Incremental Federated Learning for Intrusion Detection in IoT Networks under Evolving Threat Landscape

TL;DR

This paper evaluates incremental federated learning with LSTM models for IoT intrusion detection, addressing concept drift and resource constraints to improve long-term detection performance in evolving threat landscapes.

Contribution

It introduces and analyzes incremental federated learning strategies with LSTM models for non-stationary IoT intrusion detection, emphasizing resource efficiency and robustness against concept drift.

Findings

Cumulative incremental learning offers stable performance under drift.

Retention-based methods balance accuracy and latency effectively.

Representative learning enhances long-term detection stability.

Abstract

The expansion of Internet of Things (IoT) devices has increased the attack surface of networks, necessitating a robust and adaptive intrusion detection systems. Machine learning based systems have been considered promising in enhancing the detection performance. Federated learning settings enabled us to train models from network intrusion data collected from clients in a privacy preserving manner. However, the effectiveness of these systems can degrade over time due to concept drift, where patterns in data evolve as attackers develop new techniques. Realistic detection models should be non-stationary, so they can be continuously updated with new intrusion data while maintaining their detection capability for older data. As IoT environments are resource constrained, updates should consume minimal computational resources. This study provides a comprehensive performance analysis of incremental federated learning in enhancing the long term performance of non stationary IDS models in IoT networks. Specifically, we propose LSTM models within a federated learning setting to evaluate incremental learning approaches that utilize data and model-based measures against catastrophic learning under drift conditions. Using the CICIoMT2024 dataset, which includes various attack variants across five major categories, we conduct both binary and multiclass classification to provide a granular analysis of the intrusion detection task. Our results show that cumulative incremental learning and representative learning provide the most stable performance under drift, while retention-based methods offer a strong accuracy and latency trade off. The study offers new insights into the interplay between training strategy performance and latency in dynamic IoT environments, aiming to inform the development of more resilient IDS solutions considering the resource constraints in IoT devices.