Bulyan is a two-stage, meta-aggregation Byzantine defense algorithm for federated learning. It first applies a primary robust aggregation rule, such as Krum or trimmed mean, to select a subset of candidate model updates from participating clients. This initial filtering step removes the most egregious outliers. In the second stage, Bulyan computes the coordinate-wise trimmed mean of the selected candidates to produce the final, robust global model update, offering strong resilience against adversarial updates.
Glossary
Bulyan

What is Bulyan?
Bulyan is a robust meta-aggregation defense designed to secure federated learning against Byzantine attacks from malicious or faulty clients.
The algorithm's strength lies in its layered defense, combining the outlier rejection of distance-based rules with the statistical robustness of trimming. By operating on a pre-filtered set, the final coordinate-wise trimming is applied to a cleaner distribution, making it highly effective even when a significant fraction of clients are Byzantine. This makes Bulyan a cornerstone technique for securing federated learning in untrusted, decentralized environments where data privacy prevents direct inspection of client contributions.
Key Features of Bulyan
Bulyan is a two-stage meta-aggregation defense designed to produce a correct global model update in federated learning even when a significant fraction of clients are malicious (Byzantine). It combines the strengths of existing robust methods for superior resilience.
Two-Stage Meta-Aggregation
Bulyan operates in two distinct phases to filter malicious updates. First, it applies a primary robust aggregation rule (like Krum or Trimmed Mean) not once, but repeatedly to select a set of 'candidate' updates deemed trustworthy. Second, it computes a coordinate-wise trimmed mean across this filtered candidate set to produce the final global update. This layered approach provides stronger theoretical guarantees than using either stage alone.
Resilience to Adaptive Adversaries
Unlike simpler defenses, Bulyan is specifically designed to withstand adaptive Byzantine adversaries. These are attackers that can observe the aggregation mechanism and craft malicious updates designed to bypass it. By using the trimmed mean in its second stage—which is robust to arbitrary values in any single coordinate—Bulyan limits the influence an adversary can have on any individual model parameter, even if their update passes the first-stage filter.
Theoretical Guarantees
Bulyan provides formal convergence guarantees under Byzantine faults. Research demonstrates that when the fraction of malicious clients is bounded (specifically, less than a quarter of the total clients in the original formulation), Bulyan ensures the global model converges to a point close to the optimum achievable without any attackers. This guarantee holds even when the benign clients' data is non-IID (not independently and identically distributed).
Parameter n and m Selection
The algorithm's robustness is controlled by two key hyperparameters:
- n: The number of candidate updates selected in the first stage.
- m: The number of extreme values to trim from each side per coordinate in the second-stage trimmed mean.
These parameters are set based on the estimated maximum fraction of Byzantine clients. Choosing
ntoo small reduces the utility of the candidate set, while settingmincorrectly can either leave the system vulnerable or discard too many benign updates. Proper configuration is critical for balancing robustness and model performance.
Comparison to Krum & Trimmed Mean
Bulyan was proposed to address limitations of its constituent algorithms:
- Krum: Selects only one update, discarding all other information from benign clients, which is inefficient and can slow convergence.
- Trimmed Mean: Effective per-coordinate but vulnerable if adversaries concentrate their attack on a single parameter dimension. Bulyan mitigates these weaknesses: its first stage uses Krum's neighbor-scoring to filter out blatant outliers, while its second stage uses trimmed mean's coordinate-wise robustness to handle residual attacks, creating a more comprehensive defense.
Computational & Communication Overhead
The primary trade-off for Bulyan's robustness is increased computational cost on the aggregation server. The first stage requires calculating pairwise Euclidean distances between all client updates, an O(N²) operation where N is the number of clients per round. The second stage involves sorting values for each model parameter. While this overhead is manageable for moderate-sized models and client batches, it can become significant for very large models (e.g., LLMs) or massive federations, necessitating optimized implementations or approximations.
