XFedHunter: An Explainable Federated Learning Framework for Advanced Persistent Threat Detection in SDN
Huynh Thai Thi, Ngo Duc Hoang Son, Phan The Duy, Nghi Hoang Khoa, Khoa Ngo-Khanh, Van-Hau Pham

TL;DR
XFedHunter is an explainable federated learning framework designed for detecting advanced persistent threats in SDN, combining GNN and deep learning to improve detection accuracy while preserving privacy and providing explanations.
Contribution
The paper introduces XFedHunter, a novel federated learning framework that integrates explainability and graph neural networks for APT detection in SDN environments.
Findings
Enhanced detection accuracy on NF-ToN-IoT and DARPA datasets.
Improved trust and accountability in ML-based cybersecurity systems.
Effective identification of malicious events amidst normal network activity.
Abstract
Advanced Persistent Threat (APT) attacks are highly sophisticated and employ a multitude of advanced methods and techniques to target organizations and steal sensitive and confidential information. APT attacks consist of multiple stages and have a defined strategy, utilizing new and innovative techniques and technologies developed by hackers to evade security software monitoring. To effectively protect against APTs, detecting and predicting APT indicators with an explanation from Machine Learning (ML) prediction is crucial to reveal the characteristics of attackers lurking in the network system. Meanwhile, Federated Learning (FL) has emerged as a promising approach for building intelligent applications without compromising privacy. This is particularly important in cybersecurity, where sensitive data and high-quality labeling play a critical role in constructing effective machine…
Taxonomy
Topics: Network Security and Intrusion Detection · Information and Cyber Security · Software-Defined Networks and 5G
Methods: Graph Neural Network
