Median Aggregation is a robust statistical method used as the server-side aggregation rule in federated learning. For each parameter (coordinate) of the model, the server collects the values from all client updates, sorts them, and selects the median value to form the new global parameter. This process is repeated independently across all model dimensions. Unlike Federated Averaging (FedAvg), which computes a mean, the median's inherent property of ignoring extreme values makes it highly resistant to Byzantine faults and data poisoning attacks from malicious clients submitting arbitrarily large or small updates.
Glossary
Median Aggregation

What is Median Aggregation?
Median Aggregation is a Byzantine-robust federated learning technique where the server computes the coordinate-wise median of all received client model updates to form the new global model, which is highly resilient to extreme outlier values.
The technique provides Byzantine robustness with strong theoretical guarantees, tolerating a significant fraction of adversarial clients—typically just under 50%. Its computational simplicity makes it practical for large-scale deployment. However, Median Aggregation can be less statistically efficient than the mean when all clients are honest, as it discards information from all but the central values. It is often compared with other robust methods like Trimmed Mean Aggregation and the Krum algorithm within the broader category of Byzantine Robust Aggregation defenses.
Key Characteristics of Median Aggregation
Median Aggregation is a server-side defense mechanism in federated learning that replaces the standard averaging of client model updates with a coordinate-wise median calculation, providing inherent resilience to extreme outlier values.
Coordinate-Wise Operation
The algorithm operates independently on each parameter dimension of the model update vector. For a given parameter (e.g., weight W_i), the server collects all values for W_i from the N client updates, sorts them, and selects the median value. This process is repeated for every parameter in the model. This per-coordinate approach is crucial because a malicious update may only corrupt a subset of parameters, and median aggregation can filter those specific dimensions without discarding the entire client contribution.
Breakdown Point of 50%
Median aggregation has a theoretical breakdown point of 50%. This means the global model update remains correct (unbiased towards the malicious values) as long as fewer than half of the participating clients in a given round are Byzantine (malicious or faulty). If malicious clients constitute a majority (>50%), they can control the median value. This property makes it suitable for scenarios with a known, bounded minority of adversaries.
- Key Implication: The system's robustness is defined by the client selection strategy for each round.
Resilience to Arbitrary Outliers
Unlike the mean, the median is highly resistant to extreme values. In federated learning, a malicious client can submit an update with arbitrarily large magnitudes (e.g., setting a parameter to 1,000,000) in an attempt to skew the global model. During coordinate-wise median calculation, this extreme value will simply sit at one end of the sorted list and be ignored, provided it's not the majority. This makes median aggregation a robust defense against sign-flipping attacks and scaling attacks, where adversaries multiply their updates by a large constant.
Convergence Under Heterogeneity
While robust, median aggregation can have slower convergence rates compared to FedAvg under non-IID (Independent and Identically Distributed) data. The median is a non-linear operator, and its application disrupts the theoretical convergence guarantees of standard stochastic gradient descent. Research shows it converges under assumptions of bounded client dissimilarity. In practice, it may require more communication rounds to achieve target accuracy, representing a trade-off between robustness and statistical efficiency.
Computational and Communication Cost
The primary cost is computational on the server. For a model with P parameters and N client updates per round, the server must sort N values for each of the P parameters, leading to a time complexity of O(P * N log N). This is more expensive than FedAvg's O(P * N) but is generally manageable for the central server. Communication costs remain identical to standard federated learning: clients send full model updates, and the server broadcasts the new global model.
Common Variants and Enhancements
Pure coordinate-wise median is often enhanced or combined with other techniques:
- Trimmed Median: Discards a fraction of the highest and lowest values in each dimension before taking the median of the remainder, offering even higher robustness.
- Median-of-Means: Clients are partitioned into groups, the mean is computed within each group, and then the median of those group means is taken. This can improve statistical efficiency.
- Meta-Algorithms (Bulyan): Uses median (or other robust aggregators) to select a candidate set of updates, then applies a second aggregation (like trimmed mean) for final refinement.
How Median Aggregation Works: A Step-by-Step Mechanism
Median Aggregation is a server-side defense mechanism in federated learning that uses coordinate-wise statistical median calculations to form a global model update resilient to extreme outliers from malicious or faulty clients.
