Hybrid clustering-guided federated learning for robust intrusion detection in highly heterogeneous IoT environments
García-Sáez, Luis Miguel ; Ruiz-Villafranca, Sergio ; Roldán-Gómez, José (Universidad de Zaragoza) ; Carrillo-Mondéjar, Javier (Universidad de Zaragoza) ; Martínez, José Luis
Resumen: The growing complexity and scale of Internet of Things (IoT) ecosystems have intensified the emergence of cyber threats and amplified the impact of data heterogeneity across devices. These environments are characterised
by their inherent hostility, comprising resource-limited and intermittently connected devices. Consequently, this poses a considerable challenge to the stability and reliability of conventional Federated Learning (FL) approaches. Standard aggregation schemes such as FedAvg, FedProx, FedAdam, and SCAFFOLD often fail under such extreme non-Independent and Identically Distributed (non-IID) conditions, leading to unstable convergence and biased global models. This work introduces a double-clustering federated architecture for intrusion detection that coordinates training at two levels. Locally, lightweight micro-clustering organises client-side updates into consistent groups, reducing the influence of inconsistent local updates. At the server level, density-based (HDBSCAN) clustering discovers evolving families of distributionally compatible clients, allowing coordination to adapt as heterogeneity evolves over time. Clustering is stabilised across rounds through a stability-aware assignment rule. Training then proceeds via family-wise aggregation, producing one expert model per family and a global fallback model for outliers and unassigned participants. Extensive experiments on three public IoT cybersecurity datasets, X-IIoTID, RT-IoT22, and Edge-IIoTset, demonstrate the robustness of the proposed strategy across both lightweight and Deep Learning (DL) models. The architecture achieves up to 19.9% higher F1-score than standard FL methods and maintains over 90% of its peak performance even under severe non-IID conditions, while keeping runtime efficiency within ±15%. These results establish clustering-guided coordination as a practical and resilient foundation for federated intrusion detection, capable of sustaining high accuracy and stability in the most adversarial IoT environments
Idioma: Inglés
DOI: 10.1016/j.comnet.2026.112205
Año: 2026
Publicado en: Computer Networks 281 (2026), 112205 [17 pp.]
ISSN: 1389-1286
Financiación: info:eu-repo/grantAgreement/ES/AEI/PID2024-158682OB-C32
Financiación: info:eu-repo/grantAgreement/ES/DGA/T21-23R
Financiación: info:eu-repo/grantAgreement/ES/MCIU/PID2023-151467OA-I00
Financiación: info:eu-repo/grantAgreement/EUR/MICINN/TED2021-131115A-I00
Financiación: info:eu-repo/grantAgreement/ES/MICINN/PID2022-142332OA-I00
Tipo y forma: Article (Published version)
Área (Departamento): Área Lenguajes y Sistemas Inf. (Dpto. Informát.Ingenie.Sistms.)
You must give appropriate credit, provide a link to the license, and indicate if changes were made. You may do so in any reasonable manner, but not in any way that suggests the licensor endorses you or your use.
Exportado de SIDERAL (2026-04-10-13:45:43)
Visitas y descargas
by their inherent hostility, comprising resource-limited and intermittently connected devices. Consequently, this poses a considerable challenge to the stability and reliability of conventional Federated Learning (FL) approaches. Standard aggregation schemes such as FedAvg, FedProx, FedAdam, and SCAFFOLD often fail under such extreme non-Independent and Identically Distributed (non-IID) conditions, leading to unstable convergence and biased global models. This work introduces a double-clustering federated architecture for intrusion detection that coordinates training at two levels. Locally, lightweight micro-clustering organises client-side updates into consistent groups, reducing the influence of inconsistent local updates. At the server level, density-based (HDBSCAN) clustering discovers evolving families of distributionally compatible clients, allowing coordination to adapt as heterogeneity evolves over time. Clustering is stabilised across rounds through a stability-aware assignment rule. Training then proceeds via family-wise aggregation, producing one expert model per family and a global fallback model for outliers and unassigned participants. Extensive experiments on three public IoT cybersecurity datasets, X-IIoTID, RT-IoT22, and Edge-IIoTset, demonstrate the robustness of the proposed strategy across both lightweight and Deep Learning (DL) models. The architecture achieves up to 19.9% higher F1-score than standard FL methods and maintains over 90% of its peak performance even under severe non-IID conditions, while keeping runtime efficiency within ±15%. These results establish clustering-guided coordination as a practical and resilient foundation for federated intrusion detection, capable of sustaining high accuracy and stability in the most adversarial IoT environments
Idioma: Inglés
DOI: 10.1016/j.comnet.2026.112205
Año: 2026
Publicado en: Computer Networks 281 (2026), 112205 [17 pp.]
ISSN: 1389-1286
Financiación: info:eu-repo/grantAgreement/ES/AEI/PID2024-158682OB-C32
Financiación: info:eu-repo/grantAgreement/ES/DGA/T21-23R
Financiación: info:eu-repo/grantAgreement/ES/MCIU/PID2023-151467OA-I00
Financiación: info:eu-repo/grantAgreement/EUR/MICINN/TED2021-131115A-I00
Financiación: info:eu-repo/grantAgreement/ES/MICINN/PID2022-142332OA-I00
Tipo y forma: Article (Published version)
Área (Departamento): Área Lenguajes y Sistemas Inf. (Dpto. Informát.Ingenie.Sistms.)
You must give appropriate credit, provide a link to the license, and indicate if changes were made. You may do so in any reasonable manner, but not in any way that suggests the licensor endorses you or your use. Exportado de SIDERAL (2026-04-10-13:45:43)
Permalink:
Visitas y descargas
Este artículo se encuentra en las siguientes colecciones:
Articles > Artículos por área > Lenguajes y Sistemas Informáticos
Record created 2026-04-10, last modified 2026-04-10