Suchul Lee, Journal of Internet Computing and Services, Vol. 27, No. 1, pp. 67-78, Feb. 2026
10.7472/jksii.2026.27.1.67, Full Text:  HTML
Keywords: Federated learning, Federated Adversarial Training, Non-IID, Byzantine-robust Aggregation, Differential privacy

Abstract

We re-define robustness in Federated Learning (FL) under an expanded threat model that spans test-time adversarial examples, training-time data/model poisoning and Byzantine behaviors, and privacy attacks. We analyze how non-IID data, partial participation, and constrained communication/computation interact with inner adversary generation and global aggregation, yielding concurrent drops in natural/robust accuracy and convergence instability. Building on this diagnosis, we survey recent progress in Federated Adversarial Training (FAT) across design axes—calibration and decision-boundary shaping, representation alignment and knowledge transfer, aggregation coupling and certification, and personalization and efficiency—highlighting mechanisms, gains, and limitations. We further show that Byzantine-robust aggregation can bias learning under non-IID by truncating normal variability, and we discuss the structural privacy–communication/compute–robustness trade-offs from a multi-objective perspective. Finally, we present an attack–defense mapping and evaluation guidelines to improve comparability and reproducibility, providing a foundation for future work that jointly optimizes calibration/alignment with aggregation, privacy, and certification in robust FL.

Statistics
Cite this article