This work addresses the challenge of simultaneously achieving secure aggregation and Byzantine robustness in federated learning by proposing a novel method that performs efficient Byzantine filtering directly in the encrypted domain. Leveraging the concept of attribute inference attacks for the first time in Byzantine detection, the approach employs a support vector machine–based meta-classifier to reweight and filter client updates under CKKS homomorphic encryption. To balance security and computational efficiency, the authors also introduce an automatic strategy for optimizing the CKKS kernel function and ciphertext dimensionality. Experimental results on FEMNIST, CIFAR-10, GTSRB, and acsincome datasets demonstrate that the method achieves Byzantine detection accuracy of 90%–94% with minimal degradation in model utility, while encrypted inference and aggregation incur overheads of only 6–24 seconds and 9–26 seconds, respectively.

Federated Learning (FL) aims to train a collaborative model while preserving data privacy. However, the distributed nature of this approach still raises privacy and security issues, such as the exposure of sensitive data due to inference attacks and the influence of Byzantine behaviors on the trained model. In particular, achieving both secure aggregation and Byzantine resilience remains challenging, as existing solutions often address these aspects independently. In this work, we propose to address these challenges through a novel approach that combines homomorphic encryption for privacy-preserving aggregation with property-inference-inspired meta-classifiers for Byzantine filtering. First, following the property-inference attacks blueprint, we train a set of filtering meta-classifiers on labeled shadow updates, reproducing a diverse ensemble of Byzantine misbehaviors in FL, including backdoor, gradient-inversion, label-flipping and shuffling attacks. The outputs of these meta-classifiers are then used to cancel the Byzantine encrypted updates by reweighting. Second, we propose an automated method for selecting the optimal kernel and the dimensionality hyperparameters with respect to homomorphic inference, aggregation constraints and efficiency over the CKKS cryptosystem. Finally, we demonstrate through extensive experiments the effectiveness of our approach against Byzantine participants on the FEMNIST, CIFAR10, GTSRB, and acsincome benchmarks. More precisely, our SVM filtering achieves accuracies between $90$% and $94$% for identifying Byzantine updates at the cost of marginal losses in model utility and encrypted inference runtimes ranging from $6$ to $24$ seconds and from $9$ to $26$ seconds for an overall aggregation.