Adaptive graph attention-based federated learning for IoT intrusion detection: mitigating poisoning attacks

Background and motivation

Given the highly dynamic and heterogeneous nature of IoT environments, distributed IDSs have emerged as a preferred paradigm for enabling real-time, scalable, and autonomous threat detection. These systems, however, face several critical challenges, including privacy preservation, limited computational resources, and exposure to sophisticated adversarial attacks.

Among the most promising advancements in distributed IDS is federated learning (FL), which enables multiple IoT devices to collaboratively train a shared global model without transferring raw data (Yazdinejad et al., 2024b; Siddique et al., 2024). This decentralized architecture supports privacy-preserving learning, allowing each client to retain sensitive data locally while contributing to a global objective. Consequently, FL significantly improves anomaly detection by aggregating insights from geographically and contextually diverse sources, all while maintaining user confidentiality (Wang et al., 2024b).

However, the decentralized nature of FL also introduces new attack surfaces, most notably, poisoning attacks (Ni et al., 2024). In this context, a poisoning attack refers to the deliberate manipulation of the learning process by compromised clients that contribute adversarial updates (Yazdinejad et al., 2024a). These attacks can take the form of data poisoning, where malicious clients inject corrupted samples into their local training data, or model poisoning, where clients deliberately craft and submit deceptive gradients or parameter updates to degrade or subvert the global model. Such adversarial behaviors can significantly compromise the integrity, accuracy, and reliability of FL-based IDS, rendering them ineffective in detecting evolving threats.

FL enhances privacy by localizing training data while aggregating model updates on a central server (Yazdinejad et al., 2024b; Siddique et al., 2024). However, its decentralized nature introduces new attack vectors, particularly poisoning attacks (Ni et al., 2024; Nowroozi et al., 2025), which can significantly degrade IDS performance in IoT networks. Poisoning attacks in FL can be categorized into:

• Data poisoning attacks: Attackers inject malicious data into the local training process, leading to biased or incorrect model updates (Wang, Wang & Ban, 2024). In IoT, compromised devices may generate falsified network logs, misleading IDS models into learning incorrect patterns.

• Model poisoning attacks: Instead of tampering with the training data, adversaries directly manipulate model updates before sending them to the global server (Ni et al., 2024). This allows attackers to introduce backdoors or degrade model performance selectively.

FL’s distributed and asynchronous nature makes it challenging to detect and mitigate poisoning attacks effectively. Traditional anomaly detection techniques often fail because adversaries can subtly alter gradients without triggering defence mechanisms. Moreover, compromised IoT devices participating in FL can execute Sybil attacks (Hassan et al., 2024), where multiple fake nodes inject adversarial updates to corrupt the global model. For instance, Fig. 2 illustrates the architecture of an FL framework for IoT intrusion detection across distributed networks. At the IoT network layer, various devices (e.g., robots, drones, 5G nodes, and smart factories) collect data and communicate with edge servers, which act as intermediaries between the devices and the central server (Packianathan et al., 2025). The edge servers locally train artificial intelligence (AI) models using data from IoT devices and forward model updates (not raw data) to the central server, ensuring privacy preservation. The central server aggregates these updates (represented as a summation of model contributions from multiple nodes) to create a global model. However, the figure highlights potential security challenges, such as poisoning attacks, as indicated by malicious updates (red paths). These compromised contributions degrade the overall model’s integrity and underscore the need for robust defence mechanisms, such as the proposed Adaptive Graph Attention-based FL approach.

Despite the growing body of research on FL for IoT security, existing approaches often fall short in addressing the increasing sophistication of poisoning attacks, particularly in highly dynamic and heterogeneous network environments. Most current frameworks rely on uniform aggregation strategies, such as FedAvg, which do not distinguish between reliable and potentially adversarial nodes. This lack of contextual trust modeling significantly limits their resilience against malicious updates that degrade global model performance. Furthermore, the integration of adaptive trust mechanisms and graph-based learning remains underexplored in the context of IDSs. Therefore, this study addresses a critical gap by proposing a novel trust-aware FL framework that incorporates graph attention networks (GATs) and adaptive aggregation strategies to enhance robustness against poisoning attacks while maintaining the privacy-preserving advantages of FL.

Aim and objectives

The core aim of this article is to develop a robust and adaptive FL approach capable of detecting poisoning attacks in IoT. The proposed approach, AGAT-FL, adapts GATs, trust-aware aggregation, and hybrid deep learning models to enhance the resilience, scalability, and interpretability of IDSs in heterogeneous IoT environments.

To achieve this aim, the following main objectives have been identified. These objectives are intended to guide the development and evaluation of the proposed AGAT-FL framework, ensuring that it overcomes the existing research challenges posed by poisoning attacks while ensuring efficiency and accuracy in IoT environments:

• To develop a graph-based client representation that models IoT devices as interconnected nodes, enabling the use of GATs for adaptive trust scoring.

• To implement a dynamic trust-aware aggregation mechanism that downweights or rejects adversarial model updates during the federated learning process.

• To integrate a hybrid Convolutional Neural and Network Gated Recurrent Unit (CNN-GRU) model for effective spatial-temporal anomaly detection from network traffic data, enhancing detection accuracy and robustness.

• To incorporate statistical anomaly detection using Mahalanobis distance for the identification and suppression of poisoned updates based on deviation from normative behavior.

• To improve model interpretability and decision transparency through explainable AI (XAI) techniques such as SHapley Additive exPlanations (SHAP) and Local Interpretable Model-agnostic Explanations (LIME), offering insights into anomalous contributions.

Article organization

The remainder of this article is structured as follows. ‘Related Works’ reviews existing literature on federated learning, intrusion detection in IoT, and poisoning mitigation techniques, highlighting key limitations that motivate our work. In ‘Problem Definition and Threat Model’, we define the formal problem setting and outline the threat model, including various types of poisoning attacks relevant to FL-based IDSs. ‘Proposed Methodology’ presents the proposed AGAT-FL framework in detail, covering trust-aware graph construction, hybrid deep learning architecture, contrastive learning integration, and poisoning mitigation strategies. ‘Experiments and results’ describes the experimental setup, datasets, evaluation metrics, and comparative performance results against baseline and state-of-the-art approaches. In ‘Discussion and Limitations’, we discuss the key contributions of AGAT-FL and their roles in achieving superior results, along with a critical reflection on the limitations of the current approach. Finally, ‘Conclusion and Future Works’ concludes the article and outlines directions for future research based on the identified challenges and opportunities.

