Edge-FLGuard+: A Federated and Lightweight Anomaly Detection Framework for Securing 5G-Enabled IoT in Smart Homes

Abstract

The rapid expansion of 5G-enabled Internet of Things (IoT) devices in smart homes has heightened the need for robust, privacy-preserving, and real-time cybersecurity mechanisms. Traditional cloud-based security systems often face latency and privacy bottlenecks, making them unsuitable for edge-constrained environments. In this work, we propose Edge-FLGuard+, a federated and lightweight anomaly detection framework specifically designed for 5G-enabled smart home ecosystems. The framework integrates edge AI with federated learning to detect network and device anomalies while preserving user privacy and reducing cloud dependency. A lightweight autoencoder-based model is trained across distributed edge nodes using privacy-preserving federated averaging. We evaluate our framework using the TON_IoT and CIC-IDS2018 datasets under realistic smart home attack scenarios. Experimental results show that Edge-FLGuard+ achieves high detection accuracy (≥95%) with minimal communication and computational overhead, outperforming traditional centralized and local-only baselines. Our results demonstrate the viability of federated AI models for real-time security in next-generation smart home networks.

1. Introduction

The widespread adoption of 5G-enabled IoT devices in smart homes has improved convenience and automation but also raised critical concerns about cybersecurity, privacy, and latency. Traditional centralized security systems, primarily cloud-based intrusion detection systems (IDS), face challenges such as high latency, bandwidth constraints, and potential exposure of sensitive user data [1].

Federated learning (FL) has emerged as a promising paradigm to address these issues. It allows for the decentralized training of machine learning models directly on distributed edge devices, thereby avoiding raw data transmission and preserving privacy. Recent works such as FedGroup in smart home environments demonstrate the efficacy of group-based FL approaches, achieving comparable performance to centralized models while maintaining data minimization [2].

At the same time, anomaly detection remains critical for identifying cyber threats in IoT systems. Several surveys report that lightweight and real-time anomaly detection methods—particularly those based on autoencoders, LSTM, or transformer networks—are gaining traction in industrial, smart city, and smart home applications [3]. One recent study showcased high-accuracy LSTM-based federated anomaly detection in smart buildings, emphasizing the reduction of communication latency and improved convergence time [4].

However, many existing solutions remain unoptimized for resource-constrained edge devices and the unique characteristics of 5G networks. While models like FLiForest demonstrate scalable unsupervised anomaly detection with sub-160 KB memory footprints [5], these are not tailored for heterogeneous smart home deployments with diverse devices and fast 5G uplinks.

To bridge these gaps, we propose Edge-FLGuard+, a federated learning anomaly detection framework designed specifically for 5G-enabled smart homes. Our contributions are:

• A lightweight edge AI model (e.g., autoencoder or GRU-based) optimized for device heterogeneity.
• A federated learning protocol using FedAvg, enhanced with group-level device clustering to reduce communication.
• Rigorous benchmarking using public datasets (TON_IoT and CIC-IDS2018), with ablation on latency, detection accuracy, model size, and communication overhead.

Our experiments reveal that Edge-FLGuard+ achieves ≥ 95% detection performance, with 50–70% less communication overhead compared to centralized FL baselines. This validates its suitability for real-world smart home settings.

The remainder of the paper is structured as follows: Section 2 reviews related work; Section 3 details our system architecture; Section 4 presents our methodology, dataset processing, and model design; Section 5 reports experimental results and evaluations; and Section 6 concludes with future directions.

2. Related Work

While notable progress has been made in ML-based, federated, and edge-aware anomaly detection, there remains a gap: high-performing, lightweight, privacy-preserving FL systems tailored to 5G-enabled smart home ecosystems. Edge-FLGuard+ is purpose-designed to fill that niche.

