Dataset statistics.

Federated learning (FL) is emerging as a key approach for collaborative machine learning (ML) in distributed information systems where direct data sharing is infeasible due to policy constraints. In security operations center (SOC) settings, we study FL for the classification of network intrusion detection system (IDS) alerts—structured event records emitted by sensors (e.g., Snort/Suricata)—where consistent interpretation of event data is critical for reliable ML-based decision support. However, differences in labeling criteria across organizations often lead to semantic inconsistencies, undermining the accuracy and generalizability of FL models. This paper presents two key contributions that mitigate this issue without requiring raw data exchange. First, we propose Keyed Feature Hashing (KFH), a key-dependent obfuscated encoding scheme that enables consistent vectorization of heterogeneous IDS alerts across entities while reducing the risk of model inversion. Second, we introduce a filtering mechanism that leverages KFH representations to identify and exclude alerts likely to be misclassified due to inter-entity label discrepancies. Experiments using a large-scale real-world dataset collected from 14 organizations demonstrate that our method improves classification F1-score by up to 13.36% while maintaining over 99% alert coverage. These contributions enhance the trustworthiness of FL-based decision models in distributed, label-divergent environments.