[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"doc-detail-82524-en":3,"doc-seo-82524-105":29,"detail-sidebar-cat-0-en-105":91},{"code":4,"msg":5,"data":6},0,"success",{"doc_id":7,"user_id":8,"nickname":9,"user_avatar":10,"doc_module":4,"category_id":11,"category_name":12,"doc_title":13,"doc_description":14,"doc_content":15,"file_id":16,"file_url":17,"file_type":18,"file_size":19,"view_count":20,"is_deleted":4,"is_public":20,"is_downloadable":20,"audit_status":20,"page_count":21,"language":22,"language_code":23,"site_id":24,"html_lang":23,"table_of_contents":25,"faqs":26,"seo_title":13,"seo_description":14,"update_tm":27,"read_time":28},82524,549758146520,"Patrick","https://ap-avatar.wpscdn.com/avatar/80002397d8c0411e94?_k=1775819394049821470",8,"Research & Report","Cross-Domain Generalization Failure in Lightweight Intrusion Detection Models for IIoT Networks","Lightweight machine learning models are increasingly proposed for intrusion detection in Industrial Internet of Things (IIoT) networks because they fit resource-constrained edge deployment. Existing evaluations usually test within the same training network, leaving generalization to unseen industrial networks under-verified. This study trains four representative lightweight architectures on one IIoT dataset and evaluates them, without retraining, on two independent structurally different datasets using a shared attribute feature space.","arXiv :2607 .00553v 1 [ cs .CR] 1 Jul 2026  \nCross-Domain Generalization Failure in Lightweight Intrusion Detection Models for IIoT Networks  \nMD Azizul Hakim 1∗ Md Shihab Uddin2 [azizulhakim8291@gmail.com](azizulhakim8291@gmail.com) [shihab9586@gmail.com](shihab9586@gmail.com)  \nTalha Ibne Anich 1  \n[mail.talhaibneanich@gmail.com](mail.talhaibneanich@gmail.com)  \n1 ,3Department of Computer Science and Technology, Bangladesh Sweden Polytechnic Institute  \n2Department of Electrical Engineering, Bangladesh Sweden Polytechnic Institute  \nKaptai, Rangamati, Chittagong 4530, Bangladesh  \n∗ Corresponding author  \nAbstract  \nLightweight machine learning models are increasingly proposed for intrusion detection in Industrial Internet of Things (IIoT) networks due to their suitability for resource-constrained edge deployment. However, most reported results evaluate these models only within their training network, leaving behavior on unseen industrial networks largely unverified. This study trains four representative lightweight architectures on one widely used IIoT dataset and evaluates them, without retraining, on two independent and structurally distinct IIoT datasets, using a feature representation restricted to attributes available across all three sources. Explainability analysis, corroborated across two architecturally distinct top-performing models, shows that both rely overwhelmingly on coarse port-category features, and a direct comparison of port-category prevalence across datasets reveals that the most influential category occurs in source-domain attack traffic at 96 to 435 times the rate observed in the two target domains, indicating that coarsening port resolution relocates rather than removes a documented shortcut. Evaluation under naturally imbalanced class distributions, rather than the balanced distributions common in prior work, reveals a further effect: the evaluation protocol used can reverse which target network appears to pose the greater generalization challenge. Adversarial robustness and the capacity to recover performance through limited exposure to target-domain data are also assessed; robustness to adversarial perturbation is found to be unrelated to a model’s ability to generalize across networks, and recovery through limited adaptation varies considerably by architecture. These findings suggest that deployment readiness for lightweight IIoT intrusion detection should be assessed using cross-network evaluation under realistic class distributions, rather than within-domain accuracy alone.  \n1 Introduction  \nIndustrial Internet of Things (IIoT) networks now connect sensors, controllers, and actuators across manufacturing, energy, and critical infrastructure systems, creating an attack surface that conventional, server-grade intrusion detection cannot always reach. This has driven sustained interest in lightweight machine learning models for intrusion detection: classifiers small enough to run on constrained edge hardware, where computation, memory, and energy budgets are limited. A growing body of work reports such models achieving near-perfect detection accuracy on standard IIoT traffic benchmarks, suggesting that the problem of resource-efficient intrusion detection is largely solved.  \nThis impression rests on a narrow form of evaluation. In almost all published studies, a model is trained and tested on data drawn from the same capture, often a single split of one dataset collected  \nPreprint.  \non one network. Real IIoT deployments do not work this way. A model trained on one industrial network is routinely expected to operate on another, with different devices, different traffic patterns, and different attacker behavior. Whether the accuracy reported under same-dataset evaluation has any bearing on this realistic deployment scenario is rarely tested, and almost never tested for the specific class of lightweight models that edge deployment requires.  \nThis gap motivates a direct question: do lightweight in","cbCaiqw3NVJA63QI","https://ap.wps.com/l/cbCaiqw3NVJA63QI","pdf",371140,1,17,"English","en",105,"# Abstract\n# Introduction\n## Problem motivation\n## Research questions\n## Method overview\n## Contributions","[{\"question\":\"Why is cross-network evaluation necessary for lightweight IIoT intrusion detection models?