Fractional Tchebichef-ResNet-SE: A Hybrid Deep Learning Framework Integrating Fractional Tchebichef Moments with Attention Mechanisms for Enhanced IoT Intrusion Detection

Abstract

The Internet of Things (IoT) faces critical security challenges stemming from resource-constrained devices and inadequate intrusion detection capabilities. Traditional machine learning approaches struggle with high-dimensional network traffic data due to the curse of dimensionality, severe class imbalance between benign and malicious traffic, and dependence on manual feature engineering that fails to capture complex non-linear attack patterns. Although deep neural networks offer automatic feature extraction, they suffer from two fundamental limitations: the degradation problem, where increasing network depth paradoxically raises training error rather than improving performance, and uniform channel weighting, which prevents the network from adaptively emphasizing attack-relevant features while suppressing irrelevant noise. This research proposes a novel hybrid framework integrating Fractional Tchebichef moment-based feature preprocessing with deep Residual Networks enhanced by Squeeze-and-Excitation (ResNet-SE) attention mechanisms. Fractional Tchebichef moments provide compact, noise-resistant representations by operating directly in the discrete domain, eliminating discretization errors inherent in continuous moment approaches. Network traffic features are transformed into 232 × 232 moment-based matrices capturing discriminative patterns across multiple scales. Comprehensive evaluation on Bot-IoT and Leopard Mobile IoT datasets demonstrates superior performance, achieving 99.78% accuracy and a 99.37% F1-score, substantially outperforming K-Nearest Neighbors (84.7%), Support Vector Machines (87.5%), and baseline CNNs (99.3%). Ablation studies confirm synergistic contributions, with residual connections contributing 0.18% and SE attention adding 0.14% improvements. Cross-dataset evaluation achieves 96.34% and 97.12% accuracy on UNSW-NB15 and IoT-Bot datasets without retraining, while the framework processes 127.9 samples per second across diverse attack taxonomies.

1. Introduction

The Internet of Things (IoT) has emerged as a transformative paradigm, interconnecting billions of devices across diverse domains including smart homes, healthcare systems, industrial automation, and critical infrastructure [1,2]. The proliferation of IoT devices projected to exceed 30 billion connected endpoints by 2025 has created unprecedented opportunities for intelligent automation while simultaneously expanding the attack surface available to malicious actors [3]. Despite research advancements, IoT ecosystems remain intrinsically vulnerable to cyber threats due to limited computational resources, heterogeneous communication protocols, and the inherent difficulty of implementing comprehensive security mechanisms on resource-constrained devices [4,5].

Traditional intrusion detection systems (IDS) face substantial challenges when deployed in IoT environments. Signature-based approaches, while effective against known threats, fail to detect zero-day attacks and novel malware variants that exploit previously unknown vulnerabilities [6]. Anomaly based detection methods offer improved coverage against unknown threats but suffer from high false positive rates that can overwhelm security operations centers and lead to alert fatigue [7]. Furthermore, the high-dimensional nature of network traffic data, combined with the extreme class imbalance characteristic of security datasets where benign traffic typically outnumbers malicious samples by orders of magnitude poses challenges for conventional machine learning classifiers [8].

Deep learning approaches have demonstrated substantial promise in addressing these limitations through their capacity for automatic feature extraction and hierarchical representation learning [9,10]. Convolutional Neural Networks (CNNs) have achieved success in extracting spatial patterns from network traffic when represented as two-dimensional matrices [11]. Long Short-Term Memory (LSTM) networks effectively capture temporal dependencies in sequential traffic flows [12]. Hybrid architectures combining CNNs and LSTMs leverage complementary strengths to achieve superior detection accuracy [13,14]. However, existing deep learning approaches for IoT intrusion detection continue to face critical limitations that motivate the present research. First, deep convolutional networks encounter the degradation problem as network depth increases, where adding more layers paradoxically leads to higher training error rather than improved representation learning [15]. This phenomenon limits the capacity to learn complex hierarchical attack patterns that span multiple abstraction levels. Second, standard CNN architectures treat all feature channels with equal importance, lacking mechanisms to adaptively emphasize attack-relevant characteristics while suppressing noise and irrelevant variations in network traffic data [16]. Third, most existing intrusion detection systems operate directly on raw or minimally processed network features, which are typically high-dimensional, noisy, and lack the compact representation necessary for efficient classification in resource-constrained IoT environments [17].

To address the challenge of high-dimensional, noisy network traffic data, this research introduces Fractional Tchebichef moment-based feature preprocessing as a novel approach for IoT security applications. Fractional Tchebichef moments, first introduced by Mukundan et al. [18], represent a class of discrete orthogonal moments based on Fractional Tchebichef polynomials that have demonstrated superior representation capabilities compared to conventional continuous orthogonal moments such as Legendre and Zernike moments [19,20]. The fundamental advantage of Fractional Tchebichef moments lies in their inherent orthogonality in the discrete domain, completely eliminating the need for numerical approximation that introduces discretization errors in continuous moment approaches [21]. This property ensures that Fractional Tchebichef moments preserve analytical properties needed to maintain information fidelity, making them particularly robust for feature extraction tasks [22,23]. Unlike continuous moments that require discrete approximation of continuous integrals leading to computational errors that accumulate at higher moment orders, Fractional Tchebichef moments can be computed directly through efficient recurrence relations [24,25]. Computational efficiency has been substantially improved through algorithmic innovations exploiting polynomial symmetry properties, reducing computation time by nearly 50% [26]. In the context of IoT security, Fractional Tchebichef moments offer several critical advantages: (i) compact feature representations that capture essential characteristics of network traffic patterns while suppressing noise; (ii) discrete nature that aligns perfectly with digital network data representation; (iii) efficient computation suitable for resource-constrained environments; and (iv) invariance properties ensuring robust feature extraction across varying network conditions [27].

