A Dynamic Spatiotemporal Deep Learning Solution for Cloud–Edge Collaborative Industrial Control System Distributed Denial of Service Attack Detection

Abstract

With the continuous development of industrial intelligence, the integration of cyber–physical components creates a need for effective attack detection methods to mitigate potential DDoS threats. Although several DDoS attack detection modeling approaches have been proposed, few effectively incorporate the unique characteristics of industrial control system (ICS) architectures and traffic patterns. This paper focuses on DDoS attack detection within cloud–edge collaborative ICSs and proposes a novel detection model called FedDynST. This model combines federated learning and deep learning to construct feature graphs of traffic data. Introducing dynamic and static adjacency matrices, this work reveals the interactions between long-term industrial traffic data and short-term anomalies associated with DDoS attacks. Convolutional neural networks are utilized to capture distinctive temporal features within industrial traffic, thereby improving the detection precision. Moreover, the model enables continuous optimization of the global detection framework through a federated learning-based distributed training and aggregation mechanism, ensuring the privacy and security of industrial client data. The effectiveness of the FedDynST model was validated on the CICDDoS2019 and Edge-IIoTset datasets. The simulation results validated the superiority of the proposed approach, and thus, demonstrated significant improvements in both detection accuracy and convergence.

1. Introduction

Industrial control systems (ICSs) collectively denote the technologies designed to ensure the reliable monitoring and automation of industrial operations [1]. In recent years, modern ICSs and IT systems have displayed a trend of close integration under the development of industrial digitization, intelligence, and informatization. To manage and make sense of the vast data produced by modern ICSs, researchers have introduced edge and edge–cloud computing into their design. This integration has gradually led to the development of a collaborative cloud–edge architecture [2,3]. Under this architecture, ICSs achieve data sharing, knowledge sharing, and resource sharing, but the security boundaries become increasingly blurred, making them more susceptible to cyber attacks [4,5].

Among today’s most disruptive cyber threats are distributed denial of service (DDoS) attacks, impacting various fields, including communications, energy, and transportation [6,7,8]. DDoS attacks are particularly challenging in the field of ICS security due to their suddenness, large scale, and potential for severe harm [9]. In recent years, the methods of DDoS attacks have become more diversified, and the frequency of attacks has been on the rise, causing serious impacts and threats to the industrial production sector. For example, in July 2023, the ransomware group Lockbit 3.0 launched a DDoS attack on Nagoya Port in Japan, causing the port’s container handling system NUTS to shut down for a day and disrupting container handling operations, resulting in significant economic losses [10]. In November of the same year, a South Korean semiconductor manufacturer suffered a DDoS attack, leading to a production line shutdown and substantial economic losses. In ICS scenarios, such attacks can not only lead to production halts and service interruptions but also pose potential risks to personal safety [11,12].

Accordingly, strengthening DDoS detection and mitigation in ICS environments is essential. Early detection techniques for DDoS attacks in ICS primarily relied on simple feature rules, such as traffic thresholds, request frequency, and whitelisting [13]. For instance, signature detection techniques were introduced to build rule sets for identifying specific attack patterns, while network traffic analysis tools were used for the manual analysis of suspicious traffic information [14]. These methods typically depend on fixed rules and thresholds, leveraging experience and existing human knowledge to identify DDoS attacks. Although these techniques perform well against known attack patterns, they exhibit insufficient adaptability in the face of novel attacks.

With the increasing diversity and complexity of attack types, ICSs begin adopting machine learning methods to enhance dynamic adaptive capabilities in DDoS attack detection. Machine learning models, including J48, Naive Bayes, and Random Forest, have shown effectiveness in detecting DDoS attacks across diverse datasets. Among these, the Random Forest algorithm outperforms both J48 and Naive Bayes, demonstrating a higher accuracy in machine learning-based detection [15]. However, machine learning-based detection methods often require substantial labeled data and rigorous feature selection. When feature selection is inadequate, the accuracy of attack detection can be significantly affected. Additionally, some literature suggests that relying solely on machine learning methods may not be sufficient to capture the deeper characteristics of industrial traffic [16].

In recent years, deep learning has garnered significant attention for its strong feature extraction capabilities and outstanding performance. Advanced models, like convolutional neural networks (CNNs) and recurrent neural networks have been employed to analyze traffic patterns within industrial control systems. This approach is especially effective for processing time-series data, as it can identify complex traffic patterns and potential attack signals [17,18,19]. However, current deep learning methods primarily focus on learning local features of traffic data, such as the statistical characteristics of individual fields or field groups, and lack attention to the macro-level connections and global recognition patterns within industrial traffic datasets.

On the other hand, cloud–edge collaborative ICSs are deployed in a distributed manner. The hardware configurations, operating systems, application versions, and firmware update frequencies may differ from one factory to another [20]. Attackers can exploit these differences by adopting varied attack strategies, leading to detection models trained solely on local data from a single ICS having limited attack recognition capabilities. Additionally, the traffic data from industrial production processes may contain substantial sensitive information related to industrial operations, so centralized data training may significantly increase the risk of privacy breaches [21].

To address this gap, this work proposes a detection model that combines deep learning methods with a federated learning framework. First, this study adopted a federated learning framework within a cloud–edge collaborative ICS to avoid the exchange of raw data. By training on traffic data from multiple ICSs, the model improved its ability to detect and defend against attack behaviors. Second, this study modeled the correlations between features in industrial traffic data using a non-Euclidean graph structure. Considering the characteristics of ICS traffic, static and dynamic adjacency matrices were used to explore the interactions between traffic features on different time scales. By implementing the proposed graph convolutional network (GCN), the model effectively captured and learned complex relationships between traffic features, and thus, improved the global feature recognition.

In summary, this study focuses on DDoS attack detection algorithms in cloud–edge collaborative industrial control scenarios based on deep learning and federated learning, with the following main contributions:

• A federated learning framework suitable for cloud–edge collaborative ICSs is proposed. By assigning dynamic weights to each industrial client, the framework optimizes the learning process of the global model, enhancing the overall performance.
• A DDoS attack detection model is introduced that constructs static and dynamic adjacency matrices to address the differences between long-term and short-term traffic data. This approach extracts relationships between the features of industrial traffic data across different time scales, enabling better capture of the deeper characteristics of DDoS attacks in industrial scenarios.
• The proposed model was tested on the CICDDoS2019 and Edge-IIoTset datasets and benchmarked against multiple federated and deep learning-based DDoS detection approaches. The results confirmed its effectiveness, demonstrating clear performance gains over existing methods.

2. Related Work

DDoS detection within industrial control environments has attracted considerable research attention. This section specifically reviews deep learning-based approaches for identifying such attacks. Researchers have utilized deep learning techniques to learn and analyze the features of ICS traffic data from various dimensions, thereby enhancing the ability to identify DDoS attacks.

