Time-Aware Security Intelligence for Federated Financial Systems: Deep Reinforcement Learning Against Temporal Poisoning Attacks

1. Introduction

1.1. Background

The financial industry is undergoing rapid digital transformation, with institutions increasingly relying on distributed machine learning techniques to improve fraud detection, risk management, and regulatory compliance. Federated learning (FL) has emerged as a promising paradigm to enable collaborative intelligence across banks, payment platforms, and other financial entities while maintaining data privacy [1,2,3]. By allowing participants to train shared models without centralizing raw data, FL provides a natural fit for sensitive financial applications where strict privacy regulations and competitive concerns prevent data sharing.

However, the adoption of FL in financial systems introduces significant security challenges. Recent studies highlight that FL is inherently vulnerable to poisoning and backdoor attacks, where malicious participants inject crafted updates to manipulate global models [4,5]. These attacks can be particularly damaging in financial environments, where small perturbations may lead to large-scale fraud or systemic risks. Beyond traditional single-round threats, researchers have uncovered persistent backdoor strategies that exploit temporal dependencies across multiple training rounds, allowing attackers to evade conventional defenses and achieve long-term stealth [6,7]. Such temporal vulnerabilities are especially critical in financial transaction streams, which naturally exhibit sequential correlations and evolving patterns.

To address these challenges, researchers have proposed robust aggregation methods and privacy-enhancing techniques to mitigate adversarial updates in FL. Approaches such as robust learning rate adjustment [8,9,10] and privacy-preserving backdoor defenses for heterogeneous data distributions [11] have demonstrated effectiveness under certain threat models. Nevertheless, most of these methods remain static and fail to capture multi-period adversarial strategies that unfold over time. Moreover, existing solutions often trade accuracy for security, limiting their practicality in high-stakes domains like finance where both precision and reliability are paramount.

Meanwhile, reinforcement learning (RL) has shown considerable potential for adaptive cybersecurity, offering dynamic decision-making in the face of evolving adversarial behaviors [12]. By framing defense coordination as a sequential decision problem, RL methods can enable financial FL systems to respond adaptively to temporal threats, balancing security enforcement with model utility. This motivates the development of integrated frameworks that combine multi-layered defenses with RL-based coordination to address sophisticated temporal backdoor attacks in financial federated learning environments.

1.2. Motivation and Contributions

Despite growing efforts to enhance the robustness of federated learning, several critical research gaps remain unaddressed in the context of financial systems:

1.

Existing security frameworks do not adequately account for temporal backdoor attacks that exploit sequential dependencies in financial transaction streams. Most defenses assume static or isolated threat models, overlooking coordinated multi-round adversarial strategies.

2.

Current defense mechanisms are largely single-layered and static, focusing either on aggregation robustness or anomaly detection, without integrating multiple complementary layers that can collectively enhance resilience against adaptive attackers.

3.

Few approaches incorporate dynamic coordination mechanisms to balance security and utility. Static thresholds or fixed strategies cannot adapt to changing adversarial intensity, heterogeneous client behaviors, and evolving network conditions.

To address these gaps, this work introduces DEFEND, a comprehensive defense framework for federated learning in financial systems. Our framework integrates temporal behavior analysis, robust statistical aggregation, and multi-scale verification into a multi-layered architecture, while employing a Markov Decision Process (MDP) formulation and reinforcement learning for adaptive coordination. The contributions of this paper are summarized as follows:

• We formalize temporal backdoor threats in federated financial learning by characterizing attack strategies that exploit multi-period dependencies across training rounds.
• We design a multi-layer defense architecture that combines temporal behavior profiling, robust aggregation, and multi-scale verification to jointly enhance detection accuracy and resilience.
• We formulate defense coordination as an MDP problem and develop an RL-based policy using Proximal Policy Optimization (PPO) to dynamically manage defense actions, balancing robustness and model performance.
• We validate DEFEND on multiple benchmark datasets (CIFAR-10, FEMNIST, MNIST) under varying degrees of heterogeneity and adversarial participation, demonstrating superior defense success rates and detection efficiency compared to state-of-the-art baselines.

The remainder of this paper is organized as follows. Section 2 reviews existing research on federated learning security, temporal attack detection, and multi-layer defense coordination. Section 3 describes the proposed DEFEND framework. Section 4 presents experimental evaluations. Section 6 concludes and outlines directions for future work.

2. Related Work

2.1. Federated Learning Security in Financial Systems

Federated learning security in financial systems has emerged as a critical research area addressing the inherent privacy and security challenges in distributed financial data processing environments [13,14,15,16,17,18,19,20,21]. Chen et al. [13] conducted an extensive survey identifying the intricate security challenges within federated learning frameworks, emphasizing vulnerabilities in communication links and potential cyber threats across decentralized networks. Their comprehensive analysis delves into various defensive strategies and explores applications across different sectors, contributing to the development of secure and efficient federated learning systems. To address specific financial fraud detection challenges, Aljunaid et al. [14] proposed an Explainable Federated Learning (XFL) model that integrates Shapley Additive Explanations (SHAP) and LIME techniques for enhanced interpretability while maintaining privacy compliance. Their approach achieved 99.95% accuracy with a miss rate of 0.05%, effectively eliminating false positives in financial fraud classification while preserving data privacy and regulatory compliance.

Building on decentralized security considerations, Hallaji et al. [15] performed a thorough security analysis of decentralized federated learning systems, studying possible variations of threats and adversaries while overviewing potential defense mechanisms. Their work addresses server-related threats elimination through blockchain technologies, though acknowledging new privacy challenges introduced by decentralized architectures. To enhance privacy preservation in financial technology applications, Xiong et al. [20] developed a Heterogeneous Privacy-Preserving Blockchain-Enabled Federated Learning (HPP-BEFL) system specifically designed for social fintech environments. Their novel PKI and identity-based heterogeneous authenticated asymmetric group key agreement (PKI-IB-HAAGKA) protocol effectively mitigates man-in-the-middle and inference attacks while addressing crypto system heterogeneity issues.

Recent advances have also explored credit risk assessment architectures [16], behavioral anomaly detection in dynamic transaction graphs [17], and blockchain-based knowledge enhancement mechanisms [22]. However, existing federated learning security frameworks lack comprehensive temporal attack detection mechanisms and fail to adequately address sophisticated backdoor attacks that exploit temporal patterns in financial data streams, which are essential for defending against coordinated multi-period adversarial strategies in distributed financial learning environments.

Table 1. Comparison of our work with related studies.

Ref

[13]

[23]

[15]

[20]

[24]

[25]

[26]

[27]

[14]

[28]

[29]

Proposed work

Feature

Financial application domain

✓

✓

✓

Federated learning framework

✓

✓

✓

✓

✓

✓

✓

✓

Temporal attack detection

✓

✓

✓

Multi-layer defense design

✓

✓

MDP/RL coordination

✓

✓

✓

Table 1. Comparison of our work with related studies.

Ref

[13]

[23]

[15]

[20]

[24]

[25]

[26]

[27]

[14]

[28]

[29]

Proposed work

Feature

Financial application domain

✓

✓

✓

Federated learning framework

✓

✓

✓

✓

✓

✓

✓

✓

Temporal attack detection

✓

✓

✓

Multi-layer defense design

✓

✓

MDP/RL coordination

✓

✓

✓

2.2. Temporal Attack Detection and Defense Mechanisms

Temporal attack detection and defense mechanisms have gained significant attention as adversaries increasingly exploit time-dependent vulnerabilities in distributed systems [24,25,30,31,32,33,34,35]. Zamanzadeh et al. [25] provided a comprehensive survey of deep learning approaches for time series anomaly detection, highlighting the importance of identifying anomalous patterns that indicate novel or unexpected events such as production faults and system defects. Their taxonomy encompasses anomaly detection strategies and deep learning models, highlighting the challenges presented by the large size and complexity of temporal patterns in time series data. Duan et al. [24] addressed practical cyber attack detection through Continuous Temporal Graph (CTG) neural networks in dynamic network systems, proposing an interaction-centered perspective that refines information interactions between network entities into CTG evolution processes. Their framework naturally incorporates new node access behaviors and presents a message aggregation scheme that fuses spatio-temporal neighborhoods with actual time distribution and historical states, demonstrating superior performance on ToN-IoT, UNSWNB15, CIC-Dark2020, and J.P. Morgan payment datasets.

To address zero-day attack challenges, Wu et al. [31] developed an active learning framework using Deep Q-Network (DQN) for intelligent sample selection with probability distribution analysis. Their approach integrates Bi-directional Long Short-Term Memory (BiLSTM) networks into the DQN model to analyze temporal correlations within static classification contexts, employing Euclidean distance functions for accurate sample labeling. Hammad et al. [33] explored deep reinforcement learning for adaptive cyber defense, implementing cutting-edge DRL techniques including Deep Q-Networks (DQN), Proximal Policy Optimization (PPO), and Twin Delayed Deep Deterministic Policy Gradient (TD3) for real-time threat discernment and neutralization across varied cyber threat scenarios ranging from malware invasions to phishing attacks and adversarial assaults.

Recent developments have also investigated spatio-temporal advanced persistent threat detection in cyber-physical power systems [30], advances in time-series anomaly detection algorithms and benchmarks [36], and security defense strategies for Internet of Things based on deep reinforcement learning [37]. However, existing temporal attack detection frameworks lack sophisticated multi-period pattern recognition capabilities and fail to address coordinated backdoor injection strategies that exploit temporal dependencies across distributed learning rounds, which are crucial for detecting and defending against sophisticated temporal poisoning attacks in federated financial learning environments.

2.3. Multi-Layer Defense and MDP-based Coordination

Multi-layer defense mechanisms and MDP-based coordination strategies have emerged as critical components for robust federated learning systems, addressing the need for comprehensive protection against sophisticated adversarial attacks [23,26,27,28,29,38,39,40,41,42]. Li et al. [28] proposed a Multi-layer Aggregation Backdoor Defense Framework (MABDF) that ensures secure model aggregation through adaptive similarity filtering, pruning mean aggregation, and subspace robust projection methods. Their three-layer architecture calculates pairwise cosine similarity between client updates with dynamic thresholds based on median and standard deviation, applies pruning mean aggregation to detect hidden gradient operations, and projects updates onto low-rank subspaces through singular value decomposition (SVD) to suppress backdoor neuron activation, achieving backdoor attack success rates below 3% while maintaining model accuracy decrease of no more than 1.5%. Uddin et al. [23] conducted a systematic literature review using the PRISMA framework, analyzing 244 studies across eight themes of robust federated learning including objective regularization, optimizer modification, differential privacy, client selection, and new aggregation algorithms, providing comprehensive insights into approaches for enhancing FL model robustness against adversarial attacks and noisy updates.

For dynamic policy coordination, Bello et al. [26] developed a security strategy incorporating zero-trust models with dynamic policy decisions through stochastic games and reinforcement learning techniques. Their approach employs Generalized Proximal Policy Optimization with sample reuse (GePPO) and its meta-learning variant GePPO-ML, along with Sample Dropout PPO with meta-learning (SDPPO-ML) for adaptive policy updates, demonstrating superior performance compared to baseline REINFORCE and PPO algorithms in next generation network security scenarios. Huang et al. [27] addressed Byzantine robustness in heterogeneous federated learning through Self-Driven Entropy Aggregation (SDEA), leveraging random public datasets to conduct robust aggregation by introducing learnable aggregation weights that minimize instance-prediction entropy while maximizing batch-prediction entropy to accommodate diverse client tendencies and detect Byzantine attackers effectively.

Recent advances have also explored multi-layered protection systems for cloud computing environments [39], safe reinforcement learning frameworks for risk-averse dispatch with frequency security constraints [40], and security metrics for assessing power grids against attacks from EV charging ecosystems using Markov decision processes [29,43]. However, existing multi-layer defense frameworks lack integrated temporal anomaly detection capabilities and fail to provide coordinated MDP-based defense mechanisms that can dynamically adapt to evolving temporal backdoor attack patterns while maintaining optimal resource allocation and system performance in distributed financial learning environments.

3. Method

This section presents our comprehensive framework for detecting and defending against temporal backdoor attacks in federated learning environments through sophisticated mathematical modeling approaches. Our methodology integrates three distinct temporal poisoning attack models, establishes a multi-objective optimization framework, employs advanced statistical analysis techniques, and formulates an MDP-based defense mechanism. The proposed system leverages deep mathematical foundations to achieve optimal detection and defense performance across diverse federated learning scenarios while maintaining computational efficiency and theoretical rigor. Method architecture is shown in the Figure 1.

3.1. Problem Formulation

Consider a federated learning system comprising N participating clients denoted as $\mathcal{C}=\{c_1,c_2,\dots ,c_N\}$, where each client $c_i$ maintains local dataset ${\mathcal{D}}_i={\left\{(x_{i,j},y_{i,j})\right\}}_{j=1}^{n_i}$ over a finite communication horizon T. The temporal data sequence for client $c_i$ is represented as ${\mathbf{X}}_i=\{x_i^1,x_i^2,\dots ,x_i^T\}$, where $x_i^t\in {\mathbb{R}}^m$ denotes the m-dimensional feature vector observed at communication round t. The corresponding ground truth labels are denoted as ${\mathbf{y}}_i=\{y_i^1,y_i^2,\dots ,y_i^T\}$, where $y_i^t\in \mathcal{Y}$ represents the true class label at round t from the label space $\mathcal{Y}$.

