ChatPaper.aiChatPaper

工业物联网网络中轻量级入侵检测模型的跨域泛化失败

Cross-Domain Generalization Failure in Lightweight Intrusion Detection Models for IIoT Networks

July 1, 2026
作者: MD Azizul Hakim, Md Shihab Uddin, Talha Ibne Anis
cs.AI

摘要

轻量级机器学习模型因其适合资源受限的边缘部署环境,被越来越多地用于工业物联网(IIoT)网络入侵检测。然而,现有报告大多仅在其训练网络内评估这些模型,未验证其在未见网络上的表现。本研究在某个IIoT数据集上训练了四种轻量级架构,并在不重新训练的情况下,采用仅包含三个数据源共有属性的特征表示,将其应用于两个结构不同的IIoT数据集。对两个表现最优模型的解释性分析表明,两者均过度依赖粗粒度端口类别特征;其中影响最大的类别在源域攻击流量中的出现频率是目标域中的96至435倍,这表明细化端口分辨率只是转移而非消除了已知的捷径特征。在自然类别不平衡分布下的评估揭示了另一效应:所使用的评估协议可能导致对哪个目标网络构成更大泛化挑战的判断发生逆转。此外,本文还评估了对抗鲁棒性以及通过有限目标域暴露实现的恢复能力;对抗扰动的鲁棒性与跨网络泛化性无关,且通过自适应恢复的能力因架构不同而差异显著。这些发现表明,应当基于真实类别分布下的跨网络评估来判定部署准备程度,而非仅依赖域内准确率。
English
Lightweight machine learning models are increasingly proposed for intrusion detection in Industrial Internet of Things (IIoT) networks due to their suitability for resource-constrained edge deployment. Most reported results evaluate these models only within their training network, leaving behavior on unseen networks unverified. This study trains four lightweight architectures on one IIoT dataset and evaluates them, without retraining, on two structurally distinct IIoT datasets using a feature representation restricted to attributes available across all three sources. Explainability analysis across two top-performing models shows both rely overwhelmingly on coarse port-category features; the most influential category occurs in source-domain attack traffic at 96 to 435 times the rate in the two target domains, indicating that coarsening port resolution relocates rather than removes a documented shortcut. Evaluation under naturally imbalanced class distributions reveals a further effect: the evaluation protocol used can reverse which target network appears to pose the greater generalization challenge. Adversarial robustness and recovery through limited target-domain exposure are also assessed; robustness to adversarial perturbation is unrelated to cross-network generalization, and recovery through adaptation varies considerably by architecture. These findings suggest deployment readiness should be assessed using cross-network evaluation under realistic class distributions, rather than within-domain accuracy alone.