Federated Intrusion Detection Systems
- Federated IDS are systems where local nodes train on their own security data and share model updates rather than raw data, ensuring privacy while broadening attack coverage.
- They employ diverse architectures such as FedAvg, blockchain-based aggregation, and hierarchical clustering to mitigate non-IID data challenges and optimize resource constraints.
- Integration of explainability, differential privacy, and personalized learning enhances detection accuracy and robustness against evolving cyber threats.
Searching arXiv for papers on federated intrusion detection systems and the cited works. Federated intrusion detection systems (federated IDSs, FL-based IDSs, or federated NIDS/HIDS depending on scope) are intrusion detection systems in which multiple clients collaboratively train detection models without centralizing raw traffic, logs, or host telemetry. Across IoT, IIoT, transportation IoT, mobile IoT, cyber-physical systems, and 5G edge environments, the central idea is consistent: local nodes train on local security data, exchange model information rather than raw observations, and use aggregation to construct a shared detector that preserves data locality while broadening attack coverage (Agrawal et al., 2021, Chaudhary et al., 24 Sep 2025, Gholamrezazadeh et al., 19 May 2026).
1. Definition and analytical scope
Intrusion detection remains organized around two classical distinctions. At the detection level, systems are commonly divided into signature-based IDS and anomaly-based IDS. Signature-based IDS uses predefined rules or signatures and is effective for known attacks but poor at detecting zero-day or evolving threats; anomaly-based IDS learns models of normal behavior and flags deviations, which improves novelty sensitivity but can increase false positives and retraining demands (2502.06099). At the deployment level, host-based IDS monitors system calls, file integrity, logs, memory, or user actions on a host, whereas network-based IDS inspects network traffic, flows, and packet-derived features (Agrawal et al., 2021).
Federated learning addresses the central limitation of modern ML-based IDS: the tension between the need for diverse training data and the sensitivity of network telemetry. Centralized IDS pipelines require raw data transfer, which raises privacy concerns, adds bandwidth and latency overhead, and creates central bottlenecks or single points of failure. Federated IDS instead keeps data on devices or sites and exchanges parameters, gradients, or related model artifacts (2502.06099, Ali et al., 21 May 2025, Chaudhary et al., 24 Sep 2025). This suggests that federated IDS is best understood not as a single algorithm, but as a systems pattern spanning client–server training, hierarchical edge–fog–cloud coordination, privacy-preserving collaboration, and, increasingly, personalization, explainability, and open-set reasoning.
2. Architectural patterns and federated training workflows
The canonical federated IDS workflow follows the standard federated objective
with FedAvg-style aggregation
This pattern appears across transportation IoT, Android-based host IDS, heterogeneous IoT, and multiple surveys of federated NIDS design (2502.06099, Nair et al., 19 Jun 2025, Chaudhary et al., 24 Sep 2025).
Within that template, contemporary federated IDS work diverges sharply in coordination strategy. XAI FL-IDS uses one central server and 10 clients, but departs from standard FedAvg by selecting the single best local XGBoost Booster each round, based on hierarchical scoring such as accuracy, F1, and ROC-AUC, and broadcasting that selected model rather than averaging parameters (Gholamrezazadeh et al., 19 May 2026). FL-BCID retains standard FedAvg, but embeds the workflow in a permissioned blockchain architecture with an aggregator node, smart contracts, and PBFT consensus, so that tuples of node identifier, model update, anomaly score, and round timestamp are recorded on-chain (Ali et al., 21 May 2025). FedFT uses a hybrid server–edge architecture in which the server pre-trains a global CNN+MLP IDS model on proxy data, clients freeze the CNN feature extractor, fine-tune only the MLP classification head, and the server aggregates only the head parameters (2502.06099).
Hierarchical organization is another recurrent design choice. CB-FLIDS places data-generating devices at the edge, intrusion-detection clients at the fog layer, cluster heads as local aggregators, and a cloud server as the inter-cluster aggregator. Its aggregation is explicitly two-level: so hardware-based clusters are aggregated locally before a global model is formed (Izadi et al., 13 Feb 2026). LegionITS generalizes the idea beyond IDS narrowly construed: it federates multiple intrusion-tolerant systems at intra-organizational and inter-organizational levels, links local ITS instances, SIEM pipelines, SOC/SOAR tooling, MISP-like CTI sharing, and federated learning, and treats raw telemetry as local while sharing only privacy-preserving CTI and model information (Freitas et al., 16 Dec 2025).