The client operational states are characterized by a discrete state space $\mathcal{S}=\{s_n,s_s,s_p\}$, where $s_n$ represents the normal operational state, $s_s$ indicates a suspicious state requiring further monitoring, and $s_p$ denotes a confirmed poisoned state. During the poisoning process, a subset of clients ${\mathcal{C}}_p\subset \mathcal{C}$ with cardinality $|{\mathcal{C}}_p|\le \kappa N$, where $\kappa \in (0,1)$ represents the maximum poisoning ratio, becomes compromised during specific time intervals ${\mathcal{T}}_p\subset \{1,2,\dots ,T\}$.

Each client $c_i$ is characterized by a resource profile ${\mathbf{R}}_i=(C_i^{max},M_i^{max},E_i^{max},B_i^{max})$, where $C_i^{max}$ represents maximum computational capacity, $M_i^{max}$ denotes memory capacity, $E_i^{max}$ indicates energy budget, and $B_i^{max}$ specifies communication bandwidth. The available resources at round t are denoted as ${\mathbf{R}}_i^t=(C_i^t,M_i^t,E_i^t,B_i^t)$, where each component satisfies $0\le {\mathbf{R}}_i^t\le {\mathbf{R}}_i$.

The fundamental objective of our detection framework is to minimize the overall detection error, formulated as a multi-objective optimization problem with temporal consistency constraints:

$${\mathcal{L}}_{\tau }=\sum _{i=1}^N\sum _{t=1}^T{\mathcal{l}}_d({\widehat{s}}_i^t,s_i^t)+{\lambda }_1\sum _{i\in {\mathcal{C}}_p}{\mathcal{l}}_t({\widehat{\mathcal{T}}}_{p,i},{\mathcal{T}}_{p,i})+{\lambda }_2{R}_{f,p}+{\lambda }_3{\int }_0^T\mathcal{C}\left(u\right)du+{\lambda }_4\mathcal{H}\left({\mathbf{s}}_t\right),$$

(1)

where ${\mathcal{l}}_d:\mathcal{S}\times \mathcal{S}\to {\mathbb{R}}_{\ge 0}$ represents the client state classification loss function, ${\widehat{s}}_i^t$ denotes the predicted client state, ${\mathcal{l}}_t$ quantifies the temporal localization error between predicted intervals ${\widehat{\mathcal{T}}}_{p,i}$ and true poisoning intervals ${\mathcal{T}}_{p,i}$, $R_{f,p}$ denotes the false positive penalty term, $\mathcal{C}\left(u\right)$ is the continuous cost function modeling resource consumption, $\mathcal{H}\left({\mathbf{s}}_t\right)$ represents the entropy regularization term for uncertainty quantification, and ${\lambda }_1,{\lambda }_2,{\lambda }_3,{\lambda }_4\in {\mathbb{R}}_{>0}$ are regularization coefficients that balance different objectives.

The temporal localization error is computed using a weighted Hausdorff distance:

$${\mathcal{l}}_t({\widehat{\mathcal{T}}}_{p,i},{\mathcal{T}}_{p,i})={\displaystyle \frac{1}{2}}\left[\underset{t\in {\widehat{\mathcal{T}}}_{p,i}}{max}\underset{\tau \in {\mathcal{T}}_{p,i}}{min}|t-\tau |+\underset{\tau \in {\mathcal{T}}_{p,i}}{max}\underset{t\in {\widehat{\mathcal{T}}}_{p,i}}{min}|t-\tau |\right],$$

(2)

which ensures both precision and recall in temporal poisoning interval detection.

3.2. Temporal Backdoor Attack Models

To comprehensively evaluate our detection framework, we design three sophisticated temporal backdoor strategies that exploit different characteristics of federated learning protocols. Each attack model represents a distinct threat vector commonly encountered in real-world federated environments, incorporating realistic constraints on attack capabilities and detectability thresholds.

3.2.1. Fixed-Period Data Poisoning Attack

The fixed-period data poisoning attack systematically injects backdoor triggers into client datasets during predetermined temporal windows, eventually culminating in significant global model degradation at coordinated trigger points. This attack strategy maintains stealth by concentrating the poisoning effect within specific time intervals while preserving normal behavior patterns outside attack periods.

For malicious client $c_i\in {\mathcal{C}}_p$ at communication round t, the poisoned local dataset ${\tilde{\mathcal{D}}}_i^t$ is constructed according to:

$${\tilde{\mathcal{D}}}_i^t=\left\{\begin{array}{cc}{\mathcal{D}}_i\cup {\mathcal{P}}_i^t\hfill & \mathrm{if}t\in {\mathcal{T}}_{\varphi },\hfill \\ {\mathcal{D}}_i\hfill & \mathrm{otherwise},\hfill \end{array}\right.$$

(3)

where ${\mathcal{T}}_{\varphi }=[t_s,t_e]\subset \{1,2,\dots ,T\}$ denotes the fixed attack interval, and the poisoned sample set ${\mathcal{P}}_i^t$ follows a sophisticated generation process incorporating temporal dynamics and spatial correlations.

The poisoned sample construction employs multi-dimensional trigger injection with harmonic modulation:

$${\mathcal{P}}_i^t=\left\{(x_j+{ϵ}_i^t\odot {\mathbf{a}}_i^t+\sum _{k=1}^K{\alpha }_{k}sin\left({\displaystyle \frac{2\pi k(t-t_s)}{|{\mathcal{T}}_{\varphi }|}}+{\varphi }_k\right){\mathbf{w}}_k,y_{\tau }):(x_j,y_j)\in {\mathcal{S}}_i^t\right\},$$

(4)

where ⊙ denotes element-wise multiplication, ${\mathbf{a}}_i^t\in {\mathbb{R}}^m$ represents the primary attack direction vector, K is the number of harmonic components, ${\alpha }_k,{\varphi }_k$ control amplitude and phase parameters, ${\mathbf{w}}_k\in {\mathbb{R}}^m$ are harmonic weight vectors, $y_{\tau }$ denotes the target label, and ${\mathcal{S}}_i^t\subset {\mathcal{D}}_i$ represents the selected subset for poisoning.

The time-dependent perturbation magnitude ${ϵ}_i^t$ follows an accumulative schedule incorporating memory effects and stochastic variations:

$${ϵ}_i^t={\alpha }_i\sum _{\tau =t_s}^t{\beta }^{t-\tau }{\gamma }_{\tau }·\mathbb{I}[\tau \in {\mathcal{T}}_{\varphi }]·exp\left(-{\displaystyle \frac{{(\tau -{\mu }_i)}^2}{2{\sigma }_i^2}}\right)·\left(1+{\delta }_i\sum _{j\in {\mathcal{N}}_i}{\zeta }_{i,j}^{\tau }\right),$$

(5)

where ${\alpha }_i>0$ represents the base accumulation rate, $\beta \in (0,1)$ is the temporal decay factor, ${\gamma }_{\tau }$ are stochastic scaling factors following a Markov chain with transition probabilities $P_{k,l}={\displaystyle \frac{exp\left({\theta }_{k,l}\right)}{{\sum }_{j}exp\left({\theta }_{k,j}\right)}}$, the Gaussian envelope ensures smooth temporal transitions with mean ${\mu }_i$ and variance ${\sigma }_i^2$, ${\delta }_i$ controls neighborhood influence, ${\mathcal{N}}_i$ represents neighboring clients, and ${\zeta }_{i,j}^{\tau }$ captures inter-client correlation effects.

3.2.2. Multi-Period Data Poisoning Attack

The multi-period data poisoning attack exploits temporal dependencies by distributing backdoor injection across multiple non-consecutive communication rounds, creating sophisticated interference patterns that evade single-period detection mechanisms while maintaining cumulative backdoor effectiveness.

The poisoned dataset construction employs period-specific trigger variations across disjoint temporal intervals ${\mathcal{T}}_{\mu }=\{{\mathcal{T}}_1,{\mathcal{T}}_2,\dots ,{\mathcal{T}}_K\}$ where ${\mathcal{T}}_j\cap {\mathcal{T}}_k=\varnothing$ for $j\ne k$:

$${\tilde{\mathcal{D}}}_i^t=\left\{\begin{array}{cc}{\mathcal{D}}_i\cup {\mathcal{P}}_{i,j}^t\hfill & \mathrm{if}t\in {\mathcal{T}}_j,j\in \{1,2,\dots ,K\},\hfill \\ {\mathcal{D}}_i\hfill & \mathrm{otherwise},\hfill \end{array}\right.$$

(6)

where period-specific poisoned samples ${\mathcal{P}}_{i,j}^t$ incorporate adaptive trigger patterns and cross-period consistency constraints.

The multi-dimensional periodic signal injection follows:

$${\mathcal{P}}_{i,j}^t=\left\{(x_l+{\gamma }_i{\mathbf{S}}_{i,j}^t+{\delta }_i{\mathbf{Q}}_{i,j}^t,y_{\tau }):(x_l,y_l)\in {\mathcal{S}}_{i,j}^t\right\},$$

(7)

where ${\gamma }_i,{\delta }_i\in {\mathbb{R}}_{>0}$ control injection intensities for primary and secondary periodic signals ${\mathbf{S}}_{i,j}^t$ and ${\mathbf{Q}}_{i,j}^t$ respectively.

The primary multi-dimensional periodic signal ${\mathbf{S}}_{i,j}^t$ is defined as:

$$\begin{array}{cc}\hfill {\mathbf{S}}_{i,j}^t& =\sum _{k=1}^{K_j}{\mathbf{A}}_{i,j,k}\odot sin\left({\displaystyle \frac{2\pi t}{P_{i,j,k}}}+{\varphi }_{i,j,k}\right)\odot {\mathbf{W}}_{i,j,k}^t\hfill \\ \hfill & +\sum _{l=1}^{L_j}{\mathbf{B}}_{i,j,l}\odot cos\left({\displaystyle \frac{2\pi t}{Q_{i,j,l}}}+{\psi }_{i,j,l}\right)\odot {\mathbf{V}}_{i,j,l}^t,\hfill \end{array}$$

(8)

where $K_j$ and $L_j$ represent the numbers of sine and cosine components for period j, ${\mathbf{A}}_{i,j,k},{\mathbf{B}}_{i,j,l}\in {\mathbb{R}}^m$ denote amplitude vectors, $P_{i,j,k},Q_{i,j,l}$ are fundamental periods, ${\varphi }_{i,j,k},{\psi }_{i,j,l}$ are phase shifts, and ${\mathbf{W}}_{i,j,k}^t,{\mathbf{V}}_{i,j,l}^t$ are time-varying weight vectors.

3.2.3. Model Weight Poisoning Attack

The model weight poisoning attack creates direct manipulation of local model parameters before transmission to the server, generating high-intensity anomalous parameter patterns that bypass data-level detection mechanisms while maintaining coordinated execution across multiple malicious clients.

The poisoned model update follows a multi-state regime-switching framework with sophisticated perturbation strategies:

$${\tilde{\theta }}_i^t=\left\{\begin{array}{cc}{\theta }_i^t+{\delta }_i^t\odot {\mathbf{n}}_i^t+{\eta }_i^t{\mathbf{m}}_i^t\hfill & \mathrm{if}{c}_i\in {\mathcal{C}}_p\mathrm{and}{M}_i^t=1,\hfill \\ {\theta }_i^t+{\displaystyle \frac{1}{2}}{\delta }_i^t\odot {\mathbf{n}}_i^t\hfill & \mathrm{if}{c}_i\in {\mathcal{C}}_p\mathrm{and}{M}_i^t=2,\hfill \\ {\theta }_i^t+{\epsilon }_i^t{\chi }_i^t\hfill & \mathrm{if}{c}_i\in {\mathcal{C}}_p\mathrm{and}{M}_i^t=3,\hfill \\ {\theta }_i^t\hfill & \mathrm{otherwise},\hfill \end{array}\right.$$

(9)

where $M_i^t\in \{1,2,3,4\}$ is a Markov chain state indicator controlling attack intensity, ${\delta }_i^t$ controls primary poisoning magnitude, ${\mathbf{n}}_i^t$ is the primary directional perturbation vector, ${\eta }_i^t$ controls secondary poisoning magnitude, ${\mathbf{m}}_i^t$ is the secondary perturbation vector, ${\epsilon }_i^t$ controls background noise magnitude, and ${\chi }_i^t$ represents background perturbations.

