Design of A Hierarchical Federated Generative
Learning Based Smart Home System
Paulo Drefahl1 , Kevin Kostage1 , Sean Peppers1 ,
Wenbin Guo2 , Luca Mazzola3 , and Chengyi Qu1[0000−0002−7936−4813]
1
Florida Gulf Coast University, FL, USA
{pdrefahl,kkostage,speppers,cqu}@fgcu.edu
2
University of Florida, FL, USA wenbin.guo@ufl.edu
3
Lucerne University of Applied Sciences and Arts, Lucerne, Switzerland
luca.mazzola@hslu.ch
Abstract. The proliferation of Internet of Things (IoT) devices in smart
home environments has significantly expanded the attack surface, making
home networks increasingly susceptible to sophisticated cyber threats.
Traditional cloud-based intrusion detection systems (IDS) often suffer
from high latency and performance bottlenecks, limiting their effectiveness in real-time threat mitigation. This paper introduces a Hierarchical Federated Generative Learning (HFGL) framework for decentralized
intrusion detection, leveraging a multi-tiered architecture composed of
user routers, a local server, and edge nodes to facilitate real-time network monitoring and distributed anomaly detection. The system integrates OpenWRT-based router firmware with packet-level data capture,
securely transmitting network traffic metadata to a local server via SSHbased Paramiko requests. A custom Electron.js-based desktop application provides an intuitive interface for homeowners, enabling seamless
router configuration, real-time alert visualization, and security policy orchestration. At its core, our approach employs a federated deep learning
pipeline augmented with Generative Adversarial Networks (GANs) to enhance intrusion detection capabilities while preserving data privacy. The
GAN model not only identifies emerging threats but also generates adversarial attack simulations to improve model robustness. Experimental
evaluations demonstrate significant improvements in detection accuracy
and latency reduction compared to conventional IDS approaches, underscoring the potential of privacy-preserving, edge-driven cybersecurity
solutions for modern smart home ecosystems.
Keywords: Cybersecurity · Intrusion Detection System · Federated Learning · Generative Adversarial Networks · IoT
1
Introduction
The rapid proliferation of Internet of Things (IoT) devices has significantly expanded the attack surface of modern home networks. From smart thermostats
2
P. Drefahl et al.
and security cameras to connected lighting and appliances, these devices continuously exchange data over home networks, often relying on low-cost, resourceconstrained embedded systems with limited security features [10]. As IoT adoption grows, so does the risk of cyber threats, with attackers exploiting vulnerabilities in home routers, insecure device configurations, and weak authentication mechanisms. Traditional cloud-based intrusion detection systems (IDS)
struggle to provide low-latency, privacy-preserving solutions due to network congestion, bandwidth limitations, and centralized dependency. Consequently, an
urgent need exists for decentralized, edge-based security mechanisms that can
efficiently detect and mitigate emerging cyber threats in real time [7].
To address these challenges, we propose a Hierarchical Federated Generative Learning-Based Smart Home System for real-time intrusion detection at the
router level. Our framework leverages a multi-tiered architecture integrating federated learning (FL) and Generative Adversarial Networks (GANs) to enhance
threat detection capabilities while preserving user privacy. The system operates
at three layers: local servers, edge servers, and a centralized high-performance
computing (HPC) server, ensuring scalable, privacy-conscious network monitoring. At the local level, an OpenWRT-enabled home router captures network
traffic using tcpdump and securely transmits packet data to a lightweight local
server deployed on an Intel NUC. This server preprocesses the data and extracts
network features before forwarding them to federated edge servers deployed on
AWS virtual machines for collaborative model training. The edge servers participate in federated learning, aggregating intrusion detection models from multiple
devices and refining security policies before relaying optimized models back to
local networks.
Fig. 1: Illustration of IoT Network Vulnerabilities: How Malicious Actors Exploit
IoT Devices Through Victim’s Router Using Spoofing, Packet Sniffing, and Manin-the-Middle (MitM) Attacks
The primary threats targeted by our system include spoofing attacks (ARP,
DNS, MAC address), packet sniffing, rogue DHCP server attacks, and manin-the-middle (MitM) intrusions. As illustrated in Figure 1, malicious actors
Federated Generative Learning-Based Smart Home System
3
leverage the internet service provider (ISP) infrastructure to inject malicious
traffic into home networks, exploiting vulnerabilities in IoT devices and routers.
Our system mitigates these threats by continuously monitoring network flows,
detecting anomalies, and deploying adaptive mitigation measures.
To validate our approach, we conduct extensive experiments using three
datasets: a real IoT traffic dataset, the CICIoT2023 benchmark dataset, and
a synthetic adversarial dataset generated by our GAN model. The real dataset
provides labeled normal and malicious traffic, capturing real-world attack patterns, while CICIoT2023 offers a diverse range of attack and benign traffic types
for robust IDS evaluation. Additionally, our GAN model generates synthetic attack scenarios to enhance detection capabilities, training the discriminator to
differentiate between legitimate and adversarial traffic while improving overall
IDS robustness.
