The vast increase of IoT technologies and the ever-evolving attack vectors and threat actors have increased cyber-security risks dramatically. Novel attacks can compromise IoT devices to gain access to sensitive data or control them to deploy further malicious activities. The detection of novel attacks often relies upon AI solutions. A common approach to implementing AI-based IDS in distributed IoT systems is in a centralised manner. However, this approach may violate data privacy and secrecy. In addition, centralised data collection prohibits the scale-up of IDSs. Therefore, intrusion detection solutions in IoT ecosystems need to move towards a decentralised direction. FL has attracted significant interest in recent years due to its ability to perform collaborative learning while preserving data confidentiality and locality. Nevertheless, most FL-based IDS for IoT systems are designed under unrealistic data distribution conditions. To that end, we design an experiment representative of the real world and evaluate the performance of two FL IDS implementations, one based on DNNs and another on our previous work on DBNs. For our experiments, we rely on TON-IoT, a realistic IoT network traffic dataset, associating each IP address with a single FL client. Additionally, we explore pre-training and investigate various aggregation methods to mitigate the impact of data heterogeneity. Lastly, we benchmark our approach against a centralised solution. The comparison shows that the heterogeneous nature of the data has a considerable negative impact on the model performance when trained in a distributed manner. However, in the case of a pre-trained initial global FL model, we demonstrate a performance improvement of over 20% (F1-score) when compared against a randomly initiated global model.

翻译：物联网技术的广泛普及以及不断演变的攻击载体和威胁行为者极大地增加了网络安全风险。新型攻击可能通过入侵物联网设备来获取敏感数据或控制设备以实施进一步恶意活动。此类攻击的检测通常依赖人工智能解决方案。在分布式物联网系统中实现基于AI的入侵检测系统时，常采用集中式方式。然而，该方式可能违反数据隐私与保密性原则。此外，集中式数据收集也限制了入侵检测系统的规模化扩展。因此，物联网生态系统中的入侵检测解决方案需要向去中心化方向发展。联邦学习因其能够在保持数据机密性和局部性的同时实现协作学习的能力，近年来吸引了广泛关注。但现有面向物联网系统的联邦学习入侵检测方案大多基于非现实的数据分布条件设计。为此，我们设计了一项能反映真实场景的实验，评估了两种联邦学习入侵检测实现方案——一种基于深度神经网络，另一种基于我们先前对深度信念网络的研究成果。实验采用真实物联网网络流量数据集TON-IoT，并将每个IP地址与单一联邦学习客户端相关联。同时，我们探索了预训练策略并研究多种聚合方法以缓解数据异质性影响。最后，我们将所提方法与集中式方案进行基准对比。结果表明，在分布式训练模式下，数据的异质性对模型性能产生了显著负面影响。然而，当使用预训练的初始全局联邦学习模型时，与随机初始化的全局模型相比，模型性能（F1分数）提升超过20%。