5,018 research outputs found

    Data-Efficient, Federated Learning for Raw Network Traffic Detection

    Traditional machine learning (ML) models used for enterprise network intrusion detection systems (NIDS) typically rely on vast amounts of centralized data with expertly engineered features. Previous work, however, has shown the feasibility of using deep learning (DL) to detect malicious activity on raw network traffic payloads rather than engineered features at the edge, which is necessary for tactical military environments. In the future Internet of Battlefield Things (IoBT), the military will find itself in multiple environments with disconnected networks spread across the battlefield. These resource-constrained, data-limited networks require distributed and collaborative ML/DL models for inference that are continually trained both locally, using data from each separate tactical edge network, and then globally in order to learn and detect malicious activity represented across the multiple networks in a collaborative fashion. Federated Learning (FL), a collaborative paradigm which updates and distributes a global model through local model weight aggregation, provides a solution to train ML/DL models in NIDS utilizing learning from multiple edge devices from the disparate networks without the sharing of raw data. We develop and experiment with a data-efficient FL framework for IoBT settings for intrusion detection using only raw network traffic in restricted, resource-limited environments. Our results indicate that regardless of the DL model architecture used on edge devices, the Federated Averaging FL algorithm achieved over 93% accuracy in model performance in detecting malicious payloads after only five episodes of FL training.

    Federated Deep Learning for collaborative intrusion detection in heterogeneous networks

    In this paper, we propose Federated Deep Learning (FDL) for intrusion detection in heterogeneous networks. Local Deep Neural Network (DNN) models are used to learn the hierarchical representations of the private network traffic data in multiple edge nodes. A dedicated central server receives the parameters of the local DNN models from the edge nodes, and it aggregates them to produce an FDL model using the Fed+ fusion algorithm. Simulation results show that the FDL model achieved an accuracy of 99.27 ± 0.79%, a precision of 97.03 ± 4.22%, a recall of 98.06 ± 1.72%, an F1 score of 97.50 ± 2.55%, and a False Positive Rate (FPR) of 2.40 ± 2.47%. The classification performance and the generalisation ability of the FDL model are better than those of the local DNN models. The Fed+ algorithm outperformed two state-of-the-art fusion algorithms, namely federated averaging (FedAvg) and Coordinate Median (CM). Therefore, the DNN-Fed+ model is preferable for intrusion detection in heterogeneous wireless networks.