Search Results (897)

Network intrusion detection has challenges that fundamentally differ from language and vision tasks typically addressed by Transformer models. In particular, network traffic features lack inherent ordering, datasets are extremely class-imbalanced (with benign traffic often exceeding 80%), and reported accuracies in the literature vary widely (57–95%) without systematic explanation. To address these challenges, we propose a controlled experimental study that isolates and quantifies the impact of tokenization strategies on Transformer-based intrusion detection systems. Specifically, we introduce and compare three tokenization approaches—feature-wise tokenization (78 tokens) based on CICIDS2017, a sample-wise single-token baseline, and an optimized sample-wise tokenization—under identical training and evaluation protocols on a highly imbalanced intrusion detection dataset. We demonstrate that tokenization choice alone accounts for an accuracy gap of 37.43 percentage points, improving performance from 57.09% to 94.52% (100 K data). Furthermore, we show that architectural mechanisms for handling class imbalance—namely Batch Normalization and capped loss weights—yield an additional 15.05% improvement, making them approximately 21× more effective than increasing the training data by 50%. We achieve a macro-average AUC of 0.98, improve minority-class recall by 7–12%, and maintain strong discrimination even for classes with as few as four samples (AUC 0.9811). These results highlight tokenization and imbalance-aware architectural design as primary drivers of performance in Transformer-based intrusion detection and contribute practical guidance for deploying such models in modern network infrastructures, including IoT and cloud environments where extreme class imbalance is inherent. This study also presents practical implementation scheme recommending sample-wise tokenization, constrained class weighting, and Batch Normalization after embedding and classification layers to improve stability and performance in highly unstable table-based IDS problems. Full article

Intrusion detection in IoT networks is challenged by data heterogeneity, label scarcity, and privacy constraints. Traditional federated learning (FL) methods often assume IID data or require supervised labels, limiting their practicality. We propose G-PFL-ID, a graph-driven personalized federated learning framework for unsupervised intrusion detection in non-IID IoT systems. Our method trains a global graph encoder (GCN or GAE) with a DeepSVDD objective under a federated regularizer (FedReg) that combines proximal and variance penalties, then personalizes local models via a lightweight fine-tuning head. We evaluate G-PFL-ID on the IoT-23 (Mirai-based captures) and N-BaIoT (device-level dataset) under realistic heterogeneity (Dirichlet-based partitioning with concentration parameters $\alpha \in \{0.1,0.5,\infty \}$ and client counts $K\in \{10,15,20\}$ for IoT-23, and natural device-based partitioning for N-BaIoT). G-PFL-ID outperforms global FL baselines and recent graph-based federated anomaly detectors, achieving up to 99.46% AUROC on IoT-23 and 97.74% AUROC on N-BaIoT. Ablation studies confirm that the proximal and variance penalties reduce inter-round drift and representation collapse, and that lightweight personalization recovers local sensitivity—especially for clients with limited data. Our work bridges graph-based anomaly detection with personalized FL for scalable, privacy-preserving IoT security. Full article

The rapid expansion of Internet of Things (IoT)-enabled smart grids has intensified the need for reliable fault detection and autonomous self-healing under non-stationary operating conditions characterized by frequent concept drift. To address the limitations of static and single-strategy adaptive models, this paper proposes H-CLAS, a novel Hybrid Continual Learning for Adaptive Self-healing framework that unifies regularization-based, memory-based, architectural, and meta-learning strategies within a single adaptive pipeline. The framework integrates convolutional neural networks (CNNs) for fault detection, graph neural networks for topology-aware fault localization, reinforcement learning for self-healing control, and a hybrid drift detection mechanism combining ADWIN and Page–Hinkley tests. Continual adaptation is achieved through the synergistic use of Elastic Weight Consolidation, memory-augmented replay, progressive neural network expansion, and Model-Agnostic Meta-Learning for rapid adaptation to emerging drifts. Extensive experiments conducted on the Smart City Air Quality and Network Intrusion Detection Dataset (NSL-KDD) demonstrate that H-CLAS achieves accuracy improvements of 12–15% over baseline methods, reduces false positives by over 50%, and enables 2–3× faster recovery after drift events. By enhancing resilience, reliability, and autonomy in critical IoT-driven infrastructures, the proposed framework contributes to improved grid stability, reduced downtime, and safer, more sustainable energy and urban monitoring systems, thereby providing significant societal and environmental benefits. Full article

