Advancing Network Anomaly Detection Using Deep Learning and

Federated Learning in an Interconnected Environment

Hanen Dhrir

1

, Maha Charfeddine

2

and Habib M. Kammoun

3

1

could indicate security threats or system failures. Traditional centralized anomaly detection methods face

issues such as data privacy. Federated Learning has emerged as a promising solution that distributes model

training across multiple devices or nodes. Federated Learning improves anomaly detection by leveraging ge-

ographically distributed data sources while maintaining data privacy and security. This study presents a novel

Federated Learning architecture designed specifically for network anomaly detection, addressing important

information sensitivity issues in network environments. We compare some Deep Learning algorithms, such

as Long Short-Term Memory (LSTM), Convolutional Neural Networks (CNN), and Multilayer Perceptron

(MLP), using XGBoost for feature selection and Stochastic Gradient Descent (SGD) as an optimizer. To ad-

dress the problem of imbalanced data, we use the Synthetic Minority Over-sampling Technique (SMOTE)

with the UNSW-NB15 dataset. Our methodology is rigorously evaluated using standard evaluation metrics

adapting to evolving threats, and operating in real-

time, all while raising privacy concerns by aggregat-

ing sensitive data in a single location. This approach

jeopardizes data confidentiality and demands exten-

sive datasets to effectively capture network behav-

iors, often failing to scale and respond to advanced

risks (Garg et al., 2020). Federated Learning offers a

promising alternative by decentralizing model train-

ing across multiple devices or nodes. It keeps data

local, sharing only model updates aggregated on a

improves detection system robustness and accuracy

through diverse data sources, enhancing model re-

contributions of this research work are as follows:

chitecture specifically designed for network anomaly

detection. This architecture ensures data privacy and

security, addressing the important challenge of data

sensitivity in network environments.

scent (SGD) as an optimizer. These models are as-

sessed for their effectiveness in accurately detecting

network anomalies.

address the challenge of imbalanced data, we ap-

ply the Synthetic Minority Over-sampling Technique

(SMOTE) to the UNSW-NB15 dataset. This tech-

nique improves the performance of our models by en-

suring a more balanced representation of the dataset.

orously evaluated using the most common evalua-

tion parameters. Our results are benchmarked against

other state-of-the-art approaches, demonstrating the

efficacy of our methods. The structure of this pa-

per is as follows: Section 2, Theoretical Background,

covers the foundations of Federated Learning and rel-

evant Deep Learning methods for network anomaly

parison with previous related works. Finally, Section

6, concludes the paper.

2 THEORETICAL BACKGROUND

This section covers the key concepts of Machine

Learning, Deep Learning, and Federated Learning for

network anomaly detection. It highlights how Fed-

erated Learning addresses the limitations of tradi-

tional methods by preserving privacy and decentraliz-

ing data, leading to more reliable and secure anomaly

detection solutions, and includes a description of the

terns, signaling potential malicious actions or system

failures. Historically, anomaly detection has relied

on two approaches: signature-based and anomaly-

based methods. Signature-based detection identifies

known threats by comparing network activity to pre-

defined patterns or signatures. While effective for

known threats, it is limited in detecting new or un-

known threats. On the other hand, anomaly-based

detection monitors network behavior, identifying de-

viations from established norms. While capable of

lies, overcoming the limitations of traditional meth-

ods. ML tools, such as classifiers, segment data into

distinct categories like normal and abnormal, train-

ing on labeled datasets to detect patterns and clas-

sify new data points, recognizing outliers (Rafique

et al., 2024). Autoencoders, a type of neural net-

work, excel at this task by compressing input data and

reconstructing it, Learning normal data patterns and

detecting anomalies by comparing the reconstructed

output with the original (Torabi et al., 2023). Ad-

ditionally, Deep Learning models like Convolutional

work anomaly detection, they also raise privacy con-

cerns. These methods often require centralizing large

datasets for model training, which can lead to privacy

breaches if sensitive data is not adequately protected.