While Fractional Tchebichef moments address the feature representation challenge, classification architecture must overcome the degradation problem in deep networks while adaptively emphasizing attack-indicative features. This research employs Residual Networks (ResNet) enhanced with Squeeze-and-Excitation (SE) attention mechanisms to achieve these objectives. Residual Networks, introduced by Tawfik et al. [15], revolutionized deep learning by enabling training of networks exceeding 100 layers through identity-based skip connections that allow gradients to flow directly during back propagation, effectively mitigating the vanishing gradient problem. The SE block, proposed by Hu et al. [28], introduces adaptive channel attention through a Squeeze-and-Excitation mechanism that learns to recalibrate channel-wise feature responses based on global context information.

The present research proposes a novel hybrid framework that synergistically integrates Fractional Tchebichef moment-based feature preprocessing with ResNet-SE architecture for IoT intrusion detection. While both Fractional Tchebichef moments and SE attention mechanisms exist independently in the literature, their combination represents a methodologically deliberate and non-trivial integration whose novelty operates at three distinct levels:

First, Fractional Tchebichef moments have never previously been applied to network traffic data or any cybersecurity domain. Their established use has been confined to image analysis and bio-signal processing. Applying them to IoT intrusion detection requires a fundamental reinterpretation of network traffic features as structured 2D moment representations, which constitutes a domain transfer that is neither straightforward nor incremental.

Second, the integration of FT moment preprocessing with ResNet-SE architecture is not a simple pipeline concatenation. The 232 × 232 moment representation is specifically designed to exploit the spatial feature extraction capabilities of convolutional networks, creating a deliberate structural alignment between the preprocessing output and the convolutional input stage. This design choice transforming tabular network traffic into a moment-domain image representation that preserves both global traffic structure in low-order coefficients and local discriminative attack patterns in higher-order coefficients constitutes a principled architectural decision rather than an ad hoc combination.

Third, the framework addresses three simultaneous limitations that no existing IoT intrusion detection system resolves jointly: (i) the discretization error problem in feature representation, eliminated through discrete orthogonal moment computation; (ii) the degradation problem in deep networks, addressed through residual skip connections; and (iii) uniform channel weighting in standard CNNs, corrected through adaptive SE attention. Existing approaches address at most one or two of these limitations in isolation. The ablation study empirically confirms that each component contributes independently and synergistically, with the full model outperforming any partial combination, which would not be the case if the integration were merely incremental. The principal contributions are fourfold:

•

A fractional Tchebichef moment-based feature transformation as a preprocessing technique that converts high-dimensional network traffic data into compact, noise-resistant 232 × 232 feature matrices suitable for convolutional processing is introduced.

•

A principled mathematical framework is provided for dimensionality reduction while preserving discriminative information.

•

A deep Residual Network architecture is developed to enhance with Squeeze-and-Excitation attention blocks that overcomes the degradation problem for IoT intrusion detection.

•

A Comprehensive empirical evaluation is conducted on multiple benchmark datasets including Bot-IoT and Leopard Mobile IoT.

The remainder of this paper is organized as follows: Section 2 reviews related work. Section 3 presents the mathematical foundations of Fractional Tchebichef polynomials. Section 4 introduces ResNet-SE architecture. Section 5 describes the complete framework. Section 6 presents experimental results. Section 7 concludes with discussion of contributions and future directions.

2. Related Work

The development of effective intrusion detection systems for IoT environments has attracted substantial research attention. This section reviews the relevant literature organized into four thematic areas: traditional machine learning approaches, deep learning-based security systems, attention mechanisms, and orthogonal moment-based feature extraction.

Traditional machine learning methods have formed the foundation of intrusion detection research. Decision trees, random forests, and ensemble methods have demonstrated effectiveness in classifying network traffic based on hand-crafted features [29,30]. Support Vector Machines (SVMs) with various kernel functions have been extensively applied to attack classification, achieving accuracy rates of 85–95% on standard benchmarks [31]. K-Nearest Neighbors (KNN) algorithms offer interpretable classification but suffer from computational complexity scaling with dataset size [32]. However, traditional machine learning approaches face many limitations in IoT contexts. Manual feature engineering demands substantial domain expertise and often fails to capture complex, non-linear relationships [33]. Feature selection becomes increasingly challenging as dimensionality grows, leading to the curse of dimensionality [34]. Furthermore, these approaches struggle with the extreme class imbalance characteristic of security datasets [35,36].

Deep learning has emerged as a powerful paradigm for intrusion detection, offering automatic feature extraction and superior representation learning [37]. Convolutional Neural Networks have been extensively applied to network traffic classification by converting packet data into two-dimensional representations [38,39]. Recurrent architectures, particularly LSTM networks, have demonstrated effectiveness in modeling temporal dependencies in sequential network traffic [40,41].

Hernandez-Jaimes et al. [42] presented a comprehensive review of AI-based intrusion detection systems for Internet of Medical Things security, analyzing 40 publications with accuracy ranging from 90 to 100%. Alotaibi et al. [43] developed an explainable AI framework achieving 99.29% accuracy in web phishing classification. Al-Shurbaji et al. [44] proposed Bot-EnsIDS employing PSO combined with hybrid CNN-LSTM, achieving 97.5% accuracy on the BoT-IoT dataset. Attention mechanisms have revolutionized deep learning by enabling selective focus on relevant input features. The Squeeze-and-Excitation (SE) block [28] provides channel-wise attention through a compact gating mechanism, adding only 2.5% additional parameters while improving accuracy by approximately 1%. Roy et al. [45] extended SE attention to medical image segmentation, while Woo et al. [46] proposed CBAM combining channel and spatial attention. Orthogonal moments have been extensively studied as compact feature descriptors. Orthogonal moments based on Laguerre moments have demonstrated effectiveness but require numerical approximation introducing discretization errors [47,48]. Discrete orthogonal moments, including Fractional Tchebichef moments, address this limitation by operating directly in the discrete domain [18,49].