2.1. Anomaly Detection in IoT and Smart Home Environments

Anomaly detection is a fundamental component of cybersecurity in Internet of Things (IoT) ecosystems, particularly within smart homes where device heterogeneity, data sparsity, and real-time responsiveness are critical challenges. Traditional rule-based and signature-based detection systems often fall short in these environments due to their limited adaptability and inability to recognize novel or evolving threats [6,7].

As a result, machine learning (ML)-based approaches have become increasingly prominent. A comprehensive survey by Kikissagbe and Adda [8] highlights the effectiveness of supervised and unsupervised learning models, including random forests, support vector machines, and neural networks, for IoT anomaly detection. Autoencoders and LSTM networks have been shown to capture temporal dependencies in time-series data, allowing detection of subtle deviations in smart home device behavior [9,10].

Recent studies have also explored hybrid architectures that combine both supervised and unsupervised methods. For instance, Rajaan et al. [9] proposed a two-stage detection pipeline integrating an Autoencoder with a random forest classifier, achieving 95.6% detection accuracy in a smart home testbed. Similarly, Sarwar et al. [1] applied multiple classifiers to IoT network data and demonstrated that ensemble methods, particularly random forests, consistently outperformed single-model baselines on the UNSW BoT-IoT dataset.

Despite these advances, most existing systems are still centralized, requiring continuous data transmission to the cloud. This setup introduces latency, increases bandwidth usage, and heightens privacy risks—factors that are especially problematic in-home environments where users expect fast and private operation. These limitations underscore the need for distributed and privacy-aware anomaly detection frameworks, such as those leveraging edge computing and federated learning, which this work aims to address.

2.2. Federated Learning for Privacy-Preserving Security

To address privacy concerns, federated learning (FL) has emerged as a promising alternative, enabling decentralized training without sharing raw data. Gosselin et al. [11] and Zhang et al. [12] provide comprehensive overviews of FL applications in security-sensitive domains. FL frameworks such as FedGroup allow for clustered model training within device groups, reducing communication overhead and improving personalization.

Recent studies have adapted FL to IoT-specific challenges. For instance, FLiForest [5] proposes a lightweight federated anomaly detector using Isolation Forests, while Albogami et al. [13] explore hybrid deep belief networks in energy-aware settings. However, many of these approaches are designed for general IoT or industrial control systems and lack tailored adaptations for smart home environments with 5G connectivity.

2.3. Lightweight AI and Edge-Aware Architectures

Resource constraints in IoT devices demand lightweight AI models. Techniques such as model pruning, quantization, and TinyML have been widely explored in recent surveys and experimental studies [14]. Edge deployment of the autoencoder- and LSTM-based anomaly detectors has demonstrated promise in handling device heterogeneity and latency. Moreover, adaptive architectures such as MEC-AI HetFL and peer-to-peer federated protocols have been designed specifically to handle non-IID data distributions in edge networks [15].

In addition, low-cost adaptive monitoring techniques—such as those proposed by Trihinas et al. [16]—offer valuable strategies for reducing system overhead through selective sampling, dynamic adjustment of monitoring rates, and contextual filtering. These techniques could further enhance the efficiency of lightweight anomaly detection models in smart home environments.

However, there remains a tension between reducing model complexity and preserving detection performance, especially in real-time systems where bandwidth and latency are critical factors.

2.4. Positioning This Work

Recent contributions by the authors have explored several foundational components relevant to this study. For instance, a federated learning and edge AI system for real-time anomaly detection in 5G-enabled IoT ecosystems was proposed in Edge-FLGuard, demonstrating high detection accuracy using lightweight models on public datasets such as TON_IoT and CIC-IDS2018 [17]. Another work focused on smart city contexts combined AI-driven anomaly detection with 5G and edge computing infrastructures, highlighting the role of multimodal data fusion for security [18]. Additionally, edge AI for real-time threat detection in smart homes was presented in a prior study, validating the feasibility of deploying lightweight federated models in latency-sensitive environments [19].

