The Krum algorithm is a Byzantine-robust aggregation rule that selects a single client's model update as the new global model by choosing the vector whose parameters are closest, in Euclidean distance, to its nearest neighbors. This mechanism filters out statistical outliers, which are presumed to be from malicious or faulty clients attempting data poisoning or model sabotage. It provides formal Byzantine fault tolerance, guaranteeing convergence despite a bounded fraction of adversarial participants.
Glossary
Krum Algorithm

What is the Krum Algorithm?
The Krum algorithm is a Byzantine-robust aggregation rule designed to secure federated learning against malicious clients.
The algorithm operates by calculating, for each received update, the sum of squared distances to its n - f - 2 closest neighbors, where n is the total number of clients and f is the maximum tolerated malicious clients. The update with the smallest sum is selected. While highly robust, Krum discards all non-selected updates, which can reduce statistical efficiency. It is often used as a component in more advanced meta-aggregators like Bulyan or compared with other robust methods like Trimmed Mean and Median Aggregation.
Key Characteristics of the Krum Algorithm
The Krum algorithm is a Byzantine-robust aggregation rule designed to select a single, trustworthy client update in federated learning by identifying the vector closest to its neighbors, thereby filtering out malicious or faulty contributions.
Core Selection Mechanism
Krum operates by selecting a single client's model update as the new global model. For each client's parameter vector v_i, it calculates the sum of squared Euclidean distances to its n - f - 2 nearest neighbors, where n is the total number of clients and f is the assumed maximum number of Byzantine adversaries. The client whose vector has the smallest sum is chosen. This mechanism inherently assumes that honest updates form a cluster in parameter space, while malicious updates are outliers.
Byzantine Fault Tolerance Guarantee
The algorithm provides a formal guarantee: if the number of malicious clients f satisfies 2f + 2 < n, Krum's output is resilient to their influence. This means the aggregated update is close to the true average of the honest clients' updates in expectation, preventing a minority of adversaries from arbitrarily distorting the global model. This Byzantine fault tolerance (BFT) property is critical for security in open participation federated systems.
Computational and Communication Efficiency
- Communication: Only the selected client's full model vector is used, making the communication cost for the aggregated result equivalent to one model update.
- Computation: The server must compute pairwise Euclidean distances between all n client updates, resulting in an O(n²d) computational complexity, where d is the model dimension. This quadratic scaling can be a bottleneck for large federations.
- No Iterative Refinement: It is a single-shot selection rule, unlike iterative methods like coordinate-wise median.
Limitations and Practical Considerations
- Single-Update Selection: Discards information from all non-selected honest clients, which can slow convergence and increase sample complexity.
- Sensitivity to Hyperparameter
f: Performance degrades if the actual number of adversaries exceeds the assumed f. - Non-IID Data Impact: The geometric clustering assumption of honest updates can be violated under highly heterogeneous (non-IID) client data, potentially causing Krum to select a suboptimal, but non-malicious, update.
- High-Dimensional Distance Curse: Euclidean distance measures become less reliable in very high-dimensional spaces (large d).
Relation to Multi-Krum and Bulyan
Krum is often extended or used as a component in more advanced defenses:
- Multi-Krum: Selects a subset of m clients with the best (smallest) scores and averages their updates, improving statistical efficiency.
- Bulyan: A meta-aggregation defense that first uses Krum (or trimmed mean) to select a candidate set of updates, then applies a coordinate-wise trimmed mean to this set to produce the final robust update. This adds a second layer of filtering.
Typical Deployment Context
Krum is deployed in cross-silo or open participation federated learning scenarios where the central server cannot trust all clients. It is a foundational algorithm in the Federated Learning Attack Mitigation toolkit, specifically for countering data poisoning and model update poisoning attacks. It is often compared and benchmarked against other robust aggregators like median and trimmed mean.
