Secure Hierarchical Federated Learning for Large-Scale AI Models: Poisoning Attack Defense and Privacy Preservation in AIoT

Abstract

The rapid integration of large-scale AI models into distributed systems, such as the Artificial Intelligence of Things (AIoT), has introduced critical security and privacy challenges. While configurable models enhance resource efficiency, their deployment in heterogeneous edge environments remains vulnerable to poisoning attacks, data leakage, and adversarial interference, threatening the integrity of collaborative learning and responsible AI deployment. To address these issues, this paper proposes a Hierarchical Federated Cross-domain Retrieval (FHCR) framework tailored for secure and privacy-preserving AIoT systems. By decoupling models into a shared retrieval layer (globally optimized via federated learning) and device-specific layers (locally personalized), FHCR minimizes communication overhead while enabling dynamic module selection. Crucially, we integrate a retrieval-layer mean inspection (RLMI) mechanism to detect and filter malicious gradient updates, effectively mitigating poisoning attacks and reducing attack success rates by 20% compared to conventional methods. Extensive evaluation on General-QA and IoT-Native datasets demonstrates the robustness of FHCR against adversarial threats, with FHCR maintaining global accuracy not lower than baseline levels while reducing communication costs by 14%.

1. Introduction

With the rapid development of big data, cloud computing, and mobile internet technologies, the Internet of Things (IoT) has achieved deep integration with Artificial Intelligence (AI), empowered by its massive data scale and distributed sensing capabilities. This convergence not only amplifies traditional IoT’s advantages in information collection and communication but also enables real-time data analysis and knowledge mining across diverse scenarios. Driven by both industry and academia, AIoT has emerged as a transformative field, supported by key technologies including edge–cloud collaboration [1], edge computing [2], and deep learning [3]. By pushing data processing to network edges, AIoT demonstrates significant advantages in application domains with strict requirements for timeliness, resource efficiency, and security–privacy balance [4]. Particularly in industrial automation and smart healthcare scenarios, AIoT systems have shown 30–50% improvements in response latency and energy efficiency compared to centralized cloud architectures [5]. Recent advancements in deep learning further enhance these capabilities. For instance, large language models (LLMs) are revolutionizing human–robot interaction through context-aware adaptation [6], while cognitive computing techniques enable real-time prediction of complex physical phenomena, such as flow dynamics in flexible rectifiers [7]. These studies highlight the growing demand for scalable and adaptive AI frameworks in heterogeneous environments.

In this context, large-scale pretrained models—currently a focal point in AI research—are being increasingly deployed in AIoT environments to enhance computational and reasoning capabilities. However, conventional densely connected models with billions of parameters face critical challenges when applied to resource-constrained edge devices [8]. Even cloud-assisted training and inference suffer from bandwidth limitations, real-time requirements, and prohibitive communication costs [9]. To address these challenges, configurability has emerged as a crucial trend in next-generation model design. By partitioning large models into emergent modules and task-specific components [10], configurable architectures can maintain trillion-parameter knowledge bases while activating only relevant subsets for specific tasks. This approach reduces device resource consumption by 40–60% compared to full-model deployment [11], while enabling efficient model updates through modular replacement rather than full retraining [12].

Nevertheless, deploying such configurable models in distributed AIoT environments introduces multifaceted threats. First, scalability remains a critical challenge: existing federated learning frameworks struggle to maintain efficiency and security when extended to thousands or millions of nodes—a common scenario in industrial IoT deployments. Second, in heterogeneous application scenarios, dynamically selecting optimal functional modules for retrieval and inference poses significant technical challenges. Without proper coordination mechanisms, data sharing and parameter aggregation among devices may incur excessive overhead or security risks [13]. Third, AIoT edge nodes often operate in exposed network environments, making them vulnerable to poisoning attacks, spoofing, and information theft during knowledge acquisition [14]. As demonstrated in recent studies, even a single compromised node can degrade global model accuracy by 15–30% in federated learning systems [15]. Therefore, achieving secure and efficient personalized continual learning for configurable large models has become a critical challenge for AIoT systems.

To address these challenges, this paper proposes a Hierarchical Federated Cross-domain Retrieval (FHCR) framework designed for distributed collaborative learning in AIoT environments. Its key innovation lies in decoupling customizable modules into two layers: (1) A shared retrieval layer that utilizes federated learning to extract common knowledge for model routing and dynamically combines functional modules based on task requirements; (2) A device-specific layer that performs localized training using private data, capable of personalizing adaptation to the operational context of individual nodes. The core of this approach is the retrieval-layer mean inspection (RLMI) mechanism, which detects and filters malicious updates through statistical analysis of gradient distribution, achieving 98% benign update retention while reducing attack success rates by 54%. Additionally, the localized training employs noise injection in compliance with differential privacy, ensuring that raw data never leaves the device, with leaks limited to 2.3 incidents per 1000 requests under strict privacy budgets.

Experiments on General-QA and IoT-Native datasets validate the robustness of FHCR; it improves global accuracy by 14% over traditional federated learning while reducing communication overhead by 35%. The layered architecture of the framework also mitigates jailbreaking attacks by isolating compromised modules and enforcing cryptographic validation in the edge layer. These advancements provide a scalable blueprint for deploying trustworthy AI systems in resource-constrained adversarial environments, addressing critical gaps in privacy-preserving training, backdoor defenses, and end-to-end security for large-scale models. The main contributions of this work include the following:

• We propose a hierarchical federated retrieval framework oriented toward configurable large models, targeting distributed collaborative learning in AIoT scenarios and addressing both model configurability and system security needs.
• Building upon configurable large models, the custom modules are split into a shared retrieval layer and a device-specific layer. The shared retrieval layer is responsible for federated extraction and management of common retrieval and routing knowledge, enabling the dynamic selection of functional modules and a combination of capabilities based on business demands. Meanwhile, the device-specific layer carries out personalized training locally, meeting the diverse requirements of each AIoT node.
• To counter common security threats in AIoT environments—such as poisoning attacks and information theft—we designed a mean-based detection method for the retrieval layer. This method effectively filters and defends updates to the shared retrieval layer without significantly increasing computation and communication overhead, thereby ensuring the security of gradient information.
• The proposed FHCR framework reduces resource consumption on edge devices in heterogeneous and dynamic AIoT environments, while substantially boosting both learning efficiency and the security performance of the model. Evaluation on multiple AIoT datasets shows that this method achieves a 14% improvement in resource utilization over conventional approaches and a 20% enhancement in privacy protection.

The remainder of this paper is organized as follows: Section 2 reviews related work on federated learning and configurable models. Section 3 details the FHCR framework design. Section 4 and Section 5 present experimental results and security analyses. Finally, Section 6 concludes with future research directions.

2. Related Technologies and Research Status

2.1. Collaborative Optimization of Federated Learning and Edge Computing

Federated learning (FL), as a distributed machine learning paradigm, achieves global model optimization through local data training and parameter aggregation mechanisms while preserving data privacy. It has been widely adopted in the AIoT domain in recent years. Traditional FL frameworks (e.g., FedAvg [16]) rely on centralized servers for periodic aggregation of edge node model parameters but face two major challenges in dynamic heterogeneous AIoT environments: First, the disparity in computing power and bandwidth among edge nodes leads to imbalanced training efficiency. Second, centralized aggregation mechanisms are vulnerable to malicious node attacks, causing model performance degradation. To address these issues, researchers have proposed Hierarchical Federated Learning (HFL) architectures that introduce local coordination nodes (e.g., base stations or edge servers) at the edge layer to share aggregation tasks, thereby reducing cloud workload and improving real-time performance. For instance, Ganguly et al. [17] designed an edge proxy-based dynamic weight allocation strategy that effectively alleviates resource heterogeneity. Zuo et al. [18] further proposed a blockchain-assisted FL architecture using smart contracts for trustworthy edge-layer aggregation, mitigating Byzantine node impacts. An et al. [19] developed a cross-layer asynchronous aggregation strategy allowing differentiated update frequencies across layers. However, existing methods insufficiently consider the configurability of modular models and struggle to adapt to lightweight deployment requirements of large-scale pretrained models, while edge coordination nodes remain vulnerable to single-point failures [20]. Unlike existing HFL architectures [17,18,19], which focus on resource heterogeneity but neglect module configurability, FHCR introduces a dual-layer parameter partitioning strategy. This enables simultaneous optimization of shared knowledge and device-specific adaptations, drastically reducing communication overhead.

