Byzantine-Resilient Aggregation is a class of robust aggregation rules that ensures a federated learning system continues to converge to an accurate global model even when a subset of participating clients are adversarial, faulty, or sending arbitrarily corrupted updates. Unlike standard Federated Averaging (FedAvg), which is highly vulnerable to a single malicious update, these algorithms use statistical selection or median-based operations to filter out anomalous gradients before model integration.
Glossary
Byzantine-Resilient Aggregation

What is Byzantine-Resilient Aggregation?
A class of robust aggregation rules designed to maintain global model convergence even when a subset of participating clients are malicious or send corrupted updates in a federated learning system.
Key algorithms include Krum, which selects the single update that is closest to its neighbors in vector space, and Trimmed Mean or Median, which operate coordinate-wise to discard extreme values. These methods are critical for Federated Model Security in multi-institutional healthcare networks where a compromised edge device or a malicious actor could otherwise poison the global diagnostic model, ensuring Byzantine Fault Tolerance without requiring prior identification of the adversarial clients.
Key Byzantine-Resilient Aggregation Algorithms
A survey of the primary algorithmic defenses that ensure global model convergence in federated learning systems even when a fraction of participating nodes are adversarial, faulty, or sending arbitrary updates.
Krum
A distance-based aggregation rule that selects a single local model update as the global update. Krum computes the sum of squared Euclidean distances from each candidate update to its n - b - 2 closest neighbors, where b is the estimated number of Byzantine clients. The update with the minimal sum is chosen.
- Byzantine Tolerance: Tolerates up to
bByzantine clients out ofntotal clients, provided2b + 2 < n. - Selection Mechanism: Discards updates that are geometric outliers, assuming honest updates cluster together in parameter space.
- Computational Complexity:
O(n^2 * d)wheredis the number of model parameters, making it expensive for high-dimensional models. - Variant: Multi-Krum averages the top-
mscoring updates instead of selecting a single one, improving convergence stability.
Trimmed Mean
A coordinate-wise aggregation strategy that sorts each model parameter independently across all client updates, discards the largest and smallest b values, and computes the mean of the remaining values.
- Mechanism: For each weight in the model, the top
band bottombvalues are removed before averaging. - Byzantine Tolerance: Effective against sign-flipping attacks and additive noise, but vulnerable to more subtle, coordinated perturbations.
- Assumption: Relies on the distribution of honest updates being symmetric and concentrated around the true mean.
- Practical Use: Often combined with differential privacy noise addition to provide a dual privacy-robustness guarantee.
Median
The simplest robust aggregation operator. For each model parameter coordinate, the server computes the median of the values received from all clients, replacing the arithmetic mean entirely.
- Breakdown Point: Theoretically achieves the optimal breakdown point of 50%, meaning it can tolerate up to just under half of clients being Byzantine.
- Limitation: In high-dimensional, non-i.i.d. settings, the coordinate-wise median does not guarantee convergence because it ignores the joint distribution of parameters.
- Variant: Geometric Median computes a single vector that minimizes the sum of Euclidean distances to all client updates, preserving the joint structure. This is typically solved via Weiszfeld's algorithm.
Bulyan
A two-phase meta-aggregator designed to combine the strong outlier resistance of Krum with the variance reduction of Trimmed Mean. It specifically defends against a high-dimensional attack that can defeat coordinate-wise methods.
- Phase 1: Iteratively applies Krum to select a subset of
thetacandidate updates, wherethetais chosen such that the subset is guaranteed to contain a majority of honest updates. - Phase 2: Applies a variant of Trimmed Mean to the selected subset, discarding the extreme values per coordinate.
- Guarantee: Provides provable convergence under a stronger Byzantine resilience model than either Krum or Trimmed Mean alone.
- Cost: High computational overhead due to the iterative application of Krum.
RSA (Robust Stochastic Aggregation)
A regularization-based approach that frames robust aggregation as a penalized optimization problem. Instead of filtering updates, the server adds a penalty term to the aggregation objective that is small for honest updates and large for outliers.
- Mechanism: Uses robust loss functions like Huber loss or Tukey's biweight during the aggregation step to down-weight the influence of extreme gradient values.
- Advantage: Does not require pre-specifying the number of Byzantine clients
b. - Integration: Can be implemented as a drop-in replacement for the mean in standard FedAvg.
- Trade-off: The choice of regularization hyperparameter
lambdais critical and often requires federated hyperparameter tuning.
RAGE (Robust Aggregation with Gradient Estimation)
A server-side defense that maintains a momentum-based estimate of the true global gradient direction and rejects client updates that deviate significantly from this historical trajectory.
- Core Idea: Byzantine updates are likely to be inconsistent with the recent history of honest gradient directions.
- Detection: Computes the cosine similarity between each incoming update and the server's running gradient estimate. Updates below a threshold are discarded.
- Resilience: Effective against model replacement and backdoor attacks that attempt to steer the model toward a malicious objective.
- Statefulness: Requires the server to maintain persistent state across rounds, adding a minor storage overhead.
Frequently Asked Questions
Clear, technically precise answers to the most common questions about securing federated learning against adversarial clients and corrupted updates.
Byzantine-Resilient Aggregation is a class of robust aggregation rules designed to maintain global model convergence in federated learning even when a subset of participating clients are malicious, faulty, or sending arbitrarily corrupted updates. Unlike standard Federated Averaging (FedAvg), which computes a simple weighted mean and is highly vulnerable to a single poisoned update, Byzantine-resilient operators function by statistically filtering out outliers before aggregation. The mechanism typically involves the central server analyzing the geometry of received gradient vectors or weight updates. Algorithms like Krum select the single update that is closest to its neighbors in vector space, effectively ignoring isolated malicious contributions. Trimmed Mean independently sorts each coordinate of the update vectors and discards the extreme values before averaging the remainder. Median aggregation replaces the mean with the coordinate-wise median, which is inherently robust to outliers. These methods are provably resilient up to a theoretical bound, typically tolerating less than 50% of clients being Byzantine, though practical security often requires a much lower fraction for stable convergence.
Byzantine-Resilient vs. Standard Aggregation
A comparison of aggregation strategies in federated learning, contrasting standard averaging with Byzantine-resilient rules designed to maintain convergence in the presence of malicious or faulty clients.
| Feature | Standard Aggregation (FedAvg) | Krum | Trimmed Mean |
|---|---|---|---|
Core Mechanism | Weighted average of all client updates | Selects the single update closest to its neighbors in vector space | Sorts coordinate values and discards extremes before averaging |
Byzantine Fault Tolerance | |||
Max Malicious Clients Tolerated | 0% | Up to 33% of total clients | Up to 25% of total clients |
Computational Overhead | O(n) linear with client count | O(n²) pairwise distance computation | O(n log n) per-coordinate sorting |
Convergence Under Attack | Diverges or produces arbitrary model | Provably converges to near-optimal model | Provably converges to near-optimal model |
Communication Efficiency | High (single round aggregation) | Moderate (requires full update vectors) | High (operates on update vectors directly) |
Best Suited For | Trusted, homogeneous environments | High-security cross-silo healthcare networks | Large-scale cross-device deployments |
Vulnerability to Sybil Attacks | High (single malicious update can dominate) | Low (selection-based, not average-based) | Moderate (coordinated attacks on coordinate extremes) |
Enabling Efficiency, Speed & Accuracy
Intelligent Analysis, Decision & Execution
We build AI systems for teams that need search across company data, workflow automation across tools, or AI features inside products and internal software.
Talk to Us
Search across company data
Give teams answers from docs, tickets, runbooks, and product data with sources and permissions.
Useful when people spend too long searching or get different answers from different systems.

