G-PFL-ID: Graph-Driven Personalized Federated Learning for Unsupervised Intrusion Detection in Non-IID IoT Systems

Abstract

Intrusion detection in IoT networks is challenged by data heterogeneity, label scarcity, and privacy constraints. Traditional federated learning (FL) methods often assume IID data or require supervised labels, limiting their practicality. We propose G-PFL-ID, a graph-driven personalized federated learning framework for unsupervised intrusion detection in non-IID IoT systems. Our method trains a global graph encoder (GCN or GAE) with a DeepSVDD objective under a federated regularizer (FedReg) that combines proximal and variance penalties, then personalizes local models via a lightweight fine-tuning head. We evaluate G-PFL-ID on the IoT-23 (Mirai-based captures) and N-BaIoT (device-level dataset) under realistic heterogeneity (Dirichlet-based partitioning with concentration parameters $\alpha \in \{0.1,0.5,\infty \}$ and client counts $K\in \{10,15,20\}$ for IoT-23, and natural device-based partitioning for N-BaIoT). G-PFL-ID outperforms global FL baselines and recent graph-based federated anomaly detectors, achieving up to 99.46% AUROC on IoT-23 and 97.74% AUROC on N-BaIoT. Ablation studies confirm that the proximal and variance penalties reduce inter-round drift and representation collapse, and that lightweight personalization recovers local sensitivity—especially for clients with limited data. Our work bridges graph-based anomaly detection with personalized FL for scalable, privacy-preserving IoT security.

1. Introduction

The Internet of Things (IoT) has shown many benefits in various fields, including healthcare [1], logistics, and smart infrastructure [2]. The IoT is an interconnected network of physical objects that can include everyday consumer electronics, smart home devices, enterprise edge gateways, and industrial infrastructure [3]. These devices use networked sensors and actuators to collect and analyze sensor data, improving operational efficiency, revealing system behavior, supporting predictive maintenance, and enabling new services [4,5,6]. However, the growth of interconnected devices increases the attack surface, opening up more possible attack points in the network.

Notable examples include botnets such as Mirai, Emotet, and Srizbi, which have exploited weaknesses in devices on a large scale [7,8,9]. Once compromised, these devices are often used for attacks such as denial of service (DoS), distributed denial of service (DDoS), and spoofing campaigns. These attacks exploit protocol or software vulnerabilities, overwhelm network or computing resources, impersonate legitimate traffic, and facilitate spamming, advertising fraud, intellectual property theft, ransomware deployment, and other fraudulent activities [10,11,12].

To reduce risks in IoT systems, operators typically deploy both preventive and detective controls. These techniques include network segmentation, hardened firewall rules, platform hardening, secure update mechanisms, and packet filtering appliances [13,14,15,16,17]. Although these techniques often serve as the first line of defense, blocking many known exploits, intrusion detection systems (IDS) remain crucial to monitoring network traffic and identifying attacks that evade these defenses [18].

Classical IDS approaches can be categorized as signature-based, anomaly-based, or hybrid-based. A signature-based IDS compares traffic with known threat patterns. Studies show that these techniques are effective at detecting familiar exploits with relatively few false alarms, yet they struggle with novel or zero-day attacks and require frequent updates [18,19,20]. Anomaly detectors (AD) learn patterns of expected behavior, such as normal traffic volume, protocol usage, and communication timing. They raise alerts when behavior diverges [21]. Once expected behaviors have been established, ADs are effective at identifying new threats; however, false alarm rates tend to increase unless baselines are carefully adjusted, particularly in dynamic IoT environments [18,20,21]. Hybrid systems combine methods to achieve better coverage and accuracy. However, in IoT deployments, this combination results in increased complexity, greater resource demands, and heavier maintenance burdens [18,20].

Machine learning (ML) expands the capabilities of IDS beyond handcrafted rules, enabling the detection of unfamiliar threats by learning directly from device logs [22]. However, supervised ML IDS requires labeled datasets to develop effective models. This process involves gathering and labeling large datasets that include current attack types across many different IoT devices. These datasets can be very expensive and often impractical, as discussed in [23,24,25]. A commonly proposed technique in the literature is training positive-only datasets to understand benign behavior and flag deviations [26,27].

Recent literature shows that graph-aware models, such as graph autoencoders (GAEs) and graph convolutional networks (GCNs), effectively detect anomalies in centralized settings when the data contains relational or structural dependencies. Network sensor data naturally records relationships between hosts and flows, such as sessions, services, ports, and device roles, as well as how these elements communicate with one another. Representing this data as a graph reveals multi-hop dependencies and structural outliers that pointwise methods often overlook [28,29,30]. However, deploying centralized ML-IDS in real IoT environments often poses practical challenges. For instance, collecting raw traffic to a central server increases communication overhead and latency. It also requires more computing power and memory than many edge devices can provide, creating a single point of failure [31,32].

Federated learning (FL) offers a promising solution to addressing these challenges. In this approach, each client trains using its own local data and only shares model updates with a coordinating server [33,34,35,36,37], which significantly reduces the transfer of raw data and provides stronger privacy protections. However, deploying FL in IoT environments presents unique challenges. Many IoT FL–based intrusion-detection studies assume only mild non-independent and identically distributed (non-IID) variation across clients. In practice, however, clients often differ substantially in the quantity and distribution of their data. Consequently, simple aggregation methods, such as FedAvg [38], can produce global models that perform poorly for clients with highly heterogeneous data distributions [36,39,40,41,42,43]

Additionally, embeddings may collapse during unsupervised or self-supervised graph training in FL if clients only observe very small local batches or experience intermittent connectivity. Model aggregation becomes unstable when data is partitioned in a highly skewed manner, either by label or by volume. This instability is especially likely when many clients have only benign examples [44,45,46,47].

To address these issues, we propose a graph-based, personalized, unsupervised IDS trained in a federated manner across heterogeneous IoT clients. The approach follows a two-stage pipeline that begins with joint training of a shared graph encoder (a GCN or a GAE backbone) under a combined reconstruction and one-class objective [27]. Training is augmented with a proximal regularizer (FedProx) [48] and an embedding-variance penalty intended to stabilise updates when local data are scarce. The encoder is implemented in two complementary instantiations. The first is a graph-level GCN trained with a DeepSVDD objective that yields a compact hypersphere decision rule. The second is a hybrid GAE–DeepSVDD model that enforces reconstruction fidelity while also encouraging embedding compactness.

We adopt the hybrid variant as the canonical G-PFL-ID encoder because it combines the interpretability of reconstruction-based scoring with the explicit one-class boundary that operational detection benefits from. The GCN–DeepSVDD configuration is evaluated as a principled baseline and is used in ablations to probe how different inductive biases interact with the proposed federated regularizers and personalization choices.

After the global stage converges, clients perform light personalization by fine-tuning a small local head on benign examples and computing client specific calibration statistics. To simulate realistic heterogeneity we induce quantity skew via Dirichlet partitioning with concentration parameters $\alpha \in \{0.1,0.5,\infty \}$ and we vary the number of clients in the federation $K\in \{10,15,20\}$. Empirical evaluation on IoT-23 under these controlled splits demonstrates consistent gains from the proposed regularizers and from local personalization.

The main contributions of this paper are as follows:

• We implement and evaluate two federated one-class graph encoders that are compliant to federated training and comparable under identical conditions. These are a graph-level GCN trained with a DeepSVDD objective, and a hybrid GAE–DeepSVDD that jointly optimises reconstruction and embedding compactness. 
• We introduce two lightweight regularizers for federated unsupervised learning. A proximal aggregation term reduces weight divergence when client sample sizes vary. An embedding variance penalty mitigates representation collapse on small-data clients and preserves discriminative capacity. 
• We design a compact personalization head that each client fine-tunes on benign data. The head, together with selective encoder fine-tuning, restores local sensitivity while keeping communication overhead low. 
• We provide an extensive empirical study on IoT-23 using Dirichlet partitions with $\alpha \in \{0.1,0.5,\infty \}$ and $K\in \{10,15,20\}$, and further validate G-PFL-ID on the N-BaIoT dataset (treating each of the 9 IoT devices as a separate client, $K=9$) to demonstrate generalizability under real-world device heterogeneity. We report both global and personalized metrics (AUROC, AUPR, detection rates at fixed false-positive rates) and present ablation studies that isolate the contribution of each proposed component.

The rest of the paper is organized as follows. Section 2 situates our work relative to graph-based IDS and federated personalization. Section 3.1.1 formalizes the federated one-class problem and the partitioning protocols. Section 3 presents the model architecture, objectives, and federated algorithm. Section 4.1 details the experimental design and Section 4.2 reports the results and ablations. We conclude in Section 5 with limitations and directions for future work.

2. Related Works

In this section, we survey state-of-the-art work related to our proposal. We start with FL techniques applied to IoT intrusion or anomaly detection, then move to unsupervised anomaly detection methods, and finally discuss personalized federated learning approaches.

2.1. Federated Learning for Intrusion Detection

Existing studies have explored the use of federated learning for intrusion detection in various IoT and networked settings. Bhavsar et al. [49] proposed an edge-deployed federated learning intrusion detection system (FL-IDS) that runs lightweight classifiers on embedded devices and reported supervised training evaluated under an independent and identically distributed (IID) assumption on the NSL-KDD and Car Hacking datasets. Nguyen et al. [50] presented FedNIDS, a supervised, packet-level federated framework designed to disseminate incremental knowledge about new attacks. The paper reported strong empirical F1 scores, but the evaluation did not focus on extreme non-IID splits. Althunayyan et al. [51] designed a hierarchical federated learning (FL) system for in-vehicle Controller Area Network (CAN) bus monitoring. The system uses a two-stage detector with an LSTM autoencoder in the second stage. The proposed supervised model was evaluated on CAN datasets, but it did not explicitly stress-test severe client.

Huang et al. [52] introduced FED IoV, which converts vehicular traffic into images and trains MobileNet Tiny in a supervised, federated setting using the CAN Intrusion and CICIDS2017 datasets. The reported experiments assume independent and identically distributed (IID) clients and did not explore adversarial robustness. Shao et al. [53] used evolutionary neural architecture search to discover compact federated CNN models for industrial control systems. The supervised method was evaluated using the Gas Pipeline, SWaT, and WADI datasets, but non-IID behavior was not the main focus. Praharaj et al. [54] applied federated transfer learning to anomaly detection in cooperative smart farming. The authors reported supervised results on two smart farm testbeds, along with communication compression and acknowledge heterogeneity among farms but did not systematically parameterize it via Dirichlet or similar splits or measure the degree of heterogeneity. Singh and Popli [55] developed a supervised and validated federated IDS for underwater drones using a combination of in-house and public datasets, including CIC IDS 2017. However, the work did not deeply examine extreme non-IID participation.

Another group of studies looked at class imbalance and continuous learning, which are practical problems for supervised FL in IDS. Jin et al. [56] proposed FL-IDS, which augments local training with a class gradient balance loss and a relay client that fuses reconstructed samples. The evaluation was carried out using UNSW-NB15 and CIC-IDS17, showing improved resilience to catastrophic forgetting. However, the experiments consider moderate rather than extreme non-IID conditions. Mazid et al. [37] propose FL-IDPP, which used bidirectional RNNs locally and a voting ensemble at the server to improve decision quality. The paper reported reduced convergence time but does not analyze performance under strong client heterogeneity. Singh et al. [57] explicitly addressed class imbalance in federated IDS. The authors evaluated their class balancing strategies under both IID and moderate non-IID settings using the WUSTL IIoT 2021 dataset.

A common drawback of these studies is that they rely on supervised labels and therefore require access to representative attack annotations locally. Additionally, evaluations often assume mild heterogeneity or fail to systematically vary the degree of non-IID partitioning.

2.2. Unsupervised Anomaly Detection

Unsupervised techniques for anomaly detection in IoT networks do not require labeled attack examples, making them well-studied [21]. Classical methods include reconstruction-based models, such as autoencoders [58] and variational autoencoders [59]. These models learn to reconstruct benign behavior and flag inputs with large reconstruction errors [26,28]. Other common families of methods include one-class and density estimators, such as Isolation Forest (IF) and Local Outlier Factor (LOF). These methods identify points as anomalous if they fall in low-density regions or are isolated from the main data mass [60]. Clustering and density-based approaches group normal instances and treat points belonging to very small or sparse clusters as anomalies [21]. These algorithms perform well in many settings but they face practical difficulties when applied to heterogeneous networked IoT data.

There are two relevant challenges in federated and constrained IoT deployments. First, reconstruction-based models typically rely on large, representative, benign datasets to learn reliable generative mappings. When clients have limited local data, the quality of reconstruction can degrade, raising both false negatives and false positives [61,62]. Second, unsupervised feature learners are prone to representation collapse under small sample sizes or small batches. Representation collapse occurs when encoders map distinct normal instances to overly similar latent vectors. This behavior has a negative effect on one-class detectors. For instance, DeepSVDD and related hypersphere methods rely on a compact but informative normality region. When embeddings collapse, the hypersphere becomes trivial, fails to separate anomalies from normal examples, and detection performance degrades [27,63].