The experimental setup consists of a hierarchical deployment, where a local
server (Intel NUC, 8GB RAM) handles preprocessing, and two AWS virtual machines (4 vCPUs, 8GB RAM each) serve as federated edge nodes for distributed
learning. A Flask-based coordination server facilitates model exchanges between
local and edge servers, ensuring real-time model updates while maintaining lowlatency threat detection. The system also integrates an Electron.js-based desktop application, providing an intuitive user interface for security alerts, network
monitoring, and automated response configurations.
Our results demonstrate that the proposed federated GAN-based intrusion
detection system achieves high detection accuracy, reduced latency, and improved privacy protection compared to traditional cloud-based IDS solutions.
However, several challenges remain, including computational overhead at the
edge, limited OpenWRT compatibility across router models, and the need for further GAN stability improvements. Future work will focus on integrating a Mixture of Experts (MoE) model to optimize federated learning efficiency across heterogeneous network environments and enhancing GAN training methodologies to
improve adversarial traffic simulations. Additionally, expanding the framework
to enable cross-domain collaboration between home networks and ISP infrastructures will facilitate large-scale, privacy-preserving threat intelligence sharing.
2
Related Works
With the increasing prevalence of IoT devices in smart home environments, security challenges have become more significant. This has led to the development
of complex intrusion detection systems (IDS) aimed at addressing evolving cyber
threats. However, traditional IDS solutions suffer from limited network visibility,
high maintenance costs, and an inability to adapt to novel attacks. Moreover,
cloud-centric IDS models exacerbate privacy concerns by requiring the transmission of raw network data to centralized servers for analysis [3]. These limitations
necessitate a shift toward near real-time, privacy-preserving IDS models. Our
work addresses this challenge by introducing a hierarchical federated generative
4
P. Drefahl et al.
learning framework that enables real-time, decentralized intrusion detection at
the router level while preserving user privacy.
Federated Learning (FL) has shown promise in privacy-preserving machine
learning, allowing data to remain local while leveraging distributed training to
produce robust, global models. This approach mitigates privacy risks associated
with centralized learning while enabling continuous model updates [6]. The FedAvg algorithm demonstrated efficient communication in decentralized networks,
leading to its adoption in applications such as animal monitoring methods [12].
However, applying FL to IoT environments presents additional challenges due to
the need for real-time responsiveness and computational constraints. Our novel
contribution lies in adapting FL for smart home IDS, ensuring that federated
updates occur with minimal latency while maintaining threat detection accuracy
across heterogeneous IoT devices.
Generative Adversarial Networks (GANs) have been increasingly applied in
cybersecurity, particularly for generating synthetic attack patterns that mimic
real-world cyber threats. This enhances IDS robustness by incorporating adversarial training [1]. GANs enable IDS models to learn from diverse attack scenarios, improving detection accuracy against previously unseen threats. However,
GANs introduce risks such as training instability and susceptibility to data poisoning. Our work addresses these concerns by integrating stabilized GAN training techniques into a federated IDS framework, ensuring model reliability while
maintaining adversarial robustness.
Recent studies have explored hybrid IDS models that incorporate both FL
and GANs. For instance, prior research introduced GAN-enhanced IDS models
to tackle class imbalance issues in intrusion detection datasets [5]. These studies
analyzed multiple GAN architectures, including WGAN-GP, CGAN, CTGAN,
and GWGAN-GP, comparing their performance against traditional sampling
techniques. Their findings highlighted GANs’ effectiveness in improving detection accuracy across multiple attack types. Our work builds upon this research by
implementing GAN-augmented federated learning in a real-world deployment,
demonstrating its feasibility and effectiveness in smart home network security.
Federated Learning has also been applied to dynamic network environments,
such as drone swarms, where it has been used to enhance anomaly detection
models for network security in autonomous systems [4]. Studies leveraging the
AERPAW testbed demonstrated the benefits of differential privacy and adversarial training in mitigating data poisoning risks. Our work extends this concept
to IoT networks, applying FL optimization strategies tailored for smart home
environments. By doing so, we demonstrate FL’s adaptability across diverse
network structures, further enhancing its viability for resource-constrained IoT
deployments.
While previous studies have independently explored FL and GAN-based IDS
models, few have effectively combined these technologies to address security challenges in smart home environments. Smart home networks present unique constraints, including limited computational resources, device heterogeneity, and
compatibility issues. Our proposed hierarchical federated generative learning
Federated Generative Learning-Based Smart Home System
5
framework bridges these gaps by leveraging FL to maintain user privacy and
GANs to simulate diverse attack scenarios, improving detection accuracy, latency reduction, and adaptability to zero-day threats [9]. By integrating these
methods, our system offers a scalable, real-time, and privacy-preserving IDS designed for the next generation of smart home cybersecurity.
