pith. sign in

arxiv: 2512.13647 · v2 · pith:2PDKGCS5new · submitted 2025-12-15 · 📡 eess.AS

REVERB-FL: Server-Side Adversarial and Reserve-Enhanced Federated Learning for Robust Audio Classification

Sathwika Peechara , Rajeev Sahay This is my paper

Pith reviewed 2026-05-21 16:31 UTC · model grok-4.3

classification 📡 eess.AS
keywords federated learningaudio classificationmodel poisoningadversarial trainingreserve setserver-side defensenon-IID dataconvergence analysis
0
0 comments X

The pith

REVERB-FL defends federated audio classifiers from poisoning by retraining on a small server reserve set and shows faster convergence than standard averaging.

A machine-rendered reading of the paper's core claim, the machinery that carries it, and where it could break.

REVERB-FL adds a server-side defense to federated learning for audio classification that counters poisoning attacks from compromised clients. It keeps a small clean reserve set and uses pre- and post-aggregation retraining plus adversarial examples to reduce non-IID drift and bias in the global model without changing client behavior or the aggregation step. Theory shows the method converges faster and reaches lower steady-state error than plain federated averaging. Experiments on two audio datasets confirm it works under IID and non-IID partitions and against several local poisoning designs.

Core claim

REVERB-FL mitigates global model poisoning in federated audio classification by coupling a small reserve set with pre- and post-aggregation retraining and adversarial training at the server, counteracting non-IID drift and achieving faster convergence with reduced steady-state error relative to baseline federated averaging.

What carries the argument

The server-side reserve-set retraining loop, which refines the aggregated global model on clean or adversarially perturbed reserve data after each local round.

If this is right

  • REVERB-FL mitigates global model poisoning under multiple designs of local data poisoning.
  • It achieves faster convergence than baseline federated averaging on audio classification tasks.
  • It produces reduced steady-state error relative to federated averaging.
  • Effectiveness holds across IID and Dirichlet non-IID data partitions without client-side cost.

Where Pith is reading between the lines

These are editorial extensions of the paper, not claims the author makes directly.

  • The server-only design could integrate directly into existing federated audio systems without protocol changes.
  • Similar reserve-set retraining might be tested on image or sensor classification to check if the convergence gains generalize.
  • Reducing reserve-set size below five percent while preserving defense strength would be a direct next measurement.

Load-bearing premise

The server holds a small clean reserve set that stays uncompromised and can be used repeatedly for retraining without privacy violations or client changes.

What would settle it

Run the framework without the reserve set or with a poisoned reserve set and check whether poisoning still succeeds and convergence reverts to baseline federated averaging rates.

Figures

Figures reproduced from arXiv: 2512.13647 by Rajeev Sahay, Sathwika Peechara.

Figure 1
Figure 1. Figure 1: Global accuracy over communication rounds on AudioMNIST dataset under (a) clean, (b) PGD, (c) AWGN, and (d) FGSM poisoning attacks with [PITH_FULL_IMAGE:figures/full_fig_p006_1.png] view at source ↗
Figure 2
Figure 2. Figure 2: Global accuracy over communication rounds on UrbanSound8K dataset under (a) clean, (b) PGD, (c) AWGN, and (d) FGSM poisoning attacks with [PITH_FULL_IMAGE:figures/full_fig_p007_2.png] view at source ↗
Figure 3
Figure 3. Figure 3: Global accuracy over communication rounds on AudioMNIST dataset under (a) clean, (b) PGD, (c) AWGN, and (d) FGSM poisoning attacks with [PITH_FULL_IMAGE:figures/full_fig_p008_3.png] view at source ↗
Figure 4
Figure 4. Figure 4: Global accuracy over communication rounds on UrbanSound8K dataset under (a) clean, (b) PGD, (c) AWGN, and (d) FGSM poisoning attacks with [PITH_FULL_IMAGE:figures/full_fig_p010_4.png] view at source ↗
read the original abstract

Federated learning (FL) enables a privacy-preserving training paradigm for audio classification but is highly sensitive to client heterogeneity and poisoning attacks, where adversarially compromised clients can bias the global model and hinder the performance of audio classifiers. To mitigate the effects of model poisoning for audio signal classification, we present REVERB-FL, a lightweight, server-side defense that couples a small reserve set (approximately 5%) with pre- and post-aggregation retraining and adversarial training. After each local training round, the server refines the global model on the reserve set with either clean or additional adversarially perturbed data, thereby counteracting non-IID drift and mitigating potential model poisoning without adding substantial client-side cost or altering the aggregation process. We theoretically demonstrate the feasibility of our framework, showing faster convergence and a reduced steady-state error relative to baseline federated averaging. We validate our framework on two open-source audio classification datasets with varying IID and Dirichlet non-IID partitions and demonstrate that REVERB-FL mitigates global model poisoning under multiple designs of local data poisoning.