Recent federated work proposes complementary solutions. Federated denoising autoencoders, such as L-MDAE, demonstrate that collaborative training across noisy, multimodal clients can enhance robustness [64]. Temporal hybrids combining LSTM encoders and autoencoders have been applied to grid and telemetry data in a federated manner, yielding promising results [65]. Other approaches share compressed distributional summaries or local density functions, using those summaries to guide contrastive or density-based learning at the client level [61,66]. Contrastive learning can increase embedding diversity, but it is conceptually at odds with one-class learning. The contrastive objective pushes many pairs apart, whereas the one-class objective prefers normal samples to remain close together. In federated non-IID settings, naive contrastive losses can amplify cross-client divergence unless coupled with careful regularization [61,67].

To address the limitations of naive contrastive losses, a family of density-based methods aims to preserve the geometry of high-density inlier subspaces. RIFIFI modifies the isolation forest paradigm to isolate outliers while preserving dense subspace structure. This improves interpretability and reduces false alarms [60]. However, these methods still neglect relational context, such as host-to-host relations or flow sequences, which are often essential for network intrusion detection [68,69].

Graph-based methods address this gap by using structural cues that single-point detectors cannot perceive. Graph autoencoders and their variational counterparts learn representations by reconstructing edges and node attributes. Anomalies are revealed via either large reconstruction error or embeddings that deviate from normal inlier [28,70,71]. Therefore, federated adaptations of graph learning have been proposed. For instance, FedGCN reduces communication per round by exchanging neighbor summaries beforehand and then updating local subgraphs [47].

Some frameworks apply contrastive self-supervision to graphs, maintaining global negative pairs or pseudo-labels to improve the separation between anomalous and normal nodes [72,73]. Methods such as LG-FGAD combine adversarial anomaly generation with local-global knowledge distillation to increase anomaly awareness in non-IID federated settings [74]. While these graph-aware federated methods often outperform tabular baselines on graph anomaly benchmarks, they introduce new system-level trade-offs. For example, cross-client edge handling becomes necessary, per-round communication increases, and small local graphs become more sensitive to noise [68,75].

Deep one-class models, such as DeepSVDD, provide an explicit decision rule by learning a compact hypersphere that encloses normal data [27,76]. Combining reconstruction objectives with a one-class boundary (e.g., a VAE linked to SVDD) increases robustness because the model preserves data fidelity while enforcing a clearer decision surface [77,78]. These hybrids and pure one-class approaches are now being adapted to federated settings for both anomaly detection and defending against malicious updates [63]. However, applying naive federated averaging to DeepSVDD-style models can be fragile. When client embeddings drift inconsistently under severe non-IID sampling, the global hypersphere can be poorly defined, resulting in poor detection performance [79].

2.3. Personalized Federated Learning (PFL)

Personalization has emerged as a practical solution because a single global model rarely fits every client in a heterogeneous federation. In intrusion detection, for example, each site has its own mix of devices, traffic patterns, and operational constraints. A model tuned to these particularities often yields fewer false alarms, better local utility, and preserves the privacy benefits of federated training [80,81]. The empirical literature supports this intuition, and several distinct paradigms of personalization techniques have been developed.

One paradigm splits the model into a shared backbone and small client-specific modules, which could be a decoder or scoring head. The backbone is trained collaboratively across clients while the head remains private and is adapted locally. This pattern is easy to implement and keeps communication costs low because only the backbone parameters are exchanged during federation. Representative work includes FedPer [80] and FedRep [81], which demonstrate that separating shared representations from local heads can substantially improve performance for each client under heterogeneity. Ref. [82] also employed this paradigm to address the vulnerability of FL-based IDS systems to poisoned clients in non-IID IoT data environments. The proposed supervised PFL method for IDS (pFL-IDS) successfully defended against approximately $\approx 30$ poisoned clients while maintaining a low attack success rate, outperforming prior approaches. However, detection is limited to the attacks on which it was trained.

Another family of methods uses proximal regularization or related penalties to limit how far local updates may deviate from the global solution. FedProx [48] is the canonical example, and Ditto [83], builds on this concept by framing personalization as a two-level problem. In this problem, each client learns a model that remains close to a global reference while optimizing its own local objective. Regularizers of this type are appealing in IDS because they explicitly balance global consensus with local specialization and allow for straightforward analysis and tuning via a single regularization coefficient.

Methods such as Per-FedAvg treat federated learning as a form of meta-training that produces an initialization that can be adapted with a few local gradient steps [84]. Meta-based personalization is attractive when clients have very few labeled examples or when fast local adaptation is required. In practice, this approach has been applied more often to supervised tasks. However, the underlying idea can be applied to one-class or unsupervised settings, where a shared encoder can be rapidly adapted to local normal behavior [84,85,86].

Another family of methods groups clients into clusters or learns a client similarity graph so that only similar participants share information with one another. Clustering reduces negative transfer from dissimilar peers and can be implemented in multiple ways. For example, it can be done by grouping gradient signatures [46], estimating pairwise affinities [87], or learning a client network from marginal parameter statistics [88]. This family is relevant in graph-based federated anomaly detection because clients that host similar subgraphs or run similar services are natural sharing partners.

A notable trend regarding the benefits of these paradigms to FL is that they often improve worst-case performance per client rather than just average performance. This is important because a single poorly performing client can pose a significant risk [83]. However, two gaps are directly relevant to graph-based, unsupervised intrusion detection. First, many practical FL-IDSs operate on tabular features or time series and do not exploit the relational signals captured by graph models. Second, most personalization work has been developed independently of unsupervised, one-class objectives and the regularizer that stabilizes unsupervised, federated training. A summary of the existing related literature is presented in

Table 1. Comparison of selected federated learning-based IDS works and the present paper.

Ref	Year	FL Algorithm	Local Model (Client)	Server Model/Aggregation	Learning Type	Non-IID Reported	Personalized
Jin et al. [56]	2024	FedAvg with relay	CNN/CNN-GRU variants	Relay client fuses reconstructed samples	S	No	No
Mazid et al. [37]	2025	FedAvg + voting	Bi-RNN/RNN	Voting ensemble at server	S	No	No
Singh et al. [57]	2024	FedAvg variant (class-balanced)	DNN (local)	Aggregation with class-balancing adjustments	S	No	No
Nguyen et al. [50]	2025	FedAvg	Packet-level DNN	Aggregated DNN	S	No	FT
Xie et al. [46]	2021	Clustered FL	Local GNNs	Cluster-specific aggregations (gradient-based clustering)	S	Yes/JSD	C
Yao et al. [47]	2023	FedGCN (pre-exchange)	GCN variants (local)	Server aggregates precomputed neighbour summaries	SS	DD	No
Cai et al. [74]	2024	Custom federated GAD	GNN encoder + local discriminator	Dual knowledge distillation (local ↔ global)	U	Yes/KL-D	KDist
Zhang et al. [63]	2025	Deep one-class in FL (defence)	DeepSVDD embeddings on local updates	Server filters suspicious updates using one-class scores	U	Yes/DPA	No
Sáez-de-Cámara et al. [87]	2023	Clustered FL + fingerprinting	Local unsupervised anomaly detectors	Server clusters devices by model fingerprints; cluster-wise training	U	Yes/Infer	C
Li et al. [83]	2021	Regularised FedAvg (bi-level optimisation)	Generic DNN models	Aggregates global model; each client solves personalised subproblem with proximal regulariser $\lambda \parallel {\theta }_i-{\theta }_g{\parallel }^2$	S	Yes/DP	RegP
Fallah et al. [84]	2020	Meta-learning based FL	Task-agnostic networks (MAML-style)	Global model provides initialisation optimised for fast client adaptation	S	Yes/TVD & 1-WD	MetL
Thein et al. [82]	2024	pFL-IDS (personalized)	Local supervised classifier	Aggregated backbone + local head	S	Yes/DP	FT
Ours	2025	FedProx variant + var-penalty	GCN/GAE backbone; small local one-class head	Aggregated backbone; local head personalisation & fine-tuning	U	Yes/(DD + KL-D)	FT & RegP

Columns report the following: the federated learning (FL) algorithm used, the local (client) model, and the server aggregation method. The learning type is indicated as supervised (S), semi-supervised (SS), or unsupervised (U). The Non-IID behaviour column specifies whether the model was tested under non-IID settings. The possible entries are: ’Not reported’ (No), ’Mild’ (mentioned but not experimentally reported), or ’Yes’ (experimentally reported), with the metrics used for measurement listed. These metrics includes: Jensen-Shannon Distance (JSD), Dirichlet Distribution (DD), Generic Data partitioning (DP), Kullback–Leibler Divergence (KL-D), Direct Probabilistic Assignment (DPA), Total Variation Distance (TVD), 1-Wasserstein Distance (1-WD) and Device Characteristics (Infer). Finally, the Personalization column indicates whether personalization is provided. Personalization types include: Fine-Tuning Cluster (FT), Proximal Regularization (RegP), Meta-Learning (MetL), Clustering (C), Knowledge Distillation (Dist).

.

In this article, we combine these threads by federating a shared GNN encoder under a combined reconstruction and DeepSVDD one-class objective. We also augment local training with proximal and variance-preserving regularizers and allow lightweight local heads to personalize detection while minimizing backbone communication.

3. Methodology

3.1. Preliminaries

We present the preliminaries, which include the federated one-class problem for graph-structured IoT network traffic, and the definition of the main notation used for this study.

3.1.1. Problem Formulation

Given K clients with local datasets $\{{\mathcal{D}}_1,{\mathcal{D}}_2,\dots ,{\mathcal{D}}_K\}$ that contain primarily benign network traffic data, our goal is to learn a global model that can detect anomalous behavior while preserving data privacy. The objective is to minimize:

$$\underset{\theta }{min}{\mathcal{L}}_{\mathrm{global}}\left(\theta \right)=\sum _{k=1}^K{\displaystyle \frac{n_k}{N}}{\mathcal{L}}_k\left(\theta \right)+\Lambda \left(\theta \right),$$

(1)

where ${\mathcal{L}}_k\left(\theta \right)$ is the local unsupervised loss in client k and $\Lambda \left(\theta \right)$ denotes server-side regularization.

We transform network traffic into graph structures where anomalies manifest as deviations from learned normal patterns in the graph embedding space.

3.1.2. Notations and Definitions

We consider a federation of K clients (edge devices or gateways) indexed by $\mathcal{C}=\{1,\dots ,K\}$. Each client $k\in \mathcal{C}$ has a private data set ${\mathcal{D}}_k$ derived from network telemetry (Zeek conn logs in our experiments). From ${\mathcal{D}}_k$ we construct a client graph.

$$G_k=(V_k,E_k,X_k),$$

(2)

where $V_k$ is the set of nodes (hosts), $E_k$ the observed flow edges, and $X_k\in {\mathbb{R}}^{|V_k|\times d}$ the node feature matrix with d features per node. We denote by $A_k$ the adjacency matrix of $G_k$ and by $n_k=\left|V_k\right|$ the number of nodes on the client k. The total number of nodes in the federation is $N={\sum }_{k=1}^K{n}_k$.

A shared graph encoder $f_{\theta }$ parameterized by $\theta$ maps a client graph to the node embeddings:

$$Z_k=f_{\theta }(X_k,A_k)\in {\mathbb{R}}^{n_k\times m},$$

(3)

where each row $z_{k,i}\in {\mathbb{R}}^m$ is the embedding of node i and m is the embedding dimension.

Our pipeline supports three one-class instantiations: (i) GCN–DeepSVDD that directly optimizes a DeepSVDD hypersphere on graph-level GCN embeddings, (ii) GAE that uses reconstruction error on structure/features as an anomaly score, and (iii) a hybrid GAE–DeepSVDD that jointly optimizes reconstruction and hypersphere compactness. When using the GAE variant, the full model is $f_{\theta }$ (encoder) and $g_{\psi }$ (decoder) and both sets of parameters can be updated during federated rounds to minimize reconstruction objectives. For DeepSVDD variants, the training focuses on $f_{\theta }$ and a one-class objective. The personalization parameters ${\varphi }_k$ are introduced after the global backbone stabilizes. Clients initialize $h_{{\varphi }_k}$ from the stabilized backbone provided by the server, then perform local fine-tuning on benign samples while keeping most of $\theta$ fixed or allowing limited encoder updates according to the selected personalization budget.

Table 2. Notation summary.

