There is a growing trend of cyberattacks against Internet of Things (IoT) devices; moreover, the sophistication and motivation of those attacks is increasing. The vast scale of IoT, diverse hardware and software, and being typically placed in uncontrolled environments make traditional IT security mechanisms such as signature-based intrusion detection and prevention systems challenging to integrate. They also struggle to cope with the rapidly evolving IoT threat landscape due to long delays between the analysis and publication of the detection rules. Machine learning methods have shown faster response to emerging threats; however, model training architectures like cloud or edge computing face multiple drawbacks in IoT settings, including network overhead and data isolation arising from the large scale and heterogeneity that characterizes these networks. This work presents an architecture for training unsupervised models for network intrusion detection in large, distributed IoT and Industrial IoT (IIoT) deployments. We leverage Federated Learning (FL) to collaboratively train between peers and reduce isolation and network overhead problems. We build upon it to include an unsupervised device clustering algorithm fully integrated into the FL pipeline to address the heterogeneity issues that arise in FL settings. The architecture is implemented and evaluated using a testbed that includes various emulated IoT/IIoT devices and attackers interacting in a complex network topology comprising 100 emulated devices, 30 switches and 10 routers. The anomaly detection models are evaluated on real attacks performed by the testbed's threat actors, including the entire Mirai malware lifecycle, an additional botnet based on the Merlin command and control server and other red-teaming tools performing scanning activities and multiple attacks targeting the emulated devices.

翻译：针对物联网设备的网络攻击呈现增长趋势，且攻击的复杂性与动机持续升级。物联网的庞大规模、多样化的硬件与软件配置，以及通常部署在不可控环境中的特点，使得传统IT安全机制（如基于签名的入侵检测与防御系统）难以集成。同时，由于检测规则从分析到发布存在较长延迟，这些传统方法也难以应对快速演变的物联网威胁态势。机器学习方法对新兴威胁展现出更快的响应能力；然而，在物联网环境中，云计算或边缘计算等模型训练架构面临多重缺陷，包括由大规模网络及异构特性引发的通信开销与数据隔离问题。本文提出一种面向大规模分布式物联网与工业物联网部署场景的无监督网络入侵检测模型训练架构。我们利用联邦学习实现节点间的协同训练，以减少数据隔离与网络开销问题。在此基础上，将无监督设备聚类算法完整嵌入联邦学习流程，以解决联邦学习场景中出现的异构性问题。通过包含多种仿真物联网/工业物联网设备与攻击者的测试平台，在由100个仿真设备、30台交换机与10台路由器构成的复杂网络拓扑中，对该架构进行了实现与评估。异常检测模型基于测试平台威胁行为体发起的真实攻击进行验证，涵盖完整的Mirai恶意软件生命周期、基于Merlin命令与控制服务器的其他僵尸网络，以及执行扫描活动与针对仿真设备的多重攻击的红队工具。