Editorial analysis

A structured set of objections, weighed in public.

Desk editor's note, referee report, simulated authors' rebuttal, and a circularity audit. Tearing a paper down is the easy half of reading it; the pith above is the substance, this is the friction.

Referee Report

2 major / 2 minor

Summary. The paper proposes REVERB-FL, a server-side defense for federated learning in audio classification. It couples a small (~5%) clean reserve set with pre- and post-aggregation retraining (optionally including adversarial perturbations) to mitigate model poisoning from compromised clients and counteract non-IID drift, without client-side changes. The work claims theoretical feasibility via faster convergence and reduced steady-state error relative to standard FedAvg, with empirical validation on two audio datasets under IID and Dirichlet partitions against multiple local data poisoning designs.

Significance. If the central claims hold, the result would offer a practical, lightweight server-only enhancement for robust FL-based audio classifiers in privacy-sensitive settings. The combination of poisoning mitigation with convergence benefits, while preserving the standard aggregation process, addresses two key barriers to deploying FL on heterogeneous audio data.

major comments (2)
  1. [Abstract / Theoretical Analysis] Abstract and theoretical analysis: the claims of faster convergence and reduced steady-state error relative to FedAvg rest on the reserve-set retraining step, yet the manuscript provides no explicit derivation showing how this step alters the standard FedAvg error bounds or convergence rate; the analysis appears to invoke unmodified FedAvg results.
  2. [Abstract] Abstract: the mitigation of global model poisoning under multiple local data poisoning designs is asserted to hold via the clean reserve set, but no sensitivity analysis, contamination experiments, or distributional mismatch tests are reported for the ~5% reserve set itself.
minor comments (2)
  1. [Methods] The description of adversarial perturbation generation and magnitude selection during reserve-set retraining lacks sufficient implementation detail for reproducibility.
  2. [Experiments] Empirical sections report performance on two datasets but omit error bars, number of random seeds, or statistical tests, weakening assessment of the reported gains.

Simulated Author's Rebuttal

2 responses · 0 unresolved

We thank the referee for the constructive feedback on our manuscript. The comments identify key areas where additional rigor can strengthen the presentation of the theoretical analysis and the empirical validation of the reserve set. We address each major comment below and describe the planned revisions.

read point-by-point responses

  1. Referee: [Abstract / Theoretical Analysis] Abstract and theoretical analysis: the claims of faster convergence and reduced steady-state error relative to FedAvg rest on the reserve-set retraining step, yet the manuscript provides no explicit derivation showing how this step alters the standard FedAvg error bounds or convergence rate; the analysis appears to invoke unmodified FedAvg results.

    Authors: We appreciate the referee's observation. The manuscript's theoretical section builds on FedAvg convergence results while arguing that the server-side reserve-set retraining reduces effective client drift and poisoning bias, thereby improving the rate and steady-state error. However, we acknowledge that an explicit step-by-step derivation linking the retraining update to modified bounds is not provided in sufficient detail. In the revised version we will expand the theoretical analysis to include a formal derivation that isolates the contribution of the pre- and post-aggregation retraining steps and shows how they tighten the existing FedAvg error bounds under the stated assumptions on the reserve set. revision: yes

  2. Referee: [Abstract] Abstract: the mitigation of global model poisoning under multiple local data poisoning designs is asserted to hold via the clean reserve set, but no sensitivity analysis, contamination experiments, or distributional mismatch tests are reported for the ~5% reserve set itself.

