Privacy-Preserving Byzantine-Tolerant Federated Learning Scheme in Vehicular Networks

Abstract

With the rapid development of vehicular network technology, data sharing and collaborative training among vehicles have become key to enhancing the efficiency of intelligent transportation systems. However, the heterogeneity of data and potential Byzantine attacks cause the model to update in different directions during the iterative process, causing the boundary between benign and malicious gradients to shift continuously. To address these issues, this paper proposes a privacy-preserving Byzantine-tolerant federated learning scheme. Specifically, we design a gradient detection method based on median absolute deviation (MAD), which calculates MAD in each round to set a gradient anomaly detection threshold, thereby achieving precise identification and dynamic filtering of malicious gradients. Additionally, to protect vehicle privacy, we obfuscate uploaded parameters to prevent leakage during transmission. Finally, during the aggregation phase, malicious gradients are eliminated, and only benign gradients are selected to participate in the global model update, which improves the model accuracy. Experimental results on three datasets demonstrate that the proposed scheme effectively mitigates the impact of non-independent and identically distributed (non-IID) heterogeneity and Byzantine behaviors while maintaining low computational cost.

1. Introduction

In recent years, the rapid development of vehicular networks has injected new vitality into intelligent transportation systems [1]. Leveraging efficient communication and collaborative training among vehicles, vehicular networks not only enable real-time environmental perception but also provide robust technical support for critical applications such as autonomous driving, intelligent route planning, and dynamic traffic flow optimization [2,3,4]. In the federated learning training process, clients (e.g., vehicles) perform local model training using their datasets and then upload the locally computed gradients to the server for global model updates. This process is conducted entirely independently by the clients without server involvement, ensuring that local data remain stored locally and avoiding the risk of data leakage [4,5]. Due to its distributed nature, federated learning has become an ideal choice for collaborative training among vehicles [6,7,8,9]. In the existing schemes, federated learning has been applied in many fields, such as the Internet of Vehicles [10], healthcare [11], and the Internet of Things [12]. Zhang et al. [13] combines homomorphic encryption and hash key exchange to design a collusion-resistant data aggregation scheme, but complex encryption may increase system burden. Scheme [14] targets unreliable users using threshold Paillier encryption, yet also introduces significant computational overhead. Therefore, a method with low computational cost that maintains model accuracy is needed to protect data privacy.

However, the non-independent and identically distributed (non-IID) nature of data in vehicular network environments, along with potential Byzantine attacks, poses severe challenges to traditional federated learning frameworks [15,16]. In complex vehicular network scenarios, data collected by different vehicles often exhibit significant non-IID characteristics, which severely impair the global model’s convergence and generalization capabilities [8,17]. More critically, in open vehicular network environments, malicious vehicles may launch Byzantine attacks by uploading carefully crafted fake gradients, to disrupt the model training process [18]. Both data heterogeneity and Byzantine attacks cause divergent model updates during iterations, causing the boundary between benign and malicious gradients to shift continuously [19]. These issues make it difficult for traditional detection mechanisms based on static thresholds or fixed rules to accurately identify malicious nodes, ultimately resulting in significant degradation of global model performance.

In order to deal with the above problems, many works related to resisting Byzantine attacks have been proposed. For example, scheme [20] proposes the auto-weighted geometric median (AutoGM) aggregation rule, which calculates the aggregated value through an alternating optimization strategy. However, when the Non-IID hyperparameter is set too small, it may misidentify normal nodes as outliers, leading to reduced model accuracy. Scheme [21] implements decentralized defense using blockchain and a committee mechanism but is constrained by the scale of the validation dataset and communication overhead. Scheme [19] introduces the SEAR framework, employing a sampling method to detect Byzantine faults. However, improper selection of parameter dimensions in the sampling detection may result in missed malicious gradients or the erroneous removal of legitimate updates. Therefore, effectively improving the detection accuracy of Byzantine nodes while reducing false positive and false negative rates remains a critical challenge in federated learning.

