This work addresses the challenges of model performance degradation due to evolving attacks and stringent resource constraints in Internet of Things (IoT) environments. To tackle these issues while preserving data privacy, the authors propose a federated incremental learning framework based on Long Short-Term Memory (LSTM) networks, integrating cumulative incremental learning, representative learning, and a rehearsal-based strategy to effectively handle concept drift. The approach enables continuous learning of both historical and emerging attack patterns, revealing an inherent trade-off between detection accuracy and model update latency dictated by training strategies. Experimental evaluation on the CICIoMT2024 dataset demonstrates that the proposed method maintains high detection stability in both binary and multi-class classification tasks, significantly enhancing the long-term robustness and adaptability of IoT intrusion detection systems.

The expansion of Internet of Things (IoT) devices has increased the attack surface of networks, necessitating a robust and adaptive intrusion detection systems. Machine learning based systems have been considered promising in enhancing the detection performance. Federated learning settings enabled us to train models from network intrusion data collected from clients in a privacy preserving manner. However, the effectiveness of these systems can degrade over time due to concept drift, where patterns in data evolve as attackers develop new techniques. Realistic detection models should be non-stationary, so they can be continuously updated with new intrusion data while maintaining their detection capability for older data. As IoT environments are resource constrained, updates should consume minimal computational resources. This study provides a comprehensive performance analysis of incremental federated learning in enhancing the long term performance of non stationary IDS models in IoT networks. Specifically, we propose LSTM models within a federated learning setting to evaluate incremental learning approaches that utilize data and model-based measures against catastrophic learning under drift conditions. Using the CICIoMT2024 dataset, which includes various attack variants across five major categories, we conduct both binary and multiclass classification to provide a granular analysis of the intrusion detection task. Our results show that cumulative incremental learning and representative learning provide the most stable performance under drift, while retention-based methods offer a strong accuracy and latency trade off. The study offers new insights into the interplay between training strategy performance and latency in dynamic IoT environments, aiming to inform the development of more resilient IDS solutions considering the resource constraints in IoT devices.