Industrial Internet of Things (IIoT) ecosystems are expanding rapidly, and scalable, reliable intrusion detection systems (IDS) are needed to protect critical infrastructure from evolving cyber threats. This study proposes a hybrid IDS framework that combines Graph Attention Networks (GAT) and Bidirectional Gated Recurrent Units (BiGRU) for privacy-preserving distributed detection. The model is optimized with the Grey Wolf Optimizer (GWO) and enhanced through Federated Learning (FL). In IIoT traffic, GAT captures complex structural links between flows and devices, while BiGRU analyzes bidirectional temporal patterns, together enabling accurate anomaly detection. GWO automates hyperparameter tuning and converges faster than traditional methods such as Ant Colony Optimization. FL trains models locally on distributed IIoT devices, preserving data privacy and supporting decentralized deployment. The framework demonstrates improved scalability potential through decentralized training and reduced communication overhead (20% lower in a 10-node simulation), achieving detection accuracies of up to 95% across diverse attack scenarios, including Distributed Denial of Service (DDoS), Advanced Persistent Threats (APTs), and zero-day exploits. It has been evaluated on the Edge-Industrial Internet of Things dataset (Edge-IIoTset), the Canadian Institute for Cybersecurity Internet of Things 2023 dataset (CICIoT2023), and the Real-Time Internet of Things 2022 dataset (RT-IoT2022). An Explainable AI (XAI) module further improves interpretability by leveraging GAT's attention mechanism. Overall, the framework demonstrates competitive offline performance on the Edge-IIoTset, CICIoT2023, and RT-IoT2022 benchmark datasets, achieving F1-scores of up to 0.94, and shows promising scalability potential through decentralized Federated Learning with 20% lower communication overhead in a 10-node simulation.
However, inference latency on resource-constrained edge hardware remains a challenge (e.g., 120–180 ms per sample on Raspberry Pi 4), which limits its strict real-time feasibility in mission-critical environments. Therefore, further model compression, adversarial robustness testing, and real-world deployment validation are required before practical edge-level applicability can be confirmed.
Nassef et al. studied this question.