PenTiDef: Enhancing Privacy and Robustness in Decentralized Federated Intrusion Detection Systems against Poisoning Attacks

Notice: This research summary and analysis were automatically generated using AI technology. For absolute accuracy, please refer to the [Original Paper Viewer] below or the Original ArXiv Source.

The increasing deployment of Federated Learning (FL) in Intrusion Detection Systems (IDS) introduces new challenges related to data privacy, centralized coordination, and susceptibility to poisoning attacks. While significant research has focused on protecting traditional FL-IDS with centralized aggregation servers, there remains a notable gap in addressing the unique challenges of decentralized FL-IDS (DFL-IDS). This study aims to address the limitations of traditional centralized FL-IDS by proposing a novel defense framework tailored for the decentralized FL-IDS architecture, with a focus on privacy preservation and robustness against poisoning attacks. We propose PenTiDef, a privacy-preserving and robust defense framework for DFL-IDS, which incorporates Distributed Differential Privacy (DDP) to protect data confidentiality and utilizes latent space representations (LSR) derived from neural networks to detect malicious updates in the decentralized model aggregation context. To eliminate single points of failure and enhance trust without a centralized aggregation server, PenTiDef employs a blockchain-based decentralized coordination mechanism that manages model aggregation, tracks update history, and supports trust enforcement through smart contracts. Experimental results on CIC-IDS2018 and Edge-IIoTSet demonstrate that PenTiDef consistently outperforms existing defenses (e.g., FLARE, FedCC) across various attack scenarios and data distributions. These findings highlight the potential of PenTiDef as a scalable and secure framework for deploying DFL-based IDS in adversarial environments. By combining privacy protection, detection of malicious behavior in hidden data, and operation without a central server, it provides a useful security solution against real-world attacks from untrusted participants.


💡 Research Summary

The paper addresses the growing need for privacy‑preserving, robust intrusion detection systems (IDS) that leverage federated learning (FL) while eliminating the single point of failure inherent in centralized aggregation servers. Existing defenses focus on centralized FL‑IDS and rely on heavy cryptographic primitives such as homomorphic encryption or secure multi‑party computation, which are unsuitable for large‑scale, heterogeneous environments. To fill this gap, the authors propose PenTiDef, a comprehensive framework tailored for decentralized FL‑IDS (DFL‑IDS). PenTiDef combines three core innovations: (1) Distributed Differential Privacy (DDP), which injects calibrated Gaussian noise locally at each client before model updates are shared, thereby protecting gradient‑level privacy without a trusted aggregator and preserving model utility; (2) a latent‑space‑based anomaly detection pipeline that extracts penultimate‑layer representations (PLR) from each local model, compresses them through an auto‑encoder, and compares the resulting latent vectors using Centered Kernel Alignment (CKA) together with unsupervised K‑means clustering, an approach that eliminates the need for auxiliary datasets (as required by FLARE) and stabilizes PLR variability across non‑IID data distributions (a weakness of FedCC); and (3) a blockchain‑driven coordination layer that records model updates, aggregates them via smart contracts, and enforces trust scores through a lightweight Proof‑of‑Authority consensus. The blockchain ensures immutability, transparency, and fault tolerance while keeping communication overhead modest (≈12 % of total training time).
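An added sketch of the CKA-plus-clustering screening step described above; it is not the paper's code. It assumes each client contributes a penultimate-layer matrix with the same number of rows as a reference matrix (here standing in for the previous global model), skips the auto-encoder compression, and uses hypothetical names (`flag_low_cluster`, `min_gap`, `screen`) and constructed random data.

```python
import math
import random

def gram(X):
    """Gram matrix of column-centered X (CKA is defined on centered features)."""
    means = [sum(col) / len(X) for col in zip(*X)]
    Xc = [[v - m for v, m in zip(row, means)] for row in X]
    return [[sum(a * b for a, b in zip(r, s)) for s in Xc] for r in Xc]

def frob(K, L):
    """Frobenius inner product <K, L>."""
    return sum(k * l for rk, rl in zip(K, L) for k, l in zip(rk, rl))

def linear_cka(X, Y):
    """Linear CKA in [0, 1]; X and Y need the same number of rows."""
    K, L = gram(X), gram(Y)
    return frob(K, L) / math.sqrt(frob(K, K) * frob(L, L))

def flag_low_cluster(scores, min_gap=0.2, iters=20):
    """1-D 2-means on CKA scores. Returns indices in the low cluster, or []
    when the centroids are closer than min_gap (no clear outlier group)."""
    lo, hi = min(scores), max(scores)
    for _ in range(iters):
        low = [s for s in scores if abs(s - lo) <= abs(s - hi)]
        high = [s for s in scores if abs(s - lo) > abs(s - hi)]
        lo = sum(low) / len(low)
        hi = sum(high) / len(high) if high else lo
    if hi - lo < min_gap:
        return []
    return [i for i, s in enumerate(scores) if abs(s - lo) <= abs(s - hi)]

def make_clients(seed=7, rows=32, cols=4):
    """Constructed data: a reference matrix, 5 near-copies, 2 unrelated matrices."""
    rng = random.Random(seed)
    rand = lambda: [[rng.gauss(0, 1) for _ in range(cols)] for _ in range(rows)]
    ref = rand()
    benign = [[[v + rng.gauss(0, 0.1) for v in row] for row in ref] for _ in range(5)]
    return ref, benign + [rand(), rand()]

def screen(ref, clients):
    """Score every client against the reference, then cluster the scores."""
    scores = [linear_cka(ref, c) for c in clients]
    return scores, flag_low_cluster(scores)

if __name__ == "__main__":
    scores, flagged = screen(*make_clients())
    print([round(s, 3) for s in scores], "flagged:", flagged)
```

The `min_gap` guard matters because 2-means always produces two clusters: without it, a round with only benign clients would still have its lowest-scoring members flagged.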

Experimental evaluation uses two benchmark IDS datasets, CIC‑IDS2018 and Edge‑IIoTSet, under realistic non‑IID partitions and four poisoning attack vectors: label flipping, weight scaling, backdoor insertion, and GAN‑generated malicious samples. PenTiDef is compared against the state‑of‑the‑art defenses FLARE and FedCC. Results show that PenTiDef achieves an average detection accuracy of 92.3 % (7–8 percentage points higher than the baselines), maintains a low global loss (<0.12), and suffers less than 2 % degradation in overall classification performance despite DDP noise (ε = 1.5, δ = 10⁻⁵). The blockchain component introduces only a modest overhead while providing verifiable update histories.

The authors acknowledge limitations: CKA computation scales poorly with thousands of participants, smart‑contract deployment adds operational complexity, and the choice of DDP parameters is sensitive to specific service requirements. They suggest future work on efficient CKA approximations, dynamic privacy‑budget allocation, and real‑world deployment in IoT or smart‑factory settings. In summary, PenTiDef delivers a unified solution that simultaneously guarantees privacy, decentralization, and robustness against poisoning attacks, positioning it as a viable foundation for next‑generation distributed IDS deployments.

