PhD position H/F - Federated Graph Neural Networks for Intrusion Detection in Industrial IoT Networks CESI

Abstract

Securing industrial IoT infrastructure is no longer a competitive advantage ; it is a prerequisite for resilient, trustworthy, and sustainable Industry 5.0.

Keywords : Industry 5.0, Industrial IoT, Intrusion Detection, Federated Learning, GNN

The rapid proliferation of Industrial Internet of Things (IIoT) devices in manufacturing, energy, and logistics environments has dramatically expanded the cyber attack surface of critical industrial infrastructure. These interconnected cyber-physical systems, while enabling new data-driven automation and intelligent services, introduce severe security vulnerabilities: a single compromised sensor or gateway can propagate threats across the entire production network. In such distributed environments, where multiple industrial stakeholders collaborate without sharing sensitive operational data, security, resilience, and data confidentiality become critical prerequisites for the large-scale adoption of Industry 4.0 and 5.0 technologies.

This doctoral research addresses a core scientific challenge: the collaborative and privacy-preserving detection of cyberattacks and anomalies in IIoT ecosystems. Although deep learning-based intrusion detection systems (IDS) have shown strong performance, their centralized training paradigm raises critical concerns regarding data sovereignty, scalability, and robustness in heterogeneous industrial deployments. This thesis proposes a distributed detection framework combining federated learning and graph neural networks (GNNs), capable of modeling the structural dependencies between IIoT components while keeping sensitive operational data on-premises at each industrial site. Local detection models are trained at the level of edge nodes or industrial gateways and collaboratively aggregated without sharing raw data, enabling collective threat intelligence while preserving industrial confidentiality.

The originality of this work lies in the combined use of federated learning, GNNs, and centrality measures from complex network theory to enhance anomaly detection accuracy, improve robustness in heterogeneous environments, and generalize to novel, unseen attack patterns. Building directly upon prior contributions from the CESI LINEACT team in IoT intrusion detection, federated learning, and graph-based modeling, the proposed framework will be evaluated on realistic IIoT attack scenarios and benchmarked against state-of-the-art methods. The objective is to deliver a generic, distributed, and privacy-preserving methodological building block to strengthen the cybersecurity, operational resilience, and sustainability of future smart industrial systems.

Research Work

Scientific context

The rapid deployment of IIoT devices across manufacturing, smart energy, and logistics sectors has profoundly transformed industrial architectures, giving rise to a new generation of cyber-physical systems (CPS) whose security is critical to operational continuity. Modern IIoT infrastructures embed hundreds of heterogeneous sensors, actuators, and gateways communicating over protocols. The simultaneous growth of remote access interfaces, cloud connectivity, and over-the-air update mechanisms dramatically expands the attack surface of these industrial networks [1, 2].

Network Intrusion Detection Systems (NIDS) have emerged as an essential countermeasure for monitoring IIoT traffic and detecting malicious activity [3]. AI-based NIDS, notably deep learning models, have demonstrated high detection accuracy, but centralizing industrial data on a remote server for training introduces critical scalability, bandwidth, and data sovereignty challenges that are incompatible with real-world industrial deployments [4]. Federated Learning (FL) has been proposed as a solution: each node trains a model locally and only shares model weights with a central aggregator, keeping sensitive data on-premises while enabling collaborative learning at scale [5].

A key limitation of conventional federated approaches is their inability to capture the graph-structured topology inherent to IIoT networks, where devices and communication buses form complex relational graphs. Graph Neural Networks (GNNs) address this gap by modeling nodes and their interactions explicitly. Combined with complex network centrality measures (e.g., degree, betweenness, and modularity-aware centrality), GNNs can identify critical nodes and communication patterns, improving detection accuracy and generalization across heterogeneous industrial deployments [6-9]. This thesis sits at the intersection of federated learning, graph deep learning, and industrial cybersecurity.

Subject

This thesis proposes the design, implementation, and evaluation of a federated GNN-based intrusion detection framework for Industrial IoT networks (IIoT). Its originality lies in the combination of three complementary dimensions: (i) federated learning specifically adapted to the constraints and heterogeneity of industrial environments, (ii) graph neural network architectures tailored to the topology of IIoT communication systems, and (iii) the exploitation of complex network properties to optimize both the learning model and the federation process.

