Article

A Lightweight Robust Training Method for Defending Model Poisoning Attacks in Federated Learning Assisted UAV Networks

1 State Key Laboratory of Massive Personalized Customization System and Technology and COSMOPlat IoT Technology Co., Ltd., Qingdao 266101, China
2 College of Computer Science and Technology, Nanjing University of Aeronautics and Astronautics, Nanjing 211106, China
3 Qingdao Penghai Software Co., Ltd., Qingdao 266071, China
4 COSMOPlat Institute of Industrial Intelligence (Qingdao) Co., Ltd., Qingdao 266000, China
* Author to whom correspondence should be addressed.
Drones 2025, 9(8), 528; https://doi.org/10.3390/drones9080528 (registering DOI)
Submission received: 12 June 2025 / Revised: 15 July 2025 / Accepted: 16 July 2025 / Published: 28 July 2025
(This article belongs to the Special Issue IoT-Enabled UAV Networks for Secure Communication)

Abstract

The integration of unmanned aerial vehicles (UAVs) into next-generation wireless networks greatly enhances the flexibility and efficiency of communication and distributed computation for ground mobile devices. Federated learning (FL) provides a privacy-preserving paradigm for device collaboration but remains highly vulnerable to poisoning attacks and is further challenged by the resource constraints and heterogeneous data common to UAV-assisted systems. Existing robust aggregation and anomaly detection methods often degrade in efficiency and reliability under these realistic adversarial and non-IID settings. To bridge these gaps, we propose FedULite, a lightweight and robust federated learning framework specifically designed for UAV-assisted environments. FedULite features unsupervised local representation learning optimized for unlabeled, non-IID data. Moreover, FedULite leverages a robust, adaptive server-side aggregation strategy that uses cosine similarity-based update filtering and dimension-wise adaptive learning rates to neutralize sophisticated data and model poisoning attacks. Extensive experiments across diverse datasets and adversarial scenarios demonstrate that FedULite reduces the attack success rate (ASR) from over 90% in undefended scenarios to below 5%, while maintaining the main task accuracy loss within 2%. Moreover, it introduces negligible computational overhead compared to standard FedAvg, with approximately 7% additional training time.

1. Introduction

The rapid deployment of fifth-generation (5G) and beyond wireless networks has positioned unmanned aerial vehicles (UAVs) as a transformative platform for delivering communication and computation services to ground mobile devices. UAVs are increasingly utilized in diverse scenarios, including sports stadiums, outdoor events, traffic hotspots, and remote regions, where they function as aerial base stations (BSs) or edge servers [1,2,3]. Leveraging their agility, mobility, and favorable line-of-sight (LoS) propagation, UAV-enabled networks facilitate rapid-response wireless communications, distributed data collection, artificial intelligence (AI) model training, and dynamic coverage enhancement [1]. These capabilities have spurred significant research into UAV-assisted computation and communication for next-generation wireless networks [3].
Despite their advantages, UAVs face challenges in processing and training large-scale datasets due to inherent limitations in energy, storage, and computational capacity [1,2]. Moreover, transmitting raw data from numerous ground devices to UAV servers is often impractical due to privacy concerns and constrained communication resources [4]. Federated learning (FL) [5,6] offers a privacy-preserving solution by enabling devices to train AI models locally without sharing raw data. In FL, devices perform local model updates using gradient descent optimization [7] and share only model parameters with a central server for aggregation, thereby reducing data transmission and enhancing privacy. Integrating FL into UAV-assisted networks enables distributed AI tasks without reliance on centralized BSs. Ground devices train models locally and upload model parameters to an FL-enabled UAV server, which aggregates them to update a global model. As shown in Figure 1, the UAV broadcasts the updated global model back to the devices for further refinement. This iterative process continues until the desired learning accuracy is achieved, minimizing network congestion and preserving data privacy. Compared to traditional cloud-centric frameworks, FL enhances the efficiency of AI model training in UAV-assisted wireless networks.
However, the distributed nature of FL renders it susceptible to poisoning attacks, where adversaries compromise local training data or model parameters [8]. Poisoning attacks are categorized as non-targeted, which degrade overall model performance [9], or targeted, which manipulate predictions for specific inputs [10]. A key vulnerability in FL systems arises from the potential untrustworthiness of participating clients, some of which may be malicious or compromised. For instance, adversaries may use projected gradient descent to craft local models that mislead the global model’s convergence [11]. Additionally, surrogate models mimicking target model behavior pose significant security risks [12]. These threats underscore the need for robust detection and defense mechanisms against poisoning attacks in FL environments.
The widely adopted Federated Averaging (FedAvg) algorithm is particularly vulnerable, as even rudimentary attack strategies can disrupt its convergence [13]. Existing defenses include robust aggregation algorithms [14,15] and anomaly detection techniques [16]. Robust aggregation methods employ weighting or filtering to mitigate anomalous updates but falter against numerous malicious clients. Anomaly detection approaches analyze update patterns to identify malicious clients, yet they often suffer from high false-positive and negative rates due to the complexity of attack strategies [17]. Gradient-based filtering methods struggle with coordinated attacks, while geometric median or gradient analysis approaches offer partial mitigation but compromise training efficiency and stability against sophisticated attacks.
Despite notable progress in designing secure federated learning frameworks, existing approaches exhibit critical limitations, particularly in UAV-assisted networks where resource constraints and data heterogeneity are pronounced. Many robust aggregation strategies, while effective against certain classes of attack, often suffer substantial performance degradation when confronted with highly coordinated or stealthy poisoning strategies or when the proportion of malicious clients increases. Anomaly detection techniques also tend to exhibit limited reliability under non-IID data distributions, producing high rates of false positives and negatives that undermine both the efficiency and trustworthiness of the learning process. Furthermore, the majority of prior proposals are challenged by the computational limitations of UAV hardware, as they frequently involve heavyweight model architectures or multiple training iterations, resulting in excessive local computation or communication overhead. These issues are compounded in practical deployments where bandwidth is severely limited, data is unlabeled, and sophisticated attackers can dynamically adapt to existing defense mechanisms. Model compression techniques, such as pruning and quantization, can reduce communication overhead in FL. However, these methods are ineffective against sophisticated model poisoning attacks, which manipulate the direction and magnitude of model parameter updates in a targeted manner. Pruning and quantization cannot reliably identify the affected neurons, and the information loss introduced by these techniques may even exacerbate model vulnerability, leading to a degradation in the main task accuracy.
To address these challenges, we propose FedULite, a federated learning framework specifically designed for UAV-assisted networks facing non-IID data and poisoning attacks. FedULite introduces a lightweight and robust local training pipeline that leverages unsupervised representation learning on unlabeled data, making it well-suited for resource-constrained UAV platforms. To further defend against model poisoning attacks, FedULite employs a robust server-side aggregation mechanism that adaptively filters and aggregates client updates based on update consistency and cosine similarity thresholds. Although techniques such as contrastive learning and cosine similarity-based filtering have been independently investigated in prior research, the core innovation of FedULite lies in its synergistic defense mechanism. At the client side, we employ lightweight unsupervised contrastive learning as the first line of defense. This approach not only addresses the challenges of unlabeled and non-IID data prevalent in UAV scenarios but also significantly enhances the robustness of local model feature representations before model updates are uploaded, thereby mitigating the impact of potential poisoning attacks at the source. On the server side, robust adaptive aggregation serves as the second line of defense. The local training in the first stage ensures that updates from benign clients exhibit greater consistency, substantially improving the accuracy of server-side cosine similarity-based filtering. This enables more effective identification of malicious models that deviate from the dominant update patterns. The two-stage design collectively forms a lightweight yet highly efficient defense framework, specifically tailored for resource-constrained environments such as UAVs. The holistic integration and synergistic effect of this approach represent the primary distinction and advantage over frameworks that rely solely on individual defense strategies.
The main contributions of this work are summarized as follows.
  • We introduce a computationally efficient FL framework optimized for UAV-assisted networks, leveraging unsupervised contrastive learning and lightweight architectures to enable robust representation learning on resource-constrained clients, addressing the computational and storage limitations of UAVs.
  • We develop a robust, adaptive aggregation method at the server, which combines cosine similarity-based update filtering and dimension-wise aggregation with adaptive learning rates, effectively countering both traditional and adaptive model poisoning strategies, including stealthy and coordinated attacks.
  • We provide extensive experimental validation, demonstrating that FedULite not only significantly improves robustness and efficiency in UAV-assisted federated learning but also achieves reliable convergence and strong resistance to adversarial disruptions under diverse real-world conditions.
The remainder of this paper is organized as follows. Section 2 reviews related work on federated learning assisted UAV networks and backdoor attacks, as well as defense mechanisms in federated learning. Section 3 presents the proposed FedULite method in detail. Section 4 evaluates and analyzes the experimental results. Finally, Section 5 concludes the paper and discusses future research directions.

2. Related Work

2.1. Federated Learning Assisted UAV Networks

In recent years, FL has garnered significant attention for its implementation in wireless networks, with researchers extensively exploring methods to enhance learning efficiency [18,19,20]. Tran et al. [18] formulated the FL framework in wireless networks as an optimization problem, targeting the minimization of aggregation latency and total device energy consumption. Further studies [19,20] refined global aggregation frequency under various resource constraints, including device CPU performance, transmission delays, and model accuracy, highlighting the need for efficient resource management in dynamic settings.
In the context of UAV-assisted communication, research has focused on leveraging FL to improve AI model training efficiency [4,21,22,23,24,25,26,27]. For instance, studies [21,23] developed FL frameworks for UAV swarms, proposing joint optimization of power allocation and flight trajectories to enhance learning performance. Lim et al. [24] introduced an FL-aware collaborative learning approach tailored for vehicular networks, while Ng et al. [25] utilized UAVs as relays to improve FL accuracy through enhanced communication reliability. Notably, Shiri et al. [22] innovatively combined FL with mean-field game theory to address large-scale UAV path planning, offering a scalable solution for complex scenarios. Additionally, [4] systematically analyzed the prospects and challenges of FL in UAV-assisted networks, whereas [25,26] proposed a two-tier FL algorithm for heterogeneous computing architectures and a blockchain-based secure collaboration scheme, respectively.
Significant progress has also been made in joint trajectory and resource management for multi-UAV networks [28,29,30,31,32,33]. Early works [28,29] investigated the joint optimization of user association, resource allocation, and UAV deployment, yet traditional optimization methods struggled with dynamic and complex environments. To address this, reinforcement learning (RL) and deep reinforcement learning (DRL) approaches have been adopted [30,31,32,33,34,35]. Studies [30,31] employed multi-agent DRL algorithms to optimize UAV trajectories and transmit power, achieving robust performance in dynamic settings. Zhu et al. [32] proposed an Actor–Critic-based algorithm for joint optimization of three-dimensional UAV flight paths and transmission control in continuous action spaces. Similarly, Ref. [33] applied an Actor–Critic framework to dynamically optimize device association, resource allocation, and trajectories. While these advancements enhance adaptability, they often overlook security vulnerabilities in FL, such as poisoning attacks, which our work aims to address.

2.2. Poisoning Attacks in Federated Learning

Poisoning attacks in FL systems primarily target the data collection [36] and model training [37] phases, characterized by low implementation barriers and high cost-effectiveness. These attacks are classified into non-targeted attacks, which aim to degrade overall model performance, and targeted attacks, which induce incorrect predictions for specific inputs. From a mechanistic perspective, data poisoning attacks [38,39,40] manipulate training samples, such as through label-flipping techniques, while model poisoning attacks [41,42,43] directly alter local model parameters. A prominent example is the model replacement attack, where malicious updates are crafted to supplant global model updates. Research indicates [44] that model poisoning attacks pose a severe threat, achieving significant disruption even with few attackers and limited training rounds. Liu et al. [45] enhanced the efficacy of model replacement (MR) attacks by precisely evaluating global parameters and injecting malicious updates with weighted factors. Similarly, Wang et al. [46] proposed a Projected Gradient Descent (PGD) attack, employing iterative parameter perturbations for stealthier manipulation.
Notably, traditional defense mechanisms relying on specific metrics face emerging challenges. Huang et al. [47] introduced the Cosine Constraint Attack (CCA), which incorporates a cosine distance term into the loss function to align malicious gradients with global gradients, effectively evading cosine similarity-based detection. More critically, even multi-metric defense strategies struggle against sophisticated attacks that mimic normal gradient characteristics, underscoring the limitations of existing defenses.

2.3. Poisoning Defenses in Federated Learning

Research on defense mechanisms against poisoning attacks in FL primarily focuses on server-side strategies [48], predicated on the assumption of basic trust between clients and the server, as well as among clients. These approaches aim to mitigate the adverse impact of malicious updates on the global model by employing specific defense mechanisms after receiving client updates. Huang et al. [47] proposed the Scope method, which utilizes gradient normalization to counteract the masking effect of benign gradients on backdoor gradients, enhances anomalous gradient features through differential privacy, and employs cosine distance to measure gradient direction similarity, followed by dominant gradient clustering to detect and filter backdoor gradients. Blanchard et al. [49] introduced the Krum scheme, which selects the update with the smallest Euclidean distance to others as the global model parameter. However, its reliance on a single update may introduce model bias. The improved Multi-Krum variant aggregates the mean of multiple updates with minimal Euclidean distances, enhancing aggregation robustness and convergence efficiency, though its effectiveness is limited by the reduced discriminative power of Euclidean distance in high-dimensional spaces and its inability to detect diverse malicious updates.
To address these limitations, Zhang et al. [50] developed the DWAMA algorithm, which integrates Mahalanobis distance with an adaptive threshold mechanism. By capturing complex correlations among data features and dynamically adjusting detection thresholds and aggregation weights, DWAMA significantly improves update stability. Huang et al. [51] proposed the Multi-Metrics algorithm, combining Manhattan distance, Euclidean distance, and cosine similarity to implement a multi-dimensional scoring mechanism for selecting high-quality updates for aggregation. Jebreel et al. [52] introduced the FL-Defender algorithm, which identifies potential malicious updates based on cosine similarity of the last-layer gradients, incorporating PCA dimensionality reduction and reweighting strategies to suppress malicious client influence. Pillutla et al. [53] proposed the Robust Federated Aggregation (RFA) scheme, which replaces traditional mean aggregation with geometric median estimation to reduce the impact of anomalous clients through robust statistical methods. Liu et al. [54] developed the DefendFL algorithm, which employs collinearity masks to protect gradient privacy and implements a cosine similarity-based mask verification mechanism to counter poisoning attacks. While these methods effectively mitigate poisoning threats in specific scenarios, their performance diminishes in settings with large-scale clients or a high proportion of malicious clients, highlighting the need for more robust and scalable defense strategies. In addition, certain personalized federated learning techniques, such as those proposed in [55,56], achieve model personalization through partial model-sharing methods. These approaches aggregate only specific parts of the model at the server while retaining or locally learning additional modules. Such strategies inherently offer some resistance to poisoning attacks by limiting the scope of shared parameters. 
However, these methods primarily aim to improve efficiency or address data heterogeneity. In the face of sophisticated poisoning attacks, their performance is limited. In contrast, the core objective of FedULite is to ensure model security and robustness in adversarial environments, addressing a distinct research dimension.

3. Threat Model

Attack model: We adopt the attack model established in prior works [45,46,57]. Specifically, the adversary controls one or more malicious clients, which may include fabricated clients injected into the system. The adversary does not compromise the server. During each iteration of the FL training process, malicious clients can send arbitrary local model updates to the server.
Attacker’s goal: Poisoning attacks in FL are generally categorized into untargeted poisoning attacks, which degrade overall model performance, and targeted poisoning attacks, which induce erroneous predictions on specific target samples while maintaining high overall model accuracy to evade detection. This study focuses on targeted poisoning attacks due to their stealthier nature.
Attacker’s capability: The adversary possesses full control over the training process of compromised clients, enabling direct manipulation of their model parameters in each attack cycle. The adversary has access to the global model updates in each training round and knowledge of the local data and model parameters of controlled clients. However, the adversary cannot access the server’s aggregation algorithm, defense mechanisms, or the data and training strategies of benign clients.
Defender’s goal: Existing poisoning defense methods are predominantly server-side, assuming a trusted server, but their performance degrades sharply as the proportion of malicious clients increases. This work aims to design a lightweight, localized poisoning defense method to achieve the following objectives: (1) Utility: In the absence of attacks, the method should not compromise the classification accuracy of the global model, achieving performance comparable to the widely used FedAvg algorithm in non-adversarial settings. (2) Robustness: In the presence of strong targeted poisoning attacks, the global model trained with our method should not predict attacker-specified labels for attacker-chosen target test samples. (3) Lightweight: Given the resource-constrained nature of clients in UAV-assisted FL systems, the method should impose minimal additional computational workload.

4. Method

4.1. Overview of FedULite

Figure 2 presents FedULite, a federated learning framework tailored for unmanned aerial vehicle (UAV)-assisted scenarios, addressing the challenges of non-independent and identically distributed (non-IID) data and poisoning attacks. FedULite leverages unlabeled data to train a robust global encoder $f_g$, enabling effective representation learning in resource-constrained and dynamic network environments. To accommodate the computational limitations of UAV clients, the framework employs lightweight local training with optimized architectures and minimal computational overhead. At the server, a robust aggregation mechanism mitigates model poisoning attacks, such as backdoor and model replacement attacks [23,24,25], by prioritizing consistent client updates. A streamlined bidirectional communication protocol facilitates the exchange of online encoders $f_g^k$ and predictors $p_g^k$ between clients and the server, with the server distributing aggregated models $f_g$ and $p_g$. The FedULite framework operates through three core stages:
  • Local Training: Each client performs unsupervised representation learning with a lightweight contrastive loss, training an online encoder $f_g^k$, predictor $p_g^k$, and target encoder $f_t^k$, with anomaly detection to counter data poisoning.
  • Model Aggregation: The server aggregates client models using a robust strategy that evaluates update consistency, producing updated global models $f_g$ and $p_g$.
  • Model Update: The server distributes $f_g$ and $p_g$, which clients adopt to update their local models.
Algorithm 1 encapsulates FedULite, detailing its lightweight training, robust aggregation, and update mechanisms.

4.2. Local Robust Training

In FedULite, local training employs a dual-network architecture comprising an online network, consisting of an online encoder $f_g^k$ with parameters $\theta$ and a predictor $p_g^k$, and a target network, represented by a target encoder $f_t^k$ with parameters $\xi$. This architecture facilitates unsupervised representation learning, optimized for the resource-constrained environment of UAV clients while ensuring robustness against data poisoning attacks, such as label flipping or adversarial samples.
To mitigate the impact of potentially malicious encoders in federated learning, FedULite employs a strategic initialization and update policy for local models. In the first training round, benign clients initialize both their online encoder $f_g^k$ and target encoder $f_t^k$ with the global encoder $f_g$, ensuring a clean starting point free from malicious influence. In subsequent rounds, the online encoder $f_g^k$ and predictor $p_g^k$ are set to the global encoder $f_g$ and predictor $p_g$, respectively, while the target encoder $f_t^k$ adopts the parameters of the previous round's local online encoder $f_g^k$. This approach leverages the historical, presumably benign, local encoder as the target to stabilize training and counteract potential malicious updates aggregated into the global encoder. By using the previous round's local encoder as a reference, FedULite disperses the influence of malicious clusters, enhancing the robustness of the global model against backdoor attacks.
Algorithm 1: Algorithm of FedULite process
  Data: Number of clients N, communication rounds T, local epochs E = 1
  Result: Global encoder $f_g$, global predictor $p_g$
  // Initialize global and local models
Training commences with the generation of two augmentations, $t$ and $t'$, from an input image $x$, employing computationally efficient transformations, such as random cropping and horizontal flipping, to minimize preprocessing overhead. Both the online and target encoders are implemented as lightweight convolutional neural networks, designed to reduce model complexity while preserving expressive capacity. The predictor $p_g^k$ is a compact multilayer perceptron (MLP), further reducing computational demands.
The online network is optimized using a contrastive loss that aligns the normalized outputs of the online and target networks:
$$L_{\theta,\xi} \triangleq \left\| \frac{p_g^k(f_g^k(t))}{\left\| p_g^k(f_g^k(t)) \right\|_2} - \frac{f_t^k(t')}{\left\| f_t^k(t') \right\|_2} \right\|_2^2,$$
where $p_g^k(f_g^k(t))$ represents the output of the online network, and $f_t^k(t')$ serves as the regression target provided by the target network. The parameters of the target network, $\xi$, are updated via an exponential moving average (EMA) of the online encoder's parameters $\theta$:
$$\xi \leftarrow m\,\xi + (1 - m)\,\theta,$$
where the decay rate $m \in [0, 1]$ is dynamically adjusted based on training dynamics, such as loss variance or communication rounds, to balance stability and adaptability in non-IID settings. To enhance computational efficiency, each client performs a single training iteration per communication round on a small batch of samples, significantly reducing overhead compared to multi-iteration training.
To leverage labeled data available at each client and align with the primary objectives of federated learning, FedULite incorporates supervised learning when labels are present. The online encoder $f_g^k$ is optimized with a cross-entropy loss over labeled samples:
$$\theta_{f_g^k}^{t} = \arg\min_{\theta_{f_g^k}^{t}} \; -\sum_{(x,y) \in D_k} \sum_{c=1}^{C} y_c \cdot \log f_g^k(x)_c$$
where $D_k$ denotes the local labeled dataset of client $k$, and $\theta_{f_g^k}^{t}$ represents the parameters of $f_g^k$ at round $t$. This supervised objective complements the unsupervised contrastive loss, enhancing the encoder's ability to capture task-specific features while maintaining robustness in non-IID settings.
The communication protocol is designed for efficiency: clients upload only the online encoder $f_g^k$ and predictor $p_g^k$, as $f_g^k$ encapsulates the most recent data representations, while the target encoder $f_t^k$ remains local to provide stable regression targets. This approach minimizes uplink communication overhead, a critical consideration for bandwidth-constrained UAV networks.
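The per-round initialization policy, the normalized contrastive loss and the EMA target update of this section can be traced on a toy model. This is an added example, not code from the paper: the encoders are 2×2 linear maps, the predictor is taken as the identity, and the views, weights, learning rate and fixed decay m are constructed values chosen for illustration.

```python
import math

# Constructed inputs (assumptions): two augmented views of one sample,
# a round-1 global encoder, and a tampered round-2 global encoder.
VIEW_T = [1.0, 0.2]
VIEW_T2 = [0.9, 0.3]
GLOBAL_R1 = [[0.5, -0.3], [0.2, 0.8]]
GLOBAL_R2 = [[-0.5, 0.3], [0.9, -0.1]]

def dot(a, b):
    return sum(x * y for x, y in zip(a, b))

def normalize(v):
    n = math.sqrt(dot(v, v))
    return [x / n for x in v]

def matvec(W, x):
    return [dot(row, x) for row in W]

def contrastive_loss(p, z):
    """Squared L2 distance between the L2-normalized online and target outputs."""
    q, zn = normalize(p), normalize(z)
    return sum((a - b) ** 2 for a, b in zip(q, zn))

def start_round(global_W, prev_local_W):
    """Online encoder <- global encoder. Target encoder <- global encoder in the
    first round, afterwards <- this client's online encoder from the last round."""
    online = [row[:] for row in global_W]
    source = global_W if prev_local_W is None else prev_local_W
    target = [row[:] for row in source]
    return online, target

def online_step(W, Xi, t, t2, lr):
    """One SGD step on the online weights W; the target Xi receives no gradient."""
    p = matvec(W, t)
    z = normalize(matvec(Xi, t2))
    norm_p = math.sqrt(dot(p, p))
    q = [x / norm_p for x in p]
    qz = dot(q, z)
    # loss = 2 - 2*(q.z), so dL/dp = -2 * (z - (q.z) q) / ||p||
    grad_p = [-2.0 * (zi - qz * qi) / norm_p for zi, qi in zip(z, q)]
    # dL/dW[i][j] = dL/dp[i] * t[j]
    return [[w - lr * g * x for w, x in zip(row, t)] for row, g in zip(W, grad_p)]

def ema_update(Xi, W, m):
    """xi <- m*xi + (1-m)*theta, applied element-wise."""
    return [[m * a + (1.0 - m) * b for a, b in zip(rx, rw)] for rx, rw in zip(Xi, W)]

def local_round(global_W, prev_local_W, t, t2, lr=0.1, m=0.99):
    """Runs one client round; returns (online, target, loss_before, loss_after)."""
    online, target = start_round(global_W, prev_local_W)
    before = contrastive_loss(matvec(online, t), matvec(target, t2))
    online = online_step(online, target, t, t2, lr)
    after = contrastive_loss(matvec(online, t), matvec(target, t2))
    target = ema_update(target, online, m)
    return online, target, before, after

if __name__ == "__main__":
    online1, target1, before, after = local_round(GLOBAL_R1, None, VIEW_T, VIEW_T2)
    print("round 1 loss:", round(before, 4), "->", round(after, 4))
    # Round 2: the global encoder has changed, but the regression target is
    # still anchored to what this client trained locally in round 1.
    online2, target2 = start_round(GLOBAL_R2, online1)
    print("round 2 target == round 1 local encoder:", target2 == online1)
```

In round 2 only the online encoder inherits the aggregated global weights, which is the property the section relies on when the global encoder may contain malicious contributions.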

4.3. Robust Adaptive Aggregation

To enhance the robustness of the global model against poisoning attacks, FedULite employs a sophisticated aggregation strategy at the server, supplanting traditional weighted averaging. It is crucial to note that our robust adaptive aggregation strategy fundamentally relies on the server's ability to access and inspect the individual model update, $\Delta_t^k$, from each client prior to aggregation. This access is essential for computing the cosine similarities used in the filtering stage (Equation (4)) and for assessing the sign consistency of each parameter dimension (Equation (5)). We therefore must clearly state that this requirement makes FedULite, in its current form, incompatible with standard secure aggregation protocols that are designed to provide server-side privacy by hiding these very updates.
For each client $k$, model updates are computed as $\Delta_t^k = \theta_{f_g^k} - \theta_{f_g}$ for the online encoder and $\Delta_{p_g}^k = \theta_{p_g^k} - \theta_{p_g}$ for the predictor, where $\theta_{f_g}$ and $\theta_{p_g}$ represent the global parameters from the previous communication round. The aggregation process leverages a two-stage mechanism to evaluate update consistency, effectively neutralizing malicious contributions while preserving model convergence in non-IID settings.
In the first stage, updates are pre-filtered based on their alignment with the mean update across clients:
$$S_t = \left\{ k \in S_t \;\middle|\; \cos\!\left( \Delta_t^k, \frac{1}{|S_t|} \sum_{j \in S_t} \Delta_t^j \right) \ge \tau \right\},$$
where $\tau$ is a cosine similarity threshold. This filtering excludes updates that significantly deviate from the majority, thereby mitigating stealthy attacks, such as cosine-constrained poisoning attempts [29]. In the second stage, the server assesses the consistency of updates along each parameter dimension $i$ by computing the sum of update signs:
$$\mathrm{sign\_sum}_i = \sum_{k \in S_t} \operatorname{sgn}\!\left( \Delta_{t,i}^k \right).$$
A dimension-specific learning rate $\eta_{\theta,i}$ is then assigned:
$$\eta_{\theta,i} = \begin{cases} \eta & \text{if } |\mathrm{sign\_sum}_i| \ge \theta, \\ -\eta & \text{otherwise}, \end{cases}$$
where $\eta$ is the base learning rate, and $\theta$ is a threshold dynamically adjusted based on the number of participating clients to accommodate the variable client participation inherent in UAV networks. The global encoder and predictor parameters are updated as follows:
$$\theta_{f_g}^{t+1} = \theta_{f_g}^{t} + \eta_\theta \odot \frac{\sum_{k \in S_t} n_k \cdot \Delta_t^k}{\sum_{k \in S_t} n_k},$$
$$\theta_{p_g}^{t+1} = \theta_{p_g}^{t} + \eta_\theta \odot \frac{\sum_{k \in S_t} n_k \cdot \Delta_{p_g}^k}{\sum_{k \in S_t} n_k},$$
where $\eta_\theta = [\eta_{\theta,1}, \eta_{\theta,2}, \ldots, \eta_{\theta,d}]$, and $\odot$ denotes element-wise multiplication. The vector $n_k$ represents the data volume of client $k$, ensuring weighted contributions proportional to local dataset sizes. This mechanism suppresses the influence of inconsistent updates, effectively mitigating poisoning attacks while maintaining robust convergence.
Upon aggregation, the server distributes the updated global models $f_g$ and $p_g$ to all clients, who synchronize their local models by setting $f_g^k \leftarrow f_g$ and $p_g^k \leftarrow p_g$. This streamlined update process ensures model consistency across clients, enhancing robustness in heterogeneous, non-IID data environments characteristic of UAV-assisted FL.
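The two-stage server rule of this section (cosine pre-filter against the mean update, then a per-dimension learning rate from sign agreement, then data-weighted averaging) is shown below on five client updates. This is an added example, not the authors' implementation: the updates, sample counts and the values of tau, theta and eta are constructed, and the low-agreement branch is taken as a sign-flipped rate.

```python
import math

# Constructed round (assumption): four benign clients and one client whose
# update points against the others. Each update is a 4-dimensional delta.
UPDATES = {
    "c1": [0.10, 0.20, -0.10, 0.05],
    "c2": [0.12, 0.18, -0.08, -0.04],
    "c3": [0.09, 0.22, -0.12, 0.03],
    "c4": [0.11, 0.19, -0.09, -0.02],
    "c5": [-0.30, -0.50, 0.40, 0.20],   # constructed outlier
}
N_SAMPLES = {"c1": 100, "c2": 200, "c3": 100, "c4": 200, "c5": 500}
GLOBAL = [0.0, 0.0, 0.0, 0.0]

def cosine(a, b):
    na = math.sqrt(sum(x * x for x in a))
    nb = math.sqrt(sum(x * x for x in b))
    if na == 0.0 or nb == 0.0:
        return 0.0          # a zero update carries no direction
    return sum(x * y for x, y in zip(a, b)) / (na * nb)

def sgn(x):
    return (x > 0) - (x < 0)

def robust_aggregate(global_params, updates, n_samples, tau, theta, eta):
    """Returns (new_global_params, kept_client_ids, per_dimension_rates)."""
    ids = sorted(updates)
    d = len(global_params)

    # Stage 1: keep clients whose update aligns with the mean of all updates.
    mean = [sum(updates[k][i] for k in ids) / len(ids) for i in range(d)]
    kept = [k for k in ids if cosine(updates[k], mean) >= tau]
    if not kept:
        # Nothing passed the filter: leave the global model unchanged.
        return list(global_params), kept, [0.0] * d

    # Stage 2: per-dimension rate from the sum of update signs.
    rates = []
    for i in range(d):
        sign_sum = sum(sgn(updates[k][i]) for k in kept)
        # Assumed sign-flipped rate (-eta) where agreement is below theta.
        rates.append(eta if abs(sign_sum) >= theta else -eta)

    # Data-volume-weighted mean of the kept updates, scaled element-wise.
    total = sum(n_samples[k] for k in kept)
    avg = [sum(n_samples[k] * updates[k][i] for k in kept) / total
           for i in range(d)]
    new_params = [g + r * a for g, r, a in zip(global_params, rates, avg)]
    return new_params, kept, rates

def demo():
    return robust_aggregate(GLOBAL, UPDATES, N_SAMPLES,
                            tau=0.5, theta=3, eta=1.0)

if __name__ == "__main__":
    params, kept, rates = demo()
    print("kept clients:", kept)
    print("per-dimension rates:", rates)
    print("new global params:", [round(p, 6) for p in params])
```

The last dimension, where the kept clients split two against two, is the one that receives the flipped rate; the other three move with the weighted mean of c1 to c4.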

5. Evaluation

5.1. Experimental Setup

5.1.1. Datasets and Models

To evaluate the defensive capabilities of the FedULite framework, we conducted experiments across four widely adopted public datasets: MNIST, Fashion-MNIST (F-MNIST), EMNIST, and CIFAR-10. Notably, EMNIST was specifically employed to simulate non-IID settings, reflecting the heterogeneous data distributions common in UAV-assisted federated learning scenarios. The MNIST dataset comprises 70,000 grayscale handwritten digit images (0–9), with 60,000 training samples and 10,000 test samples, all normalized to a resolution of 28 × 28 pixels. Fashion-MNIST mirrors MNIST in data size and scale, containing 70,000 grayscale images of 10 fashion item categories (e.g., clothing, footwear), but presents greater complexity due to its diverse visual patterns. The CIFAR-10 dataset consists of 60,000 color images across 10 classes (e.g., airplane, automobile, bird), with 50,000 training samples and 10,000 test samples, each normalized to 32 × 32 pixels with three RGB channels during preprocessing. These datasets were selected to encompass a range of data modalities (grayscale vs. color), complexities, and distribution characteristics, enabling a comprehensive assessment of FedULite’s robustness against poisoning attacks under varied conditions.
The experimental setup incorporated tailored model architectures to align with the distinct characteristics of each dataset, ensuring both applicability and fairness in evaluating defensive performance. For MNIST and Fashion-MNIST, we adopted the LeNet-5 architecture, a lightweight convolutional neural network well-suited for grayscale image classification. LeNet-5 features two convolutional layers (with 6 and 16 feature maps, respectively, using 5 × 5 kernels), followed by three fully connected layers, with ReLU activation functions and standard max-pooling layers to enhance feature extraction and reduce computational overhead. For CIFAR-10, which involves more complex color images, we employed the ResNet-18 model, a deeper architecture with residual connections that facilitate training and improve generalization on challenging visual tasks. This differentiated design accounts for the varying computational demands and feature complexities of the datasets, aligning with FedULite’s lightweight local training paradigm optimized for resource-constrained UAV environments.

5.1.2. Federated Learning Settings

To rigorously assess the defensive performance of the FedULite framework, we conducted experiments with an FL setup comprising N = 100 clients, reflecting a realistic scale for UAV-assisted networks. In each communication round, the server randomly selected M = 10 clients to contribute updates to the global model, corresponding to a participation ratio of 10%, a common configuration in FL studies to balance computational efficiency and model convergence. To emulate the non-IID data distributions prevalent in such scenarios, we employed Dirichlet sampling [58] to partition the datasets across clients.
For each selected benign client, local training was performed using a stochastic gradient descent (SGD) optimizer with a learning rate of η = 0.01, a standard choice ensuring stable convergence across diverse datasets. Clients executed two local training epochs consistent with FedULite’s lightweight design, which employs single-iteration contrastive and supervised training to minimize computational overhead on resource-constrained devices. A batch size of 64 was adopted, striking a balance between gradient estimation stability and memory efficiency, particularly suitable for the constrained computational capabilities of UAV clients. The local training process incorporated anomaly detection to discard samples with excessively high contrastive losses, enhancing resilience against data poisoning.

5.1.3. Attacks and Defenses Settings

In terms of attack settings, we conduct experimental evaluations against four distinct poisoning attack strategies. For the model replacement attack, also known as the constrain-and-scale (CSC) attack, the adversary amplifies its malicious update by a factor of N/K, where N denotes the total number of clients and K is the number of clients participating in each training round. This amplification is designed to ensure that the attacker’s update can fully override the global model, effectively hijacking the aggregation process. In the projected gradient descent (PGD) attack, we impose an $L_2$ norm constraint by projecting the adversarial gradients onto a norm ball with a radius of 2. The specific hyperparameter settings for this attack are as follows: each gradient update uses a step size of 0.02, the model parameters are projected every 10 updates, and Gaussian noise with a standard deviation of 0.025 is added to further obfuscate the update’s malicious intent. For the cosine constraint attack (CCA), we balance the cross-entropy loss and cosine loss with equal weights of 0.5, thereby ensuring that the direction of the attacker’s update aligns closely with that of the global model, making malicious contributions harder to distinguish during aggregation. Finally, for the distributed backdoor attack (DBA), we adopt the approach in [57], wherein multiple local triggers are collaboratively combined into a single global trigger. We configure three independent local triggers, thereby enhancing the attack’s stealthiness and effectiveness through the cooperation among multiple adversarial clients.
These attack strategies are evaluated in conjunction with four state-of-the-art defense mechanisms: FoolsGold [59], Multi-Krum [49], RLR [60], and FL-Defender [52]. For both attack implementations and defense algorithms, we adhere strictly to the original official implementations to ensure the fairness and reproducibility of our experiments.

5.1.4. Evaluation Metrics

Drawing on prior research, we evaluated the performance of the FedULite framework using two key metrics: Attack Success Rate (ASR) and Accuracy on the main classification task (ACC). ASR is defined as the proportion of backdoor inputs misclassified as the attacker’s target label by the compromised global model, providing a direct measure of the poisoning attack’s effectiveness. In contrast, ACC quantifies the model’s performance on benign, clean test samples, serving as an indicator of the defense mechanism’s ability to maintain overall model utility while countering malicious interference. In the context of FL, particularly within UAV-assisted networks, benign clients aim to maximize ACC to ensure robust task performance, whereas attackers strive to maximize ASR while concealing their presence by ensuring ACC remains largely unaffected. An effective defense, such as FedULite, seeks to minimize ASR, ideally approaching zero, while preserving high ACC, thereby achieving a balance between security and functionality in the face of sophisticated poisoning attacks.

5.2. Experimental Results

5.2.1. Comparison

Table 1 presents a comparative analysis of FedULite and four benchmark backdoor defense methods, with all approaches evaluated under the same configurations as their original works. The “No-Defense” column denotes the baseline scenario where no defensive mechanisms are applied, and the best results in each category are highlighted in bold. Experimental results indicate that FedULite consistently reduces the ASR of all four evaluated attacks to as low as 4% across three benchmark datasets, outperforming all other baseline methods in terms of attack mitigation.
Overall, while Multi-Krum and RLR exhibit a certain degree of effectiveness against a range of poisoning attacks under balanced data distributions, this often comes at the cost of a substantial decrease in the main task’s accuracy. FoolsGold, on the other hand, fails to defend against DBA, reflecting its limitations in more sophisticated adversarial scenarios. FL-Defender demonstrates inconsistent performance, showing effectiveness on some datasets such as F-MNIST but reduced robustness on others, suggesting its sensitivity to data characteristics. In contrast, FedULite achieves robust resistance against poisoning attacks by combining local mitigation techniques with server-side filtering and robust aggregation. This integrated defense paradigm effectively balances model accuracy and security, demonstrating superior adaptability across various data distributions and attack types. Moreover, the observed accuracy drops are attributed to the inherent trade-off of the defense mechanism, where filtering malicious updates occasionally affects benign updates that deviate significantly from the mainstream pattern. This defensive overhead is necessary to ensure robustness but is minimized in FedULite’s design, as evidenced by the limited accuracy degradation compared to other methods.
Moreover, we visualize the distribution in the feature space of the global model under the attacks with and without FedULite to further understand the advantages of our proposed method. Specifically, we poisoned part of the test data in CIFAR-10, with the same number of poisoned samples in each class. The poisoned test data are then used for t-SNE visualization. From Figure 3a, we can see that the feature representations of benign samples from the same category form an individual cluster, while the poisoned samples form a new cluster (in grey color). In Figure 3b, however, the cluster of poisoned samples is completely broken up, and all the poisoned samples are grouped with the benign samples from the same category. This means that FedULite can effectively break the cluster of backdoor features and further prevent the establishment of the connection between the targeted label and the trigger through contrastive training.

5.2.2. Different FL and Attack Settings

Non-IID data distributions. To investigate the impact of data heterogeneity on backdoor defense effectiveness, we evaluate the performance of FedULite under varying levels of statistical heterogeneity and compare its robustness against baseline methods. In this analysis, we manipulate the Dirichlet distribution parameter α ∈ {0.05, 0.1, 10} to control the degree of non-IID data allocation among clients, with a particular focus on DBA, as its distributed triggering mechanism poses substantial challenges under heterogeneous conditions. To visualize the effect of data heterogeneity, we randomly select 10 clients from a total of 100 and display the number of samples per class for each client, as illustrated in Figure 4. Here, α = 10 approximates an IID setting, while smaller values, such as α = 0.05, indicate higher heterogeneity with increasingly skewed class distributions across clients.
The experimental results reported in Table 2, corresponding to the non-IID settings, demonstrate that data heterogeneity has a pronounced influence on both ASR and ACC, where the best results in each category are highlighted in bold. As the value of α decreases, representing increased heterogeneity, both ASR and ACC tend to decline. This phenomenon reflects the dual effects of non-IID distributions: on one hand, elevated heterogeneity restricts the global model’s generalization ability due to some clients possessing samples predominantly from a few classes while having few or no samples from others, leading to diminished overall model performance; on the other hand, heterogeneity impedes the propagation of malicious triggers, thereby reducing the effectiveness of backdoor injection attacks. Notably, data heterogeneity presents additional challenges for defense techniques based on detection, such as FoolsGold and Multi-Krum, as these methods rely on similar client updates to distinguish adversarial behavior.
By contrast, FedULite exhibits exceptional resilience regardless of the degree of data heterogeneity. Even under highly non-IID settings (α = 0.05), FedULite consistently reduces the DBA ASR to below 3% for all tested α values. Although there is a modest decline in ACC owing to the extreme skewness of class distributions, FedULite still outperforms all baseline methods, underscoring its robustness and adaptability to heterogeneous FL environments.
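The effect of the Dirichlet parameter α on client data, as an added example that is not the authors' code. It assumes the common per-class variant of Dirichlet partitioning (each class is split across the 100 clients with proportions drawn from Dir(α)) and uses constructed, balanced labels (10 classes, 600 samples each) instead of a real dataset; `mean_dominant_share` is a hypothetical skew measure introduced here.

```python
import random

NUM_CLASSES = 10
NUM_CLIENTS = 100  # N = 100 clients, as in the experimental setup


def make_labels(per_class=600):
    """Constructed, balanced label vector standing in for a real dataset."""
    return [c for c in range(NUM_CLASSES) for _ in range(per_class)]


def dirichlet(alpha, k, rng):
    """Draw from a symmetric Dirichlet(alpha) by normalising Gamma(alpha, 1) draws."""
    draws = [rng.gammavariate(alpha, 1.0) for _ in range(k)]
    total = sum(draws)
    if total == 0.0:  # underflow guard for very small alpha
        draws = [0.0] * k
        draws[rng.randrange(k)] = 1.0
        total = 1.0
    return [x / total for x in draws]


def dirichlet_partition(labels, num_clients, alpha, seed=0):
    """ASSUMPTION: per-class variant. Returns one list of sample indices per client."""
    rng = random.Random(seed)
    by_class = {}
    for idx, y in enumerate(labels):
        by_class.setdefault(y, []).append(idx)
    clients = [[] for _ in range(num_clients)]
    for y in sorted(by_class):
        idxs = by_class[y]
        rng.shuffle(idxs)
        props = dirichlet(alpha, num_clients, rng)
        start, cum = 0, 0.0
        for k, p in enumerate(props):
            cum += p
            # The last client takes the remainder so no sample is lost to rounding.
            end = len(idxs) if k == num_clients - 1 else min(len(idxs), int(cum * len(idxs)))
            end = max(end, start)
            clients[k].extend(idxs[start:end])
            start = end
    return clients


def class_histogram(indices, labels, num_classes=NUM_CLASSES):
    """Number of samples per class held by one client."""
    hist = [0] * num_classes
    for i in indices:
        hist[labels[i]] += 1
    return hist


def mean_dominant_share(partition, labels, num_classes=NUM_CLASSES):
    """Average, over non-empty clients, of the share held by the largest class."""
    shares = []
    for indices in partition:
        if indices:
            shares.append(max(class_histogram(indices, labels, num_classes)) / len(indices))
    return sum(shares) / len(shares)


if __name__ == "__main__":
    labels = make_labels()
    for alpha in (0.05, 0.1, 10):
        part = dirichlet_partition(labels, NUM_CLIENTS, alpha, seed=1)
        print(f"alpha={alpha}: mean dominant-class share "
              f"{mean_dominant_share(part, labels):.2f}")
        # Per-class counts for 10 randomly chosen clients.
        for k in random.Random(7).sample(range(NUM_CLIENTS), 10):
            print(f"  client {k:3d}: {class_histogram(part[k], labels)}")
```

Clients left with one or two classes are the reason similarity-based defenses struggle at small α: benign updates from such clients can point in quite different directions.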
Different ratios of malicious clients. To assess the robustness of FedULite in defending against poisoning attacks, we systematically investigate its performance under varying proportions of malicious participants. The proportion of adversarial clients is a critical factor in practical FL deployments, as the prevalence of malicious actors may fluctuate over time. In our experiments, the fraction of malicious clients is varied within the set {0.1, 0.2, 0.4, 0.6, 0.8, 0.9}, enabling a comprehensive evaluation of the impact on both ASR and ACC.
The trends observed in Figure 5 reveal that as the proportion of malicious clients increases, ACC for all evaluated methods exhibits a consistent decline, while ASR rises sharply. This behavior is intuitive: higher proportions of adversarial clients introduce a greater number of backdoor triggers into the global model during the aggregation process, thereby undermining its ability to learn benign patterns and resulting in degraded classification performance. Concurrently, the amount of poisoned data utilized during local training by malicious clients grows as their proportion increases, strengthening the efficacy of the injected triggers and further elevating the ASR. Notably, when the malicious client ratio exceeds 40%, most baseline defense methods experience a considerable performance drop. These results highlight the vulnerability of server-side defense approaches, particularly those based on detection, to high proportions of adversarial participation.
By contrast, FedULite demonstrates remarkable robustness even as the proportion of malicious clients increases. Its design, which integrates local mitigation strategies with server-side filtering and aggregation techniques, enables it to maintain lower ASR values and relatively stable ACC, thereby providing a reliable defense against poisoning attacks in FL scenarios with varying degrees of adversarial presence.
Number of clients. The number of clients is a critical parameter in FL scenarios, as it directly influences system dynamics and the effectiveness of defense mechanisms. To validate the applicability of FedULite, we examine its performance under varying numbers of participating clients. Additionally, to rigorously assess FedULite’s resilience against hybrid poisoning attacks, we combine the DBA and the CSC attack, and further vary the scaling factor S in the CSC attack from 10 to 50 in increments of 20. The experimental results shown in Figure 6 indicate that FedULite maintains robust defense efficacy across different client population settings. Notably, as the proportion of clients selected per round increases, the ASR exhibits a decreasing trend. This effect is mainly attributed to the dilution of malicious influence: with a larger number of benign clients participating in the aggregation process, the relative weight and impact of malicious updates are diminished, thereby weakening the ability of adversaries to implant effective backdoor triggers. Furthermore, FedULite demonstrates a strong immunity to variations in attack intensity, maintaining stable performance even as the attacks’ strength escalates. This highlights the method’s adaptability and robustness in practical FL environments with dynamic client populations and evolving adversarial threats.
Different model structures. To ensure the generalizability of the FedULite framework across diverse model architectures, which inherently learn distinct feature representations, we conducted an extensive evaluation of its robustness against poisoning attacks using six widely adopted image classification architectures: ResNet18, ResNet34, VGG11, VGG19, MobileNet-V2, and LeNet-5. These architectures were selected to span a range of complexities, depths, and computational requirements, from lightweight models like MobileNet-V2, suitable for resource-constrained UAV clients, to deeper networks like VGG19, which are more computationally intensive. All experiments maintained consistency with the default configuration. As shown in Figure 7, although ACC exhibits some variation depending on the choice of encoder architecture—likely due to differences in local contrastive training resulting from architectural dissimilarities—our method consistently demonstrates effective performance across these models. This consistency highlights the adaptability of our approach and suggests that it can be reliably applied to diverse neural network architectures in practical federated learning settings.

5.3. Ablation and Parameter Sensitivity Analysis

5.3.1. Robust Adaptive Aggregation

In this section, we investigate the impact of Robust Adaptive Aggregation (RAA) on the effectiveness of our method. Specifically, we consider three ablation scenarios: removing only the Filter Updates component while retaining Robust Aggregation (denoted as RAA-DFU), removing only Robust Aggregation while retaining Filter Updates (RAA-DRA), and eliminating all RAA components (RAA-DALL). We evaluate the performance of these configurations under the DBA attack across three datasets. For scenarios without RAA, we adopt the standard FedAvg aggregation algorithm by default. The experimental results, summarized in Table 3, demonstrate that each RAA component plays a critical role. When all server-side operations are removed, both ASR and ACC show significant degradation, indicating that although local defenses provide some level of protection, they are insufficient on their own. The Robust Aggregation module proves essential for mitigating advanced poisoning strategies, while Filter Updates effectively filters out anomalous gradients at an early stage. These findings highlight the necessity of both server-side mechanisms in achieving comprehensive and resilient defense against backdoor attacks in federated learning.
To further elucidate the impact of RAA, we quantified the learning rate inversion ratio across different dimensions, defined as the proportion of participants exhibiting learning rate inversion in a specific dimension relative to the total number of participants. In our experiments, we fixed the number of malicious participants at three and selected eight dimensions for analysis, with the first five corresponding to the encoder and the remaining three to the predictor. We computed the inversion ratio over ten communication rounds and reported the average values. Additionally, we examined the inversion ratio under varying degrees of data heterogeneity to assess its sensitivity to non-IID data distributions. The experimental results shown in Table 4 reveal that RAA effectively induces learning rate inversion across different dimensions, with the observed ratio closely aligning with the proportion of malicious participants, approximately 30%. However, the degree of data heterogeneity significantly amplifies this ratio, indicating that non-uniform data distributions exacerbate the challenges posed by malicious participants. This finding underscores the interplay between data heterogeneity and the efficacy of RAA in mitigating adaptive attacks, highlighting its robustness in detecting and countering malicious behavior under diverse conditions.

5.3.2. Impact of τ

τ represents a cosine similarity threshold, which is employed to filter client model updates during the aggregation process. Specifically, an update from client k is included in the set $S_t$ for subsequent aggregation only if its cosine similarity meets or exceeds τ. By tuning τ, the algorithm can exclude malicious updates that significantly deviate from the predominant update direction. A smaller value of τ allows a broader range of updates to be included—including those that might arise from benign sources of noise or normal deviations due to non-IID data distribution—whereas a larger value of τ enforces stricter filtering, potentially increasing robustness but also risking the exclusion of legitimate diversity among client updates.
In this section, we examine the effects of different τ settings on our method under varying levels of data heterogeneity. As illustrated in Figure 8, our experimental results align with expectations: the choice of τ is closely related to the degree of data heterogeneity. In scenarios characterized by high degrees of non-IID data, opting for a smaller τ is more appropriate, given the inherently lower similarity among local models. This nuanced adjustment enables the aggregation scheme to better accommodate natural variability while still providing a degree of resilience against adversarial updates. These findings highlight the nuanced interplay between τ, data heterogeneity, and defense efficacy. In non-IID scenarios, the diversity of legitimate updates necessitates a relaxed τ to preserve model utility, as overly strict thresholds risk undermining the global model’s ability to generalize across skewed distributions.
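The τ filter described above and the dimension-wise learning rates of the server-side aggregation, as an added example that is not the authors' implementation. Assumptions: the "predominant update direction" is taken as the coordinate-wise median of the round's updates, the per-dimension rate follows the sign-agreement rule used by RLR with a threshold `theta`, and every vector and sample count below is constructed.

```python
import math
from statistics import median

# Constructed round (not data from the paper): M = 10 selected clients, d = 4.
# c0-c5 are benign, c6 is benign but skewed (non-IID), m7-m9 are constructed
# poisoned updates: scaled up, opposite sign in dim 0, large payload in dim 3.
UPDATES = {
    "c0": [1.0, 0.5, -0.5, 0.2], "c1": [0.9, 0.6, -0.4, 0.1],
    "c2": [1.1, 0.4, -0.6, 0.3], "c3": [1.0, 0.6, -0.5, 0.2],
    "c4": [0.8, 0.5, -0.6, 0.1], "c5": [1.2, 0.4, -0.4, 0.2],
    "c6": [0.2, 0.9, -0.1, -0.3],
    "m7": [-5.0, 5.0, -5.0, 30.0], "m8": [-4.0, 6.0, -5.0, 28.0],
    "m9": [-6.0, 4.0, -4.0, 31.0],
}
# n_k: local data volume reported by each client (constructed).
N_SAMPLES = {k: 100 for k in UPDATES}
N_SAMPLES["c6"] = 50


def cosine(u, v):
    """Cosine similarity; a zero vector has no direction and scores 0."""
    dot = sum(a * b for a, b in zip(u, v))
    nu = math.sqrt(sum(a * a for a in u))
    nv = math.sqrt(sum(b * b for b in v))
    return 0.0 if nu == 0.0 or nv == 0.0 else dot / (nu * nv)


def reference_direction(updates):
    """ASSUMPTION: predominant direction = coordinate-wise median of all updates."""
    return [median(column) for column in zip(*updates.values())]


def filter_updates(updates, tau):
    """Return S_t: ids of clients whose similarity to the reference is >= tau."""
    ref = reference_direction(updates)
    return sorted(k for k, u in updates.items() if cosine(u, ref) >= tau)


def dimension_wise_lr(updates, kept, eta, theta):
    """ASSUMPTION: RLR-style rule, +eta where |sum of signs| >= theta, else -eta."""
    lrs = []
    for column in zip(*(updates[k] for k in kept)):
        agreement = abs(sum((x > 0) - (x < 0) for x in column))
        lrs.append(eta if agreement >= theta else -eta)
    return lrs


def aggregate(global_w, updates, n_samples, tau, eta, theta):
    """Filter by tau, average with weights n_k, then apply eta_theta element-wise."""
    kept = filter_updates(updates, tau)
    if not kept:  # nothing passed the filter: leave the global model unchanged
        return list(global_w), kept, []
    total = sum(n_samples[k] for k in kept)
    mean_update = [sum(n_samples[k] * updates[k][i] for k in kept) / total
                   for i in range(len(global_w))]
    lrs = dimension_wise_lr(updates, kept, eta, theta)
    new_w = [w + lr * g for w, lr, g in zip(global_w, lrs, mean_update)]
    return new_w, kept, lrs


if __name__ == "__main__":
    for tau in (0.1, 0.5, 0.9):
        w, kept, lrs = aggregate([0.0] * 4, UPDATES, N_SAMPLES, tau, eta=1.0, theta=5)
        print(f"tau={tau}: kept={kept}")
        print(f"  lr signs={lrs}  new weights={[round(x, 3) for x in w]}")
```

In this constructed round, τ = 0.1 admits the poisoned updates: the sign rule inverts dimension 0, but dimension 3, where every client but one agrees in sign, still absorbs the payload. τ = 0.5 removes all three poisoned updates, and τ = 0.9 additionally drops the skewed benign client c6.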

5.3.3. Computational Overhead

To quantify the additional computational overhead introduced by FedULite, we measured the average time and peak memory usage required for a single round of local training on the CIFAR-10 dataset, using models of varying scales on a single client. The experiments were conducted on an NVIDIA RTX 3090 GPU. We compared FedULite against FedAvg, which lacks any defense mechanisms, and a representative defense method, FL-Defender. The results are presented in Table 5.
As shown in Table 5, compared to the baseline FedAvg, FedULite incurs minimal additional time overhead (approximately 7%) and memory overhead (approximately 1%). This efficiency is primarily attributed to our lightweight contrastive learning approach, which requires only a single forward and backward propagation. In contrast to other defense methods, such as FL-Defender, which demand additional computations or complex analyses, FedULite achieves robust performance with negligible computational burden on clients. These results strongly validate its practicality in resource-constrained UAV environments.

5.3.4. Impact of Local Epoch

In this section, we explore the impact of local training epochs on the performance of our proposed method. The experimental results shown in Table 6 demonstrate that increasing the number of local training epochs enhances the defense against backdoor attacks while simultaneously improving the accuracy of the primary task. This improvement is attributed to the extended local optimization, which strengthens the model’s resilience to malicious perturbations. However, our findings indicate that this enhancement is subject to diminishing returns, with performance gains plateauing after four local training epochs. Beyond this threshold, additional epochs yield negligible improvements, suggesting an upper limit to the benefits of extended local training. Notably, our method achieves satisfactory performance with just a single training epoch, a result that can be attributed to the synergistic integration of our chosen contrastive learning paradigm with cross-entropy loss. This combination effectively balances robustness and efficiency, enabling the model to maintain strong defensive capabilities even with minimal local training. In scenarios where computational resources are constrained, this lightweight design represents a practical trade-off, where marginal performance sacrifices are acceptable to ensure resource efficiency and scalability.

5.4. Adaptive Attack

In this section, we investigate the robustness of FedULite against adaptive attacks, where attackers are aware of the filtering threshold τ and constrain the model updates to ensure the model differences remain below τ during the attack process. To evaluate the resilience of FedULite, we conducted experiments across three distinct datasets, reporting standard deviations across multiple random seeds to ensure statistical reliability. The results shown in Table 7 demonstrate that constraining model differences inherently exerts a suppressive effect on the efficacy of such attacks. However, this approach fails to fully circumvent our defense mechanism, as attackers cannot simultaneously achieve a successful backdoor attack while maintaining normal behavior across all feature dimensions. This limitation arises because the constrained updates disrupt the attacker’s ability to embed malicious behavior without exceeding the detectable threshold. Furthermore, FedULite incorporates a two-stage defense strategy, where the contrastive learning component, integrated into the local training process, introduces an additional layer of resistance against backdoor attacks. This mechanism effectively disrupts the attacker’s ability to manipulate the model covertly, reinforcing the overall robustness of the system.

6. Conclusions and Future Work

In this paper, we present FedULite, a lightweight and robust federated learning framework tailored for UAV-assisted wireless networks. Specifically, FedULite enables clients to perform efficient unsupervised local representation learning. To enhance model robustness, FedULite incorporates a two-stage adaptive aggregation strategy at the server side, leveraging cosine similarity-based update filtering and dimension-wise adaptive learning rates to effectively suppress both data and model poisoning attacks. Compared with conventional defense approaches, FedULite achieves superior robustness and efficiency in resource-constrained, adversarial UAV environments. Extensive experiments demonstrate that FedULite ensures reliable learning performance and strong resistance to advanced adversarial threats.
Looking ahead, we plan to extend the research on FedULite in several key directions. First, regarding deployment in more realistic UAV environments, our framework already exhibits inherent adaptability in two respects. Intermittent connectivity and mobility: the federated learning paradigm of FedULite is designed to tolerate dynamic changes in participant availability. Client mobility or temporary disconnections are treated as temporary non-participation in a given aggregation round, and our robust aggregation algorithm remains insensitive to variations in the number of participating clients. Energy constraints: the lightweight design of our framework is a core strength. Local training requires only a single iteration, significantly reducing energy consumption for UAVs or ground devices, thereby ensuring feasibility in energy-constrained environments. Second, the assumption of a fully trusted server represents a limitation of the current work, and we envision a clear path toward extending FedULite to decentralized or semi-trusted settings. FedULite can be integrated with blockchain technology: model updates and aggregation rules can be deployed as smart contracts on the blockchain, ensuring transparency, immutability, and auditability of the process. This enables reliable collaboration in semi-trusted environments. In addition, we will explore effective integration schemes of FedULite with privacy-enhancing technologies such as differential privacy and secure aggregation to build a comprehensive framework that is secure, robust, and privacy-preserving. Finally, we provide a strict theoretical convergence guarantee for our robust aggregation algorithm, which is a key step in pushing this method from empirical validity to theoretical reliability.

Author Contributions

Conceptualization, L.C. and W.Z.; methodology, L.C.; software, X.B.; validation, M.S. and C.Z.; formal analysis, W.Z.; data curation, X.B.; writing—original draft preparation, L.C.; writing—review and editing, M.S.; visualization, C.Z.; supervision, C.Z. All authors have read and agreed to the published version of the manuscript.

Funding

This research was funded by the State Key Laboratory of Massive Personalized Customization System and Technology (No. H&C-MPC-2023-02-05).

Data Availability Statement

The data presented in this study are available on request from the corresponding author.

Conflicts of Interest

Author Lucheng Chen was employed by the State Key Laboratory of Massive Personalized Customization System and Technology and COSMOPlat IoT Technology Co., Ltd. Authors Weiwei Zhai and Xiangfeng Bu were employed by the Qingdao Penghai Software Co., Ltd. Authors Ming Sun and Chenglin Zhu were employed by the COSMOPlat Institute of Industrial Intelligence (Qingdao) Co., Ltd. All authors declared that the research was conducted in the absence of any commercial or financial relationships that could be construed as a potential conflict of interest.

References

  1. Lu, X.; Xiao, L.; Dai, C.; Dai, H. UAV-aided cellular communications with deep reinforcement learning against jamming. IEEE Wirel. Commun. 2020, 27, 48–53.
  2. Qi, F.; Zhu, X.; Mang, G.; Kadoch, M.; Li, W. UAV network and IoT in the sky for future smart cities. IEEE Netw. 2019, 33, 96–101.
  3. Zeng, Y.; Wu, Q.; Zhang, R. Accessing from the sky: A tutorial on UAV communications for 5G and beyond. Proc. IEEE 2019, 107, 2327–2375.
  4. Brik, B.; Ksentini, A.; Bouaziz, M. Federated learning for UAVs-enabled wireless networks: Use cases, challenges, and open problems. IEEE Access 2020, 8, 53841–53849.
  5. Konečný, J.; McMahan, H.B.; Yu, F.X.; Richtárik, P.; Suresh, A.T.; Bacon, D. Federated learning: Strategies for improving communication efficiency. arXiv 2016, arXiv:1610.05492.
  6. McMahan, B.; Moore, E.; Ramage, D.; Hampson, S.; y Arcas, B.A. Communication-efficient learning of deep networks from decentralized data. In Proceedings of the Artificial Intelligence and Statistics, Fort Lauderdale, FL, USA, 20–22 April 2017; PMLR; pp. 1273–1282.
  7. Ruder, S. An overview of gradient descent optimization algorithms. arXiv 2016, arXiv:1609.04747.
  8. Zhu, C.; Zhang, J.; Sun, X.; Chen, B.; Meng, W. ADFL: Defending backdoor attacks in federated learning via adversarial distillation. Comput. Secur. 2023, 132, 103366.
  9. Gong, X.; Chen, Y.; Wang, Q.; Kong, W. Backdoor attacks and defenses in federated learning: State-of-the-art, taxonomy, and future directions. IEEE Wirel. Commun. 2022, 30, 114–121.
  10. Xia, G.; Chen, J.; Yu, C.; Ma, J. Poisoning attacks in federated learning: A survey. IEEE Access 2023, 11, 10708–10722.
  11. Ma, C.; Chen, L.; Yong, J.H. Simulating unknown target models for query-efficient black-box attacks. In Proceedings of the IEEE/CVF Conference on Computer Vision and Pattern Recognition, Nashville, TN, USA, 20–25 June 2021; pp. 11835–11844.
  12. Bagdasaryan, E.; Veit, A.; Hua, Y.; Estrin, D.; Shmatikov, V. How to backdoor federated learning. In Proceedings of the International Conference on Artificial Intelligence and Statistics, Online, 26–28 August 2020; PMLR; pp. 2938–2948.
  13. Nguyen, T.D.; Nguyen, T.; Le Nguyen, P.; Pham, H.H.; Doan, K.D.; Wong, K.S. Backdoor attacks and defenses in federated learning: Survey, challenges and future research directions. Eng. Appl. Artif. Intell. 2024, 127, 107166.
  14. Chen, H.; Chen, X.; Peng, L.; Ma, R. Flram: Robust aggregation technique for defense against byzantine poisoning attacks in federated learning. Electronics 2023, 12, 4463.
  15. Xu, S.; Xia, H.; Zhang, R.; Liu, P.; Fu, Y. FedNor: A robust training framework for federated learning based on normal aggregation. Inf. Sci. 2024, 684, 121274.
  16. Zhang, C.; Yang, S.; Mao, L.; Ning, H. Anomaly detection and defense techniques in federated learning: A comprehensive review. Artif. Intell. Rev. 2024, 57, 150.
  17. Yin, D.; Chen, Y.; Kannan, R.; Bartlett, P. Byzantine-robust distributed learning: Towards optimal statistical rates. In Proceedings of the International Conference on Machine Learning, PMLR, Stockholm, Sweden, 10–15 July 2018; pp. 5650–5659.
  18. Tran, N.H.; Bao, W.; Zomaya, A.; Nguyen, M.N.; Hong, C.S. Federated learning over wireless networks: Optimization model design and analysis. In Proceedings of the IEEE INFOCOM 2019-IEEE Conference on Computer Communications, Paris, France, 29 April–2 May 2019; IEEE: Piscataway, NJ, USA, 2019; pp. 1387–1395.
  19. Wang, S.; Tuor, T.; Salonidis, T.; Leung, K.K.; Makaya, C.; He, T.; Chan, K. Adaptive federated learning in resource constrained edge computing systems. IEEE J. Sel. Areas Commun. 2019, 37, 1205–1221.
  20. Wang, S.; Tuor, T.; Salonidis, T.; Leung, K.K.; Makaya, C.; He, T.; Chan, K. When edge meets learning: Adaptive control for resource-constrained distributed machine learning. In Proceedings of the IEEE INFOCOM 2018-IEEE Conference on Computer Communications, Honolulu, HI, USA, 16–19 April 2018; IEEE: Piscataway, NJ, USA, 2018; pp. 63–71.
  21. Zeng, T.; Semiari, O.; Mozaffari, M.; Chen, M.; Saad, W.; Bennis, M. Federated learning in the sky: Joint power allocation and scheduling with UAV swarms. In Proceedings of the ICC 2020–2020 IEEE International Conference on Communications (ICC), Dublin, Ireland, 7–11 June 2020; IEEE: Piscataway, NJ, USA, 2020; pp. 1–6.
  22. Shiri, H.; Park, J.; Bennis, M. Communication-efficient massive UAV online path control: Federated learning meets mean-field game theory. IEEE Trans. Commun. 2020, 68, 6840–6857.
  23. Liu, Y.; Nie, J.; Li, X.; Ahmed, S.H.; Lim, W.Y.B.; Miao, C. Federated learning in the sky: Aerial-ground air quality sensing framework with UAV swarms. IEEE Internet Things J. 2020, 8, 9827–9837.
  24. Lim, W.Y.B.; Huang, J.; Xiong, Z.; Kang, J.; Niyato, D.; Hua, X.S.; Leung, C.; Miao, C. Towards federated learning in UAV-enabled Internet of Vehicles: A multi-dimensional contract-matching approach. IEEE Trans. Intell. Transp. Syst. 2021, 22, 5140–5154.
  25. Ng, J.S.; Lim, W.Y.B.; Dai, H.N.; Xiong, Z.; Huang, J.; Niyato, D.; Hua, X.S.; Leung, C.; Miao, C. Joint auction-coalition formation framework for communication-efficient federated learning in UAV-enabled internet of vehicles. IEEE Trans. Intell. Transp. Syst. 2020, 22, 2326–2344.
  26. Fadlullah, Z.M.; Kato, N. HCP: Heterogeneous computing platform for federated learning based collaborative content caching towards 6G networks. IEEE Trans. Emerg. Top. Comput. 2020, 10, 112–123.
  27. Wang, Y.; Su, Z.; Zhang, N.; Benslimane, A. Learning in the air: Secure federated learning for UAV-assisted crowdsensing. IEEE Trans. Netw. Sci. Eng. 2020, 8, 1055–1069.
  28. Wu, Q.; Zeng, Y.; Zhang, R. Joint trajectory and communication design for multi-UAV enabled wireless networks. IEEE Trans. Wirel. Commun. 2018, 17, 2109–2121.
  29. Yin, S.; Li, L.; Yu, F.R. Resource allocation and basestation placement in downlink cellular networks assisted by multiple wireless powered UAVs. IEEE Trans. Veh. Technol. 2019, 69, 2171–2184.
  30. Zhang, Y.; Mou, Z.; Gao, F.; Jiang, J.; Ding, R.; Han, Z. UAV-enabled secure communications by multi-agent deep reinforcement learning. IEEE Trans. Veh. Technol. 2020, 69, 11599–11611.
  31. Zhao, N.; Cheng, Y.; Pei, Y.; Liang, Y.C.; Niyato, D. Deep reinforcement learning for trajectory design and power allocation in UAV networks. In Proceedings of the ICC 2020–2020 IEEE International Conference on Communications (ICC), Dublin, Ireland, 7–11 June 2020; IEEE: Piscataway, NJ, USA, 2020; pp. 1–6. [Google Scholar]
  32. Zhu, M.; Liu, X.Y.; Walid, A. Deep reinforcement learning for unmanned aerial vehicle-assisted vehicular networks. arXiv 2019, arXiv:1906.05015. [Google Scholar]
  33. Wang, L.; Wang, K.; Pan, C.; Xu, W.; Aslam, N.; Nallanathan, A. Deep reinforcement learning based dynamic trajectory control for UAV-assisted mobile edge computing. IEEE Trans. Mob. Comput. 2021, 21, 3536–3550. [Google Scholar] [CrossRef]
  34. Fang, D.; Qiang, J.; Ouyang, X.; Zhu, Y.; Yuan, Y.; Li, Y. Collaborative Document Simplification Using Multi-Agent Systems. In Proceedings of the 31st International Conference on Computational Linguistics, Dhabi, UAE, 19–24 January 2025; pp. 897–912. [Google Scholar]
  35. Fang, D.; Qiang, J.; Zhu, Y.; Yuan, Y.; Li, W.; Liu, Y. Progressive Document-level Text Simplification via Large Language Models. arXiv 2025, arXiv:2501.03857. [Google Scholar]
  36. Tolpegin, V.; Truex, S.; Gursoy, M.E.; Liu, L. Data poisoning attacks against federated learning systems. In Proceedings of the Computer Security–ESORICs 2020: 25th European Symposium on Research in Computer Security, ESORICs 2020, Guildford, UK, 14–18 September 2020; Proceedings, part i 25. Springer: Berlin/Heidelberg, Germany, 2020; pp. 480–501. [Google Scholar]
  37. Jagielski, M.; Oprea, A.; Biggio, B.; Liu, C.; Nita-Rotaru, C.; Li, B. Manipulating machine learning: Poisoning attacks and countermeasures for regression learning. In Proceedings of the 2018 IEEE Symposium on Security and Privacy (SP), San Francisco, CA, USA, 21–23 May 2018; IEEE: Piscataway, NJ, USA, 2018; pp. 19–35. [Google Scholar]
  38. Kumar, K.N.; Mohan, C.K.; Machiry, A. Precision Guided Approach to Mitigate Data Poisoning Attacks in Federated Learning. In Proceedings of the Fourteenth ACM Conference on Data and Application Security and Privacy, Porto, Portugal, 19–21 June 2024; pp. 233–244. [Google Scholar]
  39. Sun, G.; Cong, Y.; Dong, J.; Wang, Q.; Lyu, L.; Liu, J. Data poisoning attacks on federated machine learning. IEEE Internet Things J. 2021, 9, 11365–11375. [Google Scholar] [CrossRef]
  40. Alharbi, E.; Marcolino, L.S.; Gouglidis, A.; Ni, Q. Robust federated learning method against data and model poisoning attacks with heterogeneous data distribution. In ECAI 2023; IOS Press: Amsterdam, The Netherlands, 2023; pp. 85–92. [Google Scholar]
  41. Cao, X.; Gong, N.Z. Mpaf: Model poisoning attacks to federated learning based on fake clients. In Proceedings of the IEEE/CVF Conference on Computer Vision and Pattern Recognition, New Orleans, LA, USA, 18–24 June 2022; pp. 3396–3404. [Google Scholar]
  42. Zhang, J.; Zhu, C.; Ge, C.; Ma, C.; Zhao, Y.; Sun, X.; Chen, B. Badcleaner: Defending backdoor attacks in federated learning via attention-based multi-teacher distillation. IEEE Trans. Dependable Secur. Comput. 2024, 21, 4559–4573. [Google Scholar] [CrossRef]
  43. Sun, J.; Li, A.; DiValentin, L.; Hassanzadeh, A.; Chen, Y.; Li, H. Fl-wbc: Enhancing robustness against model poisoning attacks in federated learning from a client perspective. Adv. Neural Inf. Process. Syst. 2021, 34, 12613–12624. [Google Scholar]
  44. Sun, S.; Sugrim, S.; Stavrou, A.; Wang, H. Partner in Crime: Boosting Targeted Poisoning Attacks against Federated Learning. IEEE Trans. Inf. Forensics Secur. 2025, 20, 4152–4166. [Google Scholar] [CrossRef]
  45. Liu, T.; Zhang, Y.; Feng, Z.; Yang, Z.; Xu, C.; Man, D.; Yang, W. Beyond traditional threats: A persistent backdoor attack on federated learning. In Proceedings of the AAAI Conference on Artificial Intelligence, Vancouver, BC, Canada, 26–27 February 2024; Volume 38, pp. 21359–21367. [Google Scholar]
  46. Wang, H.; Sreenivasan, K.; Rajput, S.; Vishwakarma, H.; Agarwal, S.; Sohn, J.Y.; Lee, K.; Papailiopoulos, D. Attack of the tails: Yes, you really can backdoor federated learning. Adv. Neural Inf. Process. Syst. 2020, 33, 16070–16084. [Google Scholar]
  47. Huang, S.; Li, Y.; Yan, X.; Gao, Y.; Chen, C.; Shi, L.; Chen, B.; Ng, W.W. Scope: On Detecting Constrained Backdoor Attacks in Federated Learning. IEEE Trans. Inf. Forensics Secur. 2025, 20, 3302–3315. [Google Scholar] [CrossRef]
  48. Wu, J.; Jin, J.; Wu, C. Challenges and countermeasures of federated learning data poisoning attack situation prediction. Mathematics 2024, 12, 901. [Google Scholar] [CrossRef]
  49. Blanchard, P.; El Mhamdi, E.M.; Guerraoui, R.; Stainer, J. Machine learning with adversaries: Byzantine tolerant gradient descent. Adv. Neural Inf. Process. Syst. 2017, 119–129. [Google Scholar]
  50. Zhang, G.; Liu, H.; Yang, B.; Feng, S. Dwama: Dynamic weight-adjusted mahalanobis defense algorithm for mitigating poisoning attacks in federated learning. Peer-to-Peer Netw. Appl. 2024, 17, 3750–3764. [Google Scholar] [CrossRef]
  51. Huang, S.; Li, Y.; Chen, C.; Shi, L.; Gao, Y. Multi-metrics adaptively identifies backdoors in federated learning. In Proceedings of the IEEE/CVF International Conference on Computer Vision, Paris, France, 1–6 October 2023; pp. 4652–4662. [Google Scholar]
  52. Jebreel, N.M.; Domingo-Ferrer, J. Fl-defender: Combating targeted attacks in federated learning. Knowl.-Based Syst. 2023, 260, 110178. [Google Scholar] [CrossRef]
  53. Pillutla, K.; Kakade, S.M.; Harchaoui, Z. Robust aggregation for federated learning. IEEE Trans. Signal Process. 2022, 70, 1142–1154. [Google Scholar] [CrossRef]
  54. Liu, J.; Li, X.; Liu, X.; Zhang, H.; Miao, Y.; Deng, R.H. DefendFL: A privacy-preserving federated learning scheme against poisoning attacks. IEEE Trans. Neural Netw. Learn. Syst. 2024, 36, 9098–9111. [Google Scholar] [CrossRef] [PubMed]
  55. Chen, H.Y.; Chao, W.L. On Bridging Generic and Personalized Federated Learning for Image Classification. In Proceedings of the International Conference on Learning Representations, Vienna, Austria, 4 May 2021. [Google Scholar]
  56. Chen, C.; Ye, T.; Wang, L.; Gao, M. Learning to generalize in heterogeneous federated networks. In Proceedings of the 31st ACM International Conference on Information & Knowledge Management, Atlanta, GA, USA, 17–21 October 2022; pp. 159–168. [Google Scholar]
  57. Xie, C.; Huang, K.; Chen, P.Y.; Li, B. Dba: Distributed backdoor attacks against federated learning. In Proceedings of the International Conference on Learning Representations, New Orleans, LA, USA, 6–9 May 2019. [Google Scholar]
  58. Hsu, T.M.H.; Qi, H.; Brown, M. Measuring the effects of non-identical data distribution for federated visual classification. arXiv 2019, arXiv:1909.06335. [Google Scholar]
  59. Fung, C.; Yoon, C.J.M.; Beschastnikh, I. The Limitations of Federated Learning in Sybil Settings. In Proceedings of the 23rd International Symposium on Research in Attacks, Intrusions and Defenses, RAID 2020, San Sebastian, Spain, 14–15 October 2020; USENIX Association: Berkeley, CA, USA, 2020; pp. 301–316. [Google Scholar]
  60. Ozdayi, M.S.; Kantarcioglu, M.; Gel, Y.R. Defending against backdoors in federated learning with robust learning rate. In Proceedings of the AAAI Conference on Artificial Intelligence, Virtual, 19–21 May 2021; Volume 35, pp. 9268–9276. [Google Scholar]
Figure 1. Federated learning-assisted UAV networks.
Figure 2. Framework of the proposed FedULite.
Figure 3. Statistical heterogeneity visualization with different values.
Figure 4. Statistical heterogeneity visualization with different values.
Figure 5. Comparison of different defenses under different ratios of malicious clients. (a) ASR on CSC attack; (b) ACC on CSC attack; (c) ASR on PGD attack; (d) ACC on PGD attack; (e) ASR on CCA attack; (f) ACC on CCA attack; (g) ASR on DBA attack; (h) ACC on DBA attack.
Figure 6. Comparison of different defenses under different number of clients. (a) ASR on MNIST dataset; (b) ACC on MNIST dataset; (c) ASR on F-MNIST dataset; (d) ACC on F-MNIST dataset; (e) ASR on CIFAR-10 dataset; (f) ACC on CIFAR-10 dataset.
Figure 7. Performance of different FedULite model structures.
Figure 8. Performance of FedULite under varying values of τ. (a) ASR; (b) ACC.
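Table 1. Performance comparison between FedULite and four SOTA defense methods.

| Datasets | Attack | No-Defense ASR | No-Defense ACC | FoolsGold ASR | FoolsGold ACC | Multi-Krum ASR | Multi-Krum ACC | RLR ASR | RLR ACC | FL-Defender ASR | FL-Defender ACC | FedULite ASR | FedULite ACC |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| MNIST | CSC | 87.33 | 82.08 | 8.45 | 80.26 | 4.71 | 80.33 | 6.72 | 82.49 | 75.54 | 79.58 | 1.97 | 92.08 |
| MNIST | PGD | 89.88 | 91.94 | 13.06 | 82.37 | 4.58 | 88.46 | 0.46 | 84.21 | 73.13 | 86.81 | 2.41 | 93.66 |
| MNIST | CCA | 91.59 | 92.58 | 12.87 | 82.29 | 4.12 | 87.49 | 4.16 | 88.75 | 86.12 | 82.55 | 0.67 | 90.43 |
| MNIST | DBA | 99.1 | 90.27 | 96.92 | 78.44 | 6.91 | 88.08 | 5.6 | 87.96 | 87.48 | 82.86 | 4.33 | 90.2 |
| F-MNIST | CSC | 79.06 | 82.54 | 6.8 | 81.6 | 3.89 | 80.34 | 5.1 | 81.44 | 4.35 | 80.16 | 0.25 | 90.74 |
| F-MNIST | PGD | 90.54 | 90.17 | 12.13 | 79.35 | 2.2 | 88.68 | 2.69 | 86.57 | 2.96 | 82.44 | 2.4 | 91.12 |
| F-MNIST | CCA | 90.56 | 94.34 | 9.5 | 81.42 | 2.86 | 89.17 | 4.68 | 84.56 | 2.57 | 84.63 | 1.63 | 88.16 |
| F-MNIST | DBA | 99.11 | 89.95 | 97.7 | 79.41 | 7.42 | 86.32 | 7.32 | 83.84 | 10.69 | 82.82 | 3.26 | 89.7 |
| CIFAR-10 | CSC | 77.34 | 87.93 | 10.97 | 78.39 | 2.14 | 81.37 | 10.1 | 81.53 | 14.9 | 80.25 | 1.72 | 83.96 |
| CIFAR-10 | PGD | 88.5 | 86.8 | 9.08 | 76.72 | 6.01 | 77.76 | 6.16 | 71.76 | 4.88 | 77.96 | 2.34 | 88.92 |
| CIFAR-10 | CCA | 94.87 | 83.27 | 8.8 | 80.46 | 2.53 | 82.51 | 7.59 | 81.03 | 66.82 | 79.68 | 1.11 | 86.42 |
| CIFAR-10 | DBA | 93.74 | 78.75 | 94.36 | 70.07 | 8.14 | 70.67 | 9.74 | 78.34 | 80.32 | 68.84 | 2.91 | 86.91 |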
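Table 2. Performance comparison between FedULite and four SOTA defenses on non-IID settings.

| Datasets | Setting | No-Defense ASR | No-Defense ACC | FoolsGold ASR | FoolsGold ACC | Multi-Krum ASR | Multi-Krum ACC | RLR ASR | RLR ACC | FL-Defender ASR | FL-Defender ACC | FedULite ASR | FedULite ACC |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| MNIST | α = 0.05 | 85.07 | 85.62 | 81.26 | 75.41 | 40.96 | 80.86 | 42.88 | 78.04 | 12.53 | 79.11 | 1.18 | 82.29 |
| MNIST | α = 0.1 | 89.58 | 87.22 | 87.55 | 79.36 | 22.59 | 81.96 | 27.24 | 81.42 | 8.29 | 79.7 | 3.44 | 88.47 |
| MNIST | α = 10 | 99.1 | 90.27 | 96.92 | 78.44 | 6.91 | 88.08 | 5.6 | 87.96 | 87.48 | 82.86 | 4.33 | 90.2 |
| E-MNIST | α = 0.05 | 81.5 | 66.46 | 80.45 | 64.26 | 35.31 | 60.37 | 39.66 | 62.77 | 7.27 | 62.39 | 1.54 | 65.86 |
| E-MNIST | α = 0.1 | 86.54 | 74.3 | 82.33 | 67.69 | 37.25 | 63.66 | 39.13 | 64.63 | 10.26 | 63.14 | 5.48 | 73.25 |
| E-MNIST | α = 10 | 95.25 | 75.09 | 88.23 | 68.82 | 17.67 | 72.51 | 2.94 | 72.79 | 6.19 | 70.61 | 3.48 | 73.7 |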
Table 3. Performance of FedULite using different components.

| Dataset | RAA-D FU ASR | RAA-D FU ACC | RAA-D RA ASR | RAA-D RA ACC | RAA-D ALL ASR | RAA-D ALL ACC | FedULite ASR | FedULite ACC |
|---|---|---|---|---|---|---|---|---|
| MNIST | 12.08 | 89.13 | 26.78 | 85.42 | 34.17 | 81.04 | 4.33 | 90.2 |
| F-MNIST | 14.37 | 86.61 | 32.02 | 84.45 | 43.55 | 80.13 | 3.26 | 89.7 |
| CIFAR-10 | 13.74 | 83.48 | 39.45 | 84.3 | 46.06 | 72.26 | 2.91 | 86.91 |
Table 4. The inversion ratio of the learning rate across different dimensions.

Columns 1–8 cover the Encoder and Predictor groups.

| Setting | 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 |
|---|---|---|---|---|---|---|---|---|
| a = 0.05 | 0.48 | 0.51 | 0.46 | 0.52 | 0.49 | 0.37 | 0.54 | 0.29 |
| a = 0.1 | 0.37 | 0.41 | 0.42 | 0.46 | 0.36 | 0.28 | 0.36 | 0.26 |
| a = 10 | 0.36 | 0.39 | 0.35 | 0.37 | 0.32 | 0.26 | 0.31 | 0.25 |
Table 5. Computational overhead of FedULite.

| Method | MobileNetV2 Average Training Time (seconds/epoch) | MobileNetV2 Memory Usage | ResNet50 Average Training Time (seconds/epoch) | ResNet50 Memory Usage |
|---|---|---|---|---|
| FedAvg | 0.85 | 20 MB | 3.71 | 90 MB |
| FL-Defender | 1.32 | 28 MB | 5.82 | 135 MB |
| FedULite | 0.91 | 22 MB | 4.05 | 96 MB |
Table 6. Performance of FedULite under different local epochs.

| Attack | Metric | No-Defense | E = 1 | E = 2 | E = 4 | E = 6 | E = 8 |
|---|---|---|---|---|---|---|---|
| CSC | ASR | 77.34 | 1.72 | 1.54 | 1.13 | 1.52 | 0.96 |
| CSC | ACC | 87.93 | 83.96 | 84.14 | 86.71 | 87.15 | 87.24 |
| PGD | ASR | 88.5 | 2.34 | 2.56 | 1.79 | 1.62 | 1.57 |
| PGD | ACC | 86.8 | 88.92 | 88.76 | 89.01 | 89.21 | 89.35 |
| CCA | ASR | 94.87 | 1.11 | 1.04 | 0.53 | 0 | 0 |
| CCA | ACC | 83.27 | 86.42 | 86.72 | 87.58 | 87.42 | 87.73 |
| DBA | ASR | 93.74 | 2.91 | 2.18 | 1.98 | 1.76 | 1.05 |
| DBA | ACC | 78.75 | 86.91 | 85.74 | 86.95 | 87.13 | 87.42 |
Table 7. Performance of FedULite under adaptive attack.

| Dataset (Adaptive Attack) | No-Defense ASR | No-Defense ACC | FedULite ASR | FedULite ACC |
|---|---|---|---|---|
| MNIST | 90.63 ± 0.98 | 90.18 ± 0.72 | 5.42 ± 1.32 | 90.72 ± 2.71 |
| F-MNIST | 88.92 ± 1.73 | 89.72 ± 1.89 | 3.58 ± 2.21 | 90.18 ± 1.98 |
| CIFAR-10 | 89.15 ± 2.15 | 83.24 ± 5.73 | 6.72 ± 1.54 | 88.74 ± 3.46 |
MDPI and ACS Style

Chen, L.; Zhai, W.; Bu, X.; Sun, M.; Zhu, C. A Lightweight Robust Training Method for Defending Model Poisoning Attacks in Federated Learning Assisted UAV Networks. Drones 2025, 9, 528. https://doi.org/10.3390/drones9080528
