{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,1,28]],"date-time":"2026-01-28T18:35:02Z","timestamp":1769625302034,"version":"3.49.0"},"reference-count":43,"publisher":"Frontiers Media SA","license":[{"start":{"date-parts":[[2026,1,28]],"date-time":"2026-01-28T00:00:00Z","timestamp":1769558400000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/creativecommons.org\/licenses\/by\/4.0\/"}],"content-domain":{"domain":["frontiersin.org"],"crossmark-restriction":true},"short-container-title":["Front. Commun. Netw."],"abstract":"<jats:p>The growing interconnection of industrial devices in IIoT networks has significantly increased the exposure of critical infrastructures to sophisticated cyberattacks, including 0-day threats, sensor spoofing, and lateral propagation. Conventional intrusion detection systems, based on static rules or supervised learning, often fail to generalize to unknown patterns and lack adaptability in decentralized edge environments. Moreover, most AI-based approaches do not offer real-time interpretability, hindering their deployment in regulated and auditable industrial contexts. This work proposes an autonomous and distributed defense system for IIoT networks based on Deep Deterministic Policy Gradient agents deployed at the edge, coordinated through asynchronous federated learning. Each agent performs local inference using real-time extracted traffic features, such as entropy, command frequency, and inter-packet time, and integrates an embedded SHAP-based XAI module for real-time explainability. The model is trained in an open-world setting, excluding entire attack classes during training to simulate realistic 0-day conditions. Experimental validation using the TON_IoT and N-BaIoT datasets demonstrates that the system maintains a detection F1-score of 92.0%, a false positive rate of 4.1%, and an inference latency of 182\u00a0m under multi-node attack conditions. The federated architecture ensures robustness and model continuity even with unstable node participation, while the embedded interpretability mechanism enables on-site auditability and decision traceability.<\/jats:p>","DOI":"10.3389\/frcmn.2025.1697204","type":"journal-article","created":{"date-parts":[[2026,1,28]],"date-time":"2026-01-28T06:44:23Z","timestamp":1769582663000},"update-policy":"https:\/\/doi.org\/10.3389\/crossmark-policy","source":"Crossref","is-referenced-by-count":0,"title":["Autonomous federated defense for zero-day threats in IIoT: explainable agents with real-time edge inference"],"prefix":"10.3389","volume":"6","author":[{"given":"William","family":"Villegas-Ch","sequence":"first","affiliation":[{"name":"Escuela de Ingenier\u00eda en Ciberseguridad, FICA, Universidad de Las Am\u00e9ricas","place":["Quito, Ecuador"]}],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Rommel","family":"Gutierrez","sequence":"additional","affiliation":[{"name":"Escuela de Ingenier\u00eda en Ciberseguridad, FICA, Universidad de Las Am\u00e9ricas","place":["Quito, Ecuador"]}],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Jaime","family":"Govea","sequence":"additional","affiliation":[{"name":"Escuela de Ingenier\u00eda en Ciberseguridad, FICA, Universidad de Las Am\u00e9ricas","place":["Quito, Ecuador"]}],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Pablo","family":"Palacios","sequence":"additional","affiliation":[{"name":"Escuela de Inform\u00e1tica y Telecomunicaciones, Universidad Diego Portales","place":["Santiago, Chile"]}],"role":[{"role":"author","vocabulary":"crossref"}]}],"member":"1965","published-online":{"date-parts":[[2026,1,28]]},"reference":[{"key":"B1","doi-asserted-by":"publisher","first-page":"165","DOI":"10.47852\/bonviewaia42021780","article-title":"An intrusion system for internet of things security breaches using machine learning techniques","volume":"2","author":"Adekunle","year":"2024","journal-title":"Artif. Intell. Applications"},{"key":"B2","doi-asserted-by":"publisher","first-page":"216","DOI":"10.3390\/s25010216","article-title":"A scalable approach to internet of things and industrial internet of things security: evaluating adaptive self-adjusting memory K-Nearest neighbor for zero-day attack detection","volume":"25","author":"Agbedanu","year":"2025","journal-title":"Sensors"},{"key":"B3","doi-asserted-by":"publisher","first-page":"103888","DOI":"10.1016\/j.jnca.2024.103888","article-title":"Digital twin-driven secured edge-private cloud industrial internet of things (IIoT) framework","volume":"226","author":"Al-Hawawreh","year":"2024","journal-title":"J. Netw. Comput. Appl."},{"key":"B4","doi-asserted-by":"publisher","first-page":"13215","DOI":"10.1038\/s41598-025-98056-2","article-title":"Artificial intelligence-driven cybersecurity system for internet of things using self-attention deep learning and metaheuristic algorithms","volume":"15","author":"Alblehai","year":"2025","journal-title":"Sci. Rep."},{"key":"B5","doi-asserted-by":"publisher","first-page":"12071","DOI":"10.1007\/s13369-024-09663-6","article-title":"Integrated genetic algorithm and deep learning approach for effective cyber-attack detection and classification in industrial internet of things (IIoT) environments","volume":"50","author":"Alkhafaji","year":"2024","journal-title":"Arab. J. Sci. Eng."},{"key":"B6","doi-asserted-by":"publisher","first-page":"485","DOI":"10.1109\/JIOT.2021.3085194","article-title":"ToN_IoT: the role of heterogeneity and the need for standardization of features and attack types in IoT network intrusion data sets","volume":"9","author":"Booij","year":"2022","journal-title":"IEEE Internet Things J."},{"key":"B7","doi-asserted-by":"crossref","DOI":"10.1109\/ICDSCNC62492.2024.10939775","article-title":"Adaptive defense mechanisms against zero-day attacks in wireless sensor networks","volume-title":"International conference on distributed systems, computer networks and cybersecurity (ICDSCNC 2024)","author":"Chaturvedi","year":"2024"},{"key":"B8","doi-asserted-by":"publisher","first-page":"1","DOI":"10.1109\/TIM.2022.3180417","article-title":"Federated transfer learning for bearing fault diagnosis with discrepancy-based weighted federated averaging","volume":"71","author":"Chen","year":"2022","journal-title":"IEEE Trans. Instrum. Meas."},{"key":"B9","doi-asserted-by":"publisher","first-page":"3200","DOI":"10.1109\/TMC.2023.3272567","article-title":"FTPipeHD: a fault-tolerant pipeline-parallel distributed training approach for heterogeneous edge devices","volume":"23","author":"Chen","year":"2024","journal-title":"IEEE Trans. Mobile Comput."},{"key":"B10","doi-asserted-by":"publisher","first-page":"85315","DOI":"10.1109\/ACCESS.2023.3303205","article-title":"A comparative analysis of industrial cybersecurity standards","volume":"11","author":"Djebbar","year":"2023","journal-title":"IEEE Access"},{"key":"B11","doi-asserted-by":"publisher","first-page":"103588","DOI":"10.1016\/j.cose.2023.103588","article-title":"A deep learning technique to detect distributed denial of service attacks in software-defined networks","volume":"137","author":"Gadallah","year":"2024","journal-title":"Computers and Security"},{"key":"B12","doi-asserted-by":"publisher","first-page":"30164","DOI":"10.1109\/ACCESS.2024.3368377","article-title":"Explainable AI for intrusion detection systems: LIME and SHAP applicability on multi-layer perceptron","volume":"12","author":"Gaspar","year":"2024","journal-title":"IEEE Access"},{"key":"B13","doi-asserted-by":"publisher","first-page":"29345","DOI":"10.1109\/ACCESS.2024.3367110","article-title":"Explainable predictive maintenance of rotating machines using LIME","volume":"12","author":"Gawde","year":"2024","journal-title":"SHAP, PDP, ICE. IEEE Access"},{"key":"B14","doi-asserted-by":"publisher","first-page":"573","DOI":"10.3390\/electronics12030573","article-title":"Anomaly detection of zero-day attacks based on CNN and regularization techniques","volume":"12","author":"Hairab","year":"2023","journal-title":"Electronics (Switzerland)"},{"key":"B15","doi-asserted-by":"publisher","first-page":"126430","DOI":"10.1016\/j.apenergy.2025.126430","article-title":"Enhancing smart grid security in smart cities: a review of traditional approaches and emerging technologies","volume":"398","author":"Hassine","year":"","journal-title":"Applied Energy"},{"key":"B16","doi-asserted-by":"publisher","first-page":"1","DOI":"10.1007\/s13369-025-10636-6","article-title":"GAN-driven feature selection and GraphSAGE for advanced persistent threat defense in smart grids","author":"Hassine","year":"","journal-title":"Arab. J. Sci. Eng."