EDR-FJ48: An Empirical Distribution Ranking-Based Fuzzy J48 Classifier for Multiclass Intrusion Detection in IoMT Networks

Abstract

The Internet of Medical Things (IoMT) interconnects medical devices, software applications, and healthcare services through the internet to enable the transmission and analysis of health data. IoMT facilitates seamless patient care and supports real-time clinical decision-making. The IoMT faces substantial security threats due to limited device resources, high device interconnectivity, and a lack of standardization. In this paper, we present an Intrusion Detection System (IDS) called An Empirical Distribution Ranking-Based Fuzzy J48 Classifier for Multiclass Intrusion Detection in IoMT Networks (EDR-FJ48) to distinguish between regular traffic and multiple types of security threats. The proposed IDS is built upon the J48 decision tree algorithm and is designed to detect a wide range of attacks. To ensure the protection of medical devices and patient data, the system incorporates a fuzzy IF-THEN rule inference module. In our approach, fuzzy rules are formulated based on the fuzzified values of selected features, which capture the statistical behavior of the input observations. These rules enable interpretable and transparent decision-making and are applied before the final classification step. We thoroughly evaluated our methodology through extensive simulations using three publicly available datasets, such as WUSTL-EHMS-2020, CICIoMT2024, and ECU-IoHT. The results exhibit exceptional accuracy rates of 99.68%, 98.71%, and 99.43%, respectively. A comparative analysis against state-of-the-art models in the existing literature, based on metrics including accuracy, precision, recall, F1-score, and time complexity, reveals that our proposed method achieves superior results. This evidence suggests that our method constitutes a robust solution for mitigating security threats in IoMT networks.

1. Introduction

The adoption of the Internet of Things (IoT) in the healthcare sector has led to the formation of the Internet of Medical Things (IoMT) [1]. The integration of Artificial Intelligence (AI) into healthcare systems has brought significant advancement in IoMT [2]. The primary breakthrough of the IoMT system is to improve the quality of life of patients, which also enables real-time health monitoring, remote patient care, and improved treatment accuracy [3]. However, the integration of various communication protocols and different healthcare devices in the IoMT is always vulnerable to various security threats and cyberattacks, allowing adversaries to exploit sensitive information [4]. Attackers often exploit Man-in-the-Middle (MitM) attacks to leak information from the IoMT system [5]. In an MitM attack, an adversary secretly intercepts and potentially alters communication between medical devices (e.g., wearable sensors) and healthcare servers or applications. Therefore, security monitoring becomes an utmost priority in IoMT systems.

Numerous attacks, ranging from network-based and device-specific to data-centric and authentication-related, are employed to infiltrate the network and compromise the integrity of the IoMT system. Various prevention methods, such as attack detection, standards and protocol compliance, and authentication and access control, are used to protect the robustness of the network [6]. In contrast, legacy security techniques are complex and require more resources, which cannot be afforded by IoMT devices due to their resource-constrained nature, characterized by low processing power, limited storage capacity, and short battery life [2]. The IoMT devices are connected using lightweight communication protocols, and the standardization is suboptimal. Therefore, innovative protection strategies must be engineered to address the urgent safety dilemmas of IoMT infrastructures, taking into account their limited-resource design [7]. Nowadays, a wide range of innovative ideas are emerging to protect the IoMT network, which consists of firmware validation, patch management, log analysis and auditing, and intrusion detection. Intrusion detection is the most frequently implemented attack detection and reduction methodology in IoMT, leveraging nascent Machine Learning (ML) methods. ML can streamline the IDS and easily deploy and control it even in resource-constrained devices and highly dynamic networks [8,9,10].

Traditional security strategies encounter significant limitations in IoMT environments. They lack the capability to detect unknown or zero-day attacks in real-time due to their static, rule-based nature, which prevents them from adapting to evolving threats. Additionally, they struggle to scale across diverse, heterogeneous networks of medical devices commonly found in IoMT systems [11,12].

New generation IDS are specifically designed to address the limitations of conventional security mechanisms in heterogeneous and resource-constrained IoMT environments. These IDS models are increasingly leveraging lightweight machine learning, deep learning, and adaptive ensemble techniques to operate effectively across a wide range of device types, communication protocols, and data formats [13]. By minimizing memory and computation requirements, they enable real-time detection even on low-power sensors and embedded medical devices. Moreover, the integration of anomaly-based and hybrid detection techniques allows these systems to identify novel attack patterns and zero-day threats that signature-based systems often miss. The ability to learn from streaming data, adapt to dynamic network conditions, and provide interpretable security decisions marks a significant advancement in securing sensitive healthcare infrastructures against modern cyber threats [14].

To overcome the challenges faced by traditional security systems, there is a strong motivation to develop a new IDS that can adapt to the highly dynamic and heterogeneous nature of IoMT. Our work addresses the limitations of existing IDS by developing a solution capable of detecting novel threats and adapting to dynamic intrusions within the diverse IoMT landscape. This framework prioritizes real-world deployment by ensuring minimal execution time and efficient resource utilization, ultimately enhancing detection accuracy and improving security in the ever-evolving IoMT environment.

This work is an extended version of our prior conference paper [1]. In contrast to [1], this article contributes:

• We propose a novel hybrid IDS that integrates Empirical Distribution Ranking (EDR) for feature selection with a fuzzy rule-based inference system and a J48 decision tree classifier to detect and categorize various cyberattacks in IoMT environments.
• The system introduces a fuzzification mechanism that translates numerical features into linguistic variables (e.g., Low, Medium, High), enabling the extraction of interpretable fuzzy IF-THEN rules that enhance explainability and reduce classification ambiguity.
• By employing the J48 algorithm in conjunction with fuzzy logic, the proposed system maintains low computational overhead while offering human-understandable reasoning paths, crucial for trust and transparency in medical settings.
• The model is extensively validated using three benchmark IoMT datasets: WUSTL-EHMS-2020, CICIoMT2024, and ECU-IoHT. It achieves superior accuracy (up to 99.68%) and robust performance in terms of precision, recall, F1-score, and ROC analysis.
• A detailed performance comparison demonstrates that the proposed method consistently outperforms state-of-the-art IDS approaches, particularly in attack interpretability, accuracy, and scalability to resource-constrained IoMT networks.

The structure of this manuscript is as follows: Section 2 provides a review of related work, Section 3 presents our novel intrusion detection methodology for IoMT networks, Section 4 introduces the dataset, Section 5 details the experiments and performance evaluations, and Section 6 concludes with a reflection on the contributions of this research.

2. Related Work

The Internet of Medical Things (IoMT) refers to the interconnected network of medical devices, software, and healthcare systems that enable real-time patient monitoring, diagnosis, and treatment through data transmission over the internet. This emerging technology significantly enhances the quality of healthcare services by enabling remote care, facilitating timely interventions, and allowing for continuous monitoring. However, the IoMT ecosystem faces substantial security challenges due to the resource-constrained nature of devices, the heterogeneous communication protocols used, and the absence of standardized frameworks. These limitations make IoMT systems vulnerable to a wide range of cyber threats, including data breaches, unauthorized access, and denial-of-service attacks. Therefore, implementing robust and adaptive security mechanisms is critical to safeguarding sensitive medical data and ensuring the integrity and reliability of healthcare services.

Recent advancements in intrusion detection for the IoMT have explored a variety of machine learning and deep learning paradigms. Sohail et al. [10] proposed an explainable IDS based on ensemble boosting algorithms such as XGBoost, AdaBoost, and CatBoost, with XGBoost demonstrating superior performance due to its robustness against class imbalance and effective regularization. Feature importance analysis highlighted indicators such as the FIN flag and the ICMP protocol, although class imbalance remained a limiting factor in detecting minority attacks. Similarly, the L2D2 model introduced in [15] employed a dual-layer LSTM and dense architecture optimized via the AdamW algorithm to capture temporal dependencies in IoMT traffic. Despite outperforming conventional methods in multi-class classification, its computational demands make it impractical for binary detection on constrained devices. In [16], a hybrid UNet++–LSTM architecture was proposed to extract network traffic features, achieving 99.92% anomaly detection and 87.96% attack categorization accuracy. However, difficulties in classifying specific attacks, such as ARP spoofing and reconnaissance, highlighted the model’s sensitivity to complex intrusion patterns. Addressing dataset limitations, Dadkhah et al. [17] curated a realistic IoMT dataset comprising 40 devices and 18 diverse attack types across various protocols. Their evaluation using five ML techniques demonstrated improved generalizability, although challenges such as class imbalance, limited device scalability, and potential overfitting persist. The study in [13] explored fine-tuned Transformer models for anomaly detection under data scarcity. While these models showed promising detection accuracy, their computational complexity and memory overhead limit their applicability in real-time IoMT deployments.

