Spotting Anomalies at the Edge: Outlier Exposure-Based Cross-Silo Federated Learning for DDoS Detection

Distributed Denial-of-Service (DDoS) attacks are expected to continue plaguing service availability in emerging networks which rely on distributed edge clouds to offer critical, latency-sensitive applications. However, edge servers increase the network attack surface, which is exacerbated with the massive number of connected Internet of Things (IoT) devices that can be weaponized to launch DDoS attacks. Therefore, it is crucial to detect DDoS attacks early, i.e., at the network edge. In this paper, we empower the network edge with intelligent DDoS detection by learning from similarities between different data and DDoS attacks available across the edge servers. To this end, we develop a novel Outlier Exposure (OE)-enabled cross-silo Federated Learning framework, namely FedOE. FedOE enables distributed training of OE-based ML models using a limited number of labeled outliers (i.e., attack flows) experienced at edge servers. We propose a novel OE-based Autoencoder (oAE) that can better discriminate anomalies in comparison to the widely adopted traditional Autoencoder, using a tailored, OE-based loss function. We evaluate oAE in FedOE and demonstrate its ability to generalize to zero-day attacks, with just 50 labeled attack flows per edge server. The results show that oAE achieves a high F1-score for most DDoS attacks, outclassing its non-OE counterpart.