FedRACE: A Hierarchical and Statistical Framework for Robust Federated Learning

Thank you for your detailed and constructive feedback.

Q1. … problem–method alignment…framework specificity…

Answer: We agree that the connection between the stated problem and our solution should be clearer. Freezing the backbone and fine tuning only the task head reduces computation and communication but creates a new attack surface: small and concentrated weight updates that standard defenses fail to detect. To address this issue we designed two components. HStat Net refines the frozen features so that malicious updates become separable from benign updates, and DevGuard detects abnormal clients by measuring class wise deviance in those refined features. We will make this connection more explicit in the camera ready version.

Although our experiments focus on head only fine tuning, FedRACE can also support other parameter efficient methods. HStat Net can refine features produced by adapter or prompt tuning, and DevGuard can monitor any small trainable module. Standard defenses are not designed for such settings, as methods like Multi-krum and Trimmed-mean look for large, layer wide deviations, while head only tuning produces sparse, low dimensional updates. FedRACE instead evaluates class specific projections, which remain sensitive even to small perturbations in the head.

Finally, while our experiments target classification, the same principles extend to other tasks. For regression, Gaussian deviance can be applied to the refined features. For generative tasks, output distribution comparison can be used. Because FedRACE operates on refined representations rather than on a fixed architecture, it can integrate into a broad range of parameter efficient federated learning frameworks.

Q2. …task-head fine-tuning…parameter-effcient fine-tuning…

Answer: Fine tuning only the task head is a common federated learning workflow. It allows clients to personalize large pre trained models on edge devices with low overhead. By freezing the backbone, each client updates and transmits only the head weights, which keeps both computation and communication costs minimal and aligns with typical FL constraints such as limited bandwidth and computation. Adapter tuning and prompt tuning can reduce the number of trainable parameters further, but they introduce new modules or modify embeddings within the frozen layers. Our design focuses on the standard head only approach to highlight and secure the attack surface created when tuning a small subset of parameters.

FedRACE’s two components can also support other fine tuning methods. HStat Net can refine features produced by adapters or prompts, and DevGuard can compute deviance on any small trainable subnetwork. We chose head only tuning as our case study because it is a widely used FL baseline, but the same principles extend to other parameter efficient techniques. We will clarify this generality in the camera ready version.

Q3. … full model update assumptions… sparse head only constraints…

Answer: Most existing federated learning defenses, such as Trimmed-mean, Multi-krum and FLShield, are designed for full model updates. They assume that each client submits large, high dimensional weight deltas that can be filtered or reweighted. For example, Trimmed-mean discards extreme parameter values before averaging, and Multi-krum selects updates with minimal aggregate distance to others. FLShield instead validates each client’s updated model on a held out dataset to detect and remove malicious contributions.

When clients fine tune only the task head, the backbone remains frozen and updates are sparse and low dimensional. These updates lack the variance and scale that full model defenses rely on. Distance based filters cannot capture subtle deviations in a few hundred parameters, and validation based methods become impractical because even small head updates require full model inference on a reference set, adding latency and computation that edge devices often cannot afford.

FedRACE addresses these constraints by refining frozen backbone features into compact class aware embeddings using HStat Net, and then detecting abnormal clients through class wise deviance in DevGuard. By operating in a learned representation space rather than on raw weights, FedRACE remains sensitive to head only perturbations and avoids the high overhead of full model validation. We will emphasize this distinction more clearly in the camera ready version.

Thank you again for your thoughtful comments.

Thank you for your detailed and constructive feedback.

