### I221994 | Muhammad Qasim
### I222066 | Ayaan Khan
### I222018 | Ahmad Luqman

## Import Required Libraries

In [1]:
import copy
import random
import numpy as np
import pandas as pd
import matplotlib.pyplot as plt
import seaborn as sns
from tqdm import trange
from collections import namedtuple

import torch
import torch.nn as nn
import torch.optim as optim
from torch.utils.data import DataLoader, Subset
import torchvision
import torchvision.transforms as transforms

from sklearn.decomposition import PCA
from sklearn.svm import OneClassSVM
from sklearn.cluster import AgglomerativeClustering
from sklearn.neighbors import KNeighborsClassifier

# Configure plotting
sns.set_style('whitegrid')
plt.rcParams['figure.figsize'] = (12, 6)

print("Libraries imported successfully!")
print(f"PyTorch version: {torch.__version__}")
print(f"CUDA available: {torch.cuda.is_available()}")

Libraries imported successfully!
PyTorch version: 2.7.0+cu126
CUDA available: True


In [2]:
def auror_defense(grad_vectors, attention_heads=4):
    """
    AUROR: Multi-head attention mechanism to identify malicious updates
    Uses self-attention to weigh client contributions
    
    Args:
        grad_vectors: List of gradient vectors from clients
        attention_heads: Number of attention heads
    
    Returns:
        benign_mask: Boolean array indicating benign clients
    """
    n_clients = len(grad_vectors)
    X = np.array(grad_vectors)
    
    # Simplified multi-head attention
    head_scores = []
    
    for h in range(attention_heads):
        # Random projection for each head
        np.random.seed(42 + h)
        proj_dim = min(100, X.shape[1] // 2)
        W = np.random.randn(X.shape[1], proj_dim) * 0.01
        
        # Project gradients
        X_proj = X @ W
        
        # Compute attention scores (similarity to mean)
        mean_proj = np.mean(X_proj, axis=0)
        scores = np.zeros(n_clients)
        
        for i in range(n_clients):
            # Cosine similarity to mean
            scores[i] = np.dot(X_proj[i], mean_proj) / (
                np.linalg.norm(X_proj[i]) * np.linalg.norm(mean_proj) + 1e-8
            )
        
        head_scores.append(scores)
    
    # Average scores across heads
    avg_scores = np.mean(head_scores, axis=0)
    
    # Select top clients (above median)
    threshold = np.median(avg_scores)
    benign_mask = avg_scores >= threshold
    
    return benign_mask

In [3]:
def rfa_defense(grad_vectors, max_iter=100, tol=1e-5):
    """
    RFA: Uses geometric median instead of mean (more robust to outliers)
    Weierstrass algorithm for geometric median computation
    
    Args:
        grad_vectors: List of gradient vectors from clients
        max_iter: Maximum iterations for geometric median
        tol: Convergence tolerance
    
    Returns:
        benign_mask: Boolean array indicating benign clients
    """
    n_clients = len(grad_vectors)
    X = np.array(grad_vectors)
    
    # Compute geometric median using Weierstrass algorithm
    median = np.median(X, axis=0)  # Initialize with coordinate median
    
    for iteration in range(max_iter):
        prev_median = median.copy()
        
        # Compute distances to current median
        distances = np.linalg.norm(X - median, axis=1)
        
        # Avoid division by zero
        distances = np.maximum(distances, 1e-8)
        
        # Weighted update
        weights = 1.0 / distances
        weights = weights / np.sum(weights)
        
        median = np.sum(X * weights[:, np.newaxis], axis=0)
        
        # Check convergence
        if np.linalg.norm(median - prev_median) < tol:
            break
    
    # Compute distances to geometric median
    distances_to_median = np.linalg.norm(X - median, axis=1)
    
    # Use MAD (Median Absolute Deviation) for robust thresholding
    mad = np.median(np.abs(distances_to_median - np.median(distances_to_median)))
    threshold = np.median(distances_to_median) + 2.5 * mad
    
    benign_mask = distances_to_median <= threshold
    
    return benign_mask

## Model Definitions

In [4]:
class SimpleCNN(nn.Module):
    """Simple CNN for MNIST and Fashion-MNIST"""
    def __init__(self, input_channels=1, num_classes=10):
        super().__init__()
        self.conv = nn.Sequential(
            nn.Conv2d(input_channels, 32, 3, padding=1),
            nn.ReLU(),
            nn.MaxPool2d(2),
            nn.Conv2d(32, 64, 3, padding=1),
            nn.ReLU(),
            nn.MaxPool2d(2)
        )
        self.fc = nn.Sequential(
            nn.Flatten(),
            nn.Linear(64*7*7 if input_channels==1 else 64*8*8, 128),
            nn.ReLU(),
            nn.Linear(128, num_classes)
        )
    
    def forward(self, x):
        return self.fc(self.conv(x))

def get_resnet18(num_classes=10):
    """ResNet18 adapted for CIFAR-10"""
    model = torchvision.models.resnet18(pretrained=False)
    model.conv1 = nn.Conv2d(3, 64, kernel_size=3, stride=1, padding=1, bias=False)
    model.maxpool = nn.Identity()
    model.fc = nn.Linear(model.fc.in_features, num_classes)
    return model

print("Model architectures defined!")

Model architectures defined!


## Utility Functions

In [5]:
def model_to_vector(model):
    """Convert model parameters to a flat numpy vector"""
    return torch.cat([p.detach().flatten() for p in model.parameters()]).cpu().numpy()

def vector_to_model(model, vec):
    """Load vector into model parameters"""
    ptr = 0
    for p in model.parameters():
        num = p.numel()
        p.data.copy_(torch.tensor(vec[ptr:ptr+num]).view_as(p.data))
        ptr += num

def subtract_model_params(m_new, m_old):
    """Compute parameter update: new - old"""
    v_new = model_to_vector(m_new)
    v_old = model_to_vector(m_old)
    return v_new - v_old

def set_seed(seed):
    """Set random seeds for reproducibility"""
    random.seed(seed)
    np.random.seed(seed)
    torch.manual_seed(seed)
    torch.cuda.manual_seed_all(seed)

print("Utility functions defined!")

Utility functions defined!


