Federated Intrusion Detection

• Federated intrusion detection is a system where multiple entities train local models on private data and share updates to build a global intrusion detection model.
• It leverages advanced ML architectures and aggregation algorithms like FedAvg and FedProx to achieve robust, scalable, and privacy-preserving anomaly detection.
• The approach addresses challenges such as non-IID data, adversarial attacks, and communication constraints, enabling resilient cyber defense across diverse environments.

Federated intrusion detection denotes collaborative intrusion detection systems (IDS) where distributed devices or organizations jointly learn detection models without centralizing raw data. This paradigm leverages federated learning (FL) as the core computational methodology, supporting cross-device, cross-silo, and hierarchical architectures for privacy-preserving, resilient, and scalable IDS. FL-based IDS have gained traction in settings ranging from IoT networks, cyber-physical systems, and vehicular environments to industry/enterprise deployments, addressing the dual imperatives of privacy and operational robustness. The following sections systematize the field based on recent research, with particular attention to methodological advances, privacy mechanisms, heterogeneity solutions, operational protocols, and limitations.

1. Federated Intrusion Detection: Problem Scope and Core Principles

The canonical federated intrusion detection problem involves $K$ clients (devices, vehicles, gateways, or silos), each holding private telemetry or traffic datasets $D_k=\{(x_i^k, y_i^k)\}_{i}$, with $x_i^k\in \mathbb{R}^d$ denoting network features and $y_i^k$ the (local) ground truth label. Raw network traffic or audit logs remain strictly local. Clients periodically synchronize local model updates (parameters or intermediate representations) via a protocol such as FedAvg. The global model is typically formulated as: $$\min_{w}\;F(w)=\sum_{k=1}^K \frac{n_k}{n} F_k(w),\qquad F_k(w)=\frac{1}{n_k}\sum_{i=1}^{n_k} \ell(w;x_i^k, y_i^k)$$ where $n_k = |D_k|$ and $n = \sum_k n_k$ (Belenguer et al., 2022, Hernandez-Ramos et al., 2023).

Federated IDS realize distributed detection across diverse settings:

• IoT/IIoT: resource-constrained devices monitor flows, collaborate via FL for anomaly or misuse detection (Belarbi et al., 2023, Izadi et al., 31 Oct 2025).
• Vehicular & FANETs: connected and autonomous vehicles (CAVs), UAVs, and their infrastructure share models to detect V2X, CAN, AODV, or GPS spoofing attacks (S et al., 30 Dec 2025, Ceviz et al., 22 Jan 2025).
• Enterprise/sectoral silos: multiple organizations or business units align detection models without exposing sensitive internal logs (Chennoufi et al., 7 Jul 2025, Belenguer et al., 2022).
• Mobile/Android ecosystems: device-local system call traces support federated anomaly detection under non-IID behavior (Nair et al., 19 Jun 2025).

Key operational principles include privacy preservation (no raw data sharing), model/representation alignment to address data heterogeneity, communication-efficient synchronization, and scalable handling of adversarial, unreliable, or straggler clients.

2. Machine Learning Architectures and Aggregation Algorithms

Federated IDS research utilizes a repertoire of deep, ensemble, hybrid, and unsupervised models:

• MLP, CNN, RNN, GRU, Transformer: Used for time-series/sequential modeling, e.g., MLPs for tabular flow features, GRUs for system-call analysis, and lightweight transformer encoders for vehicular data streams (S et al., 30 Dec 2025, Nair et al., 19 Jun 2025, Belarbi et al., 2023).
• Ensemble/Hybrid Models: Combine multiple learners for robustness, e.g., hybrid KNN-RF ensembles (Chatterjee et al., 2021), dual-model KD-based architectures (personalized teacher/student) (Singh et al., 27 Oct 2025), or GBDT-based interpretable frameworks (Dong et al., 2022).
• Prototype/Semantics-based Models: Use semantic or prototype alignment—such as Tri-LLM semantic embeddings (Jamshidi et al., 30 Jan 2026) or learned attack-class prototypes (PROTEAN) (Chennoufi et al., 7 Jul 2025)—for zero-shot and open-set detection.
• Unsupervised Methods: Clustering-based FL (federated K-means, silhouette-based voting (Gourceyraud et al., 28 Mar 2025)), one-class anomaly detection via autoencoders and centroid-based scoring (Nguyen et al., 2024).

