Anomaly detection of cyber threats in industrial IoT networks via hybrid digital twins and continual learning

The Industrial Internet of Things (IIoT) is increasingly exposed to cyber threats due to its tight integration of operational technology and digital connectivity. Traditional intrusion detection systems (IDSs) often struggle with adaptability, false positives, and operational scalability in dynamic, non-stationary environments. This paper proposes a cyber threat detection framework that integrates hybrid digital twins (DTs) with continual learning to enable reliable and adaptive intrusion detection in realistic IIoT settings. The hybrid DTs act as local mirrors of IIoT devices, preserving sensitive data close to the source while supporting controlled validation of firmware updates and configuration changes. The continual learning mechanism enables the detection model to incrementally adapt to evolving traffic patterns and emerging attacks, mitigating catastrophic forgetting without requiring repeated offline retraining. Experimental validation on benchmark datasets and real IIoT traffic shows that the proposed DT-enabled framework supports stable detection performance over time under bounded memory and incremental update constraints, reflecting realistic deployment conditions. The proposed architecture highlights a practical trade-off between offline optimality and online adaptability, offering a robust, scalable solution for securing IIoT infrastructure that balances continuous operation, reliability, and controlled adaptation.