Cyber-Security in Cyber-Physical Systems and Critical Infrastructure: A Self-Healing Federated Learning Intrusion Detection Framework

Authors

  • Francisca Ezulike
  • Sheunesu Makura University of Pretoria https://orcid.org/0000-0002-5129-3216
  • Stacey Baror University of Pretoria
  • Hein Venter University of Pretoria

DOI:

https://doi.org/10.34190/iccws.21.1.4467

Keywords:

Cyber-physical systems, Intrusion Detection Systems, Anomaly Detection, Federated Learning, Meta-learning

Abstract

Cyber-Physical Systems (CPS) underpin critical infrastructures such as power grids, water treatment facilities, and transportation systems. Their increasing connectivity, combined with legacy physical components and modern digital interfaces, expands the attack surface and exposes CPS to sophisticated cyber threats. The resulting heterogeneous, latency-sensitive environments challenge conventional security mechanisms, while centralized Intrusion Detection Systems (IDS) introduce privacy risks and fail to meet real-time operational constraints. To address these challenges, this paper proposes a hybrid framework that integrates Federated Learning (FL) with a Lightweight Intrusion Detection System (LIDS), augmented by Model-Agnostic Meta-Learning (MAML) and a self-healing feedback loop. Edge-based LSTM anomaly detectors are collaboratively trained using FedAvg to preserve data locality and privacy, meta-learning enables rapid adaptation to zero-day attacks, and the self-healing mechanism supports automated rollback, isolation of compromised clients, retraining, and feedback-driven threshold adjustment. We further present a practical deployment blueprint for production CPS environments, leveraging edge gateways with MQTT telemetry, Flower for FL orchestration, KubeEdge or AWS IoT Greengrass for edge management, and secure aggregation protocols, along with an analysis of communication overhead and mitigation strategies. The framework is evaluated on the ICS-AD and SWaT datasets, as well as a synthetic digital twin environment. Data preprocessing includes min–max normalization, 50-timestep sliding windows, and SMOTE-based class balancing. Experiments simulate 50 non-IID federated clients over 100 rounds with a two-layer LSTM architecture (128 and 64 units, dropout 0.3), trained using Adam. Results demonstrate strong detection performance (mean F1-score ≈ 92.4% ± 1.2) and low detection latency (≈ 1.2 s ± 0.1), with improved resilience to zero-day attacks compared to centralized baselines, albeit with increased communication overhead. Key limitations include federated communication cost, model drift, and deployment complexity. This work contributes an integrated self-healing federated IDS framework with meta-learning, designed for privacy-preserving, adaptive, and practical CPS security deployment.

Author Biographies

Sheunesu Makura, University of Pretoria

Sheunesu Makura is a lecturer in the Department of Computer Science at the University of Pretoria, developing digital forensic solutions that can be applied to a variety of electronic devices or systems. With expertise in programming, databases, digital forensics, and computer security, he teaches both undergraduate and postgraduate students in these areas. Sheunesu has also worked in the industry as a Digital Forensic Investigator, specializing in Mobile Forensics and Social Media Forensics. He has published his work in international conferences and accredited journals. His current research interests include digital forensic readiness, cloud forensics, mobile forensics, computer information security, and cybersecurity.

Stacey Baror, University of Pretoria

Stacey O. Baror is a computer scientist and cybersecurity researcher with expertise in digital forensics, secure software architecture, and applied machine learning. Her experience spans both academic research and hands-on software projects, giving her the ability to translate complex technical concepts into practical, real-world solutions. As a member of the DigiForS Research Group, Stacey has contributed to pioneering studies in cybercrime readiness and digital risk reduction, collaborating with peers to design systems that strengthen digital resilience. Beyond research, she has mentored over 200 students through software projects and curriculum design, integrating emerging technologies into training and guiding future engineers. This blend of technical depth, leadership, and communication skills positions her to thrive in industry roles that demand security expertise, system design, and cross-functional collaboration.

Hein Venter, University of Pretoria

Prof Hein Venter is the Head of the Department of Computer Science at the University of Pretoria. His research interests focus on computer and Internet security, including network security, intrusion detection, information privacy, and digital forensics. Prof Venter has published extensively in accredited international journals and has presented his work at numerous internationally and nationally recognized Computer and Information Security conferences. He serves on the organizing committees of the Information Security for South Africa (ISSA) national conference and the South African Institute of Computer Scientists and Information Technologists (SAICSIT) national conference. Prof Venter is also actively involved in industry consultation, including the design and development of information and computer security training programmes, as well as providing security consultancy services.

Downloads

Published

19-02-2026

Issue

Vol. 21 No. 1 (2026): Proceedings of the 21st International Conference on Cyber Warfare and Security (ICCWS 2026)

Section

PhD Papers

License

Copyright (c) 2026 Francisca Ezulike, Sheunesu Makura, Stacey Baror, Hein Venter

Creative Commons License

This work is licensed under a Creative Commons Attribution-NoDerivatives 4.0 International License.