## Attack Implementations

In [6]:
def sign_flip_update(grad_vec):
    """Sign flipping attack: negate the gradient update"""
    return -grad_vec

def lie_attack_simulation(global_mean, global_std, beta=1.5):
    """LIE attack: craft malicious update near mean but in negative direction"""
    sign = -1.0
    return global_mean + sign * beta * global_std

print("Attack functions defined!")

Attack functions defined!


## Federated Learning Utilities

In [7]:
def local_train(model, train_loader, device, epochs=1, lr=0.01):
    """Train model locally for specified epochs"""
    model.train()
    criterion = nn.CrossEntropyLoss()
    optimizer = optim.SGD(model.parameters(), lr=lr)
    
    for e in range(epochs):
        for x, y in train_loader:
            x, y = x.to(device), y.to(device)
            optimizer.zero_grad()
            out = model(x)
            loss = criterion(out, y)
            loss.backward()
            optimizer.step()

def fedavg(models):
    """Federated Averaging: average model parameters"""
    avg = {}
    for k in models[0].keys():
        avg[k] = sum([m[k].float() for m in models]) / len(models)
    return avg

def evaluate(model, dataloader, device):
    """Evaluate model accuracy on test set"""
    model.eval()
    correct = 0
    total = 0
    
    with torch.no_grad():
        for x, y in dataloader:
            x, y = x.to(device), y.to(device)
            out = model(x)
            preds = out.argmax(dim=1)
            correct += (preds == y).sum().item()
            total += y.size(0)
    
    return correct / total

print("Federated learning functions defined!")

Federated learning functions defined!


## NC-FLD Defense: Weight Pruning, PCA, and Classification

In [8]:
def select_top_by_magnitude(grad_vec, keep_ratio):
    """Select top parameters by magnitude (weight pruning step)"""
    magnitudes = np.abs(grad_vec)
    threshold = np.quantile(magnitudes, 1 - keep_ratio)
    mask = magnitudes > threshold
    return grad_vec[mask], mask

def build_feature_matrix(selected_vectors):
    """Build feature matrix from selected parameters (pad to max length)"""
    max_len = max([v.shape[0] for v in selected_vectors])
    X = np.zeros((len(selected_vectors), max_len), dtype=np.float32)
    for i, v in enumerate(selected_vectors):
        X[i, :v.shape[0]] = v
    return X

def apply_pca(X, n_components=2):
    """Apply PCA for dimensionality reduction"""
    pca = PCA(n_components=n_components)
    Z = pca.fit_transform(X)
    return Z, pca

def classify_embeddings(Z, method='ocsvm'):
    """Classify clients as benign (True) or malicious (False)"""
    if method == 'ocsvm':
        clf = OneClassSVM(kernel='rbf', nu=0.1, gamma='scale')
        clf.fit(Z)
        preds = clf.predict(Z)  # +1 inlier, -1 outlier
        return (preds == 1).astype(bool)
    
    elif method == 'agg':
        cl = AgglomerativeClustering(n_clusters=2, linkage='average')
        labels = cl.fit_predict(Z)
        counts = np.bincount(labels)
        benign_label = np.argmax(counts)
        return (labels == benign_label).astype(bool)
    
    elif method == 'knn':
        k = 4
        kn = KNeighborsClassifier(n_neighbors=k, metric='manhattan')
        agg = AgglomerativeClustering(n_clusters=2)
        pseudo = agg.fit_predict(Z)
        counts = np.bincount(pseudo)
        benign_label = np.argmax(counts)
        y = (pseudo == benign_label).astype(int)
        kn.fit(Z, y)
        preds = kn.predict(Z)
        return (preds == 1).astype(bool)
    elif method == 'auror':
        aur = auror_defense(Z, attention_heads=4)
        return aur
    elif method == 'rfa':
        rffaa = rfa_defense(Z, max_iter=100)
        return rffaa
        
    
    else:
        raise ValueError(f'Unknown defense method: {method}')

print("NC-FLD defense functions defined!")

NC-FLD defense functions defined!


## Main Simulation Function

In [9]:
# Create named tuple for experiment configuration
ExpConfig = namedtuple('ExpConfig', ['dataset', 'clients', 'rounds', 'local_epochs', 
                                     'lr', 'attack', 'malicious_ratio', 'defense', 
                                     'keep_ratio', 'seed', 'log_interval'])

def simulate(config):
    """
    Run federated learning simulation with NC-FLD defense
    
    Args:
        config: ExpConfig object with experiment parameters
    
    Returns:
        results: List of test accuracies per round
    """
    device = torch.device('cuda' if torch.cuda.is_available() else 'cpu')
    set_seed(config.seed)
    
    # Dataset setup
    if config.dataset == 'mnist':
        transform = transforms.Compose([transforms.ToTensor(), 
                                       transforms.Normalize((0.5,), (0.5,))])
        trainset = torchvision.datasets.MNIST(root='./data', train=True, 
                                             download=True, transform=transform)
        testset = torchvision.datasets.MNIST(root='./data', train=False, 
                                            download=True, transform=transform)
        model_fn = lambda: SimpleCNN(input_channels=1, num_classes=10)
        batch_size = 32
        flip_map = {7: 1}
    
    elif config.dataset == 'fmnist':
        transform = transforms.Compose([transforms.ToTensor(), 
                                       transforms.Normalize((0.5,), (0.5,))])
        trainset = torchvision.datasets.FashionMNIST(root='./data', train=True, 
                                                     download=True, transform=transform)
        testset = torchvision.datasets.FashionMNIST(root='./data', train=False, 
                                                    download=True, transform=transform)
        model_fn = lambda: SimpleCNN(input_channels=1, num_classes=10)
        batch_size = 25
        flip_map = {0: 6, 6: 0}
    
    elif config.dataset == 'cifar10':
        transform = transforms.Compose([transforms.ToTensor(), 
                                       transforms.Normalize((0.5, 0.5, 0.5), 
                                                          (0.5, 0.5, 0.5))])
        trainset = torchvision.datasets.CIFAR10(root='./data', train=True, 
                                               download=True, transform=transform)
        testset = torchvision.datasets.CIFAR10(root='./data', train=False, 
                                              download=True, transform=transform)
        model_fn = lambda: get_resnet18(num_classes=10)
        batch_size = 100
        flip_map = {5: 3}  # dog -> cat
    
    else:
        raise NotImplementedError(f'Dataset {config.dataset} not implemented')
    
