{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2025,10,20]],"date-time":"2025-10-20T00:07:37Z","timestamp":1760918857955,"version":"build-2065373602"},"reference-count":43,"publisher":"MDPI AG","issue":"10","license":[{"start":{"date-parts":[[2025,10,17]],"date-time":"2025-10-17T00:00:00Z","timestamp":1760659200000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/creativecommons.org\/licenses\/by\/4.0\/"}],"funder":[{"DOI":"10.13039\/501100004351","name":"Sultan Qaboos University","doi-asserted-by":"crossref","id":[{"id":"10.13039\/501100004351","id-type":"DOI","asserted-by":"crossref"}]}],"content-domain":{"domain":[],"crossmark-restriction":false},"short-container-title":["Information"],"abstract":"<jats:p>Securing Industrial Control Systems (ICSs) is critical, but it is made challenging by the constant evolution of cyber threats and the scarcity of labeled attack data in these specialized environments. Standard intrusion detection systems (IDSs) often fail to adapt when transferred to new networks with limited data. To address this, this paper introduces an adaptive intrusion detection framework that combines a hybrid Convolutional Neural Network and Long Short-Term Memory (CNN-LSTM) model with a novel transfer learning strategy. We employ a Reinforcement Learning (RL) agent to intelligently guide the fine-tuning process, which allows the IDS to dynamically adjust its parameters such as layer freezing and learning rates in real-time based on performance feedback. We evaluated our system in a realistic data-scarce scenario using only 50 labeled training samples. Our RL-Guided model achieved a final F1-score of 0.9825, significantly outperforming a standard neural fine-tuning model (0.861) and a target baseline model (0.759). Analysis of the RL agent\u2019s behavior confirmed that it learned a balanced and effective policy for adapting the model to the target domain. We conclude that the proposed RL-guided approach creates a highly accurate and adaptive IDS that overcomes the limitations of static transfer learning methods. This dynamic fine-tuning strategy is a powerful and promising direction for building resilient cybersecurity defenses for critical infrastructure.<\/jats:p>","DOI":"10.3390\/info16100910","type":"journal-article","created":{"date-parts":[[2025,10,17]],"date-time":"2025-10-17T13:07:22Z","timestamp":1760706442000},"page":"910","update-policy":"https:\/\/doi.org\/10.3390\/mdpi_crossmark_policy","source":"Crossref","is-referenced-by-count":0,"title":["Intrusion Detection in Industrial Control Systems Using Transfer Learning Guided by Reinforcement Learning"],"prefix":"10.3390","volume":"16","author":[{"ORCID":"https:\/\/orcid.org\/0009-0000-6491-0749","authenticated-orcid":false,"given":"Jokha","family":"Ali","sequence":"first","affiliation":[{"name":"Department of Information Systems, Sultan Qaboos University, Muscat 123, Oman"}]},{"ORCID":"https:\/\/orcid.org\/0000-0001-7905-7306","authenticated-orcid":false,"given":"Saqib","family":"Ali","sequence":"additional","affiliation":[{"name":"Department of Information Systems, Sultan Qaboos University, Muscat 123, Oman"}]},{"given":"Taiseera","family":"Al Balushi","sequence":"additional","affiliation":[{"name":"Department of Information Systems, Sultan Qaboos University, Muscat 123, Oman"}]},{"ORCID":"https:\/\/orcid.org\/0009-0004-5711-8955","authenticated-orcid":false,"given":"Zia","family":"Nadir","sequence":"additional","affiliation":[{"name":"Department of Electrical & Computer Engineering, Sultan Qaboos University, Muscat 123, Oman"}]}],"member":"1968","published-online":{"date-parts":[[2025,10,17]]},"reference":[{"key":"ref_1","doi-asserted-by":"crossref","first-page":"1802","DOI":"10.1109\/JIOT.2017.2703172","article-title":"Cyber-Physical Systems SecurityA Survey","volume":"4","author":"Humayed","year":"2017","journal-title":"IEEE Internet Things J."