The poisoning intensity follows a multi-phase decay model coordinated across malicious clients:

$$\begin{array}{cc}\hfill {\delta }_i^t& ={\delta }_{m,i}{f}_i(t-t_{★,i})·\mathbb{I}[c_i\in {\mathcal{C}}_p],\hfill \end{array}$$

(10)

$$\begin{array}{cc}\hfill f_i\left(u\right)& =\left\{\begin{array}{cc}exp\left(-{\displaystyle \frac{u}{{\tau }_{d,1,i}}}\right)\hfill & \mathrm{if}0\le u\le T_{1,i},\hfill \\ exp\left(-{\displaystyle \frac{u-T_{1,i}}{{\tau }_{d,2,i}}}\right)\hfill & \mathrm{if}{T}_{1,i}<u\le T_{2,i},\hfill \\ exp\left(-{\displaystyle \frac{u-T_{2,i}}{{\tau }_{d,3,i}}}\right)\hfill & \mathrm{if}u>T_{2,i},\hfill \end{array}\right.\hfill \end{array}$$

(11)

where ${\delta }_{m,i}$ is the maximum intensity for client $c_i$, $t_{★,i}$ is the attack initiation time, ${\tau }_{d,j,i}$ are phase-specific decay time constants, and $T_{j,i}$ are phase transition times.

3.3. Multi-Layer Defense Framework

Our defense strategy employs a sophisticated three-tier detection architecture that combines temporal behavioral analysis, robust statistical aggregation, and multi-scale validation protocols to counter the identified attack vectors while maintaining theoretical guarantees and computational efficiency.

3.3.1. Temporal Behavioral Analysis Layer

The temporal analysis layer monitors client behavioral patterns across communication rounds through comprehensive statistical profiling and anomaly detection mechanisms incorporating both individual client dynamics and cross-client correlation analysis.

For each client $c_i$, we construct a multi-dimensional behavioral profile vector encompassing temporal features, historical patterns, connectivity measures, and uncertainty quantification:

$${\mathbf{b}}_i^t=[{\mathbf{F}}_i^t,{\mathbf{H}}_i^t,{\mathbf{C}}_i^t,{\mathbf{U}}_i^t,{\mathbf{R}}_i^t],$$

(12)

where ${\mathbf{F}}_i^t$ represents temporal features, ${\mathbf{H}}_i^t$ encodes historical patterns, ${\mathbf{C}}_i^t$ models connectivity, ${\mathbf{U}}_i^t$ quantifies uncertainty, and ${\mathbf{R}}_i^t$ captures resource utilization patterns.

The temporal feature vector ${\mathbf{F}}_i^t\in {\mathbb{R}}^{d_f}$ contains multi-scale statistical features extracted from recent communication windows:

$${\mathbf{F}}_i^t=[{\mu }_i^t,{\sigma }_i^t,{\varsigma }_i^t,{\kappa }_i^t,{\mathbf{F}}_{\omega ,i}^t,{\mathbf{F}}_{\psi ,i}^t,{\mathbf{F}}_{\xi ,i}^t],$$

(13)

where the statistical moments are computed using robust estimators across multiple time scales:

$$\begin{array}{cc}\hfill {\mu }_i^t& ={\displaystyle \frac{1}{w_f}}\sum _{\tau =t-w_f+1}^t{\parallel {\theta }_i^{\tau }\parallel }_F+{\displaystyle \frac{1}{w_s}}\sum _{\tau =t-w_s+1}^{t-w_f}{\parallel {\theta }_i^{\tau }\parallel }_F,\hfill \end{array}$$

(14)

$$\begin{array}{cc}\hfill {\sigma }_i^t& =\sqrt{{\displaystyle \frac{1}{w_f-1}}\sum _{\tau =t-w_f+1}^t{({\parallel {\theta }_i^{\tau }\parallel }_F-{\mu }_i^t)}^2+{ϵ}_{\sigma }},\hfill \end{array}$$

(15)

$$\begin{array}{cc}\hfill {\varsigma }_i^t& ={\displaystyle \frac{1}{w_f}}\sum _{\tau =t-w_f+1}^t{\left({\displaystyle \frac{{\parallel {\theta }_i^{\tau }\parallel }_F-{\mu }_i^t}{{\sigma }_i^t}}\right)}^3+{\rho }_{\varsigma }{\varsigma }_i^{t-1},\hfill \end{array}$$

(16)

$$\begin{array}{cc}\hfill {\kappa }_i^t& ={\displaystyle \frac{1}{w_f}}\sum _{\tau =t-w_f+1}^t{\left({\displaystyle \frac{{\parallel {\theta }_i^{\tau }\parallel }_F-{\mu }_i^t}{{\sigma }_i^t}}\right)}^4-3+{\rho }_{\kappa }{\kappa }_i^{t-1},\hfill \end{array}$$

(17)

where $w_f$ and $w_s$ are short and long window sizes, ${ϵ}_{\sigma }$ prevents numerical instability, ${\rho }_{\varsigma },{\rho }_{\kappa }\in (0,1)$ provide temporal smoothing, ${\mathbf{F}}_{\omega ,i}^t\in {\mathbb{R}}^{d_{\omega }}$ contains dominant frequency components from spectral analysis, ${\mathbf{F}}_{\psi ,i}^t\in {\mathbb{R}}^{d_{\psi }}$ includes wavelet coefficients, and ${\mathbf{F}}_{\xi ,i}^t\in {\mathbb{R}}^{d_{\xi }}$ represents spectral entropy measures.

The anomaly detection mechanism employs multi-scale sliding window analysis with adaptive thresholding:

$${\mathcal{A}}_i^t=\underset{w\in \mathcal{W}}{\bigvee }\left[{\displaystyle \frac{1}{w}}\sum _{\tau =t-w+1}^t{\parallel {\mathbf{b}}_i^{\tau }-{\mathit{\mu }}_i^{t-w}\parallel }_{{\mathsf{\Sigma }}_i^{t-w}}>{\tau }_{\alpha }^w\right],$$

(18)

where $\mathcal{W}=\{w_1,w_2,\dots ,w_L\}$ contains multiple window sizes, ${\mathit{\mu }}_i^{t-w}$ and ${\mathsf{\Sigma }}_i^{t-w}$ represent historical mean and covariance computed through robust estimation, ${\parallel ·\parallel }_{\mathsf{\Sigma }}$ denotes the Mahalanobis distance, and ${\tau }_{\alpha }^w$ are scale-specific detection thresholds.

For multi-period attack detection, we implement a sophisticated pattern matching algorithm based on dynamic time warping:

$${\mathcal{P}}_i^t=\underset{P\in {\mathcal{P}}_{\mathrm{\Theta }}}{max}\mathrm{DTW}({\left\{{\mathcal{A}}_i^{\tau }\right\}}_{\tau =t-T_P+1}^t,P),$$

(19)

where ${\mathcal{P}}_{\mathrm{\Theta }}$ contains known attack pattern templates and DTW computes optimal alignment scores accounting for temporal distortions.

The DTW distance is computed through dynamic programming with warping constraints:

$$\begin{array}{cc}\hfill \mathrm{DTW}(\mathbf{X},\mathbf{Y})& =D[n_x,n_y],\hfill \end{array}$$

(20)

$$\begin{array}{cc}\hfill D[i,j]& =d({\mathbf{x}}_i,{\mathbf{y}}_j)+min\{D[i-1,j],D[i,j-1],D[i-1,j-1]\},\hfill \end{array}$$

(21)

$$\begin{array}{cc}\hfill \mathrm{s}.\mathrm{t}.|i-j|& \le W_{\mathrm{warp}},\hfill \end{array}$$

(22)

where $d({\mathbf{x}}_i,{\mathbf{y}}_j)$ is the local distance function, $n_x,n_y$ are sequence lengths, and $W_{\mathrm{warp}}$ constrains warping flexibility.

3.3.2. Robust Statistical Aggregation Layer

The aggregation layer employs Byzantine-robust techniques enhanced with temporal consistency constraints and multi-dimensional filtering to identify and mitigate malicious model updates while preserving the convergence properties of the global optimization process. The robust aggregation mechanism operates through sequential filtering stages incorporating geometric median estimation, distance-based outlier detection, and weighted consensus formation. The robust central tendency is established through iterative geometric median estimation:

$${\widehat{\mathit{\theta }}}_{\nu }^t=arg\underset{\mathit{\theta }}{min}\sum _{i=1}^N{\parallel \mathit{\theta }-{\theta }_i^t\parallel }_F,$$

(23)

solved using the accelerated Weiszfeld algorithm with momentum-based convergence enhancement:

$$\begin{array}{cc}\hfill {\mathit{\theta }}^{(k+1)}& ={\displaystyle \frac{{\sum }_{i=1}^N\frac{{\theta }_i^t}{\parallel {\mathit{\theta }}^{\left(k\right)}-{\theta }_i^t{\parallel }_F+ϵ}}{{\sum }_{i=1}^N\frac{1}{\parallel {\mathit{\theta }}^{\left(k\right)}-{\theta }_i^t{\parallel }_F+ϵ}}},\hfill \end{array}$$

(24)

$$\begin{array}{cc}\hfill {\mathit{\theta }}^{(k+1)}& \leftarrow {\mathit{\theta }}^{(k+1)}+{\alpha }_k({\mathit{\theta }}^{(k+1)}-{\mathit{\theta }}^{\left(k\right)}),\hfill \end{array}$$

(25)

where $ϵ$ prevents numerical instabilities and ${\alpha }_k$ provides adaptive momentum acceleration. Suspicious clients are identified through sophisticated distance-based analysis incorporating multiple statistical measures:

$${\mathcal{S}}^t=\left\{c_i:{\parallel {\theta }_i^t-{\widehat{\mathit{\theta }}}_{\nu }^t\parallel }_F>Q_{1-\alpha }({\{d_j^t\}}_{j=1}^N)+\beta ·\mathrm{IQR}({\{d_j^t\}}_{j=1}^N)\vee {\mathcal{A}}_i^t=\mathrm{True}\right\},$$

(26)

where $d_j^t={\parallel {\theta }_j^t-{\widehat{\mathit{\theta }}}_{\nu }^t\parallel }_F$, $Q_{1-\alpha }$ denotes the $(1-\alpha )$-quantile, IQR represents the interquartile range, $\beta >0$ controls filtering sensitivity, and ${\mathcal{A}}_i^t$ incorporates temporal anomaly detection results. The final global model incorporates temporal consistency constraints and reputation-based weighting:

$${\theta }^t=arg\underset{\mathit{\theta }}{min}\sum _{i\notin {\mathcal{S}}^t}{w}_i^t{\parallel \mathit{\theta }-{\theta }_i^t\parallel }_F^2+{\lambda }_{\tau }{\parallel \mathit{\theta }-{\theta }^{t-1}\parallel }_F^2+{\lambda }_{\nu }{\parallel \mathit{\theta }-{\widehat{\mathit{\theta }}}_{\nu }^t\parallel }_F^2,$$

(27)

where the client weights incorporate multi-factor scoring:

$$w_i^t={\displaystyle \frac{exp(-\gamma ·({\mathcal{A}}_i^t+\mathbb{I}[c_i\in {\mathcal{S}}^t]+{\mathcal{R}}_i^t))}{{\sum }_{j\notin {\mathcal{S}}^t}exp(-\gamma ·({\mathcal{A}}_j^t+\mathbb{I}[c_j\in {\mathcal{S}}^t]+{\mathcal{R}}_j^t))}},$$

(28)

and the reputation score ${\mathcal{R}}_i^t$ captures historical behavior patterns through multi-scale temporal weighting:

$${\mathcal{R}}_i^t=\sum _{k=1}^{K_r}{\omega }_k\sum _{\tau =max(1,t-w_k)}^{t-1}exp\left(-{\displaystyle \frac{t-\tau }{{\sigma }_k}}\right)\mathbb{I}\left[c_i\mathrm{flagged}\mathrm{at}\mathrm{round}\tau \right],$$

(29)

where $K_r$ is the number of temporal scales, ${\omega }_k$ are scale-specific weights, $w_k$ are window sizes, and ${\sigma }_k$ control exponential decay rates.

