Deep learning (DL) methods have been widely applied to anomaly-based network intrusion detection systems (NIDSs) to detect malicious traffic. To broaden the usage scenarios of DL-based methods, federated learning (FL) allows multiple users to train a global model while respecting individual data privacy. However, it has not yet been systematically evaluated how robust FL-based NIDSs are against existing privacy attacks under existing defenses. To address this issue, we propose two privacy evaluation metrics designed for FL-based NIDSs: (1) a privacy score that evaluates the similarity between the original traffic features and those recovered by a reconstruction attack, and (2) an evasion rate against NIDSs for adversarial traffic crafted from the recovered features. Our experiments show that existing defenses provide little protection and that the corresponding adversarial traffic can even evade the state-of-the-art NIDS Kitsune. To defend against such attacks and build a more robust FL-based NIDS, we further propose FedDef, a novel optimization-based input perturbation defense strategy with a theoretical guarantee. It achieves high utility by minimizing the gradient distance and strong privacy protection by maximizing the input distance. We experimentally evaluate four existing defenses on four datasets and show that our defense outperforms all the baselines in terms of privacy protection, with up to 7 times higher privacy score, while keeping the model accuracy loss within 3% under the optimal parameter combination.
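The following is an added example, not code from the paper, that makes the two quantities the abstract trades off concrete on a toy FL client: a gradient inversion attack recovers the client's traffic features from an unprotected gradient, an input perturbation in the spirit of FedDef moves the shared gradient's effective input away from the real one within a gradient-distance budget, and both the privacy score and the gradient distance are measured. Everything beyond the abstract is an assumption: the client model is logistic regression with a bias term, flow features are normalised to [0, 1], one sample is shared per update, the privacy score is taken as the mean absolute error between original and recovered features (the paper's exact definition is not given here), and FedDef's optimizer is replaced by a greedy coordinate search over the same two objectives.

```python
"""Toy FL-based NIDS client: gradient inversion attack, a FedDef-style input
perturbation defense, and the two quantities traded off (privacy score vs.
gradient distance).  Added example, not the paper's code.  Assumptions:
logistic-regression client model with bias, flow features in [0, 1], a
single-sample update, privacy score = mean absolute error between original
and recovered features, and a greedy search in place of FedDef's optimizer.
"""
import numpy as np

D = 8  # number of flow features per sample (constructed)


def sigmoid(z):
    return 1.0 / (1.0 + np.exp(-z))


def client_gradient(w, b, x, y):
    """Cross-entropy gradient for one sample: (dL/dw, dL/db) = (a*x, a)."""
    a = sigmoid(w @ x + b) - y
    return a * x, a


def gradient_distance(grad1, grad2):
    """Euclidean distance between two (dw, db) gradient tuples."""
    v1 = np.append(grad1[0], grad1[1])
    v2 = np.append(grad2[0], grad2[1])
    return float(np.linalg.norm(v1 - v2))


def reconstruct_input(dw, db):
    """Gradient inversion for a dense layer with bias: since dw = a*x and
    db = a, the input that produced the gradient is dw/db (exact when the
    gradient is unprotected)."""
    return dw / db


def privacy_score(x_original, x_recovered):
    """Assumed stand-in for the paper's metric: mean absolute error between
    original and recovered features (0 means perfectly recovered)."""
    return float(np.mean(np.abs(x_original - x_recovered)))


def feddef_perturb(w, b, x, y, budget, step=0.05, rounds=20):
    """FedDef-style perturbation (toy): move x_prime as far from x as the
    budget allows while keeping the gradient distance to the true gradient
    within `budget`.  Greedy coordinate search rather than the paper's
    optimizer; every accepted move is checked against the budget, so the
    returned point always satisfies it and stays inside the [0, 1] box."""
    g_true = client_gradient(w, b, x, y)
    x_prime = x.copy()
    for _ in range(rounds):
        moved = False
        for i in range(len(x)):
            # push coordinate i toward the box edge farther from the original
            direction = 1.0 if x[i] < 0.5 else -1.0
            cand = x_prime.copy()
            cand[i] = np.clip(cand[i] + direction * step, 0.0, 1.0)
            if cand[i] == x_prime[i]:
                continue  # already at the box edge
            if gradient_distance(client_gradient(w, b, cand, y), g_true) <= budget:
                x_prime = cand
                moved = True
        if not moved:
            break
    return x_prime


def evaluate(budget=0.2):
    """Attack a clean update and a FedDef-style update; return both metrics."""
    rng = np.random.default_rng(7)
    w = rng.uniform(-0.5, 0.5, size=D)
    b = 0.1
    x = rng.uniform(0.0, 1.0, size=D)  # constructed normalised flow features
    y = 1.0                            # sample labelled malicious
    g_clean = client_gradient(w, b, x, y)
    x_hat_clean = reconstruct_input(*g_clean)
    x_prime = feddef_perturb(w, b, x, y, budget)
    g_def = client_gradient(w, b, x_prime, y)  # gradient the client would share
    x_hat_def = reconstruct_input(*g_def)      # attacker recovers x_prime, not x
    return {
        "score_clean": privacy_score(x, x_hat_clean),
        "score_defended": privacy_score(x, x_hat_def),
        "grad_dist_defended": gradient_distance(g_def, g_clean),
        "grad_norm": gradient_distance(g_clean, (np.zeros(D), 0.0)),
        "box_ok": bool(np.all((x_prime >= 0.0) & (x_prime <= 1.0))),
    }


if __name__ == "__main__":
    for k, v in evaluate().items():
        print(f"{k}: {v}")
```

The budget plays the role of the utility knob: a larger budget lets the perturbed input travel farther (higher privacy score) at the cost of a gradient that drifts more from the true one, which is the same tension the abstract's 3% accuracy-loss figure refers to. On this linear toy model the trade-off is unavoidable because the gradient pins the input down exactly; the paper's setting, with deeper NIDS models and batched updates, leaves the optimizer more room.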