Decentralized Federated Learning for IoT Malware Detection at the Multi-Access Edge: A Two-Tier, Privacy-Preserving Design

Asiri, Mohammed; Khemakhem, Maher A.; Alhebshi, Reemah M.; Alsulami, Bassma S.; Eassa, Fathy E.

Decentralized Federated Learning for IoT Malware Detection at the Multi-Access Edge: A Two-Tier, Privacy-Preserving Design

Mohammed Asiri (), Maher A. Khemakhem, Reemah M. Alhebshi (), Bassma S. Alsulami and Fathy E. Eassa
Additional contact information
Mohammed Asiri: Department of Computer Science, King Abdulaziz University, Jeddah 21589, Saudi Arabia
Maher A. Khemakhem: Department of Computer Science, King Abdulaziz University, Jeddah 21589, Saudi Arabia
Reemah M. Alhebshi: Department of Computer Science, King Abdulaziz University, Jeddah 21589, Saudi Arabia
Bassma S. Alsulami: Department of Computer Science, King Abdulaziz University, Jeddah 21589, Saudi Arabia
Fathy E. Eassa: Department of Computer Science, King Abdulaziz University, Jeddah 21589, Saudi Arabia

Future Internet, 2025, vol. 17, issue 10, 1-30

Abstract: Botnet attacks on Internet of Things (IoT) devices are escalating at the 5G/6G multi-access edge, yet most federated learning frameworks for IoT malware detection (FL-IMD) still hinge on a central aggregator, enlarging the attack surface, weakening privacy, and creating a single point of failure. We propose a two-tier, fully decentralized FL architecture aligned with MEC’s Proximal Edge Server (PES)/Supplementary Edge Server (SES) hierarchy. PES nodes train locally and encrypt updates with the Cheon–Kim–Kim–Song (CKKS) scheme; SES nodes verify ECDSA-signed provenance, homomorphically aggregate ciphertexts, and finalize each round via an Algorand-style committee that writes a compact, tamper-evident record (update digests/URIs and a global-model hash) to an append-only ledger. Using the N-BaIoT benchmark with an unsupervised autoencoder, we evaluate known-device and leave-one-device-out regimes against a classical centralized baseline and a cryptographically hardened but server-centric variant. With the heavier CKKS profile, attack sensitivity is preserved (TPR ≥ 0.99 ), and specificity (TNR) declines by only 0.20 percentage points relative to plaintext in both regimes; a lighter profile maintains TPR while trading 3.5–4.8 percentage points of TNR for about 71% smaller payloads. Decentralization adds only a negligible per-round overhead for committee finality, while homomorphic aggregation dominates latency. Overall, our FL-IMD design removes the trusted aggregator and provides verifiable, ledger-backed provenance suitable for trustless MEC deployments.

Keywords: federated learning; decentralized learning; multi-access edge computing (MEC); Internet of Things (IoT); IoT malware detection; privacy preservation; homomorphic encryption (CKKS); blockchain provenance; peer-to-peer aggregation; N-BaIoT dataset (search for similar items in EconPapers)
JEL-codes: O3 (search for similar items in EconPapers)
Date: 2025
References: View complete reference list from CitEc
Citations:

Downloads: (external link)
https://www.mdpi.com/1999-5903/17/10/475/pdf (application/pdf)
https://www.mdpi.com/1999-5903/17/10/475/ (text/html)

Related works:
This item may be available elsewhere in EconPapers: Search for items with the same title.

Export reference: BibTeX RIS (EndNote, ProCite, RefMan) HTML/Text

Persistent link: https://EconPapers.repec.org/RePEc:gam:jftint:v:17:y:2025:i:10:p:475-:d:1774110

Access Statistics for this article

Future Internet is currently edited by Ms. Grace You

More articles in Future Internet from MDPI
Bibliographic data for series maintained by MDPI Indexing Manager ().