The server receives the local model update vectors from all participating clients at the end of a training round. For each individual parameter (weight or bias) in the model, the server collects the corresponding scalar value from every client's update vector. It then sorts this list of values for that specific parameter coordinate and selects the statistical median—the middle value—to form the corresponding parameter in the new global model. This coordinate-wise median operation is repeated independently for every parameter in the model architecture.
This mechanism provides Byzantine fault tolerance because the median is inherently robust to extreme values. A malicious client can submit an arbitrarily large or small update for a parameter, but as long as the majority of clients are honest, the median value remains anchored within the range of honest updates. The final aggregated global update is therefore a vector composed of the median value from each parameter dimension, effectively filtering out adversarial outliers without requiring explicit anomaly detection rules for each submission.
Median Aggregation vs. Other Robust Aggregation Methods
A technical comparison of core Byzantine-robust aggregation rules used in federated learning to defend against malicious or faulty clients.
| Aggregation Method | Median Aggregation | Trimmed Mean | Krum | Bulyan (Meta-Aggregation) |
|---|---|---|---|---|
Core Statistical Principle | Coordinate-wise median | Coordinate-wise mean after trimming extremes | Geometric outlier rejection via nearest neighbors | Multi-step: Krum/Trimmed Mean selection, then coordinate-wise trimmed mean |
Byzantine Resilience Guarantee | High for < 50% malicious clients | High for < 50% malicious clients (depends on trim fraction) | Theoretical guarantee for specific adversarial models | Stronger than constituent methods; resilient to targeted attacks |
Computational Complexity (Server-Side) | O(n log n) per parameter (sorting) | O(n log n) per parameter (sorting for trimming) | O(n² * d) where d is model dimension (pairwise distance calculations) | O(n² * d + n log n) (Krum + Trimmed Mean) |
Communication Overhead | Standard (full vector updates) | Standard (full vector updates) | Standard (full vector updates) | Standard (full vector updates) |
Handles Non-IID Data | Moderate (robust to skewed value distributions) | Good (trimming reduces skew impact) | Poor (distance metrics assume IID-like consistency) | Variable (depends on first-step selection) |
Sensitive to Hyperparameters | No | Yes (trimming fraction β) | Yes (number of selected neighbors f) | Yes (parameters of both constituent methods) |
Outputs a Single Client's Update? | No (synthetic vector) | No (synthetic vector) | Yes (selects one supposedly 'honest' update) | No (synthetic vector from filtered set) |
Common Weakness / Attack Vector | Less efficient with high benign variance; targeted median attacks possible | Requires accurate estimate of malicious fraction β; vulnerable if β is mis-specified | Vulnerable to colluding Sybil attacks that create a cluster of malicious updates | High computational cost; complex parameter tuning |
Frequently Asked Questions
Median Aggregation is a core defensive technique in federated learning, designed to withstand malicious or faulty clients. These questions address its mechanics, advantages, and practical implementation.
Median Aggregation is a Byzantine-robust federated learning algorithm where the central server computes the coordinate-wise median of all received client model updates to form the new global model. Unlike Federated Averaging (FedAvg), which computes the mean, the median is highly resilient to extreme outlier values, making it effective against data poisoning and model poisoning attacks from adversarial clients. For each parameter in the model (e.g., each weight in a neural network), the server collects all values submitted by clients for that specific parameter, sorts them, and selects the middle value (the median). This process is repeated independently for every parameter dimension, creating a robust aggregated update vector.
Enabling Efficiency, Speed & Accuracy
Intelligent Analysis, Decision & Execution
We build AI systems for teams that need search across company data, workflow automation across tools, or AI features inside products and internal software.
Talk to Us
Search across company data
Give teams answers from docs, tickets, runbooks, and product data with sources and permissions.
Useful when people spend too long searching or get different answers from different systems.

Automate internal workflows
Use AI to route work, draft outputs, trigger actions, and keep approvals and logs in place.
Useful when repetitive work moves across multiple tools and teams.

Add AI to products and internal tools
Build assistants, guided actions, or decision support into the software your team or customers already use.
Useful when AI needs to be part of the product, not a separate tool.
