<p>Low-rate stealth attacks present a major challenge in Internet of Things (IoT) environments because their slow, irregular, and noise-like traffic patterns evade traditional rate-based intrusion detection systems. To address this problem, this paper proposes FSL-IDS, a hierarchical federated intrusion detection framework designed for resource-constrained IoT deployments. The framework integrates sparse representation learning, hierarchical temporal modeling, and federated optimization across distributed IoT, fog, and cloud layers. At the device level, a sparsity-constrained encoder captures subtle deviations in local traffic behavior, while fog nodes employ a Hierarchical Ensemble for Correlated Events (H-EFCE) to identify cross-device temporal attack patterns. At the cloud layer, a Federated Gradient Aggregation Module (FGAM) performs robust global model aggregation, and a Lightweight Quantized Model Optimization Layer (LQMOL) enables efficient deployment on constrained edge devices. The proposed system was evaluated on the IoTID20 dataset containing heterogeneous smart-home IoT traffic, including Mirai, DoS, scan, authentication attacks, and stealth anomalies. To address the scarcity of low-rate stealth samples, a Synthetic Stealth Attack Injection Module (SSAIM) was used to augment training data while preserving realistic traffic characteristics. Experimental results demonstrate that the proposed architecture significantly improves stealth attack detection compared with multiple baseline methods, including federated learning algorithms and classical anomaly detection models. The FGAM-based cloud model achieved an AUC-ROC of 0.992 and F1-score of 0.965, outperforming FedAvg, FedProx, GRU-Autoencoder, Temporal Convolutional models, and Isolation Forest baselines under identical dataset and split conditions. Ablation experiments confirm that each architectural component contributes to performance gains, with the removal of the sparse encoder, temporal ensemble, or SSAIM module reducing detection accuracy and recall for low-rate stealth anomalies. Sensitivity analysis further shows stable detection performance across varying proportions of synthetic stealth traffic, while evaluation on limited real stealth samples confirms consistent detection capability. Additionally, model compression experiments demonstrate that 6-bit quantization provides an effective balance between efficiency and security, reducing edge-device energy consumption by 43% while maintaining near-optimal detection performance; further compression below this threshold leads to noticeable degradation in stealth-attack recall.</p>

错误:搜索内容不能为空,请输入英文关键词
错误:关键词超出字数限制,请精简
高级检索

Federated sparse-learning framework for detecting low-rate stealth attacks in resource-constrained IoT devices

  • R. Anandhi,
  • G. Umarani Srikanth

摘要

Low-rate stealth attacks present a major challenge in Internet of Things (IoT) environments because their slow, irregular, and noise-like traffic patterns evade traditional rate-based intrusion detection systems. To address this problem, this paper proposes FSL-IDS, a hierarchical federated intrusion detection framework designed for resource-constrained IoT deployments. The framework integrates sparse representation learning, hierarchical temporal modeling, and federated optimization across distributed IoT, fog, and cloud layers. At the device level, a sparsity-constrained encoder captures subtle deviations in local traffic behavior, while fog nodes employ a Hierarchical Ensemble for Correlated Events (H-EFCE) to identify cross-device temporal attack patterns. At the cloud layer, a Federated Gradient Aggregation Module (FGAM) performs robust global model aggregation, and a Lightweight Quantized Model Optimization Layer (LQMOL) enables efficient deployment on constrained edge devices. The proposed system was evaluated on the IoTID20 dataset containing heterogeneous smart-home IoT traffic, including Mirai, DoS, scan, authentication attacks, and stealth anomalies. To address the scarcity of low-rate stealth samples, a Synthetic Stealth Attack Injection Module (SSAIM) was used to augment training data while preserving realistic traffic characteristics. Experimental results demonstrate that the proposed architecture significantly improves stealth attack detection compared with multiple baseline methods, including federated learning algorithms and classical anomaly detection models. The FGAM-based cloud model achieved an AUC-ROC of 0.992 and F1-score of 0.965, outperforming FedAvg, FedProx, GRU-Autoencoder, Temporal Convolutional models, and Isolation Forest baselines under identical dataset and split conditions. Ablation experiments confirm that each architectural component contributes to performance gains, with the removal of the sparse encoder, temporal ensemble, or SSAIM module reducing detection accuracy and recall for low-rate stealth anomalies. Sensitivity analysis further shows stable detection performance across varying proportions of synthetic stealth traffic, while evaluation on limited real stealth samples confirms consistent detection capability. Additionally, model compression experiments demonstrate that 6-bit quantization provides an effective balance between efficiency and security, reducing edge-device energy consumption by 43% while maintaining near-optimal detection performance; further compression below this threshold leads to noticeable degradation in stealth-attack recall.