GRAF-IDS: graph-based clustering as aggregation for federated intrusion detection system in IoT network

With the growing adoption of distributed machine learning (ML) in Internet of Thing (IoT)-based intrusion detection systems (IDS), ensuring robust models against attacks has become essential. Federated learning (FL), a distributed ML framework, improves privacy by enabling collaborative model training without sharing user data. However, FL systems are vulnerable to malicious participants who can disrupt the training process and compromise the aggregation phase, posing significant security challenges. This paper addresses these vulnerabilities by proposing a novel graph-based clustering aggregation (GBCA). GBCA enhances the widely used Krum algorithm by using graph-based clustering to identify and group trustworthy updates more effectively, thereby improving resistance to sophisticated attacks and enhancing model accuracy. We evaluate the proposed method under various attack scenarios, including label flipping and noise-based label flipping attacks, with poisoning rates of 25%, 30%, and 35%. Our experiments on IoT datasets (N-BaIoT2018 and UNSW-NB15) demonstrate the superior performance of GBCA compared to existing aggregation methods, such as Krum and FedAvg. Under noise-based label flipping attacks, GBCA achieves up to 8% and 5% higher accuracy than Krum and FedAvg, respectively. These results highlight the robustness and reliability of GBCA, making it a promising solution for securing FL-based IDS in IoT environments.