AdRo-FL: Informed and Secure Client Selection for Federated Learning in the Presence of Adversarial Aggregator

Md. Kamrul Hossain, Walid Aljoby, Anis Elgabli, Ahmed M. Abdelmoniem, Khaled A. Harras

TL;DR

AdRo-FL tackles the dual challenge of defending against Biased Selection Attacks (BSA) on Secure Aggregation while still enabling informed, utility-based client selection for Federated Learning. It introduces two frameworks, one for cluster-oriented and one for distributed (non-clustered) client settings, combining a utility function that blends local loss and gradient norm with a two-phase selection protocol whose final step is a verifiable random function (VRF), so that BSA resistance is obtained without giving up performance. The approach includes cluster-level privacy thresholds, deadline-aware transmission, and 8-bit quantization to boost energy efficiency, yielding up to $1.85\times$ faster time-to-accuracy and up to $1.06\times$ higher final accuracy versus insecure baselines. Empirical results on MNIST, FMNIST, SVHN, and CIFAR-10 under high data heterogeneity demonstrate robust convergence and privacy guarantees, with practical implications for real-world deployments in regulated or resource-constrained environments.

Abstract

Federated Learning (FL) enables collaborative learning without exposing clients' data. While clients only share model updates with the aggregator, studies reveal that aggregators can infer sensitive information from these updates. Secure Aggregation (SA) protects individual updates during transmission; however, recent work demonstrates a critical vulnerability where adversarial aggregators manipulate client selection to bypass SA protections, constituting a Biased Selection Attack (BSA). Although verifiable random selection prevents BSA, it precludes the informed client selection that is essential for FL performance. We propose Adversarial Robust Federated Learning (AdRo-FL), which simultaneously enables informed client selection based on client utility and robust defense against BSA while maintaining privacy-preserving aggregation. AdRo-FL implements two client selection frameworks tailored for distinct settings. The first framework assumes clients are grouped into clusters based on mutual trust, such as different branches of an organization. The second framework handles distributed clients where no trust relationships exist between them. For the cluster-oriented setting, we propose a novel defense against BSA by (1) enforcing a minimum client selection quota from each cluster, supervised by a cluster-head in every round, and (2) introducing a client utility function to prioritize efficient clients. For the distributed setting, we design a two-phase selection protocol: first, the aggregator selects the top clients based on our utility-driven ranking; then, a verifiable random function (VRF) ensures a BSA-resistant final selection. AdRo-FL also applies quantization to reduce communication overhead and sets strict transmission deadlines to improve energy efficiency. AdRo-FL achieves up to $1.85\times$ faster time-to-accuracy and up to $1.06\times$ higher final accuracy compared to insecure baselines.
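The two-phase protocol for the distributed setting, as an added illustration that is not code from the paper: phase 1 ranks clients by a utility blending local loss and gradient norm (the 0.5 weighting is an assumption), phase 2 draws randomness bound to the published candidate set and selects from it, and a client-side audit recomputes both steps. HMAC-SHA256 with a shared key stands in for the VRF here (a real VRF is publicly verifiable with the prover's public key); client ids, utilities and the key are constructed sample values.

```python
import hashlib
import hmac
from dataclasses import dataclass

@dataclass
class ClientReport:
    cid: str
    local_loss: float
    grad_norm: float

def utility(r: ClientReport, alpha: float = 0.5) -> float:
    """Blend of local loss and gradient norm; the 0.5 weighting is an assumption."""
    return alpha * r.local_loss + (1 - alpha) * r.grad_norm

def phase1_rank(reports, m):
    """Informed step: the aggregator keeps the top-m clients by utility."""
    return sorted(r.cid for r in sorted(reports, key=utility, reverse=True)[:m])

def vrf_message(round_id, candidates):
    """Bind the round and the exact candidate set, so a post-hoc swap changes the VRF input."""
    digest = hashlib.sha256(",".join(sorted(candidates)).encode()).hexdigest()
    return f"{round_id}|{digest}".encode()

def vrf_eval(key, msg):
    """HMAC-SHA256 stand-in for a VRF: output is pseudorandom and fixed once the input is fixed."""
    return hmac.new(key, msg, hashlib.sha256).digest()

def phase2_select(candidates, k, vrf_out):
    """Secure step: k winners ordered by H(vrf_out || id); no party can steer this."""
    score = lambda c: hashlib.sha256(vrf_out + c.encode()).digest()
    return sorted(sorted(candidates, key=score)[:k])

def verify_round(key, round_id, candidates, vrf_out, final, reports=None):
    """Client-side audit: optional phase-1 check, VRF output check, phase-2 recomputation."""
    if reports is not None and candidates != phase1_rank(reports, len(candidates)):
        return False  # aggregator deviated from the published utility ranking
    if not hmac.compare_digest(vrf_out, vrf_eval(key, vrf_message(round_id, candidates))):
        return False  # candidate set or round changed after the randomness was drawn
    return final == phase2_select(candidates, len(final), vrf_out)

REPORTS = [  # constructed sample reports, not data from the paper
    ClientReport("c1", 2.1, 0.9), ClientReport("c2", 0.4, 0.2),
    ClientReport("c3", 1.7, 1.1), ClientReport("c4", 0.9, 0.5),
    ClientReport("c5", 2.5, 0.3), ClientReport("c6", 1.2, 1.4),
]
KEY = b"constructed-shared-key"  # HMAC stand-in needs a shared key; a real VRF is publicly verifiable

def run_round(round_id=1, m=4, k=2):
    candidates = phase1_rank(REPORTS, m)  # honest aggregator: rank, bind, draw, select
    vrf_out = vrf_eval(KEY, vrf_message(round_id, candidates))
    return candidates, vrf_out, phase2_select(candidates, k, vrf_out)
```

The audit passes the phase-1 check only when the verifier can see the utilities that produced the ranking; without them, the VRF binding still catches any change to the candidate set made after the randomness was drawn.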

Paper Structure

This paper contains 45 sections, 12 equations, 15 figures, 14 tables, 2 algorithms.

Figures (15)

  • Figure 1: Federated Learning client settings.
  • Figure 2: Non-colluding biased selection attack.
  • Figure 3: Colluding biased selection attack.
  • Figure 4: AdRo-FL for informed selection in cluster-oriented setting.
  • Figure 5: A) BSA attempt for non-colluding client setting. B) BSA attempt for colluding client setting.
  • ...and 10 more figures