Bulyan vs. Other Byzantine Robust Aggregation Methods
A feature comparison of the Bulyan meta-aggregation defense against other prominent Byzantine-robust aggregation rules used in federated learning.
| Feature / Metric | Bulyan | Krum | Trimmed Mean | Median |
|---|---|---|---|---|
Aggregation Type | Meta-aggregation (two-stage) | Single-point selection | Coordinate-wise statistical | Coordinate-wise statistical |
Core Mechanism | Selects candidates via a robust rule (e.g., Krum), then applies coordinate-wise trimmed mean | Selects the update vector closest to its nearest neighbors | Discards a fraction of extreme values in each dimension, then computes the mean | Selects the middle value in each parameter dimension across all updates |
Byzantine Resilience Guarantee | Strong theoretical guarantees under the assumption f < (n-2)/4 for n clients | Theoretical guarantees for f < (n-2)/2 | Theoretical guarantees for f < n/2 | Theoretical guarantees for f < n/2 |
Handles Non-IID Data | Moderate (second stage smoothing helps) | Poor (single selection amplifies client drift) | Good (statistical smoothing per dimension) | Good (statistical smoothing per dimension) |
Communication Cost per Round | High (requires full update vectors from all selected candidates) | Low (transmits only the single selected update) | Medium (requires all updates for per-dimension calculation) | Medium (requires all updates for per-dimension calculation) |
Computational Complexity | High (O(n²d) for selection + O(nd log n) for trimming) | High (O(n²d) for pairwise distance calculations) | Medium (O(nd log n) for per-dimension sorting) | Medium (O(nd log n) for per-dimension sorting) |
Output Stability | High (second stage reduces variance from first-stage selection) | Low (output can jump between different clients) | High | High |
Common Use Case | High-security environments requiring maximum robustness | Scenarios with extreme outlier updates and lower non-IID severity | General-purpose robust aggregation with balanced performance | Environments with very heavy-tailed or adversarial update distributions |
Frequently Asked Questions
Bulyan is a powerful meta-aggregation defense designed to secure federated learning against Byzantine clients—participants that send arbitrary, faulty, or malicious model updates. This FAQ addresses its core mechanisms, applications, and trade-offs.
Bulyan is a two-stage, meta-aggregation Byzantine-robust defense for federated learning. It first applies a primary robust aggregation rule (like Krum or trimmed mean) to select a subset of candidate updates deemed trustworthy. In its second stage, Bulyan computes a coordinate-wise trimmed mean across this candidate set to produce the final, robust global model update. This layered approach filters out malicious updates in the first stage and further mitigates residual influence from any remaining outliers in the second.
How it works:
- Candidate Selection: From all
nclient updates, a base robust aggregator (e.g., Krum) is applied(n - f - 2)times, each time selecting one candidate update and removing it from the pool. This yields a multiset of(n - f - 2)candidate vectors. - Meta-Aggregation: For each model parameter coordinate (dimension) independently, the highest and lowest
βvalues among the candidates are discarded. The mean of the remaining values is computed, forming the final aggregated update for that coordinate.
This process guarantees theoretical resilience against up to f malicious clients under certain assumptions, making the global model robust to data poisoning and model corruption attacks.
Enabling Efficiency, Speed & Accuracy
Intelligent Analysis, Decision & Execution
We build AI systems for teams that need search across company data, workflow automation across tools, or AI features inside products and internal software.
Talk to Us
Search across company data
Give teams answers from docs, tickets, runbooks, and product data with sources and permissions.
Useful when people spend too long searching or get different answers from different systems.

Automate internal workflows
Use AI to route work, draft outputs, trigger actions, and keep approvals and logs in place.
Useful when repetitive work moves across multiple tools and teams.

Add AI to products and internal tools
Build assistants, guided actions, or decision support into the software your team or customers already use.
Useful when AI needs to be part of the product, not a separate tool.
Related Terms
Bulyan operates within a broader ecosystem of defensive techniques designed to secure federated learning against malicious actors. These related concepts form the foundation of Byzantine-robust and privacy-preserving aggregation.
Byzantine Robust Aggregation
The overarching class of algorithms to which Bulyan belongs. These methods are designed to produce a correct global model update even when a fraction of participating clients are malicious or faulty, sending arbitrary or adversarial updates. The core challenge is achieving statistical resilience without assuming honest majority.
- Goal: Tolerate Byzantine failures (arbitrary behavior).
