Over-Threshold Multiparty Private Set Intersection for Collaborative Network Intrusion Detection

📅 2025-10-13
🤖 AI Summary
This work addresses the privacy-preserving aggregation of IP logs from multiple organizations in collaborative network intrusion detection. We propose a single-collector threshold private set intersection (t-PSI) protocol that outputs only IP addresses appearing in at least *t* participants’ logs, while rigorously concealing all other IPs and their ownership. Our key innovation is a lightweight hash-sharding mechanism, reducing computational complexity from *O(M(N log M/t)^(2t))* to *O(t²M·C(N,t))*. The protocol supports both collusion-resistant and non-interactive deployment modes, balancing security and practicality. Built upon cryptographic PSI, secure multi-party computation, and threshold collaborative analytics, it achieves high efficiency and low communication overhead on real-world multi-institutional logs. Experimental evaluation confirms its scalability and feasibility for privacy-sensitive collaborative threat detection.

📝 Abstract
An important function of collaborative network intrusion detection is to analyze the network logs of the collaborators for joint IP addresses. However, sharing IP addresses in plain is sensitive and may even be subject to privacy legislation as it is personally identifiable information. In this paper, we present the privacy-preserving collection of IP addresses. We propose a single collector, over-threshold private set intersection protocol. In this protocol, $N$ participants identify the IP addresses that appear in at least $t$ participants' sets without revealing any information about other IP addresses. Using a novel hashing scheme, we reduce the computational complexity of the previous state-of-the-art solution from $O(M(N \log{M}/t)^{2t})$ to $O(t^2 M \binom{N}{t})$, where $M$ denotes the dataset size. This reduction makes it practically feasible to apply our protocol to real network logs. We test our protocol using joint network logs of multiple institutions. Additionally, we present two deployment options: a collusion-safe deployment, which provides stronger security guarantees at the cost of increased communication overhead, and a non-interactive deployment, which assumes a non-colluding collector but offers significantly lower communication costs and is applicable to many use cases of collaborative network intrusion detection similar to ours.

Problem

Research questions and friction points this paper is trying to address.

Identifying shared IP addresses across multiple network logs privately
Protecting sensitive personal data during collaborative intrusion detection
Reducing computational complexity for practical private set intersection

Innovation

Methods, ideas, or system contributions that make the work stand out.

Over-threshold multiparty private set intersection protocol
Novel hashing scheme reduces computational complexity
Collusion-safe and non-interactive deployment options