The literature review reveals key observations: traditional ML is limited by hand-crafted features; deep learning faces degradation and lacks adaptive feature emphasis; attention mechanisms remain underexplored for convolutional IDS; orthogonal moments have not been systematically applied to network security. This research addresses these gaps through a novel hybrid framework integrating Fractional Tchebichef moments with ResNet-SE architecture.

3. Tchebichef Polynomials and Moments

Tchebichef polynomials are defined in terms of the hypergeometric function 3F2 as discrete orthogonal polynomials that form the mathematical foundation for moment computation [18]. This section presents the theoretical framework underlying Tchebichef moment-based feature extraction.

3.1. Standard Tchebichef Polynomials

Tchebichef polynomials are discrete orthogonal polynomials defined over a finite set of sample points, making them naturally suited for digital data processing without requiring numerical approximation.

Tchebichef polynomials are defined in terms of the hypergeometric function $3\mathrm{F}2$ [6] as

$${\mathrm{T}}_{\mathrm{p}}\left(\mathrm{x}\right)={\left(1-\mathrm{N}\right)}_{\mathrm{p}}3\mathrm{F}2\left(-\mathrm{p},-\mathrm{x},1+\mathrm{p};1,1-\mathrm{N};1\right),\hspace{1em}\hspace{1em}\mathrm{p},\mathrm{x}=0,1,2,\dots \mathrm{N}-1$$

(1)

The hypergeometric function $3\mathrm{F}2$ is defined as

$$3\mathrm{F}2\left({\mathrm{a}}_1,{\mathrm{a}}_2,{\mathrm{a}}_3;{\mathrm{b}}_1,{\mathrm{b}}_2;\mathrm{z}\right)=\sum _{\mathrm{n}=0}^{\mathrm{\infty }}{\displaystyle \frac{{\left({\mathrm{a}}_1\right)}_{\mathrm{p}}{\left({\mathrm{a}}_2\right)}_{\mathrm{p}}{{\left({\mathrm{a}}_3\right)}_{\mathrm{p}}\mathrm{z}}^{\mathrm{p}}}{{\left({\mathrm{b}}_1\right)}_{\mathrm{p}}{\left({\mathrm{b}}_2\right)}_{\mathrm{p}}\mathrm{p}!}},$$

(2)

${\left(\mathrm{a}\right)}_{\mathrm{p}}$ is a pochhammer symbol (it is also known as a rising factorial)

$${\left(\mathrm{a}\right)}_{\mathrm{p}}=\mathrm{a}\left(\mathrm{a}+1\right)\dots \left(\mathrm{a}+\mathrm{p}-1\right)={\displaystyle \frac{\left(\mathrm{a}+\mathrm{p}-1\right)!}{\left(\mathrm{a}-1\right)!}}={\displaystyle \frac{\mathsf{\Gamma }\left(\mathrm{a}+\mathrm{p}\right)}{\mathsf{\Gamma }\left(\mathrm{a}\right)}}.$$

(3)

Equation (1) can be expressed as

$${\mathrm{T}}_{\mathrm{p}}\left(\mathrm{x}\right)=\mathrm{p}!\sum _{\mathrm{k}=0}^{\mathrm{p}}\left({\displaystyle \genfrac{}{}{0pt}{}{\mathrm{N}-1-\mathrm{k}}{\mathrm{p}-\mathrm{K}}}\right)\left({\displaystyle \genfrac{}{}{0pt}{}{\mathrm{p}+\mathrm{k}}{\mathrm{p}}}\right)\left({\displaystyle \genfrac{}{}{0pt}{}{\mathrm{x}}{\mathrm{k}}}\right),\hspace{1em}\hspace{1em}\hspace{1em}\hspace{1em}\hspace{1em}\mathrm{p},\mathrm{x}=0,1,2,\dots \mathrm{N}-1.$$

(4)

The set of Fractional Tchebichef polynomials satisfies the following orthogonality condition:

$$\sum _{\mathrm{x}=0}^{\mathrm{N}-1}{\mathrm{T}}_{\mathrm{p}}\left(\mathrm{x}\right){\mathrm{T}}_{\mathrm{m}}\left(\mathrm{y}\right)=\mathsf{\varrho }\left(\mathrm{p};\mathrm{s},\mathrm{N}\right){\mathsf{\delta }}_{\mathrm{m}\mathrm{p}},$$

(5)

The normalization factor $\mathsf{\varrho }\left(\mathrm{p};\mathrm{s},\mathrm{N}\right)$ is

$$\mathsf{\varrho }\left(\mathrm{p};\mathrm{s},\mathrm{N}\right)={\displaystyle \frac{\mathrm{N}\left({\mathrm{N}}^2-1\right)\left({\mathrm{N}}^2-2^2\right)\dots \left({\mathrm{N}}^2-{\mathrm{p}}^2\right)}{2\mathrm{p}+1}}=\left(2\mathrm{p}\right)!\left({\displaystyle \genfrac{}{}{0pt}{}{\mathrm{N}+\mathrm{p}}{2\mathrm{p}+1}}\right),$$

$$\mathrm{p}=0,1,2,\dots ,\mathrm{N}-1,$$

(6)

${\mathsf{\delta }}_{\mathrm{m}\mathrm{p}}$ indicates a Kronecker delta, ${\mathsf{\delta }}_{\mathrm{n}\mathrm{m}}=\left\{\begin{array}{ll}1& \mathrm{m}=\mathrm{p}\\ 0& \mathrm{otherwise}\end{array}\right..$

