Neurosymbolic Learning for Advanced Persistent Threat Detection under Extreme Class Imbalance
- URL: http://arxiv.org/abs/2603.00453v1
- Date: Sat, 28 Feb 2026 04:25:50 GMT
- Title: Neurosymbolic Learning for Advanced Persistent Threat Detection under Extreme Class Imbalance
- Authors: Quhura Fathima, Neda Moghim, Mostafa Taghizade Firouzjaee, Christo K. Thomas, Ross Gore, Walid Saad,
- Abstract summary: This paper proposes a neurosymbolic architecture that integrates an optimized BERT model with logic tensor networks (LTN) for explainable APT detection in wireless IoT networks. Results show that neurosymbolic learning enables high-performance, interpretable, and operationally viable APT detection for IoT network monitoring architectures.
- Score: 29.991707658663188
- License: http://arxiv.org/licenses/nonexclusive-distrib/1.0/
- Abstract: The growing deployment of Internet of Things (IoT) devices in smart cities and industrial environments increases vulnerability to stealthy, multi-stage advanced persistent threats (APTs) that exploit wireless communication. Detection is challenging due to severe class imbalance in network traffic, which limits the effectiveness of traditional deep learning approaches and their lack of explainability in classification decisions. To address these challenges, this paper proposes a neurosymbolic architecture that integrates an optimized BERT model with logic tensor networks (LTN) for explainable APT detection in wireless IoT networks. The proposed method addresses the challenges of mobile IoT environments through efficient feature encoding that transforms network flow data into BERT-compatible sequences while preserving temporal dependencies critical for APT stage identification. Severe class imbalance is mitigated using focal loss, hierarchical classification that separates normal traffic detection from attack categorization, and adaptive sampling strategies. Evaluation on the SCVIC-APT2021 dataset demonstrates an operationally viable binary classification F1 score of 95.27% with a false positive rate of 0.14%, and a 76.75% macro F1 score for multi-class attack categorization. Furthermore, a novel explainability analysis statistically validates the importance of distinct network features. These results demonstrate that neurosymbolic learning enables high-performance, interpretable, and operationally viable APT detection for IoT network monitoring architectures.
Related papers
- Unknown Attack Detection in IoT Networks using Large Language Models: A Robust, Data-efficient Approach [5.0363184281919215]
Existing machine learning approaches rely on large labeled datasets, payload inspection, or closed-set classification. We propose SiamXBERT, a robust and data-efficient Siamese meta-learning framework empowered by a transformer-based language model for unknown attack detection. We show that SiamXBERT consistently outperforms state-of-the-art baselines under both within-dataset and cross-dataset settings.
arXiv Detail & Related papers (2026-02-12T17:15:39Z)
- Learning Alzheimer's Disease Signatures by bridging EEG with Spiking Neural Networks and Biophysical Simulations [42.091774598477706]
Conventional deep learning approaches for EEG-based Alzheimer's disease detection are computationally intensive and mechanistically opaque. We propose a neuro-bridge framework that links data-driven learning with biophysically grounded simulations.
arXiv Detail & Related papers (2026-01-30T21:54:16Z)
- Multi-Agent Collaborative Intrusion Detection for Low-Altitude Economy IoT: An LLM-Enhanced Agentic AI Framework [60.72591149679355]
The rapid expansion of low-altitude economy Internet of Things (LAE-IoT) networks has created unprecedented security challenges. Traditional intrusion detection systems fail to tackle the unique characteristics of aerial IoT environments. We introduce a large language model (LLM)-enabled agentic AI framework for enhancing intrusion detection in LAE-IoT networks.
arXiv Detail & Related papers (2026-01-25T12:47:25Z)
- Efficient Asynchronous Federated Evaluation with Strategy Similarity Awareness for Intent-Based Networking in Industrial Internet of Things [42.55497517367321]
We propose FEIBN, a Federated Evaluation Enhanced Intent-Based Networking framework. We show that SSAFL can improve model accuracy, accelerate model convergence, and reduce the cost by 27.8% with SemiAsyn.