These studies establish the viability of decentralized, AI-based anomaly detection systems. However, they primarily address individual challenges—such as model architecture, edge integration, or domain-specific applications—without a unified treatment of smart home environments, lightweight model constraints, and 5G-related architectural considerations within the same framework.

This paper builds directly upon the preliminary Edge-FLGuard framework [17] and significantly extends it in four key ways:

• Model Innovation: Edge-FLGuard+ introduces a new lightweight GRU-based autoencoder architecture that improves performance while reducing memory and computation requirements, in contrast to the earlier LSTM-based models.
• Smart home Focus: The current work targets 5G-enabled smart home environments specifically, rather than generalized IoT deployments.
• Privacy Enhancements: Edge-FLGuard+ incorporates advanced privacy mechanisms including differential privacy and secure aggregation, which were not implemented in Edge-FLGuard.
• Broader Evaluation: The present study includes ablation experiments, quantization analysis, and comparisons with centralized/local baselines—offering a more comprehensive evaluation than the prior work.

2.5. Summary of Relevant Works and Positioning of the Proposed Framework

To contextualize and highlight the novelty of the proposed Edge-FLGuard+ framework,

Table 1. Comparative overview of recent federated learning-based anomaly detection frameworks and the proposed Edge-FLGuard+, with emphasis on deployment domain, model architecture, resource-awareness, privacy mechanisms, and 5G applicability. The distinction between the authors’ earlier Edge-FLGuard and the new Edge-FLGuard+ highlights key improvements in architecture, privacy, and evaluation scope. Symbols: “✓” indicates that the feature is present or supported; “✗” indicates it is absent or not supported.

Study	Domain	Model/FL	Devices	5G-Aware	Lightweight	Privacy-Preserving	Dataset(s)
Sarwar et al. (2023) [1]	Smart home ML	CNN, RF	Local	—	Moderate	✗	Smart home traffic data
Albogami (2025) [13]	Edge IoT FL	Deep-belief + GJO/DBO	FL	—	Moderate	✓	IoT time-series
Vasiljević et al. (2025) [5]	Edge IoT FL	Isolation Forest	Edge	—	✓ (<160 KB)	✓	Temperature sensors
Reis (Edge-FLGuard, 2025) [17]	Smart IoT 5G FL	Autoencoder + LSTM	Edge + FL	✓	Moderate	✓	TON-IoT, CIC-IDS
Proposed Edge-FLGuard+	Smart home 5G FL	Lightweight AE/GRU	Edge + FL	✓	✓ (<100 KB)	✓ (privacy-layer)	TON-IoT, CIC-IDS

provides a structured summary of representative recent studies in the domains of federated learning, IoT anomaly detection, and smart home cybersecurity. The table contrasts key characteristics such as architectural choices, privacy-preserving mechanisms, model efficiency, and 5G readiness across these works, clearly outlining how the present approach differentiates itself from the existing literature.

While prior works by the authors introduced key components such as federated anomaly detection in smart cities [18], edge AI for smart home applications [19], and a preliminary federated framework (Edge-FLGuard) [17], these contributions tackled isolated aspects or broader domains. The current work, Edge-FLGuard+, builds upon and significantly extends this prior research by

• Combining edge AI, federated learning, and 5G-specific optimizations into a single cohesive framework tailored for smart home environments;
• Introducing a lightweight GRU-based autoencoder architecture that offers improved detection performance with lower communication overhead;
• Conducting a more comprehensive evaluation, including ablation studies and privacy-preserving mechanisms, not present in earlier studies.

As such, this work represents a novel and integrated advancement in the secure deployment of AI-driven anomaly detection in 5G-enabled smart home ecosystems.

3. System Architecture

The proposed Edge-FLGuard+ framework is designed to perform real-time anomaly detection in 5G-enabled smart home environments using federated learning (FL) and lightweight edge AI models. It is built around a decentralized architecture that prioritizes low-latency inference, model privacy, and resource efficiency across heterogeneous IoT devices.

