Federated Learning-Based Cyber Threat Hunting for APT Attack Detection in SDN-Enabled Networks

Abstract

Threat hunting is the action of seeking harmful actors lurking in the network or the system in the early stage with the assumption of attackers already broke the cy-ber defense solution. This defense solution requires collecting more knowledge inside and outside to search potential threats in each organization. To leverage the knowledge of multiple organizations and experts for cyber threat detection, there is a need for the collaboration without breaking data among data owners across the cybersecurity community. Meanwhile, Software Defined Networking (SDN) is the flexible and programmable network architecture, which enables network administrator to proactively enforce the security policy in the large-scale network. Obviously, it can help organizations to enforce dynamically threat hunting services. Thus, this work introduces a federated learning (FL) approach for cyber threat hunting in SDN-enabled networks to deploy a proactive APT attack detection and response by leveraging threat intelligence from collaborative parties. Our approach can enrich the outcome of machine learning (ML)-based or deep learning (DL)-based threat detectors in recognizing malicious indicators. The experimental results on NF-UQ-NIDS dataset and FedPlus model aggregation algorithm demonstrate the feasibility of FL-based cyber threat hunting with privacy preservation among data holders in SDN context.