The architectural record therefore includes at least five distinct federation modes: classical client–server FedAvg, best-model broadcast, blockchain-audited federated aggregation, server-pretraining plus edge fine-tuning, and hierarchical cluster-based FL. A plausible implication is that “federated IDS” is now an umbrella term for several coordination regimes rather than a synonym for FedAvg alone.
3. Detection models, data modalities, and representative systems
Federated IDS research spans a wide range of local models and observation spaces. Tabular network flow classification remains dominant, but recent work also includes host-level system calls, CAN-bus anomaly messages, Gower-dissimilarity representations, lightweight image-free deep models for edge deployment, and semantics-driven projections for zero-shot intrusion detection (Nair et al., 19 Jun 2025, Belenguer et al., 2022, Freitas et al., 16 Dec 2025, Jamshidi et al., 30 Jan 2026).
XAI FL-IDS trains XGBoost locally on Edge-IIoTset, after a preprocessing pipeline that replaces infinite values with NaN, removes irrelevant or incomplete features, encodes categorical features, imputes NaNs with the mode of the corresponding class or category, normalizes all features, performs an 80/20 global train/test split, and then distributes training data among 10 clients with class balancing (Gholamrezazadeh et al., 19 May 2026). FedFT uses a CNN feature extractor with three Conv1D + MaxPooling blocks and an MLP classification head, grouping NSL-KDD attack classes into a binary intrusion label and fine-tuning either three FC layers or only the last FC layer at the edge (2502.06099). The 5G-Advanced edge model combines an autoencoder bottleneck, a CNN branch, and a BiLSTM branch, with fusion at a dense sigmoid head, and treats UNSW-NB15 as a binary intrusion task (Baidar et al., 19 Sep 2025). CB-FLIDS instead adopts MobileNet with depthwise separable convolutions and a hybrid loss
with , temperature , and (Izadi et al., 13 Feb 2026).
Host-based federated IDS broadens the modality. AndroIDS constructs a generalized Android system-call dataset with 5,832 labeled files, removes timestamps by regex, tokenizes syscalls, builds a vocabulary of the 1000 most frequent syscall tokens, applies TF-IDF, uses a sliding window of size and stride , injects Gaussian noise with 0, and trains a GRU classifier with 32 and 16 units in the two recurrent layers (Nair et al., 19 Jun 2025). GowFed replaces direct feature vectors by Gower dissimilarity matrices so that mixed categorical and numerical network features can be handled without one-hot expansion; an MLP then learns in the induced dissimilarity space (Belenguer et al., 2022). A different line abandons supervision almost entirely: an unsupervised federated IDS based on federated K-means++ initialization is proposed to reduce labeling burden, and its findings indicate that transitioning from a centralized to a federated setup does not significantly diminish performance (Gourceyraud et al., 28 Mar 2025).
A compact cross-section of representative systems is given below.
| System | Core design | Reported outcome |
|---|---|---|
| XAI FL-IDS | XGBoost, best-model broadcast, local and global SHAP | Accuracy of over 99%, and at times 100% |
| FL-BCID | Lightweight ML model, FedAvg, blockchain, DP | 97.3% on ToN-IoT, 96.8% on N-BaIoT, 41% reduction in communication overhead |
| FedFT | Server pre-training, client fine-tuning of MLP head | Up to 99.2% accuracy; up to 42% memory reduction; up to 75% training-time reduction |
| Hybrid AE–CNN–BiLSTM FL IDS | Autoencoder, CNN, BiLSTM in FL for IoT/5G edge | AUC 99.59 percent, F1 97.36 percent, inference time approximately 0.0476 ms/sample |
| CB-FLIDS | Cluster-based FL, MobileNet, SoftMax + Gumbel-SoftMax | 99.22% on ToN-IoT, 99.02% on CICDDoS2019, 2.47x lower training time, 2.16x lower testing latency |
| AndroIDS | GRU on TF-IDF syscall windows with FedAvg | 96.46% accuracy under IID and 92.87% under non-IID |
These model choices indicate that federated IDS is no longer tied to a single modeling tradition. Tree ensembles, MLPs, CNNs, GRUs, LSTMs, autoencoders, MobileNet variants, knowledge-distilled ensembles, and semantic projection models all appear in the literature, with the shared constraint that the training loop must remain compatible with parameter exchange under privacy and resource limitations (Gholamrezazadeh et al., 19 May 2026, 2502.06099, Baidar et al., 19 Sep 2025, Izadi et al., 13 Feb 2026, Nair et al., 19 Jun 2025).