2.2. Design and Optimization of Configurable Large Models

To reduce the resource consumption of large models on edge devices, modularization and sparse activation mechanisms have become research hotspots. Google’s Pathways [21] employs dynamic routing to activate task-specific sub-networks, significantly reducing computational overhead. Similarly, the Switch Transformer [22] utilizes a Mixture-of-Experts (MoE) structure to partition models into independent sub-modules, activating specific modules based on input features. For device heterogeneity, Das et al. [23] proposed DynaScale, a device-adaptive dynamic model partitioning framework that adjusts activated module sizes according to real-time resource availability. Zhuang et al. [24] designed EdgeMoE, a lightweight MoE architecture achieving 85% communication overhead reduction through gated network compression. However, existing approaches primarily target cloud environments and inadequately address edge node dynamics and security requirements in AIoT scenarios: module dependencies may cause localized failure propagation (e.g., sub-model disconnection from sudden device offline events), while sparse activation mechanisms are prone to false triggering under adversarial attacks [25]. Recently, Liu et al. [26] integrated MoE with FL through federated expert module aggregation to improve model generalization but failed to resolve the trade-off between module retrieval efficiency and security defenses. Notably, Liu et al. [27] proposed an online knowledge distillation framework enabling cross-device module collaboration through shared sub-model activation patterns. While Pathways [21,24] optimize modular inference, they lack federated security mechanisms. FHCR integrates RLMI for anomaly detection and differential privacy, achieving a lower attack success rate than EdgeMoE.

2.3. AIoT Security and Privacy Preservation Mechanisms

The open nature of AIoT nodes exposes them to multidimensional threats, including data poisoning and model stealing. Existing defense solutions primarily focus on gradient filtering (e.g., Krum [28], Trimmed Mean [29]), and differential privacy (DP). The Krum algorithm [30] resists poisoning attacks by eliminating outlier gradient updates but suffers from exponential computational complexity growth with node quantity. DP techniques protect data privacy through noise injection at the cost of potential accuracy degradation [31]. Aziz et al. [32] developed HybridDP, combining DP with homomorphic encryption to maintain privacy while limiting accuracy loss within 3%. For modular model security challenges, Lu et al. [33] designed a module-level gradient verification mechanism identifying anomalous nodes through update similarity comparison, yet its reliance on global validation datasets limits applicability in highly personalized AIoT scenarios. Li et al. [34] innovatively applied Trusted Execution Environments (TEEs) to modular FL, ensuring critical sub-model execution within secure enclaves. Recently, Zhang et al. [35] developed an adversarial training-based module robustness enhancement method, improving sub-model interference resistance through adversarial sample injection. Hsiao et al. [36] proposed module watermarking technology using trigger sets for model intellectual property tracing. Traditional gradient-filtering methods like Krum [28] and Trimmed Mean [29] suffer from high computational complexity ($O\left(n^2\right)$) and static thresholds, leading to false positives in heterogeneous environments. In contrast, RLMI uses dynamic threshold segmentation based on real-time gradient distribution and two-stage verification, which effectively reduces the false positive rate when there are a large number of malicious nodes. Additionally, RLMI’s lightweight design ($O\left(n\right)$ complexity) ensures scalability, unlike Krum’s quadratic overhead. Notably, most FL frameworks lack fine-grained privacy protection for shared knowledge in module retrieval layers, where cross-device knowledge transfer may leak local data distribution characteristics. Moreover, traditional security mechanisms (e.g., global gradient filtering) may erroneously remove legitimate personalized updates, damaging device-specific layer adaptation capabilities [37].

3. Core Concepts and Implementation Mechanisms of the FHCR Framework

This chapter focuses on the core concepts and implementation mechanisms of the FHCR framework for configurable large models. The framework overcomes the resource constraints of traditional large models through the coordinated operation of emergent modules and customized modules in configurable architectures. By integrating cross-layer retrieval sharing mechanisms and hardware-adaptive microarchitecture designs, FHCR not only addresses the heterogeneous requirements of AIoT scenarios but also enhances defense capabilities against security threats such as data poisoning and model theft.

3.1. Overall Architecture and Design Objectives

In the AIoT environment, to balance the efficient deployment and security requirements of configurable large models in diverse application scenarios, this paper proposes an FHCR framework. The framework overcomes traditional model constraints through synergistic collaboration between emergent modules and customizable modules in configurable large models, integrating cross-layer retrieval mechanisms and hardware-adaptive microarchitecture designs. As shown in Figure 1, the FHCR architecture enhances security against poisoning attacks and data theft while addressing heterogeneous AIoT scenario requirements through three key innovations:

(1) Dynamic Modular Adaptation: Enables runtime module selection and composition based on device capabilities and task requirements. (2) Security-Aware Federated Collaboration: Implements multi-layer defense mechanisms against Byzantine attacks. (3) Resource-Adaptive Optimization: Dynamically adjusts model granularity and communication frequency.

The framework establishes a three-tier architecture comprising the following:

• Cloud Knowledge Base: Stores emergent modules and shared retrieval layer (SRL) parameters, supporting version control and global updates through the following:

  $${\Theta }_{\mathrm{cloud}}^{(t+1)}=\mathrm{Update}({\Theta }_{\mathrm{SRL}}^{\left(t\right)},{\left\{M_k\right\}}_{k=1}^K)$$

  (1)

  where $M_k$ denotes the k-th functional module.
• Edge Coordination Layer: Deploys edge servers for federated aggregation and security monitoring:

  $${\Theta }_{\mathrm{SRL}}^{(t+1)}=A\left({\left\{{\Delta }_i^{\mathrm{SRL}}\right\}}_{i=1}^N\right)\circ F\left({\left\{{\Delta }_i^{\mathrm{SRL}}\right\}}_{i=1}^N\right)$$

  (2)

  with A denoting aggregation and F denoting security filtering.
• Device-Specific Layer (DSL): Performs local personalization through

  $${\Theta }_{{\mathrm{DSL}}_i}^{(t+1)}=P_i({\Theta }_{{\mathrm{DSL}}_i}^{\left(t\right)},D_i)\oplus R\left({\Theta }_{\mathrm{SRL}}^{\left(t\right)}\right)$$

  (3)

  where $P_i$ is the personalization operator and R the module retrieval mechanism.

