1 Introduction

Nowadays, the exponential growth in fields, such as healthcare, the Internet of Things (IoT), and cloud computing, has highlighted the urgent need to protect data privacy. Traditional centralized approaches, where raw data are aggregated into a single cloud repository, face critical challenges in safeguarding sensitive information. For instance, in cloud-based medical systems, even advanced privacy techniques like differential privacy [1] or hybrid encryption [2] cannot fully eliminate risks during data transmission and storage, as adversaries may exploit model updates to infer private attributes [3]. Similarly, IoT-centric cloud environments demand lightweight yet robust protection mechanisms to balance security and efficiency, a challenge highlighted in [4], where centralized data processing struggles to scale for resource-constrained devices.

Compared with conventional Centralized Learning (CL), Federated Learning (FL) has advantages in terms of distributed storage, computing, and private data preservation [5, 6]. FL addresses these limitations by decentralizing the learning process: participants collaboratively train a shared model without exposing raw data, thereby inherently aligning with privacy-by-design principles. Unlike conventional cloud-based methods that rely on post hoc anonymization [7], FL minimizes attack surfaces by keeping data localized—a paradigm shift validated by recent studies showing FL’s superiority in reducing inference attacks by 40% compared to differential privacy-based cloud models [1]. Furthermore, FL’s efficiency in handling distributed data sources makes it particularly suited for IoT and edge computing scenarios [4], where bandwidth constraints and latency sensitivity preclude centralized solutions. Fan et al. [8] proposed a 5G IoT intrusion detection framework based on FL. In this frame, a network intrusion detection model is constructed based on a Convolutional Neural Network (CNN), and a powerful intrusion detection model is trained using FL. By integrating the strengths of distributed optimization and privacy preservation, FL not only mitigates risks inherent to cloud environments [2] but also paves the way for scalable, secure AI in critical applications ranging from real-time anomaly detection [3] to cross-institutional medical research [1]. In FL, training terminals update their trained local model parameters to the server. The server aggregates the parameters and trains a global model.

However, the global model is more vulnerable to poisoning attacks when the aggregation and update procedures are processed [9]. In view of the problem of poisoning attacks, researchers have recently carried out studies on its classification. Kaiouz et al. [10] showed that the modes of poison attacks include data and model poison attacks. Attackers can manipulate the training data in FL by injecting poisonous updates into the local model. This leads to the global model learning patterns from the poisoned data and working according to the attacker's intention. Poisoning attacks are highly destructive to the FL process as they can completely destroy or tamper with the model's accuracy.

Considering the impact of poisoning attacks, it is necessary to develop a defense method to protect FL systems from poisoning attacks. Generally, if a defense method can purify remote updates of local models and obtain a trusted joint model, it is considered successful [11]. Existing defense methods include identifying malicious uploads through an evaluation mechanism designed for local model updates or development based on Byzantine tolerance [12]. However, most of the existing defense methods only regard malicious updates of poisoning attacks as global exceptions in the FL system and do not evaluate the impact on each client. At the same time, many existing defense methods adopt synchronous methods, which cannot effectively detect an attacked client.

This paper proposes a new framework, the Federated Weighted Learning Algorithm (FWLA). FWLA integrates a residual test method to self-adjust and optimize the weight of each client during update process. It also fuses an asynchronous method for clients to upload parameters independently. Besides, the proposed FWLA framework is evaluated through theoretical analysis and comprehensive experiments. In summary, the main contributions of this paper are as follows:

  • A new architecture named FWLA is proposed in this paper. Specifically designed for the decentralized and privacy sensitive nature of FL, it introduces a dynamic client weighting mechanism to address the poisoning attacks in FL by improving the client update model mechanism and loss function.

  • By replacing synchronous aggregation with client-driven asynchronous updates, FWLA reduces communication latency by 62% and enables immediate poisoning detection through server residual testing. This addresses both efficiency bottlenecks and stealthy attack scenarios unique to FL systems.

  • Extensive empirical studies on 3 FL benchmark datasets are conducted to show the superiority of proposed FWLA algorithm.

The rest of this paper is organized as follows: Section 2 introduces some CL and FL algorithms, as well as FL poisoning attacks and defense methods. Section 3 analyzes the shortcomings of existing methods and the motivation for creating FWLA. In Section 4, the adaptive weighting factor and iterative and asynchronous training methods used by the FWLA are given. The performance of FWLA is tested and compared through experiments in Section 5. The proposed FWLA framework is summarized in Section 6.

2 Related Works

Over the years, there have been significant advances related to asynchronous training for FL and defense against poison attacks. Some outstanding advances will be introduced.

2.1 Centralized Learning and Federated Learning Algorithms

The CL algorithm considers the entire system as a unified entity and employs single-agent reinforcement learning for training. The Random Forest (RF) algorithm is a CL algorithm that has the advantages of fewer parameters and stronger antinoise ability, which is not easy to overfit [13]. Thus, RF has been widely mentioned in recent research [14]. Zhang et al. [15] proposed a Three-way Selection Random Forest (TSRF) algorithm based on decision boundary entropy, which does not lose randomness and reduces the impact of redundant attributes on decision results [16]. As a type of CL algorithm, Extreme Gradient Boosting (XGBoost) is an algorithm based on a gradient enhancement tree for tree boosting which avoids overfitting. Combined with classification and regression tree theory, XGBoost can be a very effective method for regression and classification problems. Qiu et al. proposed that XGBoost can symbolize a soft computing library that combines new algorithms with Gradient Boosting Decision Tree (GBDT) methods [17].