The residential energy sector contributes substantially to global energy-related emissions. Effective energy management requires an understanding occupant behavior through activity detection and habit identification. Recent advances in artificial intelligence (AI) and machine learning (ML) enable the automatic detection of user activities and prediction of energy needs based on historical consumption data. Non-intrusive load monitoring (NILM) facilitates device-level disaggregation without additional sensors, supporting demand forecasting and behavior-aware control in Home Energy Management Systems (HEMSs). This review synthesizes various AI and ML approaches for detecting user activities and energy habits in HEMSs from 2020 to 2025. The analyses revealed that deep learning (DL) models, with their ability to capture complex temporal and nonlinear patterns in multisensor data, achieve superior accuracy in activity detection and load forecasting, with occupancy detection reaching 95–99% accuracy. Hybrid systems combining neural networks and optimization algorithms demonstrate enhanced robustness, but challenges remain in limited cross-building generalization, insufficient interpretability of deep models, and the absence of dataset standardized. Future work should prioritize lightweight, explainable edge-ready models, federated learning, and integration with digital twins and control systems. It should also extend energy optimization toward occupant wellbeing and grid flexibility, using standardized protocols and open datasets for ensuring trustworthy and sustainability. Full article

This study provides a detailed comparative analysis of a three-hybrid intrusion detection method aimed at strengthening network security through precise and adaptive threat identification. The proposed framework integrates an Autoencoder-Gaussian Mixture Model (AE-GMM) with two supervised learning techniques, XGBoost and Logistic Regression, combining deep feature extraction with interpretability and stable generalization. Although the downstream classifiers are trained in a supervised manner, the hybrid intrusion detection nature of the framework is preserved through unsupervised representation learning and probabilistic modeling in the AE-GMM stage. Two benchmark datasets were used for evaluation: NSL-KDD, representing traditional network behavior, and UNSW-NB15, reflecting modern and diverse traffic patterns. A consistent preprocessing pipeline was applied, including normalization, feature selection, and dimensionality reduction, to ensure fair comparison and efficient training. The experimental findings show that hybridizing deep learning with gradient-boosted and linear classifiers markedly enhances detection performance and resilience. The AE–GMM-XGBoost model achieved superior outcomes, reaching an F1-score above 0.94 ± 0.0021 and an AUC greater than 0.97 on both datasets, demonstrating high accuracy in distinguishing legitimate and malicious traffic. AE-GMM-Logistic Regression also achieved strong and balanced performance, recording an F1-score exceeding 0.91 ± 0.0020 with stable generalization across test conditions. Conversely, the standalone AE-GMM effectively captured deep latent patterns but exhibited lower recall, indicating limited sensitivity to subtle or emerging attacks. These results collectively confirm that integrating autoencoder-based representation learning with advanced supervised models significantly improves intrusion detection in complex network settings. The proposed framework therefore provides a solid and extensible basis for future research in explainable and federated intrusion detection, supporting the development of adaptive and proactive cybersecurity defenses. Full article

The Internet of Things (IoT) is increasingly deployed at the edge under resource and environmental constraints, which limits the practicality of traditional intrusion detection systems (IDSs) on IoT hardware. This paper presents two IDS configurations. First, we develop a baseline IDS with fixed hyperparameters, achieving 99.20% accuracy and ~0.002 ms/sample inference latency on a desktop machine; this configuration is suitable for high-performance platforms but is not intended for constrained IoT deployment. Second, we propose a lightweight, edge-oriented IDS that applies ANOVA-based filter feature selection and uses a genetic algorithm (GA) for the bounded hyperparameter tuning of the classifier under stratified cross-validation, enabling efficient execution on Raspberry Pi-class devices. The lightweight IDS achieves 98.95% accuracy with ~4.3 ms/sample end-to-end inference latency on Raspberry Pi while detecting both low-volume and high-volume (DoS/DDoS) attacks. Experiments are conducted in a Raspberry Pi-based real lab using an up-to-date mixed-modal dataset combining system/network telemetry and heterogeneous physical sensors. Overall, the proposed framework demonstrates a practical, hardware-aware, and reproducible way to balance detection performance and edge-level latency using established techniques for real-world IoT IDS deployment. Full article