    # Create client data shards
    total_train = len(trainset)
    indices = list(range(total_train))
    random.shuffle(indices)
    shards = np.array_split(indices, config.clients)
    
    client_loaders = []
    for s in shards:
        sub = Subset(trainset, s)
        loader = DataLoader(sub, batch_size=batch_size, shuffle=True)
        client_loaders.append(loader)
    
    testloader = DataLoader(testset, batch_size=256, shuffle=False)
    
    # Select malicious clients
    num_mal = int(config.malicious_ratio * config.clients)
    mal_indices = set(random.sample(range(config.clients), num_mal))
    print(f"Malicious clients: {sorted(list(mal_indices))} (count={num_mal})")
    
    # Initialize global model
    global_model = model_fn().to(device)
    global_state = copy.deepcopy(global_model.state_dict())
    
    # Main federated learning rounds
    results = []
    for r in trange(config.rounds, desc='Training Rounds'):
        local_states = []
        grad_vectors = []
        raw_masks = []
        
        # Local training for each client
        for c in range(config.clients):
            model_c = model_fn().to(device)
            model_c.load_state_dict(global_state)
            old_model = copy.deepcopy(model_c)
            
            # Label flip attack: poison training data
            if config.attack == 'label_flip' and c in mal_indices:
                ds_indices = shards[c]
                poison_list = []
                for idx in ds_indices:
                    x, y = trainset[idx]
                    y_ = flip_map.get(int(y), int(y))
                    poison_list.append((x, y_))
                poisoned_loader = DataLoader(poison_list, batch_size=batch_size, shuffle=True)
                local_train(model_c, poisoned_loader, device, 
                          epochs=config.local_epochs, lr=config.lr)
            else:
                local_train(model_c, client_loaders[c], device, 
                          epochs=config.local_epochs, lr=config.lr)
            
            # Compute update vector
            diff_vec = subtract_model_params(model_c, old_model)
            
            # Model poisoning attacks
            if c in mal_indices and config.attack == 'sign_flip':
                diff_vec = sign_flip_update(diff_vec)
            
            if c in mal_indices and config.attack == 'lie':
                if len(grad_vectors) > 0:
                    global_mean = np.mean(np.stack(grad_vectors), axis=0)
                    global_std = np.std(np.stack(grad_vectors), axis=0) + 1e-6
                    diff_vec = lie_attack_simulation(global_mean, global_std, beta=1.0)
                else:
                    diff_vec = sign_flip_update(diff_vec)
            
            grad_vectors.append(diff_vec)
            local_states.append(model_c.state_dict())
        
        # NC-FLD Defense: Weight Pruning
        selected_vecs = []
        for vec in grad_vectors:
            sel, mask = select_top_by_magnitude(vec, config.keep_ratio)
            selected_vecs.append(sel)
            raw_masks.append(mask)
        
        # Build feature matrix and apply PCA
        X = build_feature_matrix(selected_vecs)
        Z, pca = apply_pca(X, n_components=2)
        
        # Classify clients
        benign_mask = classify_embeddings(Z, method=config.defense)
        benign_indices = [i for i, b in enumerate(benign_mask) if b]
        
        if len(benign_indices) == 0:
            print("Warning: all clients classified malicious; skipping aggregation")
            continue
        
        # Aggregate benign clients (FedAvg)
        benign_states = [local_states[i] for i in benign_indices]
        new_global_state = fedavg(benign_states)
        global_state = new_global_state
        
        # Evaluate
        global_model.load_state_dict(global_state)
        acc = evaluate(global_model, testloader, device)
        results.append(acc)
        
        if (r + 1) % config.log_interval == 0:
            print(f"Round {r+1}/{config.rounds} - Test Acc: {acc:.4f} - "
                  f"Included: {len(benign_indices)}/{config.clients}")
    
    final_acc = results[-1] if len(results) > 0 else None
    print(f"Final test accuracy: {final_acc:.4f}")
    
    # Save the final model
    import os
    os.makedirs('models', exist_ok=True)
    model_filename = f"models/{config.dataset}_{config.attack}_mr{config.malicious_ratio}_{config.defense}_final.pth"
    torch.save(global_model.state_dict(), model_filename)
    print(f"Model saved to: {model_filename}")
    
    return results, final_acc

print("Simulation function defined!")

Simulation function defined!


## Initialize Results Storage

In [10]:
# Storage for all experiment results
all_results = []

print("Results storage initialized!")

Results storage initialized!


---
# MNIST Experiments (20 clients)
## Label Flip Attack

In [11]:
for ratio in [0.1, 0.2, 0.3, 0.4, 0.5, 0.6]:
    config = ExpConfig(dataset='mnist', clients=20, rounds=50, local_epochs=1, lr=0.01,
                       attack='label_flip', malicious_ratio=ratio, defense='auror',
                       keep_ratio=0.15, seed=42, log_interval=10)
    round_accs, final_acc = simulate(config)
    all_results.append({'dataset': 'mnist', 'attack': 'label_flip', 'malicious_ratio': ratio,
                       'defense': 'auror', 'final_accuracy': final_acc, 'round_accuracies': round_accs})

100%|██████████| 9.91M/9.91M [00:03<00:00, 2.50MB/s]
100%|██████████| 28.9k/28.9k [00:00<00:00, 128kB/s]
100%|██████████| 1.65M/1.65M [00:01<00:00, 1.25MB/s]
100%|██████████| 4.54k/4.54k [00:00<?, ?B/s]


Malicious clients: [2, 13] (count=2)


Training Rounds:  20%|██        | 10/50 [02:19<09:19, 13.98s/it]

Round 10/50 - Test Acc: 0.9262 - Included: 10/20


Training Rounds:  40%|████      | 20/50 [04:33<06:42, 13.41s/it]

Round 20/50 - Test Acc: 0.9566 - Included: 10/20


Training Rounds:  60%|██████    | 30/50 [06:46<04:25, 13.25s/it]

Round 30/50 - Test Acc: 0.9689 - Included: 10/20


Training Rounds:  80%|████████  | 40/50 [08:59<02:15, 13.58s/it]

Round 40/50 - Test Acc: 0.9743 - Included: 10/20


Training Rounds: 100%|██████████| 50/50 [11:10<00:00, 13.40s/it]


Round 50/50 - Test Acc: 0.9793 - Included: 10/20
Final test accuracy: 0.9793
Model saved to: models/mnist_label_flip_mr0.1_auror_final.pth
Malicious clients: [2, 10, 13, 14] (count=4)


