ijcnsInternational Journal of Communications, Network and System Sciences1913-37231913-3715Scientific Research Publishing10.4236/ijcns.2026.192002ijcns-152103ArticleComputer ScienceCommunicationsAI-Assisted Cybersecurity Mesh for Threat Detection in Edge-Enabled Communication Networks0009-0004-0661-043XSethupathyUtham Kumar Anugula1AnanthanarayananVijayanand1 Independent Researcher, Atlanta, GA, USA
The authors have no competing interests to declare that are relevant to the content of this article.
Next-generation communication environments increasingly combine IoT devices, edge gateways, cyber-physical components, and programmable network services. This convergence improves responsiveness but also creates fragmented trust boundaries and fast-changing attack surfaces. Conventional intrusion detection systems remain limited in such settings because they depend heavily on static signatures, centralized telemetry collection, or offline machine-learning models. This paper introduces a GenAI-assisted cybersecurity mesh for threat detection in heterogeneous intelligent communication systems. The framework places lightweight security functions at edge nodes, coordinates them through a mesh control layer, and uses a generative threat modeling engine to update anomaly assumptions as traffic conditions change. Network, application, and behavioral signals are fused into a dynamic risk score that supports policy actions such as throttling, isolation, and micro-segmentation. The framework is evaluated in a simulated communication environment with mixed benign traffic and attack scenarios, including DDoS, man-in-the-middle, protocol exploitation, behavioral drift, and synthetic zero-day patterns. Results show higher detection accuracy, lower false positive rates, and reduced response latency compared with rule-based and centralized ML-based IDS baselines. The study positions cybersecurity mesh as a practical direction for low-latency, AI-assisted protection of distributed communication infrastructures.
Intelligent communication systems are no longer built around a small number of controlled network endpoints. Modern deployments combine IoT sensors, edge computing nodes, cyber-physical controllers, software-defined networking functions, and emerging 5G/6G communication services. These components support smart transportation, industrial automation, healthcare monitoring, and distributed energy systems, but they also weaken the assumption that security can be enforced from a single central point. As device density, protocol diversity, and service mobility increase, the security model must shift from perimeter monitoring to continuous, context-aware protection across the communication fabric.
Traditional IDS deployments are useful for known threats but remain poorly suited for dynamic communication environments. Signature-driven tools detect recognized patterns but miss polymorphic and zero-day behavior. Centralized ML-based IDS models improve classification but introduce their own constraints: telemetry must be transported to a central point, inference may be delayed, and a compromised monitoring node can become a systemic weakness. A further limitation is analytical narrowness. Many IDS pipelines focus mainly on packet or flow-level anomalies while underusing application behavior, device telemetry, and protocol-state deviations that may reveal early-stage compromise.
The increasing sophistication of adversaries necessitates a transition toward adaptive, distributed, and intelligence-augmented security architectures. Generative Artificial Intelligence (GenAI) has recently demonstrated capabilities in pattern synthesis, contextual reasoning, and dynamic model adaptation. However, its integration into distributed cybersecurity infrastructures for real-time communication systems remains insufficiently explored. Existing research often treats AI-based intrusion detection as a standalone classifier rather than embedding adaptive intelligence within a mesh-based security topology.
To address these limitations, this paper proposes a GenAI-driven adaptive cybersecurity mesh architecture tailored for intelligent communication systems. The proposed framework incorporates three primary design principles:
1)Zero-Trust Distributed Security Enforcement: Security controls are enforced at edge nodes rather than relying solely on centralized monitoring.
2)Adaptive Generative Threat Modeling: A GenAI engine dynamically synthesizes threat hypotheses and refines anomaly detection models.
3)Cross-Layer Risk Fusion: Security signals from network, application, and behavioral layers are fused into a unified threat confidence score.
The contributions of this paper are summarized as follows:
It proposes an edge-coordinated cybersecurity mesh for intelligent communication systems, where detection and enforcement are distributed across local security nodes rather than concentrated in a central IDS.It introduces a GenAI-assisted threat modeling component that generates contextual attack hypotheses and supports model recalibration under changing traffic conditions.It defines a multi-signal risk scoring method that combines network, application, behavioral, and contextual threat indicators into a unified confidence score.It evaluates the framework against signature-based and centralized ML-based IDS baselines using multi-vector attack scenarios and scalability analysis.
The remainder of the paper is organized as follows. Section 2 reviews related work in distributed intrusion detection and AI-assisted security. Section 3 defines the threat model and adversarial assumptions. Section 4 describes the proposed cybersecurity mesh architecture. Section 5 presents the GenAI-based adaptive methodology and risk scoring formulation. Section 6 details the experimental setup, followed by results and analysis in Section 7. Section 8 discusses implications and limitations, and Section 9 concludes the paper.
2. Related Work
Security in intelligent communication systems has evolved significantly over the past decade, driven by the proliferation of IoT devices, edge computing frameworks, and next-generation communication protocols. Prior work has examined IoT intrusion detection architectures ranging from centralized and on-device models [1] to benchmark-driven IoT/IIoT evaluations [2][3]. Zero-trust foundations and later survey work provide the basis for continuous verification and least-privilege enforcement [4][5]. Cybersecurity mesh research has extended this discussion toward decentralized security control, cryptographic coordination, and AI-assisted defense [6]. Federated and distributed IDS studies have examined model coordination and collaborative enforcement across heterogeneous nodes [7]-[11]. Recent GenAI and LLM-security work motivates synthetic threat reasoning and automated security-context interpretation [12]-[14]. Dataset-focused IDS studies also highlight the importance of reproducible traffic characterization and benchmark design [15]-[18]. Existing research can therefore be grouped into four domains: 1) signature-based intrusion detection systems, 2) machine learning-based IDS models, 3) distributed and mesh-oriented security architectures, and 4) AI-assisted adaptive threat modeling. Existing research can be broadly categorized into four domains: 1) signature-based intrusion detection systems, 2) machine learning-based IDS models, 3) distributed and mesh-oriented security architectures, and 4) AI-assisted adaptive threat modeling.
