Search Results (692)

Search Parameters:
Keywords = Intrusion Detection System (IDS)

28 pages, 11154 KB  
Article
Topology-Independent SHAP-Based Explainable Intrusion Detection for ROS Networks
by Burak Ağgül and Kaan Arık
Electronics 2026, 15(12), 2707; https://doi.org/10.3390/electronics15122707 - 18 Jun 2026
Abstract
The Robot Operating System (ROS) is widely used in modern robotics, but its open architecture makes it vulnerable to numerous cyber threats. Although machine learning (ML)-based intrusion detection systems (IDSs) demonstrate strong classification performance on ROS-specific datasets, reliance on topology-dependent identifiers such as source and destination IP addresses, port numbers, and Flow IDs remains a critical limitation in current research. This reliance may encourage algorithms to exploit scenario-specific endpoint signatures instead of relying primarily on transferable behavioral patterns. Consequently, classification scores may be artificially inflated due to data leakage. This study addresses this issue by quantitatively measuring the impact of data leakage and introducing a topology-independent, explainable ROS framework that provides a more realistic, leakage-aware, and topology-independent evaluation framework. The evaluation involved testing the LightGBM, XGBoost, and CatBoost algorithms on ROSIDS23. Additionally, Random Forest and Gradient Boosting were included to verify the presence of data leakage. In our ablation study, models that included topology features achieved near-perfect Macro-F1 values of 0.999 to 1.000. In contrast, removing topology-dependent features reduced the Macro-F1 score to about 0.66. This finding shows that topology descriptors, rather than just transferable attack behaviors, can significantly influence the near-perfect scores seen with topology-preserving protocols. Even without topology data, ML models effectively captured temporal behavioral patterns and detected DoS attacks with nearly perfect performance, reaching F1 scores of 0.99 or higher. However, semantic attacks like Unauthorized Subscribe remained tough to classify, with F1 scores of 0.43 or lower. 
Additionally, SHapley Additive exPlanations (SHAP) analysis improves the interpretability of IDSs by identifying the main behavioral features that drive model decisions and suggesting feature-level directions for rule-based defense configurations in ROS environments.
(This article belongs to the Special Issue AI in Network Security: Recent Advances and Prospects)

53 pages, 6100 KB  
Article
SoK: An In-Depth Analysis of Intrusion Detection Systems Based on System Calls
by Lalie Arnoud, Victor Breux, Pierre-Henri Thevenon and Éric Gaussier
J. Cybersecur. Priv. 2026, 6(3), 99; https://doi.org/10.3390/jcp6030099 - 6 Jun 2026
Abstract
The increase and professionalization of cyberattacks calls for the development of relevant defense-in-depth mechanisms of which intrusion detection systems (IDSs) are essential components. This paper provides an in-depth analysis of system call-based IDSs as intelligence for detecting malicious activities. A systematic analysis of 209 publications from the scientific literature between 1996 and early 2026 highlights trends in this field of research and defines a taxonomy presenting the different approaches proposed by researchers. Eighteen state-of-the-art methods, representative of the diversity of approaches proposed in the literature, were reproduced and evaluated on two public datasets, ADFA-LD and NGIDS-DS. The detection performance and overhead of each method are examined in great detail, opening discussions on the shortcomings of the state of the art, limitations of system call-based IDSs, and lines of research that would enable this type of detection system to meet the challenges of deployment in a real-world environment. Finally, recommendations for future work are derived from these findings.