3.3.3. Multi-Scale Validation Layer

The validation layer provides continuous monitoring of global model integrity through clean performance tracking, backdoor trigger detection, and coordinated response protocols incorporating sophisticated statistical testing and model rollback mechanisms. We maintain a held-out validation set ${\mathcal{D}}_{\upsilon }$ and track performance degradation through robust statistical testing:

$${\mathcal{L}}_c^t={\displaystyle \frac{1}{|{\mathcal{D}}_{\upsilon }|}}\sum _{(x,y)\in {\mathcal{D}}_{\upsilon }}\mathcal{l}(f_{{\theta }^t}\left(x\right),y),$$

(30)

with alert generation through sequential hypothesis testing:

$${\mathcal{A}}_c^t=\mathbb{I}[{\mathcal{L}}_c^t>{\mathcal{L}}_c^{t-1}+{\tau }_c]\vee \mathbb{I}[{\mathcal{L}}_c^t>{\mu }_{\beta }+{\sigma }_{\beta }·z_{{\alpha }_c}],$$

(31)

where ${\mu }_{\beta },{\sigma }_{\beta }$ characterize historical performance distribution and $z_{{\alpha }_c}$ is the critical value for significance level ${\alpha }_c$. We maintain a trigger detection dataset ${\mathcal{D}}_{\xi }=\left\{(x_j+{\delta }_k,y_j)\right\}$ covering potential trigger patterns and monitor:

$${\mathcal{L}}_{\beta }^t=\underset{y_{\tau }}{max}{\displaystyle \frac{1}{|{\mathcal{D}}_{\xi }|}}\sum _{(x_{\xi },y_{\pi })\in {\mathcal{D}}_{\xi }}\mathbb{I}[f_{{\theta }^t}\left(x_{\xi }\right)=y_{\tau }],$$

(32)

with backdoor detection alert:

$${\mathcal{A}}_{\beta }^t=\mathbb{I}[{\mathcal{L}}_{\beta }^t>{\tau }_{\beta }]\vee \mathbb{I}[{\displaystyle \frac{{\mathcal{L}}_{\beta }^t}{{\mathcal{L}}_c^t}}>{\tau }_{\rho }],$$

(33)

where ${\tau }_{\beta }$ and ${\tau }_{\rho }$ are detection thresholds for absolute and relative trigger activation rates. Upon alert generation, the system implements graduated response protocols through state transition mechanisms:

$${\mathcal{R}}^t=\left\{\begin{array}{cc}{\mathcal{M}}_e\hfill & \mathrm{if}{\mathcal{A}}_c^t\wedge \neg {\mathcal{A}}_{\beta }^t,\hfill \\ {\mathcal{I}}_c\hfill & \mathrm{if}{\mathcal{A}}_{\beta }^t\wedge {\mathcal{P}}_i^t>{\tau }_{\pi },\hfill \\ {\mathcal{R}}_{\theta }\hfill & \mathrm{if}{\mathcal{A}}_{\beta }^t\wedge {\mathcal{L}}_{\beta }^t>{\tau }_{\kappa },\hfill \\ {\mathcal{N}}_o\hfill & \mathrm{otherwise},\hfill \end{array}\right.$$

(34)

where ${\mathcal{M}}_e$ denotes enhanced monitoring, ${\mathcal{I}}_c$ represents client investigation, ${\mathcal{R}}_{\theta }$ implements model rollback, and ${\mathcal{N}}_o$ continues normal operation. The model rollback mechanism employs temporal checkpointing with integrity verification:

$${\theta }^t=\left\{\begin{array}{cc}{\theta }^{t-k_{★}}\hfill & \mathrm{if}{\mathcal{R}}^t={\mathcal{R}}_{\theta }\wedge \mathcal{V}\left({\theta }^{t-k_{★}}\right)>{\tau }_{\upsilon },\hfill \\ arg\underset{k\le K_{max}}{min}\mathcal{V}\left({\theta }^{t-k}\right)\hfill & \mathrm{if}{\mathcal{R}}^t={\mathcal{R}}_{\theta }\wedge \mathcal{V}\left({\theta }^{t-k_{★}}\right)\le {\tau }_{\upsilon },\hfill \\ {\theta }^t\hfill & \mathrm{otherwise},\hfill \end{array}\right.$$

(35)

where $k_{★}$ is determined by the severity of the detected anomaly, $\mathcal{V}(·)$ quantifies model integrity through comprehensive validation metrics, and $K_{max}$ bounds the maximum rollback distance.

3.4. MDP Framework for Defense Coordination

We formulate the temporal backdoor defense problem as a Markov Decision Process (MDP) defined as ${\mathcal{M}}_d=({\mathcal{S}}_d,{\mathcal{A}}_d,{\mathcal{P}}_d,{\mathcal{R}}_d,\gamma )$, where each component captures the sequential decision-making nature of coordinated defense mechanisms with comprehensive state representation and sophisticated action space design for optimal defense coordination.

3.4.1. Defense State Space Design

The defense environment state $s_t^d\in {\mathcal{S}}_d$ at communication round t encompasses comprehensive information about the federated system security status through multiple information channels:

$$s_t^d=\{{\mathbf{B}}_t,{\mathbf{D}}_t,{\mathbf{A}}_t,{\mathbf{S}}_t,{\mathbf{U}}_t,{\mathbf{R}}_t,{\mathbf{G}}_t\},$$

(36)

where ${\mathbf{B}}_t$ represents client behavioral profiles, ${\mathbf{D}}_t$ encodes detection history, ${\mathbf{A}}_t$ models anomaly indicators, ${\mathbf{S}}_t$ maintains security metrics, ${\mathbf{U}}_t$ quantifies uncertainty measures, ${\mathbf{R}}_t$ captures resource utilization, and ${\mathbf{G}}_t$ represents global system statistics.

The client behavioral profile matrix ${\mathbf{B}}_t\in {\mathbb{R}}^{N\times d_b}$ contains comprehensive behavioral features for all clients:

$${\mathbf{B}}_t[i,:]=[{\mathbf{b}}_i^t,\mathrm{\Delta }{\mathbf{b}}_i^t,\parallel {\mathbf{b}}_i^t-{\mathbf{b}}_i^{t-1}{\parallel }_2,\mathrm{rank}\left({\mathbf{b}}_i^t\right),{\mathbf{B}}_{\rho ,i}^t],$$

(37)

where ${\mathbf{b}}_i^t$ is the current behavioral profile, $\mathrm{\Delta }{\mathbf{b}}_i^t$ represents temporal changes, the norm captures profile stability, $\mathrm{rank}\left({\mathbf{b}}_i^t\right)$ indicates behavioral complexity, and ${\mathbf{B}}_{\rho ,i}^t$ encodes cross-client correlations.

The detection history matrix ${\mathbf{D}}_t\in {\mathbb{R}}^{N\times d_d}$ maintains weighted information about previous detection decisions with multi-scale temporal decay:

$${\mathbf{D}}_t[i,:]=\left[\sum _{k=1}^{K_d}{\omega }_{d,k}\sum _{\tau =max(1,t-w_{d,k})}^{t-1}{\omega }_d^{(t-\tau )/k}·\mathbb{I}[{\widehat{s}}_i^{\tau }=s_p],{\mathcal{R}}_i^t,{\mathcal{C}}_i^t,{\mathcal{V}}_i^t\right],$$

(38)

where $K_d$ is the number of temporal scales, ${\omega }_{d,k}$ are scale-specific weights, $w_{d,k}$ are scale-specific window sizes, ${\omega }_d\in (0,1)$ provides exponential temporal weighting, ${\mathcal{R}}_i^t$ represents reputation scores, ${\mathcal{C}}_i^t$ captures confidence levels, and ${\mathcal{V}}_i^t$ quantifies detection variance.

The anomaly indicator vector ${\mathbf{A}}_t\in {\mathbb{R}}^N$ captures multiple types of anomalies through ensemble-based detection:

$${\mathbf{A}}_t\left[i\right]={\alpha }_a{\mathcal{A}}_{\tau ,i}^t+{\beta }_a{\mathcal{A}}_{\sigma ,i}^t+{\gamma }_a{\mathcal{A}}_{\gamma ,i}^t+{\delta }_a{\mathcal{A}}_{\varsigma ,i}^t,$$

(39)

where ${\alpha }_a,{\beta }_a,{\gamma }_a,{\delta }_a$ are weighting coefficients, ${\mathcal{A}}_{\tau ,i}^t$ represents temporal anomalies, ${\mathcal{A}}_{\sigma ,i}^t$ captures statistical anomalies, ${\mathcal{A}}_{\gamma ,i}^t$ indicates geometric median deviations, and ${\mathcal{A}}_{\varsigma ,i}^t$ quantifies spectral anomalies.

The security metrics vector ${\mathbf{S}}_t\in {\mathbb{R}}^{d_s}$ tracks system-wide security indicators:

$${\mathbf{S}}_t=[{\xi }_t^g,{\xi }_t^h,{\xi }_t^c,{\xi }_t^z,{\xi }_t^{\theta },{\xi }_t^r],$$

(40)

where ${\xi }_t^g$ measures global model integrity, ${\xi }_t^h$ quantifies information entropy, ${\xi }_t^c$ captures aggregation consensus, ${\xi }_t^z$ indicates system stability, ${\xi }_t^{\theta }$ represents threat level assessment, and ${\xi }_t^r$ measures defense resilience.

3.4.2. Defense Action Space Formulation

The defense action space ${\mathcal{A}}_d$ encompasses coordinated defense decisions, resource allocation, and temporal control through a hierarchical structure:

$${\mathcal{A}}_d={\mathcal{A}}_{\delta }\times {\mathcal{A}}_{\mu }\times {\mathcal{A}}_{\alpha }\times {\mathcal{A}}_{\zeta },$$

(41)

where ${\mathcal{A}}_{\delta }$ represents detection actions, ${\mathcal{A}}_{\mu }$ determines mitigation strategies, ${\mathcal{A}}_{\alpha }$ controls resource allocation, and ${\mathcal{A}}_{\zeta }$ manages temporal adaptations.

The detection action space includes comprehensive detection strategies:

$${\mathcal{A}}_{\delta }={\{a_m,a_i,a_v,a_p,a_q,a_e\}}^N,$$

(42)

where $a_m$ denotes passive monitoring, $a_i$ represents detailed inspection, $a_v$ indicates verification protocols, $a_p$ triggers active probing, $a_q$ implements temporary isolation, and $a_e$ enforces permanent exclusion.

The mitigation action space operates on multiple defense strategies with coordination constraints:

$$\begin{array}{cc}\hfill {\mathcal{A}}_{\mu }& =\{\mathit{\mu }\in {[0,1]}^{N\times M}:\sum _{j=1}^M{\mu }_{i,j}=1\forall i,\sum _{i=1}^N{\mu }_{i,j}\le C_j\forall j\},\hfill \end{array}$$

(43)

$$\begin{array}{cc}\hfill {\mathcal{C}}_{\rho }& =\underset{i,j,k,l}{max}{\displaystyle \frac{{\mu }_{i,j}}{{\mu }_{k,l}}}\le {\zeta }_{\rho },\hfill \end{array}$$

(44)

where ${\mu }_{i,j}$ represents the intensity of mitigation strategy j applied to client i, M is the number of mitigation strategies including: enhanced monitoring ($j=1$), gradient clipping ($j=2$), noise injection ($j=3$), weight decay regularization ($j=4$), and adaptive learning rate scaling ($j=5$), $C_j$ bounds the total capacity for strategy j, ${\mathcal{C}}_{\rho }$ ensures coordination constraints, and ${\zeta }_{\rho }$ limits mitigation disparity.

The resource allocation space manages computational and communication resources across defense mechanisms:

$$\begin{array}{cc}\hfill {\mathcal{A}}_{\alpha }& =\{\mathit{\rho }\in {[0,1]}^{D\times R}:\sum _{r=1}^R{\rho }_{d,r}=1\forall d,{\rho }_{d,r}\ge {\rho }_{min}\forall d,r\},\hfill \end{array}$$

(45)

$$\begin{array}{cc}\hfill {\mathcal{E}}_{\eta }& =\sum _{d=1}^D\sum _{r=1}^R{\rho }_{d,r}{\mathcal{F}}_{d,r}\left({\mathbf{S}}_t\right)\ge E_{min},\hfill \end{array}$$

(46)

where ${\rho }_{d,r}$ represents the fraction of resource type r allocated to defense mechanism d, D is the number of defense mechanisms including: temporal analysis ($d=1$), statistical aggregation ($d=2$), and validation monitoring ($d=3$), R is the number of resource types including: CPU computation ($r=1$), memory storage ($r=2$), and communication bandwidth ($r=3$), ${\rho }_{min}$ ensures minimum allocation, ${\mathcal{F}}_{d,r}$ quantifies efficiency functions, and $E_{min}$ guarantees minimum defense effectiveness.

The temporal adaptation action space ${\mathcal{A}}_{\zeta }$ controls dynamic client participation and weight acceptance decisions:

$${\mathcal{A}}_{\zeta }=\{\mathit{\zeta }\in {\{0,1\}}^N:\sum _{i=1}^N{\zeta }_i\ge N_{min}\},$$

(47)

where ${\zeta }_i\in \{0,1\}$ indicates whether to accept model weights from client $c_i$ at the current round (1 for accept, 0 for reject), and $N_{min}$ ensures minimum participation for convergence. The temporal adaptation decision for each client is governed by:

$${\zeta }_i^t=\left\{\begin{array}{cc}0\hfill & \mathrm{if}{\mathcal{A}}_i^t=\mathrm{True}\wedge {\mathcal{P}}_i^t>{\tau }_{\zeta },\hfill \\ 0\hfill & \mathrm{if}{c}_i\in {\mathcal{S}}^t\wedge {\mathcal{R}}_i^t>{\tau }_{\rho },\hfill \\ \mathrm{Bernoulli}\left(p_i^t\right)\hfill & \mathrm{if}{\mathcal{A}}_i^t=\mathrm{True}\wedge {\mathcal{P}}_i^t\le {\tau }_{\zeta },\hfill \\ 1\hfill & \mathrm{otherwise},\hfill \end{array}\right.$$

(48)

where ${\tau }_{\zeta }$ and ${\tau }_{\rho }$ are rejection thresholds for anomaly scores and reputation scores respectively, and the stochastic acceptance probability is:

$$p_i^t=\sigma ({\alpha }_{\zeta }-{\beta }_{\zeta }{\mathcal{A}}_i^t-{\gamma }_{\zeta }{\mathcal{R}}_i^t-{\delta }_{\zeta }\parallel {\theta }_i^t-{\widehat{\theta }}_{\nu }^t{\parallel }_F),$$

(49)

where $\sigma (·)$ is the sigmoid function, and ${\alpha }_{\zeta },{\beta }_{\zeta },{\gamma }_{\zeta },{\delta }_{\zeta }$ are learned parameters that balance acceptance probability based on anomaly levels, reputation, and parameter deviation.