In [18], the authors proposed an enhanced deep learning-based intrusion detection framework tailored for IoMT environments, combining embedded Ensemble Learning (EL) for feature selection with a One-Dimensional Convolutional Long Short-Term Memory (1D-CLSTM) neural network for cyberthreat classification. To address class imbalance, a random undersampling boosting strategy was employed. Although the model demonstrated promising results, its accuracy in detecting specific attacks, such as DoS (88%) and Nmap Port Scan (81%), remained suboptimal on the ECU-IoHT dataset, indicating a need for further refinement in handling complex and stealthy threat types. Similarly, the authors in [14] proposed time-series classification models for detecting potential cyberattacks in IoHT networks by first applying a modified Neighborhood Component Analysis (NCA) for feature selection. They introduced two LSTM-based architectures, the Directed Acyclic Graph LSTM (DAG-LSTM) and the Projected Layer LSTM (PL-LSTM), and compared them against existing models, including GRU, traditional LSTM, and Bi-LSTM, using real-world IoHT traffic data. Despite demonstrating improved performance, tuning the regularization parameter $\lambda$ and computing feature weights remains computationally intensive, suggesting that ensemble learning could be a potential enhancement.

In [19], the authors proposed a hybrid IDS that integrates Bidirectional Encoder Representations from Transformers (BERT) with deep learning techniques to detect cyberattacks in IoMT networks. The approach leverages BERT’s contextual understanding to enhance detection performance in complex medical traffic environments. However, the study highlights key limitations, including limited generalizability due to evaluation on small datasets and the model’s computational complexity, which may hinder deployment on resource-constrained IoMT devices. Kumar et al. [20] proposed a novel cyberattack detection framework for Internet of Healthcare Things (IoHT) environments that integrates Federated Learning (FL) with LSTM networks. The FL paradigm preserves patient privacy by enabling decentralized training of a global model without data sharing, while the LSTM network effectively captures temporal attack patterns in time-series data. Although the system demonstrates robustness and reduced computational complexity through embedded feature selection, the authors acknowledge the need for improvement in detecting specific attacks, such as DoS and Nmap port scans, in future iterations. Complementing these efforts, the authors in [21] introduced SECIoHTFL, a federated learning-based IDS that incorporates $ϵ$-differential privacy to identify cyberattacks in Internet of Healthcare Things networks securely. Their approach leverages Deep Neural Networks (DNNs), including Convolutional Neural Networks (CNNs), to analyze network traffic while preserving user privacy. Although the system demonstrates promise, this work highlights vulnerabilities in the aggregation server to adversarial model poisoning attacks. It suggests future enhancements such as adaptive noise addition and more robust aggregation techniques to improve security and scalability.

In [22], the authors proposed a novel cyberattack detection framework tailored for healthcare systems using IoMT datasets. The integrated model combines LSTM for extracting temporal features, Principal Component Analysis (PCA) for dimensionality reduction, and K-Nearest Neighbors (KNN) for classification, achieving high accuracy across multiple datasets. However, the combination of LSTM and PCA introduces increased computational overhead, potentially necessitating high-performance systems or cloud-based deployment solutions to ensure scalability in real-world environments. Similarly, the work done in [23] presents a comparative analysis of intrusion detection models in healthcare systems, highlighting the effectiveness of the Maximum Information Coefficient (MIC) for feature selection in capturing nonlinear relationships. However, the approach’s reliance on biometric features may raise privacy concerns, and its effectiveness may diminish on datasets lacking strong nonlinear correlations. Moreover, the study [24] proposes Light Feature Engineering based on Mean Decrease in Accuracy (LEMDA). This feature engineering method enhances IDS performance in IoT systems by improving F1 scores by 34% and reducing detection time. However, its effectiveness depends on parameter tuning and may vary in dynamic IoT environments.

In [25], the authors proposed the Memory Feedback Transformer (MF-Transformer), which integrates Memory Feedback LSTM (MF-LSTM) modules throughout the Transformer architecture to capture and propagate temporal dependencies across all layers. The model initially captures spatial-to-spatial relationships within individual time steps and subsequently fuses spatial-to-temporal dynamics through MF-LSTM’s feedback mechanism, allowing for robust tracking of both short-term anomalies and long-term trends. While the approach demonstrates superior performance in anomaly detection by preserving long-range dependencies, the integration of LSTM feedback loops throughout the Transformer increases model complexity. It may pose scalability challenges in resource-constrained IoMT environments.

In [26], the authors proposed a novel human-centric framework for cyberattack detection in IoMT environments, combining Quantum Random Forest (QRF) with local differential privacy to ensure patient data protection while enhancing detection accuracy. The framework further integrates active learning, threat intelligence feeds, and generative AI tools such as ChatGPT (GPT-5) to augment human decision-making and strengthen threat response. Although the framework demonstrates strong performance in terms of accuracy, detection rate, and resource efficiency, the use of quantum-enhanced techniques and generative tools introduces complexity. It requires advanced hardware and careful tuning for real-world deployment.

In [27], the authors introduced FedIoMT, a federated learning framework designed for the IoMT ecosystem that incorporates meta-learning and an advanced clustering strategy to enable robust model aggregation. The system employs the Kolmogorov-Arnold Convolutional Network (KANConvNet) as a local classifier, enhancing scalability, interpretability, and adaptability within the federated learning environment. Despite these strengths, the framework faces challenges related to computational efficiency on low-power devices, maintaining privacy protections, mitigating overfitting, and ensuring seamless deployment across heterogeneous IoMT infrastructures.

In [28], the authors proposed MF-CGAN, a multi-feature Conditional Generative Adversarial Network designed to generate realistic synthetic data using the WUSTL-EHMS-2020 dataset, which includes both network traffic and health metrics. The architecture integrates conditional features, such as attack type, traffic direction, and status flags, to preserve complex interdependencies. It comprises a generator composed of dense layers and a discriminator that jointly evaluates data authenticity. While MF-CGAN enhances data diversity and realism for training intrusion detection systems, potential drawbacks include the risk of mode collapse and computational overhead associated with generating high-dimensional, feature-rich synthetic samples.

Fuzzy IF-THEN rule-based systems offer significant advantages for IDS in the IoMT environment, primarily due to their ability to handle uncertainty, vagueness, and imprecision inherent in medical and network data. These systems enable interpretable decision-making by formulating human-readable rules, making them highly suitable for critical domains like healthcare, where explainability and trust are paramount. Unlike crisp classification models that require precise thresholds, fuzzy rule-based systems offer soft boundaries for attack detection, enabling nuanced classification of ambiguous patterns commonly found in resource-constrained and heterogeneous IoMT networks.

In [29], the authors proposed a fuzzy-based self-tuning LSTM Intrusion Detection System that dynamically adjusts training epochs using early stopping, thereby improving adaptability and detection performance over conventional models. Complementing this, ref. [30] introduced a hybrid risk assessment framework that combines fuzzy logic with the Fuzzy Analytical Hierarchy Process (FAHP) to evaluate and prioritize vulnerabilities in heterogeneous IoMT devices. This approach, demonstrated through a BLE attack case study, provides structured risk quantification but may be subject to the subjectivity of linguistic inputs and dependence on expert-defined parameters. To address trust and identity threats, Ref. [31] presented FTM-IoMT, a fuzzy logic-based Trust Management mechanism capable of detecting Sybil attacks by evaluating trustworthiness through integrity, receptivity, and compatibility. Despite its effectiveness in isolating malicious nodes, its reliance on static fuzzy rules may hinder responsiveness to rapidly evolving attack strategies. Furthermore, Ref. [32] proposed a Federated Learning-based Deep Neural Network (DNN-FL) anomaly detection system that preserves data privacy while ensuring robust cyberthreat identification across IoHT networks; however, this approach faces challenges such as communication overhead and handling non-IID data distributions across clients.