To address these challenges, this paper proposes a privacy-preserving Byzantine-tolerant federated learning scheme. By adaptively calculating MAD values to set detection thresholds, our proposted scheme effectively filters out malicious gradients. The main contributions of this paper are as follows:

• To address the continuous boundary shifting between benign and malicious gradients, we propose a gradient anomaly detection method based on MAD. This method calculates MAD in each round to set a gradient anomaly detection threshold, thereby achieving precise identification and dynamic filtering of malicious gradients. During the gradient aggregation and model update phase, the identified malicious gradients are excluded, and only benign gradients are selected to participate in the global model update, thereby mitigating the impact of Byzantine attacks.
• To ensure data security during transmission, we implement parameter obfuscation prior to uploading. This method effectively protects data privacy during gradient transmission without compromising model accuracy.
• We conduct simulation experiments on three different datasets. The results demonstrate that the MAD-based gradient detection method can effectively filter out malicious gradients. Compared to existing approaches, it introduces no additional communication overhead and exhibits lower computational costs.

The remaining part of the paper is organized as follows. In Section 2, we present the details of the proposed scheme, followed by the security and privacy analysis in Section 3. Section 4 conducts the experimental evaluation. Finally, we conclude this paper in Section 5.

2. The Proposed Scheme

Our proposed scheme primarily addresses Byzantine attacks in vehicular networks under non-IID scenarios while employing obfuscation factors to protect vehicle privacy. The system model involves three entities: trusted third party (TTP), traffic cloud server (TCS), and vehicles. In this model, TTP is responsible for generating obfuscation factors for vehicles, while TCS serves as the aggregator. In this section, we provide a detailed description of the proposed scheme, as shown in Figure 1. For convenience, we list the main notations for this paper in

Table 1. Description of notations.

Name	Expression
${\displaystyle g_i^k}$	Local gradient of $V_i$ in the k-th round
${\tilde{\mathbf{g}}}^k$	Guidance gradient
$D_i^k$	Gradient deviation of $V_i$ in the k-th round
$D_{MAD}^k$	Median absolute deviation
$f_i$	$V_i$’s label
$w_k$	Global model in the k-th round
${\tilde{\mathbf{g}}}_{global}^k$	Aggregated gradient

.

2.1. System Initialization

At the beginning of training, TTP performs initialization configuration for the entire system. Given security parameters $k_1$ and $k_2$, TTP first generates a set of obfuscation factors $(a_1,a_2,\dots ,a_i,\dots ,a_N)$, where each $a_i$ corresponds to a vehicle client $V_i$. Simultaneously, TTP generates large prime numbers ${\epsilon }_1$ and ${\epsilon }_2$ with security length $k_1$ and a large prime number p with security length $k_2$. Subsequently, TTP distributes these parameters to the vehicles and TCS before exiting the system.

Each vehicle $V_i$ receives a set of parameters $<a_i,{\epsilon }_1,p>$, where the obfuscation factor $a_i$ is unique to $V_i$, while ${\epsilon }_1$ and p are shared public parameters for all vehicles. TCS only receives parameter ${\epsilon }_2$. All parameters are transmitted through secure channels. Before each training round begins, TCS updates the global model $w^k$ and broadcasts it to all vehicles, where k denotes the current training round.

2.2. Gradient Deviations Calculation

In this phase, $V_i$ obtains the guidance gradient through secure aggregation by TCS and calculates the gradient deviation based on the guidance gradient.

• Calculating the Guidance Gradient: Vehicle $V_i$ trains its local model based on local data and obtains the local gradient $g_i^k$. Since directly uploading gradients may leak private information, we use obfuscation factors to perturb the gradient, as shown in Equation (1). We define the local gradients obfuscated by vehicles using obfuscation factors as obfuscated gradient.

  $${\tilde{g}}_i^k=({\epsilon }_1{g}_i^k+a_i)\mathrm{mod}p$$

  (1)
  Next, $V_i$ uploads the obfuscated gradient ${\tilde{g}}_i^k$ to TCS. TCS aggregates the obfuscated gradient uploaded by all vehicles to compute the global gradient direction reference value, which incorporates obfuscation factors. In this paper, we define this value as the guidance gradient ${\tilde{\mathbf{g}}}^k$. As shown in Equation (2), the guidance gradient ${\tilde{\mathbf{g}}}^k$ is calculated and then sent back to $V_i$. We define the aggregated gradient after removing obfuscation factors as the “plaintext” gradient. $V_i$ locally recovers the “plaintext” ${\overline{\mathbf{g}}}^k$ of the guidance gradient, as shown in Equation (3). To ensure Equation (3) holds, we provide constraint conditions for ${\epsilon }_1$. Due to the fact that gradient parameters are generally decimals, we appropriately amplify the gradient to mitigate the impact of confusion factors.

