Improving IoT security through an explainable hybrid CNN-transformer model and federated learning
摘要
The rapid proliferation of Internet of Things (IoT) devices has intensified cybersecurity threats, exposing critical infrastructure to sophisticated intrusion attacks. Existing intrusion detection systems (IDS) typically rely on centralized architectures that compromise data privacy, or employ single-architecture models that fail to capture both local spatial patterns and long-range temporal dependencies in network traffic simultaneously. To address these limitations, this paper proposes a novel explainable hybrid CNN-Transformer model integrated with federated learning (FL) for privacy-preserving intrusion detection in IoT environments. The proposed framework uniquely combines four key components not previously integrated in this context: a dual-block CNN-Transformer architecture, federated learning with FedAvg aggregation, multi-class attack classification, and Local Interpretable Model-Agnostic Explanations (LIME) for decision transparency. Evaluated on the IoT-23 dataset across both federated and non-federated scenarios, the proposed model achieves 94.89% accuracy in federated binary classification and 92.17% in federated multi-class classification, outperforming standalone CNN and ensemble baselines by significant margins. Generalizability is further validated through an ablation study on the CIC IoT-DIAD 2024 dataset. The integration of LIME provides actionable feature-level explanations that support real-time decision-making for network security analysts, advancing both the interpretability and trustworthiness of automated IoT intrusion detection systems.