2.1. Signature-Based and Centralized Intrusion Detection
Traditional intrusion detection systems such as Snort and Suricata rely on rule-based or signature-based detection mechanisms. While effective against known attack patterns, these systems exhibit limited capability in identifying zero-day exploits and polymorphic threats. Moreover, centralized deployment architecture introduces scalability and latency challenges in intelligent communication systems where nodes are geographically distributed and operate with real-time constraints.
Centralized IDS models also present a single point of failure and increase network overhead due to continuous telemetry aggregation. In high-throughput environments such as IoT-enabled smart grids or vehicular communication systems, this architectural limitation significantly affects detection latency and responsiveness.
Limitation Identified: Lack of adaptability and insufficient resilience against evolving, multi-stage attacks.
2.2. Machine Learning-Based Intrusion Detection
Recent advancements have incorporated supervised and unsupervised machine learning techniques for anomaly detection in communication networks. Approaches leveraging Support Vector Machines (SVM), Random Forests, k-Nearest Neighbors, and Deep Neural Networks have demonstrated improved detection accuracy compared to signature-based systems.
Deep learning models, including Convolutional Neural Networks (CNN) and Long Short-Term Memory (LSTM) networks, have been applied for traffic pattern recognition and time-series anomaly detection. These models enhance classification performance; however, they are typically trained offline and lack dynamic threat adaptation capabilities.
Furthermore, most ML-based IDS implementations operate in centralized environments. Distributed deployment remains limited due to computational overhead and synchronization challenges across heterogeneous nodes.
Limitation Identified: Static model training, insufficient cross-layer contextual fusion, and limited distributed enforcement.
2.3. Distributed and Mesh-Based Security Architectures
To overcome centralization constraints, recent research has explored distributed intrusion detection frameworks and cybersecurity mesh architectures. Cybersecurity mesh models emphasize decentralized policy enforcement, micro-segmentation, and zero-trust principles. Security capabilities are deployed closer to assets, often at edge gateways or node clusters.
Such architecture enhances resilience and reduces response latency. However, many implementations still rely on static rule engines or traditional ML classifiers without adaptive threat generation mechanisms. Additionally, risk scoring is often performed independently at the node level without systematic cross-layer correlation.
Limitation Identified: Absence of adaptive intelligence capable of synthesizing new attack hypotheses and limited risk fusion mechanisms.
2.4. Generative AI in Cybersecurity
Generative Artificial Intelligence (GenAI) has recently been explored in cybersecurity contexts for synthetic attack generation, adversarial training, automated threat intelligence summarization, and log analysis. Large language models and generative adversarial networks (GANs) have demonstrated potential in simulating evolving attack patterns and improving detection robustness through adversarial learning.
Despite promising advancements, integration of GenAI into real-time distributed communication security remains limited. Existing work often focuses on either:
There remains a gap in embedding GenAI as an adaptive reasoning component within a distributed cybersecurity mesh capable of continuous cross-layer threat modeling.
2.5. Research Gap
Existing IDS research has improved detection accuracy, but three gaps remain important for intelligent communication systems. First, many models still assume centralized collection and inference, which is not ideal for latency-sensitive edge environments. Second, AI-based IDS methods often operate as fixed classifiers rather than continuously updating their threat assumptions as adversarial behavior changes. Third, available approaches rarely combine network events, application behavior, node telemetry, and external threat context into a single operational risk score. These gaps motivate a mesh-based approach in which local detection, AI-assisted threat reasoning, and policy enforcement operate as coordinated functions.
3. Threat Model and Assumptions
Intelligent communication systems consist of heterogeneous devices, edge gateways, communication protocols, and cloud-coordinated services. These systems operate in semi-trusted or untrusted environments where adversaries may exploit protocol weaknesses, compromised nodes, or misconfigured services. This section formalizes the adversarial model and system assumptions used to evaluate the proposed GenAI-driven cybersecurity mesh.
3.1. System Model
We consider an intelligent communication environment comprising:
N distributed nodes (IoT devices, embedded systems, edge servers)Edge gateways responsible for traffic aggregationA centralized orchestration layer for policy coordinationMulti-layer communication stack:Network layer (packet flows, routing behavior)Transport/session layer (connection states, protocol exchanges)Application layer (API calls, service requests, payload semantics)Behavioral layer (node-level telemetry, CPU/memory usage, process anomalies)
Each node is equipped with a lightweight security agent capable of telemetry collection and local anomaly pre-processing. These agents communicate with a distributed mesh controller enforcing zero-trust policies.
3.2. Adversarial Capabilities
We assume a probabilistic polynomial-time (PPT) adversary with the following capabilities:
1)Network Manipulation
Packet injectionReplay attacksDistributed Denial of Service (DDoS)Man-in-the-Middle (MITM)
Continuous update of anomaly hypothesesDynamic risk threshold recalibration
4)Distributed Resilience
Avoid single point of failureMaintain detection capability under partial node compromise
3.4. Threat Categories Considered
The experimental evaluation considers five primary attack categories:
1)Distributed Denial of Service (DDoS)
High-volume traffic floods targeting gateways
2)Man-in-the-Middle (MITM)
Traffic interception and modification
3)Protocol Exploitation
Malformed packet injectionSession hijacking
4)Anomalous Behavioral Drift
Gradual deviation in device resource patterns
5)Synthetic Zero-Day Patterns
Generated attack traffic not matching predefined signatures
3.5. Operationalization in Simulation
The threat model was instantiated by allowing up to 10% of nodes to exhibit compromised behavior during selected attack windows. Compromised nodes generated abnormal communication patterns, protocol irregularities, or behavioral telemetry drift depending on the attack category. Adaptive threshold updates were performed every 30 simulated minutes using training-window statistics and were frozen during final testing. Poisoning risk was represented as an adversarial limitation: the current simulation did not allow attackers to directly modify the GATE training process, but telemetry manipulation by compromised nodes was included as part of the behavioral drift and protocol exploitation scenarios.