FL is a decentralized machine learning solution for training data. Rjoub et al. [18] proposed the Federated Averaging (FedAVG) algorithm, which enables clients to perform multiple batch updates on their local data and then transmit the updated weights to the server. Then, the server obtains the average of the weights to export the global model of the next training iteration. In FedAVG, the server updates the global model by calculating the weighted average of the received local weight [19]. Zhao et al. [20] proposed that Federated Stochastic Gradient Descent (FedSGD) [5] can adopt a distributed stochastic gradient descent algorithm for collaborative optimization. After receiving the server's parameters, the clients update the training locally and upload the gradient to the server. Unlike the FedAvg algorithm, in the FedSGD algorithm, clients upload updated gradients instead of model parameters to the central aggregator. In this paper, the performance of several CL and FL algorithms is compared with that of FWLA.

2.2 Asynchronous Training of Federated Learning

Recently, asynchronous optimization has received increased attention in distributed learning. Asynchronous updating is more efficient and flexible than synchronous training, because clients can upload data separately.

Lian et al. [21] proposed the Asynchronous Decentralized Parallel Stochastic Gradient Decent algorithm (AD-PSGD), in which workers do not wait for all others and only communicate in a decentralized fashion, enabling wait-free computation and communication. Gamboa-Montero et al. [22] established an asynchronous, client-driven federated system in which the client decides when to upload its model to the server rather than having the server force the update. Chen et al. [23] proposed an asynchronous FL model, developed a lightweight node selection algorithm in the model, and proposed using iterative local selection of heterogeneous IoT nodes to participate in global learning aggregation. Local computing resources are limited by the number of generations and batch size in each iteration, thus completing the learning process more efficiently than the existing hypothetical synchronous update method. In this paper, the asynchronous training mode is fused in the new framework, and an iterative threshold is established to improve accuracy and training efficiency.

2.3 Defense Against Federated Learning Poisoning Attacks

Motivated by the aforementioned issues, defense against poisoning attacks in FL has recently become a hotspot. Generally, defense strategies can be classified into two categories [24]: identifying malicious uploads via evaluation mechanisms designed for local model updates and designing novel aggregation algorithms based on mathematical statistics. Wang et al. clearly demonstrated the two defense strategies. Tahmasebian et al. proposed an optimized truth inference method to evaluate the reliability of the updates of the local model before submission to the global model. The experiments showed that these methods are robust to malicious clients with label flipping, noisy data, and Byzantine attacks compared to that of conventional aggregation methods [25].

Based on the strategy mentioned above of designing novel aggregation algorithms, some other defense methods have been proposed. For example, in aggregation methods based on statistics, data are selected in a statistical manner using the trimmed mean, median, and Krum and Bulyan methods. In the trimmed mean method [26], each parameter of the model is selected independently. After the maximum and minimum value are removed, the mean value will be calculated and assigned to the aggregated parameter value. However, for the median method [26], the server sequences the \(j{\text{ - th}}\) parameter of \(m\) local models, and the median one is the \(j{\text{ - th}}\) parameter of the global model. Experiments have validated the effectiveness of the median and trimmed mean operations in an adversarial setting. In the Krum rule [27], among \(m\) local models, the model that is closest to others will be used as the global model, which limits the impact of malicious attackers. The Bulyan method [28] combines the Krum and trimmed mean methods, where the trimmed mean method is implemented and the Krum method is used for selection circularly through the updates. The Bulyan method does not suffer the fragility of existing aggregation rules and has a reasonable cost in terms of required batch size, which is the state-of-the-art method in defending against poisoning attacks. However, it was found that the trimming mean and median methods do not satisfy the precision and robustness targets. In addition, Krum and Bulyan methods may take longer to reduce defense efficiency. To improve the efficiency of defense against poisoning attacks, the defense method of residual test is proposed in FWLA.

The comparative analysis of the limitations between FWLA and existing methods is summarized in Table 1.

Table 1 Comparative analysis of limitations between FWLA and existing methods
Full size table

3 Motivation

After analyzing the two strategies for defending against poisoning attacks, it is found that the strategy that identifies malicious uploads via evaluation mechanisms designed for local model updates has the advantage of effectively identifying malicious nodes. However, these evaluation methods need to check the data submitted by customers, thus increasing the calculation time and resource consumption. In addition, collecting part of the data for the server as the basis for verification will cause privacy problems. The other strategy which designs novel aggregation algorithms has satisfactory convergence and an acceptable error rate in terms of the theory of specific objective functions. However, considerable computing resources will be consumed when the number of clients is large.

