# Enabling Trustworthy Federated Learning via Remote Attestation for Mitigating Byzantine Threats

**Authors:** Chaoyu Zhang, Heng Jin, Shanghao Shi, Hexuan Yu, Sydney Johns, Y. Thomas Hou, Wenjing Lou

arXiv: 2509.00634 · 2025-09-03

## TL;DR

This paper introduces Sentinel, a remote attestation-based system that enhances trust in federated learning by verifying the integrity of local training processes to mitigate Byzantine threats effectively.

## Contribution

Sentinel is the first system to apply remote attestation and code instrumentation for verifying training integrity in federated learning, reducing false positives and improving security.

## Key findings

- Ensures training process integrity with low overhead.
- Effectively detects malicious client behavior.
- Maintains high accuracy in Byzantine attack mitigation.

## Abstract

Federated Learning (FL) has gained significant attention for its privacy-preserving capabilities, enabling distributed devices to collaboratively train a global model without sharing raw data. However, its distributed nature forces the central server to blindly trust the local training process and aggregate uncertain model updates, making it susceptible to Byzantine attacks from malicious participants, especially in mission-critical scenarios. Detecting such attacks is challenging due to the diverse knowledge across clients, where variations in model updates may stem from benign factors, such as non-IID data, rather than adversarial behavior. Existing data-driven defenses struggle to distinguish malicious updates from natural variations, leading to high false positive rates and poor filtering performance.   To address this challenge, we propose Sentinel, a remote attestation (RA)-based scheme for FL systems that regains client-side transparency and mitigates Byzantine attacks from a system security perspective. Our system employs code instrumentation to track control-flow and monitor critical variables in the local training process. Additionally, we utilize a trusted training recorder within a Trusted Execution Environment (TEE) to generate an attestation report, which is cryptographically signed and securely transmitted to the server. Upon verification, the server ensures that legitimate client training processes remain free from program behavior violation or data manipulation, allowing only trusted model updates to be aggregated into the global model. Experimental results on IoT devices demonstrate that Sentinel ensures the trustworthiness of the local training integrity with low runtime and memory overhead.

## Full text

_Full body text omitted from this summary view._ Fetch the complete paper as Markdown: https://tomesphere.com/paper/2509.00634/full.md

## Figures

5 figures with captions in the complete paper: https://tomesphere.com/paper/2509.00634/full.md

## References

52 references — full list in the complete paper: https://tomesphere.com/paper/2509.00634/full.md

---
Source: https://tomesphere.com/paper/2509.00634