Exploring Robust Intrusion Detection: A Benchmark Study of Feature Transferability in IoT Botnet Attack Detection

📅 2026-02-27
🤖 AI Summary
This study addresses the significant performance degradation of intrusion detection systems in cross-domain scenarios due to environmental heterogeneity. It presents the first systematic evaluation of the transferability of three widely used IoT traffic feature sets—Argus, Zeek, and CICFlowMeter—across four heterogeneous IoT/IIoT datasets. By integrating multiple classification models with SHAP-based interpretability analysis, the work reveals the critical influence of feature representation and algorithm selection on cross-domain detection performance. The findings not only expose the limitations of current approaches under domain shift but also establish practical guidelines for feature engineering and model selection to enhance robustness. This research provides actionable insights for developing intrusion detection systems with improved generalization capabilities across diverse operational environments.

📝 Abstract
Cross-domain intrusion detection remains a critical challenge due to significant variability in network traffic characteristics and feature distributions across environments. This study evaluates the transferability of three widely used flow-based feature sets (Argus, Zeek and CICFlowMeter) across four widely used datasets representing heterogeneous IoT and Industrial IoT network conditions. Through extensive experiments, we evaluate in-domain and cross-domain performance across multiple classification models and analyze feature importance using SHapley Additive exPlanations (SHAP). Our results show that models trained on one domain suffer significant performance degradation when applied to a different target domain, reflecting the sensitivity of IoT intrusion detection systems to distribution shifts. Furthermore, the results show that the choice of classification algorithm and of feature representation significantly impacts transferability. Beyond reporting performance differences and a thorough analysis of the transferability of features and feature spaces, we provide practical guidelines for feature engineering to improve robustness under domain variability. Our findings suggest that effective intrusion detection requires both high in-domain performance and resilience to cross-domain variability, achievable through careful feature space design, appropriate algorithm selection and adaptive strategies.

Problem

Research questions and friction points this paper is trying to address.

cross-domain intrusion detection
feature transferability
IoT botnet attack
distribution shift
network traffic variability

Innovation

Methods, ideas, or system contributions that make the work stand out.

feature transferability
cross-domain intrusion detection
IoT botnet detection
SHAP analysis
robust feature engineering