Inferensys

Glossary

Krum Algorithm

The Krum algorithm is a Byzantine-robust aggregation rule for federated learning that selects a single client's model update by choosing the one whose parameter vector is closest, in Euclidean distance, to its nearest neighbors, thereby filtering out malicious or faulty updates.
ML engineer managing model training cluster on laptop, GPU utilization visible, technical deep learning setup.
FEDERATED LEARNING ATTACK MITIGATION

What is the Krum Algorithm?

The Krum algorithm is a Byzantine-robust aggregation rule designed to secure federated learning against malicious clients.

The Krum algorithm is a Byzantine-robust aggregation rule that selects a single client's model update as the new global model by choosing the vector whose parameters are closest, in Euclidean distance, to its nearest neighbors. This mechanism filters out statistical outliers, which are presumed to be from malicious or faulty clients attempting data poisoning or model sabotage. It provides formal Byzantine fault tolerance, guaranteeing convergence despite a bounded fraction of adversarial participants.

The algorithm operates by calculating, for each received update, the sum of squared distances to its n - f - 2 closest neighbors, where n is the total number of clients and f is the maximum tolerated malicious clients. The update with the smallest sum is selected. While highly robust, Krum discards all non-selected updates, which can reduce statistical efficiency. It is often used as a component in more advanced meta-aggregators like Bulyan or compared with other robust methods like Trimmed Mean and Median Aggregation.

BYZANTINE-ROBUST AGGREGATION

Key Characteristics of the Krum Algorithm

The Krum algorithm is a Byzantine-robust aggregation rule designed to select a single, trustworthy client update in federated learning by identifying the vector closest to its neighbors, thereby filtering out malicious or faulty contributions.

01

Core Selection Mechanism

Krum operates by selecting a single client's model update as the new global model. For each client's parameter vector v_i, it calculates the sum of squared Euclidean distances to its n - f - 2 nearest neighbors, where n is the total number of clients and f is the assumed maximum number of Byzantine adversaries. The client whose vector has the smallest sum is chosen. This mechanism inherently assumes that honest updates form a cluster in parameter space, while malicious updates are outliers.

02

Byzantine Fault Tolerance Guarantee

The algorithm provides a formal guarantee: if the number of malicious clients f satisfies 2f + 2 < n, Krum's output is resilient to their influence. This means the aggregated update is close to the true average of the honest clients' updates in expectation, preventing a minority of adversaries from arbitrarily distorting the global model. This Byzantine fault tolerance (BFT) property is critical for security in open participation federated systems.

03

Computational and Communication Efficiency

  • Communication: Only the selected client's full model vector is used, making the communication cost for the aggregated result equivalent to one model update.
  • Computation: The server must compute pairwise Euclidean distances between all n client updates, resulting in an O(n²d) computational complexity, where d is the model dimension. This quadratic scaling can be a bottleneck for large federations.
  • No Iterative Refinement: It is a single-shot selection rule, unlike iterative methods like coordinate-wise median.
04

Limitations and Practical Considerations

  • Single-Update Selection: Discards information from all non-selected honest clients, which can slow convergence and increase sample complexity.
  • Sensitivity to Hyperparameter f: Performance degrades if the actual number of adversaries exceeds the assumed f.
  • Non-IID Data Impact: The geometric clustering assumption of honest updates can be violated under highly heterogeneous (non-IID) client data, potentially causing Krum to select a suboptimal, but non-malicious, update.
  • High-Dimensional Distance Curse: Euclidean distance measures become less reliable in very high-dimensional spaces (large d).
05

Relation to Multi-Krum and Bulyan

Krum is often extended or used as a component in more advanced defenses:

  • Multi-Krum: Selects a subset of m clients with the best (smallest) scores and averages their updates, improving statistical efficiency.
  • Bulyan: A meta-aggregation defense that first uses Krum (or trimmed mean) to select a candidate set of updates, then applies a coordinate-wise trimmed mean to this set to produce the final robust update. This adds a second layer of filtering.
06

Typical Deployment Context

Krum is deployed in cross-silo or open participation federated learning scenarios where the central server cannot trust all clients. It is a foundational algorithm in the Federated Learning Attack Mitigation toolkit, specifically for countering data poisoning and model update poisoning attacks. It is often compared and benchmarked against other robust aggregators like median and trimmed mean.

