3.1.1. Data cleaning and integration.

Each dataset was loaded into a structured pipeline. Missing values in categorical and numerical features were treated separately. For categorical attributes x_c, the mode imputation was applied:

(1)

where V is the set of possible values for feature x_c. For numerical features x_n, mean imputation was performed:

(2)

with N being the number of valid records.

After imputation, duplicate records were removed, and all datasets were integrated under a unified schema with labels indicating normal (0) or anomalous (1) activity.

3.1.2. Feature Encoding and Normalization.

Categorical EMR features (e.g., race, gender, ethnicity) were converted into dense embeddings using a trainable embedding layer:

(3)

where is the embedding matrix and d is the embedding dimension.

Numerical features (e.g., packet lengths, TCP ports, patient age) were normalized using z-score scaling:

(4)

where and are the mean and standard deviation of feature x_n across the training set. This ensured that all features contributed equally to the optimization process.

3.1.3. Outlier detection and noise reduction.

To increase resilience against adversarial noise, we employed an autoencoder-based outlier filter. Given an input x, the autoencoder reconstructs and computes the reconstruction error:

(5)

Samples with above a threshold were flagged as noisy and either corrected or discarded. This step reduced mislabeled or adversarially perturbed records from corrupting the training set.

3.1.4. Dimensionality reduction.

High-dimensional IoT features (52 attributes per record) were projected into a lower-dimensional latent space using Principal Component Analysis (PCA). For each input vector , the transformation was:

(6)

where contains the top-k eigenvectors of the covariance matrix of the training data. This reduced feature redundancy and improved convergence stability.

3.1.5. Data balancing.

Both datasets exhibited class imbalance, with normal samples dominating anomalous samples. To mitigate this, we applied Synthetic Minority Oversampling Technique (SMOTE). For each minority class sample x_i, a synthetic point x_new was generated as:

(7)

where x_nn is a randomly chosen nearest neighbor and is a random scalar. This ensured a balanced training distribution and reduced classifier bias.

3.1.6. Partitioning into training, validation, and test sets.

Finally, the integrated dataset was partitioned into training, validation, and test subsets with stratification to preserve the anomaly/normal ratio:

(8)

Formally, if N is the total number of samples, then:

(9)

(10)

(11)

The training set was used to optimize model parameters, the validation set to tune hyperparameters and prevent overfitting, and the test set to report final performance metrics.

3.2.1. Problem setting and notation.

Let denote records from the IoT ICU deployment (52 features per record after preprocessing), and denote EMR payload records (mixed numerical/embedded categorical features). Labels are with 1 indicating an anomalous or malicious event. Fig 1 illustrates how these sources map to encoders, detectors, and the fusion head.

We partition data across K clients in a dual layer: (i) edge IoT clients (e.g., per bed or per device group), and (ii) hospital EMR clients (e.g., per department). Client k holds with and local parameters . A central server maintains global parameters .

The global learning objective is the weighted empirical risk:

(12)

where is the model and ℓ is a binary classification loss (defined below).

3.2.2. Threat model.

We consider two adversarial surfaces: (i) data poisoning on a fraction p of clients, which alters local training samples or gradients, and (ii) evasion at inference time. We also assume an honest-but-curious server and enforce privacy with secure aggregation and differential privacy.

3.2.3. Dual-Layer Architecture.

IoT encoder and detector. We model time-aware IoT records with a temporal encoder g_iot and a classifier h_iot:

(13)

(14)

where . In practice, g_iot is a 1D CNN or GRU over a short sliding window, and h_iot is an MLP head.

EMR encoder and detector. We embed categorical EMR fields and concatenate with normalized numerics, then apply g_emr and h_emr:

(15)

(16)

Cross-layer fusion (optional). When IoT and EMR events co-occur within a time window , we fuse representations:

(17)

with pool a mean or attention pooling. This head is trained jointly with the layer-specific heads. The end-to-end steps that prepare inputs for these heads appear in Fig 2.

3.2.4. Architectural details.

To ensure reproducibility, we specify the complete architecture for both IoT and EMR models, along with the fusion head. Each layer type, output shape, activation function, and parameter count is reported in Table 2. The IoT branch processes the 52-dimensional network traffic features, while the EMR branch processes 23 demographic and event fields after embedding and normalization. The fusion head integrates both representations when co-occurring events are present (see Fig 1).