Federated Learning is a revolutionary approach to ma-

chine Learning, providing a decentralized framework

that enables multiple entities to collaboratively train

a model while keeping their data local. Unlike tra-

gregation reduces the risk of data breaches and en-

sures compliance with stringent data protection regu-

lations. Federated Learning’s key principles include

collaborative training across distributed nodes, se-

cure aggregation of model updates, and robust com-

munication protocols. Federated Learning improves

anomaly detection across network environments by

aggregating model updates from a variety of decen-

tralized sources. This approach uses a broader set

of data while maintaining individual privacy, result-

raw data. The architecture depicted in figure 1 has

three major components (Zhao et al., 2019):

et al., 2022). The described Federated Learning ar-

chitecture provides a strong foundation for collabora-

tive, privacy-preserving anomaly detection in decen-

tralized environments.

gorithms, datasets, and evaluation metrics used to im-

plement and evaluate the effectiveness of this archi-

tecture in real-world network anomaly detection sce-

narios.

cal architectures that enhance system robustness and

data privacy. Authors in (Doriguzzi-Corin and Sir-

acusa, 2024) introduced FLAD, an adaptive Fed-

erated Learning Approach specifically designed for

DDoS attack detection. This approach aims to over-

come the limitations of traditional Federated Learn-

ing algorithms by dynamically adjusting client selec-

tion and computational workloads during the train-

ing process, without necessitating the exchange of

training or validation data between clients and the

central server. FLAD is tailored for cybersecurity

applications, with a particular focus on maintaining

data privacy by ensuring that sensitive attack data

is not shared between clients and the server. This

et al., 2021), which provides a robust framework

for evaluating DDoS detection capabilities under a

Federated Learning paradigm. The paper introduces

clients, edge servers, and a global server. Clients re-

tain their data locally and manage their models inde-

pendently, thereby safeguarding data privacy by pre-

venting direct data transfers to central servers. Edge

servers play a critical role in this architecture by re-

ceiving model updates from clients, aggregating these

updates, and forwarding the consolidated results to

the global server. The global server then refines the

global model using these aggregated updates and dis-

seminates the improved model back to clients for lo-

Learning systems. The application of Multilayer Per-

ceptron (MLP) within this framework is particularly

effective for tasks like network anomaly detection, as

demonstrated using the UNSW-NB15 dataset, which

provides comprehensive coverage of network intru-

sion scenarios. These innovative approaches in Fed-

erated Learning for network anomaly detection un-

derscore the importance of adaptive frameworks and

hierarchical architectures in enhancing privacy, scala-

divides the model into multiple components, each of

which is trained on a separate device. This lowers

the computational load while enhancing security. The

UNSW-NB15 dataset, which is renowned for its ex-

tensive records of network traffic, facilitates the effi-

cient identification of cyberthreats within the infras-

tructure of smart cities. In the following section, we

delve Deeper into the proposed methodology, further

exploring their implication for robust and efficient

anomaly detection.

4 METHODOLOGY

This section describes how we developed and evalu-

ated our Federated Learning-based network anomaly

detection system. Our methodology ensures a thor-

Figure 2: Overview of the proposed methodology.

the SMOTE technique and then partitioned across ten

clients. We explored various scenarios by implement-

ing and training CNN, LSTM, and MLP models for

each client. To achieve optimal performance in our

Federated Learning-based system, we used Stochas-

tic Gradient Descent (SGD) as an optimizer and XG-

Boost for feature selection.

The UNSW-NB15 dataset (Moustafa and Slay, 2015),

developed by the ACCS at UNSW, is used for training

systems.

Preprocessing plays a vital role in enhancing the per-

formance of Machine Learning models. The key steps

include:

sulting from data corruption or improper recording,

are addressed by removing rows with NaN values,

nority Over-sampling Technique (SMOTE) addresses

class imbalance by generating synthetic examples for

the minority class. It creates new instances in the fea-

ture space, improving the model’s ability to classify

minority classes (Ali et al., 2024a).

Using MLP, LSTM, and CNN architectures, we con-

ducted 50 rounds with 10 epochs for each of the 10

clients. Through extensive testing, we determined

that 10 epochs yielded the best results. Additionally,

culates the gradient using the entire dataset, SGD up-

dates model parameters iteratively using small, ran-

domly selected batches of data. This approach signif-

icantly enhances computational efficiency and speed.