Krum Algorithm vs. Other Robust Aggregation Methods
A feature comparison of the Krum algorithm against other prominent Byzantine-robust aggregation rules used in federated learning to defend against malicious or faulty clients.
| Aggregation Feature | Krum Algorithm | Trimmed Mean | Median Aggregation | Bulyan (Meta-Aggregation) |
|---|---|---|---|---|
Core Aggregation Mechanism | Selects single client update with minimal sum of distances to nearest neighbors | Computes coordinate-wise mean after discarding top/bottom fraction of values | Computes coordinate-wise median of all updates | Applies Krum/Trimmed Mean to select candidates, then applies coordinate-wise trimmed mean |
Byzantine Resilience Guarantee | Theoretical guarantees for limited adversarial clients | Strong statistical robustness to outliers | High resilience to extreme outliers | Enhanced guarantees by combining two robust methods |
Output Model Update | A single client's parameter vector | A synthetic average of a subset of clients | The median value per parameter | A synthetic average of a robustly selected subset |
Communication Efficiency (Server->Client) | Transmits one client's model | Transmits averaged synthetic model | Transmits median synthetic model | Transmits averaged synthetic model |
Computational Overhead on Server | O(n² * d) for n clients, d dimensions (pairwise distance calc) | O(n * d) (sorting per dimension) | O(n * d) (median per dimension) | O(n² * d) + O(m * d) for m candidates (two-stage) |
Handles Non-IID Data | Poor; selection can be biased by benign distribution shifts | Moderate; trimming may remove valid but extreme updates | Good; median is less sensitive to distribution skew | Moderate; depends on first-stage selection |
Defense Against Sybil Attacks (Multiple Fake Clients) | Weak; susceptible to colluding adversaries creating a plausible cluster | Moderate; trimming reduces but doesn't eliminate coordinated influence | Strong; median is hard to shift without majority control | Stronger; two-stage filtering increases collusion cost |
Common Hyperparameters | Number of Byzantine clients f to tolerate | Trimming fraction β | None | Number of candidates m, trimming fraction β |
Frequently Asked Questions
The Krum algorithm is a core defensive mechanism in federated learning, designed to ensure the integrity of the global model when some participants are malicious. These questions address its operation, strengths, and practical application.
The Krum algorithm is a Byzantine-robust aggregation rule that selects a single client's model update as the new global model by choosing the vector whose parameters are closest, in Euclidean distance, to its nearest neighbors, thereby filtering out statistical outliers and malicious submissions.
It operates under the Byzantine fault model, which assumes a fraction of clients (f) can send arbitrary, adversarial updates. For each received update vector, Krum calculates the sum of squared distances to its (n - f - 2) closest neighbors, where 'n' is the total number of clients. The update with the smallest sum of distances is deemed the most 'typical' and is selected as the global update for that round. This makes it highly resilient to data poisoning and model poisoning attacks where adversaries attempt to skew the model.
Enabling Efficiency, Speed & Accuracy
Intelligent Analysis, Decision & Execution
We build AI systems for teams that need search across company data, workflow automation across tools, or AI features inside products and internal software.
Talk to Us
Search across company data
Give teams answers from docs, tickets, runbooks, and product data with sources and permissions.
Useful when people spend too long searching or get different answers from different systems.

Automate internal workflows
Use AI to route work, draft outputs, trigger actions, and keep approvals and logs in place.
Useful when repetitive work moves across multiple tools and teams.

Add AI to products and internal tools
Build assistants, guided actions, or decision support into the software your team or customers already use.
Useful when AI needs to be part of the product, not a separate tool.
Related Terms
The Krum algorithm operates within a broader ecosystem of defenses designed to secure federated learning against adversarial clients and data corruption. These related techniques address complementary threat vectors.
Byzantine Robust Aggregation
A class of server-side algorithms designed to produce a correct global model update even when a fraction of participating clients are malicious or faulty, sending arbitrary or adversarial updates. These algorithms do not rely on identifying the attacker but on constructing an update resilient to their influence.
- Core Principle: Tolerates a bounded fraction f of Byzantine clients.
- Mechanisms: Includes geometric methods (like Krum), coordinate-wise statistical aggregation (Median, Trimmed Mean), and meta-aggregation (Bulyan).
- Goal: Ensure convergence to a useful model despite sabotage, backdoors, or model corruption attempts.
