ZeroDefense: An adaptive hybrid fusion-based intrusion detection system for zero-day threat detection in IoT networks

Abubakar Wakili , Sara Bakkali

Journal of Electronic Science and Technology ›› 2026, Vol. 24 ›› Issue (1) : 100345


Abstract

Zero-day attacks present a critical cybersecurity challenge for Internet of things (IoT) infrastructures, where the inability of signature-based intrusion detection systems (IDSs) to recognize novel threat behaviors compromises both system reliability and operational continuity. Existing hybrid IDS solutions often struggle to balance accurate classification of known attacks with reliable anomaly detection, particularly under the computational constraints of IoT environments. To address this gap, we introduce ZeroDefense, an adaptive fusion-based IDS designed for simultaneous detection of known intrusions and emerging zero-day threats. The framework employs a four-layer architecture consisting of i) feature standardization and class balancing, ii) anomaly detection using isolation forest, autoencoder, and local outlier factor, iii) fine-grained attack classification via random forest, extreme gradient boosting (XGBoost), light gradient boosting machine (LightGBM), and attentive interpretable tabular learning (TabNet), and iv) a confidence-aware fusion engine that adaptively selects the most reliable decision path. Suspicious or previously unseen traffic is isolated early through fused anomaly scoring, while benign and known-malicious flows are processed through supervised classification for precise attack labeling. With an anomaly cascaded decision pipeline, a dynamic confidence-driven fusion mechanism, and a deployment-conscious design, ZeroDefense enables real-time inference on IoT edge gateways. Evaluation on the CICIoT2023 benchmark demonstrates 99.94% overall accuracy and 95.64% macro-average F1-score for known attacks, while 5.76% of traffic is successfully flagged as potential zero-day activity, with inference latency maintained below 100 ms/flow. These results indicate that ZeroDefense offers a scalable, resilient, and practically deployable defense capability for modern IoT infrastructures.
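The abstract describes a cascade: fused anomaly scores from the unsupervised detectors isolate suspicious traffic first, and only flows that pass that gate go to the supervised classifiers, whose outputs a confidence-aware engine fuses by picking the most reliable decision path. The following Python block is an added illustration of that decision logic and is not code from the paper or its authors. The detector and classifier outputs are constructed stand-in scores (the real system would produce them from isolation forest, autoencoder, LOF, random forest, XGBoost, LightGBM and TabNet), the two thresholds are assumed values, and the "most confident classifier wins" rule is one plausible reading of the fusion engine, not the paper's published rule.

```python
"""Illustrative confidence-aware anomaly-cascaded decision pipeline.

Hypothetical example, not ZeroDefense's own code. Per-flow inputs are
constructed here: each detector and classifier score is a stand-in for
the output the corresponding model would produce on a real flow.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Assumed thresholds (not taken from the paper).
ANOMALY_THRESHOLD = 0.70      # fused anomaly score at or above this -> zero-day candidate
CONFIDENCE_THRESHOLD = 0.80   # classifier confidence below this -> escalate for review


def fuse_anomaly_scores(scores: Dict[str, float],
                        weights: Optional[Dict[str, float]] = None) -> float:
    """Weighted mean of per-detector anomaly scores, each assumed already in [0, 1]."""
    if not scores:
        raise ValueError("at least one detector score is required")
    weights = weights or {name: 1.0 for name in scores}
    total = sum(weights[name] for name in scores)
    return sum(scores[name] * weights[name] for name in scores) / total


def fuse_classifiers(probas: Dict[str, Dict[str, float]]) -> Tuple[str, float, str]:
    """Select the most reliable decision path: the classifier whose top-class
    probability is highest. Returns (label, confidence, classifier_name)."""
    best: Optional[Tuple[str, float, str]] = None
    for name, dist in probas.items():
        label, p = max(dist.items(), key=lambda kv: kv[1])
        if best is None or p > best[1]:
            best = (label, p, name)
    assert best is not None, "no classifier outputs supplied"
    return best


@dataclass
class Decision:
    verdict: str               # "zero_day_candidate" | "known" | "uncertain"
    label: Optional[str]       # attack/benign label when a classifier path was used
    confidence: float          # fused anomaly score or classifier confidence
    source: str                # which stage or classifier produced the decision


def decide(anomaly: Dict[str, float], probas: Dict[str, Dict[str, float]]) -> Decision:
    """Stage 1: fused anomaly gate. Stage 2: confidence-aware classifier fusion."""
    a = fuse_anomaly_scores(anomaly)
    if a >= ANOMALY_THRESHOLD:
        # Suspicious / unseen traffic is isolated early and never reaches the classifiers.
        return Decision("zero_day_candidate", None, a, "anomaly_fusion")
    label, p, name = fuse_classifiers(probas)
    if p < CONFIDENCE_THRESHOLD:
        # Low-confidence known-attack labels are surfaced rather than silently trusted.
        return Decision("uncertain", label, p, name)
    return Decision("known", label, p, name)


# Constructed sample flows: scores are invented, labels mirror CICIoT2023 class names.
FLOWS: List[Dict] = [
    {"id": "f1", "anomaly": {"iforest": 0.12, "autoencoder": 0.08, "lof": 0.15},
     "probas": {"rf": {"Benign": 0.97, "DDoS": 0.03}, "xgb": {"Benign": 0.99, "DDoS": 0.01}}},
    {"id": "f2", "anomaly": {"iforest": 0.20, "autoencoder": 0.25, "lof": 0.18},
     "probas": {"rf": {"Benign": 0.05, "DDoS": 0.95}, "xgb": {"Benign": 0.10, "DDoS": 0.90}}},
    {"id": "f3", "anomaly": {"iforest": 0.91, "autoencoder": 0.85, "lof": 0.78},
     "probas": {"rf": {"Benign": 0.50, "DDoS": 0.50}, "xgb": {"Benign": 0.48, "DDoS": 0.52}}},
    {"id": "f4", "anomaly": {"iforest": 0.30, "autoencoder": 0.35, "lof": 0.40},
     "probas": {"rf": {"Benign": 0.55, "Mirai": 0.45}, "xgb": {"Benign": 0.60, "Mirai": 0.40}}},
]


def run(flows: List[Dict]) -> Dict[str, Decision]:
    """Apply the cascade to every flow and index the decisions by flow id."""
    return {f["id"]: decide(f["anomaly"], f["probas"]) for f in flows}


def zero_day_rate(decisions: Dict[str, Decision]) -> float:
    """Fraction of traffic flagged as potential zero-day activity."""
    flagged = sum(1 for d in decisions.values() if d.verdict == "zero_day_candidate")
    return flagged / len(decisions) if decisions else 0.0


if __name__ == "__main__":
    results = run(FLOWS)
    for fid, d in results.items():
        print(f"{fid}: {d.verdict:20s} label={d.label} conf={d.confidence:.2f} via {d.source}")
    print(f"zero-day candidate rate: {zero_day_rate(results):.2%}")
```

Flow f3 is stopped at the anomaly gate even though both classifiers would have produced a near-coin-flip label, which is the point of running the unsupervised stage first; f4 passes the gate but its best classifier only reaches 0.60, so it is marked uncertain instead of being reported as a confident Benign verdict. In a deployment the two thresholds would be tuned on held-out benign traffic so that the escalation rate stays within what the SOC can triage.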

Keywords

Anomaly detection / Hybrid fusion / Internet of things (IoT) / Intrusion detection system / IoT security / Resilient digital infrastructure / Zero-day detection

Cite this article

Abubakar Wakili, Sara Bakkali. ZeroDefense: An adaptive hybrid fusion-based intrusion detection system for zero-day threat detection in IoT networks. Journal of Electronic Science and Technology, 2026, 24(1): 100345. DOI: 10.1016/j.jnlest.2026.100345


CRediT authorship contribution statement

Abubakar Wakili: Conceptualization, Methodology, Software, Validation, Investigation, Data curation, Writing – original draft, Writing – review & editing, Visualization. Sara Bakkali: Conceptualization, Methodology, Validation, Resources, Writing – review & editing, Supervision.

Declaration of competing interest

The authors declare that they have no known competing financial interests or personal relationships that could have appeared to influence the work reported in this paper.

