Personalized federated learning-based intrusion detection system: Poisoning attack and defense

Abstract

To deal with the increasing number of cyber-attacks, intrusion detection system (IDS) plays an important role in monitoring and ensuring the security of the computer network. With the power of machine learning and deep learning, intelligent IDS systems have gained increasing attention due to their efficiency and high classification accuracy. However, the premise of machine learning/deep learning is that the data must be in one central entity (e.g., server) to train the model. This causes additional concerns, such as data transmission costs and privacy leakage. Federated learning complements this shortcoming with a privacy-preserving decentralized learning technique. In federated learning, the data are not shared with the server, local model training is performed where the data reside and only the model parameters are exchanged with the server. This work investigates the federated learning-based IDS approach in the context of IoT data to study the main challenges imposed by federated learning. Two main issues, such as data heterogeneity and poisoning attacks launched by malicious clients, are the main focus of this study. As real-world IoT datasets are heterogeneous, we propose a personalized federated learning-based IDS approach to handle imbalanced data distributions. Moreover, a curious yet malicious client can poison the local data or model to corrupt the global intrusion detection model due to the distributed nature of federated learning, where the central server has no control over the client’s local training process. This study demonstrates that the existence of a malicious client can degrade the performance of the federated learning-based IDS model. Accordingly, we propose a robust approach called pFL-IDS to combat poisoning attacks against the federated learning-enabled IDS on heterogeneous IoT data. Our approach introduces mini-batch logit adjustment loss to local model training to obtain a personalized model tailored to each local data distribution. Moreover, we design a detection mechanism at the server to identify malicious agents by considering the cosine similarity of local models from the non-poisoned client’s centroid. The non-poisoned centroid is determined from the similarity between the pre-computed global model and the local models. If the poisoning attack is successful, poisoned clients will be closer to the pre-computed global model; any models further from the pre-computed model are taken as the non-poisoned clients. With this two-phase client similarity alignment, we identify poisoned clients and restrict their aggregation on the global intrusion detection model. In comparison with the baseline methods, we demonstrate that our pFL-IDS can detect poisoning attacks without compromising performance.