In [33], the authors introduced FLSec-RPL, a fuzzy logic-based intrusion detection scheme targeting DIO neighbor suppression attacks in RPL-based IoT networks. Their three-phase detection strategy, comprising activity monitoring, fuzzy logic-based identification, and malicious node validation, demonstrated superior performance across multiple metrics, including detection accuracy, F1-score, energy efficiency, and network reliability, in both static and mobile RPL scenarios. Similarly, the work done in [34] proposed a collaborative framework that integrates fuzzy logic-based feature selection with CNN-based classification, addressing challenges such as attack diversity and scalability in large-scale IoT systems. By employing network clustering and observer nodes with localized detection models that collaborate via majority voting, the system achieved remarkable detection accuracies of 99.72% and 98.36% on the NSLKDD and NSW-NB15 datasets, respectively. However, despite these advancements, existing IDS frameworks often underutilize the interpretability advantages of fuzzy inference systems, leaning instead on black-box models that entail high computational complexity and limited explainability. This gap motivates our proposed work to develop an efficient, lightweight, and interpretable IDS that combines fuzzy inference with ensemble decision-tree classifiers, notably the J48 algorithm, to address the evolving security demands of IoMT environments. Our approach aims to deliver robust, transparent, and resource-aware intrusion detection tailored to the heterogeneous and constrained nature of medical networks.

Table 1 provides a comparison of studies based on ML/DL for IoMT network attack detection and mitigation.

Table 1. A comparative evaluation of current research trends in IDS for IoMT networks.

Ref.	Algorithm	Dataset	Drawbacks
[10]	Boosting algorithm	CICIoMT2024	Potential underfitting of minority classes leading to skewed results.
[15]	LSTM	CICIoMT2024	Complex model unsuitable for resource-constrained IoMT devices.
[16]	UNet++ and LSTM	CICIoMT2024	High complexity and misclassification of ARP protocol.
[18]	1D Convolutional LSTM	WUSTL-EHMS-2020; ECU-IoHT	Difficulty handling stealthy and complex threats.
[19]	Bidirectional Encoder	WUSTL-EHMS-2020	Limited generalizability across dynamic IoMT environments.
[20]	Federated Learning with LSTM	WUSTL-EHMS-2020	Suboptimal detection accuracy for DoS and Nmap port scans.
[22]	LSTM	WUSTL-EHMS-2020; ECU-IoHT; TON-IoT	Combined use of LSTM and PCA increases computational overhead.
[25]	Memory Feedback Transformer	WUSTL-EHMS-2020; ECU-IoHT; XIIoTID	Increased model complexity affecting deployment feasibility.
[26]	Quantum Random Forest (QRF)	WUSTL-EHMS-2020; ICU Dataset	Quantum-enhanced methods increase hardware and processing requirements.
[29]	Fuzzy-based Self-tuning LSTM	WUSTL-EHMS-2020	Predefined fuzzy rules and static membership functions reduce adaptability in dynamic IoMT environments.
[30]	Fuzzy Analytical Hierarchy Process (FAHP)	–	Limited by subjective linguistic inputs and reliance on expert tuning.
[32]	Fuzzy Logic-based Trust Management (TM)	WUSTL-EHMS-2020; ECU-IoHT	Vulnerability to communication overhead and synchronization issues across distributed IoHT nodes.

3. Proposed Method

This section presents the proposed Empirical Distribution Ranking-Based Fuzzy J48 Classifier for Multiclass Intrusion Detection (EDR-FJ48) in IoMT networks. The method integrates Empirical Distribution Ranking (EDR) for effective feature selection with a fuzzy rule-based inference mechanism and a J48 decision tree classifier. This hybrid approach is designed to accurately detect and classify a wide range of cyberattacks within Internet of Medical Things (IoMT) environments.

3.1. System Architecture

Figure 1 shows the overall system architecture of the proposed Empirical Distribution Ranking-Based Fuzzy J48 Intrusion Detection System for the IoMT. The process begins with a feature extraction stage using Principal Component Analysis (PCA), which reduces the dimensionality of raw IoMT traffic data by capturing the most significant variance components. This is followed by a feature selection phase employing the EDR technique to identify the most informative and non-redundant features. The selected features are then transformed through fuzzification using Gaussian membership functions, converting numeric inputs into linguistic terms such as Low, Medium, and High. Based on these fuzzified values, fuzzy IF-THEN rules are generated to encode domain-specific knowledge and provide interpretable inference. Finally, the J48 decision tree classifier uses these fuzzy rules to perform multiclass intrusion detection. Table 2 shows the important mathematical notations used in this paper.

Figure 1. Overall system architecture.

Table 2. Mathematical Symbols and Notations.

Symbol	Description
$\mathcal{D}={\left\{({\mathbf{x}}_i,y_i)\right\}}_{i=1}^N$	Dataset with N samples
$x_{i,f}$	Original value of the f-th feature in the i-th sample
$x_{:,f}$	All values of the f-th feature across the dataset
$min\left(x_{:,f}\right)$ and $max\left(x_{:,f}\right)$	Minimum and maximum values of the f-th feature across all samples
$x_{i,f}^{\prime }$	Normalized value
$\mathit{\mu }$	Mean vector
${\lambda }_j$	Eigenvalue
${\mathbf{v}}_j$	Eigenvector
$\mathbf{Z}$	Feature matrix
$P_c\left(z_f\right)$	Empirical probability distribution for each class $c\in \{1,\dots ,C\}$
$D_c$	Set of samples belonging to class c
$\delta$	Kernel density function estimating the empirical probability of $z_f$ in class c
$z_f$	The f-th Principal component (new feature) obtained after PCA
$\mathrm{EDR}\left(z_f\right)$	EDR score for feature $z_f$
$\overline{P}\left(z_f\right)$	Mean empirical distribution of feature $z_f$ across all classes
${\mathbf{Z}}^{*}$	Reduced feature matrix after feature engineering
$c_L$, $c_M$, and $c_H$	Centers for the fuzzy sets Low, Medium, and High respectively
${\sigma }_L$, ${\sigma }_M$, and ${\sigma }_H$	Standard deviation of the fuzzy sets Low, Medium, and High respectively

3.2. Data Preprocessing

In the data preprocessing step, we remove missing values that can cause skewness in the model and convert categorical values to numerical values using a label encoder. Subsequently, we use Min-Max normalization techniques to normalize the data. This helps mitigate biases in the model. Let $\mathcal{D}={\left\{({\mathbf{x}}_i,y_i)\right\}}_{i=1}^N$ be a dataset with N samples, where ${\mathbf{x}}_i\in {\mathbb{R}}^d$ is a d-dimensional feature vector and $y_i\in \{1,\dots ,C\}$ is the class label. For each feature dimension $f\in \{1,\dots ,d\}$, Min-Max normalization is applied to scale the feature values into the range $[0,1]$, which improves convergence.

The normalization formula is given by:

$$x_{i,f}^{\prime }={\displaystyle \frac{x_{i,f}-min\left(x_{:,f}\right)}{max\left(x_{:,f}\right)-min\left(x_{:,f}\right)}}$$

(1)

where: $x_{i,f}$ is the original value of the f-th feature in the i-th sample, $x_{:,f}$ denotes all values of the f-th feature across the dataset, $min\left(x_{:,f}\right)$ and $max\left(x_{:,f}\right)$ are the minimum and maximum values of the f-th feature across all samples, and $x_{i,f}^{\prime }$ is the normalized value.

3.3. Feature Engineering

After data preprocessing, a high-quality dataset is generated. However, further refinement is crucial for accurate feature selection. Feature engineering, which involves extracting relevant features from the dataset, is performed prior to training the detection models. In this work, we employ PCA for feature extraction and EDR for feature selection.

3.3.1. Feature Extraction

After normalizing the dataset ${\mathcal{D}}^{\prime }={\left\{({\mathbf{x}}_i^{\prime },y_i)\right\}}_{i=1}^N$, where ${\mathbf{x}}_i^{\prime }\in {\mathbb{R}}^d$ are normalized feature vectors, We applied PCA to reduce dimensionality and extract informative features.

Let ${\mathbf{X}}^{\prime }\in {\mathbb{R}}^{N\times d}$ denote the normalized data matrix. PCA projects ${\mathbf{X}}^{\prime }$ onto a lower-dimensional subspace $\mathbf{Z}\in {\mathbb{R}}^{N\times k}$, where $k<d$, by solving the eigenvalue decomposition of the covariance matrix:

$$\mathbf{\Sigma }={\displaystyle \frac{1}{N}}\sum _{i=1}^N({\mathbf{x}}_i^{\prime }-\mathit{\mu }){({\mathbf{x}}_i^{\prime }-\mathit{\mu })}^{\top }$$

(2)

where $\mathit{\mu }={\displaystyle \frac{1}{N}}{\sum }_{i=1}^N{\mathbf{x}}_i^{\prime }$ is the mean vector of the dataset.

