Bayesian Robust Aggregation for Federated Learning
Aleksandr Karakulev, Usama Zafar, Salman Toor, Prashant Singh
TL;DR
This work tackles Byzantine robustness in federated learning by introducing a Bayesian robust aggregation that marginalizes over client honesty probabilities. It casts aggregation as maximizing a marginal likelihood via an ELBO with a variational posterior over binary indicators, yielding EM-style updates for the global weight, scale, and client posteriors. The approach adapts to the number of malicious clients without extra hyperparameters and achieves strong performance against both untargeted and backdoor attacks across MNIST, FMNIST, and CIFAR-10, often matching or surpassing specialized defenses like Krum. Importantly, it preserves normal performance in benign settings, enabling practical deployment in dynamic adversarial environments.
Abstract
Federated Learning enables collaborative training of machine learning models on decentralized data. This scheme, however, is vulnerable to adversarial attacks, when some of the clients submit corrupted model updates. In real-world scenarios, the total number of compromised clients is typically unknown, with the extent of attacks potentially varying over time. To address these challenges, we propose an adaptive approach for robust aggregation of model updates based on Bayesian inference. The mean update is defined by the maximum of the likelihood marginalized over probabilities of each client to be `honest'. As a result, the method shares the simplicity of the classical average estimators (e.g., sample mean or geometric median), being independent of the number of compromised clients. At the same time, it is as effective against attacks as methods specifically tailored to Federated Learning, such as Krum. We compare our approach with other aggregation schemes in federated setting on three benchmark image classification data sets. The proposed method consistently achieves state-of-the-art performance across various attack types with static and varying number of malicious clients.
