Integrating Centrality Measures in Federated Learning-Based Intrusion Detection Systems

Network Intrusion Detection Systems (NIDS) are mechanisms designed to improve security by monitoring networks for signs of potential intrusions. While data-driven deep learningbased NIDSs have been popular for their superior performance, they are limited by their reliance on large amounts of data, often processed in a centralized manner. Federated Learning (FL) has thus emerged as a distributed paradigm to preserve privacy and data confidentiality, reduce communication costs, and promote collaborative learning. However, FL solutions require a high degree of generalization and adaptation to data and system heterogeneity. In this paper, we introduce a new approach to enhance the generalization of deep learning models in FLbased NIDS by integrating centrality measures. These centrality measures assess the importance of nodes in a cyber-physical system, providing valuable insights into network structures. By
adopting these measures within the graph constructed from source and destination devices of network flows, we aim to enhance the model’s understanding of how network dynamics correlate with intrusion patterns. For our experiments, we used two public datasets: CIC-IDS-2017 and CIC-ToN-IoT. To reflect real-world network variability, we utilized a realistic federated learning setup by distributing distinct parts of the datasets among FL clients. Our approach demonstrates an improvement of over 6% in F1-score with the use of centrality measures, surpassing the traditional baseline approach. Our findings underscore the effectiveness of integrating centrality measures in FLbased NIDS, offering enhanced intrusion detection capabilities in heterogeneous network environments.