificial Intelligence and Statistics, volume 108 ofProceedings of Machine Learning Research, pages 2938–2948. PMLR, 26–28 Aug 2...

work page 2020

[13] [13]

Bolun Wang, Yuanshun Yao, Shawn Shan, Huiying Li, Bimal Viswanath, Haitao Zheng, and Ben Y . Zhao. Neural cleanse: Identifying and mitigating backdoor attacks in neural networks. In2019 IEEE Symposium on Security and Privacy (SP), pages 707–723, 2019. doi: 10.1109/SP.2019.00031. URLhttps://ieeexplore.ieee.org/document/8835365

work page doi:10.1109/sp.2019.00031 2019

[14] [14]

CRFL: certifiably robust federated learning against backdoor attacks

Chulin Xie, Minghao Chen, Pin-Yu Chen, and Bo Li. CRFL: certifiably robust federated learning against backdoor attacks. In Marina Meila and Tong Zhang, editors,Proceedings of the 38th International Conference on Machine Learning, ICML 2021, 18-24 July 2021, Virtual Event, Proceedings of Machine Learning Research, pages 11372–11382. PMLR, 2021. URL http://...

work page 2021

[15] [15]

Data free backdoor attacks

Bochuan Cao, Jinyuan Jia, Chuxuan Hu, Wenbo Guo, Zhen Xiang, Jinghui Chen, Bo Li, and Dawn Song. Data free backdoor attacks. In A. Globerson, L. Mackey, D. Belgrave, A. Fan, U. Paquet, J. Tomczak, and C. Zhang, editors,Advances in Neural Information Processing Systems, volume 37, pages 23881–23911. Curran Associates, Inc., 2024. doi: 10.52202/079017-0753....

work page doi:10.52202/079017-0753 2024

[16] [16]

Machine learning with adversaries: Byzantine tolerant gradient descent

Peva Blanchard, El Mahdi El Mhamdi, Rachid Guerraoui, and Julien Stainer. Machine learning with adversaries: Byzantine tolerant gradient descent. In I. Guyon, U. V on Luxburg, S. Bengio, H. Wallach, R. Fergus, S. Vishwanathan, and R. Garnett, edi- tors,Advances in Neural Information Processing Systems, volume 30. Curran Associates, Inc., 2017. URL https:/...

work page 2017

[17] [17]

Bartlett

Dong Yin, Yudong Chen, Kannan Ramchandran, and Peter L. Bartlett. Byzantine-robust distributed learning: Towards optimal statistical rates. InInternational Conference on Machine Learning, 2018

work page 2018

[18] [18]

FLAME: Taming Backdoors in Federated Learning

Thien Duc Nguyen, Phillip Rieger, Huili Chen, Hossein Yalame, Helen Möllering, Hossein Fereidooni, Samuel Marchal, Markus Miettinen, Azalia Mirhoseini, Shaza Zeitouni, Farinaz Koushanfar, Ahmad-Reza Sadeghi, and Thomas Schneider. FLAME: Taming Backdoors in Federated Learning. In31st USENIX Security Symposium (USENIX Security 22), pages 1415–1432, 2022. IS...

work page 2022

[19] [19]

Deepsight: Mitigating backdoor attacks in federated learning through deep model inspection

Phillip Rieger, Thien Duc Nguyen, Markus Miettinen, and Ahmad-Reza Sadeghi. Deepsight: Mitigating backdoor attacks in federated learning through deep model inspection. In29th Annual Network and Distributed System Security Symposium, NDSS 2022, San Diego, California, USA, April 24-28, 2022. The Internet Society, 2022. URL https://www.ndss-symposium.org/ nd...

work page 2022

[20] [20]

2023 International Joint Conference on Neural Networks (IJCNN) , year =

Thuy Dung Nguyen, Anh Duy Nguyen, Thanh-Hung Nguyen, Kok-Seng Wong, Huy Hieu Pham, Truong Thao Nguyen, and Phi Le Nguyen. Fedgrad: Mitigating backdoor attacks in federated learning through local ultimate gradients inspection. In2023 International Joint Conference on Neural Networks (IJCNN), pages 01–10, 2023. doi: 10.1109/IJCNN54540.2023.10191655

work page doi:10.1109/ijcnn54540.2023.10191655 2023

[21] [21]

Mitigating backdoors in federated learning with fld.2024 5th International Seminar on Artificial Intelligence, Networking and In- formation Technology (AINIT), pages 530–535, 2023