Meanwhile, Zhang et al. [29] presented an island loss function, which is commonly used at present. This method has good efficiency in terms of reducing the intraclass distance and improving the interclass distance. The island loss function is described as shown in Eq. (1)

$$l_{ECE} = l_{EL} + \lambda_{c} \cdot l_{CDL} \cdot l_{EDL} .$$
(1)

In Eq. (1), \(l_{EL}\) represents the exponential loss (EL), and \(\lambda_{c}\) represents the weight of cosine distance loss (CDL) in the island loss function. Using \(l_{CDL}\) for the cosine distance loss and \(l_{EDL}\) for the Euclidean distance loss (EDL), ECE is used in this formula to represent the combination of EL, CDL, and EDL. The calculation processes of \(l_{EL}\), \(l_{CDL}\), and \(l_{EDL}\) can be described by Eq. (2)

$$\begin{gathered} l_{EL} = \sum\limits_{i = 1}^{m} {\left( {_{ - e}^{{^{{ - \frac{1}{2}\left\| {x_{i} - c_{{y_{i} }} } \right\|^{2} }} }} + 1} \right)} \hfill \\ l_{CDL} = \sum\limits_{{c_{j} \in N}} {\sum\limits_{{c_{k} \in N,c_{k} \ne c_{j} }} {\left( {\frac{{c_{k} \cdot c_{j} }}{{\left\| {c_{k} } \right\|_{2} \left\| {c_{j} } \right\|_{2} }} + 1} \right)} } \hfill \\ l_{EDL} = \frac{1}{{\sum\limits_{{c_{j} \in N}} {\sum\limits_{{c_{k} \in N,c_{k} \ne c_{j} }} {\left( {\frac{{c_{k} \cdot c_{j} }}{{\left\| {c_{j} - c_{k} } \right\|_{2} \cdot p_{j} \cdot p_{k} }}} \right)} } }}. \hfill \\ \end{gathered}$$
(2)

In the equation above, \(x_{j}\) represents the features of the \(j{\text{ - th}}\) sample, \(y_{j}\) is the label of the \(j{\text{ - th}}\) sample, and \(c_{{y_{j} }}\) represents the center of the \(y_{j} {\text{ - th}}\) class. \(N\) is the total number of all classes, \(c_{k}\) represents the center of the \(k{\text{ - th}}\) class, and \(p_{k}\) means the ratio of the samples of the \(k{\text{ - th}}\) class in \(m\) samples.

However, while the island loss function method performs well to some extent, it still has some limitations: (1) the parameter \(c_{{y_{j} }}\) only represents the overall \(y_{j} {\text{ - th}}\) class and ignores the weight of different samples in the \(y_{j} {\text{ - th}}\) class (i.e., poisoned clients and normal clients). (2) \(p_{j}\) is only a proportion of the number of samples, but ignores the quality of the samples themselves. The FWLA proposed in this paper is designed to solve the above problems.

To further improve the efficiency of defense against poisoning attacks, a new local model update design is proposed in this paper. At the same time, to solve the problem of existing island functions, a new federated learning algorithm named FWLA is proposed, which has the following advantages:

  1. 1.

    FWLA synthetically considers the server and clients by combining evaluation methods and aggregation methods, and enhancing the robustness of the model, while the traditional algorithms are simply based on aggregation algorithms.

  2. 2.

    In FWLA, the weight of each client is self-adjusted during the updating process, and the client hit by poisoning attacks will be downweighted when the server computes the global model parameters.

  3. 3.

    Unlike the Bulyan method, which only uses iterative methods on each dimension, FWLA fuses asynchronous training methods and residual testing methods in the iterative process. In this way, each client can upload parameters independently to improve calculation efficiency and accuracy.

4 Method

4.1 Problem Formulation and Model Overview

Assume that there are N clients indexed by \(i\). \(D_{i}\) is the training datasets, \(D_{i}^{p}\) is the poisonous training datasets, and \(D_{i}^{c}\) is the clean training datasets. The number of local epochs is \(E\), and the local model of client \(i\) at epoch \(t\) is \(M_{i}^{t}\).

First, the server trains the global model \(M_{G}^{0}\), and then, the client \(i\) downloads the global model \(M_{G}^{0}\) and turns it into the local model \(M_{i}^{0}\). Then, \(N\) clients utilize their own local model \(M_{i}^{0}\) and local private training dataset \(D_{i}\) to train a new local model \(M_{i}^{t}\), \({\text{t}} \in (0,E)\). After that, the parameters of the local models are evaluated and updated to the server. These parameters are aggregated by some algorithms to form \(M_{a}^{t + 1}\), i.e., \(M_{a}^{t + 1} { = }f\left( {M_{1}^{t} ,M_{2}^{t} ,...,M_{N}^{t} } \right)\). The parameters of each local model could be updated by a synchronous or asynchronous method. If client \(i\) is an adversary, then \(D_{i}\) will become \(D_{i}^{p}\). Otherwise, \(D_{i}\) will become \(D_{i}^{c}\). If client \(i\) trains \(M_{i}^{t}\) with \(D_{i}^{p}\), \(M_{i}^{t}\) could be malicious. Furthermore, it could have an adverse impact on the global model.

In FWLA, the parameters of local models are evaluated and aggregated by two specific loss functions. Meanwhile, each client \(i\) has a weight \(w_{i}\), which can be modulated in FWLA to reduce the adverse impact of malicious \(M_{i}^{t}\). The asynchronous method is used to satisfy the demands of efficiency and flexibility with FWLA.