In the spatial dimension, Haider et al. [22] introduced a deep CNN ensemble framework that effectively detects DDoS attacks in software-defined networks by capturing spatial characteristics of network traffic, achieving a high detection accuracy. Kim et al. [23] suggested converting traffic data features into grayscale and RGB images. They leveraged the ability of CNNs to process spatial information, thereby extracting the spatial features of these images and effectively improving the performance of intrusion detection systems.

In the temporal dimension, recurrent neural networks, including Gated Recurrent Units (GRUs) and Long Short-Term Memory (LSTM) variants, are commonly employed to capture temporal patterns in time-series data [24,25]. Shen et al. [26] proposed an LSTM-based deep learning model for DDoS detection in SDN-based Industrial Internet environments. The LSTM network identifies DDoS attacks and normal traffic based on temporal features, and its effectiveness was validated through experiments with real industrial control network topologies. Yazdinejad et al. [27] combined LSTM with autoencoders (AEs) to propose the LSTMAE deep learning model. This model leverages temporal features of traffic data to assist in decision tree usage, effectively identifying anomalous data and threats. It performed well on datasets from gas pipeline and secure water treatment systems.

In the spatiotemporal dimension, Zainudin et al. [28] proposed a hybrid model combining CNN and LSTM for identifying DDoS attacks targeting controllers. This model effectively extracts both spatial and temporal features from traffic data, demonstrating a high detection accuracy. Diaba et al. [29] utilized a hybrid deep learning approach that integrates CNN and GRU to mine spatial and temporal features of smart grid traffic for DDoS attack detection. Their research demonstrated that this method significantly improved the DDoS attack detection accuracy in smart grid applications. Söğüt et al. [30] introduced a hybrid model based on CNN and LSTM for industrial control SCADA systems. Using SCADA system test data, they evaluated the hybrid model against individual CNN and LSTM models, and observed improved detection accuracy for DDoS attacks.

The mentioned deep learning-based attack detection methods primarily delve into traffic features from spatial and temporal dimensions to enhance DDoS attack recognition. Specifically, CNNs are commonly used to extract spatial features of traffic, while temporal features are learned through recurrent neural networks. However, traditional CNNs, as was noted above, mainly focus on learning local features of the traffic, i.e., the statistical characteristics of individual fields or groups of fields. They have a limited ability to recognize the relationships and global patterns across the entire set of traffic fields.

In the field of federated learning, Li et al. [31] introduced FLEAM, a federated learning-based architecture designed to mitigate DDoS attacks, which adopts a federated learning enhanced architecture combined with the IMA-GRU protocol to combat malicious DDoS scripts. This model offers greater flexibility, scalability, and adjustability, along with an improved detection accuracy and reduced response time. Zainudin et al. [32] introduced the FedDDoS model, which uses Pearson’s correlation coefficient (PPC) to select potential traffic features based on FS methods. To reduce the model complexity, the model utilizes CNNs with residual connections to extract features, followed by an MLP for attack classification, demonstrating good detection performance. Shao et al. [33] applied federated learning to intrusion detection in an ICS. By employing an evolutionary neural architecture search, they developed a lightweight federated learning model that performed well in dataset-based experiments. Federated learning-based methods allow for model training in distributed environments without sharing raw data, effectively protecting the data privacy [34]. However, current research on federated learning for cloud–edge collaborative industrial control scenarios is limited.

3. Methodology

3.1. Model Architecture

This paper proposes FedDynST, a deep learning-based solution for DDoS detection in cloud–edge collaborative ICS environments. As shown in Figure 1, the architecture integrates a DDoS detection module with a federated learning framework.

3.2. Federated Learning Algorithm Based on Dynamic Weights

Within the federated learning framework, each industrial client employs a local CNN to learn from its traffic data and independently train a DDoS detection model. The trained model parameters are sent to a central server for aggregation and then returned to each client to update their local models, enabling effective training and optimization without disclosing sensitive data. This approach aligns well with the current cloud–edge collaborative architecture in ICSs, where data transmission between the cloud and edges typically occurs over relatively closed industrial private networks. Moreover, techniques such as homomorphic encryption and access control are employed to minimize data leakage and privacy risks during training.

Considering that the scenarios and data quality faced by different ICS clients vary, resulting in differing quality of trained models, this paper proposes an improved dynamic weighting algorithm based on the federated averaging algorithm (FedAvg). The algorithm assigns dynamic weights to client model updates, optimizing the global model’s learning process and enhancing its performance and convergence speed.

The design of the dynamic weights is based on two metrics: the difference between the client’s model update parameters and the global model update parameters, and the client’s local training loss. The divergence metric is defined as Equation (1):

$$A_k=0.5+0.5cos({\omega }_C,{\omega }_G)$$

(1)

where $A_k$ represents the difference index between the local client model update parameters and the previous round of global client model update parameters, ${\omega }_C$ is the client local update model parameters, and ${\omega }_G$ represents the previous round of global model update parameters.

Another important metric for the model is the local training loss. Generally, a lower training loss indicates a higher quality of the locally trained model, and thus, the client’s weight in the federated learning process should be greater. To facilitate the integration of the client’s loss with the divergence metric $A_k$, normalization is applied, as shown in Equation (2):

$$L_k^t=1-{\displaystyle \frac{\left|los{s}_k^t\right|}{{\sum }_{j=1}^m{\left|loss\right|}_k^t}}$$

(2)

where m is the total number of clients participating in the training, $L_k^t$ is the normalized index of training loss for client k in round t, and $\left|los{s}_k^t\right|$ represents the training loss of client k in round t.

The weight coefficient of each client is set by combining the divergence and loss value indicators, as defined in Equation (3):

$$Q_k=0.5A_k+0.5L_K$$

(3)

Finally, all client weight coefficients are normalized, and a weighted aggregation of all client models is performed to generate a new global model. As the federated learning training progresses, the training loss of each participating local client model changes, and its divergence from the global model also changes. Consequently, in the new global model, the parameters from higher-quality clients have a larger proportion. This method not only ensures rapid convergence speed but also effectively enhances the model’s performance.

3.3. DDoS Attack Detection Model

The detection model comprises an APPNP graph CNN, a 1D CNN, pooling layers, and fully connected layers, as illustrated in Figure 2.

The model receives traffic data that have been subjected to feature extraction, resulting in an initial feature matrix fed into the APPNP graph convolution layer. Here, both static and dynamic adjacency matrices facilitate graph convolution on traffic features, extracting relationships between ICS traffic data packet fields to enhance feature expression. Subsequently, the feature matrix from the graph convolution is input into the 1D-CNN layer, primarily extracting temporal sequence features from ICS traffic data. Finally, the traffic data undergo pooling after spatial and temporal convolutions, and is processed through fully connected layers to perform the ultimate task of DDoS attack detection. The subsequent sections provide a detailed discussion of each component of the proposed model.

