Problem formulation.

In the federated learning setting, there are K clients forming the set and a central server . Each client c_i possesses a private dataset with data distribution , where client data distributions are non-identically distributed (Non-IID). The global model parameters are denoted by , where d is the parameter dimensionality. The core objective of federated learning is to minimize the weighted empirical risk:

(1)

where, denotes the local empirical risk, is the loss function, and is the total data volume.

(1) Privacy Constraint

Suppose an adversary attempts to reconstruct raw data by observing the uploaded gradient updates from clients. The privacy objective is formally defined as follows: for any client c_i’s update , the mechanism must guarantee -differential privacy. Specifically, for any neighboring datasets , and any output subset :

(2)

Where, is the privacy mechanism, is the privacy budget, and is the failure probability threshold that upper-bounds the probability of the mechanism violating differential privacy.

(2) Model-Utility Constraint

Let denote the loss value at the global empirical risk minimizer. The model utility constraint requires:

(3)

Where, is the model after T training rounds, is the target accuracy-loss threshold for the relative deviation, and division by zero is avoided under standard convexity assumptions.

(3) Communication Efficiency Constraint

The communication overhead, denoted by , is defined as the cumulative volume of transmitted data over all training rounds:

(4)

where, is the subset of clients participating in round t, is a compression operator applied to client gradient updates to reduce data transmission volume, denotes the L₀-norm (counting non-zero elements);The aggregated overhead must satisfy , where is a predefined bandwidth budget.

Threat model.

In the federated learning system, we consider semihonest adversaries who faithfully follow protocol specifications but attempt to steal private information from observed messages. The adversary roles are defined as the set , where their attack capabilities and objectives are summarized in Table 1 (x denotes raw input; x^* denotes reconstructed data).

Download:

• PPT
  PowerPoint slide
• PNG
  larger image
• TIFF
  original image

Table 1. Formal definition of threat models.

https://doi.org/10.1371/journal.pone.0338822.t001

Next, conduct modeling of the key attack methods.

(1) Gradient Inversion Attack

The adversary reconstructs the original input data x^* through iterative optimization. The objective function is:

(5)

Where, is an image-prior regularizer that steers the reconstruction toward natural-image statistics, and is the observed gradient. Because shallow-layer gradients leak high-frequency features, they provide exploitable information for gradient inversion.

(2) Membership-Inference Attack

A shadow model is built to decide whether a sample x^* belongs to the client’s training set. The probability is . Where, is a discriminator that judges sample membership, and is the Sigmoid function mapping the output to the probability space (0,1). The attack success rate correlates positively with the severity of model overfitting; stronger overfitting facilitates the leakage of membership information.

(3) Attribute-Inference Attack

For label-excluded sensitive attributes , inference is performed as follows:

(6)

Where, is an attribute-inference model learning correlations between gradients and sensitive attributes, and are pre-trained parameters. By leveraging statistical dependencies between gradients and attributes, the model infers the sensitive attribute.

Core challenge: The privacy -utility -communication “Impossible Triangle”.

In federated learning, the system must jointly optimize three conflicting objectives-privacy protection, model utility, and communication overhead—that form an “impossible triangle” of mutual restriction. The optimization goal is formulated as:

(7)

(8)

Where, denotes the system policy, is the privacy loss, is utility loss (not model-utility loss), and is the communication overhead. Threat-model analysis reveals a three-dimensional trade-off manifested in:

(1) Quantified Privacy -Utility Conflict

To fundamentally understand and overcome the “privacy-utility-communication” impossibility triangle, we first derive a precise privacy-utility trade-off limit for federated learning.

Theorem 2.1 (Privacy -Utility Lower Bound). For any -differentially private mechanism applied to federated learning, the utility loss is ower-bounded by:

(9)

Where, L is the gradient Lipschitz constant, G is the gradient-norm upper bound, K is the client count, and T is the global round count. This result establishes that stronger privacy protection () inevitably incurs greater utility loss (), revealing a fundamental tension between these objectives.

Proof sketch: Building on the “trilemma” framework of Chen et al. [26] and employing the convergence analysis technique of Gu et al. [27], we compound the privacy budget over T rounds. The total variance grows as T^1/3, while the required Gaussian noise scale is proportional to . Combining these two effects yields the stated lower bound.

