A Dual-Attention CNN–GCN–BiLSTM Framework for Intelligent Intrusion Detection in Wireless Sensor Networks

1. Introduction

Wireless sensor networks (WSNs) are an essential part of the internet of things that are increasingly becoming common in critical infrastructures, environmental monitoring, healthcare, and industrial control systems [1,2,3,4,5]. These networks have revolutionized the sensing and communication frameworks. Nevertheless, the distributed and energy-constrained nature of these networks makes them susceptible to cyber intrusions [6,7,8]. Some of the commonly found attacks involve denial of service (DoS), jamming, sinkhole, blackhole, and selective forwarding. Such attacks lead to a compromise in the data integrity, network reliability, and real-time decision-making. Thus, the development of efficient and intelligent intrusion detection systems (IDS) is essential for protecting the WSNs while ensuring their energy efficiency and scalability [6,7,8].

The traditional WSN IDS framework predominantly relies on statistical analysis and rule-based systems. The classical machine learning (ML) algorithms like random forest (RF), support vector machine, k-nearest neighbors (kNN), and decision trees (DT) offer interpretability and low computational overhead [9,10,11], yet their performance reduces drastically under the dynamic topologies and non-linear attack patterns which are commonly found in real-world deployments. Some of the recent advancements towards deep learning based IDS have explored architectures like convolutional neural networks (CNNs), long short-term Memory (LSTM), and a hybrid combination of CNN-LSTMs [9,10,11]. In addition, autoencoders and graph neural networks have also been explored for capturing hierarchical and temporal dependencies in the traffic behavior. While offering higher accuracies, these methods exhibit certain limitations: (i) high energy and memory footprints unsuited for low-power sensor nodes, (ii) poor generalization to unseen attack types and evolving network conditions, and (iii) lack of interpretability and privacy preservation in distributed scenarios. Such gaps have been targeted by several studies in recent times.

Houda et al. [12] offered a collaborative federated learning framework that makes use of a secure aggregation protocol for the detection of jamming (including contrast, random, reactive, and deceptive). The study attained an accuracy of ≈99%, yet the focus has been limited to jamming behaviors while further assuming federated learning connectivity. The broader multi-attack generalization and on-device energy and communication costs have not been incorporated in the proposed design. Jeyakumar et al. [13] proposed a hybrid stacked CNN-bidirectional LSTM (BiLSTM). The model has been tuned by an African vulture optimization algorithm and trained using federated learning. The communication and aggregation overheads, along with the robustness of federated learning under, have not been fully quantified in the study. In addition, the interpretability and node-level resource constraints are found to be partially addressed. In Zhou et al. [14], a tabular to image transform has been incorporated by using transfer learning. The article involves MobileNet and Xception with black kite algorithm for the hyperparameter search and ensemble. The model has been found to offer a heavy computational footprint with a lack of explainability and uncertainty for real-world deployments.

Halbouni et al. [15] adopted CNN and LSTM for spatial and temporal features for the classification using three datasets. The models offered limited treatment of the class imbalance and WSN energy/latency constraints. Vinayakumar et al. [16] focused on a systematic deep learning (DNN) benchmarking compared to classical ML using multiple intrusion datasets. The early deep benchmarking datasets were found to lack WSN-specific topology and context modeling for interpretability. The false positive control was found under multi-attack scenarios. Birahim et al. [17] adopted particle swarm optimization (PSO) for the feature and hyperparameter search using an ensemble (RF/DT/kNN) and class imbalance handled using SMOTE-Tomek. The study failed to model the network-structure awareness and temporal dependencies. In addition scalability of the models was not fully addressed. Hakami et al. [18] presented a pipeline having SMOTE for the balancing of Pearson correlation for the feature selection. While using the WSN-DS dataset, the studies offered fair performance yet failed to address the privacy-preserving learning along with computational resource requirements. Alzahrani et al. [19] presented a ConvLSTM model offering benchmarking performance in several datasets. However, it was tailored for UAV networks having poor transferability towards resource-constrained environments. Similarly, a Red Kite Optimization framework [20] was proposed that focused on average ensemble, LCWOA, and hyperparameter tuning. The model relies on heuristic feature selection and moving ensembles without offering temporal and graph modeling. Atitallah et al. [21] Jiang et al. [21], and Saleh et al. [22], collectively enhanced the detection accuracy using fuzzy-graph attention, meta-heuristic optimization, and SGD-based learning. Yet their real-time adaptability and scalability are limited for making lightweight deployments.

