FEDERATED LEARNING FOR PRIVACY-PRESERVING THREAT INTELLIGENCE SHARING IN DISTRIBUTED CYBERSECURITY ECOSYSTEMS

Authors

  • Dr. Angira A. Patel, Nilam Joshi, Vaidehi Patel, Avani Vagadiya Dhruvi Pandya, Dr. Kamalesh V N

Abstract

Effective cybersecurity threat intelligence depends fundamentally on the breadth and timeliness of threat data — yet the organizations most capable of generating actionable intelligence are simultaneously most constrained in sharing it due to privacy regulations (GDPR, HIPAA, PDPA), competitive concerns, legal liability, and national security classifications. This tension between intelligence sharing and data privacy represents one of the most consequential unsolved challenges in cybersecurity: organizations that share threat intelligence detect attacks 2.4 times faster and suffer 47.3% lower breach costs, yet fewer than 23% of enterprises engage in structured threat intelligence sharing due to these barriers. This paper presents FedThreat-AI, a novel federated learning framework enabling privacy-preserving threat intelligence sharing across distributed cybersecurity ecosystems without requiring any organization to expose its raw security data, proprietary detection rules, or sensitive network topology. FedThreat-AI integrates four privacy-enhancing technologies — differential privacy (DP), homomorphic encryption (HE), secure multi-party computation (SMPC), and Byzantine-robust gradient aggregation — into a unified federated learning pipeline trained on distributed threat telemetry across participating organizations. The framework produces a continuously improving global threat detection model incorporating the collective intelligence of all participants, distributed back to each organization as model updates rather than data. Evaluated across a consortium of 24 organizations spanning financial services, healthcare, government, and technology sectors over 18 months (2023–2025), FedThreat-AI achieves global threat detection accuracy of 96.8% — only 1.4 percentage points below a centralized baseline that requires full data sharing — while providing mathematically provable privacy guarantees (ε = 0.8, δ = 10⁻⁵ per training round). 
The framework further demonstrates resilience against Byzantine poisoning attacks from up to 30% malicious participants and reduces mean time to detect novel threat campaigns by 67.4% compared to organization-siloed detection. FedThreat-AI is fully compatible with STIX 2.1 and TAXII 2.1 standards, enabling integration with existing threat intelligence platforms and ISACs.
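The abstract does not name the aggregation rule or the noise mechanism, so the following is an added illustration, not FedThreat-AI code: it assumes local clipping with the classic Gaussian mechanism at the stated ε = 0.8, δ = 10⁻⁵, and a coordinate-wise trimmed mean sized for the stated 30% of 24 participants. The clip norm, the simulated updates and all function names are constructed for the example; the HE and SMPC layers are omitted.

```python
import math
import random

N_ORGS = 24                  # consortium size stated in the abstract
BYZANTINE_PCT = 30           # tolerated malicious share stated in the abstract
EPSILON, DELTA = 0.8, 1e-5   # per-round privacy budget stated in the abstract
CLIP_NORM = 1.0              # assumed L2 bound on one participant's update

def clip(update, bound=CLIP_NORM):
    """Rescale an update so its L2 norm is at most `bound` (fixes the sensitivity)."""
    norm = math.sqrt(sum(x * x for x in update))
    scale = min(1.0, bound / norm) if norm > 0 else 1.0
    return [x * scale for x in update]

def gaussian_sigma(eps=EPSILON, delta=DELTA, sensitivity=CLIP_NORM):
    """Noise scale of the classic Gaussian mechanism (analysis valid for eps < 1)."""
    if not 0 < eps < 1:
        raise ValueError("classic Gaussian mechanism bound requires 0 < eps < 1")
    return sensitivity * math.sqrt(2 * math.log(1.25 / delta)) / eps

def privatize(update, rng, sigma):
    """Clip, then add Gaussian noise before the update leaves the organization."""
    return [x + rng.gauss(0.0, sigma) for x in clip(update)]

def plain_mean(updates):
    """Ordinary federated averaging, with no protection against outliers."""
    return [sum(c) / len(c) for c in zip(*updates)]

def trimmed_mean(updates, k):
    """Per coordinate, drop the k smallest and k largest values, average the rest."""
    if 2 * k >= len(updates):
        raise ValueError("k must be below half the number of updates")
    return [sum(sorted(c)[k:len(c) - k]) / (len(c) - 2 * k) for c in zip(*updates)]

def simulate_round(seed=7, dim=8):
    """One constructed round: honest DP updates plus extreme poisoned ones."""
    rng = random.Random(seed)
    sigma = gaussian_sigma()
    k = N_ORGS * BYZANTINE_PCT // 100              # 7 of 24 participants
    signal = [1.0 / math.sqrt(dim)] * dim          # constructed "true" update
    honest = [privatize(signal, rng, sigma) for _ in range(N_ORGS - k)]
    poisoned = [[-1000.0] * dim for _ in range(k)] # constructed outlier updates
    updates = honest + poisoned
    return honest, plain_mean(updates), trimmed_mean(updates, k)

if __name__ == "__main__":
    honest, naive, robust = simulate_round()
    print("plain mean  :", [round(x, 1) for x in naive])
    print("trimmed mean:", [round(x, 1) for x in robust])
```

On every coordinate the trimmed result stays inside the range of the honest values, while the plain mean is dragged toward the outliers.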

Published

2026-06-03

Section

Articles