Each IoT device Di implements a local transformer module that processes device-specific data while maintaining privacy. The transformer architecture consists of multi-head self-attention layers followed by position-wise feed-forward networks.

The multi-head attention mechanism is defined as: (5)MultiHead(Q,K,V)=Concat(head1,…,headh)WOwhere each attention head is computed as: (6)headi=Attention(QWiQ,KWiK,VWiV)the scaled dot-product attention is defined as: (7)Attention(Q,K,V)=softmax(QKTdk)Vto preserve input-level privacy during multi-head self-attention computation, Gaussian noise is injected into the attention logits. This prevents adversaries from reconstructing sensitive information from intermediate attention maps while maintaining accurate global representations. (8)A~i,j=softmax(qikjTdk+N(0,σ2))here, qi and kj represent the query and key vectors, dk is the key dimension, and N(0,σ2) denotes Gaussian noise with variance σ2 calibrated to the privacy budget ϵ. This mechanism provides formal differential privacy guarantees while preventing leakage through attention visualization.

The aggregation protocol combines differential privacy with secure multi-party computation to ensure privacy while maintaining model utility. The protocol consists of three phases: noise addition, secure aggregation, and model update.

Phase 1: Noise Addition. Each device Di adds calibrated Gaussian noise to its local model updates: (9)θ~i(t)=θi(t)+N(0,σ2I)where the noise variance is calibrated according to the differential privacy requirements: (10)σ2=2log⁡(1.25/δ)C2ϵ2here, C represents the clipping bound for gradient updates.

Phase 2: Secure Aggregation. The noisy updates are aggregated using homomorphic encryption. Each device encrypts its update using a shared public key: (11)E(θ~i(t))=Encpk(θ~i(t))the server performs homomorphic aggregation: (12)E(θ(t+1))=1N∑i=1NE(θ~i(t))

Phase 3: Model Update. The aggregated model is decrypted and distributed to all participating devices: (13)θ(t+1)=Decsk(E(θ(t+1)))

Conceptual Summary of the Privacy-Preserving Aggregation Workflow: The privacy-preserving aggregation process of EdgeTrustX operates in three sequential stages to ensure secure model coordination across distributed IoT devices. (1)

Noise Addition: Each client locally perturbs its gradient updates by injecting calibrated Gaussian noise according to differential-privacy parameters (ε,δ). This step guarantees that the contribution of any single data sample remains indistinguishable, protecting sensitive device-level information.

Fig. 3 visually summarises these three phases, depicting the interaction between IoT devices, the privacy-preserving aggregation layer, and the global coordination server.

The explainability engine provides multi-faceted interpretability through three complementary approaches: attention visualisation, SHAP analysis, and feature importance ranking.

Attention-Based Explanations: The attention weights from the transformer provide insight into which input features or time steps are most relevant for the decision: (14)Importance(xj)=∑h=1H∑i=1Lαh,i,j(l)where αh,i,j(l) represents the attention weight for feature j in head h of layer l.

SHAP-Based Explanations: SHAP values are computed to provide feature-level explanations: (15)ϕj=∑S⊆F\{j}|S|!(|F|−|S|−1)!|F|![f(S∪{j})−f(S)]where F is the set of all features and S is a subset of features.

Integrated Explainability Score: A combination of attention and SHAP-based explanations to provide a comprehensive interpretability score: (16)ExplainScore(xj)=α⋅Importance(xj)+(1−α)⋅|ϕj|where α∈[0,1] is a weighting parameter.

Two datasets X and X′ are adjacent if they differ in at most one record. Let Δ2(g) denote the ℓ2-sensitivity of a (vector-valued) function g. Let N(0,σ2I) denote isotropic Gaussian noise.

We assume throughout:

Per-example gradients are clipped: for all examples z, ∥∇ℓ(θ;z)∥2≤C; client update deltas are clipped to norm ≤C before noise.

