AI-Driven Intrusion Detection System for 6G IoT Smart Cities: A Practical Implementation of the Mixture-of-Experts Architecture

This article presents a production-grade MLOps intrusion detection system designed for IoT smart cities in 5G/6G network environments. The project uses a Mixture-of-Experts integrated architecture, a complete CI/CD automation pipeline, and real-time monitoring to achieve real-time attack detection with an accuracy of over 99%. This project comes from a GitHub open-source repository (by author OuaragM/PIDATA project team of Esprit Engineering College, released in May 2026) and is a complete enterprise-level solution template.

With the digitalization of smart cities, the popularization of IoT devices, and the deployment of 6G infrastructure, network threats have increased dramatically. Traditional rule-based passive security systems can no longer meet the demands, facing four core pain points:

1. Manual analysis bottleneck: Slow manual processes, high costs, and error-prone, making it difficult to handle massive traffic;
2. Limitations of passive defense: Unable to detect evolving attacks and zero-day attacks;
3. Scale complexity: Imbalanced category datasets in 5G/6G heterogeneous networks, making model training challenging;
4. Operation and maintenance overhead: Lack of interpretability and effective monitoring, leading to difficult maintenance.

System Architecture

Adopts a microservice architecture, including 21 containerized services divided into 6 layers: Frontend Layer (Next.js14 React dashboard), Edge Gateway Layer (FastAPI JWT authentication), Business Service Layer (authentication/upload/inference, etc.), Machine Learning Layer (MOE inference/training/monitoring), MLOps Layer (MLflow/Prometheus/Grafana, etc.), and Data Plane Layer (PostgreSQL/Redis/MinIO, etc.). Innovative dual-network design: Edge Network (public network entry) + Data Network (internal isolation) to ensure the security of sensitive data.

Mixture-of-Experts Core

• Expert Models: Train dedicated models for different 5G scenarios (XGBoost handles eMBB/mMTC, URLLC models, protocol autoencoders);
• Gating Mechanism: MLP weighted routing + Platt calibration to dynamically select expert combinations;
• Hybrid Learning: Supervised learning (XGBoost/RF/LR with accuracy over 99%) + unsupervised learning (autoencoder + isolation forest for zero-day attack protection).

Feature Engineering

Unified mapping of raw traffic to a 16-dimensional feature space, complete preprocessing pipeline (cleaning/missing values/encoding/IQR anomaly handling), and solving data imbalance issues through stratified sampling and class weight adjustment.

CI/CD Pipeline

• Continuous Integration: 5 jobs (Ruff code check, Black formatting, Bandit security scan, pip-audit dependency audit, Trivy file scan), completed in about 8 minutes;
• Continuous Deployment:5 jobs (build 9 Docker images, Trivy image scan, automated testing, production deployment), completed in about 40 minutes.

Model Management

• MLflow-driven: Experiment tracking + version management, recording hyperparameters/metrics/artifacts;
• Automatic upgrade: Only promote to production version if F1 ≥0.9, recall ≥0.95, PR-AUC ≥0.92;
• Hot reload: Model updates without restart via the /admin/reload endpoint.

Drift Detection

Monitor data distribution changes in a 7-day sliding window based on PSI (Population Stability Index), and automatically send Slack alerts when drift is detected.

Inference Performance

• P95 inference latency <200ms;
• Accuracy over 99%;
• Stateless design supports horizontal scaling.

Security System

• Identity authentication: JWT token + RBAC role-based access control;
• Inter-service security: Internal API key (X-Api-Key) to protect communication;
• Sensitive operations: Endpoints like /train/start are only accessible to administrators;
• Password security: bcrypt hashing + Jose JWT library;
• Key management: 64-character random keys managed via .env files to avoid hardcoding.

Core Value

• Service Continuity: Early behavior detection identifies attacks and blocks threats in advance;
• Operation Efficiency: Precisely interpretable alerts reduce false positives and focus on real threats;
• Cost Control: Automated pipelines reduce long-term operation and maintenance costs.

Applicable Scenarios

• Protection of IoT infrastructure in smart cities;
• Security monitoring of 5G/6G core networks;
• Protection of edge devices in industrial internet;
• Anomaly traffic detection in large-scale distributed systems.

This project demonstrates the complete path of combining cutting-edge ML technology with modern software engineering practices to build a production-grade AI system. Insights for AI engineering teams:

1. Mixture-of-Experts architecture adapts to complex scenarios;
2. End-to-end MLOps pipeline ensures system maintainability;
3. Defense-in-depth concept: Ensemble learning at the model level improves accuracy, while multi-layer isolation + permission control + security scanning at the system level builds a defense line. This is a valuable enterprise-level AI solution template, worthy of reference for AI implementation teams.