Design Implication: Theorem 2.1 demonstrates that any static noise injection significantly compromises either privacy or utility. Motivated by this limitation, AONC introduces Progress-Aware Noise Decay (PAND): larger noise is injected initially to ensure strong privacy, then exponentially decayed as the model converges. This approach follows the Pareto frontier characterized by Theorem 2.1, achieving a better overall trade-off than any fixed noise-injection strategy.

(2) Implicit Communication-Privacy Coupling

To reduce communication overhead, federated learning employs compression techniques [28] such as Top-K sparsification. The effective privacy leakage satisfies:

(10)

where, is the count of non-zero gradient entries, and d is the parameter dimension, is the gradient update vector. This equation demonstrates that compression reduces the volume of transmitted data(lowering communication cost), but simultaneously exacerbates privacy leakage by (), thereby diminishing the actual privacy-preserving efficacy. Consequently, communication efficiency and privacy protection exhibit implicit coupling.

(3) Resource Paradox

Performance-Communication Trade-offs under Non-IID Data Under a non-IID data distribution, model convergence rounds require communications T satisfying:

(11)

where B is the batch size, is the Learning rate, is the degree of data heterogeneity, and is an optimization-algorithm-dependent parameter. This inequality proves that data heterogeneity forces longer convergence. Under finite computational-/communication resources, simultaneously maximizing utility and minimizing overhead is infeasible—revealing a resource-allocation paradox.

The foregoing analysis reveals that privacy, utility, and communication are deeply interconnected. This raises a fundamental question: can all three be optimized simultaneously? Lemma 2.1, which serves as a theoretical summary of this paper, proves that this is impossible under strict constraints.

Lemma 2.1 (Infeasibility of the privacy-utility-communication trilemma). For any federated learning system that simultaneously requires:

• Strict -differential privacy
• Utility loss
• Communication cost

the three objectives are mutually exclusive when the performance targets are too stringent (i.e., and ):

(12)

where is the minimal communication threshold and denotes all possible algorithmic policies.

Proof sketch: This lemma follows as a corollary of Theorem 2.1 (privacy-utility lower bound) and Eq (10) (communication-privacy coupling). We proceed by contradiction: assume there exists a policy that simultaneously attains all three limits. Then, as , would inevitably violate the lower bound established in Theorem 2.1. At the same time, the same would contradict Eq (10), which implies that communication compression increases the effective privacy leakage . Therefore, such an ideal does not exist.

Implication: Lemma 2.1 demonstrates that optimizing a single objective under stringent limits is unattainable. Consequently, DualMask does not abandon AONC; instead, it uses AONC in conjunction with D3QN and PSO to dynamically adjust noise, resource allocation, and aggregation weights in real time, thereby circumventing theoretical impossibility and simultaneously improving privacy, utility, and communication.

DualMask coordinates a trilevel closed-loop collaboration: clients utilize AONC to dynamically adjust noise injection, balancing the trade-off between utility loss and privacy loss (); the server employs a D3QN-based resource allocator to reallocate resources in real time, mitigating the conflict between utility loss and communication cost − ; and a metaheuristic feature aggregator compresses and aligns features via PSO-driven fusion, detecting and removing implicit − − overheads. Operating as a closed-loop coordination mechanism, these components synergistically shift the Pareto frontier outward, enabling Pareto improvements in privacy protection (lower ), computational efficiency (higher FLOPs/utilization), and communication cost (lower ), thereby resolving the fundamental “impossible triangle” constraint.

Layer-wise adaptive EMA clipping.

Gradient clipping is a fundamental operation in differential privacy (DP) to control gradient sensitivity for effective noise perturbation [32]. However, fixed global clipping ignores the inherent heterogeneity of gradient behaviors across different layers in deep neural networks [33]. Shallow layers typically exhibit larger gradient norms, carrying rich low-level feature information but being more vulnerable to inversion attacks. In contrast, deep layers tend to have smaller norms, where their directional consistency is critical for model convergence. Using a single clipping threshold excessively truncates shallow gradients, sacrificing essential semantic information, while insufficiently constraining deep gradients, leading to inefficient use of the privacy budget or inadequate protection. Moreover, gradient norms dynamically change across training phases.

