Community-based Vulnerability Prediction Framework for IoT Intrusion Detection using only Network Topology

Article: Articles in international or national peer-reviewed journals

Internet of Things networks in critical infrastructure face sophisticated attacks that exploit structural vulnerabilities. Existing intrusion detection methods analyze individual devices, missing patterns that emerge when functionally related devices organize into communities that communicate more frequently with each other than with the rest of the network. Current structural analysis approaches examine either individual devices or entire networks, missing the intermediate community scale where attacks concentrate. Community-level analysis offers three advantages: capturing coordinated attack patterns, reducing computational complexity through grouping, and enabling proactive detection before attacks spread beyond community boundaries. Additionally, existing methods use fixed vulnerability criteria that fail across different network topologies. This paper proposes AdapCVP (Adaptive Community Vulnerability Prediction), a framework addressing these limitations through multi-scale structural analysis. AdapCVP detects communities using multiple algorithms, extracts features describing intra-community organization and inter-community relationships, then automatically determines vulnerability thresholds through cross-validation optimization. By operating exclusively on the network topology without examining flow content, AdapCVP preserves privacy and remains applicable across different classifiers. Experiments on three datasets compare 27 structural features capturing network topology against 28 data-flow features encapsulating traffic content. Structural features consistently outperform data-flow ones by 12.3 to 16.7% across machine learning, deep learning, and graph neural network classifiers. 
Vulnerability threshold optimization automatically discovers appropriate criteria ranging from 0.5% for distributed networks to 2% for centralized and 3% for clustered ones, validating that vulnerability stems from structure rather than traffic volume and enabling deployment across heterogeneous IoT architectures without manual tuning. Moreover, ablation analysis demonstrates that the dominant structural drivers vary with network topology, reflecting differences in hub concentration, community clustering, and inter-community connectivity.
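
The following is an added example, not code from the paper: it illustrates the topology-only, community-level feature extraction the abstract describes, using nothing but device-to-device links. The detector (dropping links whose endpoints share no neighbour), the feature names and the sample edge list are assumptions, since the abstract does not name AdapCVP's detection algorithms or its 27 structural features; threshold optimization is not covered.

```python
from collections import defaultdict

# Constructed sample: undirected "who talks to whom" pairs; no payload, ports or byte counts.
EDGES = [("c1", "c2"), ("c2", "c3"), ("c1", "gwA"), ("c2", "gwA"), ("c3", "gwA"),
         ("p1", "p2"), ("p1", "gwB"), ("p2", "gwB"), ("gwA", "gwB")]

def adjacency(edges):
    adj = defaultdict(set)
    for u, v in edges:
        if u != v:  # ignore self-loops
            adj[u].add(v)
            adj[v].add(u)
    return adj

def detect_communities(adj):
    """Assumed stand-in detector: drop bridge-like links, keep connected components."""
    # A link is kept only if its endpoints share at least one neighbour (it closes a triangle).
    strong = {u: {v for v in nbrs if nbrs & adj[v]} for u, nbrs in adj.items()}
    seen, communities = set(), []
    for start in sorted(adj):
        if start in seen:
            continue
        stack, members = [start], set()
        while stack:
            node = stack.pop()
            if node not in members:
                members.add(node)
                stack.extend(strong[node] - members)
        seen |= members
        communities.append(members)
    return communities

def community_features(adj, members):
    # Illustrative features (assumed names): intra-community density, inter-community cut.
    n = len(members)
    internal = sum(len(adj[u] & members) for u in members) // 2
    cut = sum(len(adj[u] - members) for u in members)
    volume = sum(len(adj[u]) for u in members)
    rest = sum(len(nbrs) for nbrs in adj.values()) - volume
    return {
        "size": n, "cut_edges": cut,
        "density": 2 * internal / (n * (n - 1)) if n > 1 else 0.0,
        "conductance": cut / min(volume, rest) if min(volume, rest) else 0.0,
        "boundary_devices": sorted(u for u in members if adj[u] - members),
    }

def analyse(edges):
    adj = adjacency(edges)
    return [community_features(adj, c) for c in detect_communities(adj)]
```

Calling `analyse(EDGES)` returns one feature row per community; the `boundary_devices` field lists the devices whose links cross a community boundary.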