A summary of these articles has been presented in Table 1

The studies reviewed above help in highlighting substantial progress in the IDS detection approaches; however, they have several challenges. The federated and optimization-based models, including Federated SCNN-BiLSTM and AVOA, along with Privacy-Preserving FL for jamming, have improved distributed learning, yet they face communication and synchronization bottlenecks. The optimization-driven framework involving CBCTL-IDS, RKOA, AEID, and ST-IAOA-XGBoost has shown high detection accuracies. Yet they remain computationally heavy on the node deployments. The explainable artificial intelligence (XAI) techniques, including PSO-Ensemble and LIME/SHAP, have enhanced the interpretability, yet they lack real-time adaptability and spatial-temporal reasoning. The fuzzy graph attention networks capture the topological relations, yet suffer from high complexity and limited scalability in the constrained WSN environments. Overall, the following research gaps have been identified:

• Deployment Realism: Existing models overlook computational and energy limitations of distributed sensor nodes.
• Temporal–Spatial Dependency: Most IDS fail to jointly model both the temporal evolution of attacks and spatial correlations among nodes.
• Dynamic Adaptation: Static training prevents adaptation to changing traffic distributions and novel intrusions.
• Interpretability and Fusion: Few works integrate multi-level feature fusion or interpretable decision mechanisms within hybrid deep architectures.

To overcome these limitations, the proposed framework introduces a multi-branch hybrid deep learning framework optimized for the IDS in WSNs. The model integrated multi-scale CNN blocks, attention-based fusion layers, graph convolutional network (GCN) operations, and BiLSTM for effectively capturing the multi-resolution, spatial, and temporal dependencies in the WSN-DS traffic. The multi-scale CNN layers have been used to extract the hierarchical frequency-temporal patterns. The attention fusion dynamically re-weights the salient spatial-temporal features. The GCN components help in encoding the inter-node topological relationships, and the BiLSTM layers model the bidirectional temporal correlations. These help in enhancing the detection of subtle and evolving attack behaviors. Finally, the dense layers and softmax classifiers produce probabilistic intrusion classifications. Compared to previous models, the proposed framework is lightweight, modular, and optimized for both the centralized and distributed detection schemes. It helps in offering improved generalization towards unseen intrusions and maintains computational efficiency in real-time edge deployments. Overall, the study contributes as follows:

• It integrates multi-scale CNN, attention fusion, GCN, and BiLSTM to capture comprehensive spatio-temporal dynamics of WSN traffic.
• The model learns hierarchical and context-aware embeddings that improve separability between normal and anomalous traffic. This is attained through multi-branch feature extraction and adaptive attention weighting.
• Introduces advanced preprocessing and normalization steps to ensure stability.

The rest of the article has been structured as follows. Section II offers a detailed methodology framework incorporating preprocessing, model, and evaluation details. Section III provides results along with a critical analysis of the findings and validation against the benchmarking models. Section IV concludes the study along with a potential future roadmap.

2. Materials and Methods

2.1. Dataset Description

The study employed the WSN-DS dataset for carrying out the experimentation and evaluations. The WSN-DS dataset, developed by Almomani et al. [24], is specifically designed for the detection of Denial-of-Service (DoS) attacks and consists of 374,661 records, with approximately 9% labeled as DoS incidents. This dataset was constructed using the LEACH protocol, a widely adopted hierarchical routing protocol in Wireless Sensor Networks (WSNs), and encompasses both normal network behavior and four distinct types of DoS attacks: Grayhole, Blackhole, TDMA, and Flooding. Data collection was performed using Network Simulator 2 (NS-2), and the resulting traces were processed to extract 18 relevant features. Due to its comprehensive structure and labeled attack scenarios, the WSN-DS dataset serves as a valuable benchmark for researchers developing intrusion detection strategies and enhancing the security of WSNs [25].

