Exploring Robust Intrusion Detection: A Benchmark Study of Feature Transferability in IoT Botnet Attack Detection
Alejandro Guerra-Manzanares, Jialin Huang

TL;DR
This study systematically evaluates the transferability of flow-based features for IoT intrusion detection across different network environments, highlighting the importance of feature engineering and algorithm choice for robustness.
Contribution
It provides a comprehensive benchmark analysis of feature transferability in IoT intrusion detection and offers practical guidelines for enhancing system robustness against domain shifts.
Findings
Models trained on one domain perform poorly on others.
The choice of feature set and classification algorithm significantly affects transferability.
The study provides feature engineering guidelines to improve robustness.
Abstract
Cross-domain intrusion detection remains a critical challenge due to significant variability in network traffic characteristics and feature distributions across environments. This study evaluates the transferability of three widely used flow-based feature sets (Argus, Zeek and CICFlowMeter) across four widely used datasets representing heterogeneous IoT and Industrial IoT network conditions. Through extensive experiments, we evaluate in- and cross-domain performance across multiple classification models and analyze feature importance using SHapley Additive exPlanations (SHAP). Our results show that models trained on one domain suffer significant performance degradation when applied to a different target domain, reflecting the sensitivity of IoT intrusion detection systems to distribution shifts. Furthermore, the results evidence that the choice of classification algorithm and feature…
Taxonomy
Topics: Network Security and Intrusion Detection · Advanced Malware Detection Techniques · Internet Traffic Analysis and Secure E-voting