33 pages, 4102 KB  
Article
Real-Time Explanation Intrusion Detection: An XAI-Enriched Hybrid CNN-LSTM Architecture for Operational Cybersecurity
by Ayman Alnsour, Jamal Zarqou and Ahmad Shalaldeh
Mathematics 2026, 14(11), 1977; https://doi.org/10.3390/math14111977 - 3 Jun 2026
Abstract
Deep learning-based intrusion detection systems offer world-class accuracy in threat classification. They are also generally not easily explainable to security analysts, which represents a major hurdle in their use in real-world Security Operations Centers (SOCs) where explainability and trust are critical. This operational challenge is tackled with a systems-engineered approach combining the CNN-LSTM architecture with the computationally optimized SHAP and LIME approaches for enabling real-time, interpretable threat detection. Unlike novel mathematical formulations, we concentrate on practical innovations in systems engineering that we believe are required to generate explanations in real-time: quantization of the numbers to INT8, execution of explanation algorithms in parallel, asynchronously, and caching of similar traffic patterns. CNN-LSTM combines the convolutional function to capture spatial dependencies and the recurrent function to capture temporal dynamics of network traffic, and SHAP and LIME capture global and local feature attributions, respectively. One of the major innovations is the parallel execution which brings the latency of explanation down from 117 ms (sequential SHAP + LIME) to 46 ms (parallel, cache-miss) and 39 ms (average with caching) and 46 ms (without caching), which is sufficient for operational “real-time” requirements. The framework is evaluated on CICIDS2017 and NSL-KDD benchmark datasets, and results show that it can achieve 98.7% accuracy with 98.6% F1-score and sub-50 ms explanation latency. The results here show that explainability and operational efficiency can be attained with the same level of accuracy in the detection of abnormal events, through careful systems engineering. 
This paper presents a systems-engineered framework demonstrating the feasibility of real-time, interpretable IDS for deployment in Security Operations Centers (SOCs) and addresses the challenges of combining high-performance deep learning with operational transparency in cybersecurity.

24 pages, 989 KB  
Systematic Review
Lightweight Intrusion Detection Systems for IoT–Edge Environments: A PRISMA-ScR Systematic Review of Deployability Evidence and a Unified Assessment Framework
by Md Manirul Islam, Umme Salsabil, Mekhriddin Nurmamatov and Sazzad Hossain
Future Internet 2026, 18(6), 300; https://doi.org/10.3390/fi18060300 - 2 Jun 2026
Abstract
Future internet services are expected to increasingly depend on IoT–edge deployments, in which intrusion detection must operate close to constrained, heterogeneous devices rather than only in cloud or data-center environments. Although the literature focuses on many “lightweight” intrusion detection systems (IDSs), the evidence supporting deployability is uneven and often limited to accuracy-oriented benchmark results. This PRISMA-ScR review, which was cross-checked against the PRISMA 2020 reporting items, synthesizes 78 peer-reviewed studies published between January 2017 and March 2026 and evaluates how they report model compactness, data and preprocessing burden, system placement, hardware measurements, operational robustness, and reproducibility. The reviewers independently screened 1162 deduplicated records and charted the included studies. This review found that architectural compactness is commonly reported, whereas target device latency, runtime memory, measured power or energy, zero-day evaluation, time-aware splitting, and device shift validation remain inconsistent. To make these gaps auditable, this study introduces a five-dimensional deployability framework using log-scale normalization, bounded benefit coding, completeness penalties, scorer agreement checks, and scenario-based sensitivity analysis. The results show that no IDS family dominates across all deployment scenarios: rankings change when hardware constraints or operational robustness receive priority. This review concludes with a benchmark blueprint, reporting protocol, completed PRISMA checklist, and research agenda for deployment-grade IoT–edge IDS studies.
(This article belongs to the Section Cybersecurity)

