Inferensys

Glossary

Krum

A Byzantine-resilient aggregation rule that selects the single local update with the smallest sum of squared distances to its nearest neighbors to filter out malicious gradients in distributed machine learning.
Developer working on RAG retrieval system, document chunks visible on screen, technical workspace with code editor.
BYZANTINE-RESILIENT AGGREGATION

What is Krum?

Krum is a Byzantine-resilient aggregation rule for distributed machine learning that selects a single local update as the global model by identifying the vector with the minimal sum of squared Euclidean distances to its closest neighbors, effectively filtering out malicious gradients.

Krum operates on the geometric intuition that honest gradient updates from non-IID data will cluster together in vector space, while Byzantine (arbitrarily malicious) updates will appear as outliers. For each candidate update among n participants, the algorithm computes the sum of squared distances to its n - f - 2 nearest neighbors, where f is the maximum number of tolerated Byzantine workers. The update minimizing this local distance score is selected as the global model for that round, inherently discarding poisoned or erratic vectors without requiring prior knowledge of the attack strategy.

The algorithm provides provable Byzantine resilience under the assumption that the honest gradients are concentrated around a common mean and that 2f + 2 < n. Unlike Federated Averaging (FedAvg), which is vulnerable to a single malicious update skewing the mean, Krum's selection-based mechanism guarantees convergence even when up to f workers are adversarial. Variants like Multi-Krum extend this by averaging the top m closest updates to improve statistical efficiency, trading a marginal increase in vulnerability for faster convergence in high-dimensional, non-convex federated learning environments.

KRUM AGGREGATION EXPLAINED

Frequently Asked Questions

Clear, technical answers to the most common questions about the Krum Byzantine-resilient aggregation rule, its mechanism, and its role in securing federated learning against malicious actors.

The Krum aggregation rule is a Byzantine-resilient algorithm designed to select a single honest gradient update from a set of n local updates, even when up to f of those updates are malicious. It operates by calculating, for each local update vector V_i, the sum of squared Euclidean distances to its n - f - 2 closest neighboring vectors. The update with the minimum sum of distances is selected as the global model's update for that round. This mechanism assumes that honest updates will naturally cluster together in the parameter space, while arbitrary or adversarial Byzantine gradients will appear as geometric outliers. By selecting the vector that is closest to its neighbors, Krum effectively filters out poisoned updates without requiring prior knowledge of the attack strategy, providing a foundational defense in federated learning security.

Byzantine-Resilient Aggregation

Key Properties of Krum

Krum is a foundational aggregation rule for distributed machine learning that selects a single, representative model update from a cluster, effectively neutralizing the influence of malicious or arbitrarily faulty nodes without requiring prior knowledge of the attack.

01

Distance-Based Selection Logic

Krum operates on a simple geometric intuition: a benign gradient update will be close to many other benign updates, while a malicious one will be an outlier. The algorithm computes the sum of squared Euclidean distances from each local update to its n - f - 2 closest neighbors, where n is the total number of nodes and f is the maximum number of tolerated Byzantine nodes. The update with the smallest cumulative distance score is selected as the global model update for that round, effectively ignoring poisoned or erratic vectors.

02

Byzantine Fault Tolerance Guarantee

Krum provides a formal resilience guarantee against Byzantine failures in synchronous distributed systems. The algorithm is proven to converge under the assumption that the number of malicious nodes f satisfies 2f + 2 < n. This means Krum can tolerate up to (n-3)/2 adversarial nodes. Unlike median-based aggregation, Krum's selection of a single, complete update vector prevents an attacker from shifting the aggregate even slightly by injecting a carefully crafted malicious gradient.

03

Computational Complexity Profile

The time complexity of Krum is O(n² * d), where n is the number of workers and d is the dimensionality of the gradient vector. This quadratic scaling with the number of nodes arises from the need to compute pairwise distances between all submitted updates. While this is computationally heavier than simple averaging, it is a necessary trade-off for the strong Byzantine resilience. For very large d, the distance computation dominates, making Krum most practical in cross-silo settings with a moderate number of high-value nodes.