Training Rounds:  20%|██        | 10/50 [02:09<08:41, 13.04s/it]

Round 10/50 - Test Acc: 0.9239 - Included: 10/20


Training Rounds:  40%|████      | 20/50 [04:21<06:42, 13.40s/it]

Round 20/50 - Test Acc: 0.9552 - Included: 10/20


Training Rounds:  60%|██████    | 30/50 [06:39<04:32, 13.60s/it]

Round 30/50 - Test Acc: 0.9627 - Included: 10/20


Training Rounds:  80%|████████  | 40/50 [08:57<02:17, 13.79s/it]

Round 40/50 - Test Acc: 0.9658 - Included: 10/20


Training Rounds: 100%|██████████| 50/50 [11:13<00:00, 13.47s/it]


Round 50/50 - Test Acc: 0.9759 - Included: 10/20
Final test accuracy: 0.9759
Model saved to: models/mnist_label_flip_mr0.2_auror_final.pth
Malicious clients: [2, 5, 10, 13, 14, 16] (count=6)


Training Rounds:  20%|██        | 10/50 [02:14<08:55, 13.40s/it]

Round 10/50 - Test Acc: 0.8815 - Included: 10/20


Training Rounds:  40%|████      | 20/50 [04:28<06:40, 13.36s/it]

Round 20/50 - Test Acc: 0.9492 - Included: 10/20


Training Rounds:  60%|██████    | 30/50 [06:43<04:31, 13.56s/it]

Round 30/50 - Test Acc: 0.9689 - Included: 10/20


Training Rounds:  80%|████████  | 40/50 [09:01<02:17, 13.72s/it]

Round 40/50 - Test Acc: 0.9093 - Included: 10/20


Training Rounds: 100%|██████████| 50/50 [11:19<00:00, 13.58s/it]


Round 50/50 - Test Acc: 0.8808 - Included: 10/20
Final test accuracy: 0.8808
Model saved to: models/mnist_label_flip_mr0.3_auror_final.pth
Malicious clients: [0, 2, 5, 10, 13, 14, 16, 19] (count=8)


Training Rounds:  20%|██        | 10/50 [02:19<09:20, 14.01s/it]

Round 10/50 - Test Acc: 0.8354 - Included: 10/20


Training Rounds:  40%|████      | 20/50 [04:37<06:55, 13.84s/it]

Round 20/50 - Test Acc: 0.8610 - Included: 10/20


Training Rounds:  60%|██████    | 30/50 [07:08<04:49, 14.48s/it]

Round 30/50 - Test Acc: 0.9704 - Included: 10/20


Training Rounds:  80%|████████  | 40/50 [09:39<02:27, 14.75s/it]

Round 40/50 - Test Acc: 0.8771 - Included: 10/20


Training Rounds: 100%|██████████| 50/50 [12:03<00:00, 14.47s/it]


Round 50/50 - Test Acc: 0.8789 - Included: 10/20
Final test accuracy: 0.8789
Model saved to: models/mnist_label_flip_mr0.4_auror_final.pth
Malicious clients: [0, 2, 5, 7, 9, 10, 13, 14, 16, 19] (count=10)


Training Rounds:  20%|██        | 10/50 [02:25<09:41, 14.54s/it]

Round 10/50 - Test Acc: 0.8375 - Included: 10/20


Training Rounds:  40%|████      | 20/50 [04:50<07:10, 14.34s/it]

Round 20/50 - Test Acc: 0.8607 - Included: 10/20


Training Rounds:  60%|██████    | 30/50 [07:15<04:42, 14.11s/it]

Round 30/50 - Test Acc: 0.9683 - Included: 10/20


Training Rounds:  80%|████████  | 40/50 [09:36<02:20, 14.05s/it]

Round 40/50 - Test Acc: 0.8765 - Included: 10/20


Training Rounds: 100%|██████████| 50/50 [12:00<00:00, 14.40s/it]


Round 50/50 - Test Acc: 0.8799 - Included: 10/20
Final test accuracy: 0.8799
Model saved to: models/mnist_label_flip_mr0.5_auror_final.pth
Malicious clients: [0, 1, 2, 5, 7, 8, 9, 10, 13, 14, 16, 19] (count=12)


Training Rounds:  20%|██        | 10/50 [02:22<09:31, 14.30s/it]

Round 10/50 - Test Acc: 0.9035 - Included: 10/20


Training Rounds:  40%|████      | 20/50 [04:46<07:18, 14.63s/it]

Round 20/50 - Test Acc: 0.9532 - Included: 10/20


Training Rounds:  60%|██████    | 30/50 [07:23<05:13, 15.69s/it]

Round 30/50 - Test Acc: 0.8724 - Included: 10/20


Training Rounds:  80%|████████  | 40/50 [09:57<02:31, 15.15s/it]

Round 40/50 - Test Acc: 0.8766 - Included: 10/20


Training Rounds: 100%|██████████| 50/50 [12:30<00:00, 15.02s/it]

Round 50/50 - Test Acc: 0.8802 - Included: 10/20
Final test accuracy: 0.8802
Model saved to: models/mnist_label_flip_mr0.6_auror_final.pth





In [12]:
for ratio in [0.1, 0.2, 0.3, 0.4, 0.5, 0.6]:
    config = ExpConfig(dataset='mnist', clients=20, rounds=50, local_epochs=1, lr=0.01,
                       attack='sign_flip', malicious_ratio=ratio, defense='auror',
                       keep_ratio=0.15, seed=42, log_interval=10)
    round_accs, final_acc = simulate(config)
    all_results.append({'dataset': 'mnist', 'attack': 'sign_flip', 'malicious_ratio': ratio,
                       'defense': 'auror', 'final_accuracy': final_acc, 'round_accuracies': round_accs})

Malicious clients: [2, 13] (count=2)


Training Rounds:  20%|██        | 10/50 [02:19<09:07, 13.69s/it]

Round 10/50 - Test Acc: 0.9285 - Included: 10/20


Training Rounds:  40%|████      | 20/50 [04:36<06:52, 13.76s/it]

Round 20/50 - Test Acc: 0.9580 - Included: 10/20


Training Rounds:  60%|██████    | 30/50 [07:02<04:53, 14.68s/it]

Round 30/50 - Test Acc: 0.9686 - Included: 10/20


Training Rounds:  80%|████████  | 40/50 [09:25<02:20, 14.07s/it]

