MI$^2$DAS: A Multi-Layer Intrusion Detection Framework with Incremental Learning for Securing Industrial IoT Networks
Wei Lian, Alejandro Guerra-Manzanares

TL;DR
MI$^2$DAS is a multi-layer intrusion detection framework for Industrial IoT that uses anomaly detection, open-set recognition, and incremental learning to identify and adapt to both known and unknown cyberattacks effectively.
Contribution
The paper introduces MI$^2$DAS, a novel multi-layer intrusion detection system that combines anomaly detection, open-set recognition, and incremental learning for adaptive IIoT security.
Findings
GMM achieves 0.953 accuracy in normal-attack discrimination
Open-set recognition recall of 0.813 for known and 0.882 for unknown attacks
Incremental learning maintains macro-F1 of 0.8995 with new attack classes
Abstract
The rapid expansion of Industrial IoT (IIoT) systems has amplified security challenges, as heterogeneous devices and dynamic traffic patterns increase exposure to sophisticated and previously unseen cyberattacks. Traditional intrusion detection systems often struggle in such environments due to their reliance on extensive labeled data and limited ability to detect new threats. To address these challenges, we propose MI$^2$DAS, a multi-layer intrusion detection framework that integrates anomaly-based hierarchical traffic pooling, open-set recognition to distinguish between known and unknown attacks, and incremental learning for adapting to novel attack types with minimal labeling. Experiments conducted on the Edge-IIoTset dataset demonstrate strong performance across all layers. In the first layer, GMM achieves superior normal-attack discrimination (accuracy = 0.953, TPR = 1.000). In…
Taxonomy
Topics: Network Security and Intrusion Detection · Smart Grid Security and Resilience · Anomaly Detection Techniques and Applications