To address these issues, AONC introduces layer-adaptive exponential moving average (EMA) clipping, which dynamically adjusts the clipping threshold for each layer based on their gradient statistics over time.

(13)

Here, is the raw gradient of layer l on client i at round t. is the updated clipping threshold, and is the smoothing factor. Clipping preserves gradient direction while bounding its magnitude:

(14)

This method assigns layer-specific clipping thresholds, adapting to gradient heterogeneity across layers. By applying EMA normalization, it smooths gradient norms and dynamically tracks their variations over time. Thanks to its negligible computational overhead, it is well-suited for deployment on resource-constrained edge devices. Moreover, by maintaining bounded gradient norms, it ensures compatibility with noise injection mechanisms, effectively mitigating the privacy-utility trade-off—often referred to as the “seesaw effect.”

Progress-aware noise attenuation.

After clipping gradients to control their sensitivity, the introduction of carefully calibrated noise becomes critical for enforcing strict privacy guarantees. However, existing approaches predominantly adopt static noise strategies (e.g., a fixed scale per round), which fail to adapt to the dynamic requirements throughout the training lifecycle. In the early stages, model representations remain unstable, and gradients carry high-density raw data signals. Insufficient noise fails to counter inversion attacks (e.g., gradient reconstruction), escalating privacy risks. As training progresses and the model begins to converge, gradient norms decrease, leading to a reduction in informative signal content. Excessive static noise then becomes the primary source of error, slowing convergence and degrading fine-grained feature learning—resulting in a dual dilemma: inadequate protection and unnecessary utility loss [34]. To achieve a training-progress-dependent equilibrium between privacy and utility, AONC proposes the Progress-Aware Noise Attenuation (PAND) framework. Its core principle is that noise should decay dynamically in alignment with the gradual reduction of gradient information over time.

(15)

Where is the initial noise scale at layer l, A_t is the global validation accuracy (progress indicator, ); a high A_t indicates convergence. is the decay strength hyperparameter. is a layer-dependent modulator for noise baselines (e.g., boosting protection for vulnerable shallow layers). Noise is injected as follows: . The mechanism, driven by the training progress A_t as its core, dynamically scales down the noise magnitude via exponential decay as the model approaches convergence. This strategy ensures robust privacy protection during the early stages while preventing convergence slowdown caused by excessive noise interference in later stages. Crucially, it couples in real time with the model states, minimizing cumulative noise bias to accelerate convergence. With negligible computational overhead for noise scaling adjustments, it naturally supports edge deployment, achieving cooptimization of privacy guarantees and convergence efficiency.

Directional noise injection.

Cropping and scale adaptation address the issue of noise magnitude constraints; however, traditional isotropic noise contaminates all gradient directions, including those critical for model optimization. This contamination increases training difficulty and leads to performance degradation [35].

AONC decomposes noise into two components: a parallel component that preserves gradient directions effective for optimization, and an orthogonal component that disrupts sensitive information. It dynamically adjusts the mixing ratio to concentrate most of the noise energy in the subspace orthogonal to the true gradient direction. First, to maximally interfere with adversarial models, orthogonal noise leaves the primary gradient direction unchanged while significantly distorting orthogonal subspaces, thereby greatly increasing the difficulty of data reconstruction for attackers. Second, by minimizing contamination of gradient directions that are effective for optimization, it preserves the efficacy of model updates. The steps for constructing directional noise are as follows:

(1) Compute the effective gradient direction: Normalize the clipped gradient as .

(2) Noise decomposition (separating parallel and orthogonal components): Generate a base Gaussian noise vector , which is then projected and decomposed into: Parallel component (aligned with the gradient direction), and the orthogonal component − is perpendicular to the gradient direction. Critically, the parallel component has minimal impact on model convergence but provides weak privacy protection, whereas the orthogonal component disrupts statistical features to effectively suppress inversion attacks.

(3) Directional Reshaping (Dynamic Scheduling of Noise Component Ratios): Under the energy conservation constraint (), reshape the noise direction by defining . The default parameters are k₁ = 0, k₂ = 1, yielding . Dynamically adjust the ratio using a Sigmoid activation scaled by training progress t, increasing the weight of in later stages to accelerate model convergence.