As we see larger IoT systems within homes continue to grow and evolve the
challenge of ensuring usability and security will remain. Most IDS systems are
implemented with out user interfaces (UI) which makes them less available to
non-experts to manage and configure. As proposed, a user-centric framework for
smart homes [11] would ensure accessibility and ease of use for complex technologies such as IDS based on federated learning. These systems could become
quite cumbersome for our senior citizens, which is why usability should be prioritized [2]. with our proposed design offering a user-friendly monitoring interface
that allows easy access and management of security settings.
3
System Architecture and Design
In this section, we detail our multi-layered smart home security framework by
providing a step-by-step workflow for the whole logic. In addition to that, we
provide a detailed system architecture, offering a breakdown of each component
within the front-end and back-end design.
3.1
System & Networks Architecture Overview
Fig. 2: Hierarchical Federated Generative Learning Framework for Smart Home
Security
Figure 2 presents the proposed system architecture from a network and computational perspective, highlighting a hierarchical, federated intrusion detection
6
P. Drefahl et al.
framework designed to enhance smart home security. At the foundation of this
system, a smart home router running OpenWRT serves as the first line of defense, continuously monitoring network traffic and capturing packet-level data
using tools such as tcpdump and Wireshark. To minimize data exposure and preserve privacy, raw packet capture (PCAP) files remain on the router, ensuring
that sensitive network information is not prematurely transmitted beyond the
local network. A secure, key-based SSH connection, managed via Python scripts
utilizing Paramiko, facilitates trusted and automated interactions between the
router and the local server, enabling remote initiation or scheduling of packet
capture sessions and secure retrieval of relevant traffic data.
Upon receiving the PCAP data, the local server performs an initial preprocessing and filtering stage, removing benign or routine traffic associated with
whitelisted IP addresses and recognized services. This preprocessing step significantly reduces the volume of data requiring deeper analysis while concurrently
flagging potentially anomalous patterns using lightweight heuristics. Instead of
transmitting raw traffic logs, the local server extracts and anonymizes relevant
network features, which are then securely relayed to designated edge servers.
These edge nodes participate in a federated learning framework, allowing for
decentralized model training without compromising user privacy.
At the edge computing layer, advanced Generative Adversarial Networks
(GANs) enhance the intrusion detection process by generating adversarial traffic samples, enabling the classifier to identify both known and emerging cyber
threats with greater accuracy. To further improve detection capabilities while
ensuring privacy, a federated model aggregation protocol, such as FedAvg [6],
periodically synchronizes model updates across multiple distributed nodes. This
strategy enables the collaborative refinement of a global intrusion detection
model without requiring direct access to individual network traffic data, thereby
preserving privacy while improving detection robustness.
Detection outcomes and refined model parameters are continuously relayed
back to the local server, facilitating real-time network monitoring and security
updates. The user-facing desktop application, developed using Electron.js, React, and JavaScript, provides an interactive visualization dashboard, allowing
homeowners to configure security settings, visualize alerts, and take proactive
mitigation actions, such as blocking or quarantining malicious connections. By
distributing computational workloads across the router, local server, and federated edge nodes, this architecture achieves low-latency, privacy-preserving intrusion detection, ensuring a robust and scalable cybersecurity solution for modern
smart home environments.
The proposed system follows a structured workflow that enables privacypreserving, real-time intrusion detection through a hierarchical federated learning approach. Initially, an OpenWRT-enabled router passively captures network
traffic using tcpdump and Wireshark, storing raw PCAP files locally to minimize data exposure. A secure SSH-based communication channel, managed via
Paramiko, allows the local server to retrieve these files for preprocessing, where
benign traffic is filtered out, and initial anomaly detection is performed based
Federated Generative Learning-Based Smart Home System
7
on extracted network features. Instead of transmitting raw data, the local server
forwards anonymized and summarized traffic features to federated edge nodes,
including Raspberry Pi, Jetson Nano, and Chameleon cloud servers, where advanced Generative Adversarial Networks (GANs) refine the detection process by
synthesizing attack patterns and improving classifier robustness. Using federated
averaging (FedAvg), model updates from distributed edge nodes are aggregated,
enhancing global detection capabilities while preserving privacy. These refined
models and detection outcomes are then relayed back to the local server, ensuring low-latency threat detection and adaptive security responses. A desktop
application, built with Electron.js and React, provides users with an intuitive interface for real-time monitoring, security alerts, and router configuration, allowing homeowners to manage network policies while benefiting from a continuously
evolving, collaborative cybersecurity framework.
3.2
Main User Interface Components
Fig. 3: Comprehensive Network Security Dashboard for Smart Home Intrusion
Detection and Monitoring
Figure 3 presents the main interface of the desktop application, which provides a comprehensive network security dashboard with functionalities such as
real-time network monitoring, device activity tracking, bandwidth usage analysis, and network diagnostics. Each labeled section in the figure corresponds to
a key component of the system, offering users an intuitive way to monitor and
manage their home network security.