  $${\tilde{\mathbf{g}}}^k={\displaystyle \frac{1}{N}}\sum _{i\in N}{\tilde{g}}_i^k\mathrm{mod}p$$

  (2)

  $${\overline{\mathbf{g}}}^k={\displaystyle \frac{{10}^{\theta }{\tilde{\mathbf{g}}}^k-{10}^{\theta }{\tilde{\mathbf{g}}}^k\mathrm{mod}{\epsilon }_1}{{10}^{\theta }{\epsilon }_1}},{\epsilon }_1>{\sum }_{i=1}^N{a}_i$$

  (3)
• Uploading Gradient Deviation: After $V_i$ obtaining the “plaintext” guidance gradient ${\overline{\mathbf{g}}}^k$, $V_i$ calculates the gradient deviation $D_i^k$, as shown in Equation (4).

  $$D_i^k={\sum }_{j=1}^{len\left(g\right)}\left|g_{ij}^k-{\overline{\mathbf{g}}}_j^k\right|$$

  (4)

  where $len\left(g\right)$ represents the number of parameters in the gradient, where $g_{ij}^k\in g_i^k,{\overline{\mathbf{g}}}_j^k\in {\overline{\mathbf{g}}}^k$. $V_i$ then obfuscates the gradient deviation as in Equation (5) and sends the obfuscated gradient deviation ${\tilde{D}}_i^k$ to TCS.

$${\tilde{D}}_i^k=({\epsilon }_2{D}_i^k+a_i)\mathrm{mod}p$$

(5)

2.3. Identifying Byzantine Nodes

At this phase, we utilize MAD to set thresholds for filtering malicious gradients, enhancing the system’s resilience against Byzantine nodes, as it has been proven to be more robust than standard deviation [22], as shown in Algorithm 1.

• Calculating MAD: TCS receives the obfuscated gradient deviations uploaded by participating vehicles in this training round. Using parameter ${\epsilon }_2$, TCS recovers all gradient deviations, as shown in Equation (6). To ensure Equation (6) holds, we also provide constraints for ${\epsilon }_2$. To compute MAD, TCS first obtains the median $D_{med}^k$ of all vehicle gradient deviations, then calculates the absolute deviations between each vehicle’s gradient deviation and this median, and, finally, takes the median of these absolute deviations to obtain $D_{MAD}^k$, as shown in Equation (7).

  $$D_i^k={\displaystyle \frac{{10}^{\theta }{\tilde{D}}_i^k-{10}^{\theta }{\tilde{D}}_i^k\mathrm{mod}{\epsilon }_2}{{10}^{\theta }{\epsilon }_2}},{\epsilon }_2>{\sum }_{i=1}^N{a}_i$$

  (6)

  $$\left\{\begin{array}{c}{D}_{med}^k=median(D_i^k,\forall i\in N)\\ D_{MAD}^k=median(\left|D_i^k-D_{med}^k\right|,\forall i\in N)\end{array}\right.$$

  (7)
• Marking Nodes: To detect Byzantine nodes, we set upper and lower bounds for the gradient deviation threshold. The upper threshold is ${\delta }_1=D_{med}^k+c\times D_{MAD}^k$, and the lower threshold is ${\delta }_1=D_{med}^k-c\times D_{MAD}^k$. There is a fixed conversion relationship between MAD and standard deviation $\sigma$, where $\sigma \approx 1.4826\times MAD$. When $c=1$, the threshold covers approximately 85% of normally distributed data, helping to filter outliers and mitigate the impact of extreme values. Thus, we set $c=1$. A label is introduced to mark Byzantine nodes, as shown in Equation (8). Gradient deviation values outside the threshold range are considered outliers, and the corresponding node is labeled 0; otherwise, it is labeled 1. Nodes labeled 0 are identified as Byzantine nodes, and their uploaded gradients are treated as malicious gradients.

$$f_i=\left\{\begin{array}{c}1,{\delta }_1<D_i^k<{\delta }_2\\ 0,D_i^k<{\delta }_{1}or{D}_i^k>{\delta }_2\end{array}\right.$$

(8)

