Anomaly and Intrusion Detection in Networks

A special issue of Future Internet (ISSN 1999-5903). This special issue belongs to the section "Cybersecurity".

Deadline for manuscript submissions: 10 September 2026 | Viewed by 3033

Special Issue Editors


Guest Editor
1. John von Neumann Faculty of Informatics, Óbuda University, 1034 Budapest, Hungary
2. Institute for Computer Science and Control (HUN-REN SZTAKI), HUN-REN Hungarian Research Network, 1111 Budapest, Hungary
Interests: AI-based solutions in cybersecurity; LoRaWAN networks; anomaly detection; intrusion detection; 5G networks

Guest Editor
John von Neumann Faculty of Informatics, Óbuda University, 1034 Budapest, Hungary
Interests: 5G networks; attack graphs; honeypots; anomaly detection; intrusion detection

Guest Editor
John von Neumann Faculty of Informatics, Óbuda University, 1034 Budapest, Hungary
Interests: cloud; algorithms; workflows; cloud computing; virtualization; parallel and distributed computing; IT infrastructure

Special Issue Information

Dear Colleagues,

The expansion of networks from legacy IT infrastructures to the Internet of Things (IoT) and, increasingly, the Industrial Internet of Things (IIoT), has created highly interconnected environments where devices, sensors, and controllers operate alongside cloud platforms, data analytics, and artificial intelligence, resulting in heterogeneous and layered landscapes. This diversity significantly complicates anomaly and intrusion detection, as each domain exhibits distinct characteristics, communication patterns, and security requirements. Addressing these challenges is essential to safeguarding critical sectors such as smart manufacturing, healthcare, energy, and transportation.
This Special Issue seeks high-quality contributions presenting novel approaches, algorithms, and case studies in anomaly and intrusion detection. We welcome research that leverages machine learning, deep learning, hybrid methods, and other innovative techniques, as well as studies addressing the unique challenges posed by heterogeneous IoT, IIoT, and legacy IT networks. Both theoretical and practical works are encouraged, particularly those demonstrating real-world applicability and effectiveness in dynamic environments.

We invite original research papers, reviews, and case studies. Topics of interest include, but are not limited to, the following:

  • AI and Machine Learning for Intrusion Detection: Supervised, unsupervised, and reinforcement learning techniques for detecting anomalies in heterogeneous IoT and IIoT networks;
  • IoT and IIoT Security: Intrusion detection tailored to IoT ecosystems, industrial IoT deployments, and cyber–physical systems;
  • Hybrid and Knowledge-Driven Methods: Combining statistical, rule-based, and AI-powered approaches for more accurate anomaly detection;
  • Trustworthy and Explainable AI (XAI): Ensuring intrusion detection systems are interpretable, transparent, and secure;
  • Honeypots and Digital Twins: Deception- and simulation-based techniques to detect and analyze advanced threats early;
  • Innovative Approaches: Emerging and unconventional methods that advance anomaly and intrusion detection beyond existing paradigms;
  • Critical Infrastructure Applications: Case studies on anomaly and intrusion detection in smart grids, healthcare, transportation, and other mission-critical domains.

Dr. Eszter Kail
Dr. Anna Bánáti
Prof. Dr. Miklós Kozlovszky
Guest Editors

Manuscript Submission Information

Manuscripts should be submitted online at www.mdpi.com by registering and logging in to this website. Once you are registered, click here to go to the submission form. Manuscripts can be submitted until the deadline. All submissions that pass pre-check are peer-reviewed. Accepted papers will be published continuously in the journal (as soon as accepted) and will be listed together on the special issue website. Research articles, review articles as well as short communications are invited. For planned papers, a title and short abstract (about 250 words) can be sent to the Editorial Office for assessment.

Submitted manuscripts should not have been published previously, nor be under consideration for publication elsewhere (except conference proceedings papers). All manuscripts are thoroughly refereed through a single-blind peer-review process. A guide for authors and other relevant information for submission of manuscripts is available on the Instructions for Authors page. Future Internet is an international peer-reviewed open access monthly journal published by MDPI.