3.1. Architectural Overview

At a high level, the system comprises the following components:

• Smart home IoT Devices (Edge Nodes): These include smart thermostats, cameras, voice assistants, etc., each capable of local computation.
• Edge AI Module: Each device or its corresponding gateway runs a lightweight anomaly detection model locally.
• Federated Learning Coordinator: Hosted either on a local hub (e.g., home router with edge server) or cloud-based edge node, this component orchestrates model aggregation.
• 5G Communication Layer: High-speed and low-latency 5G connectivity supports timely model updates and federated rounds. In our architecture, 5G is leveraged specifically to reduce the latency and bandwidth bottlenecks traditionally associated with FL systems, enabling faster convergence and more responsive updates across edge devices.

The overall architecture of the proposed Edge-FLGuard+ framework is illustrated in Figure 1, highlighting the interaction between edge devices, the federated learning coordinator, and the 5G communication infrastructure. The system leverages the federated averaging (FedAvg) algorithm [20] to coordinate global model updates. For privacy enhancement, differential privacy (DP) [21] may be applied to model updates before transmission. We selected GRU-based autoencoders due to their lower complexity and comparable temporal modeling capabilities to LSTM [22].

While the current implementation does not incorporate 5G network telemetry or signal-level features directly into the anomaly detection logic, we acknowledge this as a limitation and highlight it as an opportunity for personalization and adaptation in future work.

3.2. Edge AI Model

Each edge device runs a lightweight deep learning model for local anomaly detection. The model is designed to

• Be trainable on-device with low computational cost;
• Handle time-series IoT data;
• Identify deviations in device behavior.

We implement either of the following:

• A 1D convolutional autoencoder (CAE) suitable for compact feature learning from raw data;
• A GRU-based autoencoder, which efficiently captures sequential dependencies in device-generated logs.

The choice of model is based on the computational profile of devices, with the GRU version offering better temporal sensitivity.

3.3. Federated Learning Protocol

To avoid transmitting raw data and ensure user privacy, the system utilizes federated averaging (FedAvg) as the core mechanism for decentralized learning.

FedAvg is a communication-efficient algorithm that aggregates model updates from multiple clients by averaging their local weights, allowing for global model improvements without centralizing sensitive data.

• The coordinator initializes a global model.
• Each device trains its local model on locally stored anomaly-labeled data.
• After a training round, devices transmit only their model weights to the coordinator.
• The coordinator aggregates updates (e.g., weighted average) and broadcasts the new global model.

This process is repeated over multiple communication rounds. The framework assumes partial client participation and supports asynchronous updates to accommodate device availability.

3.4. Privacy-Preserving Mechanisms

To enhance data confidentiality beyond simple decentralization, the architecture optionally includes:

• Differential privacy (DP): Local model updates may be perturbed with calibrated noise before upload. This technique helps obscure the contribution of individual data points by adding statistically controlled noise, thereby protecting user-level information during federated training.
• Secure aggregation: The coordinator can apply cryptographic aggregation protocols to prevent reconstruction of individual updates.
• Transport layer security (TLS): All communication between edge devices and the aggregator is encrypted.

These mechanisms ensure that even in a 5G-enabled high-throughput environment, the system complies with data minimization principles and user privacy expectations. The 5G connectivity layer complements these mechanisms by supporting faster encrypted communication and federated coordination without compromising user data integrity.

4. Methodology

This section details the datasets, data preprocessing pipeline, model architecture, training configuration for FL, and the baseline methods used for evaluation. The focus is on realistic simulation of smart home environments within 5G-enabled IoT contexts.

4.1. Dataset Description

To evaluate the Edge-FLGuard+ framework, we use two widely adopted and publicly available datasets:

• TON_IoT (Telecommunications and Operational Network IoT): This dataset includes telemetry data from smart home devices, operating systems, and network logs. We extract subsets related to smart home traffic, including data from smart lights, thermostats, and door sensors, with both benign and attack scenarios.
• CIC-IDS2018 (Canadian Institute for Cybersecurity—Intrusion Detection System 2018): This dataset contains labeled flows of benign and malicious traffic. For our purposes, we filter for home network-relevant features, such as port scan, brute force SSH, and botnet traffic patterns, emulating a smart home gateway context.