36 pages, 3025 KB  
Review
Intrusion Detection in the Internet of Things: A Comprehensive Review of Techniques, Architectures, Datasets, and Emerging Trends
by Asma Komal and Shuaiyong Li
Sensors 2026, 26(11), 3405; https://doi.org/10.3390/s26113405 - 27 May 2026
Abstract
As the Internet of Things (IoT) grows, strong, scalable, and adaptive intrusion detection systems (IDS) become increasingly critical for protecting IoT environments. This paper presents a comprehensive and systematic survey of IDS techniques for IoT environments, covering literature from 2021 to early 2026. The review introduces a multidimensional taxonomy that categorizes IDS approaches by detection strategy, learning paradigm, deployment architecture, and evaluation methodology. We examine conventional techniques, such as signature-based and anomaly-based detection, as well as modern machine-learning and deep-learning approaches. Furthermore, emerging paradigms, including Federated Learning, Explainable AI (XAI), TinyML, Large Language Models (LLMs), Transformer, Quantum Machine Learning, Generative Adversarial Networks and Incremental Learning, are analyzed with respect to their applicability to resource-constrained IoT environments. The paper also provides a detailed analysis of publicly available IDS datasets, validation protocols, and evaluation metrics used for benchmarking detection systems. In addition, critical challenges, including dataset realism, adversarial robustness, scalability, privacy preservation, and ethical considerations, are discussed. Finally, we highlight open research directions and propose guidelines for designing next-generation, trustworthy, and scalable IDS frameworks for IoT networks.
(This article belongs to the Special Issue Cyber Security and Privacy in Internet of Things (IoT))

30 pages, 4078 KB  
Article
Benchmarking and Cross-Dataset Evaluation of AI-Based Intrusion Detection Systems for Smart City IoT Networks
by Ahlam Alghamdi and Samia Dardouri
Computers 2026, 15(6), 340; https://doi.org/10.3390/computers15060340 - 26 May 2026
Abstract
The rapid expansion of Internet of Things (IoT) infrastructures in smart city environments has increased the demand for reliable intrusion detection systems (IDS). However, many existing studies rely on single-dataset evaluations and inconsistent experimental settings, which can lead to overly optimistic performance estimates. In this study, we propose a standardized benchmarking framework for evaluating artificial intelligence-based IDS across heterogeneous IoT datasets, including CIC-IoT 2023, BoT-IoT, and N-BaIoT. Multiple classical machine learning and deep learning models are evaluated under a unified preprocessing pipeline and a consistent evaluation protocol. A hybrid CNN–BiLSTM–Attention architecture is also implemented as a reference model within this framework. While several models achieve near-perfect performance under intra-dataset evaluation, cross-dataset experiments reveal substantial performance degradation and unstable metric behavior under distribution shifts. These results highlight the limitations of dataset-specific optimization and emphasize the necessity of cross-dataset validation for realistic IoT intrusion detection evaluation. All experiments are conducted under a binary intrusion detection setting (benign vs. attack) to enable consistent comparison across datasets. Consequently, the reported results reflect binary detection performance and do not capture attack-type discrimination.
(This article belongs to the Section ICT Infrastructures for Cybersecurity)

23 pages, 619 KB  
Article
A Transformer-Based Intrusion Detection System for Zero-Day Attack Detection in IoT Networks
by Murtadha D. Hssayeni and Imadeldin Mahgoub
Future Internet 2026, 18(6), 282; https://doi.org/10.3390/fi18060282 - 25 May 2026
Abstract
The possibility of zero-day attacks on Internet of Things (IoT) networks is high, particularly in dynamic and heterogeneous IoT environments, including emerging battlefield scenarios (IoBT). Detecting these attacks requires adaptive and generalizable security mechanisms. Due to the unique and unknown signatures of these attacks, they go undetected using signature-based Intrusion Detection Systems (IDSs) on the one side. On the other side, current anomaly-based IDSs that employ traditional machine learning on statistical features struggle to adapt and generalize to unknown networks, which is the case in IoBT. Transformer-based deep learning models have shown the capability of learning complex sequential patterns. This ability can be leveraged to analyze packet payloads that encompass opcodes capable of executing malicious patterns within an IoT network. In this work, we propose a dual-stage Transformer IDS that operates on the raw payload of network packets to detect zero-day attacks. Due to the lack of IoBT datasets, we evaluate the algorithm on three comprehensive IoT traffic benchmarks—MQTT-IoT, IoT-23, and CIC-IoT-2022—which have a high number of IoT devices and various attacks. Importantly, model evaluation is performed in two cross-validation settings to address the key operational challenges associated with unseen scenarios and networks. The evaluation settings are split-at-scenario to evaluate the detection ability of zero-day attacks and split-at-dataset to evaluate the model’s generalizability to new environments. In the former, the average increase in the F1-score of the proposed algorithm over the baseline model is 44% in detecting four zero-day attacks presented in the MQTT-IoT dataset. In the latter, the average increase in the F1-score is 16% in detecting malicious attacks across the three datasets. These results show the benefit of advanced AI in securing the next generation of IoT systems in future Internet applications.
(This article belongs to the Special Issue State-of-the-Art Future Internet Technology in USA 2026–2027)

