
Entente: Cross-silo Intrusion Detection on Network Log Graphs with Federated Learning

Abstract

Graph-based Network Intrusion Detection Systems (GNIDSs) have gained significant momentum in detecting sophisticated cyber-attacks, such as Advanced Persistent Threats (APTs), within an organization or across organizations. Although they achieve satisfactory detection accuracy and adapt to ever-changing attack and normal patterns, all prior GNIDSs assume a centralized data setting, yet collecting logs from multiple organizations into one place is often impractical under today's privacy regulations. We argue that training a GNIDS model must account for privacy regulations, and propose to leverage federated learning (FL) to address this prominent challenge. Yet, directly applying FL to GNIDS is unlikely to succeed, because the graph data held by different clients is non-IID (not independent and identically distributed) and because different GNIDSs make diverse design choices. We address these issues with a set of novel techniques tailored to graph datasets, including reference graph synthesis, graph sketching and adaptive contribution scaling, and develop a new system, Entente. We evaluate Entente on the large-scale LANL, OpTC and Pivoting datasets. The results show that Entente outperforms the other baseline FL algorithms and sometimes even the non-FL GNIDS. We also evaluate Entente under FL poisoning attacks tailored to the GNIDS setting, and show that Entente is able to bound the attack success rate to low values. Overall, our results suggest that building a cross-silo GNIDS is feasible, and we hope to encourage more efforts in this direction.

@article{xu2025_2503.14284,
  title={Entente: Cross-silo Intrusion Detection on Network Log Graphs with Federated Learning},
  author={Jiacen Xu and Chenang Li and Yu Zheng and Zhou Li},
  journal={arXiv preprint arXiv:2503.14284},
  year={2025}
}