Published April 7, 2026 | Version v1
Journal article | Open access

ZTA-FedIDS: A Zero-Trust Architecture-Integrated Federated Intrusion Detection System with Explainable AI for Enterprise Network Cybersecurity

Abstract

Hybrid cloud setups, scattered remote teams, and the boom in IoT devices have basically wiped out the old idea of a network perimeter. The network isn’t a closed castle anymore—it’s porous, sprawling, and way more complicated. Old-school intrusion detection systems that rely on centralized machine learning just can’t keep up. They stumble in three main ways: First, they need to gather all the raw traffic in one place, which goes against today’s data privacy rules. Second, they look at traffic one packet at a time, which means they miss attacks that hop across the network—especially within supposed “safe zones.” And third, the alerts these systems spit out are so vague that security teams struggle to respond fast enough. This paper introduces ZTA-FedIDS, a framework designed to tackle all those pain points. It brings together Zero-Trust Architecture micro-segmentation, Federated Learning, and Graph Attention Networks. Here’s how it works: Each network segment runs its own Graph Attention Network model using traffic graphs that include four context markers inspired by Zero-Trust principles—Policy Compliance Score, Micro-Segment Boundary Crossing flag, Identity Confidence Score, and Session Risk Tier. Instead of sharing raw traffic, the system sends privacy-protected model updates to a central server that combines them using weighted averaging. Things don’t stop there: A Mistral-7B-Instruct large language model turns the most important detection features into clear, MITRE ATT&CK-style advice that security analysts can actually use. In real-world tests across a simulated network with eight clients and using real intrusion data, ZTA-FedIDS hit 97.8% detection accuracy, an F1-score of 0.97, and kept false positives down to just 1.1%. For lateral movement attacks—the “infiltration” class—the recall shot up to 96.3%, which beats a centralized CNN-LSTM system by over 35%. In a hands-on trial with twelve SOC analysts, the system cut down the time to handle alerts by 41.5%.
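As an added illustration (not code from the paper), the snippet below sketches two of the steps the abstract describes: deriving the Micro-Segment Boundary Crossing flag for each traffic-graph edge alongside the other three context markers, and the server-side weighted averaging of client model updates, where only parameters, never raw traffic, leave a segment. The host-to-segment map, the flow records, the feature encoding and the client parameter vectors are constructed assumptions, not values from the paper.

```python
"""Toy version of two ZTA-FedIDS steps: edge features from Zero-Trust context
markers, and FedAvg-style weighted aggregation of per-segment model updates.
All data and encodings here are constructed assumptions, not the paper's."""
from typing import Dict, List, Sequence

# Constructed host -> micro-segment assignment.
SEGMENTS: Dict[str, str] = {
    "10.0.1.5": "finance", "10.0.1.9": "finance",
    "10.0.2.7": "engineering", "10.0.3.2": "iot",
}

# Constructed flow records carrying three of the four context markers;
# the fourth (boundary crossing) is derived from the segment map.
FLOWS = [
    {"src": "10.0.1.5", "dst": "10.0.1.9", "policy_compliance": 0.95,
     "identity_confidence": 0.9, "session_risk_tier": 1},
    {"src": "10.0.3.2", "dst": "10.0.1.5", "policy_compliance": 0.4,
     "identity_confidence": 0.3, "session_risk_tier": 3},
]

def boundary_crossing(flow: dict, segments: Dict[str, str]) -> int:
    """Micro-Segment Boundary Crossing flag: 1 when src and dst are in
    different segments; an unassigned host is treated as a crossing."""
    src_seg, dst_seg = segments.get(flow["src"]), segments.get(flow["dst"])
    return int(src_seg is None or dst_seg is None or src_seg != dst_seg)

def edge_features(flow: dict, segments: Dict[str, str]) -> List[float]:
    """Edge feature vector for the traffic graph: the four context markers
    in the order the abstract lists them."""
    return [flow["policy_compliance"], float(boundary_crossing(flow, segments)),
            flow["identity_confidence"], float(flow["session_risk_tier"])]

def weighted_average(updates: Sequence[Sequence[float]],
                     counts: Sequence[int]) -> List[float]:
    """Aggregate client parameter updates weighted by each client's local
    sample count. Raw traffic never reaches the server, only these vectors."""
    if not updates or len(updates) != len(counts):
        raise ValueError("one sample count per client update is required")
    dim = len(updates[0])
    if any(len(u) != dim for u in updates):
        raise ValueError("client updates must share the same parameter shape")
    total = sum(counts)
    if total <= 0:
        raise ValueError("sample counts must be positive")
    return [sum(u[i] * n for u, n in zip(updates, counts)) / total
            for i in range(dim)]

if __name__ == "__main__":
    for f in FLOWS:
        print(f["src"], "->", f["dst"], edge_features(f, SEGMENTS))
    # Three segment clients with 100, 300 and 600 local samples.
    print(weighted_average([[1.0, 2.0], [3.0, 4.0], [5.0, 6.0]], [100, 300, 600]))
```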

Keywords

adversarial robustness, enterprise network security, explainable artificial intelligence, federated learning, graph attention networks, intrusion detection system, lateral movement detection, zero-trust architecture

Files

ZTA-FedIDS-A-Zero-Trust-Architecture-Integrated-Federated-Intrusion-Detection-System-with-Explainable-AI-for-Enterprise-Network-Cybersecurity.pdf