The dataset has been treated as a benchmark corpus for the IDS in the WSNs. Each of the records in the data comprises 18 continuous-valued attributes that represent traffic, energy, and protocol-level indicators. These are followed by a categorical class label $y\in \{C_1,C_2,\dots ,C_5\}$ corresponding to different attack or normal states. The data attributes are represented as follows:

$$\mathcal{D}=\{({\mathbf{x}}_i,y_i)\mid {\mathbf{x}}_i\in {\mathbb{R}}^{18},y_i\in \{1,\dots ,5\},i=1,\dots ,N\}$$

(1)

where N denotes the total number of samples. The dataset was partitioned into training and testing subsets with an 80:20 ratio:

$${\mathcal{D}}_{train}\cup {\mathcal{D}}_{test}=\mathcal{D},{\mathcal{D}}_{train}\cap {\mathcal{D}}_{test}=\varnothing$$

(2)

Algorithm 1 Proposed Intrusion Detection Framework

Require: Dataset $\mathcal{D}$, learning rate $\eta$, epochs E, batch size B Ensure: ${\Theta }^{★}$ 1: Split $\mathcal{D}\to ({\mathcal{D}}_{\mathrm{train}},{\mathcal{D}}_{\mathrm{val}},{\mathcal{D}}_{\mathrm{test}})$ 2: Apply Min–Max normalization; rank features by ${\chi }^2$ 3: Reshape inputs to $\mathbf{X}\in {\mathbb{R}}^{k\times 1}$ 4: for$e=1$ to E do 5:    Forward →: 6:    Apply 1D convolutions with kernel sizes $\{3,5\}$ to $\mathbf{X}$ to obtain ${\mathbf{C}}_i$ 7:    Concatenate ${\left[{\mathbf{C}}_i\right]}_i$, apply batch normalization and dropout $\to \tilde{\mathbf{C}}$ 8:    Compute spatial attention ${\mathbf{A}}_s$ on $\tilde{\mathbf{C}}$, temporal attention ${\mathbf{A}}_t$ on ${\mathbf{A}}_s$ 9:    Build graph features $\mathbf{H}$ via GCN(${\mathbf{A}}_s,{\mathbf{A}}_t$); obtain $\mathbf{h}$ via BiLSTM($\mathbf{H}$) 10:    Compute logits $\hat{\mathbf{y}}=\mathrm{softmax}(\mathbf{W}\mathbf{h}+\mathbf{b})$ 11:    Backward ⇐: 12:    Compute gradients ${\nabla }_{\Theta }\mathcal{L}$ and update $\Theta \leftarrow \Theta -\eta {\nabla }_{\Theta }\mathcal{L}$ (Adam) 13:    Validate on ${\mathcal{D}}_{\mathrm{val}}$ and save best checkpoint 14: end for 15: Test on ${\mathcal{D}}_{\mathrm{test}}$; report accuracy, precision, recall, and F1

The following features are the part of dataset as described in Table 2:

2.2. Design Framework

The proposed framework entails multi-scale convolutional filters, attention-based fusions, and BiLSTM for the extraction of spatio-temporal dependencies in the WSN traffic. The overall structure of the proposed IDS framework has been presented in Algorithm 1.

2.3. Data Preprocessing

To allow numerical stability and optimal convergence, the features have been subjected to normalization by using mix-max scaling as follows:

$$x^{\prime }={\displaystyle \frac{x-min\left(x\right)}{max\left(x\right)-min\left(x\right)}}\in [0,1]$$

(3)

Feature selection was achieved using the ${\chi }^2$ statistical test. For each feature $f_j$, the relevance score was computed as:

$${\chi }^2\left(f_j\right)=\sum _{i=1}^m{\displaystyle \frac{{(O_{ij}-E_{ij})}^2}{E_{ij}}}$$

(4)

where $O_{ij}$ and $E_{ij}$ denote observed and expected frequencies across class distributions. The top-16 features with highest ${\chi }^2$ scores were retained:

$${\mathbf{X}}^{\prime }={\mathrm{SelectKBest}}_{{\chi }^2,k=16}\left(\mathbf{X}\right)$$

(5)

Additionally, label encoding was applied to the target variable, which was categorical in nature and therefore unsuitable for direct use in ML algorithms. Label encoding is a common preprocessing technique that transforms categorical labels into numerical representations, making them more suitable for algorithmic processing—particularly when the target classes are limited and discrete. The WSN-DS dataset includes five target categories: Flooding, TDMA, Grayhole, Blackhole, and Normal. Each class was assigned a unique numerical identifier, as summarized in Table 3, to ensure compatibility with supervised learning models.

