Ibaisi T. A., Kuhn S., Kazim M., Kara İ., Altindag T., Rehman M. U.
Big Data and Cognitive Computing, vol. 10, no. 4, pp. 1-27, 2026 (Scopus)
Publication Type: Article / Full Article
Volume: 10
Issue: 4
Publication Date: 2026
DOI: 10.3390/bdcc10040111
Journal Name: Big Data and Cognitive Computing
Journal Indexes: Scopus, Compendex, INSPEC, Directory of Open Access Journals
Pages: pp. 1-27
Affiliated with Atatürk Üniversitesi: Yes
Abstract
The increasing deployment of Internet of Things (IoT) devices introduces significant security challenges, while privacy concerns limit centralized data aggregation for intrusion detection. Federated learning (FL) offers a decentralized alternative, yet the interaction between feature representation, model architecture, and data heterogeneity remains insufficiently understood in IoT malware detection. This study provides a controlled comparative analysis of centralized and federated learning, optionally using amino acid encoding, under IID and Non-IID conditions using a 10,000-sample subset of the CTU–IoT–Malware–Capture dataset. First, we evaluate raw tabular features versus amino acid-based feature encoding, followed by a lightweight multi-layer perceptron (2882 parameters) versus a deeper residual network (70,532 parameters), across binary and multi-class classification tasks. In the binary setting, centralized training achieved up to 98.6% accuracy, while federated IID training reached 98.6%, with differences within statistical variance. Under Non-IID conditions, performance decreased modestly (0.1–0.5 percentage points), and accuracy was consistently lower when using encoded features compared with raw features. The degradation is smaller in deeper architectures, which may offer improved stability under highly skewed federated conditions. In the four-class setting, the complex network achieved up to 97.8% accuracy with raw features, while amino acid encoding achieved up to 93.3%. The results show that federated learning can achieve performance comparable to centralized training under moderate heterogeneity, that lightweight architectures are sufficient for low-dimensional IoT traffic features, and that feature compression via amino acid encoding does not inherently mitigate Non-IID effects. These findings clarify the relative impact of representation, heterogeneity, and architectural capacity in practical FL-based IoT intrusion detection systems.