Aggregation protocols include:

Aggregation Rule	Mathematical Formulation	Main Use
FedAvg	$w^{t+1} = \sum_{k=1}^K (n_k/n) w_k^t$	Baseline for IID or mild skew
FedProx	Local: $\min_w F_k(w) + \frac{\mu}{2}\|w-w^t\|^2$	Non-IID, suppressing client drift
Knowledge Distillation	Server-side distillation over ensemble logit outputs; e.g., FLEKD (Shen et al., 2024)	Heterogeneity, label-missing
Trust-aware/FedSA	Client weighting by loss/trust (Jamshidi et al., 30 Jan 2026), hyperparameter adaptation (Neto et al., 2022)	Client reliability, fast convergence

Examples of advanced strategies include dynamic trust-weighted updates for robustness against noisy/compromised clients (Jamshidi et al., 30 Jan 2026), metaheuristic-driven hyperparameter and client subset search via simulated annealing (Neto et al., 2022), bidirectional knowledge distillation with feature alignment for extreme heterogeneity (Singh et al., 27 Oct 2025), or mean square error–based weighting for unsupervised/semi-supervised training (Nguyen et al., 2024).

3. Addressing Data, System, and Semantic Heterogeneity

Real-world non-IID conditions manifest in both sample- and feature-space disparity: clients may observe differing attack distributions, modalities, or feature schemas. Mitigation techniques include:

• Prototype & Semantic Supervision: Tri-LLM semantic prototypes (averaged embeddings from GPT-4o, DeepSeek-V3, LLaMA-3-8B) guide network feature space alignment to abstract attack intent and symptoms, with inter-LLM disagreement modeling epistemic uncertainty in zero-day detection (Jamshidi et al., 30 Jan 2026). Prototype sharing (e.g., class means in the embedding space) enables direct cross-silo transfer—even enabling zero-shot attribution in clients with no local examples of a class (Chennoufi et al., 7 Jul 2025).
• Ensemble Knowledge Distillation: FLEKD aggregates heterogeneous client models via teacher-student logits, dynamically reweighting teachers by proxy-set performance to bias toward statistically representative or high-performing clients (Shen et al., 2024).
• Hierarchical FL Architectures: Mist-Edge-Fog-Cloud frameworks perform local feature abstraction (Mist), utility-based client selection (Edge), regional non-IID stabilization (Fog/FedProx), and global aggregation (Cloud) (Izadi et al., 31 Oct 2025).
• Personalization & Adaptation: Dual-model architectures assign a client-specific high-capacity teacher and a lightweight student (the only globally aggregated component): this decouples local adaptation from global regularization (Singh et al., 27 Oct 2025).
• Pre-training and Model Alignment: Initializing federated models with public/synthetic traffic pre-training harmonizes subsequent local updates, mitigating divergence and boosting minority-class handling (Belarbi et al., 2023).

These approaches demonstrably improve performance and convergence, even under Dirichlet-sampled partitions with extreme class imbalance or partial participation (Chennoufi et al., 7 Jul 2025, Shen et al., 2024, Singh et al., 27 Oct 2025).

4. Privacy, Security, and Robustness Mechanisms

Federated intrusion detection inherently elevates privacy by design: only model updates, logit vectors, or prototypes are shared. Recent works further harden privacy and security by:

• Differential Privacy (DP): Clients noise their updates, e.g., using Gaussian or Laplace mechanisms on gradients or softmax encodings (S et al., 30 Dec 2025, Dong et al., 2022). Epsilon-delta budgets are formally tracked via Rényi accounting.
• Secure Aggregation: Homomorphic encryption or Secure Multi-Party Computation (SMPC) is layered onto protocol to shield model updates from server inspection (Chaudhary et al., 24 Sep 2025).
• Trust/Quality-based Aggregation: Clients are weighted or filtered by alignment loss, utility, or ROC-AUC, reducing impact of unreliable, compromised, or poisoned updates (Jamshidi et al., 30 Jan 2026, Izadi et al., 31 Oct 2025, Belenguer et al., 2022).
• Interpretable and Audit-friendly Models: Approaches based on GBDT (FedForest), model distillation, or explicit prototype exchange enable model introspection, traceability, and attack path explanation (Dong et al., 2022, Chennoufi et al., 7 Jul 2025).

