
Article: Articles in international or national peer-reviewed journals

Internet of Things (IoT) networks face increasing cyber threats that require collaborative intrusion detection across distributed environments. Existing federated learning approaches for intrusion detection have critical architectural and methodological limitations. Traditional federated approaches built on deep learning methods such as LSTM and CNN cannot capture structural patterns, because these architectures are not designed to model network graph topology. GNN-based federated approaches can preserve structural patterns but lose temporal patterns during parameter aggregation. Both are therefore ineffective against sophisticated coordinated attacks such as DDoS campaigns, whose detection requires understanding both structural relationships and temporal sequences across networks. This paper proposes FedGATSage, a federated learning architecture that integrates client-side Graph Attention Networks with server-side GraphSAGE through community abstraction to address both architectural and temporal limitations. The approach uses specialized detector variants for different attack types and preserves both structural and temporal attack patterns while protecting device identities through community-based embeddings. These community-based embeddings are designed to aggregate the information of groups of nodes at the client level before submission to the server, which reduces communication overhead by 85%. Extensive experiments on the NF-ToN-IoT and CIC-ToN-IoT datasets demonstrate that FedGATSage achieves performance comparable to centralized approaches while preserving privacy, significantly outperforming existing federated solutions and successfully detecting challenging coordinated attacks that current federated methods cannot handle.