Download:

• PPT
  PowerPoint slide
• PNG
  larger image
• TIFF
  original image

Table 2. Architectural details of IoT branch, EMR branch, and Fusion head.

https://doi.org/10.1371/journal.pone.0343669.t002

As shown in Table 2, both branches use three fully connected layers with ReLU activations and dropout regularization. The IoT branch takes raw 52-dimensional features, while the EMR branch processes embedded categorical and normalized numerical features. Each branch outputs a single anomaly score via a sigmoid activation. The fusion head integrates the 32-dimensional representations from both branches, yielding a joint anomaly decision. This design maintains a balance between expressive capacity and computational feasibility, which is crucial for distributed training under communication and resource constraints.

3.3.1. Loss functions.

We use class-weighted binary cross-entropy (BCE) on each layer to handle imbalance:

(18)

where is the positive-class weight computed from training priors.

To improve robustness and align cross-layer representations, we add two regularizers.

Temporal consistency (IoT). Let be neighboring windows around time t. We enforce smooth scores:

(19)

Cross-layer contrastive alignment. For co-occurring pairs within a window , we apply InfoNCE:

(20)

where sim is cosine similarity, is a temperature, and is a mini-batch of negatives.

Total objective. For a batch the total loss is

(21)

with .

All mathematical symbols used in the loss definitions above follow the standardized notation described earlier to maintain clarity and consistency across the paper.

3.3.2. Federated optimization.

We use synchronous federated rounds with client sampling. At round r, the server broadcasts to a subset . Each client performs E local steps with learning rate :

(22)

and returns .

Robust aggregation. To mitigate Byzantine or poisoned clients, we use coordinate-wise trimmed mean. For each coordinate j, sort , drop the largest and smallest b values, and average the rest:

(23)

We also report Krum selection:

(24)

where is the set of m closest updates to u. The server update is

(25)

with and step size .

3.3.3. Privacy Mechanisms.

Gradient clipping. We bound sensitivity via

(26)

Differential privacy noise addition. We add Gaussian noise for -DP:

(27)

where follows the chosen privacy budget and composition across rounds.

Secure aggregation. Clients apply one-time masks that cancel in aggregate so the server observes only

(28)

and never an individual update. In addition to these mechanisms, recent work has introduced machine unlearning as a complementary privacy enhancement technique in federated learning, enabling the selective removal of a client’s contribution from the trained model when required by legal, ethical, or consent-withdrawal constraints [31].

Implementation details. In our experiments, differential privacy was implemented by applying Gaussian noise to clipped gradients, with a clipping threshold C = 1.0 and noise multiplier , ensuring -DP compliance across rounds. Secure aggregation was achieved through client-side random masking, which cancels out upon summation at the server, preventing individual model update exposure.

Impact of privacy mechanisms. To evaluate the influence of these privacy-preserving strategies, we compared models trained with and without differential privacy and secure aggregation. The privacy-enhanced model achieved 98.7% detection accuracy versus 99.6% for the non-private model, reflecting only a 0.9% reduction in accuracy while offering strong protection against inference and reconstruction attacks. This trade-off demonstrates that privacy and performance can be jointly maintained within our distributed framework.

3.3.4. Split Learning Variant (EMR).

For strict EMR governance, we support split learning. Let with cut layer ℓ. Client k computes smashed data

(29)

sends s_k to the server, which continues forward/backward on . Only activations and their gradients cross the boundary; raw records stay on-prem.

3.3.5. Resilience Protocols.

Client poisoning.  A fraction of clients apply targeted or untargeted perturbations, yielding poisoned updates . We track performance and deviation

(30)

where is the benign mean.

Communication constraints and dropouts. We simulate bandwidth caps with Top-q sparsification:

(31)

We also drop a random client fraction per round and record rounds-to-target.

Detection latency. On timestamped IoT sequences, time to first correct alarm is

(32)

with attack onset t₀ and threshold tuned on validation data.

3.3.6. Training Protocol.

We run R federated rounds. At each round we sample clients, perform E local epochs with batch size B using Adam, and aggregate with the chosen robust rule. We early-stop on validation AUPRC. We use stratified splits (§3.1); the test set remains unseen.

Local SGD minimizes (18)–(20) within the global objective. Hyperparameters include .