Symbol	Meaning
K	Number of federated clients
${\mathcal{D}}_k$	Local dataset at client k (flows, per-host aggregates)
$G_k=(V_k,E_k,X_k)$	Local graph at client k with nodes $V_k$, edges $E_k$, features $X_k\in {\mathbb{R}}^{n_k\times d}$
d	the input feature dimension (typically 128 for IoT-23 features)
$n_k$	Number of nodes at client k ($|V_k|$)
N	Total nodes across all clients, $N={\sum }_k{n}_k$
$f_{\theta }$	Shared graph encoder (GCN/GAE encoder) with encoder parameter $\theta$ shared globally via federation
$g_{\psi }$	Optional decoder for GAE reconstruction with decoder parameter $\psi$ shared globally via federation
$h_{{\varphi }_k}$	Client k’s lightweight personalization head
$Z_k$	Embeddings at client k, $Z_k=f_{\theta }(X_k,A_k)\in {\mathbb{R}}^{n_k\times m}$
m	Embedding dimension (typically 16 in our experiments)
$z_{k,i}$	Embedding for node i at client k (row of $Z_k$)
c/$c_k$	Global or client DeepSVDD center; $c_k$ is client k’s hypersphere center
$\mu$	FedProx proximal coefficient used in local updates
$\lambda$	Weight decay regularization coefficient
$\alpha$	Dirichlet concentration parameter for non-IID partitioning

summarizes the main symbols used throughout the paper.

3.2. G-PFL-ID Overview

The proposed Graph-based Personalized Federated Learning for Intrusion Detection (G-PFL-ID) framework addresses the fundamental challenges of IoT security in distributed environments through a comprehensive two-stage architecture. As illustrated in Figure 1, our approach combines global model federation with client-specific personalization to achieve robust generalization while maintaining individualized adaptation to local data distributions. The G-PFL-ID framework operates through the following systematic process:

• Global Model Initialization:The process begins with the central server initializing a shared global intrusion detection model $f_{\theta }$. This model employs graph-based architectures which includes the option to use GCN encoders or GAE encoders with decoders $g_{\psi }$ for reconstruction tasks [28,30,68]. The initialized model is broadcast to all participating clients at the beginning of each federation round t.
• Local Training with Multi-Objective Optimization: Each client k computes local updates using the shared global model $f_{\theta }$ on its per-host aggregated graph dataset ${\mathcal{D}}_k$. The local optimization incorporates three key components:

  –

  Task-Specific Objective: Clients employ one of three graph-based architectures: GAE (Graph Autoencoder), GAE-DeepSVDD, or GCN-DeepSVDD, depending on the detection paradigm (reconstruction-based or hypersphere-based anomaly detection).

  –

  FedProx Regularization: The proximal term ${\displaystyle \frac{\mu }{2}}{\parallel \theta -{\theta }^t\parallel }^2$ [48] stabilizes training under non-IID data distributions by constraining local updates to remain close to the global model.

  –

  Embedding Variance Penalty: A variance regularization term ${\lambda }_{\mathrm{var}}·{\mathcal{L}}_{\mathrm{var}}\left(z\right)$ promotes compact feature representations, enhancing anomaly detection performance in one-class settings.

• Secure Server Aggregation with Intrusion Detection: The global server employs an intrusion detection mechanism to identify and filter out potentially malicious client updates ${\Delta }_k$. Clean updates are aggregated using federated averaging [33]:

  $${\theta }^{t+1}\leftarrow {\theta }^t+{\displaystyle \frac{1}{|{\mathcal{S}}_{\mathrm{clean}}|}}\sum _{k\in {\mathcal{S}}_{\mathrm{clean}}}{\Delta }_k^t$$

  (4)

  where ${\mathcal{S}}_{\mathrm{clean}}$ represents the set of verified benign clients, ${\theta }^t$ and ${\theta }^{t+1}$ represents the global model parameters at round t and $t+1$ respectively, and ${\Delta }_k^t$ which is ${\Delta }_k^t={\theta }_k^t-{\theta }^t$ represents the model update from client k at round t.
• Client-Specific Personalization: In the final stage, each client adapts the global model through personalized heads ${\varphi }_k$ trained exclusively on local data ${\mathcal{D}}_k$. This personalization phase optimizes ${\varphi }_k^{*}$ ensuring optimal adaptation to local traffic patterns while maintaining stability [81,84].

  $${\varphi }_k^{*}=arg\underset{{\varphi }_k}{min}{\mathbb{E}}_{(x,y)\sim {\mathcal{D}}_k}[\mathsf{\ell }(f_{{\theta }^{*}}\left(x\right)\circ {\varphi }_k,y)]+{\lambda }_p{\parallel {\varphi }_k-{\varphi }_{\mathrm{init}}\parallel }^2$$

  (5)

  where ${\varphi }_k^{*}$ represents the optimal personalized head for client k, $arg{min}_{{\varphi }_k}$ finds parameters that minimize the objective, ${\mathbb{E}}_{(x,y)\sim {\mathcal{D}}_k}$ is the expectation over client k’s data distribution, $\mathsf{\ell }(·,y)$ represents the loss function (e.g., reconstruction error for GAE), $f_{{\theta }^{*}}\left(x\right)$ is the feature representation from frozen global backbone, ∘ is the function composition (backbone + personal head), ${\lambda }_p$ is the personalization regularization strength, and $|{\varphi }_k-{\varphi }_{\mathrm{init}}{|}^2$ represents the L2 regularization from initial head.

3.3. Global Federated Training

The first stage of G-PFL-ID trains a shared graph encoder across the federation without centralizing raw network traffic. For a federation network containing K clients with local graph datasets ${\left\{{\mathcal{D}}_k\right\}}_{k=1}^K$, each client k provides a graph $G_k=(V_k,E_k,X_k)$ with $n_k=\left|V_k\right|$ nodes and node features $X_k\in {\mathbb{R}}^{n_k\times d}$. Our global backbone is a parameterised encoder $f_{\theta }$ that maps $(X_k,A_k)\mapsto Z_k\in {\mathbb{R}}^{n_k\times m}$.

We evaluate two principal one-class instantiations of $f_{\theta }$: (i) GCN–DeepSVDD (encoder + one-class hypersphere objective) and (ii) GAE–DeepSVDD (encoder + decoder with joint reconstruction and one-class compactness). Figure 2 shows a schematic of the two alternatives,

Table 3. GCN –DeepSVDD architecture specifications.

Layer	Operation	Output Shape
Input	Node features $X\in {\mathbb{R}}^{n\times d}$	$n\times d$
GCN block 1	GCNConv($d\to 64$) → BatchNorm → ReLU	$n\times 64$
Dropout	$p=0.3$	$n\times 64$
GCN block 2	GCNConv($64\to 32$) → BatchNorm → ReLU	$n\times 32$
GCN block 3	GCNConv($32\to m$) → Linear	$n\times m$
Embedding	Node representations $Z=f_{\theta }(X,A)$	$n\times m$
DeepSVDD	Euclidean distance to center $c\in {\mathbb{R}}^m$	$n\times 1$

presents the GCN–DeepSVDD architecture, and 

Table 4. GAE–DeepSVDD architecture specifications.

Layer/Component	Operation	Output Shape
Input	Node features $X\in {\mathbb{R}}^{n\times d}$, adjacency A	$n\times d$, $n\times n$
Encoder block 1	GCNConv($d\to 64$) → BatchNorm → ReLU	$n\times 64$
Encoder block 2	GCNConv($64\to 32$) → BatchNorm → ReLU	$n\times 32$
Encoder block 3	GCNConv($32\to m$) → Linear	$n\times m$
Latent representation	$Z=f_{\theta }(X,A)$	$n\times m$
Decoder block 1	GCNConv($m\to 32$) → BatchNorm → ReLU	$n\times 32$
Decoder block 2	GCNConv($32\to 64$) → BatchNorm → ReLU	$n\times 64$
Reconstruction	$\widehat{A}=\sigma \left(Z{Z}^{\top }\right)$	$n\times n$
DeepSVDD	Euclidean distance to center $c\in {\mathbb{R}}^m$	$n\times 1$

presents the GAE-DeepSVDD architecture used in our experiments.

3.3.1. GCN-DeepSVDD Implementation

In the GCN-DeepSVDD implementation, the hypersphere centre $c\in {\mathbb{R}}^m$ is initialized using a data-driven procedure [27] and remains fixed during training to prevent trivial solutions. The model optimizes the standard DeepSVDD objective:

$${\mathcal{L}}_{\mathrm{GCN}\text{-}\mathrm{SVDD}}^{\left(k\right)}(\theta ;{\mathcal{D}}_k)={\displaystyle \frac{1}{n_k}}\sum _{i\in V_k}{\parallel z_{k,i}-c\parallel }^2+{\displaystyle \frac{\lambda }{2}}{\parallel \theta \parallel }_F^2,$$

(6)

where $z_{k,i}\in {\mathbb{R}}^m$ represents the embedding of node i in client k which is also referred to as ${\varphi }_{\theta }\left(x_i\right)$ in literature [27], $\lambda$ is the weight decay coefficient, and ${\parallel ·\parallel }_F$ denotes the Frobenius norm. At inference, the anomaly score for node i is $s_{k,i}={\parallel z_{k,i}-c\parallel }_2$.

3.3.2. GAE-DeepSVDD Implementation

The hybrid GAE-DeepSVDD model produces complementary anomaly signals through reconstruction error and embedding compactness. The reconstruction error detects local inconsistencies in graph structure, while embedding compactness enforces a tight one-class boundary, following principles established in graph autoencoder anomaly detection [89,90].

In our GAE-DeepSVDD implementation, the node features, $x_{k,i}$ are not reconstructed (i.e., ${\widehat{x}}_{k,i}=0$) for client k, only the adjacency matrix $\widehat{A}$. Therefore the total hybrid loss, ${\mathcal{L}}_{\mathrm{GAE}\text{-}\mathrm{SVDD}}^{\left(k\right)}(\theta ,\psi )$ for client k is expressed as:

$$\begin{array}{c}{\mathcal{L}}_{\mathrm{GAE}\text{-}\mathrm{SVDD}}^{\left(k\right)}(\theta ,\psi )=\alpha {\mathcal{L}}_{\mathrm{recon}}^{\left(k\right)}(\theta ,\psi )+\beta {\mathcal{L}}_{\mathrm{SVDD}}^{\left(k\right)}\left(\theta \right)+{\displaystyle \frac{\lambda }{2}}{\parallel \theta \parallel }_F^2,\end{array}$$

(7)

$$\begin{array}{c}{\mathcal{L}}_{\mathrm{recon}}^{\left(k\right)}(\theta ,\psi )={\displaystyle \frac{1}{|{\mathcal{E}}_k|}}\sum _{(i,j)\in {\mathcal{E}}_k}{\mathsf{\ell }}_{\mathrm{BCE}}(A_{ij},{\widehat{A}}_{ij}),\end{array}$$

(8)

$$\begin{array}{c}{\mathcal{L}}_{\mathrm{SVDD}}^{\left(k\right)}\left(\theta \right)={\displaystyle \frac{1}{n_k}}\sum _{i\in V_k}{\parallel z_{k,i}-c\parallel }_2^2,z_{k,i}=f_{\theta }(X_k,A_k)\left[i\right].\end{array}$$

(9)

where:

• ${\mathcal{L}}_{\mathrm{recon}}^{\left(k\right)}(\theta ,\psi )$ and ${\mathcal{L}}_{\mathrm{SVDD}}^{\left(k\right)}\left(\theta \right)$ are the graph reconstruction loss and DeepSVDD compactness loss for client k,
• $\alpha$, and $\beta$ are the reconstruction and DeepSVDD loss weight, where ($\alpha \in [0,1]$), and ($\beta \in [0,1]$).
• $\lambda$ is the weight decay coefficient for $L2$ regularization
• ${\parallel \theta \parallel }_F^2$ is the frobenius norm of encoder parameters (sum of squared weights), and ${\parallel ·\parallel }_2^2$ is the squared $L2$ norm (Euclidean distance)
• ${\mathsf{\ell }}_{\mathrm{BCE}}(A_{ij},{\widehat{A}}_{ij})$ is binary cross-entropy between actual, $A_{ij}$ and reconstructed, ${\widehat{A}}_{ij}$ adjacency matrix element. $A_{ij}=1$ if the edge $(i,j)$ exists, and 0, otherwise. $\widehat{A}=\sigma \left(Z{Z}^{\top }\right),\sigma$ is sigma,
• $(i,j)\in {\mathcal{E}}_k$ is the edge between nodes i and j which is an element of the edges, ${\mathcal{E}}_k$ in client k’s graph.
• $x_{k,i}$, ${\widehat{x}}_{k,i}$, and $z_{k,i}$ are the original node features, reconstructed node features, and latent embedding for node i in client k, where $z_{k,i}\in {\mathbb{R}}^m$.

Following the standard federated learning principles for autoencoders [33], where the complete model benefits from distributed learning of both encoding and decoding patterns across the federation, both the encoder parameters $\theta$ and decoder parameters $\psi$ are updated locally and aggregated globally.