3.6. Assumptions
The following assumptions constrain the system:
Secure initial device onboarding with cryptographic identity provisioning.Encrypted communication channels between mesh nodes and orchestrator.Computational capability at edge nodes sufficient for lightweight inference.Availability of baseline training dataset for initial model bootstrapping.
3.7. Risk Representation
We define a threat confidence function:
Ri=f(Ni,Ai,Bi,Ci)
where:
N i = Network-layer anomaly score; A i = Application-layer anomaly score; B i = Behavioral deviation metric; C i = Contextual threat intelligence weight.
The final risk score for node i is computed as:
Ri=αNi+βAi+γBi+δCi
Subject to:
α+β+γ+δ=1
This weighted fusion model enables cross-layer anomaly aggregation and adaptive risk recalibration through the GenAI threat modeling engine described in Section 5.
3.8. Summary
The threat model reflects realistic adversarial behavior in distributed intelligent communication systems. The security objectives emphasize adaptive detection, cross-layer reasoning, and distributed resilience. These assumptions form the basis for the architectural design described in the next section.
The proposed architecture organizes security as a mesh of cooperating detection and enforcement points. Instead of forwarding all telemetry to a central IDS, edge nodes perform initial inspection and local risk estimation. A coordination layer then shares summarized security state, while the GenAI engine updates threat hypotheses and recalibrates policy thresholds. This design is intended for communication systems where latency, node heterogeneity, and partial compromise are realistic operating conditions.
4.1. Architectural Overview
The proposed system follows a distributed mesh topology composed of:
1)Edge Security Nodes (ESNs)
2)Mesh Coordination Layer (MCL)
3)GenAI Adaptive Threat Engine (GATE)
4)Policy Orchestration and Response Layer (PORL)
The design adheres to zero-trust principles: no device, session, or communication flow is inherently trusted, even within internal network boundaries. Figure 1 presents the proposed GenAI-assisted cybersecurity mesh architecture, showing the flow from edge security nodes to mesh coordination, generative threat reasoning, dynamic risk fusion, and adaptive policy enforcement. At the edge layer, heterogeneous nodes (IoT sensors, control systems, and gateways) perform network, application, and behavioral anomaly detection, followed by local risk scoring. Telemetry summaries are forwarded to the Mesh Control Layer (MCL), which coordinates distributed updates. The Generative AI Adaptive Threat Engine (GATE) synthesizes adversarial threat hypotheses and recalibrates contextual risk weights. The Dynamic Risk Fusion module computes the composite risk score R i = α N i + β A i + γ B i + δ C i , triggering the Adaptive Policy Module when thresholds are exceeded.
Diagram showing edge security nodes performing network, application, and behavioral anomaly detection, followed by local risk scoring, telemetry aggregation, mesh coordination, generative threat analysis, dynamic risk fusion, and adaptive policy enforcement.
Figure 1.GenAI-assisted cybersecurity mesh architecture for edge-enabled communication networks.
4.2. High-Level Architecture
Components:
1) Edge Security Nodes (ESNs)
Deployed at IoT devices, gateways, and edge servers.
where θ t is an adaptive risk threshold recalibrated by GATE.
4.3. Data Flow Pipeline
1) Telemetry captured at ESNs
2) Local anomaly scoring
3) Aggregated signals transmitted to MCL
4) GATE performs contextual reasoning
5) Updated policies propagated back to ESNs
6) Enforcement applied in near real-time
Latency target:
Ttotal=Tcapture+Tinference+Tpropagation
The architecture aims to minimize T p r o p a g a t i o n through decentralized updates.
4.4. Zero-Trust Enforcement Model
Each communication request undergoes:
1) Identity verification
2) Context validation
3) Behavioral deviation check
4) Dynamic risk scoring
Trust is continuously re-evaluated rather than statically assigned.
4.5. Resilience under Node Compromise
If k nodes are compromised:
ESNs operate independentlyMCL redistributes trust scoresCompromised nodes are isolated via automated micro-segmentation
System integrity is maintained provided:
k<N3
(Assuming distributed consensus threshold)
4.6. Architectural Advantages
Table 1 compares the proposed mesh architecture with a centralized IDS baseline across adaptability, scalability, latency, zero-day detection, and failure-resilience dimensions.
Table 1.Comparison of centralized IDS and proposed cybersecurity mesh.
Feature
Centralized IDS
Proposed Mesh
Adaptability
Static models
GenAI adaptive
Scalability
Limited
Distributed
Latency
Higher
Edge-based inference
Zero-Day Detection
Weak
Generative threat synthesis
Single Point of Failure
Yes
No
4.7. Summary
The proposed architecture integrates distributed enforcement, adaptive generative threat modeling, and cross-layer risk fusion. It is designed to operate efficiently within heterogeneous intelligent communication environments while maintaining resilience and low latency.
5. GenAI-Based Adaptive Threat Modeling and Cross-Layer Risk Scoring Methodology
This section details the methodological foundation of the proposed system, including 1) adaptive generative threat modeling, 2) cross-layer anomaly scoring, 3) dynamic risk fusion, and 4) automated policy recalibration.
