SpectralKrum: A Spectral-Geometric Defense Against Byzantine Attacks in Federated Learning
Aditya Tripathi 1, Karan Sharma 1, Rahul Mishra 2, Tapas Kumar Maiti 1
Published on arXiv
2512.11760
Data Poisoning Attack
OWASP ML Top 10 — ML02
Key Finding
SpectralKrum matches or exceeds baselines against directional and subspace-aware Byzantine attacks (adaptive-steer, buffer-drift) but provides no consistent advantage over simpler statistical aggregators when malicious updates are spectrally indistinguishable from benign ones (label-flip, min-max), across 56,000+ training rounds.
SpectralKrum
Novel technique introduced
Federated Learning (FL) distributes model training across clients who retain their data locally, but this architecture exposes a fundamental vulnerability: Byzantine clients can inject arbitrarily corrupted updates that degrade or subvert the global model. While robust aggregation methods (including Krum, Bulyan, and coordinate-wise defenses) offer theoretical guarantees under idealized assumptions, their effectiveness erodes substantially when client data distributions are heterogeneous (non-IID) and adversaries can observe or approximate the defense mechanism. This paper introduces SpectralKrum, a defense that fuses spectral subspace estimation with geometric neighbor-based selection. The core insight is that benign optimization trajectories, despite per-client heterogeneity, concentrate near a low-dimensional manifold that can be estimated from historical aggregates. SpectralKrum projects incoming updates into this learned subspace, applies Krum selection in compressed coordinates, and filters candidates whose orthogonal residual energy exceeds a data-driven threshold. The method requires no auxiliary data, operates entirely on model updates, and preserves FL privacy properties. We evaluate SpectralKrum against eight robust baselines across seven attack scenarios on CIFAR-10 with Dirichlet-distributed non-IID partitions (alpha = 0.1). Experiments spanning over 56,000 training rounds show that SpectralKrum is competitive against directional and subspace-aware attacks (adaptive-steer, buffer-drift), but offers limited advantage under label-flip and min-max attacks where malicious updates remain spectrally indistinguishable from benign ones.
Key Contributions
- SpectralKrum algorithm combining rolling PCA subspace estimation with Krum geometric neighbor selection to filter Byzantine updates in non-IID FL settings
- Orthogonal energy filtering step that flags updates deviating from the learned benign optimization manifold using a data-driven residual threshold
- Rigorous empirical characterization of when spectral geometry aids Byzantine defense (directional/subspace-aware attacks) and when it fails (spectrally indistinguishable attacks like label-flip and min-max)
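The pipeline described in the abstract and the first two contributions, as an added NumPy reconstruction that is not the paper's code: a subspace is estimated from a buffer of past aggregates, incoming updates are projected into it, updates with excessive orthogonal residual energy are dropped, and Krum runs in the compressed coordinates. The threshold rule (median + scaled MAD), the plain-SVD subspace estimate, the buffer size and all sample data are assumptions; the demo builds one off-manifold (directional) attack and one in-subspace sign-flip to show where the residual filter bites and where it is inert and only Krum's geometry remains.

```python
import numpy as np

def estimate_subspace(history, k):
    """Top-k singular directions (d x k basis) of past aggregates; stands in for rolling PCA."""
    _, _, vt = np.linalg.svd(np.asarray(history, dtype=float), full_matrices=False)
    return vt[:k].T

def krum_select(points, f):
    """Classic Krum: smallest sum of squared distances to the n-f-2 nearest neighbours."""
    m = max(len(points) - f - 2, 1)
    d2 = ((points[:, None, :] - points[None, :, :]) ** 2).sum(axis=-1)
    return int(np.argmin(np.sort(d2, axis=1)[:, 1:m + 1].sum(axis=1)))  # skip self (0)

def spectral_krum(updates, history, f, k=2, tau_scale=5.0):
    """Project onto the learned subspace, drop updates whose orthogonal residual
    energy exceeds median + tau_scale*MAD (assumed threshold rule), then run
    Krum in the k compressed coordinates. Returns (selected index, kept indices)."""
    U = np.asarray(updates, dtype=float)
    B = estimate_subspace(history, k)
    coords = U @ B                                   # compressed coordinates
    energy = ((U - coords @ B.T) ** 2).sum(axis=1)   # off-manifold energy
    med = np.median(energy)
    mad = np.median(np.abs(energy - med))
    keep = np.flatnonzero(energy <= med + tau_scale * mad + 1e-9).tolist()
    if len(keep) < f + 3:                            # Krum needs n > f + 2
        keep = list(range(len(U)))
    return keep[krum_select(coords[keep], f)], keep

def demo(n=10, f=3, d=50, k=2, seed=0):
    """Constructed data: benign updates sit near a k-dim manifold spanned by
    B_true. Attackers either push orthogonally off it (directional) or mirror
    the benign direction inside it (sign-flip, spectrally indistinguishable)."""
    rng = np.random.default_rng(seed)
    B_true, _ = np.linalg.qr(rng.normal(size=(d, k)))
    c0 = np.array([1.0, 0.5])                        # mean benign coefficients
    history = [B_true @ rng.normal(size=k) + 0.01 * rng.normal(size=d) for _ in range(20)]
    benign = [B_true @ (c0 + 0.1 * rng.normal(size=k)) + 0.01 * rng.normal(size=d)
              for _ in range(n - f)]
    off = rng.normal(size=d)
    off -= B_true @ (B_true.T @ off)                 # orthogonal to the manifold
    off /= np.linalg.norm(off)
    attacks = {"directional": [B_true @ c0 + 2.0 * off] * f,
               "sign_flip": [B_true @ (-c0)] * f}
    out = {}
    for name, bad in attacks.items():
        sel, keep = spectral_krum(benign + bad, history, f, k)
        out[name] = {"selected_benign": sel < n - f,
                     "filtered": sorted(set(range(n)) - set(keep))}
    return out
```

In the directional case the three attackers (indices 7 to 9) are removed by the residual filter before Krum runs; in the sign-flip case nobody is filtered, and the outcome rests entirely on Krum's neighbour geometry, which is the regime the Key Finding describes as offering no spectral advantage.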
🛡️ Threat Analysis
Directly defends against Byzantine clients in FL who send arbitrarily corrupted model updates (sign-flip, label-flip, min-max, adaptive-steer, buffer-drift) to degrade the global model — classic Byzantine/poisoning attacks in federated learning. SpectralKrum is a robust aggregation method specifically designed to detect and filter these malicious updates.