To address the robustness challenge in federated learning under unknown Byzantine attacks and uncertain numbers of malicious clients, this paper proposes an attack-agnostic hybrid defense framework. Methodologically, it introduces (1) a novel client heterogeneity–based modeling approach to assess attacker capability; (2) Trapsetter—a newly designed stealthy poisoning attack that exposes the fundamental vulnerability of existing defenses under covert corruption; and (3) a unified aggregation paradigm balancing average-case performance and worst-case security, integrating adaptive client scheduling with multi-strategy hybrid aggregation. Experiments demonstrate that the framework significantly enhances robustness across diverse Byzantine attack benchmarks and maintains stable convergence even under high poisoning ratios. Moreover, Trapsetter reduces test accuracy of mainstream defenses by an additional 8–10%, empirically validating both the necessity and effectiveness of the proposed defense.

Federated learning (FL) enables multiple clients to collaboratively train a global model without sharing their local data. Recent studies have highlighted the vulnerability of FL to Byzantine attacks, where malicious clients send poisoned updates to degrade model performance. Notably, many attacks have been developed targeting specific aggregation rules, whereas various defense mechanisms have been designed for dedicated threat models. This paper studies the resilience of an attack-agnostic FL scenario, where the server lacks prior knowledge of both the attackers' strategies and the number of malicious clients involved. We first introduce a hybrid defense against state-of-the-art attacks. Our goal is to identify a general-purpose aggregation rule that performs well on average while also avoiding worst-case vulnerabilities. By adaptively selecting from available defenses, we demonstrate that the server remains robust even when confronted with a substantial proportion of poisoned updates. To better understand this resilience, we then assess the attackers' capability using a proxy called client heterogeneity. We also emphasize that the existing FL defenses should not be regarded as secure, as demonstrated through the newly proposed Trapsetter attack. The proposed attack outperforms other state-of-the-art attacks by further reducing the model test accuracy by 8-10%. Our findings highlight the ongoing need for the development of Byzantine-resilient aggregation algorithms in FL.