LegionITS: A Federated Intrusion-Tolerant System Architecture
Tadeu Freitas, Carlos Novo, Manuel E. Correia, Rolando Martins

TL;DR
LegionITS introduces a federated architecture for intrusion-tolerant cyber defense that enables secure, privacy-preserving sharing of threat intelligence among entities, improving collective security against sophisticated cyberattacks.
Contribution
The paper proposes a novel federated system architecture combining intrusion tolerance and privacy-preserving data sharing, validated through a differential privacy-enhanced federated learning module.
Findings
Achieved a manageable accuracy drop from 98.42% to 85.98% with differential privacy.
Demonstrated effective detection of compromised messages in a privacy-preserving setting.
Established a foundation for secure, collaborative cyber defense systems.
Abstract
The growing sophistication, frequency, and diversity of cyberattacks increasingly exceed the capacity of individual entities to fully understand and counter them. While existing solutions, such as Security Information and Event Management (SIEM) systems, Security Orchestration, Automation, and Response (SOAR) platforms, and Security Operation Center (SOC), play a vital role in mitigating known threats, they often struggle to effectively address emerging and unforeseen attacks. To increase the effectiveness of cyber defense, it is essential to foster greater information sharing between entities; however, this requires addressing the challenge of exchanging sensitive data without compromising confidentiality or operational security. To address the challenges of secure and confidential Cyber Threat Intelligence (CTI) sharing, we propose a novel architecture that federates Intrusion…
Taxonomy
Topics: Network Security and Intrusion Detection · Advanced Malware Detection Techniques · Privacy-Preserving Technologies in Data
