Emerging Research Trends and Technologies in Intrusion Detection Systems (IDSs) and Artificial Intelligence (AI) Utilization

A special issue of Electronics (ISSN 2079-9292). This special issue belongs to the section "Computer Science & Engineering".

Deadline for manuscript submissions: 15 August 2026 | Viewed by 4714

Editor


E-Mail Website
Guest Editor
Computer Security Department, New York State University at Farmingdale, New York, NY 11735, USA
Interests: cybersecurity; intrusion detection; machine learning

Special Issue Information

Dear Colleagues,

With the increasing complexity and diversity of network threats, Intrusion Detection Systems (IDSs) are confronted with more stringent performance demands, and the integration of artificial intelligence (AI) has become a key driver for their advancement.

This Special Issue focuses on emerging research trends and technologies in Intrusion Detection Systems (IDSs) and artificial intelligence (AI) and is intended to improve IDS designs. Interested researchers are invited to submit manuscripts that relate but are not limited to the following topics: artificial intelligence, optimization, quantum and post-quantum technologies, automation, software development, authentication, cryptography, and automated system designs for IDS improvements. This Special Issue particularly welcomes recent studies exploring traditional and quantum artificial intelligence and their applications in IDSs. All researchers, graduate students, and faculty of universities and other organizations are invited to participate in this publication by submitting novel research results that contribute theoretical and practical insights.

Focus areas include (but are not limited to) the following:

  • Intrusion detection systems;
  • Network security;
  • Application security;
  • Cloud security;
  • Endpoint security;
  • Data security;
  • Identity and access management;
  • Operational security;
  • Incidence response;
  • Forensics;
  • IoT security;
  • Mobile security;
  • Critical infrastructure security;
  • Cyber threat intelligence security;
  • Cryptography;
  • Governance, risk, and compliance;
  • Zero trust;
  • Physical security;
  • Human security;
  • Vulnerability management;
  • Machine learning;
  • Deep learning.

Dr. Emre Tokgoz
Guest Editor

Manuscript Submission Information

Manuscripts should be submitted online at www.mdpi.com by registering and logging in to this website. Once you are registered, click here to go to the submission form. Manuscripts can be submitted until the deadline. All submissions that pass pre-check are peer-reviewed. Accepted papers will be published continuously in the journal (as soon as accepted) and will be listed together on the special issue website. Research articles, review articles as well as short communications are invited. For planned papers, a title and short abstract (about 250 words) can be sent to the Editorial Office for assessment.

Submitted manuscripts should not have been published previously, nor be under consideration for publication elsewhere (except conference proceedings papers). All manuscripts are thoroughly refereed through a single-anonymized peer-review process. A guide for authors and other relevant information for submission of manuscripts is available on the Instructions for Authors page. Electronics is an international peer-reviewed open access semimonthly journal published by MDPI.

Please visit the Instructions for Authors page before submitting a manuscript. The Article Processing Charge (APC) for publication in this open access journal is 2400 CHF (Swiss Francs). Submitted papers should be well formatted and use good English. Authors may use MDPI's English editing service prior to publication or during author revisions.

Keywords

  • intrusion detection system
  • artificial intelligence
  • machine learning
  • deep learning
  • optimization
  • quantum and post-quantum technologies
  • automation
  • software solutions
  • authentication
  • cryptography
  • network system design
  • automated cryptographic system design

Benefits of Publishing in a Special Issue

  • Ease of navigation: Grouping papers by topic helps scholars navigate broad scope journals more efficiently.
  • Greater discoverability: Special Issues support the reach and impact of scientific research. Articles in Special Issues are more discoverable and cited more frequently.
  • Expansion of research network: Special Issues facilitate connections among authors, fostering scientific collaborations.
  • External promotion: Articles in Special Issues are often promoted through the journal's social media, increasing their visibility.
  • Reprint: MDPI Books provides the opportunity to republish successful Special Issues in book format, both online and in print.

Further information on MDPI's Special Issue policies can be found here.