The current intrusion detection methods suffer from deficiencies in terms of cross-domain adaptability, privacy preservation, and limited effectiveness in detecting minority-class attacks. To address these issues, a novel intrusion detection model framework, TrMulS, is proposed that integrates federated learning, generative adversarial networks with multispace feature enhancement ability, and transformers with multi-source transfer ability. First, at each institution (source domain), local spatial features are extracted through a CNN, multiple subsets are constructed (to solve the feature singularity problem), and the multihead self-attention mechanism of the transformer is utilized to capture the correlation of features. Second, the synthetic samples of the target domain are generated on the basis of the improved Exchange-GAN, and the cross-domain transfer module is designed by combining the Maximum Mean Discrepancy (MMD) to minimize the feature distribution difference between the source domain and the target domain. Finally, the federated transfer learning strategy is adopted. The model parameters of each local institution are encrypted and uploaded to the target server and then aggregated to generate the global model. These steps iterate until convergence, yielding the globally optimal model. Experiments on the ISCX2012, KDD99 and NSL-KDD intrusion detection standard datasets show that the detection accuracy of this method is significantly improved in cross-domain scenarios. This paper presents a novel paradigm for cross-domain security intelligence analysis that considers efficiency, privacy and balance. Full article

The proliferation of Internet of Things (IoT) devices has created unprecedented security challenges characterized by resource constraints, heterogeneous network architectures, and severe class imbalance in attack detection datasets. This paper presents a comprehensive benchmark evaluation of five Generative Adversarial Network (GAN) architectures for energy-aware intrusion detection: Standard GAN, Progressive GAN (PGAN), Conditional GAN (cGAN), Graph-based GAN (GraphGAN), and Wasserstein GAN with Gradient Penalty (WGAN-GP). Our evaluation framework introduces novel energy-normalized performance metrics, including Accuracy-per-Joule (APJ) and F1-per-Joule (F1PJ), that enable principled architecture selection for energy-constrained deployments. We propose an optimized WGAN-GP architecture incorporating diversity loss, feature matching, and noise injection mechanisms specifically designed for classification-oriented data augmentation. Experimental results on a stratified subset of the BoT-IoT dataset (approximately 1.83 million records) demonstrate that our optimized WGAN-GP achieves state-of-the-art performance, with 99.99% classification accuracy, a 0.99 macro-F1 score, and superior generation quality (MSE 0.01). While traditional classifiers augmented with SMOTE (i.e., Logistic Regression and CNN1D-TCN) also achieve 99.99% accuracy, they suffer from poor minority class detection (77.78–80.00%); our WGAN-GP improves minority class detection to 100.00% on the reported test split (45 of 45 attack instances correctly identified). Furthermore, WGAN-GP provides substantial efficiency advantages under our energy-normalized metrics, achieving superior accuracy-per-joule performance compared to Standard GAN. Also, a cross-dataset validation across five benchmarks (BoT-IoT, CICIoT2023, ToN-IoT, UNSW-NB15, CIC-IDS2017) was implemented using 250 pooled test attacks to confirm generalizability, with WGAN-GP achieving 98.40% minority class accuracy (246/250 attacks detected) compared to 76.80% for Classical + SMOTE methods, a statistically significant 21.60 percentage point improvement ($p<0.0001$). Finally, our analysis reveals that incorporating diversity-promoting mechanisms in GAN training simultaneously achieves best generation quality AND best classification performance, demonstrating that these objectives are complementary rather than competing. Full article