Problem definition

FL enables multiple IoT devices to train an IDS model collaboratively without sharing raw data. The objective is to minimize the global loss function:

(1) $$\underset{\theta }{min}\sum _{i=1}^N{w}_i{\mathcal{L}}_i(\theta )$$where:

• $\theta$ represents the global model parameters,

• ${\mathcal{L}}_i(\theta )$ is the local loss function for device $i$,

• $w_i$ is the weight assigned to device $i$,

• N is the total number of participating IoT devices.

Poisoning attacks occur when adversarial devices inject malicious updates into the global model to degrade performance.

Threat model

FL-based IDS systems are vulnerable to two primary types of poisoning attacks:

Model poisoning attacks

Instead of modifying training data, adversaries alter model updates before sending them to the global FL server:

(4) $$\mathrm{\Delta }{\theta }_i=\mathrm{\nabla }{\mathcal{L}}_i(\theta ).$$

An adversarial device modifies the update:

(5) $$\mathrm{\Delta }{\theta }_i^{\mathrm{a}\mathrm{d}\mathrm{v}}=\mathrm{\Delta }{\theta }_i+\delta$$where:

• $\delta$ is an adversarial perturbation designed to degrade the model.

The standard FL model update using federated averaging (FedAvg) is:

(6) $${\theta }^{t+1}=\sum _{i=1}^N{w}_i\mathrm{\Delta }{\theta }_i.$$

Under an attack:

(7) $${\theta }^{t+1}=\sum _{i\in \mathcal{B}}{w}_i\mathrm{\Delta }{\theta }_i+\sum _{j\in \mathcal{A}}{w}_j\mathrm{\Delta }{\theta }_j^{\mathrm{a}\mathrm{d}\mathrm{v}}$$where:

• $\mathcal{B}$ is the set of benign devices,

• $\mathcal{A}$ is the set of adversarial devices.

Impact of poisoning attacks

Attackers aim to maximize the model degradation by optimizing adversarial updates:

(9) $$\underset{\delta }{max}\mathbb{E}[\mathcal{L}\mathcal{(}\theta \mathcal{+}\delta \mathcal{)}\mathcal{-}\mathcal{L}\mathcal{(}\theta \mathcal{)}\mathcal{]}$$where:

• $\mathbb{E}$ represents the expectation over adversarial strategies.

This mathematical framework formalizes the poisoning attack problem in FL-based IDS and highlights the need for robust defence mechanisms. The proposed AGAT-FL approach leverages trust-aware aggregation to mitigate adversarial attacks and enhance security in IoT networks.

Stage 1: dataset preprocessing and poisoning simulation

This stage focuses on preparing the dataset for training and simulating adversarial poisoning attacks. It involves selecting relevant datasets, normalizing data for consistency, and applying preprocessing techniques to enhance model training. Additionally, various poisoning attack strategies, such as backdoor insertion, label flipping, and adversarial perturbations, are introduced to evaluate the robustness of the IDS. These steps are to assess comprehensively the proposed model’s ability to detect and mitigate poisoning attacks in FL environments.

• 1.

  Dataset selection:

  • •

    Utilize N-BaIoT, CIC-ToN-IoT datasets.

    The N-BaIoT (Meidan et al., 2018) dataset is designed to detect anomalous behaviour in IoT devices. It consists of network traffic data captured from devices infected with Mirai and Bashlite botnets. The dataset includes benign and malicious traffic flows, with 115 extracted features related to network flow statistics. It provides a comprehensive benchmark for IoT security and intrusion detection.

    The CIC-ToN-IoT (Moustafa, 2021) dataset is a large-scale dataset that captures real-world IoT, IT, and OT (operational technology) environments. It contains a combination of normal and malicious network traffic, including attacks such as DDoS, reconnaissance, backdoors, and injection attacks. The dataset comprises approximately 16.8 million network traffic flows, with 44 labelled network flow features, making it highly suitable for evaluating intrusion detection models.

  • •

    Normalization: The datasets used in this article have different data types, requiring different normalization techniques for optimal performance. Table 2 presents the normalization methods used for each dataset:

    Symbol definitions:

    • –

      X—Original feature value

    • –

      X′—Normalized feature value

    • –

      $\mu$—Mean of the dataset

    • –

      $\sigma$—Standard deviation of the dataset

  To adhere to the privacy-preserving principles of FL, all normalization operations in AGAT-FL are performed locally on each client device. Specifically, the mean ( $\mu$) and standard deviation ( $\sigma$) required for Z-score normalization are computed independently using each client’s private dataset. This approach prevents the need to share raw data or global statistical summaries with the central server, thereby reducing the risk of data leakage through aggregation. Local normalization also reflects the inherent non-IID nature of federated data distributions, as clients may observe significantly different patterns in traffic behavior. While this may introduce slight statistical variation across nodes, our trust-aware aggregation mechanism compensates for these differences during model training. This design choice aligns with established practices in the FL literature, including Cao et al. (2020) and Kairouz et al. (2021), which emphasize local data processing to uphold privacy and system decentralization.

• 2.

  Data augmentation for poisoning attack simulations:

  • •

    Introduce Backdoor Attacks, Label Flipping, Gradient Manipulation, and Sybil Attacks.

    Backdoor attacks introduce malicious triggers into training data to manipulate the model’s behaviour at inference time. Formally, given a benign training dataset $D=\{(x_i,y_i){\}}_{i=1}^N$, a backdoor attack modifies a subset of instances:

    (10) $${x_i}^{\mathrm{\prime }}=x_i+\tau ,{y_i}^{\mathrm{\prime }}=y_{target}$$where:

    • –

      $\tau$ is the perturbation (trigger) applied to the input,

    • –

      $y_{target}$ is the adversarial target class.

    The model is trained on poisoned data $D^{\mathrm{\prime }}=\{({x_i}^{\mathrm{\prime }},{y_i}^{\mathrm{\prime }})\}\cup D_{benign}$, making it vulnerable to misclassification whenever the backdoor trigger appears.

    Label flipping attacks alter the labels of a fraction $\epsilon$ of training samples to mislead the learning process:

    (11) $${y_i}^{\mathrm{\prime }}=\mathrm{f}\mathrm{l}\mathrm{i}\mathrm{p}(y_i)$$where $\mathrm{f}\mathrm{l}\mathrm{i}\mathrm{p}(y)$ maps a class label to another incorrect class. This attack degrades the classifier’s generalization and robustness, especially when targeted at high-impact samples.

