FL-TWIN: a unified federated learning system for intrusion detection with digital twins modelling.

The growth of networked environments has intensified the challenge of detecting distributed denial-of-service (DDoS) attacks, as centralized intrusion detection systems face scalability, privacy, and data heterogeneity limitations. This paper proposes a federated learning framework for DDoS detection, Unified FL-TWIN, that pairs each participating client with an edge-resident Digital Twin (DT), applies a four-stage poisoning defence pipeline, and records all aggregations and security events on a permissioned blockchain ledger. Also, each DT maintains a versioned ring buffer of model snapshots, enabling per-client targeted rollback upon adversary detection. The defence pipeline comprises: Layered Update Purification (LUP), Differential Privacy via DP-SGD, Dual Dynamic Aggregation, TracIn and a blockchain. The novelty of this work lies in systematically integrating them into a Unified FL-TWIN approach that addresses several challenges simultaneously. This proposed approach simultaneously provides privacy protection, robustness, trustworthiness, accountability, and adaptive learning within a single architecture. In experiments on the CIC-DDoS 2019 dataset, we are covering clean baselines and three attack types with 30% malicious participation. The FL-TWIN achieves peak test accuracies of 99.97%, 99.98%, and 99.98% under label-flip, gradient-noise, and backdoor attacks, respectively, compared to a stagnant 99.72% for the undefended baseline. LUP achieves F1 scores of 0.57, 0.75, and 0.80 across three attack types, while the blockchain ledger maintains full save across all experiments. These results show that combining Digital Twin rollback with a layered detection pipeline improves recovery from federated poisoning attacks.