PROTEAN: Federated Intrusion Detection in Non-IID Environments Through Prototype-Based Knowledge Sharing

Sara Chennoufi; Yufei Han; Gregory Blanc; Emiliano De Cristofaro; Christophe Kiennert

doi:10.1007/978-3-032-07884-1_6

PROTEAN: Federated Intrusion Detection in Non-IID Environments Through Prototype-Based Knowledge Sharing

Sara Chennoufi
, Yufei Han
, Gregory Blanc
, Emiliano De Cristofaro
, Christophe Kiennert

Telecom Sudparis
INRIA Institut National de Recherche en Informatique et en Automatique
University of California, Riverside

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › peer-review

Abstract

In distributed networks, participants often face diverse and fast-evolving cyberattacks. This makes techniques based on Federated Learning (FL) a promising mitigation strategy. By only exchanging model updates, FL participants can collaboratively build detection models without revealing sensitive information, e.g., network structures or security postures. However, the effectiveness of FL solutions is often hindered by significant data heterogeneity, as attack patterns often differ drastically across organizations due to varying security policies. To address these challenges, we introduce PROTEAN, a Prototype Learning-based framework geared to facilitate collaborative and privacy-preserving intrusion detection. PROTEAN enables accurate detection in environments with highly non-IID attack distributions and promotes direct knowledge sharing by exchanging class prototypes of different attack types among participants. This allows organizations to better understand attack techniques not present in their data collections. We instantiate PROTEAN on two cyber intrusion datasets collected from IIoT and 5G-connected participants and evaluate its performance in terms of utility and privacy, demonstrating its effectiveness in addressing data heterogeneity while improving cyber attack understanding in federated intrusion detection systems (IDSs).

Original language	English
Title of host publication	Computer Security – ESORICS 2025 - 30th European Symposium on Research in Computer Security, Proceedings
Editors	Vincent Nicomette, Abdelmalek Benzekri, Nora Boulahia-Cuppens, Jaideep Vaidya
Publisher	Springer Science and Business Media Deutschland GmbH
Pages	103-125
Number of pages	23
ISBN (Print)	9783032078834
DOIs	https://doi.org/10.1007/978-3-032-07884-1_6
Publication status	Published - 1 Jan 2026
Event	30th European Symposium on Research in Computer Security, ESORICS 2025 - Toulouse, France Duration: 22 Sept 2025 → 24 Sept 2025

Publication series

Name	Lecture Notes in Computer Science
Volume	16053 LNCS
ISSN (Print)	0302-9743
ISSN (Electronic)	1611-3349

Conference

Conference	30th European Symposium on Research in Computer Security, ESORICS 2025
Country/Territory	France
City	Toulouse
Period	22/09/25 → 24/09/25

Access to Document

10.1007/978-3-032-07884-1_6

Cite this

Chennoufi, S., Han, Y., Blanc, G., De Cristofaro, E., & Kiennert, C. (2026). PROTEAN: Federated Intrusion Detection in Non-IID Environments Through Prototype-Based Knowledge Sharing. In V. Nicomette, A. Benzekri, N. Boulahia-Cuppens, & J. Vaidya (Eds.), Computer Security – ESORICS 2025 - 30th European Symposium on Research in Computer Security, Proceedings (pp. 103-125). (Lecture Notes in Computer Science; Vol. 16053 LNCS). Springer Science and Business Media Deutschland GmbH. https://doi.org/10.1007/978-3-032-07884-1_6

Chennoufi, Sara ; Han, Yufei ; Blanc, Gregory et al. / PROTEAN : Federated Intrusion Detection in Non-IID Environments Through Prototype-Based Knowledge Sharing. Computer Security – ESORICS 2025 - 30th European Symposium on Research in Computer Security, Proceedings. editor / Vincent Nicomette ; Abdelmalek Benzekri ; Nora Boulahia-Cuppens ; Jaideep Vaidya. Springer Science and Business Media Deutschland GmbH, 2026. pp. 103-125 (Lecture Notes in Computer Science).

@inproceedings{b10cba0a29f14e3f9b9d66ddb602f681,

title = "PROTEAN: Federated Intrusion Detection in Non-IID Environments Through Prototype-Based Knowledge Sharing",

abstract = "In distributed networks, participants often face diverse and fast-evolving cyberattacks. This makes techniques based on Federated Learning (FL) a promising mitigation strategy. By only exchanging model updates, FL participants can collaboratively build detection models without revealing sensitive information, e.g., network structures or security postures. However, the effectiveness of FL solutions is often hindered by significant data heterogeneity, as attack patterns often differ drastically across organizations due to varying security policies. To address these challenges, we introduce PROTEAN, a Prototype Learning-based framework geared to facilitate collaborative and privacy-preserving intrusion detection. PROTEAN enables accurate detection in environments with highly non-IID attack distributions and promotes direct knowledge sharing by exchanging class prototypes of different attack types among participants. This allows organizations to better understand attack techniques not present in their data collections. We instantiate PROTEAN on two cyber intrusion datasets collected from IIoT and 5G-connected participants and evaluate its performance in terms of utility and privacy, demonstrating its effectiveness in addressing data heterogeneity while improving cyber attack understanding in federated intrusion detection systems (IDSs).",

author = "Sara Chennoufi and Yufei Han and Gregory Blanc and \{De Cristofaro\}, Emiliano and Christophe Kiennert",

note = "Publisher Copyright: {\textcopyright} The Author(s), under exclusive license to Springer Nature Switzerland AG 2026.; 30th European Symposium on Research in Computer Security, ESORICS 2025 ; Conference date: 22-09-2025 Through 24-09-2025",

year = "2026",

month = jan,

day = "1",

doi = "10.1007/978-3-032-07884-1\_6",

language = "English",

isbn = "9783032078834",

series = "Lecture Notes in Computer Science",

publisher = "Springer Science and Business Media Deutschland GmbH",

pages = "103--125",

editor = "Vincent Nicomette and Abdelmalek Benzekri and Nora Boulahia-Cuppens and Jaideep Vaidya",

booktitle = "Computer Security – ESORICS 2025 - 30th European Symposium on Research in Computer Security, Proceedings",

