Collaborative Zone-Adaptive Zero-Day Intrusion Detection for IoBT

Amirmohammad Pasdar, Shabnam Kasra Kermanshahi, Nour Moustafa, Van-Thuan Pham

TL;DR

Results indicate that parameter-efficient, zone-personalised collaboration can improve the detection of previously unseen attacks in contested IoBT environments.

Abstract

The Internet of Battlefield Things (IoBT) relies on heterogeneous, bandwidth-constrained, and intermittently connected tactical networks that face rapidly evolving cyber threats. In this setting, intrusion detection cannot depend on continuous central collection of raw traffic due to disrupted links, latency, operational security limits, and non-IID traffic across zones. We present Zone-Adaptive Intrusion Detection (ZAID), a collaborative detection and model-improvement framework for unseen attack types, where "zero-day" refers to previously unobserved attack families and behaviours (not vulnerability disclosure timing). ZAID combines a universal convolutional model for generalisable traffic representations, an autoencoder-based reconstruction signal as an auxiliary anomaly score, and lightweight adapter modules for parameter-efficient zone adaptation. To support cross-zone generalisation under constrained connectivity, ZAID uses federated aggregation and pseudo-labelling to leverage locally observed, weakly labelled behaviours. We evaluate ZAID on ToN_IoT using a zero-day protocol that excludes MITM, DDoS, and DoS from supervised training and introduces them during zone-level deployment and adaptation. ZAID achieves up to 83.16% accuracy on unseen attack traffic and transfers to UNSW-NB15 under the same procedure, with a best accuracy of 71.64%. These results indicate that parameter-efficient, zone-personalised collaboration can improve the detection of previously unseen attacks in contested IoBT environments.
Paper Structure (23 sections, 8 equations, 10 figures, 10 tables, 1 algorithm)

Figures (10)

  • Figure 1: Overview of ZAID in an IoBT environment. Each zone processes traffic locally at a restricted gateway, where a universal classifier makes a baseline decision, lightweight adapters customise the classifier to local traffic, and an autoencoder-based anomaly score reliably detects unseen attack types. Zones periodically share only a small set of trainable parameters for aggregation, enabling collaborative enhancement without centralising raw traffic.
  • Figure 2: Centralised (traffic centralisation baseline)
  • Figure 3: Zone-local learning with collaborative updates (ZAID)
  • Figure 5: ZAID universal model with three stacked convolutional layers with filters 64, 32, 16, ReLU activation and kernel size 3, followed by 256, 64, 16 dense layers with 0.2 for dropout.
  • Figure 6: ZAID autoencoder structure with two stacked convolutional-pooling layers with filters 16, 32, a bottleneck layer with 64 filters, and kernel size 3, ending at two stacked upsampling-convolutional layers, with 0.2 for dropout.
  • ...and 5 more figures