Since we only reconstruct the adjacency matrix (not node features, $x_{k,i}$), the reconstruction score is based solely on edge reconstruction errors. For node-level scoring, we aggregate edge errors. Therefore the final combined anomaly score, $s_{k,i}$ for node i in client k is expressed as:

$$s_{k,i}=\gamma s_{k,i}^{\mathrm{SVDD}}+(1-\gamma )s_{k,i}^{\mathrm{rec}}.$$

(10)

where, $s_{k,i}^{\mathrm{rec}}={\displaystyle \frac{1}{n_k}}{\sum }_{j=1}^{n_k}{\mathsf{\ell }}_{\mathrm{BCE}}(A_{ij},{\widehat{A}}_{ij})$ represents the average reconstruction error or anomaly score of edges connected to node i, providing a node-centric reconstruction score, $s_{k,i}^{\mathrm{SVDD}}={\parallel z_{k,i}-c\parallel }_2$ represents the DeepSVDD anomaly score, and $\gamma$ is the score fusion parameter (tuned on validation data, $\gamma \in [0,1]$)

3.3.3. Federated Optimization with Multi-Objective Regularization (FedReg)

To address the challenges posed by non-IID data distributions and unstable convergence in federated one-class learning, we propose FedReg, a regularization framework that integrates multiple complementary objectives during local client training. For each client k, the local training objective, ${\mathcal{L}}_{\mathrm{local}}^{\left(k\right)}$ combines three theoretically grounded regularization terms, as shown in Equations (14) and (15):

• Embedding Compactness, ${\mathcal{L}}_{\mathrm{compact}}^{\left(k\right)}$: The variance regularization, $\mathrm{Var}\left(Z_k\right)$, prevents feature collapse in unsupervised learning by encouraging diverse but structured representations [67,91]. This addresses the trivial solution problem where all embeddings converge to the hypersphere center c, which is crucial for effective anomaly detection in high-dimensional spaces [92].
• FedProx, ${\mathcal{L}}_{\mathrm{prox}}^{\left(k\right)}$: Provides convergence guarantees for non-convex objectives under heterogeneous data distributions, with the proximal term bounding client drift by constraining local updates to remain close to the global model ${\theta }_G$ [48]. The hyperparameter $\mu$ controls the regularization strength.
• Adaptive Center Update, c: Ensures stable DeepSVDD optimization by gradually refining the hypersphere center, c while avoiding abrupt changes (model collapse) that could destabilize training [27].

$$\begin{array}{c}{\mathcal{L}}_{\mathrm{local}}^{\left(k\right)}={\mathcal{L}}_{\mathrm{task}}^{\left(k\right)}+{\mathcal{L}}_{\mathrm{compact}}^{\left(k\right)}+{\mathcal{L}}_{\mathrm{prox}}^{\left(k\right)}\end{array}$$

(11)

$$\begin{array}{c}{\mathcal{L}}_{\mathrm{task}}^{\left(k\right)}=\left\{\begin{array}{cc}{\mathcal{L}}_{\mathrm{SVDD}}^{\left(k\right)}\hfill & \mathrm{for}\mathrm{GCN-DeepSVDD}\hfill \\ \alpha {\mathcal{L}}_{\mathrm{recon}}^{\left(k\right)}+\beta {\mathcal{L}}_{\mathrm{SVDD}}^{\left(k\right)}\hfill & \mathrm{for}\mathrm{GAE-DeepSVDD}\hfill \end{array}\right.\end{array}$$

(12)

$$\begin{array}{c}{\mathcal{L}}_{\mathrm{compact}}^{\left(k\right)}={\lambda }_{\mathrm{compact}}·\mathrm{Var}\left(Z_k\right)={\lambda }_{\mathrm{compact}}·\mathbb{E}[\parallel z-{\mu }_z{\parallel }^2]\end{array}$$

(13)

$$\begin{array}{c}{\mathcal{L}}_{\mathrm{prox}}^{\left(k\right)}={\displaystyle \frac{\mu }{2}}{\parallel {\theta }_k-{\theta }_G\parallel }^2\end{array}$$

(14)

where, ${\mathcal{L}}_{\mathrm{task}}^{\left(k\right)}$ is the task-specific loss: The core detection objective varying by model architecture, as defined in Equations (6) and (7), ${\mathcal{L}}_{\mathrm{compact}}^{\left(k\right)}$ is the embedding compactness, and ${\mathcal{L}}_{\mathrm{prox}}^{\left(k\right)}$ is the FedProx regularization.

$$c\leftarrow (1-\alpha )·c+\alpha ·{\displaystyle \frac{1}{n_k}}\sum _{i=1}^{n_k}{z}_{k,i}$$

(15)

where $\alpha$ is the update rate, and the center is initialized using a single forward pass on the first training batch of benign data. This approach follows established practices for stable DeepSVDD training [27]. Algorithm 1 provides the pseudo-code for the G-PFL-ID global federation training. During training, c is updated gradually using an exponential moving average (Equation (15)) to avoid sudden shifts that could destabilize the one-class objective. The update rate $\alpha$ is set to 0.1 in our experiments.

Algorithm 1 G-PFL-ID Federated Training with FedReg Regularization

Require:  Client datasets ${\left\{{\mathcal{D}}_k\right\}}_{k=1}^K$, global model ${\theta }_G^0$, FedReg hyperparameters Ensure:  Trained global model ${\theta }_G^T$, personalized models $\left\{{\theta }_k^{*}\right\}$   1: Initialize global parameters ${\theta }_G^0$, set round $t\leftarrow 0$   2: while $t<T$ and not converged do   3:       Sample client subset ${\mathcal{S}}^t\subset \{1,\dots ,K\}$ with fraction C   4:       for each client $k\in {\mathcal{S}}^t$ in parallel do   5:             ${\theta }_k^{t,0}\leftarrow {\theta }_G^t$                              ▹ Initialize with global model   6:             Initialize optimizer with learning rate $\eta$, weight decay $\lambda$   7:             for local epoch $e=1$ to E do   8:                   for each batch b in ${\mathcal{D}}_k$ do   9:                         Compute embeddings: $Z_k=f_{{\theta }_k}(X_b,A_b)$ 10:                         Compute task loss ${\mathcal{L}}_{\mathrm{task}}^{\left(k\right)}$ via Equation (12) 11:                         Compute compactness: ${\mathcal{L}}_{\mathrm{compact}}^{\left(k\right)}={\lambda }_{\mathrm{compact}}·\mathrm{Var}\left(Z_k\right)$ 12:                         Compute FedProx: ${\mathcal{L}}_{\mathrm{prox}}^{\left(k\right)}={\displaystyle \frac{\mu }{2}}{\parallel {\theta }_k-{\theta }_G^t\parallel }^2$ 13:                         Total loss: ${\mathcal{L}}_{\mathrm{local}}^{\left(k\right)}={\mathcal{L}}_{\mathrm{task}}^{\left(k\right)}+{\mathcal{L}}_{\mathrm{compact}}^{\left(k\right)}+{\mathcal{L}}_{\mathrm{prox}}^{\left(k\right)}$ 14:                         Update: ${\theta }_k\leftarrow {\theta }_k-\eta \nabla {\mathcal{L}}_{\mathrm{local}}^{\left(k\right)}$ 15:                         if DeepSVDD model then 16:                               Update center c via Equation (15) with rate $\alpha$ 17:                         end if 18:                   end for 19:             end for 20:             Upload local update: ${\Delta }_k^t={\theta }_k-{\theta }_G^t$ 21:       end for 22:       Server aggregates: ${\theta }_G^{t+1}\leftarrow {\theta }_G^t+{\displaystyle \frac{1}{|{\mathcal{S}}^t|}}{\sum }_{k\in {\mathcal{S}}^t}{\Delta }_k^t$ 23:       $t\leftarrow t+1$ 24: end while 25: return ${\theta }_G^T$, ${\left\{{\theta }_k\right\}}_{k=1}^K$ for personalization stage

Our global federated training operates under a strict one-class setting, where each client uses only its local benign data to train the shared graph encoder. This avoids the need for labeled attacks but assumes that the available benign data is representative of future normal traffic. The DeepSVDD objective enforces a compact hypersphere around these benign embeddings, which provides a clear decision boundary for anomaly detection.

3.4. Personalization Strategy

The second stage of G-PFL-ID performs client-specific adaptation to address statistical heterogeneity in federated IoT environments. Building on established personalized FL frameworks [93], it applies client-specific classification heads $h_{{\varphi }_k}$ to tailor the globally trained model to each client’s data distribution. Global model components remain frozen and the personalized heads are regularized, following [81,84], which helps maintain federation stability and preserve local data privacy.

For each client k, we optimize a personalized classification head, $h_{{\varphi }_k}$ while keeping all global parameters fixed. Each client fine-tunes its head ${\varphi }_k$ using only its local benign data. The loss is the same unsupervised objective used in global training plus a regularization term that discourages large deviations from the initial head:

$$\begin{array}{c}{\varphi }_k^{*}=arg\underset{{\varphi }_k}{min}{\mathcal{L}}_{\mathrm{personal}}^{\left(k\right)}({\varphi }_k;{\theta }_G,{\psi }_G,c)\end{array}$$

(16)

$$\begin{array}{c}{\mathcal{L}}_{\mathrm{personal}}^{\left(k\right)}=\underset{\mathrm{Unsupervised\; local\; loss}}{\underbrace{{\mathbb{E}}_{x\sim {\mathcal{D}}_k^{\mathrm{benign}}}\left[\mathsf{\ell }\left({\varphi }_k\circ f_{{\theta }_G}\left(x\right)\right)\right]}}+\underset{\mathrm{Stability\; regularization}}{\underbrace{{\lambda }_p{\parallel {\varphi }_k-{\varphi }_{\mathrm{init}}\parallel }^2}}\end{array}$$

(17)

Here ${\theta }_G$ is the global encoder parameter (frozen), ${\psi }_G$ is the global decoder parameter for GAE-DeepSVDD (frozen), c is the fixed DeepSVDD hypersphere center, ${\lambda }_p$ is the personalization regularization strength, $f_{{\theta }_G}$ is the frozen global encoder backbone, ${\theta }_{init}$ is the initialized personal head, and ${\varphi }_k$ represents the trainable client-specific personal head.

During inference, we combine global and personalized components:

$$\begin{array}{c}\mathrm{For}\mathrm{GCN-DeepSVDD:}{s}_{k,i}=\gamma \underset{\mathrm{Global\; SVDD}}{\underbrace{\parallel f_{{\theta }_G}\left(x_i\right){-c\parallel }_2}}+(1-\gamma )\underset{\mathrm{Personal\; head}}{\underbrace{{\varphi }_k\left(f_{{\theta }_G}\left(x_i\right)\right)}}\end{array}$$

(18)

$$\begin{array}{c}\mathrm{For}\mathrm{GAE-DeepSVDD:}{s}_{k,i}={\gamma }_1\underset{\mathrm{Global\; SVDD}}{\underbrace{\parallel f_{{\theta }_G}\left(x_i\right){-c\parallel }_2}}+{\gamma }_2\underset{\mathrm{Global\; reconstruction}}{\underbrace{\parallel {\widehat{x}}_i-x_i{\parallel }_2}}+{\gamma }_3\underset{\mathrm{Personal\; head}}{\underbrace{{\varphi }_k\left(f_{{\theta }_G}\left(x_i\right)\right)}}\end{array}$$

(19)

where $\sum {\gamma }_i=1$ and weight $\gamma$ (and ${\gamma }_1,{\gamma }_2,{\gamma }_3$ for GAE-DeepSVDD) is tuned on a held-out validation set of benign data from each client to balance the contribution of each anomaly signal.

Table 5. Personalization Strategy by Model Type.

Model Type	Frozen Components	Adapted Components
GCN-DeepSVDD	Early encoder layers (convs.0, projector.0-3)	Head layers, final encoder (convs.1, projector.4)
GAE-DeepSVDD	Early encoder layers	Decoder layers, final encoder layer

outlines the personalization strategy, including which parameters are frozen and which are adapted, to preserve global knowledge while allowing local client adaptation across both model variants. Algorithm 2 provides the pseudo-code for client personalization in G-PFL-ID.