3.3.1. APPNP Graph Convolution Layer

In this layer, static and dynamic adjacency matrices are constructed based on long-term and short-term flow data, respectively. After performing graph convolution operations using these two types of adjacency matrices, we maximized the correlation of the outputs obtained from the graph convolution through an unsupervised loss function based on mutual information.

ICSs typically operate in periodic modes, with devices regularly transmitting and receiving data. The static adjacency matrix, derived from long-term statistics of ICS traffic data, captures enduring relationships between traffic features, providing reliable feature associations for the model. Conversely, DDoS attacks in ICSs often induce notable changes in traffic features over short intervals. The dynamic adjacency matrix, informed by short-term traffic data, captures relationships between traffic features, enabling real-time detection of anomalous changes in ICS traffic and bolstering the model’s ability to identify sudden attacks. Integrating these two types of adjacency matrices allows for a more comprehensive exploration of traffic data feature relationships across various time scales.

Specifically, this work employed the graph neural network APPNP to model the relationships between traffic features. APPNP, a graph neural network, combines GCN and personalized PageRank [35]. Compared with a traditional GCN, APPNP offers faster convergence and fewer parameters. The specific process is as follows.

For long-term ICS traffic data, this study measured the correlation between variables by calculating the mutual information between traffic features. Specifically, the static adjacency matrix $A_s\in {\mathbb{R}}^{n\times n}$ is defined such that $A_s[i,j]=1$ indicates a connection between variable i and variable j, while $A_s[i,j]=0$ indicates no connection. The definition of $A_s$ is given in Equation (4):

$$A_s[i,j]=\left\{\begin{array}{cc}1\hfill & \mathrm{if}MI(x_i,x_j)\ge ϵ\hfill \\ 0\hfill & \mathrm{otherwise}\hfill \end{array}\right.$$

(4)

where $x_i$ and $x_j$ represent the sequence data of traffic features i and j across the entire training set, and $ϵ$ is a predefined threshold. The average mutual information $MI(x_i,x_j)$ is calculated, where N is the number of features extracted from the traffic data. The mutual information $MI(x_i,x_j)$ is defined in Equation (5):

$$MI(x_i,x_j)=\int \int p(x,y)log\left({\displaystyle \frac{p(x,y)}{p\left(x\right)p\left(y\right)}}\right)dxdy$$

(5)

where $p(x,y)$ is the joint probability density function of $x_i$ and $x_j$, while $p\left(x\right)$ and $p\left(y\right)$ are their marginal probability density functions, respectively.

Considering the influence of various factors over time, the correlation between traffic data features may change. Therefore, a dynamic adjacency matrix is constructed to update the correlations between traffic data features in real time, allowing for timely responses to these changes. The specific steps are as follows.

First, the training set is segmented by a time window T (as shown in Figure 3), where each time window T contains N data packets X. For each time window T, the traffic data $Y_i\in {\mathbb{R}}^{N\times n}$ is transposed to obtain $Z_i\in {\mathbb{R}}^{n\times N}$ (where n represents the number of traffic data features). Then, the similarity between features is calculated to define the adjacency matrix for each traffic packet. The calculation process is shown in Equations (6) and (7):

$$M_1=\sigma \left(Z_i{\mathsf{\Theta }}_1\right),M_1\in {\mathbb{R}}^{n\times f}$$

(6)

$$M_2=\sigma \left(Z_i{\mathsf{\Theta }}_2\right),M_2\in {\mathbb{R}}^{n\times f}$$

(7)

where two different mapping functions, ${\mathsf{\Theta }}_1\in {\mathbb{R}}^{N\times f}$ and ${\mathsf{\Theta }}_2\in {\mathbb{R}}^{N\times f}$, are used to map $Z_i\in {\mathbb{R}}^{n\times N}$ to a higher-dimensional space ${\mathbb{R}}^{n\times f}$, enhancing the representation capability of the relationships between features. Here, $\sigma$ is the sigmoid activation function.

Next, the inner product similarity is used to obtain the similarity matrices $M_1{M}_2^T$ and $M_2{M}_1^T$. These two similarity matrices represent the dependency of source nodes on target nodes and target nodes on source nodes within the graph, respectively. By adding these two matrices together, bidirectional modeling is achieved (with $\sigma$ as the sigmoid activation function). This results in the adjacency matrix $A_d$ corresponding to the traffic data $Y_i$ within each time window T, as follows:

$$A_d=\sigma (M_1{M}_2^T+M_2{M}_1^T),A\in {\mathbb{R}}^{n\times n}$$

(8)

Finally, to ensure the sparsity of the adjacency matrix and prevent overfitting, the average similarity score of each dynamic adjacency matrix is used to filter the adjacency matrix, as shown in the following equation:

$$A_d(i,j)=\left\{\begin{array}{ccc}1,\hfill & A_d(i,j)\ge {\displaystyle \frac{1}{n\ast n}}\sum A,\hfill & i,j\in [1,n]\hfill \\ 0,\hfill & A_d(i,j)<{\displaystyle \frac{1}{n\ast n}}\sum A,\hfill & i,j\in [1,n]\hfill \end{array}\right.$$

(9)

The constructed static adjacency matrix $A_s$ and dynamic adjacency matrix $A_d$ are symmetrically normalized. Graph convolution operations using the APPNP model are then applied to extract both the fixed and dynamic relationships between the traffic data features. The computation process is outlined as follows, from Equation (10) to Equation (13):

$$Z_s^{\left(0\right)}=Y$$

(10)

$$Z_s^{\left(k\right)}=(1-\alpha )\widehat{A_s}{Z}_s^{(k-1)}+\alpha Z_s^{\left(0\right)}$$

(11)

$$Z_d^{\left(0\right)}=Y$$

(12)

$$Z_d^{\left(k\right)}=(1-\alpha )\widehat{A_d}{Z}_d^{(k-1)}+\alpha Z_d^{\left(0\right)}$$

(13)

where $\widehat{A_s}$ and $\widehat{A_d}$ are the normalized static and dynamic adjacency matrices, respectively. Y is the set of N traffic data packets within the time window T, with $Y\in {\mathbb{R}}^{N\times n}$. To differentiate the outputs of the graph convolution operations using different adjacency matrices, let $Z_s^{\left(0\right)}=Y$ and $Z_d^{\left(0\right)}=Y$, representing the inputs to the GCN using the static and dynamic adjacency matrices, respectively. $Z_s^{\left(k\right)}$ and $Z_d^{\left(k\right)}$ represent the static and dynamic node variable embedding matrices after the APPNP graph convolution. $\alpha$ is the weight coefficient of the initial residual, ranging between 0 and 1, and k denotes the number of layers in the GCN.