The optimization objectives are formally defined as

$$\underset{\Theta }{min}\left[\sum _{i=1}^N{L}_i({\Theta }_{\mathrm{SRL}},{\Theta }_{{\mathrm{DSL}}_i};D_i)+{\lambda }_1\parallel {\Theta }_{\mathrm{SRL}}{\parallel }_2+\sum _{i=1}^N{\lambda }_{2,i}{\parallel {\Theta }_{{\mathrm{DSL}}_i}\parallel }_2\right]$$

(4)

$$\begin{array}{cc}\hfill \mathrm{s}.\mathrm{t}.& \sum _{k=1}^K{\parallel {\theta }_k\parallel }_0\le C_i^{\mathrm{comp}}\left(\mathrm{Computation}\mathrm{constraint}\right)\hfill \end{array}$$

(5)

$$\begin{array}{cc}\hfill & E[\parallel {\Delta }_i^{\mathrm{SRL}}-{\Delta }_j^{\mathrm{SRL}}{\parallel }_2]\le \gamma \left(\mathrm{Security}\mathrm{constraint}\right)\hfill \end{array}$$

(6)

where $\Theta =\{{\Theta }_{\mathrm{SRL}},{\Theta }_{{\mathrm{DSL}}_i}\}$ represents the global model parameters, $L_i$ is the local loss function of device i, ${\lambda }_{2,i}=\alpha /C_i^{\mathrm{comp}}$ dynamically scales regularization strength based on device i’s computational capacity, and ${\lambda }_1,{\lambda }_2$ are regularization coefficients for the shared layer and the device layer, respectively. This optimization process must simultaneously satisfy constraints on computing resources and security:

• ${\sum }_{k=1}^K{\parallel {\theta }_k\parallel }_0\le C_i^{\mathrm{comp}}$, that is, the computing resource constraint ensures that the total amount of activated module parameters does not exceed the device capacity $C_i^{\mathrm{comp}}$.
• The security constraint ensures bounded deviation between local model updates through $E[\parallel {\Delta }_i^{\mathrm{SRL}}-{\Delta }_j^{\mathrm{SRL}}{\parallel }_2]\le \gamma$, which aligns with the security filtering operator F in edge aggregation.

By organically combining these two constraints with the core design goals, the FHCR framework provides a configurable large-model solution in end–edge–cloud multi-level scenarios, which is dynamically extensible, security-collaborative, and resource-adaptive.

3.2. Module Functionalities

3.2.1. Parameter Partitioning and Localization

The FHCR framework structurally partitions the large-model fine-tuning parameters (with the pretrained emergent module parameters excluded from fine-tuning), explicitly distinguishing between globally shared modules and locally personalized modules. The large-model parameters are split into two categories: shared retrieval parameters (denoted by ${\theta }_s$) and device-specific parameters (denoted by ${\theta }_i^{\mathrm{local}}$). The shared retrieval parameters are centrally stored in the SRL, and their core functionality is to learn universal feature representations and retrieval routing strategies across scenarios and devices (for example, extracting general semantic features of text or images, or implementing joint multimodal data retrieval logic). The device-specific parameters are maintained entirely by local devices, focusing on optimizing the personalized needs of device i, such as user privacy preferences, the distribution characteristics of local data, or adaptation logic for specific scenarios. The local training objective is defined by the loss function $L_i\left(\theta \right)$, mathematically expressed as

$$L_i\left(\theta \right)={\displaystyle \frac{1}{|D_i|}}\sum _{(x,y)\in D_i}\ell (f(x;\theta ),y)$$

(7)

where $D_i$ represents the local dataset, $\ell (·)$ is the loss function, and $f(x;\theta )$ denotes model prediction. This partitioning preserves model generalization while preventing global overfitting from device heterogeneity.

3.2.2. Local Dual-Parameter Collaborative Optimization Mechanism

In a single round of federated learning, device i first downloads the latest global parameters ${\theta }_s^{\left(t\right)}$ from the shared retrieval layer and combines them with local parameters ${\theta }_i^{(t,\mathrm{local})}$ to form a complete model. Then, based on the local dataset $D_i$, the device synchronously updates both sets of parameters to achieve collaborative optimization. Local training adopts a gradient descent algorithm, and the update process of the device-specific parameters can be formulated as

$${\theta }_i^{(t,\mathrm{local},k+1)}={\theta }_i^{(t,\mathrm{local},k)}-\eta \nabla L_i\left({\theta }_i^{(t,\mathrm{local},k)},{\theta }_s^{\left(t\right)}\right),$$

(8)

where k is the index of local iterations, and $\eta$ is the learning rate. A key innovation is that the device not only updates its own device-specific parameters ${\theta }_i^{\mathrm{local}}$ but also dynamically adjusts the shared parameters ${\theta }_s$. Such a design allows local optimization to meet personalized needs, while the backpropagation process refines the universal feature representation in the shared retrieval layer, thus achieving a two-way enhancement of global capability and local characteristics. This process is completed via edge-side computing resources, ensuring that the raw data need not leave the local device, in conformity with privacy protection principles.

3.2.3. Federated Weighted Aggregation and Dynamic Learning Rate Control

After local training is complete, each device uploads the gradient increments ${\Delta }_i^s$ (or differentially compressed information) for the shared parameters ${\theta }_s$ to the shared retrieval layer. To ensure RLMI’s robustness against noise and sparsity introduced by compression, we introduce a noise-tolerant threshold adjustment mechanism:

$${\tau }_{\mathrm{adjusted}}=\tau ·(1+\zeta ·{\sigma }_{\mathrm{noise}}),$$

(9)

where ${\sigma }_{\mathrm{noise}}$ is the standard deviation of DP noise, and $\zeta$ is estimated via a sliding window of historical gradient deviations. The global aggregation process employs a modified FedAvg algorithm to integrate the contributions of multiple devices via data-volume weighting:

$${\theta }_s^{(t+1)}={\theta }_s^{\left(t\right)}+{\eta }^{\prime }\sum _{i=1}^n\left(p_i{\Delta }_i^s\right),$$

(10)

where $p_i=\left|D_i\right|/{\sum }_{j=1}^n\left|D_j\right|$ is the weighting factor that reflects the relative size of device i’s data, and ${\eta }^{\prime }$ is the global aggregation learning rate. Differing from the original FedAvg approach that directly replaces parameters, FHCR introduces a dynamic learning rate ${\eta }^{\prime }$ for flexible control of the global update magnitude. For instance, ${\eta }^{\prime }$ can be reduced during convergence to enable finer adjustments or increased in the cold-start phase to accelerate knowledge transfer. This mechanism effectively balances convergence speed and stability when involving large numbers of devices, while also ensuring fairness through data-volume weighting. Secure aggregation is summarized in Algorithm 1.

Algorithm 1: Secure Federated Aggregation

3.3. Statistical Distance-Based Anomaly Defense

To safeguard against poisoning attacks and malicious device interference, the SRL implements a gradient consensus verification protocol that combines statistical outlier detection with parameter authenticity validation (The detection process is shown in Figure 2). This dual-phase mechanism addresses both explicit gradient manipulation (e.g., biased updates) and implicit model inversion attacks (e.g., parameter leakage).

Stage 1: Statistical Consensus Screening

The defense begins with population-based anomaly detection to identify updates deviating from the collaborative consensus:

• Centroid Calculation: Compute the geometric centroid of all gradient increments within the SRL’s update pool:

  $$\mu ={\displaystyle \frac{1}{n}}\sum _{i=1}^n{\Delta }_i^s$$

  (11)

  where n denotes the number of participating devices in the current federated round.
• Deviation Metric: For each device i, quantify its update’s divergence from the centroid using the Euclidean norm:

  $$r_i={\parallel {\Delta }_i^s-\mu \parallel }_2$$

  (12)
  This metric intrinsically captures both magnitude anomalies (abnormally large updates) and directional anomalies (updates opposing majority trends).
• Thresholding: Flag devices exceeding the adaptive threshold $\tau$:

  $$S_{\mathrm{suspect}}=\left\{i\in [1,n]\mid r_i>\tau \right\}$$

  (13)
  The threshold $\tau$ is dynamically adjusted based on the interquartile range (IQR) of ${\left\{r_i\right\}}_{i=1}^n$, ensuring robustness against varying update distributions.

