Published in the 5th IEEE International Conference on AI in Cybersecurity (ICAIC), 2026.
Read the Full IEEE Paper →Overview
The rapid expansion of Internet of Things (IoT) devices has introduced massive scale and complexity to network traffic, making centralized intrusion detection privacy-invasive and computationally expensive.
This project introduces a Hybrid Federated Learning Architecture that combines a deep Transformer backbone with an XGBoost specialist. By utilizing Low-Rank Adaptation (LoRA), we achieved a communication-efficient system that reduces data transmission by 89.5% while maintaining 97.98% global accuracy on the CICIoT2023 dataset.
Dataset & Preparation
We utilized the CICIoT2023 dataset, a massive collection of real-world IoT traffic covering over 80 attack subtypes. To handle the extreme class imbalance and heterogeneity inherent in IoT networks, we implemented a rigorous preprocessing pipeline:
- Column Pruning: Removed redundant fields (e.g.,
Srate,LLC). - Stratified Partitioning: Data was divided into four federated clients preserving label proportions to mitigate non-IID effects.
- Balancing Strategy: Applied a mix of oversampling for minority attacks (e.g., Mirai) and downsampling for dominant benign traffic.
- Class Weighting: Inverse-frequency weights were computed and applied to the Cross-Entropy loss function.
System Architecture
The system addresses the "Heterogeneous Feature" problem by fusing two distinct modalities. Each local client trains a dual-model pipeline:
1. Transformer Backbone (with LoRA)
A tabular Transformer encoder processes features using multi-head self-attention to capture complex dependencies. To ensure the model is light enough for IoT edge training, we inject LoRA (Low-Rank Adaptation) adapters. Instead of updating the full weight matrix, we only learn rank-decomposition matrices.
2. XGBoost Specialist
Parallel to the Transformer, an XGBoost model captures tree-based decision boundaries on structured fields (packet counts, flags), excelling at detecting volumetric attacks where deep learning sometimes struggles.
3. Learnable Fusion Head
A Multi-Layer Perceptron (MLP) acts as a fusion gate. It takes the probability vectors from both models and learns a weighted combination, outputting the final prediction logits.
Federated Methodology
Traditional Federated Learning (FedAvg) transmits full model parameters, saturating bandwidth. Our approach freezes the backbone and XGBoost parameters.
Communication Efficiency: Only the LoRA adapter updates (ΔW) are transmitted to the central server.
This reduces the payload from 468 KB (Full Model) to just 49 KB per round.
The server aggregates these lightweight updates using weighted averaging based on the client's sample size (nk), ensuring fairness across heterogeneous devices.
Experimental Results
After 4 communication rounds, the global model achieved an overall accuracy of 97.98% across 2.4 million test samples.
Attack-Specific Performance
The model excelled at volumetric attacks while maintaining competitive performance on stealthier vectors.
| Attack Class | Precision | Recall | F1-Score |
|---|---|---|---|
| DDoS-ICMP_Flood | 1.0000 | 1.0000 | 1.0000 |
| Mirai-udpplain | 0.9999 | 0.9999 | 0.9999 |
| Uploading_Attack | 0.9556 | 0.9919 | 0.9734 |
| SqlInjection | 0.7105 | 0.8788 | 0.7857 |
| Recon-OSScan | 0.5961 | 0.6668 | 0.6294 |
| Weighted Average | 0.9815 | 0.9798 | 0.9803 |
*Table I: Selected performance metrics from Round 4.
Communication Analysis
By exchanging only low-rank matrices, we achieved massive compression, enabling deployment on constrained networks like LoRaWAN or LTE-M.
| Method | Trainable Params | Payload Size | Reduction |
|---|---|---|---|
| Standard FedAvg | 117,248 | ~468 KB | 0% |
| Proposed LoRA | 12,288 | ~49 KB | 89.52% |
Conclusion
This work represents the first integration of hybrid ensemble learning with parameter-efficient LoRA updates in federated IoT security. By fusing Deep Learning with Tree-based models and optimizing for communication, we created a robust system capable of defending edge networks against complex cyber threats.