3.4.3. Defense Transition Dynamics

The state transition probabilities ${\mathcal{P}}_d:{\mathcal{S}}_d\times {\mathcal{A}}_d\times {\mathcal{S}}_d\to [0,1]$ capture the stochastic evolution of the defense environment under coordinated security actions:

$${\mathcal{P}}_d\left(s_{t+1}^d\right|s_t^d,a_t^d)=\prod _{j=1}^{\left|\mathbf{s}\right|}{\mathcal{P}}_j\left(s_{t+1,j}^d\right|s_t^d,a_t^d),$$

(50)

where the factorization assumes conditional independence across state components given the current state and action.

The behavioral profile transition dynamics incorporate temporal evolution and defense interventions:

$$\begin{array}{cc}\hfill {\mathcal{P}}_{\mathbf{B}}\left({\mathbf{B}}_{t+1}\right|s_t^d,a_t^d)& =\prod _{i=1}^N\mathcal{N}\left({\mathbf{b}}_{i,t+1}\right|{\mathit{\mu }}_{b,i}^t+{\mathbf{W}}_b{a}_{\delta ,i}^t,{\mathsf{\Sigma }}_{b,i}^t),\hfill \end{array}$$

(51)

$$\begin{array}{cc}\hfill {\mathit{\mu }}_{b,i}^t& ={\mathbf{A}}_b{\mathbf{b}}_i^t+{\mathbf{B}}_b{\mathbf{h}}_i^t+{\mathbf{c}}_b,\hfill \end{array}$$

(52)

$$\begin{array}{cc}\hfill {\mathbf{h}}_i^t& =tanh({\mathbf{U}}_h{\mathbf{b}}_i^{t-1}+{\mathbf{V}}_h{a}_{\delta ,i}^{t-1}+{\mathbf{b}}_h),\hfill \end{array}$$

(53)

where ${\mathbf{A}}_b,{\mathbf{B}}_b,{\mathbf{W}}_b$ are learned transition matrices, ${\mathbf{h}}_i^t$ represents latent behavioral states, ${\mathbf{U}}_h,{\mathbf{V}}_h$ control temporal dependencies, and ${\mathsf{\Sigma }}_{b,i}^t$ captures uncertainty in behavioral evolution.

The detection history transitions incorporate memory decay and decision outcomes:

$${\mathcal{P}}_{\mathbf{D}}\left({\mathbf{D}}_{t+1}\right|s_t^d,a_t^d)=\prod _{i=1}^N\delta ({\mathbf{d}}_{i,t+1}-{\mathbf{T}}_d({\mathbf{d}}_{i,t},a_{\delta ,i}^t,{\omega }_t)),$$

(54)

where $\delta (·)$ is the Dirac delta function, ${\mathbf{T}}_d$ represents the deterministic update function, and ${\omega }_t$ captures environmental stochasticity.

3.4.4. Defense Reward Function Design

The defense reward function ${\mathcal{R}}_d:{\mathcal{S}}_d\times {\mathcal{A}}_d\times {\mathcal{S}}_d\to \mathbb{R}$ incorporates multiple defense objectives through a sophisticated multi-criteria framework:

$$\begin{array}{cc}\hfill {\mathcal{R}}_d(s_t^d,a_t^d,s_{t+1}^d)& ={\lambda }_1\sum _{i=1}^N{R}_{\delta ,i}(s_t^d,a_t^d,s_{t+1}^d)+{\lambda }_2\sum _{i=1}^N{R}_{\mu ,i}(s_t^d,a_t^d)\hfill \\ \hfill & +{\lambda }_3{R}_{\sigma }(s_t^d,a_t^d,s_{t+1}^d)+{\lambda }_4{R}_{\eta }\left(a_t^d\right)\hfill \\ \hfill & -{\lambda }_5{R}_{\kappa }\left(a_t^d\right)-{\lambda }_6{R}_{\varphi }(s_t^d,a_t^d,s_{t+1}^d),\hfill \end{array}$$

(55)

where the reward components capture detection accuracy, mitigation effectiveness, security improvement, operational efficiency, resource costs, and system disruption.

The detection reward incorporates accuracy, timeliness, and confidence weighting:

$$\begin{array}{cc}\hfill R_{\delta ,i}(s_t^d,a_t^d,s_{t+1}^d)& =\mathbb{I}[s_i^{*}=s_p]·\mathbb{I}[a_{\delta ,i}\in \{a_i,a_v,a_p\}]·{\eta }_{\delta }\hfill \\ \hfill & ·e^{-{\lambda }_{\tau }(t-t_{\pi ,i})}·(1-{\mathbf{U}}_t\left[i\right])·{\mathcal{W}}_{\nu }^i,\hfill \end{array}$$

(56)

where $s_i^{*}$ represents the true client state, ${\eta }_{\delta }$ is the base detection reward, ${\lambda }_{\tau }$ controls temporal decay, $t_{\pi ,i}$ is the actual attack start time, ${\mathbf{U}}_t\left[i\right]$ quantifies detection uncertainty, and ${\mathcal{W}}_{\nu }^i$ captures network effect weighting.

The mitigation reward measures the effectiveness of applied defense strategies:

$$R_{\mu ,i}(s_t^d,a_t^d)=\sum _{j=1}^M{\mu }_{i,j}·{\mathcal{E}}_j({\mathbf{S}}_t,{\mathbf{A}}_t\left[i\right])·\mathbb{I}[a_{\delta ,i}\ne a_m]·{\eta }_{\mu },$$

(57)

where ${\mathcal{E}}_j$ quantifies the effectiveness of mitigation strategy j given system state and anomaly levels, and ${\eta }_{\mu }$ is the base mitigation reward.

The security reward tracks overall system security improvement:

$$R_{\sigma }(s_t^d,a_t^d,s_{t+1}^d)=\sum _{k=1}^{d_s}{\omega }_k^{\sigma }max(0,{\mathbf{S}}_{t+1}\left[k\right]-{\mathbf{S}}_t\left[k\right])+{\eta }_{\sigma }{\mathcal{I}}_{\theta }^t,$$

(58)

where ${\omega }_k^{\sigma }$ are security metric weights, ${\mathbf{S}}_t\left[k\right]$ represents individual security metrics, ${\eta }_{\sigma }$ is the threat mitigation reward, and ${\mathcal{I}}_{\theta }^t$ indicates successful threat neutralization.

3.4.5. Defense Policy Optimization

The optimal defense policy ${\pi }^{*}:{\mathcal{S}}_d\to {\mathcal{A}}_d$ is learned through advanced reinforcement learning techniques incorporating temporal credit assignment and multi-objective optimization:

$${\pi }^{*}=arg\underset{\pi }{max}{\mathbb{E}}_{\tau \sim \pi }\left[\sum _{t=0}^{T-1}{\gamma }^t{\mathcal{R}}_d(s_t^d,a_t^d,s_{t+1}^d)\right],$$

(59)

where $\tau$ represents a trajectory, $\gamma \in (0,1)$ is the discount factor, and the expectation is taken over the policy-induced distribution.

The policy optimization employs actor-critic architecture with attention mechanisms:

$$\begin{array}{cc}\hfill {\pi }_{\theta }\left(a_t^d\right|s_t^d)& =\mathrm{softmax}({\mathbf{W}}_{\pi }{\mathbf{h}}_{\pi }^t+{\mathbf{b}}_{\pi }),\hfill \end{array}$$

(60)

$$\begin{array}{cc}\hfill {\mathbf{h}}_{\pi }^t& =\mathrm{Attention}({\mathbf{Q}}_{\pi },{\mathbf{K}}_{\pi },{\mathbf{V}}_{\pi })+{\mathbf{f}}_{\pi }\left(s_t^d\right),\hfill \end{array}$$

(61)

$$\begin{array}{cc}\hfill V_{\varphi }\left(s_t^d\right)& ={\mathbf{W}}_V{\mathbf{h}}_V^t+b_V,\hfill \end{array}$$

(62)

where ${\mathbf{h}}_{\pi }^t,{\mathbf{h}}_V^t$ are attention-enhanced hidden representations, ${\mathbf{f}}_{\pi }$ encodes state features, and $\theta ,\varphi$ are learnable parameters.

Algorithm 1 DEFEND: DEep Federated Ensemble Network Defense
1: Input: Client updates ${\left\{{\theta }_i^t\right\}}_{i=1}^N$, historical profiles ${\left\{{\mathbf{b}}_i^{t-1}\right\}}_{i=1}^N$, defense state $s_{t-1}^d$, hyperparameters ${\lambda }_{\tau },{\lambda }_{\nu },\gamma$, window sizes $\mathcal{W}$, detection thresholds $\left\{{\tau }_{\alpha }^w\right\}$;
2: Output: Aggregated model ${\theta }^t$, updated profiles ${\left\{{\mathbf{b}}_i^t\right\}}_{i=1}^N$, defense action $a_t^d$;
3: for each client $c_i$ do
4:     Compute temporal profile ${\mathbf{b}}_i^t$	▹ Equation (12)
5:     Calculate statistical moments $\{{\mu }_i^t,{\sigma }_i^t,{\varsigma }_i^t,{\kappa }_i^t\}$	▹ Equation (14)-(17)
6:     Detect temporal anomalies ${\mathcal{A}}_i^t$	▹ Equation (18)
7:     Check multi-period patterns ${\mathcal{P}}_i^t$	▹ Equation (19)
8: end for
9: Construct defense state $s_t^d$	▹ Equation (36)
10: Select defense action $a_t^d\sim {\pi }_{\theta }\left(a_t^d\right|s_t^d)$	▹ Equation (60)
11: Determine client participation ${\left\{{\zeta }_i^t\right\}}_{i=1}^N$	▹ Equation (48)
12: Compute geometric median ${\widehat{\mathit{\theta }}}_{\nu }^t$ for active clients	▹ Equation (23)
13: Apply Weiszfeld algorithm with updates	▹ Equation (24)-(25)
14: Perform outlier detection to identify ${\mathcal{S}}^t$	▹ Equation (26)
15: Calculate client weights $\left\{w_i^t\right\}$ for participating clients	▹ Equation (28)
16: Execute weighted aggregation ${\theta }^t$	▹ Equation (27)
17: Monitor clean performance ${\mathcal{L}}_c^t$	▹ Equation (30)
18: Check trigger responses ${\mathcal{L}}_{\beta }^t$	▹ Equation (32)
19: Generate alerts $\{{\mathcal{A}}_c^t,{\mathcal{A}}_{\beta }^t\}$	▹ Equation (31)-(33)
20: if  ${\mathcal{A}}_c^t\vee {\mathcal{A}}_{\beta }^t$then
21:     Execute graduated response ${\mathcal{R}}^t$	▹ Equation (34)
22:     Update reputation scores	▹ Equation (29)
23:     if ${\mathcal{R}}^t={\mathcal{R}}_{\theta }$ then
24:         Perform model rollback	▹ Equation (35)
25:     end if
26: end if
27: Compute reward $r_t^d={\mathcal{R}}_d(s_t^d,a_t^d,s_{t+1}^d)$	▹ Equation (55)
28: Update policy parameters $\theta$ and value function $\varphi$ using PPO
29: Store experience tuple $(s_t^d,a_t^d,r_t^d,s_{t+1}^d)$ in replay buffer
30: return ${\theta }^t$, ${\left\{{\mathbf{b}}_i^t\right\}}_{i=1}^N$, $a_t^d$;

The complete defense framework integrates all components into a cohesive algorithm that executes at each communication round through coordinated multi-layer processing and decision making:

We analyze the computational complexity of Algorithm 1 by examining each component separately and providing theoretical bounds for the overall framework execution. The computation of behavioral profiles for all clients in lines 3-6 requires $O(N·d_f·w_{max})$ operations, where $d_f$ is the feature dimension and $w_{max}=max(w_f,w_s)$ is the maximum window size. The anomaly detection using Equation (18) across multiple window sizes has complexity $O(N·|\mathcal{W}|·d_b^2)$ due to Mahalanobis distance computations, where $d_b$ is the behavioral profile dimension. The DTW-based pattern matching in Equation (19) requires $O(N·|{\mathcal{P}}_{\mathrm{\Theta }}|·T_P^2)$ operations for N clients and $|{\mathcal{P}}_{\mathrm{\Theta }}|$ pattern templates. State construction according to Equation (36) has complexity $O(N·d_s)$ where $d_s$ is the total state dimension. Policy evaluation using the attention mechanism from Equation (60)-(61) requires $O(d_s^2+d_a·d_s)$ operations, where $d_a$ is the action space dimension. The geometric median computation via the Weiszfeld algorithm in lines 10-11 has complexity $O(K_{\mathrm{iter}}·N_{\mathrm{active}}·d)$ where $K_{\mathrm{iter}}$ is the number of iterations, $N_{\mathrm{active}}={\sum }_{i=1}^N{\zeta }_i^t$ is the number of participating clients, and d is the model parameter dimension. Outlier detection using Equation (26) requires $O(N_{\mathrm{active}}^2·d)$ for pairwise distance computations. The weighted aggregation from Equation (27) has complexity $O(N_{\mathrm{active}}·d)$. Clean performance monitoring using Equation (30) requires $O\left(\right|{\mathcal{D}}_{\upsilon }|·d)$ operations for model evaluation. Trigger detection from Equation (32) has complexity $O\left(\right|{\mathcal{D}}_{\xi }|·|\mathcal{Y}|·d)$ where $\left|\mathcal{Y}\right|$ is the number of possible target labels. Model rollback using Equation (35) when triggered requires $O(K_{max}·d)$ operations. Reward computation using Equation (55) has complexity $O(N·M)$ where M is the number of mitigation strategies. Policy and value function updates require $O(d_{\theta }+d_{\varphi })$ operations where $d_{\theta },d_{\varphi }$ are the parameter dimensions. The total computational complexity per communication round is:

$$\mathcal{O}(N·max(N·d,\left|\mathcal{W}\right|·d_b^2,|{\mathcal{P}}_{\mathrm{\Theta }}|·T_P^2)+K_{\mathrm{iter}}·N_{\mathrm{active}}·d+|{\mathcal{D}}_{\upsilon }|·d+|{\mathcal{D}}_{\xi }|·|\mathcal{Y}|·d),$$

(63)

which scales quadratically with the number of clients in the worst case due to pairwise distance computations, but remains practical for moderate-scale federated deployments with $N\le 100$ clients and efficient implementation of geometric median algorithms. The temporal adaptation mechanism in line 9 reduces the effective computational load by filtering out suspicious clients early, leading to $N_{\mathrm{active}}<N$ in most scenarios, thereby improving overall efficiency.

