Network Intrusion Detection System Using Federated Machine Learning Approach
Network Intrusion Detection System Using Federated Machine Learning Approach
Volume 9, Issue 6, June – 2024 International Journal of Innovative Science and Research Technology
ISSN No:-2456-2165 https://doi.org/10.38124/ijisrt/IJISRT24JUN030
Network Intrusion Detection System using
Federated Machine Learning Approach
R Padmashani1; Harshan R.2; Logeshwaran C.3; Srikrishna R.4; Vijay Sundar5
Department of Information Technology,
PSG College of Technology
Abstract:- In the quickly changing digital world of today, making them ideal for identifying subtle anomalies in network
protecting oneself from cyberattacks is crucial. This study traffic. BiLSTM excels at capturing temporal dependencies and
presents a novel method that uses TensorFlow Federated context from both past and future data points, enabling IDSs to
(TFF) Learning to merge BiLSTM and DNN architectures, detect sophisticated intrusion patterns that evolve over time.
improving the precision and effectiveness of intrusion
detection systems (IDS). TFF offers a major paradigm By integrating DNN and BiLSTM models into the IDS
change in model training by enabling decentralized framework and leveraging parallel training techniques, a more
learning on several servers or devices. TFF provides IDS robust and efficient Intrusion Detection System can be created.
with collective intelligence by fostering collaborative These deep learning architectures complement each other,
learning on remote data sources while protecting data allowing IDSs to effectively capture spatial and temporal
privacy. This improves detection accuracy and strengthens features in network traffic data. Additionally, parallel training
defenses against adversarial attacks. By utilizing enables the models to learn concurrently, accelerating the
TensorFlow Federated methods, IDS may run DNN and overall training process and enhancing the system's ability to
BiLSTM models concurrently, maximizing processing adapt to changing cyber threats. In addition to enhancing
speed and resource efficiency. The system's capacity to detection accuracy and resilience against adversarial attacks,
manage high-throughput data streams is ensured by this this collaborative approach also optimizes resource utilization
concurrent execution, which speeds up threat detection and and processing speed, ensuring timely threat detection and
response. Moreover, information sharing and smooth response. The project also explores potential applications for
integration between concurrent processes are made possible the enhanced IDS across diverse sectors including Banking,
via synchronization and communication protocols. The Finance, Healthcare, Defense, and E-commerce, underscoring
cooperative synergy between the various models improves its versatility and significance in safeguarding critical digital
IDS's dependability and efficacy in thwarting emerging assets within an interconnected digital landscape.
cyberthreats.
II. EXISTING WORKS
I. INTRODUCTION
In his research, Muhammad Ashfaq Khan [1] proposed the
In the fast-paced world of digital technology, defending use of a Convolutional Recurrent Neural Network (CRNN) to
against cyber threats is a critical endeavor. Traditional Intrusion develop a deep learning-based hybrid intrusion detection
Detection Systems (IDS) often struggle to keep pace with the system that can identify and classify potentially dangerous
rapidly evolving threat landscape. To address this challenge, network intrusions. The CSE-CIC- DS2018 [2] intrusion
this project proposes an innovative approach that integrates dataset was utilized to train the suggested methodology.
BiLSTM and DNN architectures within the IDS framework Utilizing the HCRNN methodology and a few common
using TensorFlow Federated (TFF) Learning. classification techniques like Logistic Regression, Decision
Tree, XGBoost, etc., the proposed Intrusion Detection system
TensorFlow Federated (TFF) represents a paradigm shift was put into practise.
in model training, enabling decentralized learning across
diverse devices or servers. By fostering collaborative learning In a paper by Javed Asharf et al. [3], the researchers sought
on distributed data sources while ensuring data privacy, TFF to give a thorough analysis of the technologies, protocols,
empowers IDS with collective intelligence. This collaborative architecture, and dangers that arise from hacked Internet of
approach enhances detection accuracy and fortifies resilience Things devices as well as an overview of intrusion detection
against adversarial attacks. Deep learning architectures, such as methods. The examination of several machine learning and
Deep Neural Networks (DNN) and Bidirectional Long Short- deep learning-based methodologies appropriate to identify IoT
Term Memory (BiLSTM), play a crucial role in the devices vulnerable to cyberattacks is also included in this paper.
