CO-DEFEND: Continuous Decentralized Federated Learning for Secure DoH-Based Threat Detection

arXiv:2504.01882v2 (revised version). Abstract: The use of DNS over HTTPS (DoH) tunneling by an attacker to hide malicious activity within encrypted DNS traffic poses a serious threat to network security, as it allows malicious actors to bypass traditional monitoring and intrusion detection systems while evading detection by conventional traffic analysis techniques. ML techniques can be used to detect DoH tunnels; however, their effectiveness relies on large datasets containing both benign and malicious traffic. Sharing such datasets across entities is challenging due to privacy concerns.
Because DoH encrypts the DNS query itself, inspection-based monitoring loses visibility, and detection has to be learned from traffic features such as packet sizes and timing. The labelled traffic needed to learn those features is spread across organizations that cannot pool it, which is what motivates a decentralized approach over a single central model.
The paper addresses this blind spot: a way to train DoH-tunnel detectors across organizations whose privacy constraints rule out centralized analysis.
In continuous decentralized federated learning, each participant trains on its own traffic and exchanges only model parameters with peers, so organizations improve a shared detector without handing over raw traffic. This reduces rather than eliminates exposure: model updates can still leak information about the training data, so deployments typically add protections such as differential privacy or secure aggregation.
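The following is an added illustration of the idea the abstract relies on; it is not the CO-DEFEND authors' code and does not reproduce their continuous-learning scheme. Four organizations each hold DoH flow records that never leave them, train a small logistic-regression tunnel detector locally, and exchange only weight vectors with ring neighbours, which they average without any central server. The flow records, feature names, scaling constants, the ring topology and the organizations' data mixes are all constructed for the example; the point it makes is that an organization that has never seen a tunnel still ends up with a working detector.

```python
"""Toy decentralized federated learning for a DoH-tunnel classifier.

Added illustration for this summary, not the CO-DEFEND authors' code.
Each organization trains on flow records it owns; only model weights
travel between peers, which average them gossip-style (no server).
All data, feature scales and topology below are constructed.
"""
import math
import random

# Per-flow features (constructed names; packet-length and timing
# statistics of this kind are what DoH tunnel detectors typically use).
FEATURES = ("mean_pkt_len", "req_per_sec", "mean_iat_ms", "bytes_out_ratio")
# Fixed scaling so each feature lands roughly in [0, 1] for plain SGD.
SCALES = (1000.0, 30.0, 1000.0, 1.0)


def make_flows(rng, n, tunnel_frac):
    """Constructed labelled flows for one organization (1 = tunnel, 0 = benign).

    Assumption baked into the toy data: tunnels send larger, more frequent,
    more upstream-heavy requests with shorter inter-arrival times.
    """
    flows = []
    for _ in range(n):
        if rng.random() < tunnel_frac:
            raw, y = (rng.gauss(900, 120), rng.gauss(25, 6),
                      rng.gauss(40, 10), rng.gauss(0.7, 0.08)), 1
        else:
            raw, y = (rng.gauss(350, 100), rng.gauss(3, 1.5),
                      rng.gauss(600, 200), rng.gauss(0.3, 0.08)), 0
        x = [max(v, 0.0) / s for v, s in zip(raw, SCALES)]
        flows.append((x, y))
    return flows


def predict_proba(w, x):
    """Logistic regression: w[0] is the bias, w[1:] the feature weights."""
    z = w[0] + sum(wi * xi for wi, xi in zip(w[1:], x))
    return 1.0 / (1.0 + math.exp(-z))


def local_sgd(w, flows, lr=0.1, epochs=5):
    """One organization's local update; it touches only flows it owns."""
    w = list(w)
    for _ in range(epochs):
        for x, y in flows:
            g = predict_proba(w, x) - y
            w[0] -= lr * g
            for j, xj in enumerate(x):
                w[j + 1] -= lr * g * xj
    return w


def gossip_average(models, neighbours):
    """Decentralized step: node i averages its weights with its neighbours'.

    Nothing but weight vectors crosses an organizational boundary here.
    """
    out = []
    for i, w in enumerate(models):
        group = [w] + [models[j] for j in neighbours[i]]
        out.append([sum(m[k] for m in group) / len(group) for k in range(len(w))])
    return out


def accuracy(w, flows):
    hits = sum((predict_proba(w, x) >= 0.5) == bool(y) for x, y in flows)
    return hits / len(flows)


def run_federated(seed=7, rounds=10):
    """Four organizations on a ring; org 0 has never observed a tunnel."""
    rng = random.Random(seed)
    # (records held, fraction that are tunnels) per organization, constructed.
    holdings = [(200, 0.0), (150, 0.3), (250, 0.1), (120, 0.5)]
    data = [make_flows(rng, n, f) for n, f in holdings]
    test = make_flows(rng, 400, 0.5)  # balanced held-out set
    ring = {0: (1, 3), 1: (0, 2), 2: (1, 3), 3: (2, 0)}
    dim = len(FEATURES) + 1

    # Baseline: org 0 trains alone on its benign-only records.
    solo = local_sgd([0.0] * dim, data[0], epochs=5 * rounds)

    models = [[0.0] * dim for _ in data]
    for _ in range(rounds):
        models = [local_sgd(w, d) for w, d in zip(models, data)]
        models = gossip_average(models, ring)

    accs = [accuracy(w, test) for w in models]
    spread = max(abs(a - b) for m in models for a, b in zip(models[0], m))
    return {"solo_org0_acc": accuracy(solo, test),
            "federated_min_acc": min(accs),
            "weight_spread": spread}


if __name__ == "__main__":
    print(run_federated())
```

Run as a script to see the three numbers: org 0 alone cannot do better than chance on a balanced test set, while every node's federated model classifies the held-out tunnels correctly, and the weight spread shows how close the peers are to consensus without any of them having seen the others' flows. In a real deployment the weight vectors themselves are the remaining leakage surface (membership inference and gradient inversion target exactly this exchange), so they would be protected with differential-privacy noise or secure aggregation rather than sent in the clear as here.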
- Cybersecurity providers
- Organizations with sensitive data
- Users of DoH services
- Cybercriminals
- Centralized security solution providers (if slow to adapt)
- Traditional intrusion detection systems
Improved detection of obfuscated malicious activities using DoH tunnels.
Increased adoption of federated learning for other sensitive data analysis tasks due to demonstrated success in cybersecurity.
A potential reduction in the usefulness of DoH tunneling as a covert channel, including for espionage actors who rely on it for command-and-control or exfiltration, which would push them toward other encrypted transports.
This signal links to a primary source. Continuum Brief monitors and indexes it as part of the live intelligence stream — we do not republish source content.
Read at arXiv cs.LG