Byzantine-robust federated learning

What is claimed is: 1. A federated learning method by a federated learning aggregator, comprising: creating a log of previously provided gradients from a plurality of workers; issuing queries to the plurality of workers, wherein the queries include current parameters for a global machine learning model; receiving updated gradients from the plurality of workers; maintaining the log within a predetermined maximum log size of past collected gradients from the plurality of workers, wherein the federated learning aggregator adds current gradients to the log and removes oldest gradients from the log to keep a current log size of the log less than the predetermined maximum log size; calculating a vulnerability weight for each layer of the global machine learning model using the updated gradients; calculating an average of the previously provided gradients; multiplying the average of the previously provided gradients by one minus the layer's vulnerability weight to generate a weighted average; multiplying the updated gradients by each layer's vulnerability weight to generate re-weighted gradients; adding the re-weighted gradients to the weighted average to calculate an aggregated gradient; and updating the global machine learning model using the aggregated gradient. 2. The method of claim 1 , further comprising determining whether a Byzantine attack is occurring based upon the calculated aggregated gradient. 3. The method of claim 1 , further comprising periodically updating the vulnerability weight for each layer of the global machine learning model. 4. The method of claim 1 , further comprising calculating a robustness factor for a plurality of layers in the global machine learning model, wherein calculating the robustness factor comprises: calculating, for each layer in the global machine learning model, an L2 norm across the previously provided gradients and the updated gradients; calculating, for each layer in the global machine learning model, a standard deviation of each layer's L2 norms from each round; and determining the weight factor for each layer using the normalized reciprocals of the calculated standard deviations. 5. The method of claim 1 , wherein the global machine learning model is updated with a gradient descent step using the aggregated gradient. 6. The method of claim 1 , further comprising identifying a layer in the global machine learning model that is relatively more vulnerable to Byzantine attacks. 7. The method of claim 1 , further comprising filtering outlier gradients. 8. A computer program product for a federated learning aggregator, the computer program product comprising: a computer readable storage medium having program instructions embodied therewith, the program instructions executable by a processor to cause the processor to: create a log of previously provided gradients from workers; issuing queries to the workers, wherein the queries include current parameters for a global machine learning model; receive updated gradients from the workers; maintaining the log within a predetermined maximum log size of past collected gradients from the plurality of workers, wherein the federated learning aggregator adds current gradients to the log and removes oldest gradients from the log to keep a current log size of the log less than the predetermined maximum log size; calculate a vulnerability weight for each layer of the global machine learning model using the updated gradients; reconfigure respective gradients from the workers individually based on the vulnerability weights; calculate an aggregated gradient by averaging the reconfigured gradients from the workers; and updating the global machine learning model using the aggregated gradient. 9. A federated learning aggregator comprising a processor and a memory coupled with and readable by the processor, wherein the memory stores program instructions which when executed by the processor cause the processor to: create a log of previously provided gradients from a plurality of workers; issuing queries to the plurality of workers, wherein the queries include current parameters for a global machine learning model; receive updated gradients from the plurality of workers; compute a respective robustness factor for layers in the global machine learning model by using the updated gradients and the previously provided gradients retrieved from the log, wherein the respective robustness factor is computed via: calculating, for each layer in the global machine learning model, an L2 norm across the previously provided gradients and the updated gradients; calculating, for each layer in the global machine learning model, a standard deviation of each layer's L2 norms from each round; and determining the respective robustness factor for each layer using the normalized reciprocals of the calculated standard deviations; calculating a vulnerability weight for each layer of a global machine learning model using the updated gradients; calculating an aggregated gradient using the vulnerability weight and the updated gradients; and updating the global machine learning model using the aggregated gradient. 10. The federated learning aggregator of claim 9 , further comprising instructions to determine whether a Byzantine attack is occurring based upon the calculated aggregated gradient. 11. The federated learning aggregator of claim 9 , further comprising instructions to maintain the log within a predetermined maximum log size of past collected gradients from the plurality of workers, wherein: the federated learning aggregator adds current gradients to the log; and the federated learning aggregator removes oldest gradients from the log to keep a current log size of the log less than the predetermined maximum log size. 12. The federated learning aggregator of claim 9 , further comprising instructions to periodically update the vulnerability weight for each layer of the global machine learning model. 13. The federated learning aggregator of claim 9 , wherein calculating the robustness factor comprises: calculating, for each layer in the global machine learning model, a standard deviation of each layer's L2 norms from each round; and determining the weight factor for each layer using a normalized reciprocals of the calculated standard deviations.