(4) Generate Protected Gradient: Inject directional noise into the clipped gradient using  +  n_dnl, producing an output gradient that preserves the primary optimization direction. The orthogonal noise significantly enhances attack resistance.

The mechanism enhances privacy protection by amplifying orthogonal noise and suppressing parallel noise to minimize utility loss, all while maintaining computational complexity of O(d). Through layer-adaptive EMA clipping, progress-aware noise attenuation, and directional noise injection, AONC generates privacy-enhanced optimization gradients that enable high-efficiency, high-accuracy global model aggregation.

Computing resources dynamic allocation.

The D3QN algorithm enables dynamic scheduling of computing resources through a two-level cooperative mechanism, encompassing three key components: state space design, action space design, and reward function design.

(1) State-Space Design

The environmental state vector S_t integrates multidimensional information, including device states, data distribution characteristics, and model states.

Device states are composed of , which correspond to real-time metrics of CPU utilization, memory usage, instantaneous bandwidth, and remaining battery level. These metrics reflect hardware resource availability and energy consumption.

Data distribution characteristics are represented as , where denotes the size of the local dataset for client i (i.e., the number of samples), and represents the label skewness. Label skewness is quantified using the Kullback-Leibler divergence, which measures the discrepancy between the local label distribution P_i(y) and the global distribution P_global(y).

Model states consist of , representing the mean of local loss gradients and the L₂-norm of gradients after AONC pruning, respectively. These components characterize gradient information during model training [13,14]. The final state space is formally defined as follows:

(16)

(2) Action Space Design

The scheduler outputs a joint decision vector A_t each round, consisting of the following three types of actions:

Client Selection: is a binary indicator denoting whether client c_i participates in the current training round. Computing Resource Allocation: represents the proportion of CPU cores allocated to client c_i.

Bandwidth Reservation Weight: is a priority weight that controls the precedence of a client’s data upload.

The action space is defined as . Where K is the total number of clients. Concurrently, actions must satisfy server resource constraints: , where denotes the total CPU cores available on the server, and represents the aggregate bandwidth capacity of the server.

(3) Reward Function Design

The composite reward function incorporates time-variant costs and asymptotic objectives, formulated as:

(17)

The communication latency penalty term aims to reduce the per-round duration T_round, and is expressed as , where denotes the penalty coefficient. The model convergence gain term promotes the selection of high-efficiency clients to accelerate model convergence. it is defined as − , where represents the gain coefficient, and and are the loss function values of the global model and the current-round model, respectively. The fairness adjustment term prevents resource monopolization while ensuring the participation of resource-constrained devices. it is expressed as , where serves as the fairness coefficient. Var(.) denotes the variance operator, which measures the equity of resource allocation.

(4) D3QN Decision Mechanism The D3QN algorithm employs the Dueling D3QN network architecture to decouple the state value V(S) and the action advantage A(S, A), with its Q-value function expressed as:

(18)

where is the size of the action space. This architecture enables more precise evaluation of the values of different state-action pairs. In distributed training, N synchronously updating agents (Actors) are deployed, each responsible for scheduling tasks within a sub-cluster. The target network adopts a periodic synchronization strategy, with the update formula:. Here, is the soft update coefficient for the target network. A small ensures smoother updates of the target network, enhancing training stability. To accelerate policy convergence, a prioritized experience replay mechanism is utilized. Sampling is based on the TD error , with the sampling probability given by:

(19)

where is a very small value to prevent probabilities from reaching zero, and is a parameter adjusting the influence level of priorities.

Through a triple-aware state representation—incorporating resources, data, and models—and a reward design focused on global convergence, the D3QN algorithm significantly reduces the dropout rate of weak devices (improving participation fairness) while decreasing per-round communication latency. This provides high-quality input gradient sets for subsequent PSO feature fusion.

PSO feature fusion module.

Traditional FedAvg employs a static weight aggregation strategy [37], where the aggregation weight w_i is directly proportional to the client data volume . Under non-IID data conditions, this approach causes the global model to skew toward clients with dominant classes, thereby degrading generalization performance. To address this bias, we introduce a PSO feature fusion module that enables optimized model aggregation through dynamic weighting:

(1) Particle Encoding and Search Space

Each particle is defined as a weight vector , where represents the weight allocation ratio of the j-th particle to the i-th particle to the must hold.

