The collaborative nature of federated learning (FL) exposes it to a major threat: manipulation of local training data and local updates, known as the Byzantine poisoning attack. To address this issue, many Byzantine-robust aggregation rules (AGRs) have been proposed to filter out or moderate suspicious local updates uploaded by Byzantine participants. This paper introduces a novel approach called AGRAMPLIFIER, which aims to improve the robustness, fidelity, and efficiency of existing AGRs at the same time. The core idea of AGRAMPLIFIER is to amplify the "morality" of local updates by identifying the most repressive features of each gradient update, which provides a clearer distinction between malicious and benign updates and consequently improves detection. Two realizations are proposed: AGRMP and AGRXAI. AGRMP organizes each local update into patches and extracts the largest value from each patch, while AGRXAI leverages explainable AI methods to extract the gradients of the most activated features. By equipping existing Byzantine-robust mechanisms with AGRAMPLIFIER, we enhance model robustness while maintaining fidelity and improving overall efficiency. AGRAMPLIFIER is universally compatible with existing Byzantine-robust mechanisms, and the paper demonstrates its effectiveness by integrating it with all mainstream AGR mechanisms. Extensive evaluations on seven datasets from diverse domains against seven representative poisoning attacks consistently show gains in robustness, fidelity, and efficiency, with average improvements of 40.08%, 39.18%, and 10.68%, respectively.
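The AGRMP step described above, as an added example that is not the paper's own code: a flat gradient update is cut into fixed-size patches and the largest value of each patch is kept (a 1-D max-pool), and the amplified vectors are then fed to a robust aggregator. The aggregator used here, an assumption of this example rather than anything the abstract names, is a generic distance-to-coordinate-wise-median filter standing in for whichever AGR AGRAMPLIFIER is paired with. The client updates are constructed toy vectors (four benign clients with small perturbations and one malicious client carrying a single high-magnitude coordinate), and `separation`, `CLIENT_UPDATES`, `MALICIOUS` and `amplified_aggregate` are names introduced for illustration. Note that scoring happens on the amplified updates while the model is still aggregated from the raw updates of the clients that pass the filter.

```python
"""AGRMP-style amplification in front of a distance-based robust aggregator.

Added illustration, not code from the AGRAMPLIFIER paper.  The "AGR" below is a
generic distance-to-median filter (an assumption, standing in for the real
AGRs the paper plugs into); the client updates are constructed toy data.
"""
import math
from statistics import median
from typing import List, Sequence, Tuple

Vector = List[float]


def amplify_mp(update: Sequence[float], patch_size: int) -> Vector:
    """AGRMP: split a flat update into patches of patch_size and keep the
    largest value of each patch (1-D max-pool).  A trailing partial patch is
    pooled as well so no coordinate is silently dropped."""
    if patch_size <= 0:
        raise ValueError("patch_size must be positive")
    return [max(update[i:i + patch_size])
            for i in range(0, len(update), patch_size)]


def coordinate_median(updates: Sequence[Sequence[float]]) -> Vector:
    """Coordinate-wise median across clients (a common robust centre)."""
    return [median(col) for col in zip(*updates)]


def distance_scores(updates: Sequence[Sequence[float]]) -> Vector:
    """Anomaly score per client: Euclidean distance to the coordinate-wise
    median.  Assumption: this stands in for the scoring rule of the AGR
    that AGRAMPLIFIER is combined with."""
    centre = coordinate_median(updates)
    return [math.dist(u, centre) for u in updates]


def separation(scores: Sequence[float], malicious: int) -> float:
    """Ratio of the malicious client's score to the largest benign score;
    a larger value means the AGR can separate the two more easily."""
    benign_max = max(s for i, s in enumerate(scores) if i != malicious)
    return scores[malicious] / benign_max


def amplified_aggregate(updates: Sequence[Sequence[float]], patch_size: int,
                        n_keep: int) -> Tuple[Vector, List[int]]:
    """Score clients on their AGRMP-amplified updates, keep the n_keep
    lowest-scoring clients, and average their RAW updates.  Amplification
    only guides filtering; training still uses the original gradients."""
    scores = distance_scores([amplify_mp(u, patch_size) for u in updates])
    keep = sorted(range(len(updates)), key=lambda i: scores[i])[:n_keep]
    dim = len(updates[0])
    aggregate = [sum(updates[i][j] for i in keep) / len(keep) for j in range(dim)]
    return aggregate, keep


# Constructed toy round: 6-dim updates, patch size 3.  Clients 0-3 are benign
# (small perturbations of the same gradient); client 4 is malicious and hides
# a single large coordinate inside an otherwise benign-looking update.
CLIENT_UPDATES: List[Vector] = [
    [0.10, 0.20, 0.30, -0.10, -0.20, -0.30],
    [0.12, 0.19, 0.31, -0.11, -0.21, -0.29],
    [0.09, 0.21, 0.29, -0.09, -0.19, -0.31],
    [0.11, 0.20, 0.30, -0.10, -0.20, -0.30],
    [0.10, 0.20, 5.00, -0.10, -0.20, -0.30],  # constructed malicious update
]
MALICIOUS = 4
PATCH = 3


def demo() -> dict:
    """Compare separation before and after amplification on the toy round."""
    raw = distance_scores(CLIENT_UPDATES)
    amp = distance_scores([amplify_mp(u, PATCH) for u in CLIENT_UPDATES])
    aggregate, keep = amplified_aggregate(CLIENT_UPDATES, PATCH, n_keep=4)
    return {
        "raw_separation": separation(raw, MALICIOUS),
        "amplified_separation": separation(amp, MALICIOUS),
        "kept_clients": keep,
        "aggregate": aggregate,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

On this toy round the malicious client is the top-scoring one in both raw and amplified space, but the benign clients' scores shrink more than the malicious one's after max-pooling, so the gap between the two widens. AGRXAI is not shown here since it requires a model and an attribution method; it replaces `amplify_mp` with a selection of the gradients belonging to the most activated features.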