Articles published on Intrusion Detection
19083 Search results
- New
- Research Article
- 10.1016/j.comnet.2026.112202
- May 1, 2026
- Computer Networks
- Mah-Rukh Fida + 1 more
The rapid proliferation of digital devices, particularly resource-constrained IoT nodes, has expanded the network attack surface, posing new challenges for timely and effective intrusion detection. Traditional centralized Intrusion Detection Systems (IDSs) struggle to cope with the growing scale and sophistication of modern threats. Recent research leverages the programmability of the data plane in switches, edge gateways, and smart network interface cards to enable intrusion detection closer to the traffic source. Programmable Data Planes (PDPs) allow custom packet parsing, real-time header manipulation, and extraction of packet- and flow-level features, facilitating early attack detection without full reliance on centralized systems. This survey reviews PDP-based intrusion detection approaches, from thresholding and rule-based methods to entropy- and AI-driven techniques, while addressing hardware constraints such as limited memory and fixed pipelines. Unlike prior surveys, our work uniquely classifies IDSs as feature- or packet-based, analyzes inference approaches and their deployment points, examines datasets used for evaluation, identifies detectable threat types, and reports code availability to promote reproducibility. The paper concludes with key challenges and research directions for advancing PDP-based intrusion detection in dynamic network environments.
- New
- Research Article
- 10.1016/j.iot.2026.101923
- May 1, 2026
- Internet of Things
- Md Mehedi Hasan + 4 more
Network intrusion detection systems (IDS) face persistent challenges with imbalanced datasets, limited effectiveness against zero-day attacks, and inconsistent performance across diverse attack vectors. This paper presents the Adaptive Multi-View Transformer Ensemble for Intrusion Detection (AMTE-IDS), a comprehensive framework that addresses these limitations through innovative integration of advanced data balancing, multi-perspective feature learning, and dynamic ensemble classification. We introduce a Multi-Modal Wasserstein GAN with Gradient Penalty (MM-WGAN-GP) architecture employing multiple critics with complementary perspectives to generate high-quality synthetic samples for minority attack classes. Our Multi-View Feature Learning module extracts complementary representations of network traffic through specialized transformer-based pathways focusing on global features, temporal patterns, and protocol-specific characteristics. A Dynamic Ensemble Detection module adaptively combines specialized classifiers based on input characteristics, enabling effective detection across diverse attack vectors while maintaining robust performance against evolving threats. Extensive experimentation on NSL-KDD, UNSW-NB15, and CIC-IDS2017 datasets demonstrates that AMTE-IDS achieves 97.8% overall accuracy with 73.2% F1-score for minority classes, outperforming state-of-the-art MCGC-IDS by +0.9%/+2.4% respectively (p < 0.001), with 57.1% false positive rate reduction and 0.35ms per-sample inference latency confirming real-time deployment viability. The framework demonstrates strong generalization across different network environments and attack patterns, offering a promising approach for addressing the complex challenges of modern network security.
- New
- Research Article
- 10.1016/j.cosrev.2025.100882
- May 1, 2026
- Computer Science Review
- Menahil Khawar + 5 more
The increasing sophistication and frequency of cyber threats have rendered conventional protection strategies inadequate. Artificial Intelligence (AI) is becoming central to modern cybersecurity, strengthening capabilities in vulnerability assessment, malware detection, phishing prevention, intrusion detection, and deception technologies. Simultaneously, quantum computing introduces both challenges to classical cryptography and opportunities for new forms of quantum-enhanced defenses. This review integrates advances in AI, quantum methods, and ethical governance to provide an integrated perspective on the future of secure digital systems. It evaluates state-of-the-art AI models, including explainable frameworks and quantum-inspired approaches, such as Quantum Convolutional Neural Networks and Quantum Support Vector Machines, along with recent progress in post-quantum cryptography. Ethical concerns, particularly bias, transparency, privacy, and accountability, are examined as essential foundations for trustworthy cybersecurity design in system-on-chip and embedded AI environments. In addition to technical developments, this study considers regulatory frameworks, governance structures, and societal expectations, highlighting the need for responsible and adaptive approaches. A comparative SWOT analysis outlines the strengths, limitations, and areas for cross-domain integration. Finally, a roadmap of future research directions is presented, aligning AI-driven defenses, quantum resilience, and ethical safeguards into flexible and reliable cybersecurity architectures. By linking the technological, ethical, and policy dimensions, this review offers a consolidated foundation to guide the evolution of cybersecurity in a globally connected era.
