The expansion of Internet of Things (IoT) devices has increased the attack surface of networks, necessitating robust and adaptive intrusion detection systems (IDS). Machine-learning-based systems are considered promising for improving detection performance. Federated learning settings enable us to train models on network intrusion data collected from clients in a privacy-preserving manner. However, the effectiveness of these systems can degrade over time due to concept drift, where patterns in the data evolve as attackers develop new techniques. Realistic detection models should therefore be non-stationary: continuously updated with new intrusion data while maintaining their detection capability on older data. As IoT environments are resource-constrained, such updates should consume minimal computational resources. This study provides a comprehensive performance analysis of incremental federated learning for enhancing the long-term performance of non-stationary IDS models in IoT networks. Specifically, we propose LSTM models within a federated learning setting to evaluate incremental learning approaches that use data-based and model-based measures against catastrophic forgetting under drift conditions. Using the CICIoMT2024 dataset, which includes various attack variants across five major categories, we conduct both binary and multiclass classification to provide a granular analysis of the intrusion detection task. Our results show that cumulative incremental learning and representative learning provide the most stable performance under drift, while retention-based methods offer a strong accuracy/latency trade-off. The study offers new insights into the interplay between training-strategy performance and latency in dynamic IoT environments, aiming to inform the development of more resilient IDS solutions that account for the resource constraints of IoT devices.
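As an added illustration of the forgetting problem the abstract describes (this is example code, not the paper's own), the following simulates an incremental federated update under concept drift and compares the old-window accuracy of naive fine-tuning, cumulative retraining and a retention buffer. The logistic-regression detector standing in for the LSTM, the FedAvg aggregator, the three flow features, the constructed drift scenario and the reading of each strategy name are all assumptions made for this example.

```python
"""Added example, not code from the paper: incremental FedAvg updates under concept drift.
A numpy logistic-regression detector stands in for the LSTM; strategies, features and drift are assumed."""
import numpy as np

N_CLIENTS, ROUNDS, LOCAL_EPOCHS, LR, L2 = 3, 60, 5, 1.0, 1e-2

def make_phase(n, old, rng):
    """Constructed flows with features [pkt_rate, retry_ratio, bulk_bytes]; label 1 = attack."""
    y = rng.integers(0, 2, n)
    x = rng.normal(0.0, 0.05, (n, 3))
    if old:                        # phase A: flood attack = high pkt_rate, benign = quiet
        x[y == 1, 0] += 1.0
    else:                          # phase B (drift): new attack = high retry_ratio; new
        x[y == 1, 1] += 1.0        # benign bulk upload = very high pkt_rate + bulk_bytes
        x[y == 0, 0] += 2.0
        x[y == 0, 2] += 1.0
    return np.hstack([x, np.ones((n, 1))]), y   # bias column appended

def local_train(w, x, y):
    """One client's update: full-batch gradient descent on L2-penalised logistic loss."""
    for _ in range(LOCAL_EPOCHS):
        g = x.T @ (1.0 / (1.0 + np.exp(-(x @ w))) - y) / len(y)
        g[:-1] += L2 * w[:-1]
        w = w - LR * g
    return w

def fedavg(w, x, y, rng):
    """Shard the window across clients, train locally, average models weighted by sample count."""
    order = rng.permutation(len(y))
    shards = list(zip(np.array_split(x[order], N_CLIENTS), np.array_split(y[order], N_CLIENTS)))
    n = np.array([len(ys) for _, ys in shards], dtype=float)
    for _ in range(ROUNDS):
        local = [local_train(w, xs, ys) for xs, ys in shards]
        w = sum(wi * ni for wi, ni in zip(local, n)) / n.sum()
    return w

def old_phase_accuracy(strategy, retain=300, seed=0):
    """Train on phase A, update with phase B under `strategy`, return accuracy on held-out phase A."""
    rng = np.random.default_rng(seed)
    xa, ya = make_phase(600, True, rng)
    xb, yb = make_phase(600, False, rng)
    xt, yt = make_phase(300, True, rng)
    w = fedavg(np.zeros(4), xa, ya, rng)
    if strategy == "naive":          # fine-tune on the new window only: forgets phase A
        x2, y2 = xb, yb
    elif strategy == "cumulative":   # retrain on everything seen so far
        x2, y2 = np.vstack([xa, xb]), np.concatenate([ya, yb])
    else:                            # "retention": new window plus a fixed-size sample of old data
        keep = rng.choice(len(ya), retain, replace=False)
        x2, y2 = np.vstack([xa[keep], xb]), np.concatenate([ya[keep], yb])
    w = fedavg(w, x2, y2, rng)
    return float(np.mean((xt @ w > 0) == (yt == 1)))
```

Calling `old_phase_accuracy` for each of the three strategies shows the naive update losing the old attack pattern while the cumulative and retention updates keep it; shrinking `retain` trades old-window accuracy for a smaller training set per update.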