AI Summary
To address the challenge of detecting backdoor attacks under non-IID data in edge federated learning, this paper proposes FeRA, a lightweight, unsupervised, and model-agnostic defense mechanism. FeRA introduces a novel Federated Representational Attention mechanism that captures correlations among clients' internal feature representations; it scores malicious clients via representation reconstruction error, requiring no labels, prior knowledge of attack patterns, or assumptions about global model architecture. Its low computational overhead ensures compatibility with resource-constrained edge devices, and it is integrated into the aggregation phase to form an end-to-end defense framework. Extensive experiments across diverse non-IID edge settings demonstrate that FeRA reduces backdoor attack success rates to near zero while incurring negligible main-task accuracy degradation (<0.5%). The method exhibits strong robustness and practical deployability in real-world edge federated learning systems.
Abstract
Federated learning (FL) enhances privacy and reduces communication cost for resource-constrained edge clients by supporting distributed model training at the edge. However, the heterogeneous nature of such devices produces diverse, non-independent and identically distributed (non-IID) data, making the detection of backdoor attacks more challenging. In this paper, we propose a novel federated representative-attention-based defense mechanism, named FeRA, that leverages cross-client attention over internal feature representations to distinguish benign from malicious clients. FeRA computes an anomaly score based on representation reconstruction errors, effectively identifying clients whose internal activations significantly deviate from the group consensus. Our evaluation demonstrates FeRA's robustness across various FL scenarios, including challenging non-IID data distributions typical of edge devices. Experimental results show that it effectively reduces backdoor attack success rates while maintaining high accuracy on the main task. The method is model-agnostic, attack-agnostic, and does not require labeled reference data, making it well suited to heterogeneous and resource-limited edge deployments.
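The scoring idea in the abstract (rebuild each client's representation from the other clients via attention, then treat a large reconstruction error as an anomaly) can be sketched as follows. This is an added illustration, not the paper's algorithm or code: the one-vector-per-client summary, the cosine-softmax attention with temperature `tau`, the median/MAD threshold `k`, and all function names and sample values are assumptions made here.

```python
import math
from statistics import median

def _cos(a, b):
    """Cosine similarity of two equal-length vectors."""
    dot = sum(x * y for x, y in zip(a, b))
    na, nb = math.hypot(*a), math.hypot(*b)
    return dot / (na * nb) if na and nb else 0.0

def reconstruction_errors(reps, tau=0.1):
    """Rebuild each client's vector from the other clients with softmax
    attention over cosine similarity; return the L2 error per client."""
    errors = []
    for i, r in enumerate(reps):
        others = [v for j, v in enumerate(reps) if j != i]
        logits = [_cos(r, v) / tau for v in others]
        top = max(logits)  # subtract the max for numerical stability
        exps = [math.exp(l - top) for l in logits]
        z = sum(exps)
        recon = [sum(e / z * v[k] for e, v in zip(exps, others))
                 for k in range(len(r))]
        errors.append(math.dist(r, recon))
    return errors

def flag_outliers(errors, k=3.0):
    """Flag clients whose error exceeds the median by more than k MADs."""
    med = median(errors)
    mad = median([abs(e - med) for e in errors]) or 1e-12
    return [i for i, e in enumerate(errors) if (e - med) / mad > k]

# Constructed sample: one summary vector per client (assumed to be mean
# activations on a shared probe batch). Clients 0-4 drift mildly, as
# non-IID benign clients would; client 5 is a constructed outlier.
REPS = [
    [1.00, 0.20, 0.10, 0.00],
    [0.90, 0.30, 0.10, 0.05],
    [1.10, 0.10, 0.20, 0.00],
    [0.95, 0.25, 0.05, 0.10],
    [1.05, 0.15, 0.15, 0.05],
    [0.30, 0.20, 0.10, 1.50],
]

if __name__ == "__main__":
    errs = reconstruction_errors(REPS)
    print([round(e, 3) for e in errs], flag_outliers(errs))
```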