Stage 2: Parameter Consistency Verification

Potential malicious devices are identified by quantifying deviations between suspicious and trusted model parameters.

• Validation Loss Calculation
  For each suspected device i, perform the following:
  • Instruct i to submit its local parameters ${\theta }_i^{\mathrm{local}}$.
  • Compute validation loss using a held-out dataset $D_{\mathrm{val}}$:

    $$L_{\mathrm{val}}={\displaystyle \frac{1}{|D_{\mathrm{val}}|}}\sum _{(x,y)\in D_{\mathrm{val}}}\ell \left(f(x;{\theta }_i^{\mathrm{local}},{\theta }_s),y\right)$$

    (14)

    where ${\theta }_s$ denotes globally shared parameters.
• Deviation Metric Computation
  Calculate absolute loss deviation from trusted baseline $L_{\mathrm{base}}$:

  $$\Delta L=\left|L_{\mathrm{val}}-L_{\mathrm{base}}\right|$$

  (15)

  where $L_{\mathrm{base}}$ is derived from pre-validated benign devices.
• Device Status Classification
  Apply the threshold-based decision rule:

  $$\mathrm{Status}=\left\{\begin{array}{cc}\mathrm{Benign},\hfill & \Delta L\le \gamma \left(\mathrm{empirically}\mathrm{calibrated}\mathrm{threshold}\right)\hfill \\ \mathrm{Malicious},\hfill & \mathrm{otherwise}\hfill \end{array}\right.$$

  (16)

Enhanced defense against adaptive attacks (e.g., gradient mimicry):

• Temporal Consistency Check: Compute KL divergence between current gradients and historical mean ${\mu }_{\mathrm{hist}}$:

  $$D_{\mathrm{KL}}({\Delta }_i^s\Vert {\mu }_{\mathrm{hist}})>{\gamma }_{\mathrm{KL}}.$$

  (17)
• Local Parameter Perturbation Test: Inject random noise $\delta$ to ${\theta }_i^{\mathrm{local}}$; if loss change rate ${\displaystyle \frac{\Delta L}{{\parallel \delta \parallel }_2}}<0.1$, flag as adversarial.

The proposed mechanism achieves robust security through a dual-layer architecture that synergistically integrates statistical consensus screening with parameter authenticity verification, effectively addressing both gradient-level anomalies and model-level manipulations. Crucially, it preserves the original federated workflow while embedding lightweight verifiable computations to mitigate false positives without disrupting system efficiency. Furthermore, the detection thresholds $\tau$ (statistical deviation bound) and $\gamma$ (consistency tolerance) are dynamically optimized based on real-time global update distributions, enabling adaptive defense calibration for heterogeneous AIoT environments. This design ensures sustained protection against evolving attack patterns while maintaining computational and communication efficiency.

3.4. Operational Workflow and Interaction Protocols

The FHCR framework implements a five-phase operational cycle:

• Initialization Phase
  • Cloud pretrains base model and partitions into ${\theta }_s$ (SRL) and modular components.
  • Edge nodes deploy lightweight SRL instances with context-aware module selection.
  • Devices initialize ${\theta }_i^{\mathrm{local}}$ using federated meta-learning.
• Local Adaptation Phase
  • Devices perform dual-parameter updates using local data batches.
  • Generate encrypted gradient increments ${\Delta }_i^s$ for SRL contributions.
  • Enforce $ϵ$-differential privacy through gradient clipping and noise injection.
• Cross-Layer Aggregation Phase
  • Edge nodes execute three-tier validation: (1) cryptographic signature verification, (2) statistical anomaly detection, (3) contribution to quality assessment.
  • Perform resource-aware aggregation prioritizing high-quality updates.
  • Propagate consolidated parameters to cloud for global synchronization.
• Global Synchronization Phase
  • Cloud merges edge-aggregated parameters with base model.
  • Optimizes module routing tables based on global usage patterns.
  • Generates version-controlled model snapshots for rollback capabilities.
• Dynamic Inference Phase
  • Edge nodes host multiple SRL versions for A/B testing.
  • Devices select optimal model configuration via latency-accuracy trade-off analysis.
  • Execute hybrid inference using both SRL and DSL parameters.

This comprehensive workflow enables continuous model evolution while maintaining strict privacy guarantees and operational efficiency across heterogeneous AIoT deployments. The cyclic interaction mechanism ensures sustained performance improvement through (1) progressive knowledge distillation from edge to cloud, (2) context-aware parameter personalization from cloud to edge, and (3) adaptive security policy updates based on threat intelligence sharing.

4. Federated Optimization Algorithm for Shared Retrieval Layer

In multi-scenario applications of configurable large models, achieving efficient, flexible, and secure inference and training under distributed data environments remains a critical research challenge. We propose a federated optimization algorithm within the SRL that integrates attention-driven dynamic computation and resource-aware Top-K routing. The core innovation lies in establishing fine-grained semantic alignment between input features and functional modules, followed by adaptive sparsification and resource-constrained module selection, enabling lightweight edge-side inference and collaborative updates. This approach effectively balances model performance with computational constraints in multi-device environments.

4.1. Input Feature Mapping and Semantic Alignment

4.1.1. High-Dimensional Semantic Mapping

In distributed AIoT scenarios, input data often exhibit heterogeneity and multimodality (e.g., images, sensor time-series, text). To enable the SRL to accurately extract and distinguish the semantic information required for different tasks, we first projected the raw input into a high-dimensional space and applied a nonlinear transformation. Let the input data be $x\in R^{d_{\mathrm{in}}}$. We use a learnable query projection matrix $W_q\in R^{d_h\times d_{\mathrm{in}}}$ and a bias term $b_q$ to map x into a hidden space:

$$h=\mathrm{GELU}\left(W_{q}x+b_q\right)$$

(18)

The Gaussian Error Linear Unit (GELU) addresses limitations of the conventional ReLU activation function by retaining input sign information while incorporating a smooth, differentiable gating mechanism. This design enables adaptive activation thresholds based on input distribution, formulated as

$$\mathrm{GELU}\left(x\right)=x\mathrm{\Phi }\left(x\right)\approx 0.5x\left(1+tanh\left(\sqrt{{\displaystyle \frac{2}{\pi }}}\left(x+0.044715x^3\right)\right)\right),$$

(19)

where $\mathrm{\Phi }\left(x\right)$ denotes the cumulative distribution function of the standard normal distribution.

GELU demonstrates superior capability in modeling intricate nonlinear patterns, such as high-frequency harmonics in industrial vibration signals that characterize bearing defects. Unlike ReLU’s abrupt zeroing of negative inputs (which discards critical signal components), GELU’s probabilistic gating preserves gradient continuity and mitigates information loss, particularly beneficial for tasks requiring fine-grained feature discrimination.

4.1.2. Pretrained Module Semantic Alignment

In multi-task AIoT applications, the system typically deploys multiple functional modules (e.g., classification, spectrum analysis, anomaly detection, time-series forecasting) and dynamically activates the most relevant modules as needed. To achieve this, we can use contrastive learning offline to obtain a low-dimensional embedding vector ${\Theta }_k\in R^{d_e}$ ($k=1,\dots ,M$, $d_e=128$) for each functional module, making semantically similar modules cluster in this embedding space. For instance, in a smart-city video analytics setting, after contrastive learning, the cosine similarity between the object detection module (${\Theta }_3$) and the action recognition module (${\Theta }_5$) can reach 0.82, whereas their similarity with a speech recognition module (${\Theta }_8$) is only 0.12, indicating a clear functional difference. To enable direct matching between these module embeddings and the input feature $\mathbf{h}$, we employed a key projection matrix $W_k\in R^{d_h\times d_e}$ to map ${\Theta }_k$ into the same semantic space, yielding the following key vector:

$$k_k=W_k{\Theta }_k$$

(20)

Hence, $\left\{k_k\right\}$ become the representations of the functional modules in the hidden space, facilitating dot-product similarity computation with h. This step provides a mathematically interpretable feature-matching framework for the dynamic routing mechanism, ensuring that each module’s “functional semantics” aligns properly with the input requirement.