22 pages, 473 KB  
Article
A Two-Stage Hybrid Intrusion Detection System for CAN Bus Based on Statistical Thresholds and Random Forest Classifiers
by Luis Ferreira, Rafael Abreu, Frederico Branco, Manuel J. C. S. Reis, Carlos Serôdio and António Valente
Electronics 2026, 15(11), 2239; https://doi.org/10.3390/electronics15112239 - 22 May 2026
Abstract
This study proposes a two-stage Intrusion Detection System (IDS) for Controller Area Networks (CAN) that leverages protocol-specific timing characteristics. Modern vehicular networks are vulnerable to injection attacks due to the CAN protocol’s lack of built-in authentication. Our methodology transforms raw CAN traffic into a structured feature space consisting of CAN IDs, message offsets, and inter-message intervals derived from the CAN Remote Frame request–response mechanism. The first stage applies unsupervised z-score statistical thresholding, requiring no labeled attack data. The second stage employs three independent binary Random Forest (RF) classifiers for precise characterization. Individual classifiers achieve F1-scores of 0.96 (Fuzzy), 0.77 (DoS), and 0.79 (Impersonation). In the integrated end-to-end pipeline, while the system effectively filters 97% of legitimate traffic, a performance stratification is observed: high detection is maintained for timing-disruptive attacks (Fuzzy), whereas timing-preserving attacks (DoS, Impersonation) exhibit lower recall due to the restrictive nature of the timing-only first-stage gating mechanism. Hardware profiling confirmed an inference latency of ∼0.018 ms and footprint of 8.8–19.2 MB, offering a deployable, computationally efficient defense for legacy automotive environments.
(This article belongs to the Special Issue Computer Networking Security and Privacy)

95 pages, 2624 KB  
Systematic Review
Generative AI-Driven Intrusion Detection Systems for the Industrial Internet of Things: A Systematic Review
by Mohammed Houache, Djallel Eddine Boubiche, Homero Toral-Cruz, Rafael Martínez-Peláez and Rafael Sanchez-Lara
AI 2026, 7(5), 179; https://doi.org/10.3390/ai7050179 - 21 May 2026
Abstract
The Industrial Internet of Things (IIoT) is central to modern industrial automation, yet its growing connectivity exposes critical systems to evolving cyber threats. Traditional intrusion detection methods struggle in IIoT environments due to class imbalance and limited adaptability to zero-day attacks. This systematic review evaluates generative AI techniques for IIoT intrusion detection and identifies deployment requirements for industrial environments. We searched five databases (IEEE Xplore, ACM Digital Library, Springer, ScienceDirect, and arXiv) for studies published between January 2019 and December 2025, applying predefined inclusion criteria. Following a systematic selection process (identification plus three progressive screening stages) across 342 records, 42 primary studies were included for systematic synthesis. We examined four GenAI paradigms—Generative Adversarial Networks, Transformers, Diffusion Models, and Variational Autoencoders—analyzing nine state-of-the-art frameworks through comparative performance analysis. Hybrid Transformer architectures (e.g., Transformer-GAN-AE) achieve the most consistent detection performance, while diffusion-based models (e.g., Diff-IDS) provide computational advantages for edge deployments. However, substantial variability in evaluation methodologies and limited reporting of statistical rigor indicate important gaps in current research practices. These findings inform the development of GenAI-driven strategies tailored to industrial infrastructure constraints and highlight key directions for advancing IIoT cybersecurity.