The frequent updates facilitated by mini-batches en-

able faster convergence and improve the model’s abil-

ity to generalize, thereby reducing the risk of overfit-

ting. Additionally, the stochastic nature of SGD helps

the optimizer escape local minima, making it advanta-

geous for handling large-scale datasets. Overall, SGD

ture importance by analyzing each feature’s contribu-

tion to the model’s predictive accuracy during train-

ing. It measures metrics such as gain, coverage, and

frequency. This process enables the identification of

the most influential features, facilitating dimension-

ality reduction, enhancing model performance, and

lowering computational costs by focusing on the fea-

tures that significantly impact prediction outcomes

(Chen and Guestrin, 2016).

(1)

tives and true negatives. The formula (2) for ac-

curacy, considering true positives (TP), true neg-

atives (TN), false positives (FP), and false nega-

tives (FN), is:

TN + TP

TP + FN + FP + TN

(2)

.

F1-Score =

2 × (Recall × Precision)

Recall + Precision

(3)

• Precision measures the proportion of flagged

anomalies that are true anomalies, minimizing

false positives (Ali et al., 2024b). The formula

for precision is (4):

Precision =

TP

(4)

els. In addition, we displayed some plotted curves

3, 4 and 5 for the tested combined approaches. In

our Federated Learning setup, a ”round” is a full cy-

cle in which each client performs local training on its

data and sends updates to the central server. The pro-

cess is repeated 50 rounds, allowing each model to it-

eratively improve while Learning from decentralized

data sources. In figures 3, 4 and 5, the X-axis repre-

sents the number of communication rounds (ranging

from 1 to 50). The Y-axis represents the metric val-

ues (recall, precision, accuracy, F1-score, and loss)

from decentralized data from multiple clients. The

MLP’s recall begins low and improves marginally, in-

dicating a struggle to consistently identify anomalies.

CNN increases significantly over time, rapidly reach-

ing high recall values, indicating its effectiveness in

detecting anomalies. LSTM gradually evolves, but

not as quickly or effectively as CNN, most likely due

tends to improve with rounds as the model reduces

loss values, indicating effective Learning and con-

vergence. Loss decreases steadily with LSTM but

does not reach the minimal values achieved by CNN.

Among the three models, CNN with SGD optimiza-

tion performs the best in anomaly detection within the

proposed Federated Learning framework. It consis-

tently achieves high recall, precision, accuracy, and

F1-score while reducing loss. LSTM performs rea-

sonably well but is less effective than CNN, most

for feature selection, SMOTE for dataset balancing,

and SGD for model optimization. The findings show

that when it comes to recall, precision, accuracy, and

F1-score, CNN combined with SGD, SMOTE, and

XGBoost perform noticeably better than other pos-

sible combinations. In particular, the CNN model

demonstrated almost flawless classification perfor-

mance with recall of 0.9939, precision of 0.9998, ac-

curacy of 0.9965, and F1-score of 0.9968. The per-

formance of the LSTM and MLP models was en-

significance of correcting the dataset’s class imbal-

ance. However, the feature selection model using

MLP, SGD, and SMOTE performed relatively poorly,

indicating that this combination might not be as use-

ful in the network anomaly specific context. Over-

all, the results indicate that feature selection with a

CNN equipped with SGD, SMOTE, and XGBoost is

very successful when applied to network anomaly de-

tection tasks within a Federated Anomaly environ-

The research leading to these results was supported

by the Ministry of Higher Education and Scientific

Research of Tunisia.

Ali, A. H., Charfeddine, M., Ammar, B., Hamed, B. B.,

Bharati, S., Mondal, M., Podder, P., and Prasath, V. (2022).

Fki, Z., Ammar, B., Fourati, R., Fendri, H., Hussain, A.,

Garg, S., Kaur, K., Batra, S., Kaddoum, G., Kumar, N., and

Hdaib, M., Rajasegarar, S., and Pan, L. (2024). Quan-

Marfo, W., Tosh, D. K., and Moore, S. V. (2022). Net-

Moustafa, N. and Slay, J. (2015). Unsw-nb15: a compre-

Rafique, S. H., Abdallah, A., Musa, N. S., and Murugan,

Sun, Y., Que, H., Cai, Q., Zhao, J., Li, J., Kong, Z., and

Torabi, H., Mirtaheri, S. L., and Greco, S. (2023). Practical

Zhao, Y., Chen, J., Wu, D., Teng, J., and Yu, S. (2019).