Implementing Anomaly-Based Intrusion Detection for Resource-Constrained Devices in IoMT Networks
Abstract
1. Introduction
2. Proposed AIDS
2.1. System Architecture
2.2. Monitoring and Data Acquisition (MDA) Component
2.2.1. Data Collection
- the CPU mode group (i.e., indexes 2–11) containing all feature values related to the time (in ticks) that the CPU spends in a specific mode of operation,
- the memory group (i.e., indexes 17–25) containing all feature values that describe how the system memory is used, and
- the disk stats group (i.e., indexes 26–33) containing all feature values that describe how the OS interacts with storage drives.
2.2.2. Data Reporter
MDA report (two lines):

```
iomtSensor2
1733143854599,102899,11863,20796,1155510,1625,0,1016,0,0,0,3532646,11824936,6992,2,1717639,2035460,124560,610688,614092,886328,826624,126760,8624,20364,68185,5664298,20705,45733,3789920,75991,0,124190
```
2.3. Remote Detection Engine (RDE) Component
- receive the MDA reports from the IoMT devices (i.e., hosting the MDA component) that are connected to the gateway and leverage the received MDA reports to identify whether an attack incident has occurred in the connected IoMT devices, and
- send appropriate security alerts to the cloud server for further processing and visualization when attack incidents are detected.
2.3.1. Report Receiver
- The “report receiver” module splits the report into its two parts: (a) the unique ID of the IoMT device from where the MDA report originates and (b) the enclosed record collected on the IoMT device.
- The “report receiver” module checks if the unique ID of the IoMT device is present (i.e., registered) in the configuration file of the RDE component. The configuration file of the RDE component contains an array of unique device IDs that must include all unique IDs of the IoMT devices that are connected to the gateway and where MDA components are running.
- Only after ensuring that the IoMT device related to the received MDA report is registered in the configuration file of the RDE component does the “report receiver” module proceed to check whether a processing thread regarding this IoMT device already exists.
- In the case of an existing thread, the new MDA report is redirected to it; otherwise, a new thread is created to process the new MDA report.
2.3.2. Report Verifier
- The “report verifier” module splits the report into its two parts: (a) the unique ID of the IoMT device from where the MDA report originates and (b) the enclosed record collected on the IoMT device.
- The “report verifier” module performs a check on the enclosed record to verify whether the record is valid. In particular, the check is performed to ensure that the record follows the CSV format and that it contains the expected number of features with their expected types.
- If the record is deemed valid, it is forwarded to the “data preprocessing” module. Otherwise, if the record is deemed invalid, it is discarded, and the thread waits for a new MDA report.
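
The receiver and verifier checks listed in Sections 2.3.1 and 2.3.2, as an added Python sketch (not the authors' RDE code). It assumes every feature is a non-negative integer and uses a per-device queue as a stand-in for the per-device processing thread; the names `ReportReceiver`, `verify_record`, `MAX_DIGITS` and the `REGISTERED` list are hypothetical.

```python
import queue

EXPECTED_FEATURES = 33  # indexes 1-33 of the collected-feature table
MAX_DIGITS = 20         # assumption: bound field length before int() conversion


class InvalidReport(ValueError):
    """Raised when an MDA report or its record fails a structural check."""


def split_report(report):
    """Split a two-line MDA report into (device_id, raw_record)."""
    lines = report.strip().splitlines()
    if len(lines) != 2:
        raise InvalidReport("expected two lines: device ID, then CSV record")
    device_id, raw_record = lines[0].strip(), lines[1].strip()
    if not device_id or not raw_record:
        raise InvalidReport("empty device ID or record")
    return device_id, raw_record


def verify_record(raw_record):
    """Return the record as a list of ints, or raise InvalidReport."""
    fields = [f.strip() for f in raw_record.split(",")]
    if len(fields) != EXPECTED_FEATURES:
        raise InvalidReport(f"expected {EXPECTED_FEATURES} fields, got {len(fields)}")
    for index, field in enumerate(fields, start=1):
        # Assumption: every feature is a non-negative decimal integer.
        if not (field.isascii() and field.isdigit() and len(field) <= MAX_DIGITS):
            raise InvalidReport(f"feature {index} is not a valid integer")
    return [int(f) for f in fields]


class ReportReceiver:
    def __init__(self, registered_ids):
        self.registered = frozenset(registered_ids)
        self.workers = {}  # device ID -> queue (stand-in for the per-device thread)

    def handle(self, report):
        try:
            device_id, raw_record = split_report(report)
        except InvalidReport:
            return "dropped: malformed report"
        # Registration is checked before any per-device state is allocated.
        if device_id not in self.registered:
            return "dropped: unregistered device"
        is_new = device_id not in self.workers
        worker = self.workers.setdefault(device_id, queue.Queue())
        try:
            worker.put(verify_record(raw_record))
        except InvalidReport:
            # Record discarded; the worker stays and waits for the next report.
            return "dropped: invalid record"
        return "accepted: new worker" if is_new else "accepted: existing worker"


# Device ID and record taken from the MDA report sample shown on this page.
SAMPLE_RECORD = (
    "1733143854599,102899,11863,20796,1155510,1625,0,1016,0,0,0,3532646,"
    "11824936,6992,2,1717639,2035460,124560,610688,614092,886328,826624,"
    "126760,8624,20364,68185,5664298,20705,45733,3789920,75991,0,124190"
)
SAMPLE_REPORT = "iomtSensor2\n" + SAMPLE_RECORD
REGISTERED = ["iomtSensor1", "iomtSensor2"]  # constructed configuration

if __name__ == "__main__":
    rx = ReportReceiver(REGISTERED)
    print(rx.handle(SAMPLE_REPORT))
    print(rx.handle("rogueSensor\n" + SAMPLE_RECORD))
    print(rx.handle("iomtSensor1\n1,2,3"))
```

Because the registration check runs first, a report from an unknown ID never allocates a worker, so unregistered senders cannot grow per-device state on the gateway.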
2.3.3. Data Preprocessing
2.3.4. Detection Engine
- Parse the input preprocessed record,
- Load the trained ML model, and
- Make a prediction.
2.3.5. Alert Reporter
RDE intrusion alert based on detection decisions in JSON format:

```json
{
  "ts": "2024-10-04 10:13:34",
  "dev_ID": "iomtSensor1",
  "intrusion_prob": "1.0"
}
```
3. Runtime Performance Evaluation
3.1. Employed Detection Algorithms, Training Dataset, and Hyperparameters
3.2. Runtime Performance Evaluation Methodology
- It is ensured that all the components of the IoMT testbed are up and running.
- One detection algorithm is selected from Table 5, along with its hyperparameter set. The “LDE dataset” is used to train a corresponding ML model that is then integrated into the “detection engine” module of the RDE component of the AIDS.
- The RDE component is executed on the Raspberry Pi 4 device acting as a gateway.
- The MDA component is executed on the Raspberry Pi 4 device acting as a sensor device.
- We measure the CPU usage and memory usage of the MDA component on the IoMT device, hosting it by executing a custom bash script (i.e., the “cpu-mem usage” script) on the IoMT device during runtime.
- We measure the CPU usage and memory usage of the RDE component on the gateway by executing the “cpu-mem usage” script on the gateway during runtime.
- We launch attacks against the IoMT device hosting the MDA component by executing custom scripts.
- The successful (or unsuccessful) detection of the launched attacks is verified by checking both the logs generated by the attack scripts during execution as well as the internal logs produced by the AIDS.

```
stress-ng --cpu 1 --vm 1 --vm-bytes 512M
stress-ng --cpu 2 --vm 2 --vm-bytes 512M
stress-ng --matrix 4 --matrix-size 64
stress-ng --vm 2 --vm-bytes 2G --mmap 2 --mmap-bytes 2G
stress-ng --timer 32 --timer-freq 1000000
```
3.3. Runtime Performance Evaluation of Detection Algorithms
3.4. Runtime CPU and Memory Usage Measurements
4. Comparison with Existing Works
5. Conclusions
Author Contributions
Funding
Institutional Review Board Statement
Informed Consent Statement
Data Availability Statement
Conflicts of Interest
References
1. Rodrigues, J.J.P.C.; Segundo, D.B.D.R.; Junqueira, H.A.; Sabino, M.H.; Prince, R.M.I.; Al-Muhtadi, J.; De Albuquerque, V.H.C. Enabling Technologies for the Internet of Health Things. IEEE Access 2018, 6, 13129–13141.
2. Papaioannou, M.; Karageorgou, M.; Mantas, G.; Sucasas, V.; Essop, I.; Rodriguez, J.; Lymberopoulos, D. A Survey on Security Threats and Countermeasures in Internet of Medical Things (IoMT). Trans. Emerg. Telecommun. Technol. 2020, 33, e4049.
3. Islam, S.M.R.; Kwak, D.; Kabir, M.H.; Hossain, M.; Kwak, K.S. The Internet of Things for Health Care: A Comprehensive Survey. IEEE Access 2015, 3, 678–708.
4. Fengou, M.-A.; Mantas, G.; Lymberopoulos, D.; Komninos, N.; Fengos, S.; Lazarou, N. A New Framework Architecture for Next Generation E-Health Services. IEEE J. Biomed. Health Inform. 2013, 17, 9–18.
5. Makhdoom, I.; Abolhasan, M.; Lipman, J.; Liu, R.P.; Ni, W. Anatomy of Threats to the Internet of Things. IEEE Commun. Surv. Tutor. 2019, 21, 1636–1675.
6. Zhang, M.; Raghunathan, A.; Jha, N.K. Trustworthiness of Medical Devices and Body Area Networks. Proc. IEEE 2014, 102, 1174–1188.
7. Essop, I.; Ribeiro, J.C.; Papaioannou, M.; Zachos, G.; Mantas, G.; Rodriguez, J. Generating Datasets for Anomaly-Based Intrusion Detection Systems in IoT and Industrial IoT Networks. Sensors 2021, 21, 1528.
8. Alsubaei, F.; Abuhussein, A.; Shiva, S. Security and Privacy in the Internet of Medical Things: Taxonomy and Risk Assessment. In Proceedings of the 2017 IEEE 42nd Conference on Local Computer Networks Workshops, LCN Workshops 2017, Singapore, 9–12 October 2017; Institute of Electrical and Electronics Engineers Inc.: New York, NY, USA, 2017; pp. 112–120.
9. Asharf, J.; Moustafa, N.; Khurshid, H.; Debie, E.; Haider, W.; Wahab, A. A Review of Intrusion Detection Systems Using Machine and Deep Learning in Internet of Things: Challenges, Solutions and Future Directions. Electronics 2020, 9, 1177.
10. Newaz, A.I.; Sikder, A.K.; Rahman, M.A.; Uluagac, A.S. HealthGuard: A Machine Learning-Based Security Framework for Smart Healthcare Systems. In Proceedings of the 2019 6th International Conference on Social Networks Analysis, Management and Security, SNAMS 2019, Granada, Spain, 22–25 October 2019; Institute of Electrical and Electronics Engineers Inc.: New York, NY, USA, 2019; pp. 389–396.
11. Schneble, W.; Thamilarasu, G. Attack Detection Using Federated Learning in Medical Cyber-Physical Systems. In Proceedings of the 28th International Conference on Computer Communication and Networks (ICCCN), Valencia, Spain, 29 July–1 August 2019; Volume 29, pp. 1–8.
12. Thamilarasu, G.; Odesile, A.; Hoang, A. An Intrusion Detection System for Internet of Medical Things. IEEE Access 2020, 8, 181560–181576.
13. Said, A.M.; Yahyaoui, A.; Abdellatif, T. Efficient Anomaly Detection for Smart Hospital IoT Systems. Sensors 2021, 21, 1026.
14. Zubair, M.; Ghubaish, A.; Unal, D.; Al-Ali, A.; Reimann, T.; Alinier, G.; Hammoudeh, M.; Qadir, J. Secure Bluetooth Communication in Smart Healthcare Systems: A Novel Community Dataset and Intrusion Detection System. Sensors 2022, 22, 8280.
15. Nandini, A.; Behera, A.; Mishra, T.K. Detecting Threats in IoT Based Healthcare Using Machine Learning Algorithms. In Proceedings of the 2024 IEEE 9th International Conference for Convergence in Technology (I2CT), Pune, India, 5–7 April 2024; pp. 1–6.
16. Zukaib, U.; Cui, X.; Zheng, C.; Hassan, M.; Shen, Z. Meta-IDS: Meta-Learning-Based Smart Intrusion Detection System for Internet of Medical Things (IoMT) Network. IEEE Internet Things J. 2024, 11, 23080–23095.
17. Pimentel, M.A.F.; Clifton, D.A.; Clifton, L.; Tarassenko, L. A Review of Novelty Detection. Signal Process. 2014, 99, 215–249.
18. Zachos, G.; Mantas, G.; Essop, I.; Porfyrakis, K.; Bastos, J.M.C.S.; Rodriguez, J. An IoT/IoMT Security Testbed for Anomaly-Based Intrusion Detection Systems. In Proceedings of the 2023 IFIP Networking Conference (IFIP Networking), Barcelona, Spain, 12–15 June 2023; pp. 1–6.
19. Zachos, G.; Mantas, G.; Porfyrakis, K.; Bastos, J.M.C.S.; Rodriguez, J. Anomaly-Based Intrusion Detection for IoMT Networks: Design, Implementation, Dataset Generation and ML Algorithms Evaluation. IEEE Access 2024. under review.
20. Sector, I.T.U.T.S. Recommendation ITU-T Y.2060: Overview of the Internet of Things. Available online: https://www.itu.int/ITU-T/recommendations/rec.aspx?rec=y.2060 (accessed on 20 October 2022).
21. Ubuntu 20.04.5 LTS (Focal Fossa). Available online: https://releases.ubuntu.com/focal/ (accessed on 20 March 2023).
22. Eclipse Paho | The Eclipse Foundation. Available online: https://eclipse.dev/ (accessed on 8 January 2024).
23. Proc(5)—Linux Manual Page. Available online: https://man7.org/linux/man-pages/man5/proc.5.html (accessed on 22 February 2024).
24. Proc_stat(5)—Linux Manual Page. Available online: https://man7.org/linux/man-pages/man5/proc_stat.5.html (accessed on 23 August 2024).
25. Proc_meminfo(5)—Linux Manual Page. Available online: https://man7.org/linux/man-pages/man5/proc_meminfo.5.html (accessed on 23 August 2024).
26. Proc_diskstats(5)—Linux Manual Page. Available online: https://man7.org/linux/man-pages/man5/proc_diskstats.5.html (accessed on 23 August 2024).
27. JSON-Java. Available online: https://stleary.github.io/JSON-java/index.html (accessed on 13 November 2024).
28. Apache HttpComponents. Available online: https://hc.apache.org/ (accessed on 13 November 2024).
29. Apache Commons IO. Available online: https://commons.apache.org/proper/commons-io/ (accessed on 13 November 2024).
30. Argparse4j. Available online: https://argparse4j.github.io/ (accessed on 13 November 2024).
31. Scikit-Learn: Novelty and Outlier Detection. Available online: https://scikit-learn.org/stable/modules/outlier_detection.html (accessed on 13 November 2024).
32. Pedregosa, F.; Varoquaux, G.; Gramfort, A.; Michel, V.; Thirion, B.; Grisel, O.; Blondel, M.; Prettenhofer, P.; Weiss, R.; Dubourg, V.; et al. Scikit-Learn: Machine Learning in Python. J. Mach. Learn. Res. 2011, 12, 2825–2830.
33. Scikit-Learn. Available online: https://scikit-learn.org/stable/ (accessed on 10 November 2021).
34. Zhao, Y.; Nasrullah, Z.; Li, Z. PyOD: A Python Toolbox for Scalable Outlier Detection. J. Mach. Learn. Res. 2019, 20, 1–7.
35. Pyod 2.0.2 Documentation. Available online: https://pyod.readthedocs.io/en/latest/index.html (accessed on 9 September 2024).
36. GitHub—ColinIanKing/Stress-Ng. Available online: https://github.com/ColinIanKing/stress-ng (accessed on 3 September 2024).
37. Kernel/Reference/Stress-Ng—Ubuntu Wiki. Available online: https://wiki.ubuntu.com/Kernel/Reference/stress-ng (accessed on 3 September 2024).
38. Oikonomou, G.; Duquennoy, S.; Elsts, A.; Eriksson, J.; Tanaka, Y.; Tsiftes, N. The Contiki-NG Open Source Operating System for next Generation IoT Devices. SoftwareX 2022, 18, 101089.
39. Zephyr Project Documentation—Zephyr Project Documentation. Available online: https://docs.zephyrproject.org/latest/index.html (accessed on 24 January 2023).
40. Moteiv Corporation Tmote Sky—Ultra Low Power IEEE 802.15.4 Compliant Wireless Sensor Module. Available online: http://www.crew-project.eu/sites/default/files/tmote-sky-datasheet.pdf (accessed on 6 September 2021).
Feature Name | Index | Description |
---|---|---|
timestamp | 1 | Time in milliseconds when the current record was collected. |
user_ticks | 2 | Duration in ticks that the CPU has been in user mode after system boot. |
nice_ticks | 3 | Duration in ticks that the CPU has been in user mode with low priority after system boot. |
system_ticks | 4 | Duration in ticks that the CPU has been in system mode after system boot. |
idle_ticks | 5 | Duration in ticks that the CPU has been idling after system boot. |
iowait_ticks | 6 | Duration in ticks that the CPU has been waiting for I/O to complete after system boot. |
irq_ticks | 7 | Duration in ticks that the CPU has been servicing interrupts after system boot. |
softirq_ticks | 8 | Duration in ticks that the CPU has been servicing software interrupts after system boot. |
steal_ticks | 9 | Duration in ticks that the CPU has been spending in other operating systems when running in a virtualized environment after system boot. |
guest_ticks | 10 | Duration in ticks that the CPU has been running a virtual CPU for guest operating systems under the control of the Linux kernel after system boot. |
guest_nice_ticks | 11 | Duration in ticks that the CPU has been running a niced (low priority) virtual CPU for guest operating systems under the control of the Linux kernel after system boot. |
intr | 12 | Number of interrupts serviced after system boot. |
ctxt | 13 | Number of context switches that the system has undergone after system boot. |
processes | 14 | Number of newly created processes after system boot. |
procs_running | 15 | Number of processes in a runnable state. |
softirq | 16 | Number of software interrupts serviced after system boot. |
mem_total | 17 | Size of total usable RAM. |
mem_free | 18 | Sum of sizes of free memory in the low-memory region and the high-memory region. |
mem_available | 19 | Estimated size of memory available for starting new applications without swapping. |
mem_cached | 20 | Size of memory used for caching files read from the disk. |
mem_active | 21 | Size of memory that is used frequently and usually not reclaimed unless absolutely necessary. |
mem_inactive | 22 | Size of memory that is used less frequently and can be reclaimed for other purposes. |
mem_slab | 23 | Size of memory that is used as a cache for in-kernel data structures. |
mem_kernel_stack | 24 | Size of memory allocated to kernel stacks. |
mem_pagetables | 25 | Size of memory dedicated to the lowest level of page tables. |
reads | 26 | Number of total read operations that have been completed successfully after system boot. |
sectors_rd_num | 27 | Number of total sectors that have been read successfully after system boot. |
msecs_rd | 28 | Number of milliseconds spent during read operations after system boot. |
writes | 29 | Number of total write operations that have been completed successfully after system boot. |
sectors_wr_num | 30 | Number of total sectors that have been written successfully after system boot. |
msecs_wr | 31 | Number of milliseconds spent during write operations after system boot. |
cur_IOs | 32 | Number of I/O operations currently in progress. |
msecs_io | 33 | Number of milliseconds spent during I/O operations after system boot. |
Library | Short Description |
---|---|
JSON-java [27] | This library is used to load JSON objects from text, create JSON objects, and transform JSON objects to text. |
Apache HttpComponents (Core & Client) [28] | These libraries were used to send intrusion alerts to a remote host through the HTTP protocol. |
Eclipse Paho Java Client [22] | This library is used to create MQTT clients so that (a) intrusion alerts can be sent to a remote host through MQTT and (b) IoMT device behavior data can be received by the connected IoMT device through MQTT. |
Apache Commons IOUtils [29] | This library is used to simplify input/output operations when using standard Java classes. |
Argparse4j [30] | This library is used to be able to include a command-line argument parser in the implementation of the RDE component. |
Feature Name | Index | Description |
---|---|---|
timestamp_delta | 1 | Elapsed time in milliseconds between the currently collected record and the previously collected record. |
user_ticks_delta | 2 | Duration in ticks that the CPU has been in user mode since the previously collected record. |
nice_ticks_delta | 3 | Duration in ticks that the CPU has been in user mode with low priority since the previously collected record. |
system_ticks_delta | 4 | Duration in ticks that the CPU has been in system mode since the previously collected record. |
idle_ticks_delta | 5 | Duration in ticks that the CPU has been idling since the previously collected record. |
iowait_ticks_delta | 6 | Duration in ticks that the CPU has been waiting for I/O to complete since the previously collected record. |
irq_ticks_delta | 7 | Duration in ticks that the CPU has been servicing interrupts since the previously collected record. |
softirq_ticks_delta | 8 | Duration in ticks that the CPU has been servicing software interrupts since the previously collected record. |
steal_ticks_delta | 9 | Duration in ticks that the CPU has been spending in other operating systems when running in a virtualized environment since the previously collected record. |
guest_ticks_delta | 10 | Duration in ticks that the CPU has been running a virtual CPU for guest operating systems under the control of the Linux kernel since the previously collected record. |
guest_nice_ticks_delta | 11 | Duration in ticks that the CPU has been running a niced (low priority) virtual CPU for guest operating systems under the control of the Linux kernel since the previously collected record. |
intr_delta | 12 | Number of interrupts serviced since the previously collected record. |
ctxt_delta | 13 | Number of context switches that the system has undergone since the previously collected record. |
processes_delta | 14 | Number of newly created processes since the previously collected record. |
procs_running | 15 | Number of processes in a runnable state. |
softirq_delta | 16 | Number of software interrupts serviced since the previously collected record. |
mem_total | 17 | Size of total usable RAM. |
mem_free | 18 | Sum of sizes of free memory in the low-memory region and the high-memory region. |
mem_available | 19 | Estimated size of memory available for starting new applications without swapping. |
mem_cached | 20 | Size of memory used for caching files read from the disk. |
mem_active | 21 | Size of memory that is used frequently and usually not reclaimed unless absolutely necessary. |
mem_inactive | 22 | Size of memory that is used less frequently and can be reclaimed for other purposes. |
mem_slab | 23 | Size of memory that is used as a cache for in-kernel data structures. |
mem_kernel_stack | 24 | Size of memory allocated to kernel stacks. |
mem_pagetables | 25 | Size of memory dedicated to the lowest level of page tables. |
reads_delta | 26 | Number of total read operations that have been completed successfully since the previously collected record. |
sectors_rd_num_delta | 27 | Number of total sectors that have been read successfully since the previously collected record. |
msecs_rd_delta | 28 | Number of milliseconds spent during read operations since the previously collected record. |
writes_delta | 29 | Number of total write operations that have been completed successfully since the previously collected record. |
sectors_wr_num_delta | 30 | Number of total sectors that have been written successfully since the previously collected record. |
msecs_wr_delta | 31 | Number of milliseconds spent during write operations since the previously collected record. |
cur_IOs | 32 | Number of I/O operations currently in progress. |
msecs_io_delta | 33 | Number of milliseconds spent during I/O operations since the previously collected record. |
Feature Name | Index | Description |
---|---|---|
user_ticks_perc | 1 | Percentage of ticks that the CPU has been in user mode during the last behavior sampling period. |
nice_ticks_perc | 2 | Percentage of ticks that the CPU has been in user mode with low priority during the last behavior sampling period. |
system_ticks_perc | 3 | Percentage of ticks that the CPU has been in system mode during the last behavior sampling period. |
idle_ticks_perc | 4 | Percentage of ticks that the CPU has been idling during the last behavior sampling period. |
iowait_ticks_perc | 5 | Percentage of ticks that the CPU has been waiting for I/O to complete during the last behavior sampling period. |
irq_ticks_perc | 6 | Percentage of ticks that the CPU has been servicing interrupts during the last behavior sampling period. |
softirq_ticks_perc | 7 | Percentage of ticks that the CPU has been servicing software interrupts during the last behavior sampling period. |
steal_ticks_perc | 8 | Percentage of ticks that the CPU has been spending in other operating systems when running in a virtualized environment during the last behavior sampling period. |
guest_ticks_perc | 9 | Percentage of ticks that the CPU has been running a virtual CPU for guest operating systems under the control of the Linux kernel during the last behavior sampling period. |
guest_nice_ticks_perc | 10 | Percentage of ticks that the CPU has been running a niced (low priority) virtual CPU for guest operating systems under the control of the Linux kernel during the last behavior sampling period. |
intr_per_ms | 11 | Number of interrupts serviced per millisecond during the last behavior sampling period. |
ctxt_per_ms | 12 | Number of context switches per millisecond that the system has undergone during the last behavior sampling period. |
processes_per_ms | 13 | Number of newly created processes per millisecond during the last behavior sampling period. |
procs_running | 14 | Number of processes in a runnable state. |
softirq_per_ms | 15 | Number of software interrupts serviced per millisecond during the last behavior sampling period. |
mem_free_perc | 16 | Sum of sizes of free memory in the low-memory region and the high-memory region as a percentage of total RAM memory. |
mem_available_perc | 17 | Estimated size of memory available for starting new applications without swapping as a percentage of total RAM memory. |
mem_cached_perc | 18 | Size of memory used for caching files read from the disk as a percentage of total RAM memory. |
mem_active_perc | 19 | Size of memory that is used frequently and usually not reclaimed unless absolutely necessary as a percentage of total RAM memory. |
mem_inactive_perc | 20 | Size of memory that is used less frequently and can be reclaimed for other purposes as a percentage of total RAM memory. |
mem_slab_perc | 21 | Size of memory that is used as a cache for in-kernel data structures as a percentage of total RAM memory. |
mem_kernel_stack_perc | 22 | Size of memory allocated to kernel stacks as a percentage of total RAM memory. |
mem_pagetables_perc | 23 | Size of memory dedicated to the lowest level of page tables as a percentage of total RAM memory. |
reads_per_ms | 24 | Number of total read operations that have been completed successfully per millisecond during the last behavior sampling period. |
sectors_rd_num_per_ms | 25 | Number of total sectors that have been read successfully per millisecond during the last behavior sampling period. |
msecs_rd_perc | 26 | Percentage of milliseconds spent during read operations during the last behavior sampling period. |
writes_per_ms | 27 | Number of total write operations that have been completed successfully per millisecond during the last behavior sampling period. |
sectors_wr_num_per_ms | 28 | Number of total sectors that have been written successfully per millisecond during the last behavior sampling period. |
msecs_wr_perc | 29 | Percentage of milliseconds spent during write operations during the last behavior sampling period. |
cur_IOs | 30 | Number of I/O operations currently in progress. |
msecs_io_perc | 31 | Percentage of milliseconds spent during I/O operations during the last behavior sampling period. |
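
The two preprocessing stages described by the delta-feature and percentage-feature tables above, as an added Python sketch (not the authors' code). The denominators are assumptions inferred from the feature descriptions: tick percentages use the sum of the ten tick deltas, "per ms" and millisecond percentages use `timestamp_delta`, and memory percentages use `mem_total`. Rejecting records whose counters went backwards is also an assumption; `PREV` is the record from the page's MDA report sample and `CUR` is constructed.

```python
# 0-based positions of point-in-time values that are copied, not differenced:
# procs_running (14), mem_total..mem_pagetables (16-24), cur_IOs (31).
GAUGES = frozenset({14, 31} | set(range(16, 25)))
N_RAW = 33


def delta_record(prev, cur):
    """Build the 33-feature delta record from two consecutive raw records."""
    if len(prev) != N_RAW or len(cur) != N_RAW:
        raise ValueError("both records must have 33 features")
    out = [c if i in GAUGES else c - p for i, (p, c) in enumerate(zip(prev, cur))]
    if out[0] <= 0:
        raise ValueError("timestamp did not advance (replayed or reordered record)")
    if any(v < 0 for i, v in enumerate(out) if i not in GAUGES):
        raise ValueError("a cumulative counter went backwards (reboot or tampering)")
    return out


def pct(part, whole):
    """Percentage of `whole`, or 0.0 when the denominator is zero."""
    return 100.0 * part / whole if whole else 0.0


def preprocess(d):
    """Map a delta record to the 31-feature preprocessed record."""
    dt = d[0]                       # timestamp_delta in milliseconds
    ticks = d[1:11]                 # ten CPU-mode tick deltas
    total_ticks = sum(ticks)
    feats = [pct(t, total_ticks) for t in ticks]              # 1-10
    feats += [d[11] / dt, d[12] / dt, d[13] / dt,             # intr, ctxt, processes
              float(d[14]),                                   # procs_running
              d[15] / dt]                                     # softirq
    feats += [pct(m, d[16]) for m in d[17:25]]                # 16-23: memory percentages
    feats += [d[25] / dt, d[26] / dt, pct(d[27], dt),         # reads
              d[28] / dt, d[29] / dt, pct(d[30], dt),         # writes
              float(d[31]),                                   # cur_IOs
              pct(d[32], dt)]                                 # msecs_io
    return feats


# Raw record from the page's MDA report sample.
PREV = [1733143854599, 102899, 11863, 20796, 1155510, 1625, 0, 1016, 0, 0, 0,
        3532646, 11824936, 6992, 2, 1717639,
        2035460, 124560, 610688, 614092, 886328, 826624, 126760, 8624, 20364,
        68185, 5664298, 20705, 45733, 3789920, 75991, 0, 124190]
# Constructed follow-up record, sampled 1000 ms later.
CUR = [1733143855599, 102959, 11863, 20816, 1155810, 1645, 0, 1016, 0, 0, 0,
       3534646, 11829936, 6995, 3, 1719139,
       2035460, 101773, 580000, 614092, 886328, 826624, 126760, 8624, 20364,
       68195, 5664378, 20710, 45783, 3790320, 76091, 1, 124440]

if __name__ == "__main__":
    features = preprocess(delta_record(PREV, CUR))
    print(len(features), features[:5])
```
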
Category | Algorithm | Hyperparameters |
---|---|---|
Novelty Detection | OCSVM | nu = 0.01, gamma = 0.02, kernel = rbf |
Novelty Detection | LOF | algorithm = ball_tree, contamination = auto, metric = euclidean, neighbors = 10, novelty = True |
Novelty Detection | G_KDE | bandwidth = 0.2, kernel = gaussian, metric = manhattan |
Novelty Detection | PW_KDE | bandwidth = 0.6, kernel = tophat, metric = euclidean |
Novelty Detection | B_GMM | components = 2, covariance = full |
Outlier Detection | MCD | contamination = 0.1, assume_centered = true |
Category | Algorithm | Area Under ROC Curve | Accuracy | Precision on Normal Class | Recall on Normal Class | F1-Score on Normal Class | Precision on Abnormal Class | Recall on Abnormal Class | F1-Score on Abnormal Class |
---|---|---|---|---|---|---|---|---|---|
Novelty Detection | OCSVM | 81.85 | 77.76 | 97.94 | 66.06 | 78.9 | 62.86 | 97.64 | 76.48 |
Novelty Detection | LOF | 47.85 | 36.28 | 38.3 | 2.51 | 4.72 | 36.2 | 93.18 | 52.14 |
Novelty Detection | G_KDE | 50.21 | 37.52 | 100 | 0.42 | 0.83 | 37.36 | 100 | 54.39 |
Novelty Detection | PW_KDE | 78.17 | 77.67 | 86.73 | 76.25 | 81.15 | 66.4 | 80.09 | 72.61 |
Novelty Detection | B_GMM | 73.48 | 67.37 | 96.76 | 49.79 | 65.75 | 53.3 | 97.17 | 68.84 |
Outlier Detection | MCD | 50.56 | 38.8 | 70 | 3.94 | 7.47 | 37.66 | 97.17 | 34.28 |
Algorithm | CPU Usage | Memory Usage |
---|---|---|
OCSVM | 0.30% | 11.22% |
LOF | 0.25% | 10.7% |
G_KDE | 0.35% | 9.7% |
PW_KDE | 0.23% | 10.35% |
B_GMM | 0.20% | 10.33% |
MCD | 0.30% | 10.2% |
© 2025 by the authors. Licensee MDPI, Basel, Switzerland. This article is an open access article distributed under the terms and conditions of the Creative Commons Attribution (CC BY) license (https://creativecommons.org/licenses/by/4.0/).
Zachos, G.; Mantas, G.; Porfyrakis, K.; Rodriguez, J. Implementing Anomaly-Based Intrusion Detection for Resource-Constrained Devices in IoMT Networks. Sensors 2025, 25, 1216. https://doi.org/10.3390/s25041216