A Clustering Strategy for Enhanced FL-Based Intrusion Detection in IoT Networks

TL;DR

This paper introduces a three-tier federated learning architecture with entropy-based clustering for IoT intrusion detection, significantly improving detection performance and reducing training rounds compared to traditional FL methods.

Contribution

The paper presents a novel entropy-based clustering strategy within a three-tier FL framework to address data heterogeneity in IoT intrusion detection.

Findings

F1-score improved by up to 17% with clustering

Reduced number of training rounds needed

Enhanced intrusion detection performance

Abstract

The Internet of Things (IoT) is growing rapidly and so the need of ensuring protection against cybersecurity attacks to IoT devices. In this scenario, Intrusion Detection Systems (IDSs) play a crucial role and data-driven IDSs based on machine learning (ML) have recently attracted more and more interest by the research community. While conventional ML-based IDSs are based on a centralized architecture where IoT devices share their data with a central server for model training, we propose a novel approach that is based on federated learning (FL). However, conventional FL is ineffective in the considered scenario, due to the high statistical heterogeneity of data collected by IoT devices. To overcome this limitation, we propose a three-tier FL-based architecture where IoT devices are clustered together based on their statistical properties. Clustering decisions are taken by means of a novel entropy-based strategy, which helps improve model training performance. We tested our solution on the CIC-ToN-IoT dataset: our clustering strategy increases intrusion detection performance with respect to a conventional FL approach up to +17% in terms of F1-score, along with a significant reduction of the number of training rounds.