Review

Survey of Federated Learning for Cyber Threat Intelligence in Industrial IoT: Techniques, Applications and Deployment Models

by Abin Kumbalapalliyil Tom 1,†, Ansam Khraisat 2,†, Tony Jan 1,†, Md Whaiduzzaman 1,†, Thien D. Nguyen 1,† and Ammar Alazab 1,*,†

1 Centre for Artificial Intelligence Research and Optimization (AIRO), Torrens University Australia (TUA), 46–52 Mountain Street, Ultimo, NSW 2007, Australia
2 School of Info Technology, Faculty of Science Engineering & Built Environment, Deakin University, Burwood, VIC 3125, Australia
* Author to whom correspondence should be addressed.
† These authors contributed equally to this work.
Future Internet 2025, 17(9), 409; https://doi.org/10.3390/fi17090409
Submission received: 3 August 2025 / Revised: 31 August 2025 / Accepted: 3 September 2025 / Published: 8 September 2025
(This article belongs to the Special Issue Distributed Machine Learning and Federated Edge Computing for IoT)

Abstract

The Industrial Internet of Things (IIoT) is transforming industrial operations through connected devices and real-time automation but also introduces significant cybersecurity risks. Cyber threat intelligence (CTI) is critical for detecting and mitigating such threats, yet traditional centralized CTI approaches face limitations in latency, scalability, and data privacy. Federated learning (FL) offers a privacy-preserving alternative by enabling decentralized model training without sharing raw data. This survey explores how FL can enhance CTI in IIoT environments. It reviews FL architectures, orchestration strategies, and aggregation methods, and maps their applications to domains such as intrusion detection, malware analysis, botnet mitigation, anomaly detection, and trust management. Among its contributions is an empirical synthesis comparing FL aggregation strategies—including FedAvg, FedProx, Krum, ClippedAvg, and Multi-Krum—across accuracy, robustness, and efficiency under IIoT constraints. The paper also presents a taxonomy of FL-based CTI approaches and outlines future research directions to support the development of secure, scalable, and decentralized threat intelligence systems for industrial ecosystems.

1. Introduction

The Internet of Things (IoT) influences the advancement of modern industries and smart cities, particularly through the concept of intelligent industry [1]. A core component of this transformation is the Industrial Internet of Things (IIoT), which enables the collection and analysis of vast amounts of data from IoT devices and industrial machinery. IIoT facilitates seamless connectivity among distributed devices—including industrial sensors, machines, and controllers—to optimize operations through real-time data-driven decision-making [2]. With the integration of edge computing and cloud-based infrastructures, IIoT enables advanced services such as system optimization, predictive analytics, and remote monitoring.
Despite these technological advancements, the lack of standardized security frameworks renders IIoT networks highly vulnerable to sophisticated cyber threats. The growing volume and complexity of data intensify the need for effective cybersecurity mechanisms. Traditional rule-based and signature-based detection systems are insufficient for identifying advanced, evolving threats [3]. Consequently, cyber threat intelligence (CTI) has emerged as a proactive strategy for identifying, analyzing, and mitigating threats by leveraging real-time data on Indicators of Compromise (IOCs), adversarial tactics, and zero-day vulnerabilities. CTI enables organizations to make informed, evidence-based security decisions to protect critical infrastructure [4].
However, centralized CTI systems often struggle with latency, scalability, and privacy issues, particularly in distributed and heterogeneous IIoT environments. To overcome these limitations, artificial intelligence (AI)—especially machine learning (ML)—is increasingly integrated into CTI to support threat detection, analysis, and prediction in real time [5]. Nonetheless, centralized ML architectures introduce concerns around data privacy and communication overhead, making them unsuitable for IIoT’s distributed nature.
To address these challenges, federated learning (FL) offers a promising solution. It enables collaborative model training across IIoT devices without sharing raw data, thereby preserving data privacy and reducing the risk of breaches [6]. In FL-based CTI frameworks, only model updates are exchanged, allowing organizations to build shared threat intelligence while complying with privacy constraints. This makes FL especially suited for CTI in IIoT settings where data sensitivity is important.
Several surveys, such as those by [7,8,9], have thoroughly investigated AI-driven threat detection in IIoT environments. However, they do not fully address the combination of CTI with federated learning, which is increasingly crucial for privacy-aware collaborative defense systems. Table 1 provides a comparative overview of recent surveys related to cybersecurity, CTI, and federated learning in IIoT.
References [12,13] focus on CTI frameworks and ML-based intelligence sharing, but they lack consideration of decentralized approaches like FL that mitigate privacy and data governance challenges. While Ref. [14] includes elements of FL-based CTI, it does not provide a detailed classification, challenges, or taxonomy specific to IIoT systems.
Moreover, refs. [10,15] introduce FL in cybersecurity, but without integrating it within CTI frameworks. Lastly, semantic approaches reviewed by [16] offer promising directions for CTI enrichment but omit the collaborative potential of FL for decentralized threat sharing. Therefore, as shown in the final row of Table 1, our proposed survey is one of the first to holistically address FL-based CTI within the IIoT context, covering AI integration, privacy preservation, taxonomy development, and future research directions.

1.1. Literature Review Strategies

This work is conducted as a review, following the guidelines of Kitchenham and Charters, and is reported in accordance with PRISMA recommendations. The aim is to comprehensively explore the convergence of federated learning (FL) and cyber threat intelligence (CTI) in the Industrial Internet of Things (IIoT), while ensuring the transparency and reproducibility of the review process.
Databases and Search Strings: We searched multiple leading digital libraries, including ACM Digital Library, IEEE Xplore, SpringerLink, ScienceDirect, and MDPI, to ensure wide coverage. The search was conducted between August 2024 and January 2025. Search queries combined Boolean operators with controlled vocabulary; for example:
  • “cyber threat intelligence” AND “federated learning”
  • “IIoT” OR “Industrial Internet of Things” AND “federated learning”
  • “privacy-preserving learning” AND “threat intelligence”
These terms were iteratively refined to balance recall and precision and expanded to include synonyms such as “distributed security,” “collaborative learning,” and “intrusion detection.”
Timeframe: The review covers publications from 2018 to 2025, encompassing both the early adoption of FL in security contexts and the latest advancements. The extended timeframe is necessary to illustrate the evolution of FL-based CTI frameworks and to include very recent contributions (2024–2025) that reflect state-of-the-art trends.
Inclusion and Exclusion Criteria: Studies were included if they (i) explicitly addressed CTI in conjunction with FL or (ii) proposed IIoT security frameworks in which FL was central to the threat intelligence process. Studies were excluded if they were (i) purely conceptual without technical detail, (ii) not peer-reviewed, or (iii) irrelevant to either CTI or FL in IIoT contexts. Only English-language publications were considered.
Screening Process: The initial search yielded 1210 records. After removing duplicates and applying the inclusion and exclusion criteria, 159 papers were retained for abstract and full-text screening. Using forward and backward snowballing, the final dataset comprised 154 primary studies: 57% journal articles, 30% conference papers, and 13% other sources. Nearly all (99%) were published after 2019, reflecting the rapid growth of this field.
A PRISMA flow diagram (Figure 1) is included to illustrate the selection process. The categorization and taxonomy presented in Section 3 and Section 4 are grounded in this systematically identified dataset, ensuring that the classification reflects evidence-based analysis rather than descriptive grouping. This systematic approach provides a transparent foundation for synthesizing developments in FL-driven CTI for IIoT, identifying knowledge gaps, and guiding future research directions.

1.2. Contributions

This paper makes the following key contributions:
  • We present a comprehensive survey of cyber threat intelligence (CTI) strategies for Industrial IoT (IIoT), emphasizing privacy-preserving federated learning (FL) approaches.
  • We analyze recent studies summarized in Table 1 to identify research gaps at the intersection of FL and CTI.
  • We contribute an empirical synthesis of FL aggregation strategies outlining trade-offs in accuracy, robustness, and efficiency under IIoT-specific constraints, offering a practical decision-support tool for system designers.
  • We highlight key deployment challenges, including non-IID data, communication overhead, adversarial threats, and resource heterogeneity in IIoT environments.
  • We propose a taxonomy and research roadmap aligning FL techniques with CTI goals to support scalable, secure, and decentralized intelligence systems for next-generation IIoT.
Unlike previous surveys that addressed AI-based CTI [12,13], FL in IoT [10,15], or semantic enrichment [16], this review uniquely integrates a (i) systematic PRISMA-based methodology, (ii) an empirical synthesis of aggregation strategies, and (iii) a deployment-focused taxonomy for IIoT.
The remainder of this paper is organized as follows. Section 2 outlines the preliminaries of CTI, AI, and FL; Section 3 offers a detailed review of the FL architecture and its working mechanisms. Section 4 presents a review of existing threat detection techniques that utilize FL in IIoT. Section 5 provides suggestions for future research, and Section 6 concludes the article.

2. Review of Cyber Threat Intelligence (CTI)

This section reviews CTI standards and federated learning (FL) mechanisms for cyber threat intelligence sharing in IIoT environments. Section 2.1 outlines widely adopted CTI standards, while Section 2.2 discusses the integration of FL in CTI sharing.

2.1. CTI Standards

Several CTI standards have been developed to facilitate structured, automated threat intelligence exchange across IIoT systems [17]. The well-known examples include Structured Threat Information Expression (STIX), Trusted Automated Exchange of Intelligence Information (TAXII), and OpenIOC. These standards provide a common format and language to enhance interoperability, accelerate threat detection, and facilitate real-time responses, as shown in Table 2.
For instance, CyNER [18] automates the conversion of raw CTI into STIX by extracting key entities and relationships, while cyberaCTIve [19] supports CTI modeling and integration into smart infrastructure. These standards underpin CTI aggregation in IIoT systems. With the increasing complexity and volume of CTI, Machine Learning (ML) and FL are utilized to support scalable, privacy-aware threat analysis.
Beyond STIX, TAXII, and OpenIOC, CybOX is also widely used to describe observable objects in CTI exchanges. These standards underpin interoperability for CTI sharing in IIoT environments, but cross-organizational data exchange raises governance challenges and has implications for latency, privacy, and scalability in industrial deployments [20,21,22]. Treating the standards at a level of detail comparable to the FL aggregation and orchestration sections gives a consistent view of both the cybersecurity frameworks and the machine learning methodologies on which FL-based CTI depends.

2.2. Federated Learning in CTI

Centralized ML typically requires collecting data from multiple sources at a central server for training [23]. However, in an IIoT environment, this approach introduces privacy, regulatory, and latency challenges. IIoT devices often generate sensitive but sparse data, so centralized models are frequently non-compliant with data protection regulations.
FL addresses these limitations by enabling collaborative model training without transferring raw data [24]. Devices exchange model updates (e.g., gradients or weights) rather than sensitive (raw) data, reducing risk while ensuring regulatory compliance and real-time responsiveness.
In CTI applications, FL allows IIoT nodes to train models locally on network traffic and contribute encrypted updates to a global threat intelligence model. This decentralized collaboration supports timely threat identification while maintaining organizational data sovereignty, as shown in Figure 2.
Figure 2 contrasts ML-based and FL-based CTI architectures. In centralized ML, data from IIoT sensors are processed locally and forwarded to a central platform for threat analysis, which poses data leakage risks. In contrast, FL retains data at the edge, sharing only model updates with a central aggregator, which then refines and redistributes the global model. FL models and threat detection mechanisms are explored further in Section 3.

3. Review of Federated Learning

This section categorizes FL based on client type, data partitioning, network architecture, and orchestration strategy for effective IIoT deployment.

3.1. FL by Data Partitioning

FL can be classified by how data are partitioned among clients [24]:
  • Horizontal FL (HFL): Clients share the same features but different samples. Suitable for similar IIoT domains across locations.
  • Vertical FL (VFL): Clients observe the same entities with different features, enabling cross-domain feature fusion.
  • Federated Transfer Learning (FTL): Supports collaboration with minimal feature or sample overlap by transferring knowledge from trained models.
Table 3 summarizes the key differences between HFL, VFL, and FTL in terms of their applicable scenarios, methodological approaches, advantages, challenges, and representative use cases within cyber threat intelligence (CTI) for IIoT systems. HFL is effective when data are horizontally partitioned, typically across similar devices or environments. VFL supports vertical partitioning across organizations that share common entities but collect different attributes. FTL provides flexibility in heterogeneous settings where data overlap is limited, enabling collaboration through model transfer. The table clarifies when and how each FL type can be applied depending on the data distribution and system goals.

3.2. FL by Network Architecture

FL architectures are generally categorized into centralized, decentralized, and hierarchical models [24,31]. In centralized FL, a central server aggregates updates from participating clients. This model can be implemented in different configurations: cloud-based FL is suitable for large-scale CTI systems, edge-based FL reduces latency by aggregating updates closer to data sources, and edge-cloud hybrid FL combines both approaches to support scalable and responsive threat modeling. Figure 3 showcases the above three cloud-edge orchestration strategies.
Decentralized FL removes the central aggregator, allowing clients to exchange model updates directly in a peer-to-peer manner. Peer-to-peer FL is well-suited for cooperative IIoT environments, while blockchain-based FL ensures tamper-proof and auditable collaboration, especially in cross-organizational settings.
Hierarchical FL introduces intermediate aggregation layers between local clients and the global model. In two-layer architectures, model updates flow from edge devices to the cloud via edge aggregators, whereas three-layer architectures add a regional layer to facilitate national-scale CTI operations. Each structure offers trade-offs in scalability, efficiency, and trust management, depending on the operational requirements of the IIoT environment.

3.3. FL Training Process in IIoT

This subsection provides a mathematical description of the federated learning (FL) model training process as applied to the Industrial Internet of Things (IIoT) context. It outlines the sequential stages, formalizes model update equations, and highlights key considerations for deploying FL in resource-constrained and heterogeneous IIoT environments.
Let $M$ denote the set of $n$ IIoT devices participating in FL. Each client $M_i$ holds a local dataset $D_i$ and selects a subset $S_i \subseteq D_i$ for training. The typical FL process involves the following stages [23,24,25,28,31,32,33,34]:
  • Client Selection: A subset $M_s \subseteq M$ of eligible clients is selected based on data quality, device capability, and diversity. The selection impacts model performance and convergence.
  • FL Initialization: The FL system defines tasks, data sources, and evaluation metrics. The model architecture, optimization strategy, and data partitioning are established. Training begins with the central server distributing initial parameters.
  • Global Model Initialization: In round $t$, each client $M_i$ receives the current global model $w_t$:
    $w_t^i = w_t$
  • Data Preparation: Clients preprocess and clean local data to ensure quality and consistency. Redundant or low-value data are removed before training begins.
  • Local Model Training: Each client updates the model locally using its data subset $S_i$:
    $w_{t+1}^i = w_t^i - \mu \nabla L_i(w_t^i; S_i)$
    where $\mu$ is the learning rate and $L_i$ is the local loss function.
  • Global Aggregation: The server aggregates local updates to produce the global model:
    $w_{t+1} = \dfrac{\sum_{i \in M_s} |S_i| \, w_{t+1}^i}{\sum_{i \in M_s} |S_i|}$
    This continues iteratively until convergence or target accuracy is reached.
  • Model Deployment: The finalized model is deployed for inference across IIoT environments and may be fine-tuned with new data to adapt to changing conditions.
  • Aggregation Strategies: Various aggregation methods can be used depending on requirements such as convergence speed, privacy, or robustness [27,34].
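The following script is an added illustration of the stages above (global model broadcast, one local gradient step per client, and sample-size-weighted aggregation); it is not code from the survey or from any cited framework. It trains a small logistic-regression threat classifier across three simulated IIoT clients whose data are deliberately non-IID (each client sees a different region of the feature space, which skews its label distribution). All client data, feature names and parameters are constructed for the example; the model is a stand-in for whatever detector a real deployment would use.

```python
"""One synchronous FL round per iteration, following the stage list above.

Stages mapped to code (all data below are constructed, not real IIoT traffic):
  FL Initialization          -> w = zeros
  Global Model Initialization-> each client starts from a copy of w_t
  Local Model Training       -> w_{t+1}^i = w_t^i - mu * grad L_i(w_t^i; S_i)
  Global Aggregation         -> weighted by |S_i| (FedAvg-style)
"""
import numpy as np


def sigmoid(z):
    return 1.0 / (1.0 + np.exp(-z))


def local_train(w_global, X, y, lr=0.1, epochs=1):
    """Local Model Training: gradient steps on the client's own subset S_i.

    Model: logistic regression with w = [bias, w1, w2]; L_i is the mean log-loss,
    whose gradient is Xb^T (sigmoid(Xb w) - y) / |S_i|.
    """
    w = w_global.copy()                                   # w_t^i = w_t
    Xb = np.hstack([np.ones((len(X), 1)), X])             # prepend bias column
    for _ in range(epochs):
        grad = Xb.T @ (sigmoid(Xb @ w) - y) / len(y)      # grad L_i(w; S_i)
        w = w - lr * grad
    return w


def fedavg(updates, sizes):
    """Global Aggregation: sum_i |S_i| w_{t+1}^i / sum_i |S_i|."""
    sizes = np.asarray(sizes, dtype=float)
    return (sizes[:, None] * np.vstack(updates)).sum(axis=0) / sizes.sum()


def make_client_data(rng, n, shift):
    """Constructed client data: two traffic features (e.g. packet rate, failed
    logins, both standardised), label 1 = malicious flow. `shift` moves the
    client's feature distribution, so clients see different label mixes (non-IID)
    while sharing the same underlying decision rule x1 + x2 > 0."""
    X = rng.normal(loc=shift, scale=1.0, size=(n, 2))
    y = (X[:, 0] + X[:, 1] > 0.0).astype(float)
    return X, y


def accuracy(w, X, y):
    Xb = np.hstack([np.ones((len(X), 1)), X])
    return float(np.mean((Xb @ w > 0) == (y == 1)))


def run_rounds(rounds=5, seed=0):
    """Run `rounds` FL rounds over three constructed clients of different sizes.

    Returns the final global model and its accuracy on the pooled client data
    (pooling is done here only for evaluation; in FL the server never sees it).
    """
    rng = np.random.default_rng(seed)
    clients = [make_client_data(rng, n, s) for n, s in [(200, 1.5), (100, -1.5), (50, 0.0)]]
    w = np.zeros(3)                                        # FL Initialization
    for _ in range(rounds):
        updates, sizes = [], []
        for X, y in clients:                               # M_s = all clients this round
            updates.append(local_train(w, X, y))
            sizes.append(len(y))
        w = fedavg(updates, sizes)                         # Global Aggregation
    X_all = np.vstack([c[0] for c in clients])
    y_all = np.concatenate([c[1] for c in clients])
    return w, accuracy(w, X_all, y_all)


if __name__ == "__main__":
    w_final, acc = run_rounds()
    print("global model:", np.round(w_final, 3), "pooled accuracy:", round(acc, 3))
```

Because the aggregation weights are $|S_i|$, the 200-sample client pulls the global model more strongly than the 50-sample one; that is exactly the behaviour the empirical comparison in Section 3.5 refers to when it notes that plain FedAvg degrades under skewed, non-IID client data, and it is why weighted or robust variants are discussed there.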
Table 4 provides a comparative overview of twelve aggregation strategies commonly employed in FL. These methods differ in how they weigh client updates, handle statistical heterogeneity, and balance trade-offs among convergence rate, communication cost, and privacy preservation. Strategies such as FedAvg, FedProx, and Scaffold are contrasted alongside more recent approaches designed to enhance robustness or adapt to non-IID data distributions. This comparison helps inform the selection of an appropriate aggregation technique based on specific IIoT deployment requirements and constraints.

3.4. FL Model Evaluation

Federated learning (FL) supports various data types reflecting the distributed and heterogeneous nature of real-world environments. Unlike centralized ML, which assumes IID data, FL often operates on non-IID data due to device variability, user behavior, and context. It also accommodates vertical, horizontal, sparse, sequential, and hybrid data partitions [53,54,55].
Evaluating FL models is more complex than in centralized ML due to data decentralization and privacy constraints. Since servers lack direct access to client data, indirect evaluation strategies are used to assess model quality, guide client selection, detect adversaries, and ensure fairness [56,57], as summarized in Table 5.

3.5. Empirical Comparisons: A Strategic Lens on Aggregation Trade-Offs

A key contribution of this survey is the synthesis of empirical findings that reveal critical trade-offs among federated learning (FL) aggregation methods within the context of cyber threat intelligence (CTI) for Industrial IoT (IIoT) environments. Despite the proliferation of FL strategies in the literature, few works offer a comparative lens that aligns technical performance with IIoT-specific operational constraints. This section consolidates empirical evidence to highlight how different aggregation strategies perform across key metrics, offering actionable insights for practitioners and researchers designing FL-enabled CTI systems.
  • FedAvg is simple to implement but suffers a 15% performance drop under non-IID data, a common characteristic in IIoT due to device heterogeneity.
  • Weighted aggregation improves accuracy by 10%, particularly in unbalanced environments, but requires precise tuning of client weights—posing scalability challenges.
  • Clipped averaging enhances robustness against adversarial updates (+8%) but increases computational overhead by 5%.
  • Differential privacy strengthens confidentiality but incurs a 7% reduction in model accuracy due to noise injection.
  • Adversarial aggregation techniques yield up to 12% resilience improvement but are computationally intensive, making them more suitable for high-stakes industrial applications.
FL-based models can reach 90% accuracy in IID settings, but this can drop by 20% under non-IID distributions—an issue highly relevant for CTI in IIoT, where data are often sparse, imbalanced, and decentralized.
As illustrated in Table 6, robust aggregation strategies such as Krum and ClippedAvg are better suited for adversarial settings but come at the cost of higher computational demand. Krum filters out anomalous or malicious updates, offering high resilience, whereas ClippedAvg mitigates the influence of extreme values, stabilizing the model under noisy conditions.
Conversely, FedAvg is ideal for resource-constrained or latency-sensitive deployments due to its simplicity, but it underperforms in non-IID conditions common in IIoT. FedProx adds regularization to enhance fairness across clients, although this slows convergence. Multi-Krum advances robustness further but requires significant computation, limiting its applicability in lightweight edge systems.
This comparative evaluation not only bridges a gap in current FL-CTI literature but also offers a decision-support framework for choosing aggregation strategies tailored to varying IIoT security, performance, and resource demands. It underscores the central thesis of this paper: designing effective FL-based CTI frameworks for IIoT requires a context-aware balance of accuracy, privacy, robustness, and scalability.
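As an added example (not from the survey or from any of the cited works), the block below implements the three aggregators the comparison above contrasts, FedAvg, ClippedAvg and Krum (with its Multi-Krum extension), and runs them over a constructed round in which one of seven clients submits a poisoned update. Honest updates cluster near a constructed "true" update; the poisoned one is large and points the other way. The clip radius, the Byzantine budget f and the Multi-Krum selection count m are assumed parameters chosen for the example.

```python
"""Robust aggregation on one constructed FL round with a poisoned client.

FedAvg     : plain mean of updates (pulled away by a single outlier).
ClippedAvg : each update's L2 norm is clipped to `clip` before averaging.
Krum       : pick the single update whose summed squared distance to its
             n - f - 2 nearest neighbours is smallest (Blanchard et al. style).
Multi-Krum : average the m best-scoring updates instead of one.
All updates below are constructed; nothing here is trained.
"""
import numpy as np


def fedavg(updates):
    return np.mean(np.vstack(updates), axis=0)


def clipped_avg(updates, clip):
    """Scale any update with ||u|| > clip down to norm `clip`, then average."""
    clipped = []
    for u in updates:
        norm = np.linalg.norm(u)
        clipped.append(u * min(1.0, clip / norm) if norm > 0 else u)
    return np.mean(np.vstack(clipped), axis=0)


def krum_scores(updates, f):
    """Krum score per update: sum of squared distances to its n-f-2 closest peers.
    Requires n > 2f + 2 so that at least one neighbour set is honest-dominated."""
    U = np.vstack(updates)
    n = len(U)
    if n <= 2 * f + 2:
        raise ValueError("Krum needs n > 2f + 2 clients")
    d = ((U[:, None, :] - U[None, :, :]) ** 2).sum(axis=2)   # pairwise squared L2
    scores = []
    for i in range(n):
        others = np.delete(d[i], i)                          # distances to everyone else
        scores.append(np.sort(others)[: n - f - 2].sum())
    return np.array(scores)


def krum(updates, f):
    """Return (selected update, its index)."""
    idx = int(np.argmin(krum_scores(updates, f)))
    return updates[idx], idx


def multi_krum(updates, f, m):
    """Return (mean of the m best-scoring updates, sorted selected indices)."""
    idx = np.argsort(krum_scores(updates, f))[:m]
    return np.mean(np.vstack([updates[i] for i in idx]), axis=0), sorted(int(i) for i in idx)


def compare(seed=1, f=1, clip=2.0):
    """Constructed round: 6 honest updates near `truth`, client 6 is poisoned.
    Returns the L2 error of each aggregator's output from `truth` and which
    clients Krum / Multi-Krum selected."""
    rng = np.random.default_rng(seed)
    truth = np.array([1.0, 1.0, 1.0])                        # constructed honest direction
    honest = [truth + rng.normal(scale=0.1, size=3) for _ in range(6)]
    poisoned = np.array([50.0, -50.0, 50.0])                 # constructed model-poisoning update
    updates = honest + [poisoned]
    malicious_idx = len(updates) - 1
    err = lambda v: float(np.linalg.norm(v - truth))
    k_vec, k_idx = krum(updates, f)
    mk_vec, mk_idx = multi_krum(updates, f, m=len(updates) - f)
    return {
        "fedavg_err": err(fedavg(updates)),
        "clipped_err": err(clipped_avg(updates, clip)),
        "krum_err": err(k_vec),
        "multi_krum_err": err(mk_vec),
        "krum_selected": k_idx,
        "multi_krum_selected": mk_idx,
        "malicious_idx": malicious_idx,
    }


if __name__ == "__main__":
    for k, v in compare().items():
        print(f"{k:>20}: {v}")
```

The numbers make the trade-off in Table 6 concrete: FedAvg's output is dragged several units away from the honest consensus by one client, ClippedAvg bounds that influence to at most clip/n per round without needing to identify the attacker, and Krum discards the outlier entirely at the cost of an O(n^2 d) pairwise-distance computation and an assumed bound f on the number of faulty clients, which is the extra computational demand the text attributes to Krum and Multi-Krum.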

4. Real-World FL Applications for CTI in IIoT

Federated learning (FL) is increasingly used in cyber threat intelligence (CTI) systems to secure Industrial IoT (IIoT) environments by enabling collaborative threat detection without centralized data sharing [58]. This decentralized learning paradigm preserves privacy and improves scalability, which is critical for sensitive and heterogeneous IIoT settings. However, FL models must contend with challenges such as non-IID data distributions, communication overhead, model-poisoning attacks, and hardware limitations [59].
Deploying FL for CTI in IIoT requires architectures that balance privacy, scalability, and low latency, addressing challenges like resource-constrained devices and non-independent and identically distributed (non-IID) data. We identify three primary deployment models, summarized in Table 7.
Beyond academic prototypes, several industry-facing deployments illustrate the applicability of FL-CTI in IIoT contexts. For instance, Jithish et al. [46] demonstrated federated anomaly detection across smart grid substations, while Verma et al. [47] applied an edge–cloud FLDID framework in smart manufacturing environments. In the healthcare domain, Astillo et al. [61] deployed FL for privacy-preserving diabetes monitoring across hospital IoT infrastructures. These case studies, together with others summarized in Table 7 and Table 8, highlight how deployment choices (edge–cloud, hierarchical, or decentralized) manifest in practical IIoT scenarios with real operational constraints and performance outcomes.
  • Edge-Cloud Model:
    In the edge-cloud model, IIoT devices (e.g., sensors) perform local model training, and a central cloud server aggregates updates to build a global CTI model. This model minimizes latency, making it suitable for real-time threat detection in IIoT applications like smart manufacturing.
  • Hierarchical Model:
    Hierarchical models use intermediate edge servers (e.g., gateways) to perform partial aggregation, with a central server finalizing the global model. This model enhances scalability by reducing communication with the central server, making it ideal for large-scale IIoT deployments like smart grids.
  • Fully Decentralized Model:
    Fully decentralized models eliminate central servers, with IIoT devices collaborating peer-to-peer using protocols like blockchain for trust management. This maximizes privacy, which is critical for sensitive IIoT applications like oil and gas.
As discussed in Section 3.5, the choice of aggregation strategy significantly influences model accuracy, robustness, and convergence. For example, ClippedAvg and Krum offer higher resilience in adversarial environments, while FedAvg provides efficiency in resource-constrained IIoT deployments. These trade-offs are crucial when applying FL to specific cybersecurity tasks. Complementary defenses—such as differential privacy, secure aggregation, and adversarial training—are often integrated to enhance robustness [28].
FL-based threat detection has been applied across a range of CTI tasks, including malware detection, anomaly detection, intrusion detection systems (IDS), trust management, botnet identification, and phishing detection. The subsections below review representative examples of each.

4.1. FL-Based Malware Detection

Traditional malware detection approaches struggle with evolving attack vectors and data privacy concerns. FL addresses these limitations by enabling collaborative training across edge devices without exposing raw data. Several frameworks have employed cross-silo learning and task-specific feature extraction to improve detection performance in IIoT networks [36,62].
To handle non-IID settings, techniques like associative rule mining and Markov chains [63] have been used. Lightweight models such as SIM-FED [64], which employs a 1D CNN, are designed for IIoT scalability and demonstrate robustness against white-box and black-box attacks. Ref. [65] propose a DNN-based flowchart for distributed traffic classification, while [66] use graph-based models (Fed-MalGAT, Fed-MalGCN) to leverage function call graphs (FCGs) and capture semantic code structures—improving detection accuracy in complex threat scenarios.
Summary and Challenges. FL-based malware detection frameworks demonstrate strong potential for privacy-preserving, scalable defense in IIoT. However, performance remains highly sensitive to non-IID distributions, adversarial manipulation, and communication overhead. Future work should emphasize adaptive aggregation, lightweight models, and real-world benchmarking on evolving malware datasets.

4.2. FL-Based Intrusion Detection Systems (IDS)

Intrusion detection systems (IDS) benefit significantly from FL’s privacy-preserving capabilities, particularly in IIoT deployments with distributed attack surfaces. Systems such as FELIDS [29], Fed-ANIDS [52], and MV-FLID [51] integrate DNNs and multiview learning for improved anomaly detection. However, the vulnerability of FL to backdoor attacks, as shown in [37], has prompted research into more robust aggregation strategies and defense mechanisms.
To improve resilience and communication efficiency, several works incorporate advanced aggregation or encryption techniques. Ref. [30] enable cross-organizational model sharing, while FLDID [47] uses encryption for secure gradient exchange. DAFL [31] dynamically adjusts aggregation weights, aligning with empirical insights that weighted or robust aggregation (e.g., ClippedAvg) enhances model performance under heterogeneity. Ref. [67] emphasize the benefits of local training to reduce latency and enhance scalability. Ref. [68] further demonstrate that FL outperforms centralized machine learning in both detection accuracy and data confidentiality.
Summary and Challenges. FL-based IDS solutions improve anomaly detection while safeguarding data privacy, yet they remain vulnerable to poisoning and backdoor attacks. Robust aggregation, encryption, and hybrid edge-cloud models are essential directions to balance accuracy, latency, and resilience in IIoT deployments.

4.3. FL-Based Phishing and Spam Detection

Phishing and spam attacks are persistent threats in IIoT environments, often leveraging email, SMS, and messaging protocols to deliver malicious payloads or exfiltrate sensitive information. These attacks frequently involve impersonation, spoofed links, or context-aware social engineering. Due to the sensitive nature of communication data, centralized phishing detection systems raise privacy and regulatory concerns. Federated learning (FL) provides a decentralized, privacy-preserving alternative that enables collaborative detection without exposing raw user data.
Recent FL-based approaches enhance phishing and spam detection by combining secure training with natural language processing (NLP), lightweight model architectures, and robust aggregation methods to address IIoT-specific challenges such as non-IID data and adversarial risks. Insights from the previous Section 3 highlight that resilient aggregation (e.g., ClippedAvg, Multi-Krum) improves detection reliability under heterogeneous and potentially compromised clients.
Notable systems include:
  • ConvLSTM-FL: Ref. [69] apply a ConvLSTM model within an FL framework to detect phishing content across distributed text streams.
  • SENTINEY: Ref. [70] integrate Secure Multi-Party Computation (SMPC), unsupervised clustering, and string-matching to build adaptive and privacy-respecting phishing detectors.
  • DistilBERT-FL: Ref. [71] implement SMS spam detection using federated DistilBERT, ensuring privacy while leveraging deep semantic representations.
  • FLPhish: Ref. [43] address Byzantine threats through ensemble learning and client reputation scoring, aligning with robust aggregation recommendations from empirical studies.
  • On-Device Learning: Refs. [72,73] implement mobile spam detection entirely on-device, reducing communication overhead and minimizing attack surfaces.
  • FPF: Ref. [74] apply federated NLP pipelines for phishing email detection using context-aware local features.
  • Client Grouping: Ref. [48] improve personalization by clustering clients with similar behavioral profiles, improving convergence under non-IID settings.
  • PhoBERT-FL: Ref. [75] demonstrate the effectiveness of federated PhoBERT in Vietnamese SMS classification, with promising results in multilingual IIoT contexts.
These approaches underscore the practical viability of FL for real-time phishing and spam detection in IIoT, especially when enhanced with behavioral personalization, robust aggregation, and efficient NLP. Selecting aggregation strategies suited to the threat model and system constraints—such as ClippedAvg for robustness or FedAvg for low-resource scenarios—is critical for maintaining performance in real-world deployments.
Summary and Challenges. FL-based phishing and spam detection frameworks leverage NLP, secure multi-party computation, and lightweight deep models to achieve privacy-preserving protection across distributed IIoT communication channels. While these approaches demonstrate strong adaptability to multilingual and context-aware data, challenges remain in handling adversarial clients, non-IID distributions, and high communication costs. Future work should explore personalized federated models, clustering-based client grouping, and robust aggregation mechanisms (e.g., ClippedAvg, Multi-Krum) to maintain accuracy while minimizing resource overhead in real-world deployments.

4.4. FL-Based Botnet Detection

The rise in connected IoT devices has expanded the attack surface for botnets, which exploit device heterogeneity and traffic volume to evade centralized detection. Traditional methods often fall short because of limited scalability, privacy concerns, and model brittleness under adversarial conditions. Federated learning (FL) offers a distributed and privacy-preserving approach to collaborative botnet detection in IIoT environments.
Refs. [76,77] designed FL-based frameworks enabling localized model training with shared aggregation, allowing adaptation to device-specific behavior. Ref. [78] combined FL with network- and host-based IDSs for early DDoS detection via decentralized correlation of malicious activity.
Ref. [50] introduced explainable FL with SHAP-based insights from client models to enhance global model interpretability. Ref. [44] used FedAvg in a deep learning framework for zero-day botnet detection but encountered limitations under non-IID data and adversarial interference—highlighting a need for robust aggregation, such as Krum or ClippedAvg, as discussed in Section 3.
To improve efficiency and scalability, Ref. [79] proposed a lightweight FL framework that applies hyperparameter tuning and dimensionality reduction to mitigate data imbalance and memory overhead. Ref. [80] also optimized aggregation mechanisms, aligning with empirical insights that aggregation strategies directly impact detection accuracy and system robustness in distributed environments.
Summary and Challenges. Botnet detection in IIoT benefits greatly from FL’s distributed collaboration, allowing detection of zero-day attacks and device-specific patterns without centralized data sharing. Recent works show improved interpretability through explainable FL and scalability via lightweight frameworks. Nonetheless, resilience against adversarial manipulation and efficiency under non-IID data remain unresolved. Future research should prioritize adaptive aggregation, efficient communication compression, and cross-domain validation to ensure botnet detection systems remain robust, scalable, and applicable to heterogeneous IIoT environments.

4.5. FL-Based Trust Management

Trust management in IIoT requires accurate assessment of client reliability while preserving data privacy. FL enables decentralized trust inference and collaboration across edge nodes, supporting adaptive defenses in dynamic threat environments.
Ref. [81] introduced a hybrid CNN–BiLSTM FL model embedded in a zero-trust framework, capturing spatio-temporal threat signatures. Ref. [42] proposed FedBayes, leveraging Bayesian inference for resilient aggregation—though its vulnerability to adversarial perturbation indicates the need for more robust strategies like Multi-Krum or ClippedAvg for stronger fault tolerance, per Section 3.5.
Ref. [82] employed asynchronous FL and reinforcement learning to assign trust scores in vehicular networks, while Ref. [83] combined blockchain and zero-trust FL for decentralized collaboration. Environmental variability and non-IID data remain challenges that can be addressed through adaptive aggregation or client clustering.
Ref. [84] and SAFL [85] integrate blockchain and self-attention mechanisms, respectively, to improve traceability and local personalization. These systems illustrate how context-aware aggregation and hybrid FL architectures can improve trust assessment in hostile IIoT settings.
Summary and Challenges. FL-based trust management enhances reliability assessments in IIoT by decentralizing decision-making and integrating zero-trust and blockchain principles. These systems demonstrate improved traceability, personalization, and fault tolerance. However, they face significant challenges in adversarial environments, where malicious clients or poisoned updates can distort trust scores. Developing hybrid trust models that combine Bayesian inference, reinforcement learning, and adaptive aggregation will be critical for strengthening resilience while maintaining low-latency performance suitable for dynamic industrial ecosystems.

4.6. FL-Based Anomaly Detection

Anomaly detection is central to CTI, especially in IIoT, where unusual behaviors often indicate compromise. FL allows edge devices to collaboratively detect anomalies while safeguarding raw data. However, as shown in Section 3.5, non-IID data and adversarial risks demand careful selection of aggregation strategies to ensure convergence and robustness.
Ref. [40] used GRU models with ensemble aggregation to enhance accuracy under variable network conditions. Ref. [46] applied SSL/TLS-based aggregation in smart meters, offering secure and low-latency anomaly detection. To prevent single points of failure, Ref. [38] introduced blockchain-based asynchronous FL.
In resource-constrained ICS environments, lightweight solutions such as the autoencoder-Fourier hybrid of [86] balance efficiency and detection performance. Ref. [87] proposed energy-weighted FL using symbolic sensor data to calculate global thresholds. These strategies reflect a need for flexible aggregation; FedProx or weighted FedAvg may balance personalization with generalization.
Ref. [45] enhanced motion-aware detection with FL-based Flownet-YOLOv8n, reducing latency via edge aggregators. FedeX [88] integrated VAE and XAI for explainability, while Ref. [61] addressed device-level anomaly detection in healthcare using quantized FL to reduce resource load.
Summary and Challenges. Anomaly detection represents a core CTI application for FL in IIoT, addressing threats ranging from industrial control system faults to healthcare monitoring anomalies. Current advances integrate secure aggregation, ensemble learning, and lightweight deep models, improving both detection accuracy and efficiency. However, performance remains constrained by device heterogeneity, scarce benchmark datasets, and vulnerability to adversarial manipulation. Future directions should emphasize benchmark creation, explainable anomaly detection, and adaptive aggregation strategies that can dynamically balance personalization with global generalization in IIoT deployments.

4.7. FL-Based CTI Approaches for IIoT Applications

The taxonomy presented in this section was derived systematically from the 154 primary studies identified in Section 1.1. Specifically, we classified works according to four evidence-based criteria: (i) data partitioning strategy (e.g., HFL, VFL, FTL), (ii) orchestration approach (edge–cloud, hierarchical, decentralized), (iii) aggregation method (e.g., FedAvg, FedProx, robust aggregation), and (iv) targeted CTI task (e.g., intrusion detection, malware detection, trust management). This multi-criteria classification aligns with clustering-based frameworks in the FL survey literature [23,28,34], so that categories emerge from systematic grouping of shared attributes across studies rather than from subjective description. The taxonomy is therefore both reproducible and grounded in the evidence base of CTI-relevant FL research.
FL-based CTI frameworks in IIoT aim to decentralize intelligence sharing while preserving data privacy and operational latency. Aggregation method selection is critical—robust techniques like ClippedAvg are well-suited for adversarial settings, whereas FedAvg may suffice in cooperative, low-risk environments.
Ref. [89] proposed SeCTIS, merging swarm learning, blockchain, and zero-knowledge proofs to enable secure and distributed threat collaboration. Ref. [90] introduced FL-CTIF, combining enriched attack data with a privacy-preserving ANN model. Ref. [91] designed FedTIU, a lightweight DDoS detection framework using edge-based collaborative FL.
DLTIF [92] applied distributed learning to maritime CTI, integrating FL with knowledge-driven classification. Ref. [93] developed a federated forest-based framework for adaptive edge defense, demonstrating robust CTI through hierarchical local-global fusion.

4.8. FL-Based CTI Approaches for Other Applications

FL-based CTI systems are increasingly adopted in domains beyond IIoT, including healthcare, SDN, and financial systems. In such contexts, model robustness, fairness, and privacy remain vital, and empirical findings (Section 3.5) suggest strategies like FedProx or grouped aggregation can help mitigate heterogeneity.
Refs. [94,95] developed FL-enabled IDS in SDNs and IoMTs using PCA-driven feature analysis under non-IID constraints. Ref. [60] employed encrypted FL with adversarial filtering for smart grid security. Ref. [96] introduced FedCRI to share mobile cyber-risk intelligence while maintaining privacy.
Ref. [20] used blockchain-FL for secure CTI sharing in IoT networks, addressing communication latency and integrity. FedCTI [6,97] applied federated intelligence to anomaly detection in smart spaces and Open Banking, respectively.
BFLS [98], CELEST [99], and FGNN [100] combined GNNs with FL for global threat pattern recognition with poisoning resistance. Ref. [101] integrated MISP, SSI, and blockchain into a federated framework for traceable and privacy-respecting CTI exchange.
Critical evaluation of the reviewed works reveals consistent trade-offs. While FedAvg remains widely adopted because of its simplicity and low computational cost, several studies highlight its vulnerability under highly non-IID conditions and its susceptibility to poisoning attacks [29,44]. By contrast, robust aggregation methods such as Krum and Multi-Krum demonstrate greater resilience to adversarial clients, but at the expense of significantly higher computational overhead and slower convergence [27,34]. Similarly, hierarchical FL deployments have been shown to improve scalability and privacy in large IIoT environments, yet they introduce additional latency and coordination complexity [21,45]. These trade-offs underscore that no single approach dominates across all dimensions; aggregation and deployment strategies must instead be matched to the operational constraints and threat models of specific CTI use cases. By foregrounding such contradictions and limitations, this discussion provides a more balanced synthesis of the state of knowledge in FL-based CTI for IIoT.

5. Future Research Directions

Future research in federated learning (FL) for cybersecurity and cyber threat intelligence (CTI) in Industrial Internet of Things (IIoT) environments must address systemic limitations, contextual deployment constraints, and evolving adversarial threats. The following directions build upon empirical insights, including the aggregation strategy trade-offs identified in Section 3, and highlight key opportunities for both researchers and industry practitioners.

5.1. FL-Based Cybersecurity in IIoT

As IIoT deployments often include legacy systems with limited computational capabilities, future work should focus on lightweight and energy-efficient FL designs. Cryptographic techniques such as elliptic-curve cryptography and lightweight homomorphic encryption must be adapted to the constraints of IIoT nodes, enabling secure participation in collaborative training. Edge-aware model compression, quantization, and sparsification will be critical for reducing communication overhead.
Real-time adaptation is another pressing need. FL frameworks must evolve toward self-learning and context-aware updates that respond dynamically to fast-changing threat landscapes, including device compromise, firmware changes, or network shifts. This may require hybrid architectures that combine FL with edge intelligence, stream reasoning, or reinforcement learning.
Empirical analysis in this paper shows that aggregation strategy selection significantly impacts system robustness, especially under non-IID data and adversarial influence. Future research should develop adaptive aggregation mechanisms that can switch between methods (e.g., FedAvg, ClippedAvg, Krum) based on threat level, device profile, or network health.
Standardization of communication protocols and model exchange formats remains a barrier to interoperability across heterogeneous IIoT environments. Collaborative efforts are needed to align FL training processes with industrial protocols (e.g., OPC UA, MQTT) and to develop domain-specific FL APIs.
Finally, quantum-resilient FL is emerging as a long-term priority. Integrating quantum key distribution, post-quantum cryptography, and verifiable federated learning protocols can future-proof FL deployments against cryptographic degradation.

5.2. FL-Based CTI in IIoT

To support real-time threat intelligence, FL-based CTI systems must become scalable, interoperable, and semantically enriched. Existing CTI standards such as STIX and TAXII must be extended or wrapped in lightweight, federated APIs suitable for constrained IIoT environments. Cross-platform implementations that enable real-time sharing of structured threat indicators between IIoT nodes and enterprise systems are urgently needed.
As shown in Section 4, FL-based CTI systems vary in their sensitivity to aggregation choices, data imbalance, and adversarial clients. Future research should develop intelligent orchestration layers that dynamically assign clients to aggregation groups (e.g., as seen in [48]) based on behavior similarity or trust metrics. These grouping strategies can improve convergence and accuracy under non-IID conditions.
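The grouping idea can be made concrete with an added example (illustrative code written for this discussion, not the method of [48] or of any surveyed system). Clients are assigned to aggregation groups by the cosine similarity of their submitted updates, one model is aggregated per group, and each client's reputation is updated from its agreement with its own group; clients whose reputation falls below a floor are excluded from the next round. The similarity threshold, minimum group size, smoothing factor, reputation floor and the constructed client updates are all assumptions chosen for the illustration.

```python
"""Illustrative clustered aggregation with reputation gating for FL-CTI.

Pure Python, no dependencies. Each client's update is a flattened vector of
floats. Clients are grouped by cosine similarity of their updates so that
clients with similar (non-IID) data distributions share a group model, and
each client's reputation tracks how well it agrees with its group.
All thresholds and client data below are assumptions for the illustration.
"""
from math import sqrt
from typing import Dict, List, Sequence

Vector = List[float]


def cosine(a: Vector, b: Vector) -> float:
    dot = sum(x * y for x, y in zip(a, b))
    na = sqrt(sum(x * x for x in a))
    nb = sqrt(sum(x * x for x in b))
    return dot / (na * nb) if na and nb else 0.0


def mean(vectors: Sequence[Vector]) -> Vector:
    n = len(vectors)
    return [sum(v[i] for v in vectors) / n for i in range(len(vectors[0]))]


def group_clients(updates: Sequence[Vector], threshold: float) -> List[int]:
    """Greedy single-pass clustering: join the first group whose running
    centroid is at least `threshold`-similar, otherwise open a new group."""
    labels: List[int] = []
    members: List[List[Vector]] = []
    for u in updates:
        for gid, group in enumerate(members):
            if cosine(u, mean(group)) >= threshold:
                group.append(u)
                labels.append(gid)
                break
        else:
            members.append([u])
            labels.append(len(members) - 1)
    return labels


def group_models(updates: Sequence[Vector], labels: Sequence[int],
                 min_size: int) -> Dict[int, Vector]:
    """One aggregated model (plain mean) per group that is large enough to be
    trusted. Groups smaller than min_size get no model, so a lone deviant
    cannot become its own 'group' and bypass collaborative aggregation."""
    by_group: Dict[int, List[Vector]] = {}
    for u, g in zip(updates, labels):
        by_group.setdefault(g, []).append(u)
    return {g: mean(vs) for g, vs in by_group.items() if len(vs) >= min_size}


def update_reputation(reps: Sequence[float], updates: Sequence[Vector],
                      labels: Sequence[int], models: Dict[int, Vector],
                      alpha: float) -> List[float]:
    """Exponential moving average of each client's agreement (cosine) with its
    group model; a client outside any trusted group scores 0 this round."""
    new = []
    for r, u, g in zip(reps, updates, labels):
        agreement = cosine(u, models[g]) if g in models else 0.0
        new.append((1 - alpha) * r + alpha * agreement)
    return new


def run_round(updates: Sequence[Vector], reps: Sequence[float],
              threshold: float = 0.8, min_size: int = 2,
              alpha: float = 0.5, floor: float = 0.6) -> dict:
    """One orchestration round: group, aggregate per group, score, gate."""
    labels = group_clients(updates, threshold)
    models = group_models(updates, labels, min_size)
    new_reps = update_reputation(reps, updates, labels, models, alpha)
    excluded = [i for i, r in enumerate(new_reps) if r < floor]
    return {"labels": labels, "models": models, "reps": new_reps,
            "excluded": excluded}


# Constructed round: three gateway-class clients agreeing on direction
# [1, 0, 0], three PLC-class clients agreeing on [0, 1, 0] (two non-IID
# groups), and one client whose update opposes both groups.
UPDATES = [
    [1.0, 0.1, 0.0], [0.9, 0.0, 0.1], [1.0, -0.1, 0.0],
    [0.0, 1.0, 0.1], [0.1, 0.9, 0.0], [0.0, 1.1, -0.1],
    [-1.0, -1.0, 0.0],
]

if __name__ == "__main__":
    result = run_round(UPDATES, reps=[1.0] * len(UPDATES))
    print("groups:", result["labels"])            # [0, 0, 0, 1, 1, 1, 2]
    print("excluded next round:", result["excluded"])  # [6]
```

Grouping by update similarity alone is not a poisoning defense: a coordinated set of malicious clients larger than `min_size` forms a valid group. The reputation and minimum-size gates only remove isolated deviants, so in adversarial settings this orchestration layer should sit on top of a robust aggregation rule within each group.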
Benchmarking is also critical. Publicly available FL-CTI datasets for IIoT remain scarce. New benchmarks should include multi-source threat logs, communication traces, and enriched annotations to facilitate evaluation of detection accuracy, model resilience, privacy preservation, and scalability.
Semantic enrichment tools—including text mining, NLP, named-entity recognition, and diachronic linguistics—can enhance CTI extraction from unstructured data. The adoption of ontologies, particularly OWL-based models, can support reasoning across device types, threat vectors, and anomaly signatures. This also enables cross-system semantic interoperability.
At the organizational level, governance models must align CTI sharing with privacy and accountability mandates. Zero-trust principles, secure multiparty computation (SMPC), and blockchain integration can support trustworthy participation across entities. Multilevel governance frameworks—from local operators to national CERTs—can help operationalize FL-based CTI and provide adaptive responses to threats across jurisdictions.
Lastly, future research must focus on optimizing FL for large-scale CTI environments. Efficient filtering, threat prioritization, and contextual alert scoring can reduce analyst burden while maintaining detection accuracy. Combining FL with federated analytics, explainable AI (XAI), and secure auditability will be essential for fostering adoption in safety-critical industrial ecosystems.

5.3. Security Risks and Defenses in FL-CTI

While federated learning provides privacy-preserving collaboration, FL-CTI systems remain vulnerable to a spectrum of adversarial risks that can compromise trustworthiness and scalability in IIoT environments. We categorize these threats into three major classes and summarize corresponding defense strategies.
1. Poisoning Attacks. Malicious clients may inject poisoned gradients or manipulated local updates to degrade the performance of the global model or introduce targeted misclassifications. Empirical studies show that FL methods such as FedAvg are highly vulnerable under non-IID distributions [37,44]. Defenses include robust aggregation algorithms (e.g., Krum, Multi-Krum, ClippedAvg) [27,34], anomaly detection on client updates, and secure multi-party computation. Note that SMPC-based secure aggregation hides individual updates from the aggregator, so any update-level inspection must be built into the protocol rather than applied to plaintext updates at the server; the two defenses are complementary but not freely composable.
2. Backdoor Attacks. Adversaries may implant hidden triggers in local updates, enabling specific malicious behaviors in the global model without significantly affecting aggregate accuracy. Such attacks have been demonstrated in FL-based IDS and malware detection [29,52]. Countermeasures include gradient clipping, differential privacy [22], model inspection, and defense-aware training that selectively removes suspicious update patterns.
3. Adaptive Adversaries. Attackers capable of dynamically adjusting their strategies (e.g., combining data poisoning with inference or evasion tactics) pose a significant challenge in IIoT contexts where data are non-IID and devices are resource-constrained. Mitigation requires adaptive aggregation methods, ensemble defenses, blockchain-enabled trust management [20,21], and continuous monitoring of aggregation dynamics. Table 9 summarizes these three threat classes and their corresponding defenses.
By systematizing adversarial risks and linking them to concrete defenses, FL-CTI research can move beyond acknowledging threats to providing reproducible, evidence-based strategies. This structured synthesis addresses gaps in prior surveys, where adversarial issues were often only briefly noted.
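As an added illustration (code written for this discussion, not from this survey or from any cited work), the following pure-Python example implements the four aggregation rules named under poisoning attacks above, FedAvg, ClippedAvg, Krum and Multi-Krum, and runs them on one constructed round in which five honest clients agree on an update direction and one poisoned client submits a boosted update in the opposite direction. The client updates, the clipping threshold tau = 1.5 and the Byzantine bound f = 1 are assumptions chosen for the illustration; the `aggregate` dispatcher is a stand-in for the threat-level-driven rule switching proposed in Section 5.1.

```python
"""Toy comparison of FL aggregation rules under a model-poisoning client.

Pure Python (no numpy) so it runs anywhere. Vectors are lists of floats
standing in for flattened model updates (deltas), one per client.
All client data and thresholds are assumptions for the illustration.
"""
from math import sqrt
from typing import Dict, List, Optional, Sequence

Vector = List[float]


def _add(a: Vector, b: Vector) -> Vector:
    return [x + y for x, y in zip(a, b)]


def _scale(a: Vector, s: float) -> Vector:
    return [x * s for x in a]


def l2_norm(a: Vector) -> float:
    return sqrt(sum(x * x for x in a))


def sq_dist(a: Vector, b: Vector) -> float:
    return sum((x - y) ** 2 for x, y in zip(a, b))


def cosine(a: Vector, b: Vector) -> float:
    return sum(x * y for x, y in zip(a, b)) / (l2_norm(a) * l2_norm(b))


def fed_avg(updates: Sequence[Vector],
            weights: Optional[Sequence[float]] = None) -> Vector:
    """FedAvg: weighted mean of client updates.

    Caveat: the weights are normally the clients' self-reported sample counts
    n_k. A malicious client can inflate n_k to dominate the average, so the
    weights must be capped or verified before use (see the last test below).
    """
    if weights is None:
        weights = [1.0] * len(updates)
    total = float(sum(weights))
    acc = [0.0] * len(updates[0])
    for u, w in zip(updates, weights):
        acc = _add(acc, _scale(u, w / total))
    return acc


def clipped_avg(updates: Sequence[Vector], tau: float) -> Vector:
    """Clip every update to L2 norm <= tau, then average (unweighted).
    Bounds any single client's influence to tau/n per round; it caps a
    poisoned update's magnitude but does not remove it."""
    clipped = []
    for u in updates:
        norm = l2_norm(u)
        clipped.append(_scale(u, tau / norm) if norm > tau else list(u))
    return fed_avg(clipped)


def krum_scores(updates: Sequence[Vector], f: int) -> List[float]:
    """Krum score: sum of squared distances to the n - f - 2 nearest
    other updates. Outlying (boosted) updates receive large scores."""
    n = len(updates)
    k = n - f - 2
    if k < 1:
        raise ValueError("Krum requires n > f + 2")
    scores = []
    for i, u in enumerate(updates):
        dists = sorted(sq_dist(u, v) for j, v in enumerate(updates) if j != i)
        scores.append(sum(dists[:k]))
    return scores


def krum(updates: Sequence[Vector], f: int) -> Vector:
    """Krum: return the single lowest-scoring update."""
    scores = krum_scores(updates, f)
    return list(updates[scores.index(min(scores))])


def multi_krum(updates: Sequence[Vector], f: int,
               m: Optional[int] = None) -> Vector:
    """Multi-Krum: average the m lowest-scoring updates (default m = n - f)."""
    n = len(updates)
    if m is None:
        m = n - f
    scores = krum_scores(updates, f)
    keep = sorted(range(n), key=lambda i: scores[i])[:m]
    return fed_avg([updates[i] for i in keep])


def aggregate(updates: Sequence[Vector], rule: str,
              f: int = 1, tau: float = 1.5) -> Vector:
    """Hypothetical dispatcher: the orchestrator picks the rule by threat level."""
    if rule == "fedavg":
        return fed_avg(updates)
    if rule == "clippedavg":
        return clipped_avg(updates, tau)
    if rule == "krum":
        return krum(updates, f)
    if rule == "multikrum":
        return multi_krum(updates, f)
    raise ValueError(f"unknown rule {rule!r}")


# Constructed round: five honest clients whose updates agree on direction
# [1, 0, 0], plus one poisoned client that sends a boosted update in the
# opposite direction (the classic scaled model-poisoning update).
HONEST = [[1.0, 0.1, 0.0], [0.9, -0.1, 0.1], [1.1, 0.0, -0.1],
          [1.0, 0.05, 0.05], [0.95, 0.0, 0.0]]
POISONED = [[-10.0, 0.0, 0.0]]
ROUND = HONEST + POISONED


def compare_rules(updates: Sequence[Vector] = ROUND,
                  honest: Sequence[Vector] = HONEST,
                  f: int = 1, tau: float = 1.5) -> Dict[str, float]:
    """Cosine similarity between each rule's aggregate and the honest mean:
    close to +1 means the poisoned client was neutralised, negative means
    the global update was flipped."""
    ref = fed_avg(honest)
    return {rule: cosine(aggregate(updates, rule, f=f, tau=tau), ref)
            for rule in ("fedavg", "clippedavg", "krum", "multikrum")}


if __name__ == "__main__":
    for rule, cos in compare_rules().items():
        print(f"{rule:10s} cos(aggregate, honest mean) = {cos:+.3f}")
```

With these inputs FedAvg is driven in the wrong direction by a single client, ClippedAvg keeps the right direction but still pays a shrunken step, Krum returns one honest update, and Multi-Krum returns the honest mean. The price of the Krum family is the O(n^2 d) distance computation per round and the need to fix f in advance, which is the overhead-versus-robustness trade-off noted in Section 4.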

5.4. Prioritized Research Roadmap

To provide clearer prioritization and actionable guidance, the research roadmap is structured into short-term, medium-term, and long-term challenges for FL-CTI in IIoT:
Short-Term (1–2 years).
  • Development of lightweight FL models and efficient aggregation methods that can operate under strict IIoT resource constraints [29,44].
  • Creation and open sharing of standardized benchmark datasets (e.g., CTI-relevant subsets of CICIDS2017, Bot-IoT, IoT-23) to improve reproducibility and comparability [36,52].
  • Deployment of privacy-preserving FL prototypes in industrial testbeds (smart grids, smart manufacturing) to demonstrate near-term feasibility [46,47].
Medium-Term (3–5 years).
  • Adaptive aggregation strategies that dynamically adjust to adversarial conditions, non-IID distributions, and client heterogeneity [27,34].
  • Integration of CTI standards (e.g., STIX, TAXII, OpenIOC) with FL pipelines to ensure semantic interoperability across organizations [20,21].
  • Establishment of governance frameworks and regulatory guidelines for cross-organizational FL-CTI deployments, addressing trust, liability, and compliance [22].
Long-Term (5+ years).
  • Exploration of post-quantum cryptography and quantum-resilient FL frameworks to safeguard CTI sharing in next-generation IIoT systems [28].
  • Fully decentralized CTI exchange models leveraging blockchain and swarm learning to eliminate single points of failure while preserving scalability [45,60].
  • Development of self-healing, autonomous FL-CTI systems capable of real-time defense against adaptive adversaries through continual learning [37].
This structured roadmap ensures that near-term research addresses immediate practical gaps (lightweight models, benchmarks, testbeds), while medium-term efforts focus on interoperability and resilience, and long-term priorities target quantum-era security and fully autonomous FL-CTI ecosystems.

6. Conclusions

This survey provided a comprehensive examination of how federated learning (FL) can enhance cyber threat intelligence (CTI) across Industrial Internet of Things (IIoT) environments. By analyzing a wide range of threat detection methods, privacy-preserving architectures, and FL-based CTI applications, the study underscores the transformative potential of FL in enabling decentralized, secure, and scalable threat intelligence.
A key contribution of this work is the integration of an empirical synthesis that evaluates leading FL aggregation strategies under IIoT-specific constraints. This analysis offers practical insights into the trade-offs between accuracy, robustness, convergence speed, and computational cost—guiding system designers in selecting appropriate techniques based on deployment requirements. The taxonomy of real-world use cases and the detailed discussion of CTI integration further establish this work as a foundational reference for future research.
The future directions outlined in this survey highlight the need for adaptive, trustworthy, and interoperable FL frameworks that can operate under diverse IIoT conditions. As IIoT networks continue to grow in complexity and scale, developing FL-based CTI systems that are resilient to non-IID data, adversarial threats, and real-time constraints will be essential.
Ultimately, this work lays the groundwork for advancing FL-driven CTI research and supports the design of next-generation security solutions that align with the privacy, scalability, and trust requirements of emerging industrial ecosystems.

Author Contributions

Conceptualization, A.K.T., A.K., T.J., M.W., T.D.N. and A.A.; methodology, A.K.T., T.J. and A.A.; software, A.K.T. and M.W.; validation, A.K.T., A.K., T.J., T.D.N. and A.A.; formal analysis, A.K.T. and M.W.; investigation, A.K.T. and M.W.; resources, T.J. and A.A.; data curation, A.K.T. and M.W.; writing—original draft preparation, A.K.T. and M.W.; writing—review and editing, A.K., T.J., T.D.N. and A.A.; visualization, A.K.T. and M.W.; supervision, T.J., T.D.N. and A.A.; project administration, A.A.; funding acquisition, A.A. All authors have read and agreed to the published version of the manuscript.

Funding

This research received no external funding.

Conflicts of Interest

The authors declare no conflicts of interest.

References

  1. Aouedi, O.; Vu, T.H.; Sacco, A.; Nguyen, D.C.; Piamrat, K.; Marchetto, G.; Pham, Q.V. A survey on intelligent Internet of Things: Applications, security, privacy, and future directions. IEEE Commun. Surv. Tutor. 2024, 27, 1238–1292. [Google Scholar] [CrossRef]
  2. Peter, O.; Pradhan, A.; Mbohwa, C. Industrial Internet of Things (IIoT): Opportunities, Challenges, and Requirements in Manufacturing Businesses in Emerging Economies. Procedia Comput. Sci. 2023, 217, 856–865. [Google Scholar] [CrossRef]
  3. Schlette, D.; Caselli, M.; Pernul, G. A Comparative Study on Cyber Threat Intelligence: The Security Incident Response Perspective. IEEE Commun. Surv. Tutor. 2021, 23, 2525–2556. [Google Scholar] [CrossRef]
  4. Alkhateeb, I.R.; Al-Haija, Q.A.; Abu-Soud, S. Analytical study for cyber threat intelligence (CTI). In Proceedings of the IET Conference Proceedings CP859; IET: London, UK, 2023; Volume 2023, pp. 411–418. [Google Scholar] [CrossRef]
  5. Naseer, I. Machine Learning Applications in Cyber Threat Intelligence: A Comprehensive Review. Asian Bull. Big Data Manag. 2024, 3, 190–200. [Google Scholar] [CrossRef]
  6. El Jaouhari, S.; Etiabi, Y. FedCTI: Federated Learning and Cyber Threat Intelligence on the Edge for secure IoT Networks. In Proceedings of the 13th International Conference on the Internet of Things, Nagoya, Japan, 7–10 November 2023; pp. 98–104. [Google Scholar] [CrossRef]
  7. Mekala, S.H.; Baig, Z.; Anwar, A.; Zeadally, S. Cybersecurity for Industrial IoT (IIoT): Threats, countermeasures, challenges and future directions. Comput. Commun. 2023, 208, 294–320. [Google Scholar] [CrossRef]
  8. Czeczot, G.; Rojek, I.; Mikołajewski, D.; Sangho, B. AI in IIoT management of cybersecurity for industry 4.0 and industry 5.0 purposes. Electronics 2023, 12, 3800. [Google Scholar] [CrossRef]
  9. Raimundo, R.J.; Rosário, A.T. Cybersecurity in the Internet of Things in Industrial Management. Appl. Sci. 2022, 12, 1598. [Google Scholar] [CrossRef]
  10. Kuzlu, M.; Fair, C.; Guler, O. Role of Artificial Intelligence in the Internet of Things (IoT) cybersecurity. Discov. Internet Things 2021, 1, 7. [Google Scholar] [CrossRef]
  11. Alnajim, A.M.; Habib, S.; Islam, M.; Thwin, S.M.; Alotaibi, F. A comprehensive survey of cybersecurity threats, attacks, and effective countermeasures in industrial internet of things. Technologies 2023, 11, 161. [Google Scholar] [CrossRef]
  12. Sun, N.; Ding, M.; Jiang, J.; Xu, W.; Mo, X.; Tai, Y.; Zhang, J. Cyber Threat Intelligence Mining for Proactive Cybersecurity Defense: A Survey and New Perspectives. IEEE Commun. Surv. Tutor. 2023, 25, 1748–1774. [Google Scholar] [CrossRef]
  13. Saeed, S.; Suayyid, S.A.; Al-Ghamdi, M.S.; Al-Muhaisen, H.; Almuhaideb, A.M. A Systematic Literature Review on Cyber Threat Intelligence for Organizational Cybersecurity Resilience. Sensors 2023, 23, 7273. [Google Scholar] [CrossRef] [PubMed]
  14. Alturkistani, H.; Chuprat, S. Artificial Intelligence and Large Language Models in Advancing Cyber Threat Intelligence: A Systematic Literature Review. Res. Sq. 2024. [Google Scholar] [CrossRef]
  15. Chatziamanetoglou, D.; Rantos, K. Cyber threat intelligence on blockchain: A systematic literature review. Computers 2024, 13, 60. [Google Scholar] [CrossRef]
  16. Bratsas, C.; Anastasiadis, E.K.; Angelidis, A.K.; Ioannidis, L.; Kotsakis, R.; Ougiaroglou, S. Knowledge Graphs and Semantic Web Tools in Cyber Threat Intelligence: A Systematic Literature Review. J. Cybersecur. Priv. 2024, 4, 518–545. [Google Scholar] [CrossRef]
  17. Ramsdale, A.; Shiaeles, S.; Kolokotronis, N. A Comparative Analysis of Cyber-Threat Intelligence Sources, Formats and Languages. Electronics 2020, 9, 824. [Google Scholar] [CrossRef]
  18. Czekster, R.M.; Metere, R.; Morisset, C. Incorporating cyber threat intelligence into complex cyber-physical systems: A STIX model for active buildings. Appl. Sci. 2022, 12, 5005. [Google Scholar] [CrossRef]
  19. Ainslie, S.; Thompson, D.; Maynard, S.; Ahmad, A. Cyber-threat intelligence for security decision-making: A review and research agenda for practice. Comput. Secur. 2023, 132, 103352. [Google Scholar] [CrossRef]
  20. Sarhan, M.; Layeghy, S.; Moustafa, N.; Portmann, M. Cyber Threat Intelligence Sharing Scheme Based on Federated Learning for Network Intrusion Detection. J. Netw. Syst. Manag. 2022, 31, 3. [Google Scholar] [CrossRef]
  21. Sarhan, M.; Lo, W.W.; Layeghy, S.; Portmann, M. HBFL: A Hierarchical Blockchain-Based Federated Learning Framework for Collaborative IoT Intrusion Detection. Comput. Electr. Eng. 2022, 103, 108379. [Google Scholar] [CrossRef]
  22. Dunnett, K.; Pal, S.; Jadidi, Z.; Dedeoglu, V.; Jurdak, R. Priv-Share: A privacy-preserving framework for differential and trustless delegation of cyber threat intelligence using blockchain. Comput. Netw. 2024, 252, 110686. [Google Scholar] [CrossRef]
  23. Kairouz, P.; McMahan, H.B.; Avent, B.; Bellet, A.; Bennis, M.; Bhagoji, A.N.; Bonawitz, K.; Charles, Z.; Cormode, G.; Cummings, R.; et al. Advances and open problems in federated learning. Found. Trends Mach. Learn. 2021, 14, 1–210. [Google Scholar] [CrossRef]
  24. Zhang, C.; Xie, Y.; Bai, H.; Yu, B.; Li, W.; Gao, Y. A Survey on Federated Learning. Knowl.-Based Syst. 2021, 216, 106775. [Google Scholar] [CrossRef]
  25. Wen, J.; Zhang, Z.; Lan, Y.; Cui, Z.; Cai, J.; Zhang, W. A Survey on Federated Learning: Challenges and Applications. Int. J. Mach. Learn. Cybern. 2022, 14, 513–535. [Google Scholar] [CrossRef]
  26. Woisetschläger, H.; Erben, A.; Wang, S.; Mayer, R.; Jacobsen, H.A. Federated fine-tuning of llms on the very edge: The good, the bad, the ugly. In Proceedings of the Eighth Workshop on Data Management for End-to-End Machine Learning, Santiago, Chile, 9–15 June 2024; pp. 39–50. [Google Scholar] [CrossRef]
  27. Qi, P.; Chiaro, D.; Guzzo, A.; Ianni, M.; Fortino, G.; Piccialli, F. Model Aggregation Techniques in Federated Learning: A Comprehensive Survey. Future Gener. Comput. Syst. 2023, 150, 272–293. [Google Scholar] [CrossRef]
  28. Liu, B.; Lv, N.; Guo, Y.; Li, Y. Recent advances on federated learning: A systematic survey. Neurocomputing 2024, 597, 128019. [Google Scholar] [CrossRef]
  29. Friha, O.; Ferrag, M.A.; Shu, L.; Maglaras, L.; Choo, K.K.R.; Nafaa, M. FELIDS: Federated learning-based intrusion detection system for agricultural Internet of Things. J. Parallel Distrib. Comput. 2022, 165, 17–31. [Google Scholar] [CrossRef]
  30. Tang, Z.; Hu, H.; Xu, C. A Federated Learning Method for Network Intrusion Detection. Concurr. Comput. Pract. Exp. 2021, 34, e6812. [Google Scholar] [CrossRef]
  31. Li, J.; Tong, X.; Liu, J.; Cheng, L. An efficient federated learning system for network intrusion detection. IEEE Syst. J. 2023, 17, 2455–2464. [Google Scholar] [CrossRef]
  32. Xu, J.; Glicksberg, B.S.; Su, C.; Walker, P.; Bian, J.; Wang, F. Federated Learning for Healthcare Informatics. J. Healthc. Inform. Res. 2020, 5, 1–19. [Google Scholar] [CrossRef]
  33. Woisetschläger, H.; Isenko, A.; Wang, S.; Mayer, R.; Jacobsen, H.A. A Survey on Efficient Federated Learning Methods for Foundation Model Training. In Proceedings of the Thirty-Third International Joint Conference on Artificial Intelligence (IJCAI-24), Jeju, Republic of Korea, 3–9 August 2024; pp. 8317–8325. [Google Scholar] [CrossRef]
  34. Moshawrab, M.; Adda, M.; Bouzouane, A.; Ibrahim, H.; Raad, A. Reviewing federated learning aggregation algorithms; strategies, contributions, limitations and future perspectives. Electronics 2023, 12, 2287. [Google Scholar] [CrossRef]
  35. Amiri, M.M.; Gündüz, D.; Kulkarni, S.R.; Poor, H.V. Convergence of Update Aware Device Scheduling for Federated Learning at the Wireless Edge. IEEE Trans. Wirel. Commun. 2021, 20, 3643–3658. [Google Scholar] [CrossRef]
  36. Rey, V.; Sánchez, P.M.S.; Celdrán, A.H.; Bovet, G. Federated Learning for Malware Detection in IoT Devices. Comput. Netw. 2022, 204, 108693. [Google Scholar] [CrossRef]
  37. Nguyen, T.D.; Rieger, P.; Miettinen, M.; Sadeghi, A.R. Poisoning Attacks on Federated Learning-based IoT Intrusion Detection System. In Proceedings of the Workshop on Decentralized IoT Systems and Security (DISS) 2020, San Diego, CA, USA, 23–26 February 2020.
  38. Cui, L.; Qu, Y.; Xie, G.; Zeng, D.; Li, R.; Shen, S.; Yu, S. Security and privacy-enhanced federated learning for anomaly detection in IoT infrastructures. IEEE Trans. Ind. Inform. 2021, 18, 3492–3500.
  39. Alamer, A. A privacy-preserving federated learning with a secure collaborative for malware detection models using Internet of Things resources. Internet Things 2024, 25, 101015.
  40. Mothukuri, V.; Khare, P.; Parizi, R.M.; Pouriyeh, S.; Dehghantanha, A.; Srivastava, G. Federated-Learning-Based anomaly detection for IoT security attacks. IEEE Internet Things J. 2021, 9, 2545–2554.
  41. Li, Y.; Zhang, Q.; Wang, X.; Zeng, R.; Li, H.; Murturi, I.; Dustdar, S.; Huang, M. Federated Learning for Internet of Things. In Learning Techniques for the Internet of Things; Springer: Cham, Switzerland, 2023; pp. 33–55.
  42. Vucovich, M.; Quinn, D.; Choi, K.; Redino, C.; Rahman, A.; Bowen, E. FedBayes: A Zero-Trust Federated Learning Aggregation to Defend Against Adversarial Attacks. In Proceedings of the 2022 IEEE 12th Annual Computing and Communication Workshop and Conference (CCWC), Las Vegas, NV, USA, 8–10 January 2024; pp. 0028–0035.
  43. Li, B.; Wang, P.; Huang, H.; Ma, S.; Jiang, Y. FLPHISH: Reputation-based Phishing Byzantine Defense in ensemble Federated learning. In Proceedings of the 2021 IEEE Symposium on Computers and Communications (ISCC), Athens, Greece, 5–8 September 2021; pp. 1–6.
  44. Popoola, S.I.; Ande, R.; Adebisi, B.; Gui, G.; Hammoudeh, M.; Jogunola, O. Federated Deep Learning for Zero-Day Botnet Attack Detection in IoT-Edge Devices. IEEE Internet Things J. 2021, 9, 3930–3944.
  45. Alnajjar, I.A.; Almazaydeh, L.; Odeh, A.A.; Salameh, A.A.; Alqarni, K.; Ban Atta, A.A. Anomaly Detection Based on Hierarchical Federated Learning with Edge-Enabled Object Detection for Surveillance Systems in Industry 4.0 Scenario. Int. J. Intell. Eng. Syst. 2024, 17.
  46. Jithish, J.; Alangot, B.; Mahalingam, N.; Yeo, K.S. Distributed Anomaly Detection in Smart Grids: A Federated Learning-Based Approach. IEEE Access 2023, 11, 7157–7179.
  47. Verma, P.; Breslin, J.G.; O’Shea, D. FLDID: Federated Learning Enabled Deep Intrusion Detection in Smart Manufacturing Industries. Sensors 2022, 22, 8974.
  48. Yoon, J.Y.; Choi, B.J. Privacy-Friendly Phishing Attack Detection Using Personalized Federated Learning. In Intelligent Human Computer Interaction; Lecture Notes in Computer Science; Springer: Cham, Switzerland, 2023; pp. 460–465.
  49. Jindal, K.; Guha, K. Federated Learning-Based Malware Detection for IoT Platforms. In Proceedings of the International Conference on Data, Electronics and Computing, Aizawl, India, 15–16 December 2023; Springer: Cham, Switzerland, 2023; pp. 185–202.
  50. Kalakoti, R.; Bahsi, H.; Nõmm, S. Explainable federated learning for botnet detection in IoT networks. In Proceedings of the 2024 IEEE International Conference on Cyber Security and Resilience (CSR), London, UK, 2–4 September 2024; IEEE: Piscataway, NJ, USA, 2024; pp. 01–08.
  51. Attota, D.C.; Mothukuri, V.; Parizi, R.M.; Pouriyeh, S. An ensemble multi-view federated learning intrusion detection for IoT. IEEE Access 2021, 9, 117734–117745.
  52. Idrissi, M.J.; Alami, H.; El Mahdaouy, A.; El Mekki, A.; Oualil, S.; Yartaoui, Z.; Berrada, I. Fed-ANIDS: Federated learning for anomaly-based network intrusion detection systems. Expert Syst. Appl. 2023, 234, 121000.
  53. Brecko, A.; Kajati, E.; Koziorek, J.; Zolotova, I. Federated learning for edge computing: A survey. Appl. Sci. 2022, 12, 9124.
  54. Arafeh, M.; Hammoud, A.; Otrok, H.; Mourad, A.; Talhi, C.; Dziong, Z. Independent and identically distributed (IID) data assessment in federated learning. In Proceedings of the GLOBECOM 2022-2022 IEEE Global Communications Conference, Rio de Janeiro, Brazil, 4–8 December 2022; IEEE: Piscataway, NJ, USA, 2022; pp. 293–298.
  55. Kim, M.; Saad, W.; Debbah, M.; Hong, C.S. SpaFL: Communication-Efficient Federated Learning with Sparse Models and Low Computational Overhead. arXiv 2024, arXiv:2406.00431.
  56. Soltani, B.; Zhou, Y.; Haghighi, V.; Lui, J. A Survey of Federated Evaluation in Federated Learning. In Proceedings of the Thirty-Second International Joint Conference on Artificial Intelligence (IJCAI-23), Macao, China, 19–25 August 2023; pp. 6769–6777.
  57. Soudan, B.; Abbas, S.; Kubba, A.; Abu Waraga, O.; Abu Talib, M.; Nasir, Q. Scalability and Performance Evaluation of Federated Learning Frameworks: A Comparative Analysis. Res. Sq. 2024.
  58. Khraisat, A.; Alazab, A.; Singh, S.; Jan, T.; Gomez, A., Jr. Survey on Federated Learning for Intrusion Detection System: Concept, Architectures, Aggregation Strategies, Challenges, and Future Directions. ACM Comput. Surv. 2024, 57, 1–38.
  59. Khraisat, A.; Alazab, A.; Alazab, M.; Jan, T.; Singh, S.; Uddin, M.A. Securing federated learning: A defense strategy against targeted data poisoning attack. Discover Internet Things 2025, 5, 16.
  60. Rahman, S.; Pal, S.; Jadidi, Z.; Karmakar, C. Robust Cyber Threat Intelligence Sharing using Federated Learning for Smart Grids. IEEE Trans. Comput. Soc. Syst. 2024, 12, 635–644.
  61. Astillo, P.V.; Duguma, D.G.; Park, H.; Kim, J.; Kim, B.; You, I. Federated intelligence of anomaly detection agent in IoTMD-enabled Diabetes Management Control System. Future Gener. Comput. Syst. 2022, 128, 395–405.
  62. Serpanos, D.; Xenos, G. Federated Learning in Malware Detection. In Proceedings of the 2022 IEEE 27th International Conference on Emerging Technologies and Factory Automation (ETFA), Sinaia, Romania, 12–15 September 2023; pp. 1–4.
  63. D’Angelo, G.; Farsimadan, E.; Ficco, M.; Palmieri, F.; Robustelli, A. Privacy-preserving malware detection in Android-based IoT devices through federated Markov chains. Future Gener. Comput. Syst. 2023, 148, 93–105.
  64. Nobakht, M.; Javidan, R.; Pourebrahimi, A. SIM-FED: Secure IoT malware detection model with federated learning. Comput. Electr. Eng. 2024, 116, 109139.
  65. Babbar, H.; Rani, S.; Boulila, W. NGMD: Next generation malware detection in federated server with deep neural network model for autonomous networks. Sci. Rep. 2024, 14, 10898.
  66. Amjath, M.; Henna, S.; Rathnayake, U. Graph representation federated learning for malware detection in Internet of health things. Results Eng. 2025, 25, 103651.
  67. Markovic, T.; Leon, M.; Buffoni, D.; Punnekkat, S. Random forest based on federated learning for intrusion detection. In Proceedings of the IFIP Advances in Information and Communication Technology, Crete, Greece, 17–20 June 2022; pp. 132–144.
  68. Alazab, A.; Khraisat, A.; Singh, S.; Jan, T. Enhancing privacy-preserving intrusion detection through federated learning. Electronics 2023, 12, 3382.
  69. Rose, J.D. Next-Gen Phishing Detection System Based on Federated Learning Integrated CNN-LSTM for SMS Communication. In Proceedings of the 2024 5th International Conference on Intelligent Communication Technologies and Virtual Mobile Networks (ICICV), Tirunelveli, India, 11–12 March 2024.
  70. Hendaoui, F.; Hendaoui, S. SENTINEY: Securing ENcrypted mulTI-party computatIoN for Enhanced data privacY and phishing detection. Expert Syst. Appl. 2024, 256, 124896.
  71. Sidhpura, J.; Shah, P.; Veerkhare, R.; Godbole, A. FedSpam: Privacy Preserving SMS Spam Prediction. In Communications in Computer and Information Science; Springer: Cham, Switzerland, 2023; pp. 52–63.
  72. Vats, S.; Shastri, S.; Mehta, S. Federated Learning for SMS Spam Detection: A Privacy-Focused Approach. In Proceedings of the 2022 13th International Conference on Computing Communication and Networking Technologies (ICCCNT), Kamand, India, 24–28 June 2024; pp. 1–5.
  73. Srinivasa Rao, D.; Ajith Jubilson, E. SMS Spam Detection using Federated Learning. In Proceedings of International Conference on Computational Intelligence and Data Engineering; Lecture Notes on Data Engineering and Communications Technologies; Springer: Singapore, 2023; pp. 547–562.
  74. Ul Haq, I.; Black, P.; Gondal, I.; Kamruzzaman, J.; Watters, P.; Kayes, A. Spam email categorization with NLP and using federated deep learning. In Proceedings of the International Conference on Advanced Data Mining and Applications, Brisbane, QLD, Australia, 28–30 November 2022; Springer: Cham, Switzerland, 2022; pp. 15–27.
  75. Anh, H.Q.; Anh, P.T.; Nguyen, P.S.; Hung, P.D. Federated Learning for Vietnamese SMS Spam Detection Using Pre-trained PhoBERT. In Proceedings of the International Conference on Intelligent Data Engineering and Automated Learning, Valencia, Spain, 20–22 November 2024; Springer: Cham, Switzerland, 2024; pp. 254–264.
  76. Zhou, H.; Sheng, Z. A Federated Learning Based Botnet Detection Method for Industrial Internet of Things. In Proceedings of the 7th International Conference on Cyber Security and Information Engineering, Putrajaya, Malaysia, 22–24 September 2023.
  77. Metwaly, A.; El-henawy, I. Protecting IoT Devices from BotNet Threats: A Federated Machine Learning Solution. Sustain. Mach. Intell. J. 2023, 2, 1–12.
  78. de Caldas Filho, F.L.; Soares, S.C.M.; Oroski, E.; de Oliveira Albuquerque, R.; Da Mata, R.Z.A.; De Mendonça, F.L.L.; de Sousa Júnior, R.T. Botnet detection and mitigation model for IoT networks using federated learning. Sensors 2023, 23, 6305.
  79. Popoola, S.; Ande, R.; Atayero, A.; Hammoudeh, M.; Gui, G.; Adebisi, B. Optimized Lightweight Federated Learning for Botnet Detection in Smart Critical Infrastructure. TechRxiv 2023.
  80. Zhang, J.; Liang, S.; Ye, F.; Hu, R.Q.; Qian, Y. Towards Detection of Zero-Day Botnet Attack in IoT Networks Using Federated Learning. In Proceedings of the ICC 2022—IEEE International Conference on Communications, Rome, Italy, 28 May–1 June 2023.
  81. Javeed, D.; Saeed, M.S.; Adil, M.; Kumar, P.; Jolfaei, A. A federated learning-based zero trust intrusion detection system for Internet of Things. Ad Hoc Netw. 2024, 162, 103540.
  82. Consul, P.; Joshi, N.; Budhiraja, I.; Biswas, S.; Kumar, N.; Sharma, S.; Abraham, A. A Reliable Zero-Trust Network for Task Offloading in Vehicular Systems Using an Asynchronous Federated Learning Approach in 6G. In Proceedings of the SIGCOMM Workshop on Zero Trust Architecture for Next Generation Communications, Sydney, NSW, Australia, 4–8 August 2024; pp. 25–30.
  83. Pokhrel, S.R.; Yang, L.; Rajasegarar, S.; Li, G. Robust Zero Trust Architecture: Joint Blockchain based Federated Learning and Anomaly Detection based Framework. In Proceedings of the ZTA-NextGen ’24 SIGCOMM Workshop on Zero Trust Architecture for Next Generation Communications, Sydney, NSW, Australia, 4–8 August 2024; pp. 7–12.
  84. Bandara, E.; Liang, X.; Shetty, S.; Mukkamala, R.; Rahman, A.; Keong, N.W. Skunk—A blockchain and zero trust security enabled federated learning platform for 5G/6G network slicing. In Proceedings of the 2022 19th Annual IEEE International Conference on Sensing, Communication, and Networking (SECON), Stockholm, Sweden, 20–23 September 2022; IEEE: Piscataway, NJ, USA, 2022; pp. 109–117.
  85. Al Shahrani, A.M.; Rizwan, A.; Sánchez-Chero, M.; Cornejo, L.L.C.; Shabaz, M. Blockchain-Enabled Federated Learning for Prevention of Power Terminals Threats in IoT Environment Using Edge Zero-Trust Model. J. Supercomput. 2023, 80, 7849–7875.
  86. Truong, H.T.; Ta, B.P.; Le, Q.A.; Nguyen, D.M.; Le, C.T.; Nguyen, H.X.; Do, H.T.; Nguyen, H.T.; Tran, K.P. Light-weight federated learning-based anomaly detection for time-series data in industrial control systems. Comput. Ind. 2022, 140, 103692.
  87. Yan, Y.; Wang, Y.; Hu, Y.; Li, Y. Federated Learning-Based Anomaly Detection for Environment Monitoring Sensor Networks. IEEE Sens. Lett. 2024, 8, 6008904.
  88. Huong, T.T.; Bac, T.P.; Ha, K.N.; Hoang, N.V.; Hoang, N.X.; Hung, N.T.; Tran, K.P. Federated learning-based explainable anomaly detection for industrial control systems. IEEE Access 2022, 10, 53854–53872.
  89. Arikkat, D.R.; Cihangiroglu, M.; Conti, M.; KA, R.R.; Nicolazzo, S.; Nocera, A.; Vinod, P. SeCTIS: A framework to Secure CTI Sharing. Future Gener. Comput. Syst. 2025, 164, 107562.
  90. Salim, M.M.; El Azzaoui, A.; Deng, X.; Park, J.H. FL-CTIF: A Federated Learning Based CTI Framework Based on Information Fusion for Secure IIoT. Inf. Fusion 2023, 102, 102074.
  91. Verma, P.; De Leon, M.P.; Breslin, J.G.; O’Shea, D. FedTIU: Securing Virtualized PLCs Against DDoS Attacks Using a Federated Learning Enabled Threat Intelligence Unit. In Proceedings of the 2023 IEEE International Conference on Smart Computing (SMARTCOMP), Nashville, TN, USA, 26–30 June 2023.
  92. Kumar, P.; Gupta, G.P.; Tripathi, R.; Garg, S.; Hassan, M.M. DLTIF: Deep Learning-Driven Cyber Threat Intelligence Modeling and Identification Framework in IoT-Enabled Maritime Transportation Systems. IEEE Trans. Intell. Transp. Syst. 2021, 1–10.
  93. Tulasi Kasuba, D.S.S.; Balaram, V. Adaptive Secure Threat Intelligence Infrastructure for AI and the Edge. Math. Stat. Eng. Appl. 2022, 71, 1459–1474.
  94. Kazmi, S.H.A.; Qamar, F.; Hassan, R.; Nisar, K.; Dahnil, D.P.B.; Al-Betar, M.A. Threat Intelligence with Non-IID Data in Federated Learning enabled Intrusion Detection for SDN: An Experimental Study. In Proceedings of the 2023 24th International Arab Conference on Information Technology (ACIT), Ajman, United Arab Emirates, 6–8 December 2023; pp. 1–6.
  95. Kazmi, S.H.A.; Hassan, R.; Qamar, F.; Nisar, K.; Dahnil, D.P. Threat Intelligence in IoMTs with Federated Learning using Non-IID Data: An Experimental Analysis. In Proceedings of the 2024 IEEE 7th International Symposium on Telecommunication Technologies (ISTT), Langkawi Island, Malaysia, 21–22 October 2024; IEEE: Piscataway, NJ, USA, 2024; pp. 120–125.
  96. Fereidooni, H.; Dmitrienko, A.; Rieger, P.; Miettinen, M.; Sadeghi, A.R.; Madlener, F. FedCRI: Federated Mobile Cyber-Risk Intelligence. In Proceedings of the NDSS, San Diego, CA, USA, 24–28 April 2022.
  97. Saura, P.F.; Gil, J.F.M.; Bernabé, J.B.; Skarmeta, A. Privacy-Preserving Cyber Threat Information Sharing Leveraging FL-Based Intrusion Detection in the Financial Sector. In Communications in Computer and Information Science; Springer: Cham, Switzerland, 2023; pp. 50–64.
  98. Jiang, T.; Shen, G.; Guo, C.; Cui, Y.; Xie, B. BFLS: Blockchain and Federated Learning for sharing threat detection models as Cyber Threat Intelligence. Comput. Netw. 2023, 224, 109604.
  99. Ongun, T.; Boboila, S.; Oprea, A.; Eliassi-Rad, T.; Hiser, J.; Davidson, J. CELEST: Federated learning for globally coordinated threat detection. arXiv 2023, arXiv:2205.11459.
  100. Bouharoun, M.; Taghdouti, B.; Erradi, M. A Peer to Peer Federated Graph Neural Network for Threat Intelligence. In Proceedings of the International Conference on Networked Systems, Benguerir, Morocco, 22–24 May 2023; Springer: Cham, Switzerland, 2023; pp. 35–40.
  101. Bandara, E.; Shetty, S.; Mukkamala, R.; Rahaman, A.; Liang, X. Luunu—Blockchain, MISP, model cards and federated learning enabled cyber threat intelligence sharing platform. In Proceedings of the 2022 Annual Modeling and Simulation Conference (ANNSIM), San Diego, CA, USA, 18–20 July 2022; IEEE: Piscataway, NJ, USA, 2022; pp. 235–245.
Figure 1. PRISMA flow diagram.
Figure 2. ML-based vs. FL-based CTI sharing architectures in IIoT environments.
Figure 3. FL Categorization by Cloud Orchestration.
Table 1. Comparison of the existing surveys.
Author (Year) [Ref] | CTI | Cybersecurity | IIoT | AI | FL-Based Cybersecurity | ML-Based CTI | FL-Based CTI
[7]
[8]
[10]
[9]
[11]
[12]
[13]
[14]
[15]
[16]
Proposed survey
Table 2. Standards and Protocols for CTI Sharing.
Standard/Protocol | Description | Format/Technology | Primary Purpose
STIX | Structured language for describing threat information | Structured Language | Exchanging CTI data
TAXII | Secure protocol for CTI communication over HTTP | Protocol/API | Real-time CTI exchange
MAEC | Malware attribute and behavior encoding standard | Structured Language | Describing malware traits
OpenIOC | XML-based IoC sharing format | XML | Indicator collection and exchange
CybOX | Language for representing observables | Structured Language | Sharing cyber events
OpenTPX | JSON format for operational threat data | JSON | Sharing operational intelligence
IODEF | Format for describing incident data | XML | CSIRT communications
RID | Protocol for real-time incident coordination | Protocol | Automated incident mitigation
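STIX and TAXII are the pair a practitioner meets most often in Table 2: STIX defines the objects, TAXII carries bundles of them over HTTP. As an added example (not code from the survey or from the OASIS STIX/TAXII projects), the following Python builds a STIX 2.1 Indicator and Bundle with the standard library and checks the properties the specification requires before a bundle is pushed to a TAXII collection. The object ids, timestamps, indicator name and pattern (a 203.0.113.0/24 TEST-NET address) are constructed sample values; the checker covers the common Domain Object properties and the Indicator-specific ones, not the full STIX pattern grammar.

```python
"""STIX 2.1 Indicator bundle builder and checker for the CTI formats in Table 2.

Added example, not code from the survey or from the OASIS STIX/TAXII projects.
Standard library only; every id, timestamp and the indicator pattern below is
a constructed sample value.
"""
import json
import re
import uuid
from datetime import datetime, timezone
from typing import Any, Dict, List

# STIX identifier: "<object-type>--<RFC 4122 UUID>"
STIX_ID_RE = re.compile(
    r"^[a-z][a-z0-9-]{0,249}--[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$")
# STIX timestamp: RFC 3339 date-time in UTC with a trailing 'Z'
TIMESTAMP_RE = re.compile(r"^\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}(\.\d+)?Z$")

# Common properties every STIX Domain Object must carry, plus Indicator-specific ones
SDO_REQUIRED = ("type", "spec_version", "id", "created", "modified")
INDICATOR_REQUIRED = ("pattern", "pattern_type", "valid_from")

SAMPLE_CREATED = datetime(2025, 1, 15, 9, 30, tzinfo=timezone.utc)  # constructed


def stix_timestamp(dt: datetime) -> str:
    """Format a timezone-aware datetime as a STIX timestamp with millisecond precision."""
    utc = dt.astimezone(timezone.utc)
    return f"{utc.strftime('%Y-%m-%dT%H:%M:%S')}.{utc.microsecond // 1000:03d}Z"


def make_indicator(pattern: str, name: str, created: datetime) -> Dict[str, Any]:
    """Build a minimal STIX 2.1 Indicator; valid_from defaults to the creation time."""
    ts = stix_timestamp(created)
    return {
        "type": "indicator",
        "spec_version": "2.1",
        "id": f"indicator--{uuid.uuid4()}",
        "created": ts,
        "modified": ts,
        "name": name,
        "pattern": pattern,
        "pattern_type": "stix",
        "valid_from": ts,
    }


def make_bundle(objects: List[Dict[str, Any]]) -> Dict[str, Any]:
    """Wrap objects in a STIX 2.1 Bundle, the unit a TAXII collection exchanges."""
    return {"type": "bundle", "id": f"bundle--{uuid.uuid4()}", "objects": list(objects)}


def validate_object(obj: Dict[str, Any]) -> List[str]:
    """Check a Domain Object (extra rules for Indicators). Empty list means it passes."""
    required = SDO_REQUIRED + (INDICATOR_REQUIRED if obj.get("type") == "indicator" else ())
    problems = [f"missing required property '{k}'" for k in required if k not in obj]
    if problems:
        return problems
    if obj["spec_version"] != "2.1":
        problems.append(f"spec_version is '{obj['spec_version']}', expected '2.1'")
    if not STIX_ID_RE.match(obj["id"]) or not obj["id"].startswith(obj["type"] + "--"):
        problems.append("id is not of the form '<type>--<uuid>'")
    stamps = ["created", "modified"] + (["valid_from"] if obj["type"] == "indicator" else [])
    for key in stamps:
        if not isinstance(obj[key], str) or not TIMESTAMP_RE.match(obj[key]):
            problems.append(f"'{key}' is not an RFC 3339 UTC timestamp")
    # Same-precision timestamps sort lexically, so a string compare is enough here
    if not problems and obj["modified"] < obj["created"]:
        problems.append("'modified' precedes 'created'")
    if obj["type"] == "indicator" and obj["pattern_type"] == "stix" and "[" not in obj["pattern"]:
        problems.append("STIX patterns wrap observation expressions in '[...]'")
    return problems


def validate_bundle(bundle: Dict[str, Any]) -> Dict[str, List[str]]:
    """Return {object id or position: problems} for each failing part; {} if all pass."""
    report: Dict[str, List[str]] = {}
    bundle_id = str(bundle.get("id", ""))
    if bundle.get("type") != "bundle" or not STIX_ID_RE.match(bundle_id) \
            or not bundle_id.startswith("bundle--"):
        report["bundle"] = ["bundle must have type 'bundle' and id 'bundle--<uuid>'"]
    objects = bundle.get("objects")
    if not isinstance(objects, list) or not objects:  # non-empty list assumed for sharing
        report.setdefault("bundle", []).append("'objects' must be a non-empty list")
        return report
    for i, obj in enumerate(objects):
        problems = validate_object(obj)
        if problems:
            report[str(obj.get("id", f"objects[{i}]"))] = problems
    return report


def build_sample_bundle() -> Dict[str, Any]:
    """Constructed sample: one network indicator ready for TAXII publication."""
    indicator = make_indicator("[ipv4-addr:value = '203.0.113.10']",
                               "Constructed sample: suspected C2 beacon address",
                               SAMPLE_CREATED)
    return make_bundle([indicator])


if __name__ == "__main__":
    sample = build_sample_bundle()
    print(json.dumps(sample, indent=2))
    print("problems:", validate_bundle(sample) or "none")
```

Running the checker on received bundles, not only on outgoing ones, is the useful half: a federated CTI peer that ingests malformed or back-dated indicators into its training set is exposed to exactly the data-quality problems the later tables discuss, and rejecting objects that fail these structural checks is cheap compared with any learning-side defense.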
Table 3. Comparison of Federated Learning Types Based on Data Partition (adapted from [23,24,25]).
Aspect | HFL | VFL | FTL
Scenario | Same features, different entities [24] | Same entities, different features [23] | Minimal overlap in users/features [25]
Approach | Align shared features [24] | Align shared entities [23] | Transfer via auxiliary models [26]
Benefits | Broader sample space [24] | Richer feature context [23] | Effective in sparse data [25]
Challenges | Gradient leakage [23] | Secure aggregation [27] | Task/domain mismatch [28]
CTI Use Case | Multi-site intrusion detection [29] | Cross-org fusion [30] | Rare threat generalization [6]
Table 4. Comparison of aggregation methods in federated learning (adapted from [23,27,28,34,35]).
Approach | Description | Advantages | Disadvantages | Representative Use Case/Reference
FedAvg (Average) | Mean of client updates [23] | Simple, effective | Weak under highly non-IID data | Standard baseline for FL, widely used in CTI frameworks [29,36]
Clipped Avg. | Limits extreme updates (gradient clipping) [27,34] | Mitigates outliers and poisoned updates | Extra tuning/compute for clipping thresholds | Malicious-client resistance in IDS [37]
Secure Aggregation | Uses encryption/secure multiparty computation [23,28] | Strong confidentiality; hides client updates | Setup and communication complexity | Privacy-preserving IDS [38,39]
Differential Privacy | Adds calibrated noise to updates [27,28] | Formal privacy guarantees | Accuracy–privacy trade-off; parameter tuning | Privacy-critical CTI sharing [22]
Momentum-based | Adds momentum to global optimization [27] | Faster convergence | Sensitive to hyperparameters | Speed-focused anomaly detection [40]
Weighted Aggregation | Scales updates by dataset size/quality [27,41] | Reflects client importance; boosts accuracy | Can bias toward large clients | Non-IID IIoT datasets [30,31]
Bayesian/Probabilistic | Probabilistic weighting of client updates [34] | Better generalization; models uncertainty | Requires more data and compute | Advanced aggregation in uncertain IIoT tasks [42]
Adversarial-Robust | Filters/downweights malicious updates [34,37] | Improves resilience against poisoning/backdoors | Extra compute; may penalize benign clients | High-threat IIoT deployments [43]
Quantization/Compression | Compresses model updates [35] | Reduces bandwidth and uplink costs | Loss of precision in extreme compression | Low-bandwidth IIoT networks [44]
Hierarchical | Multi-level (edge/regional/cloud) aggregation [21,45] | Scalable; reduces cross-domain traffic | Requires orchestration across levels | Smart grids, smart manufacturing [46,47]
Personalized | Tailors global model per client [28,48] | Handles heterogeneity; better local fit | Higher overhead; careful balancing needed | Phishing/malware detection in heterogeneous IoT [49,50]
Ensemble | Combines diverse local/global models [34,51] | High accuracy on diverse tasks | Model management overhead | Non-IID intrusion detection [29,52]
Table 5. FL model evaluation methods (adapted from [27,28,34,54,56]).
Aspect | Description | Evaluation Type | Metrics | Challenges/References
Data-level | Based on client data volume [27] | Indirect | Data quantity | Lacks quality insight; may not reflect representativeness [34]
Model Utility | Uses loss/accuracy to estimate client contribution [28] | Metric-based | Loss, accuracy | No access to raw data; risks of privacy leakage [27]
Shapley Values | Contribution estimation via cooperative game theory [56] | Contribution-based | Approx. SV score | High computational cost; scalability issues [34]
Statistical | Divergence in model updates [27,54] | Parameter-based | Euclidean distance, cosine similarity | May miss semantic or task-level insights [28]
Performance | Evaluates global model accuracy [28] | Outcome-based | Precision, F1, AUC | Requires secure aggregation; biased under non-IID data [27]
Proxy Dataset | Uses shared benchmark/test dataset [34] | Hybrid | Accuracy, loss, latency | Risk of bias, domain mismatch [28]
Table 6. Comparison of FL aggregation methods on key performance metrics. Values are synthesized from multiple benchmark studies in CTI/IIoT contexts, including IDS and anomaly detection benchmarks on CICIDS2017, UNSW-NB15, Bot-IoT, and IoT-23 datasets [27,28,29,34,35,36,44,52].
Aggregation Method | Accuracy (IID) | Accuracy (Non-IID) | Convergence Speed | Robustness to Attacks | Computational Cost
FedAvg | 91% [29,36] | 75% [44] | Medium [27] | Low [34] | Low [28]
FedProx | 89% [52] | 78% [29] | Slow [27] | Moderate [34] | Medium [28]
Krum | 87% [34] | 77% [27] | Slow [34] | High [37] | High [28]
ClippedAvg | 88% [27] | 80% [34] | Medium [35] | High [37] | Medium [28]
Multi-Krum | 85% [34] | 79% [27] | Slow [34] | Very High [37] | Very High [28]
Note: The performance values in Table 6 are synthesized from multiple benchmark studies conducted in CTI-relevant IIoT environments. These include widely used intrusion detection and anomaly detection datasets such as CICIDS2017 [29], UNSW-NB15 [52], Bot-IoT [44], and IoT-23 [36], as well as industrial smart grid and manufacturing testbeds [46,47]. Reported accuracies and robustness values reflect both IID and non-IID training conditions, with experiments typically conducted on federated settings involving 10–50 clients using edge-cloud or hierarchical deployments. Differences in convergence speed and computational overhead stem from variations in model complexity, aggregation strategies, and communication constraints across these environments. This contextualization ensures that the comparative synthesis remains reproducible and representative of real-world FL-CTI scenarios.
Table 7. Comparison of FL-CTI deployment models (adapted from [20,21,45,46,47,60]).
Model | Latency | Scalability | Privacy
Edge–Cloud | Low [46,47] | Moderate [60] | Moderate [20]
Hierarchical | Moderate [21,45] | High [46] | High [60]
Fully Decentralized | High [21] | Low [7] | Very High [20,60]
Note: The deployment trade-offs in Table 7 are synthesized from studies evaluating FL-based CTI in IIoT contexts. Edge–cloud deployments have been demonstrated in smart manufacturing and industrial intrusion detection frameworks (e.g., FLDID [47], smart grid IDS [46]), showing low latency but only moderate scalability and privacy. Hierarchical models leverage multi-tier aggregation across edge, fog, and cloud layers (e.g., [21,45]), which improves scalability and privacy at the expense of added coordination overhead and moderate latency. Fully decentralized or blockchain-based CTI sharing schemes (e.g., [7,20,60]) provide very strong privacy guarantees by eliminating central aggregation, but they incur higher latency and limited scalability due to consensus and communication costs. These results illustrate how deployment choices directly influence latency, scalability, and privacy, and highlight the need for context-aware model selection in IIoT environments.
Table 8. Representative industry case studies and benchmarks of FL-CTI in IIoT contexts.
Domain | Study/Reference | Deployment Context | FL Approach | Key Outcomes
Smart Grid | Jithish et al. [46] | Substation anomaly detection across distributed nodes | Hierarchical FL | Improved detection accuracy; scalable to multiple grid substations
Smart Manufacturing | Verma et al. [47] | Industrial IDS in manufacturing edge–cloud settings | Edge–cloud FL (FLDID) | Low-latency detection; supports secure edge participation
Healthcare IoT | Astillo et al. [61] | Diabetes monitoring across hospital IoT devices | Privacy-preserving FL | Protected patient data while maintaining predictive accuracy
IoT Botnet Defense | Popoola et al. [44] | IoT-Edge devices against large-scale botnet traffic | Cross-silo FL | Detected zero-day botnet variants; challenges under non-IID data
IIoT Intrusion Detection | Friha et al. [29] | Agricultural IoT intrusion detection | Horizontal FL (FELIDS) | Demonstrated scalability with limited communication overhead
Table 9. Summary of adversarial risks and defenses in FL-CTI.
Attack Type | Threat Description | Defenses/References
Poisoning Attacks | Malicious clients inject corrupted updates to degrade model accuracy or introduce errors | Robust aggregation (Krum, Multi-Krum, ClippedAvg) [27,34]; anomaly detection; secure multi-party computation
Backdoor Attacks | Hidden triggers implanted to cause targeted misclassification while maintaining normal accuracy | Gradient clipping, differential privacy [22]; model inspection; selective update filtering [29,52]
Adaptive Adversaries | Attackers adjust tactics dynamically, combining poisoning, inference, or evasion across rounds | Adaptive aggregation; ensemble defenses; blockchain-based trust [20,21]; continuous monitoring
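The aggregation rows of Table 4, the robustness column of Table 6 and the poisoning defenses of Table 9 all describe how the server combines client updates. The following Python, added here and not taken from the survey or from any FL framework, implements FedAvg (with optional sample-count weights, the Weighted Aggregation row), ClippedAvg, Krum and Multi-Krum over plain Python lists, plus the cosine-similarity screen listed under Statistical in Table 5. The six benign updates and the single poisoned update are constructed; the poisoned client is chosen so that plain averaging flips the sign of the global update while the robust rules do not. The parameter f is the assumed number of Byzantine clients, and max_norm is the clipping threshold that Table 4 notes has to be tuned.

```python
"""Aggregation rules from Tables 4, 6 and 9 applied to constructed client updates.

Added example, not code from the survey or any FL framework: pure-Python FedAvg,
ClippedAvg, Krum, Multi-Krum and the cosine-similarity screen of Table 5, run on
six benign updates and one poisoned update. Every vector is a constructed sample.
"""
import math
from typing import List, Optional, Sequence, Tuple

Vector = List[float]

# Constructed updates: six benign clients clustered around [1.0, -0.5, 0.25] and
# one poisoning client (index 6) sending a large, sign-flipped update.
BENIGN: List[Vector] = [
    [1.00, -0.50, 0.25],
    [1.05, -0.45, 0.20],
    [0.95, -0.55, 0.30],
    [1.10, -0.50, 0.25],
    [0.90, -0.50, 0.25],
    [1.00, -0.40, 0.30],
]
POISONED: Vector = [-40.0, 40.0, -40.0]
UPDATES: List[Vector] = BENIGN + [POISONED]
POISONED_INDEX = len(BENIGN)


def l2_norm(v: Vector) -> float:
    return math.sqrt(sum(x * x for x in v))


def sq_dist(a: Vector, b: Vector) -> float:
    return sum((x - y) ** 2 for x, y in zip(a, b))


def fed_avg(updates: Sequence[Vector], weights: Optional[Sequence[float]] = None) -> Vector:
    """FedAvg: weighted mean of client updates. Equal weights by default; passing
    per-client sample counts gives the 'Weighted Aggregation' row of Table 4."""
    if weights is None:
        weights = [1.0] * len(updates)
    total = float(sum(weights))
    return [sum(w * u[j] for w, u in zip(weights, updates)) / total
            for j in range(len(updates[0]))]


def clipped_avg(updates: Sequence[Vector], max_norm: float) -> Vector:
    """ClippedAvg: rescale any update whose L2 norm exceeds max_norm down to max_norm,
    then average. No single client can move the global model by more than max_norm/n."""
    clipped = []
    for u in updates:
        norm = l2_norm(u)
        scale = min(1.0, max_norm / norm) if norm > 0 else 1.0
        clipped.append([x * scale for x in u])
    return fed_avg(clipped)


def krum_scores(updates: Sequence[Vector], f: int) -> List[float]:
    """Krum score per update: sum of squared distances to its n-f-2 nearest peers,
    with f the assumed number of Byzantine clients. Outliers score high."""
    k = len(updates) - f - 2
    if k < 1:
        raise ValueError("Krum needs more than f + 2 clients")
    scores = []
    for i, ui in enumerate(updates):
        dists = sorted(sq_dist(ui, uj) for j, uj in enumerate(updates) if j != i)
        scores.append(sum(dists[:k]))
    return scores


def krum(updates: Sequence[Vector], f: int) -> int:
    """Krum: index of the single lowest-scoring update, used as the global update."""
    scores = krum_scores(updates, f)
    return min(range(len(updates)), key=scores.__getitem__)


def multi_krum(updates: Sequence[Vector], f: int, m: int) -> Tuple[List[int], Vector]:
    """Multi-Krum: keep the m lowest-scoring updates and average them."""
    scores = krum_scores(updates, f)
    chosen = sorted(sorted(range(len(updates)), key=scores.__getitem__)[:m])
    return chosen, fed_avg([updates[i] for i in chosen])


def cosine_similarity(a: Vector, b: Vector) -> float:
    return sum(x * y for x, y in zip(a, b)) / (l2_norm(a) * l2_norm(b))


def flag_by_cosine(updates: Sequence[Vector], min_similarity: float) -> List[int]:
    """Statistical screen (Table 5): flag updates whose direction disagrees with the
    coordinate-wise median, which one extreme client cannot drag the way a mean can."""
    median = []
    for j in range(len(updates[0])):
        col = sorted(u[j] for u in updates)
        median.append(col[len(col) // 2])  # upper median for an even client count
    return [i for i, u in enumerate(updates)
            if cosine_similarity(u, median) < min_similarity]


if __name__ == "__main__":
    print("FedAvg    :", [round(x, 3) for x in fed_avg(UPDATES)])
    print("ClippedAvg:", [round(x, 3) for x in clipped_avg(UPDATES, max_norm=2.0)])
    print("Krum      : client", krum(UPDATES, f=1))
    kept, agg = multi_krum(UPDATES, f=1, m=len(UPDATES) - 1)
    print("Multi-Krum:", kept, [round(x, 3) for x in agg])
    print("Flagged   :", flag_by_cosine(UPDATES, min_similarity=0.5))
```

On these inputs FedAvg returns a first coordinate near -4.9 (the poisoned client alone decides the sign), ClippedAvg with max_norm 2.0 stays near 0.7, Krum selects client 0, Multi-Krum with m = n - 1 keeps exactly the six benign clients and recovers their mean, and the cosine screen flags only client 6. The trade-offs in Table 6 are visible in the code: Krum and Multi-Krum cost O(n² d) distance computations per round, which is why their computational cost is rated high, while ClippedAvg adds only a norm per client.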