Enhancing Robustness of Federated Learning via Server Learning
| Authors | Van Sy Mai et al. |
| Year | 2026 |
| Field | Machine Learning |
| arXiv | 2604.03226 |
| Download | |
| Categories | cs.LG, cs.AI |
Abstract
This paper explores the use of server learning for enhancing the robustness of federated learning against malicious attacks even when clients' training data are not independent and identically distributed. We propose a heuristic algorithm that uses server learning and client update filtering in combination with geometric median aggregation. We demonstrate via experiments that this approach can achieve significant improvement in model accuracy even when the fraction of malicious clients is high, even more than in some cases, and the dataset utilized by the server is small and could be synthetic with its distribution not necessarily close to that of the clients' aggregated data.
Engineering Breakdown
Plain English
This paper addresses a critical vulnerability in federated learning systems: their susceptibility to poisoning attacks from malicious clients, especially when client data distributions are non-IID (non-independent and identically distributed). The authors propose a hybrid defense combining server-side learning with client update filtering and geometric median aggregation, enabling the system to maintain model accuracy even when over 50% of clients are adversarial. The key innovation is that the server can learn effectively using only a small, potentially synthetic dataset that doesn't need to match the clients' data distribution, making this practical for real deployments where the server has limited data.
Core Technical Contribution
The core novelty is decoupling server robustness from data distribution alignment through a heuristic algorithm that leverages server learning as an active defense mechanism rather than passive aggregation. Unlike prior Byzantine-robust aggregation methods that rely purely on statistical properties (median, trimming), this approach uses the server's own learning process to identify and filter suspicious client updates before aggregation. The combination of geometric median aggregation with server-side learning creates a two-level defense: geometric median is inherently robust to outliers, while server learning provides an additional filtering layer that adapts to the specific attack patterns in the current round. This allows protection even when malicious clients compose the majority, which previous methods struggle with.
How It Works
The algorithm operates in rounds where clients perform local training on their non-IID data and send updates to the server. The server first trains its own model on its available (possibly synthetic) dataset, then uses this training process to evaluate and filter incoming client updates—updates that would harm the server's objective are downweighted or removed before aggregation. The filtered updates are then aggregated using geometric median, which finds the point minimizing the sum of distances to all updates, naturally rejecting extreme outliers from poisoned clients. The server model serves a dual purpose: it both defends against attacks through filtering and contributes a training signal that guides the overall aggregation toward models that work well on the server's data. Crucially, this filtering works even when the server's data distribution diverges significantly from the client aggregate, because the server is optimizing for a concrete objective rather than assuming distributions match.
Production Impact
undefined
Limitations and When Not to Use This
The paper assumes the server has access to at least a small dataset, even if synthetic or out-of-distribution—it cannot defend when the server is completely blind to the task domain. The approach's effectiveness against adaptive adversaries is unclear; intelligent attackers who know the server's defense mechanism could potentially craft updates that fool both the filtering and geometric median components, yet the paper doesn't thoroughly evaluate this threat model. The method's robustness guarantees appear empirical rather than theoretical—there are no formal Byzantine-resilience bounds proving it works under specific attack assumptions. Additionally, the paper doesn't fully explore the computational overhead of repeated server training and update evaluation at scale (thousands of clients), nor does it compare wall-clock convergence speed against faster but less robust alternatives. The synthetic data assumption also needs validation: what happens when synthetic data is severely misspecified or when generating it for complex domains (language, images) requires significant effort?
Research Context
This work builds on decades of Byzantine-robust aggregation research (coordinate-wise median, trimmed mean, multi-Krum) and more recent advances combining aggregation with filtering strategies for federated learning. It extends the geometric median approach, which has shown robustness to L2-bounded adversaries, by pairing it with an active learning component—the server model acts as both a verifier and a training signal. The paper advances the frontier of non-IID robustness, a known weakness of prior Byzantine-robust methods that often assumed identically distributed client data. This opens a research direction around leveraging server-side compute and limited data as a defense layer, potentially applicable beyond Byzantine robustness to label noise, covariate shift, and other distributional challenges in federated settings.
:::tip Subscribe Get weekly breakdowns of papers like this in AI Letters - the newsletter for engineers building production AI systems. :::
