# Fed-DTCN: A Federated Disentangled Learning Framework for Unsupervised Zero-Day Anomaly Detection in IoT with Semantic-Aware Augmentation

**Authors:** Muhammad Ali Khan, Osman Khalid, Rao Naveed Bin Rais

PMC · DOI: 10.3390/s26061918 · Sensors (Basel, Switzerland) · 2026-03-18

## TL;DR

Fed-DTCN is an unsupervised federated learning framework that detects previously unseen (zero-day) attacks in IoT network traffic without centralizing raw telemetry.

## Contribution

Fed-DTCN introduces a federated learning framework for unsupervised zero-day anomaly detection in IoT, combining semantic-aware augmentation with a dual-encoder architecture.

## Key findings

- Fed-DTCN achieves an F1-score of 99.99% on TON_IoT for standard attacks, and 96% in a zero-day evaluation with the Botnet class withheld during training (0.52% for the supervised baseline).
- The framework reduces inter-client variance and improves consistency across heterogeneous IoT deployments.
- Semantic-preserving augmentations and dual-encoder design enhance robustness and generalization in federated settings.

## Abstract

The proliferation of Internet of Things (IoT) devices continues to expand the network attack surface while introducing stringent privacy requirements that challenge effective intrusion detection. Federated learning enables collaborative model training without centralizing raw network telemetry. However, existing federated intrusion detection approaches often degrade under statistical heterogeneity and remain vulnerable to zero-day attacks when they rely on labeled data or reconstruction-based objectives. This work proposes Fed-DTCN (Federated Dual Temporal Contrastive Network), an unsupervised federated framework for zero-day anomaly detection in IoT environments. Fed-DTCN learns robust representations of benign IoT traffic using contrastive learning with semantic-preserving augmentations. A dual-encoder architecture disentangles globally shared features from client-specific patterns, improving generalization under heterogeneous federated deployments. Personalization and privacy are preserved by selectively aggregating only the shared encoder parameters. The framework employs a compact temporal convolutional backbone together with a soft-weighted contrastive objective to constrain benign representations, thereby enabling reliable detection of out-of-distribution threats. Extensive experiments on the TON_IoT and CSE-CIC-IDS2018 benchmarks show that Fed-DTCN matches or surpasses a state-of-the-art supervised baseline on standard attacks, achieving an F1-score of 99.99% on TON_IoT. In a zero-day evaluation where the Botnet class is withheld during training, Fed-DTCN attains an F1-score of 96%, compared to 0.52% for the supervised baseline. Ablation studies validate the effectiveness of the proposed augmentations, while evaluations under heterogeneous client partitions demonstrate reduced inter-client variance and consistent per-client improvements, indicating suitability for realistic IoT deployments.
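The selective aggregation described in the abstract, sketched as an added example that is not code from the paper: only shared-encoder parameters leave the client, and the server rejects any upload containing other names. The `shared_encoder.` / `private_encoder.` prefixes, the sample-count (FedAvg-style) weighting and the sample values are assumptions.

```python
# Added illustration: the name prefix and FedAvg-style weighting are assumptions,
# not taken from the Fed-DTCN paper. Flat lists stand in for tensors.
SHARED_PREFIX = "shared_encoder."  # hypothetical parameter-name prefix

def client_upload(state):
    """Return only the parameters a client sends to the server."""
    return {k: v for k, v in state.items() if k.startswith(SHARED_PREFIX)}

def aggregate_shared(uploads, sample_counts):
    """Sample-weighted average of shared parameters across clients."""
    if not uploads or len(uploads) != len(sample_counts):
        raise ValueError("need one sample count per upload")
    total = sum(sample_counts)
    if total <= 0:
        raise ValueError("total sample count must be positive")
    keys = set(uploads[0])
    for up in uploads:
        # Reject anything outside the shared namespace or with a mismatched layout.
        if set(up) != keys or any(not k.startswith(SHARED_PREFIX) for k in up):
            raise ValueError("upload has unexpected parameter names")
    merged = {}
    for k in keys:
        dim = len(uploads[0][k])
        if any(len(up[k]) != dim for up in uploads):
            raise ValueError(f"shape mismatch for {k}")
        merged[k] = [
            sum(up[k][i] * n for up, n in zip(uploads, sample_counts)) / total
            for i in range(dim)
        ]
    return merged

def apply_global(state, merged):
    """Overwrite shared parameters locally; client-specific ones stay untouched."""
    return {**state, **merged}

def run_round(clients, sample_counts):
    """One round: clients upload shared weights, server averages, clients update."""
    uploads = [client_upload(c) for c in clients]
    merged = aggregate_shared(uploads, sample_counts)
    return uploads, [apply_global(c, merged) for c in clients]

# Constructed sample state for two clients with different amounts of local data.
CLIENTS = [
    {"shared_encoder.w": [1.0, 2.0], "private_encoder.w": [9.0, 9.0]},
    {"shared_encoder.w": [3.0, 6.0], "private_encoder.w": [-4.0, 0.5]},
]
COUNTS = [100, 300]
```
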

## Figures

10 figures with captions in the complete paper: https://tomesphere.com/paper/PMC13030789/full.md

## References

34 references — full list in the complete paper: https://tomesphere.com/paper/PMC13030789/full.md

---
Source: https://tomesphere.com/paper/PMC13030789