Algorithm 2 Client Personalization with Frozen Backbone

Require:  Global encoder $f_{{\theta }^{*}}$, client data ${\mathcal{D}}_k$, personalization epochs $E_{personal}$, personal head ${\varphi }_k^0$ Ensure:  Personalized model ${\varphi }_k^{*}$   1: Initialize personal head ${\varphi }_k^0$ with shared initialization   2: for epoch $e=1$ to $E_{\mathrm{personal}}$ do   3:       Sample batch $\mathcal{B}\sim {\mathcal{D}}_k$   4:       Compute embeddings: $Z=f_{{\theta }^{*}}\left(\mathcal{B}\right)$             ▹ Frozen backbone   5:       Compute anomaly score (e.g., $s=\parallel {\varphi }_k{\left(Z\right)-c\parallel }_2$ for GCN-DeepSVDD) ▹ Trainable head   6:       Compute loss: $\mathcal{L}={\displaystyle \frac{1}{\left|\mathcal{B}\right|}}{\sum }_{i\in \mathcal{B}}{s}_i+{\lambda }_p{\parallel {\varphi }_k-{\varphi }_k^0\parallel }^2$   7:       Update: ${\varphi }_k\leftarrow {\varphi }_k-\eta {\nabla }_{{\varphi }_k}\mathcal{L}$   8: end for   9: return  ${\varphi }_k^{*}$

4. Evaluation

This section describes the experimental setup used to evaluate the proposed G-PFL-ID framework, including dataset selection, preprocessing and graph construction, partitioning (non-IID) and analysis, baseline comparisons, and the evaluation protocol.

4.1. Experimental Setup

Table 6. Comprehensive Hyperparameter Specifications.

Hyperparameter	Description	Typical Value
${\lambda }_{\mathrm{compact}}$	Embedding compactness weight	$0.01$
$\mu$	FedProx regularization strength	$0.01$
K	Number of federated clients	$10,15,30$
${\alpha }_c$	Center update rate (DeepSVDD)	$0.1$
$\beta$	SVDD Weight	1.0
$\alpha$	Dirichlet parameter for non-IID partitioning	$0.1,0.5,\infty$
m	embedding Dim	16
-	Batch Size	64
$\nu$	DeepSVDD hypersphere boundary parameter	$0.1$
$\eta$	Learning rate (Adam optimizer)	$0.001$
$\lambda$	Weight decay	$1\times {10}^{-4}$
E	Local epochs	30
$E_p$	Personalization epochs	5
T	Number of server rounds (Global rounds)	20
$rng$	Random seeds	42

For N-BaIoT, we use the same hyperparameters except window size = 100 packets, graph type = temporal chain, and no Dirichlet partitioning ($\alpha$ not applicable).

shows the comprehensive hyperparameter specifications used in the implementation of the global federated training and personalized strategy stages.

We evaluated the proposed framework from both client and server perspectives using the Flower federated learning framework [94] and PyTorch [95] with PyTorch Geometric [96] for graph neural network operations. All experiments were conducted on a system with AMD Ryzen 9 5900X CPU (12 cores, 24 threads @ 3.70 GHz), 32 GB DDR4/3600 RAM, and an NVIDIA RTX 4090 GPU with 24GB VRAM. The software environment included Python 3.9, PyTorch 1.13.1, PyTorch Geometric 2.3.0, and Flower 1.4.0.

4.1.1. Dataset and Preprocessing

For computational efficiency, we selected malware-capture-35-1 (Mirai botnet traffic) sub-capture containing 10,447,787 (8,262,389 benign and 2,185,398 malicious) connection records, each with 20 original Zeek connection log fields. This capture provides a realistic IoT attack scenario with sufficient data volume for meaningful federated learning experiments. The dataset supports both binary classification (benign vs. malicious) and one-class anomaly detection paradigms.

Zeek “conn” records were parsed using the header fields to extract connection attributes (timestamps, IPs, bytes, pkts, proto, service, conn_state, history, etc.). From raw fields we derived a richer set of per-flow features of a total of 48 as shown in

Table 7. Representative engineered per-flow/per-host features used to build node vectors (directional features are expanded to src/dst).

Feature Name	Description	Category
hour_of_day, day_of_week, is_weekend	Temporal time features to capture periodic patterns	Temporal
log_duration, time_since_first	Connection timing statistics	Temporal
orig_bytes, resp_bytes, orig_pkts, resp_pkts, orig_ip_bytes, resp_ip_bytes	Volumetric counts to identify traffic volume patterns from originator and responder	Volumetric
bytes_ratio($br$), packets_ratio($pr$), bytes_per_packet_orig($b{p}_{or}$), bytes_per_packet_resp($b{p}_{res}$)	Ratios, $br={\displaystyle \frac{\mathrm{orig\_bytes}}{\mathrm{resp\_bytes}+ϵ}}$, $pr={\displaystyle \frac{\mathrm{orig\_pkts}}{\mathrm{resp\_pkts}+ϵ}}$, $b{p}_{or}={\displaystyle \frac{\mathrm{orig\_bytes}}{\mathrm{orig\_pkts}+ϵ}}$, $b{p}_{res}={\displaystyle \frac{\mathrm{resp\_bytes}}{\mathrm{resp\_pkts}+ϵ}}$	Volumetric
conn_state_*	One-hot connection states (established/reset/half-open/no-response/normal/other/rejected)	Connection State
proto_*	Protocol interactions (tcp/udp/icmp/other)	Protocol
syn, ack, fin, rst	TCP flags set	Protocol
init, data, timeout	Packet types and events	Protocol
syn_reply, ack_reply	Protocol response patterns	Protocol
handshake, fin_ack	Connection establishment/termination	Protocol
data_*	Data flow characteristics (direction/timeout)	Protocol
service_*	Service one-hots (http/dns/dhcp/ssl/unknown)	Service

* denotes categorical attributes that are transformed into one-hot encoded vectors prior to feature extraction.

. These features include: temporal (hour_of_day, day_of_week, is_weekend, log_duration, time_since_first), volumetric (orig/resp bytes & pkts, ip level bytes, missed bytes, bytes/packet ratios), connection state indicators (established, half-open, reset, etc.), protocol flags (SYN, ACK, FIN, RST, ICMP), and service one-hots (HTTP, DNS, DHCP, SSL, unknown). Categorical fields (e.g., proto, service, conn_state) were one-hot encoded and a $log(1+x)$ transform was applied to stabilize long-tailed numeric features (distributions).

We build per-host feature vectors by aggregating flow statistics for each unique IP address (using id.orig_h for source hosts and id.resp_h for destination hosts). For each host h, we compute separate source and destination feature aggregates:

• Source features: Mean values of numeric features when host h acts as source:

  $${\mathrm{src\_mean}}_h\left(x\right)={\displaystyle \frac{1}{N_{h,\mathrm{src}}}}\sum _{i:{\mathrm{src}}_i=h}{x}_i$$

  (20)
• Destination features: Mean values of numeric features when host h acts as destination:

  $${\mathrm{dst\_mean}}_h\left(x\right)={\displaystyle \frac{1}{N_{h,\mathrm{dst}}}}\sum _{i:{\mathrm{dst}}_i=h}{x}_i$$

  (21)

These source and destination feature sets are combined using an outer join, with missing values filled with zeros. The host label $y_h$ is determined by logical OR aggregation across all flows involving host h:

$$y_h=\cancel{⊩}[\exists \mathrm{flow}i:({\mathrm{src}}_i=h\vee {\mathrm{dst}}_i=h)\wedge {\mathrm{label}}_i=\mathrm{malicious}]$$

(22)

In one-class mode, only benign flows were used for training, resulting in all host labels $y_h=0$.

We construct an undirected graph $G=(V,E,X)$ where nodes V represent unique host IPs, and edges E connect hosts that communicate (at least one flow between them). Self-loops are removed. The final per-client graph is $G_k=(V_k,E_k,X_k)$ where $X_k\in {\mathbb{R}}^{|V_k|\times d}$ is the per-host feature matrix. To ensure consistent encoder input sizes, we pad or truncate feature vectors to a fixed dimension $d=128$.

To evaluate the generalizability of G-PFL-ID, we also use the N-BaIoT dataset [97], which contains traffic from 9 real IoT devices infected by Mirai and BASHLITE botnets. Each device is treated as a separate client ($K=9$), reflecting a natural (non-IID) partitioning because each device type has distinct traffic patterns. The dataset provides 115 statistical features extracted from traffic windows (e.g., packet counts, byte rates, jitter). We use only benign traffic for training and include all attack types in testing.

Since N-BaIoT does not contain explicit source/destination IPs, we construct a temporal graph for each device as follows. We split the traffic of each device into non-overlapping windows of 100 consecutive packets. For each window, we compute the mean of the 115 features, resulting in a node feature vector $x_i\in {\mathbb{R}}^{115}$. We then build an undirected chain graph connecting each window to its immediate predecessor and successor, capturing the temporal dependency of normal traffic. Self-loops are removed. The resulting graph for device k is $G_k=(V_k,E_k,X_k)$ where $|V_k|$ is the number of windows, $E_k$ are the temporal edges, and $X_k\in {\mathbb{R}}^{|V_k|\times 115}$ is the node feature matrix. We standardize features per client and pad/truncate to a fixed dimension $d=128$ for consistency with the encoder.

We split each device’s data into 70% benign for training, 10% benign for validation, and 20% (benign + all attacks) for testing. This construction allows us to test G-PFL-ID on a fundamentally different graph topology (temporal chains) compared to the host-based graphs of IoT-23, thereby assessing its adaptability.

4.1.2. Non-IID Partitioning and Client Splits

To simulate client heterogeneity, we partition the dataset across K clients using a label-dependent Dirichlet distribution, following established methodologies for federated learning benchmarking [98,99]. The partitioning process ensures that each client K receives a subset of data ${\mathcal{D}}_k$ with label distribution $p_k\sim {\mathrm{Dir}}_K(\alpha ·{\mathbf{1}}_K)$, where $\alpha >0$ controls the degree of heterogeneity.

We run experiments for $K\in \{10,15,20\}$ and $\alpha \in \{0.1,0.5,\infty \}$ with smaller $\alpha$ (e.g $0.01$ to $0.1$) yielding highly skewed allocations, $\alpha =0.5$ yielding medium skewness and large $\alpha$ (e.g $\ge 1$) yielding near-uniform allocations i.e., IID. After obtaining the sample indices assigned to each client, we construct each client’s local graph $G_k$ using only its assigned flows (per-host aggregation). This yields client graphs that vary in size and connectivity, emulating realistic IoT edge heterogeneity.

Algorithm 3 summarizes the procedure used in our experiments. To avoid tiny clients that preclude local training, we enforce a minimum sample constraint $\min \_\mathrm{samples},m$ (default $m=100$). If the initial allocation yields some clients with fewer than m, we retry the sampling with a higher effective $\alpha$ (e.g., set $\alpha \leftarrow max(\alpha ,1.0)$). For lower heterogeneity, $\alpha$ was set between $0.01$ and $0.1$; for medium heterogeneity, $\alpha$ was set between $0.3$ and $0.6$; and for IID partitioning, this was not an issue because $\alpha$ was set to ${10}^6$. Additionally, we may increment the $rng$ seed to introduce more randomness into the retry process. The best settings for $\alpha$ were $0.1$, $0.5$, and ${10}^6$. Finally, the integer allocations are computed and adjusted to match the total remaining samples.

Once hosts are assigned to clients, each client’s host set is partitioned into train/validation/test splits (e.g., 70/10/20). All experiments are controlled by a single experiment seed ($rng=42$).