Navigation and Menu (Label 1) The top navigation bar offers quick access
to core functionalities, allowing users to switch between different views, including
“IoT Devices," “Network Status," and “More Options." Additionally, this section
8
P. Drefahl et al.
includes a notifications panel for security alerts and a clearly visible "Exit"
button, ensuring seamless navigation and accessibility.
Network & Device Security (Label 2) This panel provides a high-level
overview of the network’s security status, offering a visual indicator (e.g., "Secure" or "At Risk") based on detected threats. The displayed threat count enables users to quickly assess potential risks and take immediate action if security
anomalies are identified.
Network Traffic (Label 3) The network traffic section provides a detailed
table of active network connections, displaying essential attributes such as source
and destination IP addresses, communication protocols (e.g., TCP, UDP, ICMP),
packet sizes, traffic types, and timestamps. Users can filter traffic logs based
on protocol or IP range to detect suspicious activity and investigate potential
security threats.
Bandwidth Usage (Label 4) This panel presents real-time bandwidth consumption across different network interfaces, showing both received (inbound)
and transmitted (outbound) data volumes. Interfaces such as eth0 and br-lan
are monitored to help users diagnose network performance issues, identify bandwidthheavy devices, and detect unusual data spikes, which may indicate malicious
activities such as denial-of-service (DoS) attacks.
System Console (Label 5) The system console provides low-level diagnostic messages, kernel logs, and system status outputs from the OpenWRT-based
router. This feature is particularly useful for troubleshooting, allowing advanced
users to inspect real-time logs, validate network services, and debug connectivity
issues.
IP Leases and Device Information (Label 6) This section displays active DHCP leases, listing key device attributes such as lease duration, MAC
addresses, assigned IP addresses, and hostnames. By consolidating this information, users can easily identify unauthorized devices, track active hosts, and
enforce customized security policies for different network endpoints.
Overall, this interface integrates multiple security and diagnostic tools, enabling proactive network monitoring and user-driven cybersecurity management
in smart home environments.
3.3
Additional User Interface Components
Figure 4 presents key panels within the user application that facilitate firewall
rule configuration, system performance monitoring, and network interface diagnostics. These components provide administrators with fine-grained control over
security policies, network load assessment, and interface-level configurations to
ensure optimal performance and protection.
Firewall Rules (Label 7) This panel displays and allows modification of the
OpenWRT /etc/config/firewall file, enabling administrators to configure security policies, traffic filtering rules, and network protection mechanisms. Default
settings define the handling of incoming, outgoing, and forwarded traffic, with
options for enabling synflood protection and defining specific zones. As firewall
Federated Generative Learning-Based Smart Home System
9
Fig. 4: Firewall Configuration, System Performance Monitoring, and Network
Diagnostics Panel
rules take effect immediately, users can quickly adapt policies to mitigate threats,
enforce segmentation, or optimize network flow based on real-time security needs.
Uptime and Load (Label 8) This section provides real-time system performance metrics, including device uptime and CPU load averages over the past
1, 5, and 15 minutes. Monitoring these indicators helps administrators detect
excessive resource consumption, potential performance bottlenecks, or system
instability. Elevated load values may indicate CPU-intensive tasks, while unexpectedly short uptime durations could suggest frequent reboots or underlying
hardware/software failures requiring further investigation.
Network Configuration (Label 9) This panel presents detailed interface-level
network diagnostics, displaying hardware addresses (MAC), assigned IPs, subnet
masks, and traffic statistics. Users can monitor packet transmission and reception rates, detect packet drops or errors, and validate interface configurations to
ensure proper routing and network segmentation. The information provided is
crucial for troubleshooting connectivity issues, verifying correct bridge settings,
and diagnosing potential hardware-related failures before they impact network
stability.
10
P. Drefahl et al.
These panels collectively enhance network security management by providing real-time insights, proactive diagnostics, and user-controlled firewall policy
adjustments, ensuring a robust and resilient smart home security environment.
4
Federated Generative Learning Methodology
Building upon the previously discussed security and intrusion detection framework, this section introduces a hierarchical federated learning architecture designed to enhance distributed model training and collaborative threat detection.
4.1
Federated Learning Workflow
Figure 6 presents a hierarchical federated learning framework that enables distributed model training and adaptive cybersecurity solutions across multiple
network layers. At the foundation of this system, edge devices within local networks independently train localized machine learning models based on the network traffic they monitor. These devices report to edge servers, which serve as
intermediate nodes responsible for aggregating, refining, and distributing model
updates. Each edge server collects multiple local models, integrates them, and
generates an optimized local federated model, which is then transmitted to a
remote high-performance computing (HPC) server for further refinement.
At the top tier of the hierarchy, the HPC server aggregates multiple local
models from edge servers to produce a more generalized global model. This
global model is then distributed back to edge servers, ensuring that each network
benefits from collective intelligence while maintaining data privacy—since raw
traffic data never leaves the local network. The bidirectional flow of local and
global model updates fosters an adaptive intrusion detection system capable of
identifying both known and emerging threats.
