1: \begin{abstract}

2: Byzantine-robust Federated Learning (FL) aims to counter malicious clients and to train an accurate global model while maintaining an extremely low attack success rate.

3: Most of the existing systems, however, are only robust in honest/semi-honest majority settings.

4: FLTrust (NDSS '21) extends the context to the malicious majority for clients but with a strong restriction that the server should be provided with an auxiliary dataset before training in order to filter malicious inputs. 

5: Private FLAME/FLGUARD (USENIX '22) gives a solution to guarantee both robustness and updates confidentiality in the semi-honest majority context. 

6: It is so far impossible to balance the trade-off among malicious context, robustness, and updates confidentiality. 

7: To tackle this problem, we propose a novel Byzantine-robust and privacy-preserving FL system, called BRIEF, to capture malicious minority and majority for server and client sides. 

8: Specifically, based on the DBSCAN algorithm, we design a new method for clustering via pairwise adjusted cosine similarity to boost the accuracy of the clustering results.

9: To thwart attacks of malicious majority, we develop an algorithm called \textit{Model Segmentation}, where local updates in the same cluster are aggregated together, and the aggregations are sent back to corresponding clients correctly. 

10: We also leverage multiple cryptographic tools to conduct clustering tasks without sacrificing training correctness and updates confidentiality. 

11: We present detailed security proof and empirical evaluation along with convergence analysis for BRIEF.

12: The experimental results demonstrate that the testing accuracy of BRIEF is practically close to the FL baseline ($\approx$0.8\% gap on average). At the same time, the attack success rate is around 0\%-5\%.

13: We further optimize our design so that the communication overhead and runtime can be decreased by {67\%-89.17\% and  66.05\%-68.75\%}, respectively.

14: \end{abstract}

15: