Robust Federated Learning via Byzantine Filtering over Encrypted Updates
Federated Learning (FL) aims to train a collaborative model while preserving data privacy. However, the distributed nature of this approach still raises privacy and security issues, such as the exposure of sensitive data due to inference attacks and the influence of Byzantine behaviors on the trained model. In particular, achieving both secure aggregation and Byzantine resilience remains challenging, as existing solutions often address these aspects independently. In this work, we propose to address these challenges through a novel approach that combines homomorphic encryption for privacy-preserving aggregation with property-inference-inspired meta-classifiers for Byzantine filtering. First, following the property-inference attacks blueprint, we train a set of filtering meta-classifiers on labeled shadow updates, reproducing a diverse ensemble of Byzantine misbehaviors in FL, including backdoor, gradient-inversion, label-flipping and shuffling attacks. The outputs of these meta-classifiers are then used to cancel the Byzantine encrypted updates by reweighting. Second, we propose an automated method for selecting the optimal kernel and the dimensionality hyperparameters with respect to homomorphic inference, aggregation constraints and efficiency over the CKKS cryptosystem. Finally, we demonstrate through extensive experiments the effectiveness of our approach against Byzantine participants on the FEMNIST, CIFAR10, GTSRB, and acsincome benchmarks. More precisely, our SVM filtering achieves accuracies between $90$% and $94$% for identifying Byzantine updates at the cost of marginal losses in model utility and encrypted inference runtimes ranging from $6$ to $24$ seconds and from $9$ to $26$ seconds for an overall aggregation.
💡 Research Summary
This paper tackles two fundamental security challenges in federated learning (FL): protecting client updates from privacy‑leaking attacks and ensuring robustness against Byzantine participants who submit malicious updates. Existing solutions typically address secure aggregation (e.g., via secure multiparty computation or homomorphic encryption) and Byzantine resilience (e.g., Krum, Trimmed‑Mean) separately, leading to sub‑optimal trade‑offs and high computational overhead when combined.
The authors propose a unified framework that couples Fully Homomorphic Encryption (FHE) based on the CKKS scheme with a property‑inference inspired meta‑classifier for Byzantine filtering. The workflow is as follows: (1) each client encrypts its model update using CKKS and sends the ciphertext to the server; (2) the server performs homomorphic averaging of all encrypted updates without decryption; (3) a set of Support Vector Machine (SVM) meta‑classifiers, trained on a large collection of labeled “shadow” updates, evaluates the encrypted averaged update to infer whether each client’s contribution exhibits a malicious property, where the properties correspond to four representative Byzantine attacks (backdoor injection, gradient inversion, label‑flipping, and shuffling); (4) the server assigns a filter weight P_i^t to each client based on the SVM output, so that malicious updates receive near‑zero weight and are effectively cancelled in the final aggregation. All these steps are performed on encrypted data, preserving client privacy throughout the training process.
A key technical contribution is the automated selection of CKKS parameters (polynomial degree, scaling factor, slot count) that balance homomorphic inference accuracy, computational efficiency, and the constraints of the chosen kernel for the SVM. The authors conduct a grid search over model architectures and embedding dimensions to identify configurations that enable fast linear kernel evaluations on ciphertexts.
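A plaintext mock of the shadow‑trained filter and the reweighted aggregation from the workflow above, and of why a linear kernel suits encrypted evaluation (added example, not code from the paper): a perceptron stands in for the SVM meta‑classifier, each client's score is a single inner product plus bias, and the weight P_i is an assumed degree‑3 polynomial gate, since a CKKS evaluator offers only additions and multiplications. The CKKS encryption itself is not implemented, the division by the weight sum is done in plaintext for readability, and the Byzantine update model and all data are constructed.

```python
import random
TRUE_GRAD = [1.0, -0.5, 0.25, 0.8, -1.0, 0.3, -0.6, 0.9]  # constructed honest update direction
D = len(TRUE_GRAD)
rng = random.Random(7)

def update(byzantine=False):  # Byzantine = constructed scaled sign-flip, not a paper attack model
    return [(-2.0 if byzantine else 1.0) * g + rng.gauss(0, 0.15) for g in TRUE_GRAD]

def shadow_set(n):
    # Labeled shadow updates, +1 honest / -1 Byzantine, as in the paper's offline phase.
    data = [(update(), 1) for _ in range(n)] + [(update(True), -1) for _ in range(n)]
    rng.shuffle(data)
    return data

def score(w, b, u):
    # Inner product plus bias: additions and multiplications only, the op set a CKKS evaluator has.
    return sum(wi * ui for wi, ui in zip(w, u)) + b

def train_linear_filter(data, epochs=20, lr=0.05):
    """Perceptron standing in for the linear-kernel SVM meta-classifier (assumption)."""
    w, b = [0.0] * D, 0.0
    for _ in range(epochs):
        for x, y in data:
            if y * score(w, b, x) <= 0:
                w = [wi + lr * y * xi for wi, xi in zip(w, x)]
                b += lr * y
    return w, b

def calibrate(w, b, data):
    # Offline plaintext calibration: mean Byzantine score -> 0, mean honest score -> 1.
    h = [score(w, b, x) for x, y in data if y == 1]
    z = [score(w, b, x) for x, y in data if y == -1]
    return sum(z) / len(z), sum(h) / len(h)

def gate(s, lo, hi):
    # Assumed weight map P_i: degree-3 smooth step, a polynomial because CKKS cannot compare/threshold.
    t = (s - lo) / (hi - lo)
    return 3 * t * t - 2 * t * t * t

def filtered_average(w, b, lo, hi, updates):
    weights = [gate(score(w, b, u), lo, hi) for u in updates]  # per-client P_i
    return [sum(p * u[k] for p, u in zip(weights, updates)) / sum(weights) for k in range(D)], weights

def simulate_round(seed=7, n_shadow=30, n_honest=4):
    rng.seed(seed)
    w, b = train_linear_filter(shadow_set(n_shadow))
    lo, hi = calibrate(w, b, shadow_set(n_shadow))
    updates = [update() for _ in range(n_honest)] + [update(True)]
    agg, weights = filtered_average(w, b, lo, hi, updates)
    return agg, weights, [sum(u[k] for u in updates) / len(updates) for k in range(D)]
```

The cubic gate is flat near 0 and 1, so scoring noise barely moves the weights, but a score far outside the calibrated range pushes the polynomial out of [0, 1]; the calibration therefore has to come from shadow data that is representative of the deployment, which is the cost the summary's limitations paragraph refers to.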
Experimental evaluation spans four datasets (FEMNIST, CIFAR‑10, GTSRB, ACSIncome) and four model families (ResNet, VGG, custom CNN, MLP). The meta‑classifier achieves F1‑scores between 90 % and 94 % for single‑attack detection and 96 % when two distinct attack groups (backdoor + gradient ascent) act simultaneously. Model utility loss is modest (1–2 % absolute accuracy drop) compared to a non‑robust baseline. End‑to‑end encrypted aggregation, including SVM inference, takes 6–24 seconds per round depending on dataset and model size—approximately 1.5–2× slower than plain FedAvg but substantially faster than prior FHE‑based robust aggregators that require homomorphic sorting or median computation.
The approach also integrates seamlessly with differential privacy (DP‑SGD). Experiments with ε = 1.0 DP show only a slight degradation in detection performance (F1 ≈ 88–92 %), confirming that the method can coexist with post‑deployment privacy guarantees.
Compared with outlier‑exclusion methods, the proposed meta‑classifier does not rely on an honest‑majority assumption and is robust to non‑IID data distributions because the shadow training set is generated from diverse local data splits. Unlike proof‑based verification schemes, it avoids heavyweight zero‑knowledge proof generation, making it more practical for real‑world FL deployments.
Limitations include the need for an upfront, potentially expensive shadow‑model generation and CKKS parameter tuning phase, and scalability concerns for scenarios with thousands of clients where ciphertext size and homomorphic computation may become bottlenecks. Future work could explore hierarchical aggregation, adaptive parameter selection, and continual learning of the meta‑classifier to handle novel attack vectors.
In summary, the paper presents a novel, privacy‑preserving Byzantine‑resilient FL framework that leverages CKKS homomorphic encryption and property‑inference meta‑learning. It demonstrates high detection accuracy, limited utility loss, and acceptable runtime overhead, thereby advancing the state of the art in secure federated learning.