Algorithm 3 Dirichlet-based Non-IID Partitioning with Minimum Sample Guarantees

Require:  Labels $\mathbf{y}\in {\mathbb{R}}^N$, client count K, concentration $\alpha$, minimum samples m, random seed Ensure:  Client indices $\{{\mathcal{I}}_1,\dots ,{\mathcal{I}}_K\}$   1: Initialize ${\mathcal{I}}_k\leftarrow \varnothing$ for $k=1,\dots ,K$   2: $\mathbf{y}\leftarrow \mathrm{np}.\mathrm{array}\left(\mathbf{y}\right)$, $rng\leftarrow \mathrm{RandomState}\left(\mathrm{seed}\right)$   3: $classes,counts\leftarrow \mathrm{unique}(\mathbf{y},\mathrm{return\_counts}=\mathrm{True})$   4: if $\left|classes\right|=1$ then                    ▹ Single-class scenario   5:       $\mathcal{I}\leftarrow \mathrm{arange}\left(N\right)$; $rng.\mathrm{shuffle}\left(\mathcal{I}\right)$   6:       assert $N\ge K·m$                 ▹ Minimum sample requirement   7:       Assign first $K·m$ samples: ${\mathcal{I}}_k\leftarrow \mathcal{I}[(k-1)m:km]$ for $k=1,\dots ,K$   8:       ${\mathcal{I}}_{\mathrm{rem}}\leftarrow \mathcal{I}[K·m:]$                     ▹ Remaining samples   9:       $\mathbf{p}\leftarrow rng.\mathrm{dirichlet}\left(\right[\alpha ]\times K)$                ▹ Skew proportions 10:       $\mathbf{c}\leftarrow \mathrm{floor}(\mathbf{p}·|{\mathcal{I}}_{\mathrm{rem}}\left|\right)$                       ▹ Integer allocations 11:       Adjust $\mathbf{c}$ to satisfy ${\sum }_k{c}_k=\left|{\mathcal{I}}_{\mathrm{rem}}\right|$ 12:       Assign ${\mathcal{I}}_{\mathrm{rem}}$ proportionally to $\mathbf{c}$ 13: end if 14: if${min}_k\left|{\mathcal{I}}_k\right|<m$ then                   ▹ Minimum sample validation 15:       Recursively retry with increased $\alpha \leftarrow max(\alpha ,1.0)$ 16: end if 17: return  $\{{\mathcal{I}}_1,\dots ,{\mathcal{I}}_K\}$

To quantify the degree of non-IIDness across client partitions, we employ multiple complementary metrics that capture different aspects of distributional heterogeneity. We utilize Jensen-Shannon (JS) divergence as our primary metric for quantifying distributional differences between clients and the global dataset. The JS divergence provides a symmetric and bounded measure of distribution similarity, making it ideal for federated learning scenarios [100]. It ranges from 0 (identical distributions) to 1 (completely dissimilar distributions), with values below 0.1 typically indicating good distributional alignment. For a client distribution $P_k$ and global distribution $P_{\mathrm{global}}$, the JS divergence is defined as:

$$\mathrm{JS}(P_k\parallel P_{\mathrm{global}})={\displaystyle \frac{1}{2}}{D}_{\mathrm{KL}}\left(P_k\parallel M\right)+{\displaystyle \frac{1}{2}}{D}_{\mathrm{KL}}\left(P_{\mathrm{global}}\parallel M\right)$$

(23)

where $M={\displaystyle \frac{1}{2}}(P_k+P_{\mathrm{global}})$ is the mixture distribution, and $D_{\mathrm{KL}}$ denotes the Kullback-Leibler divergence:

$$D_{\mathrm{KL}}(P\parallel Q)=\sum _{x\in \mathcal{X}}P\left(x\right)log{\displaystyle \frac{P\left(x\right)}{Q\left(x\right)}}$$

(24)

where $P\left(x\right)$ represents the probability distribution of client k, and $Q\left(x\right)$ is the global probability distribution across all clients.

Complementary to JS divergence, we measure the spread of feature values within each client called the feature variances. A high variation in feature variance across clients indicates heteroscedasticity.

Figure 3 presents the comprehensive non-IID analysis across three Dirichlet concentration parameters. The high non-IID setting ($\alpha =0.1$) exhibited extreme heterogeneity with JS divergences ranging from 0.011 to 0.405, the moderate non-IID setting ($\alpha =0.5$) showed significantly reduced heterogeneity with JS divergences tightly clustered around $8.2\times {10}^{-5}$. The same applied to the feature variances. The near-IID setting ($\alpha \to \infty$) approached homogeneous distribution with JS divergences nearly identical across client, ($\sim 1.2\times {10}^{-5}$) and feature variances showing minimal variation.

The N-BaIoT dataset provides a natural non-IID partitioning where each IoT device represents a distinct client with inherently different traffic characteristics. We quantify this heterogeneity using three complementary metrics computed on benign samples (

Table 8. Benign-sample counts and heterogeneity statistics for N-BaIoT devices (used as clients).

Device ID	Device Type	Manufacturer	City	Country	Benign Samples
1	Danmini Doorbell	Unknown/OEM	N/A	N/A	49,548
2	Ecobee Thermostat	ecobee Inc.	Toronto	Canada	13,113
3	Ennio Doorbell	Unknown/OEM	N/A	N/A	39,100
4	Philips Baby Monitor	Koninklijke Philips N.V.	Amsterdam	Netherlands	175,240
5	Provision PT-737E Camera	Provision-ISR	Kfar Saba	Israel	62,154
6	Provision PT-838 Camera	Provision-ISR	Kfar Saba	Israel	98,514
7	Samsung Webcam	Samsung Electronics	Suwon	South Korea	52,150
8	SimpleHome XCS7-1002 Camera	Unknown/OEM	N/A	N/A	46,585
9	SimpleHome XCS7-1003 Camera	Unknown/OEM	N/A	N/A	19,528
Mean	–	–	–	–	$\mathbf{61},\mathbf{770}$
Std. dev.	–	–	–	–	$\mathbf{46},\mathbf{385}$
CV	–	–	–	–	$\mathbf{0}.\mathbf{75}$
Gini	–	–	–	–	$\mathbf{0}.\mathbf{37}$
Max/Min ratio	–	–	–	–	$\mathbf{13}.\mathbf{4}:\mathbf{1}$

Notes: statistics computed on benign sample counts shown above. Manufacturer/city/country information is included where publicly available; some entries correspond to OEM or brand names without documented corporate headquarters. Mean and standard deviation are rounded to the nearest integer; CV and Gini are shown with two significant digits.

):

• Quantity skew. Data volume varies substantially across devices. In our benign subset the largest device (Device 4: Philips baby monitor) contributes 175,240 samples while the smallest device (Device 2: Ecobee thermostat) contributes 13,113 samples, a max/min ratio of approximately 13.4:1. This degree of skew reflects real-world deployments where device types and usage patterns differ.
• Gini coefficient. The Gini coefficient for the nine-device benign split is $G\approx 0.37$, indicating a moderate level of inequality in sample counts (with a small number of devices contributing a large fraction of the data). We compute G as

  $$G={\displaystyle \frac{{\sum }_{i=1}^n{\sum }_{j=1}^n|x_i-x_j|}{2n{\sum }_{i=1}^n{x}_i}}=0.37,$$

  (25)

  where $x_i$ denotes the benign-sample count of device i and $n=9$.
• Coefficient of variation (CV). The mean number of benign samples per device is $\overline{x}$ = 61,770 and the standard deviation is $\sigma \approx$ 46,385, yielding $\mathrm{CV}=\sigma /\overline{x}\approx 0.75$. This high relative variability further establishes the imbalance that federated algorithms must tolerate during aggregation and personalization.

4.2. Discussion and Results

To demonstrate the various strengths of the proposed G-PFL-ID framework, we conducted and report experiments under two different settings: (1) core anomaly detection capability under the moderate non-iid setting $\alpha =0.5$, and (2) the contribution of the regularizers and personalization the under the highest non-iid setting, and (3) the G-PFL-ID frameworks performance across all clients and $\alpha$ settings (ablation) is presented.

4.2.1. Experimental Setting 1: Global Anomaly Detection Performance

Table 9. Global anomaly detection performance on IoT-23 (host-based graph, $\alpha =0.5$, $K=10$) and N-BaIoT (9 device-clients). Baselines (rows 1–5) are evaluated on IoT-23; our graph methods (rows 6–9) are evaluated on both datasets. Best mean per column is bold.

Method	AUC-ROC	AUPR	TPR@1%FPR	TPR@5%FPR	TPR@10%FPR	Infer. Time (ms)
Isolation Forest	91.25 ± 1.59	94.47 ± 0.45	0.62 ± 0.44	24.43 ± 1.39	53.47 ± 5.76	2.586 ± 0.39
One-Class SVM	78.56 ± 1.03	91.16 ± 0.79	2.47 ± 1.66	16.81 ± 6.25	38.92 ± 4.93	4.571 ± 0.68
LG-FGAD [74]	96.10 ± 1.10	97.10 ± 0.70	42.50 ± 5.23	66.30 ± 3.64	92.80 ± 2.11	2.187 ± 0.20
FedAvg + MLP	93.92 ± 1.26	96.13 ± 0.11	10.02 ± 4.84	50.02 ± 1.52	91.19 ± 0.25	3.899 ± 0.32
FedProx + MLP	94.35 ± 2.01	98.27 ± 0.47	15.33 ± 2.03	53.94 ± 1.30	93.19 ± 0.56	3.133 ± 0.03
N-BaIoT dataset ($K=9$)
GCN–DeepSVDD	96.48 ± 0.89	96.89 ± 0.67	45.67 ± 4.12	68.90 ± 2.45	93.67 ± 1.23	1.234 ± 0.12
GAE–DeepSVDD	97.74 ± 0.45	98.28 ± 0.23	65.89 ± 3.78	86.34 ± 1.89	97.92 ± 0.25	1.567 ± 0.15
IoT-23 Dataset ($\alpha =0.5,K=10$)
GCN-DeepSVDD	97.25 ± 1.18	98.82 ± 0.76	23.27 ± 4.13	61.59 ± 3.05	94.62 ± 0.89	1.553 ± 0.17
GAE-DeepSVDD	99.46 ± 0.27	99.94 ± 0.02	80.16 ± 5.87	93.83 ± 0.47	100.00 ± 0.00	1.989 ± 0.23

presents the primary detection results under representative heterogeneity settings for both IoT-23 ($\alpha =0.5$, $K=10$) and N-BaIoT ($K=9$) datasets. We compare classical one-class algorithms (Isolation Forest, One-Class SVM), the recent graph-based federated anomaly detection method LG-FGAD [74], federated MLP baselines (FedAvg and FedProx), and our proposed federated graph methods (GCN-DeepSVDD and GAE-DeepSVDD). The table reports area under the ROC curve (AUROC), area under the precision-recall curve (AUPR), true positive rates at false positive rates of 1%, 5%, and 10%, and inference time per sample.

The hybrid GAE-DeepSVDD consistently achieves the best detection performance across both datasets. On IoT-23, it yields 99.46% AUROC and 99.94% AUPR, substantially outperforming all baselines including LG-FGAD (96.10% AUROC). This performance advantage is pronounced at low false positive rates: at 1% FPR, GAE-DeepSVDD achieves 80.16% TPR compared to LG-FGAD’s 42.50% TPR—nearly double the detection rate. These results suggest that compared to the LG-FGAD’s adversarial augmentation approach, under moderate non-IID conditions, the hybrid objective (combining reconstruction and compactness) produces effective discriminative embeddings where anomalous nodes are well separated from normal ones, enabling high detection sensitivity while keeping false alarms very low.

The results also shows that the graph-based methods consistently outperform traditional feature-based approaches, confirming that graph encoders capture relational patterns—host homophily, service dependencies, temporal correlations—that flat feature representations miss. For instance, the pure GCN-DeepSVDD (97.25% AUROC on IoT-23) exceeds all non-graph baselines, including federated MLP variants. Even on N-BaIoT, where we construct simple temporal chain graphs, GCN-DeepSVDD achieves 96.48% AUROC, demonstrating that minimal graph structure provides valuable inductive bias.

Inference times per sample remain practical for real-time deployment. GCN-DeepSVDD is fastest at 1.55 ms per inference on IoT-23, while the hybrid GAE-DeepSVDD requires 1.99 ms—both suitable for near-real-time detection on IoT gateways. LG-FGAD requires 2.19 ms, slightly slower despite comparable graph processing. The modest computational overhead of our hybrid model is justified by its significantly better detection performance, particularly at stringent operating points.

Despite extreme natural heterogeneity (9.0:1 quantity skew, Gini coefficient 0.37) of the N-BaIoT, our methods maintain strong performance: GAE-DeepSVDD achieves 97.74% AUROC and 98.28% AUPR. This demonstrates that G-PFL-ID generalizes beyond host-based graphs to temporal constructions, and handles real-world device heterogeneity effectively. The performance gap between GAE-DeepSVDD and GCN-DeepSVDD narrows slightly on N-BaIoT (1.26 percentage points versus 2.21 points on IoT-23), suggesting that the reconstruction objective provides less advantage when graph structure is simpler. Nonetheless, both variants significantly outperform classical and federated MLP baselines.

These findings validate our core design principles. The hybrid reconstruction and compactness objective produces more discriminative embeddings than pure one-class or adversarial approaches. Graph encoders, even with simple constructions, capture relational patterns that boost detection accuracy. And the framework scales effectively from artificially partitioned datasets (IoT-23) to naturally heterogeneous deployments (N-BaIoT), maintaining strong performance under diverse operational conditions.

4.2.2. Experimental Setting 2: Component Contribution Analysis

Table 10. G-PFL-ID per-client AUC-ROC (%) results under different non-IID settings.