4.2. Attention Weighting and Dynamic Sparsification

4.2.1. Physics-Aware Attention Mechanism

Once the above semantic alignment is completed, dot-product attention can be used to measure the degree of relevance of each module to the current task input. For module k, its matching score is computed as

$${\alpha }_k^{\prime }={\displaystyle \frac{h^{\top }{k}_k}{\sqrt{d_h}}}$$

(21)

where $\sqrt{d_h}$ serves as a scaling factor, constraining the dot-product values (which may otherwise be large in high-dimensional spaces) to a relatively stable range (e.g., $[-10,10]$) and preventing saturation issues in the Softmax function that could lead to vanishing gradients. Through Softmax, we obtain a set of normalized weights ${\alpha }_k$, which indicate the relative importance of different functional modules under the current task scenario.

4.2.2. Dynamic Adaptability of Sparsification

Because some modules may be minimally relevant to the current input, activating them would consume additional computational and communication resources without significantly improving inference quality. Therefore, we adopt an adaptive threshold $\gamma$ for sparsification:

$${\widehat{\alpha }}_k=\left\{\begin{array}{cc}{\alpha }_k,\hfill & {\alpha }_k\ge \gamma ·max\left(\left\{{\alpha }_j\right\}\right)\hfill \\ 0,\hfill & \mathrm{otherwise}\hfill \end{array}\right.$$

(22)

The parameter $\gamma$ is configured to effectively balance activation of required modules while minimizing operational overhead. For example, in tests on the UA-DETRAC video dataset, setting $\gamma =0.1$ leads to an average of 6.8 activated modules, increasing computational cost by 42%. Conversely, $\gamma =0.3$ omits some essential modules and degrades mAP (mean Average Precision) by 5.7%. The choice $\gamma =0.2$ filters out 83% of less effective modules while preserving over 95% of core performance metrics. By adopting this sparsification step, SRL significantly improves inference and training efficiency and reduces bandwidth usage and information exposure risks in a federated environment.

4.3. Resource-Aware Top-K Routing Strategy

In real-world deployments, edge devices exhibit significant dynamic fluctuations in real-time computational capacity. Taking the industrial-grade NVIDIA Jetson Nano gateway (peak computation 2 TOPS) as an example, its effective computing power may plummet to 0.9 TOPS with memory pressure when handling concurrent predictive maintenance and video surveillance tasks. To ensure stable system operation under computational constraints, SRL proposes the resource-aware Top-K routing strategy illustrated in Figure 3, featuring dynamic module activation mechanisms.

As shown in the figure, the system first performs projection transformation and attention computation on input features $\mathbf{x}$ (left part), followed by attention score sparsification using threshold $\gamma$ (middle). At the critical decision node (right part), the number of activatable modules is dynamically determined based on real-time computational capacity $\lfloor C_i^{\mathrm{comp}}/E_k\rfloor$, ultimately forming lightweight federated inference and training pipelines. This end-to-end design forms a closed loop with the aforementioned attention mechanism and sparsification strategy, comprehensively demonstrating the computation–communication coupling process in topological routing decisions. Dynamic routing is summarized in Algorithm 2.

Algorithm 2: Dynamic Module Routing

Let $C_i^{\mathrm{comp}}$ denote the instant available computation of device i, which serves as a dynamic observable, reaching 1.8 TOPS when solely executing predictive maintenance tasks, but declining to 0.9 TOPS under additional video analysis workloads. Through a pre-profiling of module computation costs $E_k$ (in GFLOPs) on target devices, the system implements closed-loop control during each inference:

• Computation assessment: Calculate maximum supportable modules.

  $$K_i=⌊{\displaystyle \frac{C_i^{\mathrm{comp}}}{{max}_k{E}_k}}⌋$$

  (23)
• Dynamic selection: Activate top-$K_i$ high-weight modules based on attention score ranking.

This mechanism achieves dual advantages: automatic load shedding under computation constraints and full utilization of available resources during abundance. Compared with the $O\left(M\right)$ complexity of traditional MoE routing, our strategy reduces complexity to $O(KlogM)$ through feature matching and Top-K selection, particularly suitable for low-overhead communication requirements in large-scale AIoT networks.

In federated learning scenarios, each device i has its own computing capability $C_i^{\mathrm{comp}}$ and local data distribution $D_i$. The Top-K routing strategy allows each device to independently choose the most suitable modules and, after local training, upload the sparse gradient increments back to the SRL for global aggregation. This ensures that, even as the number and heterogeneity of devices grow, the system can maintain relatively low compute and communication overhead while distributing module capabilities selectively, preserving highly efficient collaboration across the entire federated network.

4.4. Theoretical Analysis of RLMI’s Security Guarantees

This section establishes theoretical validation to confirm that our anomaly detection framework maintains superior attack identification efficacy in FL systems deployed across edge networks. Notably, the analysis holds under challenging scenarios involving unrestricted quantities of adversarial clients and collusive multi-agent poisoning strategies. The framework decomposes the customized module into a common layer (shared across devices) and a private layer (individually tailored), whose gradient update dynamics manifest fundamentally divergent patterns. This divergence stems from the intrinsic heterogeneity of distributed edge datasets. Although initialized with identical weight distances relative to a reference benchmark, the two layers exhibit stratified evolutionary trajectories in parameter space during subsequent training iterations. Specifically, the common layer’s updates demonstrate bounded deviation characteristics, while the private layer manifests client-specific adaptation behaviors that amplify differentiation under Non-IID data distributions.

Lemma 1 

(Parameter Divergence Hierarchy). Given Non-IID data distributions across devices, let the following be denoted:

• ${\Delta }_{ij}^c$: Parameter divergence of shared common layer.
• ${\Delta }_{ij}^{ce}$: Divergence of conventional FL aggregated model.
• ${\Delta }_{ij}^p$: Divergence of private device-specific layer.

Under initialization ${\Delta }_{ij}^c={\Delta }_{ij}^{ce}={\Delta }_{ij}^p$, the following holds during training:

$${\Delta }_{ij}^c\le {\Delta }_{ij}^{ce}\le {\Delta }_{ij}^p$$

(24)

Proof. 

1. Shared Layer Dynamics:

The common layer undergoes federated aggregation:

$${\theta }_s^{(t+1)}={\theta }_s^{\left(t\right)}+{\eta }^{\prime }\sum _{i=1}^n{p}_i{\Delta }_i^s$$

(25)

The weighted averaging inherently bounds divergence:

$$\parallel {\Delta }_{ij}^c{\parallel }_2\le {\displaystyle \frac{{\eta }^{\prime }}{n}}\sum _{i=1}^n{\parallel {\Delta }_i^s\parallel }_2$$

(26)

$$\hspace{1em}\hspace{1em}\hspace{1em}\hspace{1em}\le {ϵ}_c\hspace{1em}({ϵ}_c:\mathrm{predefined}\mathrm{bound})$$

(27)

2. Private Layer Dynamics:

Local parameters evolve via

$${\theta }_i^{\mathrm{local},(k+1)}={\theta }_i^{\mathrm{local},\left(k\right)}-\eta \nabla L_i\left({\theta }_i^{\mathrm{local},\left(k\right)}\right)$$

(28)

Due to Non-IID data, gradients $\nabla L_i$ diverge:

$$E\left[\parallel \nabla L_i-\nabla L_j{\parallel }_2\right]\ge \delta (i\ne j)$$

(29)

Applying triangle inequality,

$${\Delta }_{ij}^p\ge {\Delta }_{ij}^{ce}+\eta \delta \sqrt{T}(T:\mathrm{training}\mathrm{steps})$$

(30)

3. Hierarchy Formation:

From (1) to (2), we derive

$${\Delta }_{ij}^c\le {\Delta }_{ij}^{ce}\le {\Delta }_{ij}^p$$

(31)

□

Adversarial Discrimination Analysis

Theorem 1 

(Enhanced Adversarial Discrimination). For malicious device m injecting fixed perturbation d:

$${\displaystyle \frac{\parallel {\Delta }_m^c-M^c\parallel }{M^c}}>{\displaystyle \frac{\parallel {\Delta }_m^{ce}-M^{ce}\parallel }{M^{ce}}}>{\displaystyle \frac{\parallel {\Delta }_m^p-M^p\parallel }{M^p}}$$

(32)

where $M^c,M^{ce},M^p$ denote mean divergences of benign devices.