Theorem 1 (Per-Mechanism DP via Gaussian Mechanism): Let g be a function with ℓ2-sensitivity Δ2(g). For any ϵ0∈(0,1] and δ0∈(0,1), the mechanism (17)M(x)=g(x)+N(0,σ2I)with σ≥2ln⁡(1.25δ0)Δ2(g)ϵ0is (ϵ0,δ0)-differentially private.

Proof: This is the classical Gaussian mechanism; see, e.g., Dwork–Roth (2014, Thm 3.22). □

Corollary 1 (Per-Round DP for EdgeTrustX components): In each communication round t: 1.

Attention-logit privatisation (Eq. (8)): with logit clipping enforcing Δ2(h)≤2B and noise std σatt≥2ln(1.25/δatt)(2B)/ϵatt, the attention-logit release is (ϵatt,δatt)-DP.

Proof: Apply Theorem 1 with Δ2(h)≤2B and Δ2(Δθi)≤2C. □

The differential privacy parameters are configured as ε = 0.1 and δ = 1 × 10⁻⁵ to achieve a rigorous balance between privacy and utility. These values ensure that the probability of an adversary inferring any single sample’s contribution remains negligible while maintaining convergence stability during federated optimisation. Empirical studies in privacy-preserving learning have shown that ε≤0.1 achieves strong protection against gradient inversion without compromising model accuracy by more than 1%–2%, justifying the selected configuration for EdgeTrustX.

Theorem 2 (Advanced Composition across Rounds): Suppose each round applies two mechanisms as in Cor. 1, each satisfying (ϵ0,δ0)-DP with ϵ0∈(0,1]. Across T rounds, the total mechanism is (ϵT,δT)-DP with ϵT≤ (18)2(2T)ln⁡(1δ^) ϵ0+(2T)ϵ02,δT=(2T)δ0+δ^,

for any δ^∈(0,1).

Proof: Use the advanced composition theorem (e.g., Dwork–Roth 2014, Thm 3.20) on 2T sequential mechanisms with identical (ϵ0,δ0), then collect δ terms. □

Remark (Moments Accountant/RDP Alternative).

Tighter bounds are obtainable via Rényi DP (RDP) or the moments accountant. If each mechanism is Gaussian with variance σ2, then for order α>1, εRDP(α)=α/(2σ2) (no subsampling). Over 2T compositions: εRDP,T(α)=(2T)α/(2σ2), and conversion to (ϵ,δ) gives ϵ(δ)=minα>1{εRDP,T(α)+ln⁡(1/δ)α−1}. This can be reported alongside the advanced-composition bound.

Theorem 3 (HE Aggregation Preserves DP by Post-Processing): Let each client transmit a DP-sanitised vector xi=Mi(Di) where Mi is (ϵT,δT)-DP w.r.t. Di. Let Enc/Dec be any (possibly randomised) encryption/decryption maps independent of Di, and let the server compute y=Dec(∑ iEnc(xi)). Then the distribution of y is also (ϵT,δT)-DP with respect to each Di.

Proof. Differential privacy is closed under post-processing: for any (possibly randomised) function F independent of the underlying data, F(M(D)) is (ϵ,δ)-DP if M is. Encryption, homomorphic addition, and decryption are (data-independent) mappings applied to DP outputs xi; hence, y preserves the same (ϵT,δT). □

Corollary 2 (End-to-End DP for EdgeTrustX): Under (A1)–(A2), with per-round parameters set as in Corollary 1 and composition as in Theorem 2, the global model sequence {θ(t)}t=1T released to clients is (ϵT,δT)-DP with respect to every individual record across all devices.

Proof: Combine Corollary 1, Theorem 2, and Theorem 3; the server’s decryption and model update are post-processing steps. □

We analyse FedAvg with clipping and Gaussian noise in the strongly convex case.

Lemma 1 (Noise on Averaged Update): Let each of N clients send a clipped update with added noise ξi∼N(0,σupd2I). The server forms the average u↼=1N∑i=1N(Δθi+ξi). Then E[u↼]=1N∑iΔθi and Var(u↼)=σupd2NI.