31 pages, 7581 KB  
Article
Adapting the IDS-ML Framework for Automated Attack Detection on Edge Devices
by Ryan V. Cooper and Arslan Munir
Algorithms 2026, 19(5), 417; https://doi.org/10.3390/a19050417 - 21 May 2026
Abstract
As modern networks expand, the volume and destructiveness of cyberattacks continue to escalate, necessitating effective defense mechanisms. Intrusion Detection Systems (IDSs) are critical for maintaining network security; however, traditional signature-based systems often fail to detect zero-day attacks. This study explores recent advancements in Deep Learning (DL) for cybersecurity by analyzing and replicating the “IDS-ML” framework, an open-source repository for IDS development. We evaluate the performance of five deep learning Convolutional Neural Network (CNN) architectures adapted for intrusion detection via transfer learning on the CICIDS2017 dataset, and propose an enhancement by integrating Automated Machine Learning (AutoML) techniques that achieves a 94.7% reduction in model parameters while maintaining comparable accuracy, thus making our enhanced models suitable for deployment on edge devices. We further validate deployment feasibility by benchmarking both the baseline InceptionV3 and AutoML models on a Raspberry Pi 4, demonstrating an 18.7× inference speedup and 3.5× CPU reduction, with no change in predicted classes from model conversion. Our results confirm that lightweight AutoML architectures enable practical “zero-touch” edge-based intrusion detection on resource-constrained hardware.

31 pages, 2447 KB  
Article
Application-Oriented Evaluation of Federated Learning for IoT Intrusion Detection Under Non-IID Conditions in Wireless Sensor Networks
by Walaa Alayed, Hassam Ahmed Tahir and Waqar Ul Hassan
Appl. Sci. 2026, 16(10), 5092; https://doi.org/10.3390/app16105092 - 20 May 2026
Abstract
Federated learning is a distributed machine learning paradigm that enables multiple devices to collaboratively train a shared model while keeping their raw data localized. Federated learning has become an attractive solution for intrusion detection in Internet of Things (IoT)-based wireless sensor networks because it enables collaborative model training without transferring raw traffic data. However, real deployments rarely satisfy the common assumption that client data are independent and identically distributed (IID). In practical wireless sensor networks, data heterogeneity naturally arises from spatial variation, uneven attack exposure, traffic imbalance, and differences in sensing conditions, which can substantially affect detection reliability and deployment feasibility. This study presents an application-oriented evaluation of federated intrusion detection under controlled non-IID conditions using three representative datasets: WSN-DS, CIC-IDS-2017, and UNSW-NB15. An LSTM-based intrusion detection model is trained in a federated setting and assessed using three aggregation strategies, namely, FedAvg, FedProx, and SCAFFOLD, under label skew, quantity skew, and feature skew scenarios. The results show that standard FedAvg degrades markedly as heterogeneity increases, with accuracy reductions of up to 23.4 percentage points and substantially higher communication cost under extreme non-IID settings. In contrast, FedProx and SCAFFOLD improve convergence stability and reduce the impact of client drift, with SCAFFOLD showing the strongest overall robustness and up to 45% lower communication cost than FedAvg due to faster convergence. These results demonstrate that non-IID awareness is essential for building deployable privacy-preserving intrusion detection systems for resource-constrained IoT environments. 
The study provides practical guidance for selecting federated aggregation strategies in wireless sensor network security applications where robustness, bandwidth efficiency, and real-world data heterogeneity must be jointly considered.
(This article belongs to the Section Computing and Artificial Intelligence)

