Federated learning (FL) offers a privacy-preserving paradigm for machine learning, but its application in intrusion detection systems (IDS) within IoT networks is challenged by severe class imbalance, non-IID data, and high communication overhead.These challenges severely degrade the performance of conventional FL methods in real-world network traffic classification. To overcome these limitations, we propose Sentinel, a personalized federated IDS (pFed-IDS) framework that incorporates a dual-model architecture on each client, consisting of a personalized teacher and a lightweight shared student model. This design effectively balances deep local adaptation with efficient global model consensus while preserving client privacy by transmitting only the compact student model, thus reducing communication costs. Sentinel integrates three key mechanisms to ensure robust performance: bidirectional knowledge distillation with adaptive temperature scaling, multi-faceted feature alignment, and class-balanced loss functions. Furthermore, the server employs normalized gradient aggregation with equal client weighting to enhance fairness and mitigate client drift. Extensive experiments on the IoTID20 and 5GNIDD benchmark datasets demonstrate that Sentinel significantly outperforms state-of-the-art federated methods, establishing a new performance benchmark, especially under extreme data heterogeneity, while maintaining communication efficiency.
翻译:联邦学习(FL)为机器学习提供了一种隐私保护的范式,但其在物联网网络入侵检测系统(IDS)中的应用面临着严重的类别不平衡、非独立同分布数据以及高通信开销等挑战。这些挑战严重降低了传统联邦学习方法在现实网络流量分类中的性能。为克服这些限制,我们提出了哨兵(Sentinel),一种个性化联邦入侵检测系统(pFed-IDS)框架。该框架在每个客户端上采用双模型架构,包含一个个性化教师模型和一个轻量级共享学生模型。该设计在保持客户端隐私(仅传输紧凑的学生模型以降低通信成本)的同时,有效平衡了深度本地适应与高效的全局模型共识。哨兵集成了三个关键机制以确保鲁棒性能:采用自适应温度缩放的双向知识蒸馏、多层面特征对齐以及类别平衡损失函数。此外,服务器采用归一化梯度聚合与等权重客户端加权,以增强公平性并减轻客户端漂移。在IoTID20和5GNIDD基准数据集上进行的大量实验表明,哨兵显著优于最先进的联邦学习方法,尤其在极端数据异构性下建立了新的性能基准,同时保持了通信效率。