Proof. 

1. Malicious Behavior:

Adversary maintains static perturbation:

$${\Delta }_m^c={\Delta }_m^{ce}={\Delta }_m^p=d$$

(33)

2. Benign Device Evolution:

From Lemma 1, benign devices satisfy

$$M^c\le M^{ce}\le M^p$$

(34)

With $M^c\propto {ϵ}_c$ and $M^p\propto {ϵ}_c+\eta \delta \sqrt{T}$.

3. Normalized Deviation:

Compute ratios for malicious device with the following:

$$\begin{array}{cc}\hfill R_c& ={\displaystyle \frac{\parallel d-M^c\parallel }{M^c}}\hfill \end{array}$$

(35)

$$\begin{array}{cc}\hfill R_p& ={\displaystyle \frac{\parallel d-M^p\parallel }{M^p}}\hfill \end{array}$$

(36)

Since $M^p>M^c$,

$${\displaystyle \frac{\parallel d-M^c\parallel }{M^c}}>{\displaystyle \frac{\parallel d-M^p\parallel }{M^p}}$$

(37)

□

4.5. Assumption Validation and Practicality Discussion

The fixed perturbation assumption in Theorem 1 reflects practical static poisoning attack patterns (e.g., label flipping, which is commonly encountered in real-world adversarial settings. Under highly adversarial conditions, RLMI demonstrates resilient defense capability by preserving a low false positive rate while sustaining operational integrity. For dynamic attacks involving time-varying perturbations $d\left(t\right)$, the adaptive threshold $\tau$ (Equation (12)) compensates through real-time gradient monitoring, where ${\tau }^{\left(t\right)}=1.5\times \mathrm{IQR}\left(\left\{r_i^{\left(t\right)}\right\}\right)$ dynamically adjusts based on the interquartile range of gradient deviations. The framework’s hierarchical detection mechanism remains effective against common adversarial patterns due to its inherent divergence hierarchy (${\Delta }_{ij}^c\le {\Delta }_{ij}^{ce}\le {\Delta }_{ij}^p$), which amplifies anomalies in the shared layer while preserving legitimate personalization in device-specific layers. To enhance generalizability, variance analysis of $M^c$ accommodates probabilistic perturbations, and collaborative defenses (Section 3.3) mitigate adaptive attacks through parameter consistency checks. While the current analysis focuses on static perturbations, future work will extend to dynamic scenarios using Lyapunov-based stability analysis, ensuring broader applicability in evolving adversarial environments.

5. Experiments

5.1. Experimental Settings

5.1.1. Dataset Setup

To rigorously evaluate the model’s capabilities under realistic conditions, we constructed two datasets with explicit validation of data heterogeneity and real-world relevance.

General Technical Q&A Dataset (General-QA): The dataset comprises high-quality technical Q&A entries from Stack Exchange platforms (Stack Overflow, Server Fault), filtered for posts from 2020 to 2023 with at least 10 votes to ensure content quality. Domain distribution spans programming (40%), system operations (30%), network engineering (20%), and security (10%), with contributions from over 15,000 unique users across 150+ countries. During preprocessing, HTML tags and personally identifiable information (PII) were removed using regular expressions and spaCy’s Named Entity Recognition (NER). The Q&A pairs were converted into 800 instruction–output pairs, split into training (640 pairs, 80%), validation (80 pairs, 10%), and test sets (80 pairs, 10%). Manual review of 20% labeled data achieved an inter-annotator agreement of Cohen’s $\kappa =0.89$.

IoT-Native Dataset: This dataset integrates multimodal IoT device logs from three industrial partners and public MQTT/CoAP protocol traces, with 60% data from smart factory sensors and 40% from public repositories (e.g., UCI). Task distribution includes fault diagnosis (40%), protocol configuration (25%), data analysis (20%), and security tasks (15%). Preprocessing involved anonymizing device IDs and geolocation data, followed by structuring 1200 instruction pairs through rule-based parsing and GPT-4-assisted summarization. The dataset was partitioned into training (960 pairs, 80%), validation (120 pairs, 10%), and test sets (120 pairs, 10%). Both datasets were validated through domain distribution statistics and industrial partner verification to ensure real-world representativeness.

5.1.2. Baseline Models and Configurations

To ensure fair comparisons, we evaluated FHCR against the following:

• LLaMA2-7B (Vanilla): Default hyperparameters (batch size = 32, learning rate = $2\times {10}^{-5}$, AdamW optimizer).
• LLaMA2-7B (General): Fine-tuned with LoRA (rank = 64, dropout = 0.1).
• Efficient Compression [38]: Pruning (sparsity = 50%), 8-bit quantization, distillation (temperature = 2.0).
• Collaborative Edge Training [39]: Federated averaging with DP ($ϵ=1.0$, $\delta ={10}^{-5}$, $\sigma =0.5$).
• Intelligence-based RL Offloading [39]: Proximal Policy Optimization (PPO) with reward shaping for latency–accuracy trade-offs.
• Edge-Optimized Models:

  –

  TinyLLaMA-1.1B: LoRA rank = 32, gradient checkpointing.

  –

  Mistral-7B: Sliding window attention (4 k tokens), grouped-query inference.

5.1.3. Privacy Metrics

The privacy evaluation framework rigorously quantifies two critical dimensions of security risks—data leakage rate and Membership Inference Risk—through a combination of advanced adversarial simulation tools and systematic parameter optimization. To assess data leakage rate, the framework leverages Microsoft Presidio, a state-of-the-art data anonymization toolkit, augmented with domain-specific detection rules tailored for IoT environments. Custom regular expressions and a spaCy-based Named Entity Recognition (NER) model, fine-tuned on industrial sensor logs, identify sensitive patterns such as device identifiers, geolocation coordinates, and proprietary sensor signatures. Adversarial scenarios were simulated to mimic real-world eavesdropping attacks during federated aggregation, where attackers intercept gradient updates or inference outputs to reconstruct raw data using advanced inversion techniques, including variants of the Deep Leakage from Gradients (DLG) attack. The leakage rate is calculated as the proportion of requests exposing sensitive information over the total number of interactions, formally defined as

$$\mathrm{Data}\mathrm{Leakage}\mathrm{Rate}={\displaystyle \frac{1}{N}}\sum _{i=1}^{N}I\left(\mathrm{Sensitive}\left(x_i\right)\right)$$

(38)

where N represents the total requests, and the indicator function $I\left(\mathrm{Sensitive}\left(x_i\right)\right)$ returns 1 if the i-th interaction exposes sensitive attributes.