Proof: Linearity of expectation; independence of ξi gives variance reduction by N. □

Theorem 4 (Utility Bound for DP-FedAvg (Strongly Convex)): Assume (A1) and (A3). Consider global updates θ(t+1)=θ(t)−ηg↼(t), where g↼(t) is the clipped, noisy average gradient proxy from Lemma 1 with variance σeff2:=σupd2/N per coordinate. Choose step size 0<η≤1/L. Then for all T≥1, (19)E[L(θ(T))−L⋆]≤(1−ημ)T(L(θ(0))−L⋆)+ηLdσeff22μ+ηLζ22μ,

where d is the parameter dimension and ζ2 collects the (bounded) variance/bias from stochastic gradients and clipping (with ∥∇ℓ(θ;z)∥≤C giving ζ2≤C2).

Proof: By L-smoothness and μ-strong convexity (standard descent lemma), (20)L(θ+)≤L(θ)−η⟨∇L(θ),g↼⟩+Lη22∥g↼∥2.

Take the conditional expectation given θ. Write g↼=∇L(θ)+ϵ, where ϵ has zero mean and covariance bounded by Σ≼σeff2I+ζ2I (DP noise + stochastic/clipping noise). Then E∥g↼∥2≤∥∇L(θ)∥2+d(σeff2+ζ2). With η≤1/L and strong convexity (∥∇L(θ)∥2≥2μ(L(θ)−L⋆)), it yields: (21)E[L(θ+)−L⋆]≤(1−ημ)(L(θ)−L⋆)+ηL2dσeff2+ηL2ζ2.

Unroll the recursion for T steps and sum the geometric tail to get the stated bound. □

Corollary 3 (Explicit DP–Utility Tradeoff): Using the Gaussian calibration σupd=2ln(1.25/δ0)2Cϵ0 per round (Cor. 1), the effective noise term in Thm. 4 is σeff2=8C2ln(1.25/δ0)Nϵ02. Thus, the DP-induced steady-state error contribution is: (22)ηLd2μσeff2=4ηLdμ⋅C2ln⁡(1.25δ0)Nϵ02

for fixed (ϵ0,δ0) and N, tighter privacy (smaller ϵ0) increases this term as 1/ϵ02, while more devices decrease it as 1/N.

Gradient Clipping and Convergence Assumptions: to ensure numerical stability during privacy-preserving training, gradient clipping was applied with an upper bound of ‖g‖2≤1.0, thereby limiting the sensitivity of model updates before the injection of differential privacy noise. This constraint controls the variance of the Gaussian noise and prevents gradient explosion in non-IID client distributions. Convergence was empirically assumed when the validation loss improvement remained below 1% over five consecutive communication rounds, a condition verified across all experimental configurations. These assumptions provide a reproducible basis for analysing training dynamics under privacy and encryption constraints.

The computational complexity of EdgeTrustX per round is analysed as follows:

Local Computation: Each device performs transformer computation with complexity O(nid2+ni2d) for attention computation and O(nid2) for feed-forward layers.

Communication Complexity: The communication cost per round is O(Nd) for encrypted model updates.

Aggregation Complexity: The server aggregation complexity is O(Nd) for homomorphic operations.

The total complexity per round is: (23)Ctotal=O(∑i=1N(nid2+ni2d)+Nd)

Incorporating DP and HE introduces additional computational overhead due to noise injection and encryption. However, this cost is offset by reduced communication frequency and parameter sharing, leading to an overall 23% reduction in transmission volume while maintaining <0.5 s per round latency.

EdgeTrustX is evaluated on four widely used IoT security datasets, with explicit links to the datasets provided to ensure reproducibility. (1)

IoT-23 Dataset¹1

https://www.kaggle.com/datasets/surajsooraj26/iot-23/data, (accessed on 11 November 2025).

