Resource-Aware Deployment Optimization for Collaborative Intrusion Detection in Layered Networks

André García Gómez, Ines Rieger, Wolfgang Hotwagner, Max Landauer, Markus Wurzenberger, Florian Skopik, Edgar Weippl

TL;DR

This work addresses the challenge of deploying intrusion detection across heterogeneous, resource-constrained IoT environments by proposing a resource-aware, adaptive CIDS framework. The approach auto-optimizes detector allocation at each node using metaheuristic optimization within a knapsack-like, time-constrained formulation, enabling rapid reconfiguration with minimal overhead on edge devices ($cpu_{max}$, $ram_{max}$, $T_{max}$). A layered architecture with leaf and standard nodes supports cross-node coordination while accounting for security/trust layers and topology-driven deployment. To support realistic evaluation, the authors introduce a public UGV cyberattack dataset and demonstrate, through synthetic and real-data experiments, that the framework can rapidly redeploy detectors in response to topology changes and network disruptions, enhancing resilience in contested environments. Overall, the study contributes a flexible taxonomy for CIDS, a deployment-optimization framework suitable for edge devices, and empirical evidence of practical performance in multi-domain scenarios. Key methodological insights include the use of Tabu Search to approach optimal configurations and an explicit topological optimization scheme that processes leaf layers before standard layers to manage detector allocation across a distributed graph.
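The per-node step described above, as an added sketch that is not the authors' code: a Tabu Search picks the detector set for one edge node under the three caps, and an exhaustive search checks the result. The detector names, values and costs are constructed, and treating $T_{max}$ as a cap on summed per-detector processing time is an assumption.

```python
from collections import deque
from itertools import combinations

# Constructed catalogue: detector -> (detection value, CPU %, RAM MB, time ms).
# Names and figures are illustrative assumptions, not taken from the paper.
DETECTORS = {
    "auth_seq":     (6, 20, 64, 30),
    "dns_entropy":  (4, 10, 32, 20),
    "flow_stats":   (7, 30, 128, 40),
    "payload_ml":   (10, 50, 256, 60),
    "syslog_rules": (3, 5, 16, 10),
}

def value(sel):
    return sum(DETECTORS[d][0] for d in sel)

def feasible(sel, limits):
    """limits = (cpu_max, ram_max, T_max); every summed cost must fit its cap."""
    return all(sum(DETECTORS[d][i] for d in sel) <= cap
               for i, cap in enumerate(limits, start=1))

def tabu_search(limits, iters=30, tenure=2):
    current = best = frozenset()
    tabu = deque(maxlen=tenure)          # detectors flipped most recently
    for _ in range(iters):
        # Neighbourhood: add or drop exactly one detector, feasible results only.
        moves = [(value(current ^ {d}), d) for d in sorted(DETECTORS)
                 if feasible(current ^ {d}, limits)]
        if not moves:
            break                        # node cannot host any detector
        # A tabu move is allowed only if it beats the best so far (aspiration).
        allowed = [m for m in moves if m[1] not in tabu or m[0] > value(best)]
        _, d = max(allowed or moves)     # fall back if every move is tabu
        current = current ^ {d}
        tabu.append(d)
        if value(current) > value(best):
            best = current
    return best

def exhaustive_best(limits):
    """Reference optimum by enumerating all subsets (fine for 5 detectors)."""
    subsets = (frozenset(c) for r in range(len(DETECTORS) + 1)
               for c in combinations(sorted(DETECTORS), r))
    return max((s for s in subsets if feasible(s, limits)), key=value)

EDGE_NODE = (60, 256, 100)               # constructed cpu_max, ram_max, T_max
if __name__ == "__main__":
    plan = tabu_search(EDGE_NODE)
    print(sorted(plan), value(plan), value(exhaustive_best(EDGE_NODE)))
```

A purely greedy choice would stop at the single highest-value detector, which exhausts the RAM cap; the tabu list forces the search off that choice and onto the three-detector set the exhaustive check confirms.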

Abstract

Collaborative Intrusion Detection Systems (CIDS) are increasingly adopted to counter cyberattacks, as their collaborative nature enables them to adapt to diverse scenarios across heterogeneous environments. As distributed critical infrastructure operates in rapidly evolving environments, such as drones in both civil and military domains, there is a growing need for CIDS architectures that can flexibly accommodate these dynamic changes. In this study, we propose a novel CIDS framework designed for easy deployment across diverse distributed environments. The framework dynamically optimizes detector allocation per node based on available resources and data types, enabling rapid adaptation to new operational scenarios with minimal computational overhead. We first conducted a comprehensive literature review to identify key characteristics of existing CIDS architectures. Based on these insights and real-world use cases, we developed our CIDS framework, which we evaluated using several distributed datasets that feature different attack chains and network topologies. Notably, we introduce a public dataset based on a realistic cyberattack targeting a ground drone aimed at sabotaging critical infrastructure. Experimental results demonstrate that the proposed CIDS framework can achieve adaptive, efficient intrusion detection in distributed settings, automatically reconfiguring detectors to maintain an optimal configuration, without requiring heavy computation, since all experiments were conducted on edge devices.

Paper Structure (36 sections, 7 equations, 11 figures, 11 tables, 1 algorithm)

Figures (11)

  • Figure 1: Architectural patterns of CIDS node distribution, based on [vasilomanolakis_taxonomy_2015, zhou_survey_2010, garcia_gomez_collaborative_2026].
  • Figure 2: Comparison of CIDS publications by Security complexity and Node distribution. Publications from the last decade are depicted as triangles, while older ones are shown as circles.
  • Figure 3: Comparison of CIDS publications by Training setup and Node distribution. Publications from the last decade are depicted as triangles, while older ones are shown as circles.
  • Figure 4: Internal architecture of a Leaf Node.
  • Figure 5: Internal architecture of a Standard Node.
  • ...and 6 more figures