    Authors: We thank the referee for highlighting this gap. The current experiments evaluate REVERB-FL against several poisoning attacks using a fixed ~5% clean reserve set, but they do not systematically vary reserve-set size, introduce controlled contamination, or test distributional mismatch between the reserve set and client data. We agree these analyses would strengthen the claims. In the revision we will add a dedicated sensitivity subsection that reports results for reserve-set sizes ranging from 1% to 10%, experiments with partial contamination of the reserve set, and tests under controlled distributional mismatch, all while keeping the server-only nature of the defense intact. revision: yes

Circularity Check

0 steps flagged

No significant circularity; REVERB-FL procedure and analysis are self-contained

full rationale

The paper introduces REVERB-FL as a new server-side procedure that applies pre- and post-aggregation retraining on an assumed clean reserve set, then analyzes its effect on convergence relative to standard FedAvg. No equations or claims reduce a prediction or result to a fitted parameter by construction, nor do they rely on self-citations whose content is itself unverified or load-bearing for the central result. The theoretical statements are presented as extensions of existing FedAvg analysis rather than self-referential definitions, and the reserve-set mechanism is an explicit modeling assumption rather than a derived quantity. The derivation chain therefore remains independent of its own outputs.

Axiom & Free-Parameter Ledger

0 free parameters · 1 axioms · 1 invented entities

The framework depends on the existence of an untainted server-side reserve set and standard convergence properties of federated averaging; no explicit free parameters or new physical entities are introduced in the abstract.

axioms (1)
  • standard math Standard federated averaging convergence assumptions hold under the described non-IID partitions
    Invoked to support the claim of faster convergence and reduced steady-state error.
invented entities (1)
  • Reserve set no independent evidence
    purpose: Server-side clean data used for pre- and post-aggregation retraining to counteract drift and poisoning
    Introduced as a core component of the defense; no independent evidence outside the method is provided.

pith-pipeline@v0.9.0 · 5722 in / 1286 out tokens · 47519 ms · 2026-05-21T16:31:43.728297+00:00 · methodology

discussion (0)

Sign in with ORCID, Apple, or X to comment. Anyone can read and Pith papers without signing in.

Reference graph

Works this paper leans on

45 extracted references · 45 canonical work pages · 5 internal anchors

  1. [1]

    Federated Learning for Mobile Keyboard Prediction

    A. Hard, K. Rao, R. Mathews, F. Beaufays, S. Augenstein, H. Eichner, C. Kiddon, and D. Ramage, “Federated learning for mobile keyboard prediction,”CoRR, vol. abs/1811.03604, 2018. [Online]. Available: http://arxiv.org/abs/1811.03604

    work page internal anchor Pith review Pith/arXiv arXiv 2018

  2. [2]

    Communication-efficient learning of deep networks from decentralized data,

    B. McMahan, E. Moore, D. Ramage, S. Hampson, and B. A. y Arcas, “Communication-efficient learning of deep networks from decentralized data,” inArtificial intelligence and statistics, 2017, pp. 1273–1282

    work page 2017

  3. [3]

    Analyzing federated learning through an adversarial lens,

    A. N. Bhagoji, S. Chakraborty, P. Mittal, and S. Calo, “Analyzing federated learning through an adversarial lens,” inProceedings of the 36th International Conference on Machine Learning, 2019, pp. 634–643

    work page 2019

  4. [4]

    Survey on federated learning threats: concepts, taxonomy on attacks and defences, experimental study and challenges,

    N. Rodr’iguez-Barroso, D. J. L’opez, M. V . Luz’on, F. Herrera, and E. Mart ´ınez-C´amara, “Survey on federated learning threats: concepts, taxonomy on attacks and defences, experimental study and challenges,” ArXiv, vol. abs/2201.08135, 2022

    work page arXiv 2022

  5. [5]

    FedRDF: A Robust and Dynamic Aggregation Function Against Poisoning Attacks in Federated Learning ,

    E. M. Campos, A. Gonzalez-Vidal, J. L. Hernandez-Ramos, and A. Skarmeta, “ FedRDF: A Robust and Dynamic Aggregation Function Against Poisoning Attacks in Federated Learning ,”IEEE Transactions on Emerging Topics in Computing, vol. 13, no. 01, pp. 48–67, 2025

    work page 2025

  6. [6]

    A robust approach for securing audio classification against adversarial attacks,

    M. Esmaeilpour, P. Cardinal, and A. Lameiras Koerich, “A robust approach for securing audio classification against adversarial attacks,” IEEE Transactions on Information Forensics and Security, vol. 15, pp. 2147–2159, 2020

    work page 2020

  7. [7]

    The impact of adversarial attacks on federated learning: A survey,

    K. N. Kumar, C. K. Mohan, and L. R. Cenkeramaddi, “The impact of adversarial attacks on federated learning: A survey,”IEEE Transactions on Pattern Analysis and Machine Intelligence, vol. 46, no. 5, pp. 2672– 2691, 2024

    work page 2024

  8. [8]