The initial particle population is generated by injecting a Gaussian perturbation into FedAvg weights: . Here, denotes a truncated normal distribution, and controls perturbation variance to enhance population diversity.

(2) Fitness Function Design

The fitness function evaluates the quality of the global model corresponding to particle :

(20)

Where f is the model’s prediction distribution, is an indicator function (1 if the condition is true, 0 otherwise), and is a penalty coefficient balancing validation accuracy and KL divergence between client models to prevent overfitting to specific clients [14].

(3) Particle Update Rules

Particles update their velocities and positions based on their individual historical best (pbest_j)and the global best (gbest). The update formulas are as follows:

Velocity Update:

(21)

Position Update:

(22)

Where is the inertia factor, used to balance the global exploration and local exploitation abilities of particles. and are learning rates that control the step sizes at which particles move toward the individual optimal and global optimal positions, respectively. are random numbers from a uniform distribution. is a projection operation that ensures the particle positions satisfy the weight renormalization constraint.

(4) Ensemble Aggregation Mechanism

Optimal Particle Aggregation: In each iteration, the weights corresponding to the global best particle, gbest, are selected as the formal aggregation weights to achieve the current optimal model fusion.

Soft Voting Mechanism: To prevent the algorithm from becoming trapped in local optima, if there is no significant improvement in gbest for G consecutive iterations, the weights of the top M particles with the highest fitness values are summed and averaged. The formula is:

(23)

Where , which reflects the importance of different particles. In terms of collaborative advantages, the PSO fusion module and D3QN establish a closed-loop collaborative relationship: D3QN is responsible for selecting high-value clients to ensure that the input gradients exhibit good diversity and quality; PSO uses these gradients to optimize the weights and correct the Non-IID deviation; and the performance of the aggregated model is fed back into the reward function of D3QN, thereby promoting optimization in the next round of scheduling.

Analysis of model effectiveness and convergence.

To evaluate the comprehensive performance of DualMask in terms of model accuracy and convergence efficiency, experiments were conducted to compare its advantages under both IID and Non-IID data distributions.

(1) Accuracy-Driven Effectiveness Analysis

Table 2 presents the final accuracy of various methods on the CIFAR-10, CIFAR-100, and Shakespeare test sets (task details: ResNet-18 for CIFAR datasets and a two-layer LSTM for Shakespeare). The data distributions include IID and Non-IID (Dirichlet and role-based partitioning).

Download:

• PPT
  PowerPoint slide
• PNG
  larger image
• TIFF
  original image

Table 2. Final accuracy of various methods on CIFAR and Shakespeare test sets under IID and Non-IID data distributions.

https://doi.org/10.1371/journal.pone.0338822.t002

(2) Convergent Dynamic Characteristics Analysis

To emphasize the benefits in training efficiency, Fig 3 shows the test accuracy progression across 500 communication rounds for different methods on the CIFAR-100 dataset in a Non-IID setting.

Download:

• PPT
  PowerPoint slide
• PNG
  larger image
• TIFF
  original image

Fig 3. Convergence dynamics comparison of federated learning methods on CIFAR-100 under Non-IID data distribution.

(A) Convergence Efficiency: DualMask (green solid line) achieves 50% accuracy in 210 rounds, requiring 34.4% fewer rounds than FedAvg (320 rounds) and 27.6% fewer rounds than DeltaMask (290 rounds), respectively—while exhibiting 38% lower variance. (B) Training Stability: Whereas FedAvg fluctuates by 2.1% after 400 rounds, DualMask maintains a 0.7% deviation through AONC with progress-aware attenuation (). (C) System Optimization: D3QN scheduling increases low-power device participation from 62% to 89% and reduces the average round time by 28%, thereby accelerating convergence.

https://doi.org/10.1371/journal.pone.0338822.g003

Privacy protection strength verification.

To comprehensively evaluate the privacy protection capability of the DualMask framework, this experiment adopts a triple verification mechanism: theoretical privacy budget analysis (based on Rényi Differential Privacy), gradient inversion attack reconstruction experiments, and membership inference/attribute inference attack testing. Specifically, all experiments were conducted on the CIFAR-10 dataset under a Non-IID setting, with comparison baselines including FedAvg, DP-SGD, DeltaMask, and FlashMask.