Then, compute the eigenvalues ${\lambda }_j$ and corresponding eigenvectors ${\mathbf{v}}_j$ of $\mathbf{\Sigma }$:

$$\mathbf{\Sigma }{\mathbf{v}}_j={\lambda }_j{\mathbf{v}}_j$$

(3)

The top-k eigenvectors corresponding to the largest k eigenvalues are selected to form the projection matrix ${\mathbf{V}}_k\in {\mathbb{R}}^{d\times k}$. The reduced representation of each sample is then given by:

$${\mathbf{z}}_i={\mathbf{V}}_k^{\top }({\mathbf{x}}_i^{\prime }-\mathit{\mu })$$

(4)

The resulting feature matrix $\mathbf{Z}={[{\mathbf{z}}_1^{\top },\dots ,{\mathbf{z}}_N^{\top }]}^{\top }$ captures the most significant variance in the data.

3.3.2. Feature Selection

Following PCA-based feature extraction, Empirical Distribution Ranking (EDR) is applied to further refine the set of informative features by assessing their discriminative ability across different classes.

Let $\mathbf{Z}={[{\mathbf{z}}_1^{\top },\dots ,{\mathbf{z}}_N^{\top }]}^{\top }\in {\mathbb{R}}^{N\times k}$ be the PCA-transformed feature matrix. For each feature dimension $z_f$$(f=1,\dots ,k)$, we compute the empirical probability distribution for each class $c\in \{1,\dots ,C\}$:

$$P_c\left(z_f\right)={\displaystyle \frac{1}{|D_c|}}\sum _{{\mathbf{z}}_i\in D_c}\delta (z_f=z_{if})$$

(5)

where $D_c$ is the set of samples belonging to class c, and $\delta$ is the kernel density function estimating the empirical probability of $z_f$ in class c.

Then, the EDR score for feature $z_f$ is calculated based on the variance of the empirical distributions across all classes:

$$\mathrm{EDR}\left(z_f\right)=\sum _{c=1}^C{\left(P_c\left(z_f\right)-\overline{P}\left(z_f\right)\right)}^2$$

(6)

where $\overline{P}\left(z_f\right)={\displaystyle \frac{1}{C}}{\sum }_{c=1}^C{P}_c\left(z_f\right)$ is the mean empirical distribution of feature $z_f$ across all classes.

Features with higher EDR scores exhibit greater variation between class-specific distributions and are thus more informative for classification. We rank features based on their EDR scores and retain the top-m features to form the reduced feature matrix ${\mathbf{Z}}^{*}\in {\mathbb{R}}^{N\times m}$, where $m<k$.

This reduced matrix ${\mathbf{Z}}^{*}$ is subsequently used for the fuzzification process.

3.4. Fuzzy Rule-Based System

We employed a fuzzy rule-based system to create fuzzy IF-THEN rules, which serve as input for a J48 decision tree used for detecting various attacks. The fuzzy system operates in two stages: first, the selected features undergo fuzzification; second, fuzzy rules are derived from the fuzzified data.

3.4.1. Fuzzification

Fuzzification is the process of transforming crisp numerical input values into fuzzy linguistic variables using predefined membership functions. It is a foundational step in fuzzy inference systems, allowing real-valued data to be represented as degrees of membership in linguistic categories such as “Low,” “Medium,” or “High.” This approach is particularly beneficial when dealing with uncertain, imprecise, or noisy data, which is commonly found in IoMT environments. Fuzzification enhances interpretability and decision-making by enabling systems to reason in a way that resembles human logic. To fuzzify an input, each numerical feature is mapped to one or more fuzzy sets through membership functions, often Gaussian, triangular, or trapezoidal, which assign a degree of belonging to each fuzzy category. For instance, a feature like packet size may simultaneously belong partially to both “Medium” and “High” sets, with associated membership values guiding downstream fuzzy rule inference.

We used a Gaussian membership function [35] for fuzzification due to its smoothness, flexibility, and ability to model uncertainty effectively. Unlike triangular or trapezoidal functions, Gaussian functions provide continuous and differentiable curves, allowing for more natural and gradual transitions between fuzzy sets. This smooth behavior is especially beneficial in real-world domains, such as the IoMT, where data is often noisy and imprecise. The parameters of the Gaussian function, namely the mean (center) and standard deviation (spread), can be easily adjusted to fit the statistical distribution of feature values, many of which resemble normal distributions.

${\mathbf{Z}}^{*}=\left[z_{if}^{*}\right]$ denotes the reduced dataset after applying PCA and selecting important components via EDR. Each $z_{if}^{*}$ is the value of the f-th selected PCA feature for the i-th sample. For each feature $z_f^{*}$, we define three fuzzy sets: Low, Medium, and High, each with a membership function ${\mu }_{\mathrm{Low}}\left(z_f^{*}\right)$, ${\mu }_{\mathrm{Medium}}\left(z_f^{*}\right)$, and ${\mu }_{\mathrm{High}}\left(z_f^{*}\right)$.

Fuzzification Using Gaussian Membership Functions:

$${\mu }_{\mathrm{Low}}\left(z_{if}^{*}\right)=exp\left(-{\displaystyle \frac{{(z_{if}^{*}-c_L)}^2}{2{\sigma }_L^2}}\right)$$

(7)

$${\mu }_{\mathrm{Medium}}\left(z_{if}^{*}\right)=exp\left(-{\displaystyle \frac{{(z_{if}^{*}-c_M)}^2}{2{\sigma }_M^2}}\right)$$

(8)

$${\mu }_{\mathrm{High}}\left(z_{if}^{*}\right)=exp\left(-{\displaystyle \frac{{(z_{if}^{*}-c_H)}^2}{2{\sigma }_H^2}}\right)$$

(9)

where:

$c_L$, $c_M$, and $c_H$ are the centers for the fuzzy sets Low, Medium, and High, respectively. ${\sigma }_L$, ${\sigma }_M$, and ${\sigma }_H$ are the corresponding standard deviations.

The Figure 2 illustrates the process of fuzzification using Gaussian membership functions for a single feature $z_{if}^{*}$ in a fuzzy inference system. It displays three Gaussian curves representing fuzzy sets Low, Medium, and High each defined by a center ($c_L,c_M,c_H$) and a spread ($\sigma$). These functions map a crisp input value to a degree of membership between 0 and 1, enabling soft boundaries and overlapping classifications.

Figure 2. Gaussian membership functions (Low, Medium, High) used in fuzzification of feature $z_{if}^{*}$.

3.4.2. Fuzzy Rule Generation

Fuzzy rule generation is a crucial step in designing a fuzzy inference system. It involves formulating a set of interpretable rules that describe the relationship between input features and output classes using linguistic terms (e.g., Low, Medium, High). These rules are generated based on the combinations of fuzzified input values derived through membership functions.

Let ${\mathbf{z}}_i^{*}=(z_{i1}^{*},z_{i2}^{*},\dots ,z_{id}^{*})$ be the fuzzified feature vector of the i-th sample. Each feature $z_{if}^{*}$ is associated with one of the three fuzzy sets: Low, Medium, or High. We defined the fuzzy rule $R_j$ in the standard IF-THEN form:

$$\begin{array}{cc}\hfill R_j:& \mathrm{IF}\left(z_{i1}^{*}\mathrm{is}{A}_1^j\right)\mathrm{AND}\left(z_{i2}^{*}\mathrm{is}{A}_2^j\right)\hfill \\ \hfill & \mathrm{AND}\dots \mathrm{AND}\left(z_{id}^{*}\mathrm{is}{A}_d^j\right)\mathrm{THEN}y=C_j\hfill \end{array}$$

(10)

where $A_f^j\in \{\mathrm{Low},\mathrm{Medium},\mathrm{High}\}$ are fuzzy labels for the f-th feature in the j-th rule, and $C_j$ is the class label associated with the rule.

The strength (firing strength) ${\alpha }_j$ of a rule $R_j$ for a given fuzzified input ${\mathbf{z}}_i^{*}$ is computed using the minimum t-norm:

$${\alpha }_j\left({\mathbf{z}}_i^{*}\right)=\underset{f=1}{\overset{d}{min}}{\mu }_{A_f^j}\left(z_{if}^{*}\right)$$

(11)

where ${\mu }_{A_f^j}\left(z_{if}^{*}\right)$ is the membership degree of the input value $z_{if}^{*}$ in fuzzy set $A_f^j$.

The generated rules are organized within a fuzzy rule base, $\mathcal{R}$, which is then served as the input to the J48 decision tree.

