Abstract: Attributing cyberattacks in Internet of Things (IoT) environments is challenging because of their distributed, heterogeneous nature and the limitations of traditional Digital Forensics (DF) tools with respect to privacy preservation and scalability. This paper presents FedCAD, a novel Federated Learning (FL)-based forensic method for multi-attribute cyberattack attribution that operates directly on IoT devices. It leverages a lightweight 1D Convolutional Neural Network (CNN) architecture with a shared feature extractor and three parallel sub-networks, each targeting a distinct attribute: attack type, tactics/tools, and motive. Its architecture consists of three layers: an IoT device layer that collects traces and performs local training; an FL layer for privacy-preserving model aggregation via FedAvg; and a DF analysis layer for multi-attribute inference and reporting. FedCAD also integrates the MITRE ATT&CK framework to enrich training data with real-world adversarial knowledge. Evaluations on the three public datasets TON-IoT, Bot-IoT, and UNSW-NB15 show that FedCAD outperforms centralized models, with gains of 2.1% accuracy, 1.0% precision, 1.5% recall, and 1.3% F1-score on TON-IoT. Experimental results demonstrate FedCAD’s effectiveness as a scalable, privacy-preserving solution for cyberattack attribution in dynamic IoT ecosystems.
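The FL layer described in the abstract aggregates client models with FedAvg, and the model has one shared feature extractor feeding three attribute heads. The following is an added illustration of that aggregation step, not the FedCAD authors' code: the module names (`shared_extractor`, `head_attack_type`, `head_tactic_tool`, `head_motive`), the per-device sample counts and the toy local-training step are assumptions chosen to mirror the abstract's description. It shows the security-relevant property of the scheme, namely that only model parameters cross the device boundary, weighted by each device's local sample count, while raw traces stay on the IoT device.

```python
"""FedAvg over a shared-extractor + three-head parameter layout.

Added example, not the FedCAD authors' code. Module names, sample counts
and the local-training stand-in are constructed assumptions.
"""
from typing import Dict, List, Tuple

# A "model" is a flat dict: module name -> list of float parameters.
Params = Dict[str, List[float]]
Update = Tuple[int, Params]  # (n_k local samples, client parameters)

# Assumed module names mirroring the abstract: one shared extractor, three heads.
MODULES = ("shared_extractor", "head_attack_type", "head_tactic_tool", "head_motive")


def fed_avg(updates: List[Update]) -> Params:
    """FedAvg: weight each client's parameters by its local sample count n_k.

    Only parameters are exchanged; the raw IoT traces that produced them never
    leave the device. Layout and shape mismatches are rejected so a malformed
    or tampered update cannot silently corrupt the global model.
    """
    total = sum(n for n, _ in updates)
    if total <= 0:
        raise ValueError("no client samples to aggregate")
    layout = updates[0][1]
    agg: Params = {m: [0.0] * len(layout[m]) for m in layout}
    for n, params in updates:
        if params.keys() != layout.keys():
            raise ValueError("client update does not match global model layout")
        weight = n / total
        for module, vec in params.items():
            if len(vec) != len(agg[module]):
                raise ValueError(f"shape mismatch in module {module}")
            for i, value in enumerate(vec):
                agg[module][i] += weight * value
    return agg


def local_step(global_params: Params, target: Params, lr: float = 0.5) -> Params:
    """Toy stand-in for on-device training: move each parameter a fraction
    `lr` of the way from the global value toward this device's own optimum."""
    return {
        m: [g + lr * (t - g) for g, t in zip(global_params[m], target[m])]
        for m in global_params
    }


def run_rounds(global_params: Params, clients: List[Update], rounds: int) -> Params:
    """Simulate FL rounds: each device trains locally, the FL layer aggregates."""
    for _ in range(rounds):
        updates = [(n, local_step(global_params, tgt)) for n, tgt in clients]
        global_params = fed_avg(updates)
    return global_params


def make_params(value: float) -> Params:
    """Constructed parameter set with every weight equal to `value`."""
    return {
        "shared_extractor": [value, value],
        "head_attack_type": [value],
        "head_tactic_tool": [value],
        "head_motive": [value],
    }


def example_clients() -> List[Update]:
    """Constructed sample data: three IoT devices with different trace counts."""
    return [(100, make_params(1.0)), (300, make_params(2.0)), (600, make_params(4.0))]


def zero_params() -> Params:
    return make_params(0.0)


if __name__ == "__main__":
    one_round = fed_avg(example_clients())
    print("single FedAvg step:", one_round)
    converged = run_rounds(zero_params(), example_clients(), rounds=30)
    print("after 30 rounds:", converged)
```

With sample counts 100, 300 and 600 the aggregation weights are 0.1, 0.3 and 0.6, so a single FedAvg step over per-device values 1.0, 2.0 and 4.0 yields 3.1 in every module, and repeated rounds from a zero model converge to that same weighted optimum.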
External IDs: dblp:journals/tsusc/MohamedMKTZS25