    Mitigating evasion attacks in federated learning based signal classifiers,

    S. Wang, R. Sahay, A. Piaseczny, and C. G. Brinton, “Mitigating evasion attacks in federated learning based signal classifiers,”IEEE Transactions on Network Science and Engineering, vol. 12, no. 5, pp. 3933–3947, 2025

    work page 2025

  9. [9]

    Federated learning: A signal processing perspective,

    T. Gafni, N. Shlezinger, K. Cohen, Y . C. Eldar, and H. V . Poor, “Federated learning: A signal processing perspective,”IEEE Signal Processing Magazine, vol. 39, no. 3, pp. 14–41, 2022

    work page 2022

  10. [10]

    Machine learning with adversaries: byzantine tolerant gradient descent,

    P. Blanchard, E. M. El Mhamdi, R. Guerraoui, and J. Stainer, “Machine learning with adversaries: byzantine tolerant gradient descent,” inPro- ceedings of the 31st International Conference on Neural Information Processing Systems, 2017, p. 118–128

    work page 2017

  11. [11]

    Byzantine-robust dis- tributed learning: Towards optimal statistical rates,

    D. Yin, Y . Chen, R. Kannan, and P. Bartlett, “Byzantine-robust dis- tributed learning: Towards optimal statistical rates,” inProceedings of the 35th International Conference on Machine Learning, 2018, pp. 5650– 5659

    work page 2018

  12. [12]

    The hidden vulnera- bility of distributed learning in byzantium,

    E. M. E. Mhamdi, R. Guerraoui, and S. Rouault, “The hidden vulnera- bility of distributed learning in byzantium,” inInternational conference on machine learning. PMLR, 2018, pp. 3521–3530

    work page 2018

  13. [13]

    Draco: Byzantine-resilient distributed training via redundant gradients,

    L. Chen, H. Wang, Z. Charles, and D. Papailiopoulos, “Draco: Byzantine-resilient distributed training via redundant gradients,” inIn- ternational Conference on Machine Learning, 2018, pp. 903–912

    work page 2018

  14. [14]

    Byzantine-robust and communication- efficient distributed non-convex learning over non-iid data,

    X. He, H. Zhu, and Q. Ling, “Byzantine-robust and communication- efficient distributed non-convex learning over non-iid data,” in2022 IEEE International Conference on Acoustics, Speech and Signal Pro- cessing (ICASSP), 2022, pp. 5223–5227

    work page 2022

  15. [15]

    Fedrra: Reputation- aware robust federated learning against poisoning attacks,

    L. Yi, X. Shi, W. Wang, G. Wang, and X. Liu, “Fedrra: Reputation- aware robust federated learning against poisoning attacks,” in2023 International Joint Conference on Neural Networks (IJCNN), 2023, pp. 1–8

    work page 2023

  16. [16]

    Environmental sound classification with convolutional neural networks,

    K. J. Piczak, “Environmental sound classification with convolutional neural networks,” in2015 IEEE 25th International Workshop on Ma- chine Learning for Signal Processing (MLSP), 2015, pp. 1–6

    work page 2015

  17. [17]

    Spectrogram transformers for audio classification,

    Y . Zhang, B. Li, H. Fang, and Q. Meng, “Spectrogram transformers for audio classification,” in2022 IEEE International Conference on Imaging Systems and Techniques (IST), 2022, pp. 1–6

    work page 2022

  18. [18]

    Self-supervised learning of audio representations from audio-visual data using spatial alignment,

    S. Wang, A. Politis, A. Mesaros, and T. Virtanen, “Self-supervised learning of audio representations from audio-visual data using spatial alignment,”IEEE Journal of Selected Topics in Signal Processing, vol. 16, no. 6, pp. 1467–1479, 2022

    work page 2022

  19. [19]

    Very deep convolutional neural networks for raw waveforms,

    W. Dai, C. Dai, S. Qu, J. Li, and S. Das, “Very deep convolutional neural networks for raw waveforms,” in2017 IEEE International Conference on Acoustics, Speech and Signal Processing (ICASSP), 2017, pp. 421– 425

    work page 2017

  20. [20]

    Robust federated learning against adversarial attacks for speech emotion recognition,

    Y . Chang, S. Laridi, Z. Ren, G. Palmer, B. W. Schuller, and M. Fisichella, “Robust federated learning against adversarial attacks for speech emotion recognition,” 2022. [Online]. Available: https: //arxiv.org/abs/2203.04696

    work page arXiv 2022

  21. [21]

