The rapid expansion of Internet of Things (IoT)-Smart Grid infrastructures has been heightened in their

vulnerability tendencies to diverse and evolving cyber threats, and this prompts the need for advanced intrusion

detection mechanisms. Hence, this study presents a Multi-Channel Data Fusion Network (MCDFN) framework

which is designed for the detection and classification of both common and domain-specific cyberattacks in real-

time. The proposed architecture integrates Convolutional Neural Networks (CNN) algorithm for spatial feature

extraction with recurrent layers for temporal sequence modelling which enables an effective system for

recognition of both static and dynamic intrusion patterns. In the system, a dual-dataset training strategy was

adopted by combining the NSL-KDD benchmark dataset with realistic IoT–Smart Grid traffic collected from

Mininet-WiFi simulation environment, and this incorporated targeted attack scenarios such as Man-in-the-

accuracy, low-latency processing and adaptability to heterogeneous network environments result, the proposed

MCDFN framework represents a scalable and operationally viable intrusion detection solution for securing

critical IoT–Smart Grid infrastructures against evolving cyber threats.

Keywords: IDS; MCDFN; IoT; Smart Grid; Cyberattack Detection

The ever-growing growth in IoT and smart grid technologies has changed the contemporary infrastructure of the

society by providing intelligence automation, real-time monitoring, and decentralized control of operative

activity in numerous spheres, including, but not limited to, energy, healthcare, and transportation (Kakolu et al.,

2023; Zhang, 2025). Nevertheless, such digital and technological change has also brought upon itself a series of

new opportunities due to the nature of such networks being highly targeted by other elevated and complicated

the new attack patterns (Al-Garadi et al., 2020). The systems are capable of dealing with large amounts of data

in real-time, proving to be reliable in detections with low false positives (Alsarhan et al., 2023). Convolutional

Neural Networks (CNN), Long Short-Term Memory (LSTM), and Isolation Forests are some of the models

exemplifying high accuracy in detection of both identified and novel threats (Ullah et al., 2022).

The networks of smart grids that combine IoT sensors in energy distribution, metering, and load balancing

systems are especially vulnerable because of its distributed network configuration and the relevant importance

of their work (Ghosh et al., 2021). The use of AI-based IDS can promote the resiliency of smart grids by tracking

the information pathways, preventing intrusion, and safeguarding control messages (Alzahrani et al., 2021; Al-

Garadi et al., 2020). Some of the more recent technologies like federated learning and blockchain further

reinforce these systems by allowing block-chain-like tamper evident logging of threats, as well as decentralized,

cybersecurity decision (Hussain et al., 2022; Ghosh et al., 2021). Besides their potential, AI-based IDS has some

issues. These are limited labelled training data, the computational burden of deep learning modules, and inability

to interpret complex AI decisions (Al-Garadi et al., 2020; Ullah et al., 2022). Furthermore, these systems must

use lightweight architectures and energy-efficient algorithms to deploy such systems on limited IoT devices

(Alsarhan et al., 2023). The first issue is central to the far-reaching implementation of AI-based IDS in real life

(Haozhe, 2025).

This piece of work aims to introduce a hybrid AI-based IDS architecture specifically designed to IoT and smart

grid systems which will address hybrid deployment architectures that mix lightweight, but precise identification

on edge or gateway devices, with more capable identification and analysis in the cloud or fog layer. Federated

learning, model compression, online learning, and others will be used as strategies to overcome privacy, resource

experimental design is chosen because it enables systematic testing of detection algorithms under controlled

conditions using benchmark datasets which is then followed by validation in a simulated IoT-Smart Grid

environment. The block diagram of the proposed system methodology is presented in Figure 1 which shows how

the proposed methodology flows from data collection to final classification in the proposed intelligent

architecture

Figure 1: Research Methodology Block Diagram

A combination of 2 datasets was leveraged in demonstrating the training of the proposed machine learning model

in this study. NSL-KDD dataset (Revathi and Malathi, 2013) belongs to the set of benchmarks commonly

significant, as it formerly resulted in models favoring more common types of attacks (Eldakhly, 2025). The

dataset consists of 41 clear-cut connection level features extracted in the TCP/IP traffic streams and they help in

issues in the NSL-KDD dataset make it a great point of departure in training the fundamental intrusion detection

schemes of the proposed system as well as benchmarking and validation of the schemes.

