Hybrid clustering-guided federated learning for robust intrusion detection in highly heterogeneous IoT environments
García-Sáez, Luis Miguel ; Ruiz-Villafranca, Sergio ; Roldán-Gómez, José (Universidad de Zaragoza) ; Carrillo-Mondéjar, Javier (Universidad de Zaragoza) ; Martínez, José Luis
Resumen: The growing complexity and scale of Internet of Things (IoT) ecosystems have intensified the emergence of cyber threats and amplified the impact of data heterogeneity across devices. These environments are characterised
by their inherent hostility, comprising resource-limited and intermittently connected devices. Consequently, this poses a considerable challenge to the stability and reliability of conventional Federated Learning (FL) approaches. Standard aggregation schemes such as FedAvg, FedProx, FedAdam, and SCAFFOLD often fail under such extreme non-Independent and Identically Distributed (non-IID) conditions, leading to unstable convergence and biased global models. This work introduces a double-clustering federated architecture for intrusion detection that coordinates training at two levels. Locally, lightweight micro-clustering organises client-side updates into consistent groups, reducing the influence of inconsistent local updates. At the server level, density-based (HDBSCAN) clustering discovers evolving families of distributionally compatible clients, allowing coordination to adapt as heterogeneity evolves over time. Clustering is stabilised across rounds through a stability-aware assignment rule. Training then proceeds via family-wise aggregation, producing one expert model per family and a global fallback model for outliers and unassigned participants. Extensive experiments on three public IoT cybersecurity datasets, X-IIoTID, RT-IoT22, and Edge-IIoTset, demonstrate the robustness of the proposed strategy across both lightweight and Deep Learning (DL) models. The architecture achieves up to 19.9% higher F1-score than standard FL methods and maintains over 90% of its peak performance even under severe non-IID conditions, while keeping runtime efficiency within ±15%. These results establish clustering-guided coordination as a practical and resilient foundation for federated intrusion detection, capable of sustaining high accuracy and stability in the most adversarial IoT environments
Idioma: Inglés
DOI: 10.1016/j.comnet.2026.112205
Año: 2026
Publicado en: Computer Networks 281 (2026), 112205 [17 pp.]
ISSN: 1389-1286
Financiación: info:eu-repo/grantAgreement/ES/AEI/PID2024-158682OB-C32
Financiación: info:eu-repo/grantAgreement/ES/DGA/T21-23R
Financiación: info:eu-repo/grantAgreement/ES/MCIU/PID2023-151467OA-I00
Financiación: info:eu-repo/grantAgreement/EUR/MICINN/TED2021-131115A-I00
Financiación: info:eu-repo/grantAgreement/ES/MICINN/PID2022-142332OA-I00
Tipo y forma: Artículo (Versión definitiva)
Área (Departamento): Área Lenguajes y Sistemas Inf. (Dpto. Informát.Ingenie.Sistms.)
Debe reconocer adecuadamente la autoría, proporcionar un enlace a la licencia e indicar si se han realizado cambios. Puede hacerlo de cualquier manera razonable, pero no de una manera que sugiera que tiene el apoyo del licenciador o lo recibe por el uso que hace.
Exportado de SIDERAL (2026-04-10-13:45:43)
Visitas y descargas
by their inherent hostility, comprising resource-limited and intermittently connected devices. Consequently, this poses a considerable challenge to the stability and reliability of conventional Federated Learning (FL) approaches. Standard aggregation schemes such as FedAvg, FedProx, FedAdam, and SCAFFOLD often fail under such extreme non-Independent and Identically Distributed (non-IID) conditions, leading to unstable convergence and biased global models. This work introduces a double-clustering federated architecture for intrusion detection that coordinates training at two levels. Locally, lightweight micro-clustering organises client-side updates into consistent groups, reducing the influence of inconsistent local updates. At the server level, density-based (HDBSCAN) clustering discovers evolving families of distributionally compatible clients, allowing coordination to adapt as heterogeneity evolves over time. Clustering is stabilised across rounds through a stability-aware assignment rule. Training then proceeds via family-wise aggregation, producing one expert model per family and a global fallback model for outliers and unassigned participants. Extensive experiments on three public IoT cybersecurity datasets, X-IIoTID, RT-IoT22, and Edge-IIoTset, demonstrate the robustness of the proposed strategy across both lightweight and Deep Learning (DL) models. The architecture achieves up to 19.9% higher F1-score than standard FL methods and maintains over 90% of its peak performance even under severe non-IID conditions, while keeping runtime efficiency within ±15%. These results establish clustering-guided coordination as a practical and resilient foundation for federated intrusion detection, capable of sustaining high accuracy and stability in the most adversarial IoT environments
Idioma: Inglés
DOI: 10.1016/j.comnet.2026.112205
Año: 2026
Publicado en: Computer Networks 281 (2026), 112205 [17 pp.]
ISSN: 1389-1286
Financiación: info:eu-repo/grantAgreement/ES/AEI/PID2024-158682OB-C32
Financiación: info:eu-repo/grantAgreement/ES/DGA/T21-23R
Financiación: info:eu-repo/grantAgreement/ES/MCIU/PID2023-151467OA-I00
Financiación: info:eu-repo/grantAgreement/EUR/MICINN/TED2021-131115A-I00
Financiación: info:eu-repo/grantAgreement/ES/MICINN/PID2022-142332OA-I00
Tipo y forma: Artículo (Versión definitiva)
Área (Departamento): Área Lenguajes y Sistemas Inf. (Dpto. Informát.Ingenie.Sistms.)
Debe reconocer adecuadamente la autoría, proporcionar un enlace a la licencia e indicar si se han realizado cambios. Puede hacerlo de cualquier manera razonable, pero no de una manera que sugiera que tiene el apoyo del licenciador o lo recibe por el uso que hace. Exportado de SIDERAL (2026-04-10-13:45:43)
Enlace permanente:
Visitas y descargas
Este artículo se encuentra en las siguientes colecciones:
Artículos > Artículos por área > Lenguajes y Sistemas Informáticos
Registro creado el 2026-04-10, última modificación el 2026-04-10