Algorithm 1 Identify Byzantine Nodes

Input: Gradient deviations ${\left\{D_i^k\right\}}_{i=1}^N$ Output: Byzantine nodes 1: Initialize $Num\leftarrow \varnothing$ 2: Compute $D_{\mathrm{med}}^k$ and $D_{\mathrm{MAD}}^k$ 3: ${\delta }_2\leftarrow D_{\mathrm{med}}^k+c\times D_{\mathrm{MAD}}^k$ 4: ${\delta }_1\leftarrow D_{\mathrm{med}}^k-c\times D_{\mathrm{MAD}}^k$ 5: for $i=1$ to N do 6:     if ${\delta }_1<D_i^k<{\delta }_2$ then 7:         $Num$.append(i) 8:     end if 9: end for 10: return $N\setminus Num$

2.4. Gradient Aggregation and Model Update

In Section 2.3, we mark benign nodes and Byzantine nodes separately, with the number of benign nodes being $Num={\sum }_{i=1}^N{f}_i$. Next, we filter out malicious gradients and retain only benign gradients for aggregation, as shown in Equation (9). The aggregated gradient ${\tilde{\mathbf{g}}}_{global}^k$ obtained in Equation (9) still contains obfuscation factors. Using the same method as in Section 2.2, we remove the obfuscation factors to obtain the “plaintext” gradient ${\overline{\mathbf{g}}}_{global}^k$, as shown in Equation (10). Finally, TCS updates the global model by executing Equation (11).

$${\tilde{\mathbf{g}}}_{global}^k={\displaystyle \frac{1}{Num}}\sum _{i\in Num}{\tilde{g}}_i^k\mathrm{mod}p$$

(9)

$${\overline{\mathbf{g}}}_{global}^k={\displaystyle \frac{{10}^{\theta }{\tilde{\mathbf{g}}}_{global}^k-{10}^{\theta }{\tilde{\mathbf{g}}}_{global}^k\mathrm{mod}{\epsilon }_1}{{10}^{\theta }{\epsilon }_1}}$$

(10)

$$w^{k+1}=w^k-\eta \times {\overline{\mathbf{g}}}_{global}^k$$

(11)

3. Security and Privacy Analysis

Theorem 1. 

Gradient information is secure, the original gradient information cannot be inferred.

Proof of Theorem 1 

$V_i$ protects its local gradient using obfuscation as Equation ${\tilde{g}}_i^k={\epsilon }_1{g}_i^k+a_i$. TCS receives all obfuscated gradients to compute the guidance gradient “ciphertext” ${\tilde{\mathbf{g}}}^k$. The guidance gradient “plaintext” is computed locally by the vehicle as follows:

$$\begin{array}{c}{\overline{\mathbf{g}}}^{\mathrm{k}}={\displaystyle \frac{10^{\theta }{\tilde{\mathbf{g}}}^k-10^{\theta }{\tilde{\mathbf{g}}}^{\mathrm{k}}\mathrm{mod}{\epsilon }_1}{10^{\theta }{\epsilon }_1}}={\displaystyle \frac{10^{\theta }\left(\frac{1}{\mathrm{N}}{\sum }_{\mathrm{i}\in \mathrm{N}}{\tilde{\mathrm{g}}}^{\mathrm{k}})-10^{\theta }\right(\frac{1}{\mathrm{N}}{\sum }_{\mathrm{i}\in \mathrm{N}}{\tilde{\mathrm{g}}}^{\mathrm{k}})\mathrm{mod}{\epsilon }_1}{10^{\theta }{\epsilon }_1}}\hfill \\ ={\displaystyle \frac{10^{\theta }\left(\frac{{\epsilon }_1}{\mathrm{N}}{\sum }_{\mathrm{i}\in \mathrm{N}}{\mathrm{g}}_{\mathrm{i}}^{\mathrm{k}}+\frac{1}{\mathrm{N}}{\sum }_{\mathrm{i}\in \mathrm{N}}{\mathrm{a}}_{\mathrm{i}})-10^{\theta }\right(\frac{{\epsilon }_1}{\mathrm{N}}{\sum }_{\mathrm{i}\in \mathrm{N}}{\mathrm{g}}_{\mathrm{i}}^{\mathrm{k}}+\frac{1}{\mathrm{N}}{\sum }_{\mathrm{i}\in \mathrm{N}}{\mathrm{a}}_{\mathrm{i}})\mathrm{mod}{\epsilon }_1}{10^{\theta }{\epsilon }_1}}\hfill \\ ={\displaystyle \frac{1}{\mathrm{N}}}{\sum }_{\mathrm{i}\in \mathrm{N}}{\mathrm{g}}_{\mathrm{i}}^{\mathrm{k}}\hfill \end{array}$$

