
arxiv: 2605.00279 · v1 · submitted 2026-04-30 · 💻 cs.CR · cs.LG

A Comparative Analysis of Machine Learning Models for Intrusion Detection in Intelligent Transport Systems

Pith reviewed 2026-05-09 19:37 UTC · model grok-4.3

classification 💻 cs.CR cs.LG
keywords: intrusion detection, intelligent transport systems, federated learning, edge computing, machine learning models, trust-aware aggregation, cybersecurity, V2X security

The pith

A trust-aware federated hybrid framework lets random forest, decision tree, and linear SVM models learn complementary traffic patterns at edge sites for intrusion detection in intelligent transport systems.

A machine-rendered reading of the paper's core claim, the machinery that carries it, and where it could break.

The paper proposes moving intrusion detection processing to edge nodes in intelligent transport systems to cut latency and bandwidth use while handling the larger attack surface created by distributed, resource-constrained devices. It combines a random forest, a decision tree, and a linear SVM at each edge site so the models capture different aspects of network traffic. A central server then aggregates the local model updates using a trust-aware method. This setup aims to deliver proactive, millisecond-scale protection for connected vehicles and infrastructure without requiring all data to be sent to a central location. A sympathetic reader would see value in the approach because it tries to balance security gains with the practical constraints of real-time V2X communications.

Core claim

The central claim is that a trust-aware federated hybrid intrusion detection framework, in which a random forest, a decision tree, and a linear SVM network learn complementary traffic representations at each edge site while a server performs trust-aware aggregation of local model updates, improves security for intelligent transport systems.

What carries the argument

The trust-aware federated hybrid intrusion detection framework that assigns complementary representation learning to three local models and trust-based aggregation to the server.

If this is right

  • Detection runs locally at edge nodes, lowering response time to threats in ultra-low-latency V2X links.
  • Complementary patterns from the three models cover a wider range of attack signatures than any one model alone.
  • Federated aggregation avoids moving raw traffic data off edge sites, preserving bandwidth and some privacy.
  • Trust scoring at the server filters unreliable updates, reducing the impact of compromised edge nodes.
  • The overall system supports zero-touch, self-sufficient safeguards that operate without constant human oversight.

Where Pith is reading between the lines

These are editorial extensions of the paper, not claims the author makes directly.

  • The same local-model-plus-trust-aggregation pattern could be tried in other distributed IoT settings such as smart grids or industrial control networks.
  • Future implementations would need explicit rules for calculating trust scores to prevent the aggregation step itself from becoming a target.
  • Real-world validation on 5G testbeds with actual vehicle traffic would show whether the claimed millisecond response times hold under load.
  • Because no raw data leaves the edge, the framework may incidentally reduce regulatory hurdles around data sharing in transportation systems.

Load-bearing premise

The three models truly learn complementary representations of traffic and the trust-aware aggregation step improves detection accuracy without creating new vulnerabilities or unrealistic trust requirements among edge nodes.

What would settle it

A side-by-side test on the same ITS traffic dataset showing the hybrid federated system achieves no higher detection rate or introduces measurable new attack success compared with any single local model or standard centralized training.

Figures

Figures reproduced from arXiv: 2605.00279 by Robert Abbas, Sasa Maric, Zawad Yalmie Sazid.

Figure 1: IDS-powered EC-FL V2X.

  Text extracted with the caption: ROC-AUC is particularly well-suited for IDS assessment because it provides performance evaluation across operating points rather than at a single threshold. This threshold-independent capability enables analysts to select operating points that balance detection and false alarm rates depending on the attack surface. VI. RESULTS AND EVALUATION A. Achieved Quantitative Performance Thes…

Figure 2: SITS.

  TABLE I. PERFORMANCE METRICS

  Model          Accuracy  Precision  Recall    F1-score  ROC-AUC
  Random Forest  0.999889  0.999922   0.999883  0.999902  1.00000
  Decision Tree  0.999756  0.999727   0.999844  0.999785  0.999833
  Linear SVM     0.999092  0.999258   0.999141  0.999199  0.999882

  Text extracted with the caption: … negatives. This is an impressively clean error profile and explains why it tops the metric table. In the context of a cybersecurity deployment, low false…

Figure 5: Class support in the achieved CICIDS2017 binary baseline.

Figure 6: Confusion matrices for the three achieved baseline models.

Figure 4: Achieved performance comparison across accuracy, precision, recall,

Figure 7: False-positive and false-negative profiles derived from the achieved

Figure 8: ROC curve comparison for Random Forest, Decision Tree, and Linear
Original abstract

AI-powered edge computing security is moving Intelligent Transportation Systems (ITS) from passive, rule-based protections to proactive, smart, zero-touch, self-sufficient safeguards that neutralize threats in milliseconds. As transportation becomes more connected with edge computing, massive IoT, and advanced 5G for vehicle-to-everything (V2X) connectivity, AI at the edge computing nodes plays a crucial role in protecting against sophisticated threats, enabling URLLC (ultra-low-latency communications) for smart transport, and enhancing infrastructure capabilities and safety. This research applies edge computing to improve latency, bandwidth efficiency, and service responsiveness by moving processing closer to devices, gateways, and users. However, this shift also expands the cyberattack surface because edge nodes are distributed, heterogeneous, and often resource-constrained. The paper proposes a trust-aware federated hybrid intrusion detection framework in which a random forest, a decision tree, and a linear SVM network learn complementary traffic representations at each edge site, while a server performs trust-aware aggregation of local model updates.

Editorial analysis

A structured set of objections, weighed in public.

Desk editor's note, referee report, simulated authors' rebuttal, and a circularity audit. Tearing a paper down is the easy half of reading it; the pith above is the substance, this is the friction.

Referee Report

1 major / 1 minor

Summary. The paper proposes a trust-aware federated hybrid intrusion detection framework for Intelligent Transport Systems (ITS). Random forest, decision tree, and linear SVM models are trained locally at each edge site to learn complementary traffic representations, after which a central server performs trust-aware aggregation of the local model updates to enable proactive, low-latency threat detection in edge computing and V2X environments.

Significance. If the framework could be shown to resolve the aggregation of heterogeneous models while delivering measurable gains in detection accuracy and resilience without introducing new attack surfaces, it would address a timely need for distributed security in connected transportation systems. The combination of multi-model complementarity at the edge with trust-aware server coordination has potential relevance for URLLC and resource-constrained IoT settings, but the manuscript provides no experimental results, datasets, or validation to substantiate these benefits.

major comments (1)
  1. [Abstract] Abstract: The central claim requires a server to perform trust-aware aggregation of updates from random forest, decision tree, and linear SVM models trained at edge sites. These models operate in incompatible parameter spaces (tree structures versus hyperplane coefficients), so conventional federated averaging is undefined. No alternative mechanism (knowledge distillation, meta-learning, shared embedding space, or ensemble construction) is specified, rendering the hybrid federated component of the proposal inoperable as stated.
minor comments (1)
  1. The title emphasizes comparative analysis of machine learning models, yet the provided text contains no performance metrics, baseline comparisons, or ablation studies.

Simulated Author's Rebuttal

1 response · 0 unresolved

We thank the referee for the constructive feedback. We address the single major comment point by point below.

Point-by-point responses
  1. Referee: [Abstract] Abstract: The central claim requires a server to perform trust-aware aggregation of updates from random forest, decision tree, and linear SVM models trained at edge sites. These models operate in incompatible parameter spaces (tree structures versus hyperplane coefficients), so conventional federated averaging is undefined. No alternative mechanism (knowledge distillation, meta-learning, shared embedding space, or ensemble construction) is specified, rendering the hybrid federated component of the proposal inoperable as stated.

    Authors: We acknowledge the validity of this observation. The manuscript presents the high-level architecture of the trust-aware federated hybrid framework but does not specify the concrete aggregation mechanism for heterogeneous models with incompatible parameter spaces. We agree that this omission renders the proposal incomplete as written. In the revised manuscript we will add a dedicated subsection detailing a decision-level fusion approach: each edge site transmits only the prediction scores (or probability outputs) produced by its local random forest, decision tree, and linear SVM models on a small shared reference batch of traffic samples; the central server then computes a trust-weighted average of these scores to obtain the final detection result. This method avoids direct parameter aggregation entirely while preserving the complementary strengths of the three models and the trust-aware weighting. We believe the addition will make the hybrid federated component fully operable and address the referee's concern.

    revision: yes
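
The decision-level fusion described in the rebuttal, sketched as an added example that is not code from the paper or from Pith. The trust rule is an assumption, since the page does not define one: the server is assumed to hold labels for the shared reference batch, and a site's trust is its reference-batch accuracy above a floor. All site names and scores are constructed.

```python
# Added illustration (not the paper's code): decision-level fusion of per-site
# scores with trust weights. ASSUMPTIONS: the server holds labels for the shared
# reference batch, and trust is reference-batch accuracy above a floor.

def site_score(models):
    """Average RF, DT and linear-SVM attack probabilities per sample for one site."""
    rows = list(models.values())
    return [sum(col) / len(rows) for col in zip(*rows)]

def trust_weights(ref_reports, ref_labels, floor=0.5):
    """Normalised weight per site; accuracy at or below `floor` earns zero trust."""
    raw = {}
    for site, models in ref_reports.items():
        hits = sum((p >= 0.5) == bool(y) for p, y in zip(site_score(models), ref_labels))
        raw[site] = max(0.0, hits / len(ref_labels) - floor)
    total = sum(raw.values())
    if total == 0:
        raise ValueError("no site cleared the trust floor; refusing to aggregate")
    return {site: w / total for site, w in raw.items()}

def fuse(reports, weights, threshold=0.5):
    """Trust-weighted average of site scores, returned as (scores, verdicts)."""
    per_site = {s: site_score(m) for s, m in reports.items()}
    scores = [sum(weights[s] * v for s, v in zip(per_site, col))
              for col in zip(*per_site.values())]
    return scores, [x >= threshold for x in scores]

# Constructed sample data: sites A and B are honest, site C reports inverted scores.
REF_LABELS = [1, 0, 1, 0]  # 1 = attack, 0 = benign (assumed known to the server)
REF = {
    "A": {"rf": [0.9, 0.1, 0.8, 0.2], "dt": [1.0, 0.0, 1.0, 0.0], "svm": [0.7, 0.3, 0.6, 0.4]},
    "B": {"rf": [0.8, 0.2, 0.4, 0.1], "dt": [1.0, 0.0, 0.0, 0.0], "svm": [0.6, 0.4, 0.45, 0.3]},
    "C": {"rf": [0.1, 0.9, 0.2, 0.8], "dt": [0.0, 1.0, 0.0, 1.0], "svm": [0.3, 0.7, 0.4, 0.6]},
}
# Scores for two further samples whose true labels are attack, benign.
QUERY = {
    "A": {"rf": [0.7, 0.3], "dt": [1.0, 0.0], "svm": [0.4, 0.6]},
    "B": {"rf": [0.6, 0.4], "dt": [1.0, 0.0], "svm": [0.2, 0.5]},
    "C": {"rf": [0.0, 1.0], "dt": [0.0, 1.0], "svm": [0.0, 1.0]},
}

if __name__ == "__main__":
    w = trust_weights(REF, REF_LABELS)
    uniform = {s: 1 / len(QUERY) for s in QUERY}
    print("trust weights:", w)
    print("uniform fusion verdicts:", fuse(QUERY, uniform)[1])
    print("trust-weighted verdicts:", fuse(QUERY, w)[1])
```

With equal weights the inverted scores from site C flip both verdicts; with the trust weights site C contributes nothing, and the aggregator refuses to run if no site clears the floor.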

Circularity Check

0 steps flagged

No derivation chain or equations present; framework proposal is self-contained

full rationale

The paper describes a conceptual trust-aware federated hybrid IDS framework using RF, DT, and linear SVM at edge sites with server aggregation. No equations, derivations, parameter fittings, or mathematical reductions appear in the abstract or described text. The proposal does not claim to derive any result from inputs that reduce to the same by construction, nor does it invoke load-bearing self-citations, uniqueness theorems, or ansatzes. Per guidelines, absence of any derivation chain means the work is self-contained as a design proposal with no circularity to flag. This matches the reader's assessment of no equations or self-referential definitions.

Axiom & Free-Parameter Ledger

0 free parameters · 0 axioms · 0 invented entities

Abstract provides no explicit free parameters, axioms, or invented entities; the proposal implicitly assumes standard ML model behaviors and the feasibility of trust-aware aggregation without detailing supporting evidence.