Each dataset was partitioned across 20 clients under both IID and non-IID conditions. For IID, samples were randomly distributed, ensuring class balance; for non-IID, the Dirichlet distribution (α = 0.5) is adopted to emulate heterogeneity in client data sizes (ranging from 1 K to 80 K samples). A random seed of 42 was fixed for all splits to ensure reproducibility. Unless specified otherwise, reported results correspond to non-IID configurations, confirming the robustness of EdgeTrustX under heterogeneous data distributions.

Table 2 summarises the primary hyperparameters used for training EdgeTrustX and the comparison baselines to ensure experimental reproducibility.

We compare EdgeTrustX with the following state-of-the-art approaches:

FedAvg-CNN: Standard federated averaging using a deep convolutional architecture, represented by the deep federated learning approach in Albogami’s model [2].

FedProx-LSTM: Federated proximal variant implemented with an LSTM-based intrusion detection framework as demonstrated in Sorour et al.’s privacy-preserving LSTM-JSO federated model [15].

DP-Fed: Differential-privacy–enhanced federated learning following the DP-integrated FL mechanisms adopted in Albogami’s work [2].

HE-Fed: Homomorphic-encryption–based federated learning consistent with the blockchain-assisted HE-enabled FL system proposed by Han [20].

Centralised-Transformer: Centralised transformer-based intrusion detection system without privacy guarantees, represented by Alsharaiah et al.’s explainable transformer-powered IoMT threat detection model [9].

EdgeTrustX is implemented in PyTorch with the following configuration: Transformer layers: 6 encoder layers with eight attention heads; Hidden dimension: 512; Feed-forward dimension: 2048; Learning rate: 0.001 with Adam optimiser; Batch size: 32; Local epochs: 5; Privacy parameters: ϵ=0.1, δ=10−5; Communication rounds: 100.

The experiments are conducted on a distributed testbed consisting of 20 edge devices (Raspberry Pi 4) and a central server (Intel Xeon E5-2690).

We evaluate the privacy preservation capabilities of EdgeTrustX through membership inference attacks and reconstruction attacks. Fig. 5 illustrates the privacy-utility trade-off under different privacy budgets.

Fig. 5 examines privacy-utility trade-offs in federated IoT learning. Fig. 5a illustrates the inverse relationship between detection accuracy and privacy budget (ϵ), with EdgeTrustX maintaining high accuracy even at low ϵ values. Fig. 5b compares effectiveness scores of privacy mechanisms (DP, HE, secure aggregation, noise addition), where EdgeTrustX outperforms others across all categories. Fig. 5c visualises the privacy-utility Pareto landscape. EdgeTrustX resides in the optimal zone, offering high privacy and utility simultaneously. The figure confirms EdgeTrustX’s strong privacy preservation with minimal performance compromise, outperforming traditional DP-Fed, HE-Fed, and centralised models.

Table 5 presents the quantitative results of the privacy evaluation using standard privacy attack methods.

EdgeTrustX achieves the best privacy score (0.923) with minimal utility loss (0.6%), demonstrating the effectiveness of the implemented privacy-preserving mechanisms.

The evaluation was conducted under a semi-honest adversarial model where the attacker observes exchanged gradients during federated rounds. Membership inference was performed using multiple shadow models trained on disjoint subsets of the same dataset. At the same time, gradient reconstruction employed an inversion strategy optimised with the Adam algorithm (learning rate = 0.001, 2000 iterations). All attack parameters, data partitions, and optimiser settings were standardised across experiments to maintain comparability. The privacy score reported in Table 5 is a normalised indicator combining membership-inference resistance, reconstruction difficulty, and utility retention, where higher values denote stronger privacy preservation. Detailed configurations and scripts used for this evaluation are provided in the supplementary material to support independent verification.

