Design of a Hierarchical Federated Generative
Learning-Based Smart Home System for
Real-Time Network Monitoring and Intrusion
Detection
Paulo Drefahl1 , Kevin Kostage1 , Sean Peppers1 , Wenbin Guo2 , Luca Mazzola3 ,
and Chengyi Qu2
1
Florida Gulf Coast University, FL, USA {pdrefahl,kkostage,speppers}@fgcu.edu
2
University of Florida, FL, USA {wguo,mqu}@ufl.edu
3
Lucerne University of Applied Sciences and Arts, Lucerne, Switzerland
luca.mazzola@hslu.ch
Abstract. As home networks expand with the rise of IoT devices, they
become increasingly vulnerable to advanced cyber threats. Conventional,
cloud-centric intrusion detection systems (IDS) can introduce both latency in threat detection and privacy concerns when transmitting raw
network data offsite. This paper presents a hierarchical federated generative learning framework deployed across a local server deployed by the
main application, user routers, and edge servers to provide near realtime network monitoring and distributed analysis of malicious traffic.
By leveraging OpenWRT-based router firmware, we use tcpdump and
Wireshark to capture packet-level data, transmitted securely to the local
server via the Paramiko library requests (SSH). A custom desktop application built using web technologies and portable through Electron.js,
allows homeowners to configure the router, visualize alerts, and orchestrate settings without technical complexity. Our approach utilizes a federated deep learning pipeline, combined with a Generative Adversarial
Network (GAN), to detect threats and share model updates (rather than
raw data) with edge nodes for collaborative learning. The GAN model
also simulates attacks to improve its own efficacy and reliability. Experimental results highlight improvements in intrusion detection accuracy
and reduced latency while preserving user privacy. This design shows
the potential of robust, privacy-preserving IDS solutions for the modern
smart home environment.
Keywords: Cybersecurity · Intrusion Detection · Federated Learning ·
Generative Adversarial Networks · IoT · Cloud Computing · Networks
1
Introduction
1.1
Motivation and Problem Statement
Smart homes now encompass a wide range of IoT devices such as cameras,
smart speakers, and wearables, each introducing its own operational considerations. Conventional, cloud-centric intrusion detection approaches often introduce
2
P. Drefahl et al.
unnecessary latency and possible privacy risks when transferring raw network
data offsite for analysis. Likewise, many existing IDS solutions are designed
for enterprise-scale deployments and are not easily adaptable to home environments. On the other hand, traditional antivirus solutions primarily target hostlevel threats, offering only limited network visibility and frequently relying on
signature-based detection. These factors underscore the need for a more efficient,
privacy-conscious, and home-focused solution that can effectively monitor traffic
without overburdening consumer hardware.
1.2
Hierarchical Federated Generative Learning-Based System
To address these challenges, we propose a Hierarchical Federated Generative
Learning-Based Smart Home System that operates in real time and preserves
user privacy. Our framework comprises:
1. Local Traffic Manager Server, which retrieves and filters network traffic
from the router via a secure SSH channel (Paramiko).
2. Custom OpenWRT Firmware that enables packet capture (tcpdump,
Wireshark) at the router level for on-device data collection.
3. Edge Servers (Federated Learning Nodes) that aggregate model updates, rather than raw data, from multiple local servers to detect malicious
traffic accurately and swiftly.
4. Intrusion Detection Application, an Electron.js desktop app that offers
a user-friendly interface for managing router settings and monitoring alerts.
By leveraging federated learning, raw data remain on the local network, while
only essential or anonymized information is shared with remote nodes. This
design reduces detection latency and enhances data security, making advanced
threat detection more accessible to residential users.
1.3
GAN-Driven Threat Synthesis
A Generative Adversarial Network (GAN) is integrated at the edge server level to
synthesize realistic attack patterns from both known malicious traffic and newly
encountered anomalies. The generator component produces synthetic intrusions
resembling genuine hostile activities, compelling the discriminator to refine its
detection criteria and adapt to ever-evolving threats. By continuously learning
Federated Generative Learning-Based Smart Home System
3
from newly observed attacks, the GAN-driven module supports robust identification of stealthy or zero-day exploits. Notably, these synthesized insights are
shared through federated model updates, ensuring all participating nodes benefit
from one another’s discoveries without exposing raw user data.
2
System Architecture
Figure 2 provides an overview of the proposed hierarchical system. Raw traffic
is captured at the user’s OpenWRT-flashed router and retrieved over an SSH
channel by a local server, which performs initial processing. Summaries or feature
sets are then forwarded to edge servers for federated training and inference, while
a user-friendly Electron.js desktop application presents alerts and configuration
options.