By organizing federated learning into multiple levels—from local edge devices
to edge servers and finally to a centralized HPC system—this approach optimizes
computational efficiency, reduces latency, and enhances detection accuracy. The
depicted architecture highlights the potential for scalable, privacy-preserving
cybersecurity solutions applicable to smart home environments, industrial IoT,
and broader network security applications.
More specifically, federated learning facilitates decentralized model training
while preserving data privacy by ensuring that raw data remains local, with
only model updates being exchanged across network layers. The workflow is
meticulously designed to uphold this principle, preventing the transmission of
sensitive network traffic data while still enabling collaborative learning. The
process begins with feature extraction, where local servers analyze PCAP flow
data, extracting key network characteristics such as packet length, flow duration,
and protocol distribution. To further safeguard privacy, sensitive identifiers like
IP addresses and port numbers can be anonymized before further processing.
Following feature preparation, the edge training phase is initiated, where
each edge device independently trains a local intrusion detection model using
Federated Generative Learning-Based Smart Home System
11
Fig. 5: Hierarchical Federated Learning Architecture for Distributed Intrusion
Detection
aggregated feature updates derived from observed network traffic. These localized models are periodically synchronized through federated updates, wherein
edge devices transmit computed weight adjustments to a federated coordinator
or central aggregation server. The coordinator then integrates these updates, refines the global model, and redistributes the improved version back to the edge
devices within the local network.
Finally, during the local inference phase, each edge device applies the latest
model for real-time intrusion detection, leveraging the continuously evolving
federated model to identify anomalies, detect cyber threats, and enhance network
security. This hierarchical learning approach significantly reduces data exposure
risks while enabling adaptive, privacy-preserving cybersecurity solutions within
distributed smart home and IoT environments.
4.2
GAN and IDS Integration
Building on the federated learning framework, Generative Adversarial Networks
(GANs) further enhance the effectiveness of intrusion detection by introducing
an adversarial training paradigm. This approach leverages two competing models: a generator (G) and a discriminator (D), working in tandem to refine network
intrusion detection capabilities. The generator (G) is responsible for synthesizing realistic malicious network traffic patterns, emulating attack behaviors such
as DDoS floods, ARP spoofing, and other sophisticated cyber threats. By continuously generating deceptive attack flows, G challenges the discriminator (D),
which is trained to differentiate between legitimate traffic and adversarial attack
samples. Through this iterative adversarial training, D progressively improves
12
P. Drefahl et al.
its detection robustness, learning to recognize more nuanced and evasive attack
strategies over time.
To ensure scalability and efficiency, the trained GAN model is deployed across
distributed edge servers, enabling real-time, localized detection of malicious activities while reducing dependence on centralized infrastructure. This distributed
approach enhances both responsiveness and resilience, allowing the intrusion detection system (IDS) to adapt dynamically to evolving cyber threats.
The adversarial detection workflow begins with real-time scoring of incoming
network traffic, where the discriminator module (D) evaluates extracted traffic
features and assigns a probability score to determine whether the traffic is legitimate or adversarial. If the traffic is classified as malicious or artificially generated
by G, it is immediately blocked, and an alert is sent to administrators, notifying
them of a potential adversarial attack. The intrusion detection module then processes legitimate traffic, analyzing its characteristics to assess potential security
risks. To further improve adaptability against emerging threats, the IDS incorporates federated deep learning, aggregating threat intelligence from multiple
edge nodes while maintaining privacy. Additionally, GAN-generated synthetic
attack simulations are integrated into the IDS training process, enabling it to
identify complex and previously unseen cyber threats.
To achieve high detection precision while minimizing false positives, the system implements a thresholding mechanism, flagging network sessions as malicious only if their suspicion score exceeds a predefined threshold. This decisionmaking process is context-aware, taking into account factors such as time of day,
typical user behavior, and device activity patterns. Once a threat is confirmed,
real-time notifications are triggered via the Electron.js-based desktop application, providing administrators with detailed threat reports, including attack type
(e.g., DDoS attempt), source IP address, and recommended mitigation actions.
Designed for both technical and non-technical users, the notification system allows administrators to review logs, visualize network traffic trends, and configure
security policies in an intuitive interface.
Upon detecting and confirming malicious network activity, the system enforces router-level mitigation measures, dynamically applying security policies
such as throttling suspicious connections, dropping harmful packets, or updating firewall rules to neutralize ongoing threats. By integrating adversarial learning, adaptive intrusion detection, and automated threat response, this GANenhanced IDS framework strengthens smart home network security while ensuring efficient and precise real-time threat mitigation.
5
Evaluation
In this section, we first present a detailed overview of the experimental environment, including the design and deployment of both local and edge servers
in a real-world setting. We then describe the dataset and evaluation metrics
used for the federated learning (FL), Generative Adversarial Networks (GANs),
and intrusion detection system (IDS) integration. This is followed by an analy-
Federated Generative Learning-Based Smart Home System
13
sis of experimental results, examining the system’s performance across various
simulated and real-world attack scenarios. Finally, we provide a discussion on
the key findings, highlighting the effectiveness and limitations of the proposed
framework.
