Author: Abhinav Ranjan
FED_IIDS is a federated, privacy-preserving intrusion detection framework designed for distributed environments where organizations cannot share raw network traffic logs. The system allows institutions—such as hospitals and manufacturing plants—to collaboratively train a global Intrusion Detection System (IDS) while maintaining full ownership of their private datasets.
FED_IIDS implements the complete lifecycle of a federated IDS, including:
- Non-IID data engineering
- Feature reduction with correlation filtering and LightGBM ranking
- Deep neural network–based classification
- Differentially Private SGD (DP-SGD) on clients
- Secure federated coordination using the Flower framework
A detailed technical explanation of the system architecture, algorithms, and experimental evaluation is available in TECHNICAL_REPORT.md.
Centralized intrusion detection pipelines face significant challenges:
- Regulations such as GDPR and HIPAA prevent sharing sensitive network data.
- Organizations accumulate valuable intrusion data but cannot pool it.
  - Hospitals experience spoofing and web-based attacks.
  - Factories encounter DoS, DDoS, Mirai, and Recon traffic.
- A single-domain IDS fails to generalize across environments.
- Even model gradients can leak training data through inference attacks.
- Enabling collaborative IDS training without moving data
- Leveraging diverse attack patterns across organizations
- Applying Differential Privacy to protect each client’s data
- Providing a realistic benchmark for studying catastrophic forgetting
Two heterogeneous clients simulate real-world domain skew:
- Client 1 (Hospital): Benign, Spoofing
- Client 2 (Factory): Benign, DoS, DDoS, Mirai, Recon
Client-side training uses:
- Gradient clipping
- Gaussian noise addition
- DPKerasAdamOptimizer from tensorflow-privacy
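The two client-side steps listed above, gradient clipping and Gaussian noise addition, written out as an added example in plain Python (not the project's code and not tensorflow-privacy's implementation). A logistic-regression gradient stands in for the deep network, and the batch, function names and parameter values are constructed for illustration.

```python
import math
import random

def l2_norm(vec):
    return math.sqrt(sum(x * x for x in vec))

def clip_to_norm(grad, l2_norm_clip):
    """Scale grad down so its L2 norm is at most l2_norm_clip (never up)."""
    norm = l2_norm(grad)
    scale = min(1.0, l2_norm_clip / norm) if norm > 0 else 1.0
    return [g * scale for g in grad]

def per_example_grads(weights, batch):
    """Logistic-regression gradient of each (features, label) pair on its own."""
    grads = []
    for x, y in batch:
        z = sum(w * xi for w, xi in zip(weights, x))
        p = 1.0 / (1.0 + math.exp(-z))
        grads.append([(p - y) * xi for xi in x])
    return grads

def dp_sgd_step(weights, batch, lr, l2_norm_clip, noise_multiplier, rng):
    """One DP-SGD update: clip per example, sum, add noise, then average."""
    clipped = [clip_to_norm(g, l2_norm_clip)
               for g in per_example_grads(weights, batch)]
    summed = [sum(col) for col in zip(*clipped)]
    sigma = noise_multiplier * l2_norm_clip  # noise is scaled to the clip bound
    noisy_mean = [(s + rng.gauss(0.0, sigma)) / len(batch) for s in summed]
    return [w - lr * g for w, g in zip(weights, noisy_mean)]

# Constructed batch: three ordinary records and one extreme outlier record.
BATCH = [([0.2, 0.1, 1.0], 0), ([0.3, 0.2, 1.0], 0),
         ([0.9, 0.8, 1.0], 1), ([50.0, 40.0, 1.0], 1)]

def outlier_influence(l2_norm_clip):
    """Largest per-example gradient norm that survives clipping."""
    grads = per_example_grads([0.0, 0.0, 0.0], BATCH)
    return max(l2_norm(clip_to_norm(g, l2_norm_clip)) for g in grads)

if __name__ == "__main__":
    rng = random.Random(0)
    print("noisy update:", dp_sgd_step([0.0] * 3, BATCH, 0.1, 1.0, 1.1, rng))
    print("max clipped norm:", outlier_influence(1.0))
```

Clipping bounds how much any single record can move the model, and the noise standard deviation is tied to that same bound, which is why the two settings have to be tuned together with the batch size.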
Implemented in Fed_IIDS.ipynb (Colab link below). Includes:
- Cleaning + normalization
- Correlation-based filtering
- LightGBM-based feature ranking
- Feature reduction: 74 → 30 features
- Configurable server and clients
- Cross-client weighted FedAvg aggregation
- Global and local evaluations each round
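Cross-client weighted FedAvg, sketched as an added example (not the project's server.py and not Flower's strategy code): each client's weights count in proportion to its number of training examples, and an update whose layer shapes differ from the reference model is rejected before averaging. The function names, client sizes and toy weights are constructed for illustration.

```python
def layer_shapes(weights):
    """Shape signature of a model: the row lengths of every layer matrix."""
    return [[len(row) for row in layer] for layer in weights]

def filled(reference, value):
    """Model with the reference layout and every weight set to value."""
    return [[[value for _ in row] for row in layer] for layer in reference]

def fedavg(updates, reference):
    """Weighted FedAvg over (client_id, num_examples, weights) updates.

    Updates that report no examples, or whose layout differs from the
    reference model, are set aside so that one malformed client cannot
    corrupt the global model. Returns (global_weights, rejected_ids).
    """
    expected = layer_shapes(reference)
    accepted, rejected = [], []
    for client_id, n, weights in updates:
        ok = n > 0 and layer_shapes(weights) == expected
        (accepted if ok else rejected).append((client_id, n, weights))
    if not accepted:
        raise ValueError("no valid client updates to aggregate")
    total = sum(n for _, n, _ in accepted)
    global_weights = [
        [[sum(n * w[li][r][c] for _, n, w in accepted) / total
          for c in range(len(row))]
         for r, row in enumerate(layer)]
        for li, layer in enumerate(reference)
    ]
    return global_weights, [cid for cid, _, _ in rejected]

# Constructed toy model: a 3x2 layer followed by a 2x1 layer.
REFERENCE = [[[0.0, 0.0], [0.0, 0.0], [0.0, 0.0]], [[0.0], [0.0]]]

def demo():
    updates = [
        ("hospital", 1000, filled(REFERENCE, 1.0)),
        ("factory", 3000, filled(REFERENCE, 2.0)),
        # Constructed bad update: four input rows instead of three.
        ("stale", 5000, [[[9.0, 9.0]] * 4, [[9.0], [9.0]]]),
    ]
    return fedavg(updates, REFERENCE)

if __name__ == "__main__":
    print(demo())
```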
FED_IIDS follows a decoupled client–server design supplemented by a shared API contract that defines the model architecture and feature dimensions.
```
Fed_IIDS/
│
├── client/
│   ├── run_client.py
│   ├── nids_client.py
│   ├── config.py
│   ├── data_loader.py
│   ├── requirements.txt
│   ├── standalone_test.py
│   └── data/
│       ├── client_hospital_train.npz
│       ├── client_hospital_test.npz
│       ├── client_factory_train.npz
│       └── client_factory_test.npz
│
├── server/
│   ├── server.py
│   ├── server_config.py
│   └── data/
│       └── global_test_set.npz
│
├── shared/
│   ├── model.py
│   └── model_config.py
│
├── outputs/
│   ├── server_terminal_output.txt
│   └── client_terminal_output.txt
│
├── Fed_IIDS.ipynb
├── TECHNICAL_REPORT.md
└── README.md
```
```mermaid
flowchart TD
    subgraph SERVER["Server (server/)"]
        S["server.py"]
        SC["server_config.py"]
        GTS["global_test_set.npz"]
        S --> SC
        S -->|"Evaluate"| GTS
    end
    subgraph CLIENT1["Client 1: Hospital (client/)"]
        C1["run_client.py"]
        C1D["hospital_train.npz"]
        C1C["config.py"]
        C1 --> C1C
        C1 -->|"DP-SGD Training"| C1D
    end
    subgraph CLIENT2["Client 2: Factory (client/)"]
        C2["run_client.py"]
        C2D["factory_train.npz"]
        C2C["config.py"]
        C2 --> C2C
        C2 -->|"DP-SGD Training"| C2D
    end
    S -->|"Send Model + Config"| C1
    S -->|"Send Model + Config"| C2
    C1 -->|"Private Update"| S
    C2 -->|"Private Update"| S
    S -->|"FedAvg Aggregation"| S
```
Full architectural details are available in TECHNICAL_REPORT.md.
```
git clone https://github.com/letsbegincode/Fed_IIDS.git
cd Fed_IIDS
python -m venv venv
.\venv\Scripts\activate
pip install -r client/requirements.txt
```
The full preprocessing notebook used to generate all .npz files:
Google Colab (View Mode): https://colab.research.google.com/drive/1gb8MZQ5IooUB7BXmIzm5J9QSgOituJFi?usp=sharing
This notebook performs:
- CSV aggregation
- Cleaning & normalization
- Feature engineering
- Non-IID splits
- .npz file generation
Fed_IIDS/client/data/
Fed_IIDS/server/data/
All commands must be run from the root folder.
```
python -m server.server
python -m client.run_client --client-id hospital
python -m client.run_client --client-id factory
```
Training begins automatically once the minimum clients connect.
The outputs/ directory includes reference logs:
- server_terminal_output.txt
- client_terminal_output.txt

These are useful for debugging and verifying correct operation.
Single-client training fails on unseen attack types (e.g., Mirai). Federated training resolves this issue.
DP-SGD introduces noise and overhead, requiring careful batch configuration.
The global model improves steadily through federated rounds, outperforming single-client baselines.
Full results are in TECHNICAL_REPORT.md.
This project is licensed under the MIT License. See: LICENSE
If you use FED_IIDS in your research, please cite:
Abhinav Ranjan, "FED_IIDS: A Differentially Private Federated Intrusion Detection System", 2025.
GitHub Repository: https://github.com/letsbegincode/Fed_IIDS
See the full technical paper: