This work proposes a privacy-preserving federated learning framework for intrusion detection in the Internet of Things, addressing critical challenges including privacy leakage, poor scalability, and insufficient robustness against poisoning attacks. The framework integrates a dynamic temporal gradient auditing mechanism, an enhanced ElGamal-based secure aggregation protocol, and a dual-objective personalized learning strategy tailored for non-IID data. Anomaly detection is achieved through Gaussian mixture modeling combined with Mahalanobis distance, while performance is further improved via adaptive pruning quantization and a logit-adjusted loss function. Experimental results on the N-BaIoT dataset demonstrate that the proposed method significantly outperforms existing federated intrusion detection approaches, maintaining robust accuracy even when 50% of the participating clients are malicious.

The rapid proliferation of Internet of Things (IoT) devices across domains such as smart homes, industrial control systems, and healthcare networks has significantly expanded the attack surface for cyber threats, including botnet-driven distributed denial-of-service (DDoS), malware injection, and data exfiltration. Conventional intrusion detection systems (IDS) face critical challenges like privacy, scalability, and robustness when applied in such heterogeneous IoT environments. To address these issues, we propose SecureDyn-FL, a comprehensive and robust privacy-preserving federated learning (FL) framework tailored for intrusion detection in IoT networks. SecureDyn-FL is designed to simultaneously address multiple security dimensions in FL-based IDS: (1) poisoning detection through dynamic temporal gradient auditing, (2) privacy protection against inference and eavesdropping attacks through secure aggregation, and (3) adaptation to heterogeneous non-independent-and-identically-distributed (non-IID) data via personalized learning. The framework introduces three core contributions: (i) a dynamic temporal gradient auditing mechanism that leverages Gaussian mixture models (GMMs) and Mahalanobis distance (MD) to detect stealthy and adaptive poisoning attacks, (ii) an optimized privacy-preserving aggregation scheme based on transformed additive ElGamal encryption with adaptive pruning and quantization for secure and efficient communication, and (iii) a dual-objective personalized learning strategy that improves model adaptation under non-IID data using logit-adjusted loss. Extensive experiments on the N-BaIoT dataset under both IID and non-IID settings, including scenarios with up to 50% adversarial clients, demonstrate that SecureDyn-FL consistently outperforms state-of-the-art FL-based IDS defenses. It achieves up to 99.01% detection accuracy, a 98.9% F1-score, and significantly reduced attack success rates across diverse poisoning attacks, while maintaining strong privacy guarantees and computational efficiency for resource-constrained IoT devices.