2.4. Feature Engineering

Feature transformation for temporal learning was performed via 3D reshaping:

$${\mathbf{X}}^{\prime \prime }\in {\mathbb{R}}^{n\times k\times 1},\mathrm{where}k=16$$

(6)

This embedding enables convolutional and recurrent layers to explore the localized dependencies.

2.5. Model Design

The proposed hybrid framework $\mathcal{M}(\Theta )$ constitutes a multi-branch. It is a hierarchically coupled architecture designed to capture spatio–temporal–spectral correlations. $\Theta$ denotes the complete set of learnable parameters of the model $\mathcal{M}$, including convolutional kernels, recurrent weights, normalization matrices, and bias terms. The model comprises four principal computational entities: a Multi-Scale Convolutional Block for local feature extraction, an Attention Fusion Layer for dynamic context weighting, a Graph Convolutional Module for structural regularization, and a Bidirectional LSTM with Contextual Attention for temporal propagation modeling. These integrated modules help in collectively representing the learnable tensors that involve convolutional kernels, recurrent weights, normalization matrices, and bias offsets. Overall, the model design has been depicted in Figure 1.

2.5.1. Multi-Scale Convolutional Block

Given a normalized sequence tensor $\mathbf{X}\in {\mathbb{R}}^{k\times 1}$ that represents the compacted feature manifold. The multi-scale convolutional extractor performs convolutions at multiple receptive field scales for capturing heterogeneous spatial dependencies:

$$\begin{array}{cc}\hfill {\mathbf{F}}_1& =\sigma \left({\mathcal{N}}_1({\mathbf{W}}_1{*}_3\mathbf{X}+{\mathbf{b}}_1)\right),\hfill \end{array}$$

(7)

$$\begin{array}{cc}\hfill {\mathbf{F}}_2& =\sigma \left({\mathcal{N}}_2({\mathbf{W}}_2{*}_5\mathbf{X}+{\mathbf{b}}_2)\right),\hfill \end{array}$$

(8)

$$\begin{array}{cc}\hfill {\mathbf{F}}_3& =\sigma \left({\mathcal{N}}_3({\mathbf{W}}_3{*}_7\mathbf{X}+{\mathbf{b}}_3)\right),\hfill \end{array}$$

(9)

where ${*}_n$ denotes 1-D convolution with kernel size n, ${\mathcal{N}}_i(·)$ indicates batch normalization, and $\sigma (·)$ is the ReLU activation. The multi-scale responses are concatenated into a composite feature tensor:

$${\mathbf{F}}_{ms}=\left[{\mathbf{F}}_1\parallel {\mathbf{F}}_2\parallel {\mathbf{F}}_3\right]\in {\mathbb{R}}^{k\times d_{ms}},$$

(10)

where $d_{ms}$ denotes the total concatenated dimensionality. A dropout mapping ${\mathcal{D}}_p$ with stochastic rate $p=0.3$ is subsequently applied to prevent co-adaptation:

$${\tilde{\mathbf{F}}}_{ms}={\mathcal{D}}_p\left({\mathbf{F}}_{ms}\right).$$

(11)

This operation enforces robustness to local perturbations. In addition, it preserves gradient stability across convolutional depths.