3.2. Efficient Computation via Recurrence Relations

Direct computation of Tchebichef polynomials from their hypergeometric definition is computationally expensive. A more efficient approach uses the following three-term recurrence relation, which computes each polynomial order from the two preceding orders:

$$\begin{array}{l}{\mathrm{T}}_0\left(\mathrm{x}\right)=1\\ {\mathrm{T}}_1\left(\mathrm{x}\right)=2\mathrm{x}+1-\mathrm{N}\\ \left(\mathrm{p}+1\right){\mathrm{T}}_{\mathrm{p}+1}\left(\mathrm{x}\right)=\left(2\mathrm{p}+1\right)\left(2\mathrm{x}-\mathrm{N}+1\right){\mathrm{T}}_{\mathrm{p}}\left(\mathrm{x}\right)-\mathrm{p}\left({\mathrm{N}}^2-{\mathrm{p}}^2\right){\mathrm{T}}_{\mathrm{p}-1}\left(\mathrm{x}\right)\\ \mathrm{p}=1,2,\dots ,\mathrm{N}-1,\end{array}$$

(7)

It is preferable to work with orthonormal polynomials ${\widehat{\mathrm{T}}}_{\mathrm{p}}\left(\mathrm{x}\right)$ that have a norm of one:

$$\sum _{\mathrm{x}=0}^{\mathrm{N}-1}{\left({\widehat{\mathrm{T}}}_{\mathrm{p}}\left(\mathrm{x}\right)\right)}^2=1,$$

(8)

a normalization factor and derived recurrence formula for the following three terms:

$$\begin{array}{l}{\widehat{\mathrm{T}}}_0\left(\mathrm{x}\right)=1\\ {\widehat{\mathrm{T}}}_1\left(\mathrm{x}\right)=(2\mathrm{x}+1-\mathrm{N})/\mathrm{N}\\ {\widehat{\mathrm{T}}}_{\mathrm{p}+1}\left(\mathrm{x}\right)=\left(2\mathrm{p}-1\right){\mathrm{T}}_1\left(\mathrm{x}\right){\mathrm{T}}_{\mathrm{p}}\left(\mathrm{x}\right)-\left(\mathrm{p}-1\right)\left(1-{\displaystyle \frac{{\left(\mathrm{p}-1\right)}^2}{{\mathrm{N}}^2}}\right){\mathrm{T}}_{\mathrm{p}-1}\left(\mathrm{x}\right)\\ \mathrm{p}=1,2,\dots ,\mathrm{N}-1,\end{array}$$

(9)

To obtain more accurate reconstruction, especially at an enormous value of $\mathrm{N}$, the recurrence formula depends on the normalization factor $\left(\mathrm{p};\mathrm{s},\mathrm{N}\right)$:

$$\begin{array}{l}{\widehat{\mathrm{T}}}_0\left(\mathrm{x}\right)={\displaystyle \frac{1}{\sqrt{\mathrm{N}}}}\\ {\widehat{\mathrm{T}}}_1\left(\mathrm{x}\right)=\left(2\mathrm{x}+1-\mathrm{N}\right)\sqrt{{\displaystyle \frac{3}{\mathrm{N}\left({\mathrm{N}}^2-1\right)}}},\\ {\widehat{\mathrm{T}}}_{\mathrm{p}}\left(\mathrm{x}\right)=\left({\mathsf{\alpha }}_1\mathrm{x}+{\mathsf{\alpha }}_2\right){\widehat{\mathrm{T}}}_{\mathrm{p}-1}\left(\mathrm{x}\right)-{\mathsf{\alpha }}_3{\widehat{\mathrm{T}}}_{\mathrm{p}-2}\left(\mathrm{x}\right),\end{array}$$

(10)

where

$${\mathsf{\alpha }}_1={\displaystyle \frac{2}{\mathrm{p}}}\sqrt{{\displaystyle \frac{4{\mathrm{p}}^2-1}{{\mathrm{N}}^2-{\mathrm{p}}^2}},}$$

(11)

$${\mathsf{\alpha }}_2={\displaystyle \frac{1-\mathrm{N}}{\mathrm{p}}}\sqrt{{\displaystyle \frac{4{\mathrm{p}}^2-1}{{\mathrm{N}}^2-{\mathrm{p}}^2}}},$$

(12)

$${\mathsf{\alpha }}_3={\displaystyle \frac{\mathrm{p}-1}{\mathrm{p}}}\sqrt{{\displaystyle \frac{2\mathrm{p}+1}{2\mathrm{p}-3}}}\sqrt{{\displaystyle \frac{{\mathrm{N}}^2-{\left(\mathrm{p}-1\right)}^2}{{\mathrm{N}}^2-{\mathrm{p}}^2}}}.$$

(13)

This recurrence approach reduces computational complexity by approximately 50% compared to direct polynomial evaluation, making it suitable for resource-constrained IoT environments.