Each dataset provides timestamped feature-rich flows annotated with normal or attack labels, suitable for supervised or unsupervised learning.

4.2. Data Preprocessing

We adopt the following preprocessing steps for both datasets:

• Filtering: Select only smart home–relevant logs (e.g., IoT devices, home Wi-Fi, local subnet flows).
• Cleaning: Remove duplicate entries, resolve missing values, and unify timestamp formats.
• Feature Selection: Extract protocol-based (e.g., source/destination port, protocol), time-based (e.g., packet interval), and statistical (e.g., entropy, variance) features.
• Normalization: Apply min–max scaling to numeric features for neural network compatibility.
• Label Encoding: Labels are binary (normal = 0; anomaly = 1).

The final dataset is partitioned into local shards (one per device/client) to emulate a non-IID federated setting.

4.3. Model Architecture

Each edge node hosts a lightweight GRU-based Autoencoder ([22]) specifically designed to detect temporal anomalies in IoT traffic sequences with minimal resource usage. The architecture is composed of:

• Input Layer: A time-series window of shape (T, F), where T = 10 time steps and F = 20 selected features.
• GRU Encoder: Two stacked GRU layers:

  ○

  Layer 1: 64 hidden units; dropout = 0.2;

  ○

  Layer 2: 32 hidden units; dropout = 0.2.

• Latent Representation: The final hidden state of the second GRU, forming a 32-dimensional embedding.
• GRU Decoder: Symmetric structure to the encoder, with 32 and 64 GRU units, respectively, followed by a dense projection layer to match input shape.
• Output Layer: Reconstructed time-series window (T, F).
• Loss Function: Mean squared error (MSE) between original and reconstructed sequences.

During inference, the reconstruction error is computed per instance and compared to a threshold θ, empirically defined as follows:

$$\theta ={\mu }_{\mathrm{train}}+3{\mathsf{\sigma }}_{\mathrm{train}}$$

where ${\mu }_{\mathrm{train}}$ and ${\mathsf{\sigma }}_{\mathrm{train}}$ are the mean and standard deviation of the reconstruction error over training data.

This empirical rule helps distinguish anomalous behavior by identifying data points whose reconstruction error significantly deviates from the norm, assuming a near-Gaussian distribution of errors.

Samples with error $> \theta$ are flagged as anomalies. Listing 1 presents the pseudocode of the detection phase.

Listing 1. Pseudocode of the detection phase.

▪ Algorithm: Anomaly Detection using Reconstruction Error ▪ Input: test_data ← list of time-series sequences ▪     θ ← anomaly detection threshold (computed from training data) ▪ for each input sequence x_t in test_data do ▪     x_hat ← model.reconstruct(x_t) ▪     error ← MSE(x_t, x_hat) ▪     if error > θ then ▪         label ← 'anomaly' ▪     else ▪         label ← 'normal' ▪     end if ▪ end for

The full model has approximately 160,000 parameters and requires <1.2 MB of memory, making it deployable on Raspberry Pi–class devices.

4.4. Federated Learning Setup

The federated learning configuration used in this work is illustrated in Figure 2, which shows how smart home edge nodes collaborate with a central coordinator over 5G links to train a global anomaly detection model. We implement a standard FedAvg protocol [20] with the following settings:

• Federated Rounds: 100.
• Clients per Round: 5–10 (simulating active smart home nodes).
• Data Distribution: Non-IID across clients (each device sees distinct behavior profiles).
• Model Updates: Weights transmitted securely after local epochs (typically 2–5 per round).
• Communication: Simulated via 5G emulated links with latency and bandwidth constraints.
• Hardware Specs: Simulated edge devices: 2–4 core CPUs, 2GB RAM; Aggregator: 8-core CPU, 16 GB RAM.