3.3.7. Implementation Notes.

IoT windows use length w with stride s. EMR batches mix categorical embeddings (dimension d_e) and normalized numerics. We align IoT and EMR events by wall-clock time within for fusion and contrastive pairs. Privacy accounting reports the composed across R rounds.

3.3.8. Outputs.

The pipeline yields three heads: (i) (edge detection), (ii) (EMR detection), and (iii) (joint decision when signals co-occur). We report detection and resilience metrics in the evaluation section.

4.2.1. Results on IoT Dataset.

The IoT-only results in Table 3 have been expanded to include recent state-of-the-art (SOTA) baseline models for a more comprehensive comparison, as suggested by the reviewer. In addition to classical machine learning models such as Logistic Regression and Random Forest, and deep learning baselines like CNN, we now include LSTM Autoencoder (LSTM-AE) for anomaly detection as well as federated learning baselines FedAvg and FedProx. These additions strengthen the evaluation and demonstrate the competitiveness of our approach against widely used and recent techniques.

Download:

• PPT
  PowerPoint slide
• PNG
  larger image
• TIFF
  original image

Table 3. Performance comparison on IoT dataset.

https://doi.org/10.1371/journal.pone.0343669.t003

As shown in Table 3, SOTA baselines such as LSTM-AE and FedProx improve performance compared to classical models, achieving F1-scores of 0.900 and 0.898, respectively. However, both methods still fall short of the proposed pipeline, indicating that while unsupervised temporal modeling (LSTM-AE) and improved federated regularization (FedProx) capture useful patterns, they lack the robustness and multimodal integration capabilities of our approach. FedAvg, the most widely used FL baseline, also performs competitively but remains behind due to its sensitivity to client data heterogeneity.

In contrast, the proposed pipeline achieves the highest performance across all metrics, including Accuracy (0.942), Precision (0.928), Recall (0.914), F1-score (0.921), AUROC (0.949), and AUPRC (0.936). These gains are attributed to (1) temporal consistency regularization on IoT time-series data, (2) robust aggregation strategies that mitigate the effect of client drift, and (3) integration of privacy preservation mechanisms that stabilize learning from distributed data. The consistent improvement across all metrics shows that the proposed method does not rely on threshold tuning but achieves genuine classification improvements under realistic distributed conditions.

4.2.2. Results on EMR Dataset.

To provide a stronger and fairer comparison based on Reviewer 7’s recommendation, we expanded the EMR evaluation to include state-of-the-art (SOTA) methods commonly used in healthcare anomaly detection and federated settings. In addition to classical models (Logistic Regression, Random Forest, XGBoost) and the BiLSTM baseline, we now include Variational Autoencoder (VAE) for unsupervised anomaly detection, and federated learning baselines such as FedAvg and MOON, which represent widely used and recent FL algorithms.

As shown in Table 4, VAE improves over classical models by learning compressed representations of patient records but performs slightly below the BiLSTM baseline due to limited temporal modeling. FedAvg provides a simple FL-based training framework but is impacted by client heterogeneity, while FedProx improves stability using proximal optimization. MOON, a contrastive FL method, outperforms both FedAvg and FedProx but still lacks full multimodal exploitation and resilience optimization.

Download:

• PPT
  PowerPoint slide
• PNG
  larger image
• TIFF
  original image

Table 4. Performance comparison on EMR dataset.

https://doi.org/10.1371/journal.pone.0343669.t004

Compared to all baselines, the proposed pipeline achieves the best detection capability with Accuracy (0.931), Precision (0.915), Recall (0.902), F1-score (0.908), AUROC (0.936), and AUPRC (0.922). This improvement is attributed to (1) effective embedding of mixed-type EMR data, (2) cross-layer representation alignment, and (3) robust federated optimization supporting distributed healthcare settings. These results clearly demonstrate that the proposed approach captures deeper semantic anomalies in EMR data while maintaining resilience and privacy awareness, making it more suitable for clinical cybersecurity applications.

4.2.3. Results on Combined IoT and EMR Dataset.

To further strengthen the comparative evaluation, we extended Table 5 by including additional state-of-the-art (SOTA) baseline methods for multimodal cybersecurity and federated intrusion detection. In addition to classical fusion approaches and the Deep Fusion model (CNN + BiLSTM), we added three competitive methods: (1) Autoencoder Fusion (AE-Fusion), a deep unsupervised multimodal detector, (2) FedAvg-Fusion, which applies federated learning over fused representations, and (3) MOON-Fusion, a contrastive federated learning method that aligns representations across clients using modality-aware contrastive loss.

