Collaborative Zone-Adaptive Zero-Day Intrusion Detection for IoBT
Amirmohammad Pasdar, Shabnam Kasra Kermanshahi, Nour Moustafa, Van-Thuan Pham

TL;DR
This paper introduces ZAID, a collaborative, zone-adaptive intrusion detection framework for IoBT that effectively detects unseen cyber attacks using federated learning and lightweight adaptation modules.
Contribution
ZAID is the first to combine universal traffic models, autoencoder anomaly signals, and lightweight adapters for zone-specific intrusion detection in disrupted IoBT networks.
Findings
Achieves up to 83.16% accuracy on unseen attack traffic.
Transfers detection capabilities to different datasets with up to 71.64% accuracy.
Demonstrates effective zero-day attack detection in contested environments.
Abstract
The Internet of Battlefield Things (IoBT) relies on heterogeneous, bandwidth-constrained, and intermittently connected tactical networks that face rapidly evolving cyber threats. In this setting, intrusion detection cannot depend on continuous central collection of raw traffic due to disrupted links, latency, operational security limits, and non-IID traffic across zones. We present Zone-Adaptive Intrusion Detection (ZAID), a collaborative detection and model-improvement framework for unseen attack types, where "zero-day" refers to previously unobserved attack families and behaviours (not vulnerability disclosure timing). ZAID combines a universal convolutional model for generalisable traffic representations, an autoencoder-based reconstruction signal as an auxiliary anomaly score, and lightweight adapter modules for parameter-efficient zone adaptation. To support cross-zone…
Taxonomy
Topics: Network Security and Intrusion Detection · Software-Defined Networks and 5G · Opportunistic and Delay-Tolerant Networks
