Over-the-air federated learning (OTA-FL) improves communication efficiency by exploiting the superposition property of wireless channels, but this same property also creates a critical security vulnerability: the parameter server (PS) cannot access individual local updates, making it difficult to identify and exclude poisoned gradients. The challenge is further exacerbated under non-independent and identically distributed (Non-IID) training data, where benign gradient drift can closely resemble malicious updates. In this paper, we propose a two-stage robust aggregation framework for defending against backdoor attacks in OTA-FL. Under our scheme, each client is first assigned a modality-aware multi-indicator trust score, where the specific indicators are selected according to the data modality (e.g., waveform, text, image) and model architecture to capture the most discriminative footprint of backdoor updates. Based on this score, the PS then performs trust-based multiple access (TBMA) to separate clients into trusted, suspicious, and malicious categories. Suspicious clients are further examined through PS-side layer-wise inspection and a longitudinal reputation mechanism. Experimental results on several datasets demonstrate that the proposed methodology effectively suppresses stealthy backdoor attacks, including bounded-scaling attacks, Euclidean-constrained attacks, Cosine-constrained attacks, and Neurotoxin, while maintaining competitive main-task accuracy.

翻译：空口联邦学习（OTA-FL）利用无线信道的叠加特性提升通信效率，但该特性也带来了关键安全漏洞：参数服务器（PS）无法访问各客户端本地更新，导致难以识别和排除中毒梯度。在非独立同分布（Non-IID）训练数据场景下，良性梯度漂移与恶意更新高度相似，进一步加剧了挑战。本文提出一种两阶段鲁棒聚合框架，用于防御OTA-FL中的后门攻击。在该方案中，每个客户端首先被分配与数据模态感知的多指标信任评分，其中具体指标根据数据模态（如波形、文本、图像）和模型架构进行选择，以捕捉后门更新最具鉴别力的特征。基于该评分，PS通过信任多址接入（TBMA）将客户端分类为可信、可疑和恶意三类。对可疑客户端，进一步通过PS端逐层检查和纵向信誉机制进行排查。在多个数据集上的实验结果表明，该方法能有效抑制包括有界缩放攻击、欧氏约束攻击、余弦约束攻击及Neurotoxin在内的隐蔽后门攻击，同时保持较高的主任务准确率。