development of the IDS. DNNs are well-suited for capturing The problem is that there isn't a common mechanism that
complex patterns and relationships within large-scale datasets, ensures the suggested systems' or method's validity. The
IJISRT24JUN030 www.ijisrt.com 212
Volume 9, Issue 6, June – 2024 International Journal of Innovative Science and Research Technology
ISSN No:-2456-2165 https://doi.org/10.38124/ijisrt/IJISRT24JUN030
majority of research studies provide assessment of the hidden signs of assaults, which will have an impact on the final
suggested systems using simulated datasets, which may not be profile that is derived.
applicable to real- world situations with actual data and other
challenges. Six Machine learning-based IDSs were suggested by
Bhavani et al. [9] utilizing the algorithms K Nearest Neighbour,
In a research published by Congyuan Xu et al [4], the traits Random Forest, Gradient Boosting, Adaboost, Decision Tree,
of the time-related incursion were taken into account. Recurrent and Linear Discriminant Analysis. The dataset CSE-CIC-
neural networks with gated recurrent units (GRU), multilayer IDS2018 [10] was utilized. Additionally unbalanced is the
perceptrons (MLP), and softmax modules make up a unique chosen dataset. Bias towards the dominant class results from
IDS that has been presented. The suggested solution was unbalanced datasets, and in certain extreme cases, minority
developed using the NSL-KDD [5] and KDD Cup 99 [6] classes are overlooked. These minority groups, nevertheless,
datasets. The theoretical verification is mostly responsible for are often advantageous ones. Therefore, the imbalance ratio is
the suggested system's limitations in this study. decreased by employing a synthetic data generation model
called Synthetic Minority Oversampling Technique (SMOTE)
On Coburg Intrusion Detection Datasets (CIDDS), Niraj in order to boost the efficiency of the system depending on
Thapa et al [7] presented a comparative study of several ML attack types and to decrease missed incursions and false alarms.
models and DL models. On the CIDDS dataset, various ML and The suggested technique significantly boosted the detection rate
DL-based models have first been contrasted. Second, a model for infrequent incursions, according to experimental data.
ensemble combining the top ML and DL models is suggested
to obtain high- performance metrics. Finally, using the Alqahtani et al [11] employed various popular Machine
CICIDS2017 dataset, the best models are compared to the most learning classification algorithms, namely Bayesian Network,
current models. The primary disadvantage would be that Naive Bayes classifier, Decision Tree, Random
different sorts of assaults are not included in the dataset utilized.
It does not provide defenses against complex adversarial Decision Forest, Random Tree, Decision Table, and
assaults. Artificial Neural Network to detect intrusions. Finally, the
effectiveness of various experiments on Cybersecurity datasets
Moving towards dynamically created datasets that not having several categories of cyber attacks were tested and
only represent the traffic compositions and intrusions of the evaluated on the effectiveness of the performance metrics,
moment but are also changeable, expandable, and repeatable is precision, recall, F1 score, and accuracy.
important as network behaviors and patterns change and
intrusions grow. Ali Shiravi et al. [8] established a methodical Variational autoencoders (VAE) were suggested as a
method in this research to create the needed datasets to meet technique by Jinwon [12] for anomaly identification. A
this demand. For HTTP, SMTP, SSH, IMAP, POP3, and FTP, probabilistic graphical model called a variational autoencoder
genuine traces are analyzed to establish profiles for agents that combines DL with variational inference. By taking into
produce real traffic. consideration the idea of variability, the reconstruction
probability combines the variational autoencoder's probabilistic
A profile consists of an abstract representation of various traits. Compared to the reconstruction error of autoencoder and
features and events to make it simpler to recreate particular real- Principal Component Analysis (PCA) based approaches, the
world behaviors as seen from the network. Then, agents or reconstruction probability is a probability measure, making it a
human operators use these profiles to create network events. far more objective and principled anomaly score. The suggested
Two broad classes of profiles are and profiles try to describe an technique outperforms autoencoder and PCA-based algorithms,
attack scenario as precisely as possible. The simplest case is that according to experimental data. It is also feasible to deduce the
individuals can comprehend these profiles and subsequently reconstruction of the data to study the underlying cause of the
take appropriate action. Compilers and autonomous agents anomaly because of its generative properties.