Fig. 1: Overall Architecture. The user’s router (OpenWRT) captures PCAP files.
A local server secures and processes traffic via Paramiko-based SSH, passing
summarized/anonymized data to edge servers for federated model training and
inference. The Electron.js desktop app offers a user interface for setup, alerts,
and visualization.
2.1
OpenWRT-Enabled Router Layer
By flashing OpenWRT onto a compatible router, administrators can install tools
such as tcpdump and iptables-extra for packet capture and network monitoring. Key-based SSH authentication (handled through Paramiko on the local
server) streamlines the retrieval of packet captures and configuration updates,
ensuring secure and automated data collection. The raw PCAP files generated
by tcpdump or Wireshark reside locally on the router, minimizing exposure until
necessary for further analysis.
4
P. Drefahl et al.
2.2
Local Server and Electron.js Application
The local server, which runs Python scripts to connect via Paramiko, orchestrates packet capture sessions and fetches PCAP data for preliminary filtering
and basic anomaly checks. This step reduces the volume of traffic that needs
to be transferred to the next layer. The local server also hosts an Electron.js
desktop application, providing users with a clear, intuitive interface. From this
desktop app, homeowners can manage router settings, view live or historical
alerts, and configure default mitigation actions (e.g., blocking traffic from suspicious sources). By offloading intensive tasks to the local server, the router
remains responsive, and crucial data stay within the home network.
2.3
Edge Servers with Federated Learning
Aggregated traffic summaries or extracted features are securely sent to edge
servers, each operating as a federated learning node. These servers update model
parameters based on partial data contributions from multiple households while
keeping raw user traffic private. Inferences are performed in near real-time through
an API that either returns detection results to the local server or coordinates updates among edge nodes. A Generative Adversarial Network (GAN) within this
federated framework synthesizes malicious traffic samples to challenge the detection model, leading to more robust classification of both known and emerging
threats. Periodic parameter averaging strategies, such as FedAvg [4], converge
local updates into a globally improved model.
2.4
Workflow Overview
– Capture and Storage: The router continuously gathers traffic data with
tcpdump or Wireshark, storing raw PCAP files locally under OpenWRT.
– Retrieval and Filtering: The local server connects via Paramiko to fetch
PCAP files. It filters out known benign flows (e.g., whitelisted IPs) or common services before extracting relevant features.
– Federated Analysis: Filtered features are securely transmitted to edge
servers, which run a federated learning framework. Each node updates the
detection model with local contributions, preserving raw-data privacy.
– GAN-Enhanced Training: A Generative Adversarial Network (GAN)
synthesizes malicious traffic patterns to continuously challenge and refine
the classifier, strengthening detection of emerging or stealthy threats.
– Model Updates and Alerts: Detection outcomes and updated model parameters are relayed back to the local server. Users receive near real-time
alerts via the Electron.js interface, enabling timely interventions.
3
System Design
3.1
Navigation and Menu (Label 1)
The top navigation bar provides quick access to essential features. Users can
switch between views such as “IoT Devices,” “Network Status,” and “More Op-
Federated Generative Learning-Based Smart Home System
5
Fig. 2: The figure shows the main interface of our Electron.js application, divided
into several panels that provide users with clear, real-time insights into network
activity, device health, and firewall configurations. Each highlighted section is
described below.
tions,” while notifications and an “Exit” button remain easily accessible. This
design ensures that common actions are never more than a single click away.
3.2
Network & Device Security (Label 2)
Located prominently near the top of the dashboard, this panel gives an at-aglance summary of the home network’s current security state. It displays an
overall status indicator (e.g., “Secure” or “At Risk”), along with the number of
detected threats. By surfacing critical information immediately, homeowners are
empowered to act quickly if malicious activity is identified.
3.3
Network Traffic (Label 3)
This section offers a tabbed view of network traffic details, including a Traffic Table, Network Usage, and historical logs. Typical entries list source and destination
IP addresses, protocols (e.g., TCP, UDP, ICMP), packet sizes, and timestamps.
Users can filter traffic by protocol or IP range to investigate potential anomalies
or suspicious connections.
3.4
Bandwidth Usage (Label 4)
Displayed in a compact table, this view shows both inbound (received) and
outbound (transmitted) data volumes for each network interface (e.g., eth0,
br-lan). Real-time bandwidth metrics help diagnose performance bottlenecks,
identify high-traffic devices, and flag unusual surges that could signify malicious
activity (e.g., DDoS attacks).
6
3.5
P. Drefahl et al.
System Console (Label 5)
The console provides raw diagnostic messages, system logs, and kernel notices
originating from the OpenWRT router. Useful for advanced troubleshooting, it
enables technically inclined users (or automated scripts) to assess router performance, inspect syslog outputs, and validate that key services are running as
expected.