4. Experiment

This section presents comprehensive experimental evaluations to validate the effectiveness of our proposed DEFEND framework against temporal backdoor attacks in federated learning environments. We conduct extensive experiments across multiple datasets, network architectures, and attack scenarios to demonstrate the robustness and practical applicability of our multi-layer defense mechanism.

4.1. Experimental Setup

We evaluate our framework on three widely-used federated learning benchmarks: CIFAR-10, FEMNIST, and MNIST. These datasets represent diverse application domains with varying data characteristics and complexity levels. To simulate realistic federated environments, we consider both Independent and Identically Distributed (IID) and Non-IID data distributions across clients. For Non-IID scenarios, we employ Dirichlet distribution with concentration parameters $\alpha \in \{0.1,0.5,1.0\}$, where smaller values indicate higher data heterogeneity. The client population varies from 10 to 50 participants to assess scalability across different federation sizes. We evaluate defense performance under various threat models by varying the malicious client ratio $\kappa \in \{0.1,0.2,0.3,0.4\}$, representing scenarios where 10% to 40% of participants are compromised.

We employ two representative deep learning architectures: MobileNet V2 for lightweight mobile applications and ResNet-18 for standard computer vision tasks. The detailed experimental parameters and hyperparameter configurations are summarized in Table 2.

We implement the three temporal backdoor attack strategies described in Section 3.2: fixed-period data poisoning, multi-period data poisoning, and model weight poisoning attacks. For fixed-period attacks, malicious clients inject backdoor triggers during rounds 20-40 with poisoning ratio $\rho =0.1$. Multi-period attacks distribute poisoning across three disjoint intervals: rounds 10-15, 25-30, and 45-50, maintaining the same total poisoning budget. Model weight poisoning attacks apply Gaussian perturbations with magnitude ${\delta }_i^t\in [0.001,0.01]$ following the decay schedule in Equation (11). Trigger patterns consist of 3×3 pixel patches with intensity variations, and target labels are randomly selected from classes not present in the victim’s local data distribution.

4.2. Evaluation Metrics

We employ three comprehensive metrics to evaluate the performance of our DEFEND framework from multiple perspectives:

4.2.1. Clean Accuracy under Defense

The clean accuracy under defense measures the model’s classification performance on benign test samples when the defense framework is actively protecting against malicious clients, using the held-out validation set ${\mathcal{D}}_{\upsilon }$:

$$A_c^T={\displaystyle \frac{1}{|{\mathcal{D}}_{\upsilon }|}}\sum _{(x,y)\in {\mathcal{D}}_{\upsilon }}\mathbb{I}[f_{{\theta }^T}\left(x\right)=y],$$

(64)

where ${\theta }^T$ represents the final global model after T communication rounds, and $f_{{\theta }^T}$ denotes the model’s prediction function. Higher values indicate better preservation of normal task performance under defense conditions.

4.2.2. Defense Success Rate

The defense success rate quantifies the effectiveness of our defense framework by measuring the proportion of triggered samples that do not produce the attacker’s target label, using the trigger detection dataset ${\mathcal{D}}_{\xi }$:

$$S_d^T=1-\underset{y_{\tau }}{max}{\displaystyle \frac{1}{|{\mathcal{D}}_{\xi }|}}\sum _{(x_{\xi },y_{\pi })\in {\mathcal{D}}_{\xi }}\mathbb{I}[f_{{\theta }^T}\left(x_{\xi }\right)=y_{\tau }],$$

(65)

where $x_{\xi }$ represents samples with injected triggers, $y_{\pi }$ are the original labels, and $y_{\tau }$ represents the target labels across all possible attack targets. Higher $S_d^T$ values indicate more effective defense against backdoor attacks.

4.2.3. Temporal Detection Efficiency

The temporal detection efficiency measures the framework’s ability to rapidly and accurately identify malicious clients by considering both detection accuracy and temporal responsiveness:

$$E_d={\displaystyle \frac{1}{|{\mathcal{C}}_p|}}\sum _{c_i\in {\mathcal{C}}_p}{\displaystyle \frac{\mathbb{I}[\exists t\in \{t_{a,i},\dots ,T\}:{\widehat{s}}_i^t=s_p\wedge s_i^t=s_p]}{t_{d,i}-t_{a,i}+1}},$$

(66)

where $t_{d,i}$ is the communication round when client $c_i$ is first correctly classified as poisoned state $s_p$, $t_{a,i}$ is the round when client $c_i$ begins malicious behavior, and ${\mathcal{C}}_p$ represents the set of malicious clients. The indicator function ensures only successful detections are counted. Higher $E_d$ values indicate faster and more accurate malicious client identification.

4.3. Implementation Details

Our DEFEND framework is implemented using PyTorch 2.1.0 and Python 3.9. All experiments are conducted on NVIDIA A100 GPUs with 40GB memory. The MDP-based defense coordination employs Proximal Policy Optimization (PPO) for policy learning with clip ratio 0.2 and entropy coefficient 0.01. The geometric median computation uses the accelerated Weiszfeld algorithm with momentum coefficient ${\alpha }_k=0.9$ and convergence tolerance $ϵ={10}^{-6}$.

For behavioral profile construction, we extract spectral features using Fast Fourier Transform (FFT) with window size 32, and wavelet coefficients using Daubechies-4 wavelets with 3 decomposition levels. The pattern matching employs Dynamic Time Warping with warping constraint $W_{\mathrm{warp}}=5$ and Euclidean local distance function.

The validation set ${\mathcal{D}}_{\upsilon }$ comprises 10% of the total training data, randomly sampled and held out from all clients. The trigger detection dataset ${\mathcal{D}}_{\xi }$ contains 1000 samples per class with systematically generated trigger patterns covering various spatial positions and intensities.

Each experimental configuration is repeated 5 times with different random seeds, and results are reported with 95% confidence intervals. Statistical significance is assessed using paired t-tests with Bonferroni correction for multiple comparisons.

5. Results

5.1. MDP Policy Learning Performance

Figure 2 demonstrates the training performance of different reinforcement learning algorithms used in our MDP-based defense coordination framework. We compare three algorithms: Proximal Policy Optimization (PPO), Soft Actor-Critic (SAC), and Genetic Algorithm (GA) across different network architectures and data heterogeneity levels.

The experimental results reveal several important insights about the effectiveness of different reinforcement learning approaches for defense policy optimization. PPO consistently achieves the highest cumulative rewards across all configurations, demonstrating superior learning efficiency and stability in the complex multi-objective defense environment. The algorithm shows rapid convergence within the first 150 episodes and maintains stable performance thereafter, reaching peak rewards around 3800-4000 across different settings.

SAC exhibits competitive performance with gradual learning progression, ultimately achieving comparable final rewards to PPO but requiring more episodes for convergence. The continuous learning curve suggests that SAC benefits from its off-policy nature and entropy regularization, particularly evident in scenarios with higher data heterogeneity (lower $\alpha$ values). The algorithm demonstrates consistent improvement throughout training, reaching final rewards between 3200-3600.

GA shows relatively stable but lower performance compared to the other two approaches, with rewards plateauing around 2000-2800 across all configurations. While GA provides baseline performance guarantees and avoids local optima through population-based exploration, it lacks the sophisticated gradient-based optimization capabilities needed for complex sequential decision-making in the defense scenario.

The impact of data heterogeneity (controlled by $\alpha$) appears more pronounced in ResNet-18 configurations compared to MobileNet V2, where PPO maintains consistently high performance regardless of the heterogeneity level. This suggests that the lightweight MobileNet V2 architecture provides more robust defense policy learning under varying data distribution conditions, while ResNet-18 benefits from the additional model capacity when dealing with homogeneous data distributions ($\alpha =1.0$).

5.2. Clean Accuracy Preservation Performance

Figure 3 illustrates the evolution of clean accuracy under defense across different reinforcement learning algorithms, network architectures, and data heterogeneity settings. This metric evaluates how well each algorithm maintains model utility for legitimate tasks while defending against temporal backdoor attacks.

The results demonstrate significant differences in how each reinforcement learning algorithm balances security and utility preservation. PPO consistently achieves superior clean accuracy performance, reaching and maintaining accuracy levels between 0.85-0.95 across most configurations after approximately 200 training episodes. The algorithm shows remarkable stability in preserving model utility while implementing defense mechanisms, with particularly strong performance in homogeneous data distributions ($\alpha =1.0$).

SAC exhibits competitive clean accuracy preservation with gradual but steady improvement throughout training. The algorithm demonstrates robust performance across heterogeneous data settings, achieving final accuracy values between 0.82-0.92. SAC’s continuous learning approach proves particularly effective in MobileNet V2 configurations, where it matches or occasionally exceeds PPO’s performance, suggesting that the off-policy learning strategy works well with lightweight architectures.

GA shows the most variable performance with significant fluctuations throughout training episodes. While GA occasionally achieves high accuracy spikes (up to 0.95 in some configurations), it struggles to maintain consistent performance, with accuracy frequently dropping to 0.4-0.6 range. This instability indicates that population-based optimization may be less suitable for maintaining the delicate balance between defense effectiveness and model utility preservation in federated learning environments.

The impact of data heterogeneity reveals interesting patterns across architectures. ResNet-18 shows greater sensitivity to heterogeneity levels, with more pronounced performance differences between $\alpha =0.1$ and $\alpha =1.0$ configurations. In contrast, MobileNet V2 demonstrates more robust performance across different heterogeneity levels, particularly with PPO and SAC algorithms, suggesting that lightweight architectures may provide inherent advantages for federated defense scenarios.

Notably, the clean accuracy preservation performance correlates with the reward optimization patterns observed in Figure 2, confirming that higher cumulative rewards in the MDP framework translate to better utility preservation during defense operations. This validates our multi-objective reward formulation that balances security improvements with model performance maintenance.

5.3. Defense Effectiveness Evaluation

We evaluate the defense effectiveness of our DEFEND framework using two key metrics: Defense Success Rate ($S_d^T$) and Temporal Detection Efficiency ($E_d$) across various system configurations. The following tables present comprehensive results under different combinations of client population sizes, data heterogeneity levels, malicious client ratios, and network architectures.

Table 3 and Table 4 demonstrate that ResNet-18 exhibits strong sensitivity to data heterogeneity levels under fixed malicious conditions ($\kappa$ = 0.2). The Defense Success Rate improves substantially from highly heterogeneous ($\alpha$ = 0.1) to homogeneous ($\alpha$ = 1.0) distributions, with improvements ranging from 9.1% to 8.8% across different client population sizes. The Temporal Detection Efficiency shows even more pronounced improvements of 14.1% to 13.3%, indicating that homogeneous data distributions significantly enhance the temporal behavioral analysis layer’s ability to identify malicious patterns. The consistent performance gains with increased client population size suggest that ResNet-18 benefits from larger federation scales for improved defense coordination.

Table 5 and Table 6 reveal the critical impact of malicious client ratios on ResNet-18 defense performance under moderate heterogeneity ($\alpha$ = 0.5). The Defense Success Rate shows a clear linear degradation as malicious ratios increase, with performance dropping from 0.972 to 0.803 (17.4% decrease) at the largest federation size. More concerning is the dramatic decline in Temporal Detection Efficiency, which drops from 0.864 to 0.554 (35.9% decrease), approaching the theoretical limits of Byzantine fault tolerance. This indicates that while our framework maintains reasonable attack prevention capabilities even at high malicious ratios, the speed and accuracy of malicious client identification becomes significantly compromised beyond $\kappa$ = 0.3.