4. Privacy, integrity, and explainability
The privacy claim common to almost all federated IDS work is data locality: raw traffic, local logs, Android system calls, or IoT telemetry remain at the client, and only model updates or related summaries are exchanged (Ali et al., 21 May 2025, Nair et al., 19 Jun 2025, Agrawal et al., 2021). That baseline is often presented as a substantial improvement over centralized IDS, but the literature is explicit that baseline FL is not the same as formal privacy.
Several systems add stronger mechanisms. FL-BCID performs gradient clipping and Gaussian noise addition: 1 with noise scale 2, and couples this with a permissioned blockchain, PBFT consensus, smart contracts, anomaly-score recording, and reputation updates 3 (Ali et al., 21 May 2025). LegionITS applies differential privacy to FL with 4 and 5, combines this with Multiparty Homomorphic Encryption and Zero-Knowledge Proofs, and reports a manageable accuracy drop from 98.42% to 85.98% while maintaining reliable detection of compromised messages (Freitas et al., 16 Dec 2025).
Integrity and accountability are also foregrounded. In FL-BCID, smart contracts validate updates against trust and anomaly thresholds, maintain reputation scores, and record approved updates on-chain (Ali et al., 21 May 2025). LegionITS similarly places CTI hashes, audit information, and cryptographic proofs on a ledger while federating local MISP instances, SIEM pipelines, and SOC workflows (Freitas et al., 16 Dec 2025). By contrast, several performance-oriented federated IDS systems explicitly do not implement secure aggregation, encryption of parameter updates, or formal differential privacy, even when they rely on FL for privacy improvement. This is stated for XAI FL-IDS, FedFT, AndroIDS, and CB-FLIDS, which all preserve locality but leave stronger privacy and Byzantine-robustness mechanisms as future work or external integration points (Gholamrezazadeh et al., 19 May 2026, 2502.06099, Nair et al., 19 Jun 2025, Izadi et al., 13 Feb 2026).
Explainability is the other major theme. XAI FL-IDS integrates SHAP at both client and server levels. Clients compute local TreeExplainer values for each prediction and log prediction ID, true label, predicted label, probability, SHAP values, client ID, and round; the server computes global SHAP values on the global test set, enabling both per-alert interpretation and system-level feature attribution (Gholamrezazadeh et al., 19 May 2026). The paper explicitly uses the additive SHAP formulation
6
and reports that, for Client 5, decision probabilities around 0.59–0.60 in Round 1 rose to approximately 0.90 by Round 9, with clearer SHAP attributions (Gholamrezazadeh et al., 19 May 2026). Explainability in the 5G edge hybrid model is discussed conceptually rather than through a named algorithm, but its operational role is similarly framed around human-readable explanations, regulatory compliance, and debugging of distributed IDS behavior (Baidar et al., 19 Sep 2025).
5. Heterogeneity, zero-day detection, personalization, and drift
Non-IID data is the core systems challenge of federated IDS. Surveys and empirical studies agree that traffic distributions, attack prevalence, feature spaces, device capabilities, and label availability vary sharply across clients, and that naive federated averaging can degrade performance under realistic heterogeneity (Agrawal et al., 2021, Belarbi et al., 2023, Shen et al., 2024). In a realistic TON-IoT setup that maps each destination IP to a client, the heterogeneous nature of the data has a considerable negative impact on distributed training, whereas a pre-trained initial global model improves performance by over 20% in F1-score compared to a randomly initiated global model (Belarbi et al., 2023).
A first response is heterogeneity-aware aggregation. FLEKD replaces pure parameter fusion with ensemble knowledge distillation on a proxy dataset, dynamically weighting client teachers by validation performance and then distilling their logits into a student global model. On CICIDS2019, FLEKD outperforms local training and traditional FL in both speed and performance and significantly improves the ability to detect unknown attacks, including under scenarios with different feature dimensions, different sample sizes, and missing attack categories (Shen et al., 2024). Sentinel moves further toward personalized FL by giving each client a personalized teacher model and a lightweight shared student model, transmitting only the student. Its local objective combines class-balanced task loss, adaptive bidirectional knowledge distillation, and feature alignment; the server aggregates normalized pseudo-gradients with equal client weighting rather than raw FedAvg. Under extreme heterogeneity on IoTID20 with Dirichlet 7, conventional methods such as FedAvg, FedProx, and Scaffold degrade sharply, whereas Sentinel variants remain near 78% macro F1, and on 5GNIDD under the same setting Sentinel-II reaches 97.29% macro F1 (Singh et al., 27 Oct 2025).