5.1. Overview of Adaptive Threat Modeling
Traditional IDS models rely on static datasets and fixed decision boundaries. In contrast, the proposed framework embeds a Generative AI-based Adaptive Threat Engine (GATE) that continuously refines detection models using contextual telemetry and synthesized adversarial patterns.
The adaptive process operates in iterative cycles:
1) Telemetry aggregation
2) Anomaly detection
3) Threat hypothesis synthesis
4) Adversarial pattern generation
5) Model refinement
6) Policy redistribution
This cycle reduces concept drift and enhances zero-day detection resilience.
5.2. Generative Threat Hypothesis Synthesis
Let X t represent observed traffic and telemetry features at time t .
The generative engine learns an evolving distribution:
Pt(X)
Using a generative model G , new adversarial samples are synthesized:
X˜=G(Z,C)
where:
Z = latent noise vector; C = contextual threat embedding; ϕ = generative model parameters.
These synthetic samples simulate polymorphic or zero-day attack variants. The anomaly detection model is retrained incrementally with both real and synthesized samples:
θt+1=θt−η∇L(Xt∪X˜)
where:
θ = detection model parameters; η = learning rate; L = loss function.
5.3. GATE Implementation Details
In this study, the GenAI Adaptive Threat Engine (GATE) was implemented as a conditional generative model trained on contextual traffic and telemetry embeddings from the training partition. The model family follows a conditional generative adversarial structure in which the generator produces candidate adversarial feature vectors and the discriminator rejects samples that do not resemble plausible communication-layer anomalies.
The input to GATE consists of four feature groups: network anomaly descriptors, application interaction descriptors, behavioral telemetry descriptors, and contextual threat labels. The output is a synthetic adversarial feature vector representing a plausible attack variant. The model was recalibrated every 30 simulated minutes using newly observed training-window telemetry summaries. Synthetic samples were accepted for detector updates only when they satisfied three criteria: feature-range validity, discriminator confidence above the validation threshold, and non-duplication against existing attack vectors based on cosine similarity. Samples failing these checks were discarded.
5.4. Cross-Layer Feature Extraction
Each Edge Security Node extracts features across three layers:
1) Network Layer Features N i .
Packet inter-arrival timeFlow durationEntropy of source/destination distributionTCP flag anomalies
2) Application Layer Features A i .
API call frequency deviationRequest payload entropyAuthentication failure ratesSession irregularities
3) Behavioral Layer Features B i .
CPU utilization driftMemory allocation anomaliesProcess spawning irregularitiesDevice energy usage deviations
Feature vectors are normalized and fed into local anomaly estimators:
Si=g(Ni,Ai,Bi)
where g ( ⋅ ) may represent a lightweight neural classifier deployed at the edge.
5.5. Dynamic Cross-Layer Risk Fusion
The final threat score is computed as:
Ri=αtNi+βtAi+γtBi+δtCi
where:
C i = contextual threat intelligence from GATE;Weights dynamically updated over time.
Adaptive Weight Update Rule
Weights are updated using performance feedback:
αt+1=αt+λ∂F1∂α
Similarly, for β , γ , δ .
Subject to normalization constraint:
α+β+γ+δ=1
This enables the system to emphasize layers that improve detection performance in current threat landscapes.
5.6. Definition of Local Anomaly Scores
Each Edge Security Node computes three normalized anomaly scores before risk fusion. The network-layer score N i ∈ [ 0 , 1 ] represents deviation in packet timing, flow duration, source-destination entropy, and protocol-flag behavior. The application-layer score A i ∈ [ 0 , 1 ] represents deviation in API request frequency, payload entropy, authentication failures, and session-state consistency. The behavioral score B i ∈ [ 0 , 1 ] represents deviation in CPU utilization, memory consumption, process activity, and device-level resource patterns.
These values are not class probabilities. They are normalized anomaly aggregates produced by lightweight local estimators at each Edge Security Node. A value closer to 0 indicates behavior close to the learned baseline, while a value closer to 1 indicates stronger deviation from expected behavior. The fused risk score combines these normalized signals with contextual threat intelligence weight C i .
5.7. Risk Threshold Adaptation
A static threshold increases false positives during traffic bursts. Therefore, threshold θ t is adjusted dynamically:
θt+1=μRavg+σRstd
where:
R a v g = rolling average risk; R s t d = rolling standard deviation; μ , σ = tuning constants.
The proposed methodology integrates generative threat synthesis, cross-layer anomaly extraction, dynamic risk fusion, and adaptive threshold recalibration into a cohesive distributed framework. This creates a continuously evolving detection ecosystem suitable for intelligent communication infrastructures.
6. Experimental Setup and Simulation Environment
This section describes the experimental design used to evaluate the proposed GenAI-driven adaptive cybersecurity mesh. The objective is to assess detection accuracy, false positive reduction, latency performance, and adaptive robustness under multi-vector attack conditions.
6.1. Experimental Objectives
The evaluation aims to measure:
1) Detection Accuracy (ACC)
2) Precision, Recall, and F1-Score
3) False Positive Rate (FPR)
4) Detection Latency
5) Adaptive Improvement Over Time
6) Scalability under increasing node count
Baseline comparisons include:
Signature-based IDS (Rule-driven)Centralized ML-based IDS (Static Deep Neural Network)
6.2. Simulation Environment
Table 2 summarizes the configuration of the simulated edge-enabled communication environment.
The experimental dataset was generated within the simulated intelligent communication environment described in Table 2. No external public dataset was directly reused for the primary evaluation. Normal traffic instances were generated from heterogeneous node profiles representing IoT sensors, embedded control devices, edge analytics nodes, and gateway services. These profiles produced periodic telemetry, burst communication, API requests, session exchanges, and randomized background noise. The 120,000 normal instances, therefore represent simulated per-flow and per-session communication records collected over a 24-hour synthetic timeline.
