FL-TFlow: Benign-Only Federated LoRA Tuning of SLMs for Edge Ransomware Detection
Abstract
Ransomware is a major problem for edge computing environments because traditional centralized detection methods do not work as well when resources are limited and privacy is a concern. Federated Learning (FL) addresses privacy concerns by enabling participants to train models collaboratively without sharing raw data. Small Language Models (SLMs) are good for devices with limited resources because they are easy to use. In this paper, we introduce FL-TFlow, a benign-only detection framework based on textual representations of network flows that uses Low-Rank Adaptation (LoRA) to fine-tune SLMs in a federated setting. Because the model is trained exclusively on benign traffic, it detects attacks through degradation in token-prediction scores derived from the SLM output, eliminating the need for labeled attack data. Our evaluation results show that FL-TFlow achieves a flow-level F1-score of 0.9379 in the benign-only scenario. In addition, FL-TFlow reduces the false positive rate (FPR) by approximately 0.01% compared to the baseline schemes, i.e., it raises fewer false alarms.
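The benign-only scoring idea from the abstract, as an added example that is not code from the paper: a smoothed bigram token model stands in for the LoRA-tuned SLM, and the federated training step is not shown. The flow field names, the bucketing, the threshold rule and the sample flows are all assumptions made for illustration.

```python
import math
from collections import Counter

def flow_to_tokens(flow):
    """Textual form of a flow; field names and buckets are assumptions."""
    size = "small" if flow["bytes"] < 10_000 else "large"
    rate = "slow" if flow["pkts_per_s"] < 100 else "fast"
    return ["<s>", f"proto={flow['proto']}", f"dport={flow['dport']}",
            f"size={size}", f"rate={rate}"]

class BigramScorer:
    """Stand-in for the tuned SLM: add-one smoothed bigram token model."""
    def fit(self, seqs):
        self.pairs, self.ctx, vocab = Counter(), Counter(), set()
        for seq in seqs:
            vocab.update(seq)
            for prev, cur in zip(seq, seq[1:]):
                self.pairs[(prev, cur)] += 1
                self.ctx[prev] += 1
        self.v = len(vocab) + 1  # one extra slot for unseen tokens
        return self

    def score(self, seq):
        """Mean log-probability of each token given its predecessor."""
        lp = [math.log((self.pairs[(p, c)] + 1) / (self.ctx[p] + self.v))
              for p, c in zip(seq, seq[1:])]
        return sum(lp) / len(lp)

def calibrate(scorer, benign_seqs, margin=0.25):
    """Assumed rule: lowest benign score minus a safety margin."""
    return min(scorer.score(s) for s in benign_seqs) - margin

def is_anomalous(scorer, threshold, flow):
    return scorer.score(flow_to_tokens(flow)) < threshold

# Constructed sample flows (not data from the paper).
BENIGN = [
    {"proto": "tcp", "dport": 443, "bytes": 4000, "pkts_per_s": 20},
    {"proto": "udp", "dport": 53, "bytes": 200, "pkts_per_s": 5},
    {"proto": "tcp", "dport": 443, "bytes": 50000, "pkts_per_s": 80},
    {"proto": "tcp", "dport": 80, "bytes": 3000, "pkts_per_s": 30},
]
OUT_OF_PROFILE = {"proto": "tcp", "dport": 445, "bytes": 900000, "pkts_per_s": 900}

BENIGN_SEQS = [flow_to_tokens(f) for f in BENIGN]
SCORER = BigramScorer().fit(BENIGN_SEQS)
THRESHOLD = calibrate(SCORER, BENIGN_SEQS)

if __name__ == "__main__":
    for f in BENIGN + [OUT_OF_PROFILE]:
        print(f, round(SCORER.score(flow_to_tokens(f)), 3), is_anomalous(SCORER, THRESHOLD, f))
```

Calibrating the threshold on the same benign flows used for fitting keeps the example short; a held-out benign set gives a more honest estimate of the false positive rate.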
