Hybrid clustering-guided federated learning for robust intrusion detection in highly heterogeneous IoT environments

The growing complexity and scale of Internet of Things (IoT) ecosystems have intensified the emergence of cyber threats and amplified the impact of data heterogeneity across devices. These environments are characterised by their inherent hostility, comprising resource-limited and intermittently conn...

Descripción completa

Detalles Bibliográficos
Autores: García Sáez, Luis Miguel, Ruiz Villafranca, Sergio, Roldán Gómez, José, Carrillo Mondéjar, Javier, Martínez Martínez, José Luis
Tipo de recurso: artículo
Fecha de publicación:2026
País:España
Institución:Fundación Dialnet. Universidad de La Rioja
Repositorio:RUIdeRA. Repositorio Institucional de la UCLM
OAI Identifier:oai:ruidera.uclm.es:10578/47885
Acceso en línea:https://doi.org/10.1016/j.comnet.2026.112205
https://hdl.handle.net/10578/47885
Access Level:acceso abierto
Palabra clave:Adaptive clustering
Cyber threat detection
Federated learning
Intrusion detection system
IoT security
id ES_dfd5b34ac09b8cc939a15c522aa4a006
oai_identifier_str oai:ruidera.uclm.es:10578/47885
network_acronym_str ES
network_name_str España
repository_id_str
spelling Hybrid clustering-guided federated learning for robust intrusion detection in highly heterogeneous IoT environmentsGarcía Sáez, Luis MiguelRuiz Villafranca, SergioRoldán Gómez, JoséCarrillo Mondéjar, JavierMartínez Martínez, José LuisAdaptive clusteringCyber threat detectionFederated learningIntrusion detection systemIoT securityThe growing complexity and scale of Internet of Things (IoT) ecosystems have intensified the emergence of cyber threats and amplified the impact of data heterogeneity across devices. These environments are characterised by their inherent hostility, comprising resource-limited and intermittently connected devices. Consequently, this poses a considerable challenge to the stability and reliability of conventional Federated Learning (FL) approaches. Standard aggregation schemes such as FedAvg, FedProx, FedAdam, and SCAFFOLD often fail under such extreme non-Independent and Identically Distributed (non-IID) conditions, leading to unstable convergence and biased global models. This work introduces a double-clustering federated architecture for intrusion detection that coordinates training at two levels. Locally, lightweight micro-clustering organises client-side updates into consistent groups, reducing the influence of inconsistent local updates. At the server level, density-based (HDBSCAN) clustering discovers evolving families of distributionally compatible clients, allowing coordination to adapt as heterogeneity evolves over time. Clustering is stabilised across rounds through a stability-aware assignment rule. Training then proceeds via family-wise aggregation, producing one expert model per family and a global fallback model for outliers and unassigned participants. Extensive experiments on three public IoT cybersecurity datasets, X-IIoTID, RT-IoT22, and Edge-IIoTset, demonstrate the robustness of the proposed strategy across both lightweight and Deep Learning (DL) models. The architecture achieves up to 19.9% higher F1-score than standard FL methods and maintains over 90% of its peak performance even under severe non-IID conditions, while keeping runtime efficiency within  ± 15%. These results establish clustering-guided coordination as a practical and resilient foundation for federated intrusion detection, capable of sustaining high accuracy and stability in the most adversarial IoT environmentsElsevier202620262026info:eu-repo/semantics/articleapplication/pdfapplication/pdfhttps://doi.org/10.1016/j.comnet.2026.112205https://doi.org/10.1016/j.comnet.2026.112205https://hdl.handle.net/10578/47885reponame:RUIdeRA. Repositorio Institucional de la UCLMinstname:Fundación Dialnet. Universidad de La RiojaInglésPredoctoral 2024-UNIVERS-12844SBPLY/21/180501/000195PID2024-158682OB-C32PID2022-142332OA-I00TED2021-131115A-I00PID2023-151467OA-I00Strategic Projects Program for Research Groups (DisCo research group, ref. T21-23R)info:eu-repo/semantics/openAccessoai:ruidera.uclm.es:10578/478852026-05-27T07:36:41Z
dc.title.none.fl_str_mv Hybrid clustering-guided federated learning for robust intrusion detection in highly heterogeneous IoT environments
title Hybrid clustering-guided federated learning for robust intrusion detection in highly heterogeneous IoT environments
spellingShingle Hybrid clustering-guided federated learning for robust intrusion detection in highly heterogeneous IoT environments
García Sáez, Luis Miguel
Adaptive clustering
Cyber threat detection
Federated learning
Intrusion detection system