},{"key":"B17","doi-asserted-by":"publisher","first-page":"3140","DOI":"10.1109\/OJCOMS.2024.3523368","article-title":"Adaptive trust management for data poisoning attacks in MEC-based FL infrastructures","volume":"6","author":"Hathout","year":"2025","journal-title":"IEEE Open Journal of the Communications Society"},{"key":"B18","first-page":"4069","article-title":"IDS-SIoEL: intrusion detection framework for IoT-Based smart environments security using ensemble learning","volume-title":"Cluster Comput.","author":"Hazman","year":"2022"},{"key":"B19","doi-asserted-by":"publisher","first-page":"929","DOI":"10.26599\/TST.2023.9010033","article-title":"Enhanced IDS with deep learning for IoT-Based smart cities security","volume":"29","author":"Hazman","year":"2024","journal-title":"Tsinghua Sci. Technol."},{"key":"B20","first-page":"88","article-title":"A federated learning framework with self-attention and deep reinforcement learning for IoT intrusion detection","volume-title":"Proceedings of the 2024 13th international conference on software and information engineering (ICSIE \u201924)","author":"Hesham","year":"2025"},{"key":"B21","doi-asserted-by":"publisher","first-page":"47815","DOI":"10.1109\/ACCESS.2021.3068459","article-title":"Deep reinforcement learning-based traffic sampling for multiple traffic analyzers on software-defined networks","volume":"9","author":"Kim","year":"2021","journal-title":"IEEE Access"},{"key":"B22","doi-asserted-by":"publisher","first-page":"1455","DOI":"10.1109\/TIFS.2023.3338469","article-title":"DOMR: toward deep open-world malware recognition","volume":"19","author":"Lu","year":"2024","journal-title":"IEEE Trans. Inf. Forensics Secur."},{"key":"B23","doi-asserted-by":"publisher","first-page":"71","DOI":"10.17560\/atp.v65i8.2673","article-title":"Security Analyse des MTP Konzepts","volume":"65","author":"Madsen","year":"2023","journal-title":"atp Magazin"},{"key":"B24","doi-asserted-by":"publisher","first-page":"1721","DOI":"10.32604\/cmc.2023.040567","article-title":"Fusion of feature ranking methods for an effective intrusion detection system","volume":"76","author":"Mallampati","year":"2023","journal-title":"Computers, Materials and Continua"},{"key":"B25","doi-asserted-by":"publisher","first-page":"12","DOI":"10.1109\/MPRV.2018.03367731","article-title":"N-BaIoT\u2014Network-based detection of IoT botnet attacks using deep autoencoders","volume":"17","author":"Meidan","year":"2018","journal-title":"IEEE Pervasive Comput."},{"key":"B26","article-title":"New generations of internet of things datasets for cybersecurity applications based on machine learning: ton_iot datasets","volume-title":"eResearch Australia Asia 2019, October","author":"Moustafa","year":"2019"},{"key":"B27","first-page":"110","article-title":"A dynamic reward-based deep reinforcement learning for IoT intrusion detection","volume-title":"2024 2nd international conference on intelligent communication and networking (ICN 2024)","author":"Ren","year":"2024"},{"key":"B28","doi-asserted-by":"publisher","first-page":"410","DOI":"10.1080\/08874417.2022.2067792","article-title":"Enhancing supply chain through implementation of key IIoT technologies","volume":"63","author":"Safa","year":"2023","journal-title":"J. Comput. Syst. Sci."},{"key":"B29","doi-asserted-by":"publisher","first-page":"101532","DOI":"10.1016\/j.jksuci.2023.03.010","article-title":"A novel hybrid ensemble learning for anomaly detection in industrial sensor networks and SCADA systems for smart city infrastructures","volume":"35","author":"Saheed","year":"2023","journal-title":"J. King Saud Univ. Comput. Inf. Sci."},{"key":"B30","doi-asserted-by":"publisher","first-page":"15930","DOI":"10.1109\/ACCESS.2024.3350197","article-title":"EESNN: hybrid deep learning empowered spatial-temporal features for network intrusion detection system","volume":"12","author":"Saikam","year":"2024","journal-title":"IEEE Access"},{"key":"B31","doi-asserted-by":"crossref","DOI":"10.1109\/WINCOM59760.2023.10323032","article-title":"IA applied to IIoT intrusion detection: an overview","volume-title":"Proceedings of the 10th international conference on wireless networks and Mobile communications (WINCOM 2023)","author":"Serhane","year":"2023"},{"key":"B32","doi-asserted-by":"publisher","first-page":"2121","DOI":"10.32604\/cmc.2023.040287","article-title":"AID4I: an intrusion detection framework for industrial internet of things using automated machine learning","volume":"76","author":"Sezgin","year":"2023","journal-title":"Computers, Materials and Continua"},{"key":"B33","doi-asserted-by":"publisher","first-page":"01","DOI":"10.5121\/ijcnc.2023.15601","article-title":"Trust metric-based anomaly detection via deep deterministic policy gradient reinforcement learning framework","volume":"15","author":"Shruthi","year":"2023","journal-title":"Int. J. Comput. Netw. Commun."