The role of anomaly detection systems in Critical Infrastructures (CIs) is critical due to the complexity of CIs and their control systems, which are usually implemented by computer-based controllers that constantly produce logs of their activities. Moreover, many CIs, located in different locations or even belonging to different companies, may share similar application software for controlling the CIs themselves. The goal of this work is to use such logs to perform automatic anomaly detection in a federated learning (FL) paradigm, which ensures that no data is exchanged between sites to train the anomaly detection models, but each learning agent learns on its own data, leveraging the knowledge acquired by the other agents. Our proposed approach - AdaLightLog - which implements a modified FL paradigm with adaptive loss functions at local servers side and weighted averaging of local server models, so to differentiate the quality of the different local servers’ models in the global averaging, is tested against state-of-the-art methods and shows an improvement in performance in terms of accuracy, precision and recall with respect to the standard FL implementation (FedAvg). Furthermore, a comparison between different metrics for the adaptive loss functions and the dynamic weights is presented.
AdaLightLog: Enhancing Application Logs Anomaly Detection via Adaptive Federating Learning / Menegatti, Danilo; De Santis, Emanuele; Felli, Stefano; Giuseppi, Alessandro. - 15549 LNCS:(2025), pp. 289-305. (Intervento presentato al convegno International Workshop on Critical Information Infrastructures Security tenutosi a Rome; Italy) [10.1007/978-3-031-84260-3_17].
AdaLightLog: Enhancing Application Logs Anomaly Detection via Adaptive Federating Learning
Menegatti, Danilo;De Santis, Emanuele
;Giuseppi, Alessandro
2025
Abstract
The role of anomaly detection systems in Critical Infrastructures (CIs) is critical due to the complexity of CIs and their control systems, which are usually implemented by computer-based controllers that constantly produce logs of their activities. Moreover, many CIs, located in different locations or even belonging to different companies, may share similar application software for controlling the CIs themselves. The goal of this work is to use such logs to perform automatic anomaly detection in a federated learning (FL) paradigm, which ensures that no data is exchanged between sites to train the anomaly detection models, but each learning agent learns on its own data, leveraging the knowledge acquired by the other agents. Our proposed approach - AdaLightLog - which implements a modified FL paradigm with adaptive loss functions at local servers side and weighted averaging of local server models, so to differentiate the quality of the different local servers’ models in the global averaging, is tested against state-of-the-art methods and shows an improvement in performance in terms of accuracy, precision and recall with respect to the standard FL implementation (FedAvg). Furthermore, a comparison between different metrics for the adaptive loss functions and the dynamic weights is presented.| File | Dimensione | Formato | |
|---|---|---|---|
|
Menegatti_AdaLightLog_2025.pdf
solo gestori archivio
Tipologia:
Versione editoriale (versione pubblicata con il layout dell'editore)
Licenza:
Tutti i diritti riservati (All rights reserved)
Dimensione
3.24 MB
Formato
Adobe PDF
|
3.24 MB | Adobe PDF | Contatta l'autore |
|
Menegatti_postprint_AdaLightLog_2025.pdf
accesso aperto
Note: DOI https://doi.org/10.1007/978-3-031-84260-3_17
Tipologia:
Documento in Post-print (versione successiva alla peer review e accettata per la pubblicazione)
Licenza:
Tutti i diritti riservati (All rights reserved)
Dimensione
757.94 kB
Formato
Adobe PDF
|
757.94 kB | Adobe PDF |
I documenti in IRIS sono protetti da copyright e tutti i diritti sono riservati, salvo diversa indicazione.
