Reducing Intrusion Detection’s Impact through Adaptive and Knowledge-Preserving Strategies
MAGNANI, SIMONE
2024-09-23
Abstract
The exponential growth of cloud computing paradigms, edge, and Internet of Things devices has created extensive and dynamic computing environments spanning from the core network to the edge, raising concerns about network perimeter definition. Adopting security measures where each device and service is authenticated and authorized is reasonable, but this approach does not guarantee complete security, as compromised devices could interact maliciously with others without being detected by Intrusion Detection Systems (IDSs). A possible solution involves deploying an in-place instance of the IDS on each device, serving as a proactive defense and alarm mechanism. In this context, Machine Learning (ML) detection models offer high automation and detection capability due to their advanced learning of intrinsic data patterns. Moreover, aggregating observations from multiple organizations, such as within a consortium using Federated Learning (FL), can extend the effectiveness of these models beyond the mere local data of each organization. However, the extensive requirements and the resulting complex architecture to accommodate all traffic profiles pose challenges in peripheral devices due to limited resource availability and data access. This thesis explores the challenges of adapting IDSs for resource-constrained devices, proposing a framework that integrates all the tasks involved in the detection process into a cohesive pipeline. It leverages and extends feature selection, model pruning, and fine-tuning techniques to derive lighter IDS setups. Moreover, the framework adopts a novel evaluation mechanism that simulates the entire monitoring-detection-mitigation process, providing a holistic assessment of the system’s performance and enabling better-informed security countermeasures for infrastructure administrators. 
The framework is evaluated across many deployment scenarios, simulating the transition from the core infrastructure to edge computing, proving its ability to adapt the IDSs to lighter setups while preserving high accuracy on local data and retaining historical knowledge acquired during FL rounds. The identified solutions enable improving the overall performance by minimizing the impact of the entire IDS. Furthermore, this thesis highlights the limitation of evaluating the performance of the mere detection process, which may not accurately reflect the overall effectiveness of the IDS against ongoing attacks despite the high accuracy of the model.

File | Type | Access | Size | Format
---|---|---|---|---
phdunige_5095256.pdf | Doctoral thesis | Open access | 2.44 MB | Adobe PDF
Documents in IRIS are protected by copyright and all rights are reserved, unless otherwise indicated.