5.1
Experiment Setup
Building on the system’s design, the experimental setup ensures seamless integration between the router, local server, and federated edge nodes to facilitate
real-time intrusion detection. The desktop application serves as the primary
interface for network configuration, security monitoring, and response management, requiring users to provide essential router credentials, including IP address, SSH port, and administrative login details during the initial setup. These
parameters are securely stored using encrypted configuration files, streamlining
subsequent access without compromising security. Once configured, the application automatically initializes a local Python server, which establishes a secure
SSH connection to the OpenWRT router via the Paramiko library.
With this secure channel in place, the local server retrieves real-time router
diagnostics, such as CPU utilization, active network interfaces, and firewall configurations, ensuring continuous monitoring of system performance. It then initiates packet capture sessions using tcpdump or Wireshark, enabling network
traffic analysis directly at the router level. Captured raw PCAP files are securely
transferred to the local server via Paramiko, where they undergo preprocessing
to filter out benign or whitelisted traffic. The extracted feature set is then transmitted to federated edge servers for distributed learning and collaborative threat
detection, reducing computational load on the home router while preserving data
privacy.
The local server, deployed on an Intel NUC with 8GB RAM, is responsible
for handling initial data preprocessing and coordinating secure data transmission
to federated nodes. The federated learning framework is implemented across two
AWS virtual machines, each configured with 4 vCPUs and 8GB RAM, serving
as edge computing nodes for distributed training. These edge servers aggregate
intrusion detection models from multiple devices, refining security policies before relaying optimized models back to the local network for adaptive real-time
protection.
A lightweight Flask-based service running on the local server coordinates the
exchange of model updates and inference results between the federated learning
nodes. Once the edge servers complete their analysis, the Flask server retrieves
the refined threat intelligence and updated model parameters, integrating them
into the local security framework. The desktop application then visualizes security insights, triggers real-time alerts, and enables user-configurable response
mechanisms, providing a comprehensive and adaptive intrusion detection system
within a single unified interface. This experimental setup ensures low-latency
threat detection, decentralized model training, and privacy-preserving security
monitoring for smart home environments. To clarify the hardware and software
14
P. Drefahl et al.
setup used in our experiments, Table 1 summarizes the specifications of each
system component.
Component
Specifications
Function
Router
OpenWRT-based GL-MT300N-V2
Network traffic capture via tcpdump
Local Server Intel NUC, 8GB RAM, Ubuntu 20.04 Data preprocessing, SSH, model updates
Edge Server 1/2 AWS EC2 VM, 4 vCPUs, 8GB RAM Federated model training, threat analysis
Desktop App
Electron.js, React, Flask Backend
UI for alerts and network monitoring
Table 1: Experimental Setup Specifications
5.2
Dataset Discussion
The evaluation of our intrusion detection system (IDS) is conducted using three
datasets: a real-world IoT traffic dataset, the [8] benchmark dataset, and a synthetic traffic dataset generated by our GAN model. The real IoT traffic dataset
comprises labeled normal and malicious traffic traces, capturing real-world adversarial behaviors such as port scans and distributed denial-of-service (DDoS)
attacks. This dataset provides a ground truth reference for evaluating the system’s ability to detect common cyber threats.
The CICIoT2023 traffic dataset, a widely recognized benchmark for IoT intrusion detection, includes a diverse mix of benign and attack traffic patterns,
offering a comprehensive evaluation ground for IDS models. By incorporating
multiple attack types, it allows for robust validation of the system’s detection
accuracy and generalization capabilities.
Additionally, our GAN model generates a synthetic traffic dataset designed
to simulate adversarial attack patterns, improving the IDS’s resilience against
novel and evasive threats. While the discriminator in the GAN is trained on
both real and synthetic network traffic to differentiate between legitimate and
malicious activity, the generator does not interact directly with real network
packets. Instead, it produces artificial adversarial samples that enhance the IDS’s
ability to detect previously unseen attack strategies. The IDS integrates all three
datasets, leveraging real-time packet captures, labeled traffic from CICIoT2023,
and synthetic adversarial patterns to refine its detection capabilities and adapt
dynamically to evolving cyber threats.
5.3
Results
Figure 6 illustrates the comparative performance of the proposed Network Intrusion Detection System (NIDS) trained on both real and augmented datasets
over five epochs. The evaluation focuses on key performance metrics, including
accuracy, precision, recall, and loss, to assess how the system adapts and improves during training. The baseline performance, represented as "AVG Real
Data," reflects the model’s initial capabilities when trained solely on real-world
Federated Generative Learning-Based Smart Home System
15
traffic. At this stage, while accuracy is relatively high, both precision and recall
exhibit moderate values, suggesting potential limitations in detecting minorityclass attack patterns due to class imbalance. Loss values at this stage are also
higher, indicating the model’s initial struggle in distinguishing between normal
and attack traffic.