  • •

    Generate adversarial examples using the fast gradient sign method (FGSM) and projected gradient descent (PGD). In FL, gradient manipulation occurs when adversarial clients modify their model updates before submission. Given the local update at iteration $t$:

    (12) $$\mathrm{\Delta }{\theta }_i^t={\mathrm{\nabla }}_{\theta }{\mathcal{L}}_i({\theta }^t).$$Attackers inject adversarial gradients by applying a perturbation $\delta$: (13) $$\mathrm{\Delta }{\theta }_i^{t,adv}=\mathrm{\Delta }{\theta }_i^t+\delta$$where:

    • –

      $\delta$ is crafted to degrade global model performance,

    • –

      The central server aggregates poisoned updates:

      (14) $${\theta }^{t+1}=\sum _{i=1}^N{w}_i\mathrm{\Delta }{\theta }_i^{t,adv}$$

    This causes model drift and reduces the accuracy of benign data.

    A Sybil attack in FL occurs when a single adversary controls multiple fake clients to amplify the impact of poisoning. If an adversary injects M Sybil clients into a network of N clients, their cumulative influence is:

    (15) $$\sum _{j\in \mathcal{A}}{w}_j\mathrm{\Delta }{\theta }_j^{adv}\gg \sum _{i\in \mathcal{B}}{w}_i\mathrm{\Delta }{\theta }_i$$where:

    • –

      $\mathcal{A}$ represents adversarial clients,

    • –

      $\mathcal{B}$ represents benign clients.

    This attack significantly degrades global model convergence.

    FGSM generates adversarial examples by perturbing input samples along the gradient of the loss function:

    (16) $$x^{\mathrm{\prime }}=x+\epsilon \cdot \mathrm{s}\mathrm{i}\mathrm{g}\mathrm{n}({\mathrm{\nabla }}_x\mathcal{L}(\theta ,x,y))$$where:

    • –

      $x^{\mathrm{\prime }}$ is the adversarial example,

    • –

      $\epsilon$ is the attack magnitude,

    • –

      $\mathrm{s}\mathrm{i}\mathrm{g}\mathrm{n}({\mathrm{\nabla }}_x\mathcal{L}\mathcal{)}$ is the direction of the loss gradient.

    FGSM is computationally efficient and effective for white-box attacks.

    PGD iteratively refines adversarial perturbations, making it a stronger attack than FGSM:

    (17) $$x^{t+1}={\mathrm{\Pi }}_{B_{\epsilon }(x)}\left(x^t+\alpha \cdot \mathrm{s}\mathrm{i}\mathrm{g}\mathrm{n}({\mathrm{\nabla }}_x\mathcal{L}(\theta ,x,y))\right)$$where:

    • –

      ${\mathrm{\Pi }}_{B_{\epsilon }(x)}$ projects perturbed samples onto the allowed $\epsilon$-ball,

    • –

      $\alpha$ is the step size per iteration.

    PGD applies multiple steps to maximize adversarial impact.

• 3.

  Feature extraction: IoT datasets such as N-BaIoT and CIC-ToN-IoT contain network traffic logs and behavioural data, which can be used to detect anomalies. The extracted features include:

  • •

    Network flow statistics: Packet size distribution, inter-arrival times, and connection durations.

  • •

    Behavioral anomaly indicators: Unusual communication patterns, frequency of connection attempts, and protocol usage deviations.

  Formally, let X represent the set of raw network features extracted from each IoT device. The feature transformation function $f(X)$ maps raw network flows to a vector representation: (18) $$f(X)=\{\mathrm{m}\mathrm{e}\mathrm{a}\mathrm{n}(X),\mathrm{s}\mathrm{t}\mathrm{d}(X),\mathrm{e}\mathrm{n}\mathrm{t}\mathrm{r}\mathrm{o}\mathrm{p}\mathrm{y}(X),\mathrm{c}\mathrm{o}\mathrm{r}\mathrm{r}\mathrm{e}\mathrm{l}\mathrm{a}\mathrm{t}\mathrm{i}\mathrm{o}\mathrm{n}(X)\}$$where:

  • •

    $\mathrm{m}\mathrm{e}\mathrm{a}\mathrm{n}(X)$: Average packet size per session,

  • •

    $\mathrm{s}\mathrm{t}\mathrm{d}(X)$: Standard deviation of inter-arrival times,

  • •

    $\mathrm{e}\mathrm{n}\mathrm{t}\mathrm{r}\mathrm{o}\mathrm{p}\mathrm{y}(X)$: Shannon entropy of protocol usage,

  • •

    $\mathrm{c}\mathrm{o}\mathrm{r}\mathrm{r}\mathrm{e}\mathrm{l}\mathrm{a}\mathrm{t}\mathrm{i}\mathrm{o}\mathrm{n}(X)$: Statistical dependencies between network features.

  These extracted features are then fed into anomaly detection models for classification.

  Deep learning models are leveraged to extract high-level feature representations for image datasets such as SVHN, MNIST, FashionMNIST, and CIFAR-10. We utilize pre-trained CNNs, ResNet, and EfficientNet to obtain feature embeddings: (19) $$Z=g(I;\theta )$$where:

  • •

    I is the input image,

  • •

    $g(I;\theta )$ is the CNN feature extractor with parameters $\theta$,

  • •

    Z is the high-dimensional representation of the input.

  To extract robust features, we utilize:

  • •

    ResNet-50: Extracts hierarchical feature representations using residual learning.

  • •

    EfficientNet-B3: Optimized for computational efficiency while preserving feature diversity.

  These representations are then used in downstream classification or anomaly detection tasks.

• 4.

  Dimensionality reduction for multi-modal data: Since IoT-based features and image-based features exist in different domains, dimensionality reduction techniques are applied to ensure feature consistency:

  • •

    Principal component analysis (PCA): Reduces feature space by selecting principal components that maximize variance:

    (20) $$Z^{\mathrm{\prime }}=\mathrm{P}\mathrm{C}\mathrm{A}(Z),\mathrm{w}\mathrm{h}\mathrm{e}\mathrm{r}\mathrm{e}{Z}^{\mathrm{\prime }}\in {\mathbb{R}}^d,d<D.$$

  • •

    Autoencoders: Learn compressed latent space representations via unsupervised learning:

    (21) $$\hat{Z}=h_{\theta }(g_{\varphi }(Z))$$

    where:

    • –

      $g_{\varphi }(Z)$ is the encoder,

    • –

      $h_{\theta }$ is the decoder,

    • –

      $\hat{Z}$ is the reconstructed feature vector.

  • PCA and autoencoders allow multi-modal feature fusion, enabling a unified feature space for IoT and image datasets.