To support this objective, the work begins with a comprehensive state of the art on GNN-based federated intrusion detection systems for industrial cyber-physical systems, building on existing approaches in IoT and CPS security while identifying key limitations and research opportunities specific to IIoT environments. A core contribution will be the modeling of IIoT networks as graph-structured systems, where devices are represented as nodes and communication channels as edges. This includes extracting structural features such as centrality metrics and constructing realistic datasets that capture a wide spectrum of IIoT attack scenarios, including traffic injection, spoofing, denial-of-service, and anomalous sensor behavior. Building upon the dataset generation methodology introduced in [10], these datasets will be enriched with diverse complex network properties to ensure robustness and representativeness.

The thesis will focus on the design of a federated GNN aggregation method adapted to IIoT heterogeneity, extending architectures such as FedGATSage [11]. The proposed approach will address the critical limitation of prior work, namely the loss of structural information during parameter aggregation, by preserving both spatial (topological) and temporal (traffic sequence) dependencies. Centrality-driven strategies will also be explored to guide client selection and weighting mechanisms, improving convergence and handling non-IID data distributions across heterogeneous industrial deployments.

The thesis will further investigate how complex network properties (such as modularity, community structure, and backbone extraction) can be leveraged to optimize IIoT systems by reducing computational overhead and improving inference speed, which is essential for resource-constrained embedded industrial environments [12-14]. The proposed framework will be extensively evaluated through experimental benchmarking against state-of-the-art methods, using both public datasets (NF-ToN-IoT, CIC-ToN-IoT, N-BaIoT) and internally generated datasets. Performance will be assessed across multiple dimensions: detection accuracy under diverse attack scenarios, privacy preservation, and communication efficiency in federated settings.

The doctoral candidate will be hosted at the CESI LINEACT research department during his stay in France and may have access to the 'Industry of the Future' demonstrator, equipped with sensors, robots, and a digital twin infrastructure that faithfully replicates real-world IIoT environments. During his stay in Canada, he will additionally benefit from an IoT platform dedicated to industrial smart buildings, offering a complementary and highly realistic experimental environment. Together, these two infrastructures will provide a rich, dual-context validation framework, enabling the proposed approach to be stress-tested across diverse industrial settings and strengthening the external validity and generalizability of the research findings.

Prior works in the…

Skills

Scientific and technical skills : Machine learning, deep learning, graph neural networks, federated learning, network security, industrial IoT and cyber-physical systems, data analysis, Python (PyTorch, TensorFlow, PyG), experimental evaluation, scientific writing.

Soft skills : Scientific rigor, autonomy, teamwork, critical thinking, project management, communication, and ability to evolve in an interdisciplinary research environment.

Organisation

Location: SCESI Strasbourg & INRS Canada

Starting date: 01/09/2026

Starting date: 01/09/2026

Supervisors

Amine Brahmia, Enseignant-Chercheur HDR, Directeur de thèse CESI LINEACT

Zakaria Abou El Houda, Directeur du laboratoire RSEC, Directeur de thèse INRS Canada

Zakariya Ghalmane, Enseignant-Chercheur, Encadrant CESI LINEACT

Bibliography

[1] Abou El Houda, Z., Moudoud, H., & Khoukhi, L. (2023, December). Secure and efficient federated learning for robust intrusion detection in IoT networks. In GLOBECOM 2023-2023 IEEE Global Communications Conference (pp. 2668-2673). IEEE.

[2] Abou El Houda, Z., Brik, B., & Senouci, S. M. (2022). A novel IoT-based explainable deep learning framework for intrusion detection systems. IEEE Internet of Things Magazine, 5(2), 20-23.

[3] Abou El Houda, Z., Moudoud, H., Brik, B., & Adil, M. (2024). A privacy-preserving framework for efficient network intrusion detection in consumer network using quantum federated learning. IEEE Transactions on Consumer Electronics, 70(4), 7121-7128.

[4] Hafi, H., Brik, B., Abou El Houda, Z., & Ksentini, A. (2025). Split federated learning-driven resource-efficient MEC framework for UAV-based networks. IEEE Transactions on Network Science and Engineering.