Download:

• PPT
  PowerPoint slide
• PNG
  larger image
• TIFF
  original image

Table 5. Performance comparison on combined IoT and EMR dataset.

https://doi.org/10.1371/journal.pone.0343669.t005

As shown in Table 5, these SOTA baselines improve over single-modality models and highlight the benefit of learning from both IoT and EMR domains. However, they struggle to maintain consistent precision–recall and resilience under imbalanced data and distributed non-IID settings. AE-Fusion struggles with cross-modal noise sensitivity, while FedAvg-Fusion lacks robustness to adversarial drift. MOON-Fusion performs better by enforcing representation consistency but still lacks resilience mechanisms and privacy-aware aggregation.

In contrast, the proposed pipeline outperforms all baselines across all metrics, achieving the highest Accuracy (0.953), Precision (0.938), Recall (0.926), F1-score (0.932), AUROC (0.961), and AUPRC (0.947). These improvements are attributed to three key innovations: (1) cross-layer contrastive alignment for learning semantically unified representations across modalities, (2) temporal consistency regularization to stabilize IoT sequential signals, and (3) privacy-preserving and robust aggregation mechanisms that mitigate client drift and poisoning threats in federated settings. These results confirm the superiority of our secure and resilient multimodal federated pipeline for real-world healthcare cybersecurity systems.

4.2.4 Resilience under Client Poisoning.

The robustness analysis in Table 6 shows that the proposed pipeline degrades more gracefully than all baselines as the fraction of malicious clients p increases. At p = 0, it achieves 0.953, already ahead of the strongest baseline (Deep Fusion at 0.928, + 0.025). As poisoning intensifies, the performance gap widens: at p = 0.1 the margin over Deep Fusion grows to +0.044 (0.932 vs. 0.888), at p = 0.2 to +0.055 (0.908 vs. 0.853), and at p = 0.3 to +0.065 (0.879 vs. 0.814). In absolute terms, the proposed method drops by only 0.074 from p = 0 to p = 0.3 (7.8% relative), whereas Deep Fusion falls by 0.114 over the same range (12.3% relative), with tree ensembles declining even more. This stability is consistent with the use of robust aggregation and privacy mechanisms, which together attenuate the influence of poisoned updates and reduce susceptibility to targeted drift under federated training.

Download:

• PPT
  PowerPoint slide
• PNG
  larger image
• TIFF
  original image

Table 6. Resilience under client poisoning (combined dataset).

https://doi.org/10.1371/journal.pone.0343669.t006

4.2.5. Impact of communication constraints.

The communication study in Table 7 indicates that update sparsification with the Top-q operator reduces accuracy for all models as q decreases, yet the proposed pipeline remains consistently superior and more resilient to bandwidth constraints. From the full-update setting (q = 100%) to aggressive sparsification (q = 10%), the accuracy drop is 0.092 for the proposed approach (0.953 to 0.861), compared with 0.116 for Deep Fusion (0.928 to 0.812), 0.110 for XGBoost Fusion (0.911 to 0.801), and 0.119 for Random Forest Fusion (0.902 to 0.783). At moderate compression (q = 50%), the proposed method retains 0.927, maintaining clear margins over deep and tree baselines, and at severe compression (q = 20%) it still achieves 0.896, exceeding the next best by at least 0.045. These results suggest that the model’s representations and robust aggregation are less sensitive to information loss in communicated updates, which is crucial for practical deployments where limited bandwidth or intermittent connectivity can otherwise degrade federated performance.

Download:

• PPT
  PowerPoint slide
• PNG
  larger image
• TIFF
  original image

Table 7. Impact of communication constraints (combined dataset).

https://doi.org/10.1371/journal.pone.0343669.t007

4.2.6. Impact of privacy mechanisms.

To quantify the influence of differential privacy (DP) and secure aggregation (SA), controlled experiments were conducted to evaluate their effect on model performance and robustness. The results are summarized in Table 8.