3.5. Training the J48 Decision Tree on Fuzzified Input

The J48 decision tree in the proposed IDS framework is trained on fuzzified input features, where each numerical attribute is converted into a linguistic value such as Low, Medium, or High using Gaussian membership functions. To train the J48 tree, these linguistic values extracted from the rules serve as feature labels. The J48 algorithm calculates the Information Gain (IG) for each feature based on the entropy reduction it provides:

$$IG(T,f)=Entropy\left(T\right)-\sum _{v\in Values\left(f\right)}{\displaystyle \frac{|T_v|}{\left|T\right|}}·Entropy\left(T_v\right)$$

(12)

where T is the training set, and $T_v$ is the subset of samples where feature f takes the value v. The J48 algorithm constructs the decision tree by selecting features that yield the highest information gain, which is calculated based on the reduction in entropy after each split. During training, each node in the tree represents a decision based on one fuzzified feature, and branches correspond to the fuzzy labels assigned to that feature. To improve generalization and probabilistic accuracy, the decision tree is further optimized using Log Loss, allowing soft classification decisions based on class probabilities at the leaf nodes.

$$\mathrm{Log}\mathrm{Loss}=-{\displaystyle \frac{1}{N}}\sum _{i=1}^N\sum _{c=1}^C{y}_{i,c}log\left(p_{i,c}\right)$$

(13)

where, $y_{i,c}$ is a binary indicator function that equals 1 if sample i belongs to class c, and 0 otherwise, and $p_{i,c}$ is the predicted probability that sample i belongs to class c derived from normalized firing strength ${\alpha }_j$.

The log loss increases as the predicted probability diverges from the actual label. A perfect classifier would have a log loss of 0, while larger values indicate more uncertainty or incorrect predictions. The final predicted class $\widehat{y}$ is determined by selecting the rule with the maximum firing strength:

$$\widehat{y}=arg\underset{j}{max}{\alpha }_j\left({\mathbf{z}}_i^{*}\right)$$

(14)

Algorithm 1 outlines the proposed EDR-FJ48 classification method designed for intrusion detection in IoMT environments. The process begins with data preprocessing, including normalization and encoding, followed by feature extraction using PCA. Next, EDR is applied to select the most discriminative features. These selected features are then fuzzified using Gaussian membership functions, generating linguistic categories such as Low, Medium, and High. Finally, a fuzzy rule base is constructed and utilized to train a J48 decision tree, thereby enhancing both classification accuracy and interpretability.

Algorithm 1 EDR-FJ48 Intrusion Detection Algorithm

Require:  Normalized dataset $\mathcal{D}={\left\{({\mathbf{x}}_i,y_i)\right\}}_{i=1}^N$, where ${\mathbf{x}}_i\in {\mathbb{R}}^d$ Ensure:  Trained fuzzy J48 decision tree model   1: Step 1: Data Preprocessing   2: for each sample ${\mathbf{x}}_i\in \mathcal{D}$ do   3:     Remove missing values   4:     Encode categorical attributes using LabelEncoder   5:     Normalize: $x_{i,f}^{\prime }={\displaystyle \frac{x_{i,f}-min\left(x_{:,f}\right)}{max\left(x_{:,f}\right)-min\left(x_{:,f}\right)}}$   6: end for   7: Step 2: PCA Feature Extraction   8: Compute covariance matrix $\Sigma$   9: Perform eigen decomposition $\Sigma {\mathbf{v}}_j={\lambda }_j{\mathbf{v}}_j$ 10: Select top-k eigenvectors ${\mathbf{V}}_k$ 11: Project samples: ${\mathbf{z}}_i={\mathbf{V}}_k^{\top }({\mathbf{x}}_i^{\prime }-\mathit{\mu })$ 12: Form reduced matrix $\mathbf{Z}\in {\mathbb{R}}^{N\times k}$ 13: Step 3: Feature Ranking via EDR 14: for each feature $z_f$ in $\mathbf{Z}$ do 15:     Compute class-wise empirical distributions $P_c\left(z_f\right)$ 16:     Compute EDR score: $\mathrm{EDR}\left(z_f\right)={\sum }_{c=1}^C{(P_c\left(z_f\right)-\overline{P}\left(z_f\right))}^2$ 17: end for 18: Select top-m ranked features: ${\mathbf{Z}}^{*}\in {\mathbb{R}}^{N\times m}$ 19: Step 4: Fuzzification 20: for each feature value $z_{if}^{*}$ in ${\mathbf{Z}}^{*}$ do 21:      ${\mu }_{\mathrm{Low}}\left(z_{if}^{*}\right)=exp\left(-{\displaystyle \frac{{(z_{if}^{*}-c_L)}^2}{2{\sigma }_L^2}}\right)$ 22:      ${\mu }_{\mathrm{Medium}}\left(z_{if}^{*}\right)=exp\left(-{\displaystyle \frac{{(z_{if}^{*}-c_M)}^2}{2{\sigma }_M^2}}\right)$ 23:      ${\mu }_{\mathrm{High}}\left(z_{if}^{*}\right)=exp\left(-{\displaystyle \frac{{(z_{if}^{*}-c_H)}^2}{2{\sigma }_H^2}}\right)$ 24:     Assign linguistic label $\in \{\mathrm{Low},\mathrm{Medium},\mathrm{High}\}$ 25: end for 26: Step 5: Fuzzy Rule Generation 27: for each fuzzified sample ${\mathbf{z}}_i^{*}$ do 28:     Construct rule $R_j$: $$\hspace{1em}\hspace{1em}\hspace{1em}\hspace{1em}\hspace{1em}\hspace{1em}\hspace{1em} R_j:\mathrm{IF}\left(z_{i1}^{*}\mathrm{is}{A}_1^j\right)\wedge \dots \wedge \left(z_{im}^{*}\mathrm{is}{A}_m^j\right)\mathrm{THEN}y=C_j$$ 29:     Add $R_j$ to rule base $\mathcal{R}$ 30: end for 31: Step 6: Firing Strength Computation 32: for each fuzzy rule $R_j$ do 33:     ${\alpha }_j={min}_f{\mu }_{A_f^j}\left(z_{if}^{*}\right)$ 34: end for 35: Step 7: J48 Decision Tree Classification 36: Train J48 on fuzzified feature set 37: Split nodes using Information Gain: $$\hspace{1em}\hspace{1em}\hspace{1em}\hspace{1em}\hspace{1em}\hspace{1em}\hspace{1em}\hspace{1em}IG(T,f)=\mathrm{Entropy}\left(T\right)-\sum _v{\displaystyle \frac{|T_v|}{\left|T\right|}}\mathrm{Entropy}\left(T_v\right)$$ 38: return Trained fuzzy J48 model

4. Dataset Description

We evaluated our proposed intrusion detection system using three widely recognized IoMT datasets: WUSTL-EHMS-2020 [36], CICIoMT2024 [37], and ECU-IoHT [38]. These datasets offer comprehensive coverage of network traffic from medical devices, encompassing various attack types, which enables rigorous testing of our model’s detection and classification capabilities.

4.1. WUSTL-EHMS-2020 Dataset

The WUSTL-EHMS-2020 dataset is a publicly available IoMT dataset designed for intrusion detection research in healthcare environments. It was generated using a real-time Enhanced Healthcare Monitoring System (EHMS) testbed, which integrates medical sensors, a gateway, network infrastructure, and a control unit for data visualization and analysis. The dataset comprises both network traffic metrics (35 features) and patient biometric data (8 features), totaling 44 features with corresponding class labels. It contains benign and malicious traffic, capturing attacks such as spoofing, data injection, and man-in-the-middle attacks that target data confidentiality and integrity. This dataset provides a realistic testbed for evaluating cybersecurity solutions by combining sensor and network traffic data from live health monitoring scenarios. An overview of the dataset is presented in Table 3.

Table 3. Description of WUSTL-EHMS-2020 dataset.

Category	Counts	Training (70%)	Test (15%)	Validation (15%)
Normal	14,272	9990	2141	2141
Attack	1124	786	169	169

4.2. CICIoMT2024 Dataset

The dataset was generated from an IoMT testbed comprising 40 devices (25 real and 15 simulated) operating over standard healthcare communication protocols, including Wi-Fi, MQTT, and Bluetooth Low Energy (BLE). A total of 18 attacks were executed and categorized into five classes: DDoS, DoS, Recon, MQTT-based, and spoofing. Traffic data were collected using a network tap to duplicate packets in real time between the switch and IoMT devices, ensuring a comprehensive capture of both benign and malicious traffic. The dataset includes 45 features alongside a label column, offering a rich resource to support machine learning-based intrusion detection research in healthcare networks. A detailed summary of the dataset is presented in Table 4.

