MI$^2$DAS: A Multi-Layer Intrusion Detection Framework with Incremental Learning for Securing Industrial IoT Networks

📅 2026-02-27
🤖 AI Summary
This work addresses the challenge of effectively detecting both known and unknown attacks in Industrial Internet of Things (IIoT) environments, where heterogeneous devices and dynamic traffic patterns hinder traditional intrusion detection systems. To this end, the authors propose a multi-layer collaborative detection framework that integrates Gaussian Mixture Models (GMM), Local Outlier Factor (LOF), and Random Forest, enhanced with hierarchical traffic pooling, open-set recognition, and incremental learning mechanisms. This approach enables layered identification of normal traffic, known attacks, and unknown attacks without requiring extensive labeled data, while supporting continuous adaptation. Evaluated on the Edge-IIoTset dataset, the system achieves a binary classification accuracy of 0.953 for normal versus attack traffic, recall rates of 0.813 and 0.882 for known and unknown attacks respectively, a macro-F1 score of 0.941 for fine-grained known attack classification, and a macro-F1 of 0.8995 for the incremental learning module.

📝 Abstract
The rapid expansion of Industrial IoT (IIoT) systems has amplified security challenges, as heterogeneous devices and dynamic traffic patterns increase exposure to sophisticated and previously unseen cyberattacks. Traditional intrusion detection systems often struggle in such environments due to their reliance on extensive labeled data and limited ability to detect new threats. To address these challenges, we propose MI$^2$DAS, a multi-layer intrusion detection framework that integrates anomaly-based hierarchical traffic pooling, open-set recognition to distinguish between known and unknown attacks, and incremental learning for adapting to novel attack types with minimal labeling. Experiments conducted on the Edge-IIoTset dataset demonstrate strong performance across all layers. In the first layer, GMM achieves superior normal-attack discrimination (accuracy = 0.953, TPR = 1.000). In open-set recognition, GMM attains a recall of 0.813 for known attacks, while LOF achieves 0.882 recall for unknown attacks. For fine-grained classification of known attacks, Random Forest achieves a macro-F1 of 0.941. Finally, the incremental learning module maintains robust performance when incorporating novel attack classes, achieving a macro-F1 of 0.8995. These results showcase MI$^2$DAS as an effective, scalable and adaptive framework for enhancing IIoT security against evolving threats.

Problem

Research questions and friction points this paper is trying to address.

Industrial IoT
Intrusion Detection
Unknown Attacks
Incremental Learning
Open-Set Recognition

Innovation

Methods, ideas, or system contributions that make the work stand out.

incremental learning
open-set recognition
multi-layer intrusion detection
Industrial IoT security
anomaly-based detection