Scalable architecture for autonomous malware detection and defense in software-defined networks using federated learning approaches

Abstract

This paper proposes a scalable and autonomous malware detection and defence architecture in software-defined networks (SDNs) that employs federated learning (FL). This architecture combines SDN’s centralized management of potentially significant data streams with FL’s decentralized, privacy-preserving learning capabilities in a distributed manner adaptable to varying time and space constraints. This enables a flexible, adaptive design and prevention approach in large-scale, heterogeneous networks. Using balanced datasets, we observed detection rates of up to 96% for controlled DDoS and Botnet attacks. However, in more realistic simulations that utilized diverse, real-world imbalanced datasets (such as CICIDS 2017 and UNSW-NB15) and complex scenarios like data exfiltration, the performance dropped to an overall accuracy of 59.50%. This reflects the challenges encountered in real-world deployments. We analyzed performance metrics such as detection accuracy, latency (less than 1 s), throughput recovery (from 300 to 500 Mbps), and communication overhead comparatively. Our architecture minimizes privacy risks by ensuring that raw data never leaves the device; only model updates are shared for aggregation at the global level. While it effectively detects high-impact incursions, there is room for improvement in identifying more subtle threats, which can be addressed with enriched datasets and improved feature engineering. This work offers a robust, privacy-preserving framework for deploying scalable and intelligent malware detection in contemporary network infrastructures.