FINISH: Efficient and Scalable NMF-Based Federated Learning for Detecting Malware Activities

5G networks with the vast number of devices pose security threats. Manual analysis of such extensive security data is complex. Dark-NMF can detect malware activities by monitoring unused IP address space, i.e., the darknet. However, the challenges of cooperative training for Dark-NMF are immense computational complexity with Big Data, communication overhead, and privacy concern with darknet sensor IP addresses. Darknet sensors can observe multivariate time series of packets from the same hosts, represented as intersecting columns in different data matrices. Previous works do not consider intersecting columns, losing a host's semantics because they do not aggregate the host's time series. To solve these problems, we proposed a federated IoT malware detection NMF for intersecting source hosts (FINISH) algorithm for offloading computing tasks to 5G multiaccess edge computing (MEC). The experiments show that FINISH is scalable to a data size with a shorter computational time and has a lower false positive detection performance than Dark-NMF. The comparison results demonstrate that FINISH has better computation and communication efficiency than related works and a short communication time, taking only 1/10 the execution time in a simulated 5G MEC. The experimental results can provide substantial insights into developing federated cybersecurity in the future.