arXiv Detail & Related papers (2025-11-28T09:03:26Z)
- Enhancing Internet of Things Security through Self-Supervised Graph Neural Networks [1.0678175996321808]
New types of attacks often have significantly fewer samples than more common attacks, leading to unbalanced datasets. We suggest a new approach to IoT intrusion detection using Self-Supervised Learning (SSL) with a Markov Graph Convolutional Network (MarkovGCN). Our approach leverages the inherent structure of IoT networks to pre-train a GCN, which is then fine-tuned for the intrusion detection task.
arXiv Detail & Related papers (2024-12-17T17:40:14Z)
- FedMSE: Semi-supervised federated learning approach for IoT network intrusion detection [0.0]
The rise of IoT has expanded the cyber attack surface, making traditional centralized machine learning methods insufficient due to concerns about data availability, computational resources, transfer costs, and especially privacy preservation. A semi-supervised federated learning model was developed to overcome these issues, combining the Shrink Autoencoder and Centroid one-class classifier (SAE-CEN). This approach enhances the performance of intrusion detection by effectively representing normal network data and accurately identifying anomalies in the decentralized strategy.
arXiv Detail & Related papers (2024-10-18T02:23:57Z)
- Enhancing IoT Security with CNN and LSTM-Based Intrusion Detection Systems [0.23408308015481666]
Our proposed model consists of a combination of convolutional neural network (CNN) and long short-term memory (LSTM) deep learning (DL) models.
This fusion facilitates the detection and classification of IoT traffic into binary categories, benign and malicious activities.
Our proposed model achieves an accuracy rate of 98.42%, accompanied by a minimal loss of 0.0275.
arXiv Detail & Related papers (2024-05-28T22:12:15Z)
- Dealing with Imbalanced Classes in Bot-IoT Dataset [3.7399138244928145]
We propose a binary classification method with synthetic minority over-sampling techniques (SMOTE) to address the class imbalance problem in the Bot-IoT dataset.
The proposed classifier aims to detect attack packets and overcome the class imbalance problem using the SMOTE algorithm.
arXiv Detail & Related papers (2024-03-27T20:09:59Z)
- Effective Intrusion Detection in Heterogeneous Internet-of-Things Networks via Ensemble Knowledge Distillation-based Federated Learning [52.6706505729803]
We introduce Federated Learning (FL) to collaboratively train a decentralized shared model of Intrusion Detection Systems (IDS).
FLEKD enables a more flexible aggregation method than conventional model fusion techniques.
Experiment results show that the proposed approach outperforms local training and traditional FL in terms of both speed and performance.
arXiv Detail & Related papers (2024-01-22T14:16:37Z)
- Effective Intrusion Detection in Highly Imbalanced IoT Networks with Lightweight S2CGAN-IDS [48.353590166168686]
Internet of Things (IoT) networks contain benign traffic far more than abnormal traffic, with some rare attacks.
Most existing studies have been focused on sacrificing the detection rate of the majority class in order to improve the detection rate of the minority class.
We propose a lightweight framework named S2CGAN-IDS to expand the number of minority categories in both data space and feature space.
arXiv Detail & Related papers (2023-06-06T14:19:23Z)
- A Novel Automatic Modulation Classification Scheme Based on Multi-Scale Networks [35.04402595330191]
A novel automatic modulation classification scheme is proposed by using the multi-scale network in this paper.
A novel loss function that combines the center loss and the cross entropy loss is exploited to learn both discriminative and separable features.
Our proposed automatic modulation classification scheme can achieve better performance than the benchmark schemes in terms of the classification accuracy.
arXiv Detail & Related papers (2021-05-31T15:18:58Z)
This list is automatically generated from the titles and abstracts of the papers in this site.