3.3. Fractional Tchebichef Polynomials

Fractional extension introduces a continuous parameter α ∈ (0, 1] that controls polynomial scaling, allowing finer adaptation to the signal being analyzed. The Fractional Tchebichef polynomial ${\mathrm{F}\mathrm{T}}_{\mathrm{n}}^{\propto }\left(\mathrm{t}\right)$ is:

$${\mathrm{F}\mathrm{T}}_{\mathrm{n}}^{\propto }\left(\mathrm{t}\right)={\mathrm{T}}_{\mathrm{n}}\left(1-2{\mathrm{t}}^{\propto }\right), \mathrm{w}\mathrm{h}\mathrm{e}\mathrm{r}\mathrm{e} \mathrm{t}\in [0,1] \mathrm{a}\mathrm{n}\mathrm{d} \propto >0$$

The analytical form of ${\mathrm{F}\mathrm{T}}_1^{\propto }\left(\mathrm{t}\right)$ is obtained as

$${\mathrm{F}\mathrm{T}}_{\mathrm{n}}^{\propto }\left(\mathrm{t}\right)=\sum _{\mathrm{k}=0}^{\mathrm{n}}{(-1)}^{\mathrm{k}}{\displaystyle \frac{\mathrm{n}{2}^{2\mathrm{k}}\left(\mathrm{n}+\mathrm{k}-1\right)!}{\left(\mathrm{n}-\mathrm{k}\right)!\left(2\mathrm{k}\right)!}}{\mathrm{t}}^{\propto \mathrm{k}}=\sum _{\mathrm{k}=0}^{\mathrm{n}}{\mathsf{\beta }}_{\mathrm{n},\mathrm{k}}{\mathrm{t}}^{\mathsf{\alpha }\mathrm{k}},$$

(14)

where

$${\mathsf{\beta }}_{\mathrm{n},\mathrm{k}}={(-1)}^{\mathrm{k}}{\displaystyle \frac{\mathrm{n}{2}^{2\mathrm{k}}\left(\mathrm{n}+\mathrm{k}-1\right)!}{\left(\mathrm{n}-\mathrm{k}\right)!\left(2\mathrm{k}\right)!}}\hspace{1em}\hspace{1em}\mathrm{a}\mathrm{n}\mathrm{d}\hspace{1em}\hspace{1em}\hspace{1em}{\mathsf{\beta }}_{0,\mathrm{k}}=1.$$

The values of the terms ${\mathrm{F}\mathrm{T}}_{\mathrm{n}}^{\propto }\left(\mathrm{t}\right)$ can be calculated efficiently by the following three-term recurrence relation

$$\begin{array}{l}{\mathrm{F}\mathrm{T}}_0^{\propto }\left(\mathrm{t}\right)=1,\\ {\mathrm{F}\mathrm{T}}_1^{\propto }\left(\mathrm{t}\right)=1-2{\mathrm{t}}^{\propto },\\ {\mathrm{F}\mathrm{T}}_{\mathrm{n}+1}^{\propto }\left(\mathrm{t}\right)=\left(2-4{\mathrm{t}}^{\propto }\right){\mathrm{F}\mathrm{T}}_{\mathrm{n}}^{\propto }\left(\mathrm{t}\right)-{\mathrm{F}\mathrm{T}}_{\mathrm{n}-1}^{\propto }\left(\mathrm{t}\right).\hspace{1em}\hspace{1em}\mathrm{n}=1,2,\dots ,\mathrm{N}-1.\end{array}$$

(15)

The FTPs satisfy the orthogonality relationship as:

$${\int }_0^1{\mathrm{F}\mathrm{T}}_{\mathrm{n}}^{\propto }\left(\mathrm{t}\right){\mathrm{F}\mathrm{T}}_{\mathrm{m}}^{\propto }\left(\mathrm{t}\right)\mathrm{w}\left(\mathrm{t}\right)\mathrm{d}\mathrm{t}={{\mathrm{c}}_{\mathrm{n}}\mathsf{\delta }}_{\mathrm{n}\mathrm{m}},\hspace{1em}\hspace{1em}\hspace{1em}\mathrm{m},\mathrm{n}\ge 0,$$

(16)

where the weight function $\mathrm{w}\left(\mathrm{t}\right)$ is defined as

$$\mathrm{w}\left(\mathrm{t}\right)={\displaystyle \frac{{\mathrm{t}}^{\frac{\propto }{2}-1}}{\sqrt{1-{\mathrm{t}}^{\propto }}}},$$

(17)

${\mathrm{c}}_0=0,$ and ${\mathrm{c}}_{\mathrm{n}}=1$. ${\mathsf{\delta }}_{\mathrm{n}\mathrm{m}}$ is a Kronecker delta, ${\mathsf{\delta }}_{\mathrm{n}\mathrm{m}}=\left\{\begin{array}{ll}1& \mathrm{m}=\mathrm{n}\\ 0& \mathrm{otherwise}\end{array}\right..$

The weighted Fractional Tchebyshev polynomials ${\widetilde{\mathrm{F}\mathrm{T}}}_{\mathrm{n}}^{\mathsf{\alpha }}\left(\mathrm{t}\right)$ is:

$${\widetilde{\mathrm{F}\mathrm{T}}}_{\mathrm{n}}^{\mathsf{\alpha }}\left(\mathrm{t}\right)=\sqrt{{\displaystyle \frac{\mathrm{w}\left(\mathrm{t}\right)}{{\mathrm{c}}_{\mathrm{n}}}}}{\mathrm{F}\mathrm{T}}_{\mathrm{n}}^{\propto }\left(\mathrm{t}\right),$$

(18)