25 pages, 537 KB  
Article
IP Composition Analysis as a Prerequisite for IDS Dataset Evaluation: Correcting File-Level Label Artifacts in SDN-MG25
by Khaled Chahine and Hassan N. Noura
Appl. Sci. 2026, 16(10), 5064; https://doi.org/10.3390/app16105064 - 19 May 2026
Abstract
Intrusion detection system (IDS) research relies on accurately labeled network traffic datasets; however, label quality in IDS datasets is seldom audited prior to modeling. Many publicly available IDS datasets assign ground-truth labels based on capture filenames or temporal session windows rather than per-flow inspection, a practice referred to as file-level labeling. This study identifies and corrects a systematic mislabeling instance in SDN-MG25, a CICFlowMeter-based dataset for software-defined networking (SDN)-enabled microgrid intrusion detection. IP composition analysis, which cross-references each attack-labeled flow with the documented attacker IP address, reveals that the BackgroundAttackTraffic (BAT) class, comprising 3167 flows (79.5% of all attack labels), contains no attacker-originated traffic. All BAT flows involve legitimate microgrid hosts communicating with external services during the attack capture window. Correcting this labeling error increases binary detection F1 from 0.578 to 0.956 ± 0.005, an improvement of +0.378 that is 4.2 times greater than the best single modeling improvement (threshold tuning, +0.090). Furthermore, Confident Learning, a state-of-the-art automated label-noise detector, recovers only 8.4% of mislabeled BAT flows (recall = 0.084, precision = 0.247), indicating that domain-knowledge audits are essential for detecting systematic, class-level mislabeling that statistical methods cannot identify. The end-to-end pipeline Macro F1 improves from 0.749 to 0.862 after label correction. IP composition analysis is proposed as a mandatory prerequisite for IDS dataset evaluation, and a reproducible two-stage pipeline with feature-tier ablation for session confound diagnosis is provided.
(This article belongs to the Special Issue Recent Advances in Secure Software Engineering)

17 pages, 2254 KB  
Article
Autonomous Reinforcement Learning-Based Intrusion Detection for IoT Cyber Defense
by Ammar Odeh
Digital 2026, 6(2), 41; https://doi.org/10.3390/digital6020041 - 19 May 2026
Abstract
The rapid proliferation of Internet of Things (IoT) devices has dramatically expanded the attack surface for cyber threats, exposing critical infrastructure to sophisticated intrusion attempts that traditional static intrusion detection systems (IDS) fail to counter effectively. This paper proposes an autonomous reinforcement learning (RL)-based IDS framework for dynamic IoT networks, capable of adaptive, real-time threat detection without human intervention. The proposed system integrates a Deep Q-Network (DQN) agent with a hybrid convolutional neural network–long short-term memory (CNN-LSTM) feature extractor to identify and classify malicious network traffic across 33 attack categories. We evaluate the framework on two recent, publicly available benchmark datasets: CICIoT2023, comprising 8.94 GB of traffic from 105 real IoT devices, and CIC IoT-DIAD 2024, a flow-based dataset with diverse attack and benign scenarios. Experimental results demonstrate superior detection performance compared to baseline classifiers, including SVM, Random Forest, and standalone deep learning models, with improved F1-score, reduced false alarm rate (FAR), and lower detection latency. The reward-shaping strategy explicitly penalizes false positives, addressing a key limitation of prior RL-based IDS approaches. This work contributes a scalable, dataset-agnostic autonomous defense architecture suitable for real-world IoT deployment.
(This article belongs to the Special Issue Intelligent and Autonomous Cyber Defense Systems)

