AMoE-IDS: An Adaptive Mixture-of-Experts Framework for Cross-Dataset Intrusion Detection

Authors

  • Ouail Mjahed Faculty of Sciences and Technology, Department of Computer Sciences, L2IS, Cadi Ayyad University, Marrakech, Morocco
  • Soukaina Mjahed Faculty of Sciences Semlalia, Department of Computer Sciences, LISI Laboratory, Cadi Ayyad University, Marrakech, Morocco

DOI:

https://doi.org/10.15837/ijccc.2026.4.7480

Keywords:

Intrusion Detection Systems, Deep Learning, Mixture-of-Experts, Cross-Dataset Generalization, cybersecurity

Abstract

Intrusion Detection Systems (IDS) are essential for securing modern network infrastructures against increasingly sophisticated cyber threats. While deep learning-based IDS have shown promising performance, most existing approaches rely on static and monolithic architectures that struggle to adapt to heterogeneous environments such as Internet of Things (IoT) systems, enterprise networks, and mixed traffic scenarios. Moreover, conventional ensemble and hybrid methods typically employ fixed fusion strategies, limiting their ability to exploit input-dependent specialization. To address these limitations, this paper proposes an Adaptive Mixture-of-Experts Intrusion Detection System (AMoE-IDS), a hybrid deep learning framework that integrates a shared feature encoder, multiple specialized expert networks, and an adaptive gating mechanism. The shared encoder learns a unified latent representation from heterogeneous feature spaces, while the gating network dynamically routes each input to the most relevant experts, enabling conditional computation and improved detection performance. Extensive experiments conducted on three recent benchmark datasets, CICIoT2023, CSE-CICIDS 2018, and TII-SSRC-23, demonstrate that AMoE-IDS consistently outperforms conventional deep learning and hybrid IDS models. The proposed framework achieves F1-scores of 99.19%, 99.67%, and 99.68% and AUC values of 0.992, 0.991, and 0.990 on CICIoT2023, CSE-CICIDS 2018, and TII-SSRC-23, respectively. Despite its multi-expert architecture, the model maintains low inference latency ranging from 1.28 to 1.56 ms per network flow, supporting real-time deployment. Cross-dataset evaluation confirms the robustness of AMoE-IDS under distribution shifts, while ablation studies highlight the critical role of feature harmonization and adaptive expert selection. Statistical significance analysis further validates the reliability of the observed improvements. Overall, the proposed framework demonstrates competitive performance, good scalability, and improved cross-dataset generalization.

References

Buczak A.L. and Guven E. (2016). A Survey of Data Mining and Machine Learning Methods for Cyber Security Intrusion Detection, IEEE Communications Surveys & Tutorials, 18(2): 1153- 1176. https://doi.org/10.1109/COMST.2015.2494502

Ferrag M.A., Maglaras L., Moschoyiannis S., Janicke H. (2019). Deep Learning for Cyber Security Intrusion Detection: Approaches, Datasets, and Comparative Study. Journal of Information Security and Applications. 2019, 50. https://doi.org/10.1016/j.jisa.2019.102419

Liu H. (2019). Lang B. Machine Learning and Deep Learning Methods for Intrusion Detection Systems: A Survey. Applied Sciences, 9(20):4396. https://doi.org/10.3390/app9204396

Ullah F., Ullah S., Srivastava G., Lin J. (2024). IDS-INT: Intrusion detection system using transformer-based transfer learning for imbalanced network traffic, Digital Communications and Networks, 10(1): 190-204. https://doi.org/10.1016/j.dcan.2023.03.008

Bouguessa A., Mostefaoui S.A.M., Daoud M.A. et al. (2025). TBAC-IDS: enhancing intrusion detection with transformer-based alerts correlation. Cluster Computing, 28, 1012. https://doi.org/10.1007/s10586-025-05716-z

Ring M., Wunderlich S., Scheuring D., Landes D., Hotho A. (2019). A survey of network-based intrusion detection data sets, Computers & Security, 86: 147-167. https://doi.org/10.1016/j.cose.2019.06.005

Mjahed O., El Hadaj S., El Guarmah E., Mjahed S. (2023). Improved Supervised and Unsupervised Metaheuristic-Based Approaches to Detect Intrusion in Various Datasets, Computer Modeling in Engineering & Sciences, 137(1): 265-298. https://doi.org/10.32604/cmes.2023.027581