- New
- Research Article
- 10.1016/j.iot.2026.101915
- May 1, 2026
- Internet of Things
- Andrea Melis + 4 more
• Hybrid digital twins secure IIoT while preserving data privacy
• Continual learning adapts models to new threats with low data needs
• Hardware-in-the-loop validates detection under realistic conditions
• Achieves 97% accuracy with 20× less training data than full retraining
• Scalable framework for resilient anomaly detection in Industry 4.0
The Industrial Internet of Things (IIoT) is increasingly exposed to cyber threats due to its tight integration of operational technology and digital connectivity. Traditional intrusion detection systems (IDSs) often struggle with adaptability, false positives, and operational scalability in dynamic, non-stationary environments. This paper proposes a cyber threat detection framework that integrates hybrid digital twins (DTs) with continual learning to enable reliable and adaptive intrusion detection in realistic IIoT settings. The hybrid DTs act as local mirrors of IIoT devices, preserving sensitive data close to the source while supporting controlled validation of firmware updates and configuration changes. The continual learning mechanism enables the detection model to incrementally adapt to evolving traffic patterns and emerging attacks, mitigating catastrophic forgetting without requiring repeated offline retraining. Experimental validation on benchmark datasets and real IIoT traffic shows that the proposed DT-enabled framework supports stable detection performance over time under bounded memory and incremental update constraints, reflecting realistic deployment conditions. The proposed architecture highlights a practical trade-off between offline optimality and online adaptability, offering a robust, scalable solution for securing IIoT infrastructure that balances continuous operation, reliability, and controlled adaptation.
- New
- Research Article
- 10.1016/j.compeleceng.2026.111051
- May 1, 2026
- Computers and Electrical Engineering
- Mortada Termos + 5 more
ADAP-GNN: Adaptive property-aware graph neural network for intrusion detection in IoT networks
- New
- Research Article
- 10.1016/j.future.2025.108319
- May 1, 2026
- Future Generation Computer Systems
- Pablo Fernández Saura + 2 more
Enhancing federated intrusion detection through LLM-Driven alert enrichment and collaborative threat information sharing
- New
- Research Article
- 10.1016/j.iot.2026.101918
- May 1, 2026
- Internet of Things
- Bocheng Xu + 3 more
A mamba-based lightweight and dynamically adaptive intrusion detection framework for in-vehicle CAN bus
- New
- Research Article
- 10.1016/j.comnet.2026.112221
- May 1, 2026
- Computer Networks
- Runze Ma + 4 more
Intrusion detection for low-altitude wireless networks: Diffusion-enhanced spatiotemporal graph network with dual self-attention
- New
- Research Article
- 10.1016/j.comnet.2026.112210
- May 1, 2026
- Computer Networks
- Dawit Dejene Bikila + 1 more
FedPGO: A personalized federated learning framework with gradient orthogonalization for IoT intrusion detection
- New
- Research Article
- 10.1016/j.jisa.2026.104392
- May 1, 2026
- Journal of Information Security and Applications
- Pablo Moriano + 3 more
Vehicular controller area networks (CANs) are susceptible to masquerade attacks by malicious adversaries. In masquerade attacks, adversaries silence a targeted ID and then send malicious frames with forged content at the expected timing of benign frames. As masquerade attacks could seriously harm vehicle functionality and are the stealthiest attacks to detect in CAN, recent work has devoted attention to compare frameworks for detecting masquerade attacks in CAN. However, most existing works report offline evaluations using CAN logs already collected using simulations that do not comply with the domain’s real-time constraints. Here we contribute to advance the state of the art by presenting a comparative evaluation of four different non-deep learning (DL)-based unsupervised online intrusion detection systems (IDS) for masquerade attacks in CAN. Our approach differs from existing comparative evaluations in that we analyze the effect of controlling streaming data conditions in a sliding window setting. In doing so, we use realistic masquerade attacks being replayed from the ROAD dataset. We show that although evaluated IDS are not effective at detecting every attack type, the method that relies on detecting changes in the hierarchical structure of clusters of time series produces the best results at the expense of higher computational overhead. We discuss limitations, open challenges, and how the evaluated methods can be used for practical unsupervised online CAN IDS for masquerade attacks.