would be employed to interpret and perform these scenarios in
a perfect world. Profiles are techniques with pre and post In order to create a flexible and effective IDS to identify
conditions that include mathematical distributions or behaviors and categorize unanticipated and unpredictable cyberattacks,
of certain entities that have been extracted. Examples include Vinayakumar et al.
how often a protocol uses different packet sizes, how many
packets are in a flow, and certain patterns. [13] investigated a Deep Neural Network (DNN), a type
of Deep learning model. The fast growth of attacks and the
The requirement to initially construct and then run profiles ongoing change in network behaviour need the evaluation of
causes complications. Profiles need a specialized understanding multiple datasets that have been produced over time using both
of how an assault is put together. Filtered network traces are static and dynamic methods. This study makes it easier to
needed for the production of -profiles but they might not be identify the best algorithm for reliably identifying upcoming
readily available. Some of this routine traffic may contain threats. A thorough analysis of DNN and other traditional
IJISRT24JUN030 www.ijisrt.com 213
Volume 9, Issue 6, June – 2024 International Journal of Innovative Science and Research Technology
ISSN No:-2456-2165 https://doi.org/10.38124/ijisrt/IJISRT24JUN030
machine learning classifier studies is presented using a variety latency is much reduced. Here, agents work together to jointly
of publicly accessible benchmark malware datasets, such as the detect and analyse, enabling informed decision-making.
KDDCup 99 dataset. Through the use of hyperparameter Effective intrusion detection was accomplished using an
selection methods and the KDDCup 99 dataset, the best ensemble data mining methodology. With the help of numerous
network parameters and topologies for DNNs are determined. modules in the design, the system is capable of responding to
fresh threats in the future. The agents' autonomy allows them to
An agent-based distributed intrusion detection system quickly replace a broken agent, which makes for a good fault
architecture was put out in this study by Riyad et al [10]. Mobile tolerance mechanism. The JADE platform for mobile agents
agents are used by the system for analysis and detection. Since was used for the studies, and the outcomes are quite
the process now travels to the data for analysis, the network encouraging.
III. PROPOSED METHODOLOGY FOR NETWORK INTRUSION DETECTION SYSTEM
Fig 1: Proposed Methodology
Dataset Description
The project aims to enhance network security through the contains 12 classes of traffic including 11 attack classes and one
development of robust intrusion detection systems using normal class.
Federated Machine Learning and techniques. To achieve this
goal, the project utilizes two benchmark datasets: the NSL- Dataset Preprocessing
KDD dataset and the IEC 60870-5-104 dataset. For each traffic The preprocess function which is common for both the
record in the NSL-KDD dataset, there are 41 features and one datasets defines a nested function called map_fn, which maps
category tag, including basic features, information, and traffic each dataset element to an Ordered Dictionary with features (x)
features. Attacks in the database are classified into four types of and labels (y). The features are cast to float64 using TensorFlow
attacks according to their characteristics: DoS (Denial of operations, and the labels are then reshaped appropriately. From
Service Attacks), R2L (Root to Local Attacks), U2R (User to the input DataFrame, the function creates a TensorFlow dataset
Root Attack) and Probe (Test Attacks). For each traffic record by repeating it over epochs multiple epochs, batching the data,
in the IEC Dataset, there are 83 features and one label tag. In prefetching batches to increase performance, and rearranging
the dataset there are two types of the labels, which are normal the data with a given buffer size. After applying this
and anomaly. The training data as well as the testing data preprocessing function to a list comprehension, the function
samples data points from the training set to create pre-processed
IJISRT24JUN030 www.ijisrt.com 214
Volume 9, Issue 6, June – 2024 International Journal of Innovative Science and Research Technology
ISSN No:-2456-2165 https://doi.org/10.38124/ijisrt/IJISRT24JUN030
datasets for multiple clients. This is common in federated In this federated learning process, as illustrated in Figure
learning, in which every client might have a local training 2, each client conducts multiple local epochs of training on its
