The collaborative nature of federated learning (FL) poses a major threat in the form of manipulation of local training data and local updates, known as the Byzantine poisoning attack. To address this issue, many Byzantine-robust aggregation rules (AGRs) have been proposed to filter out or moderate suspicious local updates uploaded by Byzantine participants. This paper introduces a novel approach called AGRAMPLIFIER, aiming to simultaneously improve the robustness, fidelity, and efficiency of the existing AGRs. The core idea of AGRAMPLIFIER is to amplify the "morality" of local updates by identifying the most repressive features of each gradient update, which provides a clearer distinction between malicious and benign updates, consequently improving the detection effect. To achieve this objective, two approaches, namely AGRMP and AGRXAI, are proposed. AGRMP organizes local updates into patches and extracts the largest value from each patch, while AGRXAI leverages explainable AI methods to extract the gradient of the most activated features. By equipping AGRAMPLIFIER with the existing Byzantine-robust mechanisms, we successfully enhance the model's robustness, maintaining its fidelity and improving overall efficiency. AGRAMPLIFIER is universally compatible with the existing Byzantine-robust mechanisms. The paper demonstrates its effectiveness by integrating it with all mainstream AGR mechanisms. Extensive evaluations conducted on seven datasets from diverse domains against seven representative poisoning attacks consistently show enhancements in robustness, fidelity, and efficiency, with average gains of 40.08%, 39.18%, and 10.68%, respectively.
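The AGRMP step described above (organize each local update into patches, keep the largest value of each patch, and use the amplified vectors to tell malicious updates from benign ones), written out as an added illustration that is not the paper's code. The patch size, the zero-padding of the last patch, the simple summed-distance filter in front of plain averaging, and the constructed sample updates are all assumptions made here; the filter is not one of the AGRs the abstract refers to.

```python
import numpy as np

def agrmp_amplify(update, patch_size):
    """AGRMP-style amplification: split a flattened update into fixed-size
    patches and keep the largest value of each patch. The tail is zero-padded
    (an assumption) so the last patch is full. Taken literally as the maximum,
    so a negative outlier inside a patch is not surfaced by this step."""
    u = np.asarray(update, dtype=float).ravel()
    pad = (-u.size) % patch_size
    u = np.concatenate([u, np.zeros(pad)])
    return u.reshape(-1, patch_size).max(axis=1)

def select_benign(updates, n_byzantine, patch_size):
    """Score each amplified update by its summed L2 distance to all others and
    keep the n - n_byzantine lowest-scoring ones (assumed filter). Returns the
    sorted indices of the updates kept."""
    amp = np.stack([agrmp_amplify(u, patch_size) for u in updates])
    dists = np.linalg.norm(amp[:, None, :] - amp[None, :, :], axis=2)
    scores = dists.sum(axis=1)
    keep = len(updates) - n_byzantine
    return sorted(np.argsort(scores)[:keep].tolist())

def robust_aggregate(updates, n_byzantine, patch_size):
    """Average only the kept updates. Amplification is used for detection only;
    the aggregate is built from the original, un-amplified updates."""
    idx = select_benign(updates, n_byzantine, patch_size)
    return np.mean(np.stack([updates[i] for i in idx]), axis=0), idx

def demo():
    """Constructed round: 6 benign clients, 2 Byzantine clients that push one
    whole patch of their update far off. Returns kept indices and the error of
    the aggregate against the clean gradient."""
    rng = np.random.default_rng(0)
    d, patch = 64, 8
    true_grad = rng.normal(size=d)
    benign = [true_grad + 0.05 * rng.normal(size=d) for _ in range(6)]
    malicious = []
    for _ in range(2):
        m = true_grad + 0.05 * rng.normal(size=d)
        m[:patch] += 3.0  # constructed poisoning: spike concentrated in patch 0
        malicious.append(m)
    updates = benign + malicious
    agg, kept = robust_aggregate(updates, n_byzantine=2, patch_size=patch)
    return kept, float(np.linalg.norm(agg - true_grad))

if __name__ == "__main__":
    print(demo())
```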