Q1. …privacy of class centroids…

Answer: In additional experiments we measured privacy leakage from class centroid sharing on CIFAR 100 using a membership inference attack. With partial fine tuning only, the attacker success rate was 63.82%. When using FedRACE, this rate decreased to 48.37%. This confirms that sharing class centroids exposes less information than sending raw weight updates. Two design choices explain why FedRACE limits membership inference. First, class centroids aggregate feature vectors over all samples in a class, which dilutes the influence of any single example and removes individual patterns that an attacker could exploit. Second, HStat Net’s projection layer together with the frozen backbone produces features that capture global class structure rather than memorizing specific inputs. Because the Statistical Net sees only aggregated class data and the Task Net is not over optimized on individual samples, overfitting is reduced. As a result, membership inference, which relies on detecting overfitted or unique sample behaviors, becomes less effective under our framework.

Q2. … computational overhead…large number of clients…

Answer: We ran new experiments on CIFAR 100 with 128 clients, measuring all runtimes on the same GPU (NVIDIA RTX 4500). For FedRACE, the full two stage local training takes 247ms per client per round on average. The server’s DevGuard step adds 34ms in total. By comparison, FLShield requires about 185ms per client per round for local model updates and 163ms per client per round for server validation on a held out set. These results show that FedRACE provides strong robustness while adding only modest extra computation on the client side and much lower server overhead than FLShield, making it more efficient at large scale. Full runtime results across different baselines will be included in the camera‑ready version.

Q3. … partial knowledge by attackers…colluding attackers…

Answer: In additional experiments, we evaluated two recent adaptive attacks, IBA and A3FL, under the DBA threat model. Against IBA, FedRACE reduced attack success to 1.4% with a 94.5% true positive rate; against A3FL, attack success dropped to 1.6% with a 93.1% true positive rate.

We then simulated a stealth backdoor targeting only the Statistical Net ($s$). Each malicious client injected a fixed trigger pattern into a subset of training images, relabeled them with the target class, and updated only $s$ during local two-stage training while freezing the backbone and Task Net ($h$). This left clean accuracy unchanged but forced triggered inputs into feature regions mapped by $h$ to the attacker’s target class. With 25% malicious clients on CIFAR-100, FedRACE achieved a 94.3% true positive rate and a 2.47% attack success rate, while clean accuracy remained 76.95%, owing to the median-based design in Equation (12) and randomized majority voting. Without defense, this attack yielded a 59.6% success rate on triggered inputs.

Finally, in collusion experiments where 25% of clients submitted identical poisoned centroids, randomized majority voting reduced attack success from 45.9% to 9.8%, with an 87.6% true positive rate. These results confirm that attackers cannot evade detection without severely compromising their effectiveness, even with partial knowledge of DevGuard or through collusion. Extended evaluations will be included in the camera ready version.

Q4. …$d=256$…rational…ablation study…

Answer: We set the Statistical Net output dimension to $d = 256$ to balance representational power and computational cost. A larger dimension captures more class structure but increases centroid size and GLM fitting time, while a smaller dimension reduces overhead but weakens the deviance signal. To validate this choice we ran an additional ablation study on CIFAR 100 with d set to 64, 128, 256, and 512. At $d = 64$, global accuracy was 76.05% and the true positive rate was 94.0%. At $d = 128$, accuracy rose to 76.81% with a true positive rate of 95.5%. At $d = 256$, accuracy reached 77.21% and the true positive rate was 96.8%. At $d = 512$, accuracy was 77.25% and the true positive rate was 97.22%. The gain from 256 to 512 was marginal but doubled both the upload cost and the fitting time. Therefore, $d = 256$ provides the best trade off between robustness and efficiency. The camera ready version will include complete ablation results.

Q5. …assumption…measurable prediction deviation…

Answer: Our core assumption is that any attack that causes misclassification must alter the model’s conditional class probabilities in a way that deviance residuals can detect. As shown in Tables 4 and 5, we tested this on CIFAR 100 with 64 clients, including 16 malicious clients (25% adversarial rate). We evaluated five backdoor attacks: Min Max, IPMA, TLFA, DBA, and ECBA. In all cases, DevGuard achieved over 95% true positive rate and kept attack success below 1%, while clean accuracy remained high. From a theoretical perspective, an attacker cannot keep the class wise output distributions for both clean and poisoned inputs identical without duplicating the benign model’s parameters exactly. This is impossible once the attack changes model behavior. As a result, any genuine backdoor necessarily produces nonzero class wise deviance, which supports our assumption.