dataset of its own. Overall, the code ensures data consistency data, represented by the dashed arrows. The model parameters
and effective processing across multiple clients by establishing are initialized beforehand, ensuring consistency across client
a strong preprocessing pipeline appropriate for federated devices. Meanwhile, the central server initiates with an initial
learning scenarios. model, serving as a starting point for the collaborative learning
process. After each training round, updates from client devices
Intrusion Detection using Federated Learning are transmitted to the server, where they are aggregated by
In a federated learning setup, K clients act as gateways for computing the average of model parameters, as depicted by the
monitored systems, training local models individually. Each of solid arrow leading to the "Average Weights" step. This
these K models, denoted as 𝑘=1.., shares an identical structure, aggregation mechanism ensures that individual client
meaning they possess the same number of layers and neurons contributions are integrated into the global model while
per layer. They are, however, trained on separate datasets preserving data privacy. Subsequently, the updated global
provided by their connected clients. model is refined on the server, incorporating the aggregated
updates, before being redistributed to all client devices for
As a result, the available user clients will be used to train further training rounds. This iterative exchange of model
the data locally and compute the update updates continues until the model achieves the desired
performance metrics, facilitating collaborative learning across
to the server's shared global model, which will aggregate distributed data sources while addressing privacy concerns and
all of the updates from the distributed devices and compute regulatory requirements.
weight using the Federated Averaging algorithm in the
Equation (1). IV. RESULT ANALYSIS
The results obtained evaluation of the federated learning
model on both the IEC and NSL-KDD datasets reveals
(1)
promising performance in network intrusion detection. The
purpose of using federated learning in NIDS is to enhance the
In this formula, is the size of the partition of client k
overall security posture by leveraging distributed data sources
such that n is the sum of all partitions. Further , is the local without compromising data privacy. The below are the obtained
weight of client k which is averaged over the summation. results:
Federated Aggregation of the Local Weight Updates into
the Master Model
Fig 2: Federated Averaging
IJISRT24JUN030 www.ijisrt.com 215
Volume 9, Issue 6, June – 2024 International Journal of Innovative Science and Research Technology
ISSN No:-2456-2165 https://doi.org/10.38124/ijisrt/IJISRT24JUN030
Table 1: Results of IEC Dataset
Fig. 3 Accuracy of IEC Dataset
Table 2: Training Results on NSL KDD Dataset
IJISRT24JUN030 www.ijisrt.com 216
Volume 9, Issue 6, June – 2024 International Journal of Innovative Science and Research Technology
ISSN No:-2456-2165 https://doi.org/10.38124/ijisrt/IJISRT24JUN030
Fig 4: Training Accuracy of NSL KDD Dataset
Fig 5: Training Precision of NSL KDD Dataset
Table 3: Testing Results on NSL KDD Dataset
IJISRT24JUN030 www.ijisrt.com 217
Volume 9, Issue 6, June – 2024 International Journal of Innovative Science and Research Technology
ISSN No:-2456-2165 https://doi.org/10.38124/ijisrt/IJISRT24JUN030
Table 4: Overall Result Analysis
The model achieved high accuracy rates, reaching 99.71% network traffic data. Additionally, optimizing the federated
on the IEC dataset and a 95.43% on the NSL-KDD dataset in a learning process by fine tuning communication protocols and
binary classification setting with two classes. Accuracy is a implementing strategies for efficient model aggregation will
critical metric in NIDS as it measures the overall correctness of further improve the system's scalability and performance.
the model's predictions. When considering the impact of client Moreover, integrating real-time threat intelligence feeds and
numbers on the NSL-KDD dataset, the accuracy slightly implementing adaptive learning mechanisms would enable the
decreased from 95.43% with two clients to 88.38% with five IDS to dynamically adjust its detection capabilities in response
clients and 90.31% with ten clients, highlighting potential to emerging cyber threats. These enhancements collectively
challenges with increased client heterogeneity. Recall, which strengthen the effectiveness and reliability of the Intrusion
measures the ability of the model to identify all relevant Detection System, ensuring robust cybersecurity defenses for
instances, remained consistently high, demonstrating the organizations in the face of evolving security challenges.