(12)

$V_i$ then calculates the gradient deviation $D_i^k={\sum }_{j=1}^{len\left(g\right)}\left|g_{ij}^k-{\overline{\mathbf{g}}}_j^k\right|$ based on the guidance gradient “plaintext” and uploads the obfuscated gradient deviation to TCS. Under our security assumptions, adversary $\mathcal{A}$ may attack TCS to obtain collected parameters ${\tilde{g}}_i^k$, ${\tilde{\mathbf{g}}}^k$ and $D_i^k$, attempting to infer $V_i$’s private information. To recover $g_i^k$, adversary $\mathcal{A}$ must solve the following equation:

$$g_i^k\equiv ({\tilde{g}}_i^k-a_i)·{\epsilon }_1^{-1}\left(\mathrm{mod}p\right)$$

(13)

Since ${\epsilon }_1$ and p are public, adversary $\mathcal{A}$ can compute ${\epsilon }_1^{-1}$ independently. However, $a_i$ is a private random obfuscation factor distributed by TTP to vehicle $V_i$, which adversary $\mathcal{A}$ cannot obtain. Even if adversary $\mathcal{A}$ collects multiple obfuscated gradient ${\tilde{g}}_i^k$, each $g_i^k$ corresponds to a unique $a_i$, making it impossible to eliminate $a_i$ by solving simultaneous equations. Similarly, since the local gradient $g_i^k$ and guidance gradient “plaintext” $\overline{\mathbf{g}}$ remain unknown, even if adversary $\mathcal{A}$ obtains $V_i$’s gradient deviation $D_i^k$, the local gradient cannot be inferred. Thus, the proposed scheme effectively protects the security of $V_i$’s local gradient. □

Theorem 2. 

Parameters transmitted over communication channels are privacy-preserving.

Proof of Theorem 2 

Both the local gradient and gradient deviation from $V_i$ are obfuscated locally before being uploaded to TCS. Due to the randomness of the obfuscation factors, no external attacker or third party (including TCS) can accurately infer the original gradient information of $V_i$ from the obfuscated data. Furthermore, the obfuscation factor $a_i$ is generated and distributed exclusively by the trusted TTP and remains undisclosed, preventing adversary $\mathcal{A}$ from inferring the true transmitted data through statistical methods. Therefore, the transmitted parameters are protected and satisfy all privacy requirements. □

Theorem 3. 

The MAD-based threshold detection method can effectively identify Byzantine nodes.

Proof of Theorem 3 

By using MAD instead of the mean for detection and assuming benign nodes consistently form the majority (>50%), the median gradient deviation must originate from benign nodes. While benign nodes’ gradient deviations follow a normal distribution, Byzantine nodes’ deviations appear as outliers. Compared to the mean, the median remains unaffected by extreme values, making MAD more sensitive to outliers and consequently more effective at identifying Byzantine nodes. □

4. Experiments

In this section, we evaluate the performance of the proposed scheme through both theoretical analysis and experimental evaluation under a general FL setup [23]. In our experimental evaluation, the considered Byzantine attack type is Gaussian attack [24], where each element in the local gradients uploaded by Byzantine nodes follows a Gaussian distribution $\mathcal{N}\left(\mu ,{\sigma }^2\right)=\mathcal{N}(0,4)$.

4.1. Experimental Setup and Data Sets

Our experiments are conducted in a Python 3.10 on laptop equipped with 12th Gen Intel(R) Core(TM) i9-12900H. We employ a CNN model for federated learning training, consisting of two convolutional layers and two fully connected layers. The data partitioning follows a Non-IID approach based on the Dirichlet distribution [17], with the hyperparameter $\alpha$ set to 0.5 to control the degree of data heterogeneity. The setting of $\alpha =0.5$ generates a data distribution that is neither entirely random nor heavily skewed, effectively mimicking the moderately skewed distributions typically encountered in real-world vehicular networks. We take the MNIST dataset partitioning as an example, as shown in Figure 2. Additional hyperparameter settings are detailed in

Table 2. Experiments configuration.

Hyperparameters
Learning rate	0.001
Rounds	50
Epochs	1
$\alpha$	0.5
Batchsize	64 (MNIST, Fahion-MNIST)/32(CIFAR-10)

.

