
A Federated Reinforcement Learning Framework System For Intrusion Detection In Sdn Edge Environments

Abstract: The invention discloses a federated reinforcement learning-based framework for intrusion detection in SDN-edge environments. The system comprises distributed IDS agents deployed at edge nodes, each locally training with reinforcement learning algorithms to detect malicious traffic. A federated learning module aggregates encrypted model updates from the agents, forming a global intrusion detection model without exchanging raw data, thereby ensuring privacy and reducing bandwidth usage. Integration with an SDN controller enables real-time automated mitigation, including isolation of compromised nodes and reconfiguration of network flows. Differential privacy mechanisms and encryption ensure secure model sharing, while hierarchical coordination among agents improves detection accuracy. The system operates with low latency and high scalability, making it suitable for large-scale distributed environments. By combining federated learning, reinforcement learning, and SDN integration, the invention provides an adaptive, autonomous, and explainable intrusion detection system that significantly enhances cybersecurity in edge-enabled distributed networks.


Patent Information

Application #
Filing Date
22 September 2025
Publication Number
43/2025
Publication Type
INA
Invention Field
COMMUNICATION
Status
Email
Parent Application

Applicants

SR UNIVERSITY
ANANTHSAGAR, HASANPARTHY (M), WARANGAL URBAN, TELANGANA - 506371, INDIA

Inventors

1. DANDUGUDUM MAHESH
SCHOOL OF COMPUTER SCIENCE & ARTIFICIAL INTELLIGENCE, SR UNIVERSITY, ANANTHSAGAR, HASANPARTHY (M), WARANGAL URBAN, TELANGANA - 506371, INDIA
2. DR. SAMPATH KUMAR TALLAPALLY
SCHOOL OF COMPUTER SCIENCE & ARTIFICIAL INTELLIGENCE, SR UNIVERSITY, ANANTHSAGAR, HASANPARTHY (M), WARANGAL URBAN, TELANGANA - 506371, INDIA

Specification

Description:
FIELD OF THE INVENTION
The present invention relates to the field of cybersecurity, artificial intelligence, and distributed networks. More particularly, it concerns a federated reinforcement learning framework for intrusion detection in software-defined networking (SDN) integrated with edge computing environments. The invention provides an intelligent and autonomous intrusion detection system (IDS) that leverages federated reinforcement learning to achieve adaptive, privacy-preserving, and real-time threat detection without centralized data exchange.
BACKGROUND OF THE INVENTION
The present invention provides a Federated Reinforcement Learning-Based Intrusion Detection System (FRL-IDS) specifically developed for distributed software-defined networking (SDN) environments integrated with edge computing. The system includes intelligent IDS agents deployed on distributed edge nodes that learn attack patterns together without centralized data exchange. The federated reinforcement learning mechanism ensures global policy optimization that preserves data privacy and reduces bandwidth consumption. The system is also integrated with the SDN controller to dynamically adapt the network based on real-time threat detection, allowing for rapid and autonomous mitigation of cyber threats.
1. US20240171599 The present invention introduces a privacy-focused intrusion detection system for IoT networks that use blockchains that are relevant to learning. Instead of sharing raw user data, only model parameters are exchanged to protect personal information and simultaneously improve local neural network models. A blockchain-based central server integrates learning from multiple clients to optimize global models and improve intrusion detection efficiency. Continuous updates to the model help combat control changes and external attacks to protect the system from evolving threats. With distributed control, the cybersecurity framework provides enhanced data privacy, protected model integrity, and improved network security in a distributed IoT environment.
2. US20220215256 A new training protocol for neural networks within the proposed invention optimizes the learning process of edge devices when using federated learning methods. Edge devices perform federated averaging to obtain model copy information that converts limited clustering transformations into extended global specimens that help improve local training. The support system includes processors and network interfaces using memory elements, allowing edge devices to communicate with the central processing unit. Memory runs computer program products to aggregate specimens during the global model training process. The system implements a distributed learning process for model optimization, maintaining the device's functionality without affecting the confidentiality of local data.
Conventional intrusion detection systems in distributed networks suffer from major limitations, including dependency on centralized data collection, high bandwidth usage, vulnerability to privacy breaches, and slow adaptability to evolving cyber threats. Traditional signature-based IDS cannot detect novel attacks, while machine learning-based IDS rely on centralized datasets that compromise privacy and increase latency. Even federated learning-based IDS approaches lack real-time adaptability and automated network reconfiguration.
The present invention addresses these challenges by introducing a federated reinforcement learning-based IDS (FRL-IDS), wherein distributed IDS agents deployed at edge nodes learn collaboratively without exchanging raw data. The system ensures data privacy, minimizes bandwidth consumption, and adapts continuously to dynamic attack patterns using reinforcement learning methods. Integration with SDN controllers enables the network to autonomously reconfigure and mitigate threats in real time, offering a scalable and intelligent cybersecurity solution for modern distributed environments.
SUMMARY OF THE INVENTION
This summary is provided to introduce a selection of concepts, in a simplified format, that are further described in the detailed description of the invention.
This summary is neither intended to identify key or essential inventive concepts of the invention nor intended for determining the scope of the invention.
The invention provides a federated reinforcement learning-based intrusion detection framework specifically designed for SDN-edge environments. Distributed IDS agents are deployed at edge nodes, each independently learning local attack patterns through reinforcement learning algorithms. Instead of transmitting raw data, the agents share only encrypted model updates, which are aggregated to form a global model. This federated approach enhances privacy, reduces bandwidth consumption, and improves scalability in large-scale distributed environments.
Reinforcement learning algorithms, including Deep Q-Networks (DQN) and multi-agent reinforcement learning methods, enable the agents to adapt dynamically to evolving threats. The hierarchical structure allows senior nodes to guide junior nodes, improving detection accuracy across the network. Integration with the SDN controller ensures that once threats are detected, the network can autonomously reconfigure its flows to mitigate risks, thus providing real-time defense rather than delayed alerts.
The system incorporates additional privacy-preserving measures such as differential privacy and encrypted communication protocols, ensuring secure sharing of model updates. Real-time anonymization of threat detection events prevents sensitive data exposure. The framework thus provides a comprehensive, autonomous, and explainable intrusion detection and mitigation system for SDN-edge environments.
To further clarify the advantages and features of the present invention, a more particular description of the invention will be rendered by reference to specific embodiments thereof, which are illustrated in the appended drawings. It is appreciated that these drawings depict only typical embodiments of the invention and are therefore not to be considered limiting of its scope. The invention will be described and explained with additional specificity and detail with the accompanying drawings.
The Federated Reinforcement Learning-Based Intrusion Detection System (FRL-IDS) brings several new developments to cybersecurity in distributed SDN networks that use edge computing. Unlike conventional intrusion detection approaches that depend on centralized data collection, FRL-IDS leverages federated learning to allow intelligent IDS agents to use threat information in a distributed manner while maintaining privacy. With the use of reinforcement learning technologies such as Deep Q-Networks (DQN), Multi-Agent Reinforcement Learning (MARL), and Actor-Critic methods, the architecture offers adaptive security by continuously modifying rules for real-time intrusion detection. Without requiring human interaction, the integration of FRL-IDS with SDN controllers allows for autonomous threat avoidance and dynamic network coordination based on real-time intrusion detection.
BRIEF DESCRIPTION OF THE DRAWINGS
The illustrated embodiments of the subject matter will be understood by reference to the drawings, wherein like parts are designated by like numerals throughout. The following description is intended only by way of example, and simply illustrates certain selected embodiments of devices, systems, and methods that are consistent with the subject matter as claimed herein, wherein:
FIGURE 1: SYSTEM ARCHITECTURE
The figures depict embodiments of the present subject matter for the purposes of illustration only. A person skilled in the art will easily recognize from the following description that alternative embodiments of the structures and methods illustrated herein may be employed without departing from the principles of the disclosure described herein.
DETAILED DESCRIPTION OF THE INVENTION
The detailed description of various exemplary embodiments of the disclosure is described herein with reference to the accompanying drawings. It should be noted that the embodiments are described herein in such detail as to clearly communicate the disclosure. However, the amount of detail provided herein is not intended to limit the anticipated variations of embodiments; on the contrary, the intention is to cover all modifications, equivalents, and alternatives falling within the scope of the present disclosure as defined by the appended claims.
It is also to be understood that various arrangements may be devised that, although not explicitly described or shown herein, embody the principles of the present disclosure. Moreover, all statements herein reciting principles, aspects, and embodiments of the present disclosure, as well as specific examples, are intended to encompass equivalents thereof.
The terminology used herein is for the purpose of describing particular embodiments only and is not intended to be limiting of example embodiments. As used herein, the singular forms “a,” “an” and “the” are intended to include the plural forms as well, unless the context clearly indicates otherwise. It will be further understood that the terms “comprises,” “comprising,” “includes” and/or “including,” when used herein, specify the presence of stated features, integers, steps, operations, elements and/or components, but do not preclude the presence or addition of one or more other features, integers, steps, operations, elements, components and/or groups thereof.
It should also be noted that in some alternative implementations, the functions/acts noted may occur out of the order noted in the figures. For example, two figures shown in succession may, in fact, be executed concurrently or may sometimes be executed in the reverse order, depending upon the functionality/acts involved.
In addition, the descriptions of “first”, “second”, “third”, and the like in the present invention are used for the purpose of description only, and are not to be construed as indicating or implying their relative importance or implicitly indicating the number of technical features indicated. Thus, features defining “first” and “second” may include at least one of the features, either explicitly or implicitly.
Unless otherwise defined, all terms (including technical and scientific terms) used herein have the same meaning as commonly understood by one of ordinary skill in the art to which example embodiments belong. It will be further understood that terms, e.g., those defined in commonly used dictionaries, should be interpreted as having a meaning that is consistent with their meaning in the context of the relevant art and will not be interpreted in an idealized or overly formal sense unless expressly so defined herein.
Agents on the edge operate together through a federated model aggregation technique. This method ensures effective learning with little delay: agents train independently and share only encrypted model updates. The hierarchical IDS learning design enables senior agents to guide junior nodes in enhancing threat detection, boosting overall network accuracy and supporting optimal system performance. Data protection elements in this system include encryption protocols for exchanging attack information between edge nodes and SDN controllers, as well as differential privacy measures to safeguard federated model updates. In addition to preventing leaks that could compromise sensitive network data, real-time anonymization of threat detection guarantees that a detected threat is not linked to an identity while detection remains as effective as possible. Overall, FRL-IDS advances distributed security by combining federated learning, reinforcement learning, intrusion detection, and SDN, making edge computing and data exchange in an IoT-SDN environment more secure.
FRL-IDS aims to improve cybersecurity by identifying intrusions using distributed, autonomous, and privacy-preserving methods. FRL-IDS differs from traditional models in that its intelligent IDS agents do not reveal raw data, protect privacy, and learn attack patterns together while saving bandwidth. Through reinforcement learning, the system can automatically adjust its detection measures and remain responsive to changing cyber threat situations. With the help of an SDN controller, FRL-IDS can also change the network in real time, allowing threats to be mitigated immediately and at scale rather than just generating warnings. The purpose of this model is to provide the advantages of edge computing: intrusion detection is performed locally on several distributed nodes, resulting in faster detection without delay. Additionally, federated learning and differential privacy techniques are used to protect and share threat information securely without disclosing sensitive information about private networks. This new system combines privacy-preserving cooperation, autonomous decision-making, and effective security, and is a state-of-the-art solution for protecting today's distributed networks.
The invention discloses a federated reinforcement learning-based intrusion detection framework that leverages the distributed nature of edge nodes in SDN environments. The system architecture includes three primary components: distributed IDS agents deployed at edge nodes, a federated aggregation mechanism for global model learning, and integration with the SDN controller for automated network adaptation.
Edge nodes are equipped with intelligent IDS agents that independently monitor traffic patterns, extract features, and apply reinforcement learning to identify anomalies or malicious activities. Each agent trains locally using algorithms such as Deep Q-Networks or Actor-Critic methods. This local learning ensures that sensitive raw data remains within the edge device, preserving privacy while still enabling effective intrusion detection.
Instead of centralizing data, the invention employs a federated learning mechanism. IDS agents periodically transmit encrypted model updates to an aggregation unit, which may reside within the SDN controller or at a designated secure server. These updates are combined to form a global intrusion detection model that reflects knowledge gained across multiple nodes. The updated global model is then redistributed to the agents, ensuring collaborative learning while maintaining privacy.
The reinforcement learning aspect of the invention ensures adaptability. IDS agents do not merely classify known attack patterns but continuously update their policies in response to new and evolving threats. The multi-agent learning structure allows nodes to share strategies indirectly through the federated model, improving accuracy and reducing false positives. Hierarchical coordination between senior and junior agents further enhances system performance, with more capable nodes guiding weaker nodes in refining detection strategies.
Integration with the SDN controller enables automated responses to detected threats. When an intrusion is identified, the IDS agent communicates with the controller, which reconfigures flow rules in the network to isolate malicious traffic, block suspicious nodes, or reroute data securely. This capability transforms the IDS from a passive monitoring tool into an active, autonomous defense system capable of mitigating attacks in real time.
The system incorporates advanced privacy-preserving techniques. All model updates exchanged between nodes are encrypted, and differential privacy is applied to ensure that no sensitive information can be inferred from shared parameters. Anonymization of threat detection logs further prevents association with specific users or devices, ensuring compliance with data protection requirements.
The invention is designed to optimize both bandwidth and latency. By transmitting only model updates instead of raw data, the system drastically reduces communication overhead. The distributed architecture ensures that intrusion detection occurs locally at the edge, minimizing delays in detection and response. This edge-centric design makes the system highly scalable, supporting deployment across large networks with thousands of nodes.
The modular nature of the invention allows it to be extended beyond SDN-edge environments to IoT, cloud, and enterprise networks. Its reinforcement learning foundation ensures that it remains adaptable to emerging threats without requiring manual signature updates. The system is also explainable, as IDS agents can highlight features or patterns that contributed to a detection decision, enhancing trust in automated cybersecurity tools.
In summary, the invention presents a novel, hybridized framework combining federated learning, reinforcement learning, and SDN integration to deliver a scalable, adaptive, and privacy-preserving intrusion detection and mitigation solution.
Best Method of Working
The best method of working the invention involves deploying distributed IDS agents across multiple SDN edge nodes. Each agent continuously monitors local traffic flows and applies reinforcement learning algorithms to detect anomalies. Model updates are generated at periodic intervals and securely transmitted to an aggregation unit, which combines them into a global model using federated averaging. This aggregated model is redistributed to all agents, enhancing their learning capabilities without compromising local data privacy.
The IDS agents interact with the SDN controller, which is programmed to autonomously reconfigure the network when threats are detected. This includes isolating compromised nodes, blocking malicious flows, or rerouting traffic to safe paths. Differential privacy mechanisms and encryption ensure the confidentiality of shared parameters. This embodiment provides the most effective, efficient, and secure application of the invention in real-world SDN-edge environments.
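The aggregation step described above (federated averaging of agent updates with differential privacy) can be sketched as follows. This is an added example, not code from the specification: the function names, the equal weighting of agents, L2 clipping, and Gaussian noise are assumptions chosen as one common way to realize such a step, and transport encryption of the updates is left out.

```python
import math
import random

def l2_norm(vec):
    return math.sqrt(sum(x * x for x in vec))

def validate_update(delta, dim):
    """Accept only updates of the expected size with finite values."""
    return len(delta) == dim and all(math.isfinite(x) for x in delta)

def clip_update(delta, clip_norm):
    """Scale an update so its L2 norm never exceeds clip_norm.

    Clipping bounds how far a single agent (faulty or compromised) can
    move the global model, and fixes the sensitivity the noise is scaled to.
    """
    norm = l2_norm(delta)
    if norm <= clip_norm:
        return list(delta)
    return [x * (clip_norm / norm) for x in delta]

def federated_round(global_weights, updates, clip_norm=1.0,
                    noise_multiplier=0.0, rng=None):
    """One aggregation round over (agent_id, delta) pairs.

    Returns (new_weights, accepted_ids, rejected_ids). Agents are weighted
    equally (an assumption) so each contributes at most clip_norm to the sum.
    """
    rng = rng or random.Random()
    dim = len(global_weights)
    total = [0.0] * dim
    accepted, rejected = [], []
    for agent_id, delta in updates:
        if not validate_update(delta, dim):
            rejected.append(agent_id)  # malformed update: skip and report it
            continue
        clipped = clip_update(delta, clip_norm)
        total = [t + c for t, c in zip(total, clipped)]
        accepted.append(agent_id)
    if not accepted:
        return list(global_weights), accepted, rejected
    # Gaussian noise on the summed update, scaled to the clipping bound.
    sigma = noise_multiplier * clip_norm
    noisy = [t + rng.gauss(0.0, sigma) for t in total]
    n = len(accepted)
    new_weights = [w + s / n for w, s in zip(global_weights, noisy)]
    return new_weights, accepted, rejected

# Constructed sample updates for a 3-parameter model (illustrative only).
SAMPLE_UPDATES = [
    ("edge-a", [0.10, -0.20, 0.05]),
    ("edge-b", [0.12, -0.18, 0.07]),
    ("edge-c", [30.0, 40.0, 0.0]),          # outsized update, L2 norm 50
    ("edge-d", [float("nan"), 0.0, 0.0]),   # non-finite value
    ("edge-e", [0.1, 0.2]),                 # wrong dimension
]

if __name__ == "__main__":
    weights, ok, bad = federated_round([0.0, 0.0, 0.0], SAMPLE_UPDATES,
                                       clip_norm=1.0, noise_multiplier=0.5,
                                       rng=random.Random(7))
    print("accepted:", ok)
    print("rejected:", bad)
    print("new global weights:", [round(w, 4) for w in weights])
```

The rejected list is worth logging at the aggregation unit: an edge agent that repeatedly sends malformed or heavily clipped updates is itself a signal to investigate.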

Claims:
1. A system for intrusion detection in SDN-edge environments, comprising:
an input module at distributed edge nodes for capturing network traffic;
a preprocessing unit for extracting features from the traffic data;
intelligent IDS agents embedded within the edge nodes, the agents configured to train locally using reinforcement learning algorithms;
a federated learning module for aggregating encrypted model updates from the IDS agents to generate a global intrusion detection model;
a communication unit for securely transmitting model updates between nodes and the aggregation module;
an SDN controller integrated with the system for dynamically reconfiguring network flows in response to detected threats; and
an output interface for providing intrusion alerts and mitigation actions.
2. The system as claimed in claim 1, wherein the reinforcement learning algorithms include Deep Q-Networks, Multi-Agent Reinforcement Learning, or Actor-Critic methods.
3. The system as claimed in claim 1, wherein the federated learning module aggregates only encrypted model updates without exchanging raw traffic data.
4. The system as claimed in claim 1, wherein the IDS agents perform real-time intrusion detection locally at the edge nodes to minimize latency.
5. The system as claimed in claim 1, wherein the SDN controller autonomously reconfigures flow rules to isolate malicious traffic.
6. The system as claimed in claim 1, wherein differential privacy mechanisms and encryption protocols ensure secure sharing of model updates.
7. The system as claimed in claim 1, wherein the IDS agents operate in a hierarchical manner, with senior agents guiding junior agents for improved accuracy.
8. The system as claimed in claim 1, wherein the output interface provides explainable alerts by highlighting features influencing intrusion detection.
9. The system as claimed in claim 1, wherein the system is scalable across large SDN-edge environments with optimized bandwidth consumption.
10. A method for intrusion detection in SDN-edge environments, comprising:
capturing network traffic at distributed edge nodes;
extracting features from the traffic data;
training IDS agents locally using reinforcement learning algorithms;
transmitting encrypted model updates to a federated aggregation module;
generating a global intrusion detection model through federated averaging;
redistributing the global model to the IDS agents; and
reconfiguring network flows through an SDN controller in response to detected threats.

Documents

Application Documents

# Name Date
1 202541090166-STATEMENT OF UNDERTAKING (FORM 3) [22-09-2025(online)].pdf 2025-09-22
2 202541090166-REQUEST FOR EARLY PUBLICATION(FORM-9) [22-09-2025(online)].pdf 2025-09-22
3 202541090166-POWER OF AUTHORITY [22-09-2025(online)].pdf 2025-09-22
4 202541090166-FORM-9 [22-09-2025(online)].pdf 2025-09-22
5 202541090166-FORM FOR SMALL ENTITY(FORM-28) [22-09-2025(online)].pdf 2025-09-22
6 202541090166-FORM 1 [22-09-2025(online)].pdf 2025-09-22
7 202541090166-EVIDENCE FOR REGISTRATION UNDER SSI(FORM-28) [22-09-2025(online)].pdf 2025-09-22
8 202541090166-EVIDENCE FOR REGISTRATION UNDER SSI [22-09-2025(online)].pdf 2025-09-22
9 202541090166-EDUCATIONAL INSTITUTION(S) [22-09-2025(online)].pdf 2025-09-22
10 202541090166-DRAWINGS [22-09-2025(online)].pdf 2025-09-22
11 202541090166-DECLARATION OF INVENTORSHIP (FORM 5) [22-09-2025(online)].pdf 2025-09-22
12 202541090166-COMPLETE SPECIFICATION [22-09-2025(online)].pdf 2025-09-22