Collaborative Zone-Adaptive Zero-Day Intrusion Detection for IoBT
The Internet of Battlefield Things (IoBT) relies on heterogeneous, bandwidth-constrained, and intermittently connected tactical networks that face rapidly evolving cyber threats. In this setting, intrusion detection cannot depend on continuous central collection of raw traffic due to disrupted links, latency, operational security limits, and non-IID traffic across zones. We present Zone-Adaptive Intrusion Detection (ZAID), a collaborative detection and model-improvement framework for unseen attack types, where “zero-day” refers to previously unobserved attack families and behaviours (not vulnerability disclosure timing). ZAID combines a universal convolutional model for generalisable traffic representations, an autoencoder-based reconstruction signal as an auxiliary anomaly score, and lightweight adapter modules for parameter-efficient zone adaptation. To support cross-zone generalisation under constrained connectivity, ZAID uses federated aggregation and pseudo-labelling to leverage locally observed, weakly labelled behaviours. We evaluate ZAID on ToN_IoT using a zero-day protocol that excludes MITM, DDoS, and DoS from supervised training and introduces them during zone-level deployment and adaptation. ZAID achieves up to 83.16% accuracy on unseen attack traffic and transfers to UNSW-NB15 under the same procedure, with a best accuracy of 71.64%. These results indicate that parameter-efficient, zone-personalised collaboration can improve the detection of previously unseen attacks in contested IoBT environments.
💡 Research Summary
The paper addresses the unique challenges of intrusion detection in the Internet of Battlefield Things (IoBT), where heterogeneous devices, limited bandwidth, intermittent connectivity, and rapidly evolving threats make centralized traffic collection infeasible. The authors propose ZAID (Zone-Adaptive Intrusion Detection), a collaborative framework that combines a universal convolutional classifier, an autoencoder-based reconstruction anomaly signal, and lightweight adapter modules for zone-specific personalization.
In ZAID, each tactical zone is equipped with a gateway that extracts flow-level and statistical features (avoiding payload inspection). A globally pre-trained CNN (the "Universal Model") provides a shared representation for normal vs. abnormal traffic, outputting a probability λ_U. In parallel, an autoencoder trained on normal traffic reconstructs the input and yields a normalized reconstruction error λ_A, which serves as an auxiliary anomaly score that is especially useful for unseen (zero-day) attacks.
To adapt to non-IID traffic across zones, the framework inserts small adapter modules into the upper layers of the universal CNN. These adapters contain only a few thousand trainable parameters, allowing each zone to fine-tune the model locally while the bulk of the network remains frozen. After local training, zones transmit only the adapter weights and a subset of the universal model's parameters to a central federated learning server. The server aggregates updates using FedAvg (with optional compression) and redistributes the refreshed global parameters, thus enabling knowledge sharing without moving raw traffic.
Because labeled data are scarce in operational settings, ZAID also employs pseudo-labeling: zones generate weak labels from high-confidence predictions and incorporate them into subsequent local training, effectively turning unlabeled samples into additional supervision.
The authors evaluate ZAID on two public datasets: ToN_IoT and UNSW-NB15. A "zero-day" protocol is used: MITM, DDoS, and DoS attacks are deliberately omitted from the supervised training set and introduced only during zone-level deployment. Results show that ZAID achieves up to 83.16% accuracy on the unseen attacks in ToN_IoT and 71.64% on UNSW-NB15, outperforming a baseline CNN by 8-12 percentage points. Ablation studies confirm that both adapters and the autoencoder contribute significantly to detecting previously unseen behavior.
The paper situates ZAID within related work on edge IDS, federated intrusion detection, and transfer/personalization under non-IID shifts, highlighting how it uniquely combines (i) a shared universal representation, (ii) an anomaly-oriented reconstruction signal, and (iii) three complementary adaptation mechanisms (federated aggregation, adapter-based personalization, and pseudo-labeling).
Limitations are acknowledged: (1) the added computational load of adapters and autoencoders may strain ultra-low-power devices, (2) the current federated learning scheme lacks defenses against malicious model updates (poisoning attacks), and (3) reliance on flow-level features may miss subtle cues in encrypted traffic. Future work is proposed on model compression for real-time edge inference, robust aggregation techniques (e.g., differential privacy, Byzantine-resilient methods), and incorporation of multimodal side-channel features.
In summary, ZAID demonstrates that parameter-efficient, zone-personalized collaboration can substantially improve zero-day intrusion detection in contested, bandwidth-constrained IoBT environments while preserving data locality and operational security.
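The three mechanisms described above (the normalized reconstruction score λ_A, FedAvg over adapter weights only, and pseudo-labeling from high-confidence predictions) as an added, self-contained example; this is not the paper's code, and it assumes min-max normalisation of the reconstruction error, sample-count-weighted FedAvg, and an OR-fusion of λ_U and λ_A against a confidence threshold τ, none of which the summary specifies.

```python
from typing import Dict, List, Tuple

Params = Dict[str, List[float]]  # adapter parameters: tensor name -> flat weights


def reconstruction_score(x: List[float], x_hat: List[float],
                         err_min: float, err_max: float) -> float:
    """Anomaly score lambda_A: mean squared reconstruction error of the
    autoencoder, min-max normalised to [0, 1] with bounds taken from normal
    traffic (the normalisation choice is an assumption, not the paper's)."""
    mse = sum((a - b) ** 2 for a, b in zip(x, x_hat)) / len(x)
    return max(0.0, min(1.0, (mse - err_min) / (err_max - err_min)))


def fedavg(updates: List[Tuple[Params, int]]) -> Params:
    """FedAvg over zone adapter updates, weighted by each zone's sample count.
    Only the small adapter tensors travel to the server; the frozen CNN body
    stays in the zone, which is what keeps the uplink cost low."""
    total = sum(n for _, n in updates)
    first = updates[0][0]
    return {k: [sum(p[k][i] * n for p, n in updates) / total
                for i in range(len(first[k]))] for k in first}


def pseudo_label(lambda_u: List[float], lambda_a: List[float],
                 tau: float = 0.9) -> List[Tuple[int, int]]:
    """Weak labels from high-confidence predictions: a flow is labelled
    abnormal (1) when either score is >= tau, normal (0) when both are
    <= 1 - tau, and left unlabelled otherwise, so low-confidence flows never
    feed back into training (OR-fusion of the scores is an assumption)."""
    labels = []
    for i, (u, a) in enumerate(zip(lambda_u, lambda_a)):
        top = max(u, a)
        if top >= tau:
            labels.append((i, 1))
        elif top <= 1 - tau:
            labels.append((i, 0))
    return labels


if __name__ == "__main__":
    # Constructed sample: two zones with 10 and 30 local samples respectively.
    zone_updates = [({"adapter.w": [1.0, 2.0]}, 10), ({"adapter.w": [3.0, 4.0]}, 30)]
    print("aggregated adapter:", fedavg(zone_updates))
    print("lambda_A:", reconstruction_score([0.0, 0.0], [1.0, 0.0], 0.0, 1.0))
    print("pseudo labels:", pseudo_label([0.95, 0.05, 0.5, 0.2], [0.1, 0.02, 0.97, 0.3]))
```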