CITADEL: Continual Anomaly Detection for Enhanced Learning in IoT Intrusion Detection
- URL: http://arxiv.org/abs/2508.19450v1
- Date: Tue, 26 Aug 2025 21:55:26 GMT
- Title: CITADEL: Continual Anomaly Detection for Enhanced Learning in IoT Intrusion Detection
- Authors: Elvin Li, Onat Gungor, Zhengli Shang, Tajana Rosing
- Abstract summary: Internet of Things (IoT) is vulnerable to a wide range of cyber threats. Intrusion detection systems (IDS) have been extensively studied to enhance IoT security. We propose CITADEL, a self-supervised continual learning framework to extract robust representations from benign data.
- Score: 9.92596575679496
- License: http://arxiv.org/licenses/nonexclusive-distrib/1.0/
- Abstract: The Internet of Things (IoT), with its high degree of interconnectivity and limited computational resources, is particularly vulnerable to a wide range of cyber threats. Intrusion detection systems (IDS) have been extensively studied to enhance IoT security, and machine learning-based IDS (ML-IDS) show considerable promise for detecting malicious activity. However, their effectiveness is often constrained by poor adaptability to emerging threats and the issue of catastrophic forgetting during continuous learning. To address these challenges, we propose CITADEL, a self-supervised continual learning framework designed to extract robust representations from benign data while preserving long-term knowledge through optimized memory consolidation mechanisms. CITADEL integrates a tabular-to-image transformation module, a memory-aware masked autoencoder for self-supervised representation learning, and a novelty detection component capable of identifying anomalies without dependence on labeled attack data. Our design enables the system to incrementally adapt to emerging behaviors while retaining its ability to detect previously observed threats. Experiments on multiple intrusion datasets demonstrate that CITADEL achieves up to a 72.9% improvement over the VAE-based lifelong anomaly detector (VLAD) in key detection and retention metrics, highlighting its effectiveness in dynamic IoT environments.
Related papers
- Backdoor Attacks on Contrastive Continual Learning for IoT Systems [0.0]
Internet of Things (IoT) systems increasingly depend on continual learning to adapt to non-stationary environments. Contrastive continual learning (CCL) combines contrastive representation learning with incremental adaptation, enabling robust feature reuse. Backdoor attacks can exploit embedding alignment and replay reinforcement, enabling the implantation of persistent malicious behaviors.
arXiv Detail & Related papers (2026-02-13T16:17:25Z)
- Multi-Agent Collaborative Intrusion Detection for Low-Altitude Economy IoT: An LLM-Enhanced Agentic AI Framework [60.72591149679355]
The rapid expansion of low-altitude economy Internet of Things (LAE-IoT) networks has created unprecedented security challenges. Traditional intrusion detection systems fail to tackle the unique characteristics of aerial IoT environments. We introduce a large language model (LLM)-enabled agentic AI framework for enhancing intrusion detection in LAE-IoT networks.
arXiv Detail & Related papers (2026-01-25T12:47:25Z)
- Modeling Uncertainty Trends for Timely Retrieval in Dynamic RAG [35.96258615258145]
We introduce Entropy-Trend Constraint (ETC), a training-free method that determines optimal retrieval timing by modeling the dynamics of token-level uncertainty. ETC consistently outperforms strong baselines while reducing retrieval frequency. It is plug-and-play, model-agnostic, and readily integrable into existing decoding pipelines.
arXiv Detail & Related papers (2025-11-13T05:28:02Z)
- Enhancing Adversarial Robustness of IoT Intrusion Detection via SHAP-Based Attribution Fingerprinting [5.35811141279537]
We propose a novel adversarial detection model that enhances the robustness of IoT IDS against adversarial attacks. We extract attribution fingerprints from network traffic features, enabling the IDS to reliably distinguish between clean and adversarially perturbed inputs. We evaluate the model on a standard IoT benchmark dataset, where it significantly outperformed a state-of-the-art method in detecting adversarial attacks.
arXiv Detail & Related papers (2025-11-09T02:56:54Z)
- Dynamic Temporal Positional Encodings for Early Intrusion Detection in IoT [3.6686692131754834]
The rapid expansion of the Internet of Things (IoT) has introduced significant security challenges. Traditional Intrusion Detection Systems (IDS) often overlook the temporal characteristics of network traffic. We propose a Transformer-based Early Intrusion Detection System (EIDS) that incorporates dynamic temporal positional encodings.