Please visit the Instructions for Authors page before submitting a manuscript. The Article Processing Charge (APC) for publication in this open access journal is 1800 CHF (Swiss Francs). Submitted papers should be well formatted and use good English. Authors may use MDPI's English editing service prior to publication or during author revisions.

Keywords

  • anomaly detection
  • intrusion detection
  • machine learning
  • legacy networks
  • XAI
  • IoT
  • IIoT
  • honeypots

Benefits of Publishing in a Special Issue

  • Ease of navigation: Grouping papers by topic helps scholars navigate broad scope journals more efficiently.
  • Greater discoverability: Special Issues support the reach and impact of scientific research. Articles in Special Issues are more discoverable and cited more frequently.
  • Expansion of research network: Special Issues facilitate connections among authors, fostering scientific collaborations.
  • External promotion: Articles in Special Issues are often promoted through the journal's social media, increasing their visibility.
  • Reprint: MDPI Books provides the opportunity to republish successful Special Issues in book format, both online and in print.

Further information on MDPI's Special Issue policies can be found here.

Published Papers (4 papers)


Research

27 pages, 656 KB  
Article
Towards a Protocol-Aware Intrusion Detection System for LoRaWAN Networks
by Zsolt Bringye, Rita Fleiner and Eszter Kail
Future Internet 2026, 18(3), 140; https://doi.org/10.3390/fi18030140 - 9 Mar 2026
Viewed by 580
Abstract
The increasing reliance of Internet of Things (IoT) applications on low-power wide-area network technologies, particularly Long Range Wide Area Network (LoRaWAN), has amplified the need for security monitoring approaches that go beyond attack-specific signatures and generic traffic anomalies. Existing solutions are often tailored to individual threat scenarios or rely on statistical indicators, which limits their ability to systematically capture protocol-level misuse in an interpretable manner. This paper addresses this gap by proposing a protocol-aware validation methodology based on a Digital Twin abstraction of LoRaWAN communication behavior. The Over-The-Air Activation (OTAA) procedure is modeled as a finite-state machine that encodes expected message sequences, timing constraints, and specification-driven state transitions. Observed network events are continuously evaluated against this formal state model, enabling the identification of protocol-level deviations indicative of anomalous or non-conformant behavior. Illustrative examples include replay behavior, timing inconsistencies, and integrity-related anomalies, although the framework is not limited to predefined attack categories. The results demonstrate that state machine-based Digital Twin provides a structured and extensible foundation for protocol-aware security validation and Security Operation Center (SOC)-oriented telemetry enrichment. In this sense, the presented approach represents a concrete step toward protocol-aware intrusion detection for LoRaWAN networks by establishing a state-synchronized semantic validation layer upon which higher-level detection mechanisms can be built. Full article
(This article belongs to the Special Issue Anomaly and Intrusion Detection in Networks)

17 pages, 662 KB  
Article
Attention-Based Transformer Encoder for Secure Wireless Sensor Operations
by Mohammad H. Baniata, Chayut Bunterngchit, Laith H. Baniata, Malek A. Almomani and Muhannad Tahboush
Future Internet 2026, 18(3), 119; https://doi.org/10.3390/fi18030119 - 27 Feb 2026
Viewed by 374
Abstract
Wireless sensor networks (WSNs) are integral components of smart environments. These allow monitoring and communication to take place autonomously across distributed sensor nodes. Nevertheless, they suffer from constrained resources that make them susceptible to routine-layer attacks. These specifically involve blackhole, flooding, selective forwarding attack traffic and normal traffic. The conventional machine learning and deep learning methods employed are effective in catering to these attacks, yet they have generalization issues when the network conditions are dynamic. The models are generally trained on the local features that make them more dependable and less interpretable. To overcome these issues, this paper proposes an attention-driven transformer encoder for tabular WSN traffic, designed for robust and interpretable intrusion detection in WSNs. The model represents the WSN features as sequential tokens and employs multi-head self-attention to capture global and local dependencies among sensor attributes and employs a multi-head self-attention for capturing the local and global dependencies among the sensor attributes. The framework integrated several components, including normalization, chi-square-based feature selection, and positional embedding. These are followed by multi-layer transformer encoding blocks for the feature fusion and subsequent classification. The framework has been evaluated on the publicly available WSN dataset. Results have been shown to attain an accuracy of 99.37%, which makes it outperform the traditional deep learning baseline models. The comparative analysis has shown the model to be superior in terms of generalization and reduced convergence time. It further offers enhanced interpretability that makes it a good fit to be deployed in real-world scenarios where resources can be constrained. Full article
(This article belongs to the Special Issue Anomaly and Intrusion Detection in Networks)

