Federated Learning (FL) has emerged as a prominent paradigm for privacy-preserving distributed training. However, particularly in non-IID and open-participation environments, FL remains highly vulnerable to model poisoning, specifically backdoor attacks. Existing defenses, such as robust aggregation and representation-learning approaches, often struggle against colluding adversaries and adaptive attack strategies, leading to model performance degradation and the propagation of malicious updates. To address these challenges, we propose FLAURA, a robust FL defense framework incorporating adaptive trust evaluation and hybrid aggregation. FLAURA operates within the penultimate-layer representation (PLR) space, integrating a dual-level trust evaluation mechanism. At the global level, it leverages the geometric median of PLRs to robustly estimate the global distribution center, thereby effectively mitigating systematic shifts induced by malicious clusters. At the local level, it employs Maximum Mean Discrepancy (MMD) combined with curvature-based knee point detection to adaptively determine trust boundaries. This design effectively distinguishes benign data heterogeneity from malicious perturbations without requiring prior knowledge of the fraction of adversaries. Furthermore, FLAURA implements a hybrid mechanism of hard filtering and soft weighting to exclude low-trust updates while preserving beneficial model diversity. Extensive experiments on the FMNIST, CIFAR-10, and CIFAR-100 datasets demonstrate that FLAURA significantly outperforms state-of-the-art baselines, reducing attack success rates and target-label confidence while maintaining high accuracy on clean data.
Yang Xiao studied this question.
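The sketch below is an added illustration, not the authors' implementation: it walks the pipeline the abstract describes on constructed data, from a geometric-median center through a distance score and a knee-derived cut-off to hard filtering plus soft weighting. Assumptions: each client is summarized by one mean PLR vector, squared Euclidean distance stands in for MMD (what MMD² reduces to under a linear kernel), the knee is found with a chord-distance rule rather than a curvature estimate, and the exponential weighting and all function names are hypothetical.

```python
import math

# Constructed sample: one mean PLR vector per client (2-D for readability).
# Clients 0-6 are benign and heterogeneous; clients 7-9 are a colluding cluster.
CLIENT_PLRS = [(0.0, 0.1), (0.3, -0.2), (-0.4, 0.2), (0.5, 0.4), (-0.2, -0.5),
               (0.1, 0.6), (-0.6, -0.1), (8.0, 8.0), (8.2, 7.9), (7.9, 8.1)]

def mean_point(points):
    return tuple(sum(col) / len(points) for col in zip(*points))

def geometric_median(points, iters=200, eps=1e-9):
    """Weiszfeld iteration: minimises the sum of Euclidean distances to the points."""
    est = mean_point(points)
    for _ in range(iters):
        w = [1.0 / max(math.dist(p, est), eps) for p in points]
        new = tuple(sum(wi * c for wi, c in zip(w, col)) / sum(w) for col in zip(*points))
        if math.dist(new, est) < eps:
            return new
        est = new
    return est

def knee_threshold(scores):
    """Knee of the sorted score curve: the point farthest below the end-to-end chord."""
    s = sorted(scores)
    n, span = len(s), s[-1] - s[0]
    if n < 3 or span == 0:
        return s[-1]                      # no visible knee: keep every client
    gaps = [i / (n - 1) - (s[i] - s[0]) / span for i in range(n)]
    return s[max(range(n), key=gaps.__getitem__)]

def trust_weights(plrs):
    """Hard-filter clients past the knee, then soft-weight the rest by closeness."""
    center = geometric_median(plrs)
    # Assumption: squared distance of mean PLRs, i.e. MMD^2 under a linear kernel.
    scores = [math.dist(p, center) ** 2 for p in plrs]
    tau = max(knee_threshold(scores), 1e-12)
    raw = [math.exp(-sc / tau) if sc <= tau else 0.0 for sc in scores]
    total = sum(raw)
    return center, [r / total for r in raw]

if __name__ == "__main__":
    center, weights = trust_weights(CLIENT_PLRS)
    print("mean   :", [round(c, 2) for c in mean_point(CLIENT_PLRS)])
    print("median :", [round(c, 2) for c in center])
    print("weights:", [round(w, 3) for w in weights])
```

On this sample the arithmetic mean is dragged toward the colluding cluster while the geometric median stays inside the benign group, so the three colluders land past the knee and receive zero weight. The chord rule always cuts somewhere when scores differ, so in a round with no outliers it would still drop the most distant benign clients.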