A Federated framework for unsupervised intrusion detection on the Modbus protocol in cyber-physical systems

Document Type : Research Article

Authors

1 Information Systems and Security Lab (ISSL), Department of Electrical Engineering, Sharif University of Technology, Tehran, Iran

2 Electronics Research Institute, Sharif University of Technology, Tehran, Iran

DOI: 10.22042/isecure.2026.242101
Abstract
The increasing integration of modern network infrastructure into industrial control systems elevates the need for robust cyber intrusion detection for industrial protocols. Unsupervised anomaly detection is particularly effective for this task, as it identifies novel attacks by modeling normal behaviour rather than relying on limited attack data. While techniques like autoencoders, which use reconstruction error to flag deviations, can be effective, their application is often hindered by practical challenges, such as regulatory constraints and the large volumes of data that prohibit the centralised collection required for training. Federated learning offers a solution by distributing the training process to local clients and aggregating only the resulting model parameters, thus preserving data privacy and locality. This paper proposes an anomaly-based intrusion detection framework built on federated learning. Using the CIC-Modbus2023 dataset, which comprises raw Modbus traffic from a smart grid, we systematically extract and label network flows based on attack logs. We then train and evaluate several autoencoder variants—including standard, variational, and adversarial autoencoders—within this federated setting. Our results demonstrate strong performance in detecting malicious behaviour, highlighting the framework’s potential as a promising approach for mitigating threats against the Modbus protocol without centralised data access. The code is available at https://github.com/hamid-rd/FLBased-ICS-NIDS. 


Articles in Press, Accepted Manuscript
Available Online from 26 March 2026