    Feder- ated semi-supervised learning for industrial sound analysis and keyword spotting,

    S. Grollmisch, T. K ¨ollmer, A. Yaroshchuk, and H. Lukashevich, “Feder- ated semi-supervised learning for industrial sound analysis and keyword spotting,” in2025 IEEE International Conference on Acoustics, Speech, and Signal Processing Workshops (ICASSPW), 2025, pp. 1–5

    work page 2025

  22. [22]

    General or specific? investigating effective privacy protection in federated learning for speech emotion recognition,

    C. Tan, Y . Cao, S. Li, and M. Yoshikawa, “General or specific? investigating effective privacy protection in federated learning for speech emotion recognition,” in2023 IEEE International Conference on Acous- tics, Speech and Signal Processing (ICASSP), 2023, pp. 1–5

    work page 2023

  23. [23]

    Measuring the Effects of Non-Identical Data Distribution for Federated Visual Classification

    T.-M. H. Hsu, H. Qi, and M. Brown, “Measuring the effects of non-identical data distribution for federated visual classification,” 2019. [Online]. Available: https://arxiv.org/abs/1909.06335

    work page internal anchor Pith review Pith/arXiv arXiv 2019

  24. [24]

    Federated optimization in heterogeneous networks,

    T. Li, A. K. Sahu, M. Zaheer, M. Sanjabi, A. Talwalkar, and V . Smith, “Federated optimization in heterogeneous networks,”Proceedings of Machine learning and systems, vol. 2, pp. 429–450, 2020

    work page 2020

  25. [25]

    Personalized federated learning with theoretical guarantees: a model-agnostic meta-learning approach,

    A. Fallah, A. Mokhtari, and A. Ozdaglar, “Personalized federated learning with theoretical guarantees: a model-agnostic meta-learning approach,” inProceedings of the 34th International Conference on Neural Information Processing Systems, 2020

    work page 2020

  26. [26]

    SCAFFOLD: Stochastic controlled averaging for federated learning,

    S. P. Karimireddy, S. Kale, M. Mohri, S. Reddi, S. Stich, and A. T. Suresh, “SCAFFOLD: Stochastic controlled averaging for federated learning,” inProceedings of the 37th International Conference on Machine Learning, vol. 119, 2020, pp. 5132–5143

    work page 2020

  27. [27]

    Explaining and Harnessing Adversarial Examples

    I. J. Goodfellow, J. Shlens, and C. Szegedy, “Explaining and harnessing adversarial examples,” 2015. [Online]. Available: https: //arxiv.org/abs/1412.6572

    work page internal anchor Pith review Pith/arXiv arXiv 2015

  28. [28]

    Towards Deep Learning Models Resistant to Adversarial Attacks

    A. Madry, A. Makelov, L. Schmidt, D. Tsipras, and A. Vladu, “Towards deep learning models resistant to adversarial attacks,” 2019. [Online]. Available: https://arxiv.org/abs/1706.06083

    work page internal anchor Pith review Pith/arXiv arXiv 2019

  29. [29]

    How potent are evasion attacks for poisoning federated learning-based signal classifiers?

    S. Wang, R. Sahay, and C. G. Brinton, “How potent are evasion attacks for poisoning federated learning-based signal classifiers?” inICC 2023- IEEE International Conference on Communications, 2023, pp. 2376– 2381

    work page 2023

  30. [30]

    Knowledge distillation based defense for audio trigger backdoor in federated learning,

    Y .-W. Chen, B.-H. Ke, B.-Z. Chen, S.-R. Chiu, C.-W. Tu, and J.-J. Kuo, “Knowledge distillation based defense for audio trigger backdoor in federated learning,” in2023 IEEE Global Communications Conference, 2023, pp. 4271–4276

    work page 2023

  31. [31]

    Personalized federated learn- ing with moreau envelopes,

    C. T. Dinh, N. H. Tran, and T. D. Nguyen, “Personalized federated learn- ing with moreau envelopes,” inProceedings of the 34th International Conference on Neural Information Processing Systems, 2020

    work page 2020

  32. [32]

    Ensemble adversarial training: Attacks and defenses,

    F. Tram `er, A. Kurakin, N. Papernot, I. Goodfellow, D. Boneh, and P. McDaniel, “Ensemble adversarial training: Attacks and defenses,”

    work page

  33. [33]

    Available: https://arxiv.org/abs/1705.07204

    [Online]. Available: https://arxiv.org/abs/1705.07204

    work page arXiv

  34. [34]

