Traditional approaches to cybersecurity usually protect users only after specific types of attacks have occurred. In addition, the patterns of recent cyberattacks tend to change, which adds to their unpredictability. Machine learning, as a newer method for intrusion detection, is attracting more and more attention. Moreover, through the sharing of local training data, the centralized learning approach has been shown to improve a model's performance. In this research, segmented federated learning is proposed. Unlike traditional federated learning, in which collaborative learning is based on a single global model, it keeps multiple global models, which allow each segment of participants to conduct collaborative learning separately, and it dynamically rearranges the segmentation of participants. Furthermore, these multiple global models interact with each other when updating parameters, and are thus adaptable to various participants' LANs. A dataset covering two months of traffic data from 20 participants' LANs in the LAN-Security Monitoring Project is used. We adopt three types of knowledge-based methods for labeling network events and train a CNN model on the dataset. Finally, we achieve validation accuracies of 0.923, 0.813 and 0.877, respectively, with these labeling methods.
Segmented Federated Learning
1. Intrusion Detection with Segmented Federated Learning for Large-Scale Multiple LANs
Yuwei Sun, Hideya Ochiai, Hiroshi Esaki
The University of Tokyo
2. Agenda
• Motivation: Isolated anomaly detection in a network
• Proposal: Segmented federated learning for dynamically collaborative learning within diverse nodes
• Evaluation: How it worked for anomaly detection with the enhanced federated learning in stochastic network environments
• Conclusion
3. Motivation
[Figure: Remote Server (server in UTokyo); training parameters of models; Participants A, B, C and D]
Problems:
• Training data is too diverse for traditional federated learning
• Participants have different data sizes; features from those with a smaller dataset might be erased by the larger ones
• As the number of participants keeps increasing, the waiting time for updating the global model comes to exceed the time limit of a round
7. Methods: Segmented federated learning (3/4)
• 𝑝ₜ₋₁: former global parameters
• 𝑝ᵢ: parameters from participants who conduct training
• 𝑞ᵢ: the other global models’ parameters
• 𝑑ᵢ: distance between each participant’s accuracy and the average accuracy
[Figure panels: Global parameters updating; Performance evaluation]
8. Methods: Segmented federated learning (4/4)
Design of a model protocol for parameters sharing
• Two convolution layers, each of which is followed by a maxpooling layer and two fully-connected layers
• Feature maps of local dataset as the input, and the result from an expert-knowledge based labeling as the output
• Learning rate: 0.00001; batch size: 50; epoch: 1
9. Evaluation: How it worked for anomaly detection in stochastic network environments
• Broadcast data in a LAN and any communication directly sent to the monitor device
• Two months’ network traffic data of 20 participants from the LAN-Security Monitoring Project
[Figure: Local Area Network with Host 1 … Host m and a malicious user (nmap execution, e.g., ARP scan, TCP/UDP port scan, …); Event Generator; Data Collector; capture network traffic; visualization and classification with DCNN]
10. Knowledge-based labeling
• Malicious SMB: Detection of any SYN445 to the monitor device
• TCP SYN Flooding: TCP SYN from the same IP with a frequency of more than three times
• Malicious UDP unicast: Detection of any UDP unicast to the monitor device (except the communications of NTP with a source port of 123 and DNS with a source port of 53)
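The three labeling rules above as runnable detection logic, added here as an example (not code from the presentation). The packet record layout, the monitor address, counting SYNs per source IP over one capture window, and reading "SYN445" as a TCP SYN to port 445 are assumptions.

```python
from collections import Counter, namedtuple

# Constructed record layout; field names are assumptions of this example.
Packet = namedtuple("Packet", "src dst proto sport dport flags")
MONITOR_IP = "192.0.2.10"  # assumed address of the monitor device
SYN_LIMIT = 3              # "more than three times" means count > 3

def is_syn(p):
    # Assumption: "TCP SYN" means SYN set and ACK clear (not a SYN-ACK reply).
    return p.proto == "tcp" and "S" in p.flags and "A" not in p.flags

def label_events(packets, monitor_ip=MONITOR_IP):
    """Apply the three labeling rules to one capture window.

    Returns {label: set of source IPs that triggered it}.
    """
    labels = {"malicious_smb": set(), "tcp_syn_flooding": set(),
              "malicious_udp_unicast": set()}
    # Assumption: SYN frequency is counted per source IP over the window.
    syn_counts = Counter(p.src for p in packets if is_syn(p))
    for p in packets:
        to_monitor = p.dst == monitor_ip
        if is_syn(p) and to_monitor and p.dport == 445:
            labels["malicious_smb"].add(p.src)
        if is_syn(p) and syn_counts[p.src] > SYN_LIMIT:
            labels["tcp_syn_flooding"].add(p.src)
        # NTP (source port 123) and DNS (source port 53) are exempt.
        if p.proto == "udp" and to_monitor and p.sport not in (123, 53):
            labels["malicious_udp_unicast"].add(p.src)
    return labels

# Constructed sample window (documentation addresses, not real traffic).
SAMPLE = [
    Packet("192.0.2.21", MONITOR_IP, "tcp", 50000, 445, "S"),   # SMB probe
    Packet("192.0.2.27", MONITOR_IP, "tcp", 445, 51000, "SA"),  # SYN-ACK, ignored
    Packet("192.0.2.23", MONITOR_IP, "udp", 53, 33000, ""),     # DNS, exempt
    Packet("192.0.2.24", MONITOR_IP, "udp", 123, 123, ""),      # NTP, exempt
    Packet("192.0.2.25", MONITOR_IP, "udp", 5353, 161, ""),     # flagged
    Packet("192.0.2.26", "192.0.2.255", "udp", 137, 137, ""),   # broadcast
]
# Four SYNs from one host exceed the limit; three from another do not.
SAMPLE += [Packet("192.0.2.22", MONITOR_IP, "tcp", 40000 + i, 80, "S") for i in range(4)]
SAMPLE += [Packet("192.0.2.28", MONITOR_IP, "tcp", 41000 + i, 80, "S") for i in range(3)]

if __name__ == "__main__":
    for label, sources in label_events(SAMPLE).items():
        print(label, sorted(sources))
```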
12. Segmentation of participants’ local neural networks
[Figure: five panels, each labelled "Server in UTokyo" (Malicious SMB)]
13. Conclusion
• Isolated anomaly detection in a network
• SFL is proposed to solve the problem of participants' varying adaptivity to the single global model in an FL scheme
• Regular performance evaluation is conducted automatically for transforming the structure of the system
• Insights on intelligent networking and anomaly detection using distributed neural networks, for anomaly information sharing among various networks