Malicious traffic was injected at a 15% attack rate across selected time windows and node groups. DDoS traffic was modeled through high-volume request bursts against edge gateways; MITM behavior was modeled through delayed, modified, and replayed packet sequences; protocol exploitation was modeled through malformed packet fields, irregular handshake sequences, and session manipulation; behavioral drift was modeled through gradual resource-usage deviation at compromised nodes. Synthetic zero-day patterns were generated only from the training partition using the GATE module and then evaluated on held-out test windows to avoid test-set leakage.
To reduce leakage risk, the train, validation, and test partitions were separated by time window rather than by random flow-level sampling. The first 70% of the synthetic timeline was used for training, the next 15% for validation, and the final 15% for testing. Feature normalization parameters, adaptive thresholds, and generative updates were fitted only on the training partition and applied unchanged to validation and test partitions.
6.4. Dataset Composition
The dataset consists of:
120,000 normal traffic instances25,000 malicious instances8000 synthetic zero-day patterns generated by GATEMixed multi-stage attack sequences
Table 3 lists the attack categories and instance counts used in the simulated evaluation.
Table 3.Attack category composition.
Attack Type
Instances
DDoS
10,000
MITM
5000
Protocol Exploitation
4000
Behavioral Drift
3000
Synthetic Zero-Day
8000
Data was partitioned:
70% training15% validation15% testing
6.5. Implementation Details
Edge inference model: Lightweight feedforward neural networkGenerative model: Conditional generative model with contextual embeddingsOptimization: Adam optimizerLearning rate: 0.001Risk fusion weights initialized uniformlyThreshold recalibration interval: Every 30 minutes (simulated)
Hardware configuration (simulation environment):
16-core CPU64 GB RAMGPU-assisted generative training
Deep neural networkPeriodic offline retrainingNo generative augmentation
6.8. Baseline Reproducibility Configuration
All evaluated methods used the same train, validation, and test partitions, feature extraction pipeline, and normalization procedure. The signature-based IDS baseline used static rule patterns corresponding to the attack categories included in the simulation and did not receive adaptive threshold updates or synthetic samples. The centralized ML baseline used a feedforward neural network with three hidden layers, ReLU activation, dropout regularization, Adam optimization, and a learning rate of 0.001. The proposed GCM model used the same base feature set as the centralized ML baseline but added edge-local inference, dynamic risk fusion, adaptive threshold recalibration, and GATE-generated adversarial samples during training-window updates.
Hyperparameters were selected using the validation partition and then fixed before final test evaluation. No model used test-set labels during training, threshold tuning, or synthetic sample generation.
Balanced attack injectionCross-validation across time windowsIndependent test partitionAblation study for:No generative augmentationStatic weight fusionNo adaptive threshold
6.11. Summary
The experimental design simulates a realistic intelligent communication network with heterogeneous nodes and diverse attack scenarios. Comparisons against rule-based and centralized ML-based IDS models enable quantitative evaluation of adaptive performance improvements.
7. Results and Performance Evaluation
This section presents the empirical results comparing the proposed GenAI-driven adaptive cybersecurity mesh (GCM) against two baselines: 1) signature-based IDS (SID) and 2) centralized ML-based IDS (CML).
7.1. Detection Performance
The proposed GCM model achieved the strongest overall classification performance among the three evaluated methods. Accuracy increased from 0.914 for the centralized ML baseline to 0.948, while the false positive rate declined from 0.062 to 0.038. This improvement is important for communication networks because excessive false alerts can delay operational response and reduce trust in automated enforcement. The F1-score also improved to 0.935, indicating that the gain was not driven by precision or recall alone.
Overall Classification Metrics
Table 4 reports the overall classification performance of the evaluated IDS models.
Table 4.Overall classification performance of evaluated IDS models.
Model
Accuracy
Precision
Recall
F1-Score
FPR
SID
0.872
0.841
0.804
0.822
0.091
CML
0.914
0.902
0.887
0.894
0.062
GCM (Proposed)
0.948
0.939
0.931
0.935
0.038
7.2. Variability and Statistical Testing
Results were evaluated across five chronological test windows from the held-out test period. The proposed GCM model consistently outperformed both baselines in accuracy, F1-score, and false positive rate. The paired comparison across the five test windows showed that the GCM improvement over the centralized ML baseline was statistically significant for F1-score.
7.3. Zero-Day Detection Capability
Table 5.Zero-day detection performance.
Model
Zero-Day Recall
Zero-Day F1
SID
0.421
0.398
CML
0.684
0.672
GCM
0.862
0.849
Table 5 summarizes detection performance on synthetic zero-day attack patterns.
The largest relative gain appears in the zero-day evaluation. The rule-based IDS performed poorly because the attack patterns were not represented in its signature base. The centralized ML model performed better but remained limited by its static training distribution. In contrast, the GCM approach benefited from generated adversarial variants, which exposed the detector to a wider range of plausible attack behaviors before evaluation.
7.4. Detection Latency
Table 6 compares the average detection latency of the evaluated models.
Table 6.Average detection latency comparison.
Model
Mean Latency (ms)
SID
142
CML
118
GCM
74
GCM also produced the lowest mean detection latency at 74 ms, compared with 118 ms for centralized ML-based IDS and 142 ms for the signature-based IDS. The reduction is mainly attributable to local inference at the edge, which avoids continuous backhaul of raw telemetry to a central decision point. For intelligent communication systems, this latency reduction is operationally relevant because threat response must often occur before compromised flows spread across dependent services.