3.6
IP Leases and Device Information (Label 6)
This section lists the active DHCP leases, including the lease duration, corresponding MAC addresses, IP addresses, and (if available) device hostnames.
By consolidating this information, users can quickly identify new or unknown
devices on the network and apply customized security policies.
Fig. 3: The highlighted Firewall Rules section (Label 7 ) in the interface, showing the user-editable configuration file (/etc/config/firewall), along with
router Uptime and Load metrics and low-level Network Configuration
details. Administrators can modify default firewall policies, view real-time performance data, and inspect interface-level parameters (e.g., IP addresses, error
counts, and packet statistics).
3.7
Firewall Rules (Label 7)
A dedicated pane for viewing and editing firewall configurations directly reflects
the underlying OpenWRT /etc/config/firewall file. Administrators can confirm default policies (e.g., ACCEPT or REJECT) and manage custom zones or
traffic rules. Adjustments made here are immediately propagated to the router,
enabling rapid responses to detected threats and fine-grained control over network traffic flows.
Federated Generative Learning-Based Smart Home System
4
7
Methodology: Federated Generative Learning
Approach
KEVIN’S PART -DUMMY CONTENT
4.1
Federated Learning Workflow
In traditional machine learning, data from different clients is aggregated in a
central location to train a model. By contrast, federated learning ensures data
stays local and only model updates are shared. Our workflow (Fig. 4) includes:
1. Feature Extraction: Local servers parse PCAP flows, anonymize IP/port
details if necessary, and convert data into feature vectors (e.g., packet length,
flow duration).
2. Edge Training: Each edge server trains on aggregated local feature updates
from multiple homes, without accessing raw PCAP.
3. Global Model Updates: Periodically, edge nodes share updated weights
with a federated coordinator (optional), which merges them and distributes
the new global model.
4. Local Inference: The updated model is pushed back to the local server for
on-premises or near-edge intrusion detection.
4.2
Generative Adversarial Network (GAN) Integration
GANs consist of two models: a generator G and a discriminator D. We adopt
an approach where:
– Generator (G): Synthesizes malicious traffic patterns resembling real attack flows (e.g., stealth scanning, ARP spoofing).
– Discriminator (D): Learns to differentiate legitimate vs. malicious traffic,
including the synthetic flows from G.
This adversarial setup boosts detection capabilities, as D is consistently
challenged by new synthetic examples. Over time, D becomes more robust to
attacks not present in the initial dataset.
4.3
Intrusion Detection and Alert Generation
1. Scoring New Traffic: Each new network flow is passed to D, producing a
maliciousness probability.
2. Thresholding: If suspicious scores exceed a certain threshold, the local
server flags the session.
3. User Notification: Via the Electron.js interface, the user receives an alert
(e.g., possible DDoS attempt from IP x.x.x.x).
4. Router Mitigation: The user (or automated script) may apply firewall
rules, dropping or throttling suspicious connections directly at the router.
8
P. Drefahl et al.
federated_workflow.png
Fig. 4: Federated Learning Workflow. Traffic data stays local, while model
weights/updates flow between the coordinator and edge nodes.
5
Implementation and Experimentation
KEVIN’S PART -DUMMY CONTENT
5.1
Implementation Details
OpenWRT + Paramiko Setup. We install tcpdump on an OpenWRT-flashed
router (TP-Link Archer series). A Python daemon on the local server uses
Paramiko to:
– exec_command("tcpdump ..."): Start/stop packet capture remotely.
– sftp.get(...): Securely copy PCAP files to the local server.
Electron.js Desktop Application. We create a cross-platform desktop UI
using Electron.js. Key features:
– Router Configuration Panel: IP, SSH credentials, capturing intervals,
filter strings for tcpdump.
– Attack Dashboard: Real-time feed of flagged traffic, with charts/visualizations (port usage, top talkers).
– Actions/Controls: Firewall rule updates, auto-block suspicious IP addresses,
alert notifications.
Federated Generative Learning-Based Smart Home System
9
Edge Server & Federated Nodes. Edge servers run a Dockerized environment
with PyTorch or TensorFlow for the GAN-based intrusion detection. Communication with local servers is done through secure REST or gRPC endpoints.
5.2
Dataset and Testbed Setup
We evaluate the system on:
– Real IoT Traffic Dataset: A curated set of labeled normal and malicious
IoT traffic traces (port scans, DDoS attempts).
– Local + Edge Testbed: The local server runs on a small Intel NUC (8GB
RAM), with edge nodes on two AWS virtual machines (4 vCPUs, 8GB each).