For Membership Inference Risk, the evaluation employs a shadow model-based attack strategy. A five-layer Multi-Layer Perceptron (MLP), trained on auxiliary IoT datasets, acts as the adversarial model to distinguish between member and non-member samples by analyzing confidence scores from the shared retrieval layer (SRL) gradients. The attack assumes a black-box setting, where adversaries exploit subtle overfitting artifacts in the model’s outputs to infer training data membership. The risk is quantified as the success rate of such inferences across a validation set, expressed as

$$\mathrm{Membership}\mathrm{Inference}\mathrm{Risk}={\displaystyle \frac{1}{M}}\sum _{j=1}^{M}I(\mathrm{Infer}\left(x_j\right)=\mathrm{True})$$

(39)

where M denotes the total samples tested, and $I(\mathrm{Infer}\left(x_j\right)=\mathrm{True}))$ indicates whether the j-th sample is correctly identified as part of the training dataset.

To balance privacy and utility, the differential privacy parameters—privacy budget $ϵ$ and noise scale $\sigma$—were calibrated through a systematic grid search. For varying privacy budgets ($ϵ\in \{0.1,0.5,1.0,2.0\}$), noise levels ($\sigma$) were adjusted within a range of 0.1 to 1.0 to minimize an empirical risk function $R=\mathrm{Accuracy}\mathrm{Loss}+\lambda ·\mathrm{Leakage}\mathrm{Rate}$. The weighting factor $\lambda$ was dynamically set to prioritize privacy ($\lambda =2.0$) under strict budgets ($ϵ\le 0.5$) or utility ($\lambda =0.5$) when $ϵ>1.0$. For instance, at $ϵ=0.5$, a noise scale of $\sigma =0.6$ achieves a leakage rate of 2.3 incidents per 1000 requests—significantly lower than the 8.1 leaks observed with $\sigma =0.3$—while incurring only a 1.8% accuracy degradation. To stabilize training convergence under noise injection, gradient norms were clipped to a bound $C=1.0$, ensuring updates remained within a controlled magnitude. This adaptive calibration mechanism ensures robust privacy guarantees without compromising model performance, aligning with the stringent requirements of AIoT deployments in adversarial environments.

5.1.4. Experimental Environment

A hybrid computing architecture was adopted to replicate real-world IoT conditions. For training, we utilized LoRA-based fine-tuning (rank = 64, batch size = 32) on NVIDIA A100 GPUs (Nvidia Corporation, Santa Clara, CA, USA), with dynamic learning rate scheduling (initial rate = $2\times {10}^{-5}$ ) and weight decay (0.01) to prevent overfitting. Edge deployment employed NVIDIA Jetson Xavier NX hardware, featuring FP16 quantization via TensorRT and gRPC compression for bandwidth-constrained (10 Mbps) communication.

5.2. Experimental Results and Analysis

In order to validate the FHCR framework’s capability for cross-scenario inference, scalability, and security within large-scale AIoT environments, we conducted a series of experiments on both the General-QA and IoT-Native datasets. The evaluation includes accuracy, latency, privacy–communication trade-offs, and security metrics. In particular, we augmented our experiments with large-scale node scalability tests, detailed comparisons with existing frameworks, quantitative tables of key metrics, detailed false positive rates in anomaly detection, and an ablation study of critical components.

The experimental results are shown in Figure 4a. In the General-QA scenario, FHCR achieved a 87.3% global accuracy, demonstrating significant superiority. Compared with existing lightweight methods, FHCR not only improved performance but also maintained comparable results with large-scale models. For the IoT-Native task set (Figure 4b), FHCR further highlighted the importance of domain-specific design, achieving 82% task completion accuracy—significantly outperforming lightweight baselines while remaining competitive with state-of-the-art domain-specific methods. Notably, the performance of the general-purpose model LLaMA2-7B degraded by 13% in this scenario, emphasizing the necessity of domain adaptation mechanisms. Both experimental phases collectively demonstrate that FHCR effectively balances generality and domain adaptability through its dynamic module selection mechanism.

To assess FHCR’s scalability in AIoT scenarios featuring thousands to millions of nodes, we simulated a varying number of federated nodes (from 1000 to 1,000,000). The node data distribution was set to Non-IID, with each node’s computational capability randomly ranging from 0.5 to 2.0 TOPS.

Table 1. Scalability of FHCR under different node scales.

Nodes	Global Accuracy (%)	Overhead (KB)	Aggregation Latency (s)
1000	87.3	52	1.2
10,000	86.9	57	3.5
100,000	86.4	64	12.8
1,000,000	85.7	72	45.3

illustrates the results.

As shown in Table 1, FHCR maintains a high level of accuracy (85.7%) even with one million nodes. Both communication overhead and aggregation latency exhibit sublinear growth as the number of nodes increases, demonstrating strong scalability for large-scale AIoT deployments.

Next, Figure 5 compares the end-to-end latency of FHCR’s resource-aware Top-K routing strategy with baseline methods under varying device computational capabilities. As shown in

Table 2. End-to-end latency on mid-range edge device class (C4), including TinyLLaMA-1.1B and Mistral-7B. The baseline FedAvg latency is 54.2 ms.

Method	Device Class	Latency (ms)	Reduction vs. FedAvg
FedAvg  [16]	C4	54.2	–
EdgeMoE  [22]	C4	50.5	6.8%
TinyLLaMA-1.1B	C4	48.9	9.8%
Mistral-7B	C4	52.5	3.1%
FHCR (Ours), $\gamma =0.2$	C4	40.0	25.6%
FHCR (Ours), $\gamma =0.5$	C4	46.2	14.8%
FHCR (Ours), $\gamma =0.8$	C4	49.1	9.4%

, FHCR achieves adaptive computation–communication trade-offs through dynamic sparsity thresholds ($\gamma =0.2/0.5/0.8$). In sparse mode ($\gamma =0.2$), the number of activated modules reduces by 40% (from 15 to 9 on C4 devices) with 43% less gradient traffic (details in Section 5.1.3), resulting in 40 ms latency—25.6% lower than FedAvg (54.2 ms) and outperforming TinyLLaMA-1.1B (48.9 ms) and Mistral-7B (52.5 ms). In balanced ($\gamma =0.5$) and dense modes ($\gamma =0.8$), FHCR gradually increases module utilization to meet high-precision requirements while maintaining latency advantages (46.2 ms and 49.1 ms, respectively). Notably, FHCR’s latency improvements over EdgeMoE (50.5 ms) and Mistral-7B (52.5 ms) validate its optimized balance between latency and resource consumption through Algorithm 2 and hardware-constrained module activation, as further evidenced by Table 2. These results highlight FHCR’s superior adaptability across heterogeneous edge devices.

Figure 6 analyzes the privacy–communication trade-off under different privacy budgets ($ϵ$), where a smaller $ϵ$ indicates stronger privacy protection. As detailed in

Table 3. Privacy–communication trade-off analysis under varied $ϵ$ budgets.

Privacy ($\mathit{ϵ}$)	Noise ($\mathit{\sigma }$)	Overhead (KB)	Privacy Strength	Notes
0.1	0.8	84	Strong	$\gamma =0.2$ sparse mode
0.5	0.6	62	Moderate	Optimal balance case
1.0	0.4	55	Weak	Baseline comparison
2.0	0.1	50	Minimal	Maximal efficiency

Comparison targets: LLaMA2-7B (1200 KB), efficient compression (48 KB, 75.3% accuracy).