Client ID	GCN-DeepSVDD			GAE-DeepSVDD
	Base-Model Only	w/FedReg	w/Personalization	Base-Model Only	w/FedReg	w/Personalization
High non-IIDness ($\alpha =0.1$)
Client 0	85.66 ± 3.25	92.00 ± 0.96	95.97 ± 1.05	90.89 ± 3.52	95.78 ± 0.87	96.58 ± 0.58
Client 1	87.57 ± 2.90	91.91 ± 1.03	96.68 ± 0.47	89.80 ± 2.81	95.09 ± 0.94	96.49 ± 0.46
Client 2	84.59 ± 6.15	89.93 ± 4.84	94.30 ± 1.20	88.32 ± 4.84	93.41 ± 1.62	94.51 ± 0.98
Client 3	89.72 ± 1.33	93.06 ± 0.49	97.43 ± 0.59	91.45 ± 2.14	96.54 ± 0.71	97.64 ± 0.42
Client 4	91.37 ± 1.19	94.71 ± 0.37	99.08 ± 0.33	93.10 ± 0.79	98.19 ± 0.62	99.29 ± 0.09
Client 5	89.81 ± 4.90	94.15 ± 0.17	98.52 ± 0.34	92.54 ± 1.12	97.63 ± 0.50	98.73 ± 0.25
Client 6	92.77 ± 0.13	95.11 ± 0.28	99.48 ± 0.03	93.50 ± 0.09	98.59 ± 0.10	99.69 ± 0.07
Client 7	86.07 ± 3.20	90.41 ± 1.92	95.78 ± 0.91	88.80 ± 5.76	93.89 ± 1.30	94.99 ± 1.19
Client 8	84.51 ± 5.87	89.85 ± 2.48	93.22 ± 2.03	88.24 ± 5.14	93.33 ± 1.66	94.43 ± 0.79
Client 9	90.85 ± 0.09	95.19 ± 0.08	99.56 ± 0.07	93.58 ± 0.03	98.67 ± 0.09	99.77 ± 0.05
Average	88.29 ± 2.90	92.63 ± 1.26	97.00 ± 0.70	91.02 ± 2.62	96.11 ± 0.84	97.21 ± 0.49
Medium non-IIDness ($\alpha =0.5$)
Client 0	91.98 ± 1.30	94.53 ± 0.64	96.28 ± 0.62	93.89 ± 2.92	95.88 ± 0.62	99.06 ± 0.79
Client 1	94.90 ± 0.42	97.09 ± 0.49	97.45 ± 0.73	96.94 ± 0.10	97.57 ± 0.08	99.66 ± 0.17
Client 2	96.24 ± 0.50	95.06 ± 0.54	96.02 ± 0.56	94.48 ± 0.51	97.14 ± 0.09	99.49 ± 0.11
Client 3	97.96 ± 0.29	97.81 ± 0.57	98.26 ± 0.38	96.38 ± 0.09	99.09 ± 0.11	100.00 ± 0.00
Client 4	89.74 ± 2.84	90.71 ± 1.15	94.82 ± 0.46	90.91 ± 0.12	95.19 ± 0.86	98.93 ± 1.06
Client 5	91.38 ± 0.35	93.93 ± 0.64	95.78 ± 0.39	91.12 ± 0.21	95.41 ± 0.70	99.14 ± 0.33
Client 6	98.02 ± 0.18	98.25 ± 0.08	98.96 ± 0.07	97.06 ± 0.01	99.53 ± 0.12	100.00 ± 0.00
Client 7	94.00 ± 1.04	97.49 ± 0.25	97.49 ± 0.40	94.94 ± 2.10	97.87 ± 0.68	99.86 ± 0.09
Client 8	94.88 ± 0.83	96.78 ± 0.31	98.05 ± 0.32	94.92 ± 0.10	97.16 ± 0.10	99.46 ± 0.34
Client 9	99.04 ± 0.07	99.16 ± 0.00	99.38 ± 0.07	98.58 ± 0.06	99.94 ± 0.13	100.00 ± 0.00
Average	94.88 ± 0.78	96.08 ± 0.47	97.25 ± 0.40	94.92 ± 0.62	97.48 ± 0.35	99.56 ± 0.29
Low non-IIDness ($\alpha =\infty$)
Client 0	96.46 ± 1.05	97.22 ± 0.12	99.95 ± 0.01	97.08 ± 0.18	100.00 ± 0.00	100.00 ± 0.00
Client 1	96.79 ± 1.20	97.95 ± 0.10	98.19 ± 0.09	97.73 ± 0.15	97.74 ± 0.91	99.98 ± 0.01
Client 2	95.77 ± 3.45	99.10 ± 0.25	99.49 ± 0.15	96.95 ± 0.35	98.53 ± 0.41	100.00 ± 0.00
Client 3	96.56 ± 0.30	98.03 ± 0.15	98.36 ± 0.46	97.27 ± 0.22	98.60 ± 0.29	99.97 ± 0.01
Client 4	97.14 ± 0.95	96.49 ± 2.08	100.00 ± 0.00	98.43 ± 0.12	100.00 ± 0.00	100.00 ± 0.00
Client 5	96.56 ± 0.30	99.00 ± 0.15	99.06 ± 0.06	97.27 ± 0.22	99.39 ± 0.03	100.00 ± 0.00
Client 6	97.14 ± 1.10	97.49 ± 1.68	99.96 ± 0.03	98.44 ± 0.22	100.00 ± 0.00	100.00 ± 0.00
Client 7	95.20 ± 1.43	97.71 ± 1.35	98.73 ± 0.12	94.55 ± 1.48	99.31 ± 0.09	100.00 ± 0.00
Client 8	96.40 ± 0.35	98.19 ± 0.18	98.35 ± 0.07	96.95 ± 0.28	99.52 ± 0.11	100.00 ± 0.00
Client 9	97.17 ± 0.14	98.00 ± 0.07	98.32 ± 0.63	98.49 ± 0.11	97.61 ± 1.02	99.93 ± 0.05
Average	96.52 ± 1.03	97.92 ± 0.61	99.04 ± 0.16	97.32 ± 0.33	99.07 ± 0.29	99.99 ± 0.01
N-BaIoT for the 9 devices ($K=9$)
Client 1	92.23 ± 1.48	94.41 ± 0.94	96.28 ± 0.74	93.15 ± 1.98	95.78 ± 0.84	97.58 ± 0.54
Client 2	86.12 ± 2.50	89.79 ± 1.75	92.40 ± 2.25	87.80 ± 2.91	90.33 ± 1.75	93.10 ± 1.10
Client 3	92.11 ± 1.66	94.30 ± 1.16	96.55 ± 0.83	92.20 ± 1.66	94.97 ± 1.22	97.60 ± 0.33
Client 4	97.89 ± 0.50	98.61 ± 0.31	99.35 ± 0.19	97.95 ± 0.83	98.90 ± 0.15	99.95 ± 0.05
Client 5	94.64 ± 1.30	95.59 ± 0.91	96.70 ± 0.65	94.75 ± 1.30	96.95 ± 0.91	98.80 ± 0.35
Client 6	96.27 ± 0.95	97.12 ± 0.67	98.33 ± 0.48	96.77 ± 0.95	98.35 ± 0.67	99.75 ± 0.08
Client 7	94.16 ± 1.44	96.92 ± 1.01	98.10 ± 0.72	94.60 ± 1.44	96.35 ± 1.01	97.90 ± 0.42
Client 8	93.88 ± 1.52	95.55 ± 0.98	96.80 ± 0.76	93.95 ± 1.52	95.05 ± 0.93	98.90 ± 0.36
Client 9	89.90 ± 2.19	91.10 ± 1.53	93.85 ± 1.40	90.15 ± 2.19	93.30 ± 1.53	96.05 ± 0.85
Average	93.02 ± 1.55	94.82 ± 1.03	96.48 ± 0.89	93.48 ± 1.64	95.55 ± 1.00	97.74 ± 0.45

reports per-client AUROC under three configurations: (i) the base model alone (no federated regularizer, no personalization), (ii) with federated regularizers (FedProx proximal term plus an embedding variance penalty), and (iii) with personalization (a lightweight local head fine-tuned on each client plus center recalibration). Results are shown for three degrees of heterogeneity: high non-IID ($\alpha =0.1$), medium non-IID ($\alpha =0.5$), and near-IID ($\alpha \to \infty$).

Across all heterogeneity regimes, adding FedReg yields a clear and consistent improvement in average per-client AUROC while reducing variance. For instance, with GCN DeepSVDD at $\alpha =0.1$ the mean client AUROC rises from about 88.3% for the base model to 92.6% with FedReg, and for GAE DeepSVDD it rises from 91.0% to 96.1%. These gains are most pronounced in the highly non-IID setting, which matches our design intuition. The FedProx term limits large weight drift under quantity and distribution skew, and the variance penalty prevents each client’s representations from collapsing when its data are sparse. This is reflected in the reduced standard deviations across clients after FedReg, indicating more consistent performance.

The natural heterogeneity of N-BaIoT presents a distinct challenge with a 9.0:1 quantity skew across devices (Table 8). Despite this extreme imbalance, FedReg provides substantial improvements, raising GAE-DeepSVDD performance from 93.48% to 95.55% on average. Notably, low-data devices (e.g., Device 2 with 13,113 samples) benefit the most, with AUROC improvements of 3-4 percentage points. This demonstrates FedReg’s effectiveness in real-world scenarios where device heterogeneity is intrinsic rather than artificially induced.

Local personalization produces a further and often substantial uplift in per-client AUROC. Continuing the previous example (GCN DeepSVDD at $\alpha =0.1$), personalization increases the mean AUROC from 92.6% (with FedReg) to 97.0%. Crucially, personalization brings up the weaker clients that suffer the most from distribution mismatch. After personalization, clients that were previously in the low 80s rise into the mid 90s. In other words, adding a small local head and recalibrating the center effectively recovers local sensitivity without retraining the entire encoder or heavy communication.

On N-BaIoT, personalization yields an additional 2.19 percentage point improvement for GAE-DeepSVDD (from 95.55% to 97.74%), with low-data devices showing the largest gains. Device 2, for instance, improves from 90.33% to 93.10%, demonstrating that even with extreme quantity skew, lightweight personalization can significantly enhance local detection performance. This is particularly valuable in IoT deployments where devices cannot share their raw data but can afford to fine-tune a small local module.

Over all $\alpha$ settings, the hybrid GAE model achieves slightly higher average AUROC and smaller variance after FedReg and personalization compared to the pure GCN. For example, in the high non-IID case the GAE DeepSVDD reaches 97.21% average after personalization versus 97.00% for the GCN variant. We attribute this to the complementary learning objectives: the reconstruction term in the GAE offers a strong local constraint that is less affected by moderate distribution shifts, while the SVDD term aligns representations globally. Together they stabilize learning under heterogeneity.

A key concern in federated learning is poor worst-case performance on some clients. The per-client results in Table 10 show that the worst-performing clients under the base model improve markedly with FedReg and personalization. For instance, at $\alpha =0.1$ the lowest GCN DeepSVDD client AUROC moves from the low 80s in the base model to the mid-90s after personalization. This shows that our approach not only raises the average performance but also reduces client-level risk, addressing an important gap emphasized in personalized FL literature [83].

These findings illustrate several important points. First, relational inductive bias matters: graph encoders exploit patterns such as host homophily and repeated service patterns that simple feature models miss, yielding higher overall AUROC and especially much better detection at low FPR (which is critical in IDS). Second, the hybrid reconstruction-plus-SVDD objective works particularly well: the autoencoder forces the model to preserve local graph topology, while the SVDD term carves out a tight hypersphere of normal instances. Together they produce embeddings where anomalies fall clearly outside the sphere, in line with findings in [77]. Third, FedReg (FedProx plus variance penalty) effectively curbs model drift and collapse on clients with few samples, as discussed in [48,67]. Finally, personalization through a local head and center calibration leverages each client’s own benign data distribution to fine-tune thresholds without heavy overhead, significantly improving per-client sensitivity. This confirms that modest personalization can yield large practical gains in unsupervised one-class federated learning.

4.2.3. Experimental Setting 3: Ablation Study

To comprehensively evaluate G-PFL-ID’s robustness across different operational configurations, we conduct an ablation study that systematically varies two key parameters: (1) the degree of non-IIDness through the Dirichlet concentration parameter $\alpha \in \{0.1,0.5,\infty \}$, and (2) the federation size $K\in \{10,15,20\}$.

Table 11. G-PFL-ID per-client AUC-ROC (%) results under different non-IID and number of clients settings.