Published Papers (9 papers)

Order results
Result details
Select all
Export citation of selected articles as:

Research

41 pages, 2880 KB  
Article
A Comparative Study of Large Language Models for Industrial Cyber-Physical Security
by J. de Curtò, I. de Zarzà, Juan Carlos Cano and Carlos T. Calafate
Electronics 2026, 15(13), 2779; https://doi.org/10.3390/electronics15132779 - 24 Jun 2026
Viewed by 175
Abstract
Intrusion detection in industrial cyber-physical systems is constrained by small labelled-attack corpora and by the subtler signal of physical-process attacks compared with classical IT-network intrusions, motivating renewed interest in foundation-model-based detectors; classical detectors are typically trained per dataset and degrade under the distribution [...] Read more.
Intrusion detection in industrial cyber-physical systems is constrained by small labelled-attack corpora and by the subtler signal of physical-process attacks compared with classical IT-network intrusions, motivating renewed interest in foundation-model-based detectors; classical detectors are typically trained per dataset and degrade under the distribution shift that is common in operational technology, where attack repertoires evolve faster than retraining cycles. Two foundation-model families are now plausible candidates: open-source Large Language Models (LLMs) and recent tabular foundation models (TabPFN, TabICL) pre-trained for in-context tabular inference. We compare the two families head-to-head, alongside Random Forest and XGBoost classical anchors, across three established industrial security benchmarks (SWaT, HAI, WUSTL-IIoT-2021) under a controlled multi-seed full-holdout protocol with paired McNemar and cross-seed Mann–Whitney tests. The empirical picture is dataset-dependent rather than universal: tabular foundation models establish a strong, previously unreported baseline that is competitive with or superior to classical anchors on every dataset evaluated, while LLMs are complementary detectors with a specific advantage on schemas that carry process-engineering semantics (such as SWaT’s named sensor channels). A per-class analysis on the WUSTL five-class attack taxonomy shows that the two families have structurally different strengths: tabular methods dominate traffic-rich attacks (Denial-of-Service, Reconnaissance), whereas LLMs are competitive on rare attack types (Backdoor, Command Injection). A confidence-gated cascade that escalates only low-confidence tabular decisions to an LLM exceeds either detector alone at a small query budget, and a leave-one-attack-type-out analysis shows that foundation-model detectors generalise to unseen attack families substantially better than the classical anchors. The appropriate detector choice in industrial cyber-physical security is therefore informed by the dataset’s feature schema, the attack-type mix, and the operational cost envelope, rather than by a specific performance metric. Full article
Show Figures

Figure 1

25 pages, 4347 KB  
Article
A Technology-Centric Cyber Resilience Evaluation Framework Using MITRE D3FEND for Bridging the Policy Technology Gap in Financial and Enterprise Environments
by GwangHyun Ahn and Dongkyoo Shin
Electronics 2026, 15(12), 2554; https://doi.org/10.3390/electronics15122554 - 9 Jun 2026
Viewed by 199
Abstract
Existing Cyber Resilience Assessment Guidelines, including those of the Bank of Korea (BoK), focus on governance-oriented compliance and lack quantitative criteria for measuring the operational effectiveness of security technologies—a Policy–Technology Gap also common in general enterprise settings. To address this gap, this study [...] Read more.
Existing Cyber Resilience Assessment Guidelines, including those of the Bank of Korea (BoK), focus on governance-oriented compliance and lack quantitative criteria for measuring the operational effectiveness of security technologies—a Policy–Technology Gap also common in general enterprise settings. To address this gap, this study proposes D3-CREF, a technology-centric cyber resilience evaluation framework that maps the MITRE D3FEND taxonomy to financial security domains and introduces a Normalized Resilience Index (NRI) aggregating four dimensions—Coverage, Maturity, Automation, and Timeliness—via a closed-form weighted geometric mean with AHP-elicited weights (consistency ratio CR = 0.04). All NRI indicators are anchored to MITRE ATT&CK techniques and exemplar CVE entries, enabling threat-informed measurement. The framework was validated through a three-round Delphi study with 50 experts (Kendall’s W = 0.78, p < 0.001; Cronbach’s α = 0.89; CVR 0.68–0.92) and a Cyber Range-based simulation. For three institutions with identical BoK scores (92/100), NRI yielded discriminative values of 0.83, 0.44, and 0.09 (CV = 0.68 vs. 0.00 for the baseline), confirming a shift from compliance-based to performance-driven assessment. Full article
Show Figures