[5] Arbaoui, M., Brahmia, M.-E.-A., Rahmoun, A. & Zghal, M. Federated learning survey: A multi-level taxonomy of aggregation techniques, experimental insights, and future frontiers. ACM Transactions on Intelligent Systems and Technology 15, 1-69 (2024).

[6] Termos, M., Ghalmane, Z., Brahmia, M.-E.-A., Fadlallah, A., Jaber, A. & Zghal, M. GDLC: A new graph deep learning framework based on centrality measures for intrusion detection in IoT networks. Internet of Things 26, 101214 (2024).

[7] Termos, M., Ghalmane, Z., Brahmia, M.-E.-A., Fadlallah, A., Jaber, A. & Zghal, M. Integrating centrality measures in federated learning-based intrusion detection systems. In 2025 IEEE Wireless Communications and Networking Conference (WCNC), 1-6. IEEE (2025).

[8] Termos, M., Ghalmane, Z., Brahmia, M.-E.-A., Fadlallah, A., Jaber, A. & Zghal, M. Enhancing IoT network intrusion detection with a new GraphSAGE embedding algorithm using centrality measures. In 10th International Conference on Internet of Things, Big Data and Security (2025).

[9] Termos, M., Ghalmane, Z., Brahmia, M.-E.-A., Fadlallah, A., Jaber, A. & Zghal, M. Intrusion detection system for IoT based on complex networks and machine learning. In 2023 IEEE DASC/PiCom/CBDCom/CyberSciTech, 471-477. IEEE (2023).

[10] Al Tfaily, F., Ghalmane, Z., Termos, M., Brahmia, M.-E.-A., Jaber, A. & Zghal, M. Generating realistic cyber security datasets for IoT networks with diverse complex network properties. In 10th International Conference on Internet of Things, Big Data and Security (2025).

[11] Al Tfaily, F., Ghalmane, Z., Brahmia, M.-E.-A., Hazimeh, H., Jaber, A. & Zghal, M. Graph-based federated learning approach for intrusion detection in IoT networks. Scientific Reports 15, 41264 (2025).

[12] Ghalmane, Z., Cherifi, C., Cherifi, H. & El Hassouni, M. Centrality in complex networks with overlapping community structure. Scientific Reports 9, 10133 (2019).

[13] Ghalmane, Z., Cherifi, C., Cherifi, H. & El Hassouni, M. Extracting backbones in weighted modular complex networks. Scientific Reports 10, 15539 (2020).

[14] Ghalmane, Z., Brahmia, M.-E.-A., Zghal, M. & Cherifi, H. A stochastic approach for extracting community-based backbones. In International Conference on Complex Networks and Their Applications, 55-67. Springer (2022).

AbstractSecuring industrial IoT infrastructure is no longer a competitive advantage ; it is a prerequisite for resilient, trustworthy, and sustainable Industry 5.0.Keywords : Industry 5.0, Industrial

CESI est une école d'ingénieurs qui fait de la promotion sociale par l'excellence un modèle de réussite. Rejoignez un environnement stimulant où l'esprit d'équipe, la diversité des projets et l'autonomie ne font qu'un. Découvrez une école qui a su développer un modèle unique et se donne les moyens au quotidien de relever les grands défis de l'époque. Nos 25 campus, 28 000 étudiants, 8000 entreprises partenaires et 106 000 alumni témoignent de l'impact de CESI au niveau national.

CESI accompagne ses étudiants en utilisant des méthodes innovantes de pédagogie active. L'établissement forme avec rigueur les futurs ingénieurs, techniciens et managers, dans les secteurs suivants : l'Industrie & l'Innovation, le BTP, l'Informatique et le Numérique et le Développement Durable. Parallèlement, CESI concrétise son engagement dans la Recherche à travers des activités menées au sein de son Laboratoire d'Innovation Numérique, CESI LINEACT.

Les partenariats établis avec 130 universités à travers le globe, attestent de l'engagement international de CESI. Ces liens privilégiés offrent aux élèves ingénieurs une mobilité sortante et entrante à l'échelle internationale, façonnée notamment par des stages obligatoires faisant partie intégrante de leur cursus.