For dataset selection, we use three different real-world datasets: MNIST [25], Fashion-MNIST [25], and CIFAR-10 [25]. The MNIST dataset is a simple handwritten digit dataset containing 60,000 training images and 10,000 test images, each sized $28\times 28$ pixels in grayscale. The Fashion-MNIST dataset is an apparel classification dataset consisting of 60,000 training images and 10,000 test images, each being a $28\times 28$ grayscale image covering 10 categories of clothing items. The CIFAR-10 dataset includes 50,000 training images and 10,000 test images, divided into 10 distinct categories, with each image being a $3\times 32\times 32$ natural image. For comparison, we implement the FedAvg algorithm [26] and the Byzantine attack detection scheme DisBezant [27] as baseline methods.

4.2. Communication Overhead

Our proposed scheme’s communication overhead involves interactions between vehicles and the TCS. During each training round, $V_i$ uploads obfuscated gradient ${\tilde{g}}_i^k$ and gradient deviation ${\tilde{D}}_i^k$ to TCS, resulting in a communication overhead of $O\left(2len\right(g\left)\right)$. To eliminate the obfuscation factors from the aggregated gradient, $V_i$ also needs to send aggregated gradient to TCS, incurring an additional communication overhead of $O\left(len\right(g\left)\right)$. TCS receives all uploaded obfuscated gradients from vehicles and then computes and broadcasts the guidance gradient ${\tilde{\mathbf{g}}}^k$ to all vehicles, with a communication overhead of $O\left(Nlen\right(g\left)\right)$. TCS then aggregates benign gradients and updates the global model, resulting in a communication overhead of $O\left(Nlen\right(g\left)\right)$. Therefore, the total communication overhead per training round between vehicles and TCS is $O\left(\right(2N+3\left)len\right(g\left)\right)$.

In DisBezant [27], ships locally compute two obfuscated gradients and upload them to the server, resulting in a communication overhead of $O\left(2len\right(g\left)\right)$. Sending aggregated gradients to the server incurs an additional communication overhead of $O\left(len\right(g\left)\right)$. The server sends aggregated gradient and similarity verification requests based on the received obfuscated parameters from ships, with a communication overhead of $O\left(Nlen\right(g\left)\right)$, and then broadcasts the aggregated obfuscated gradients to all ships, resulting in a communication overhead of $O\left(Nlen\right(g\left)\right)$. Thus, the total communication overhead per training round between ships and the server is $O\left(\right(2N+3\left)len\right(g\left)\right)$. Although the proposed scheme and scheme DisBezant [27] have the same communication overhead, the proposed scheme demonstrates significant advantages in the subsequent computational cost analysis.

4.3. Computational Cost

In this section, we analyze the computational cost of the vehicles and TCS. On the vehicle side, to protect gradient privacy, $V_i$ first obfuscates gradient $g_i^k$ using obfuscation factors; to identify Byzantine nodes, $V_i$ also needs to calculate gradient deviation ${\tilde{D}}_i^k$. The computational cost for calculating local gradient and gradient deviation is $O\left(2len\right(g\left)\right)$. On TCS side, TCS first receives obfuscated gradients uploaded by all vehicles and then computes the guidance gradient ${\tilde{\mathbf{g}}}^k$, with a computational cost of $O\left(Nlen\right(g\left)\right)$. TCS also needs to calculate MAD for Byzantine node detection, incurring a computational cost of $O\left(NlogN\right)$. Finally, during the gradient aggregation and model update phase, TCS aggregates gradients to update the global model, resulting in a computational cost of $O\left(Nlen\right(g)+len(g\left)\right)$. Therefore, in the proposed scheme, the total computational cost per training round is $O\left(3len\right(g)+2Nlen(g)+NlogN)$.

In DisBezant [27], ships need to compute obfuscated gradient parameters and gradient similarity, resulting in a computational cost of $O\left(3len\right(g\left)\right)$. The computational cost for ships reaches $O\left(3len\right(g\left)\right)$. On the server side, the computational cost for calculating the aggregated gradient is $O\left(Nlen\right(g\left)\right)$; the computational cost for verifying gradient similarity and updating the contribution value for each ship is $O\left(3Nlen\right(g)+len(g\left)\right)$; and finally, aggregating ship gradients incurs a computational cost of $O\left(Nlen\right(g\left)\right)$. Thus, in DisBezant [27], the total computational cost per training round is $O\left(4len\right(g)+5Nlen(g\left)\right)$.