Thank you again for your thoughtful comments.

Thank you for your detailed and constructive feedback.

Q1. … two-stage training…alternative representation-learning baselines…

Answer: In the paper, we show that the two-stage training of HStat Net improves feature quality, as measured by Fisher’s Criterion and Mutual Information. Table 2 reports a $3.34\times$ improvement in Fisher’s Criterion and a $2.02\times$ increase in Mutual Information. These results indicate that hierarchical refinement creates a more structured and linearly separable feature space. The two-stage procedure trains the Statistical Net s and the Task Net h in separate steps. This reduces interference between the two modules and supports stable convergence. It also allows new clients to join more easily, since in many cases fine-tuning only the Task Net h is sufficient to reach strong performance, as shown in Table 3.

To add a new baseline, we carried out an additional experiment with SimCLR. In this setting, clients pre-train a backbone with SimCLR augmentations, then fine-tune the task head and apply DevGuard under the DBA threat model on CIFAR 100. With HStat Net, FedRACE achieves 77.21% accuracy, 0.36% backdoor accuracy, a 96.8% true positive rate, and a 10.1% false positive rate. When HStat Net is replaced by SimCLR features, accuracy decreases to 75.36%, backdoor accuracy increases to 1.5%, and the true positive rate drops to 93.7%. These results confirm that HStat Net yields higher quality class features than SimCLR in this setting.

Q2. …comparison with model-output consistency detectors…

Answer: In the paper, we compare FedRACE with established defenses such as Multi-krum, Trimmed-mean, FedRoLA, FLAIR, and FLShield. Table 4 shows that FedRACE consistently outperforms these methods across multiple attack scenarios. To further evaluate recent consistency-based defenses, we conducted additional experiments with FL GPR and FedDetect under the DBA threat model on CIFAR 100. FedRACE achieves 77.21% accuracy with 0.36% backdoor accuracy. In comparison, FL GPR achieves 74.57% accuracy with 3.18% backdoor accuracy, and FedDetect achieves 75.82% accuracy with 2.33% backdoor accuracy. These results demonstrate that FedRACE provides stronger robustness than these consistency-based detectors.

Q3. …privacy…communication cost….

Answer: In additional experiments we measured privacy leakage from class centroid sharing on CIFAR 100 using a membership inference attack. With partial fine tuning only, the attacker success rate was 63.82%. When using FedRACE, this rate decreased to 48.37%. This confirms that sharing class centroids exposes less information than sending raw weight updates. Two design choices explain why FedRACE limits membership inference. First, class centroids aggregate feature vectors over all samples in a class, which dilutes the influence of any single example and removes individual patterns that an attacker could exploit. Second, HStat Net’s projection layer together with the frozen backbone produces features that capture global class structure rather than memorizing specific inputs. Because the Statistical Net sees only aggregated class data and the Task Net is not over optimized on individual samples, overfitting is reduced. As a result, membership inference, which relies on detecting overfitted or unique sample behaviors, becomes less effective under our framework.

In Section 3.1, we explain how HStat Net adds a compact projection layer on top of the frozen feature extractor to refine representations. In Section 3.2 we describe how DevGuard fits a generalized linear model to the Task Net outputs to compute deviance based consistency scores. This design keeps client computation light and avoids heavy on device processing. We also measured the communication cost per round. FedRACE requires each client to upload one centroid vector for each class it holds. In the worst case a client holds all 100 classes. Each centroid vector has 256 dimensions ($d = 256$ in Section 4.1) and each entry uses 4 bytes, which adds about 0.10MB. In practice most clients hold fewer classes, so the actual upload cost is lower. Even in the worst case the extra 0.10MB is small compared to typical uplink capacity.

Thank you again for your thoughtful comments.