000170278 001__ 170278
000170278 005__ 20260410165451.0
000170278 0247_ $$2doi$$a10.1016/j.comnet.2026.112205
000170278 0248_ $$2sideral$$a148833
000170278 037__ $$aART-2026-148833
000170278 041__ $$aeng
000170278 100__ $$aGarcía-Sáez, Luis Miguel
000170278 245__ $$aHybrid clustering-guided federated learning for robust intrusion detection in highly heterogeneous IoT environments
000170278 260__ $$c2026
000170278 5060_ $$aAccess copy available to the general public$$fUnrestricted
000170278 5203_ $$aThe growing complexity and scale of Internet of Things (IoT) ecosystems have intensified the emergence of cyber threats and amplified the impact of data heterogeneity across devices. These environments are characterised
by their inherent hostility, comprising resource-limited and intermittently connected devices. Consequently, this poses a considerable challenge to the stability and reliability of conventional Federated Learning (FL) approaches. Standard aggregation schemes such as FedAvg, FedProx, FedAdam, and SCAFFOLD often fail under such extreme non-Independent and Identically Distributed (non-IID) conditions, leading to unstable convergence and biased global models. This work introduces a double-clustering federated architecture for intrusion detection that coordinates training at two levels. Locally, lightweight micro-clustering organises client-side updates into consistent groups, reducing the influence of inconsistent local updates. At the server level, density-based (HDBSCAN) clustering discovers evolving families of distributionally compatible clients, allowing coordination to adapt as heterogeneity evolves over time. Clustering is stabilised across rounds through a stability-aware assignment rule. Training then proceeds via family-wise aggregation, producing one expert model per family and a global fallback model for outliers and unassigned participants. Extensive experiments on three public IoT cybersecurity datasets, X-IIoTID, RT-IoT22, and Edge-IIoTset, demonstrate the robustness of the proposed strategy across both lightweight and Deep Learning (DL) models. The architecture achieves up to 19.9% higher F1-score than standard FL methods and maintains over 90% of its peak performance even under severe non-IID conditions, while keeping runtime efficiency within ±15%. These results establish clustering-guided coordination as a practical and resilient foundation for federated intrusion detection, capable of sustaining high accuracy and stability in the most adversarial IoT environments
000170278 536__ $$9info:eu-repo/grantAgreement/ES/AEI/PID2024-158682OB-C32$$9info:eu-repo/grantAgreement/ES/DGA/T21-23R$$9info:eu-repo/grantAgreement/ES/MCIU/PID2023-151467OA-I00$$9info:eu-repo/grantAgreement/EUR/MICINN/TED2021-131115A-I00$$9info:eu-repo/grantAgreement/ES/MICINN/PID2022-142332OA-I00
000170278 540__ $$9info:eu-repo/semantics/openAccess$$aby$$uhttps://creativecommons.org/licenses/by/4.0/deed.es
000170278 655_4 $$ainfo:eu-repo/semantics/article$$vinfo:eu-repo/semantics/publishedVersion
000170278 700__ $$aRuiz-Villafranca, Sergio
000170278 700__ $$aRoldán-Gómez, José$$uUniversidad de Zaragoza
000170278 700__ $$aCarrillo-Mondéjar, Javier$$uUniversidad de Zaragoza
000170278 700__ $$aMartínez, José Luis
000170278 7102_ $$15007$$2570$$aUniversidad de Zaragoza$$bDpto. Informát.Ingenie.Sistms.$$cÁrea Lenguajes y Sistemas Inf.
000170278 773__ $$g281 (2026), 112205 [17 pp.]$$pComput. networks$$tComputer Networks$$x1389-1286
000170278 8564_ $$s3391281$$uhttps://zaguan.unizar.es/record/170278/files/texto_completo.pdf$$yVersión publicada
000170278 8564_ $$s2564801$$uhttps://zaguan.unizar.es/record/170278/files/texto_completo.jpg?subformat=icon$$xicon$$yVersión publicada
000170278 909CO $$ooai:zaguan.unizar.es:170278$$particulos$$pdriver
000170278 951__ $$a2026-04-10-13:45:43
000170278 980__ $$aARTICLE