A botnet is an army of zombified computers infected with malware and controlled by malicious actors to carry out tasks such as Distributed Denial of Service (DDoS) attacks. Billions of Internet of Things (IoT) devices are primarily targeted to be infected as bots since they are configured with weak credentials or contain common vulnerabilities. Detecting botnet propagation by monitoring the network traffic is difficult as they easily blend in with regular network traffic. The traditional machine learning (ML) based Intrusion Detection System (IDS) requires the raw data to be captured and sent to the ML processor to detect intrusion. In this research, we examine the viability of a cross-device federated intrusion detection mechanism where each device runs the ML model on its data and updates the model weights to the central coordinator. This mechanism ensures the client's data is not shared with any third party, terminating privacy leakage. The model examines each data packet separately and predicts anomalies. We evaluate our proposed mechanism on a real botnet propagation dataset called MedBIoT. Overall, the proposed method produces an average accuracy of 71%, precision 78%, recall 71%, and f1-score 68%. In addition, we also examined whether any device taking part in federated learning can employ a poisoning attack on the overall system.

翻译：僵尸网络是被恶意软件感染并由恶意行为者控制以执行分布式拒绝服务（DDoS）攻击等任务的僵尸计算机大军。数十亿物联网设备因配置弱凭证或存在常见漏洞，成为被感染为僵尸主机的主要目标。通过监控网络流量来检测僵尸网络传播十分困难，因为其易于混入常规网络流量中。传统基于机器学习的入侵检测系统需要捕获原始数据并将其传输至机器学习处理器以检测入侵。在本研究中，我们探讨跨设备联邦入侵检测机制的可行性，该机制使每台设备在其自身数据上运行机器学习模型，并将模型权重更新至中央协调器。该机制确保客户端数据不共享给任何第三方，从而消除隐私泄露风险。模型逐一检查每个数据包并预测异常。我们在名为MedBIoT的真实僵尸网络传播数据集上评估所提机制。总体而言，该方法平均准确率达71%，精确率78%，召回率71%，F1分数68%。此外，我们还检验了参与联邦学习的设备是否可能对整个系统实施投毒攻击。