4.2 The Proposed Method

Each client uploads training data to the server asynchronously in FWLA. Thus, the detection of clients can be accelerated. The client and server obtain the loss functions \(L_{{\text{C}}}^{{\text{t}}}\) and \(L_{{\text{S}}}^{{\text{t}}}\) generated by training. The proposed FWLA combines Eqs. (1) and (2). On this basis, the use of \(EL\) to represent the loss of the server is proposed, and the loss function of the client is in the form of \(CDL \cdot EDL\). When the client's loss function deviates greatly from the center, it can be determined that it has been poisoned. Thus, the weights of malicious clients are reduced, so that the server cannot overstudy the attacked samples. The global loss functions \(L_{{\text{S - Gross}}}^{{\text{t}}}\) and \(L_{{\text{C - Gross}}}^{{\text{t}}}\) and training loss functions \(L_{{\text{C}}}^{{\text{t}}}\) and \(L_{{\text{S}}}^{{\text{t}}}\) are iterated. The iterative process can gradually reduce the weights of poisoned clients. As long as the server receives uploads from 80% of clients, it updates the global model and distributes it to the client. When the server loss is less than \(10^{{{ - }4}}\) in 10 epochs, the training is ended. The framework of the FWLA can be seen in Fig. 1.

Fig. 1
figure 1

Framework of FWLA

Full size image

Illustration of FWLA framework in Fig. 1:

  • Server: Initializes the global model, performs residual testing, and dynamically adjusts client weights.

  • Clients: Asynchronously train local models.

  • Key Operations:

① Initialize the global model on the server and broadcast it to the client;

② Asynchronous training of local models on the client side and uploading to the server;

③ Perform residual testing and calculate loss function;

④ Dynamically adjust weights and update the global model;

⑤ Perform global aggregation to generate the final global model and end the training.

As illustrated in Fig. 1, FWLA operates through three phases: (1) global model initialization, (2) asynchronous client updates with residual testing, and (3) dynamic aggregation. During phase 1, the server distributes the initial model \(M_{G}^{{}}\) to all clients. In phase 2, each client \(i\) trains locally on \(D_{i}\) and asynchronously uploads parameters, which are immediately evaluated by the server via residual testing (Eq. 4-7). Finally, phase 3 assigns adaptive weights \(w_{i}\) (Eq. 15-16) to suppress malicious clients, ensuring robust global updates. The above methods can be depicted as follows.

4.2.1 The Computation of Adaptive Weighted Factors

Consider the Gauss‒Markov model proposed in the literature [30]

$$Y = X\beta + e,\;\;{\text{E}}(e) = 0,\;\;{\text{Cov}}(e) = \sigma^{2} {\text{V}}{.}$$
(3)

Referring to this model [25], Eq. (4) is proposed to test the residual error

$$L = AX + \Delta ,$$
(4)

where \(L{ = }\left( {L_{1} , \cdots ,L_{n} } \right)^{{\text{T}}}\) is the \(n \times 1\) observation vector, \(A{ = }\left( {a_{1} , \cdots a_{n} } \right)^{{\text{T}}}\) is the \(n \times t\) column full-rank design matrix, \({\text{rank}}\left( A \right) = t\), \(X\) is the \(t \times 1\) unknown parameter vector, and \(\Delta { = }\left( {\Delta_{1} , \cdots ,\Delta_{n} } \right)^{{\text{T}}}\) is the \(n \times 1\) random error vector.

The random nature of the error △ can be described as

$$E(\Delta ) = AX,D(\Delta ) = \sigma_{0}^{2} P^{ - 1} ,$$
(5)

where \(\sigma_{0}^{2}\) is the unknown unit weight variance factor, and the weight matrix \(P\,{ = }\,{\text{diag}}\,{(}p_{1} {,} \cdots ,p_{n} {)}\).

According to the least-squares (LS) principle [31], the estimation of unknown parameters is

$$\hat{X} = (A^{T} PA)^{ - 1} A^{T} PL.$$
(6)

The corresponding residuals are

$$V = A\hat{X} - L = - RL,$$
(7)

where \(R = I_{n} - A(A^{T} PA)^{ - 1} A^{T} P\) is the adjustment factor matrix.

We multiply both sides of Eq. (4) by \(R\) at the same time to obtain

$$R\Delta \,\, = \,\,RL.$$
(8)

Equation (8) indicates that there is no approximation between the true error and the observed value. Since R is rank deficient, it cannot be solved directly by the LS principle, which shows that Eq. (4) is insufficient. To solve this problem, the idea of quasistable adjustment is used in this paper to construct a new objective function by considering quasi-observations [32]. Suppose \(r(r> t)\), quasi-observations are selected and the corresponding observation equation is

$$L_{r} = A{}_{r}X_{r} + \Delta_{r} .$$
(9)

Using the LS principle, it is easy to obtain the equation

$$A_{r}^{T} Q_{r}^{ - 1} V_{r} = 0,$$
(10)

where \(Q\) and \(V\) are the corresponding cofactor matrix and residual vector, respectively.

If the quasi-observation value is reasonably selected, the corresponding observation will be cleaned and pollution-free and the corresponding residual can be replaced by the true error as follows:

$$A_{r}^{T} Q_{r}^{ - 1} \Delta_{r} = 0.$$
(11)

The combined Eq. (8) can be derived

$$\left\{ {\begin{array}{*{20}c} {R\Delta = RL} \\ {G\Delta = 0} \\ \end{array} } \right.,$$
(12)

where \(G = A_{r}^{T} Q_{r}^{ - 1} W\), \(\Delta r\,{ = }\,W\Delta\), \(W\) denotes the transformation matrix between \(\Delta r\) and \(\Delta\). It can be seen from Eq. (10) that \(\Delta r\) is a part of \(\Delta\) and \(W\) is a \(r \times n\) dimensional matrix composed of 0 and 1.

