Cross-Domain Generalization Failure in Lightweight Intrusion Detection Models for IIoT Networks
English summary
This study trains four lightweight architectures on one IIoT intrusion detection dataset and evaluates them without retraining on two structurally distinct datasets, using a shared feature set. Both top-performing models rely overwhelmingly on coarse port-category features; the most influential category appears 96 to 435 times more in source-domain attack traffic than in target domains, showing that coarsening port resolution relocates rather than removes a shortcut. Evaluation under natural class imbalance can reverse which target network seems harder to generalize to. Adversarial robustness is uncorrelated with cross-network generalization, and recovery through limited target-domain exposure varies widely by architecture. The results argue that deployment readiness should be judged by cross-network evaluation under realistic distributions, not within-domain accuracy alone.
Chinese summary
该研究在一种IIoT入侵检测数据集上训练四种轻量级架构,并在两种结构不同的数据集上不做再训练直接评估,使用三者共有的特征子集。表现最好的两个模型都严重依赖粗粒度的端口类别特征,其中最具影响力的类别在源域攻击流量中的出现频率是目标域的96到435倍,表明粗化端口分辨率只是移动而非消除了已知的捷径。在自然类不平衡条件下,评估协议可以颠倒哪个目标网络看起来更难泛化。对抗鲁棒性与跨网络泛化无关,通过少量目标域数据恢复的效果因架构而异。结果表明,部署就绪性应基于真实分布下的跨网络评估,而非仅看域内准确率。
Key points
Lightweight IIoT intrusion detection models fail to generalize across networks when tested without retraining, relying on port-category shortcuts.
轻量级IIoT入侵检测模型未经再训练直接跨网测试时无法泛化,依赖端口类别捷径。
The most influential port category appears 96–435× more in source attack traffic, revealing that coarsening port resolution does not eliminate the shortcut.
最具影响力的端口类别在源攻击流量中出现频率高出96–435倍,证明粗化端口分辨率未消除捷径。
Natural class imbalance can reverse the perceived generalization difficulty between target domains, depending on the evaluation protocol.
自然类不平衡可依据评估协议逆转目标域之间的泛化难度感知。
Adversarial robustness is independent of cross-network generalization, and adaptation via limited target-domain data varies strongly by architecture.
对抗鲁棒性与跨网络泛化无关,有限目标域数据下的适应效果因架构差异很大。
Cross-network evaluation under realistic class distributions is necessary to assess deployment readiness, not within-domain accuracy alone.
必须在真实类分布下进行跨网络评估才能判断部署就绪性,不能仅看域内准确率。