Automate internal workflows
Use AI to route work, draft outputs, trigger actions, and keep approvals and logs in place.
Useful when repetitive work moves across multiple tools and teams.

Add AI to products and internal tools
Build assistants, guided actions, or decision support into the software your team or customers already use.
Useful when AI needs to be part of the product, not a separate tool.
Related Terms
Understanding Byzantine-Resilient Aggregation requires familiarity with the threat models it mitigates and the robust algorithms that enable secure convergence in adversarial federated learning environments.
Byzantine Fault Tolerance
The foundational system property that Byzantine-resilient aggregation aims to achieve. It describes a distributed system's ability to reach consensus and continue operating correctly even when some components fail arbitrarily or act maliciously. In federated learning, this means the global model must converge despite clients sending corrupted gradients, random noise, or coordinated adversarial updates designed to poison the model.
Trimmed Mean Aggregation
A coordinate-wise robust aggregation strategy that sorts each dimension of the received gradient vectors independently and discards the largest and smallest k values before averaging the remainder. This simple yet effective defense assumes that malicious updates will manifest as extreme values. It is computationally efficient but can struggle against omniscient adversaries who craft Byzantine updates that fall within the benign distribution's range while still corrupting the model.
Median Aggregation
A highly robust, coordinate-wise aggregation rule that replaces the weighted mean with the coordinate-wise median of all client updates. It is provably resilient to arbitrary corruption from up to 50% of clients minus one. While offering strong theoretical guarantees, Median aggregation can significantly slow convergence in high-dimensional, non-IID settings because it ignores the magnitude of updates and only considers their central rank, discarding useful gradient information from honest outliers.
Data Poisoning Attacks
The primary threat vector that Byzantine-resilient aggregation defends against. In a model poisoning attack, an adversary controls one or more clients and manipulates their local training data or directly crafts malicious model updates to corrupt the global model. Goals include:
- Targeted poisoning: Causing misclassification on a specific trigger (backdoor).
- Untargeted poisoning: Maximizing global model error.
- Gradient scaling: Amplifying malicious updates to overpower honest contributions.
Federated Secure Aggregation
A complementary cryptographic protocol often confused with Byzantine resilience. Secure Aggregation (SecAgg) uses secret sharing to ensure the central server can only compute the sum of client updates without inspecting individual contributions, protecting privacy. However, SecAgg provides no defense against poisoning; a malicious client can still submit a corrupted update, and the server cannot audit it. Production systems often layer Byzantine-resilient rules on top of SecAgg for combined privacy and robustness.

About the author
Prasad Kumkar
CEO & MD, Inference Systems
Prasad Kumkar is the CEO & MD of Inference Systems and writes about AI systems architecture, LLM infrastructure, model serving, evaluation, and production deployment. Over 5+ years, he has worked across computer vision models, L5 autonomous vehicle systems, and LLM research, with a focus on taking complex AI ideas into real-world engineering systems.
His work and writing cover AI systems, large language models, AI agents, multimodal systems, autonomous systems, inference optimization, RAG, evaluation, and production AI engineering.
Partnered with leading AI, data, and software stack.
How We Work
Custom AI workflows for your Business
One-fit-all AI don't work for modern businesses. At Inferensys, we aim to understand your business & custom requirements; which we use to define most efficient agentic workflows, the data, and the tools for your business.
01
Review the use case
We understand the task, the users, and where AI can actually help.
Read more02
Pick the right approach
We define what needs search, automation, or product integration.
Read more03
Build the first useful version
We implement the part that proves the value first.
Read more04
Improve from there
We add the checks and visibility needed to keep it useful.
Read moreThe first call is a practical review of your use case and the right next step.
Talk to Us