(1) Privacy Budget (RDP) Analysis

A quantitative assessment of the privacy consumption of the AONC module was performed using Rényi Differential Privacy (RDP). For this analysis, parameters were set to and , and the cumulative privacy budget after T training rounds was calculated. The results are illustrated in Fig 4.

Download:

• PPT
  PowerPoint slide
• PNG
  larger image
• TIFF
  original image

Fig 4. RDP privacy budget accumulation ().

(A) Privacy budget () comparison across methods. DualMask achieves (, significantly lower than DP-SGD () and DeltaMask (). (B) Impact of the dynamic attenuation mechanism. Progress-aware noise attenuation reduces privacy budget consumption by 41% during later training stages. (C) Effect of orthogonal noise amplification. Directional noise injection increases the effective noise scale by 43%, yielding a 1.7-fold improvement in privacy-utility trade-off. Figure Notes: All RDP computations use and (shown) or (curves in Appendix).

https://doi.org/10.1371/journal.pone.0338822.g004

(2) Gradient Inversion Attack Reconstruction Experiment

A total of 100 gradient inversion attack reconstructions were performed using the L–BFGS optimizer to quantify the reconstruction quality.

Attack Setup: L–BFGS optimizer (lr = 1.0, , ); zero-image initialization; white-box setting: attacker knows full model architecture and ground-truth labels; identical hyper-parameters for all methods. The results are shown in Fig 5.

Download:

• PPT
  PowerPoint slide
• PNG
  larger image
• TIFF
  original image

Fig 5. Effectiveness of gradient inversion attacks.

(A) Mean Squared Error (MSE) comparison: DualMask showed an MSE that is 64% greater than DP-SGD, indicating that its orthogonal noise effectively disturbs the gradient statistics. (B) Peak Signal-to-Noise Ratio (PSNR) evaluation: The PSNR of images reconstructed from DualMask gradients decreased to 18.2 dB, which is below the 20 dB level generally considered visible to the human eye. (C) Visual assessment of reconstruction quality: Images reconstructed by an attacker using DualMask gradients contain substantial high-frequency noise, making them unidentifiable. Figure Notes: All values are computed with and ; numbers in parentheses indicate relative change w.r.t. DP-SGD.

https://doi.org/10.1371/journal.pone.0338822.g005

(3) Membership and Attribute Inference Attack Test

The shadow model attack framework was employed for testing, and the experimental results are summarized in Table 3.

Download:

• PPT
  PowerPoint slide
• PNG
  larger image
• TIFF
  original image

Table 3. Attack success rates (%) of membership and attribute inference attacks under different defense methods.

https://doi.org/10.1371/journal.pone.0338822.t003

The values indicate the Attack Success Rate (ASR) as a percentage, where a lower ASR signifies better privacy protection. With the same privacy budget (), DualMask’s AONC directional noise injection decreases the model’s accuracy loss by 4.9% compared to DP-SGD. The progress-aware noise attenuation (PAND) mechanism reduces the PSNR to 15 dB in the later stages of training, addressing the shortcomings of static noise defenses. Additionally, orthogonal perturbations increase the number of iterations needed for gradient inversion attacks by 3.2 times, raising the average from 150 to 486 iterations.

Communication overhead and resource efficiency evaluation.

To measure the resource efficiency of AONC in federated learning, this section assesses its performance from two angles: communication overhead and resource usage. The experiments took place in a simulated federated setting with 100 clients, where 10 clients were randomly chosen to join each training round. A non-IID data distribution was created using a Dirichlet distribution with .

(1) Communication Overhead Analysis

Communication overhead was evaluated based on the total amount of data transmitted. The results of the experiments are presented in Fig 6.

Download:

• PPT
  PowerPoint slide
• PNG
  larger image
• TIFF
  original image

Fig 6. Communication cost comparison on CelebA-HQ (Non-IID).

