Existing federated unlearning (FU) methods rely on client cooperation to mitigate model poisoning attacks caused by colluding malicious clients in federated learning, rendering them ineffective in non-cooperative adversarial settings. Method: We propose a client-agnostic, efficient FU framework that jointly measures weight magnitude and update-direction divergence to precisely identify malicious clients; it then applies a pruning-based strategy to zero out high-magnitude anomalous parameters, selectively nullifying their influence without global retraining. Contribution/Results: Our approach significantly reduces computational and storage overhead. Experiments demonstrate robust defense against label-flipping and backdoor attacks under both IID and Non-IID data distributions: malicious-sample accuracy is suppressed to near-from-scratch training levels, while benign performance is preserved. Moreover, it achieves substantial speedup over state-of-the-art FU methods, establishing new efficiency–robustness trade-offs in federated unlearning.

Federated Learning (FL) can be vulnerable to attacks, such as model poisoning, where adversaries send malicious local weights to compromise the global model. Federated Unlearning (FU) is emerging as a solution to address such vulnerabilities by selectively removing the influence of detected malicious contributors on the global model without complete retraining. However, unlike typical FU scenarios where clients are trusted and cooperative, applying FU with malicious and possibly colluding clients is challenging because their collaboration in unlearning their data cannot be assumed. This work presents FedUP, a lightweight FU algorithm designed to efficiently mitigate malicious clients' influence by pruning specific connections within the attacked model. Our approach achieves efficiency by relying only on clients' weights from the last training round before unlearning to identify which connections to inhibit. Isolating malicious influence is non-trivial due to overlapping updates from benign and malicious clients. FedUP addresses this by carefully selecting and zeroing the highest magnitude weights that diverge the most between the latest updates from benign and malicious clients while preserving benign information. FedUP is evaluated under a strong adversarial threat model, where up to 50%-1 of the clients could be malicious and have full knowledge of the aggregation process. We demonstrate the effectiveness, robustness, and efficiency of our solution through experiments across IID and Non-IID data, under label-flipping and backdoor attacks, and by comparing it with state-of-the-art (SOTA) FU solutions. In all scenarios, FedUP reduces malicious influence, lowering accuracy on malicious data to match that of a model retrained from scratch while preserving performance on benign data. FedUP achieves effective unlearning while consistently being faster and saving storage compared to the SOTA.