Round 40/50 - Test Acc: 0.9766 - Included: 10/20


Training Rounds: 100%|██████████| 50/50 [11:54<00:00, 14.28s/it]


Round 50/50 - Test Acc: 0.9792 - Included: 10/20
Final test accuracy: 0.9792
Model saved to: models/mnist_sign_flip_mr0.1_auror_final.pth
Malicious clients: [2, 10, 13, 14] (count=4)


Training Rounds:  20%|██        | 10/50 [02:26<09:53, 14.84s/it]

Round 10/50 - Test Acc: 0.9309 - Included: 10/20


Training Rounds:  40%|████      | 20/50 [05:07<08:18, 16.62s/it]

Round 20/50 - Test Acc: 0.9584 - Included: 10/20


Training Rounds:  60%|██████    | 30/50 [07:52<05:25, 16.28s/it]

Round 30/50 - Test Acc: 0.9702 - Included: 10/20


Training Rounds:  80%|████████  | 40/50 [10:12<02:11, 13.12s/it]

Round 40/50 - Test Acc: 0.9762 - Included: 10/20


Training Rounds: 100%|██████████| 50/50 [12:18<00:00, 14.77s/it]


Round 50/50 - Test Acc: 0.9793 - Included: 10/20
Final test accuracy: 0.9793
Model saved to: models/mnist_sign_flip_mr0.2_auror_final.pth
Malicious clients: [2, 5, 10, 13, 14, 16] (count=6)


Training Rounds:  20%|██        | 10/50 [02:04<08:20, 12.51s/it]

Round 10/50 - Test Acc: 0.9292 - Included: 10/20


Training Rounds:  40%|████      | 20/50 [04:12<06:26, 12.90s/it]

Round 20/50 - Test Acc: 0.9588 - Included: 10/20


Training Rounds:  60%|██████    | 30/50 [06:22<04:18, 12.94s/it]

Round 30/50 - Test Acc: 0.9695 - Included: 10/20


Training Rounds:  80%|████████  | 40/50 [08:34<02:12, 13.24s/it]

Round 40/50 - Test Acc: 0.9761 - Included: 10/20


Training Rounds: 100%|██████████| 50/50 [10:45<00:00, 12.91s/it]


Round 50/50 - Test Acc: 0.9790 - Included: 10/20
Final test accuracy: 0.9790
Model saved to: models/mnist_sign_flip_mr0.3_auror_final.pth
Malicious clients: [0, 2, 5, 10, 13, 14, 16, 19] (count=8)


Training Rounds:  20%|██        | 10/50 [02:07<08:31, 12.78s/it]

Round 10/50 - Test Acc: 0.9288 - Included: 10/20


Training Rounds:  40%|████      | 20/50 [04:17<06:27, 12.91s/it]

Round 20/50 - Test Acc: 0.9587 - Included: 10/20


Training Rounds:  60%|██████    | 30/50 [06:26<04:18, 12.93s/it]

Round 30/50 - Test Acc: 0.9700 - Included: 10/20


Training Rounds:  80%|████████  | 40/50 [08:34<02:08, 12.85s/it]

Round 40/50 - Test Acc: 0.9752 - Included: 10/20


Training Rounds: 100%|██████████| 50/50 [10:43<00:00, 12.86s/it]


Round 50/50 - Test Acc: 0.9791 - Included: 10/20
Final test accuracy: 0.9791
Model saved to: models/mnist_sign_flip_mr0.4_auror_final.pth
Malicious clients: [0, 2, 5, 7, 9, 10, 13, 14, 16, 19] (count=10)


Training Rounds:  20%|██        | 10/50 [02:08<08:35, 12.88s/it]

Round 10/50 - Test Acc: 0.9316 - Included: 10/20


Training Rounds:  40%|████      | 20/50 [04:17<06:25, 12.86s/it]

Round 20/50 - Test Acc: 0.9608 - Included: 10/20


Training Rounds:  60%|██████    | 30/50 [06:26<04:16, 12.84s/it]

Round 30/50 - Test Acc: 0.9708 - Included: 10/20


Training Rounds:  80%|████████  | 40/50 [08:36<02:09, 12.94s/it]

Round 40/50 - Test Acc: 0.9754 - Included: 10/20


Training Rounds: 100%|██████████| 50/50 [10:44<00:00, 12.89s/it]


Round 50/50 - Test Acc: 0.9792 - Included: 10/20
Final test accuracy: 0.9792
Model saved to: models/mnist_sign_flip_mr0.5_auror_final.pth
Malicious clients: [0, 1, 2, 5, 7, 8, 9, 10, 13, 14, 16, 19] (count=12)


Training Rounds:  20%|██        | 10/50 [02:08<08:36, 12.91s/it]

Round 10/50 - Test Acc: 0.9304 - Included: 10/20


Training Rounds:  40%|████      | 20/50 [04:17<06:29, 12.98s/it]

Round 20/50 - Test Acc: 0.9574 - Included: 10/20


Training Rounds:  60%|██████    | 30/50 [06:27<04:18, 12.90s/it]

Round 30/50 - Test Acc: 0.9702 - Included: 10/20


Training Rounds:  80%|████████  | 40/50 [08:36<02:10, 13.02s/it]

Round 40/50 - Test Acc: 0.9759 - Included: 10/20


Training Rounds: 100%|██████████| 50/50 [10:46<00:00, 12.92s/it]

Round 50/50 - Test Acc: 0.9785 - Included: 10/20
Final test accuracy: 0.9785
Model saved to: models/mnist_sign_flip_mr0.6_auror_final.pth





In [13]:
for ratio in [0.1, 0.2, 0.3, 0.4, 0.5, 0.6]:
    config = ExpConfig(dataset='mnist', clients=20, rounds=50, local_epochs=1, lr=0.01,
                       attack='lie', malicious_ratio=ratio, defense='auror',
                       keep_ratio=0.15, seed=42, log_interval=10)
    round_accs, final_acc = simulate(config)
    all_results.append({'dataset': 'mnist', 'attack': 'lie', 'malicious_ratio': ratio,
                       'defense': 'auror', 'final_accuracy': final_acc, 'round_accuracies': round_accs})

Malicious clients: [2, 13] (count=2)


Training Rounds:  20%|██        | 10/50 [02:09<08:37, 12.94s/it]

