The role of anomaly detection systems in Critical Infrastructures (CIs) is critical due to the complexity of CIs and their control systems, which are usually implemented by computer-based controllers that constantly produce logs of their activities. Moreover, many CIs, located in different locations or even belonging to different companies, may share similar application software for controlling the CIs themselves. The goal of this work is to use such logs to perform automatic anomaly detection in a federated learning (FL) paradigm, which ensures that no data is exchanged between sites to train the anomaly detection models, but each learning agent learns on its own data, leveraging the knowledge acquired by the other agents. Our proposed approach - AdaLightLog - which implements a modified FL paradigm with adaptive loss functions at local servers side and weighted averaging of local server models, so to differentiate the quality of the different local servers’ models in the global averaging, is tested against state-of-the-art methods and shows an improvement in performance in terms of accuracy, precision and recall with respect to the standard FL implementation (FedAvg). Furthermore, a comparison between different metrics for the adaptive loss functions and the dynamic weights is presented.
AdaLightLog: Enhancing Application Logs Anomaly Detection via Adaptive Federating Learning / Menegatti, Danilo; De Santis, Emanuele; Felli, Stefano; Giuseppi, Alessandro. - (2025), pp. 289-305. (Intervento presentato al convegno Critical Information Infrastructures Security. CRITIS 2024 tenutosi a Rome; Italy) [10.1007/978-3-031-84260-3_17].
AdaLightLog: Enhancing Application Logs Anomaly Detection via Adaptive Federating Learning
Menegatti, Danilo;De Santis, Emanuele
;Giuseppi, Alessandro
2025
Abstract
The role of anomaly detection systems in Critical Infrastructures (CIs) is critical due to the complexity of CIs and their control systems, which are usually implemented by computer-based controllers that constantly produce logs of their activities. Moreover, many CIs, located in different locations or even belonging to different companies, may share similar application software for controlling the CIs themselves. The goal of this work is to use such logs to perform automatic anomaly detection in a federated learning (FL) paradigm, which ensures that no data is exchanged between sites to train the anomaly detection models, but each learning agent learns on its own data, leveraging the knowledge acquired by the other agents. Our proposed approach - AdaLightLog - which implements a modified FL paradigm with adaptive loss functions at local servers side and weighted averaging of local server models, so to differentiate the quality of the different local servers’ models in the global averaging, is tested against state-of-the-art methods and shows an improvement in performance in terms of accuracy, precision and recall with respect to the standard FL implementation (FedAvg). Furthermore, a comparison between different metrics for the adaptive loss functions and the dynamic weights is presented.I documenti in IRIS sono protetti da copyright e tutti i diritti sono riservati, salvo diversa indicazione.
