Hybrid clustering-guided federated learning for robust intrusion detection in highly heterogeneous IoT environments
The growing complexity and scale of Internet of Things (IoT) ecosystems have intensified the emergence of cyber threats and amplified the impact of data heterogeneity across devices. These environments are characterised by their inherent hostility, comprising resource-limited and intermittently conn...
| Autores: | , , , , |
|---|---|
| Tipo de recurso: | artículo |
| Fecha de publicación: | 2026 |
| País: | España |
| Institución: | Fundación Dialnet. Universidad de La Rioja |
| Repositorio: | RUIdeRA. Repositorio Institucional de la UCLM |
| OAI Identifier: | oai:ruidera.uclm.es:10578/47885 |
| Acceso en línea: | https://doi.org/10.1016/j.comnet.2026.112205 https://hdl.handle.net/10578/47885 |
| Access Level: | acceso abierto |
| Palabra clave: | Adaptive clustering Cyber threat detection Federated learning Intrusion detection system IoT security |
| id |
ES_dfd5b34ac09b8cc939a15c522aa4a006 |
|---|---|
| oai_identifier_str |
oai:ruidera.uclm.es:10578/47885 |
| network_acronym_str |
ES |
| network_name_str |
España |
| repository_id_str |
|
| spelling |
Hybrid clustering-guided federated learning for robust intrusion detection in highly heterogeneous IoT environmentsGarcía Sáez, Luis MiguelRuiz Villafranca, SergioRoldán Gómez, JoséCarrillo Mondéjar, JavierMartínez Martínez, José LuisAdaptive clusteringCyber threat detectionFederated learningIntrusion detection systemIoT securityThe growing complexity and scale of Internet of Things (IoT) ecosystems have intensified the emergence of cyber threats and amplified the impact of data heterogeneity across devices. These environments are characterised by their inherent hostility, comprising resource-limited and intermittently connected devices. Consequently, this poses a considerable challenge to the stability and reliability of conventional Federated Learning (FL) approaches. Standard aggregation schemes such as FedAvg, FedProx, FedAdam, and SCAFFOLD often fail under such extreme non-Independent and Identically Distributed (non-IID) conditions, leading to unstable convergence and biased global models. This work introduces a double-clustering federated architecture for intrusion detection that coordinates training at two levels. Locally, lightweight micro-clustering organises client-side updates into consistent groups, reducing the influence of inconsistent local updates. At the server level, density-based (HDBSCAN) clustering discovers evolving families of distributionally compatible clients, allowing coordination to adapt as heterogeneity evolves over time. Clustering is stabilised across rounds through a stability-aware assignment rule. Training then proceeds via family-wise aggregation, producing one expert model per family and a global fallback model for outliers and unassigned participants. Extensive experiments on three public IoT cybersecurity datasets, X-IIoTID, RT-IoT22, and Edge-IIoTset, demonstrate the robustness of the proposed strategy across both lightweight and Deep Learning (DL) models. The architecture achieves up to 19.9% higher F1-score than standard FL methods and maintains over 90% of its peak performance even under severe non-IID conditions, while keeping runtime efficiency within ± 15%. These results establish clustering-guided coordination as a practical and resilient foundation for federated intrusion detection, capable of sustaining high accuracy and stability in the most adversarial IoT environmentsElsevier202620262026info:eu-repo/semantics/articleapplication/pdfapplication/pdfhttps://doi.org/10.1016/j.comnet.2026.112205https://doi.org/10.1016/j.comnet.2026.112205https://hdl.handle.net/10578/47885reponame:RUIdeRA. Repositorio Institucional de la UCLMinstname:Fundación Dialnet. Universidad de La RiojaInglésPredoctoral 2024-UNIVERS-12844SBPLY/21/180501/000195PID2024-158682OB-C32PID2022-142332OA-I00TED2021-131115A-I00PID2023-151467OA-I00Strategic Projects Program for Research Groups (DisCo research group, ref. T21-23R)info:eu-repo/semantics/openAccessoai:ruidera.uclm.es:10578/478852026-05-27T07:36:41Z |
| dc.title.none.fl_str_mv |
Hybrid clustering-guided federated learning for robust intrusion detection in highly heterogeneous IoT environments |
| title |
Hybrid clustering-guided federated learning for robust intrusion detection in highly heterogeneous IoT environments |
| spellingShingle |
Hybrid clustering-guided federated learning for robust intrusion detection in highly heterogeneous IoT environments García Sáez, Luis Miguel Adaptive clustering Cyber threat detection Federated learning Intrusion detection system IoT security |
| title_short |
Hybrid clustering-guided federated learning for robust intrusion detection in highly heterogeneous IoT environments |