Stage 2: FL setup with graph-based adaptive attention

This stage configures the FL framework while integrating GATs to enhance security and robustness against poisoning attacks. The FL setup models participating IoT devices as graph nodes, establishing edges based on network traffic similarity and direct communication logs. To ensure the reliability of federated updates, a trust-based weighting mechanism is introduced, which assigns importance scores to each node based on historical model accuracy and anomaly detection techniques. This graph-based trust model dynamically filters out poisoned updates and improves the IDS by ensuring that only high-trust nodes influence the global model aggregation.

The construction of this graph representation of federated nodes and the trust-based model update process follows the structured procedure outlined in the following subsections.

Stage 3: hybrid deep learning model for anomaly detection

This stage introduces a hybrid deep-learning framework for detecting anomalies in network traffic. The model processes structured traffic data into matrix-like representations, allowing CNNs to extract spatial dependencies and GRUs to capture temporal variations.

The model leverages two key transformations:

1. Traffic Flow Embeddings: Converts raw packet-based logs into structured matrices.

2. Graph-Based Representations: Constructs an adjacency matrix to capture node relationships in FL.

Stage 4: poisoning attack detection and mitigation

This stage introduces a hybrid deep learning approach that combines CNNs and GRUs to enhance anomaly detection. CNNs extract spatial features from input data, while GRUs capture temporal dependencies, making the model more effective in identifying complex attack patterns. Additionally, contrastive learning is applied to refine feature representations, improving the model’s ability to distinguish between normal and malicious activities. This hybrid approach strengthens the detection of poisoning attacks and enhances the overall performance of the FL system.

Experiments setups

To conduct the AGAT-FL experiments efficiently, we utilized a high-performance computing system with hardware and software specifications detailed in Table 3. We employed diverse datasets covering both network traffic and image-based data for evaluation. The N-BaIoT and CIC-ToN-IoT datasets capture network traffic logs from IoT devices, encompassing benign and malicious activities. This dataset selection ensures a comprehensive assessment across multiple data modalities. The details of dataset preprocessing and datasets were previously discussed in ‘Stage 1: Dataset preprocessing and poisoning simulation’.

Evaluation metrics

To evaluate the performance of the proposed AGAT-FL model, we employed standard metrics widely used in classification tasks, namely accuracy, precision, recall, and F1-score. These metrics provide insights into the model’s ability to correctly classify benign and malicious activities while balancing false positives and negatives. The mathematical definitions of these metrics are presented below (Eqs. (37) to (40)) (Al-E’mari, Sanjalawe & Fraihat, 2023; Sanjalawe & Al-E’mari, 2023; Althobaiti, Sanjalawe & Ramzan, 2023).

(37) $$\mathrm{A}\mathrm{c}\mathrm{c}\mathrm{u}\mathrm{r}\mathrm{a}\mathrm{c}\mathrm{y}=\frac{TP+TN}{TP+TN+FP+FN}$$

(38) $$\mathrm{P}\mathrm{r}\mathrm{e}\mathrm{c}\mathrm{i}\mathrm{s}\mathrm{i}\mathrm{o}\mathrm{n}=\frac{TP}{TP+FP}$$

(39) $$\mathrm{R}\mathrm{e}\mathrm{c}\mathrm{a}\mathrm{l}\mathrm{l}=\frac{TP}{TP+FN}$$

(40) $$\mathrm{F}1\text{-}\mathrm{s}\mathrm{c}\mathrm{o}\mathrm{r}\mathrm{e}=2\times \frac{\mathrm{P}\mathrm{r}\mathrm{e}\mathrm{c}\mathrm{i}\mathrm{s}\mathrm{i}\mathrm{o}\mathrm{n}\times \mathrm{R}\mathrm{e}\mathrm{c}\mathrm{a}\mathrm{l}\mathrm{l}}{\mathrm{P}\mathrm{r}\mathrm{e}\mathrm{c}\mathrm{i}\mathrm{s}\mathrm{i}\mathrm{o}\mathrm{n}+\mathrm{R}\mathrm{e}\mathrm{c}\mathrm{a}\mathrm{l}\mathrm{l}}$$where:

• TP (true positives): The number of correctly predicted positive instances (malicious activities correctly identified as malicious).

• TN (true negatives): The number of correctly predicted negative instances (benign activities correctly identified as benign).

• FP (false positives): The number of benign instances incorrectly classified as malicious.

• FN (false negatives): The number of malicious instances incorrectly classified as benign.

These metrics collectively measure the model’s:

• Overall performance (accuracy): The proportion of correct predictions (positive and negative) out of all predictions.

• Ability to correctly identify positive instances (precision): The proportion of true positive predictions out of all predicted positives.

• Completeness of identifying positive instances (recall): The proportion of true positives out of all actual positives.

• Balance between precision and recall (F1-score): The harmonic mean of precision and Recall.

The CNN model (Table 4) is designed to extract spatial features the datasets. It incorporates convolutional layers, batch normalization, pooling, and fully connected layers to achieve robust feature representation.

The GAT model (Table 5) is integral to the proposed trust-aware aggregation mechanism. It assigns attention scores to nodes based on similarity measures, ensuring robust aggregation in the presence of adversarial updates.

The hybrid model (Table 6) combines CNNs for spatial feature extraction and GRUs for capturing temporal dependencies in network flow data. This architecture enhances anomaly detection by leveraging complementary feature types.

The pre-trained ResNet-50 model (Table 7) is employed for feature extraction from image datasets. Its residual learning architecture facilitates extracting hierarchical features, aiding in robust anomaly classification.

Results and analysis

The effectiveness of data augmentation techniques such as backdoor insertion, label flipping, and adversarial attacks (FGSM/PGD) can be assessed through the analysis of feature distributions and temporal correlations in the datasets. Figures 4 and 5 provide a comparative evaluation of the original and augmented datasets for N-BaIoT and CIC-ToN-IoT, demonstrating that the augmentation process does not distort the realistic nature of traffic patterns.

Figure 4 presents the histogram distributions of feature values for the original (blue) and augmented (red) datasets. The substantial overlap between the two distributions confirms that the augmentation process preserves the statistical properties of network traffic. There are no significant shifts in the peak values, no excessive spread, and no unusual variations that would indicate data contamination. If augmentation had introduced unrealistic patterns, we would expect to see heavy skewness, extreme outliers, or new feature ranges that deviate from real-world network behavior. The similar variance and spread in both original and augmented datasets ensure that synthetic distortions will not bias the model trained on this data.

Figure 5 illustrates the autocorrelation analysis of both datasets, highlighting the time-dependent relationships within network traffic. The results indicate that sequential dependencies remain intact after augmentation. The gradual decay of autocorrelation values over time is consistent between the original and augmented datasets, demonstrating that the natural flow of network activity is preserved. If the augmentation process had significantly altered packet sequences, we would observe random fluctuations, erratic spikes, or abrupt drops in correlation values, which are not present in Fig. 5. This stability in autocorrelation confirms that time-based anomaly detection methods can still effectively model traffic behaviour without being misled by artificial modifications.