}

Chennoufi, S, Han, Y, Blanc, G, De Cristofaro, E & Kiennert, C 2026, PROTEAN: Federated Intrusion Detection in Non-IID Environments Through Prototype-Based Knowledge Sharing. in V Nicomette, A Benzekri, N Boulahia-Cuppens & J Vaidya (eds), Computer Security – ESORICS 2025 - 30th European Symposium on Research in Computer Security, Proceedings. Lecture Notes in Computer Science, vol. 16053 LNCS, Springer Science and Business Media Deutschland GmbH, pp. 103-125, 30th European Symposium on Research in Computer Security, ESORICS 2025, Toulouse, France, 22/09/25. https://doi.org/10.1007/978-3-032-07884-1_6

PROTEAN: Federated Intrusion Detection in Non-IID Environments Through Prototype-Based Knowledge Sharing. / Chennoufi, Sara; Han, Yufei; Blanc, Gregory et al.
Computer Security – ESORICS 2025 - 30th European Symposium on Research in Computer Security, Proceedings. ed. / Vincent Nicomette; Abdelmalek Benzekri; Nora Boulahia-Cuppens; Jaideep Vaidya. Springer Science and Business Media Deutschland GmbH, 2026. p. 103-125 (Lecture Notes in Computer Science; Vol. 16053 LNCS).

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › peer-review

TY - GEN

T1 - PROTEAN

T2 - 30th European Symposium on Research in Computer Security, ESORICS 2025

AU - Chennoufi, Sara

AU - Han, Yufei

AU - Blanc, Gregory

AU - De Cristofaro, Emiliano

AU - Kiennert, Christophe

N1 - Publisher Copyright: © The Author(s), under exclusive license to Springer Nature Switzerland AG 2026.

PY - 2026/1/1

Y1 - 2026/1/1

N2 - In distributed networks, participants often face diverse and fast-evolving cyberattacks. This makes techniques based on Federated Learning (FL) a promising mitigation strategy. By only exchanging model updates, FL participants can collaboratively build detection models without revealing sensitive information, e.g., network structures or security postures. However, the effectiveness of FL solutions is often hindered by significant data heterogeneity, as attack patterns often differ drastically across organizations due to varying security policies. To address these challenges, we introduce PROTEAN, a Prototype Learning-based framework geared to facilitate collaborative and privacy-preserving intrusion detection. PROTEAN enables accurate detection in environments with highly non-IID attack distributions and promotes direct knowledge sharing by exchanging class prototypes of different attack types among participants. This allows organizations to better understand attack techniques not present in their data collections. We instantiate PROTEAN on two cyber intrusion datasets collected from IIoT and 5G-connected participants and evaluate its performance in terms of utility and privacy, demonstrating its effectiveness in addressing data heterogeneity while improving cyber attack understanding in federated intrusion detection systems (IDSs).

AB - In distributed networks, participants often face diverse and fast-evolving cyberattacks. This makes techniques based on Federated Learning (FL) a promising mitigation strategy. By only exchanging model updates, FL participants can collaboratively build detection models without revealing sensitive information, e.g., network structures or security postures. However, the effectiveness of FL solutions is often hindered by significant data heterogeneity, as attack patterns often differ drastically across organizations due to varying security policies. To address these challenges, we introduce PROTEAN, a Prototype Learning-based framework geared to facilitate collaborative and privacy-preserving intrusion detection. PROTEAN enables accurate detection in environments with highly non-IID attack distributions and promotes direct knowledge sharing by exchanging class prototypes of different attack types among participants. This allows organizations to better understand attack techniques not present in their data collections. We instantiate PROTEAN on two cyber intrusion datasets collected from IIoT and 5G-connected participants and evaluate its performance in terms of utility and privacy, demonstrating its effectiveness in addressing data heterogeneity while improving cyber attack understanding in federated intrusion detection systems (IDSs).

UR - https://www.scopus.com/pages/publications/105020256752

U2 - 10.1007/978-3-032-07884-1_6

DO - 10.1007/978-3-032-07884-1_6

M3 - Conference contribution

AN - SCOPUS:105020256752

SN - 9783032078834

T3 - Lecture Notes in Computer Science

SP - 103

EP - 125

BT - Computer Security – ESORICS 2025 - 30th European Symposium on Research in Computer Security, Proceedings

A2 - Nicomette, Vincent

A2 - Benzekri, Abdelmalek

A2 - Boulahia-Cuppens, Nora

A2 - Vaidya, Jaideep

PB - Springer Science and Business Media Deutschland GmbH

Y2 - 22 September 2025 through 24 September 2025

ER -

Chennoufi S, Han Y, Blanc G, De Cristofaro E, Kiennert C. PROTEAN: Federated Intrusion Detection in Non-IID Environments Through Prototype-Based Knowledge Sharing. In Nicomette V, Benzekri A, Boulahia-Cuppens N, Vaidya J, editors, Computer Security – ESORICS 2025 - 30th European Symposium on Research in Computer Security, Proceedings. Springer Science and Business Media Deutschland GmbH. 2026. p. 103-125. (Lecture Notes in Computer Science). doi: 10.1007/978-3-032-07884-1_6