The final graph convolution result is obtained by weighting the outputs of the static and dynamic adjacency matrix convolutions, as defined in Equation (14):

$$Z^{\left(k\right)}=(1-\eta )Z_s^{\left(k\right)}+\eta Z_d^{\left(k\right)}$$

(14)

where $Z^{\left(k\right)}\in {\mathbb{R}}^{N\times n}$, and $\eta$ represents the weight proportion of the dynamic adjacency matrix output.

The static adjacency matrix is constructed based on long-term traffic data feature relationships, reflecting stable correlations between features over an extended period and typically exhibiting high reliability. Therefore, this manuscript maximizes the correlation by maximizing the mutual information between $Z_d^{\left(k\right)}$, the output from the convolution with the dynamic adjacency matrix, and $Z_s^{\left(k\right)}$, the output from the convolution with the static adjacency matrix. Assuming two random variables, X and Y, their mutual information $MI(X,Y)$ can be maximized following the method proposed by Belghazi et al. [36], as shown in Equation (15):

$$maxMI(X,Y)\ge {\mathbb{E}}_{P(X,Y)}\left[D(X,Y)\right]-log{\mathbb{E}}_{P\left(X\right)P\left(Y\right)}\left[e^{D(X,Y)}\right]$$

(15)

where $D(X,Y)$ is a binary classifier, and its implementation method is as follows:

$$D(d_i,s_i)=\sigma \left(d_i^{T}W{s}_i\right)$$

(16)

where $\sigma$ is the activation function and W is the weight matrix. To concretize this maximization process, we define an unsupervised loss function $L_p$:

$$L_p\left(Z_d^{\left(k\right)},Z_s^{\left(k\right)}\right)=-{\mathbb{E}}_{P\left(d_i,s_i\right)}\left[D\left(d_i,s_i\right)\right]+log{\mathbb{E}}_{P\left(d\right)P\left(s\right)}\left[e^{D\left(d_i,s_i\right)}\right]$$

(17)

where $d_i$ and $s_i$ represent the outputs corresponding to the dynamic and static adjacency matrices, respectively. For each batch of data, a pair is selected from the joint distribution $P(d_i,s_i)$ to estimate the first term of the loss function $L_p$. Then, $s_i$ is shuffled within the batch to generate negative sample pairs, estimating the second term of the loss function $L_p$, thereby achieving the maximization of mutual information.

3.3.2. CNN Layer

After extracting the relationships between traffic data features using the APPNP graph convolution layer, the next step is to extract the temporal information of the traffic data using a temporal convolution module [37]. This manuscript employs a 1D-CNN as the temporal convolution module to extract the temporal features of the traffic data, as shown in Figure 4.

As mentioned above, after applying the APPNP graph convolution to the traffic data Y, the output $Z^{\left(k\right)}$ is obtained. The structure of the 1D-CNN is illustrated in the diagram below. The output $Z^{\left(k\right)}$ from the graph convolution is input into the 1D-CNN for convolution operations, as follows:

$$Z^{\left(l\right)}=g(Z^{(l-1)}{W}^{\left(l\right)}+b^{\left(l\right)})$$

(18)

where $Z^{\left(l\right)}$ represents the feature map of the first layer; $W^{\left(l\right)}$ and $b^{\left(l\right)}$ represent the weights and biases of the convolution kernel, respectively; and g is the activation function. Assuming the convolution kernel size is h and the number of output channels is T, since the input $Z^{\left(k\right)}\in {\mathbb{R}}^{N\times n}$, the output after extracting temporal features using the 1D-CNN is $Z_O\in {\mathbb{R}}^{(N-h+1)\times T}$.

3.3.3. Pooling Layer

After processing through the APPNP graph convolution and 1D-CNN layers, a significant amount of traffic feature information is extracted, leading to a substantial increase in the feature dimensions. However, high-dimensional features increase the model’s parameter count and computational complexity. Introducing a pooling layer can effectively address this issue. The pooling layer compresses high-dimensional features into a one-dimensional representation. This reduces the computational complexity while preserving key information, ensuring the model retains strong representational capacity. The one-dimensional feature layer obtained after pooling is flattened and concatenated into a one-dimensional feature vector, serving as the input for the subsequent fully connected layer.

In the fully connected layer, each neuron is connected to all neurons in the previous layer, integrating the features extracted by the previous layers for the final classification task:

$$y=\sigma (Wx+b)$$

(19)

where x is the input vector for the fully connected layer, y is the output vector, W is the weight matrix, b is the bias vector, and $\sigma$ is the activation function.

Finally, the output from the fully connected layer is passed through a softmax function to compute classification scores, and thus, determine whether the input traffic Y corresponds to a DDoS attack.

Cross-entropy loss is employed as the supervised training objective, quantifying the gap between the model’s predicted distribution and the actual label distribution:

$$L_s=-{\displaystyle \frac{1}{N}}\sum _{i=1}^N[y_{i}log\left({\widehat{y}}_i\right)+(1-y_i)log(1-{\widehat{y}}_i)]$$

(20)

where N is the number of samples, $y_i$ is the true label of the i-th sample (0 or 1), and ${\widehat{y}}_i$ is the predicted probability of the sample being positive. Combining the unsupervised loss function $L_p$ proposed in this section, the total loss of the DDoS attack detection model is defined as the weighted sum of the two loss functions, as shown in Equation (21):

$$L=L_s+\mu L_p$$

(21)

where $\mu$ is the weight of the unsupervised loss, ranging between 0 and 1.

4. Experiment Settings and Results Analysis

4.1. Datasets and Preparation

This study employed the CICDDoS2019 and Edge IIoTset datasets to validate the detection of ICS DDoS attacks.

The CICDDoS2019 dataset, developed by the Canadian Institute for Cybersecurity, is a widely used benchmark in DDoS detection research. It contains traffic data from 13 common DDoS attack types—including HTTP floods, TCP SYN floods, and UDP floods—alongside normal traffic, simulating a realistic network environment [38].

The Edge-IIoTset dataset is a recent benchmark combining IoT and IIoT applications for network security research. It is well-suited for studies involving ensemble and federated learning-based intrusion detection. The dataset includes 14 categories of malicious traffic, with DDoS attacks further divided into HTTP flood, TCP SYN flood, UDP flood, and ICMP flood. It also features traffic from diverse network devices using various protocols, including Modbus/TCP—an application-layer protocol commonly used in ICS environments [39].