Mjahed O., El Hadaj S., Guarmah E. and Mjahed S. (2023). New Denial of Service Attacks Detection Approach Using Hybridized Deep Neural Networks and Balanced Datasets, Computer Systems Science and Engineering, 47: 757-775. https://doi.org/10.32604/csse.2023.039111

Giap Thi N.-B., Nguyen V.-N., Pham A.-T., Hoang T.-M. (2026). Cosine Distance-Based FuzzyCMeans Clustering for Local Classification in Imbalanced Network Intrusion Detection, InternationalJournal of Computers Communications & Control, 21(3), 7305. https://doi.org/10.15837/ijccc.2026.3.7305

Li Y., Li Z., Li M. (2025). A comprehensive survey on intrusion detection algorithms, Computers and Electrical Engineering, 121, 109863. https://doi.org/10.1016/j.compeleceng.2024.109863

Hinton G., Shazeer N., Mirhoseini A., Maziarz K., Davis A., Le Quoc, Rachmad Y., Dean J. (2017). Outrageously Large Neural Networks: The Sparsely-Gated Mixture-of-Experts Layer. 10.48550/arXiv.1701.06538.

Fedus W., Zoph B., and Shazeer N. (2022). Switch Transformers: Scaling to Trillion Parameter Models with Simple and Efficient Sparsity, Journal of Machine Learning Research, 23(120): 1-39.

Long Z., Yan H., Shen G. et al. (2024). A Transformer-based network intrusion detection approach for cloud security. Journal of Cloud Computing 13, 5. https://doi.org/10.1186/s13677-023-00574-9

Kumar H., Konatham S., Rohit M. (2025). DeepTransIDS: Transformer-Based Deep learning Model for Detecting DDoS Attacks on 5G NIDD, Results in Engineering, 26, 104826. https://doi.org/10.1016/j.rineng.2025.104826

Doost, P.A., Moghadam, S.S., Khezri, E. et al. (2025). A new intrusion detection method using ensemble classification and feature selection. Scientific Reports 15, 13642. https://doi.org/10.1038/s41598-025-98604-w

Shin Y., Kim M., Kim H. et al. (2024). Towards unbalanced multiclass intrusion detection with hybrid sampling methods and ensemble classification. Applied Soft Computing, 157:111517. https://doi.org/10.1016/j.asoc.2024.111517

Kumar C. and Ansari, M. S. A. (2024). An explainable nature-inspired cyber attack detection system in software-defined IoT applications, Expert Systems with Applications, 250, 123853. https://doi.org/10.1016/j.eswa.2024.123853

Mjahed S., Mjahed 0. (2026). NFRT-IDS: A Unified Neuro-Fuzzy ReinforcementTransformer Architecture for Adaptive and Explainable Intrusion Detection. International Journal of Computers Communications & Control, 21(2), 7405. https://doi.org/10.15837/ijccc.2026.2.7405

Alharthi M., Medjek F., Djenouri D. (2025). Ensemble Learning Approaches for Multi-Class Intrusion Detection Systems for the Internet of Vehicles (IoV): A Comprehensive Survey. Future Internet. 17(7):317. https://doi.org/10.3390/fi17070317

Jony A.I. and Arnob A.K.B. (2024). A long short-term memory based approach for detecting cyber attacks in IoT using CIC-IoT2023 dataset. Journal of Edge Computing, 3(1): 28-42. https://doi.org/10.55056/jec.648

Kim J., Shin Y., Choi E. (2019). An intrusion detection model based on a convolutional neural network. Journal of Multimedia Information System, 6(4), 165-172. https://doi.org/10.33851/JMIS.2019.6.4.165

Khan M. A. (2021). HCRNNIDS: Hybrid convolutional recurrent neural network-based network intrusion detection system. Processes, 9(5), 834. https://doi.org/10.3390/pr9050834

Zhang Y., Zhang H., Zhang B. (2022). An effective ensemble automatic feature selection method for network intrusion detection. Information, 13(7), 314. https://doi.org/10.3390/info13070314

Herzalla D., Lunardi W.T. and Andreoni M. (2023). TII-SSRC-23 Dataset: Typological Exploration of Diverse Traffic Patterns for Intrusion Detection, IEEE Access, 11: 118577-118594. https://doi.org/10.1109/ACCESS.2023.3319213

Rani R., Barve A., Malviya A., Ranjan V., Jeet R., Bhosle N. (2025). Enhancing detection rates in intrusion detection systems using fuzzy integration and computational intelligence, Computers & Security, 157, 104577. https://doi.org/10.1016/j.cose.2025.104577

Jacobs R., Jordan M., Nowlan S., Hinton G. (1991). Adaptive Mixtures of Local Experts. Neural Computation. 3. 79-87. https://doi.org/10.1162/neco.1991.3.1.79

Goodfellow I., Bengio Y., and Courville A. (2016). Deep Learning, MIT Press, Cambridge, 2016.

