A Hierarchical IDS for Zero-Day Attack Detection in Internet of Medical Things Networks

📅 2025-08-14
🤖 AI Summary
To address the challenge of detecting zero-day attacks on resource-constrained, heterogeneous devices in the Internet of Medical Things (IoMT), this paper proposes a hierarchical collaborative intrusion detection framework integrating near-edge, far-edge, and cloud layers. The method innovatively combines meta-learning with one-class classification (OCC) via the proposed usfAD algorithm, enabling rapid identification of previously unseen threats without requiring labeled samples of novel attacks. The first (near-edge) layer supports high-confidence zero-day attack detection while ensuring low latency and on-device privacy preservation. Evaluated on the CICIoMT2024 dataset, the framework achieves 99.77% accuracy and a 97.8% F1-score—substantially outperforming conventional centralized intrusion detection systems. This work delivers a scalable, lightweight, and adaptive security solution tailored for IoMT environments.

📝 Abstract
The Internet of Medical Things (IoMT) is driving a healthcare revolution but remains vulnerable to cyberattacks such as denial of service, ransomware, data hijacking, and spoofing. These networks comprise resource-constrained, heterogeneous devices (e.g., wearable sensors, smart pills, implantables), making traditional centralized Intrusion Detection Systems (IDSs) unsuitable due to response delays, privacy risks, and added vulnerabilities. Centralized IDSs require all sensors to transmit data to a central server, causing delays or network disruptions in dense environments. Running IDSs locally on IoMT devices is often infeasible due to limited computation, and even lightweight IDS components remain at risk if updated models are delayed, leaving them exposed to zero-day attacks that threaten patient health and data security. We propose a multi-level IoMT IDS framework capable of detecting zero-day attacks and distinguishing between known and unknown threats. The first layer (near-edge) filters traffic at a coarse level (attack or not) using meta-learning or One-Class Classification (OCC) with the usfAD algorithm. Subsequent layers (far-edge, cloud) identify attack type and novelty. Experiments on the CICIoMT2024 dataset show 99.77% accuracy and a 97.8% F1-score. The first layer detects zero-day attacks with high accuracy without needing new datasets, ensuring strong applicability in IoMT environments. Additionally, the meta-learning approach achieves high.
Problem

Research questions and friction points this paper is trying to address.

Detecting zero-day attacks in IoMT networks
Overcoming limitations of centralized IDS in IoMT
Distinguishing known and unknown threats efficiently
Innovation

Methods, ideas, or system contributions that make the work stand out.

Hierarchical IDS for zero-day attack detection
Meta-learning and OCC for initial traffic filtering
Multi-level framework for known and unknown threats
Md Ashraf Uddin
School of Information Technology, Crown Institute of Higher Education, Australia
Nam H. Chu
CIHE, University of Technology Sydney
Deep Reinforcement Learning, Wireless Communication, Optimization
Reza Rafeh
School of Information Technology, Crown Institute of Higher Education, Australia