This work addresses the lack of flexible, resource-aware collaborative intrusion detection mechanisms for distributed critical infrastructure—such as unmanned aerial vehicles—in dynamic and heterogeneous environments. To this end, the authors propose a hierarchical network-based Collaborative Intrusion Detection System (CIDS) framework featuring a novel resource-aware architecture that enables automatic reconfiguration of edge devices. The framework integrates dynamic detector allocation with lightweight collaboration algorithms to optimize detector deployment based on node resources and data types. Key contributions include the release of the first publicly available real-world dataset capturing attacks against ground-based UAV critical infrastructure, along with comprehensive validation across diverse network topologies and datasets, demonstrating highly effective and adaptive intrusion detection with minimal computational overhead.

Collaborative Intrusion Detection Systems (CIDS) are increasingly adopted to counter cyberattacks, as their collaborative nature enables them to adapt to diverse scenarios across heterogeneous environments. As distributed critical infrastructure operates in rapidly evolving environments, such as drones in both civil and military domains, there is a growing need for CIDS architectures that can flexibly accommodate these dynamic changes. In this study, we propose a novel CIDS framework designed for easy deployment across diverse distributed environments. The framework dynamically optimizes detector allocation per node based on available resources and data types, enabling rapid adaptation to new operational scenarios with minimal computational overhead. We first conducted a comprehensive literature review to identify key characteristics of existing CIDS architectures. Based on these insights and real-world use cases, we developed our CIDS framework, which we evaluated using several distributed datasets that feature different attack chains and network topologies. Notably, we introduce a public dataset based on a realistic cyberattack targeting a ground drone aimed at sabotaging critical infrastructure. Experimental results demonstrate that the proposed CIDS framework can achieve adaptive, efficient intrusion detection in distributed settings, automatically reconfiguring detectors to maintain an optimal configuration, without requiring heavy computation, since all experiments were conducted on edge devices.