Yihang Lin, Pengyuan Zhou, Zhiqian Wu, and Yong Liao. Mitigating backdoors in federated learning with fld.2024 5th International Seminar on Artificial Intelligence, Networking and In- formation Technology (AINIT), pages 530–535, 2023. URLhttps://api.semanticscholar. org/CorpusID:257255592

work page 2024

[22] [22]

Pa- rameter disparities dissection for backdoor defense in heterogeneous federated learn- ing

Wenke Huang, Mang Ye, Zekun Shi, Guancheng Wan, He Li, and Bo Du. Pa- rameter disparities dissection for backdoor defense in heterogeneous federated learn- ing. In A. Globerson, L. Mackey, D. Belgrave, A. Fan, U. Paquet, J. Tom- czak, and C. Zhang, editors,Advances in Neural Information Processing Systems, volume 37, pages 120951–120973. Curran Associates...

work page 2024

[23] [23]

BoBa: Boosting Backdoor Detection through Data Distribution Inference in Federated Learning

Ning Wang, Shanghao Shi, Yang Xiao, Yimin Chen, Y . Thomas Hou, and Wenjing Lou. Boba: Boosting backdoor detection through data distribution inference in federated learning.CoRR, abs/2407.09658, 2024. doi: 10.48550/ARXIV .2407.09658. URL https://doi.org/10. 48550/arXiv.2407.09658

work page internal anchor Pith review Pith/arXiv arXiv doi:10.48550/arxiv 2024

[24] [24]

Feddlad: A federated learning dual- layer anomaly detection framework for enhancing resilience against backdoor attacks

Binbin Ding, Penghui Yang, and Sheng-Jun Huang. Feddlad: A federated learning dual- layer anomaly detection framework for enhancing resilience against backdoor attacks. In Proceedings of the Thirty-Fourth International Joint Conference on Artificial Intelligence, IJCAI 2025, Montreal, Canada, August 16-22, 2025, pages 5021–5029. ijcai.org, 2025. doi: 10.2...

work page doi:10.24963/ijcai.2025/559 2025

[25] [25]

A multi-granularity clustering approach for federated backdoor defense with the adam optimizer

Jidong Yuan, Qihang Zhang, Naiyue Chen, Shengbo Chen, and Baomin Xu. A multi-granularity clustering approach for federated backdoor defense with the adam optimizer. InInternational Joint Conference on Artificial Intelligence, 2025

work page 2025

[26] [26]

Detecting backdoor attacks in federated learning via direction alignment inspection

Jiahao Xu, Zikai Zhang, and Rui Hu. Detecting backdoor attacks in federated learning via direction alignment inspection. InProceedings of the IEEE/CVF Conference on Computer Vision and Pattern Recognition (CVPR), pages 20654–20664, June 2025

work page 2025

[27] [27]

Lockdown: Backdoor defense for federated learning with isolated subspace training

Tiansheng Huang, Sihao Hu, Ka-Ho Chow, Fatih Ilhan, Selim Furkan Tekin, and Ling Liu. Lockdown: Backdoor defense for federated learning with isolated subspace training. In Thirty-seventh Conference on Neural Information Processing Systems, 2023. URL https: //openreview.net/forum?id=V5cQH7JbGo

work page 2023

[28] [28]

Baffle: Backdoor detection via feedback-based federated learning

Sebastien Andreina, Giorgia Azzurra Marson, Helen Möllering, and Ghassan Karame. Baffle: Backdoor detection via feedback-based federated learning. In2021 IEEE 41st International Conference on Distributed Computing Systems (ICDCS), pages 852–863, 2021. doi: 10.1109/ ICDCS51616.2021.00086

work page arXiv 2021

[29] [29]

Fedgame: A game-theoretic defense against backdoor attacks in federated learning

Jinyuan Jia, Zhuowen Yuan, Dinuka Sahabandu, Luyao Niu, Arezoo Rajabi, Bhaskar Ra- masubramanian, Bo Li, and Radha Poovendran. Fedgame: A game-theoretic defense against backdoor attacks in federated learning. In A. Oh, T. Naumann, A. Glober- son, K. Saenko, M. Hardt, and S. Levine, editors,Advances in Neural Informa- tion Processing Systems, volume 36, pa...

work page

[30] [30]

URL https://proceedings.neurips.cc/paper_files/paper/2023/file/ a6678e2be4ce7aef9d2192e03cd586b7-Paper-Conference.pdf

work page 2023

[31] [31]

BackdoorIndicator: Leveraging OOD Data for Proactive Backdoor Detection in Federated Learning

