<p>Cloud deployments spread traffic across many nodes, which makes intrusion detection harder to run from a single central analyzer. Sending all traffic to one point also creates privacy and bandwidth costs. In this study, data stay on the local node and only model updates are shared. The detector is a binary model that combines a convolutional neural network with a bidirectional long short-term memory network and is trained with federated averaging over 50 virtual clients for 50 communication rounds. Client heterogeneity is introduced with a Dirichlet split (<InlineEquation ID="IEq1"> <EquationSource Format="TEX">\(\alpha = 0.3\)</EquationSource> <EquationSource Format="MATHML"><math> <mrow> <mi>α</mi> <mo>=</mo> <mn>0.3</mn> </mrow> </math></EquationSource> </InlineEquation>), and 10 clients are sampled in each round. SHAP was applied to the final global model to examine the features behind its predictions. Across four random seeds, the model reached 97.67% ± 0.24% accuracy, 96.55% F1, and 2.82% false-positive rate on CICIDS2017. On UNSW-NB15, it reached 90.49% ± 1.88% accuracy, 91.48% F1, and 12.20% false-positive rate. The ablation results showed that each major component of the pipeline mattered: removing the CNN block, the BiLSTM block, SMOTE, or RFE produced statistically significant differences under McNemar’s test (<InlineEquation ID="IEq2"> <EquationSource Format="TEX">\(p &lt; 0.05\)</EquationSource> <EquationSource Format="MATHML"><math> <mrow> <mi>p</mi> <mo>&lt;</mo> <mn>0.05</mn> </mrow> </math></EquationSource> </InlineEquation>). SHAP assigned the highest importance to Flow Duration, Protocol, and Backward Inter-Arrival-Time Total on CICIDS2017, and to source TTL, destination TTL, and TCP source window on UNSW-NB15. We also observed that the <Emphasis FontCategory="NonProportional">id</Emphasis> field in UNSW-NB15 inflated accuracy by about eight percentage points despite being only a row identifier; all reported results therefore use the corrected pipeline with this field removed.</p>

错误:搜索内容不能为空,请输入英文关键词
错误:关键词超出字数限制,请精简
高级检索

An enhanced hybrid intrusion detection framework using federated learning and explainable AI for cloud-based cybersecurity systems

  • Şükrü Okul,
  • Mustafa Semih Sadak

摘要

Cloud deployments spread traffic across many nodes, which makes intrusion detection harder to run from a single central analyzer. Sending all traffic to one point also creates privacy and bandwidth costs. In this study, data stay on the local node and only model updates are shared. The detector is a binary model that combines a convolutional neural network with a bidirectional long short-term memory network and is trained with federated averaging over 50 virtual clients for 50 communication rounds. Client heterogeneity is introduced with a Dirichlet split ( \(\alpha = 0.3\) α = 0.3 ), and 10 clients are sampled in each round. SHAP was applied to the final global model to examine the features behind its predictions. Across four random seeds, the model reached 97.67% ± 0.24% accuracy, 96.55% F1, and 2.82% false-positive rate on CICIDS2017. On UNSW-NB15, it reached 90.49% ± 1.88% accuracy, 91.48% F1, and 12.20% false-positive rate. The ablation results showed that each major component of the pipeline mattered: removing the CNN block, the BiLSTM block, SMOTE, or RFE produced statistically significant differences under McNemar’s test ( \(p < 0.05\) p < 0.05 ). SHAP assigned the highest importance to Flow Duration, Protocol, and Backward Inter-Arrival-Time Total on CICIDS2017, and to source TTL, destination TTL, and TCP source window on UNSW-NB15. We also observed that the id field in UNSW-NB15 inflated accuracy by about eight percentage points despite being only a row identifier; all reported results therefore use the corrected pipeline with this field removed.