Table 4. Description of CICIoMT2024 Dataset.

Category	Counts	Train (70%)	Test (15%)	Val (15%)
Benign	230,339	161,237	34,551	34,551
ARP spoofing	17,791	12,454	2669	2668
Ping sweep	3207	2245	481	481
Recon Attacks	3207 (Recon VulScan)	2245	481	481
	20,666 (OS Scan)	14,466	3100	3100
Port scan	106,603	74,622	15,990	15,991
Malformed Data	6877	4813	1032	1032
DoS Attacks	15,904 (DoS Connect Flood)	11,132	2386	2386
	52,881 (DoS Publish Flood)	37,016	7932	7933
	462,480 (DoS TCP)	323,736	69,372	69,372
	514,724 (DoS ICMP)	360,306	77,208	77,210
	540,498 (DoS SYN)	378,348	81,074	81,076
DDoS Attacks	214,952 (DDoS Connect Flood)	150,466	32,243	32,243
	36,039 (DDoS Publish Flood)	25,227	5406	5406
	704,503 (DoS UDP)	493,152	105,676	105,675
	987,063 (DDoS TCP)	690,944	148,059	148,060
	1,887,175 (DDoS ICMP)	1,321,023	283,076	283,076
	974,359 (DDoS SYN)	682,051	146,154	146,154
	1,998,026 (DDoS UDP)	1,398,618	299,704	299,704

4.3. ECU-IoHT Dataset

The ECU-IoHT dataset was developed to address the lack of publicly available data on healthcare cyberattacks, which is often constrained by privacy concerns. Created in a controlled experimental environment, it simulates various attacks, including ARP spoofing, DoS, Nmap port scans, and Smurf attacks, to expose vulnerabilities in IoMT systems. The dataset comprises 87,754 normal instances and 23,453 attack instances, with seven network-related features (e.g., source, destination, protocol). Table 5 provides a comprehensive summary of the dataset.

Table 5. Description of ECU IoHT dataset.

Category	Counts	Train (70%)	Test (15%)	Val (15%)
Normal	23,453	16,417	3518	3518
Smurf	77,920	54,544	11,688	11,688
Nmap port scan	6836	4785	1026	1025
ARP spoofing	2359	1651	354	354
DoS	639	447	96	96

5. Experiment and Performance Evaluation

This section presents the experimental design and performance metrics employed for the evaluation. Subsequently, a detailed analysis of the results is provided, followed by a comparative analysis with existing literature to assess the efficacy of the proposed approach.

5.1. Experimental Setup

We implemented our proposed algorithm in Python (3.9.25), utilizing libraries such as NumPy, Pandas, Scikit-learn, and SciPy. Experiments were conducted on a system equipped with a 12th-generation Intel(R) Core(TM) i5-12600K processor (3.69 GHz) and 48 GB of RAM, running Ubuntu 20.04.4 with Linux kernel version 5.13.

5.2. Evaluation Metrics

To evaluate the performance of our proposed framework, we employed standard evaluation metrics commonly used in machine learning. Specifically, we computed accuracy, precision, recall, and the F1-score to assess the correctness of classifying network traffic into specific categories.

$$\begin{array}{cc}\hfill \hspace{1em}\hspace{1em}\hspace{1em} \mathrm{Accuracy}\left(\mathrm{A}\right)& ={\displaystyle \frac{TP+TN}{TP+TN+FP+FN}}\hfill \end{array}$$

(15)

$$\begin{array}{cc}\hfill \mathrm{Precision}\left(\mathrm{P}\right)& ={\displaystyle \frac{TP}{TP+FP}}\hfill \end{array}$$

(16)

$$\begin{array}{cc}\hfill \hspace{1em} \mathrm{Recall}\left(\mathrm{R}\right)& ={\displaystyle \frac{TP}{TP+FN}}\hfill \end{array}$$

(17)

$$\begin{array}{cc}\hfill \hspace{1em}\hspace{1em}\hspace{1em}\hspace{1em}\hspace{1em}\hspace{1em}\hspace{1em}\text{F1-Score}& =2·{\displaystyle \frac{\mathrm{Precision}·\mathrm{Recall}}{\mathrm{Precision}+\mathrm{Recall}}}\hfill \end{array}$$

(18)

The number of correctly classified instances for a given class is recorded as True Positives (TP). In contrast, the number of correctly classified instances that do not belong to that class is recorded as True Negatives (TN). Conversely, instances that were incorrectly classified are recorded as False Positives (FP) and False Negatives (FN).

5.3. Feature Engineering Results

To ensure the robustness and generalizability of the proposed EDR-based fuzzy J48 IDS, we employed a 10-fold cross-validation strategy during model evaluation. Specifically, the dataset was initially partitioned into three subsets: 70% for training, 15% for validation, and 15% for testing. Within the training set, k-fold cross-validation with $k=10$ was applied, where in each iteration, one fold was reserved as an internal validation set and the remaining $k-1$ folds were used to train the model. This internal cross-validation was repeated ten times, and the performance metrics were averaged to reduce the impact of data bias and overfitting.

The Figure 3 presents EDR-based feature rankings across three IoMT datasets: WUSTL-EHMS-2020 (top), CICIoMT2024 (middle), and ECU-IoHT (bottom). For the WUSTL-EHMS-2020 dataset (top), which includes 44 features (35 network and 8 biometric), the EDR analysis identified the top 20 most discriminative features, which were selected for model training. The EDR values exhibit a broad range, reflecting high inter-class variability. The CICIoMT2024 dataset (middle), containing 49 flow-based features, showed a similar EDR distribution. The top 20 features with the highest EDR scores were retained to optimize model accuracy while reducing dimensionality. The ECU-IoHT dataset (bottom) is more compact with only 7 network features. Due to the limited dimensionality, the top 3 features, Length, Protocol, and Time, were selected based on their consistently high EDR values, indicating that these few features are uniformly informative for classification.

Figure 3. Feature rankings using EDR on three IoMT datasets: (a) WUSTL-EHMS-2020, (b) CICIoMT2024, and (c) ECU-IoHT.

Figure 4 presents the experimental comparison of classification accuracy using varying numbers of EDR-selected features across the two IoMT datasets, such as WUSTL-EHMS-2020 and CICIoMT2024 datasets. For WUSTL-EHMS-2020, accuracy consistently improved up to 10 selected features, beyond which performance slightly declined, indicating the introduction of redundant information. Similarly, the CICIoMT2024 dataset achieved its highest accuracy with 16 features, confirming that a compact and informative subset yields optimal results. In contrast, the ECU-IoHT dataset, with only seven original features, achieved its peak accuracy using the top three features: Length, Protocol, and Time, which highlighted their discriminative strength. These respective optimal feature counts are used for all subsequent performance analysis.

Figure 4. Accuracy vs number of features in different datasets.

5.4. Evaluation of EDR-FJ48 Performance

The proposed EDR-FJ48 method is evaluated across three benchmark IoMT datasets, such as WUSTL-EHMS-2020, CICIoMT2024, and ECU-IoHT, in comparison with several state-of-the-art approaches. The results are summarized in Table 6. On the WUSTL-EHMS-2020 dataset, the proposed EDR-FJ48 method outperforms baseline models such as SECIoHT IDS [21], FST-LSTM [23,29], LEMDA [24] and DNN-FL [32], achieving superior accuracy, precision, recall, and F1-score. Our method achieved an impressive classification accuracy of 99.68%, demonstrating a strong capability in accurately distinguishing between normal and attack traffic patterns. Notably, our earlier approach, EDR-J48 [1], also exhibited competitive performance on this dataset. In the case of the CICIoMT2024 and ECU-IoHT datasets, both of which include diverse attack patterns, our proposed method achieves high classification accuracies of 98.71% and 99.43%, respectively. While EDR-J48 [1] performs well in distinguishing between normal and attack patterns in binary classification settings, its effectiveness declines in multiclass scenarios. This limitation arises from the J48 decision tree’s reliance on static, axis-aligned decision boundaries, which are suitable for separating two distinct classes but struggle when multiple class regions overlap in feature space. As the number of classes increases, the likelihood of feature similarity and class overlap grows, making it challenging for J48 to generate clear and generalized decision partitions. Leveraging the fuzzy inference rule, which is well-suited for defining flexible and overlapping class boundaries, the proposed EDR-FJ48 method offers enhanced classification performance in complex, multiclass attack scenarios.

