More Works from Our Lab

SLADE: Shielding against Dual Exploits in Large Vision-Language Models

We introduce SheiLding against Dual Exploits (SLADE), a novel unsupervised adversarial fine-tuning scheme that enhances the resilience of CLIP-based vision encoders

CVPR 2025 (Main Track)
Towards Trustworthy Autonomous Vehicles with Vision-Language Models Under Targeted and Untargeted Adversarial Attacks

This paper rigorously examines the robustness of Vision-Language Models (VLMs) within AVs, emphasizing their resilience to both targeted and untargeted adversarial threats.

CVPR 2025 (Workshop)
Securing vision-language models with a robust encoder against jailbreak and adversarial attacks

In this paper, we propose a robust encoder that can be used to secure vision-language models against jailbreak attacks.

IEEE BigData 2024

When Data is Scarce, Learn to Adapt: Robust Federated Learning via Adversarial Meta-Optimization

Md Zarif Hossain, Awal Ahmed Fime, Ahmed Imteaj
Secure Prediction, Edge AI and Multimodal LLM (SPEED) Lab, Florida Atlantic University

CVPR 2026 (Findings Track)

Preprint and code will be available soon!

FAML achieves SOTA robustness with single adversarially trained client

Comparison of robust and clean accuracy on CIFAR10 and CIFAR100 with varying numbers of AT-performing clients in FAML. Notably, even with a single AT-performing client, FAML, even with a single AT-performing client, FAML attains robustness comparable to the full-AT setting while preserving higher clean accuracy.

t-SNE visualization

Abstract

Federated Learning (FL) enables collaborative model training without direct data sharing, but remains acutely vulnerable to adversarial perturbations. While recent efforts in Federated Adversarial Training (FAT) have adapted centralized adversarial defenses to the distributed setting, their performance significantly deteriorates under data scarcity and hardware heterogeneity, where clients possess varying computational capabilities. To address these limitations, we propose FAML (Federated Adversarial Meta-Learning), a novel FAT framework that leverages the fast adaptation capability of meta-learning to learn transferable robust priors in data-scarce and heterogeneous federated environments. FAML introduces two KL-based drift regularizers to mitigate client drift and employs an adaptive entropy-based mask that dynamically adjusts the regularization strength according to the confidence and correctness of the global model, ensuring stable convergence. Extensive experiments on four benchmark datasets demonstrate that FAML achieves state-of-the-art clean and robust performance while using only 20% of the training data and a single adversarially trained client under both IID and non-IID scenarios. Specifically, FAML improves robust accuracy by 2.34% ~ 22.81% under five adversarial attacks and reduces computation time per round by 3.5× compared to the best FAT baseline. Moreover, FAML achieves an average improvement of 31.76% in out-of-domain generalization while maintaining strong scalability.

Contributions

  • We propose FAML, a federated adversarial meta-learning framework designed for robust learning under data scarcity and client heterogeneity.
  • We show that a single adversarially trained client is sufficient to propagate robustness across the federation, removing the need for adversarial training at every client.
  • FAML achieves strong clean and robust performance using only 20% of the training data, enabling robust federated learning in highly data-scarce regimes.

Federated Adversarial Training & Client Drift

Federated meta-learning follows a bi-level optimization process (inner and outer updates). We first investigate where robustness regularization should be applied for maximum effectiveness under client heterogeneity. We compare two variants: applying robustness only during the outer update (FAMLquery) versus during both inner and outer updates (FAMLboth). As shown in the left figure, regularizing only the outer update is sufficient to achieve strong robust accuracy, while avoiding the extra computational cost of full bi-level adversarial training. We further analyze training stability. The right figure shows that FAML suffers from client drift across communication rounds with higher perturbation strength.

To address this issue, we propose a novel adaptive entropy-based mask and a KL-based drift regularizer to mitigate client drift and ensure stable convergence.

Robust Accuracy vs Attack Strength

Robust Accuracy vs. Attack Strength. Introducing robustness regularization during the outer update is sufficient to achieve strong robust accuracy.

Model Drift over Communication Rounds

Model Drift over Communication Rounds. Without any regularization, FAML suffers from significant client drift across communication rounds with higher perturbation strength.

Experimental Results

Clean and Robust Performance

We evaluate FAML against state-of-the-art federated adversarial training baselines across CIFAR10, SVHN, FMNIST, and CIFAR100 under multiple attack settings. FAML consistently achieves stronger clean and robust performance, demonstrating that a single adversarially trained client is sufficient for SOTA performance across the federation while requiring only 20% of the training data.

Main results comparison

Feature Representation Analysis

We visualize feature embeddings using t-SNE to examine class separability. Compared to prior FAT baselines, FAML produces more compact and well-separated clusters, indicating improved feature robustness and alignment across clients.

t-SNE visualization

Performance under data scarce scenario

Clean and PGD-20 robust accuracy of FAT methods on CIFAR10 and SVHN with varying training data ratios. FAML achieves SOTA performance even with only 20% of the training data.

t-SNE visualization

Scalability Performance

Clean and robust accuracy across different numbers of clients K = {10, 20, 50} on CIFAR10 and SVHN datasets under PGD-20 and AutoAttack (AA) at ϵ = 8/255. FAML consistently outperforms all baselines, demonstrating strong robustness and scalability

K-shot evaluation results

Non-IID vs IID Performance (β Analysis)

Under severe non-IID settings (β = 0.05) and IID conditions (β = 10), FAML maintains strong robustness and stability. The results show that our proposed approach achieves SOTA performance even in highly heterogeneous federated environments.

Non-IID vs IID results

Out-of-Domain Generalization

To evaluate transfer robustness, we test models trained on one dataset and evaluate on out-of-domain datasets. FAML demonstrates significantly stronger cross-domain robustness compared to prior methods, highlighting the effectiveness of transferable robust priors learned via meta-optimization.

Cross dataset evaluation

Funding

National Science Foundation Logo

This material is partly based upon work supported by the U.S. National Science Foundation (NSF) under Grant No. CRII-IIS-RI-2553868. Any opinions, findings, and conclusions or recommendations expressed in this material are those of the author(s) and do not necessarily reflect the views of the NSF.

BibTeX

Coming soon