From Equations (17) and (19), the condition of orthogonality can be concluded as

$${\mathrm{F}\mathrm{T}}_{\mathrm{n}}^{\propto }\left(\mathrm{t}\right)=\sqrt{{\displaystyle \frac{{\mathrm{c}}_{\mathrm{n}}}{\mathrm{w}\left(\mathrm{t}\right)}}}{\widetilde{\mathrm{F}\mathrm{T}}}_{\mathrm{n}}^{\mathsf{\alpha }}\left(\mathrm{t}\right),$$

hence

$$\begin{array}{l}{\int }_0^1\sqrt{{\displaystyle \frac{{\mathrm{c}}_{\mathrm{n}}}{\mathrm{w}\left(\mathrm{t}\right)}}}{\widetilde{\mathrm{F}\mathrm{T}}}_{\mathrm{n}}^{\mathsf{\alpha }}\left(\mathrm{t}\right)\sqrt{{\displaystyle \frac{{\mathrm{c}}_{\mathrm{m}}}{\mathrm{w}\left(\mathrm{t}\right)}}}{\widetilde{\mathrm{F}\mathrm{T}}}_{\mathrm{m}}^{\mathsf{\alpha }}\left(\mathrm{t}\right)\mathrm{w}(\mathrm{t})\mathrm{d}\mathrm{t}={{\mathrm{c}}_{\mathrm{n}}\mathsf{\delta }}_{\mathrm{n}\mathrm{m}},\\ {\mathrm{c}}_{\mathrm{n}}{\int }_0^1{\widetilde{\mathrm{F}\mathrm{T}}}_{\mathrm{n}}^{\mathsf{\alpha }}\left(\mathrm{t}\right){\widetilde{\mathrm{F}\mathrm{T}}}_{\mathrm{m}}^{\mathsf{\alpha }}\left(\mathrm{t}\right)\mathrm{w}(\mathrm{t})\mathrm{d}\mathrm{t}={{\mathrm{c}}_{\mathrm{n}}\mathsf{\delta }}_{\mathrm{n}\mathrm{m}}\\ {\int }_0^1{\widetilde{\mathrm{F}\mathrm{T}}}_{\mathrm{n}}^{\mathsf{\alpha }}\left(\mathrm{t}\right){\widetilde{\mathrm{F}\mathrm{T}}}_{\mathrm{m}}^{\mathsf{\alpha }}\left(\mathrm{t}\right)\mathrm{w}\left(\mathrm{t}\right)\mathrm{d}\mathrm{t}={\mathsf{\delta }}_{\mathrm{n}\mathrm{m}}.\end{array}$$

(19)

3.4. Fractional Tchebichef Moments

The 1D orders Fractional Tchebichef orthogonal moments ${\widehat{{\mathrm{F}}_{\mathrm{r}}\mathrm{T}\mathrm{M}}}_{\mathrm{n}}$ with the order, and $\mathrm{n}$ can be mathematically formulated with Fractional Tchebichef Polynomials ${\widetilde{{\mathrm{F}}_{\mathrm{r}}\mathrm{T}}}_{\mathrm{n}}^{\mathsf{\alpha }}\left(\mathrm{t}\right)$ as follows:

$${\widehat{{\mathrm{F}}_{\mathrm{r}}\mathrm{T}\mathrm{M}}}_{\mathrm{n}}=\sum _{\mathrm{x}=0}^{\mathrm{N}-1}{\widetilde{{\mathrm{F}}_{\mathrm{r}}\mathrm{T}}}_{\mathrm{n}}^{\mathsf{\alpha }}\left(\mathrm{t}\right)\mathrm{t}\left(\mathrm{x}\right),\hspace{1em}\hspace{1em}\hspace{1em}\mathrm{n}=0,1,2,\dots ,\mathrm{N}-1$$

(20)

3.5. Advantages for Network Traffic Analysis

Fractional Tchebichef moments offer four key advantages for IoT intrusion detection: (i) discrete orthogonality eliminates discretization errors that affect continuous moment methods; (ii) hierarchical encoding captures both global traffic statistics in low-order coefficients and local attack patterns in high-order coefficients; (iii) computational efficiency through recurrence relations reduces processing cost by ~50%; and (iv) the fractional parameter α provides flexible adaptation to varying network traffic distributions across different IoT environments.

4. Residual Network with Squeeze-and-Excitation Attention

This section presents the deep learning architecture combining residual learning with channel attention mechanisms for IoT attack classification.

4.1. Residual Learning Framework

Residual learning introduces skip connections that enable training of deeper networks by learning residual mappings F(x) = H(x) − x instead of the desired mapping H(x) directly [15]. The residual block formulation is:

y = F(x, {W_i}) + x

(21)

where $\mathrm{x}\in {\mathbb{R}}^{C\times H\times W}$ and $\mathrm{y}\in {\mathbb{R}}^{C\times H\times W}$ are input and output feature map tensors respectively, W_i denotes the weight matrix of the i-th convolutional layer, and F represents the residual function learned by stacked convolutional layers. The skip connection performs identity mapping, allowing gradients to flow directly through the network during back propagation, effectively mitigating the vanishing gradient problem.

4.2. Squeeze-and-Excitation Attention Mechanism

SE blocks adaptively recalibrate channel-wise feature responses through three sequential operations [28]:

•

Squeeze Operation: Global spatial information is aggregated through global average pooling, producing a channel descriptor zc that captures the global distribution of channel-wise responses:

$${\mathrm{z}}_{\mathrm{c}}=\mathrm{F}\mathrm{s}\mathrm{q}\left(\mathrm{u}\mathrm{c}\right)=(1/\mathrm{H}\times \mathrm{W}){\mathsf{\Sigma }}_{\mathrm{i}}{\mathsf{\Sigma }}_{\mathrm{j}}\mathrm{u}\mathrm{c}\left({\mathrm{i}}_{\mathrm{s}},\mathrm{j}\right)$$

(22)

•

Excitation Operation: Channel dependencies are captured through two fully connected layers with bottleneck structure:

$$\mathrm{s}=\mathrm{F}\mathrm{e}\mathrm{x}\left(\mathrm{z},\mathrm{W}\right)=\underset{\_}{\underset{\_}{\mathsf{\sigma }}}\left({\mathrm{W}}_2\cdot \underset{\_}{\underset{\_}{\mathsf{\delta }}}\left({\mathrm{W}}_1\cdot \mathrm{z}\right)\right)$$

(23)

where δ denotes ReLU activation, σ denotes sigmoid activation, and the reduction ratio r = 16 controls the bottleneck dimensionality.