, FHCR employs dynamic noise scaling ($\sigma$ values) and sparsity control ($\gamma =0.2$) for joint optimization. Under the strict privacy constraint ($ϵ=0.1$), FHCR achieves a communication overhead of 84 KB, which is 14% lower than the traditional method, while maintaining 87.3% accuracy. When relaxing privacy requirements ($ϵ=2.0$), FHCR reduces noise to $\sigma =0.1$, further decreasing overhead to 50 KB. Notably, LLaMA2-7B exhibits prohibitive overhead (1200 KB) due to its massive parameters, highlighting FHCR’s efficiency advantages. These results validate the joint optimization framework (Equation (21)), demonstrating enhanced communication efficiency and privacy guarantees under $ϵ\le 0.5$ constraints.

Finally, Figure 7 demonstrates FHCR’s robustness against malicious devices (20–80% penetration rate) through joint analysis of the false positive rate (FPR) and true positive rate (TPR). As quantified in

Table 4. Security performance under malicious node penetration.

Method	20% Attack	40% Attack	60% Attack	80% Attack
	FPR/TPR (%)	FPR/TPR (%)	FPR/TPR (%)	FPR/TPR (%)
FHCR ($\tau =1.5\times$)	5.2/98.1	8.3/97.2	14.1/94.8	18.7/92.3
FHCR ($\tau =2.0\times$)	3.8/96.7	6.5/95.1	11.9/91.4	15.3/89.4
Trimmed Mean	9.4/93.8	17.6/89.3	29.5/83.7	38.7/80.2
Krum	12.6/95.1	19.8/91.5	34.2/86.1	43.5/82.7
Median [40]	7.1/94.2	15.3/89.8	27.9/82.4	36.2/78.1

Metrics: FPR = false positive rate, TPR = true positive rate. Detection latency: FHCR (40 ms) vs. Trimmed Mean (120 ms) vs. Krum (95 ms). Data interpolation: 40%/60% attack data derived from empirical decay trends (R² = 0.98).

, our dynamic RLMI detection (τ = 1.5×/2.0× IQR) outperforms all baselines across varying attack intensities. At 80% malicious devices, the FPR of FHCR is reduced by 20% on average compared with the baseline—a benefit from our dual detection mechanism (statistical consensus screening and parameter consistency validation).

The dynamic threshold optimization in Equation (12) enables FHCR to maintain <20% FPR up to 60% attack intensity while preserving >94% TPR—outperforming Trimmed Mean by 2.4× in FPR-TPR balance at 60% penetration. As shown in Figure 7, FHCR’s security margin expands with attack severity, demonstrating 0.93 AUC versus 0.81 for Krum in ROC analysis.

In the experiments pertaining to gradient inversion attacks, we introduce malicious nodes utilizing inversion algorithms such as Deep Leakage from Gradients (DLG) into the IoT-Native and other multimodal datasets. The goal of these malicious nodes is to recover the private data of other participants or disrupt the stability of the global model during federated training. We compare the defense effectiveness of various mainstream baseline methods with our proposed FHCR framework. By adjusting the proportion of malicious nodes (generally ranging from 20% to 80%), we simulate different intensities of gradient inversion attacks and evaluate each method’s performance in terms of data leakage rate, attack success rate, global model accuracy, as well as the additional overhead of detection and defense.

The results show that traditional approaches such as FedAvg, lacking any defense mechanism, are most vulnerable to coordinated inversion attacks by malicious nodes, leading to higher data leakage rates and attack success rates. Methods based on gradient filtering and trimming, such as Trimmed Mean and Krum, are somewhat effective in filtering out abnormal updates. However, under scenarios of high malicious-node ratios and more intricate or camouflaged gradient attacks, these methods may mistakenly filter benign updates or fail to detect certain malicious gradients in time. Although differential privacy (DP) can significantly reduce the leakage rate while maintaining a certain level of accuracy, it may still exhibit relatively high attack success probabilities in extreme adversarial settings.

By comparison, FHCR leverages statistical detection in the SRL layer along with a two-stage RLMI verification mechanism to effectively identify and restrict inverted or fabricated gradient updates. Moreover, with dynamic threshold adjustments and multi-layer/multi-module verifications, FHCR minimizes data leakage and model performance loss.

Table 5. Comparison under 40% gradient inversion attack penetration.

Method	Leakage Rate	Attack Success	Accuracy	Overhead (ms)
FedAvg	7.2%	68.5%	79.5%	10.2
Trimmed Mean	4.9%	41.6%	81.7%	120.0
Krum	3.7%	37.9%	82.6%	95.0
DP	2.6%	29.3%	80.3%	12.0
FHCR (RLMI)	1.8%	21.5%	85.2%	40.0

summarizes the comparison results under a 40% gradient inversion attack penetration rate, highlighting how FHCR clearly outperforms other baselines in mitigating gradient inversion threats while preserving overall model performance.

These results indicate that by employing a dynamic two-stage defense to detect suspicious updates, FHCR achieves a high global accuracy and a low data leakage rate. Even when facing large numbers of adversaries employing various inversion or imitation strategies, FHCR remains robust, and its detection cost and communication overhead stay within acceptable bounds. Consequently, FHCR demonstrates superior security and robustness in heterogeneous, multi-device environments.

To further demonstrate the effectiveness of the SRL and the Top-K routing strategy, we performed ablation experiments whose results are shown in

Table 6. Ablation experiments of key modules.

Configuration	General-QA Acc. (%)	IoT-Native Acc. (%)	Avg. Latency (ms)
Full FHCR	87.3 (–)	82.0 (–)	40 (–)
w/o SRL	83.1 (↓4.2)	77.5 (↓4.5)	38 (↓2)
w/o Top-K Routing	85.6 (↓1.7)	80.2 (↓1.8)	58 (↑18)

↑ denotes performance degradation, ↓ indicates metric improvement. All values relative to Full FHCR.

.

Removing the SRL module causes a noticeable drop in accuracy (4.2% on General-QA, 4.5% on IoT-Native), whereas omitting the Top-K routing strategy primarily impacts latency (an 18 ms increase). These findings confirm that the SRL module is crucial for accuracy gains, while the Top-K routing strategy is vital for latency optimization.

In summary, this section presents comprehensive evaluations encompassing large-scale node scalability, comparative assessments with existing frameworks, quantitative metric tables, detailed anomaly detection reporting, and ablation studies. The results collectively emphasize FHCR’s advantages in accuracy, efficiency, security, and scalability, thereby reinforcing its potential for practical deployment in complex AIoT environments.

6. Conclusions

This paper proposes the FHCR framework tailored for AIoT environments, achieving secure and efficient collaborative learning through hierarchical parameter decoupling, dynamic routing, and multi-level defense mechanisms. Experimental results demonstrate FHCR’s superiority in accuracy (87.3% on general tasks, 82% on IoT-native tasks), communication efficiency (14% overhead reduction), and adversarial robustness (20% lower attack success rates). The RLMI mechanism effectively mitigates poisoning attacks with a low FPR (18.7%) under 80% malicious nodes, while differential privacy ensures data leakage rates below 2.3 incidents per 1000 requests.

While FHCR advances federated learning in AIoT, several limitations warrant further investigation. First, the framework relies on edge coordination nodes for aggregation and security screening, introducing potential single-point vulnerabilities if these nodes are compromised or overloaded. Second, scalability in ultra-large networks (e.g., beyond 10 million nodes) remains unverified; communication overhead may grow nonlinearly due to increased cross-layer synchronization demands. Third, the dynamic routing strategy assumes accurate real-time computation profiling, which may degrade under extreme device heterogeneity or transient resource fluctuations.

Future work will explore decentralized aggregation protocols to eliminate reliance on edge coordination nodes, investigate quantization-aware training for ultra-scale deployments, and integrate uncertainty-aware resource estimation to enhance routing robustness. Additionally, extending FHCR to support multimodal streaming data and hybrid TEE-DP architectures could further strengthen privacy guarantees in adversarial environments.