FedChain-Hunter: A reliable and privacy-preserving aggregation for federated threat hunting framework in SDN-based IIoT

In the development of the Industrial Internet of Things (IIoT), cyber threats and attacks have become major issues and concerns in Industry 4.0 due to the negative impacts on the infrastructures and services across organizations. Nevertheless, due to the issues in preserving privacy and transparency, there is a lack of threat intelligence sharing among parties, leading to the low performance in uncovering malicious actors. In fact, the method of gathering and exploiting such data has been getting more crucial in a trend of machine learning (ML) adoption in cybersecurity. In this scenario, Federated Learning (FL) can assume a significant role in constructing an ML-based threat hunting solution for IIoT networks. This can be achieved by harnessing data resources from diverse parties, utilizing a local training strategy that eliminates the need for centralized data collection. Hence, this paper proposes FedChain-Hunter, a blockchain and FL-based threat-hunting framework to mutually seek cyber threats while ensuring data privacy and the transparency in the contribution of data owners. Specifically, Software Defined Networking (SDN) with programmable and flexible security orchestration is used to easily monitor and gather appropriate security events in the IIoT network. In addition, the Fully Homomorphic Encryption (HE) and Differential Privacy (DP) are integrated into the FL scheme to provide strong security and privacy-preserving aggregation for each ML model update. Also, the blockchain adoption offers the transparency, auditability for collaboration and contribution management through a decentralized platform. The experimental results on 5 datasets indicate that FedChain-Hunter can achieve high performance for cyber threat detection with security, reliability, and privacy guarantee.