ZTA-FedIDS: A Zero-Trust Architecture-Integrated Federated Intrusion Detection System with Explainable AI for Enterprise Network Cybersecurity | IJCSE Volume 10 – Issue 2 | IJCSE-V10I2P22


International Journal of Computer Science Engineering Techniques

ISSN: 2455-135X
Volume 10, Issue 2

Abstract

Hybrid cloud setups, scattered remote teams, and the boom in IoT devices have basically wiped out the old idea of a network perimeter. The network isn’t a closed castle anymore—it’s porous, sprawling, and way more complicated. Old-school intrusion detection systems that rely on centralized machine learning just can’t keep up. They stumble in three main ways: First, they need to gather all the raw traffic in one place, which goes against today’s data privacy rules. Second, they look at traffic one packet at a time, which means they miss attacks that hop across the network—especially within supposed “safe zones.” And third, the alerts these systems spit out are so vague that security teams struggle to respond fast enough. This paper introduces ZTA-FedIDS, a framework designed to tackle all those pain points. It brings together Zero-Trust Architecture micro-segmentation, Federated Learning, and Graph Attention Networks. Here’s how it works: Each network segment runs its own Graph Attention Network model using traffic graphs that include four context markers inspired by Zero-Trust principles—Policy Compliance Score, Micro-Segment Boundary Crossing flag, Identity Confidence Score, and Session Risk Tier. Instead of sharing raw traffic, the system sends privacy-protected model updates to a central server that combines them using weighted averaging. Things don’t stop there: A Mistral-7B-Instruct large language model turns the most important detection features into clear, MITRE ATT&CK-style advice that security analysts can actually use. In real-world tests across a simulated network with eight clients and using real intrusion data, ZTA-FedIDS hit 97.8% detection accuracy, an F1-score of 0.97, and kept false positives down to just 1.1%. For lateral movement attacks—the “infiltration” class—the recall shot up to 96.3%, which beats a centralized CNN-LSTM system by over 35%. In a hands-on trial with twelve SOC analysts, the system cut down the time to handle alerts by 41.5%.

Keywords

adversarial robustness, enterprise network security, explainable artificial intelligence, federated learning, graph attention networks, intrusion detection system, lateral movement detection, zero-trust architecture

Conclusion

In this paper, we introduced ZTA-FedIDS—a federated intrusion detection system that brings together Zero-Trust Architecture policy enforcement, Graph Attention Networks, Gaussian differential privacy, and explainability powered by large language models, all within one enterprise-ready setup. We used four context vectors derived from Zero-Trust principles—PCS, MSBC, ICS, and SRT—to give local GAT models extra policy-driven information that regular packet-level classifiers just can’t see. Federated training with strict (ε, δ)-differential privacy ensures network traffic never leaves each segment, keeping sensitive data safe. Then, our LLM-based explainability module converts raw SHAP attributions into clear, MITRE ATT&CK-mapped advice for security teams. Experimental results on CICIDS2017 and CIC-IDS-2018 across an 8-client enterprise topology simulation demonstrate 97.8% detection accuracy, F1-score of 0.97, 1.1% FPR, and a 35.3% relative improvement in lateral movement recall over a centralized CNN-LSTM baseline. Adversarial robustness under FGSM perturbation yields 94.1% accuracy versus 79.3% for the centralized model. A practitioner study with twelve SOC professionals confirms a 41.5% reduction in mean triage time with LLM advisories. Looking ahead, we’re aiming for real-world deployment using telemetry from production ZTA-enabled platforms, expanding our GNN design to work with encrypted traffic (using certificate data and flow stats), and exploring personalized federated learning to handle non-IID data across different enterprise segments. Altogether, ZTA-FedIDS provides a tested and reliable base for building intrusion detection that actually protects privacy, spots lateral movement, and gives analysts insights they can act on in complex enterprise environments.
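The aggregation step the abstract and conclusion describe (each segment sends a privacy-protected model update, the server combines them by weighted averaging) as an added example; this is not the paper's code. It assumes flat-vector updates, a fixed L2 clipping norm, a Gaussian noise multiplier, and per-client training-sample counts as the averaging weights; mapping the noise multiplier to a concrete (ε, δ) budget is left to a privacy accountant.

```python
"""Federated weighted averaging of Gaussian-DP-protected model updates.

Added illustration of the ZTA-FedIDS aggregation round. Clipping norm, noise
multiplier, client weights and the flat-vector model are assumptions for this
example, not values from the paper.
"""
import math
import random

def l2_norm(v):
    return math.sqrt(sum(x * x for x in v))

def clip_update(update, clip_norm):
    """Scale a client update so its L2 norm is at most clip_norm.
    Bounding each segment's contribution is what lets the Gaussian noise
    added below be calibrated to an (eps, delta) guarantee per round."""
    n = l2_norm(update)
    scale = min(1.0, clip_norm / n) if n > 0 else 1.0
    return [x * scale for x in update]

def privatize_update(update, clip_norm, noise_multiplier, rng):
    """Client side: clip, then add N(0, (noise_multiplier*clip_norm)^2) per
    coordinate. Only this noisy vector leaves the segment; raw flows never do."""
    clipped = clip_update(update, clip_norm)
    sigma = noise_multiplier * clip_norm
    return [x + rng.gauss(0.0, sigma) for x in clipped]

def weighted_average(updates, sample_counts):
    """Server side: FedAvg-style combination, each client weighted by the
    number of local training flows it reported, never by the flows themselves."""
    total = sum(sample_counts)
    agg = [0.0] * len(updates[0])
    for upd, n in zip(updates, sample_counts):
        w = n / total
        for i, x in enumerate(upd):
            agg[i] += w * x
    return agg

def federated_round(client_updates, sample_counts, clip_norm=1.0,
                    noise_multiplier=0.0, seed=0):
    """One aggregation round over all segments (eight clients in the paper).
    A seeded RNG keeps the example reproducible; production noise must not be."""
    rng = random.Random(seed)
    noisy = [privatize_update(u, clip_norm, noise_multiplier, rng)
             for u in client_updates]
    return weighted_average(noisy, sample_counts)
```

With noise_multiplier=0 and a large clip_norm the round reduces to plain FedAvg, which is a useful sanity check before enabling privacy.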

© 2025 International Journal of Computer Science Engineering Techniques (IJCSE).