Optional enhancements include gradient noise (DP) and compressed updates for bandwidth efficiency.

4.5. Baseline Methods for Comparison

To benchmark performance, we compare Edge-FLGuard+ against

• Centralized LSTM Autoencoder: A full data–centralized model trained on all available data.
• Local-only Model: Each client trains an independent GRU autoencoder with no FL.
• FedAvg + CNN Encoder: A variation using lightweight 1D CNN instead of GRU.
• Unsupervised Isolation Forest (centralized and federated): To benchmark traditional ML-based anomaly detectors [5].

All methods are evaluated on accuracy, F1-score, false-positive rate, and communication overhead.

5. Experimental Evaluation

This section presents the evaluation of the Edge-FLGuard+ framework in terms of detection performance, communication efficiency, and scalability under federated learning (FL) conditions. We compare it with centralized and local baselines and conduct an ablation study to assess the influence of model size, compression, and training configuration.

5.1. Evaluation Metrics

The following metrics are used to assess model performance and system behavior:

• Accuracy (Acc): Ratio of correctly classified instances to total instances.
• F1-Score (F1): Harmonic mean of precision and recall, suitable for imbalanced data.
• False Positive Rate (FPR): Measures the rate of benign traffic misclassified as anomalies.
• Inference Latency: Average time per instance for local anomaly detection (on-device).
• Communication Overhead: Volume of data exchanged per federated round (in KB or MB).

These metrics jointly capture the trade-off between security efficacy and system efficiency.

5.2. Comparative Results

We compare Edge-FLGuard+ against three baseline approaches:

• Centralized Model (C-AE): A GRU-based autoencoder trained on all data centrally.
• Local-Only Model (L-AE): Edge nodes train independently without collaboration.
• Vanilla Federated Model (F-AE): FL with no optimizations or privacy layers.

To evaluate the effectiveness of Edge-FLGuard+, we compare its performance against centralized, local-only, and vanilla federated baselines using key metrics such as accuracy, F1-score, latency, and communication overhead. These results are presented in

Table 2. Comparative performance of Edge-FLGuard+ against centralized (C-AE), local-only (L-AE), and standard federated (F-AE) baselines. Edge-FLGuard+ demonstrates a favorable balance between detection accuracy and communication efficiency in 5G-enabled smart home environments.

Model	Accuracy	F1-Score	FPR	Latency (ms)	Comm. Overhead (MB/Round)
C-AE (Centralized)	97.1%	0.962	2.3%	—	—
L-AE (Local Only)	88.4%	0.871	6.2%	6.7	0
F-AE (Vanilla FL)	95.2%	0.946	3.5%	7.1	3.8
Edge-FLGuard+	96.4%	0.954	2.6%	6.8	2.1

.

To visually highlight performance differences across baseline and proposed models, we present a comparison of accuracy, F1-score, and false positive rate in Figure 3.

Edge-FLGuard+ demonstrates superior trade-offs between accuracy and overhead compared to both isolated and centralized models.

5.3. Ablation Study

We conducted ablation experiments by modifying:

• Model Size: Compared full GRU model (160 K params) vs. pruned version (90 K params).
• Compression: Tested 8-bit quantized weights vs. floating-point weights.
• Number of FL Rounds: Evaluated convergence under 20, 50, 100, and 200 rounds.

To further understand the trade-offs between model complexity, communication efficiency, and convergence behavior, we conducted an ablation study by varying the model size, applying compression techniques, and adjusting the number of federated learning rounds. The key results are summarized in

Table 3. Ablation study results for Edge-FLGuard+ across different model configurations. The results show how model pruning and 8-bit quantization impact accuracy, communication overhead, and training convergence in a 5G-enabled smart home FL setup.

Variant	Accuracy	Comm. Overhead	Convergence Rounds
Full Model (160 K)	96.4%	2.1 MB	~100
Pruned Model (90 K)	95.6%	1.3 MB	~80
8-bit Quantized	94.9%	0.7 MB	~120

.

