defense 2026

PenTiDef: Enhancing Privacy and Robustness in Decentralized Federated Intrusion Detection Systems against Poisoning Attacks

Phan The Duy 1,2,3, Nghi Hoang Khoa 1,2,3, Nguyen Tran Anh Quan 1,2,3, Luong Ha Tien 1,2,3, Ngo Duc Hoang Son 1,2,3, Van-Hau Pham 1,2,3

0 citations · 39 references · arXiv (Cornell University)

Published on arXiv

2602.17973

Data Poisoning Attack

OWASP ML Top 10 — ML02

Key Finding

PenTiDef consistently outperforms FLARE and FedCC defenses across multiple poisoning attack scenarios and data distributions on CIC-IDS2018 and Edge-IIoTSet benchmarks

PenTiDef

Novel technique introduced


The increasing deployment of Federated Learning (FL) in Intrusion Detection Systems (IDS) introduces new challenges related to data privacy, centralized coordination, and susceptibility to poisoning attacks. While significant research has focused on protecting traditional FL-IDS with centralized aggregation servers, there remains a notable gap in addressing the unique challenges of decentralized FL-IDS (DFL-IDS). This study aims to address the limitations of traditional centralized FL-IDS by proposing a novel defense framework tailored for the decentralized FL-IDS architecture, with a focus on privacy preservation and robustness against poisoning attacks. We propose PenTiDef, a privacy-preserving and robust defense framework for DFL-IDS, which incorporates Distributed Differential Privacy (DDP) to protect data confidentiality and utilizes latent space representations (LSR) derived from neural networks to detect malicious updates in the decentralized model aggregation context. To eliminate single points of failure and enhance trust without a centralized aggregation server, PenTiDef employs a blockchain-based decentralized coordination mechanism that manages model aggregation, tracks update history, and supports trust enforcement through smart contracts. Experimental results on CIC-IDS2018 and Edge-IIoTSet demonstrate that PenTiDef consistently outperforms existing defenses (e.g., FLARE, FedCC) across various attack scenarios and data distributions. These findings highlight the potential of PenTiDef as a scalable and secure framework for deploying DFL-based IDS in adversarial environments. By leveraging privacy protection, malicious behavior detection in hidden data, and working without a central server, it provides a useful security solution against real-world attacks from untrusted participants.


Key Contributions

  • Latent space representation (LSR) mechanism derived from neural networks to detect malicious model updates in decentralized FL aggregation without a central server
  • Distributed Differential Privacy (DDP) integration to protect gradient confidentiality and prevent data reconstruction attacks by honest-but-curious participants
  • Blockchain-based decentralized coordination using smart contracts to manage model aggregation, track update history, and enforce trust without a single point of failure

Threat Analysis

Data Poisoning Attack

PenTiDef's primary contribution is robustness against poisoning attacks in decentralized federated learning: malicious participants inject corrupted model updates to degrade the global model. The LSR-based detection mechanism and Byzantine-fault-tolerant aggregation directly defend against this threat. The paper evaluates against multiple poisoning attack scenarios and compares to existing FL poisoning defenses (FLARE, FedCC).


Details

Domains: federated-learning
Model Types: federated, traditional_ml
Threat Tags: training_time, grey_box
Datasets: CIC-IDS2018, Edge-IIoTSet
Applications: intrusion detection systems, network anomaly detection, decentralized federated learning