Download:

• PPT
  PowerPoint slide
• PNG
  larger image
• TIFF
  original image

Table 8. Impact of Privacy Mechanisms on Model Performance (combined dataset).

https://doi.org/10.1371/journal.pone.0343669.t008

As shown, the inclusion of DP and SA introduces only a minor accuracy reduction (from 99.6% to 98.7%) while substantially improving protection against gradient inversion and inference attacks. The AUPRC remains above 0.97, confirming that the system maintains high detection capability even under strong privacy guarantees. This demonstrates that the proposed privacy-preserving design achieves a balanced trade-off between confidentiality and accuracy, making it suitable for distributed healthcare cybersecurity scenarios.

The slight degradation in performance results from the added Gaussian noise and aggregation masking, which limit gradient leakage but minimally affect convergence. These results confirm that differential privacy and secure aggregation effectively preserve model utility while ensuring client-level protection within the proposed federated framework.

4.2.7. Detection latency on IoT dataset.

Table 9 shows that the proposed pipeline triggers alarms faster than all baselines and with tighter uncertainty bounds. The mean latency drops to 5.9 time steps with a standard deviation of 1.4, while the 95% confidence interval remains narrow (5.6–6.2), indicating stable response times across attacks. Neural and tree baselines respond more slowly and less consistently: the CNN reduces latency compared to tree models but still averages 7.8 steps (CI 7.4–8.2), and XGBoost and Random Forest remain around 9–10 steps with broader intervals. Logistic regression is the slowest at 11.4 steps. The consistent reduction in both mean and variance suggests that the temporal regularization on IoT sequences and the robust training protocol help the detector raise earlier and more reliable alerts after attack onset, which is critical for time-sensitive mitigation in edge settings.

Download:

• PPT
  PowerPoint slide
• PNG
  larger image
• TIFF
  original image

Table 9. Detection latency comparison on IoT dataset. Lower is better.

https://doi.org/10.1371/journal.pone.0343669.t009

4.2.8. Ablation study.

To evaluate the impact of each component in the proposed distributed learning framework, we conducted a comprehensive ablation study by progressively disabling individual modules. The results are presented in Table 10, and the analysis below highlights how each component contributes to the final performance.

Download:

• PPT
  PowerPoint slide
• PNG
  larger image
• TIFF
  original image

Table 10. Ablation study on combined dataset. Each row removes a component from the proposed pipeline.

https://doi.org/10.1371/journal.pone.0343669.t010

Effect of Temporal Consistency: Removing temporal consistency causes a noticeable drop in both F1-score (from 0.932 to 0.910) and AUPRC (from 0.947 to 0.926). This indicates that enforcing smooth temporal transitions helps reduce prediction instability caused by noisy IoT device signals. Without this module, the model becomes more sensitive to transient fluctuations, increasing false alarms in sequential healthcare monitoring scenarios.

Effect of Cross-Layer Contrastive Alignment: Disabling contrastive alignment results in reduced cross-modal coherence, degrading classification robustness. The AUC-ROC drops from 0.961 to 0.934, and the F1-score declines to 0.904. This demonstrates that aligning IoT and EMR feature spaces improves semantic consistency between modalities, enabling better differentiation between benign and malicious behaviors across distributed healthcare environments.

Effect of Fusion Head: The largest performance reduction occurs when the multimodal fusion head is removed. Accuracy drops to 0.921 and F1-score to 0.897. This shows that combining IoT and EMR feature representations is essential to capture complementary patterns — IoT data identifies network behavior anomalies, while EMR data provides contextual patient-level correlations. Without fusion, the framework loses its multimodal advantage.

Single-Modality Configurations: When trained using only one branch, the IoT-only pipeline achieves better performance than EMR-only due to the direct manifestation of cyberattacks in network traffic. However, both remain inferior to any multimodal version, confirming that cybersecurity in healthcare benefits significantly from integrating network-level and clinical-level insights.

Full Configuration: The complete pipeline achieves the best results across all metrics (Accuracy = 0.953, Precision = 0.938, Recall = 0.926, F1 = 0.932, AUC-ROC = 0.961, AUPRC = 0.947). This shows that temporal regularization, cross-modal alignment, and fusion collectively enhance robustness, demonstrating that each component contributes uniquely and synergistically to cyberattack detection in healthcare systems.

