The Internet of Battlefield Things (IoBT) relies on heterogeneous, bandwidth-constrained, and intermittently connected tactical networks that face rapidly evolving cyber threats. In this setting, intrusion detection cannot depend on continuous central collection of raw traffic due to disrupted links, latency, operational security limits, and non-IID traffic across zones. We present Zone-Adaptive Intrusion Detection (ZAID), a collaborative detection and model-improvement framework for unseen attack types, where "zero-day" refers to previously unobserved attack families and behaviours (not vulnerability disclosure timing). ZAID combines a universal convolutional model for generalisable traffic representations, an autoencoder-based reconstruction signal as an auxiliary anomaly score, and lightweight adapter modules for parameter-efficient zone adaptation. To support cross-zone generalisation under constrained connectivity, ZAID uses federated aggregation and pseudo-labelling to leverage locally observed, weakly labelled behaviours. We evaluate ZAID on ToN_IoT using a zero-day protocol that excludes MITM, DDoS, and DoS from supervised training and introduces them during zone-level deployment and adaptation. ZAID achieves up to 83.16% accuracy on unseen attack traffic and transfers to UNSW-NB15 under the same procedure, with a best accuracy of 71.64%. These results indicate that parameter-efficient, zone-personalised collaboration can improve the detection of previously unseen attacks in contested IoBT environments.
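The abstract describes four mechanisms: a zero-day protocol that withholds whole attack families from supervised training, an auxiliary reconstruction-based anomaly score fused with the supervised output, pseudo-labelling of confidently scored zone traffic, and federated aggregation of per-zone adapter parameters. The following toy, added here as an illustration and not the paper's code, walks through one zone round with those pieces in pure Python. Everything in it is an assumption standing in for the real components: the flow records are constructed, a nearest-centroid classifier replaces the universal convolutional model, squared distance to the benign centroid replaces the autoencoder's reconstruction error, and the adapter vectors for `fedavg` are made up.

```python
"""ZAID-style zone round, constructed illustration (not the paper's code).
Stand-ins: nearest-centroid classifier for the universal model, distance to
the benign centroid for the autoencoder reconstruction signal."""
from math import sqrt
from typing import Dict, List, Optional, Tuple

# Constructed flow records: (feature vector, attack family). "benign" is normal
# traffic; mitm/ddos/dos mirror the families the abstract holds out.
RECORDS: List[Tuple[List[float], str]] = [
    ([0.1, 0.2, 0.1], "benign"), ([0.2, 0.1, 0.2], "benign"),
    ([0.1, 0.1, 0.3], "benign"), ([0.9, 0.8, 0.7], "scanning"),
    ([0.8, 0.9, 0.8], "scanning"), ([0.7, 0.2, 0.9], "backdoor"),
    ([0.5, 0.9, 0.9], "ddos"), ([0.6, 0.7, 0.9], "dos"), ([0.9, 0.1, 0.1], "mitm"),
]
HELD_OUT = {"mitm", "ddos", "dos"}


def zero_day_split(records, held_out):
    """Supervised training never sees held-out families; they appear only in
    the zone-deployment stream, so any hit on them is a 'zero-day' detection."""
    train = [r for r in records if r[1] not in held_out]
    zone_stream = [r for r in records if r[1] in held_out]
    return train, zone_stream


def centroid(rows: List[List[float]]) -> List[float]:
    return [sum(col) / len(rows) for col in zip(*rows)]


def sq_dist(x: List[float], c: List[float]) -> float:
    return sum((a - b) ** 2 for a, b in zip(x, c))


def supervised_attack_prob(x, benign_c, attack_c) -> float:
    """Toy supervised score: relative Euclidean proximity to the attack
    centroid learned from the *training* families only (assumption)."""
    d_b, d_a = sqrt(sq_dist(x, benign_c)), sqrt(sq_dist(x, attack_c))
    return d_b / (d_b + d_a)


def reconstruction_error(x, benign_c) -> float:
    """Stand-in for the autoencoder reconstruction signal: traffic far from
    the benign manifold reconstructs poorly, here measured as squared distance."""
    return sq_dist(x, benign_c)


def fused_score(supervised_prob: float, recon_err: float, weight: float = 0.5) -> float:
    """Auxiliary anomaly score: supervised probability blended with the
    reconstruction error clipped to [0, 1]."""
    return weight * supervised_prob + (1 - weight) * min(recon_err, 1.0)


def pseudo_label(scores: List[float], low=0.2, high=0.8) -> List[Optional[str]]:
    """Only confident flows receive a weak label; ambiguous ones stay unlabelled
    so that a wrong guess is not reinforced during zone adaptation."""
    return ["attack" if s >= high else "benign" if s <= low else None for s in scores]


def fedavg(zone_params: Dict[str, List[float]], zone_counts: Dict[str, int]) -> List[float]:
    """Sample-weighted average of per-zone adapter parameter vectors; only
    these small vectors cross the constrained link, never raw traffic."""
    total = sum(zone_counts.values())
    dim = len(next(iter(zone_params.values())))
    agg = [0.0] * dim
    for zone, params in zone_params.items():
        w = zone_counts[zone] / total
        for i in range(dim):
            agg[i] += w * params[i]
    return agg


def run_zone_round(records=RECORDS, held_out=HELD_OUT) -> List[Optional[str]]:
    """One deployment round: train stand-ins on non-held-out families, score the
    held-out stream, and return its pseudo-labels (in stream order)."""
    train, zone_stream = zero_day_split(records, held_out)
    benign_c = centroid([x for x, y in train if y == "benign"])
    attack_c = centroid([x for x, y in train if y != "benign"])
    scores = [fused_score(supervised_attack_prob(x, benign_c, attack_c),
                          reconstruction_error(x, benign_c)) for x, _ in zone_stream]
    return pseudo_label(scores)


if __name__ == "__main__":
    print(run_zone_round())  # ddos, dos labelled attack; mitm left unlabelled
    print(fedavg({"zone_a": [1.0, 1.0], "zone_b": [3.0, 3.0]},
                 {"zone_a": 1, "zone_b": 3}))
```

With these constructed records the volumetric families (ddos, dos) score confidently as attacks while the mitm flow lands in the ambiguous band and is left unlabelled, which is the point of the threshold: the pseudo-labelling step should feed only high-confidence weak labels into adaptation. The `fedavg` weights by zone sample count, so a zone that has observed more traffic contributes proportionally more to the shared adapter.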