HLPMM–GRSPHTRU: An explainable cross-layer temporal framework for multi-stage attack detection in IoT-CPS
DOI: https://doi.org/10.18488/76.v13i2.4927

Abstract
The rapid growth of Internet of Things (IoT)-powered Cyber-Physical Systems (CPS) has led to advanced, multi-level cyber-attacks such as ransomware, distributed denial-of-service (DDoS), and malware, which tend to spread across various system levels over time. Current intrusion detection systems often fail to detect these cross-layer temporal dependencies and offer weak interpretability, limiting their trustworthiness in safety-critical CPS environments. To address these issues, this paper proposes an explainable cross-layer temporal correlation system for detecting multi-stage cyber-attacks in IoT-enabled CPS. The framework combines the Hidden Laguerre Polynomial Markov Model (HLPMM), a probabilistic sequence model that enables flexible state transition learning, with a Gated Rastrigin Sphere Penalized Hyperbolic Tangent Recurrent Unit (GRSPHTRU), an improved gated recurrent neural network designed for healthy temporal feature learning. Principal Griewank Component Analysis is employed for dimensionality reduction, while an adaptive density-based clustering mechanism groups behavioral patterns. Model transparency is achieved through a Shapley-based explainability module, and system integrity is maintained via blockchain-based tamper-resistant logging. The federated learning structure decentralizes training across multiple distributed CPS nodes, reducing raw data sharing and enhancing privacy. Experimental analysis using benchmark ransomware, malware, and CIC-DDoS2019 datasets demonstrates high performance, with detection accuracy and explainability fidelity reaching up to 99 percent compared to conventional RNN, LSTM, BiLSTM, and GRU models. Additionally, feature compression and federated aggregation significantly impact computational load and communication overhead, facilitating scalable deployment.