The strong performance of EdgeTrustX at low privacy budgets (ε ≤ 0.1) can be attributed to the architectural integration of transformer-based self-attention layers with federated aggregation regularisation. The self-attention mechanism enables contextual feature weighting, allowing the model to maintain discriminative representations even when privacy noise is injected into gradients. Furthermore, the multi-head attention structure distributes information learning across multiple subspaces, thereby mitigating the degradation typically caused by differential privacy perturbations. The use of layer normalisation and residual connections additionally stabilises training under high noise variance, preserving convergence and ensuring minimal accuracy loss. Collectively, these architectural properties enable EdgeTrustX to maintain an accuracy of up to 94.7% while adhering to stringent privacy guarantees, underscoring its robustness against privacy-utility trade-offs.

We analyse the computational overhead of homomorphic encryption operations in EdgeTrustX. Fig. 6 shows the encryption, computation, and decryption times for different model sizes.

Fig. 6 evaluates the efficiency of homomorphic encryption (HE) in EdgeTrustX. Fig. 6a shows computation time scaling with model size, where EdgeTrustX outperforms baseline HE implementations. Fig. 6b plots memory usage, demonstrating the impact of encryption on model overhead. Fig. 6c analyses throughput versus device count, revealing that EdgeTrustX maintains linear scalability while standard HE-fed approaches degrade rapidly beyond 100 devices. These insights highlight EdgeTrustX’s optimisation for resource-constrained environments, making it scalable and efficient even under cryptographic load, validating its practical feasibility for large-scale IoT deployments with privacy guarantees.

We evaluate EdgeTrustX’s scalability by varying the number of participating devices from 10 to 200. Fig. 7 presents the scalability analysis results.

Fig. 7 assesses EdgeTrustX scalability across varying IoT network sizes. Fig. 7a presents convergence time contours as device count increases, showing that EdgeTrustX remains efficient up to 1000 nodes. Fig. 7b uses a forest plot to compare performance (in terms of memory, convergence, efficiency, and accuracy) across 200 different device setups. Fig. 7c analyzes convergence time vs. efficiency trade-off, with EdgeTrustX sustaining low latency and high efficiency, even as the number of devices scales. This demonstrates the framework’s robustness and adaptability under heavy load, reinforcing its suitability for diverse, large-scale federated IoT networks.

Although Table 6 presents empirical scalability results up to 200 physical IoT devices, an additional large-scale simulation was conducted to examine performance under extended network sizes. Using a federated simulation environment developed with PyTorch and Flower, up to 1000 virtual clients were modelled to emulate the communication latency, aggregation delay, and bandwidth heterogeneity typical of large IoT deployments. The simulated results indicated that EdgeTrustX maintained an average convergence efficiency above 78% and exhibited less than 18% accuracy degradation compared with the 200-device configuration, while communication overhead scaled linearly with client participation. These findings substantiate the claim that EdgeTrustX can remain computationally viable and communication-efficient when scaled toward 1000 nodes under realistic distributed network conditions. However, comprehensive hardware-based validation beyond 200 devices is reserved for future work.

We analyse the communication efficiency of EdgeTrustX compared to baseline methods. Fig. 8 illustrates the reduction in communication overhead achieved by the proposed framework.

Fig. 8 provides a communication-centric analysis. Fig. 8a maps communication overhead across communication rounds and device numbers, showing EdgeTrustX achieves low overhead at scale. Fig. 8b evaluates bandwidth-latency trade-offs with message size and compression, highlighting EdgeTrustX’s optimal region. Fig. 8c compares convergence efficiency with communication overhead over time, where EdgeTrustX consistently outperforms FedAvg and HE-Fed in convergence while incurring lower overhead. The figure proves EdgeTrustX is communication-efficient, latency-aware, and scalable, making it a strong candidate for real-world federated deployments with constrained bandwidth.

Fig. 9 presents attention heatmaps for different types of attacks, demonstrating how EdgeTrustX focuses on relevant features for threat detection.