2.5.2. Dual-Stage Attention Fusion

The fused features ${\tilde{\mathbf{F}}}_{ms}$ are passed into a dual-stage attention mechanism. These have been designed to disentangle spatial and temporal significance within the feature domain. Let ${\mathbf{Q}}_s,{\mathbf{K}}_s,{\mathbf{V}}_s\in {\mathbb{R}}^{T\times d_k}$ represent the query, key, and value embeddings for the spatial attention subspace:

$${\mathbf{A}}_s=\mathrm{softmax}\left({\displaystyle \frac{{\mathbf{Q}}_s{\mathbf{K}}_s^T}{\sqrt{d_k}}}+{\mathbf{M}}_s\right){\mathbf{V}}_s,$$

(12)

where ${\mathbf{M}}_s$ is a learned bias mask regulating sparsity across nodes. The temporal refinement stage analogously computes:

$${\mathbf{A}}_t=\mathrm{softmax}\left({\displaystyle \frac{\left({\mathbf{Q}}_t{\mathbf{K}}_t^T\right){\mathbf{W}}_{\tau }+{\mathbf{B}}_{\tau }}{\sqrt{d_k}}}\right){\mathbf{V}}_t,$$

(13)

where ${\mathbf{W}}_{\tau }$ introduces a learnable transformation capturing cross-time contextual drift. The joint fused representation is then expressed as:

$${\mathbf{A}}_{fused}=\alpha {\mathbf{A}}_s+(1-\alpha ){\mathbf{A}}_t+\lambda ({\mathbf{A}}_s\odot {\mathbf{A}}_t),$$

(14)

where $\alpha$ and $\lambda$ are trainable coupling coefficients, and ⊙ denotes element-wise interaction. This composite fusion reinforces both spatially localized and temporally evolving intrusion cues.

2.5.3. Graph Convolutional Regularization

To embed topological priors of the WSN, an adjacency matrix $\mathbf{A}\in {\mathbb{R}}^{n\times n}$ is constructed. This encodes communication reachability among sensor nodes. The spectral graph convolution for layer l is formulated as:

$${\mathbf{H}}^{(l+1)}=\xi \left({\tilde{\mathbf{D}}}^{-{\displaystyle \frac{1}{2}}}\tilde{\mathbf{A}}{\tilde{\mathbf{D}}}^{-{\displaystyle \frac{1}{2}}}{\mathbf{H}}^{\left(l\right)}{\mathbf{W}}^{\left(l\right)}+\gamma {\mathbf{H}}^{\left(l\right)}\right),$$

(15)

where $\tilde{\mathbf{A}}=\mathbf{A}+\mathbf{I}$ ensures self-loops, ${\tilde{\mathbf{D}}}_{ii}={\sum }_j{\tilde{\mathbf{A}}}_{ij}$ is the degree matrix, $\xi (·)$ is a nonlinear mapping (ReLU), and $\gamma$ is a residual stability factor.

This operation integrates both direct communication correlations and latent dependencies that are inferred using the higher-order neighborhoods.

2.5.4. Bidirectional LSTM with Contextual Attention

To capture temporal recurrency and bidirectional dependencies, the model employs forward and backward LSTMs defined as:

$$\begin{array}{cc}\hfill {\overrightarrow{\mathbf{h}}}_t& =f_{\mathrm{LSTM}}\left({\mathbf{x}}_t,{\overrightarrow{\mathbf{h}}}_{t-1};{\Theta }_f\right),\hfill \end{array}$$

(16)

$$\begin{array}{cc}\hfill {\overleftarrow{\mathbf{h}}}_t& =f_{\mathrm{LSTM}}\left({\mathbf{x}}_t,{\overleftarrow{\mathbf{h}}}_{t+1};{\Theta }_b\right),\hfill \end{array}$$

(17)

yielding the contextual embedding. Here, ${\Theta }_f$ and ${\Theta }_b$ represent the sets of learnable parameters (weights and biases) for the forward and backward LSTM networks, respectively.

$${\mathbf{H}}_t=[{\overrightarrow{\mathbf{h}}}_t\parallel {\overleftarrow{\mathbf{h}}}_t].$$

(18)

An adaptive attention mechanism refines ${\mathbf{H}}_t$ into a context-weighted summary vector:

$${\mathbf{h}}_{att}=\sum _{t=1}^T{\alpha }_t{\mathbf{H}}_t,{\alpha }_t={\displaystyle \frac{exp\left({\mathbf{u}}_t^{\top }{\mathbf{w}}_a\right)}{{\sum }_{i=1}^{T}exp\left({\mathbf{u}}_i^{\top }{\mathbf{w}}_a\right)}},{\mathbf{u}}_t=tanh({\mathbf{W}}_u{\mathbf{H}}_t+{\mathbf{b}}_u),$$

(19)

where ${\mathbf{w}}_a$ serves as the attention query vector, optimizing temporal salience through soft alignment.