Fig. 6: Performance Comparison of NIDS Using Real Data vs. GAN-Augmented
Data Over Five Training Epochs
Data Type
Accuracy
Precision
Recall
Augmented 0.8206 ± 0.0066 0.5823 ± 0.0091 0.9996 ± 0.0001
Real
0.9908 ± 0.0005 0.9823 ± 0.0009 0.9996 ± 0.0001
Data Type
AUC
Loss
LogCosh
Augmented 0.9859 ± 0.0045 0.5596 ± 0.0499 0.0640 ± 0.0031
Real
0.9925 ± 0.0003 0.0781 ± 0.0024 0.0042 ± 0.0002
Table 2: Comparative Performance Metrics of NIDS on Real vs. GANAugmented Data Over Five Training Epochs
Table 2 further quantifies the impact of GAN-based augmentation by providing average model performance metrics across five training epochs. The results
indicate that while models trained on real data achieve higher accuracy (0.9908)
and precision (0.9823), they exhibit lower robustness against evolving adversarial
threats. In contrast, models trained with augmented data demonstrate superior
16
P. Drefahl et al.
recall (0.9996), ensuring that fewer attack instances go undetected. However, the
lower precision (0.5823) suggests an increased false positive rate, likely due to
the diversity of synthetic attack samples generated by GANs. The AUC score remains high for both datasets, reaffirming the model’s effectiveness in classifying
network traffic. Notably, the loss value for augmented data (0.5596) is significantly higher than that of real data (0.0781), indicating that adversarial training
introduces additional complexity in learning decision boundaries. Similarly, the
LogCosh loss, which measures gradient smoothness, is noticeably higher for augmented data, reflecting the model’s exposure to more diverse and complex attack
patterns.
As training progresses, the model exhibits significant improvements across
all key metrics. By Epoch 1, the integration of GAN-generated adversarial samples enhances the model’s ability to recognize attack behaviors, evident from the
steady increase in recall and precision. The recall metric continues to improve in
subsequent epochs, demonstrating that the model becomes progressively more
adept at detecting previously unseen attack patterns while reducing false negatives. The overall accuracy remains consistently high, validating the effectiveness
of federated learning and GAN-based augmentation in reinforcing the model’s
decision boundaries. Additionally, the loss function shows a clear decreasing
trend, indicating stable convergence and reduced classification errors. By Epoch
5, the model achieves its optimal performance, with near-maximal accuracy, precision, and recall, affirming the robustness of the proposed intrusion detection
framework in recognizing sophisticated cyber threats with minimal performance
degradation.
The quantitative results in Table 3 further support the efficacy of the proposed method in differentiating between attack and benign network traffic. The
model successfully identifies 3,919 attack instances from a total of 4,000, demonstrating high sensitivity to malicious activities. The false positive rate remains
exceptionally low, with only one benign instance being misclassified as an attack, minimizing unnecessary security alerts. Additionally, the system correctly
classifies 39,999 benign network flows while only misidentifying 81 attack samples as normal traffic. This low number of false negatives highlights the model’s
effectiveness in mitigating the risk of undetected intrusions, a critical factor in
real-world cybersecurity applications. The combination of federated learning and
adversarial training ensures that the model remains adaptable to emerging attack strategies, improving its generalization across different IoT environments.
5.4
Results Discussion
Our experimental results validate the efficacy of a hierarchical federated generative learning approach in detecting advanced cyber threats in near-real time,
particularly within resource-limited home networks. Traditional cloud-based security mechanisms often face challenges in balancing latency, privacy, and computational efficiency, whereas our distributed learning framework successfully
mitigates these issues by enabling local inference and edge-based model updates. The hierarchical model design not only enhances network security but
Federated Generative Learning-Based Smart Home System
17
Traffic True
False
True
False
Total
Type Positives Positive Negatives Negatives Traffic
Attack
3919
1
39999
81
4000
Benign 39999
81
3919
1
40000
Table 3: Intrusion Detection Results in terms of Classification Performance on
Attack and Benign Network Traffic
also presents a viable commercial-grade ISP solution, leveraging edge computing
for large-scale deployment. As IoT adoption continues to expand, this approach
supports broader device-to-device collaboration, making it increasingly relevant
in the modern cybersecurity landscape.
However, several limitations must be acknowledged. Deploying this system at
scale would introduce high computational demands on edge devices, increasing
operational costs for ISPs and potentially limiting widespread adoption. Many
ISPs may be reluctant or unable to invest in high-performance edge computing
infrastructures, thereby constraining the system’s applicability. Another critical
limitation is compatibility with OpenWRT. Although OpenWRT serves as a
widely adopted open-source router firmware, not all router models support its
full functionality due to hardware limitations. This incompatibility restricts the
system’s feasibility across diverse home networking environments, highlighting
the need for broader hardware support or alternative integration strategies.