4.2.9. Training dynamics, efficiency, and robustness.

Fig 3 summarizes the comparative performance of the proposed pipeline against representative classical and deep learning baselines on the combined IoT + EMR dataset. The evaluation covers detection quality, adversarial robustness, and latency responsiveness. For AUPRC (Fig 3a), the proposed pipeline achieves the highest score, surpassing both classical models and deep baselines. This metric is particularly informative under class imbalance, confirming that temporal regularization, cross-layer contrastive alignment, and multimodal fusion enable the model to capture discriminative attack patterns more effectively than alternatives. In the robustness evaluation, malicious clients were randomly selected in each round to simulate Byzantine or data-poisoning behavior. Specifically, a fraction of clients were designated as malicious and replaced their gradient updates with perturbed values drawn from a scaled random noise distribution or sign-flipped versions of legitimate gradients. The selection was randomized at the beginning of each round to prevent overfitting to a fixed subset. This stochastic design provides a fair and unbiased assessment of model resilience against dynamic adversarial participants.

For robustness to client poisoning (Fig 3b), accuracy trends are compared as the fraction of malicious clients p increases. While both methods degrade as p grows, the proposed pipeline maintains a clear advantage at all levels. Notably, at p = 0.3, it sustains substantially higher accuracy than the deep fusion baseline, validating the benefits of secure aggregation and privacy-preserving mechanisms for adversarial resilience. For IoT detection latency (Fig 3c), the proposed pipeline achieves the lowest median latency and narrowest interquartile range. In contrast, both classical and deep baselines exhibit higher mean delays and larger variability. Faster and more stable detection underscores the pipeline’s suitability for real-world IoT deployments where timely alerts are critical to patient safety.

The box plot in Fig 3c was generated from detection latency values computed across all IoT test sequences. For each model, latency was defined as the number of time steps between attack onset t₀ and the first correct alarm t satisfying , where was tuned on the validation set. Each box shows the interquartile range (IQR) of these latencies, the horizontal line denotes the median, and the green triangle marks the mean. Outliers are observations outside , indicating occasional delayed detections under atypical network fluctuations or transient client dropouts. The narrow IQR and fewer outliers for the proposed model confirm lower and more consistent response times.

Download:

• PPT
  PowerPoint slide
• PNG
  larger image
• TIFF
  original image

Fig 3. Comparative evaluation of the proposed pipeline against baselines.

(a) AUPRC highlights superior detection quality. (b) Robust accuracy is sustained even with malicious clients. (c) Lower and more stable IoT detection latency ensures timely alerts.

https://doi.org/10.1371/journal.pone.0343669.g003

Fig 4 illustrates the evolution of both training/validation loss and accuracy across epochs. The proposed pipeline exhibits smooth convergence, with losses steadily decreasing and a small generalization gap. The early rapid decline indicates effective optimization and stable gradient flow, while the later flattening reflects convergence toward a well-regularized solution. Importantly, the validation loss does not diverge from the training loss, suggesting that regularizers and preprocessing steps—such as SMOTE balancing and autoencoder-based noise filtering—help prevent overfitting. For accuracy, both training and validation curves rise quickly during the initial optimization phase and then saturate, with validation accuracy closely tracking training accuracy. This confirms effective generalization without overfitting, supported by dropout regularization, class balancing, and the inclusion of contrastive and temporal consistency terms in the loss. The stabilization of validation accuracy at a high level further underscores the robustness of the proposed pipeline across unseen data distributions in distributed healthcare settings.

Download:

• PPT
  PowerPoint slide
• PNG
  larger image
• TIFF
  original image

Fig 4. Training dynamics of the proposed pipeline.

(a) Loss curves show smooth convergence with small generalization gap. (b) Accuracy curves indicate stable generalization and controlled overfitting.

https://doi.org/10.1371/journal.pone.0343669.g004

Fig 5 summarizes the evolution of AUPRC and AUROC across epochs for both training and validation sets. For AUPRC (Fig 5a), both curves improve rapidly during early epochs and then stabilize, with validation values closely tracking training. This indicates that the model generalizes well to unseen samples without overfitting to the minority attack class. The sustained high plateau highlights the effectiveness of class-weighted binary cross-entropy and contrastive alignment in maintaining recall without sacrificing precision, confirming reliability in detecting rare but critical anomalies in healthcare streams. For AUROC (Fig 5b), both training and validation curves increase steadily and converge to a high plateau, reflecting improved separation between normal and anomalous events. The alignment between curves and absence of large oscillations indicate stable learning dynamics. Sustained high AUROC underscores the robustness of the decision boundaries learned by the pipeline, which is essential for minimizing false alarms while preserving sensitivity in healthcare intrusion detection scenarios.

