FedDef: Defense Against Gradient Leakage in Federated Learning-based Network Intrusion Detection Systems
Jiahui Chen, Yi Zhao, Qi Li, Xuewei Feng, Ke Xu

TL;DR
This paper evaluates privacy vulnerabilities in federated learning-based network intrusion detection systems and introduces FedDef, a novel defense strategy that significantly enhances privacy protection while maintaining high model utility.
Contribution
The paper systematically assesses existing privacy defenses in FL-based NIDS and proposes FedDef, an optimization-based input perturbation method with theoretical guarantees for improved privacy and utility.
Findings
Existing defenses offer limited privacy protection.
Adversarial traffic can evade state-of-the-art NIDS.
FedDef outperforms baselines with up to 7x higher privacy score.
Abstract
Deep learning (DL) methods have been widely applied to anomaly-based network intrusion detection system (NIDS) to detect malicious traffic. To expand the usage scenarios of DL-based methods, federated learning (FL) allows multiple users to train a global model on the basis of respecting individual data privacy. However, it has not yet been systematically evaluated how robust FL-based NIDSs are against existing privacy attacks under existing defenses. To address this issue, we propose two privacy evaluation metrics designed for FL-based NIDSs, including (1) privacy score that evaluates the similarity between the original and recovered traffic features using reconstruction attacks, and (2) evasion rate against NIDSs using adversarial attack with the recovered traffic. We conduct experiments to illustrate that existing defenses provide little protection and the corresponding adversarial…
Taxonomy
Topics: Network Security and Intrusion Detection · Internet Traffic Analysis and Secure E-voting · Privacy-Preserving Technologies in Data