•

Scale Operation: Original feature maps are recalibrated through channel-wise multiplication with learned attention weights:

$$\widetilde{\mathrm{xc}}=\mathrm{sc}·\mathrm{uc}$$

(24)

4.3. Loss Function and Optimization

The network is trained using categorical cross-entropy loss with L2 regularization:

$$\mathrm{L}=-(1/\mathrm{N}) {\mathsf{\Sigma }}_{\mathrm{i}} {\mathsf{\Sigma }}_{\mathrm{k}} {\mathrm{y}}_{\mathrm{i}\mathrm{k}} \mathrm{l}\mathrm{o}\mathrm{g} \left({\widehat{\mathrm{y}}}_{\mathrm{i}\mathrm{k}}\right)+\mathsf{\lambda } {\mathsf{\Sigma }}_{\mathrm{l}} \left|\right|{\mathrm{W}}_{\mathrm{l}}\left|\right|2$$

(25)

The Adam optimizer is employed with the initial learning rate 0.001, β₁ = 0.9, β₂ = 0.999, and learning rate reduction on plateau with patience = 5 and factor = 0.5.

5. Proposed Deep Learning Framework

The proposed framework integrates Fractional Tchebichef moment preprocessing with ResNet-SE architecture for IoT intrusion detection. Figure 1 illustrates the complete pipeline comprising preprocessing, moment computation, and deep classification stages.

5.1. Network Traffic Preprocessing Pipeline

Raw IoT network traffic undergoes systematic transformation through multiple preprocessing stages: (1) feature extraction isolates relevant network attributes including packet sizes, inter-arrival times, protocol flags, and flow statistics; (2) TF-IDF weighting assigns importance scores based on term frequency-inverse document frequency; (3) logarithmic transform applies log(1 + x) scaling to handle skewed distributions; (4) Z-score normalization standardizes features to zero mean and unit variance.

5.2. Fractional Tchebichef Moment Feature Transformations

The preprocessed features are organized into 2D matrices and transformed through Fractional Tchebichef moment computation, as illustrated in Figure 2. This transformation process consists of four sequential stages that convert raw network traffic data into compact, discriminative feature representations suitable for deep learning classification.

Stage a: Network Traffic Feature Matrix Organization: The preprocessed network traffic features are first arranged into a two-dimensional matrix structure. This spatial organization captures the relationships between different traffic attributes, with each cell representing normalized feature values. The matrix dimensions are carefully selected to preserve the intrinsic correlations within the traffic patterns while enabling efficient moment computation.

Stage b: Fractional Tchebichef Polynomial Basis Functions: The core of the transformation relies on Fractional Tchebichef polynomials of varying orders (0–3 shown in the figure). These discrete orthogonal polynomials function as basis functions for decomposing the feature matrix. Each polynomial order captures different frequency characteristics of the input data: lower-order polynomials (e.g., order 0 and 1) represent smooth, global variations in the traffic patterns, while higher-order polynomials (e.g., orders 2 and 3) capture finer-grained, localized details. The orthogonality property ensures that each basis function contributes unique, non-redundant information to the final representation, eliminating the correlation between different moment orders.

Stage c: Moment Coefficient Computation: Through mathematical projection of the input feature matrix onto each Fractional Tchebichef polynomial basis function, moment coefficients are computed using the recurrence relations defined in Equations (10)–(13). Each coefficient quantifies how strongly a particular polynomial pattern is present in the network traffic data. The resulting moment coefficient matrix exhibits a structured pattern where low-order moments contain the majority of signal energy (representing primary attack characteristics), while higher-order moments capture subtle discriminative details. This energy compaction property is particularly valuable for distinguishing between benign traffic and sophisticated attack variants that differ only in subtle statistical properties.

Stage d: Final 232 × 232 Feature Representation: Moments up to order N-1 are systematically calculated using the efficient three-term recurrence relations, producing the final 232 × 232 feature representation that serves as input to the ResNet-SE convolutional network. This compact representation offers several critical advantages over raw feature inputs:

(1)

Noise resistance: the low-pass filtering characteristics of lower-order moments suppress high-frequency noise inherent in network traffic measurements.

(2)

Dimensionality reduction: essential traffic patterns are captured in a structured format that reduces computational burden while preserving discriminative information.

(3)

Multi-scale pattern capture: the hierarchical nature of polynomial orders enables simultaneous representation of both coarse-grained attack signatures and fine-grained anomalous behaviors.

(4)

Discretization error elimination: unlike continuous orthogonal moments that require numerical approximation, Fractional Tchebichef moments operate directly in the discrete domain, ensuring analytical precision throughout the transformation process.

This moment-based feature transformation fundamentally reshapes the intrusion detection problem from high-dimensional noisy feature classification to structured pattern recognition in a compact, noise-resistant representation space optimized for convolutional neural network processing.

5.3. ResNet-SE Architecture Configuration

The ResNet-SE architecture comprises an initial convolutional block (7 × 7 conv, 64 filters, stride 2, followed by 3 × 3 max pooling), four progressive residual stages with SE attention (Stage 1: 3 blocks, 64 channels, 58 × 58; Stage 2: 4 blocks, 128 channels, 29 × 29; Stage 3: 6 blocks, 256 channels, 15 × 15; Stage 4: 3 blocks, 512 channels, 8 × 8), global average pooling, and classification head (FC-512 with dropout 0.5, FC-256 with dropout 0.3, softmax output). Figure 3 illustrates the Squeeze-and-Excitation (SE) attention block showing squeeze operation, excitation operation, and scale operation. The residual learning with channel attention is shown in Figure 4.

