FedDICE: A ransomware spread detection in a distributed integrated clinical environment using federated learning and SDN based mitigation

TL;DR

FedDICE is a privacy-preserving federated learning framework integrated with SDN to detect and mitigate ransomware spread in distributed clinical environments, enabling collaborative security without sharing sensitive data.

Contribution

This paper introduces FedDICE, a novel federated learning-based approach combined with SDN for ransomware detection and mitigation in geographically distributed hospital networks.

Findings

FedDICE achieves detection performance comparable to centralized methods.

It demonstrates effective ransomware mitigation using SDN-based device removal.

Overhead in model training is increased, e.g., 28x for logistic regression.

Abstract

An integrated clinical environment (ICE) enables the connection and coordination of the internet of medical things around the care of patients in hospitals. However, ransomware attacks and their spread on hospital infrastructures, including ICE, are rising. Often the adversaries are targeting multiple hospitals with the same ransomware attacks. These attacks are detected by using machine learning algorithms. But the challenge is devising the anti-ransomware learning mechanisms and services under the following conditions: (1) provide immunity to other hospitals if one of them got the attack, (2) hospitals are usually distributed over geographical locations, and (3) direct data sharing is avoided due to privacy concerns. In this regard, this paper presents a federated distributed integrated clinical environment, aka. FedDICE. FedDICE integrates federated learning (FL), which is privacy-preserving learning, to SDN-oriented security architecture to enable collaborative learning, detection, and mitigation of ransomware attacks. We demonstrate the importance of FedDICE in a collaborative environment with up to four hospitals and four popular ransomware families, namely WannaCry, Petya, BadRabbit, and PowerGhost. Our results find that in both IID and non-IID data setups, FedDICE achieves the centralized baseline performance that needs direct data sharing for detection. However, as a trade-off to data privacy, FedDICE observes overhead in the anti-ransomware model training, e.g., 28x for the logistic regression model. Besides, FedDICE utilizes SDN's dynamic network programmability feature to remove the infected devices in ICE.