Equation (12) can be solved by the Lagrange extreme value function [24]

$$\Omega = (R\Delta - RL)^{T} (RP^{ - 1} ) - (R\Delta - RL) + 2\lambda^{T} G\Delta .$$
(13)

The difference between the sample data and the center is

$$\overline{\Delta } = (PR + G^{T} G)^{ - 1} PRL.$$
(14)

Using the above theoretical analysis, the center of the \(k{\text{ - th}}\) class \(c_{k}\) and its corresponding weight \(p_{k}\) can be calculated using Eqs. (13) and (14), respectively, where \(L_{k}^{{}}\) represents all the sample data in client \(C\)

$$c_{k} = (PR + G^{T} G)^{ - 1} PRL_{k}^{{}}$$
(15)
$$p_{k} = \frac{1}{{(PR + G^{T} G)^{ - 1} PRc_{k} }}.$$
(16)

4.2.2 The Iteration of Parameters

The parameters of the server and client loss functions \(L_{{\text{S}}}\) and \(L_{{{\text{C}}_{{\text{i}}} }}\) are iteratively updated by Eqs. (17) and (18), respectively

$$L_{S - Gross}^{t + 1} = L_{S}^{t} + \sum\limits_{i = 1}^{n} {w_{i} \cdot L_{{C_{i} - Gross}}^{t} }$$
(17)
$$L_{{C_{i} - Gross}}^{t + 1} \, = \,L_{S - Gross}^{t + 1} \, + \,\lambda_{i} \cdot \,L_{{C_{i} }}^{t + 1} .$$
(18)

In Eq. (17), \(L_{{\text{S - Gross}}}^{{\text{t + 1}}}\) is the gross loss function of the server at rand \(t{ + }1\) and \(L_{S}^{t}\) is the corresponding loss function at rand \(t\) that is produced by training the server. \(w_{i}\) is the weight of the \(i{\text{ - th}}\) client loss function, and \(L_{{C_{{\text{i}}} {\text{ - Gross}}}}^{{\text{t}}}\) is the gross loss function of the \(i{\text{ - th}}\) client at rand \(t\). Assume there are \(n\) clients in total, \(w_{i}\) should meet two requirements: \(w_{i} \ge 0\) and \(\sum {_{{i\, = \,1}}^{n} } w_{i} = 1\). In Eq. (18), \(L_{{C_{{\text{i}}} - {\text{Gross}}}}^{{{\text{t + }}1}}\) is the gross loss function of the \(i{\text{ - th}}\) client at rand \(t{ + }1\), \(L_{{C_{{\text{i}}} }}^{{\text{t + 1}}}\) is the corresponding loss function produced by training the \(i{\text{ - th}}\) client, and \({\uplambda }_{i}\) is the ratio of the data amount in the \(i{\text{ - th}}\) client among all the clients.

The iterative process for the server and client is as follows: The server maintains a benchmark dataset with precise labels. First, the server trains a global model with the benchmark dataset to generate \(L_{{\text{S}}}^{{0}}\). At this stage, \(t = 0\), \(w_{i} = \frac{1}{n}\) and \(L_{{{\text{C}}_{{\text{i}}} {\text{ - Gross}}}}^{{0}} { = 0}\). The server produces the gross loss function \(L_{{\text{S - Gross}}}^{{1}}\), using Eq. (17). Next, each client downloads the global model and trains the local model, generating the local loss function \(L_{{{\text{C}}_{{\text{i}}} }}^{{1}}\). The \(i{\text{ - th}}\) client's gross loss function \(L_{{{\text{C}}_{{\text{i}}} {\text{ - Gross}}}}^{{1}}\) is produced using Eq. (18). The client's training parameters are then uploaded to the server, which trains for a second round and produces \(L_{{\text{S}}}^{{1}}\), with \(t = 1\) and \({\text{w}}_{{\text{i}}}\) updated. Finally, \(L_{{\text{S - Gross}}}^{{2}}\) is updated with Eq. (17).

After that, the testing accuracy of the benchmark dataset is set as the reference for back propagation (BP) [33]. The server will estimate the benchmark with the model parameters from the clients, and the clients will estimate their local dataset with the model parameters from the server. When iteratively calculating the parameters \(L_{{\text{S - Gross}}}\) and \(L_{{{\text{C}}_{{\text{i}}} {\text{ - Gross}}}}\) during the \(t\) rounds, the poisoned \(L_{{{\text{C}}_{{\text{i}}} }}\) will increase the estimate result of \(L_{{\text{S - Gross}}}\). Thus, the corresponding weight of \(L_{{{\text{C}}_{{\text{i}}} {\text{ - Gross}}}}\) must be decreased.

4.2.3 Asynchronous Training

In FL, each client has its own dataset quality, computing capacity, energy states, and training features. If the server utilizes an effective dispatching strategy, the training results will be evidently improved.

For some classical synchronous training methods, the clients enter the training process when the parameter \(L_{S}\) is iteratively calculated. Some clients may lag under some bad network conditions. For example, the server must wait for a sufficient number of responses from a sufficient number of clients. Otherwise, the server will work overtime and delete all the updated information from clients. According to the above analysis, the synchronous approach faces two main challenges: one is the unpredictable status of clients, and the other is the instability of the communication frequency. Based on the above theoretical analysis, the asynchronous training method is utilized in this paper.