- Key Insight: Use robust statistics (e.g., median, trimmed mean) or geometric consensus (e.g., Krum) to filter outliers.
- Trade-off: Resilience often comes at the cost of statistical efficiency, especially under heavy attack.
Krum Algorithm
A foundational Byzantine-robust aggregation rule that Bulyan uses in its first selection phase. Krum selects a single client's model update as the global update by choosing the one whose parameter vector is closest, in Euclidean distance, to its nearest neighbors.
- Mechanism: For each candidate update, sum the distances to its n - f - 2 nearest neighbors (where f is the max faulty clients). The update with the smallest sum is selected.
- Property: Provides theoretical guarantees against a bounded number of Byzantine clients.
- Limitation: Uses only one update per round, wasting information from other honest clients. Bulyan addresses this by using Krum to select a subset of candidates.
Trimmed Mean Aggregation
A robust statistical method central to Bulyan's second aggregation phase. For each model parameter (coordinate), a fixed fraction β of the highest and lowest values from the candidate updates are discarded. The mean of the remaining values is computed to form the final global update for that coordinate.
- Process: Applied coordinate-wise across the model's parameter vector.
- Robustness: Highly effective against value corruption attacks where adversaries submit updates with extreme parameter values.
- Bulyan's Use: Applies trimmed mean to the set of updates pre-filtered by Krum, creating a meta-aggregation that is resilient to both directional and magnitude-based attacks.
Median Aggregation
A simpler Byzantine-robust baseline where the server computes the coordinate-wise median of all received client updates. It is highly resilient to extreme outlier values but can have high variance.
- Comparison to Bulyan: Median is a single-step aggregation. Bulyan's two-step process (select then trim) often achieves lower variance and better convergence because it first removes likely malicious updates geometrically (via Krum) before applying a robust statistic.
- Use Case: Effective when a large proportion of clients are honest, as the median is a breakdown point statistic.
Data Poisoning Defense
The broader defensive category against attacks where malicious clients manipulate their local training data to corrupt the global model. Bulyan is a primary defense against the model update poisoning that results from data poisoning.
- Attack Vector: Adversaries corrupt local datasets to produce malicious gradients/updates.
- Bulyan's Role: Mitigates the effect of poisoned updates by robust aggregation, acting as a server-side shield. It does not prevent local poisoning but prevents the poisoned updates from significantly altering the global model.
- Complementary Techniques: Often paired with client-side validation or trust scoring for a layered defense.
Byzantine Fault Tolerance (BFT)
A classical distributed systems property that federated learning borrows from. A BFT system can reach correct consensus despite a subset of participants behaving arbitrarily (Byzantine).
- Relation to FL: In federated learning, "consensus" is on the global model parameters. Bulyan provides a form of BFT for this consensus problem.
- Difference: Traditional BFT (e.g., PBFT) uses cryptographic voting and replication. FL BFT (like Bulyan) uses statistical and geometric methods on high-dimensional vectors, as model updates are large and voting is impractical.
- Guarantee: Bulyan provides statistical BFT, ensuring convergence to a good model under bounded adversarial influence.

About the author
Prasad Kumkar
CEO & MD, Inference Systems
Prasad Kumkar is the CEO & MD of Inference Systems and writes about AI systems architecture, LLM infrastructure, model serving, evaluation, and production deployment. Over 5+ years, he has worked across computer vision models, L5 autonomous vehicle systems, and LLM research, with a focus on taking complex AI ideas into real-world engineering systems.
His work and writing cover AI systems, large language models, AI agents, multimodal systems, autonomous systems, inference optimization, RAG, evaluation, and production AI engineering.
Partnered with leading AI, data, and software stack.
How We Work
Custom AI workflows for your Business
One-fit-all AI don't work for modern businesses. At Inferensys, we aim to understand your business & custom requirements; which we use to define most efficient agentic workflows, the data, and the tools for your business.
01
Review the use case
We understand the task, the users, and where AI can actually help.
Read more02
Pick the right approach
We define what needs search, automation, or product integration.
Read more03
Build the first useful version
We implement the part that proves the value first.
Read more04
Improve from there
We add the checks and visibility needed to keep it useful.
Read moreThe first call is a practical review of your use case and the right next step.
Talk to Us