The explosive growth of the Internet of Things (IoT) and personal computer (PC)-oriented networked environments has significantly expanded the attack surface for cyberattacks, particularly for zero-day attacks. Conventional intrusion detection systems often rely on centralized architectures and fixed thresholds, which can limit their scalability and compromise data privacy. In this paper, we propose a novel hybrid intrusion detection framework that integrates a Transformer-based Autoencoder (AE) with a Reinforcement Learning (RL)-driven threshold tuning mechanism deployed within a Federated Learning setup. The Transformer AE is trained to predict benign network activity using self-attention mechanisms and is therefore capable of identifying high-order sequential patterns. To preserve privacy and reflect real-world deployment, the system trains the model in a federated manner across six IoT devices and four PC hosts without exchanging raw traffic data. This federated training method compresses model updates using FedAvg, enabling the system to generalize across varied environments. To boost detection performance, we introduce an RL agent that adjusts the anomaly threshold dynamically by optimizing the F1-score on a validation partition; the chosen threshold is then frozen and evaluated on a held-out test set. This dynamic tuning helps balance recall and precision, significantly reducing false positives while maintaining high detection rates. We validate the framework on both the BoT-IoT dataset for PC traffic and a generated IoT dataset collected via Wireshark. Experimental results demonstrate that this approach achieves near-perfect detection accuracy and zero false positives after RL tuning, confirming its effectiveness for mitigating zero-day attacks in diverse, privacy-sensitive networks.
Ailabouni et al. (Mon,) studied this question.
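The tune-on-validation, freeze, then test protocol described in the abstract can be sketched as follows. This is an added example, not the authors' code: the abstract does not give the agent's design, so the tabular Q-learning agent, the threshold grid, the hyperparameters and the reconstruction-error samples (constructed and deliberately well separated) are all assumptions.

```python
import random

GRID = [i / 20 for i in range(1, 20)]   # assumed candidate thresholds 0.05 .. 0.95
ACTIONS = (-1, 0, 1)                    # lower, keep or raise the threshold by one grid step

def make_split(rng, n):
    """Constructed (reconstruction_error, label) pairs; label 1 = attack."""
    benign = [(rng.uniform(0.02, 0.20), 0) for _ in range(n)]
    attack = [(rng.uniform(0.40, 0.90), 1) for _ in range(n)]
    return benign + attack

def confusion(data, thr):
    """A sample is flagged as an attack when its error exceeds thr."""
    tp = sum(1 for e, y in data if e > thr and y == 1)
    fp = sum(1 for e, y in data if e > thr and y == 0)
    fn = sum(1 for e, y in data if e <= thr and y == 1)
    return tp, fp, fn

def f1(data, thr):
    tp, fp, fn = confusion(data, thr)
    return 2 * tp / (2 * tp + fp + fn) if tp else 0.0

def step(s, a):
    """Apply an action to a grid index, clamped to the grid bounds."""
    return min(max(s + ACTIONS[a], 0), len(GRID) - 1)

def tune_threshold(val, rng, start=0, steps=20000, alpha=0.5, gamma=0.5):
    """Q-learning over threshold moves; the reward is validation F1 only."""
    reward = [f1(val, t) for t in GRID]
    q = [[0.0] * len(ACTIONS) for _ in GRID]
    for _ in range(steps):              # off-policy: uniformly sampled (state, action)
        s, a = rng.randrange(len(GRID)), rng.randrange(len(ACTIONS))
        s2 = step(s, a)
        q[s][a] += alpha * (reward[s2] + gamma * max(q[s2]) - q[s][a])
    s = start                           # greedy rollout from a poor initial threshold
    for _ in range(len(GRID)):
        s = step(s, max(range(len(ACTIONS)), key=q[s].__getitem__))
    return GRID[s]

def run(seed=7):
    rng = random.Random(seed)
    val, test = make_split(rng, 200), make_split(rng, 200)
    frozen = tune_threshold(val, rng)   # the test split is never seen during tuning
    return {"start_val_f1": f1(val, GRID[0]), "val_f1": f1(val, frozen),
            "threshold": frozen, "test_f1": f1(test, frozen),
            "test_fp": confusion(test, frozen)[1]}

if __name__ == "__main__":
    print(run())
```

The perfect test score here follows from the separable constructed data and says nothing about the paper's reported results; with overlapping error distributions the same loop settles on the grid point with the best validation F1 trade-off.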