Table 7 and Table 8 show that MobileNet V2 maintains competitive defense performance despite its lightweight architecture, achieving 10.6% improvement in Defense Success Rate and 14.3% improvement in Temporal Detection Efficiency from heterogeneous to homogeneous distributions. While the absolute values are slightly lower than ResNet-18, MobileNet V2 demonstrates more consistent relative improvements across different client population sizes, with smaller confidence intervals indicating greater stability. The architecture shows particular resilience in heterogeneous environments, making it well-suited for resource-constrained federated deployments where data distribution control is limited.

Table 9 and Table 10 demonstrate that MobileNet V2 exhibits similar vulnerability patterns to ResNet-18 under increasing malicious ratios, but with notably more stable degradation characteristics. The Defense Success Rate decreases by 18.8% from $\kappa$ = 0.1 to $\kappa$ = 0.4, while Temporal Detection Efficiency drops by 37.1%, comparable to ResNet-18’s performance degradation. However, MobileNet V2 shows consistently smaller confidence intervals across all configurations, indicating more predictable and stable defense behavior. This stability advantage becomes particularly valuable in dynamic federated environments where malicious client ratios may fluctuate over time, providing more reliable defense guarantees compared to the higher-capacity but more variable ResNet-18 architecture.

6. Conclusions

This paper presents DEFEND, a comprehensive multi-layer defense framework that counters temporal backdoor attacks in federated learning through sophisticated mathematical modeling and reinforcement learning techniques. Our primary contributions include three distinct temporal attack models, a three-tier defense architecture combining behavioral analysis with robust aggregation, and a novel MDP-based approach for adaptive defense coordination. Experimental evaluation demonstrates strong performance with Defense Success Rates reaching 0.956 ± 0.010 for ResNet-18 and 0.940 ± 0.012 for MobileNet V2, while maintaining clean accuracy levels between 0.85-0.95. The framework shows resilience across different data heterogeneity levels and client populations, though performance degrades when malicious ratios exceed 30

The framework has limitations including quadratic computational complexity and reduced effectiveness against highly coordinated attacks approaching Byzantine fault tolerance limits. Future research should focus on developing more efficient algorithms, adaptive threshold mechanisms, and extensions to other domains beyond computer vision. As federated learning expands into critical applications, robust defense mechanisms like DEFEND become essential for maintaining system integrity and user trust in distributed machine learning paradigms.

Appendix A.1. Fundamental Byzantine Robustness Theorem

Theorem A1 

(Byzantine Robustness of DEFEND Framework). Consider a federated learning system with N participating clients where at most f clients are Byzantine adversaries satisfying $f<N/2$. Let ${\mathcal{C}}_h$ denote honest clients and ${\mathcal{C}}_p$ denote Byzantine clients with $|{\mathcal{C}}_p|=f$. Under the DEFEND framework with geometric median aggregation (23) and statistical outlier detection (26), the global model parameter ${\theta }^t$ converges to within an ϵ-neighborhood of the optimal solution ${\theta }^{*}$ with high probability.

Specifically, for any $ϵ>0$ and confidence parameter $\delta \in (0,1)$, there exists a finite round $T_0$ such that for all $t\ge T_0$:

$$\mathbb{P}\left[{\parallel {\theta }^t-{\theta }^{*}\parallel }_F\le ϵ+2\xi +\mathcal{O}\left(\sqrt{{\displaystyle \frac{log(1/\delta )}{N}}}\right)\right]\ge 1-\delta ,$$

(A1)

where ξ bounds the geometric median estimation error, provided:

1. 

The Byzantine client fraction satisfies $f\le \lfloor (N-1)/2\rfloor$;

2. 

The geometric median approximation error is bounded: ${\parallel {\widehat{\mathit{\theta }}}_{\nu }^t-{\overline{\theta }}_h^t\parallel }_F\le \xi$, where ${\overline{\theta }}_h^t$ represents the mean of honest client updates;

3. 

The outlier detection mechanism achieves controlled error rates: false positive rate $\alpha \le 0.05$ and false negative rate $\beta \le 0.1$.

Proof. 

The proof proceeds through four main steps: (1) establishing the breakdown point properties of geometric median, (2) analyzing the statistical concentration of honest client updates, (3) bounding the outlier detection accuracy, and (4) proving convergence under Byzantine presence.

Step 1: Breakdown Point Analysis of Geometric Median

The geometric median ${\widehat{\mathit{\theta }}}_{\nu }^t$ defined in (23) possesses a breakdown point of exactly $1/2$, meaning it can tolerate up to $\lfloor (N-1)/2\rfloor$ arbitrary outliers without complete failure. This fundamental property ensures robustness against Byzantine adversaries when $f<N/2$.

For the geometric median computation, let ${\overline{\theta }}_h^t={\displaystyle \frac{1}{N-f}}{\sum }_{i\in {\mathcal{C}}_h}{\theta }_i^t$ denote the empirical mean of honest client updates. By the robustness property of geometric median, we have:

$${\parallel {\widehat{\mathit{\theta }}}_{\nu }^t-{\overline{\theta }}_h^t\parallel }_F\le {\displaystyle \frac{2f}{N-f}}·\underset{i\in {\mathcal{C}}_h}{max}{\parallel {\theta }_i^t-{\overline{\theta }}_h^t\parallel }_F.$$

(A2)

Since honest clients follow the true learning dynamics, their updates concentrate around the optimal direction. Under standard federated learning assumptions with bounded gradient variance, we have:

$$\underset{i\in {\mathcal{C}}_h}{max}{\parallel {\theta }_i^t-{\overline{\theta }}_h^t\parallel }_F\le \sigma \sqrt{{\displaystyle \frac{2log\left(N\right)}{n_{min}}}},$$

(A3)

with probability at least $1-N^{-1}$, where $\sigma$ is the gradient noise parameter and $n_{min}$ is the minimum local dataset size.

Step 2: Statistical Concentration of Honest Updates

For honest clients $c_i\in {\mathcal{C}}_h$, their local model updates ${\theta }_i^t$ are generated through standard gradient descent on local data. Under the assumption of sub-Gaussian gradient noise with parameter ${\sigma }^2$, we can establish concentration bounds.

Let $\nabla F_i\left({\theta }^{t-1}\right)$ denote the true local gradient for client $c_i$. The empirical gradient computed from local data satisfies:

$$\mathbb{P}\left[{\parallel \nabla {\widehat{F}}_i\left({\theta }^{t-1}\right)-\nabla F_i\left({\theta }^{t-1}\right)\parallel }_F\ge t\right]\le 2exp\left(-{\displaystyle \frac{n_i{t}^2}{2{\sigma }^{2}d}}\right),$$

(A4)

where d is the model parameter dimension and $n_i$ is the local dataset size for client $c_i$.

The local update deviation from the ideal direction can be bounded by:

$${\parallel {\theta }_i^t-{\theta }_{\mathrm{ideal}}^t\parallel }_F\le \eta {\parallel \nabla {\widehat{F}}_i\left({\theta }^{t-1}\right)-\nabla F_i\left({\theta }^{t-1}\right)\parallel }_F+\eta L_F{\parallel {\theta }^{t-1}-{\theta }^{*}\parallel }_F,$$

(A5)

where $\eta$ is the learning rate and $L_F$ is the Lipschitz constant from the smoothness assumption.

Step 3: Outlier Detection Accuracy Analysis

Our outlier detection mechanism (26) identifies suspicious clients based on their distance from the geometric median. For a client $c_i$, define the detection statistic:

$$d_i^t={\parallel {\theta }_i^t-{\widehat{\mathit{\theta }}}_{\nu }^t\parallel }_F.$$

(A6)

Under the null hypothesis that client $c_i$ is honest, $d_i^t$ follows a distribution characterized by the concentration properties established in Step 2. The detection threshold ${\tau }_{\alpha }$ is set based on quantiles of this null distribution as defined in (26).

For honest clients, the false positive probability is bounded by:

$$\mathbb{P}[c_i\in {\mathcal{S}}^t|c_i\in {\mathcal{C}}_h]\le \alpha +exp\left(-{\displaystyle \frac{n_i{({\tau }_{\alpha }-\mathbb{E}\left[d_i^t\right])}^2}{2{\sigma }^{2}d}}\right),$$

(A7)

where $\alpha$ is the nominal false positive rate.

For Byzantine clients with significantly deviating updates, the detection probability satisfies:

$$\mathbb{P}[c_j\in {\mathcal{S}}^t|c_j\in {\mathcal{C}}_p]\ge 1-\beta ,$$

(A8)

provided their update magnitude exceeds the detection threshold by a sufficient margin, where $\beta$ is the false negative rate.

Step 4: Convergence Analysis Under Byzantine Presence

After outlier detection and removal, the weighted aggregation operates on the filtered client set. With high probability $1-\delta$, the set $\{c_1,\dots ,c_N\}\setminus {\mathcal{S}}^t$ contains predominantly honest clients.

The weighted aggregation (27) yields:

$${\theta }^t=arg\underset{\mathit{\theta }}{min}\sum _{i\notin {\mathcal{S}}^t}{w}_i^t{\parallel \mathit{\theta }-{\theta }_i^t\parallel }_F^2+{\lambda }_{\tau }{\parallel \mathit{\theta }-{\theta }^{t-1}\parallel }_F^2+{\lambda }_{\nu }{\parallel \mathit{\theta }-{\widehat{\mathit{\theta }}}_{\nu }^t\parallel }_F^2.$$

(A9)

The solution can be expressed as:

$${\theta }^t={\displaystyle \frac{{\sum }_{i\notin {\mathcal{S}}^t}{w}_i^t{\theta }_i^t+{\lambda }_{\tau }{\theta }^{t-1}+{\lambda }_{\nu }{\widehat{\mathit{\theta }}}_{\nu }^t}{{\sum }_{i\notin {\mathcal{S}}^t}{w}_i^t+{\lambda }_{\tau }+{\lambda }_{\nu }}}.$$

(A10)

Since the filtered set predominantly contains honest clients, we can decompose the aggregation error as:

$$\begin{array}{cc}\hfill {\parallel {\theta }^t-{\theta }^{*}\parallel }_F\le & {\parallel {\theta }^t-\mathbb{E}\left[{\theta }^t\right]\parallel }_F+{\parallel \mathbb{E}\left[{\theta }^t\right]-{\theta }^{*}\parallel }_F.\hfill \end{array}$$

(A11)

The concentration term is bounded using Azuma-Hoeffding inequality for weighted sums:

$${\parallel {\theta }^t-\mathbb{E}\left[{\theta }^t\right]\parallel }_F\le \mathcal{O}\left(\sqrt{{\displaystyle \frac{log(1/\delta )}{|\{c_1,\dots ,c_N\}\setminus {\mathcal{S}}^t|}}}\right),$$

(A12)

with probability at least $1-\delta$.

The bias term is controlled by the geometric median approximation error and temporal regularization:

$${\parallel \mathbb{E}\left[{\theta }^t\right]-{\theta }^{*}\parallel }_F\le 2\xi +{\displaystyle \frac{{\lambda }_{\tau }}{{\lambda }_{\nu }}}{\parallel {\theta }^{t-1}-{\theta }^{*}\parallel }_F.$$

(A13)

The temporal regularization coefficient ${\lambda }_{\tau }/{\lambda }_{\nu }<1$ ensures contraction, leading to convergence as $t\to \infty$.

Combining the concentration and bias bounds establishes (A1), completing the proof. □

Appendix A.2. Corollaries and Extensions

Corollary A1 

(Finite-Sample Convergence Rate). Under the conditions of Theorem A1, the DEFEND framework achieves ϵ-convergence in at most

$$T(ϵ,\delta )=\mathcal{O}\left({\displaystyle \frac{log({\parallel {\theta }^0-{\theta }^{*}\parallel }_F/ϵ)}{log(1/(1-{\lambda }_{\tau }/{\lambda }_{\nu }))}}+log(1/\delta )\right)$$

(A14)

communication rounds with probability at least $1-\delta$.

Proof. 

The proof follows from iterating the contraction property in (A13) and using the union bound over all communication rounds. □

Corollary A2 

(Optimality of Byzantine Tolerance). The Byzantine tolerance threshold $f<N/2$ in Theorem A1 is optimal. No algorithm can guarantee convergence when $f\ge N/2$ in the worst case.

Proof. 

This follows from the fundamental impossibility results in Byzantine fault tolerance. When $f\ge N/2$, Byzantine clients can coordinate to completely overwhelm honest clients, making any aggregation rule vulnerable to manipulation. □

Appendix A.3. Robustness Under Stronger Attack Models

Lemma A1 

(Robustness Against Coordinated Attacks). The DEFEND framework maintains its robustness guarantees even when Byzantine clients coordinate their attacks, provided they cannot observe the geometric median computation in real-time.

Proof. 

Coordinated attacks can increase the correlation between Byzantine updates but cannot change the fundamental breakdown point of the geometric median. The proof follows the same structure as Theorem A1 with modified concentration bounds for correlated adversarial behavior. □

Appendix B.1. Preliminaries and Algorithm Description

The Weiszfeld algorithm solves the geometric median problem defined in (23):

$${\widehat{\mathit{\theta }}}_{\nu }^t=arg\underset{\mathit{\theta }}{min}\sum _{i=1}^N{\parallel \mathit{\theta }-{\theta }_i^t\parallel }_F.$$

(A15)

Our accelerated version incorporates momentum-based acceleration as defined in (24) and (25). Let $\{{\theta }_1^t,\dots ,{\theta }_N^t\}$ denote the set of client updates at communication round t, and assume they are distinct with probability 1.