7.5. Adaptive Weight Evolution
Cross-layer weight distribution evolved over the simulation. The initial weights were approximately uniform: network-layer weight = 0.33, application-layer weight = 0.33, and behavioral-layer weight = 0.34. After 24 simulated hours, the weights shifted to network-layer weight = 0.46, application-layer weight = 0.34, and behavioral-layer weight = 0.20.
Interpretation:
Network-layer anomalies contributed more significantly during DDoS-heavy intervals.Behavioral metrics reduced weight as attack emphasis shifted.
This confirms adaptive rebalancing effectiveness.
7.6. Scalability Analysis
Table 7 summarizes latency and throughput behavior as the simulated node count increases from 100 to 500.
Table 7.Scalability analysis under increasing node count.
Nodes
Avg Latency (ms)
Throughput Degradation
100
61
0%
300
74
4.2%
500
89
7.8%
Latency growth remained sub-linear, demonstrating distributed efficiency.
7.7. Ablation Study
Table 8 reports the ablation results for the main components of the proposed GCM model.
Table 8.Ablation study of proposed GCM components.
Configuration
F1-Score
Full Model
0.935
No Generative Augmentation
0.902
Static Weights
0.918
Static Threshold
0.911
7.8. ROC-AUC Analysis
The proposed GCM model achieved an ROC-AUC of 0.963, compared with 0.928 for CML and 0.871 for SID. This result indicates stronger separability across attack categories.
The results suggest that the value of the proposed model comes from combining three mechanisms rather than from GenAI alone: local edge inference, dynamic risk fusion, and generated adversarial variants. Edge inference reduced response latency, risk fusion improved contextual scoring, and generative augmentation helped the detector generalize beyond previously observed attack patterns.
The improvement in zero-day recall (0.862) is primarily attributable to adversarial pattern synthesis. By generating contextualized synthetic attack variants, the detection model becomes less dependent on fixed traffic signatures and better generalized to unseen distributions.
This reduces:
Overfitting to historical trafficConcept drift vulnerabilitySensitivity to polymorphic attacks
The ablation study confirms that removing generative augmentation reduces F1-score by approximately 3%.
8.1.2. Effectiveness of Cross-Layer Fusion
The adaptive weight mechanism allowed the system to dynamically prioritize relevant layers during specific attack phases. For instance:
Network layer weight increased during DDoS bursts.Behavioral features became more relevant during stealth compromise phases.
This dynamic rebalancing improved robustness compared to static fusion schemes.
8.1.3. Distributed Architecture Benefits
Edge-based inference reduced centralized bottlenecks, leading to lower detection latency. Sub-linear latency growth during node scaling indicates that the distributed mesh design effectively mitigates performance degradation in large networks.
8.2. Attack-Wise Interpretation
The largest performance gain was observed for synthetic zero-day and protocol exploitation scenarios, where static signatures were least effective. DDoS detection improved mainly because network-layer entropy and packet-rate features were captured locally at edge nodes, reducing response delay. MITM detection improved moderately, especially when application-session irregularities were combined with transport-layer deviations. Behavioral drift remained the most difficult category because gradual resource changes sometimes overlapped with benign workload variation. Most false alarms occurred during bursty legitimate traffic, where temporary packet-rate increases resembled early-stage DDoS behavior.
8.3. Practical Deployment Considerations
While promising, deployment in real-world environments requires addressing:
1)Computational Constraints
Edge devices with limited processing capability may struggle with frequent adaptive updates.Lightweight inference optimization is required.
2)Model Synchronization Overhead
Frequent weight updates may introduce network overhead.Efficient update batching strategies must be implemented.
3)Trust in Generative Outputs
Poorly calibrated generative models may introduce adversarial bias.Synthetic pattern validation mechanisms are necessary.
4)Privacy and Data Governance
Cross-layer telemetry aggregation may raise privacy concerns.Secure aggregation and anonymization must be enforced.
8.4. Limitations
8.4.1.Synthetic Dataset Dependence
The experimental evaluation was conducted in a simulated intelligent communication environment. Although diverse attack scenarios were modeled, real-world deployment may introduce unforeseen noise patterns and operational variability.
8.4.2.Generative Model Complexity
Generative threat synthesis requires periodic retraining. In highly resource-constrained environments, maintaining real-time adaptability may be challenging.
8.4.3.Threshold Sensitivity
Dynamic threshold recalibration improves adaptability but may cause temporary instability during abrupt traffic shifts. Stability mechanisms must be incorporated.
8.4.4.Adversarial Manipulation of GenAI
Sophisticated adversaries could attempt to poison telemetry inputs to manipulate generative adaptation. Defensive adversarial training strategies should be integrated.
8.5. Future Research Directions
Several extensions are proposed:
1) Federated generative threat modeling across organizational boundaries.
2) Integration with blockchain-backed trust management.
3) Formal verification of adaptive threshold stability.
4) Extension toward 6G-enabled ultra-low latency communication systems.
5) Deployment in real-world IoT testbeds for longitudinal validation.
8.6. Overall Implications
The results suggest that embedding adaptive generative intelligence into distributed cybersecurity meshes can meaningfully improve detection robustness in intelligent communication systems. However, practical scalability, stability, and adversarial robustness must be further evaluated under operational deployment conditions.
9. Conclusions
This paper introduced a mesh-based security framework for threat detection in intelligent communication systems. The framework distributes detection and enforcement across edge security nodes while using a GenAI-assisted threat engine to update adversarial assumptions and recalibrate risk scoring.
The main finding is that communication-system security benefits from moving beyond centralized IDS design. By combining local anomaly detection, multi-signal risk fusion, and adaptive policy orchestration, the proposed model reduced detection latency while improving classification performance against both known and synthetic zero-day attacks.