Round 10/50 - Test Acc: 0.9290 - Included: 10/20


Training Rounds:  40%|████      | 20/50 [04:19<06:27, 12.91s/it]

Round 20/50 - Test Acc: 0.9582 - Included: 10/20


Training Rounds:  60%|██████    | 30/50 [06:27<04:15, 12.78s/it]

Round 30/50 - Test Acc: 0.9696 - Included: 10/20


Training Rounds:  80%|████████  | 40/50 [08:35<02:08, 12.86s/it]

Round 40/50 - Test Acc: 0.9765 - Included: 10/20


Training Rounds: 100%|██████████| 50/50 [10:45<00:00, 12.90s/it]


Round 50/50 - Test Acc: 0.9791 - Included: 10/20
Final test accuracy: 0.9791
Model saved to: models/mnist_lie_mr0.1_auror_final.pth
Malicious clients: [2, 10, 13, 14] (count=4)


Training Rounds:  20%|██        | 10/50 [02:09<08:38, 12.96s/it]

Round 10/50 - Test Acc: 0.9296 - Included: 10/20


Training Rounds:  40%|████      | 20/50 [04:19<06:28, 12.94s/it]

Round 20/50 - Test Acc: 0.9584 - Included: 10/20


Training Rounds:  60%|██████    | 30/50 [06:28<04:18, 12.92s/it]

Round 30/50 - Test Acc: 0.9687 - Included: 10/20


Training Rounds:  80%|████████  | 40/50 [08:37<02:07, 12.74s/it]

Round 40/50 - Test Acc: 0.9758 - Included: 10/20


Training Rounds: 100%|██████████| 50/50 [10:47<00:00, 12.95s/it]


Round 50/50 - Test Acc: 0.9794 - Included: 10/20
Final test accuracy: 0.9794
Model saved to: models/mnist_lie_mr0.2_auror_final.pth
Malicious clients: [2, 5, 10, 13, 14, 16] (count=6)


Training Rounds:  20%|██        | 10/50 [02:09<08:37, 12.94s/it]

Round 10/50 - Test Acc: 0.9290 - Included: 10/20


Training Rounds:  40%|████      | 20/50 [04:20<06:30, 13.01s/it]

Round 20/50 - Test Acc: 0.9585 - Included: 10/20


Training Rounds:  60%|██████    | 30/50 [06:30<04:20, 13.00s/it]

Round 30/50 - Test Acc: 0.9698 - Included: 10/20


Training Rounds:  80%|████████  | 40/50 [08:40<02:10, 13.08s/it]

Round 40/50 - Test Acc: 0.9757 - Included: 10/20


Training Rounds: 100%|██████████| 50/50 [10:50<00:00, 13.01s/it]


Round 50/50 - Test Acc: 0.9796 - Included: 10/20
Final test accuracy: 0.9796
Model saved to: models/mnist_lie_mr0.3_auror_final.pth
Malicious clients: [0, 2, 5, 10, 13, 14, 16, 19] (count=8)


Training Rounds:  20%|██        | 10/50 [02:10<08:42, 13.05s/it]

Round 10/50 - Test Acc: 0.9308 - Included: 10/20


Training Rounds:  40%|████      | 20/50 [04:21<06:30, 13.02s/it]

Round 20/50 - Test Acc: 0.9587 - Included: 10/20


Training Rounds:  60%|██████    | 30/50 [06:31<04:19, 12.99s/it]

Round 30/50 - Test Acc: 0.9690 - Included: 10/20


Training Rounds:  80%|████████  | 40/50 [08:42<02:10, 13.09s/it]

Round 40/50 - Test Acc: 0.9760 - Included: 10/20


Training Rounds: 100%|██████████| 50/50 [10:52<00:00, 13.05s/it]


Round 50/50 - Test Acc: 0.9790 - Included: 10/20
Final test accuracy: 0.9790
Model saved to: models/mnist_lie_mr0.4_auror_final.pth
Malicious clients: [0, 2, 5, 7, 9, 10, 13, 14, 16, 19] (count=10)


Training Rounds:  20%|██        | 10/50 [02:11<08:43, 13.10s/it]

Round 10/50 - Test Acc: 0.9302 - Included: 10/20


Training Rounds:  40%|████      | 20/50 [04:22<06:34, 13.14s/it]

Round 20/50 - Test Acc: 0.9584 - Included: 10/20


Training Rounds:  60%|██████    | 30/50 [06:33<04:20, 13.01s/it]

Round 30/50 - Test Acc: 0.9697 - Included: 10/20


Training Rounds:  80%|████████  | 40/50 [08:44<02:10, 13.06s/it]

Round 40/50 - Test Acc: 0.9759 - Included: 10/20


Training Rounds: 100%|██████████| 50/50 [10:54<00:00, 13.10s/it]


Round 50/50 - Test Acc: 0.9795 - Included: 10/20
Final test accuracy: 0.9795
Model saved to: models/mnist_lie_mr0.5_auror_final.pth
Malicious clients: [0, 1, 2, 5, 7, 8, 9, 10, 13, 14, 16, 19] (count=12)


Training Rounds:  20%|██        | 10/50 [02:11<08:45, 13.13s/it]

Round 10/50 - Test Acc: 0.9295 - Included: 10/20


Training Rounds:  40%|████      | 20/50 [04:25<06:47, 13.58s/it]

Round 20/50 - Test Acc: 0.9588 - Included: 10/20


Training Rounds:  60%|██████    | 30/50 [06:47<04:32, 13.61s/it]

Round 30/50 - Test Acc: 0.9689 - Included: 10/20


Training Rounds:  80%|████████  | 40/50 [08:59<02:11, 13.17s/it]

Round 40/50 - Test Acc: 0.9757 - Included: 10/20


Training Rounds: 100%|██████████| 50/50 [11:10<00:00, 13.40s/it]

Round 50/50 - Test Acc: 0.9793 - Included: 10/20
Final test accuracy: 0.9793
Model saved to: models/mnist_lie_mr0.6_auror_final.pth





In [14]:
for ratio in [0.1, 0.2, 0.3, 0.4, 0.5, 0.6]:
    config = ExpConfig(dataset='mnist', clients=100, rounds=100, local_epochs=1, lr=0.01,
                       attack='lie', malicious_ratio=ratio, defense='rfa',
                       keep_ratio=0.15, seed=42, log_interval=10)
    round_accs, final_acc = simulate(config)
    all_results.append({'dataset': 'mnist', 'attack': 'lie', 'malicious_ratio': ratio,
                       'defense': 'rfa', 'final_accuracy': final_acc, 'round_accuracies': round_accs})

