Abstract

Securing industrial IoT infrastructure is no longer a competitive advantage ; it is a prerequisite for resilient, trustworthy, and sustainable Industry 5.0.

Keywords : Industry 5.0, Industrial IoT, Intrusion Detection, Federated Learning, GNN

The rapid proliferation of Industrial Internet of Things (IIoT) devices in manufacturing, energy, and logistics environments has dramatically expanded the cyber attack surface of critical industrial infrastructure. These interconnected cyber-physical systems, while enabling new data-driven automation and intelligent services, introduce severe security vulnerabilities: a single compromised sensor or gateway can propagate threats across the entire production network. In such distributed environments, where multiple industrial stakeholders collaborate without sharing sensitive operational data, security, resilience, and data confidentiality become critical prerequisites for the large-scale adoption of Industry 4.0 and 5.0 technologies.

This doctoral research addresses a core scientific challenge: the collaborative and privacy-preserving detection of cyberattacks and anomalies in IIoT ecosystems. Although deep learning-based intrusion detection systems (IDS) have shown strong performance, their centralized training paradigm raises critical concerns regarding data sovereignty, scalability, and robustness in heterogeneous industrial deployments. This thesis proposes a distributed detection framework combining federated learning and graph neural networks (GNNs), capable of modeling the structural dependencies between IIoT components while keeping sensitive operational data on-premises at each industrial site. Local detection models are trained at the level of edge nodes or industrial gateways and collaboratively aggregated without sharing raw data, enabling collective threat intelligence while preserving industrial confidentiality.

The originality of this work lies in the combined use of federated learning, GNNs, and centrality measures from complex network theory to enhance anomaly detection accuracy, improve robustness in heterogeneous environments, and generalize to novel, unseen attack patterns. Building directly upon prior contributions from the CESI LINEACT team in IoT intrusion detection, federated learning, and graph-based modeling, the proposed framework will be evaluated on realistic IIoT attack scenarios and benchmarked against state-of-the-art methods. The objective is to deliver a generic, distributed, and privacy-preserving methodological building block to strengthen the cybersecurity, operational resilience, and sustainability of future smart industrial systems.

Research Work

Scientific context

The rapid deployment of IIoT devices across manufacturing, smart energy, and logistics sectors has profoundly transformed industrial architectures, giving rise to a new generation of cyber-physical systems (CPS) whose security is critical to operational continuity. Modern IIoT infrastructures embed hundreds of heterogeneous sensors, actuators, and gateways communicating over protocols. The simultaneous growth of remote access interfaces, cloud connectivity, and over-the-air update mechanisms dramatically expands the attack surface of these industrial networks [1, 2].

Network Intrusion Detection Systems (NIDS) have emerged as an essential countermeasure for monitoring IIoT traffic and detecting malicious activity [3]. AI-based NIDS, notably deep learning models, have demonstrated high detection accuracy, but centralizing industrial data on a remote server for training introduces critical scalability, bandwidth, and data sovereignty challenges that are incompatible with real-world industrial deployments [4]. Federated Learning (FL) has been proposed as a solution: each node trains a model locally and only shares model weights with a central aggregator, keeping sensitive data on-premises while enabling collaborative learning at scale [5].

A key limitation of conventional federated approaches is their inability to capture the graph-structured topology inherent to IIoT networks, where devices and communication buses form complex relational graphs. Graph Neural Networks (GNNs) address this gap by modeling nodes and their interactions explicitly. Combined with complex network centrality measures (e.g., degree, betweenness, and modularity-aware centrality), GNNs can identify critical nodes and communication patterns, improving detection accuracy and generalization across heterogeneous industrial deployments [6–9]. This thesis sits at the intersection of federated learning, graph deep learning, and industrial cybersecurity.

Subject

This thesis proposes the design, implementation, and evaluation of a federated GNN-based intrusion detection framework for Industrial IoT networks (IIoT). Its originality lies in the combination of three complementary dimensions: (i) federated learning specifically adapted to the constraints and heterogeneity of industrial environments, (ii) graph neural network architectures tailored to the topology of IIoT communication systems, and (iii) the exploitation of complex network properties to optimize both the learning model and the federation process.