2.5.5. Hierarchical Aggregation and Output Projection

The contextual embedding ${\mathbf{h}}_{att}$ is aggregated through a hierarchical fusion of global average and maximum pooling:

$$\mathbf{z}={\beta }_1·{\displaystyle \frac{1}{T}}\sum _{t=1}^T{\mathbf{h}}_{att,t}+{\beta }_2·\underset{t}{max}\left({\mathbf{h}}_{att,t}\right),$$

(20)

where ${\beta }_1$ and ${\beta }_2$ are learned weighting scalars enforcing balanced statistical and extremal emphasis. The resultant descriptor $\mathbf{z}$ traverses two nonlinear dense transformations under $L_2$ regularization:

$${\mathbf{z}}^{\prime }=\varphi ({\mathbf{W}}_1\mathbf{z}+{\mathbf{b}}_1)+\rho \varphi ({\mathbf{W}}_2\mathbf{z}+{\mathbf{b}}_2),$$

(21)

where $\varphi$ denotes ReLU activation and $\rho$ acts as a dense fusion coefficient. Finally, the class posterior distribution over intrusion categories is modeled as:

$$\hat{\mathbf{y}}=\mathrm{softmax}({\mathbf{W}}_o{\mathbf{z}}^{\prime }+{\mathbf{b}}_o),$$

(22)

with optimization governed by categorical cross-entropy loss:

$${\mathcal{L}}_{CE}=-{\displaystyle \frac{1}{N}}\sum _{i=1}^N\sum _{c=1}^C{y}_{i,c}log{\hat{y}}_{i,c}.$$

(23)

This hierarchical deep representation ensures that $\mathcal{M}(\Theta )$ can capture localized transient anomalies. It further encodes persistent cross-node intrusion dynamics characteristic of WSN attack behavior.

2.6. Evaluation and Simulation

The model was implemented in TensorFlow 2.15 and trained on a single NVIDIA GPU with CUDA acceleration. Hyperparameters and simulation settings are summarized in Table 4.

2.6.1. Evaluation Metrics

Performance evaluaiton has been carried out using Accuracy ($Acc$), Precision (P), Recall (R), and F1-score ($F_1$):

$$\begin{array}{cc}\hfill Acc& ={\displaystyle \frac{TP+TN}{TP+TN+FP+FN}}\hfill \end{array}$$

(24)

$$\begin{array}{cc}\hfill P& ={\displaystyle \frac{TP}{TP+FP}}\hfill \end{array}$$

(25)

$$\begin{array}{cc}\hfill R& ={\displaystyle \frac{TP}{TP+FN}}\hfill \end{array}$$

(26)

$$\begin{array}{cc}\hfill F_1& =2\times {\displaystyle \frac{P\times R}{P+R}}\hfill \end{array}$$

(27)

where $TP$, $TN$, $FP$, and $FN$ denote true positives, true negatives, false positives, and false negatives, respectively. Confusion matrices and learning curves were used to further assess classification stability and convergence.

3. Results

The performance analysis of the proposed IDS in WSN has been carried out under multi-tier analysis. The system has been implemented using Python and TensorFlow while using Keras backends. The dataset has been divided into three sub-sets (training, validation, and testing). The model has been trained for 30 epochs using the Adam optimizer with a learning rate of $\eta ={10}^{-3}$. It has been categorized by using a categorical cross-entropy loss function.

3.1. Training and Validation Performance

The model convergence behavior has been depicted in Figure 2. These depict the evolution of both the accuracy and loss across epochs. The training accuracy has been found to consistently increase with the increasing epochs. The stabilization is approximately $98\%$ after epoch 10. This indicated that a fast convergence has been attained along with strong generalization. The validation accuracy also follows the same trajectory. This suggests that the overfitting has been successfully mitigated through the inclusion of dropout and batch normalization layers.