The findings from Figs. 4 and 5 validate that data augmentation techniques used in this study maintain the integrity of network traffic characteristics. The feature distributions remain consistent, ensuring that classifiers do not learn artificial patterns, while the temporal dependencies are preserved, allowing time-sensitive security models to function effectively. These results confirm that the applied data augmentation methods do not distort network behavior, making the dataset reliable for intrusion detection and cybersecurity analysis.

The Mahalanobis distance distribution plots for the N-BaIoT and CIC-ToN-IoT datasets reveal how network traffic deviates from normal behavior, highlighting potential anomalies. The right-skewed distributions indicate that most benign traffic falls within a low-distance range, while a subset of samples exhibits significantly higher distances, suggesting possible adversarial activity. To ensure that anomaly scores generalize to unseen adversarial strategies rather than overfitting to synthetic poisoning attacks, it is critical to adopt an adaptive thresholding mechanism based on statistical properties of the data, such as:

(41) $${\tau }_t={\mu }_{D_M}+\lambda \cdot {\sigma }_{D_M}.$$

The Mahalanobis distance distribution plots for the N-BaIoT and CIC-ToN-IoT datasets, in Fig. 6, reveal how network traffic deviates from normal behaviour, highlighting potential anomalies. The right-skewed distributions indicate that most benign traffic falls within a low-distance range, while a subset of samples exhibits significantly higher distances, suggesting possible adversarial activity. To ensure that anomaly scores generalize to unseen adversarial strategies rather than overfitting to synthetic poisoning attacks, it is critical to adopt an adaptive thresholding mechanism based on statistical properties of the data, such as:

(42) $${\tau }_t={\mu }_{D_M}+\lambda \cdot {\sigma }_{D_M}$$where:

• ${\tau }_t$ is the adaptive threshold for Mahalanobis distance at time step $t$.

• ${\mu }_{D_M}$ is the mean Mahalanobis distance computed from the training dataset.

• ${\sigma }_{D_M}$ is the standard deviation of the Mahalanobis distances.

• $\lambda$ is a sensitivity parameter that controls the trade-off between detection sensitivity and false positives (typically set to 2 or 3 for 95–99% confidence intervals).

Rather than relying on fixed thresholds. Additionally, cross-validation on diverse attack types, calibration using ROC and precision-recall curves, and contrastive learning to refine feature separability can further prevent overfitting. The observed differences in spread between the two datasets suggest that dataset-specific tuning is necessary, reinforcing the importance of a flexible and adaptive detection approach to improve resilience against zero-day and adversarial attacks.

The experimental evaluation provided in Tables 8 to 11 highlights the comparative performance of the proposed AGAT-FL model against various State-of-the-Art (SOTA) techniques across multiple datasets. This section discusses and interprets the results comprehensively.

Table 8 presents the accuracy performance of various FL approaches across six benchmark datasets. The results show that AGAT-FL consistently outperforms traditional methods in terms of accuracy. This improvement is mainly due to its ability to reduce the influence of poisoning attacks through an adaptive attention mechanism.

Conventional techniques such as FedAvg and FedGen are prone to adversarial model updates, which can degrade global model performance. In contrast, AGAT-FL dynamically adjusts trust scores for each client, allowing it to filter out malicious updates. This ensures that trustworthy contributions have a greater influence during the model aggregation process.

Additionally, the integration of graph-based learning enhances AGAT-FL’s understanding of client relationships. This structure-aware approach promotes secure and efficient knowledge transfer across nodes, further strengthening model robustness. The relatively lower accuracy of the baseline methods highlights their vulnerability to model poisoning, where manipulated updates compromise learning. These findings emphasize the importance of adaptive, trust-aware aggregation strategies in FL, particularly in high-risk domains like IoT intrusion detection.

Table 9 compares the precision of different approaches across datasets. Precision, which measures the proportion of correctly identified malicious instances among all positive predictions, is critical in IDSs to reduce false positives. The AGAT-FL model significantly improves precision, particularly in datasets that exhibit a high degree of attack diversity, such as CIC-ToN-IoT and N-BaIoT. This enhancement is primarily due to the model’s ability to leverage graph attention networks for feature extraction, which ensures that the model learns distinctive patterns of malicious activity. In contrast, traditional FL methods rely on simpler aggregation techniques that fail to distinguish between adversarial and benign updates effectively. The lower precision observed in some baseline approaches suggests that these methods tend to misclassify benign traffic maliciously, leading to unnecessary false alarms. The proposed model’s trust-aware mechanism mitigates this issue by assigning higher aggregation weights to reliable clients, thus improving the classification of genuine malicious traffic without inflating the number of false positives.

The recall performance of different models, as shown in Table 10, provides insights into how effectively each method detects actual malicious activities. High recall is crucial for an IDS as it ensures that a significant portion of attacks are identified, minimizing the risk of undetected threats. The AGAT-FL model consistently exhibits superior recall compared to other approaches, demonstrating its robustness in recognizing and flagging security threats across diverse datasets. The ability of AGAT-FL to maintain high recall rates stems from its incorporation of adaptive attention-based aggregation, which filters out adversarial influence while preserving informative updates.

Conventional FL methods, such as pFedLA and HeteroFL, show lower recall due to their reliance on static aggregation rules, making them susceptible to poisoned updates that skew the global model’s learning process. A lower recall in these models suggests that some malicious activities remain undetected, posing potential security risks. By contrast, the AGAT-FL model achieves a balance between capturing attack patterns and minimizing false negatives, ensuring a more resilient intrusion detection mechanism.

Table 11 presents the F1-score comparisons, which offer a balanced perspective by considering both precision and recall. The results reinforce the findings from previous tables, showing that AGAT-FL maintains superior performance across all datasets. A high F1-score indicates that the model successfully mitigates trade-offs between precision and recall, ensuring optimal classification of adversarial activities. This improvement is particularly evident in datasets with complex attack scenarios, where traditional methods struggle to differentiate between normal and malicious patterns.

The strength of AGAT-FL is that it can update trust scores as needed, enabling the model to focus on contributions from trusted nodes. This helps to prevent adversarial noise from hindering the learning process, improving resilience to poisoning attacks. Relatively lower F1-scores obtained by FedAvg and ScaleFL suggest that these approaches suffer from an imbalance in classification and either over-classify malicious threats or under-classify all dangers. By overcoming these concerns, AGAT-FL enhances the reliability and security of the intrusion detection system tailored for the FL framework.