Download:

• PPT
  PowerPoint slide
• PNG
  larger image
• TIFF
  original image

Fig 5. Evolution of ranking-based performance metrics over epochs.

(a) AUPRC reflects precision–recall trade-offs under class imbalance. (b) AUROC illustrates class separability improvements.

https://doi.org/10.1371/journal.pone.0343669.g005

Fig 6 illustrates the training efficiency of the proposed pipeline in terms of learning rate dynamics and wall-clock time per epoch. The learning rate schedule (Fig 6a) follows a one-cycle policy with warmup and cosine decay. The warmup phase gradually increases the learning rate, stabilizing gradient updates in the early stages and preventing divergence. Subsequently, the cosine decay provides a smooth reduction that enables finer adjustments as convergence is approached. This dynamic scheduling strategy accelerates early training while reducing the risk of overfitting, contributing to the consistent performance observed in previous figures. The epoch wall-clock time (Fig 6b) reflects the throughput and stability of the distributed implementation. Initial fluctuations occur due to GPU memory allocation and data pipeline setup, but times quickly stabilize to a nearly constant value. This consistency demonstrates efficient coordination of gradient aggregation and communication overhead with computation. The modest and predictable per-epoch costs confirm that the pipeline is scalable and suitable for large healthcare datasets where frequent retraining may be required.

Download:

• PPT
  PowerPoint slide
• PNG
  larger image
• TIFF
  original image

Fig 6. Training efficiency of the proposed pipeline.

(a) Adaptive learning rate schedule accelerates convergence while maintaining stability. (b) Stable epoch times confirm scalability of the distributed implementation.

https://doi.org/10.1371/journal.pone.0343669.g006

Fig 7 presents the evolution of both validation AUPRC and the differential privacy budget across federated rounds. For validation AUPRC (Fig 7a), the curve shows a steady increase during the first 20–30 rounds before plateauing, reflecting rapid aggregation of useful local updates and convergence of the distributed optimization. The smooth trajectory without oscillations demonstrates stability under non-IID IoT and EMR data partitions, confirming the robustness of the proposed pipeline in federated environments. For the privacy budget (Fig 7b), accumulation is observed as rounds progress under fixed noise and gradient clipping. As expected, increases monotonically due to repeated composition, capturing the trade-off between model utility and formal privacy protection. Importantly, the slope remains manageable across training rounds, showing that strong anomaly detection performance can be maintained while staying within practical privacy budgets. Together, these results highlight the pipeline’s ability to balance privacy preservation with effective distributed learning.

Download:

• PPT
  PowerPoint slide
• PNG
  larger image
• TIFF
  original image

Fig 7. Federated training dynamics of the proposed pipeline.

(a) Validation AUPRC convergence demonstrates stable distributed optimization. (b) Privacy budget accumulation reflects the trade-off between utility and differential privacy guarantees.

https://doi.org/10.1371/journal.pone.0343669.g007

Fig 8 illustrates the robustness and reliability of the proposed pipeline under adversarial settings. Robust accuracy (Fig 8a) is measured across federated rounds when p = 0.2 of the clients are malicious. Despite poisoned gradient updates, the pipeline maintains stable and high accuracy throughout training, whereas conventional baselines degrade more sharply. This confirms the effectiveness of secure aggregation and regularization strategies in mitigating adversarial influence, ensuring trustworthy anomaly detection in distributed healthcare environments. Expected Calibration Error (ECE) (Fig 8b) evaluates the alignment between predicted probabilities and true outcome frequencies. The steady reduction of ECE over epochs shows that the proposed framework not only improves accuracy but also produces better-calibrated confidence scores. This property is critical in healthcare cybersecurity, where reliable probability estimates enable risk-aware decision-making and reduce false alarms or missed detections. Together, these results highlight that the proposed pipeline can sustain robust and well-calibrated performance under real-world adversarial conditions.

Download:

• PPT
  PowerPoint slide
• PNG
  larger image
• TIFF
  original image

Fig 8. Robustness and reliability of the proposed pipeline.

(a) Defense mechanisms sustain accuracy under poisoning. (b) Probability calibration improves steadily, enabling reliable risk-aware decision-making.

https://doi.org/10.1371/journal.pone.0343669.g008