Songze Li and Yanbo Dai. BackdoorIndicator: Leveraging OOD Data for Proactive Backdoor Detection in Federated Learning. In33rd USENIX Security Symposium (USENIX Security 24), pages 4193–4210, 2024. ISBN 978-1-939133-44-1

work page 2024

[32] [32]

Crowdguard: Federated backdoor detection in federated learning

Phillip Rieger, Torsten Krauß, Markus Miettinen, Alexandra Dmitrienko, and Ahmad-Reza Sadeghi. Crowdguard: Federated backdoor detection in federated learning. In31st Annual Network and Distributed System Security Symposium, NDSS 2024, San Diego, California, USA, February 26 - March 1, 2024. The In- ternet Society, 2024. URL https://www.ndss-symposium.org/...

work page 2024

[33] [33]

HoneyFL: Using Honeypots to Catch Backdoors in Federated Learning.IET Image Processing, 19(1):e70201, 2025

Haibin Zheng, Wenjie Shen, and Jinyin Chen. HoneyFL: Using Honeypots to Catch Backdoors in Federated Learning.IET Image Processing, 19(1):e70201, 2025. ISSN 1751-9667. doi: 10.1049/ipr2.70201

work page doi:10.1049/ipr2.70201 2025

[34] [34]

DeTrigger: A Gradient-Centric Approach to Backdoor Attack Mitigation in Federated Learning

Kichang Lee, Yujin Shin, Jonghyuk Yun, Songkuk Kim, Jun Han, and JeongGil Ko. Detrigger: A gradient-centric approach to backdoor attack mitigation in federated learning, 2025. URL https://arxiv.org/abs/2411.12220

work page internal anchor Pith review Pith/arXiv arXiv 2025

[35] [35]

El Mahdi El-Mhamdi, Sadegh Farhadkhani, Rachid Guerraoui, Arsany Guirguis, Lê-Nguyên Hoang, and Sébastien Rouault. Collaborative learning in the jungle (decentralized, byzan- tine, heterogeneous, asynchronous and nonconvex learning).Advances in neural information processing systems, 34:25044–25057, 2021. 12

work page 2021

[36] [36]

Muffliato: Peer-to- peer privacy amplification for decentralized optimization and averaging.Advances in Neural Information Processing Systems, 35:15889–15902, 2022

Edwige Cyffers, Mathieu Even, Aurélien Bellet, and Laurent Massoulié. Muffliato: Peer-to- peer privacy amplification for decentralized optimization and averaging.Advances in Neural Information Processing Systems, 35:15889–15902, 2022

work page 2022

[37] [37]

Noiseless privacy-preserving decentralized learning.Proceedings on Privacy Enhancing Technologies, 2025

Sayan Biswas, Mathieu Even, Anne-Marie Kermarrec, Laurent Massoulié, Rafael Pires, Rishi Sharma, and Martijn de V os. Noiseless privacy-preserving decentralized learning.Proceedings on Privacy Enhancing Technologies, 2025

work page 2025

[38] [38]

Low-cost privacy-preserving decentralized learning.Proceedings on Privacy Enhancing Technologies, 2025

Sayan Biswas, Davide Frey, Romaric Gaudel, Anne-Marie Kermarrec, Dimitri Lerévérend, Rafael Pires, Rishi Sharma, and François Taïani. Low-cost privacy-preserving decentralized learning.Proceedings on Privacy Enhancing Technologies, 2025

work page 2025

[39] [39]

Badfl: Mit- igating model poisoning in decentralized federated learning.IEEE Transactions on Computers, 74:3968–3979, 2025

Yuan Yuan, Anhao Zhou, Xiao Zhang, Yifei Zou, Yangguang Shi, and Dongxiao Yu. Badfl: Mit- igating model poisoning in decentralized federated learning.IEEE Transactions on Computers, 74:3968–3979, 2025. URLhttps://api.semanticscholar.org/CorpusID:281078519

work page 2025

[40] [40]

FL- WBC: Enhancing robustness against model poisoning attacks in federated learning from a client perspective

Jingwei Sun, Ang Li, Louis DiValentin, Amin Hassanzadeh, Yiran Chen, and Hai Li. FL- WBC: Enhancing robustness against model poisoning attacks in federated learning from a client perspective. In A. Beygelzimer, Y . Dauphin, P. Liang, and J. Wortman Vaughan, editors, Advances in Neural Information Processing Systems, 2021. URL https://openreview.net/ forum...