\",\"answer\":\"Real IIoT deployments expect a model trained on one industrial network to operate on another with different devices, traffic patterns, and attacker behavior. Prior studies often evaluate only within the same dataset or network split, so generalization is rarely tested for lightweight edge-oriented models.\"},{\"question\":\"How did the study test whether performance transfers without retraining?\",\"answer\":\"The study trains four lightweight architectures on one IIoT dataset and evaluates them, without retraining, on two independent IIoT datasets that differ in source network, device composition, and traffic capture format.\"},{\"question\":\"What feature-related explanation is identified for the generalization failure?\",\"answer\":\"Explainability analysis across two top-performing architectures indicates heavy reliance on coarse port-category features. A cross-dataset port-category prevalence comparison shows a key category occurs 96 to 435 times more frequently in the source-domain attack traffic than in the target domains, suggesting the shortcut shifts rather than disappears when port resolution is coarsened.\"}]",1784181226,43,{"code":4,"msg":30,"data":31},"ok",{"site_id":24,"language":23,"slug":32,"title":13,"keywords":33,"description":14,"schema_data":34,"social_meta":86,"head_meta":88,"extra_data":90,"updated_unix":27},"cross-domain-generalization-failure-in-lightweight-intrusion-detection-models-for-iiot-networks","",{"@graph":35,"@context":85},[36,53,68],{"@type":37,"itemListElement":38},"BreadcrumbList",[39,43,47,50],{"item":40,"name":41,"@type":42,"position":20},"https://docshare.wps.com","Home","ListItem",{"item":44,"name":45,"@type":42,"position":46},"https://docshare.wps.com/document/","Document",2,{"item":48,"name":12,"@type":42,"position":49},"https://docshare.wps.com/document/research-report/",3,{"item":51,"name":13,"@type":42,"position":52},"https://docshare.wps.com/document/cross-domain-generalization-failure-in-lightweight-intrusion-detection-models-for-iiot-networks/82524/",4,{"url":51,"name":13,"@type":54,"author":55,"headline":13,"publisher":57,"fileFormat":60,"inLanguage":23,"description":14,"dateModified":61,"datePublished":62,"encodingFormat":60,"isAccessibleForFree":63,"interactionStatistic":64},"DigitalDocument",{"name":9,"@type":56},"Person",{"url":40,"name":58,"@type":59},"DocShare","Organization","application/pdf","2026-07-17","2026-07-16",true,{"@type":65,"interactionType":66,"userInteractionCount":20},"InteractionCounter",{"@type":67},"ViewAction",{"@type":69,"mainEntity":70},"FAQPage",[71,77,81],{"name":72,"@type":73,"acceptedAnswer":74},"Why is cross-network evaluation necessary for lightweight IIoT intrusion detection models?","Question",{"text":75,"@type":76},"Real IIoT deployments expect a model trained on one industrial network to operate on another with different devices, traffic patterns, and attacker behavior. Prior studies often evaluate only within the same dataset or network split, so generalization is rarely tested for lightweight edge-oriented models.","Answer",{"name":78,"@type":73,"acceptedAnswer":79},"How did the study test whether performance transfers without retraining?",{"text":80,"@type":76},"The study trains four lightweight architectures on one IIoT dataset and evaluates them, without retraining, on two independent IIoT datasets that differ in source network, device composition, and traffic capture format.",{"name":82,"@type":73,"acceptedAnswer":83},"What feature-related explanation is identified for the generalization failure?",{"text":84,"@type":76},"Explainability analysis across two top-performing architectures indicates heavy reliance on coarse port-category features. A cross-dataset port-category prevalence comparison shows a key category occurs 96 to 435 times more frequently in the source-domain attack traffic than in the target domains, suggesting the shortcut shifts rather than disappears when port resolution is coarsened.","https://schema.org",{"og:url":51,"og:type":87,"og:title":13,"og:site_name":58,"og:description":14},"article",{"robots":89,"canonical":51},"index,follow",{"doc_id":7,"site_id":24},{"code":4,"msg":5,"data":92},[93,97,101,105,110,115,120,123,128,131,135],{"id":20,"doc_module":4,"doc_module_name":45,"category_name":94,"show_sort_weight":95,"slug":96},"Story & Novel",90,"story-novel",{"id":46,"doc_module":4,"doc_module_name":45,"category_name":98,"show_sort_weight":99,"slug":100},"Literature",80,"literature",{"id":52,"doc_module":4,"doc_module_name":45,"category_name":102,"show_sort_weight":103,"slug":104},"Exam",70,"exam",{"id":106,"doc_module":4,"doc_module_name":45,"category_name":107,"show_sort_weight":108,"slug":109},5,"Comic",60,"comic",{"id":111,"doc_module":4,"doc_module_name":45,"category_name":112,"show_sort_weight":113,"slug":114},6,"Technology",50,"technology",{"id":116,"doc_module":4,"doc_module_name":45,"category_name":117,"show_sort_weight":118,"slug":119},7,"Healthcare",40,"healthcare",{"id":11,"doc_module":4,"doc_module_name":45,"category_name":12,"show_sort_weight":121,"slug":122},30,"research-report",{"id":124,"doc_module":4,"doc_module_name":45,"category_name":125,"show_sort_weight":126,"slug":127},9,"Religion & Spirituality",20,"religion-spirituality",{"id":126,"doc_module":4,"doc_module_name":45,"category_name":129,"show_sort_weight":126,"slug":130},"World Cup","world-cup",{"id":132,"doc_module":4,"doc_module_name":45,"category_name":133,"show_sort_weight":132,"slug":134},10,"Lifestyle","lifestyle",{"id":136,"doc_module":4,"doc_module_name":45,"category_name":137,"show_sort_weight":106,"slug":138},19,"General","general"]