},{"key":"ref_2","first-page":"946","article-title":"A Survey on the Security of SCADA Systems","volume":"115","author":"Yang","year":"2022","journal-title":"Future Gener. Comput. Syst."},{"key":"ref_3","doi-asserted-by":"crossref","first-page":"49","DOI":"10.1109\/MSP.2011.67","article-title":"Stuxnet: Dissecting a Cyberwarfare Weapon","volume":"9","author":"Langner","year":"2011","journal-title":"IEEE Secur. Priv."},{"key":"ref_4","unstructured":"Lee, R.M., Assante, M.J., and Conway, T. (2016). Analysis of the Cyber Attack on the Ukrainian Power Grid, E-ISAC."},{"key":"ref_5","doi-asserted-by":"crossref","first-page":"418","DOI":"10.1016\/j.cose.2012.02.009","article-title":"SCADA Security in the Light of Cyber-Warfare","volume":"31","author":"Nicholson","year":"2012","journal-title":"Comput. Secur."},{"key":"ref_6","doi-asserted-by":"crossref","unstructured":"Kravchik, M., and Shabtai, A. (2018, January 22). Detecting Cyber Attacks in Industrial Control Systems Using Convolutional Neural Networks. Proceedings of the 2018 Workshop on Cyber-Physical Systems Security and PrivaCy (CPS-SPI 2018), New York, NY, USA.","DOI":"10.1145\/3264888.3264896"},{"key":"ref_7","unstructured":"Goh, J., Adepu, S., Junejo, K.N., and Mathur, A.P. (2016, January 10\u201312). A Dataset to Support Research in the Design of Secure Water Treatment Systems. Proceedings of the 11th International Conference on Critical Information Infrastructures Security (CRITIS 2016), Paris, France."},{"key":"ref_8","first-page":"5678","article-title":"Deep Learning Techniques for Industrial Control System Security: A Comprehensive Survey","volume":"13","author":"Aslam","year":"2025","journal-title":"IEEE Access"},{"key":"ref_9","first-page":"1154","article-title":"A Survey of Deep Learning Methods for Cybersecurity","volume":"21","author":"Berman","year":"2019","journal-title":"IEEE Commun. Surv. Tutor."},{"key":"ref_10","first-page":"102786","article-title":"DI-NIDS: A Deep Intrusion Detection System for In-Vehicle Networks with Adversarial Domain Adaptation","volume":"120","author":"Layeghy","year":"2023","journal-title":"Comput. Secur."},{"key":"ref_11","doi-asserted-by":"crossref","unstructured":"Han, H., Kim, H., and Kim, Y. (2022). An Efficient Hyperparameter Control Method for a Network Intrusion Detection System Based on Proximal Policy Optimization. Symmetry, 14.","DOI":"10.3390\/sym14010161"},{"key":"ref_12","first-page":"108996","article-title":"HCLR-IDS: Hierarchical CNN-LSTM with Reinforcement Learning for Internet of Medical Things","volume":"110","author":"Shaikh","year":"2025","journal-title":"Comput. Electr. Eng."},{"key":"ref_13","unstructured":"(2025, January 15). MITRE ATT&CK for ICS: Adversarial Tactics, Techniques & Common Knowledge for Industrial Control Systems. Available online: https:\/\/attack.mitre.org\/matrices\/ics\/."},{"key":"ref_14","doi-asserted-by":"crossref","first-page":"821","DOI":"10.26599\/TST.2020.9010041","article-title":"Anomaly detection of industrial control systems based on transfer learning","volume":"26","author":"Wang","year":"2021","journal-title":"Tsinghua Sci. Technol."},{"key":"ref_15","doi-asserted-by":"crossref","first-page":"126932","DOI":"10.1016\/j.eswa.2025.126932","article-title":"Complexity and resolution of spatio-temporal reasonings for criminology with greedy and evolutionary algorithms","volume":"275","year":"2025","journal-title":"Expert Syst. Appl."},{"key":"ref_16","doi-asserted-by":"crossref","first-page":"21954","DOI":"10.1109\/ACCESS.2017.2762418","article-title":"A Deep Learning Approach for Intrusion Detection Using Recurrent Neural Networks","volume":"5","author":"Yin","year":"2017","journal-title":"IEEE Access"},{"key":"ref_17","doi-asserted-by":"crossref","unstructured":"Javaid, A., Niyaz, Q., Sun, W., and Alam, M. (2015, January 3\u20135). A Deep Learning Approach for Network Intrusion Detection System. Proceedings of the 9th EAI International Conference on Bio-Inspired Information and Communications Technologies (BIONETICS), New York, NY, USA.","DOI":"10.4108\/eai.3-12-2015.2262516"},{"key":"ref_18","doi-asserted-by":"crossref","first-page":"41","DOI":"10.1109\/TETCI.2017.2772792","article-title":"A Deep Learning Approach to Network Intrusion Detection","volume":"2","author":"Shone","year":"2018","journal-title":"IEEE Trans. Emerg. Top. Comput. Intell."