The model’s stability can be characterized by the loss differential:

$$\Delta \mathcal{L}\left(t\right)=|{\mathcal{L}}_{train}\left(t\right)-{\mathcal{L}}_{val}\left(t\right)|,$$

(28)

This asymptotically approaches zero as $t\to T_{final}$ and leads to confirming the convergence without oscillation and divergence. This results from the adaptive gradient dynamics, which are inherent in the Adam optimizer, represented as follows:

$${\Theta }_{t+1}={\Theta }_t-{\displaystyle \frac{\eta }{\sqrt{{\hat{v}}_t}+ϵ}}{\hat{m}}_t,$$

(29)

where ${\hat{m}}_t$ and ${\hat{v}}_t$ denote bias-corrected first and second moment estimates, respectively.

3.2. Confusion Matrix Analysis

To further analyze the classification performance of the model across the multiple attack classes, outcomes have been presented in the form of a confusion matrix. The proposed CNN-Attention-BiLSTM hybrid model has been found to exhibit strong diagonal dominance as presented in Figure 3. The model has been found to attain accurate multi-class discrimination. The normal and DoS categories in particular have attained a near-perfect classification. This led to minimal confusion between normal network behavior and four distinct types of DoS attacks: Grayhole, Blackhole, TDMA, and Flooding.

The overall precision (P), recall (R), and $F_1$-score were computed as:

$$\begin{array}{cc}\hfill P& ={\displaystyle \frac{{\sum }_{i}T{P}_i}{{\sum }_i(T{P}_i+F{P}_i)}}=0.9842,\hfill \end{array}$$

(30)

$$\begin{array}{cc}\hfill R& ={\displaystyle \frac{{\sum }_{i}T{P}_i}{{\sum }_i(T{P}_i+F{N}_i)}}=0.9791,\hfill \end{array}$$

(31)

$$\begin{array}{cc}\hfill F_1& ={\displaystyle \frac{2PR}{P+R}}=0.9791,\hfill \end{array}$$

(32)

which collectively demonstrate the superior discriminative capacity of the model.

3.3. Model Interpretability and Structural Visualization

The network architecture has been depicted in Figure 4. It entails a multiscale convolutional feature extraction with multi-head attention fusion and BiLSTM encoding for the temporal dependency modeling. The total number of trainable parameters is approximately $96,735$, with only 256 non-trainable parameters. This ensured a lightweight deployment within constrained WSN environments.

3.4. Learning Dynamics and Validation Logs

Figure 5 presents the epoch-wise training logs. These depict a consistent improvement in accuracy and reduction in loss. Each epoch’s validation loss (${\mathcal{L}}_{val}$) was evaluated, and the best-performing model was checkpointed according to:

$${\mathcal{L}}_{val}^{best}=\underset{t}{min}\left\{{\mathcal{L}}_{val}\left(t\right)\right\}.$$

(33)

3.5. Comparative Evaluation

The proposed model has been validated against the benchmark models and classifiers that involve CNN, CNN+ recurrent neural network (RNN), and naïve nayes. The summary of the comparison has been presented in Table 5. The model has been found to attain an overall accuracy of $98.0\%$. The accuracy is higher compared to the conventional approaches by up to $2.2\%$. In addition, the inclusion of the attention mechanism further improved the interpretability. This allows offering insights into the neuron activation relevance during detection.

The CNN model recorded 97.0% accuracy, demonstrating the ability of convolutional layers to extract important spatial features. However, it presented lower precision and recall of 83.60% and 82.60% respectively, indicating difficulty in identifying several attack types and resulting in a relatively high false positive rate. The CNN + RNN gained better recall of 96.48%, and F1-score with 96.86% due to the ability of learn patterns over time, while the overall accuracy was similar to the CNN model. This means that using only simple time modeling is not enough to express complex and nonlinear behaviors observed in WSNs.

On the other hand, the Naïve Bayes classifier demonstrated the lowest accuracy at 95.82% compared to other baseline models. This finding shows the limitation to cope with non-linear, and high-dimensional feature interactions which appear in intrusion data.