- New
- Research Article
- 10.1109/jiot.2026.3664119
- May 1, 2026
- IEEE Internet of Things Journal
- Shengcai Zhang + 2 more
Real-time intrusion detection with millisecond response is critical for Internet of Vehicles (IoV) security but is challenged by extreme class imbalance and high computational costs. This paper proposes a novel multimodal framework integrating Denoising Diffusion Probabilistic Models (DDPM) and Knowledge Distillation (KD). First, multi-source data is transformed into RGB images. A conditional DDPM with timestep and class embeddings balances datasets by generating minority-class samples. The teacher model (DiffuGuardian) fuses text-image features for training. Subsequently, a lightweight student model, LiteSentinel, is designed employing depthwise separable convolutions and inverted residual blocks to reduce parameters. Results on three datasets demonstrate that DiffuGuardian consistently achieves around 98–100% precision, accuracy, recall, and F1-score under 5-fold evaluation, while LiteSentinel maintains approximately 95–99% across all metrics with substantially reduced complexity. DiffuGuardian reaches an inference time of 3.80ms with a model size of 0.10 MB, whereas LiteSentinel further reduces latency to 0.79ms with a size of 0.07 MB, enabling efficient edge deployment for IoV security.
- New
- Research Article
- 10.1016/j.jnca.2026.104461
- May 1, 2026
- Journal of Network and Computer Applications
- Ahmed Burhan Mohammed + 2 more
Enhancing real-time IoT intrusion detection using KAN-based frameworks with SMOTE
- New
- Research Article
- 10.1016/j.comnet.2026.112169
- May 1, 2026
- Computer Networks
- Yulong Wang + 4 more
OPTIMAL: Unsupervised network intrusion detection model based on optimized graph neural network and graph contrastive learning
- New
- Research Article
- 10.1016/j.comnet.2026.112176
- May 1, 2026
- Computer Networks
- Patricia Iosif + 2 more
Detecting intrusions on in-vehicle networks from voltage characteristics has become a popular technique. However, an effective mechanism for voltage identification of Electronic Control Units requires both a sound clustering algorithm to determine the correct number of devices on the network and an efficient classifier that allows updates in order to handle changes due to environmental conditions. Firstly, we explore the use of HDBSCAN in order to cluster ECUs based on voltage characteristics. While HDBSCAN is a highly effective algorithm, which has the merit of having only a few parameters that need to be tuned, our results show that finding the optimal parametrization is not that straight-forward. We test two well-known methods and an empirical selection in order to determine optimal choices for the largest existing dataset that contains voltage samples from ten vehicles. Secondly, we use the Nearest Centroid classifier to identify ECUs based on their fingerprints, which offers the advantage of an extremely small memory footprint and an efficient updating mechanism for the centroids. Thus, the method is both efficient and capable of adapting to environmental changes, which is a known demand for voltage-based identification. The proposed methodology demonstrates a very high detection rate that is specific to voltage-based techniques, i.e., true acceptance rate greater than 99.93% and false acceptance rate lower than 0.03%, even when faced with changing environmental conditions when updates are used. It also features an easy to update mechanism and a minimal memory footprint that is 4 to 20 times smaller than baseline classifiers such as SVM and RF.
- New
- Research Article
- 10.1016/j.engappai.2026.114304
- May 1, 2026
- Engineering Applications of Artificial Intelligence
- Ying Du + 4 more
Industrial Internet of Things intrusion detection based on a hybrid model of Pearson-Deep Neural Network And Transformer
- New
- Research Article
- 10.1016/j.neucom.2026.133105
- May 1, 2026
- Neurocomputing
- Roger Nick Anaedevha + 2 more
Uncertainty-calibrated hierarchical Gaussian processes for intrusion detection with multi-scale temporal modeling
- New
- Research Article
- 10.1016/j.eswa.2025.131046
- May 1, 2026
- Expert Systems with Applications
- Wei Wu + 6 more
Intrusion detection for multi-modal data in the internet of vehicles employing large-scale temporal semantic modeling: A survey
- New
- Research Article
- 10.1016/j.compeleceng.2026.111080
- May 1, 2026
- Computers and Electrical Engineering
- Yakub Kayode Saheed + 1 more
As the proliferation of Consumer Internet of Things (CIoT) and Industrial IoT (IIoT) devices intensifies, ensuring secure and interpretable edge deployment of Intrusion Detection Systems (IDS) has become a critical challenge. The rapid expansion of CIoT/IIoT networks at the edge has introduced complex cyber-attack surfaces, posing significant challenges to conventional machine learning and deep learning-based IDS. These challenges include adversarial vulnerabilities where attackers deliberately inject malicious samples to mislead security predictions, class imbalance, and opaque black-box decision processes. Motivated by these challenges, this research proposes a novel unified eXplainable Artificial Intelligence (XAI) enhanced adversarial resilient deep learning framework for transparent, robust, and resource-efficient edge deployment in CIoT/IIoT environments. Unlike existing methods that rely on oversampling techniques such as SMOTE, our approach leverages Conditional Generative Adversarial Networks (CGANs) to synthetically balance highly imbalanced intrusion classes without relying on oversampling heuristics. We further design an LSTM-based denoising autoencoder to perform nonlinear dimensionality reduction, significantly improving noise robustness and edge deployability. In order to strengthen adversarial resilience, we introduce a defense strategy via Automatic Projected Gradient Descent (Auto-PGD), Square Attack, Carlini-Wagner (CW), and DeepFool during training to enhance robustness against both white-box and black-box perturbations. We built a hybrid Multi-Head Self-Attention (MHSA) and Bidirectional Gated Recurrent Units (BiGRU) for rich sequential learning and contextual sensitivity. Beyond performance, the model integrates Shapley Additive explanations (SHAP) to deliver both global and local post-hoc feature attributions, enhancing interpretability and trust. 