Definition A1 

(Weiszfeld Iteration Operator). The Weiszfeld iteration operator $\mathcal{T}:{\mathbb{R}}^d\to {\mathbb{R}}^d$ is defined as:

$$\mathcal{T}\left(\mathit{\theta }\right)={\displaystyle \frac{{\sum }_{i=1}^N\frac{{\theta }_i^t}{\parallel \mathit{\theta }-{\theta }_i^t{\parallel }_F+ϵ}}{{\sum }_{i=1}^N\frac{1}{\parallel \mathit{\theta }-{\theta }_i^t{\parallel }_F+ϵ}}},$$

(A16)

where $ϵ>0$ is the regularization parameter to avoid division by zero.

Appendix B.2. Main Convergence Theorem

Theorem A2 

(Convergence of Accelerated Weiszfeld Algorithm). Consider the accelerated Weiszfeld algorithm defined by (24) and (25) applied to compute the geometric median of client updates $\{{\theta }_1^t,\dots ,{\theta }_N^t\}\subset {\mathbb{R}}^d$. Let ${\widehat{\mathit{\theta }}}_{\nu }^{t*}$ denote the unique geometric median. Then:

1. 

Linear Convergence: The algorithm converges linearly to ${\widehat{\mathit{\theta }}}_{\nu }^{t*}$ with rate $\rho \in (0,1)$ where

$${\parallel {\mathit{\theta }}^{(k+1)}-{\widehat{\mathit{\theta }}}_{\nu }^{t*}\parallel }_F\le \rho {\parallel {\mathit{\theta }}^{\left(k\right)}-{\widehat{\mathit{\theta }}}_{\nu }^{t*}\parallel }_F;$$

(A17)

2. 

Iteration Complexity: The number of iterations required to achieve ϵ-accuracy is

$$K\left(ϵ\right)=\mathcal{O}\left(\sqrt{\kappa }log\left({\displaystyle \frac{\parallel {\mathit{\theta }}^{\left(0\right)}-{\widehat{\mathit{\theta }}}_{\nu }^{t*}{\parallel }_F}{ϵ}}\right)\right),$$

(A18)

where κ is the condition number of the problem;

3. 

Acceleration Benefit: The momentum acceleration reduces the convergence constant by a factor of $(1-\sqrt{\mu /L})$ where μ and L are the strong convexity and Lipschitz parameters.

Proof. 

The proof is structured in four main parts: (1) establishing strong convexity of the geometric median objective, (2) proving contraction properties of the Weiszfeld operator, (3) analyzing momentum acceleration, and (4) deriving iteration complexity bounds.

Part 1: Strong Convexity Analysis

The geometric median objective function is:

$$f\left(\mathit{\theta }\right)=\sum _{i=1}^N{\parallel \mathit{\theta }-{\theta }_i^t\parallel }_F.$$

(A19)

For $\mathit{\theta }\ne {\theta }_i^t$ (which occurs with probability 1), the function f is twice differentiable. The Hessian matrix is:

$${\nabla }^{2}f\left(\mathit{\theta }\right)=\sum _{i=1}^N{\displaystyle \frac{1}{\parallel \mathit{\theta }-{\theta }_i^t{\parallel }_F}}\left(I-{\displaystyle \frac{(\mathit{\theta }-{\theta }_i^t){(\mathit{\theta }-{\theta }_i^t)}^T}{\parallel \mathit{\theta }-{\theta }_i^t{\parallel }_F^2}}\right).$$

(A20)

Lemma A2 (Strong Convexity Parameter). 

The objective function $f\left(\mathit{\theta }\right)$ is strongly convex with parameter

$$\mu =\underset{i=1,\dots ,N}{min}{\displaystyle \frac{1}{{\parallel \mathit{\theta }-{\theta }_i^t\parallel }_F+ϵ}}\ge {\displaystyle \frac{1}{D_{max}+ϵ}},$$

(A21)

where $D_{max}={max}_{i,j}{\parallel {\theta }_i^t-{\theta }_j^t\parallel }_F$ is the diameter of the client update set.

Proof of Lemma A2. 

Each term in the Hessian corresponds to a projection onto the orthogonal complement of $(\mathit{\theta }-{\theta }_i^t)$. The minimum eigenvalue is achieved when $\mathit{\theta }$ is furthest from all client updates, giving the stated bound. □

Part 2: Contraction Analysis of Weiszfeld Operator

The Weiszfeld operator can be interpreted as a proximal gradient step. Define the subdifferential of f at $\mathit{\theta }$:

$$𝜕f\left(\mathit{\theta }\right)=\sum _{i=1}^N{\displaystyle \frac{\mathit{\theta }-{\theta }_i^t}{{\parallel \mathit{\theta }-{\theta }_i^t\parallel }_F+ϵ}}.$$

(A22)

Lemma A3 (Contraction Property). 

The Weiszfeld operator $\mathcal{T}$ is a contraction mapping with contraction factor

$${\rho }_{base}=1-{\displaystyle \frac{\mu }{L}}\le 1-{\displaystyle \frac{1}{L(D_{max}+ϵ)}},$$

(A23)

where L is the Lipschitz constant of $\nabla f$.

Proof of Lemma A3. 

The Weiszfeld iteration can be written as:

$${\mathit{\theta }}^{(k+1)}={\mathit{\theta }}^{\left(k\right)}-{\alpha }^{\left(k\right)}\nabla f\left({\mathit{\theta }}^{\left(k\right)}\right),$$

(A24)

where ${\alpha }^{\left(k\right)}={\left({\sum }_{i=1}^N{\displaystyle \frac{1}{{\parallel {\mathit{\theta }}^{\left(k\right)}-{\theta }_i^t\parallel }_F+ϵ}}\right)}^{-1}$ is an adaptive step size.

By the strong convexity of f, we have:

$$f\left({\mathit{\theta }}^{(k+1)}\right)\le f\left({\mathit{\theta }}^{\left(k\right)}\right)-{\displaystyle \frac{\mu }{2}}{\parallel {\mathit{\theta }}^{(k+1)}-{\mathit{\theta }}^{\left(k\right)}\parallel }_F^2.$$

(A25)

The optimality condition $\nabla f\left({\widehat{\mathit{\theta }}}_{\nu }^{t*}\right)=0$ combined with strong convexity yields:

$${\parallel {\mathit{\theta }}^{(k+1)}-{\widehat{\mathit{\theta }}}_{\nu }^{t*}\parallel }_F^2\le (1-\mu /L){\parallel {\mathit{\theta }}^{\left(k\right)}-{\widehat{\mathit{\theta }}}_{\nu }^{t*}\parallel }_F^2.$$

(A26)

□

Part 3: Momentum Acceleration Analysis

The momentum-accelerated version from (25) follows the heavy ball method:

$${\mathit{\theta }}^{(k+1)}\leftarrow {\mathit{\theta }}^{(k+1)}+{\alpha }_k({\mathit{\theta }}^{(k+1)}-{\mathit{\theta }}^{\left(k\right)}),$$

(A27)

where ${\alpha }_k$ is the momentum coefficient.

Lemma A4 (Acceleration Benefit). 

With optimally chosen momentum parameter

$${\alpha }_k={\displaystyle \frac{\sqrt{L}-\sqrt{\mu }}{\sqrt{L}+\sqrt{\mu }}},$$

(A28)

the accelerated convergence rate becomes

$${\rho }_{\mathrm{acc}}={\displaystyle \frac{\sqrt{L}-\sqrt{\mu }}{\sqrt{L}+\sqrt{\mu }}}={\displaystyle \frac{\sqrt{\kappa }-1}{\sqrt{\kappa }+1}},$$

(A29)

where $\kappa =L/\mu$ is the condition number.

Proof of Lemma A4. 

The momentum method can be analyzed using the potential function approach. Define:

$${\mathrm{\Phi }}^{\left(k\right)}=f\left({\mathit{\theta }}^{\left(k\right)}\right)-f\left({\widehat{\mathit{\theta }}}_{\nu }^{t*}\right)+{\displaystyle \frac{\beta }{2}}{\parallel {\mathit{\theta }}^{\left(k\right)}-{\mathit{\theta }}^{(k-1)}\parallel }_F^2,$$

(A30)

for appropriate constant $\beta >0$.

The momentum parameter choice ensures:

$${\mathrm{\Phi }}^{(k+1)}\le {\left({\displaystyle \frac{\sqrt{\kappa }-1}{\sqrt{\kappa }+1}}\right)}^2{\mathrm{\Phi }}^{\left(k\right)}.$$

(A31)

This implies the stated convergence rate for the function values, which translates to the parameter convergence rate through strong convexity. □

Part 4: Iteration Complexity Derivation

To achieve $ϵ$-accuracy: ${\parallel {\mathit{\theta }}^{\left(k\right)}-{\widehat{\mathit{\theta }}}_{\nu }^{t*}\parallel }_F\le ϵ$, we need:

$${\rho }_{\mathrm{acc}}^k{\parallel {\mathit{\theta }}^{\left(0\right)}-{\widehat{\mathit{\theta }}}_{\nu }^{t*}\parallel }_F\le ϵ.$$

(A32)

Taking logarithms:

$$k\ge {\displaystyle \frac{log({\parallel {\mathit{\theta }}^{\left(0\right)}-{\widehat{\mathit{\theta }}}_{\nu }^{t*}\parallel }_F/ϵ)}{log(1/{\rho }_{\mathrm{acc}})}}.$$

(A33)

Using the approximation $log(1/{\rho }_{\mathrm{acc}})\approx 2/\sqrt{\kappa }$ for large $\kappa$:

$$k=\mathcal{O}\left(\sqrt{\kappa }log\left({\displaystyle \frac{\parallel {\mathit{\theta }}^{\left(0\right)}-{\widehat{\mathit{\theta }}}_{\nu }^{t*}{\parallel }_F}{ϵ}}\right)\right).$$

(A34)

This completes the proof of all three statements in Theorem A2.□

Appendix B.3. Practical Implementation Considerations

Lemma A5 

(Numerical Stability). The regularization parameter ϵ in Definition A1 can be chosen as $ϵ=\mathcal{O}\left({10}^{-6}\right)$ without significantly affecting the convergence rate, provided the condition number κ is bounded.

Proof. 

The regularization affects the strong convexity parameter by at most $ϵ/D_{max}$, which is negligible for practical choices of $ϵ$ relative to the client update diameter $D_{max}$. □

Corollary A3 

(Distributed Implementation). The Weiszfeld algorithm can be implemented in a distributed manner where each iteration requires only $\mathcal{O}\left(N\right)$ communication complexity to exchange current iterate and compute weighted average.

Proof. 

Each iteration of the Weiszfeld algorithm requires computing the weighted average in (A16), which can be done with a single round of communication where each client sends its current update ${\theta }_i^t$ and receives the current iterate ${\mathit{\theta }}^{\left(k\right)}$. □

Appendix B.4. Robustness Under Approximate Computation

Theorem A3 

(Robustness to Computation Errors). Suppose each Weiszfeld iteration is computed with additive error $e^{\left(k\right)}$ satisfying ${\parallel e^{\left(k\right)}\parallel }_F\le \delta$ for some $\delta >0$. Then the algorithm still converges to within $\mathcal{O}(\delta /\mu )$ of the true geometric median ${\widehat{\mathit{\theta }}}_{\nu }^{t*}$.

Proof. 

The proof follows by modifying the contraction analysis in Lemma A3 to account for the additional error terms in each iteration. The modified iteration becomes:

$${\mathit{\theta }}^{(k+1)}=\mathcal{T}\left({\mathit{\theta }}^{\left(k\right)}\right)+e^{\left(k\right)}.$$

(A35)

The contraction property still holds with an additional bias term:

$${\parallel {\mathit{\theta }}^{(k+1)}-{\widehat{\mathit{\theta }}}_{\nu }^{t*}\parallel }_F\le \rho {\parallel {\mathit{\theta }}^{\left(k\right)}-{\widehat{\mathit{\theta }}}_{\nu }^{t*}\parallel }_F+\delta .$$

(A36)

Taking the limit as $k\to \infty$ shows that the algorithm converges to within $\delta /(1-\rho )=\mathcal{O}(\delta /\mu )$ of the true geometric median. □

Appendix B.5. Integration with DEFEND Framework

Corollary A4 

(Convergence in DEFEND Context). When integrated into the DEFEND framework, the Weiszfeld algorithm for computing ${\widehat{\mathit{\theta }}}_{\nu }^t$ in (23) achieves the complexity bound from Theorem A2 at each communication round t, with the condition number κ determined by the spread of honest client updates.

Proof. 

The condition number $\kappa$ in each communication round depends on the ratio $L/\mu$ where L and $\mu$ are determined by the distribution of client updates $\{{\theta }_1^t,\dots ,{\theta }_N^t\}$. Under the assumptions of bounded client update variance, $\kappa$ remains bounded across communication rounds, ensuring consistent convergence performance. □