Subsequently, the Mininet-WiFi simulation data set, in its turn, adds a practical, domain-specific aspect to the

analysis through simulating realistic IoT network and smart grid network network conditions. With Mininet-

WiFi emulator employed, bespoke network configurations will be created to resemble a smart meter, sensor,

controller, and other important IoT devices usually communicating through wireless mediums. Traffic will be

captured in both benign operation conditions and malicious conditions such as, Man-in-the-Middle (MITM),

Denial of Service (DoS) flood, and Replay. The data that will be captured will consist of packet-level data of

protocol types and IP addresses, sizes of packets, timestamps and dynamic trend of traffic flow that are crucial

in real-time analysis of intrusions. This dataset ensures that the proposed IDS is not only capable of performing

interoperability when training the AI models. In the case of NSL-KDD, data cleaning will form the preprocessing

stage whereby inconsistent as well as corrupted values will be deleted. The features of the dataset (41 of them)

are thereafter considered in terms of significance to eliminate the least informative features with techniques like

Mutual Information and Recursive Feature Elimination (RFE) by using feature selection (Mohanty et al., 2024).

This is done to retain useful attributes useful to detect intrusions. Categorical features like protocol type, service

and Flag variables are converted into numerical using one-hot encoding and the numbers of continuous features

are scaled using Min-Max scaling technique (Williamson_5, 2024) to have comparable ranges of each variable.

Lastly, the imbalances in classes are mitigated, especially on rare types of attacks, such as U2R and R2L, through

the Synthetic Minority Oversampling Technique (SMOTE) (Wu et al., 2022) in order to make the model sensitive

towards minority classes.

case they are non-numeric; the numerical features are normalized and reflecting that noise is reduced by

excluding irrelevant or redundant features. Equally, in the same way that NSL-KDD preprocessing can be used,

SMOTE or controlled under-sampling can be used to normalize the frequency of attacks and normal traffic

instances. By applying dataset-specific preprocessing pipelines and then merging the processed outputs into a

standardized feature space, the system ensures that both benchmark and simulation data can be fed into the same

AI model architecture without bias toward one source. This dual-preprocessing strategy enhances the robustness

of the IDS in handling both structured legacy datasets and real-world IoT-Smart Grid network traffic.

It has been proposed that the proposed intrusion detection system will be modelled using the MCDFN based

architecture, as it is customized to accommodate heterogeneous network traffic of a benchmarked and real-life

KDD dataset (structured connection records) and the Mininet-WiFi dataset (packet-level time-series data) over

independent but parallel communication channels that merge into a separate decision framework.

on aggregated traffic flows read out of the Mininet-WiFi PCAP files. All the flows maintain the temporal

properties critical to identify IoT-specific and Smart Grid-specific attacks, including man-in-the-middle attacks,

replay attacks, locator-based attacks, or coordinated denial-of-service attacks. In this case, CNN layers serve as

local feature extractors of metrics at the packet-level and the GRU layers time variations in traffic patterns. Such

a configuration allows the system to build out finer-grained detection based on a realistic, domain-specific traffic

behaviour.

representation of features. It is composed of four parallel modules, which are customized in order to derive

distinct spatial and temporal patterns out of network traffic. The first module consists of a Bi-GRU layer

representing the sequential behaviour and avoiding overfitting. The third module has a BiLSTM layer

(activation: tanh, recurrent activation: sigmoid, output: (30, 64)) whose output is connected to the Dropout layer

suggested IDS can achieve high accuracy levels that satisfy the low latency needs of the IoT-Smart Grid

environment activities, which makes it capable of implementation in real life.