Federated Learning Approaches Towards Intrusion Detection in Industrial Internet of Things
Xabier Sáez De Cámara
- DIRECTORS: Urko Zurutuza and Cristóbal Arellano
- UNIVERSITY: Mondragon Unibertsitatea
Intrusion detection refers to methods for determining whether a computer system or network has been compromised or is currently under attack. Multiple types of intrusion detection systems exist, distinguished by the technologies used for threat detection and by the environment or devices in which they are intended to be deployed. This thesis is framed in the context of machine learning (ML) techniques applied to intrusion detection in Internet of Things (IoT) settings. This is a timely line of research because, despite the benefits and pervasiveness of IoT, several vulnerabilities and poor security practices have led to malware specifically designed to target and exploit the IoT ecosystem.
In particular, this thesis explores federated learning (FL) approaches, a relatively new ML training framework especially suitable for distributed settings such as IoT. In short, FL is an ML training paradigm whose objective is to train a model across multiple collaborating clients while keeping the training dataset local and private to each device, thereby addressing the data privacy, availability and communication cost concerns that arise in traditional cloud or edge ML model training methods. While FL has been successfully applied to many practical settings, including next-word prediction for mobile keyboards and voice classification, to name a few, its application to IoT security has not been as widely researched. Moreover, this setting presents significant gaps and challenges that have served as motivation for this thesis, including the scarcity of public IoT security datasets for ML training purposes specifically designed for FL experimentation, the cost of data labeling, the high heterogeneity of IoT deployments, which can hinder FL model training convergence, and the need for explainability to address the black-box nature of many ML models, which is crucial to increase security analysts' trust in these techniques but presents additional issues in FL settings.
While those are not the only challenges, this thesis presents three main contributions towards reducing these gaps. First, we develop an emulated testbed to generate datasets in a reproducible, extendable and shareable way, specifically designed to allow FL experimentation. The testbed presents many threat models, including real malware samples. Then, we present an FL architecture for unsupervised network anomaly detection that addresses the high heterogeneity of IoT deployments by using an automatic client clustering technique integrated into the FL process. Finally, we propose a methodology to incorporate an explainability layer on top of the unsupervised anomaly detection models that uses FL techniques to characterize, group, summarize and auto-label the detected anomalies throughout the federated network.