Experimental evaluation in a simulated heterogeneous intelligent communication environment demonstrated:
Improved detection accuracy (94.8%)Significant reduction in false positive rate (3.8%)Strong zero-day recall (86.2%)Reduced detection latency (74 ms average)Stable scalability under increased node density
An ablation study confirmed that generative augmentation and adaptive weight recalibration contributed measurable performance improvements.
While the results indicate promising advances in adaptive distributed cybersecurity, the study is constrained by synthetic simulation environments and computational assumptions. Future work should focus on real-world deployment, federated adaptive learning across domains, and formal robustness guarantees against adversarial manipulation.
The proposed framework contributes toward next-generation intelligent communication security paradigms by embedding adaptive generative reasoning within distributed cybersecurity meshes, aligning with emerging requirements for scalable, resilient, and low-latency protection mechanisms.
Acknowledgments
This research did not receive any specific grant from funding agencies in the public, commercial, or not-for-profit sectors. The authors acknowledge the computational resources used for experimental validation and the anonymous reviewers whose feedback improved the quality of this manuscript.
ReferencesRahman, S.A., Tout, H., Talhi, C. and Mourad, A. (2020) Internet of Things Intrusion Detection: Centralized, On-Device, or Federated Learning? IEEE Network, 34, 310-317. https://doi.org/10.1109/mnet.011.2000286 10.1109/mnet.011.2000286https://doi.org/10.1109/mnet.011.2000286Rahman, S.A.Tout, H.Talhi, C.Mourad, A.Centralized, O2020Internet of Things Intrusion Detection: Centralized, On-Device, or Federated Learning? IEEE Network, 34, 310-31710.1109/mnet.011.2000286Ferrag, M.A.E., Friha, O., Hamouda, D., Maglaras, L. and Janicke, H. (2022) Edge-IIoTset: A New Comprehensive Realistic Cyber Security Dataset of IoT and IIoT Applications for Centralized and Federated Learning. IEEE Access, 10, 40281-40306.Ferrag, M.A.E.Friha, O.Hamouda, D.Maglaras, L.Janicke, H.2022Edge-IIoTset: A New Comprehensive Realistic Cyber Security Dataset of IoT and IIoT Applications for Centralized and Federated LearningIEEE Access10Al Nuaimi, T., Al Zaabi, S., Alyilieli, M., AlMaskari, M., Alblooshi, S., Alhabsi, F., et al. (2023) A Comparative Evaluation of Intrusion Detection Systems on the Edge-Iiot-2022 Dataset. Intelligent Systems with Applications, 20, Article ID: 200298. https://doi.org/10.1016/j.iswa.2023.200298 10.1016/j.iswa.2023.200298https://doi.org/10.1016/j.iswa.2023.200298Nuaimi, T.Zaabi, S.Alyilieli, M.AlMaskari, M.Alblooshi, S.Alhabsi, F.2023A Comparative Evaluation of Intrusion Detection Systems on the Edge-Iiot-2022 DatasetIntelligent Systems with Applications20200298ID10.1016/j.iswa.2023.200298Rose, S.W., Borchert, O., Mitchell, S. and Connelly, S. (2020) Zero Trust Architecture. NIST Special Publication 800-207. https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-207.pdfRose, S.W.Borchert, O.Mitchell, S.Connelly, S.2020Zero Trust ArchitectureKang, H., Liu, G., Wang, Q., Meng, L. and Liu, J. (2023) Theory and Application of Zero Trust Security: A Brief Survey. Entropy, 25, Article No. 1595. https://doi.org/10.3390/e25121595 10.3390/e2512159538136475https://doi.org/10.3390/e25121595Kang, H.Liu, G.Wang, Q.Meng, L.Liu, J.2023Theory and Application of Zero Trust Security: A Brief SurveyEntropy25No10.3390/e2512159538136475Ramos-Cruz, B., Andreu-Perez, J. and Martínez, L. (2024) The Cybersecurity Mesh: A Comprehensive Survey of Involved Artificial Intelligence Methods, Cryptographic Protocols and Challenges for Future Research. Neurocomputing, 581, Article ID: 127427. https://doi.org/10.1016/j.neucom.2024.127427 10.1016/j.neucom.2024.127427https://doi.org/10.1016/j.neucom.2024.127427Ramos-Cruz, B.Andreu-Perez, J.Methods, C2024The Cybersecurity Mesh: A Comprehensive Survey of Involved Artificial Intelligence Methods, Cryptographic Protocols and Challenges for Future ResearchNeurocomputing581127427ID10.1016/j.neucom.2024.127427Khraisat, A., Alazab, A., Singh, S., Jan, T. and Jr. Gomez, A. (2024) Survey on Federated Learning for Intrusion Detection System: Concept, Architectures, Aggregation Strategies, Challenges, and Future Directions. ACM Computing Surveys, 57, Article No. 7. https://doi.org/10.1145/3687124 10.1145/3687124https://doi.org/10.1145/3687124Khraisat, A.Alazab, A.Singh, S.Jan, T.Gomez, A.Concept, AStrategies, C2024Survey on Federated Learning for Intrusion Detection System: Concept, Architectures, Aggregation Strategies, Challenges, and Future DirectionsACM Computing Surveys57No10.1145/3687124Zhang, H., Ye, J., Huang, W., Liu, X. and Gu, J. (2025) Survey of Federated Learning in Intrusion Detection. Journal of Parallel and Distributed Computing, 195, Article ID: 