Fig. 9 explores the explainability of EdgeTrustX via attention mechanisms. Fig. 9a maps attention strengths over feature-attack type combinations, identifying patterns (e.g., system-level vs. command and control). Fig. 9b tracks the temporal evolution of attention during DDoS attacks, clearly showing the decision-making phases. Fig. 9c presents the statistical distribution of feature importance across different threat categories, classified as critical, high, moderate, and supportive. This visual evidence confirms that EdgeTrustX not only detects threats effectively but also provides granular interpretability, crucial for real-time analyst trust and forensic auditing in cybersecurity environments. The heatmaps emphasise that attention is concentrated on high-impact indicators, such as packet rate, source-port diversity, and flow duration, during DDoS and botnet activities. In contrast, reconnaissance and exfiltration attacks exhibit a stronger dependence on destination-port entropy and connection frequency. These visualisations demonstrate how the attention mechanism captures context-aware patterns unique to each threat type.

We conduct a comprehensive SHAP analysis to provide feature-level explanations. Table 7 presents the top contributing features for each attack type.

We evaluate the explainability quality using standard metrics. Fig. 10 shows the explainability assessment results.

Fig. 10 provides a comprehensive evaluation of EdgeTrustX’s explainability. Fig. 10a plots faithfulness versus comprehensiveness in a Pareto-optimal landscape, where EdgeTrustX ranks among the best. Fig. 10b illustrates how explainability evolves during training, with EdgeTrustX exhibiting consistent growth. Fig. 10c presents a forest plot with scores across eight explainability metrics, confirming EdgeTrustX’s balance of interpretability dimensions. Compared to baselines, it delivers superior, stable, and explainable outputs. These results validate that privacy-preserving federated models can achieve high transparency—addressing the black-box criticism of deep learning. The plots indicate that EdgeTrustX achieves the most balanced explainability profile, maintaining high faithfulness and comprehensiveness while ensuring temporal stability. Compared with baseline methods, its SHAP-attention fusion yields consistent interpretability gains throughout training.

Table 8 compares the explainability performance of EdgeTrustX with baseline methods.

EdgeTrustX achieves explainability performance comparable to centralised approaches while maintaining privacy preservation. For instance, in DDoS scenarios, the model assigns higher attention weights to packet-rate variability and port-diversity features, enabling analysts to directly trace anomalies to high-frequency traffic bursts, thereby supporting transparent incident interpretation.

We conduct ablation studies to understand the contribution of each component in EdgeTrustX. Table 9 presents the results.

To evaluate the contribution of each module within EdgeTrustX, an ablation study is conducted, as shown in Table 5. The base Transformer model achieves an accuracy of 91.2% ± 0.4 with limited privacy preservation and moderate explainability.

All reported results are presented as the mean ± standard deviation computed over five independent runs to capture experimental variability. A paired t-test with a significance threshold of p < 0.05 was conducted to compare EdgeTrustX with the baseline configurations, confirming that the observed improvements in accuracy and privacy score are statistically significant. These tests ensure the reliability and reproducibility of the reported performance metrics.

Integrating Federated Learning (FL) enhances data decentralisation but slightly decreases accuracy due to non-IID distributions. Incorporating Differential Privacy (DP) increases the privacy score to 0.823 while causing a slight reduction in accuracy to 89.3% ± 0.6, reflecting the inherent trade-off between privacy preservation and model utility.

When Homomorphic Encryption (HE) is introduced, the privacy score increases further to 0.891, while accuracy recovers to 90.1%±0.5, demonstrating that secure aggregation can maintain its competitive utility. Incorporating the Attention Explanation module enhances interpretability, raising the explainability score from 0.669 to 0.789 without compromising performance. Further adding SHAP Analysis provides the highest interpretability (0.823±0.02), enabling human-understandable feature importance rankings.

Finally, the complete EdgeTrustX framework integrates all modules, achieving the best overall performance with an accuracy of 94.7%±0.3, the highest privacy score (0.923), and an explainability score of 0.851±0.01. These results validate the synergistic benefit of combining DP, HE, federated learning, and explainable attention mechanisms.

