Open Access

ARTICLE

Systematic Evaluation of Few-Shot Learning for Unseen IoT Network Attack Detection

Liam Revell¹, Hyunjae Kang^1,*, Jung Taek Seo², Dan Dongseong Kim¹

1 School of Electrical Engineering and Computer Science, The University of Queensland, Brisbane, QLD, Australia
2 Department of Smart Security, Gachon University, Seongnam-si, Gyeonggi-do, Republic of Korea

* Corresponding Author: Hyunjae Kang. Email:

(This article belongs to the Special Issue: Computer Modeling for Future Communications and Networks)

Computer Modeling in Engineering & Sciences 2026, 147(1), 45 https://doi.org/10.32604/cmes.2026.078467

Received 31 December 2025; Accepted 23 March 2026; Issue published 27 April 2026

Abstract

The rapid proliferation of Internet of Things (IoT) devices has increased the importance of network intrusion detection systems (NIDS) for protecting modern networks. However, many machine learning and deep learning based NIDS rely on large volumes of labeled attack data, which is often impractical to obtain for newly emerging or rare attacks. This paper presents a benchmark-style systematic evaluation of meta-learning-based Few-Shot Learning (FSL) classifiers for detecting previously unseen intrusions with limited labeled data. We investigate three representative FSL models, namely Prototypical Networks, Relation Networks, and MetaOptNet, and further examine two decision-level ensemble strategies based on majority voting and probability averaging. Experiments are conducted on the UQ-IoT-IDS-2021 dataset under four attack distributions and five K-shot settings (K∈{3,5,7,10,15}), with performance reported separately for seen and unseen attacks using class-balanced macro-averaged F1 score. The experimental results show that MetaOptNet consistently provides the strongest and most stable performance on unseen attacks. Furthermore, investigating decision-level ensembling reveals that probability averaging frequently matches or marginally outperforms the best base model by successfully mitigating weaker predictions, whereas majority voting demonstrates slight performance degradation due to strict consensus requirements. We also highlight prominent error modes, such as benign-attack ambiguity and cross-device attack correlations, alongside an analysis of model complexity and inference latency. These findings highlight the potential of few-shot learning for data-scarce intrusion detection and provide insights into model selection and architectural trade-offs under varying support set sizes and attack compositions.

---

Keywords

---