New Continual Federated Learning System for Intrusion Detection in SDN-Based Edge Computing

Software Defined Networking (SDN) is an open network approach that has been proposed to address some of the main problems with traditional networks. However, SDN faces cybersecurity issues. To provide a network defense against attacks, an Intrusion Detection System (IDS) needs to be updated and included into the SDN architecture on a regular basis. Machine learning methods have proved effective in detecting intrusions in SDN. Moreover, these techniques pose the problem of significant computational overload and the absence of regular updates when new cyber-attacks appear. To address these issues, we propose a new SDN-based cloud intrusion detection system called Continual Federated Learning (CFL). In CFL, we modify the classical federated learning process by granting a more important and dynamic role to each participating client. On the one hand, it can trigger this process whenever a new type of intrusion is detected. On the other hand, once the new model has been identified, the customer can decide whether or not to deploy it in his network. In addition, to verify the accuracy of the CFL system, we have formally specified it by a communication protocol. This specification organizes the exchanges between the different communicating entities involved in the CFL. To verify the accuracy of this specification, we described it using the PROMELA language and checked with the associated SPIN tool. On the experimental side, we deployed this specification of the CFL system in an SDN computing environment. We defined different scenarios, and we proposed that each client decides locally to deploy or not the newly obtained intrusion detection model. The decision is based on a modified metric where we integrate the severity of the intrusions. Experimental results using private local datasets show that the proposed CFL system can efficiently and accurately detect new types of intrusions while preserving client confidentiality. Thus, it can be considered a promising system for SDN-based edge computing.