To support this objective, the work begins with a comprehensive state of the art on GNN-based federated intrusion detection systems for industrial cyber-physical systems, building on existing approaches in IoT and CPS security while identifying key limitations and research opportunities specific to IIoT environments. A core contribution will be the modeling of IIoT networks as graph-structured systems, where devices are represented as nodes and communication channels as edges. This includes extracting structural features such as centrality metrics and constructing realistic datasets that capture a wide spectrum of IIoT attack scenarios, including traffic injection, spoofing, denial-of-service, and anomalous sensor behavior. Building upon the dataset generation methodology introduced in [10], these datasets will be enriched with diverse complex network properties to ensure robustness and representativeness.

The thesis will focus on the design of a federated GNN aggregation method adapted to IIoT heterogeneity, extending architectures such as FedGATSage [11]. The proposed approach will address the critical limitation of prior work, namely the loss of structural information during parameter aggregation, by preserving both spatial (topological) and temporal (traffic sequence) dependencies. Centrality-driven strategies will also be explored to guide client selection and weighting mechanisms, improving convergence and handling non-IID data distributions across heterogeneous industrial deployments.

The thesis will further investigate how complex network properties (such as modularity, community structure, and backbone extraction) can be leveraged to optimize IIoT systems by reducing computational overhead and improving inference speed, which is essential for resource-constrained embedded industrial environments [12–14]. The proposed framework will be extensively evaluated through experimental benchmarking against state-of-the-art methods, using both public datasets (NF-ToN-IoT, CIC-ToN-IoT, N-BaIoT) and internally generated datasets. Performance will be assessed across multiple dimensions: detection accuracy under diverse attack scenarios, privacy preservation, and communication efficiency in federated settings.

The doctoral candidate will be hosted at the CESI LINEACT research department during his stay in France and may have access to the "Industry of the Future" demonstrator, equipped with sensors, robots, and a digital twin infrastructure that faithfully replicates real-world IIoT environments. During his stay in Canada, he will additionally benefit from an IoT platform dedicated to industrial smart buildings, offering a complementary and highly realistic experimental environment. Together, these two infrastructures will provide a rich, dual-context validation framework, enabling the proposed approach to be stress-tested across diverse industrial settings and strengthening the external validity and generalizability of the research findings.

Prior works in the laboratory

The contributions of this thesis project build directly on an established and coherent body of research conducted by the CESI LINEACT team, in collaboration with the Lebanese University, through the jointly supervised theses of Mortada Termos and Fouad Al Tfaily. Termos et al. introduced the GDLC framework, which integrates graph deep learning with centrality measures for intrusion detection in IoT networks [6], and subsequently extended this approach with an enhanced GraphSAGE embedding algorithm that further exploits centrality for node representation [8]. These contributions demonstrated that modeling network traffic as graphs and leveraging topological properties significantly outperforms classical deep learning methods for NIDS.

More recently, Termos et al. showed that integrating centrality measures into FL-based NIDS substantially improves generalization in heterogeneous federated environments [7–9], establishing the methodological foundation upon which this thesis will build. At the federated learning level, Al Tfaily et al. proposed FedGATSage, a federated architecture combining client-side Graph Attention Networks with server-side GraphSAGE through community abstraction, achieving near-centralized accuracy on NF-ToN-IoT and CIC-ToN-IoT benchmarks while preserving full data privacy [11]. Arbaoui et al. provided a comprehensive multi-level taxonomy of FL aggregation techniques [5], while Brahmia et al. demonstrated adaptive attack prediction for CPS using ensemble machine learning [3].

The team has also investigated dataset diversity, showing that generating datasets with varied complex network properties is essential for reliable IDS evaluation [10]. The research group around Ghalmane et al. has contributed foundational work on centrality in complex networks with overlapping community structures [12] and on backbone extraction in weighted modular networks [13, 14]. All these works converge naturally toward the IIoT security domain, which constitutes the core application frontier of this doctoral project.