A Study of Cross-Domain Generalization Failure in Lightweight IIoT Intrusion Detection Models
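Original: arxiv.org

Four lightweight architectures are trained on one IIoT dataset and then evaluated, without retraining, on two other structurally different IIoT datasets, using only the features common to all three. Explainability analysis shows that the two best-performing models rely mainly on coarse-grained port-category features; the most influential category occurs in source-domain attack traffic 96 to 435 times as often as in the target domains, indicating that coarsening port resolution only relocates a known shortcut rather than eliminating it. Under naturally imbalanced distributions, the evaluation protocol can reverse the judgment of which target domain is more challenging. Adversarial robustness is unrelated to cross-network generalization, and the recovery achieved by adapting on limited target-domain data varies by architecture. The recommendation is that deployment readiness be assessed through cross-network evaluation under realistic class distributions.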
Lightweight machine learning models are increasingly proposed for intrusion detection in Industrial Internet of Things (IIoT) networks due to their suitability for resource-constrained edge deployment. Most reported results evaluate these models only within their training network, leaving behavior on unseen networks unverified. This study trains four lightweight architectures on one IIoT dataset and evaluates them, without retraining, on two structurally distinct IIoT datasets using a feature representation restricted to attributes available across all three sources. Explainability analysis across two top-performing models shows both rely overwhelmingly on coarse port-category features; the most influential category occurs in source-domain attack traffic at 96 to 435 times the rate in the two target domains, indicating that coarsening port resolution relocates rather than removes a documented shortcut. Evaluation under naturally imbalanced class distributions reveals a further effect: the evaluation protocol used can reverse which target network appears to pose the greater generalization challenge. Adversarial robustness and recovery through limited target-domain exposure are also assessed; robustness to adversarial perturbation is unrelated to cross-network generalization, and recovery through adaptation varies considerably by architecture. These findings suggest deployment readiness should be assessed using cross-network evaluation under realistic class distributions, rather than within-domain accuracy alone.
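The reversal effect mentioned in the abstract can be reproduced with simple arithmetic. The sketch below is an added example, not code or data from the paper: it assumes the two protocols being compared are a class-balanced test set and the target's natural class mix, and every rate, prior and name in it (`target_A`, `target_B`, `f1_at_prior`, `harder_target`) is constructed for illustration.

```python
"""Added illustration: how the class prior used at evaluation time can flip
which target network looks harder. All rates below are constructed."""
from dataclasses import dataclass


@dataclass(frozen=True)
class TargetResult:
    name: str
    tpr: float           # attack recall of the frozen, source-trained model
    fpr: float           # share of benign flows flagged as attacks
    attack_prior: float  # attack share in the target's natural traffic


def f1_at_prior(tpr: float, fpr: float, prior: float) -> float:
    """Attack-class F1 when a fraction `prior` of all flows are attacks."""
    tp = tpr * prior
    fp = fpr * (1.0 - prior)
    fn = (1.0 - tpr) * prior
    denom = 2 * tp + fp + fn
    return 2 * tp / denom if denom else 0.0


def harder_target(results, balanced: bool) -> str:
    """Name of the target with the lower attack-class F1 under the protocol."""
    def score(r: TargetResult) -> float:
        prior = 0.5 if balanced else r.attack_prior
        return f1_at_prior(r.tpr, r.fpr, prior)
    return min(results, key=score).name


# Constructed numbers, not results from the paper.
TARGETS = [
    TargetResult("target_A", tpr=0.90, fpr=0.10, attack_prior=0.02),
    TargetResult("target_B", tpr=0.70, fpr=0.01, attack_prior=0.30),
]

if __name__ == "__main__":
    for r in TARGETS:
        print(r.name,
              "balanced F1 = %.3f" % f1_at_prior(r.tpr, r.fpr, 0.5),
              "natural F1 = %.3f" % f1_at_prior(r.tpr, r.fpr, r.attack_prior))
    print("harder (balanced test set):", harder_target(TARGETS, True))
    print("harder (natural class mix):", harder_target(TARGETS, False))
```

The model's per-class error rates are identical in both protocols; only the prior changes, and with it the precision term, which is why a high false-positive rate is masked on a balanced test set and dominates when attacks are rare.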