Robustness to adversarial participation remains an active frontier: research highlights needs for Byzantine-robust aggregation, malicious prototype defense, and anomaly-aware or blockchain-backed client validation (Hernandez-Ramos et al., 2023, Chaudhary et al., 24 Sep 2025).

5. Zero-Shot and Open-Set Intrusion Detection

Traditional federated IDS presume closed-set classification, rendering them brittle to previously unseen (zero-day) attack behaviors. Current research pioneers open-set and zero-shot recognition via:

• Semantic Prototyping: LLM-derived semantic embeddings form attack-class prototypes; telemetry features are projected and scored by embedding-level similarity. LLM disagreement yields epistemic uncertainty, directly powering a zero-day risk metric (ZDS) (Jamshidi et al., 30 Jan 2026).
• Prototype-based Alignment: PROTEAN prototype sharing allows unseen classes to be recognized by their proximity to aggregate class centers. Clients with no local samples for a given attack can nonetheless attain 75–100% accuracy on those classes at inference time (Chennoufi et al., 7 Jul 2025).
• Distillation and Drop-label Experiments: FLEKD and similar methods demonstrably improve recognition of missing/unknown attacks in federated clients, outperforming baseline FL/ML methods by 5–10 F1 points (Shen et al., 2024).

Experimental results consistently indicate >80% accuracy in zero-shot regimes using semantic or prototype-based methods (Jamshidi et al., 30 Jan 2026, Chennoufi et al., 7 Jul 2025, Shen et al., 2024).

6. Communication Efficiency and Scalability

Efficient federated IDS must balance detection quality against strict constraints on communication, bandwidth, and computational cost:

• Local and selection-efficient training: Strategies such as few-shot adaptation in FANETs (FSFL-IDS) (Ceviz et al., 22 Jan 2025), only partial client participation per round (Nguyen et al., 2024), and dynamic hyperparameter/participant metaoptimization (FedSA) (Neto et al., 2022) demonstrably reduce communication rounds by 50–90% with negligible convergence penalty.
• Model Compression: Quantization and pruning (e.g., reduction of BERT variants from 110M to 11M parameters and a further 29% via linear quantization) (Adjewa et al., 2024), distillation to lightweight students (Singh et al., 27 Oct 2025), and prototype-only updates (d × K rather than full model) (Chennoufi et al., 7 Jul 2025) accelerate convergence and minimize network usage.
• Hierarchical architectures: Mist/Edge/Fog/Cloud constructs localize heavy computation and traffic to appropriate network regions, reducing backhaul and improving runtime stability (Izadi et al., 31 Oct 2025).
• Partial Update Frequency: Adaptive schemes decouple local training epochs and upload schedules to further reduce communication (Neto et al., 2022, Nguyen et al., 2024).

Scalability to hundreds of clients or device types is demonstrated, with multi-layer federated hierarchies and dynamic client selection mitigating congestion and device churn (Izadi et al., 31 Oct 2025, Nguyen et al., 2024).

7. Limitations, Challenges, and Research Directions

Despite clear advances, federated intrusion detection faces persistent technical and operational challenges:

