contINuous deCentralized lEarNing of ioT devIces' behaVioural profilEs

Modern societies are hyperconnected, relying on IoT devices in critical areas like healthcare, transport, industry, and homes. This connectivity brings convenience but also expands the “attack surface” for cyber threats. In recent years, significant incidents have shown how attackers can exploit insecure IoT devices; for example, the Mirai botnet hijacked thousands of smart cameras and routers by using their default passwords, turning them into a network of attack. Such events underscore the risk: a successful attack on IoT systems can disrupt services affecting even citizens’ safety. The challenge is that many IoT devices are resource-constrained (with limited computing power and memory) and often deployed in large numbers, making traditional security measures difficult to apply. INCENTIVE was conceived to address some of these challenges by developing new methods that help secure IoT devices in line with these evolving needs.
The project’s overarching objective is to proactively detect cyberattacks on IoT devices by continuously learning their “normal” behavior patterns. Instead of reacting after a breach, INCENTIVE’s approach is preventive, so it constantly monitors and learns from device activity to quickly flag abnormal behaviors. This is especially important for IoT, where attacks might not be immediately obvious.
To achieve its aim, INCENTIVE has four key objectives:
• O1. To understand IoT device behavior (with human factors) by developing enriched profiles of how IoT devices behave under normal conditions over time. This includes the influence of human interaction (e.g. how people manage settings, usage patterns, maintenance habits). These behavior profiles form a baseline to compare against and spot irregularities that could indicate a security threat.
• O2. Continuous decentralized learning through the design of a secure learning process that updates these behavior profiles using Federated Learning (FL). This allows the detection model to improve over time as devices generate new data, without relying on centralized data collection.
• O3. Trust and integrity in the learning process by ensuring that collaborative learning is trustworthy and tamper-resistant, to prevent attackers from poisoning the system with false data. INCENTIVE integrates robust aggregation approaches to guarantee that only legitimate devices participate and that the model updates they contribute cannot be maliciously modified.
• O4. Validation in different scenarios through the verification of the developed framework in various deployment settings. The goal is to demonstrate that the approach works in practice by measuring how well it detects intrusions, how it impacts device performance, and identifying any trade-offs. These evaluations ensure that the solution can be adapted to different IoT environments and inform further refinements needed for real-world adoption.
Through such objectives, INCENTIVE provides a practical approach to improving the security of IoT systems. Its methods are designed to work within the real-world limitations of connected devices, while also considering how people interact with them. Therefore, the project contributes to building more resilient and user-aware IoT environments, helping to reduce risks and support safer everyday use of connected technologies.

The project began with the design and implementation of a data collection strategy focused on capturing not just the technical behaviour of IoT devices, but also how that behaviour is shaped by human usage. To support this, a custom Android mobile application was developed to collect behavioural data from smartphones in a structured and privacy-conscious way. Furthermore, the project developed an intrusion detection framework based on FL, enabling distributed and privacy-preserving model training across IoT nodes. The system was designed to operate in environments where centralised data processing is impractical or undesirable. The project also analyzes the use of different machine learning techniques, including supervised and unsupervised approaches. Furthermore, to enhance the trustworthiness of this distributed learning process, INCENTIVE introduces a robust aggregation mechanism that helps protect the system from manipulation by compromised or unreliable participants. This mechanism dynamically identifies and limits the influence of anomalous model updates during training, without requiring prior knowledge about the nature or number of adversarial sources. This adds a crucial layer of resilience to the system and supports its safe deployment in untrusted or open environments. In parallel with the technical development, the project produced a set of scientific contributions that explore and support the broader implications of its work. This includes a systematic review of the use of FL for intrusion detection, which helped frame the state of the art and identify existing research gaps. Other publications focused on the use of unsupervised FL for detecting misbehaviour in connected vehicles. Additionally, the design and evaluation of the project’s robust aggregation approach was formalised and disseminated through peer-reviewed articles. These research outputs highlight the project relevance to a wide range of security-critical sectors.

INCENTIVE contributed several advances that meaningfully extend current approaches to cybersecurity in IoT systems, particularly in the integration of distributed intelligence and behavioural awareness. One important innovation lies in the construction of behavioural profiles enriched with human interaction data. By incorporating how users interact with devices, such as configuration habits, usage timing, and maintenance routines, the system moves beyond traditional anomaly detection models that rely solely on low-level network traffic or device metrics. This enables more context-aware detection strategies that are better aligned with how devices are actually used in practice. Furthermore, the project adopted different supervised and unsupervised approaches capable of operating without labelled data. This is especially relevant for IoT environments, where labelled datasets are often unavailable and usage patterns evolve rapidly. The ability to train collaboratively while respecting data locality opens the door to more adaptive and scalable security solutions that do not rely on centralised infrastructures. Another notable result is the design and implementation of a robust aggregation function for the FL process. This component enhances the system’s resilience to unreliable or adversarial participants by detecting and filtering out potentially harmful updates during training. Unlike many existing methods, the aggregation strategy introduced in INCENTIVE does not depend on prior assumptions about the number or behaviour of malicious nodes, allowing for broader applicability across deployment scenarios. Therfore, INCENTIVE advances the state of the art by combining behavioural intelligence, collaborative learning, and robustness into a cohesive framework. These results contribute to a more adaptive and decentralised approach to securing connected environments, supporting the broader shift toward intelligent, self-protecting digital infrastructures.