6
Conclusion and Future Work
This paper presented a Hierarchical Federated Generative Learning-Based Smart
Home System for real-time intrusion detection at the router level. By integrating tcpdump-based local captures, a Paramiko-driven local server, and GANaugmented federated learning at the edge, our approach enhances threat detection accuracy while preserving user privacy. Additionally, an Electron.js-based
desktop application enables intuitive network monitoring and security management for non-expert users. Experimental results demonstrate reduced detection
latency, improved accuracy, and strong privacy preservation, reinforcing the system’s potential to secure modern home networks.
Future research will focus on optimizing computational efficiency by incorporating a Mixture of Experts (MoE) model, which can dynamically allocate resources for different cyber threats, improving scalability across resourcelimited home routers. Additionally, improving GAN stability through adaptive
loss functions and hyperparameter tuning will enhance attack simulations, ensuring more reliable adversarial learning. Finally, expanding the framework for
cross-domain collaboration with ISP infrastructures could enable large-scale,
privacy-preserving threat intelligence sharing, strengthening cybersecurity across
interconnected networks.
18
P. Drefahl et al.
Acknowledgments. This research was supported in part by the Florida Gulf
Coast University (FGCU) Head-Start Funding and funding from DENDRITIC
Human-Centered AI and Data Science Institute. We thank our collaborators at
the University of Florida and Lucerne University of Applied Sciences and Arts
for invaluable feedback.
Competing Interests. The authors have no competing interests to declare
that are relevant to the content of this article.
References
1. de Araujo-Filho, P.F., Kaddoum, G., Campelo, D.R., Santos, A.G., Macêdo, D.,
Zanchettin, C.: Intrusion detection for cyber–physical systems using generative
adversarial networks in fog environment. IEEE Internet of Things Journal 8(8),
6247–6256 (2020)
2. Ashraf, A., Zhu, X., Liu, J., Rauf, Q., Firdaus, R.: Usability evaluation framework of smart home applications for senior citizens. In: 2022 12th International
Conference on Software Technology and Engineering (ICSTE). pp. 29–39. IEEE
(2022)
3. He, P., Huang, D., Wu, D., He, H., Wei, Y., Cui, Y., Wang, R., Peng, L.: A survey
of internet of medical things: technology, application and future directions. Digital
Communications and Networks (2024)
4. Kostage, K., Adepu, R., Monroe, J., Haughton, T., Mogollon, J., Poduvu, S.,
Palaniappan, K., Qu, C., Calyam, P., Mitra, R.: Federated learning-enabled network incident anomaly detection optimization for drone swarms. In: ICDCN ’25:
Proceedings of the 26th International Conference on Distributed Computing and
Networking. pp. 104–114. ACM (2025). https://doi.org/10.1145/3700838.3700857,
https://doi.org/10.1145/3700838.3700857
5. Kostage, K., West, D., Meinert, T., Qu, C., Calyam, P., Mazzola, L.: Enhancing
autonomous intrusion detection system with generative adversarial networks. In:
2024 IEEE 20th International Conference on e-Science (e-Science). pp. 1–10 (2024).
https://doi.org/10.1109/e-Science62913.2024.10678662
6. McMahan, H.B., Moore, E., Ramage, D., Hampson, S., y Arcas, B.A.:
Communication-efficient learning of deep networks from decentralized data (2023),
https://arxiv.org/abs/1602.05629
7. Moustafa, N., Koroniotis, N., Keshk, M., Zomaya, A.Y., Tari, Z.: Explainable
intrusion detection for cyber defences in the internet of things: Opportunities
and solutions. IEEE Communications Surveys Tutorials 25(3), 1775–1807 (2023).
https://doi.org/10.1109/COMST.2023.3280465
8. Neto, E.C.P., Dadkhah, S., Ferreira, R., Zohourian, A., Lu, R., Ghorbani, A.A.:
Ciciot2023: A real-time dataset and benchmark for large-scale attacks in iot environment. Sensors 23(13), 5941 (2023)
9. Pu, X., Lei, T., Wen, W., Feng, W., Wang, Z., Chen, Q., Jin, S.: Incentive mechanism and resource allocation for collaborative task offloading in energy-efficient mobile edge computing. IEEE Transactions on Vehicular Technology 72(10), 13775–
13780 (2023)
10. Sadotra, P., Thakur, G., Chouksey, P., Nayak, M.H., Chopra, M.: Intrusion detection in smart homes: A comprehensive review. environment 4, 11 (2024)
Federated Generative Learning-Based Smart Home System
19
11. Wickramasinghe, C.I.: Best-practice-based framework for user-centric privacypreserving solutions in smart home environments. In: International Conference
on Mobile and Ubiquitous Systems: Computing, Networking, and Services. pp.
101–120. Springer (2022)
12. Yu, Z., Xiangting, L., Yalin, S., Aidi, X., Yi, Z., Hailong, J., Weizheng, S.: Realtime monitoring method for cow rumination behavior based on edge computing
and improved mobilenet v3. Smart Agriculture 6(4), 29 (2024)
