Non-stationary Distribution Attack in Federated Intrusion Detection Systems: Formal Definition, Convergence Analysis, and Empirical Evaluation

Abstract Federated learning has emerged as the dominant paradigm for privacy-preserving intrusion detection across distributed networks, yet its vulnerability to adversarial manipulation of the training process remains incompletely characterised. Existing attack formulations—Byzantine poisoning, label flipping, and gradient inversion—treat the local data distribution of a malicious client as fixed across training rounds. We identify and formalise a fundamentally different threat: the Non-stationary Distribution Attack (NDA), in which a single adversarial client strategically rotates its local attack-traffic family across rounds to deliberately amplify gradient divergence induced by non-independent and identically distributed (non-IID) data partitioning. We prove formally (Theorem 1) that NDA degrades FedAvg convergence whenever the Dirichlet heterogeneity parameter α falls below a dataset-dependent critical threshold α*, and we show constructively (Theorem 2) that NDA evades Krum-style aggregation filters by design. We further derive a KL drift-based detection criterion (Proposition 1) and establish that NDA requires Ω(1/ε²) observation rounds to distinguish from natural concept drift (Theorem 3). Comprehensive experiments on three benchmark datasets—CICIDS2017, TON_IoT, and NSL-KDD—across three aggregation schemes (FedAvg, FedProx, SCAFFOLD) demonstrate that NDA's primary operational impact is silent Area Under the ROC Curve (AUC) degradation: up to 4.84 percentage points on TON_IoT under SCAFFOLD at α = 0.05, while accuracy decreases by only 1.65 percentage points. This stealth ratio of 2.9× renders NDA invisible to accuracy-based monitoring yet highly damaging to the model's attack-ranking capability. Our results motivate a rethinking of non-IID heterogeneity as an actively exploitable attack surface rather than a passive statistical inconvenience.