The overall findings from Tables 8 to 11 highlight the limitations of traditional FL aggregation techniques in adversarial settings. While effective in benign environments, methods such as FedRep and FedGen struggle under poisoning attacks due to their equal treatment of all client contributions. This leads to vulnerabilities where adversarial updates compromise the integrity of the global model. The AGAT-FL model addresses this challenge through a trust-aware, attention-based mechanism that selectively integrates model updates based on reliability. The consistent performance gains across all evaluation metrics indicate that AGAT-FL enhances security and ensures efficient learning in federated environments.

Furthermore, the results emphasize the importance of incorporating graph-based aggregation in FL. By leveraging graph attention networks, AGAT-FL captures inter-client relationships more effectively, allowing for context-aware weighting of model updates. This is particularly beneficial in IoT-based applications where device heterogeneity and dynamic network conditions pose significant security risks. The findings suggest that future research in FL security should focus on refining adaptive trust mechanisms and exploring novel ways to detect and mitigate adversarial influences in real-time.

Statistical analysis and interpretation

To improve the statistical rigor of our evaluation, we extend our performance analysis with detailed reporting of 95% confidence intervals and corresponding p-values for each model and dataset. This allows for more precise interpretations of the model’s performance and the statistical significance of observed differences.

Table 12 summarizes the performance metrics for AGAT-FL and baseline FL methods (FedAvg, FedGen, and AdaptFL) across the N-BaIoT and CIC-ToN-IoT datasets. Each metric is accompanied by a 95% confidence interval, estimated using bootstrap sampling (1,000 iterations), and p-values derived from paired t-tests against the AGAT-FL results.

As depicted in Fig. 7, AGAT-FL achieves the highest accuracy across both datasets with tight confidence intervals, indicating consistent performance and low variance. In contrast, baseline methods demonstrate wider intervals and slightly lower central values.

Moreover, p-values under 0.05 for most comparisons validate that the observed performance gains of AGAT-FL are statistically significant, particularly against FedAvg and FedGen. The AdaptFL method comes close in performance but is still outperformed by AGAT-FL with a statistically significant margin (p ¡ 0.01).

The inclusion of confidence intervals reinforces the robustness of our results, ensuring they are not due to random variation. AGAT-FL not only shows superior central performance metrics but also maintains narrower CIs, suggesting higher stability under varied training rounds and attack intensities. These statistical improvements further confirm the effectiveness of our trust-aware, attention-based FL strategy in adversarial IoT scenarios.

To further validate the robustness of AGAT-FL, we conducted pairwise statistical comparisons with baseline FL methods (FedAvg, FedGen, and AdaptFL). Independent t-tests were performed across four key performance metrics (Accuracy, Precision, Recall, and F1-score) for both N-BaIoT and CIC-ToN-IoT datasets. The results are presented in Table 13.

The p-values indicate that the performance improvements of AGAT-FL are statistically significant ( $p<0.05$) in all cases. Especially for the N-BaIoT dataset, AGAT-FL shows substantial improvement over all baseline models, with the lowest p-value ( $p=0.001$) recorded against AdaptFL. These findings confirm the effectiveness of the proposed trust-aware aggregation and anomaly detection mechanisms under adversarial conditions.

Robustness to varying attack intensity

To further evaluate the resilience of AGAT-FL under adversarial settings, we assess its performance across different levels of poisoning severity. In particular, we vary the intensity of adversarial perturbations using the fast gradient sign method (FGSM) by adjusting the perturbation parameter $\epsilon \in \{0.01,0.05,0.1,0.2\}$. These values represent a progression from weak to strong adversarial influence, allowing us to measure the system’s robustness under increasing attack strength.

For each perturbation level, the model was trained and evaluated on the CIC-ToN-IoT dataset. The key detection metrics, accuracy, precision, recall, and F1-score, were recorded as presented in Table 14, AGAT-FL maintains strong detection capabilities under mild perturbations ( $\epsilon \le 0.05$), with only slight drops in performance. As $\epsilon$ increases to more aggressive values (e.g., 0.1 and 0.2), a gradual degradation is observed. Importantly, the model does not collapse or fail abruptly, reflecting its structural robustness and effective filtering of poisoned updates through trust-aware aggregation and Mahalanobis-based anomaly scoring.

These results demonstrate that AGAT-FL can effectively tolerate moderate levels of adversarial noise and adapt to poisoned environments without significant compromise in detection accuracy. The gradual performance degradation curve further validates the framework’s robustness and its suitability for deployment in real-world IoT settings facing dynamic and evolving attack patterns.

Sensitivity analysis

To assess the robustness of the proposed AGAT-FL framework under varying operational conditions, we conducted a sensitivity analysis focusing on three critical hyperparameters: (1) the proportion of poisoned nodes in the network, (2) the trust threshold $\tau$ used in the adaptive aggregation mechanism, and (3) the Mahalanobis distance scaling factor $\lambda$ for anomaly detection.

Sensitivity to number of poisoned nodes

Figure 8 illustrates how model accuracy degrades as the percentage of poisoned nodes increases from 0% to 40%. AGAT-FL maintains high accuracy up to 20% poisoned participation, after which performance declines more noticeably. This result highlights the method’s resilience against moderate adversarial interference, primarily due to its trust-aware aggregation and anomaly filtering strategies.

Sensitivity to trust threshold $\tau$

Figure 9 shows how the F1-score varies with different values of the trust threshold $\tau$. The best performance is achieved at $\tau =0.6$, balancing the rejection of adversarial updates and retention of legitimate contributions. Extremely low or high thresholds lead to suboptimal performance due to over-permissiveness or over-restriction, respectively.

Sensitivity to Mahalanobis scaling parameter $\lambda$

The parameter $\lambda$ controls the aggressiveness of anomaly rejection in the Mahalanobis-based detection stage. As shown in Fig. 10, the model achieves the highest recall at $\lambda =1.5$. Lower values risk failing to detect anomalies, while overly high values may flag benign updates as malicious.

This sensitivity analysis confirms that AGAT-FL is robust across a range of realistic operational parameters. It performs reliably with moderate levels of poisoning and responds well to properly tuned thresholds for trust and anomaly detection.

Computational and communication overhead analysis

While AGAT-FL demonstrates superior detection performance and robustness to poisoning attacks, practical deployment in IoT environments requires efficiency in terms of both computation and communication. This subsection evaluates AGAT-FL’s overhead and scalability by comparing it to representative FL baselines, including FedAvg, FedMADE, and BFL-SC, under the same experimental conditions.