36 pages, 3068 KB  
Article
IRDS4C–CTIB: A Blockchain-Driven Deception Architecture for Ransomware Detection and Intelligence Sharing
by Ahmed El-Kosairy, Heba Aslan and Nashwa AbdelBaki
Future Internet 2026, 18(1), 66; https://doi.org/10.3390/fi18010066 - 21 Jan 2026
Viewed by 612
Abstract
This paper introduces a cybersecurity framework that combines a deception-based ransomware detection system, called the Intrusion and Ransomware Detection System for Cloud (IRDS4C), with a blockchain-enabled Cyber Threat Intelligence platform (CTIB). The framework aims to improve the detection, reporting, and sharing of ransomware threats in cloud environments. IRDS4C uses deception techniques such as honeypots, honeytokens, pretender network paths, and decoy applications to identify ransomware behavior within cloud systems. Tests on 53 Windows-based ransomware samples from seven families showed an ordinary detection time of about 12 s, often quicker than tralatitious methods like file hashing or entropy analysis. These detection results are currently limited to Windows-based ransomware environments, and do not yet cover Linux, containerized, or hypervisor-level ransomware. Detected threats are formatted using STIX/TAXII standards and firmly shared through CTIB. CTIB applies a hybrid blockchain consensus of Proof of Stake (PoS) and Proof of Work (PoW) to ensure data integrity and protection from tampering. Security analysis shows that an attacker would need to control over 71% of the network to compromise the system. CTIB also improves trust, accuracy, and participation in intelligence sharing, while smart contracts control access to erogenous data. In a local prototype deployment (Hardhat devnet + FastAPI/Uvicorn), CTIB achieved 74.93–125.92 CTI submissions/min, The number of attempts or requests in each test was 100 with median end-to-end latency 455.55–724.99 ms (p95: 577.68–1364.17 ms) across PoW difficulty profiles (difficulty_bits = 8–16). Full article
(This article belongs to the Special Issue Anomaly and Intrusion Detection in Networks)

33 pages, 4298 KB  
Article
Synergistic Phishing Intrusion Detection: Integrating Behavioral and Structural Indicators with Hybrid Ensembles and XAI Validation
by Isaac Kofi Nti, Murat Ozer and Chengcheng Li
Future Internet 2026, 18(1), 30; https://doi.org/10.3390/fi18010030 - 4 Jan 2026
Viewed by 1006
Abstract
Phishing websites continue to evolve in sophistication, making them increasingly difficult to distinguish from legitimate platforms and challenging the effectiveness of current detection systems. In this study, we investigate the role of subtle deceptive behavioral cues such as mouse-over effects, pop-up triggers, right-click restrictions, and hidden iframes in enhancing phishing detection beyond traditional structural and domain-based indicators. We propose a hierarchical hybrid detection framework that integrates dimensionality reduction through Principal Component Analysis (PCA), phishing campaign profiling using K Means clustering, and a stacked ensemble classifier for final prediction. Using a public phishing dataset, we evaluate multiple feature configurations to quantify the added value of behavioral indicators. The results demonstrate that behavioral indicators, while weak predictors in isolation, significantly improve performance when combined with conventional features, achieving a macro F1 score of 97 percent. Explainable AI analysis using SHAP confirms the contribution of specific behavioral characteristics to model decisions and reveals interpretable patterns in attacker manipulation strategies. This study shows that behavioral interactions leave measurable forensic signatures and provides evidence that combining structural, domain, and behavioral features offers a more comprehensive and reliable approach to phishing intrusion detection. Full article
(This article belongs to the Special Issue Anomaly and Intrusion Detection in Networks)