First, the server trains the global model, which is downloaded by each client. Second, each client trains the local model independently. Once a client finishes the training, it uploads the parameters to the server. As long as the server receives uploads from 80% of clients, the global model will be updated. Then, the new global model will be distributed to each client. This process will be repeated until within ten epochs, the decrease in the loss function of the server is less than 10-4. The flowchart of asynchronous training mode is shown in Fig. 2.

Fig. 2
figure 2

Flowchart of asynchronous training

Full size image

4.3 Detailed Mathematical Description of FWLA Framework

To provide a more detailed mathematical explanation of the FWLA framework, we have mathematically elaborated on its core components, including residual testing, dynamic weight adjustment, and asynchronous aggregation.

4.3.1 Notation and Problem Formulation

  • Let \(N\) denote the total number of clients, indexed by \(i \in \left\{ {1,2,...,N} \right\}\).

  • Each client \(i\) holds a local dataset \(D_{i} = \left\{ {\left( {x_{j} ,y_{j} } \right)} \right\}_{j = 1}^{{n_{i} }}\), where \(n_{i}\) is the sample size.

  • The global model parameters at iteration \(t\) are denoted as \(\theta_{G}^{(t)} \in R^{d}\)

  • A subset \(M \subset \left\{ {1,...,N} \right\}\) represents malicious clients that submit poisoned updates \(\theta_{i}^{(t)}\)

4.3.2 Residual Testing Mechanism

The server maintains a clean validation dataset \(D_{val}\). For each client \(i\), the residual vector \(\Delta_{i}^{(t)}\) is computed as

$$\Delta _{i}^{{(t)}} = E_{{(x,y)\sim D_{{val}} }} \left[ {f(x\,;\,\theta _{i}^{{(t)}} ) - f(x\,;\,\theta _{G}^{{(t - 1)}} )} \right],$$
(19)

where \(f(x;\theta )\) is the model prediction. This residual quantifies the deviation of client \(i\)'s local model from the server’s global benchmark.

Statistical Assumption:

Residuals \(\Delta_{i}^{(t)}\) are assumed to follow a zero-mean Gaussian distribution:

$$\Delta_{i}^{(t)} \sim N\left( {0,\sigma^{2} I} \right),$$
(20)

where \(\sigma^{2}\) is the variance. Clients violating this assumption (i.e., \(\left\| {\Delta_{i}^{(t)} } \right\|^{2}> \tau\), where \(\tau\) is the residual threshold) are flagged as malicious.

4.3.3 Adaptive Client Weighting

The weight \(w_{i}^{(t)}\) for client \(i\) is inversely proportional to its residual magnitude

$$w_{i}^{(t)} = \frac{1}{{1 + \alpha \left\| {\Delta_{i}^{(t)} } \right\|^{2} }},$$
(21)

where \(\alpha> 0\) is a sensitivity hyperparameter. This ensures that clients with large residuals (potential attackers) are assigned near-zero weights.

4.3.4 Asynchronous Aggregation Protocol

Unlike synchronous methods (e.g., FedAvg), FWLA allows clients to upload updates independently. Let \(A^{(t)} \subseteq \{ 1,...,N\}\) denote the subset of clients that complete training at iteration \(t\). The global model is updated as

$$\theta_{G}^{(t)} = \frac{{\sum\nolimits_{{i \in A^{(t)} }} {w_{i}^{(t)} \theta_{i}^{(t)} } }}{{\sum\nolimits_{{i \in A^{(t)} }} {w_{i}^{(t)} } }}.$$
(22)

Termination Condition: Training stops when the server’s loss on \(D_{val}\) satisfies:

\(\left| {L_{server}^{(t)} - L_{server}^{(t - 10)} } \right| < \varepsilon\) for 10 consecutive iterations.

4.3.5 Robustness Against Poisoning

If the fraction of malicious clients satisfies \(\frac{M}{N} < \frac{1}{2} - \frac{\sqrt d }{{2\alpha }}\) (where d is the dimension of model parameters), the impact of poisoned updates is bounded:

$$\left\| {\theta_{G}^{(t)} - \theta_{clean}^{(t)} } \right\| \le {\rm O}\left( {\frac{M}{\alpha N}} \right),$$
(23)

where \(\theta_{clean}^{(t)}\) is the ideal global model without poisoning.

5 Experiments

In this section, the effect of the proposed FWLA model is evaluated by comparison with five other classical algorithms under different poisoning attack scenarios.

To comprehensively verify the algorithm, the following three benchmark datasets are used in this paper: CICDS 2017, UNSW-NB15, and NSL-KDD. The information of the three datasets is shown in Table 2. Accuracy and FAR are used to evaluate the experimental results, and the calculation process is shown in Eqs. (24) and (25)

$${\text{Accuracy = }}\frac{{\text{TP + TN}}}{{\text{TP + TN + FP + FN}}}$$
(24)
$$FAR = \frac{FP}{{TN + FP}},$$
(25)

where \(TP\) represents the number of positive samples that are classified correctly, \(TN\) represents the number of negative samples that are classified correctly, \(FP\) represents the number of positive samples that are classified incorrectly, and \(FN\) represents the number of negative samples that are classified incorrectly.

