Intrusion and anomaly detectors trained on Internet Protocol (IP) traffic are increasingly deployed in heterogeneous IoT environments where Bluetooth Low Energy (BLE) links coexist with IP networks. We quantify the cross-protocol domain gap in an IP → BLE transfer setting under unsupervised domain adaptation (UDA), where target labels are unavailable for training and model selection. Using 14 lightweight window-level statistics and leakage-aware splits, we benchmark classical baselines and alignment methods (CORAL and MMD) against domain-adversarial neural networks (DANNs). Under random window splits, DANNs can yield modest target gains but exhibit strong seed sensitivity and non-monotonic domain confusion. We propose R3, a domain-aware checkpoint rule that combines near-best source validation with domain discriminator accuracy as a proxy for alignment, improving the target ROC-AUC by ~+0.053 across three representative seeds and producing more consistent AP gains over 20 seeds. However, under a stricter capture-wise leave-one-capture-out (LOCO) protocol, UDA collapses to near-chance ranking and can underperform simple baselines, highlighting the risk of optimistic random splits. Finally, we show that transferring a source-tuned threshold can trigger unsafe operating points (micro-FPR = 1.0 on benign-only captures), motivating PR-based metrics and calibration/operating-point audits. We have released derived feature tables, split definitions, and scripts to support reproducibility under restricted raw data access.
Hyejin Jin (Wed,) studied this question.