104976. https://doi.org/10.1016/j.jpdc.2024.104976 10.1016/j.jpdc.2024.104976https://doi.org/10.1016/j.jpdc.2024.104976Zhang, H.Ye, J.Huang, W.Liu, X.Gu, J.2025Survey of Federated Learning in Intrusion DetectionJournal of Parallel and Distributed Computing195104976ID10.1016/j.jpdc.2024.104976Breitenbacher, D., Homoliak, I., Aung, Y.L., Elovici, Y. and Tippenhauer, N.O. (2022) HADES-IoT: A Practical and Effective Host-Based Anomaly Detection System for IoT Devices (Extended Version). IEEE Internet of Things Journal, 9, 9640-9658. https://doi.org/10.1109/jiot.2021.3135789 10.1109/jiot.2021.3135789https://doi.org/10.1109/jiot.2021.3135789Breitenbacher, D.Homoliak, I.Aung, Y.L.Elovici, Y.Tippenhauer, N.O.2022HADES-IoT: A Practical and Effective Host-Based Anomaly Detection System for IoT Devices (Extended Version)IEEE Internet of Things Journal910.1109/jiot.2021.3135789Alkadi, O., Moustafa, N., Turnbull, B. and Choo, K.R. (2021) A Deep Blockchain Framework-Enabled Collaborative Intrusion Detection for Protecting IoT and Cloud Networks. IEEE Internet of Things Journal, 8, 9463-9472. https://doi.org/10.1109/jiot.2020.2996590 10.1109/jiot.2020.2996590https://doi.org/10.1109/jiot.2020.2996590Alkadi, O.Moustafa, N.Turnbull, B.Choo, K.R.2021A Deep Blockchain Framework-Enabled Collaborative Intrusion Detection for Protecting IoT and Cloud NetworksIEEE Internet of Things Journal810.1109/jiot.2020.2996590Shu, J., Zhou, L., Zhang, W., Du, X. and Guizani, M. (2021) Collaborative Intrusion Detection for VANETs: A Deep Learning-Based Distributed SDN Approach. IEEE Transactionson Intelligent Transportation Systems, 22, 4519-4530. https://doi.org/10.1109/tits.2020.3027390 10.1109/tits.2020.3027390https://doi.org/10.1109/tits.2020.3027390Shu, J.Zhou, L.Zhang, W.Du, X.Guizani, M.2021Collaborative Intrusion Detection for VANETs: A Deep Learning-Based Distributed SDN ApproachIEEE Transactions on Intelligent Transportation Systems2210.1109/tits.2020.3027390Yao, Y., Duan, J., Xu, K., Cai, Y., Sun, Z. and Zhang, Y. (2024) A Survey on Large Language Model (LLM) Security and Privacy: The Good, the Bad, and the Ugly. High-Confidence Computing, 4, Article ID: 100211. https://doi.org/10.1016/j.hcc.2024.100211 10.1016/j.hcc.2024.100211https://doi.org/10.1016/j.hcc.2024.100211Yao, Y.Duan, J.Xu, K.Cai, Y.Sun, Z.Zhang, Y.2024A Survey on Large Language Model (LLM) Security and Privacy: The Good, the Bad, and the UglyHigh-Confidence Computing4100211ID10.1016/j.hcc.2024.100211de Jesus Coelho da Silva, G. and Westphall, C.B. (2024) A Survey of Large Language Models in Cybersecurity. https://arxiv.org/abs/2402.16968Silva, G.Westphall, C.B.2024A Survey of Large Language Models in CybersecurityXu, H., Wang, S., Li, N., Wang, K., Zhao, Y., Chen, K., Yu, T., Yang, L. and Wang, H. (2024) Large Language Models for Cyber Security: A Systematic Literature Review. ACM Transactions on Software Engineering and Methodology. https://doi.org/10.1145/3769676 10.1145/3769676https://doi.org/10.1145/3769676Xu, H.Wang, S.Li, N.Wang, K.Zhao, Y.Chen, K.Yu, T.Yang, L.Wang, H.2024Large Language Models for Cyber Security: A Systematic Literature Review10.1145/3769676Sharafaldin, I., Habibi Lashkari, A. and Ghorbani, A.A. (2018) Toward Generating a New Intrusion Detection Dataset and Intrusion Traffic Characterization. Proceedings of the4 th International Conference on Information Systems Security and Privacy, Funchal, 22-24 January 2018, 108-116. https://doi.org/10.5220/0006639801080116 10.5220/0006639801080116https://doi.org/10.5220/0006639801080116Sharafaldin, I.Lashkari, A.Ghorbani, A.A.Privacy, F2018Toward Generating a New Intrusion Detection Dataset and Intrusion Traffic CharacterizationProceedings of the 4th International Conference on Information Systems Security and Privacy2210.5220/0006639801080116Canadian Institute for Cybersecurity (2017) Intrusion Detection Evaluation Dataset, CIC-IDS2017. University of New Brunswick. https://www.unb.ca/cic/datasets/ids-2017.htmlDataset, C2017Intrusion Detection Evaluation Dataset, CIC-IDS2017Thakkar, A. and Lohiya, R. (2020) A Review of the Advancement in Intrusion Detection Datasets. Procedia Computer Science, 167, 636-645. https://doi.org/10.1016/j.procs.2020.03.330 10.1016/j.procs.2020.03.330https://doi.org/10.1016/j.procs.2020.03.330Thakkar, A.Lohiya, R.2020A Review of the Advancement in Intrusion Detection DatasetsProcedia Computer Science16710.1016/j.procs.2020.03.330Rawat, M. and Singal, G. (2025) Surveying Technology Fusion in IoT Networks for IDS: Exploring Datasets, Tools, Challenges, and Research Prospects. ACM Transactions on Intelligent Systems and Technology, 16, 1-45. https://doi.org/10.1145/3744745 10.1145/3744745https://doi.org/10.1145/3744745Rawat, M.Singal, G.Datasets, T2025Surveying Technology Fusion in IoT Networks for IDS: Exploring Datasets, Tools, Challenges, and Research ProspectsACM Transactions on Intelligent Systems and Technology1610.1145/3744745