Client ID	GCN-DeepSVDD			GAE-DeepSVDD
	$\mathit{\alpha }=\mathbf{0}.\mathbf{1}$	$\mathit{\alpha }=\mathbf{0}.\mathbf{5}$	$\mathit{\alpha }=\infty$	$\mathit{\alpha }=\mathbf{0}.\mathbf{1}$	$\mathit{\alpha }=\mathbf{0}.\mathbf{5}$	$\mathit{\alpha }=\infty$
10 Clients ($K=10$)
Client 0	95.97 ± 1.05	96.28 ± 0.62	99.95 ± 0.01	96.58 ± 0.58	99.06 ± 0.79	100.00 ± 0.00
Client 1	96.68 ± 0.47	97.45 ± 0.73	98.19 ± 0.09	96.49 ± 0.46	99.66 ± 0.17	99.98 ± 0.01
Client 2	94.30 ± 1.20	96.02 ± 0.56	99.49 ± 0.15	94.51 ± 0.98	99.49 ± 0.11	100.00 ± 0.00
Client 3	97.43 ± 0.59	98.26 ± 0.38	98.36 ± 0.46	97.64 ± 0.42	100.00 ± 0.00	99.97 ± 0.01
Client 4	99.08 ± 0.33	94.82 ± 0.46	100.00 ± 0.00	99.29 ± 0.09	98.93 ± 1.06	100.00 ± 0.00
Client 5	98.52 ± 0.34	95.78 ± 0.39	99.06 ± 0.06	98.73 ± 0.25	99.14 ± 0.33	100.00 ± 0.00
Client 6	99.48 ± 0.03	98.96 ± 0.07	99.96 ± 0.03	99.69 ± 0.07	100.00 ± 0.00	100.00 ± 0.00
Client 7	95.78 ± 0.91	97.49 ± 0.40	98.73 ± 0.12	94.99 ± 1.19	99.86 ± 0.09	100.00 ± 0.00
Client 8	93.22 ± 2.03	98.05 ± 0.32	98.35 ± 0.07	94.43 ± 0.79	99.46 ± 0.34	100.00 ± 0.00
Client 9	99.56 ± 0.07	99.38 ± 0.07	98.32 ± 0.63	99.77 ± 0.05	100.00 ± 0.00	99.93 ± 0.05
Average	97.00 ± 0.70	97.25 ± 0.40	99.04 ± 0.16	97.21 ± 0.49	99.56 ± 0.29	99.99 ± 0.01
15 Clients ($K=15$)
Client 0	95.15 ± 0.62	96.89 ± 0.98	99.19 ± 0.38	96.13 ± 1.25	98.76 ± 0.45	100.00 ± 0.00
Client 1	94.82 ± 1.05	95.74 ± 1.24	99.04 ± 0.76	94.87 ± 1.68	97.92 ± 0.89	99.79 ± 0.09
Client 2	98.47 ± 0.34	97.28 ± 0.76	99.21 ± 0.24	96.42 ± 0.92	99.13 ± 0.32	100.00 ± 0.00
Client 3	91.19 ± 1.98	94.82 ± 2.85	96.89 ± 0.85	93.56 ± 2.14	97.14 ± 1.12	99.34 ± 0.12
Client 4	96.95 ± 0.62	98.63 ± 0.61	100.00 ± 0.00	97.88 ± 0.74	99.41 ± 0.25	100.00 ± 0.00
Client 5	91.72 ± 3.22	94.15 ± 2.03	96.45 ± 0.81	92.94 ± 2.41	96.57 ± 1.34	98.97 ± 0.34
Client 6	97.68 ± 1.09	98.52 ± 0.91	99.18 ± 0.41	95.67 ± 1.09	98.49 ± 0.52	99.89 ± 0.02
Client 7	97.02 ± 0.42	98.09 ± 0.81	99.93 ± 0.03	97.21 ± 0.97	98.98 ± 0.38	100.00 ± 0.00
Client 8	91.24 ± 1.41	95.37 ± 0.47	97.07 ± 0.47	94.52 ± 1.87	97.68 ± 0.97	99.68 ± 0.27
Client 9	97.98 ± 0.34	98.02 ± 0.51	100.00 ± 0.00	98.35 ± 0.61	99.72 ± 0.18	100.00 ± 0.00
Client 10	90.56 ± 2.78	94.96 ± 2.52	97.90 ± 0.47	93.87 ± 2.03	97.35 ± 1.05	99.85 ± 0.05
Client 11	96.63 ± 0.54	97.45 ± 0.68	99.95 ± 0.02	97.67 ± 0.82	99.26 ± 0.29	100.00 ± 0.00
Client 12	91.96 ± 2.12	96.24 ± 0.35	99.37 ± 0.36	95.28 ± 1.55	98.21 ± 0.72	99.81 ± 0.00
Client 13	98.21 ± 0.13	99.16 ± 0.56	100.00 ± 0.00	99.12 ± 0.68	99.58 ± 0.21	100.00 ± 0.00
Client 14	92.88 ± 2.63	95.03 ± 1.79	98.00 ± 0.79	93.79 ± 2.23	97.02 ± 1.18	99.41 ± 0.18
Average	94.83 ± 1.29	96.69 ± 1.14	98.81 ± 0.37	95.82 ± 1.40	98.35 ± 0.66	99.78 ± 0.07
20 Clients ($K=20$)
Client 0	97.47 ± 0.45	98.24 ± 0.57	99.20 ± 0.37	96.95 ± 0.88	99.62 ± 0.12	100.00 ± 0.00
Client 1	94.18 ± 3.38	95.78 ± 2.21	98.78 ± 0.11	97.43 ± 0.67	99.34 ± 0.18	99.98 ± 0.00
Client 2	96.84 ± 0.58	98.05 ± 0.18	99.00 ± 0.52	97.26 ± 1.42	98.47 ± 0.68	99.49 ± 0.16
Client 3	93.37 ± 4.82	95.91 ± 2.58	97.11 ± 0.58	95.58 ± 3.12	97.73 ± 1.24	99.13 ± 0.42
Client 4	98.76 ± 0.62	99.82 ± 0.09	100.00 ± 0.00	98.84 ± 0.15	99.12 ± 0.28	100.00 ± 0.00
Client 5	95.56 ± 0.32	96.13 ± 1.89	97.88 ± 0.29	96.72 ± 3.02	98.02 ± 1.08	99.92 ± 0.00
Client 6	97.25 ± 1.25	98.67 ± 0.39	99.17 ± 0.09	98.63 ± 0.73	99.09 ± 0.02	100.00 ± 0.00
Client 7	97.39 ± 1.08	98.48 ± 0.72	99.08 ± 0.12	97.81 ± 1.28	98.86 ± 0.35	99.98 ± 0.00
Client 8	92.94 ± 2.82	94.52 ± 0.85	98.15 ± 0.15	93.27 ± 2.24	96.98 ± 1.18	98.98 ± 0.16
Client 9	98.27 ± 0.48	99.15 ± 0.18	100.00 ± 0.00	98.59 ± 0.98	99.45 ± 0.38	100.00 ± 0.00
Client 10	96.79 ± 0.62	98.26 ± 0.42	99.72 ± 0.14	97.08 ± 0.92	98.89 ± 0.48	99.89 ± 0.06
Client 11	93.58 ± 0.66	96.71 ± 0.86	99.01 ± 0.16	95.97 ± 1.12	99.03 ± 0.44	100.00 ± 0.00
Client 12	97.36 ± 1.68	98.89 ± 0.52	99.90 ± 0.01	96.74 ± 2.11	99.25 ± 0.05	100.00 ± 0.00
Client 13	98.15 ± 0.52	99.03 ± 0.02	100.00 ± 0.00	96.42 ± 1.02	99.31 ± 0.40	100.00 ± 0.00
Client 14	95.52 ± 3.25	97.94 ± 1.18	99.86 ± 0.06	97.81 ± 0.58	99.17 ± 0.12	100.00 ± 0.00
Client 15	97.07 ± 0.05	99.19 ± 0.28	99.96 ± 0.02	96.98 ± 1.55	99.28 ± 0.05	100.00 ± 0.00
Client 16	95.57 ± 2.38	98.42 ± 0.51	99.22 ± 0.01	94.93 ± 1.85	97.84 ± 0.89	99.68 ± 0.10
Client 17	92.68 ± 1.72	96.59 ± 0.96	98.89 ± 0.16	96.05 ± 1.21	98.94 ± 0.52	99.91 ± 0.03
Client 18	98.21 ± 0.08	99.75 ± 0.22	100.00 ± 0.00	97.52 ± 1.38	99.86 ± 0.14	100.00 ± 0.00
Client 19	96.94 ± 0.58	97.87 ± 0.84	98.67 ± 0.04	96.28 ± 1.06	99.18 ± 0.42	100.00 ± 0.00
Average	96.20 ± 1.37	97.87 ± 0.77	99.18 ± 0.14	96.84 ± 1.36	98.87 ± 0.45	99.85 ± 0.05

reports the per-client AUC-ROC for the complete G-PFL-ID framework (with personalization heads) across these configurations for both GCN-DeepSVDD and GAE-DeepSVDD backbones on the IoT-23 dataset.

The ablation study shows that performance improves as data distributions become more IID (i.e increasing $\alpha$) for a fixed federation size. With $K=10$, GCN-DeepSVDD average AUC-ROC increases from 97.00% at $\alpha =0.1$ to 99.04% at $\alpha =\infty$, while GAE-DeepSVDD shows a similar progression from 97.21% to 99.99%. This pattern holds across all K values, confirming that IID data facilitates global model convergence. However, even under extreme non-IID conditions ($\alpha =0.1$), both variants maintain strong performance (above 94% for $K\le 15$), demonstrating the framework’s resilience to distributional skew.

The study also shows that increasing federation size (more clients with less data each) moderately impacts performance, particularly under high non-IIDness. For $\alpha =0.1$, GAE-DeepSVDD average AUC-ROC slightly decreases by about as the number of clients increases from $K=10$ to $K=20$, particularly from $K=10$ to $K=15$. It then slightly recovers at $K=20$ showing that generally as the client increases, the personalization stage becomes more critical because clients with very limited data benefit less from global aggregation but can still achieve reasonable performance through local adaptation.

The performance difference of the hybrid GAE-DeepSVDD over the pure GCN variant narrows down as the data becomes more IID across all configurations, suggesting that the reconstruction objective in GAE provides valuable regularization when global consensus is difficult to achieve. The hybrid architecture also exhibits lower performance variance, with standard deviations consistently 15-30% smaller than those of GCN-DeepSVDD.

These findings validate several design choices in G-PFL-ID. The FedReg regularizer (FedProx + variance penalty) proves essential for maintaining stability across diverse non-IID levels, as evidenced by the consistent performance improvements across $\alpha$ values. Personalization heads effectively mitigate the impact of increased federation size, allowing clients to adapt the global model to their specific data distributions. The GAE backbone’s dual reconstruction-compactness objective provides more robust representations than the pure one-class objective of GCN-DeepSVDD, especially when clients have limited or highly skewed data.

5. Conclusions

In this paper, we proposed G-PFL-ID, a graph-driven personalized federated learning framework for unsupervised intrusion detection in non-IID IoT systems. The framework leverages graph neural networks (GCN and GAE) combined with a DeepSVDD objective to learn compact representations of normal network behavior. To address the challenges of non-IID data, we introduced FedReg, a regularization method that includes a proximal term and an embedding variance penalty. Furthermore, we enabled personalization through client-specific heads to adapt the global model to local data distributions.

We evaluated G-PFL-ID on two IoT intrusion datasets under diverse heterogeneity scenarios. On IoT-23, we used Dirichlet-based partitioning to simulate varying degrees of non-IIDness ($\alpha \in \{0.1,0.5,\infty \}$) and federation sizes ($K\in \{10,15,20\}$), while N-BaIoT provided natural device-based partitioning with inherent heterogeneity (9.0:1 quantity skew, Gini coefficient 0.37). The results demonstrate that our approach significantly outperforms baseline methods, including classical one-class algorithms, federated MLP models, and recent graph-based federated anomaly detectors (e.g., LG-FGAD), in terms of AUROC, AUPR, and detection rates at low false positive rates. The hybrid GAE-DeepSVDD instantiation delivered the strongest global detection performance (99.46% AUROC on IoT-23, 97.74% on N-BaIoT) and the best per-client robustness across both artificial and natural partitioning schemes, while the GCN-DeepSVDD variant served as a principled baseline to assess the role of inductive bias.

Ablation studies confirm that (i) FedProx reduces parameter divergence under quantity skew, (ii) the variance penalty prevents embedding collapse on low-data clients and improves downstream AUROC, and (iii) lightweight personalization recovers client-level thresholds, especially for low-data clients under extreme non-IID settings. On N-BaIoT, despite extreme natural heterogeneity, G-PFL-ID achieved 97.74% average AUROC for GAE-DeepSVDD after personalization, with low-data devices showing the largest relative improvements (up to 6 percentage points).

We highlight three practical core insights for deploying federated graph anomaly detectors in IoT networks. First, combining reconstruction and one-class compactness provides complementary signals that improve resilience to heterogeneity across both artificial and natural partitioning. Second, simple, aggregation-aware regularizers (FedReg) are effective and computationally inexpensive, which is important for constrained edge devices. Third, personalization via small heads is an efficient way to produce strong per-client performance while keeping the backbone shared, with particular value in real-world deployments where device heterogeneity is intrinsic rather than artificially induced.

Limitations include reliance on reasonably representative benign data for one-class training, sensitivity to extreme concept drift, and the need to evaluate privacy/robustness under adversarial updates (e.g., targeted poisoning). Future work will extend G-PFL-ID to (a) adversarially robust aggregation and certified defenses, (b) continual calibration for concept drift, and (c) evaluation over wider operational datasets and live deployments. We release our code, model definitions, and partitioning scripts to enable reproducible follow-up research.