Collaborative Federated Learning-Based Model for Alert Correlation and Attack Scenario Recognition

Abstract

Planned and targeted attacks, such as the advanced persistent threat (APT), are highly sophisticated forms of attack. They involve numerous steps and are intended to remain within a system for an extended length of period before progressing to the next stage of action. Anticipating the next behaviors of attackers is a challenging and crucial task due to the stealthy nature of advanced attack scenarios, in addition to the possible high volumes of false positive alerts generated by different security tools such as intrusion detection systems (IDSs). Intelligent models that are capable of establishing a correlation individual between individual security alerts in order to reconstruct attack scenarios and to extract a holistic view of intrusion activities are required to exploit hidden links between different attack stages. Federated learning models performed in distributed settings have achieved successful and reliable implementations. Alerts from distributed security devices can be utilized in a collaborative manner based on several learning models to construct a federated model. Therefore, we propose an intelligent detection system that employs federated learning models to identify advanced attack scenarios such as APT. Features extracted from alerts are preprocessed and engineered to produce a model with high accuracy and fewer false positives. We conducted training on four machine learning models in a centralized learning; these models are XGBoost, Random Forest, CatBoost, and an ensemble learning model. To maintain privacy and ensure the integrity of the global model, the proposed model has been implemented using conventional neural network federated learning (CNN_FL) across several clients during the process of updating weights. The experimental findings indicate that ensemble learning achieved the highest accuracy of 88.15% in the context of centralized learning. CNN_FL has demonstrated an accuracy of 90.18% in detecting various attacks of APTs while maintaining a low false alarm rate.