Malicious clients: [5, 8, 20, 41, 54, 59, 72, 80, 83, 84] (count=10)


Training Rounds:  10%|█         | 10/100 [02:24<21:33, 14.38s/it]

Round 10/100 - Test Acc: 0.6858 - Included: 89/100


Training Rounds:  20%|██        | 20/100 [04:49<19:21, 14.51s/it]

Round 20/100 - Test Acc: 0.8705 - Included: 83/100


Training Rounds:  30%|███       | 30/100 [07:14<16:50, 14.44s/it]

Round 30/100 - Test Acc: 0.9049 - Included: 84/100


Training Rounds:  40%|████      | 40/100 [09:37<14:23, 14.38s/it]

Round 40/100 - Test Acc: 0.9207 - Included: 82/100


Training Rounds:  50%|█████     | 50/100 [12:02<12:05, 14.51s/it]

Round 50/100 - Test Acc: 0.9308 - Included: 87/100


Training Rounds:  60%|██████    | 60/100 [14:26<09:38, 14.47s/it]

Round 60/100 - Test Acc: 0.9390 - Included: 81/100


Training Rounds:  70%|███████   | 70/100 [16:51<07:13, 14.47s/it]

Round 70/100 - Test Acc: 0.9450 - Included: 86/100


Training Rounds:  80%|████████  | 80/100 [19:17<04:51, 14.58s/it]

Round 80/100 - Test Acc: 0.9495 - Included: 83/100


Training Rounds:  90%|█████████ | 90/100 [21:42<02:25, 14.57s/it]

Round 90/100 - Test Acc: 0.9549 - Included: 83/100


Training Rounds: 100%|██████████| 100/100 [24:07<00:00, 14.48s/it]


Round 100/100 - Test Acc: 0.9592 - Included: 84/100
Final test accuracy: 0.9592
Model saved to: models/mnist_lie_mr0.1_rfa_final.pth
Malicious clients: [5, 8, 12, 20, 23, 35, 41, 54, 59, 65, 72, 76, 78, 80, 83, 84, 87, 88, 93, 99] (count=20)


Training Rounds:  10%|█         | 10/100 [02:33<23:02, 15.36s/it]

Round 10/100 - Test Acc: 0.6840 - Included: 80/100


Training Rounds:  20%|██        | 20/100 [05:07<20:29, 15.37s/it]

Round 20/100 - Test Acc: 0.8712 - Included: 76/100


Training Rounds:  30%|███       | 30/100 [07:40<17:50, 15.29s/it]

Round 30/100 - Test Acc: 0.9061 - Included: 78/100


Training Rounds:  40%|████      | 40/100 [10:12<15:15, 15.25s/it]

Round 40/100 - Test Acc: 0.9213 - Included: 74/100


Training Rounds:  50%|█████     | 50/100 [12:45<12:47, 15.35s/it]

Round 50/100 - Test Acc: 0.9314 - Included: 79/100


Training Rounds:  60%|██████    | 60/100 [15:18<10:10, 15.27s/it]

Round 60/100 - Test Acc: 0.9390 - Included: 76/100


Training Rounds:  70%|███████   | 70/100 [17:50<07:38, 15.28s/it]

Round 70/100 - Test Acc: 0.9456 - Included: 78/100


Training Rounds:  80%|████████  | 80/100 [20:23<05:05, 15.27s/it]

Round 80/100 - Test Acc: 0.9499 - Included: 76/100


Training Rounds:  90%|█████████ | 90/100 [22:56<02:33, 15.31s/it]

Round 90/100 - Test Acc: 0.9559 - Included: 79/100


Training Rounds: 100%|██████████| 100/100 [25:28<00:00, 15.29s/it]


Round 100/100 - Test Acc: 0.9595 - Included: 76/100
Final test accuracy: 0.9595
Model saved to: models/mnist_lie_mr0.2_rfa_final.pth
Malicious clients: [5, 8, 9, 10, 12, 15, 20, 23, 33, 35, 41, 42, 43, 54, 59, 60, 65, 66, 69, 71, 72, 76, 78, 80, 83, 84, 86, 91, 92, 97] (count=30)


Training Rounds:  10%|█         | 10/100 [02:37<23:51, 15.90s/it]

Round 10/100 - Test Acc: 0.6847 - Included: 69/100


Training Rounds:  20%|██        | 20/100 [05:16<21:08, 15.85s/it]

Round 20/100 - Test Acc: 0.8709 - Included: 68/100


Training Rounds:  30%|███       | 30/100 [07:53<18:23, 15.76s/it]

Round 30/100 - Test Acc: 0.9064 - Included: 69/100


Training Rounds:  40%|████      | 40/100 [10:31<15:49, 15.82s/it]

Round 40/100 - Test Acc: 0.9208 - Included: 69/100


Training Rounds:  50%|█████     | 50/100 [13:09<13:13, 15.88s/it]

Round 50/100 - Test Acc: 0.9311 - Included: 69/100


Training Rounds:  60%|██████    | 60/100 [15:47<10:33, 15.84s/it]

Round 60/100 - Test Acc: 0.9399 - Included: 68/100


Training Rounds:  70%|███████   | 70/100 [18:25<07:55, 15.86s/it]

Round 70/100 - Test Acc: 0.9462 - Included: 70/100


Training Rounds:  80%|████████  | 80/100 [21:03<05:16, 15.82s/it]

Round 80/100 - Test Acc: 0.9499 - Included: 67/100


Training Rounds:  90%|█████████ | 90/100 [23:41<02:37, 15.76s/it]

Round 90/100 - Test Acc: 0.9556 - Included: 69/100


Training Rounds: 100%|██████████| 100/100 [26:18<00:00, 15.79s/it]


Round 100/100 - Test Acc: 0.9590 - Included: 68/100
Final test accuracy: 0.9590
Model saved to: models/mnist_lie_mr0.3_rfa_final.pth
Malicious clients: [5, 8, 9, 10, 11, 12, 15, 20, 23, 32, 33, 34, 35, 36, 38, 41, 42, 43, 54, 55, 59, 60, 61, 64, 65, 66, 68, 69, 71, 72, 76, 78, 80, 83, 84, 86, 90, 91, 92, 97] (count=40)