04

Multi-Krum Variant

A key limitation of the original Krum is that it discards all but one update, wasting the computational work of benign nodes. Multi-Krum addresses this by iteratively applying the Krum selection rule. After the first vector is selected, it is removed from the candidate pool, and the process repeats to select m vectors. The final global update is the arithmetic mean of these m selected vectors. This variant improves statistical efficiency and convergence speed while retaining strong Byzantine resilience.

05

Vulnerability to Dimensionality Attacks

Krum's Euclidean distance metric becomes less discriminative in high-dimensional spaces, a phenomenon known as the curse of dimensionality. In very deep neural networks with millions of parameters, the distance between any two gradient vectors can become nearly uniform, making it harder to distinguish outliers. Furthermore, a sophisticated adversary can craft omniscient attacks that generate a malicious gradient appearing closer to the benign cluster than some legitimate updates, potentially subverting the selection process in extreme high-dimensional regimes.

06

Practical Deployment in Federated Learning

Krum is particularly suited for cross-silo federated learning scenarios with a small, known number of institutional participants (e.g., hospitals or banks) where the trust model is adversarial. In these settings, the O(n² * d) complexity is manageable, and the strong Byzantine guarantee is critical. It is less suited for cross-device settings with thousands of mobile devices due to the quadratic scaling and the assumption that the server can identify and enumerate all potential nodes to compute the n - f - 2 neighborhood size.

BYZANTINE-RESILIENT AGGREGATION COMPARISON

Krum vs. Other Aggregation Rules

Comparative analysis of Krum against other aggregation rules used in federated learning to tolerate Byzantine failures and malicious gradient updates.

FeatureKrumMulti-KrumTrimmed MeanMedianBulyan

Core Mechanism

Selects single vector with minimal sum of squared distances to n-f-2 closest neighbors

Averages m Krum-selected vectors iteratively

Removes fraction of extreme values per coordinate then averages

Computes coordinate-wise median of all updates

Combines Krum selection with trimmed mean for enhanced resilience

Byzantine Tolerance (f attackers)

Up to f < n/2

Up to f < n/2

Up to f < n/2

Up to f < n/2

Up to f < n/4

Computational Complexity

O(n² · d)

O(m · n² · d)

O(n · d · log n)

O(n · d)

O(n² · d + n · d · log n)

Output Type

Single local update

Averaged vector

Averaged vector

Coordinate-wise median

Averaged vector

Vulnerability to Dimensional Attacks

Resilient via Euclidean distance

Resilient via Euclidean distance

Vulnerable to per-coordinate manipulation

Vulnerable to per-coordinate manipulation

Resilient via Krum pre-filtering

Convergence Rate

Slower due to single-update selection

Improved over Krum

Comparable to FedAvg

Comparable to FedAvg

Slower due to two-stage filtering

Statistical Efficiency

Low; discards majority of updates

Moderate; uses m updates

High; retains most updates

Moderate; discards extremes

Moderate; discards outliers then trims

Hyperparameter Sensitivity

Low; only requires f estimate

Moderate; requires f and m

Moderate; requires trimming fraction β

None

High; requires f, m, and trimming fraction

Prasad Kumkar

About the author

Prasad Kumkar

CEO & MD, Inference Systems

Prasad Kumkar is the CEO & MD of Inference Systems and writes about AI systems architecture, LLM infrastructure, model serving, evaluation, and production deployment. Over 5+ years, he has worked across computer vision models, L5 autonomous vehicle systems, and LLM research, with a focus on taking complex AI ideas into real-world engineering systems.

His work and writing cover AI systems, large language models, AI agents, multimodal systems, autonomous systems, inference optimization, RAG, evaluation, and production AI engineering.