In recent years, load disaggregation and non-intrusive load-monitoring (NILM) methods have garnered widespread attention for optimizing energy management systems, becoming crucial tools for achieving energy efficiency and analyzing power consumption. However, existing NILM methods face challenges in accurately handling appliances with multiple operational states and suffer from low accuracy and poor computational efficiency, particularly in modeling long-term dependencies and complex appliance load patterns. This article proposes an improved NILM model optimized based on transformers. The model first utilizes a convolutional neural network (CNN) to extract features from the input sequence and employs a bidirectional long short-term memory (BiLSTM) network to model long-term dependencies. Subsequently, multiple transformer blocks are used to capture dependencies within the sequence. To validate the effectiveness of the proposed model, we applied it to real-world household energy datasets: UK-DALE and REDD. Compared with suboptimal models, our model significantly improves the F1 score by 24.5% and 22.8%. Full article

Intrusion detection systems (IDSs) are crucial for safeguarding modern digital infrastructure against the ever-evolving cyber threats. As cyberattacks become increasingly complex, traditional machine learning (ML) algorithms, while remaining effective in classifying known threats, face limitations such as static learning, dependency on labeled data, and susceptibility to adversarial exploits. Deep reinforcement learning (DRL) has recently surfaced as a viable substitute, providing resilience in unanticipated circumstances, dynamic adaptation, and continuous learning. This study conducts a thorough bibliometric analysis and systematic literature review (SLR) of DRL-based intrusion detection systems (DRL-based IDS). The relevant literature from 2020 to 2024 was identified and investigated using the Preferred Reporting Items for Systematic Reviews and Meta-Analyses (PRISMA) framework. Emerging research themes, influential works, and structural relationships in the research fields were identified using a bibliometric analysis. SLR was used to synthesize methodological techniques, datasets, and performance analysis. The results indicate that DRL algorithms such as deep Q-network (DQN), double DQNs (DDQN), dueling DQN (D3QN), policy gradient methods, and actor–critic models have been actively utilized for enhancing IDS performance in various applications and datasets. The results highlight the increasing significance of DRL-based solutions for developing intelligent and robust intrusion detection systems and advancing cybersecurity. Full article

This study aims to enhance the security of unmanned aerial vehicles (UAVs) within the Internet of Drones (IoD) ecosystem by detecting and preventing Denial-of-Service (DoS) attacks. We introduce DroneDefender, a web-based intrusion detection system (IDS) that employs machine learning (ML) techniques to identify anomalous network traffic patterns associated with DoS attacks. The system is evaluated using the CIC-IDS 2018 dataset and utilizes the Random Forest algorithm, optimized with the SMOTEENN technique to tackle dataset imbalance. Our results demonstrate that DroneDefender significantly outperforms traditional IDS solutions, achieving an impressive detection accuracy of 99.93%. Key improvements include reduced latency, enhanced scalability, and a user-friendly graphical interface for network administrators. The innovative aspect of this research lies in the development of an ML-driven, web-based IDS specifically designed for IoD environments. This system provides a reliable, adaptable, and highly accurate method for safeguarding drone operations against evolving cyber threats, thereby bolstering the security and resilience of UAV applications in critical sectors such as emergency services, delivery, and surveillance. Full article

Cloud computing environments generate high-dimensional, large-scale, and highly dynamic network traffic, making intrusion diagnosis challenging due to evolving attack patterns, severe traffic imbalance, and limited availability of labeled data. To address these challenges, this study presents an unsupervised, cloud-centric intrusion diagnosis framework that integrates autoencoder-based representation learning with density-based attack categorization. A dual-stage autoencoder is trained exclusively on benign traffic to learn compact latent representations and to identify anomalous flows using reconstruction-error analysis, enabling effective anomaly detection without prior attack labels. The detected anomalies are subsequently grouped using density-based learning to uncover latent attack structures and support fine-grained multiclass intrusion diagnosis under varying attack densities. Experiments conducted on the large-scale CSE-CIC-IDS2018 dataset demonstrate that the proposed framework achieves an anomaly detection accuracy of 99.46%, with high recall and low false-negative rates in the optimal latent-space configuration. The density-based classification stage achieves an overall multiclass attack classification accuracy of 98.79%, effectively handling both majority and minority attack categories. Clustering quality evaluation reports a Silhouette Score of 0.9857 and a Davies–Bouldin Index of 0.0091, indicating strong cluster compactness and separability. Comparative analysis against representative supervised and unsupervised baselines confirms the framework’s scalability and robustness under highly imbalanced cloud traffic, highlighting its suitability for future Internet cloud security ecosystems. Full article