},{"key":"B34","doi-asserted-by":"publisher","first-page":"92","DOI":"10.20998\/2522-9052.2024.3.11","article-title":"Sequential intrusion detection system for zero-trust cyber defense of IoT\/IIoT networks","volume":"8","author":"Sobchuk","year":"2024","journal-title":"Advanced Information Systems"},{"key":"B35","doi-asserted-by":"publisher","first-page":"103961","DOI":"10.1016\/j.compind.2023.103961","article-title":"ENIGMA: an explainable digital twin security solution for cyber\u2013physical systems","volume":"151","author":"Suhail","year":"2023","journal-title":"Comput. Ind."},{"key":"B36","doi-asserted-by":"publisher","first-page":"34613","DOI":"10.1109\/ACCESS.2022.3162588","article-title":"Robust botnet DGA detection: blending XAI and OSINT for cyber threat intelligence sharing","volume":"10","author":"Suryotrisongko","year":"2022","journal-title":"IEEE Access"},{"key":"B37","doi-asserted-by":"publisher","first-page":"3992","DOI":"10.1109\/TII.2020.3009133","article-title":"Secure links: secure-By-design communications in IEC 61499 industrial control applications","volume":"17","author":"Tanveer","year":"2021","journal-title":"IEEE Trans. Industr. Inform."},{"key":"B38","doi-asserted-by":"publisher","first-page":"15","DOI":"10.3991\/ijoe.v20i05.48229","article-title":"Deep reinforcement learning approach for cyberattack detection","volume":"20","author":"Tareq","year":"2024","journal-title":"Int. J. Online Biomed. Eng."},{"key":"B39","doi-asserted-by":"publisher","first-page":"3856","DOI":"10.1109\/TCE.2023.3335385","article-title":"Zero-day guardian: a dual model enabled federated learning framework for handling zero-day attacks in 5G enabled IIoT","volume":"70","author":"Verma","year":"2024","journal-title":"IEEE Trans. Consum. Electron."},{"key":"B40","doi-asserted-by":"publisher","first-page":"18372","DOI":"10.36418\/syntax-literate.v7i11.15426","article-title":"Analysis of risk management information system applications using Iso\/Iec 27001:2022","volume":"7","author":"Wiemas","year":"2024","journal-title":"Syntax Literate Jurnal Ilmiah Indonesia"},{"key":"B41","doi-asserted-by":"publisher","first-page":"13509","DOI":"10.1109\/JIOT.2023.3337897","article-title":"A hierarchical network management strategy for distributed CIIoT with imperfect CSI","volume":"11","author":"Yang","year":"2024","journal-title":"IEEE Internet Things J."},{"key":"B42","doi-asserted-by":"publisher","first-page":"88","DOI":"10.1049\/icp.2023.2577","article-title":"Deep reinforcement learning-based intrusion detection in IoT system: a review","volume":"2023","author":"Zhang","year":"2023","journal-title":"IET Conference Proceedings"},{"key":"B43","doi-asserted-by":"publisher","first-page":"8159","DOI":"10.1109\/TII.2022.3216575","article-title":"Federated learning for distributed IIoT intrusion detection using transfer approaches","volume":"19","author":"Zhang","year":"2023","journal-title":"IEEE Trans. Industr. Inform."}],"container-title":["Frontiers in Communications and Networks"],"original-title":[],"link":[{"URL":"https:\/\/www.frontiersin.org\/articles\/10.3389\/frcmn.2025.1697204\/full","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2026,1,28]],"date-time":"2026-01-28T06:44:27Z","timestamp":1769582667000},"score":1,"resource":{"primary":{"URL":"https:\/\/www.frontiersin.org\/articles\/10.3389\/frcmn.2025.1697204\/full"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2026,1,28]]},"references-count":43,"alternative-id":["10.3389\/frcmn.2025.1697204"],"URL":"https:\/\/doi.org\/10.3389\/frcmn.2025.1697204","relation":{},"ISSN":["2673-530X"],"issn-type":[{"value":"2673-530X","type":"electronic"}],"subject":[],"published":{"date-parts":[[2026,1,28]]},"article-number":"1697204"}}