BYZANTINE ROBUSTNESS COMPARISON

Krum Algorithm vs. Other Robust Aggregation Methods

A feature comparison of the Krum algorithm against other prominent Byzantine-robust aggregation rules used in federated learning to defend against malicious or faulty clients.

Aggregation FeatureKrum AlgorithmTrimmed MeanMedian AggregationBulyan (Meta-Aggregation)

Core Aggregation Mechanism

Selects single client update with minimal sum of distances to nearest neighbors

Computes coordinate-wise mean after discarding top/bottom fraction of values

Computes coordinate-wise median of all updates

Applies Krum/Trimmed Mean to select candidates, then applies coordinate-wise trimmed mean

Byzantine Resilience Guarantee

Theoretical guarantees for limited adversarial clients

Strong statistical robustness to outliers

High resilience to extreme outliers

Enhanced guarantees by combining two robust methods

Output Model Update

A single client's parameter vector

A synthetic average of a subset of clients

The median value per parameter

A synthetic average of a robustly selected subset

Communication Efficiency (Server->Client)

Transmits one client's model

Transmits averaged synthetic model

Transmits median synthetic model

Transmits averaged synthetic model

Computational Overhead on Server

O(n² * d) for n clients, d dimensions (pairwise distance calc)

O(n * d) (sorting per dimension)

O(n * d) (median per dimension)

O(n² * d) + O(m * d) for m candidates (two-stage)

Handles Non-IID Data

Poor; selection can be biased by benign distribution shifts

Moderate; trimming may remove valid but extreme updates

Good; median is less sensitive to distribution skew

Moderate; depends on first-stage selection

Defense Against Sybil Attacks (Multiple Fake Clients)

Weak; susceptible to colluding adversaries creating a plausible cluster

Moderate; trimming reduces but doesn't eliminate coordinated influence

Strong; median is hard to shift without majority control

Stronger; two-stage filtering increases collusion cost

Common Hyperparameters

Number of Byzantine clients f to tolerate

Trimming fraction β

None

Number of candidates m, trimming fraction β

KRUM ALGORITHM

Frequently Asked Questions

The Krum algorithm is a core defensive mechanism in federated learning, designed to ensure the integrity of the global model when some participants are malicious. These questions address its operation, strengths, and practical application.

The Krum algorithm is a Byzantine-robust aggregation rule that selects a single client's model update as the new global model by choosing the vector whose parameters are closest, in Euclidean distance, to its nearest neighbors, thereby filtering out statistical outliers and malicious submissions.

It operates under the Byzantine fault model, which assumes a fraction of clients (f) can send arbitrary, adversarial updates. For each received update vector, Krum calculates the sum of squared distances to its (n - f - 2) closest neighbors, where 'n' is the total number of clients. The update with the smallest sum of distances is deemed the most 'typical' and is selected as the global update for that round. This makes it highly resilient to data poisoning and model poisoning attacks where adversaries attempt to skew the model.

Prasad Kumkar

About the author

Prasad Kumkar

CEO & MD, Inference Systems

Prasad Kumkar is the CEO & MD of Inference Systems and writes about AI systems architecture, LLM infrastructure, model serving, evaluation, and production deployment. Over 5+ years, he has worked across computer vision models, L5 autonomous vehicle systems, and LLM research, with a focus on taking complex AI ideas into real-world engineering systems.

His work and writing cover AI systems, large language models, AI agents, multimodal systems, autonomous systems, inference optimization, RAG, evaluation, and production AI engineering.