4.1.1. Dataset Preprocessing

The shared nature of communication links leads to the multiplexing of packets from various data streams, and as a result, packets belonging to the same stream can be transmitted non-sequentially. This means that the order of packets in the captured raw traffic data may be non-continuous. To address this, this study employed a network traffic preprocessing algorithm proposed by Doriguzzi-Corin [40], which converts captured raw traffic data into an array-like data structure and divides them into sub-data streams based on time windows.

The traffic preprocessing algorithm aggregates packets belonging to the same bidirectional flow into sub-flow samples of size $n\times f$, where f is the number of features extracted from the traffic, and n is the maximum number of packets collected during the parsing of each flow within the time window t. If the number of packets collected within each time window t exceeds n, the flow is truncated; if it is less than n, it is padded with zeros at the end. Finally, each sample is assigned a corresponding label (attack traffic or normal traffic). As shown in Figure 5, the algorithm’s output E can be seen as a two-dimensional sample array, where each row represents packet samples captured within the same time window, and each column represents packet samples belonging to the same bidirectional flow.

Additionally, in terms of feature selection, this research primarily selected 20 network traffic features, including parts of the IP header fields, TCP header fields, UDP header fields, and some application layer protocol fields. Features such as IP addresses and port numbers, which are closely tied to specific classes, were excluded to ensure a fair and accurate model performance.

4.1.2. Dataset Partitioning

Since ICSs are primarily deployed in a distributed manner, the devices in different systems can vary significantly, allowing attackers to exploit these differences with various DDoS attack methods. As a result, the types and volumes of DDoS attack traffic data in different systems often differ. This situation aligns with the federated learning scenario, where data from different participants are not independently and identically distributed. To reflect this scenario, this study included specific category divisions for the CICDDoS2019 and Edge-IIoTset datasets.

First, considering that the number of normal traffic and some attack traffic samples in the CICDDoS2019 and Edge-IIoTset datasets was excessive, random sampling of the datasets was necessary. Then, an artificial categorization of attack types is implemented so that each client’s dataset contains different DDoS attack types, simulating the data distribution in a real ICS environment. The specific details are as follows.

CICDDoS2019 dataset: Based on the 13 types of DDoS attacks in the CICDDoS2019 dataset, we selected a portion of the traffic sample data and divided it into 13 datasets, each representing one client. Among these, seven clients contained only one type of DDoS attack traffic in addition to normal traffic, three clients contained two types of DDoS attack traffic, two clients contained four types of DDoS attack traffic, and one client contained all 13 types of DDoS attack traffic. The specific dataset divisions are shown in

Table 1. Traffic division of DDoS attacks (CICDDoS2019).

Clients	Types of Attack Traffic	Number of Attack Traffic Samples	Number of Normal Traffic Samples
1	DNS, MSSQL	3824	3824
2	LDAP, NETBIOS	5522	5522
3	MSSQL	143,510	143,510
4	NETBIOS	143,325	143,325
5	NTP, SSDP	872	872
6	ALL Types	4730	4730
7	SNMP	10,998	10,998
8	SSDP	20,481	20,481
9	SYN	18,032	18,032
10	TFTP	33,266	33,266
11	UDP	24,044	24,044
12	UDPFLAG, MSSQL, TFTP, UDP	5065	5065
13	WebDDoS, MSSQL, TFTP, UDP	8705	8705

. Note that the last two columns in this table are the same because we performed random sampling of the dataset to ensure that the ratio of the attack traffic to normal traffic was 1:1. This approach is commonly used to maintain the effectiveness of training by balancing the classes.

Edge-IIoTset dataset: Similar to the division method for the CICDDoS2019 dataset, based on the four types of DDoS attacks in the Edge-IIoTset dataset, we selected a portion of the traffic sample data and divided it into four datasets, each representing one client. Among these, Client 1 contained all four types of DDoS attack traffic in addition to normal traffic, Client 2 contained two types of DDoS attack traffic, and Clients 3 and 4 each contained only one type of DDoS attack traffic. The specific dataset divisions are shown in

Table 2. Traffic division of DDoS attacks (Edge-IIoTset).

Clients	Types of Attack Traffic	Number of Attack Traffic Samples	Number of Normal Traffic Samples
1	HTTP, ICMP, TCP, UDP	2740	2740
2	ICMP, TCP	5697	5697
3	TCP	2499	2499
4	UDP	4896	4896

.

This dataset division method ensured the non-IID nature of the datasets across different clients, which better tested the training effectiveness of the proposed FedDynST model. For each local client dataset, we divided the data into training, validation, and test sets in an 8:1:1 ratio. Additionally, 5% of the traffic data from each dataset was selected to form a global test set to evaluate the generalization performance and accuracy of the global model.

4.2. Evaluation Methodology

4.2.1. Evaluation Metrics

Evaluation metrics: This study used five metrics to evaluate the classification performance of the FedDynST model from different perspectives: accuracy, precision, recall, F1-score, and AUC. The formulas for these metrics are as follows:

• Accuracy: ${\displaystyle \frac{TP+TN}{TP+TN+FP+FN}}$;
• Precision: ${\displaystyle \frac{TP}{TP+FP}}$;
• Recall: ${\displaystyle \frac{TP}{TP+FN}}$;
• F1-score: $2\times {\displaystyle \frac{Precision\times Recall}{Precision+Recall}}$;
• AUC: the area under the ROC curve, reflecting the trade-off between the true positive rate and the false positive rate.

• where TP, TN, FP, and FN represent true positive, true negative, false positive, and false negative, respectively. These metrics are selected to provide a comprehensive assessment of model performance, taking into account not only the overall accuracy but also the balance between the detection precision and false positives, which is critical for the continuous operation of ICSs.

4.2.2. Comparison Algorithms

To validate the effectiveness of the FedDynST model in detecting attacks, we selected several classic algorithms and recent novel DDoS attack detection models based on federated learning frameworks for comparison. These were as follows:

• FLAD: This algorithm, detailed in [41], is an adaptive federated learning algorithm for DDoS attack detection. The study used two DDoS attack detection models: FLAD + CNN and FLAD + MLP. Both models were used for comparison in this study.
• FedDDoS: This model, presented at [32], utilizes Pearson coefficient-based feature selection techniques to enhance the detection performance while reducing the model complexity. The detection model for this algorithm is CNN + MLP, and the federated learning algorithm used is FedAvg.
• FedAvg: This classic algorithm in the field of federated learning, introduced in [42], serves as a benchmark model and provides an important starting point for subsequent research. In this work, we trained both a CNN model and our proposed DDoS attack detection model under this federated learning algorithm to compare overall detection performance. These models are denoted as FedAvg + CNN and FedAvg + Ours, respectively.