model's effectiveness in detecting intrusions. Precision, which
measures the proportion of true positives among all positive REFERENCES
predictions, and F1 Score, which combines precision and recall,
are crucial for assessing the model's performance in minimizing [1]. Muhammad Ashfaq khan,” HCRNNIDS: Hybrid
false alarms while maximizing the detection of actual Convolutional Recurrent Neural Network-Based
intrusions. Network Intrusion Detection System”,pp 6-8
[2]. Zhang, Chen, et al. "A survey on federated learning."
V. CONCLUSION AND FUTURE ENHANCEMENT Knowledge-Based Systems 216 (2021): 106775.
[3]. Javed Asharf ,Nour Moustafa , Hasnat Khurshid ,Essam
The integration of BiLSTM and DNN architectures Debie ,Waqas Haider ,Abdul Wahab,"A Review of
through TensorFlow Federated learning in this project Intrusion Detection Systems Using Machine and Deep
represents a significant breakthrough in Intrusion Detection Learning in Internet of Things: Challenges, Solutions
Systems (IDS). By leveraging decentralized learning and and Future Directions",pp 12-26
collaborative intelligence, this approach enhances the accuracy [4]. Conguyan Xu, Jizhong Shen ,Xin Du, Fan Zhang,”An
and efficacy of detecting cyber threats. The BiLSTM Intrusion Detection System Using a Deep Neural
component captures bidirectional dependencies, enabling the Network With Gated Recurrent Units”,pp 4-9
system to analyze past and future contextual information, while [5]. Li, Li, et al. "A review of applications in federated
DNNs excel in identifying complex patterns within datasets. learning." Computers & Industrial Engineering 149
Through TensorFlow Federated learning, the IDS efficiently (2020): 106854.
processes data across distributed sources, enhancing scalability [6]. Mammen, Priyanka Mary. "Federated learning:
and enabling timely threat detection. Opportunities and challenges." arXiv preprint
arXiv:2101.05428 (2021).
The system's ability to adapt and learn from decentralized [7]. AL-barakati, Niraj Thapa, Saigo Hiroto , Kaushik Roy ,
data sources ensures continuous improvement in threat Robert H. Newman , Dukka KC, “RF-MaloSite and DL-
detection capabilities, making it a valuable asset for Malosite: Methods based on random forest and deep
safeguarding digital infrastructures against evolving security learning to identify malonylation sites”, pp 8-20
challenges. Major area to focus on for advancing this project [8]. Ali Shiravi, Hadi Shiravi, Mahbod Tavallaee, Ali A.
involves refining the model's architecture to integrate more Ghorbani,”Toward developing a systematic approach to
sophisticated deep learning techniques. Exploring innovative generate benchmark datasets for intrusion detection”, pp
approaches for feature extraction and representation learning 2-14
can enhance the IDS's ability to detect subtle anomalies in
IJISRT24JUN030 www.ijisrt.com 218
Volume 9, Issue 6, June – 2024 International Journal of Innovative Science and Research Technology
ISSN No:-2456-2165 https://doi.org/10.38124/ijisrt/IJISRT24JUN030
[9]. Lei Wang, Latifur Khan and Bhavani
Thuraisingham,”An Effective Evidence Theory based
K-nearest Neighbor (KNN) classification”,pp 3-12
[10]. Rieke, Nicola, et al. "The future of digital health with
federated learning." NPJ digital medicine 3.1(2020): 17.
[11]. Hamed Alqahtani, Iqbal H. Sarker,Asra Kalim,Syed
Mohammod ,Minhaz Hossain,”Cyber Intrusion
Detection Using Machine Learning Classification
Techniques”,pp 4-10
[12]. Jinwon An, Sungzoon Cho, “Variational Autoencoder
based Anomaly Detection using Reconstruction
Probability”,pp 5
[13]. Li, Qinbin, Bingsheng He, and Dawn Song. "Model-
contrastive federated learning." Proceedings of the
IEEE/CVF conference on computer vision and pattern
recognition. 2021