Open-set and zero-day detection are handled most explicitly by the semantics-driven Tri-LLM framework. Each attack concept is represented by a semantic prototype derived from GPT-4o, DeepSeek-V3, and LLaMA-3-8B; clients learn a projection 8 into the semantic space by minimizing
9
Inter-LLM semantic disagreement
0
serves as epistemic uncertainty, and the zero-day score is defined as
1
The framework reports 82.8% zero-shot accuracy on unseen attack patterns, AUROC 0.91, ZDS 0.17, and more than 10% improvement in zero-day discrimination relative to similarity-based baselines (Jamshidi et al., 30 Jan 2026).
Transferability across unseen attacks is treated directly in a federated setting by the study on transferability of network intrusion detection. Using a threshold of 70% attack accuracy to define transferable train–test attack pairs, plain federated learning yields only 2 transferable pairs, centralized learning yields 17, federated learning with bootstrapping yields 22, federated learning with temporal averaging yields 14, and TabFIDS yields 31, with 17 of those above 90% attack accuracy (Ghosh et al., 2024). Long-term non-stationarity is handled in the incremental federated IDS study on CICIoMT2024, which concludes that cumulative incremental learning and representative learning provide the most stable performance under drift, while retention-based methods offer a strong accuracy and latency trade-off (Rehman et al., 11 Mar 2026).
A notable commonality across these lines of work is that heterogeneity is no longer treated as a peripheral optimization nuisance. It is the principal determinant of whether a federated IDS merely preserves privacy or also generalizes to unseen attacks, unstable local distributions, and evolving operational regimes.
6. Empirical profile, trade-offs, and open problems
The empirical record is strong but highly qualified. XAI FL-IDS reports accuracy of over 99% and, at times, 100% on Edge-IIoTset while keeping raw traffic local and adding dual-level SHAP explanations (Gholamrezazadeh et al., 19 May 2026). FL-BCID reports 97.3% accuracy on ToN-IoT and 96.8% on N-BaIoT, with 41% reduction in communication overhead compared to standard FL and convergence in 21 rounds rather than more than 30 (Ali et al., 21 May 2025). FedFT-3 reaches 99.2% accuracy with 20% memory reduction and 5% execution-time reduction relative to a centralized baseline, while FedFT-1 drops to 94.3% accuracy but yields up to 42% memory reduction and 75% training-time reduction (2502.06099). The federated AE–CNN–BiLSTM model for IoT/5G edge computing reports AUC 99.59 percent, F1 97.36 percent, and inference time approximately 0.0476 ms per sample, well within the less than 10 ms URLLC budget (Baidar et al., 19 Sep 2025). CB-FLIDS reports 99.22% accuracy on ToN-IoT and 99.02% on CICDDoS2019, with 2.47x lower end-to-end training time and 2.16x lower testing latency than traditional FL methods (Izadi et al., 13 Feb 2026). AndroIDS reports 96.46% accuracy and 89% F1 under IID conditions, and 92.87% accuracy and 86% F1 under non-IID conditions (Nair et al., 19 Jun 2025). FedSA, focused on optimization rather than model architecture, reports convergence in less than ten communication rounds and up to 50% fewer aggregation rounds to achieve approximately 97% accuracy than a conventional aggregation approach (Neto et al., 2022).
At the same time, multiple papers record persistent limitations. Realistic non-IID partitioning can sharply reduce federated performance relative to centralized training, as shown in the TON-IoT destination-IP study and in AndroIDS under non-IID conditions (Belarbi et al., 2023, Nair et al., 19 Jun 2025). Many systems still assume honest clients and omit explicit defenses against poisoning, Byzantine behavior, or model inversion (2502.06099, Izadi et al., 13 Feb 2026, Nair et al., 19 Jun 2025). Public benchmark datasets dominate evaluation, and several architectures are demonstrated with only 10 or 20 clients (Gholamrezazadeh et al., 19 May 2026, Ali et al., 21 May 2025, Izadi et al., 13 Feb 2026). Even when blockchain, differential privacy, or explainability are added, these additions introduce nontrivial trade-offs in latency, complexity, and accuracy (Ali et al., 21 May 2025, Freitas et al., 16 Dec 2025).
The survey literature therefore frames the field as one of simultaneous optimization over privacy, communication, robustness, explainability, and detection performance rather than a solved privacy-preserving substitute for centralized IDS. Current frontiers include personalized FL, robust aggregation, secure aggregation and differential privacy tuned for IDS workloads, continual and drift-aware updating, attack-specific federation strategies, model compression, and, at the survey level, emerging quantum federated learning for network intrusion detection (Agrawal et al., 2021, Chaudhary et al., 24 Sep 2025).