Weight-space noise for privacy-robustness trade-offs in federated learning

Published: 2025. Last modified: 14 Nov 2025. Venue: Neural Comput. Appl. 2025. License: CC BY-SA 4.0.
Abstract: Federated learning systems face a fundamental tension between adversarial robustness and privacy preservation. Traditional adversarial training methods enhance robustness but can compromise privacy by making models more susceptible to inference attacks. This paper introduces a weight-space noise approach to address privacy-robustness trade-offs in federated learning. Our method combines server-side federated adversarial adaptation with distributed Gaussian noise injection during model transmission, providing formal differential privacy guarantees while maintaining adversarial robustness. We establish theoretical foundations through weight-space smoothing analysis, demonstrating certified robustness bounds and privacy composition properties across multiple communication rounds. The key insight is that adding Gaussian noise to model weights (rather than inputs) enables simultaneous privacy protection and robustness certification, via randomized-smoothing theory adapted to the weight domain. Experimental evaluation on medical imaging datasets (pathology, meningioma, and glioma classification) shows that our approach achieves robustness comparable to conventional adversarial training methods, while requiring fewer retraining samples and providing stronger privacy guarantees. The distributed noise mechanism reduces attack success rates by up to 27% compared to baseline methods, while maintaining computational efficiency with only 4–5% overhead per federated round. Our theoretical analysis provides certified \(\ell_2\) robustness guarantees and establishes privacy bounds that degrade gracefully with the number of communication rounds.
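The abstract describes two ingredients that the paper's guarantees rest on: Gaussian noise added to weights before transmission, and privacy bounds that compose across communication rounds. The following is an added illustration, not code from the paper or its authors, of how those two pieces fit together on the privacy side only (the weight-space robustness certification is not modelled here). It assumes a standard setup that the abstract does not spell out: each client clips its weight update to an \(\ell_2\) norm of at most `clip_norm` (which fixes the sensitivity of the sum under add/remove-one-client adjacency), adds independent Gaussian noise of standard deviation `sigma_client` per coordinate, and the server sees only the sum (via secure aggregation or because it is trusted), so the n independent client noises combine into a single Gaussian with standard deviation `sigma_client * sqrt(n)`. The per-round \((\varepsilon,\delta)\) value uses the classic Gaussian-mechanism bound \(\sigma = \Delta\sqrt{2\ln(1.25/\delta)}/\varepsilon\) (valid for \(\varepsilon<1\)), and the across-round figures use basic and advanced composition; all of these are textbook tools, not the paper's analysis. All vectors and parameters are constructed for the example.

```python
import math
import random


def l2_norm(v):
    return math.sqrt(sum(x * x for x in v))


def clip_update(update, clip_norm):
    """Scale the update so its L2 norm is at most clip_norm.
    This bounds how much any single client can move the aggregate,
    which is what makes the noise calibration below meaningful."""
    norm = l2_norm(update)
    if norm == 0.0 or norm <= clip_norm:
        return list(update)
    scale = clip_norm / norm
    return [x * scale for x in update]


def noisy_client_update(update, clip_norm, sigma_client, rng):
    """Client side: clip, then add Gaussian noise in weight space
    before the update leaves the device (distributed noise)."""
    clipped = clip_update(update, clip_norm)
    return [x + rng.gauss(0.0, sigma_client) for x in clipped]


def aggregate(noisy_updates):
    """Server side: average the noisy updates. Dividing the sum by n is
    post-processing, so it does not change the privacy guarantee."""
    n = len(noisy_updates)
    dim = len(noisy_updates[0])
    return [sum(u[i] for u in noisy_updates) / n for i in range(dim)]


def effective_sigma(sigma_client, n_clients):
    """Sum of n independent N(0, sigma_c^2) draws is N(0, n * sigma_c^2).
    Assumes the server only observes the sum (e.g. secure aggregation)."""
    return sigma_client * math.sqrt(n_clients)


def gaussian_epsilon(sensitivity, sigma, delta):
    """Invert the classic Gaussian-mechanism bound (Dwork & Roth, Thm A.1):
    sigma = sensitivity * sqrt(2 ln(1.25/delta)) / eps, valid for eps < 1."""
    eps = sensitivity * math.sqrt(2.0 * math.log(1.25 / delta)) / sigma
    if eps >= 1.0:
        raise ValueError("classic Gaussian bound needs eps < 1; raise sigma or n")
    return eps


def compose_basic(eps, delta, rounds):
    """Basic composition: epsilons and deltas add up linearly over rounds."""
    return rounds * eps, rounds * delta


def compose_advanced(eps, delta, rounds, delta_prime):
    """Advanced composition (Dwork, Rothblum, Vadhan 2010): for T rounds of
    (eps, delta)-DP, the total is (eps', T*delta + delta')-DP with
    eps' = sqrt(2 T ln(1/delta')) eps + T eps (e^eps - 1).
    Sub-linear in T for small eps, but for few rounds or larger eps it can be
    looser than basic composition, so callers should take the minimum."""
    eps_total = (math.sqrt(2.0 * rounds * math.log(1.0 / delta_prime)) * eps
                 + rounds * eps * (math.exp(eps) - 1.0))
    return eps_total, rounds * delta + delta_prime


def federated_round(client_updates, clip_norm, sigma_client, delta, rng):
    """One communication round: returns the aggregated update and the
    per-round epsilon the server-visible sum satisfies for the given delta."""
    noisy = [noisy_client_update(u, clip_norm, sigma_client, rng)
             for u in client_updates]
    sigma_sum = effective_sigma(sigma_client, len(client_updates))
    eps_round = gaussian_epsilon(clip_norm, sigma_sum, delta)
    return aggregate(noisy), eps_round


if __name__ == "__main__":
    # Constructed inputs: 10 clients, 4-dimensional "weight" updates.
    rng = random.Random(0)
    updates = [[rng.uniform(-2.0, 2.0) for _ in range(4)] for _ in range(10)]
    agg, eps = federated_round(updates, clip_norm=1.0, sigma_client=4.0,
                               delta=1e-5, rng=rng)
    print("aggregate:", [round(x, 3) for x in agg])
    print("per-round eps: %.3f" % eps)
    for rounds in (1, 10, 50):
        basic = compose_basic(eps, 1e-5, rounds)
        adv = compose_advanced(eps, 1e-5, rounds, 1e-5)
        print("rounds=%d basic eps=%.2f advanced eps=%.2f"
              % (rounds, basic[0], adv[0]))
```

Running the script prints the per-round \(\varepsilon\) and how it grows under each composition rule; the point to take from it is that the privacy budget is consumed round by round, so the number of communication rounds is a security parameter and not just a training hyperparameter. Two caveats a deployment would need to settle: if the server can see individual client messages rather than only the sum, the \(\sqrt{n}\) noise gain disappears and each client's own `sigma_client` must carry the guarantee alone; and the classic bound is deliberately conservative, so tighter accountants (Rényi DP or the analytic Gaussian mechanism) give smaller \(\varepsilon\) for the same noise.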