Figure 1

14 pages, 734 KB  
Article
An Agent-Based Model of a Controlled Detonation System for Sandbox Analysis of Suspicious Software
by Yevheniia Ivanchenko, Mikolaj Karpinski, Mykola Ryzhakov, Ihor Ivanchenko, Patryk Mazurek and Pawel Sawicki
Electronics 2026, 15(11), 2348; https://doi.org/10.3390/electronics15112348 - 28 May 2026
Viewed by 260
Abstract
In this paper, we present an agent-based model of a controlled detonation system for dynamic sandbox analysis of suspicious software. Instead of treating the sandbox as a passive observer, the model places an AI operator inside the analysis loop and allows it to [...] Read more.
In this paper, we present an agent-based model of a controlled detonation system for dynamic sandbox analysis of suspicious software. Instead of treating the sandbox as a passive observer, the model places an AI operator inside the analysis loop and allows it to perform adaptive GUI interactions in a plausible, isolated execution environment. The controlled detonation process is formulated as a partially observable Markov decision process (POMDP), while the proposed proof-of-concept architecture combines initial profiling, VM preparation, multi-layer telemetry, and an RL policy with visual perception and temporal memory. Evaluation in a controlled emulation setting on 180 malware samples from three threat classes shows higher Activity Rates and Coverage, and shorter Time-to-Reveal than passive and fixed scripted baselines. These results support the feasibility of adaptive interactions as a promising direction for sandbox analysis, while broader external validation, matched comparisons with prior systems, and component-wise ablation remain future work. Full article
Show Figures

Figure 1

30 pages, 7038 KB  
Article
Distributional Drift in IoT Intrusion Detection Systems: Implications for Cross-Dataset Generalisation
by Kazım Kıvanç Eren, Kerem Küçük, Radhwan A. A. Saleh, Mehmet Zeki Konyar, Olympia M. Hardy and Sajjad Ahmad Khan
Electronics 2026, 15(11), 2307; https://doi.org/10.3390/electronics15112307 - 26 May 2026
Viewed by 393
Abstract
The rapid expansion of Internet of Things (IoT) technologies has highlighted the need for reliable intrusion detection systems (IDSs), yet the majority of existing studies rely on single-dataset evaluations, raising concerns about their real-world generalisation capability. This study addresses this limitation by systematically [...] Read more.
The rapid expansion of Internet of Things (IoT) technologies has highlighted the need for reliable intrusion detection systems (IDSs), yet the majority of existing studies rely on single-dataset evaluations, raising concerns about their real-world generalisation capability. This study addresses this limitation by systematically investigating distributional shift across heterogeneous IoT intrusion detection datasets and their impact on model behaviour. To achieve this, a unified feature space is constructed using BoT-IoT, ToN-IoT, and UNSW-NB15 datasets, followed by a comprehensive preprocessing pipeline including attack class alignment, distribution-preserving sampling for class imbalance, and feature selection based on cross-dataset feature value propagation analysis. Furthermore, feature-specific transformations and correlation-based dimensionality reduction are applied to enhance statistical consistency and model stability. To simulate realistic deployment scenarios, models are trained on combinations of datasets and evaluated on unseen datasets. The results reveal that distributional inconsistencies and dataset-specific feature biases significantly degrade cross-dataset performance, despite strong within-dataset results. The proposed framework provides a systematic understanding of feature-level behaviour across datasets, identifying both stable and bias-prone features. These findings highlight the necessity of distribution-aware preprocessing and feature analysis for developing robust and generalisable IoT intrusion detection systems. Full article
Show Figures

