To address the challenges of class imbalance, non-IID data distribution, and high communication overhead in IoT intrusion detection under federated learning, this paper proposes a personalized dual-model federated intrusion detection framework. The method introduces: (1) a teacher–shared-student architecture enabling client-specific modeling; (2) bidirectional knowledge distillation with adaptive temperature scaling to enhance knowledge transfer across heterogeneous data; (3) multi-dimensional feature alignment coupled with a balanced loss function to mitigate class bias; and (4) normalized gradient aggregation to reduce communication costs while ensuring fair model updates. Extensive experiments on IoTID20 and 5GNIDD demonstrate that our approach achieves significantly higher F1-scores than state-of-the-art federated methods under extreme non-IID settings, while reducing communication overhead by approximately 37%, thereby establishing a new performance benchmark.

Federated learning (FL) offers a privacy-preserving paradigm for machine learning, but its application in intrusion detection systems (IDS) within IoT networks is challenged by severe class imbalance, non-IID data, and high communication overhead.These challenges severely degrade the performance of conventional FL methods in real-world network traffic classification. To overcome these limitations, we propose Sentinel, a personalized federated IDS (pFed-IDS) framework that incorporates a dual-model architecture on each client, consisting of a personalized teacher and a lightweight shared student model. This design effectively balances deep local adaptation with efficient global model consensus while preserving client privacy by transmitting only the compact student model, thus reducing communication costs. Sentinel integrates three key mechanisms to ensure robust performance: bidirectional knowledge distillation with adaptive temperature scaling, multi-faceted feature alignment, and class-balanced loss functions. Furthermore, the server employs normalized gradient aggregation with equal client weighting to enhance fairness and mitigate client drift. Extensive experiments on the IoTID20 and 5GNIDD benchmark datasets demonstrate that Sentinel significantly outperforms state-of-the-art federated methods, establishing a new performance benchmark, especially under extreme data heterogeneity, while maintaining communication efficiency.