The vast increase of IoT technologies and the ever-evolving attack vectors and threat actors have increased cyber-security risks dramatically. Novel attacks can compromise IoT devices to gain access to sensitive data or control them to deploy further malicious activities. The detection of novel attacks often relies upon AI solutions. A common approach to implementing AI-based IDS in distributed IoT systems is in a centralised manner. However, this approach may violate data privacy and secrecy. In addition, centralised data collection prohibits the scale-up of IDSs. Therefore, intrusion detection solutions in IoT ecosystems need to move towards a decentralised direction. FL has attracted significant interest in recent years due to its ability to perform collaborative learning while preserving data confidentiality and locality. Nevertheless, most FL-based IDS for IoT systems are designed under unrealistic data distribution conditions. To that end, we design an experiment representative of the real world and evaluate the performance of two FL IDS implementations, one based on DNNs and another on our previous work on DBNs. For our experiments, we rely on TON-IoT, a realistic IoT network traffic dataset, associating each IP address with a single FL client. Additionally, we explore pre-training and investigate various aggregation methods to mitigate the impact of data heterogeneity. Lastly, we benchmark our approach against a centralised solution. The comparison shows that the heterogeneous nature of the data has a considerable negative impact on the model performance when trained in a distributed manner. However, in the case of a pre-trained initial global FL model, we demonstrate a performance improvement of over 20% (F1-score) when compared against a randomly initiated global model.

翻译：物联网技术的迅猛发展以及不断演变的攻击载体与威胁行为者，使得网络安全风险急剧增加。新型攻击可能攻陷物联网设备以获取敏感数据，或控制设备实施进一步的恶意活动。这类攻击的检测通常依赖人工智能解决方案。在分布式物联网系统中部署基于人工智能的入侵检测系统的常见方式是采用集中式方法。然而，这种方法可能违反数据隐私与保密性要求，且集中式数据收集阻碍了入侵检测系统的扩展。因此，物联网生态系统中的入侵检测方案需向去中心化方向发展。联邦学习因其能在保护数据机密性与本地性的同时实现协作学习，近年来引起广泛关注。然而，现有针对物联网系统的基于联邦学习的入侵检测系统大多在非真实数据分布条件下设计。为此，我们设计了具有现实代表性的实验，评估了两种联邦学习入侵检测系统的性能：一种基于深度神经网络，另一种基于我们先前对深度信念网络的研究。实验中采用真实物联网网络流量数据集TON-IoT，将每个IP地址关联至单一联邦学习客户端。此外，我们探索了预训练机制，并研究多种聚合方法以缓解数据异质性的影响。最后，我们将所提方法与集中式方案进行基准对比。结果表明，数据异质特性在分布式训练时对模型性能产生显著的负面影响。然而，当使用预训练的初始全局联邦学习模型时，与随机初始化的全局模型相比，性能（F1分数）提升了超过20%。