arXiv Detail & Related papers (2025-06-22T17:56:19Z)
- A Scalable Hierarchical Intrusion Detection System for Internet of Vehicles [1.6017263994482716]
Internet of Vehicles (IoV) is prone to various cyber threats, ranging from spoofing and Distributed Denial of Services (DDoS) attacks to malware. To safeguard the IoV ecosystem from intrusions, malicious activities, policy violations, intrusion detection systems (IDS) play a critical role by continuously monitoring and analyzing network traffic to identify and mitigate potential threats in real-time. This paper proposes an effective hierarchical classification framework tailored for IoV networks.
arXiv Detail & Related papers (2025-05-22T04:30:26Z)
- RAPID: Robust APT Detection and Investigation Using Context-Aware Deep Learning [26.083244046813512]
We introduce a novel deep learning-based method for robust APT detection and investigation.
By utilizing self-supervised sequence learning and iteratively learned embeddings, our approach effectively adapts to dynamic system behavior.
Our evaluation demonstrates RAPID's effectiveness and computational efficiency in real-world scenarios.
arXiv Detail & Related papers (2024-06-08T05:39:24Z)
- AOC-IDS: Autonomous Online Framework with Contrastive Learning for Intrusion Detection [6.613032895263769]
The rapid expansion of the Internet of Things (IoT) has raised increasing concern about targeted cyber attacks.
Previous research primarily focused on static Intrusion Detection Systems (IDSs).
AOC-IDS features an autonomous anomaly detection module (ADM) and a labor-free online framework for continual adaptation.
arXiv Detail & Related papers (2024-02-02T10:56:13Z)
- Effective Intrusion Detection in Heterogeneous Internet-of-Things Networks via Ensemble Knowledge Distillation-based Federated Learning [52.6706505729803]
We introduce Federated Learning (FL) to collaboratively train a decentralized shared model of Intrusion Detection Systems (IDS).
FLEKD enables a more flexible aggregation method than conventional model fusion techniques.
Experiment results show that the proposed approach outperforms local training and traditional FL in terms of both speed and performance.
arXiv Detail & Related papers (2024-01-22T14:16:37Z)
- Constrained Twin Variational Auto-Encoder for Intrusion Detection in IoT Systems [30.16714420093091]
Intrusion detection systems (IDSs) play a critical role in protecting billions of IoT devices from malicious attacks.
This article proposes a novel deep neural network/architecture called Constrained Twin Variational Auto-Encoder (CTVAE).
CTVAE can boost around 1% in terms of accuracy and Fscore in detection attack compared to the state-of-the-art machine learning and representation learning methods.
arXiv Detail & Related papers (2023-12-05T04:42:04Z)
- Learning Prompt-Enhanced Context Features for Weakly-Supervised Video Anomaly Detection [37.99031842449251]
Video anomaly detection under weak supervision presents significant challenges.
We present a weakly supervised anomaly detection framework that focuses on efficient context modeling and enhanced semantic discriminability.
Our approach significantly improves the detection accuracy of certain anomaly sub-classes, underscoring its practical value and efficacy.
arXiv Detail & Related papers (2023-06-26T06:45:16Z)
- Few-shot Weakly-supervised Cybersecurity Anomaly Detection [1.179179628317559]
We propose an enhancement to an existing few-shot weakly-supervised deep learning anomaly detection framework.
This framework incorporates data augmentation, representation learning and ordinal regression.
We then evaluated and showed the performance of our implemented framework on three benchmark datasets.
arXiv Detail & Related papers (2023-04-15T04:37:54Z)
- A Hybrid Deep Learning Anomaly Detection Framework for Intrusion Detection [4.718295605140562]
We propose a three-stage deep learning anomaly detection based network intrusion attack detection framework.
The framework comprises an integration of unsupervised (K-means clustering), semi-supervised (GANomaly) and supervised learning (CNN) algorithms.
We then evaluated and showed the performance of our implemented framework on three benchmark datasets.
arXiv Detail & Related papers (2022-12-02T04:40:54Z)
- Adversarial vs behavioural-based defensive AI with joint, continual and active learning: automated evaluation of robustness to deception, poisoning and concept drift [62.997667081978825]
Recent advancements in Artificial Intelligence (AI) have brought new capabilities to behavioural analysis (UEBA) for cyber-security.
In this paper, we present a solution to effectively mitigate this attack by improving the detection process and efficiently leveraging human expertise.
arXiv Detail & Related papers (2020-01-13T13:54:36Z)
This list is automatically generated from the titles and abstracts of the papers in this site.