Kingma D. and Ba J. (2015). Adam: A Method for Stochastic Optimization, Proceedings of the 3rd International Conference on Learning Representations (ICLR), San Diego, CA, USA, 7-9 May 2015.

Neto ECP, Dadkhah S, Ferreira R, Zohourian A, Lu R, Ghorbani AA. (2023). CICIoT2023: A Real-Time Dataset and Benchmark for Large-Scale Attacks in IoT Environment. Sensors. 23(13):5941. https://doi.org/10.3390/s23135941

Sharafaldin I., Lashkari A.H., and Ghorbani A.A. (2018). Toward Generating a New Intrusion Detection Dataset and Intrusion Traffic Characterization, Proceedings of the 4th International Conference on Information Systems Security and Privacy (ICISSP 2018), pp. 108-116 https://doi.org/10.5220/0006639801080116

Chawla N.V., Bowyer K.W., Hall L. Kegelmeyer W.P. (2002). SMOTE: Synthetic Minority Oversampling Technique, Journal of Artificial Intelligence Research, 16, 321-357. https://doi.org/10.1613/jair.953

Bilal M.A., Ul Islam I., Idrees S. et al. (2026). Dataset-centric evaluation of federated intrusion detection models in IoT networks. Scientific Reports, 16, 2683. https://doi.org/10.1038/s41598-025-32567-w

Jaradat A.S., Nasayreh A., Al-Na'amneh Q., Gharaibeh H., Al Mamlook R.E. (2023). Genetic optimization techniques for enhancing web attacks classification in machine learning. Proceedings of the IEEE International Conference on Dependable, Autonomic & Secure Computing, Abu Dhabi, UAE, 2023, pp. 130-136. https://doi.org/10.1109/DASC/PiCom/CBDCom/Cy59711.2023.10361399

Adewole K.S., Jacobsson A., Davidsson P. (2025). Intrusion Detection Framework for Internet of Things with Rule Induction for Model Explanation. Sensors, 25, 1845. https://doi.org/10.3390/s25061845

Elahi M., Songram R., Zaman M. (2025). Network-Shield: Exploring the Efficacy of GRU Model in Intrusion Detection Using CIC-IDS 2018 Dataset. 1058-1065. 10.1145/3723178.3723318. https://doi.org/10.1145/3723178.3723318

Lin P., Ye K., and Xu C.-Z. (2019). Dynamic Network AnomalyDetection System by Using Deep Learning Techniques. In Cloud Computing- CLOUD 2019, Dilma Da Silva, Qingyang Wang, and Liang-Jie Zhang (Eds.). Springer International Publishing, Cham, 161-176 https://doi.org/10.1007/978-3-030-23502-4_12

Wang Y.-C. , Houng Y.-C., Chen H.-X., and Tseng S.-M. (2023). Network anomaly intrusion detection based on deep learning approach, Sensors, 23(4), 2171. https://doi.org/10.3390/s23042171

Mondragon J.C., Branco P., Jourdan GV. et al. (2025). Advanced IDS: a comparative study of datasets and machine learning algorithms for network flow-based intrusion detection systems. Applied Intelligence, 55, 608. https://doi.org/10.1007/s10489-025-06422-4

Bilal M.A, Ul Islam I., Iltaf N., and Khan M.J. (2025). Federated Learning With Explainable AI for Malicious Traffic Detection in IoT Networks, IEEE Access, 13: 173368-173383. https://doi.org/10.1109/ACCESS.2025.3613459

Chekuri V. (2025). Cyber Threat Intelligence: Malware, Targets, and Emerging Attack Trends, Proceedings of 2025 Global Conference on Information Technology and Communication Networks (GITCON), Belagavi, India, 2025, pp. 1-8. https://doi.org/10.1109/GITCON65266.2025.11377094

Additional Files

Published

2026-07-07

Most read articles by the same author(s)

Obs.: This plugin requires at least one statistics/report plugin to be enabled. If your statistics plugins provide more than one metric then please also select a main metric on the admin's site settings page and/or on the journal manager's settings pages.