The widespread adoption of cloud, edge, and IoT computing has increased the attack surface for cyber threats. This is due to the large-scale deployment of often unsecured, heterogeneous devices with varying hardware and software configurations. The diversity of these devices attracts a wide array of potential attack methods, making it challenging for individual organizations to have comprehensive knowledge of all possible threats. In this context, powerful anomaly detection models can be developed by combining data from different parties using Federated Learning (FL). FL enables the collaborative development of Machine Learning (ML)-based Intrusion Detection Systems (IDSs) without requiring the parties to disclose sensitive training data, such as network traffic or sensor readings. However, deploying the resulting models can be challenging, as they may require more computational resources than are available on target devices whose capacity is limited or already allocated to other operations. Training device-specific models is not feasible for an organization because a significant portion of the training data is private to other participants in the FL process. To address these challenges, this paper introduces INTELLECT, a novel solution that integrates feature selection, model pruning, and fine-tuning techniques into a cohesive pipeline for the dynamic adaptation of pre-trained ML models and configurations for IDSs. Through empirical evaluation, we analyze the benefits of INTELLECT's approach in tailoring ML models to the specific resource constraints of an organization's devices and measure variations in traffic classification accuracy resulting from feature selection, pruning, and fine-tuning operations. Additionally, we demonstrate the advantages of incorporating knowledge distillation techniques while fine-tuning, enabling the ML model to consistently adapt to local network patterns while preserving historical knowledge.