# Cross-Protocol Domain Gap in Internet of Things Intrusion and Anomaly Detection: An Empirical Internet Protocol-to-Bluetooth Low Energy Study of Domain-Adversarial Training

**Authors:** Hyejin Jin

PMC · DOI: 10.3390/s26041184 · Sensors (Basel, Switzerland) · 2026-02-11

## TL;DR

This study examines how well intrusion detection systems trained on IP traffic work when applied to Bluetooth Low Energy (BLE) devices, finding significant variability and risks in performance.

## Contribution

The study introduces R3, a domain-aware checkpointing method that improves target performance in label-free settings for cross-protocol domain adaptation.

## Key findings

- Domain-adversarial training shows transient domain confusion and high seed-to-seed variability in label-free target conditions.
- R3 improves target ROC-AUC by ~+0.053 across three seeds using domain-discriminator accuracy as an alignment proxy.
- UDA performance collapses under capture-wise LOCO evaluation, highlighting risks of optimistic random splits.

## Abstract

What are the main findings?
Cross-protocol IP → BLE transfer yields high seed-to-seed variability under label-free target conditions.Domain-adversarial training shows transient domain confusion; R3 (domain-aware checkpointing via domain-discriminator accuracy) improves target ROC-AUC without target labels, while classical ML baselines remain strong in this 14D setting.

Cross-protocol IP → BLE transfer yields high seed-to-seed variability under label-free target conditions.

Domain-adversarial training shows transient domain confusion; R3 (domain-aware checkpointing via domain-discriminator accuracy) improves target ROC-AUC without target labels, while classical ML baselines remain strong in this 14D setting.

What are the implications of the main findings?
Random window-level splits can be optimistic; capture-wise/LOCO evaluation and operating-point audits (e.g., micro-FPR) are critical for deployment-faithful reporting.Monitoring domain-discriminator behavior (DomAcc, domain-discriminator accuracy) curves helps avoid misleading final-epoch conclusions in adversarial UDA.

Random window-level splits can be optimistic; capture-wise/LOCO evaluation and operating-point audits (e.g., micro-FPR) are critical for deployment-faithful reporting.

Monitoring domain-discriminator behavior (DomAcc, domain-discriminator accuracy) curves helps avoid misleading final-epoch conclusions in adversarial UDA.

Intrusion and anomaly detectors trained on Internet Protocol (IP) traffic are increasingly deployed in heterogeneous IoT environments where Bluetooth Low Energy (BLE) links coexist with IP networks. We quantify the cross-protocol domain gap in an IP → BLE transfer setting under unsupervised domain adaptation (UDA), where target labels are unavailable for training and model selection. Using 14 lightweight window-level statistics and leakage-aware splits, we benchmark classical baselines and alignment methods (CORAL and MMD) against domain-adversarial neural networks (DANNs). Under random window splits, DANNs can yield modest target gains but exhibit strong seed sensitivity and non-monotonic domain confusion. We propose R3, a domain-aware checkpoint rule that combines near-best source validation with domain discriminator accuracy as a proxy for alignment, improving the target ROC-AUC by ~+0.053 across three representative seeds and producing more consistent AP gains over 20 seeds. However, under a stricter capture-wise leave-one-capture-out (LOCO) protocol, UDA collapses to near-chance ranking and can underperform simple baselines, highlighting the risk of optimistic random splits. Finally, we show that transferring a source-tuned threshold can trigger unsafe operating points (micro-FPR = 1.0 on benign-only captures), motivating PR-based metrics and calibration/operating-point audits. We have released derived feature tables, split definitions, and scripts to support reproducibility under restricted raw data access.

## Full-text entities

- **Diseases:** IoT (MESH:C000719207), MCD (MESH:D012514), MMD (MESH:D009800), IDS (MESH:D016532), anomaly (MESH:D000013), injury to (MESH:D014947)
- **Chemicals:** IP (-)
- **Species:** Homo sapiens (human, species) [taxon 9606]

## Full text

_Full body text omitted from this summary view._ Fetch the complete paper as Markdown: https://tomesphere.com/paper/PMC12944665/full.md

## Figures

15 figures with captions in the complete paper: https://tomesphere.com/paper/PMC12944665/full.md

## References

30 references — full list in the complete paper: https://tomesphere.com/paper/PMC12944665/full.md

---
Source: https://tomesphere.com/paper/PMC12944665