Advanced Persistent Threat (APT) attacks are highly sophisticated and employ a multitude of advanced methods and techniques to target organizations and steal sensitive and confidential information. APT attacks consist of multiple stages and have a defined strategy, utilizing new and innovative techniques and technologies developed by hackers to evade security software monitoring. To effectively protect against APTs, detecting and predicting APT indicators with an explanation from Machine Learning (ML) prediction is crucial to reveal the characteristics of attackers lurking in the network system. Meanwhile, Federated Learning (FL) has emerged as a promising approach for building intelligent applications without compromising privacy. This is particularly important in cybersecurity, where sensitive data and high-quality labeling play a critical role in constructing effective machine learning models for detecting cyber threats. Therefore, this work proposes XFedHunter, an explainable federated learning framework for APT detection in Software-Defined Networking (SDN) leveraging local cyber threat knowledge from many training collaborators. In XFedHunter, Graph Neural Network (GNN) and Deep Learning model are utilized to reveal the malicious events effectively in the large number of normal ones in the network system. The experimental results on NF-ToN-IoT and DARPA TCE3 datasets indicate that our framework can enhance the trust and accountability of ML-based systems utilized for cybersecurity purposes without privacy leakage.

翻译：高级持续性威胁（APT）攻击具有高度复杂性，采用多种先进手段与技术针对组织机构，窃取敏感机密信息。APT攻击包含多个阶段并具有明确策略，利用黑客开发的新型创新技术与方法规避安全软件监控。为有效抵御APT攻击，通过机器学习预测结果的可解释性来检测和预测APT指标至关重要，这能揭示潜藏于网络系统中的攻击者特征。与此同时，联邦学习作为一种在不损害隐私的前提下构建智能应用的新兴方法，在网络安全领域尤为重要——敏感数据与高质量标注对于构建有效的网络威胁检测机器学习模型具有关键作用。因此，本文提出XFedHunter——一种面向软件定义网络中APT检测的可解释联邦学习框架，利用众多训练合作方的本地网络威胁知识。在XFedHunter中，图神经网络与深度学习模型被用于从网络系统中大量正常事件中有效识别恶意事件。在NF-ToN-IoT与DARPA TCE3数据集上的实验结果表明，本框架能在不泄露隐私的前提下，增强基于机器学习的网络安全系统的可信度与可问责性。