work page 2021

[41] [41]

A discrete- time multi-hop consensus protocol for decentralized federated learning.IEEE Access, 11: 80613–80623, 2023

Danilo Menegatti, Alessandro Giuseppi, Sabato Manfredi, and Antonio Pietrabissa. A discrete- time multi-hop consensus protocol for decentralized federated learning.IEEE Access, 11: 80613–80623, 2023. doi: 10.1109/ACCESS.2023.3299443

work page doi:10.1109/access.2023.3299443 2023

[42] [42]

Secure aggregation meets sparsification in decentralized learning.arXiv preprint arXiv:2405.07708, 2024

Sayan Biswas, Anne-Marie Kermarrec, Rafael Pires, Rishi Sharma, and Milos Vujasi- novic. Secure aggregation meets sparsification in decentralized learning.arXiv preprint arXiv:2405.07708, 2024

work page arXiv 2024

[43] [43]

Decentralized federated learning with energy harvesting devices.IEEE Transactions on Wireless Communications, 25:15392–15407, 2026

Kai Zhang, Xuanyu Cao, and Khaled B Letaief. Decentralized federated learning with energy harvesting devices.IEEE Transactions on Wireless Communications, 25:15392–15407, 2026

work page 2026

[44] [44]

Bovik, H.R

Zhou Wang, A.C. Bovik, H.R. Sheikh, and E.P. Simoncelli. Image quality assessment: from error visibility to structural similarity.IEEE Transactions on Image Processing, 13(4):600–612,

work page

[45] [45]

Bovik, Hamid R

doi: 10.1109/TIP.2003.819861. URL https://ieeexplore.ieee.org/document/ 1284395

work page doi:10.1109/tip.2003.819861 2003

[46] [46]

Larsson and Nicolò Michelusi

Erik G. Larsson and Nicolò Michelusi. Unified Analysis of Decentralized Gradient Descent: A Contraction Mapping Framework.IEEE Open Journal of Signal Processing, 6:507–529, 2025. ISSN 2644-1322. doi: 10.1109/OJSP.2025.3557332

work page doi:10.1109/ojsp.2025.3557332 2025

[47] [47]

A Unified Theory of Decentralized SGD with Changing Topology and Local Updates

Anastasia Koloskova, Nicolas Loizou, Sadra Boreiri, Martin Jaggi, and Sebastian Stich. A Unified Theory of Decentralized SGD with Changing Topology and Local Updates. InPro- ceedings of the 37th International Conference on Machine Learning, pages 5381–5393. PMLR, November 2020

work page 2020

[48] [48]

Learning multiple layers of features from tiny images.University of Toronto, 05 2012

Alex Krizhevsky. Learning multiple layers of features from tiny images.University of Toronto, 05 2012

work page 2012

[49] [49]

Deep residual learning for image recognition

Kaiming He, Xiangyu Zhang, Shaoqing Ren, and Jian Sun. Deep residual learning for image recognition. In2016 IEEE Conference on Computer Vision and Pattern Recognition (CVPR), pages 770–778, 2016. doi: 10.1109/CVPR.2016.90

work page doi:10.1109/cvpr.2016.90 2016

[50] [50]

Brendan McMahan, Virginia Smith, and Ameet Talwalkar

Sebastian Caldas, Sai Meher Karthik Duddu, Peter Wu, Tian Li, Jakub Koneˇcný, H. Brendan McMahan, Virginia Smith, and Ameet Talwalkar. Leaf: A benchmark for federated settings,

work page

[51] [51]

URLhttps://arxiv.org/abs/1812.01097

work page arXiv

[52] [52]

Lecun, L

Y . Lecun, L. Bottou, Y . Bengio, and P. Haffner. Gradient-based learning applied to document recognition.Proceedings of the IEEE, 86(11):2278–2324, 1998. doi: 10.1109/5.726791

work page doi:10.1109/5.726791 1998

[53] [53]

Ya Le and Xuan S. Yang. Tiny imagenet visual recognition challenge, 2015. URL http: //vision.stanford.edu/teaching/cs231n/reports/2015/pdfs/yle_project.pdf. 13

work page 2015

[54] [54]

Global update tracking: A decentralized learning algorithm for heterogeneous data

Sai Aparna Aketi, Abolfazl Hashemi, and Kaushik Roy. Global update tracking: A decentralized learning algorithm for heterogeneous data. In A. Oh, T. Naumann, A. Globerson, K. Saenko, M. Hardt, and S. Levine, editors,Advances in Neural Information Processing Systems, volume 36, pages 48939–48961. Curran Associates, Inc., 2023. URL https://proceedings.neuri...