| title_full |
Hybrid clustering-guided federated learning for robust intrusion detection in highly heterogeneous IoT environments |
| title_fullStr |
Hybrid clustering-guided federated learning for robust intrusion detection in highly heterogeneous IoT environments |
| title_full_unstemmed |
Hybrid clustering-guided federated learning for robust intrusion detection in highly heterogeneous IoT environments |
| title_sort |
Hybrid clustering-guided federated learning for robust intrusion detection in highly heterogeneous IoT environments |
| dc.creator.none.fl_str_mv |
García Sáez, Luis Miguel Ruiz Villafranca, Sergio Roldán Gómez, José Carrillo Mondéjar, Javier Martínez Martínez, José Luis |
| author |
García Sáez, Luis Miguel |
| author_facet |
García Sáez, Luis Miguel Ruiz Villafranca, Sergio Roldán Gómez, José Carrillo Mondéjar, Javier Martínez Martínez, José Luis |
| author_role |
author |
| author2 |
Ruiz Villafranca, Sergio Roldán Gómez, José Carrillo Mondéjar, Javier Martínez Martínez, José Luis |
| author2_role |
author author author author |
| dc.subject.none.fl_str_mv |
Adaptive clustering Cyber threat detection Federated learning Intrusion detection system IoT security |
| topic |
Adaptive clustering Cyber threat detection Federated learning Intrusion detection system IoT security |
| description |
The growing complexity and scale of Internet of Things (IoT) ecosystems have intensified the emergence of cyber threats and amplified the impact of data heterogeneity across devices. These environments are characterised by their inherent hostility, comprising resource-limited and intermittently connected devices. Consequently, this poses a considerable challenge to the stability and reliability of conventional Federated Learning (FL) approaches. Standard aggregation schemes such as FedAvg, FedProx, FedAdam, and SCAFFOLD often fail under such extreme non-Independent and Identically Distributed (non-IID) conditions, leading to unstable convergence and biased global models. This work introduces a double-clustering federated architecture for intrusion detection that coordinates training at two levels. Locally, lightweight micro-clustering organises client-side updates into consistent groups, reducing the influence of inconsistent local updates. At the server level, density-based (HDBSCAN) clustering discovers evolving families of distributionally compatible clients, allowing coordination to adapt as heterogeneity evolves over time. Clustering is stabilised across rounds through a stability-aware assignment rule. Training then proceeds via family-wise aggregation, producing one expert model per family and a global fallback model for outliers and unassigned participants. Extensive experiments on three public IoT cybersecurity datasets, X-IIoTID, RT-IoT22, and Edge-IIoTset, demonstrate the robustness of the proposed strategy across both lightweight and Deep Learning (DL) models. The architecture achieves up to 19.9% higher F1-score than standard FL methods and maintains over 90% of its peak performance even under severe non-IID conditions, while keeping runtime efficiency within ± 15%. These results establish clustering-guided coordination as a practical and resilient foundation for federated intrusion detection, capable of sustaining high accuracy and stability in the most adversarial IoT environments |
| publishDate |
2026 |
| dc.date.none.fl_str_mv |
2026 2026 2026 |
| dc.type.none.fl_str_mv |
info:eu-repo/semantics/article |
| format |
article |
| dc.identifier.none.fl_str_mv |
https://doi.org/10.1016/j.comnet.2026.112205 https://doi.org/10.1016/j.comnet.2026.112205 https://hdl.handle.net/10578/47885 |
| url |
https://doi.org/10.1016/j.comnet.2026.112205 https://hdl.handle.net/10578/47885 |
| dc.language.none.fl_str_mv |
Inglés |
| language_invalid_str_mv |
Inglés |
| dc.relation.none.fl_str_mv |
Predoctoral 2024-UNIVERS-12844 SBPLY/21/180501/000195 PID2024-158682OB-C32 PID2022-142332OA-I00 TED2021-131115A-I00 PID2023-151467OA-I00 Strategic Projects Program for Research Groups (DisCo research group, ref. T21-23R) |
| dc.rights.none.fl_str_mv |
info:eu-repo/semantics/openAccess |
| eu_rights_str_mv |
openAccess |
| dc.format.none.fl_str_mv |
application/pdf application/pdf |
| dc.publisher.none.fl_str_mv |
Elsevier |
| publisher.none.fl_str_mv |
Elsevier |
| dc.source.none.fl_str_mv |
reponame:RUIdeRA. Repositorio Institucional de la UCLM instname:Fundación Dialnet. Universidad de La Rioja |
| instname_str |
Fundación Dialnet. Universidad de La Rioja |
| reponame_str |
RUIdeRA. Repositorio Institucional de la UCLM |
| collection |
RUIdeRA. Repositorio Institucional de la UCLM |
| repository.name.fl_str_mv |
|
| repository.mail.fl_str_mv |
|
| _version_ |
1869422099742851072 |
| score |
15,811543 |