The results of the ablation experiments are also visualized in Figure 4, illustrating how configuration choices impact model accuracy, communication overhead, and convergence speed.

Results show that model pruning and quantization reduce communication costs at the expense of minimal accuracy loss.

5.4. Discussion

The results offer practical insights into the trade-offs of deploying Edge-FLGuard+ in real-world smart home scenarios. Specifically, our findings highlight the following:

• Scalability:
  Edge-FLGuard+ supports asynchronous and partial participation. It performed consistently with 5–10 clients, and the system scales to dozens of nodes without performance collapse.
• Privacy Trade-offs:
  Incorporating differential privacy noise (ε = 5) resulted in a ~1.4% drop in F1-score, but significantly enhanced privacy guarantees.
• Real-World Applicability:
  The low inference latency (<7 ms) and small memory footprint (<1.2 MB) confirm its suitability for smart home routers and IoT gateways. All experiments were simulated on Raspberry Pi–like edge nodes.

To better understand the trade-off between communication efficiency and detection performance, Figure 5 plots accuracy against communication overhead across different configurations.

6. Conclusions and Future Work

This paper presented Edge-FLGuard+, a lightweight and privacy-preserving federated learning framework designed for real-time anomaly detection in 5G-enabled smart home IoT environments. The proposed system integrates a GRU-based autoencoder architecture with the FedAvg protocol, enabling decentralized, low-latency, and communication-efficient training across edge nodes.

Experimental results on filtered subsets of the TON_IoT and CIC-IDS2018 datasets demonstrate that Edge-FLGuard+ achieves a favorable balance between detection accuracy (≥96%), communication overhead (≈2.1 MB/round), and inference latency (<7 ms). Comparative analysis against centralized and local-only baselines confirms its competitiveness, while ablation studies validate the benefits of pruning and quantization for deployment on resource-constrained devices.

These results confirm that federated learning frameworks are viable for enhancing cybersecurity in smart home settings, where privacy, real-time responsiveness, and device heterogeneity are key concerns.

However, this work also has several limitations that must be acknowledged. The current framework assumes stable and low-latency 5G connectivity, which may not be universally available across all smart home contexts. Furthermore, while the system is designed to support heterogeneous edge devices, real-world deployment could face challenges in calibrating model performance across widely varying hardware capabilities. Finally, although our evaluation uses realistic datasets, field testing in live home environments remains a necessary step for broader validation. Additionally, while key performance metrics such as accuracy and communication overhead were reported, our current evaluation reflects single-run results per configuration. As such, we were unable to generate statistical visualizations (e.g., box plots) to capture variability across multiple runs—an aspect we aim to address in future experimentation.

Future Work

Future research will explore the following directions to extend the applicability and robustness of the Edge-FLGuard+ framework:

• Cross-Domain Generalization: Investigate transferability of trained models across heterogeneous environments (e.g., smart buildings, smart healthcare).
• Adaptive and Personalized FL Models: Incorporate continual learning and attention-based mechanisms to adapt to evolving device behavior patterns.
• LLM-Integrated Threat Intelligence: Explore the use of large language models (LLMs) for contextual reasoning, anomaly explanation, and threat attribution at the edge.
• Adaptive Monitoring Integration: Future versions of Edge-FLGuard+ could incorporate adaptive data collection and monitoring strategies (e.g., dynamic sampling, context-aware feedback) to further reduce communication and computation costs without sacrificing detection accuracy.
• 5G-Aware Anomaly Detection: Future versions of the framework could incorporate 5G-specific network telemetry (e.g., signal strength, latency spikes, handover frequency) as auxiliary features for anomaly detection. This would enable context-aware threat analysis and potentially improve detection accuracy and responsiveness in highly dynamic network conditions.

Overall, this work lays the foundation for intelligent, secure, and scalable anomaly detection in next-generation smart home ecosystems.