Table 6. Performance comparison of different algorithms across datasets.

Dataset	Algorithm	Accuracy	Precision	Recall	F1-Score
WUSTL-EHMS-2020	EDR-J48 [1]	99.33	99	99	99
	SECIoHT IDS [21]	94.48	95	99	97
	FST-LSTM [29]	96.60	96.80	97	96.70
	DNN-FL [32]	91.40	91.02	93	91
	[23]	95.01	94.94	95.01	95
	LEMDA [24]	94.73	95.60	96	74.556
	EDR-FJ48 (Proposed)	99.68	97.84	99.82	98.81
CICIoMT2024	EDR-J48 [1]	77	74	73.87	72.50
	EXP BOOSTING [10]	95.01	89.63	87.44	88.44
	L2D2 [15]	98	98	98	98
	UNet++–LSTM [16]	87.96	94.55	93.31	86.47
	[17]	70	70	65	55
	Transformer Models [13]	73	68	73	68
	EDR-FJ48 (Proposed)	98.71	98.70	98.78	98.73
ECU-IoHT	EDR-J48 [1]	78.36	77.14	75.68	71.63
	1D-CLSTM [18]	98.55	90.08	92.03	87.77
	BERT [19]	99.11	99	99	99
	EFL-LSTM [20]	97.16	93.96	79.33	82.37
	SECIoHT IDS [21]	95.80	92	100	96
	[14]	92.04	89.84	92.03	87.17
	EDR-FJ48 (Proposed)	99.43	99.01	99.35	99.21

Table 7, Table 8 and Table 9 present the class-wise performance metrics of the proposed EDR-FJ48 model, highlighting its consistent and high detection accuracy across all three datasets. On the WUSTL-EHMS-2020 dataset (Table 7), the model achieves near-perfect scores for both Spoofing and Normal classes, demonstrating its strong capability in detecting normal and attack patterns. In the CICIoMT2024 dataset (Table 8), despite the challenges posed by multiple and diverse attack types, the model maintains excellent performance with precision, recall, and F1-scores exceeding 0.90 for most classes, including perfect scores for MQTT and TCP-based DDoS attacks. The ECU-IoHT dataset (Table 9) also reflects strong results, with perfect classification for Smurf Attack and No Attack classes, and only marginal decreases in performance for ARP Spoofing and Nmap Port Scan. These findings confirm the robustness and generalizability of the EDR-FJ48 model in effectively handling both simple and complex intrusion detection tasks in varied IoMT environments.

Table 7. Class-wise performance metrics WUSTL-EHMS-2020.

Class	Accuracy	Precision	Recall	F1-Score
Spoofing	99.6	96	100	98
Normal	100	100	100	100

Table 8. Class-wise performance metrics CICIoMT2024.

Class	Accuracy	Precision	Recall	F1-Score
ARP Spoofing	0.85	0.85	0.84	0.85
Benign	0.99	0.99	0.99	0.99
MQTT-DDoS-Connect Flood	1.00	1.00	1.00	1.00
MQTT-DDoS-Publish Flood	1.00	1.00	1.00	1.00
MQTT-DoS-Connect Flood	1.00	1.00	1.00	1.00
MQTT-DoS-Publish Flood	1.00	1.00	1.00	1.00
MQTT-Malformed Data	0.93	0.93	0.91	0.92
Recon-OS Scan	0.96	0.96	0.94	0.95
Recon-Ping Sweep	0.80	0.76	0.89	0.82
Recon-Port Scan	0.92	0.90	0.90	0.90
Recon-VulScan	0.83	0.83	0.83	0.83
TCP IP-DDoS-ICMP1	0.96	0.96	0.97	0.96
TCP IP-DDoS-ICMP2	0.98	1.00	0.97	0.98
TCP IP-DDoS-SYN	1.00	1.00	1.00	1.00
TCP IP-DDoS-TCP	1.00	1.00	1.00	1.00
TCP IP-DDoS-UDP1	0.96	0.96	0.92	0.95
TCP IP-DDoS-UDP2	0.95	0.92	0.95	0.94
TCP IP-DoS-ICMP	1.00	1.00	1.00	1.00
TCP IP-DoS-SYN	1.00	1.00	1.00	1.00
TCP IP-DoS-TCP	1.00	1.00	1.00	1.00
TCP IP-DoS-UDP	1.00	1.00	1.00	1.00

Table 9. Class-wise performance metrics ECU-IoHT dataset.

Class	Accuracy	Precision	Recall	F1-Score
No Attack	97	97	97	97
ARP Spoofing	99	99	96	97
DoS Attack	89	87	90	88
Nmap Port Scan	96	95	94	95
Smurf Attack	100	100	100	100

Figure 5 illustrates the confusion matrix of the proposed EDR-FJ48 model on the WUSTL-EHMS-2020 dataset, achieving an accuracy of 99.68% with a minimal misclassification rate of 0.0014%. Figure 6 depicts the confusion matrix results on the CICIoMT2024 dataset, where the model attains a high accuracy of 98.71% and a corresponding misclassification rate of 0.0261%. Figure 7 displays the confusion matrix for the ECU-IoHT dataset, illustrating a robust classification performance with 99.43% accuracy and a low misclassification rate of 0.0174%.

Figure 5. Confusion matrix for EDR-FJ48 on WUSTL-EHMS-2020 dataset.

Figure 6. Confusion matrix for EDR-FJ48 on CICIoMT2024 dataset.

Figure 7. Confusion matrix for EDR-FJ48 on ECU-IoHT dataset.

The ROC curves depicted in Figure 8a–c for the WUSTL-EHMS-2020, CICIoMT2024, and ECU-IoHT datasets, respectively, demonstrate the high discriminative ability of the proposed EDR-FJ48 model across all classes. The AUC values are consistently close to 1, indicating excellent attack detection in the IoMT environment. For the binary WUSTL-EHMS-2020 dataset, both attack and normal traffic patterns achieve near-perfect AUCs. In the more complex multiclass scenarios of CICIoMT2024 and ECU-IoHT, the model maintains strong separability between classes, with most AUC values exceeding 0.95.

Figure 8. AUC on the (a) WUSTL-EHMS-2020, (b) CICIoMT2024, and (c) ECU-IoHT dataset.

Figure 9 presents the training and testing performance of the EDR-FJ48 model on the WUSTL-EHMS-2020 dataset as the maximum tree depth increases. In Figure 9a, both training and testing accuracies steadily rise with increasing depth. As the tree depth increases, these values rise to 0.999 for training and 0.9968 for testing at a depth of 20, indicating improved learning capability. Figure 9b shows a consistent decline in log loss for both training and testing as tree depth increases. Training loss drops from about 0.08 to 0.03, while test loss decreases from 0.15 to 0.08. The narrowing gap between training and test loss reflects strong generalization, suggesting that deeper trees enhance the model’s performance without significant overfitting.

Figure 9. Performance evaluation of the EDR-FJ48 model on the WUSTL-EHMS-2020 dataset: Accuracy and loss across varying maximum tree depths.

Figure 10 illustrates the training and testing accuracy and log loss of the EDR-FJ48 model on the CICIoMT2024 dataset across varying values of maximum tree depth. As shown in Figure 10a, both training and testing accuracy steadily increase with deeper trees. Initially, at a depth of 3, the training and testing accuracies are relatively low, around 0.80 and 0.82, respectively. However, as the depth increases, the accuracies rise sharply, reaching approximately 0.98 at a depth of 20, indicating significant model improvement and better pattern learning. Conversely, Figure 10b shows that the training and testing log losses decrease consistently with increasing depth. The training loss drops from approximately 0.065 to 0.01, and the test loss decreases from 0.25 to around 0.09. This declining trend confirms that the model is learning effectively, minimizing the prediction error as it grows deeper. Notably, the gap between training and test loss remains minimal, demonstrating that the model maintains good generalization performance without overfitting. The convergence of accuracy and minimization of loss affirms that the chosen depth yields strong performance on both seen and unseen data.

Figure 10. Performance evaluation of the EDR-FJ48 model on the CICIoMT2024 dataset: Accuracy and loss across varying maximum tree depths.