Measurement setup. To ensure consistency, all experiments were executed on the same hardware infrastructure specified in Table 3, using identical configurations for dataset splits, local training epochs, model sizes, and communication rounds. We measured:

• Computational overhead as the average wall-clock time per communication round, including local training, trust score computation, and server-side aggregation.

• Communication overhead as the proportion of accepted vs. rejected model updates per round, which directly impacts the volume of transmitted data.

Runtime was recorded using Python’s time module, while communication statistics were logged by tracking accepted update payloads at the server.

Computational overhead. AGAT-FL introduces additional computations through its GAT-based trust model and hybrid CNN-GRU architecture. However, these components are computationally lightweight and optimized for parallel execution. The GAT operates on sparse graphs with low node degrees, and trust scores are derived from compact behavioral features (e.g., local loss trends, anomaly score variances) that require minimal processing.

Table 15 reports the average runtime per communication round. AGAT-FL exhibits a modest increase of approximately 13–16% over FedAvg, while remaining more efficient than blockchain-based methods like BFL-SC. This trade-off is acceptable given the significant gains in robustness and interpretability.

Communication overhead. AGAT-FL optimizes communication by incorporating an adaptive filtering mechanism based on Mahalanobis distance and dynamic trust scores. Only updates from clients with sufficient trust are accepted for aggregation, thereby reducing bandwidth usage and preventing poisoned data transmission.

We compute the communication overhead as the fraction of client updates rejected during each round. Table 16 shows that AGAT-FL filters out approximately 22–28% updates on average, depending on dataset variability and attack intensity. This selective aggregation contributes to improved scalability and energy efficiency, especially in bandwidth-constrained IoT scenarios.

AGAT-FL was designed with IoT scalability in mind. First, it supports asynchronous client participation, enabling clients to train and upload updates intermittently without compromising model consistency. Second, trust scores are updated incrementally across rounds and do not require full graph recomputation. Finally, GATs operate efficiently on sparse graphs with low connectivity, and the CNN-GRU anomaly detector is compatible with edge deployment due to its compact architecture.

AGAT-FL introduces moderate computational overhead while significantly reducing communication cost through intelligent update filtering. These trade-offs support its deployment in real-world IoT networks, where resources are limited and communication is costly. The results confirm that AGAT-FL offers a scalable and efficient defense mechanism, striking a balance between security, accuracy, and overhead.

Interpretability results using SHAP and LIME

To enhance the transparency and auditability of the AGAT-FL pipeline, we integrated two widely adopted XAI tools—SHAP and LIME, into the post-processing stage of the anomaly detection module. After the hybrid CNN-GRU model produces its prediction for a given client update (benign or poisoned), SHAP and LIME are applied to analyze the contributing features that led to the model’s decision. This integration allows us to validate the internal logic of the poisoning detection process, inspect misclassifications, and provide security analysts with intuitive, human-understandable explanations for each prediction.

SHAP-based global interpretability

SHAP was used to evaluate the global interpretability of the AGAT-FL model. Specifically, it provides a feature attribution map based on the average contribution of each input feature across all test samples from the N-BaIoT dataset. As shown in Fig. 11, the SHAP summary plot highlights several influential features, most notably, destination bytes, payload entropy, and connection duration. These features are known indicators of abnormal traffic behavior in IoT environments and are highly correlated with poisoning activity.

This analysis provides evidence that the AGAT-FL model’s attention mechanism and anomaly classifier align with domain-relevant security patterns. For example, elevated entropy in payloads is often indicative of encoded or obfuscated attack traffic, while irregular connection durations may signal botnet-like behavior. The SHAP-based evaluation supports that the model’s decision-making process is both semantically meaningful and grounded in practical cybersecurity heuristics.

LIME-Based Local Interpretability

To complement global insights, we used LIME to generate case-specific explanations, particularly for individual predictions that involved borderline or misclassified instances. Figure 12 shows the explanation for a true positive poisoning detection. In this case, LIME highlighted unusually high values in features such as connection count, average packet size, and inter-packet timing as key contributors to the model’s classification.

These local explanations proved especially useful in investigating false positives, i.e., benign updates mistakenly flagged as poisoned. In one such instance, LIME revealed that a benign node exhibiting sudden but legitimate spikes in traffic volume had a feature pattern similar to backdoor attacks. This allowed us to identify overly aggressive thresholding in the Mahalanobis anomaly score and adjust the sensitivity parameter $\lambda$ accordingly. Thus, LIME not only aids in interpreting correct classifications but also plays a practical role in improving detection logic and reducing operational false alarms.

The integration of SHAP and LIME into AGAT-FL’s post-decision layer serves two critical functions. First, it confirms that the model prioritizes meaningful, high-signal features when detecting poisoned updates. Second, it provides visual and quantifiable reasoning for each prediction, allowing developers and analysts to assess whether the model’s conclusions are trustworthy.

Furthermore, these tools were instrumental in refining hyperparameters during sensitivity analysis (‘Sensitivity Analysis’), particularly in adjusting trust thresholds and anomaly scoring to reduce misclassifications. By offering both macro-level (SHAP) and micro-level (LIME) interpretability, the framework achieves a balance between predictive accuracy and explainability, two essential requirements for deployment in real-world, mission-critical IoT environments.

Ablation study and component contribution analysis

To better understand the source of AGAT-FL’s performance improvements, we conducted a comprehensive ablation study. The goal is to evaluate the individual and combined impact of each major component, (i) GAT-based trust-aware aggregation, (ii) CNN-GRU hybrid anomaly detection, and (iii) Mahalanobis distance-based filtering, on the model’s accuracy, robustness, and generalizability under adversarial conditions.

Experimental design. We designed four experimental variants of AGAT-FL by selectively disabling one or more of its core components:

• Baseline FL (FedAvg + CNN-GRU): Uses federated averaging without trust or filtering.

• + Mahalanobis Filtering: Adds anomaly-based update rejection using Mahalanobis distance.

• + Trust-Aware GAT Aggregation: Adds dynamic trust scoring and GAT-based weighted aggregation.

• Full AGAT-FL: Combines CNN-GRU, GAT aggregation, and Mahalanobis filtering.

Each variant was tested using the same settings and datasets (N-BaIoT and CIC-ToN-IoT), with identical poisoning attack configurations (label flipping, backdoor triggers, FGSM/PGD adversarial gradients, and Sybil nodes). We measured accuracy, precision, recall, and F1-score for all configurations over five independent runs.

Results and interpretation. Table 17 summarizes the results of the ablation study. We observe that each component provides measurable benefits, but their combination yields the most robust and consistent performance.

