🤖 AI Summary
To address the Non-IID data challenge in federated intrusion detection—arising from heterogeneous security policies across organizations—this paper proposes a privacy-preserving collaborative framework based on prototype learning. Instead of sharing model parameters or raw data, clients exchange semantic prototypes of attack classes, enabling cross-institutional knowledge transfer and feature alignment while preserving sensitive information. Prototypical networks are innovatively integrated into the federated learning pipeline to support generalization to unseen attack types. Experiments on real-world IIoT and 5G intrusion datasets demonstrate that the method significantly improves detection accuracy (average +8.3% F1-score), robustness, and interpretability under highly Non-IID settings, all while satisfying stringent privacy constraints. This work establishes a novel paradigm for distributed cybersecurity modeling through semantically grounded, privacy-aware collaboration.
📝 Abstract
In distributed networks, participants often face diverse and fast-evolving cyberattacks. This makes techniques based on Federated Learning (FL) a promising mitigation strategy. By only exchanging model updates, FL participants can collaboratively build detection models without revealing sensitive information, e.g., network structures or security postures. However, the effectiveness of FL solutions is often hindered by significant data heterogeneity, as attack patterns often differ drastically across organizations due to varying security policies. To address these challenges, we introduce PROTEAN, a Prototype Learning-based framework geared to facilitate collaborative and privacy-preserving intrusion detection. PROTEAN enables accurate detection in environments with highly non-IID attack distributions and promotes direct knowledge sharing by exchanging class prototypes of different attack types among participants. This allows organizations to better understand attack techniques not present in their data collections. We instantiate PROTEAN on two cyber intrusion datasets collected from IIoT and 5G-connected participants and evaluate its performance in terms of utility and privacy, demonstrating its effectiveness in addressing data heterogeneity while improving cyber attack understanding in federated intrusion detection systems (IDSs).
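A minimal sketch of the prototype-exchange idea from the abstract, added here as an illustration and not taken from the PROTEAN paper or its code. It assumes a prototype is the mean embedding of a class, that a coordinator merges prototypes by sample-count-weighted averaging, and that detection is nearest-prototype; the 2-D vectors are constructed stand-ins for encoder outputs.

```python
import math
from collections import defaultdict

def local_prototypes(samples):
    """samples: [(label, vector)] -> {label: (mean_vector, count)}. Only this leaves the client."""
    sums, counts = {}, defaultdict(int)
    for label, vec in samples:
        acc = sums.setdefault(label, [0.0] * len(vec))
        for i, x in enumerate(vec):
            acc[i] += x
        counts[label] += 1
    return {lbl: ([s / counts[lbl] for s in acc], counts[lbl]) for lbl, acc in sums.items()}

def aggregate(client_protos):
    """Assumed merge rule: count-weighted average of each class prototype across clients."""
    sums, totals = {}, defaultdict(int)
    for protos in client_protos:
        for label, (mean, n) in protos.items():
            acc = sums.setdefault(label, [0.0] * len(mean))
            for i, m in enumerate(mean):
                acc[i] += m * n
            totals[label] += n
    return {lbl: [s / totals[lbl] for s in acc] for lbl, acc in sums.items()}

def classify(vec, prototypes):
    """Nearest prototype by Euclidean distance."""
    return min(prototypes, key=lambda lbl: math.dist(vec, prototypes[lbl]))

# Constructed non-IID split: client A never sees "scan", client B never sees "ddos".
CLIENT_A = [("benign", [0.1, 0.2]), ("benign", [0.3, 0.0]),
            ("ddos", [5.0, 5.2]), ("ddos", [5.4, 4.8])]
CLIENT_B = [("benign", [0.0, 0.4]), ("scan", [0.2, 6.0]),
            ("scan", [-0.2, 6.4]), ("scan", [0.0, 5.6])]

def demo():
    pa, pb = local_prototypes(CLIENT_A), local_prototypes(CLIENT_B)
    shared = aggregate([pa, pb])
    flow = [0.1, 5.9]  # constructed scan-like flow arriving at client A
    local_only = classify(flow, {lbl: mean for lbl, (mean, _) in pa.items()})
    with_shared = classify(flow, shared)
    return local_only, with_shared, shared

if __name__ == "__main__":
    print(demo()[:2])
```

With only its own prototypes, client A forces the flow into a class it already knows; with the merged set it can label an attack type absent from its local data.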