Figure 11 presents the training and testing performance of the EDR-FJ48 model on the ECU-IoHT dataset concerning varying maximum tree depths. As illustrated in Figure 11a, the model’s accuracy improves progressively with increased depth. The training accuracy climbs from approximately 0.978 at depth 3 to nearly perfect at depth 20, indicating that the model learns more complex decision boundaries as depth increases. The test accuracy also improves initially, peaking around depth 10 and then stabilizing close to 0.9943, reflecting strong generalization on unseen data. In Figure 11b, the log loss plots further validate these observations. The training loss steadily decreases from around 0.10 to below 0.02, showing the model’s increasing confidence in its predictions. Similarly, the test loss drops sharply from 0.26 to 0.11, reflecting an improvement in predictive quality. Notably, the consistently decreasing test loss, accompanied by minimal overfitting, suggests that the model generalizes well even at higher depths.

Figure 11. Performance evaluation of the EDR-FJ48 model on the ECU-IoHT dataset: Accuracy and loss across varying maximum tree depths.

Figure 12 presents the fuzzy membership functions for selected input features of the EDR-FJ48 model on the WUSTL-EHMS-2020 dataset. Each subplot illustrates how a specific feature is transformed into linguistic terms such as Low, Medium, and High using Gaussian membership functions. Features such as Header_Length, Tot_size, Tot_sum, and HTTP exhibit sharp transitions, indicating well-separated data distributions. In contrast, standardized features like Protocol_Type, rst_count, and fin_count span both negative and positive ranges, resulting in smoother and more overlapping transitions. This fuzzification process enables more interpretable and flexible input representations, thereby enhancing the model’s capability to handle uncertainty, establish more precise class boundaries, and generalize effectively across diverse network traffic patterns.

Figure 12. Fuzzy membership function on WUSTL-EHMS-2020 dataset.

Figure 13 illustrates the fuzzy membership functions of selected features used in the EDR-FJ48 model trained on the CICIoMT2024 dataset. Each subplot represents the fuzzification of an input variable into three linguistic categories: Low, Medium, and High, using Gaussian membership functions. Features such as Header_Length, Tot_sum, HTTPS, and HTTP show sharply separated distributions, indicating a clear distinction among categories. Standardized features, such as Rate, syn_count, and Duration, exhibit smoother and more overlapping transitions, thereby enhancing the interpretability and adaptability of the fuzzy logic system. The systematic fuzzification of numerical and protocol-related features facilitates better handling of uncertainty, thereby contributing to improved detection accuracy across diverse and imbalanced traffic patterns typical of IoMT environments.

Figure 13. Fuzzy membership function on CICIoMT2024 dataset.

Figure 14 illustrates the fuzzy membership functions of three selected features, such as Header_Length, Tot size, and TCP, from the ECU-IoHT dataset as part of the EDR-FJ48 model. The membership curves demonstrate smooth and balanced transitions, particularly for Header_Length and Tot size, indicating standardized input scaling. The TCP feature exhibits a sharper transition from Low to High, reflecting strong feature polarity. This fuzzy representation facilitates the effective modeling of non-linear behavior and complex patterns within healthcare-related IoT traffic.

Figure 14. Fuzzy membership function on ECU-IoHT dataset.

The ablation study investigates the contribution of each key component, such as PCA, EDR, fuzzification, and J48 classifier, by systematically disabling them and evaluating the impact on classification accuracy across three benchmark datasets. As shown in Table 10, the complete EDR-FJ48 model consistently delivers the highest accuracy, demonstrating the effectiveness of its integrated architecture. In the WUSTL-EHMS-2020 dataset, which contains both normal and attack patterns, the model achieves an accuracy of 99.68%. The removal of the fuzzification step results in only a minor drop in accuracy, indicating that fuzzification is less critical for binary scenarios. Conversely, in multiclass datasets such as CICIoMT2024 and ECU-IoHT, fuzzification and EDR play a more influential role. Disabling EDR or fuzzification results in noticeable performance degradation, dropping from 98.73% to 77% and from 99.21% to 78.36%, respectively, highlighting their importance in effectively handling class diversity and improving discrimination in multiclass intrusion detection. These results underscore the importance of EDR and fuzzification in achieving robust performance in complex, multiclass IoMT scenarios.

Table 10. Ablation study on different datasets and results.

Dataset	Configuration	PCA	EDR	Fuzzification	J48	Accuracy (%)
WUSTL-EHMS-2020	Full model	Enable	Enable	Enable	Enable	99.68
	No PCA	Disable	Enable	Enable	Enable	99.39
	No EDR	Enable	Disable	Enable	Enable	99.32
	No fuzzy rule	Enable	Enable	Disable	Enable	99.33
CICIoMT2024	Full model	Enable	Enable	Enable	Enable	98.73
	No PCA	Disable	Enable	Enable	Enable	98.01
	No EDR	Enable	Disable	Enable	Enable	96.59
	No fuzzy rule	Enable	Enable	Disable	Enable	77.00
ECU-IoHT	Full model	Enable	Enable	Enable	Enable	99.21
	No PCA	Disable	Enable	Enable	Enable	98.74
	No EDR	Enable	Disable	Enable	Enable	98.11
	No fuzzy rule	Enable	Enable	Disable	Enable	78.36

Table 11 presents the execution time and memory usage of the proposed algorithm evaluated across three datasets. The results demonstrate that the algorithm maintains a low computational footprint, with execution times ranging from approximately 2.08 to 3.49 s and memory usage between 6.19 and 8.81 MiB. These lightweight resource requirements indicate its suitability for deployment on resource-constrained IoT and edge devices. This framework prioritizes real-world deployment by ensuring minimal execution time and efficient memory utilization, thereby enhancing detection accuracy and overall system responsiveness.

Table 11. Execution time and Memory usage of EDR-J48 in different datasets.

Dataset	Ex. Time (s)	Memory Usage (MiB)
WUSTL-EHMS-2020	3.3787	7.6484
CICIoMT2024	3.4893	8.8090
ECU-IoHT	2.0751	6.1992

6. Discussion

The proposed EDR-FJ48 framework combines Empirical Distribution Ranking feature selection with a fuzzy-enhanced J48 decision tree classifier to improve intrusion detection in Internet of Medical Things networks. EDR-FJ48 has several advantages, including its robustness and interpretability. The EDR method emphasizes the statistical differences in feature distributions between classes, enabling the selection of highly discriminatory attributes. This is especially useful in multiclass IoMT traffic environments where small changes in traffic behavior must be identified across multiple attack types. Furthermore, the inclusion of fuzzy logic improves the model’s ability to handle noisy traffic data, which is common in real-world IoT contexts. It delivers interpretable, rule-based conclusions that are practical for security experts. In terms of resource efficiency, experimental results show that EDR-FJ48 requires only modest memory (6–9 MiB) and execution time (2–4 s), which affirms its feasibility for deployment on constrained IoMT devices. This enables real-time detection capabilities at the network edge, minimizing dependency on cloud-based processing and accelerating threat mitigation.

However, despite these strengths, the proposed model exhibits certain limitations. It is sensitive to variations in network environments and heavily dependent on the quality and representativeness of the datasets used for training. Additionally, it may be susceptible to evolving cyber threats, as it has not been explicitly evaluated for its effectiveness in detecting zero-day or adversarial attacks, which limits its demonstrated robustness against unknown threats. The framework also involves resource-intensive training processes and faces challenges in simultaneously optimizing detection accuracy and computational efficiency, which may hinder its deployment in diverse and resource-constrained industrial scenarios. Furthermore, the current reliance on manual feature engineering, even when supported by EDR, limits the model’s adaptability to dynamic and evolving traffic patterns.

7. Conclusions

To address the security challenges of IoMT networks, this work proposes the EDR-FJ48 algorithm for accurate detection of both normal and malicious traffic patterns, enabling the identification of various attack types within IoMT environments. The proposed methodology incorporates feature engineering to reduce data redundancy and enhance feature representation. By utilizing a fuzzy membership function, the model effectively manages uncertainty, improves interpretability, and establishes clear decision boundaries. When tested on the WUSTL-EHMS-2020, CICIoMT2024, and ECU-IoHT datasets, the proposed method achieves high accuracy.

To enhance the real-world applicability of EDR-FJ48, future research should focus on expanding its generalization capabilities across a wider array of IoMT environments. This includes validating performance using more diverse, real-world datasets. Improving robustness against zero-day threats is also critical; this can be addressed through the integration of continual learning, zero-shot or few-shot learning techniques, and anomaly detection modules. In addition, exploring model compression, fuzzy rule simplification, and federated learning can optimize the framework for efficient deployment in large-scale, resource-constrained networks. Moreover, incorporating adaptive mechanisms to handle dynamic traffic and evolving threat landscapes will further improve the framework’s resilience and long-term scalability in the ever-changing IoMT ecosystem.