4.3. Comparative Experiments

4.3.1. Parameter Settings

The proposed model was implemented by PyTorch 2.1.1 on a server equipped with an Intel(R) Xeon(R) Platinum 8352V, 2.10 GHz CPU, and Nvidia RTX 4080 GPU. The presented results are the mean of five runs for all models. The parameter settings for both the DDoS attack detection model and the federated learning framework in the FedDynST model were as follows:

• APPNP layer:

  -

  Input dimension: 20;

  -

  Output dimension: 20;

  -

  Number of layers: 3;

  -

  $\alpha$: 0.3;

  -

  Weight for the dynamic adjacency matrix ($\eta$): 0.3.

• CNN layer:

  -

  Input channels: 20;

  -

  Output channels: 64;

  -

  Kernel size: 3.

• Loss function:

  -

  Weight for the maximization of mutual information loss (unsupervised loss) ($\mu$): 0.1.

• Final classification layer:

  -

  Two fully connected layers for each node with a hidden layer size of 64;

  -

  Output dimension: 1;

  -

  Dropout rate: 0.5.

• Federated learning: each round, half of the clients were randomly selected for aggregation (client selection ratio C = 0.5):

  -

  Local training epochs E = 5;

  -

  Communication rounds r = 20;

  -

  Batch size for the attack detection model: 100;

  -

  Learning rate: 0.005;

  -

  Number of epochs: 5;

  -

  Optimizer: Adam. The final trained model was the one that performed the best on the validation set.

4.3.2. Results

Based on the parameter settings outlined in the previous section, the model training was conducted and compared with the following five models: FLAD+CNN, FLAD+MLP, FLAD+Ours, FedDDoS, and FedAvg+CNN. The experimental results on the CICDDoS2019 dataset and the Edge-IIoTset dataset are as follows:

(1)

Results on CICDDoS2019 Dataset

Table 3. Comparison results of client detection accuracy (CICDDoS2019).

Clients	FedDynST (Ours)	FLAD + CNN	FLAD + MLP	FedDDoS	FedAvg + CNN	FedAvg + Ours
1	0.9989	0.9870	0.9286	0.9385	0.9377	0.9658
2	0.9937	1.0	0.9288	0.9584	0.9354	0.9841
3	0.9972	0.9757	0.9667	0.9584	0.9535	0.9756
4	0.9959	0.9758	0.9515	0.9635	0.9617	0.9836
5	0.9978	0.9611	0.9772	0.9658	0.9541	0.9684
6	0.9948	0.9742	0.9375	0.9737	0.9647	0.9785
7	1.0	0.9748	0.9683	0.9417	0.9541	0.9914
8	1.0	0.9720	0.9402	0.9614	0.9587	0.9781
9	0.9986	0.9455	0.8961	0.9356	0.9344	0.9654
10	0.9984	0.9677	0.9662	0.9258	0.9543	0.9874
11	1.0	0.9443	0.9471	0.9325	0.9148	0.9647
12	0.9803	0.9578	0.9412	0.9412	0.9458	0.9682
13	0.9629	0.9486	0.9343	0.9428	0.9215	0.9874

indicates the comparative experimental results of the detection accuracy across the test sets of the 13 clients.

Table 4. Comparison results of client evaluation metrics (CICDDoS2019).

Model	Accuracy	Precision	Recall	F1	AUC
FedAvg + Ours	0.9769	0.9547	0.9617	0.9582	0.9736
FedAvg + CNN	0.9454	0.9389	0.9568	0.9478	0.9554
FedDDoS	0.9492	0.9498	0.9602	0.9550	0.9675
FLAD + MLP	0.9449	0.9538	0.9606	0.9572	0.9435
FLAD + CNN	0.9680	0.9758	0.9738	0.9748	0.9678
FedDynST	0.9937	0.9835	0.9897	0.9866	0.9957

presents the average values of various metrics across the test sets of the 13 clients.

Table 5. Comparison results of global evaluation metrics (CICDDoS2019).

Model	Accuracy	Precision	Recall	F1	AUC
FedAvg + Ours	0.9874	0.9698	0.9654	0.9676	0.9745
FedAvg + CNN	0.9687	0.9725	0.9635	0.9680	0.9674
FedDDoS	0.9698	0.9654	0.9683	0.9668	0.9699
FLAD + MLP	0.9667	0.9883	0.9649	0.9765	0.9687
FLAD + CNN	0.9751	0.9835	0.9759	0.9797	0.9785
FedDynST	0.9932	0.9938	0.9927	0.9932	0.9972

provides the comparison results of various metrics on the global test set.

From the experimental results, it can be seen that on the CICDDoS2019 dataset, the FedDynST model generally outperformed the other models in terms of accuracy, precision, recall, F1-score, and AUC. Specifically, as shown in Table 1, the detection accuracy of the FedDynST model on the 13 clients was consistently higher than that of other models, where the detection accuracy of each client exceeded 0.96, indicating strong adaptability and high stability of the FedDynST model. According to Table 2, the average values of each metric across the 13 clients for the FedDynST model were also superior to those of the other models. Compared with the novel FLAD + CNN model, the FedDynST model represented an improvement of 2.57% in accuracy, 0.77% in precision, 1.59% in recall, 1.18% in F1-score, and 2.79% in AUC. This indicates that the FedDynST model could identify attack traffic with a higher accuracy in DDoS attack detection tasks. According to the experimental results on the global test set shown in Table 3, the FedDynST model also led the other models in all metrics, reflecting the proposed model’s ability to adapt to different data from various clients, demonstrating good robustness and effective performance across diverse scenarios.

(2)

Results on Edge-IIoTset Dataset

For the Edge-IIoTset dataset, the detection performance of the global model was tested on the test sets of four clients and the global test set using the same metrics. The specific comparative experimental results are shown in

Table 6. Comparison results of client detection accuracy (Edge-IIoTset).

Clients	FedDynST (Ours)	FLAD + CNN	FLAD + MLP	FedDDoS	FedAvg + CNN	FedAvg + Ours
1	0.9989	0.9725	0.9821	0.9628	0.9838	0.9738
2	0.9578	0.9328	0.8000	0.9125	0.9725	0.9417
3	0.9500	0.9148	0.7700	0.9243	0.9135	0.9384
4	0.9798	0.9594	0.8202	0.9248	0.9438	0.9489

,

Table 7. Comparison results of client evaluation metrics (Edge-IIoTset).

Model	Accuracy	Precision	Recall	F1	AUC
FedAvg + Ours	0.9507	0.9785	0.9343	0.9559	0.9695
FedAvg + CNN	0.9534	0.9587	0.9334	0.9459	0.9547
FedDDoS	0.9311	0.9415	0.9210	0.9311	0.9458
FLAD + MLP	0.8431	0.8604	0.7875	0.7787	0.8916
FLAD + CNN	0.9449	0.9243	0.9374	0.9308	0.9818
FedDynST	0.9694	0.9903	0.9489	0.9681	1.0

and

Table 8. Comparison results of global evaluation metrics (Edge-IIoTset).