},{"key":"ref_19","doi-asserted-by":"crossref","first-page":"1137","DOI":"10.1007\/s11036-020-01623-2","article-title":"Robust Network Intrusion Detection Scheme Using Long-Short Term Memory Based Convolutional Neural Networks","volume":"26","author":"Hsu","year":"2021","journal-title":"Mobile Netw. Appl."},{"key":"ref_20","unstructured":"Lokman, S.F., Othman, A.T., and Abu-Bakar, M.H. (2018, January 16\u201317). Intrusion Detection System for Modbus Protocol Using Long Short-Term Memory. Proceedings of the 2018 International Conference on Computing, Electronics & Communications Engineering (iCCECE), Southend, UK."},{"key":"ref_21","first-page":"1","article-title":"Enhancing Security in DNP3 Communication for Smart Grids: A Segmented Neural Network Approach","volume":"13","author":"Bakhsh","year":"2025","journal-title":"IEEE Access"},{"key":"ref_22","doi-asserted-by":"crossref","first-page":"100096","DOI":"10.1016\/j.csa.2025.100096","article-title":"Survey of Deep Learning Approaches for Securing Industrial Control Systems: A Comparative Analysis","volume":"3","author":"Aslam","year":"2025","journal-title":"Cyber Secur. Appl."},{"key":"ref_23","doi-asserted-by":"crossref","unstructured":"Pinto, A., Herrera, L.-C., Donoso, Y., and Gutierrez, J.A. (2023). Survey on Intrusion Detection Systems Based on Machine Learning Techniques for the Protection of Critical Infrastructure. Sensors, 23.","DOI":"10.3390\/s23052415"},{"key":"ref_24","doi-asserted-by":"crossref","unstructured":"Kumar, A., and Gutierrez, J.A. (2025). Impact of Machine Learning on Intrusion Detection Systems for the Protection of Critical Infrastructure. Information, 16.","DOI":"10.3390\/info16070515"},{"key":"ref_25","first-page":"45678","article-title":"An Improved Autoencoder Method for ICS Intrusion Detection","volume":"12","author":"Weragoda","year":"2024","journal-title":"IEEE Access"},{"key":"ref_26","doi-asserted-by":"crossref","unstructured":"Cai, Z., Du, H., Wang, H., Zhang, J., Si, Y., and Li, P. (2023). One-Dimensional Convolutional Wasserstein GAN-Based Intrusion Detection Method for Industrial Control Systems. Electronics, 12.","DOI":"10.3390\/electronics12224653"},{"key":"ref_27","doi-asserted-by":"crossref","unstructured":"Almalawi, A., Hassan, S., Fahad, A., Iqbal, A., and Khan, A.I. (2025). Hybrid Cybersecurity for Asymmetric Threats: Intrusion Detection and SCADA System Protection Innovations. Symmetry, 17.","DOI":"10.3390\/sym17040616"},{"key":"ref_28","doi-asserted-by":"crossref","unstructured":"AlHaddad, U., Basuhail, A., Khemakhem, M., Eassa, F., and Jambi, K. (2023). Ensemble Model Based on Hybrid Deep Learning for Intrusion Detection in Smart Grid Networks. Sensors, 23.","DOI":"10.3390\/s23177464"},{"key":"ref_29","doi-asserted-by":"crossref","first-page":"109828","DOI":"10.1016\/j.compeleceng.2024.109828","article-title":"An Effective Intrusion Detection Scheme for Distributed Network Protocol 3 (DNP3) Applied in SCADA-Enabled IoT Applications","volume":"120","author":"Dangwal","year":"2024","journal-title":"Comput. Electr. Eng."},{"key":"ref_30","doi-asserted-by":"crossref","first-page":"561","DOI":"10.1007\/s10586-021-03426-w","article-title":"A Stacked Deep Learning Approach to Cyber-Attacks Detection in Industrial Systems: Application to Power System and Gas Pipeline Systems","volume":"25","author":"Wang","year":"2022","journal-title":"Clust. Comput."},{"key":"ref_31","doi-asserted-by":"crossref","unstructured":"Qu, Y., Ma, H., Jiang, Y., and Bu, Y. (2023). A Network Intrusion Detection Method Based on Domain Confusion. Electronics, 12.","DOI":"10.3390\/electronics12051255"},{"key":"ref_32","doi-asserted-by":"crossref","first-page":"124352","DOI":"10.1016\/j.eswa.2024.124352","article-title":"Multi-Source Refined Adversarial Domain Adaptation with Transfer Complementarity Infusion for IoT Intrusion Detection under Limited Samples","volume":"254","author":"Li","year":"2024","journal-title":"Expert Syst. Appl."