(A) Total communication cost across different methods. AONC reduces this cost by 37.2% compared to baseline approaches, thanks to its hierarchical clipping and adaptive noise scaling, which minimize unnecessary gradient transmissions. (B) Effect of gradient sparsity. The directional noise injection used in AONC creates sparsity, with orthogonal components making up more than 70%, thereby improving compression efficiency. (C) Communication costs of other methods. DP-SGD results in a 71% higher total communication cost than FedAvg because fixed clipping causes an increase in gradient magnitude, while CENSOR raises the cost by 36.8% due to the extra dimensionality involved in orthogonal projection operations. Note: All communication and energy figures are aggregate totals over 100 training rounds (10 clients sampled per round), not per-round or per-client values.

https://doi.org/10.1371/journal.pone.0338822.g006

(2) Computational Resource Utilization

Resource efficiency is evaluated using Client Compute Time (CCT) and CPU/GPU utilization. The experimental results are summarized in Table 4.

Download:

• PPT
  PowerPoint slide
• PNG
  larger image
• TIFF
  original image

Table 4. Resource utilization comparison (CIFAR-10 Task, ResNet-56).

https://doi.org/10.1371/journal.pone.0338822.t004

Three-dimensional comprehensive pareto analysis.

The performance comparison results of five federated learning methods on the CIFAR-10 dataset are presented in Table 5 and visualized in Fig 7. As shown in Fig 7, DualMask dynamically balances the three objectives during training: it steadily improves test accuracy (utility), continuously decays the privacy budget (privacy), and maintains the lowest cumulative communication cost (efficiency). In contrast, FedAvg suffers from a constant privacy loss () and slower convergence, highlighting the advantages of DualMask in simultaneously optimizing the privacy-utility-communication trilemma.

Download:

• PPT
  PowerPoint slide
• PNG
  larger image
• TIFF
  original image

Fig 7. Dynamic privacy-utility-communication trade-off across communication rounds on CIFAR-10.

Shaded areas represent 95% confidence intervals over three runs. DualMask continuously decays the privacy budget while improving accuracy and maintaining the lowest cumulative communication cost; FedAvg exhibits constant privacy leakage and slower convergence.

https://doi.org/10.1371/journal.pone.0338822.g007

Download:

• PPT
  PowerPoint slide
• PNG
  larger image
• TIFF
  original image

Table 5. Performance comparison of five federated learning methods on CIFAR-10.

https://doi.org/10.1371/journal.pone.0338822.t005

Impact of the AONC component.

The experimental results regarding the impact of the AONC component are presented in Table 6.

Download:

• PPT
  PowerPoint slide
• PNG
  larger image
• TIFF
  original image

Table 6. Ablation study of the AONC component (mean values over 100 rounds).

https://doi.org/10.1371/journal.pone.0338822.t006

Impact of server-side components (D3QN-PSO synergy).

The experimental results for the synergistic mechanism of D3QN and PSO are presented in Table 7.

Download:

• PPT
  PowerPoint slide
• PNG
  larger image
• TIFF
  original image

Table 7. Analysis of server-side component synergy (CIFAR-10, 100 clients).

https://doi.org/10.1371/journal.pone.0338822.t007

AONC parameter analysis.

To assess the robustness of the AONC framework, parameter sensitivity experiments were performed on the CIFAR-10 dataset with the ResNet-56 model. Three main parameters—-the EMA coefficient , the initial noise ratio , and the clipping quantile q—were each evaluated at five evenly spaced levels. The evaluation metrics comprised the average accuracy, attack success rate, privacy budget (), and communication cost calculated over 100 training rounds. Each experiment was repeated three times, and the results were averaged. The findings are presented in Table 8.

Download:

• PPT
  PowerPoint slide
• PNG
  larger image
• TIFF
  original image

Table 8. AONC parameter sensitivity matrix (Mean over 100 rounds).

https://doi.org/10.1371/journal.pone.0338822.t008

D3QN and PSO parameter analysis.

Parameter sensitivity testing was conducted on the CelebA-HQ face recognition task using a ResNet-18 model, with the D3QN-PSO module deployed on the server side. The test parameters included: D3QN learning rate ; PSO cognitive coefficient ; and PSO particle number . Other parameters were fixed as follows: discount factor , experience replay buffer size of 5000, and inertia weight . The results represent the average of three experimental runs, with detailed outcomes presented in Table 9.

Download:

• PPT
  PowerPoint slide
• PNG
  larger image
• TIFF
  original image

Table 9. Server-side parameter sensitivity analysis (CelebA-HQ, ResNet-18).

https://doi.org/10.1371/journal.pone.0338822.t009