Search papers, labs, and topics across Lattice.
This study investigates the cross-domain generalization capabilities of four lightweight machine learning models for intrusion detection in IIoT networks, trained on one dataset and evaluated on two structurally distinct datasets. The findings reveal that these models heavily depend on coarse port-category features, which can mislead performance assessments by favoring source-domain characteristics over true generalization. Additionally, the evaluation protocol can significantly alter perceived generalization challenges, emphasizing the need for realistic class distribution assessments in deployment readiness.
Lightweight intrusion detection models may be misjudged due to their reliance on misleading features, potentially compromising security in IIoT networks.
Lightweight machine learning models are increasingly proposed for intrusion detection in Industrial Internet of Things (IIoT) networks due to their suitability for resource-constrained edge deployment. Most reported results evaluate these models only within their training network, leaving behavior on unseen networks unverified. This study trains four lightweight architectures on one IIoT dataset and evaluates them, without retraining, on two structurally distinct IIoT datasets using a feature representation restricted to attributes available across all three sources. Explainability analysis across two top-performing models shows both rely overwhelmingly on coarse port-category features; the most influential category occurs in source-domain attack traffic at 96 to 435 times the rate in the two target domains, indicating that coarsening port resolution relocates rather than removes a documented shortcut. Evaluation under naturally imbalanced class distributions reveals a further effect: the evaluation protocol used can reverse which target network appears to pose the greater generalization challenge. Adversarial robustness and recovery through limited target-domain exposure are also assessed; robustness to adversarial perturbation is unrelated to cross-network generalization, and recovery through adaptation varies considerably by architecture. These findings suggest deployment readiness should be assessed using cross-network evaluation under realistic class distributions, rather than within-domain accuracy alone.