},{"key":"ref_33","doi-asserted-by":"crossref","unstructured":"Mehedi, S.T., Anwar, A., Rahman, Z., and Ahmed, K. (2021). Deep Transfer Learning-Based Intrusion Detection System for Electric Vehicular Networks. Electronics, 21.","DOI":"10.3390\/s21144736"},{"key":"ref_34","doi-asserted-by":"crossref","unstructured":"Rodr\u00edguez, E., Valls, P., Otero, B., Costa, J.J., Verd\u00fa, J., Pajuelo, M.A., and Canal, R. (2022). Transfer-Learning-Based Intrusion Detection Framework in IoT Networks. Sensors, 22.","DOI":"10.3390\/s22155621"},{"key":"ref_35","doi-asserted-by":"crossref","first-page":"190","DOI":"10.1016\/j.dcan.2023.03.008","article-title":"IDS-INT: Intrusion Detection System Using Transformer-Based Transfer Learning for Imbalanced Network Traffic","volume":"10","author":"Ullah","year":"2024","journal-title":"Digit. Commun. Netw."},{"key":"ref_36","doi-asserted-by":"crossref","unstructured":"Abdelhamid, S., Hegazy, I., Aref, M., and Roushdy, M. (2024). Attention-Driven Transfer Learning Model for Improved IoT Intrusion Detection. Big Data Cogn. Comput., 8.","DOI":"10.3390\/bdcc8090116"},{"key":"ref_37","doi-asserted-by":"crossref","unstructured":"Amamra, A., and Terrelonge, V. (2025). Multiple Kernel Transfer Learning for Enhancing Network Intrusion Detection in Encrypted and Heterogeneous Network Environments. Electronics, 14.","DOI":"10.3390\/electronics14010080"},{"key":"ref_38","first-page":"1","article-title":"Deep Transfer Learning Techniques in Intrusion Detection System\u2013Internet of Vehicles: A State-of-the-Art Review","volume":"80","author":"Wu","year":"2024","journal-title":"Comput. Mater. Contin."},{"key":"ref_39","doi-asserted-by":"crossref","first-page":"1","DOI":"10.1109\/ACCESS.2024.3477415","article-title":"Intrusion Detection in Industrial Control Systems Based on Deep Reinforcement Learning","volume":"12","author":"Sangoleye","year":"2024","journal-title":"IEEE Access"},{"key":"ref_40","doi-asserted-by":"crossref","unstructured":"Shaikh, J., Wang, C., Sima, M., Arshad, M., Owais, M., Hassan, D., Alkanhel, R., and Muthanna, M. (2025). A Deep Reinforcement Learning-Based Robust Intrusion Detection System for Securing IoMT Healthcare Networks. Front. Med., 12.","DOI":"10.3389\/fmed.2025.1524286"},{"key":"ref_41","doi-asserted-by":"crossref","first-page":"13349","DOI":"10.1007\/s12652-022-03788-y","article-title":"RL-Based Hyper-Parameters Optimization Algorithm (ROA) for Convolutional Neural Network","volume":"14","author":"Talaat","year":"2023","journal-title":"J. Ambient. Intell. Humaniz. Comput."},{"key":"ref_42","first-page":"1261","article-title":"Reinforcement Learning for Adaptive Intrusion Detection under Concept Drift","volume":"9","author":"Han","year":"2022","journal-title":"IEEE Trans. Netw. Sci. Eng."},{"key":"ref_43","unstructured":"(2012). IEEE Standard for Electric Power Systems Communications\u2013Distributed Network Protocol (DNP3) (Standard No. IEEE Std 1815-2012 (Revision of IEEE Std 1815-2010))."}],"container-title":["Information"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/www.mdpi.com\/2078-2489\/16\/10\/910\/pdf","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,10,19]],"date-time":"2025-10-19T04:16:50Z","timestamp":1760847410000},"score":1,"resource":{"primary":{"URL":"https:\/\/www.mdpi.com\/2078-2489\/16\/10\/910"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2025,10,17]]},"references-count":43,"journal-issue":{"issue":"10","published-online":{"date-parts":[[2025,10]]}},"alternative-id":["info16100910"],"URL":"https:\/\/doi.org\/10.3390\/info16100910","relation":{},"ISSN":["2078-2489"],"issn-type":[{"type":"electronic","value":"2078-2489"}],"subject":[],"published":{"date-parts":[[2025,10,17]]}}}