<p>The rapid proliferation of Internet of Things (IoT) devices has led to a significant rise in security issues, as traditional centralized intrusion detection systems face difficulties in handling issues such as privacy concerns, communication bottlenecks, and heterogeneous data. Federated Learning (FL) is a new paradigm for collaborative learning that can be used to train intrusion detection systems without compromising user privacy. However, it is challenged by critical issues such as handling highly non-independent and identically distributed (non-IID) data, a common problem in heterogeneous IoT networks such as healthcare networks, financial networks, and industrial networks. In this paper, a novel CNN-LSTM architecture is proposed that is equipped with Explainable AI (XAI) to handle extreme cases of heterogeneous data in Federated Learning-based intrusion detection. Using the CIC-IDS2017 dataset and Dirichlet-based partitioning (<InlineEquation ID="IEq1"><EquationSource Format="TEX">\(\upalpha \in \{0.01, 0.1, 0.5, 5.0, 50.0\}),\)</EquationSource></InlineEquation> our optimized CNN-LSTM model achieves a 97.36% centralized F1-score. We demonstrate that while architectural design provides highly stable robustness under moderate data heterogeneity (<InlineEquation ID="IEq2"><EquationSource Format="TEX">\(\upalpha =0.5\)</EquationSource></InlineEquation>), extreme non-IID conditions (<InlineEquation ID="IEq3"><EquationSource Format="TEX">\(\upalpha =0.01\)</EquationSource></InlineEquation>) trigger severe weight washing, dropping FedAvg performance to 71.53%. Through a comprehensive hyperparameter sweep, we prove that applying FedProx with a strong proximal penalty (<InlineEquation ID="IEq4"><EquationSource Format="TEX">\(\upmu =0.1\)</EquationSource></InlineEquation>) successfully mitigates this client drift, recovering the F1-score to 78.27%. Using SHAP, LIME, t-SNE, and PCA, we reveal that our model learns universal protocol-level features (Init_Win_bytes_forward, ACK Flag Count, and Fwd Packet Length Min) that remain invariant across heterogeneous networks. Finally, we demonstrate a highly stable detection is achieved for network-layer attacks, whereas application-layer intrusions (Web Attacks) suffer severe degradation, proving the fundamental limitations of flow-based features for payload-driven attacks.</p>

错误:搜索内容不能为空,请输入英文关键词
错误:关键词超出字数限制,请精简
高级检索

Resilient federated intrusion detection with explainable AI: a robust CNN-LSTM architecture for extreme non-IID data distributions

  • Jallal-Eddine Moussaoui,
  • Mehdi Kmiti,
  • Yassine Maleh,
  • Khalid El Gholami

摘要

The rapid proliferation of Internet of Things (IoT) devices has led to a significant rise in security issues, as traditional centralized intrusion detection systems face difficulties in handling issues such as privacy concerns, communication bottlenecks, and heterogeneous data. Federated Learning (FL) is a new paradigm for collaborative learning that can be used to train intrusion detection systems without compromising user privacy. However, it is challenged by critical issues such as handling highly non-independent and identically distributed (non-IID) data, a common problem in heterogeneous IoT networks such as healthcare networks, financial networks, and industrial networks. In this paper, a novel CNN-LSTM architecture is proposed that is equipped with Explainable AI (XAI) to handle extreme cases of heterogeneous data in Federated Learning-based intrusion detection. Using the CIC-IDS2017 dataset and Dirichlet-based partitioning (\(\upalpha \in \{0.01, 0.1, 0.5, 5.0, 50.0\}),\) our optimized CNN-LSTM model achieves a 97.36% centralized F1-score. We demonstrate that while architectural design provides highly stable robustness under moderate data heterogeneity (\(\upalpha =0.5\)), extreme non-IID conditions (\(\upalpha =0.01\)) trigger severe weight washing, dropping FedAvg performance to 71.53%. Through a comprehensive hyperparameter sweep, we prove that applying FedProx with a strong proximal penalty (\(\upmu =0.1\)) successfully mitigates this client drift, recovering the F1-score to 78.27%. Using SHAP, LIME, t-SNE, and PCA, we reveal that our model learns universal protocol-level features (Init_Win_bytes_forward, ACK Flag Count, and Fwd Packet Length Min) that remain invariant across heterogeneous networks. Finally, we demonstrate a highly stable detection is achieved for network-layer attacks, whereas application-layer intrusions (Web Attacks) suffer severe degradation, proving the fundamental limitations of flow-based features for payload-driven attacks.