work page 2023

[55] [55]

Averaging rate scheduler for decen- tralized learning on heterogeneous data

Sai Aparna Aketi, Sakshi Choudhary, and Kaushik Roy. Averaging rate scheduler for decen- tralized learning on heterogeneous data. InThe Second Tiny Papers Track at ICLR 2024, 2024. URLhttps://openreview.net/forum?id=w9ZzNmWmjA

work page 2024

[56] [56]

Toward cleansing backdoored neural networks in federated learning

Chen Wu, Xian Yang, Sencun Zhu, and Prasenjit Mitra. Toward cleansing backdoored neural networks in federated learning. In2022 IEEE 42nd International Conference on Distributed Computing Systems (ICDCS), pages 820–830, 2022. doi: 10.1109/ICDCS54860.2022.00084

work page doi:10.1109/icdcs54860.2022.00084 2022

[57] [57]

Unlearning backdoor attacks in federated learning

Chen Wu, Sencun Zhu, Prasenjit Mitra, and Wei Wang. Unlearning backdoor attacks in federated learning. In2024 IEEE Conference on Communications and Network Security (CNS), pages 1–9, 2024. doi: 10.1109/CNS62487.2024.10735680

work page doi:10.1109/cns62487.2024.10735680 2024

[58] [58]

Does differential privacy defeat data poisoning? In ICLR 2021 Workshop on Distributed and Private Machine Learning (DPML), 2021

Matthew Jagielski and Alina Oprea. Does differential privacy defeat data poisoning? In ICLR 2021 Workshop on Distributed and Private Machine Learning (DPML), 2021. URL https://dp-ml.github.io/2021-workshop-ICLR/files/23.pdf. Workshop paper

work page 2021

[59] [59]

Robust anomaly detection and backdoor attack detection via differential privacy

Min Du, Ruoxi Jia, and Dawn Song. Robust anomaly detection and backdoor attack detection via differential privacy. InInternational Conference on Learning Representations, 2020. URL https://openreview.net/forum?id=SJx0q1rtvS

work page 2020

[60] [60]

Decentralized learning made easy with decentralizepy

Akash Dhasade, Anne-Marie Kermarrec, Rafael Pires, Rishi Sharma, and Milos Vujasinovic. Decentralized learning made easy with decentralizepy. InProceedings of the 3rd Workshop on Machine Learning and Systems, EuroMLSys ’23, page 34–41. ACM, May 2023. doi: 10.1145/3578356.3592587. URLhttp://dx.doi.org/10.1145/3578356.3592587

work page doi:10.1145/3578356.3592587 2023

[61] [61]

S. Boyd, A. Ghosh, B. Prabhakar, and D. Shah. Randomized gossip algorithms.IEEE Transactions on Information Theory, 52(6):2508–2530, June 2006. ISSN 1557-9654. doi: 10.1109/TIT.2006.874516. 14 A Symbol table We provide a table summarizing all the symbols used throughout this work in Table 2. Table 2: List of symbols used in this work. Symbol Description S...

work page doi:10.1109/tit.2006.874516 2006

[62] [62]

,M following Equation (1)

Sample M independent pairs of null triggers (τ (m) a ,τ (m) b ) for m= 1,. . .,M following Equation (1)

work page

[63] [63]

For each pair, apply top-k clipping and compute sim(τ (m) a ,τ (m) b ) with window size w (also see Section 3.2.2)

work page

[64] [64]

1 K 2 j # + X i∈N(j) E δt i,j K 2 i . By d-regularity and exchangeability across neighbors (symmetry), we have that for any fixed ℓ∈ N(j): X i∈N(j) E δt i,j K 2 i =dE

Setξat the desired quantileqof the resulting similarity distribution. We use M= 10 000 and q= 0.99 for our experiments. This is a one-time, offline, pre-run computation that doesnotdepend on any training data or the model weights, and runs in a few seconds on a single CPU. D.3 Calibration across datasets The clipping parameterkand window sizeware set cons...

work page

[65] [65]

Guidelines: • The answer [N/A] means that the paper does not involve crowdsourcing nor research with human subjects

Institutional review board (IRB) approvals or equivalent for research with human subjects Question: Does the paper describe potential risks incurred by study participants, whether such risks were disclosed to the subjects, and whether Institutional Review Board (IRB) approvals (or an equivalent approval/review based on the requirements of your country or ...

work page