29 pages, 25368 KB  
Article
FedX: Privacy-Preserving Explainable Federated Ensemble Intrusion Detection System for Edge-Enabled Internet of Vehicles
by Nithya Nedungadi, Sriram Sankaran and Krishnashree Achuthan
Big Data Cogn. Comput. 2026, 10(5), 160; https://doi.org/10.3390/bdcc10050160 - 16 May 2026
Abstract
The evolution from the Internet of Things (IoT) to the Internet of Vehicles (IoV) has expanded intelligent connectivity across embedded systems while increasing cybersecurity risks arising from large-scale data exchange and device heterogeneity. As IoV environments become more dynamic and safety-critical, centralized Intrusion Detection Systems (IDSs) face constraints related to latency, privacy exposure, and bandwidth overhead. These limitations motivate a transition to edge-enabled IoV architectures, where localized vehicular and anchor nodes supported by edge servers enable decentralized processing, enhanced privacy, and reduced communication load. To address these operational challenges, this paper proposes FedX (Federated Explainable Ensemble Intrusion Detection System), a privacy-preserving and explainable federated ensemble IDS that integrates XGBoost and LightGBM models across resource-constrained edge vehicles and roadside units (RSUs) to enable collaborative, low-latency anomaly detection without sharing raw data. By applying adaptive weighting based on model confidence and resource availability, FedX enhances robustness and efficiency while enabling explainable decisions via SHAP and LIME analysis, which highlights reliance on key features (flow duration, speed, RPM) for high-confidence (>97%) intrusion alerts grounded in domain-specific behavior. Privacy is further enforced through Gaussian differential privacy and secure aggregation to mitigate inference and inversion attacks. Experiments on the CICIoV2024 dataset show that FedX achieves 99.1% accuracy, outperforming existing federated ensemble IDS models by up to 2.1%. The system reduces communication overhead by 17% relative to full synchronization through adaptive weighted transmission and secure aggregation. It maintains negligible accuracy loss (<1.5%) under a strong privacy budget (ϵ = 1.1). The deployment of the proposed IDS on a Raspberry Pi 4 underscores its efficacy for edge computing. Experimental results indicate that adaptive weighting yields a 1.8% performance increase, while resource profiling shows 45% lower CPU utilization and over 50% lower power consumption compared with centralized baselines. The findings demonstrate that FedX, combined with explainable AI, enables trustworthy, interpretable, and energy-efficient intrusion detection for secure next-generation edge-enabled IoV networks.
(This article belongs to the Special Issue Big Data Analytics with Machine Learning for Cyber Security)
22 pages, 538 KB  
Article
Securing Cyber–Physical Water Infrastructures: A Hybrid Intrusion Detection System for IoT Telemetry and Industrial Protocols
by César López Rodríguez, Miguel Ángel Ortega Velázquez and Antonio J. Jara
Sensors 2026, 26(10), 3160; https://doi.org/10.3390/s26103160 - 16 May 2026
Abstract
Historically, critical water infrastructures have operated with limited digitalization, relying on legacy protocols designed without intrinsic security. The rapid integration of advanced IoT telemetry into Operational Technology (OT) networks has dissolved traditional air gaps, exposing these facilities to severe cyber–physical threats. Concurrently, regulatory frameworks such as the European NIS2 Directive and the Cyber Resilience Act (CRA) now strictly mandate robust risk monitoring for essential entities. To address these challenges, this study develops a non-intrusive, hybrid Intrusion Detection System (IDS) tailored for converged IT/OT environments. Engineered upon the Snort 3 multi-threaded engine, the architecture captures both North–South and East–West traffic. A defense-in-depth rule set was constructed using threat intelligence (MITRE ATT&CK, CISA KEV) to perform Deep Packet Inspection (DPI) across legacy industrial protocols (Modbus, S7Comm, CIP) and IoT application layers (MQTT, HTTP). Experimental validation against high-volume synthetic packet captures (exceeding 170,000 packets) replicating specific manufacturer vulnerabilities (CVEs) demonstrated an improvement in the detection rate from a 0% baseline to 100%. Crucially, the system demonstrated high scalability and minimal computational overhead, processing high-volume traffic streams with zero dropped packets. This contextualized signature approach provides the deterministic security required to ensure operational continuity and regulatory compliance in modern water infrastructures.
(This article belongs to the Special Issue Sensors in 2026)