Figure 3 compares the training time between our proposed scheme and DisBezant [27] across client and server components. Scheme DisBezant [27] incurs significant CPU overhead due to its sequential gradient obfuscation and similarity computation loops on vessel nodes, while server operations benefit from GPU-accelerated tensor processing that reduces latency. In our proposted scheme, TCS handles computationally intensive tasks including gradient aggregation, guidance gradient computation, and MAD analysis operations that inherently require more processing time due to their large-scale tensor computations. However, vehicle nodes only perform gradient obfuscation, contributing to our scheme’s overall runtime efficiency advantage. As shown in Figure 4, when scaling from 20 to 90 participating vehicles, the per-vehicle computation time stabilizes while TCS processing time increases linearly. This scalability pattern occurs because TCS must expend additional computation for MAD-based malicious gradient filtering as more vehicles submit their gradients.

4.4. Accuracy

Under the client setting of 20 nodes, we evaluate the accuracy across three datasets with 30% malicious nodes participating in training. Figure 5 shows the accuracy comparison after 50 iterations between the FedAvg algorithm, scheme DisBezant [27], and our proposed scheme on MNIST, Fashion-MNIST, and CIFAR-10. From Figure 5a, it can be seen that the initial accuracy of the proposed scheme is close to that of scheme DisBezant [27], with both being lower than the accuracy of the FedAvg algorithm without attacks. However, around the 20th iteration, the accuracy of our proposed scheme gradually converges with no-attack FedAvg and surpasses the accuracy of scheme DisBezant [27]. Figure 5b shows that in the first 30 iterations, the proposed scheme has the lowest accuracy, but after 30 iterations, its accuracy gradually exceeds the other three baselines. Figure 5c demonstrates that while FedAvg suffers significant fluctuations due to data heterogeneity, both our scheme and scheme DisBezant [27] maintain stable accuracy improvements. From Figure 5, it can be seen that the FedAvg algorithm lacks resistance to Byzantine attacks and cannot meet the model accuracy requirements.

As shown in Figure 6, we plotted the relationship between model training convergence and the number of iterations. From Figure 6a, it can be seen that three curves on the MNIST dataset are nearly overlapping. From Figure 6b,c, it can be observed that on the Fashion-MNIST and CIFAR-10 datasets, both our proposed scheme and scheme DisBezant [27] converge more slowly than the traditional FedAvg algorithm. This is because the FedAvg algorithm does not account for malicious nodes, whereas our proposed scheme and the scheme DisBezant [27] need to identify Byzantine nodes. Additionally, the process of filtering malicious gradients or adjusting node trustworthiness removes some nodes’ gradient updates, which affects the convergence of model training to some extent.

Finally, we conducted experiments with malicious node ratios ranging from 0% to 30%. As shown in Figure 7a–c, as the proportion of malicious nodes increases, the final model accuracy decreases slightly, but the global model accuracy is not significantly affected. This result verifies the resilience of our proposed scheme against malicious nodes, as it maintains stable model performance under varying numbers of malicious nodes.

5. Conclusions

In federated learning systems, data heterogeneity and potential Byzantine attacks continuously blur the boundary between benign and malicious gradients. To address security and privacy concerns in vehicular networks, this paper proposes a privacy-preserving Byzantine-tolerant federated learning scheme that utilizes gradient deviation to distinguish between benign and malicious gradients. Specifically, we replace standard deviation with MAD to dynamically set gradient detection thresholds, enabling efficient filtering of malicious gradients without introducing additional computational cost. Furthermore, we employ obfuscation factors to protect gradient privacy. Experimental results demonstrate that the proposed scheme maintains model accuracy and training convergence while achieving low computational cost and communication overhead.

However, the proposed scheme still has some limitations. First, the proposed scheme heavily relies on TTP for system initialization and obfuscation factors distribution. In practical deployment, this centralized design may introduce single-point-of-failure risks, and the assumption of a fully trusted TTP may be unrealistic in open environments. Second, as the number of participating vehicles increases, the computational complexity of TCS increases significantly, posing challenges for real-time processing in resource-constrained edge computing scenarios, especially for large-scale deployments. Finally, while obfuscation factors are employed to protect gradient privacy, this approach depends on specific constraint conditions that may not hold consistently in dynamic networks.

In the future, we will focus on addressing these limitations by designing decentralized trust mechanisms to eliminate reliance on a single trusted third party. Concurrently, we will develop lightweight dynamic Byzantine detection algorithms to improve system scalability for large-scale networks with dynamic node participation.