The proposed model outperforms baseline models across all metrics, reaching 98.42% precision, 97.91% recall, and a 97.91% F1-score. This indicates the model is more effective at detecting attacks while minimizing false positives, which matters in real-time WSN uses. The dual-attention mechanism assists the model in targeting key features, boosting both robustness and stability.

Unlike other baseline models, the proposed model offers interpretability based on the XAI feature. Attention layers reveal the spatial or temporal regions that most strongly influence classification decisions. Interpreting decisions helps network administrators to understand the model’s reasoning and identify vulnerable parts of the network, unlike black-box models that only provide prediction results. The proposed approach provides both interpretable reasoning and high-performance detection, which is beneficial for WSN security monitoring in the real world.

3.6. Discussion

Overall, the proposed framework has been found to outperform the baseline models in terms of accuracy and interpretability. In addition, the contextual attention mechanisms have allowed improved discrimination between the overlapping attack signatures. The mathematical baseline for this improvement is related to non-linear fusion of multi-scale convolutional and temporal embeddings:

$${\mathbf{z}}_{final}=\varphi ({\mathbf{W}}_a[{\mathbf{F}}_{ms}\oplus {\mathbf{h}}_{bi}]+{\mathbf{b}}_a),$$

(34)

where ⊕ denotes concatenation and $\varphi$ represents a non-linear mapping. The end-to-end architecture thus achieves robust generalization, scalability, and real-time inference capability. This makes it suitable for deployment in resource-constrained WSN environments.

The integration of multi-scale convolutional features and bidirectional temporal embeddings enables the framework to create a coherent latent space that simultaneously captures both local spatial patterns and temporal dynamics of WSN traffic. This combination of features from both domains enhances the model’s ability to detect subtle differences in behavior between normal and malicious traffic. The linear transformation, characterized by $W_a$ and the bias term $b_a$, maps these features into a more differentiated subspace, while the non-linear activation function $\varphi$ facilitates higher-order interactions among features, allowing the model to capture complex and non-linear attack behaviors common in WSN environments. The proposed approach not only improves the representative power of the learned embeddings but also enhances the differentiation between classes within the latent space, as demonstrated by the improved clustering of attack categories during the evaluation process.

Compared with conventional CNN or LSTM-based models, the proposed hybrid framework offers a significant advantage in handling the complex characteristics of WSNs. Traditional CNNs can extract local spatial features but often struggle with irregular topologies of WSN. LSTM models excel at capturing temporal patterns but overlook the spatial relationships among network nodes. Introducing the GCN addresses these limitations by learning the connections between nodes and how anomalies propagate across the network, which is crucial for identifying distributed or coordinated attacks. Furthermore, the BiLSTM component of the model improves temporal learning by analyzing data in both forward and backward directions. Additionally, the attention fusion mechanism emphasizes the most significant spatial, structural, and temporal features. As a result, the proposed framework provides reliable and precise intrusion detection, decreases false alarms, and adapts effectively to changing network conditions.

4. Conclusion

The research presents an advanced hybrid deep learning framework for intrusion detection in the WSNs. The model integrated multi-scale convolutional blocks, attention fusion layers, graph convolutional reasoning, and BiLSTM components. The proposed framework helped in effectively capturing both spatial and temporal dependencies in sensor network traffic. The evaluation of the model has been carried out on the WSN-DS dataset. The model has been found to attain superior detection capability and has shown the ability to distinguish against diverse attacks, including Grayhole, Blackhole, TDMA, and Flooding. The study not only attained high detection accuracy but also maintained lightweight computational complexity that is suitable for real-time WSN environments. Compared to the existing baseline models, the proposed model attained enhanced generalization, reduced false alarms, and improved feature interpretability through its attention-driven design. Overall, the model bridged the gap between a high-performance IDS framework and practical WSN deployment. These offer scalable, energy-efficient, and topology-aware detection solutions. In the future, the following can be explored: (i) adaptive federated implementations for decentralized WSN nodes, (ii) self-evolving detection modules leveraging online learning to handle emerging attack patterns, and (iii) explainable visual analytics to strengthen trust and interpretability in mission-critical applications.