With the rapid development of the Internet of Things (IoT) and Industrial IoT (IIoT), Network Intrusion Detection Systems (NIDSs) play a critical role in securing modern networked environments. Despite advances in multi-class intrusion detection, existing approaches face challenges from high-dimensional heterogeneous traffic data, severe class imbalance, and limited interpretability of high-performance “black-box” models. To address these issues, this study presents an XGBoost-based NIDSs integrating optimized strategies for feature dimensionality reduction and class balancing, alongside SHAP-based interpretability analysis. Feature reduction is investigated by comparing selection methods that preserve original features with generation methods that create transformed features, aiming to balance detection performance and computational efficiency. Class balancing techniques are evaluated to improve minority-class detection, particularly reducing false negatives for rare attack types. SHAP analysis reveals the model’s decision process and key feature contributions. The experimental results demonstrate that the method enhances multi-class detection performance while providing interpretability and computational efficiency, highlighting its potential for practical deployment in IoT security scenarios. Full article

The ubiquity of smartphones has transformed them into primary repositories of sensitive data; however, traditional one-time authentication mechanisms create a critical trust gap by failing to verify identity post-unlock. Our aim is to mitigate these vulnerabilities and align with the Zero Trust Architecture (ZTA) framework and philosophy of “never trust, always verify,” as formally defined by the National Institute of Standards and Technology (NIST) in Special Publication 800-207. This study introduces a robust continuous authentication (CA) framework leveraging multimodal behavioral biometrics. A dedicated application was developed to synchronously capture touch, sliding, and inertial sensor telemetry. For feature modeling, a heterogeneous deep learning pipeline was employed to capture modality-specific characteristics, utilizing Convolutional Neural Networks (CNNs) for sensor data, Long Short-Term Memory (LSTM) networks for curvilinear sliding, and Gated Recurrent Units (GRUs) for discrete touch. To resolve performance degradation caused by class imbalance in Zero Trust environments, a Grid Search Optimization (GSO) strategy was applied to optimize a weighted voting ensemble, identifying the global optimum for decision thresholds and modality weights. Empirical validation on a dataset of 35,519 samples from 15 subjects demonstrates that the optimized ensemble achieves a peak accuracy of 99.23%. Sensor kinematics emerged as the primary biometric signature, followed by touch and sliding features. This framework enables high-precision, non-intrusive continuous verification, bridging the critical security gap in contemporary mobile architectures. Full article

Healthcare has been fundamentally changed by the expansion of IoT, which enables advanced diagnostics and continuous monitoring of patients outside clinical settings. Frequently interconnected medical devices often encounter resource limitations and lack comprehensive security safeguards. Therefore, such devices are prone to intrusions, with DDoS attacks in particular threatening the integrity of vital infrastructure. To safe guard sensitive patient information and ensure the integrity and confidentiality of medical devices, this article explores the critical importance of robust security measures in healthcare IoT systems. In order to detect DDoS attacks in healthcare networks supported by WBSN-enabled IoT devices, we propose a hybrid detection model. The model utilizes the advantages of Long Short-Term Memory (LSTM) networks for modeling temporal dependencies in network traffic and Convolutional Neural Networks (CNNs) for extracting spatial features. The effectiveness of the model is demonstrated by simulation results on the CICDDoS2019 datasets, which indicate a detection accuracy of 99% and a loss of 0.05%, respectively. The evaluation results highlight the capability of the hybrid model to reliably detect potential anomalies, showing superior performance over leading contemporary methods in healthcare environments. Full article