In addition to the component-level analysis, the effect of training hyperparameters on communication efficiency and model performance is examined. Fig. 11 illustrates the relationship between accuracy and communication cost as the local training epochs, client sampling rates, and quantisation levels are varied. Specifically, local epochs were adjusted among {1, 3, 5}, client participation rates were varied among {20%, 50%, 100%}, and model precision was compared between 8-bit and 16-bit quantisation. Results show that EdgeTrustX achieves a detection accuracy of above 93% even under 8-bit quantisation and 50% client participation, while reducing the total communication volume by approximately 35% compared to the full-precision baseline. Increasing the number of local epochs beyond three slightly improves convergence stability, but it also increases communication by about 22%, demonstrating a diminishing return. Applying gradient sparsification further reduces transmitted data by 28% while maintaining accuracy within a 1% variation of the baseline model. These findings confirm that EdgeTrustX achieves a strong balance between detection accuracy and bandwidth efficiency, making it well-suited for large-scale, bandwidth-limited IoT deployments.

Increasing the number of attention heads enhances the model’s ability to represent multi-context features, thereby improving its capacity to capture diverse traffic behaviours. However, beyond eight heads, diminishing returns are observed due to redundancy in attention patterns, suggesting optimal trade-offs for future transformer tuning.

All hyperparameter-sensitivity experiments were conducted under constant privacy parameters (ε = 0.1, δ = 1 × 10⁻⁵) to isolate the effects of architectural and optimisation settings. Fig. 12 shows the sensitivity analysis for key hyperparameters, including privacy budget, learning rate, and number of attention heads.

Fig. 12 investigates how tuning key hyperparameters affects EdgeTrustX. Fig. 12a shows a 3D privacy-budget vs. learning-rate surface, pinpointing optimal configuration (ϵ =0.1, LR=10−2) with confidence contours. Fig. 12b normalises parameter influence—privacy budget, attention heads, epochs, batch size—revealing that privacy and attention dimensions dominate performance. Fig. 12c presents a related quantum framework (QMobNet) to contrast incremental performance contributions. While EdgeTrustX is not quantum, the comparative subplot underscores modular performance gains. Overall, this figure highlights the importance of meticulous hyperparameter tuning in striking a balance between privacy, accuracy, and efficiency.

We analyse the energy consumption of EdgeTrustX on IoT devices. Fig. 13 presents a comparison of energy efficiency.

Fig. 13 evaluates EdgeTrustX’s energy footprint. Fig. 13a breaks down power usage across five IoT device types (Raspberry Pi 4, Jetson Nano), revealing that Jetson Nano consumes the most, mainly during local training. Fig. 13b compares federated learning methods on the Raspberry Pi 4, showing that EdgeTrustX achieves better battery life due to lower power consumption. Fig. 13c plots detection accuracy vs. energy, highlighting EdgeTrustX’s optimal zone of energy, performance, and privacy balance. This figure validates EdgeTrustX’s hardware efficiency, making it ideal for real-time threat detection on resource-constrained edge platforms.

Table 10 presents the latency analysis for different operations in EdgeTrustX.

To evaluate the computational feasibility of running EdgeTrustX on resource-constrained hardware, throughput and memory profiling were performed using two representative edge devices: Raspberry Pi 4 (4 GB RAM) and NVIDIA Jetson Nano (8 GB RAM). Each device executed the local transformer model, which was configured with six encoder layers and a hidden dimension of d = 512. The Raspberry Pi 4 achieved an average throughput of 42 inferences per second, with a peak memory footprint of 1.28 GB. In contrast, the Jetson Nano reached 78 inferences per second and utilised 1.94 GB of memory. To validate scalability, a lightweight configuration comprising four layers was developed (d = 256), which reduced memory usage by 37% while maintaining detection accuracy within 2% of the whole model. Further 8-bit quantisation of model weights reduced total memory to below 1 GB with negligible accuracy loss (<0.5%). Fig. 14 illustrates the throughput–layer-depth trade-off, confirming that the transformer backbone remains computationally feasible for practical IoT deployment. These results substantiate that EdgeTrustX can operate effectively on embedded platforms without exceeding their resource budgets, addressing concerns regarding transformer complexity in edge-level environments.