• Extreme Non-IID and Personalization: While methods like FedProx, personalized KD, and prototype alignment address some statistical heterogeneity, full support for highly dynamic/heterogeneous environments or individualized updates under real-world churn remains incomplete (Singh et al., 27 Oct 2025, Chennoufi et al., 7 Jul 2025).
• Robustness to Adversarial Attacks/Byzantine Clients: Few works offer provable guarantees against semantic or gradient poisoning, model inversion, or backdoor attacks. Secure aggregation and client attestation are active research directions (Chaudhary et al., 24 Sep 2025, Belenguer et al., 2022).
• Optimal Tradeoffs: Communication, privacy (DP $\varepsilon$), and statistical utility often trade off. Systematic tuning and analytic frameworks are needed for deployment-level calibration (S et al., 30 Dec 2025).
• Evaluation Standardization: Lack of common benchmarks, non-IID splits, and uniform metrics obscure head-to-head comparison. Calls for open FL-IDS testbeds, cross-dataset validation, and shared code/config are prominent (Hernandez-Ramos et al., 2023).
• Quantum FL/Next-Gen Architectures: Initial explorations of quantum federated learning for NIDS (QFL, PQCs) promise theoretically richer representations, but are nascent and constrained by quantum hardware availability (Chaudhary et al., 24 Sep 2025).
• Attack coverage and adaptive threats: IDS must adapt to ever-evolving malware, lateral movement, insider threats, and evasive tactics. Streaming, concept-drift–aware, and ensemble/hybrid architectures are recommended (Belenguer et al., 2022, Chaudhary et al., 24 Sep 2025).

• Tri-LLM Cooperative Federated Zero-Shot Intrusion Detection with Semantic Disagreement and Trust-Aware Aggregation (Jamshidi et al., 30 Jan 2026)
• FedSA: Accelerating Intrusion Detection in Collaborative Environments with Federated Simulated Annealing (Neto et al., 2022)
• Effective Intrusion Detection in Heterogeneous Internet-of-Things Networks via Ensemble Knowledge Distillation-based Federated Learning (Shen et al., 2024)
• Federated Deep Learning for Intrusion Detection in IoT Networks (Belarbi et al., 2023)
• FedSecureFormer: A Fast, Federated and Secure Transformer Framework for Lightweight Intrusion Detection in Connected and Autonomous Vehicles (S et al., 30 Dec 2025)
• Mist-Assisted Federated Learning for Intrusion Detection in Heterogeneous IoT Networks (Izadi et al., 31 Oct 2025)
• AndroIDS: Android-based Intrusion Detection System using Federated Learning (Nair et al., 19 Jun 2025)
• Sentinel: Dynamic Knowledge Distillation for Personalized Federated Intrusion Detection in Heterogeneous IoT Networks (Singh et al., 27 Oct 2025)
• PROTEAN: Federated Intrusion Detection in Non-IID Environments through Prototype-Based Knowledge Sharing (Chennoufi et al., 7 Jul 2025)
• FedMSE: Semi-supervised federated learning approach for IoT network intrusion detection (Nguyen et al., 2024)
• Distributed Intrusion Detection in Dynamic Networks of UAVs using Few-Shot Federated Learning (Ceviz et al., 22 Jan 2025)
• Federated Intrusion Detection System Based on Unsupervised Machine Learning (Gourceyraud et al., 28 Mar 2025)
• Efficient Federated Intrusion Detection in 5G ecosystem using optimized BERT-based model (Adjewa et al., 2024)
• GowFed -- A novel Federated Network Intrusion Detection System (Belenguer et al., 2022)
• An Interpretable Federated Learning-based Network Intrusion Detection Framework (Dong et al., 2022)
• Enhancing Intrusion Detection In Internet Of Vehicles Through Federated Learning (Sebastian et al., 2023)
• A review of Federated Learning in Intrusion Detection Systems for IoT (Belenguer et al., 2022)
• Intrusion Detection based on Federated Learning: a systematic review (Hernandez-Ramos et al., 2023)
• Federated Learning for Intrusion Detection in IoT Security: A Hybrid Ensemble Approach (Chatterjee et al., 2021)
• Towards Adapting Federated & Quantum Machine Learning for Network Intrusion Detection: A Survey (Chaudhary et al., 24 Sep 2025)

---

Federated intrusion detection thus represents a cornerstone of modern cyber defense in distributed, privacy- and resource-constrained environments. Architectures leveraging semantic, ensemble, prototype, personalized, and communication-efficient techniques are now fundamental, but remain subject to ongoing innovation in robustness, scalability, and adaptability to emerging threats and environments.