PRISM-FCP: Byzantine-Resilient Federated Conformal Prediction via Partial Sharing

Ehsan Lari, Reza Arablouei, Stefan Werner

TL;DR

Extensive experiments demonstrate that PRISM-FCP maintains nominal coverage guarantees under Byzantine attacks while avoiding the interval inflation observed in standard FCP with reduced communication, providing a robust and communication-efficient approach to federated uncertainty quantification.

Abstract

We propose PRISM-FCP (Partial shaRing and robust calIbration with Statistical Margins for Federated Conformal Prediction), a Byzantine-resilient federated conformal prediction framework that utilizes partial model sharing to improve robustness against Byzantine attacks during both model training and conformal calibration. Existing approaches address adversarial behavior only in the calibration stage, leaving the learned model susceptible to poisoned updates. In contrast, PRISM-FCP mitigates attacks end-to-end. During training, clients partially share updates by transmitting only $M$ of $D$ parameters per round. This attenuates the expected energy of an adversary's perturbation in the aggregated update by a factor of $M/D$, yielding lower mean-square error (MSE) and tighter prediction intervals. During calibration, clients convert nonconformity scores into characterization vectors, compute distance-based maliciousness scores, and downweight or filter suspected Byzantine contributions before estimating the conformal quantile. Extensive experiments on both synthetic data and the UCI Superconductivity dataset demonstrate that PRISM-FCP maintains nominal coverage guarantees under Byzantine attacks while avoiding the interval inflation observed in standard FCP with reduced communication, providing a robust and communication-efficient approach to federated uncertainty quantification.
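The calibration-stage filtering described in the abstract, as an added Python example (not the authors' code), run against the all-zero efficiency attack of Figure 2(a). The histogram form of the characterization vector, the nearest-neighbour mean-distance score, the pooling of kept scores, and the Beta-distributed sample data are assumptions made for illustration.

```python
import math
import random

def characterization(scores, bins=10):
    """Histogram of scores in [0, 1], normalized to sum to 1 (assumed form)."""
    h = [0.0] * bins
    for s in scores:
        h[min(int(s * bins), bins - 1)] += 1.0 / len(scores)
    return h

def maliciousness(vectors, n_benign):
    """Mean L2 distance from each client to its n_benign - 1 nearest peers (assumed form)."""
    out = []
    for i, v in enumerate(vectors):
        d = sorted(math.dist(v, w) for j, w in enumerate(vectors) if j != i)
        out.append(sum(d[:n_benign - 1]) / (n_benign - 1))
    return out

def conformal_quantile(scores, alpha):
    """ceil((n + 1)(1 - alpha))-th smallest score: the split-conformal quantile."""
    s = sorted(scores)
    k = min(len(s), math.ceil((len(s) + 1) * (1 - alpha)))
    return s[k - 1]

def robust_quantile(client_scores, n_byz, alpha):
    """Drop the n_byz clients with the largest maliciousness, pool the rest."""
    vecs = [characterization(s) for s in client_scores]
    m = maliciousness(vecs, len(client_scores) - n_byz)
    keep = sorted(range(len(m)), key=m.__getitem__)[:len(m) - n_byz]
    pooled = [s for k in keep for s in client_scores[k]]
    return conformal_quantile(pooled, alpha), sorted(keep)

def demo(seed=0, n_clients=10, n_byz=3, n_scores=200, alpha=0.1):
    rng = random.Random(seed)
    # Constructed data: benign normalized scores drawn from Beta(2, 5) on [0, 1].
    clients = [[rng.betavariate(2, 5) for _ in range(n_scores)]
               for _ in range(n_clients)]
    benign_q = conformal_quantile([s for c in clients[n_byz:] for s in c], alpha)
    # Efficiency attack, Figure 2(a): Byzantine clients report all-zero scores.
    for k in range(n_byz):
        clients[k] = [0.0] * n_scores
    naive_q = conformal_quantile([s for c in clients for s in c], alpha)
    robust_q, kept = robust_quantile(clients, n_byz, alpha)
    return benign_q, naive_q, robust_q, kept

if __name__ == "__main__":
    print(demo())
```

Without filtering, the zero scores pull the pooled quantile below the benign one, which shrinks the intervals and breaks coverage; with filtering, the quantile matches the benign-only value.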

Paper Structure (20 sections, 17 theorems, 57 equations, 5 figures, 2 tables)

Key Result

Lemma 1

PSO-Fed converges in the mean sense under Byzantine attacks with a suitable stepsize [lari2024analyzing].

Figures (5)

  • Figure 1: Illustration of how partial sharing attenuates Byzantine perturbations.
  • Figure 2: Histograms illustrating the effect of different Byzantine attacks during the calibration phase: (a) efficiency attack (adversaries report all-zero normalized scores), (b) coverage attack (adversaries report all-one normalized scores), and (c) random attack (adversaries add Gaussian noise to their scores).
  • Figure 3: Distribution of maliciousness scores $m_k$ (cf. the definition of the maliciousness score) under different calibration-phase Byzantine attacks. Byzantine clients (red) attain markedly larger scores than benign clients, enabling reliable outlier filtering.
  • Figure 4: Illustrative prediction intervals under (a) efficiency, (b) coverage, and (c) random attacks. The true target values are shown as dashed lines, while prediction intervals from FCP and PRISM-FCP ($M/D = 0.3$) are shown in red and green, respectively.
  • Figure 5: Quantile deviation $|\hat{q}_{1-\alpha} - q^\star_{1-\alpha}|$ of PRISM-FCP versus sharing ratio $M/D$ under different types of Byzantine attacks.

Theorems & Definitions (32)

  • Remark 1: Scope of the linear model
  • Remark 2: Stochastic vs. adversarial attack model
  • Remark 3: Handling unknown $|{\mathcal{S}}_B|$
  • Lemma 1: Mean convergence
  • Lemma 2: Mean-square convergence
  • Lemma 3: Steady-state MSE decomposition
  • Remark 4: Interpretation of the MSE decomposition
  • Lemma 4: Partial sharing attenuates Byzantine contribution
  • Lemma 5: Lipschitz continuity of residuals
  • Proof
  • ...and 22 more