FedIDM: Achieving Fast and Stable Convergence in Byzantine Federated Learning through Iterative Distribution Matching
He Yang, Dongyi Lv, Wei Xi, Song Ma, Hanlin Gu, Jizhong Zhao
Published on arXiv: 2604.15115
Data Poisoning Attack
OWASP ML Top 10 — ML02
Key Finding
Achieves fast and stable convergence while maintaining model utility under state-of-the-art Byzantine attacks with large proportions of malicious clients
Novel technique introduced: FedIDM
Most existing Byzantine-robust federated learning (FL) methods suffer from slow and unstable convergence. Moreover, when handling a substantial proportion of colluding malicious clients, achieving robustness typically entails compromising model utility. To address these issues, this work introduces FedIDM, which employs distribution matching to construct trustworthy condensed data for identifying and filtering abnormal clients. FedIDM consists of two main components: (1) attack-tolerant condensed data generation, and (2) robust aggregation with negative contribution-based rejection. These components exclude local updates that (1) deviate from the update direction derived from condensed data, or (2) cause a significant loss on the condensed dataset. Comprehensive evaluations on three benchmark datasets demonstrate that FedIDM achieves fast and stable convergence while maintaining acceptable model utility, under multiple state-of-the-art Byzantine attacks involving a large number of malicious clients.
Key Contributions
- Attack-tolerant condensed data generation via iterative distribution matching
- Robust aggregation with negative contribution-based rejection to filter malicious updates
- Fast and stable convergence under large-scale Byzantine attacks
🛡️ Threat Analysis
Defends against Byzantine attacks in federated learning where malicious clients submit corrupted model updates to degrade global model performance—this is data poisoning via malicious gradients/updates.
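
The two rejection rules named in the abstract can be sketched on a toy linear model. This is an added example, not the paper's code: the cosine test, the zero thresholds (`cos_min`, `loss_tol`), the function names and all sample data are assumptions, and a hand-written trusted set stands in for the condensed data that FedIDM generates by distribution matching.

```python
# Added illustration (not FedIDM's code): linear model, trusted condensed set,
# and two rejection checks. Thresholds and all data below are constructed.

def predict(w, x):
    return sum(wi * xi for wi, xi in zip(w, x))

def loss(w, data):
    """Mean squared error of linear model w on (x, y) pairs."""
    return sum((predict(w, x) - y) ** 2 for x, y in data) / len(data)

def grad(w, data):
    """Gradient of the mean squared error with respect to w."""
    g = [0.0] * len(w)
    for x, y in data:
        err = predict(w, x) - y
        for i, xi in enumerate(x):
            g[i] += 2 * err * xi / len(data)
    return g

def cosine(a, b):
    na, nb = sum(p * p for p in a) ** 0.5, sum(q * q for q in b) ** 0.5
    return sum(p * q for p, q in zip(a, b)) / (na * nb) if na and nb else 0.0

def robust_aggregate(w, updates, condensed, cos_min=0.0, loss_tol=0.0):
    """Return (new_w, accepted_ids, rejected{id: reason})."""
    ref = [-g for g in grad(w, condensed)]   # descent direction on condensed data
    base = loss(w, condensed)
    accepted, rejected = {}, {}
    for cid, u in updates.items():
        if cosine(u, ref) <= cos_min:        # check 1: deviates from reference direction
            rejected[cid] = "direction"
        elif loss([wi + ui for wi, ui in zip(w, u)], condensed) - base > loss_tol:
            rejected[cid] = "loss"           # check 2: raises loss on condensed data
        else:
            accepted[cid] = u
    if not accepted:
        return list(w), [], rejected
    mean = [sum(col) / len(accepted) for col in zip(*accepted.values())]
    return [wi + mi for wi, mi in zip(w, mean)], sorted(accepted), rejected

# Constructed sample: targets follow y = 2*x0 - x1; global model starts at zero.
CONDENSED = [((1, 0), 2), ((0, 1), -1), ((1, 1), 1)]
UPDATES = {
    "honest_a": [0.5, -0.2],
    "honest_b": [0.4, -0.3],
    "sign_flip": [-0.5, 0.2],   # points against the reference direction
    "scaled": [10.0, -4.0],     # plausible direction, destructive magnitude
}

if __name__ == "__main__":
    print(robust_aggregate([0.0, 0.0], UPDATES, CONDENSED))
```

The `scaled` update passes the direction check and is caught only by the loss check, which is why the two rules are applied together.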