Model	Accuracy	Precision	Recall	F1	AUC
FedAvg + Ours	0.9678	0.9689	0.9752	0.9720	0.9614
FedAvg + CNN	0.9518	0.9484	0.9918	0.9731	0.9718
FedDDoS	0.9318	0.9358	0.9812	0.9580	0.9574
FLAD + MLP	0.8953	0.8537	0.8642	0.8589	0.6104
FLAD + CNN	0.9468	0.9418	1.0	0.9701	0.9608
FedDynST	0.9947	0.9939	1.0	0.9969	0.9979

.

The experimental results indicate that the proposed FedDynST model outperformed the other models in all metrics, both on the test sets of the four clients and the global test set. Compared with the CICDDoS2019 dataset, the Edge-IIoTset dataset is more suitable for intrusion detection research based on ensemble learning and federated learning. This dataset includes industrial traffic data based on the Modbus/TCP protocol, providing more realistic test scenarios for model training that align with actual ICSs. Therefore, this validates the FedDynST model’s detection capability and application potential in more realistic environments.

4.3.3. Analysis

Overall, the FedDynST model demonstrated superior detection capabilities across both client test sets and the global test set. Models relying solely on a CNN for mining traffic data features struggle to effectively learn traffic patterns. As a result, such a model shows diminished capability in distinguishing normal traffic from attacks during classification tasks. The enhanced detection capabilities of the proposed FedDynST model can be attributed to its improvements in feature representation in several key aspects.

First, the model employs graph neural networks to capture multi-scale temporal dependencies between traffic features, thereby improving the feature representation. Furthermore, it employs one-dimensional 1D-CNN to extract the temporal features of traffic, thereby enriching the feature representation from multiple dimensions and perspectives. This multidimensional feature extraction boosts the model’s ability to identify DDoS attacks.

Second, compared with the average global model update methods used in the FLAD and FedAvg federated learning frameworks, the FedDynST model employs a dynamic weight-based federated learning global model parameter update method. This method optimizes weight allocation by considering the divergence between local and global models and the training loss of clients. This targeted updating ensures a better global model quality and convergence speed.

To further explore the correlation between certain features in industrial control traffic data, one can quantify the relationships between these features by calculating mutual information. Using the Edge-IIoTset dataset as an example, Figure 6 displays a heatmap of the mutual information calculated for selected features from the dataset samples. The color brightness in the heatmap indicates the magnitude of mutual information: brighter colors (closer to yellow) represent higher mutual information values, while darker colors (closer to purple) represent lower values. This demonstrates that there was indeed some correlation between the features of the traffic data.

Particularly, Modbus/TCP protocol features unique to industrial control traffic, such as ModbusADU_len, ModbusADU_transId, and ModbusADU_protoId, showed a high correlation with other features. For instance, the bright area between TCP_window_size (TCP sliding window) and ModbusADU_len (Modbus Application Data Unit length) suggests a strong correlation between these two features. Generally, when ModbusADU_len was larger, this correlation implies that each Modbus/TCP protocol packet contained more data, necessitating a larger TCP window to improve the transmission efficiency. Therefore, the high correlation between these feature fields was reasonable.

The results confirm that the dynamic and static adjacency matrix traffic feature mining method proposed in this manuscript is highly suitable for industrial control scenarios. This is also a primary reason why the FedDynST model outperformed the other models in comparative experiments.

4.4. Ablation Study

The primary innovation of the proposed FedDynST model lies in its integration of static and dynamic adjacency matrices to extract the relationships between traffic data features across different time scales, alongside the design of a dynamic weight-based federated learning parameter update method. These elements collectively ensure the detection performance of the final trained global model. To further explore the model’s rationale, this section examines the effectiveness of each component of the model, validating their contributions to DDoS attack detection, as follows:

• FedDynST model: This model uses both static and dynamic adjacency matrices to extract relationships between traffic features across different time scales. It also employs an unsupervised mutual information maximization loss to maximize the correlation between the outputs of graph convolutions using the two types of adjacency matrices. Additionally, it improves upon the traditional FedAvg federated averaging algorithm by designing a dynamic weight-based federated learning parameter update method.
• FedDynST-APP model: this variant removes the graph convolution layer, retaining only the 1D-CNN layer, to investigate the impact of using static and dynamic adjacency matrices for extracting relationships between traffic features on the model.
• FedDynST-Loss model: this variant removes the unsupervised loss function, aiming to explore the impact of the correlation between the outputs of graph convolutions using different adjacency matrices on the model.

Based on these ablation experiment model variants, this section compares the performance metrics of the different model variants on the CICDDoS2019 and Edge-IIoTset datasets, using both the client test sets and the global test set. The specific results are shown in

Table 9. Ablation results of client evaluation metrics (CICDDoS2019).

Model	Accuracy	Precision	Recall	F1	AUC
FedDynST-Loss	0.9768	0.9638	0.9725	0.9681	0.9528
FedDynST-APP	0.9602	0.9534	0.9720	0.9626	0.9625
FedDynST	0.9937	0.9835	0.9897	0.9866	0.9957

,

Table 10. Ablation results of global evaluation metrics (CICDDoS2019).

Model	Accuracy	Precision	Recall	F1	AUC
FedDynST-Loss	0.9685	0.9583	0.9789	0.9685	0.9832
FedDynST-APP	0.9874	0.9589	0.9687	0.9648	0.9568
FedDynST	0.9932	0.9938	0.9927	0.9932	0.9972

,

Table 11. Ablation results of client evaluation metrics (Edge-IIoTset).

Model	Accuracy	Precision	Recall	F1	AUC
FedDynST-Loss	0.9588	0.9687	0.9326	0.9503	0.9778
FedDynST-APP	0.9429	0.9714	0.9289	0.9497	0.9874
FedDynST	0.9694	0.9903	0.9489	0.9681	1.0

and

Table 12. Ablation results of global evaluation metrics (Edge-IIoTset).

Model	Accuracy	Precision	Recall	F1	AUC
FedDynST-Loss	0.9785	0.9712	0.9841	0.9776	0.9678
FedDynST-APP	0.9834	0.9759	0.9878	0.9818	0.9752
FedDynST	0.9947	0.9939	1.0	0.9969	0.9979

.

The results indicate that the FedDynST model outperformed the other model variants across both datasets, demonstrating the effectiveness of the methods designed within the model. First, the FedDynST model significantly outperformed the FedDynST-APP model, which removed the graph convolution layer, across all the test sets. This highlights the importance of capturing relationships between traffic features for model detection performance. Second, the FedDynST model also surpassed the FedDynST-Loss model, which omitted the unsupervised loss function, indicating that ensuring a certain degree of correlation between traffic feature relationships extracted across different time scales is crucial for maintaining the detection performance. Finally, the FedDynST-Fed model, which replaced the dynamic weight-based federated learning algorithm with the FedAvg federated averaging algorithm, showed a significantly inferior performance compared with the FedDynST model. This confirmed that the dynamic weight-based federated learning algorithm designed in this work effectively enhanced the performance of the final trained global model.