We evaluated our framework on two recent representative datasets Edge-IIoTset (IIoT-specific) and CIC-IoT2023 (general IoT) and demonstrated detection accuracies exceeding 99% on both clean and adversarial samples, with a minimal memory overhead of less than 140 MB and real-time inference latency of 32.1 ms per sample on the Raspberry Pi 4 and Jetson Nano. SHAP visualizations validate the framework’s decision rationale, highlighting protocol-aware and behaviorally critical features as dominant predictors, supporting forensic analysis across diverse attack types. Compared against state-of-the-art adversarial and non-adversarial models, our framework achieves superior performance in adversarial robustness, interpretability, and edge efficiency, without sacrificing detection precision. This research presents a deployable, auditable, and secure IDS solution aligned with standards such as CCPA, GDPR, NISTIR 8259, and HIPAA, advancing the frontier of intelligent edge security in CIoT/IIoT ecosystems.
- New
- Research Article
- 10.22266/ijies2026.0430.60
- Apr 30, 2026
- International Journal of Intelligent Engineering and Systems
Software-Defined networking (SDN) increases the scalability and programmability of the network, but it also introduces new security vulnerabilities requiring the implementation of dynamically-adaptive intrusion-detection systems. The current paper proposes a Bio-inspired Waggle Dance-Driven Transformer, which is based on a mixture-of-experts framework and inspired by the communication pattern of honeybees. The suggested architecture implements a waggle-dance routing algorithm, which dynamically assigns the traffic images to specialised experts, which foster an equal use of experts and stabilise learning dynamics. This architecture was tested alone on three heterogeneous benchmark datasets, InSDN, CICIDS-DDOS and 5G-NIDD with the same training and optimisation protocols. The model on the InSDN dataset was found to be accurate at 99.89 per cent, F1-score was 0.9993 and ROC-AUC was 0.9998. It was found that under the same independent training regimes, consistent 99.8 and above accuracy was experienced on CICIDS-DDOS and 5G-NIDD. Relative analysis to the baselines of LSTM and CNN showed significant error in classification and better balance between precision and recall. Multi-seed validation also ensured a stable statistic with the smallest variance of independent runs. These findings suggest that bio-inspired expert routing combined with transformer-based attention models can be improved to make SDN intrusion detection more robust and scalable, avoiding the use of transfer learning or cross-domain adaptation.
- New
- Research Article
- 10.22214/ijraset.2026.79414
- Apr 30, 2026
- International Journal for Research in Applied Science and Engineering Technology
- Rohan Sathe
Security systems play a vital role in protecting residential, commercial and institutional environments. Conventional security solutions such as CCTV cameras, magnetic door sensors and motion detectors mainly focus on entry points like doors and windows. However, these systems often fail to detect intruders once they enter the protected area or generate false alarms due to environmental disturbances, pets or stationary objects. The Anti-Theft Smart Flooring System with Dual Sensor Logic and IoT is designed to overcome these limitations by introducing a novel approach to intrusion detection using the floor as the primary sensing medium. Since every human intruder must physically walk on the floor, this system detects unauthorized presence at the earliest possible stage. The system employs Force Sensitive Resistors (FSR) embedded beneath the flooring to sense pressure and Infrared (IR) sensors to detect movement. A dual-sensor logic is implemented, where human presence is confirmed only when both pressure and motion are detected simultaneously, thereby significantly reducing false triggering. An ESP32 microcontroller acts as the central processing unit, continuously monitoring sensor data and executing real-time decision-making algorithms. The system divides the floor into multiple zones, enabling zone-wise intrusion detection and display. A buzzer provides immediate audible alerts, while LCD displays show real-time system status and active zones. To enhance security further, a fingerprint-based door locking system is integrated using a fingerprint sensor and servo motor, ensuring that only authorized users can access the protected area. The project also incorporates IoT functionality using the Blynk platform, allowing remote monitoring, real-time notifications, and mobile-based visualization of zone status. Whenever human presence is detected, instant alerts are sent to the user’s smartphone, making the system suitable for modern smart security applications.