Botnet intrusion detection faces several critical challenges, including data silos, significant class imbalance, privacy concerns, and non-independent and identically distributed (Non-IID) client data. To address these challenges, we propose a novel intrusion detection framework based on federated learning. Our framework allows isolated data holders to collaboratively train a shared model while preserving data privacy. To mitigate aggregation bias caused by statistical heterogeneity in the federated setting, we introduce a Jensen-Shannon (JS) divergence-based client similarity-aware aggregation strategy, which dynamically adjusts each client’s contribution during global model updates. Furthermore, we integrate the Synthetic Minority Over-sampling Technique (SMOTE) and Focal Loss into the local training process to enhance the model’s capability in detecting minority-class attack traffic. Extensive experiments conducted on the publicly available CTU-13 botnet dataset demonstrate that our approach significantly outperforms both conventional centralized models and standard federated learning baselines in terms of accuracy, F1-score, and other key metrics. The results highlight the framework’s effectiveness in privacy-preserving modeling of imbalanced and Non-IID intrusion detection data.

错误:搜索内容不能为空,请输入英文关键词
错误:关键词超出字数限制,请精简
高级检索

Federated Intrusion Detection Under Non-IID Traffic

  • Ziang Wu,
  • Xiuheng Liao,
  • Buzhen He,
  • Shuai Shang,
  • Tianhui Li,
  • Chunhua Su

摘要

Botnet intrusion detection faces several critical challenges, including data silos, significant class imbalance, privacy concerns, and non-independent and identically distributed (Non-IID) client data. To address these challenges, we propose a novel intrusion detection framework based on federated learning. Our framework allows isolated data holders to collaboratively train a shared model while preserving data privacy. To mitigate aggregation bias caused by statistical heterogeneity in the federated setting, we introduce a Jensen-Shannon (JS) divergence-based client similarity-aware aggregation strategy, which dynamically adjusts each client’s contribution during global model updates. Furthermore, we integrate the Synthetic Minority Over-sampling Technique (SMOTE) and Focal Loss into the local training process to enhance the model’s capability in detecting minority-class attack traffic. Extensive experiments conducted on the publicly available CTU-13 botnet dataset demonstrate that our approach significantly outperforms both conventional centralized models and standard federated learning baselines in terms of accuracy, F1-score, and other key metrics. The results highlight the framework’s effectiveness in privacy-preserving modeling of imbalanced and Non-IID intrusion detection data.