IoT security
title_short Hybrid clustering-guided federated learning for robust intrusion detection in highly heterogeneous IoT environments
title_full Hybrid clustering-guided federated learning for robust intrusion detection in highly heterogeneous IoT environments
title_fullStr Hybrid clustering-guided federated learning for robust intrusion detection in highly heterogeneous IoT environments
title_full_unstemmed Hybrid clustering-guided federated learning for robust intrusion detection in highly heterogeneous IoT environments
title_sort Hybrid clustering-guided federated learning for robust intrusion detection in highly heterogeneous IoT environments
dc.creator.none.fl_str_mv García Sáez, Luis Miguel
Ruiz Villafranca, Sergio
Roldán Gómez, José
Carrillo Mondéjar, Javier
Martínez Martínez, José Luis
author García Sáez, Luis Miguel
author_facet García Sáez, Luis Miguel
Ruiz Villafranca, Sergio
Roldán Gómez, José
Carrillo Mondéjar, Javier
Martínez Martínez, José Luis
author_role author
author2 Ruiz Villafranca, Sergio
Roldán Gómez, José
Carrillo Mondéjar, Javier
Martínez Martínez, José Luis
author2_role author
author
author
author
dc.subject.none.fl_str_mv Adaptive clustering
Cyber threat detection
Federated learning
Intrusion detection system
IoT security
topic Adaptive clustering
Cyber threat detection
Federated learning
Intrusion detection system
IoT security
description The growing complexity and scale of Internet of Things (IoT) ecosystems have intensified the emergence of cyber threats and amplified the impact of data heterogeneity across devices. These environments are characterised by their inherent hostility, comprising resource-limited and intermittently connected devices. Consequently, this poses a considerable challenge to the stability and reliability of conventional Federated Learning (FL) approaches. Standard aggregation schemes such as FedAvg, FedProx, FedAdam, and SCAFFOLD often fail under such extreme non-Independent and Identically Distributed (non-IID) conditions, leading to unstable convergence and biased global models. This work introduces a double-clustering federated architecture for intrusion detection that coordinates training at two levels. Locally, lightweight micro-clustering organises client-side updates into consistent groups, reducing the influence of inconsistent local updates. At the server level, density-based (HDBSCAN) clustering discovers evolving families of distributionally compatible clients, allowing coordination to adapt as heterogeneity evolves over time. Clustering is stabilised across rounds through a stability-aware assignment rule. Training then proceeds via family-wise aggregation, producing one expert model per family and a global fallback model for outliers and unassigned participants. Extensive experiments on three public IoT cybersecurity datasets, X-IIoTID, RT-IoT22, and Edge-IIoTset, demonstrate the robustness of the proposed strategy across both lightweight and Deep Learning (DL) models. The architecture achieves up to 19.9% higher F1-score than standard FL methods and maintains over 90% of its peak performance even under severe non-IID conditions, while keeping runtime efficiency within  ± 15%. These results establish clustering-guided coordination as a practical and resilient foundation for federated intrusion detection, capable of sustaining high accuracy and stability in the most adversarial IoT environments
publishDate 2026
dc.date.none.fl_str_mv 2026
2026
2026
dc.type.none.fl_str_mv info:eu-repo/semantics/article
format article
dc.identifier.none.fl_str_mv https://doi.org/10.1016/j.comnet.2026.112205
https://doi.org/10.1016/j.comnet.2026.112205
https://hdl.handle.net/10578/47885
url https://doi.org/10.1016/j.comnet.2026.112205
https://hdl.handle.net/10578/47885
dc.language.none.fl_str_mv Inglés
language_invalid_str_mv Inglés
dc.relation.none.fl_str_mv Predoctoral 2024-UNIVERS-12844
SBPLY/21/180501/000195
PID2024-158682OB-C32
PID2022-142332OA-I00
TED2021-131115A-I00
PID2023-151467OA-I00
Strategic Projects Program for Research Groups (DisCo research group, ref. T21-23R)
dc.rights.none.fl_str_mv info:eu-repo/semantics/openAccess
eu_rights_str_mv openAccess
dc.format.none.fl_str_mv application/pdf
application/pdf
dc.publisher.none.fl_str_mv Elsevier
publisher.none.fl_str_mv Elsevier
dc.source.none.fl_str_mv reponame:RUIdeRA. Repositorio Institucional de la UCLM
instname:Fundación Dialnet. Universidad de La Rioja
instname_str Fundación Dialnet. Universidad de La Rioja
reponame_str RUIdeRA. Repositorio Institucional de la UCLM
collection RUIdeRA. Repositorio Institucional de la UCLM
repository.name.fl_str_mv
repository.mail.fl_str_mv
_version_ 1869422099742851072
score 15,811543