Enhancing generalization of cross-domain intrusion detection: a heterogeneous deep stacked ensemble approach

Intrusion Detection Systems (IDS) are critical for safeguarding network infrastructures, yet the challenges of heterogeneous environments and diverse data distributions often hinder their effectiveness. This study introduces the Heterogeneous Deep Stacked Ensemble for IDS (HDSE-IDS), a novel framework designed to improve cross-domain generalization by integrating Gated Recurrent Units (GRU), Long Short-Term Memory (LSTM), Deep Neural Networks (DNN), and Multi-Layer Perceptron (MLP) models in a stacked ensemble architecture. Each base model is trained on a distinct dataset and frozen to preserve domain-specific decision boundaries, while a meta-learner aggregates their predictions to form the final decision layer. The study conducted comprehensive cross-domain evaluations using four benchmark NetFlow-based datasets: NFv2-UNSW-NB15, NFv2-BoT-IoT, NFv2-ToN-IoT, and NFv2-CIC-2018. The proposed HDSE-IDS framework achieved an average F1-score of 88.77%, representing up to a 30% improvement over recent state-of-the-art methods. These findings demonstrate the robustness and effectiveness of HDSE-IDS in diverse and dynamic network scenarios, contributing to the advancement of scalable, generalizable IDS solutions for modern cybersecurity challenges.