Fig 1.
An example SOC managing multiple independent entities.
Fig 2.
Label inconsistencies arising from different viewpoints.
Label inconsistencies arise when entities interpret the same alert differently due to different viewpoints or security policies.
Fig 3.
Schematic overview of federated learning in an SOC.
The process involves local training, model update, and global aggregation, highlighting (1) inconsistent labeling among different entities (ILADE) and (2) model inversion risk.
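The local-training/global-aggregation loop in Fig 3 can be sketched as one FedAvg-style round, in which the center averages entity model weights proportionally to their local sample counts. This is a minimal illustration, not the paper's implementation; the tensors, entity counts, and weighting are hypothetical.

```python
import numpy as np

def fedavg_round(local_weights, sample_counts):
    """Aggregate per-entity model weights by a sample-weighted average (FedAvg).

    local_weights: list of per-entity weight arrays (all the same shape).
    sample_counts: number of local training samples at each entity.
    """
    total = sum(sample_counts)
    agg = np.zeros_like(local_weights[0], dtype=float)
    for w, n in zip(local_weights, sample_counts):
        agg += (n / total) * np.asarray(w, dtype=float)
    return agg

# Three hypothetical entities with different data volumes.
weights = [np.array([1.0, 2.0]), np.array([3.0, 4.0]), np.array([5.0, 6.0])]
counts = [100, 100, 200]
global_w = fedavg_round(weights, counts)
print(global_w)  # [3.5 4.5]
```

Each round, entities train locally on their own alerts, send only the updated weights (not raw data), and receive the aggregated global model back; Fig 3's ILADE and model-inversion risks arise precisely because these shared updates still reflect local labels and data.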
Fig 4.
Training and testing phases of AFL.
Fig 5.
Keyed Feature Hashing (KFH) overview.
KFH obfuscates alert data with a secret key shared between the security center and its participating entities, enabling consistent encoding across organizations while preventing the index-probing enumeration that is feasible with fixed, unkeyed mappings.
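A keyed feature-hashing scheme of the kind described in Fig 5 can be sketched with an HMAC: bucket indices depend on the shared secret, so key holders produce identical encodings while outsiders cannot enumerate which token maps to which index. This is a hedged sketch under assumed parameters (HMAC-SHA256, 32-dimensional vectors, a made-up key), not the paper's exact construction.

```python
import hashlib
import hmac

def kfh_encode(tokens, key: bytes, dim: int = 32):
    """Keyed feature hashing: map alert tokens into a fixed-size vector.

    Bucket index and sign are derived from an HMAC keyed with the shared
    secret, so parties holding the key produce identical encodings, while
    outsiders cannot probe which token lands in which index, as they could
    with a fixed, unkeyed hash function.
    """
    vec = [0] * dim
    for tok in tokens:
        digest = hmac.new(key, tok.encode(), hashlib.sha256).digest()
        idx = int.from_bytes(digest[:4], "big") % dim
        sign = 1 if digest[4] % 2 == 0 else -1  # signed hashing to offset collisions
        vec[idx] += sign
    return vec

key = b"shared-secret"  # hypothetical key distributed by the security center
v1 = kfh_encode(["dst_port=445", "proto=tcp"], key)
v2 = kfh_encode(["dst_port=445", "proto=tcp"], key)
assert v1 == v2  # same key -> consistent encoding across entities
# A different key yields a different token-to-index mapping, so an attacker
# without the key cannot enumerate the feature space by hashing candidates.
```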
Fig 6.
AFL incorporating a filtering mechanism to address semantic label divergence.
Fig 7.
The process uses obfuscated vectors from the KFH encoder to identify clusters prone to semantic label inconsistency.
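One way such a filter could identify clusters prone to label inconsistency is to group the obfuscated vectors and flag any cluster whose label mix shows substantial disagreement. The sketch below assumes cluster assignments are already computed; the minority-fraction threshold and the data are illustrative, not the paper's algorithm.

```python
from collections import defaultdict

def flag_inconsistent_clusters(cluster_ids, labels, threshold=0.2):
    """Flag clusters whose label mix suggests semantic divergence.

    A cluster is flagged when its minority-label fraction exceeds
    `threshold`, i.e. entities labeled similar vectors differently.
    """
    counts = defaultdict(lambda: defaultdict(int))
    for cid, y in zip(cluster_ids, labels):
        counts[cid][y] += 1
    flagged = set()
    for cid, label_counts in counts.items():
        total = sum(label_counts.values())
        minority = total - max(label_counts.values())
        if minority / total > threshold:
            flagged.add(cid)
    return flagged

# Cluster 0 is consistently labeled; cluster 1 shows heavy disagreement.
cids = [0, 0, 0, 0, 1, 1, 1, 1]
ys = ["benign"] * 4 + ["benign", "malicious", "malicious", "benign"]
print(flag_inconsistent_clusters(cids, ys))  # {1}
```

Samples falling in flagged clusters can then be excluded or down-weighted before the next training round, which matches the filtering role Fig 6 assigns to this component.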
Table 1.
Dataset statistics.
Fig 8.
Comparison of representative FL optimizers.
The figure compares FedAvg, FedProx, FedAdam, and FedELC based on macro-averaged precision, recall, and F1-scores across 14 entities. FedAvg, FedProx, and FedAdam show similar performance, while FedELC is slightly lower. Given their comparable results, FedAvg was chosen as the baseline for its simplicity and stability.
Table 2.
Hyperparameter settings for AFL and FedAvg experiments.
Fig 9.
Comparison of LOCAL and FL models.
The figure evaluates performance on local (left) and global (right) test datasets. Each bar indicates the mean F1-score over three runs. (A) LOCAL models generalize poorly across entities. (B) The FL model generalizes better overall but shows a sharp drop in Entity 10 due to semantic label divergence (ILADE).
Fig 10.
t-SNE visualization of latent representations.
Benign (blue) and malicious (red) flows from Entity 10 are clustered in the same region as malicious flows (orange) from other entities, illustrating semantic label divergence (ILADE).
Fig 11.
Results obtained under one setting of the two sweep hyperparameters. (A) Per-entity F1-scores (mean ± standard deviation over three runs) on local test sets. AFL shows comparable or higher performance than FL for several entities, while maintaining stable results under ILADE conditions. (B) Per-entity coverage (mean over three runs) on local test sets. AFL maintains consistently high coverage across institutions.
Fig 12.
Results obtained under one setting of the two sweep hyperparameters. (A) Per-entity F1-scores (mean ± standard deviation over three runs) on the global test set. AFL maintains higher or comparable global performance than FL and LOCAL across entities, demonstrating stable global generalization. (B) Per-entity coverage (mean over three runs) on the global test set. AFL sustains near-complete coverage.
Table 3.
Performance summary across different settings of the two sweep hyperparameters.
Values are reported as mean ± standard deviation over three runs.