    Adversarial machine learning in industry: A systematic literature review,

    F. V . Jedrzejewski, L. Thode, J. Fischbach, T. Gorschek, D. Mendez, and N. Lavesson, “Adversarial machine learning in industry: A systematic literature review,”Computers & Security, vol. 145, p. 103988, 2024

    work page 2024

  35. [35]

    Federated adversarial defense with adver- sarial training and personalized evaluation,

    L. Yan, Q. Zhu, and X. Zhai, “Federated adversarial defense with adver- sarial training and personalized evaluation,” in2025 2nd International Conference on Digital Media, Communication and Information Systems (DMCIS), 2025, pp. 121–124

    work page 2025

  36. [36]

    Short term spectral analysis, synthesis, and modification by discrete fourier transform,

    J. Allen, “Short term spectral analysis, synthesis, and modification by discrete fourier transform,”IEEE Transactions on Acoustics, Speech, and Signal Processing, vol. 25, no. 3, pp. 235–238, 1977

    work page 1977

  37. [37]

    A dirichlet process mixture of dirichlet distributions for classification and prediction,

    N. Bouguila and D. Ziou, “A dirichlet process mixture of dirichlet distributions for classification and prediction,” in2008 IEEE Workshop on Machine Learning for Signal Processing, 2008, pp. 297–302

    work page 2008

  38. [38]

    Federated Learning with Non-IID Data

    Y . Zhao, M. Li, L. Lai, N. Suda, D. Civin, and V . Chandra, “Federated learning with non-iid data,”arXiv preprint arXiv:1806.00582, 2018

    work page internal anchor Pith review Pith/arXiv arXiv 2018

  39. [39]

    On the convergence of fedavg on non-iid data,

    X. Li, K. Huang, W. Yang, S. Wang, and Z. Zhang, “On the convergence of fedavg on non-iid data,” in8th International Conference on Learning Representations, 2020

    work page 2020

  40. [40]

    Tackling the objective inconsistency problem in heterogeneous federated optimiza- tion,

    J. Wang, Q. Liu, H. Liang, G. Joshi, and H. V . Poor, “Tackling the objective inconsistency problem in heterogeneous federated optimiza- tion,”Advances in neural information processing systems, vol. 33, pp. 7611–7623, 2020. 12

    work page 2020

  41. [41]

    A new look and convergence rate of federated multitask learning with laplacian regularization,

    C. T. Dinh, T. T. Vu, N. H. Tran, M. N. Dao, and H. Zhang, “A new look and convergence rate of federated multitask learning with laplacian regularization,”IEEE Transactions on Neural Networks and Learning Systems, vol. 35, no. 6, pp. 8075–8085, 2022

    work page 2022

  42. [42]

    Audiomnist: Exploring explainable artificial intelligence for audio analysis on a simple benchmark,

    S. Becker, J. Vielhaben, M. Ackermann, K.-R. M ¨uller, S. Lapuschkin, and W. Samek, “Audiomnist: Exploring explainable artificial intelligence for audio analysis on a simple benchmark,”Journal of the Franklin Institute, vol. 361, no. 1, pp. 418–428, 2024

    work page 2024

  43. [43]

    A dataset and taxonomy for urban sound research,

    J. Salamon, C. Jacoby, and J. P. Bello, “A dataset and taxonomy for urban sound research,” inProceedings of the 22nd ACM International Conference on Multimedia, 2014, p. 1041–1044

    work page 2014

  44. [44]

    Mitigating poisoning attacks in federated learning through deep one- class classification,

    A. Zhang, P. Zhao, W. Lu, Y . Zhou, W. Zhang, and G. Zhang, “Mitigating poisoning attacks in federated learning through deep one- class classification,”IEEE Transactions on Cognitive Communications and Networking, pp. 1–1, 2025

    work page 2025

  45. [45]

    Udfed: A universal defense scheme for various poisoning attacks on federated learning,

    J. Deng, C. Li, N. Zhang, J. Yang, and J. Gao, “Udfed: A universal defense scheme for various poisoning attacks on federated learning,” IEEE Transactions on Information Forensics and Security, vol. 20, pp. 10 480–10 494, 2025. APPENDIXA PROOF OFTHEOREM1 Notation recap.The global objective isφ(θ) = 1 N PN n=1 φn(θ)with optimal minimizer value φ⋆ = min θ φ(...

    work page 2025