5.3
Metrics
1. Accuracy & F1-Score: For malicious vs. legitimate flow classification.
2. Latency: Time from packet capture to user alert.
3. Privacy Overhead: Volume of data sent out of the home network (compared to a cloud-based approach).
5.4
Results
Detection Performance. Table 1 shows classification metrics for multiple attacks. Our GAN-augmented classifier surpasses a baseline CNN-based intrusion
detection by ∼ 5% in F1 across stealth scans and zero-day variants.
Table 1: Intrusion Detection Results
Attack Type
Port Scanning
ARP Spoofing
DDoS (SYN Flood)
Zero-day (simulated)
Precision Recall F1 Score
0.96
0.93
0.98
0.90
0.94
0.92
0.95
0.87
0.95
0.92
0.96
0.88
Latency & Privacy Gains. Compared to a fully cloud-based solution (which
requires uploading all PCAP data), we observe:
– Latency Reduced by 40%: Offloading only essential feature data or local
model updates.
– Data Volume Reduced by 65%: Only summarized features or parameter
gradients are shared.
These reductions preserve user privacy while accelerating detection.
Usability Feedback. A small user study (n=10) found the Electron.js GUI
intuitive, enabling them to quickly manage router captures and interpret alerts.
Most participants expressed confidence in the minimal overhead for network data
sharing.
10
6
P. Drefahl et al.
Discussion and Future Work
SEAN’S PART -DUMMY CONTENT Our experiments validate the efficacy
of a federated, generative approach in detecting advanced threats in real time,
making it suitable for resource-limited home networks. The hierarchical design
extends to potential commercial ISP-grade edge infrastructures. As IoT adoption
grows, so does the potential for broader collaboration between devices.
Potential limitations:
– Edge Resource Constraints: Not all ISPs may invest in robust edge
servers for ML tasks.
– OpenWRT Compatibility: Some router models lack the hardware resources or do not support full OpenWRT.
– GAN Stability: Training instability or mode collapse can occasionally hamper the synthetic data generation process.
Future directions include:
1. Lightweight Model Compression: Pruning or quantization for on-router
inference.
2. Adaptive Thresholding: Dynamically adjusting maliciousness thresholds
based on real-time traffic patterns.
3. Integrated Remediation: Automated or semi-automated firewall reconfiguration once an attack is detected.
7
Conclusion
We presented a Hierarchical Federated Generative Learning-Based Smart
Home System for real-time intrusion detection at the router level. By leveraging tcpdump-based local captures on OpenWRT, a Paramiko-driven local server
for data preprocessing, and GAN-augmented federated deep learning at the edge,
our approach significantly reduces detection latency while preserving user privacy. Additionally, an Electron.js desktop application offers an intuitive interface,
empowering non-expert users to manage router settings, view alerts, and quickly
mitigate suspicious activity. Experimental results highlight gains in detection accuracy, latency reduction, and data privacy, underscoring the system’s potential
to secure next-generation home networks against evolving threats.
Acknowledgments. This research was supported in part by the Florida Gulf
Coast University (FGCU) Engineering & Cybersecurity Research Lab. We thank
our collaborators at the University of Florida and Lucerne University of Applied
Sciences and Arts for invaluable feedback.
Competing Interests. The authors have no competing interests to declare
that are relevant to the content of this article.
Federated Generative Learning-Based Smart Home System
11
References
1. Lin, J., Yu, W., Zhang, N., Yang, X., Zhang, H., Zhao, W.: A survey on internet of
things: Architecture, enabling technologies, security and privacy, and applications.
IEEE Internet of Things Journal, 4(5), 1125–1142 (2017)
2. Chen, X., Pu, L., Gao, L., Wu, W., Wu, D.: Exploiting massive D2D collaboration
for energy-efficient mobile edge computing. IEEE Wireless Communications, 24(4),
64–71 (2017)
3. Roesch, M.: Snort: Lightweight intrusion detection for networks. In: Proc. 13th Systems Administration Conference (LISA), pp. 229–238. USENIX (1999)
4. McMahan, H.B., Moore, E., Ramage, D., Hampson, S., Arcas, B.A.:
Communication-efficient learning of deep networks from decentralized data. In: Proc.
20th International Conference on Artificial Intelligence and Statistics (AISTATS),
pp. 1273–1282 (2017)
5. Brisimi, T.S., Chen, R., Mela, T., Vlachos, A., Saligrama, V.: Federated learning of
predictive models from federated electronic health records. International Journal of
Medical Informatics, 112, 59–67 (2018)
6. Wang, W., Debbabi, M., Wang, L.: GAN-based intrusion detection system for advanced persistent threat detection. Computers & Security, 95, 101873 (2020)