Trimmed Mean Aggregation
A robust statistical aggregation rule where, for each model parameter dimension, the server discards a fraction β of the highest and lowest values from the received client updates. The mean of the remaining values is then computed to form the global update for that parameter.
- Process: Applied coordinate-wise across the update vector.
- Robustness: Effective against value-corruption attacks where malicious clients send extreme scalar values for specific parameters.
- Contrast with Krum: While Krum selects a single client's vector, Trimmed Mean aggregates a subset of values per dimension, often providing smoother convergence.
Bulyan
A meta-aggregation Byzantine defense that combines a robust aggregator with a second filtering step. First, it uses a base robust rule (e.g., Krum or Multi-Krum) to select a set of n - 2f candidate updates from n clients, where f is the tolerance limit. Then, it computes the coordinate-wise trimmed mean of these candidates to produce the final robust global update.
- Design: Mitigates the limitations of single-step aggregators; designed to be a strong Byzantine resilient aggregator.
- Advantage: Can defend against more sophisticated colluding attacks that might bypass Krum alone.
- Relation: Often cited alongside Krum as part of the evolution of geometric defense mechanisms.
Gradient Inspection
A server-side defense technique that analyzes the statistics, distribution, or geometry of submitted client model updates (gradients) to detect anomalies indicative of malicious behavior or poor data quality. This is a broader category that includes methods like norm bounding and PCA-based outlier detection.
- Common Techniques:
- Norm Clipping: Bounding the L2-norm of each update to limit the influence of any single client.
- Cosine Similarity: Measuring the directional alignment of an update with a reference (e.g., the update median).
- PCA/Clustering: Identifying updates that fall outside dense clusters in the high-dimensional gradient space.
- Role: Often used as a pre-filtering step before applying an aggregation rule like Krum.
Trust Scoring
A dynamic defense mechanism that assigns and updates a credibility score to each federated client based on the historical quality and consistency of their updates. The server uses these scores to weight client contributions during aggregation, diminishing the influence of unreliable or malicious participants over time.
- Scoring Basis: Can be based on update similarity to a robust aggregate, data quality metrics, or contribution to model improvement.
- Contrast with Krum: Krum makes a binary selection/deselection per round based on spatial proximity. Trust scoring employs a continuous, historical weighting system.
- Synergy: Trust scores can be used to pre-select clients for Krum's distance calculations, making it more efficient.
Byzantine Fault Tolerance (BFT)
A property of a distributed system, inherited from classical distributed computing, to correctly reach consensus on a global state despite a subset of participants behaving arbitrarily or maliciously. In federated learning, the "state" is the global model parameters.
- Formal Guarantee: Provides a theoretical framework for algorithms like Krum, specifying the maximum fraction of faulty clients (f) that can be tolerated.
- Consensus vs. Aggregation: Traditional BFT (e.g., PBFT) aims for exact replica agreement. Federated BFT aims for a statistically robust aggregate of high-dimensional vectors.
- Foundation: Krum and related algorithms are Byzantine-robust aggregation rules that provide BFT for the specific consensus problem of model averaging.

About the author
Prasad Kumkar
CEO & MD, Inference Systems
Prasad Kumkar is the CEO & MD of Inference Systems and writes about AI systems architecture, LLM infrastructure, model serving, evaluation, and production deployment. Over 5+ years, he has worked across computer vision models, L5 autonomous vehicle systems, and LLM research, with a focus on taking complex AI ideas into real-world engineering systems.
His work and writing cover AI systems, large language models, AI agents, multimodal systems, autonomous systems, inference optimization, RAG, evaluation, and production AI engineering.
Partnered with leading AI, data, and software stack.
How We Work
Custom AI workflows for your Business
One-fit-all AI don't work for modern businesses. At Inferensys, we aim to understand your business & custom requirements; which we use to define most efficient agentic workflows, the data, and the tools for your business.
01
Review the use case
We understand the task, the users, and where AI can actually help.
Read more02
Pick the right approach
We define what needs search, automation, or product integration.
Read more03
Build the first useful version
We implement the part that proves the value first.
Read more04
Improve from there
We add the checks and visibility needed to keep it useful.
Read moreThe first call is a practical review of your use case and the right next step.
Talk to Us