4.5. Parameter Study

4.5.1. The Weight Proportion of the Dynamic Adjacency Matrix

In the FedDynST model, the output weight parameters of the static adjacency matrix and the dynamic adjacency matrix through the APPNP graph convolution layer are set to $1-\eta$ and $\eta$, respectively. To explore the impact of $\eta$ on the model performance, this section tests presents the results of testing the FedDynST model on the CICDDoS2019 and Edge-IIoTset datasets, with $\eta$ set to 0.1, 0.2, 0.3, 0.4, and 0.5 while keeping the other parameters unchanged. The experimental results are illustrated in Figure 7.

The experimental results indicate that on both the CICDDoS2019 and Edge-IIoTset datasets, the model’s performance initially improved and then declined as $\eta$ increased, where it reached its optimal performance around $\eta =0.3$. On the CICDDoS2019 dataset, the model achieved its second-best performance at $\eta =0.2$, while on the Edge-IIoTset dataset, the second-best performance occurred at $\eta =0.4$. The model achieved an optimal performance when $\eta$ was within a reasonable range; excessively high or low values of $\eta$ adversely affected the performance. When $\eta$ was too low, the information captured by the dynamic adjacency matrix on short time scales contributed minimally to the overall feature representation, which was detrimental to subsequent classification tasks. Conversely, when $\eta$ was too high, the feature representation of the traffic included too much information about changes in traffic feature relationships, making the model overly sensitive to variations in the traffic features and leading to false alarms, thereby degrading the performance. Overall, the proportion of the dynamic adjacency matrix’s output weight should not exceed that of the static adjacency matrix, aligning with general understanding.

4.5.2. The Weight of Unsupervised Loss

In the FedDynST model, the total loss function is a weighted sum of the supervised cross-entropy loss for the classification task and the unsupervised maximum mutual information loss, with the unsupervised loss weighted by $\mu$. To explore the impact of the parameter $\mu$ on model performance, this section presents the results of a controlled variable analysis with $\mu$ set to 0.02, 0.04, 0.08, 0.1, and 0.2 on the CICDDoS2019 and Edge-IIoTset datasets. The experimental results are shown in Figure 8.

The results indicate that, similar to the parameter $\eta$, the model’s performance on both datasets initially improved and then declines as $\mu$ increased, reaching its optimal performance around $\mu =0.1$. When $\mu$ was less than 0.1, the model performance dropped significantly, indicating that the influence of the unsupervised loss in the total loss function was insufficient. This suggests that the model did not effectively leverage the relationships between traffic data features to enhance detection performance. Conversely, when $\mu$ exceeded 0.1, the model performance also declined, suggesting that the model’s final classification task still needed to be primarily guided by the supervised loss. As $\mu$ continued to increase, the model overly focused on the intrinsic structure of the traffic data while neglecting the actual goal of the classification task, leading to a decrease in the performance.

4.6. Convergence Study

To assess the complexity and feasibility of the FedDynST model, we compared its convergence with previously discussed models. After 20 rounds of federated learning training, we calculated the average metrics for each communication round and the total time taken for the training, as shown in

Table 13. Convergence study on the CICDDoS2019 dataset.

Model	Accuracy	Precision	Recall	F1	AUC	Time (s)
FedAvg + Ours	0.9378	0.9389	0.9338	0.9388	0.9409	449.56
FedAvg + CNN	0.9245	0.9374	0.9412	0.9393	0.9285	420.27
FedDDoS	0.9201	0.9118	0.9287	0.9202	0.8978	445.82
FLAD + MLP	0.9288	0.9217	0.9324	0.9270	0.9125	388.87
FLAD + CNN	0.9330	0.9414	0.9442	0.9428	0.9325	415.34
FedDynST	0.9628	0.9714	0.9541	0.9629	0.9518	405.98

and

Table 14. Convergence study on the Edge-IIoTset dataset.

Model	Accuracy	Precision	Recall	F1	AUC	Time (s)
FedAvg + Ours	0.9365	0.9579	0.9011	0.9286	0.9487	25.21
FedAvg + CNN	0.9324	0.9613	0.8974	0.9284	0.9512	18.93
FedDDoS	0.9284	0.9584	0.8741	0.9178	0.9416	19.86
FLAD + MLP	0.9587	0.9614	0.9014	0.9304	0.9657	41.89
FLAD + CNN	0.9478	0.9636	0.8947	0.9279	0.9587	53.38
FedDynST	0.9728	0.9714	0.9128	0.9412	0.9762	21.83

.

According to the experimental results, the FedDynST model demonstrated a superior performance in terms of the average accuracy, precision, recall, F1-score, and AUC compared with the other five models while maintaining similar training times. Specifically, as illustrated in Figure 9, which show the convergence plots of accuracy for different datasets, the FedDynST model experienced a rapid increase in accuracy during the initial rounds of federated learning training and stabilized quickly. In contrast, the other models converged more slowly, and their average metrics after stabilization remained lower than those of the FedDynST model. This indicates that the FedDynST model could achieve high performance metrics in a relatively short amount of time when dealing with different data from various clients, demonstrating excellent convergence properties.

Moreover, the training times for 20 rounds of federated learning for the FLAD + Ours and FedAvg + Ours models on both datasets were higher than for the FedDynST model. This suggests that the federated learning algorithm based on dynamic weight Q, as designed in this study, offered superior convergence speed. Overall, the convergence performance of the FedDynST model surpassed that of the comparison models, particularly in terms of the convergence speed and final performance metrics, indicating the high practicality of the FedDynST model in industrial control system scenarios.

5. Conclusions

This paper proposes FedDyST, a DDoS attack detection model based on federated learning and dynamic spatiotemporal networks, which was specifically designed for ICSs within cloud–edge environments. Within the framework of federated learning, we innovatively combined static and dynamic adjacency matrices to learn the relationships between traffic data features across various temporal scales. This approach significantly enhanced the performance of the DDoS attack detection model. Our experimental analysis, conducted on both the CICDDoS2019 and Edge-IIoTset datasets, demonstrated the superior detection performance of our proposed model when compared with various federated learning-based DDoS detection algorithms.

Future work will focus on further investigating the engineering implementation of DDoS attack detection in cloud–edge collaborative industrial control scenarios. This aims to enhance the identification capabilities of DDoS attack traffic across different industrial contexts and facilitate the implementation of more targeted defense strategies.