The results demonstrate:

• Trust-aware aggregation via GAT contributes significantly to resilience by downweighting adversarial nodes, improving accuracy by approximately 3.5% over FedAvg.

• Mahalanobis distance filtering is particularly effective in reducing false positives, which improves precision by over 2.8%.

• CNN-GRU enhances anomaly detection by capturing both spatial (via CNN) and temporal (via GRU) patterns in network traffic, outperforming simpler MLP or CNN-only models used in baseline IDS.

• AGAT-FL (full model) shows a synergistic benefit when all three components are used together, yielding the highest scores across all evaluation metrics.

While each module improves detection individually, their joint application produces a compounding effect. GAT-based aggregation mitigates model poisoning at the aggregation stage, Mahalanobis filtering pre-screens suspicious updates before they impact the global model, and the CNN-GRU hybrid architecture enhances the representation power of local models. Together, they form a robust defense pipeline that is especially effective under diverse and evolving poisoning attacks.

This confirms that the observed performance gains, particularly the 5–6% improvement in accuracy and F1-score over FedAvg baselines, are not the result of any single enhancement, but rather the product of coordinated synergy between all components. We believe this holistic design is what enables AGAT-FL to maintain both high accuracy and operational robustness in federated IoT security contexts.

Discussion

The experimental evaluation of the proposed AGAT-FL framework demonstrates its superior performance in mitigating poisoning attacks within FL-based IDSs in IoT environments. The analysis of the results, as observed on the N-BaIoT and CIC-ToN-IoT datasets, reveals a significant improvement in detection accuracy, robustness, and interpretability compared to traditional and state-of-the-art FL methodologies.

AGAT-FL achieves an accuracy of up to 94.01% on N-BaIoT and 91.02% on CIC-ToN-IoT, surpassing conventional FL aggregation methods such as FedAvg, which cannot differentiate between benign and adversarial model contributions. This notable gain is attributed to the integration of adaptive graph attention mechanisms that dynamically adjust trust scores based on clients’ historical behavior and deviation patterns. Specifically, the employment of GATs enables AGAT-FL to model the federated ecosystem as a relational graph, where attention coefficients are weighted according to the contextual trustworthiness of nodes. This trust-aware aggregation ensures that malicious updates exert minimal influence on the global model.

Moreover, the spatial and temporal features of network traffic data are captured, therefore enhancing the anomaly detection with the hybrid AGAT-FL model, which uses the CNN-Gru deep learning technique. This dual capability is particularly critical in IoT environments where attack signatures may vary across time and devices. Incorporation of contrastive learning strengthens the performance of the model by improving representation learning, class separability, and robustness against attacks.

Also noteworthy is the application of the statistical filter based on Mahalanobis distance. This distance enables the system to mark outliers in model updates, thus identifying poisoned updates while preserving the updates from non-malicious clients. The dynamic thresholding approach, which adapts to the spread of Mahalanobis distances, helps limit the possibility of identifying non-existent outliers and strengthens the system against poisoning attacks, be it PGD, FGSM, backdoor, or Sybil-based.

The practical implications of these contributions are profoundly impactful. In actual implementations, especially in environments with IoT devices, ensuring privacy without model deprecation reliability in privacy-preserving settings with strict resource limitations is crucial. AGAT-FL addresses this via local computation, decentralized trust, and preemptive rejection of adversarial contributions. More importantly, the explainability module, which implements SHAP and LIME, strengthens the transparency of model measures so that human operators can interpret discrepancies and trust automated detection systems.

From a deployment perspective, AGAT-FL reduces communication overhead by prioritizing updates from high-trust clients, thus making it suitable for bandwidth-limited environments. Its asynchronous client participation model also improves scalability and accommodates intermittent connectivity, a common feature in distributed IoT systems.

In conclusion, the results validate AGAT-FL as a comprehensive, resilient, and practical solution for securing FL-based IDSs in IoT environments. The adaptive trust-aware aggregation, hybrid anomaly detection model, and explainability integration collectively address significant shortcomings of existing approaches. Future extensions could explore the integration of blockchain for auditability, reinforcement learning for adaptive defense tuning, and transfer learning to generalize across unseen attack domains.

Limitations

While AGAT-FL demonstrates significant improvements over existing methods, several limitations must be acknowledged, which suggest important directions for future work.

First, the computational complexity of AGAT-FL, particularly due to the graph attention mechanism and hybrid CNN-GRU model, may limit its deployment on extremely resource-constrained IoT nodes. Although trust computation and model training are offloaded to edge servers in our setup, the additional overhead introduced by GAT training and graph construction may not scale efficiently in scenarios involving thousands or millions of nodes. Optimization techniques, such as graph sparsification, knowledge distillation, or pruning, could be explored to reduce the runtime and memory footprint.

Second, AGAT-FL relies on accurate trust estimation derived from past behavior and anomaly detection scores. However, in highly dynamic environments or early rounds of training where historical data is sparse or noisy, trust scores may be unreliable. This introduces the risk of penalizing new or previously unseen clients with benign behavior. A potential mitigation strategy is the inclusion of uncertainty modeling or Bayesian inference to represent trust confidence during early interactions better.

Third, while the Mahalanobis distance-based filtering performs well under most scenarios, it assumes a roughly Gaussian distribution of benign update vectors. In practice, the distribution of model updates—especially in non-IID federated settings—can deviate significantly from this assumption. This may lead to false positives or undetected poisoning in edge cases. Future versions of AGAT-FL could incorporate more flexible anomaly scoring methods, such as deep generative models (e.g., VAEs or normalizing flows), which are better suited for modeling complex distributions.

Another limitation relates to the framework’s handling of asynchronous client participation. While AGAT-FL supports partial client selection in each round, trust evolution is still influenced by the frequency and consistency of updates. Clients with intermittent availability may have their trust scores unfairly penalized, especially if their update patterns deviate from the norm. Incorporating temporal decay models or fairness-aware trust mechanisms could alleviate this issue.

Finally, the current evaluation is conducted on two benchmark datasets (N-BaIoT and CIC-ToN-IoT), which, while comprehensive, may not fully capture the diversity and unpredictability of real-world IoT deployments. The generalization of AGAT-FL to diverse settings—including unseen attack types, hardware variations, and multi-tenant networks—remains an open research question. Real-world deployment trials, possibly in collaboration with industry partners, are needed to validate the practical robustness and usability of the framework.

In conclusion, while AGAT-FL introduces several valuable innovations and achieves state-of-the-art performance, addressing these limitations is essential for its transition from a research prototype to a deployable cybersecurity solution in diverse IoT environments.