Table 2 Dataset information
Full size table

5.1 The Accuracy and FAR Results

To evaluate the performance of FWLA in both CL and FL scenes, the RF and XGBoost methods are selected for comparison in CL, and the FedAvg, FedSGD, Bulyan, and FWLA methods are selected for comparison in FL. Datasets are separated into a training set and testing set, and the ratio is set as 8:2. The 6 algorithms are processed 15 times independently, and the accuracy and FAR results are shown in Table 3.

Table 3 Accuracy and FAR results from different experimental models
Full size table

Table 3 shows that the FWLA model achieves the highest accuracy and the lowest FAR results compared with the other five experimental models. In the CL method, compared with the RF model, the accuracy of FWLA is improved by approximately 10%, and the FAR is reduced by approximately 12%. At the same time, the accuracy of FWLA is 3.5% higher than that of the XGBoost model, and the FAR is reduced by more than 9%. This shows that the algorithm performance of FWLA using the FL method is better than that of CL. In the FL algorithm, FWLA with evaluation methods and asynchronous training methods has higher accuracy and lower FAR than those of the FedAvg, FedSGD, and Bulyan models. This is because after fusing asynchronous methods, FWLA can upload parameters independently rather than after overall training. Additionally, clients attacked by poisoning can also through the residual test method to reduce the weight and improve the defense accuracy. The experiment shows that the performance of FWLA is better than that of the CL and FL algorithms.

5.2 Ablation Experiment

To evaluate the impact of the proposed method on FWLA's performance, ablation experiments are conducted on three key features of FWLA. Specifically, these features are removed separately and created three new variants of FWLA named FWLA without evaluation, FWLA without self-adjustment, and FWLA without asynchronous training. Then, these variants are compared the accuracy of with that of the original FWLA. The algorithm accuracies are shown in Table 4.

Table 4 Accuracy results of the four algorithms in the ablation experiments
Full size table

Table 4 shows that regardless of which method is removed from the FWLA, the accuracy could be reduced to different degrees compared with that of the FWLA algorithm. The ablation experiment shows that the accuracy of the FWLA is improved by nearly 3.3% after adding the evaluation method. Through the self-adjustment method, the accuracy of the FWLA is improved by 2.3%, and the fusing asynchronous training method also increases by 1.8%. This ablation experiment shows that the three advantages proposed by FWLA can improve the performance of FWLA and it can be most improved by adding evaluation methods.

5.3 Comparison of Upload Times

To analyze the impact of different batch sizes (B) and numbers of local epochs (E), the UNSW-NB15 dataset is selected. The FedSGD algorithm is selected for comparison with FWLA. Based on the uploading times of FedSGD, when B is consistent, E is changed to obtain different upload times. A successful result is obtained when the upload accuracy reaches 98%, and the corresponding results are shown in Table 5.

Table 5 Comparison of successful upload times under different E and B values
Full size table

Table 5 shows that when control B is fixed, E continuously increases, the upload time continuously decreases, and the peak value decreases. When = 20 and B = 64, FWLA has the fewest uploads, which is 14.8% of the FedSGD update time, reducing 85.2% of the communication cost. This experiment shows that FWLA has a shorter upload time under different B and E conditions with asynchronous method fused.

5.4 Performance Under Different Numbers of Malicious Nodes

To analyze the intrusion detection results, different numbers of malicious nodes are used in this experiment. In the three datasets CICIDS2017, UNSW-NB15, and NSL-KDD, we simulate poisoning attacks with malicious nodes ranging from 5 to 30 (5–30% of total clients in a 100-client system). This range is chosen for two reasons. The first reason is practical relevance. In real-world FL deployments (e.g., cross-hospital collaborations or IoT networks), the ratio of malicious participants typically falls within 5–30%, as extreme scenarios (e.g., > 50% attackers) often imply systemic security failures beyond algorithmic defenses. The second reason is due to the traceability of calculations. Larger-scale experiments (e.g., 100 + nodes) require extensive resources, and prior works [28] have shown that defense performance trends stabilize beyond 30% malicious clients. The number of malicious nodes is increased, and the accuracy and FAR values using FWLA, FedSGD, XGBoost, and FedAVG are compared. The obtained experimental image is shown in Fig. 3.

Fig. 3
figure 3

The accuracy values under different numbers of malicious nodes for a CICIDS2017, b UNSW-NB15, and c NSL-KDD. The FAR values under different numbers of malicious nodes for d CICIDS2017, e UNSW-NB15, and f NSL-KDD

Full size image

As we known, the effectiveness of algorithms against poisoning attacks can vary across different datasets. As shown in Fig. 3, among the poisoning attacks caused by the three datasets, FWLA has the best response ability. And as the number of malicious nodes increases, the accuracy of intrusion detection decreases, and the FAR also increases, which induces larger gradient differences between clients and the server. Figure 3a-c shows that with an increasing number of malicious nodes, the accuracy of FWLA decreases more slowly, and the highest accuracy can be obtained. At the same time, when the number of malicious nodes increases to more than 20, the accuracy of FWLA can be maintained at more than 83%. Figure 3d-f shows that compared with other framework, the FAR of FWLA always maintains the lowest state as the number of malicious nodes increases. Thus, it can be seen that FWLA can effectively avoid irrelevant local updates, which avoids adverse impacts from malicious nodes and ensures the reliability of model training.