Figure 1

31 pages, 917 KB  
Article
X-GATE: Attribution-Aware Distillation and Hardening for Compressed Edge-IIoT Intrusion Detection
by Tran Duc Le, Yida Bao and Mohammad Arifuzzaman
Electronics 2026, 15(11), 2284; https://doi.org/10.3390/electronics15112284 - 25 May 2026
Viewed by 312
Abstract
Industrial Internet of Things (IIoT) intrusion detection requires compact, latency-efficient models whose behavior remains assessable under adversarial stress, yet compression can alter the feature-attribution structure learned by a full-precision model. This paper presents X-GATE (eXplanation-Guided Adversarial Training Engine), an attribution-aware training framework for [...] Read more.
Industrial Internet of Things (IIoT) intrusion detection requires compact, latency-efficient models whose behavior remains assessable under adversarial stress, yet compression can alter the feature-attribution structure learned by a full-precision model. This paper presents X-GATE (eXplanation-Guided Adversarial Training Engine), an attribution-aware training framework for compressed Edge-IIoT intrusion detection. X-GATE combines Explanation-Consistency Distillation (ECD), which aligns Teacher–Student feature-attribution rankings with a differentiable soft-rank Spearman penalty, and Explanation-Guided Adversarial Training (EGAT), which hardens the Student on Teacher-salient feature coordinates. On the full Edge-IIoTset 2022 benchmark, the latest three-seed ablation gives Full X-GATE 89.30 ± 3.89% F1-Macro with 0.617 M parameters, within approximately 0.6 percentage points of the full-precision Teacher; a Random Forest model remains a stronger clean-F1 reference, so X-GATE is not framed as the clean-accuracy optimum. In a separate deployment-subset rerun, X-GATE obtains 78.83 ± 5.83% float F1-Macro and 79.11 ± 5.47% INT8 F1-Macro, reduces the adversarial false-positive rate from 0.46 ± 0.08% for KD-only to 0.16 ± 0.09% under the evaluated single-step white-box explanation-evasion protocol, and reduces CPU latency from 4.16 to 1.25 ms/sample. Component ablation further shows that ECD reduces Logical Drift by 17.24%, while EGAT improves adversarial F1 by 10.57 percentage points. Taken together, these benchmark- and protocol-bounded results position X-GATE as a compact neural operating point for the Edge-IIoT setting studied here, balancing attribution consistency, targeted hardening, and CPU-side efficiency. Full article
Show Figures

Figure 1

26 pages, 12505 KB  
Article
Hardware–Software Co-Optimized Lightweight Real-Time CAN Intrusion Detection and Prevention System for ECUs
by Youngmin Jang, Hyungchul Im, Jonggwon Kim, Semin Kim, Eunsu Kim and Seongsoo Lee
Electronics 2026, 15(10), 2108; https://doi.org/10.3390/electronics15102108 - 14 May 2026
Viewed by 440
Abstract
The Controller Area Network (CAN) protocol used in in-vehicle networks is vulnerable to external attacks because it lacks authentication and encryption mechanisms. Accordingly, CAN Intrusion Detection Systems (IDSs) have been studied. However, existing IDSs remain difficult to deploy in practical vehicles because of [...] Read more.
The Controller Area Network (CAN) protocol used in in-vehicle networks is vulnerable to external attacks because it lacks authentication and encryption mechanisms. Accordingly, CAN Intrusion Detection Systems (IDSs) have been studied. However, existing IDSs remain difficult to deploy in practical vehicles because of their limited real-time capability, complex preprocessing, and high computational cost. To overcome these limitations, this paper proposes an ultra-lightweight Convolutional Neural Network (CNN)-based IDS that significantly reduces parameters and computational complexity while maintaining high detection performance. The proposed IDS improves area efficiency through a streaming pipeline, computation-block reuse, and constrained Processing Element (PE) parallelism. In addition, its lightweighting effect was quantitatively evaluated against an RTL baseline implemented under identical platform and design constraints. When an attack is detected, an Intrusion Prevention System (IPS) integrated with the CAN controller generates an error frame to block it in real time. The proposed IDS achieved over 99.97% detection performance for known frame-level message-injection scenarios on the Car-Hacking Dataset. It also achieved branch-wise real-time feasibility with an 11.46 µs ID-branch precomputation latency and a 5.68 µs DATA-complete-to-decision latency at 50 MHz. In TSMC 28 nm ASIC synthesis, the proposed IDS required 70,592 gates, with an estimated ASIC power of 2.0231 mW and an active inference energy of 34.68 nJ. Full article
Show Figures

Figure 1

16 pages, 919 KB  
Article
A Comparative Performance Study of Host-Based Intrusion Detection Using TextRank-Based System Call Preprocessing and Deep Learning Models
by Hyunwook You, Chulgyun Park, Dongkyoo Shin and Dongil Shin
Electronics 2026, 15(9), 1856; https://doi.org/10.3390/electronics15091856 - 27 Apr 2026
Viewed by 500
Abstract
Host-based intrusion detection systems (HIDSs) can address the limitations of network-based detection by analyzing system calls and other low-level events. Many existing benchmark datasets remain inadequate for evaluating modern attacks because they were built in outdated environments and cover only a limited set [...] Read more.
Host-based intrusion detection systems (HIDSs) can address the limitations of network-based detection by analyzing system calls and other low-level events. Many existing benchmark datasets remain inadequate for evaluating modern attacks because they were built in outdated environments and cover only a limited set of attack behaviors. To address this gap, this study builds a TextRank-based preprocessing pipeline on the LID-DS 2021 dataset and compares five end-to-end pipelines: Random Forest (RF), Long Short-Term Memory (LSTM), Convolutional Neural Network(CNN) + LSTM, LSTM, Bidirectional LSTM (BiLSTM), and CNN + Bidirectional Gated Recurrent Unit (BiGRU). Of the 15 scenarios in the dataset, six multi-stage attacks were excluded, and three representative scenarios were selected based on attack-category coverage and suitability for single-chunk host-level detection. Within these three selected scenarios and same-scenario file-level splits, the deep learning pipelines achieved F1-scores of 0.90–0.94, whereas RF ranged from 0.55 to 0.63. Among the evaluated pipelines, CNN + BiGRU produced the strongest overall results. These findings indicate that, under this constrained evaluation setting, sequential deep learning pipelines can be effective for scenario-specific system-call-based HIDS; however, broader generalization to unseen attacks or to the full LID-DS 2021 scenario set remains unverified. Full article
Show Figures

