pith. machine review for the scientific record.

arXiv: 2605.06571 · v1 · submitted 2026-05-07 · 💻 cs.LG · cs.CR · cs.DC · cs.NI

CLAD: A Clustered Label-Agnostic Federated Learning Framework for Joint Anomaly Detection and Attack Classification

Pith reviewed 2026-05-08 12:24 UTC · model grok-4.3

keywords: federated learning · anomaly detection · attack classification · IoT security · clustered federated learning · unsupervised learning · label scarcity · intrusion detection

The pith

CLAD improves IoT attack detection by 30% (relative) in settings where 80% of clients are unlabeled, while halving communication costs.

A machine-rendered reading of the paper's core claim, the machinery that carries it, and where it could break.

The paper proposes CLAD as a framework that merges clustered federated learning with a dual-mode model architecture to handle both device differences and scarce labels in IoT networks. It groups devices by similar traffic patterns and uses a shared encoder with separate branches so the system can perform anomaly detection on unlabeled data and attack classification on labeled data at the same time. This design lets every client contribute without discarding data and keeps models from diverging across heterogeneous devices. Evaluations show the approach yields stronger detection results than prior federated methods, especially when most clients lack labels, and does so with reduced communication.

Core claim

CLAD integrates clustered federated learning with a dual-mode micro-architecture that consists of a shared encoder followed by two branches, one for unsupervised anomaly detection and one for supervised attack classification. By dynamically grouping clients according to congruent traffic patterns, the framework prevents global model divergence while allowing every client to contribute intelligence regardless of label availability.

What carries the argument

Dual-Mode Micro-Architecture (DM²A) consisting of a shared encoder with separate unsupervised and supervised branches, combined with dynamic client clustering based on traffic patterns.

If this is right

  • Detection performance rises 30% relative to baselines when 80% of clients provide only unlabeled data.
  • Communication cost drops to half that of standard federated learning while privacy is preserved.
  • No client data is discarded, allowing full use of both labeled and unlabeled traffic.
  • Distinct device behaviors are maintained through clustering rather than averaged into one global model.

Where Pith is reading between the lines

These are editorial extensions of the paper, not claims the author makes directly.

  • The clustering step may transfer to other federated settings that face client heterogeneity even if labels are abundant.
  • Joint unsupervised-supervised training could be adapted to additional edge tasks such as predictive maintenance where partial labels exist.
  • Dynamic reclustering during operation might support environments where device traffic patterns shift over time.

Load-bearing premise

Devices can be reliably grouped by traffic patterns and the two learning branches can be combined without causing performance losses in varied device environments.

What would settle it

A controlled test in which clustering is deliberately inaccurate or the dual branches are forced to share more parameters, checking whether the reported 30% gain and halved communication cost disappear in the 80% unlabeled setting.

Figures

Figures reproduced from arXiv: 2605.06571 by Iason Ofeidis, Leandros Tassiulas, Nikos Papadis, Randeep Bhatia, TV Lakshman.

Figure 1: While centralized methods compromise privacy and
Figure 2: The proposed Dual-Mode Micro-Architecture
Figure 3: System Overview provides architectural flexibility: in scenarios where labels are unavailable, α is set to 0, reducing the task to pure anomaly detection via reconstruction error. When labels are present, each client can set their own α value based on their label availability to allow both heads to update the shared encoder accordingly. B. Federated Training with Adapted CLoVE Standard FedAvg fails in hete…
Figure 4: Performance under balanced & IID scenario for CIC
Figure 5: Impact of Unlabeled Client Ratios for CIC
Figure 6: Communication Efficiency for different scenarios.
Figure 7: Computational Impact for different scenarios.

Original abstract

The rapid expansion of the Internet of Things (IoT) and Industrial IoT (IIoT) has created a massive, heterogeneous attack surface that challenges traditional network security mechanisms. While Federated Learning (FL) offers a privacy-preserving alternative to centralized Intrusion Detection Systems (IDS), standard approaches struggle to generalize across diverse device behaviors and typically fail to utilize the vast amounts of unlabeled data present in realistic edge environments. To bridge these gaps, we propose CLAD, a holistic framework that seamlessly incorporates Clustered Federated Learning (CFL) with a novel Dual-Mode Micro-Architecture ($\text{DM}^2\text{A}$). This unified approach simultaneously tackles the two primary bottlenecks of IoT security: device heterogeneity and label scarcity. The $\text{DM}^2\text{A}$ component features a shared encoder followed by two branches, enabling joint unsupervised anomaly detection and supervised attack classification; this allows the framework to harvest intelligence from both labeled and unlabeled clients. Concurrently, the clustering component dynamically groups devices with congruent traffic patterns, preventing global model divergence. By carefully combining these elements, CLAD ensures that no data is discarded and distinct operational patterns are preserved. Extensive evaluations demonstrate that this integrated approach significantly outperforms state-of-the-art baselines, achieving a 30% relative improvement in detection performance in scenarios with 80% unlabeled clients, with only half the communication cost.
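
The shared-encoder, two-branch design described in the abstract, together with the per-client α weighting mentioned in the Figure 3 caption, as an added example (not code from the paper or from Pith): finite-difference gradients show which parts of the model an unlabeled client (α = 0) and a labeled client (α > 0) actually update. The loss form L_recon + α·L_cls, the layer sizes, the weights and the sample batches are assumptions constructed for illustration.

```python
import math

D_IN, D_LAT, N_CLS = 4, 2, 2  # constructed sizes, not taken from the paper

def init_params():
    # Deterministic non-zero weights (flat, row-major) so every gradient path is active.
    return {
        "enc": [0.05 * (k + 1) * (-1) ** k for k in range(D_IN * D_LAT)],
        "dec": [0.04 * (k + 2) * (-1) ** (k // 2) for k in range(D_LAT * D_IN)],
        "cls": [0.3, -0.2, 0.1, 0.4],
    }

def matvec(w, x, n_out):
    return [sum(x[i] * w[i * n_out + j] for i in range(len(x))) for j in range(n_out)]

def forward(p, x):
    z = [math.tanh(v) for v in matvec(p["enc"], x, D_LAT)]  # shared encoder
    return matvec(p["dec"], z, D_IN), matvec(p["cls"], z, N_CLS)

def recon_error(p, x):
    # Unsupervised branch: mean squared reconstruction error, also the anomaly score.
    x_hat, _ = forward(p, x)
    return sum((a - b) ** 2 for a, b in zip(x, x_hat)) / D_IN

def cross_entropy(p, x, y):
    # Supervised branch: softmax cross-entropy, computed in a numerically stable way.
    _, logits = forward(p, x)
    m = max(logits)
    return m + math.log(sum(math.exp(l - m) for l in logits)) - logits[y]

def client_loss(p, batch, alpha):
    # Assumed combination: L = L_recon + alpha * L_cls.
    # alpha = 0 (or a sample without a label) leaves only the reconstruction term.
    total = 0.0
    for x, y in batch:
        total += recon_error(p, x)
        if alpha > 0 and y is not None:
            total += alpha * cross_entropy(p, x, y)
    return total / len(batch)

def num_grad(p, batch, alpha, eps=1e-5):
    # Central finite differences per parameter: slow, but easy to audit.
    grads = {}
    for name, w in p.items():
        grads[name] = []
        for k in range(len(w)):
            old = w[k]
            w[k] = old + eps
            up = client_loss(p, batch, alpha)
            w[k] = old - eps
            down = client_loss(p, batch, alpha)
            w[k] = old
            grads[name].append((up - down) / (2 * eps))
    return grads

def grad_norms(p, batch, alpha):
    # L2 norm of the gradient for each component: encoder, decoder head, classifier head.
    return {n: math.sqrt(sum(v * v for v in g)) for n, g in num_grad(p, batch, alpha).items()}

# Constructed, already-scaled flow features; y is None where the client has no labels.
UNLABELED_BATCH = [([0.2, 0.1, 0.9, 0.8], None), ([0.1, 0.2, 0.1, 0.1], None)]
LABELED_BATCH = [([0.2, 0.1, 0.9, 0.8], 1), ([0.1, 0.2, 0.1, 0.1], 0)]

if __name__ == "__main__":
    p = init_params()
    print("unlabeled client, alpha=0.0:", grad_norms(p, UNLABELED_BATCH, 0.0))
    print("labeled client,   alpha=0.5:", grad_norms(p, LABELED_BATCH, 0.5))
```

The unlabeled client leaves the classifier head untouched but still moves the shared encoder through the reconstruction term, which is how a client without labels can contribute to the representation the classifier later uses.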

Editorial analysis

A structured set of objections, weighed in public.

Desk editor's note, referee report, simulated authors' rebuttal, and a circularity audit. Tearing a paper down is the easy half of reading it; the pith above is the substance, this is the friction.

Referee Report

0 major / 3 minor

Summary. The paper proposes CLAD, a Clustered Label-Agnostic Federated Learning framework that integrates Clustered Federated Learning (CFL) with a novel Dual-Mode Micro-Architecture (DM²A). The DM²A consists of a shared encoder followed by two branches that enable joint unsupervised anomaly detection on unlabeled clients and supervised attack classification on labeled clients. Devices are dynamically clustered based on congruent traffic patterns to mitigate heterogeneity, with the framework designed to utilize all data without discarding any and to reduce communication costs. The central empirical claim is a 30% relative improvement in detection performance in scenarios with 80% unlabeled clients, achieved at half the communication cost of state-of-the-art baselines.

Significance. If the reported gains are robustly supported by the experiments, this work is significant for advancing privacy-preserving intrusion detection in heterogeneous IoT/IIoT environments. It directly tackles label scarcity by harvesting value from unlabeled clients via the dual-branch design and addresses device heterogeneity via clustering, while halving communication overhead. The joint training approach without data discard and the empirical demonstration of gains at high unlabeled ratios represent a practical strength over standard FL or single-task CFL methods.

minor comments (3)
  1. Abstract: The claim of 'extensive evaluations' and the 30% improvement would be strengthened by briefly indicating the datasets (e.g., TON_IoT, UNSW-NB15) and client counts used, even at high level, to allow immediate assessment of scope and realism.
  2. §3 (Method): The description of how traffic patterns are encoded for clustering (e.g., feature extraction, distance metric, or number of clusters) could include a short equation or pseudocode to make the CFL component fully reproducible from the text.
  3. §4 (Experiments): While the 30% relative gain and halved communication cost are reported, adding a table or figure with per-baseline breakdowns (including standard FL, non-clustered DM²A, and other CFL variants) and standard deviations across runs would improve clarity and allow readers to judge consistency.

Simulated Author's Rebuttal

0 responses · 0 unresolved

We thank the referee for the positive evaluation of our work and the recommendation for minor revision. We appreciate the recognition that CLAD addresses key challenges in privacy-preserving intrusion detection for heterogeneous IoT/IIoT settings through its integration of clustered federated learning and the dual-mode architecture, particularly the ability to leverage unlabeled data without discarding any clients and the reported reductions in communication overhead.

Circularity Check

0 steps flagged

No significant circularity; empirical claims only

The paper introduces CLAD as a combined CFL + DM²A framework for joint anomaly detection and attack classification in heterogeneous IoT settings. All performance claims (e.g., 30% relative improvement at 80% unlabeled clients, halved communication cost) are presented as direct outcomes of experimental evaluations on baselines. No equations, derivations, fitted parameters renamed as predictions, or load-bearing self-citations appear in the abstract or described structure. The architecture is a standard multi-task FL pattern with clustering on traffic similarity; no step reduces to its own inputs by construction. The derivation chain is therefore self-contained and non-circular.

Axiom & Free-Parameter Ledger

0 free parameters · 0 axioms · 0 invented entities

The abstract does not specify any free parameters, axioms, or invented entities beyond naming the framework components; full details would be in the paper.