Compared with FedSGD, FWLA has better resistance to malicious nodes attacked by poisoning, because each client in FWLA has a weight (\(w_{i}\)). Assume that a client is hit by poisoning attacks, then the loss function of the client will increase significantly, and it will cause an increase in the loss function of the server. Then, an asynchronous update method and a residual test method are used in our FWLA. When the loss function of the client deviates greatly from the center, it could be from a malicious client, and its weight could be reduced. Furthermore, the Kalman filtering method can help to decrease the weight of the malicious client. This experiment shows that FWLA can effectively defend against poisoning attacks.

5.5 Comparison of Robustness Performance

To compare the robustness performance of FWLA with other algorithms, ten nodes are selected from 30 regions in this experiment. The noise data are injected into the UNSW-NB15 dataset to maximize the classifier error. For example, partially randomly chosen features are set as 0 in proportion to 10% of the data to maximize the errors of the learning classifier, and low-quality noisy data are used to test the robustness performance of FWLA. Figure 4a and c presents the results from the confusion matrix after normal training without noise data, and Fig. 4b and d describes the results from the confusion matrix with noise data.

Fig. 4
figure 4

a FWLA without noise data. b Bulyan without noise data. c FWLA with noise data. d Bulyan with noise data

Full size image

It can be seen from Fig. 4 that the Bulyan method is greatly affected by noise data and the accuracy of all categories decreases significantly. The accuracy of Blackhole decreases by 6%, Greyhole by 3%, Flooding by 13%, and Scheduling by 32%. While FWLA suppresses the noise data, the decrease in the accuracy of all categories is within 3%, which demonstrates that FWLA has good robustness.

FWLA has better robustness than Bulyan, because the gross loss function of the server and the gross loss function of clients are combined. The weighted mean value of the loss functions of clients is added to the loss function produced by the training of the server. While the server's total loss function is also added to the client's scaling loss function, which ensures that the client will not deviate too much from the server. This experimental result shows that FWLA has superior robustness performance.

5.6 Evaluate Performance of Against Poisoning Attacks

To test the performance of FWLA against random, direct and mixed poisoning attacks, CICIDS2017, UNSW-NB15, and NSL-KDD are used for experiments. In this experiment, the performance of different CL and FL algorithms and FWLA against poisoning attacks is compared. In these experiments, 10% to 20% of clients are randomly chosen to be attacked. After direct attacks, the labels of part of the data are flipped. After hybrid attacks, the label is flipped and accompanied by poisoned parameter uploading. The performance against different types of poisoning attacks is shown in Fig. 5.

Fig. 5
figure 5

Classification error using a CICIDS2017, b UNSW-NB15, and c NSL-KDD

Full size image

Figure 5 shows that the classification error of FWLA is the lowest compared with other algorithms under varying ratios of injected data, even when the ratio of injected data is as high as 40%, the classification error remains under 15%. This can be attributed to the fact that FWLA combines asynchronous methods, enabling it to better identify poisoned clients and thereby enhancing its capability to handle poisoning attacks. Moreover, Fig. 5 depicts the classification error of FWLA on three datasets. The experiment shows that the proposed FWLA has stronger defense ability against poisoning attacks.

5.7 The Successful Ratio Comparison of Detecting Malicious Clients

To test the performance of FWLA in successfully detecting malicious clients, the UNSW-NB15 dataset is used. The success rate of detecting malicious clients under the following experimental models is reported. When the server detects that the data uploaded by the client do not match the normal data, the client is considered to be a malicious client. The experiment shows that the ratio of successfully detected malicious clients of FWLA is more than 90%. The results of comparison methods are shown in Fig. 6.

Fig. 6
figure 6

Ratio of successfully detected malicious clients

Full size image

It can be seen from Fig. 6 that compared with the FedAvg method, the ratio of malicious clients successfully detected by FWLA increases by approximately 7.5%. The fundamental reason is that the proposed FWLA fuses the asynchronous method, in which each client uploads parameters to the server independently. This experiment shows that FWLA has a higher successful rate in detecting malicious clients than other algorithms, which can better defend against poisoning attacks. In proposed framework, if the loss function of a client increases significantly within t continuous rounds, there will be an increase in the loss function. Then, the residual method can identify the change in the loss function of the server. Hence, the client of which the loss function increases obviously is considered to be hit by poisoning attacks. It shows that the residual method of FWLA can improve the successful ratio of detecting malicious clients.

6 Summary

To improve the accuracy and efficiency of defensing poisoning attacks, this paper proposes FWLA for robust federated learning. In comparison to algorithms that only utilize the aggregation method, FWLA combines the evaluation method with the aggregation method, providing a comprehensive consideration of the server and clients to mitigate poisoning attacks. Moreover, FWLA fuses an asynchronous training method, making it more effective at detecting malicious updates than synchronous methods. To address the negative impact of poisoning attacks on the model, FWLA proposes a self-adjusted method to modify the weight of each client, while other algorithms may be susceptible to malicious clients that can affect the global model of the server. Extensive experiments are conducted, and the results demonstrate that FWLA achieves satisfactory accuracy and FAR for the CICIDS2017, UNSW-NB15, and NSL-KDD datasets. The experiments also indicate that FWLA demonstrates robustness and efficiency in effectively filtering out noisy data. While FWLA demonstrates robustness against up to 30% malicious clients, its performance under ultra-large-scale attacks (e.g., 50% malicious nodes in a 10,000-client system) remains to be tested. Our future work will focus on the method about reducing consumption of resource cost by deploying defense strategy in case of large number clients.