Training Rounds:  10%|█         | 10/100 [02:44<24:41, 16.46s/it]

Round 10/100 - Test Acc: 0.6756 - Included: 61/100


Training Rounds:  20%|██        | 20/100 [05:28<21:53, 16.41s/it]

Round 20/100 - Test Acc: 0.8706 - Included: 62/100


Training Rounds:  30%|███       | 30/100 [08:12<19:06, 16.38s/it]

Round 30/100 - Test Acc: 0.9063 - Included: 61/100


Training Rounds:  40%|████      | 40/100 [10:57<16:25, 16.42s/it]

Round 40/100 - Test Acc: 0.9214 - Included: 63/100


Training Rounds:  50%|█████     | 50/100 [13:41<13:43, 16.48s/it]

Round 50/100 - Test Acc: 0.9316 - Included: 61/100


Training Rounds:  60%|██████    | 60/100 [16:25<10:57, 16.43s/it]

Round 60/100 - Test Acc: 0.9388 - Included: 61/100


Training Rounds:  70%|███████   | 70/100 [19:10<08:15, 16.52s/it]

Round 70/100 - Test Acc: 0.9458 - Included: 62/100


Training Rounds:  80%|████████  | 80/100 [21:54<05:28, 16.45s/it]

Round 80/100 - Test Acc: 0.9505 - Included: 61/100


Training Rounds:  90%|█████████ | 90/100 [24:39<02:44, 16.50s/it]

Round 90/100 - Test Acc: 0.9552 - Included: 62/100


Training Rounds: 100%|██████████| 100/100 [27:23<00:00, 16.43s/it]


Round 100/100 - Test Acc: 0.9591 - Included: 61/100
Final test accuracy: 0.9591
Model saved to: models/mnist_lie_mr0.4_rfa_final.pth
Malicious clients: [1, 5, 8, 9, 10, 11, 12, 15, 20, 22, 23, 25, 26, 32, 33, 34, 35, 36, 38, 41, 42, 43, 47, 49, 54, 55, 59, 60, 61, 64, 65, 66, 68, 69, 70, 71, 72, 75, 76, 78, 80, 81, 83, 84, 86, 90, 91, 92, 96, 97] (count=50)


Training Rounds:  10%|█         | 10/100 [02:50<25:35, 17.06s/it]

Round 10/100 - Test Acc: 0.6817 - Included: 68/100


Training Rounds:  20%|██        | 20/100 [05:40<22:42, 17.03s/it]

Round 20/100 - Test Acc: 0.8700 - Included: 98/100


Training Rounds:  30%|███       | 30/100 [08:31<19:56, 17.10s/it]

Round 30/100 - Test Acc: 0.9048 - Included: 96/100


Training Rounds:  40%|████      | 40/100 [11:22<17:06, 17.11s/it]

Round 40/100 - Test Acc: 0.9202 - Included: 92/100


Training Rounds:  50%|█████     | 50/100 [14:12<14:13, 17.07s/it]

Round 50/100 - Test Acc: 0.9312 - Included: 88/100


Training Rounds:  60%|██████    | 60/100 [17:02<11:21, 17.03s/it]

Round 60/100 - Test Acc: 0.9394 - Included: 91/100


Training Rounds:  70%|███████   | 70/100 [19:52<08:29, 16.99s/it]

Round 70/100 - Test Acc: 0.9457 - Included: 100/100


Training Rounds:  80%|████████  | 80/100 [22:40<05:38, 16.93s/it]

Round 80/100 - Test Acc: 0.9507 - Included: 84/100


Training Rounds:  90%|█████████ | 90/100 [25:30<02:49, 16.98s/it]

Round 90/100 - Test Acc: 0.9560 - Included: 90/100


Training Rounds: 100%|██████████| 100/100 [28:20<00:00, 17.00s/it]


Round 100/100 - Test Acc: 0.9597 - Included: 97/100
Final test accuracy: 0.9597
Model saved to: models/mnist_lie_mr0.5_rfa_final.pth
Malicious clients: [1, 3, 5, 8, 9, 10, 11, 12, 15, 20, 22, 23, 25, 26, 31, 32, 33, 34, 35, 36, 38, 40, 41, 42, 43, 46, 47, 48, 49, 50, 53, 54, 55, 57, 58, 59, 60, 61, 64, 65, 66, 68, 69, 70, 71, 72, 75, 76, 78, 80, 81, 82, 83, 84, 86, 90, 91, 92, 96, 97] (count=60)


Training Rounds:  10%|█         | 10/100 [02:55<26:19, 17.55s/it]

Round 10/100 - Test Acc: 0.6858 - Included: 100/100


Training Rounds:  20%|██        | 20/100 [05:50<23:25, 17.57s/it]

Round 20/100 - Test Acc: 0.8709 - Included: 100/100


Training Rounds:  30%|███       | 30/100 [08:45<20:23, 17.48s/it]

Round 30/100 - Test Acc: 0.9054 - Included: 100/100


Training Rounds:  40%|████      | 40/100 [11:41<17:36, 17.61s/it]

Round 40/100 - Test Acc: 0.9216 - Included: 100/100


Training Rounds:  50%|█████     | 50/100 [14:37<14:38, 17.58s/it]

Round 50/100 - Test Acc: 0.9311 - Included: 100/100


Training Rounds:  60%|██████    | 60/100 [17:32<11:43, 17.59s/it]

Round 60/100 - Test Acc: 0.9397 - Included: 100/100


Training Rounds:  70%|███████   | 70/100 [20:29<08:50, 17.67s/it]

Round 70/100 - Test Acc: 0.9460 - Included: 100/100


Training Rounds:  80%|████████  | 80/100 [23:25<05:53, 17.65s/it]

Round 80/100 - Test Acc: 0.9506 - Included: 100/100


Training Rounds:  90%|█████████ | 90/100 [26:21<02:55, 17.57s/it]

Round 90/100 - Test Acc: 0.9562 - Included: 100/100


Training Rounds: 100%|██████████| 100/100 [29:18<00:00, 17.58s/it]

Round 100/100 - Test Acc: 0.9599 - Included: 100/100
Final test accuracy: 0.9599
Model saved to: models/mnist_lie_mr0.6_rfa_final.pth