Related Terms
Median Aggregation is a core defense within a broader ecosystem of techniques designed to secure federated learning against malicious actors and faulty devices. These related terms define the specific threats, alternative defenses, and complementary privacy mechanisms used in production systems.
Byzantine Robust Aggregation
A class of server-side algorithms designed to produce a correct global model update even when a predetermined fraction of participating clients are malicious or faulty and send arbitrary updates. This is the overarching defensive category to which Median Aggregation belongs.
- Goal: Achieve Byzantine fault tolerance in distributed optimization.
- Key Challenge: The server cannot trust individual updates and must aggregate them robustly.
- Examples: Includes Median, Krum, Bulyan, and Trimmed Mean.
Trimmed Mean Aggregation
A robust statistical aggregation rule where, for each model parameter (coordinate), the server discards a fraction (β) of the highest and lowest values from all client updates before computing the mean of the remaining values.
- Comparison to Median: More statistically efficient than the median when the distribution of honest updates is symmetric and outliers are few, but less robust to extreme outliers on both sides of the distribution.
- Parameter: The trimming fraction β must be set based on the expected fraction of malicious clients.
Krum Algorithm
A Byzantine-robust aggregation rule that selects a single client's model update as the global update. It chooses the vector whose Euclidean distance to its nearest neighbors is the smallest, effectively filtering out statistical outliers.
- Mechanism: For each client update, sum the distances to its n - f - 2 closest neighbors, where n is total clients and f is the tolerated number of malicious clients. The update with the smallest sum is selected.
- Use Case: Highly effective when malicious updates are designed to be colluding and shift the mean, but computationally more expensive than coordinate-wise methods.
Bulyan
A meta-aggregation Byzantine defense that combines a robust selection rule with a robust averaging rule. First, it uses Krum or Multi-Krum to select a subset of candidate updates deemed trustworthy. Then, it applies a coordinate-wise trimmed mean to this subset to produce the final global update.
- Advantage: Provides stronger theoretical guarantees than Krum alone, as the second averaging step further mitigates the influence of any remaining outliers within the selected set.
- Robustness: Proven to be resilient against a higher proportion of adversarial clients under certain attack models.
Gradient Inspection
A server-side defense technique that analyzes the statistics and distribution of submitted client model updates (gradients) to detect anomalies indicative of malicious behavior or poor data quality.
- Common Methods: Checking update norms (L2, L-infinity), comparing against a running mean/covariance, and using dimensionality reduction (like PCA) to visualize clusters of updates.
- Limitation: Sophisticated attacks can craft updates that appear statistically normal (stealthy poisoning) to evade simple inspection, necessitating more advanced geometric or spectral analysis.
Trust Scoring
A dynamic defense mechanism that assigns a credibility score to each federated client based on the historical quality and consistency of their updates. This score is then used to weight their contribution during aggregation.
- How it works: Scores can be based on update similarity to a robust aggregate (like the median), contribution to model improvement on a held-out validation set, or behavioral consistency over time.
- Synergy with Median: A trust score can be used to perform a weighted median, where updates from higher-trust clients have more influence, creating an adaptive, reputation-based robust aggregation system.

About the author
Prasad Kumkar
CEO & MD, Inference Systems
Prasad Kumkar is the CEO & MD of Inference Systems and writes about AI systems architecture, LLM infrastructure, model serving, evaluation, and production deployment. Over 5+ years, he has worked across computer vision models, L5 autonomous vehicle systems, and LLM research, with a focus on taking complex AI ideas into real-world engineering systems.
His work and writing cover AI systems, large language models, AI agents, multimodal systems, autonomous systems, inference optimization, RAG, evaluation, and production AI engineering.
Partnered with leading AI, data, and software stack.
How We Work
Custom AI workflows for your Business
One-fit-all AI don't work for modern businesses. At Inferensys, we aim to understand your business & custom requirements; which we use to define most efficient agentic workflows, the data, and the tools for your business.
01
Review the use case
We understand the task, the users, and where AI can actually help.
Read more02
Pick the right approach
We define what needs search, automation, or product integration.
Read more03
Build the first useful version
We implement the part that proves the value first.
Read more04
Improve from there
We add the checks and visibility needed to keep it useful.
Read moreThe first call is a practical review of your use case and the right next step.
Talk to Us