Figure 1

27 pages, 3484 KB  
Article
Enhancing RMF and ATT&CK Mapping Accuracy Through Integration of Sentence-BERT and Mitigation Parameters
by Hanhee Lee, Sukjoon Yoon, Yunkyung Lee and Jiwon Kang
Electronics 2026, 15(6), 1248; https://doi.org/10.3390/electronics15061248 - 17 Mar 2026
Viewed by 654
Abstract
To minimize cybersecurity risks in weapon systems, the implementation of the Korean Risk Management Framework (K-RMF) has become imperative. However, a significant “strategic gap” exists between high-level RMF controls and technical MITRE ATT&CK techniques, rendering manual mapping labor-intensive. This study proposes an automated [...] Read more.
To minimize cybersecurity risks in weapon systems, the implementation of the Korean Risk Management Framework (K-RMF) has become imperative. However, a significant “strategic gap” exists between high-level RMF controls and technical MITRE ATT&CK techniques, rendering manual mapping labor-intensive. This study proposes an automated mitigation-driven pipeline that integrates Sentence-BERT (SBERT) with the structural defense relationships of the ATT&CK knowledge graph. To address the data coverage limitations of the Center for Threat-Informed Defense (CTID) silver standard, we introduce Recall@restricted as a calibrated performance metric. Experimental evaluations demonstrate that the proposed ensemble framework achieves a Recall@restricted of 0.74, significantly outperforming baseline SBERT-only models. These findings suggest that deterministic mitigation relationships effectively complement semantic representations, providing a robust framework for aligning RMF controls with adversarial behaviors. Full article
Show Figures

Figure 1

24 pages, 3150 KB  
Article
An Intrusion Detection Model Based on Equalization Loss and Spatio-Temporal Feature Extraction
by Miaolei Deng, Shaojun Fan, Yupei Kan and Chuanchuan Sun
Electronics 2026, 15(3), 646; https://doi.org/10.3390/electronics15030646 - 2 Feb 2026
Viewed by 680
Abstract
In recent years, the expansion of network scale and the diversification of attack methods pose dual challenges to intrusion detection systems in extracting effective features and addressing class imbalance. To address these issues, the Spatial–Temporal Equilibrium Graph Convolutional Network (STEGCN) is proposed. This [...] Read more.
In recent years, the expansion of network scale and the diversification of attack methods pose dual challenges to intrusion detection systems in extracting effective features and addressing class imbalance. To address these issues, the Spatial–Temporal Equilibrium Graph Convolutional Network (STEGCN) is proposed. This model integrates Graph Convolutional Network (GCN) and Gated Recurrent Unit (GRU), leveraging GCN to extract high-order spatial features from network traffic data while capturing complex topological relationships and latent patterns. Meanwhile, GRU efficiently models the dynamic evolution of network traffic over time, accurately depicting temporal trends and anomaly patterns. The synergy of these two components provides a comprehensive representation of network behavior. To mitigate class imbalance in intrusion detection, the Equalization Loss v2 (EQLv2) is introduced. By dynamically adjusting gradient contributions, this function reduces the dominance of majority classes, thereby enhancing the model’s sensitivity to minority-class attacks. Experimental results demonstrate that STEGCN achieves superior detection performance on the UNSW-NB15 and CICIDS2017 datasets. Compared with traditional deep learning models, STEGCN shows significant improvements in accuracy and recall, particularly in detecting minority-class intrusions. Full article
Show Figures

Figure 1

Back to TopTop