INTELLECT: Adapting Cyber Threat Detection to Heterogeneous Computing Environments

TL;DR

INTELLECT presents a comprehensive approach combining feature selection, pruning, fine-tuning, and knowledge distillation to adapt federated learning-based intrusion detection models for heterogeneous, resource-constrained cyber environments.

Contribution

It introduces a novel pipeline that dynamically adapts pre-trained ML models for IDSs in diverse and limited-resource settings, addressing deployment and privacy challenges.

Findings

Enhanced traffic classification accuracy through feature selection and pruning.

Effective model adaptation with knowledge distillation preserves historical knowledge.

Demonstrated resource-efficient deployment on heterogeneous devices.

Abstract

The widespread adoption of cloud computing, edge, and IoT has increased the attack surface for cyber threats. This is due to the large-scale deployment of often unsecured, heterogeneous devices with varying hardware and software configurations. The diversity of these devices attracts a wide array of potential attack methods, making it challenging for individual organizations to have comprehensive knowledge of all possible threats. In this context, powerful anomaly detection models can be developed by combining data from different parties using Federated Learning. FL enables the collaborative development of ML-based IDSs without requiring the parties to disclose sensitive training data, such as network traffic or sensor readings. However, deploying the resulting models can be challenging, as they may require more computational resources than those available on target devices with limited capacity or already allocated for other operations. Training device-specific models is not feasible for an organization because a significant portion of the training data is private to other participants in the FL process. To address these challenges, this paper introduces INTELLECT, a novel solution that integrates feature selection, model pruning, and fine-tuning techniques into a cohesive pipeline for the dynamic adaptation of pre-trained ML models and configurations for IDSs. Through empirical evaluation, we analyze the benefits of INTELLECT's approach in tailoring ML models to the specific resource constraints of an organization's devices and measure variations in traffic classification accuracy resulting from feature selection, pruning, and fine-tuning operations. Additionally, we demonstrate the advantages of incorporating knowledge distillation techniques while fine-tuning, enabling the ML model to consistently adapt to local network patterns while preserving historical knowledge.