5.4. Justification of the 232 × 232 Dimensionality

The 232 × 232 dimensionality is determined by three converging criteria. First, regarding information completeness, empirical evaluation across candidate resolutions confirms that 232 × 232 achieves the optimal accuracy–efficiency balance: 225 × 225 yields 97.09% accuracy (18 s), 228 × 228 yields 98.43% (35 s), and 232 × 232 achieves 99.78% (43 s), demonstrating that additional coefficients at higher resolution encode security-relevant discriminative patterns. Second, regarding structural alignment, the 232 × 232 input produces non-degenerate spatial dimensions at each ResNet-SE stage (232→58→29→15→8), ensuring meaningful SE attention computation throughout the network. Third, regarding computational feasibility, larger representations such as 256 × 256 provided no statistically significant accuracy improvement while increasing processing time by 34%, confirming 232 × 232 as the point of diminishing returns.

6. Experimental Results

6.1. Experimental Setup

The proposed framework was implemented using TensorFlow 2.10 with Keras API and evaluated on NVIDIA Tesla V100 GPU (32 GB memory). Training configuration: batch size 32, maximum 100 epochs with early stopping (patience = 15), Adam optimizer (lr = 0.001), 5-fold stratified cross-validation, and 70%/15%/15% train/validation/test split. The implementation was developed using TensorFlow 2.10 with Keras API, Python 3.9, NumPy 1.23.4, Scikit-learn 1.1.3, and CUDA 11.8 with cuDNN 8.6. Both datasets were used in their original form without any sample removal. Class imbalance was handled using stratified sampling during the 70%/15%/15% train/validation/test split, ensuring proportional class representation across all partitions. The random seed was fixed at 42 for all splitting operations to guarantee identical data partitions across runs. Feature extraction selected the 46 most informative network flow attributes following the original dataset documentation. TF-IDF weighting, log transform, and Z-score normalization were applied sequentially using Scikit-learn’s TfidfTransformer, FunctionTransformer, and StandardScaler respectively, with normalization statistics computed exclusively on the training partition and applied to validation and test partitions. The fractional parameter was set to α = 0.8\alpha = 0.8 α = 0.8 and moment order to N = 232 N = 232 N = 232, with polynomial basis functions precomputed once using the three-term recurrence relation and cached to avoid redundant computation across batches. The network architecture configuration is illustrated in

Table 1. Network Architecture Configuration.

Layer Type	Output Shape	Parameters	Description
Input	232 × 232 × 1	0	Fractional Tchebichef moment features
Conv1 + MaxPool	58 × 58 × 64	3200	Initial feature extraction
Stage 1	58 × 58 × 64	73,984	3 SE-ResNet blocks
Stage 2	29 × 29 × 128	230,144	4 SE-ResNet blocks
Stage 3	15 × 15 × 256	1,180,672	6 SE-ResNet blocks
Stage 4	8 × 8 × 512	2,364,416	3 SE-ResNet blocks
GAP + FC	K classes	394,240	Classification head

.

6.2. Dataset Description

Two benchmark IoT security datasets were employed for evaluation:

• Bot-IoT Dataset: A comprehensive IoT network traffic dataset containing over 72 million records including DDoS attacks (1,926,624 samples), DoS attacks (1,650,260), reconnaissance (91,082), theft (79), and normal traffic (477). The dataset was collected from a realistic IoT network environment comprising weather stations, smart thermostats, motion sensors, and security cameras [50]. Bot-IoT demonstrates superiority over alternative datasets for ML applications by capturing realistic IoT device communications with contemporary attack vectors, unlike legacy datasets (KDD99, NSL-KDD) containing synthetic traffic from outdated protocols or datasets focused on traditional IT infrastructure (UNSW-NB15). The dataset’s substantial scale (72+ million records), IoT-specific attack patterns, and class diversity enable robust deep learning model training while addressing resource exhaustion and device compromise scenarios characteristic of real-world IoT environments.
• Leopard Mobile IoT Dataset: Comprising 14,733 malware samples and 2486 benign samples (17,219 total), this dataset represents real-world IoT security scenarios including various attack types such as DDoS, DoS, malware infections, and unauthorized access attempts. Figure 5 shows class distribution of evaluation to Bot-IoT and Leopard Mobile IoT datasets.

6.3. Performance Comparison with Baseline Methods

Table 2. Performance comparison with baseline methods.

Method	Accuracy (%)	F1-Score (%)	Category
K-Nearest Neighbors	84.70	82.30	Traditional ML
Support Vector Machine	87.50	85.10	Traditional ML
Random Forest	92.00	90.50	Traditional ML
Traditional CNN	96.90	95.80	Deep Learning
ResNet (baseline)	99.30	98.87	Deep Learning
Proposed ResNet-SE	99.78	99.37	Proposed

presents comparative evaluation against traditional machine learning and deep learning baselines. The proposed ResNet-SE achieves 99.78% accuracy, substantially outperforming K-Nearest Neighbors (84.7%), Support Vector Machines (87.5%), Random Forest (92.0%), and baseline CNN (99.3%). These comparative results for classification accuracy and F1-score between the proposed ResNet-SE and baseline methods are illustrated in Figure 6.

6.4. Impact of Input Image Dimensions

Table 3. Ablation study results.

Configuration	Accuracy (%)	Precision (%)	F1-Score (%)
Baseline CNN (no ResNet, no SE)	99.54	99.38	98.87
CNN + Residual Blocks (no SE)	99.72	99.51	99.18
CNN + SE Attention (no ResNet)	99.68	99.47	99.12
ResNet-SE without BatchNorm	99.61	99.42	99.05
ResNet-SE without Dropout	99.53	99.37	98.94
Full Model (Proposed ResNet-SE)	99.78	99.55	99.37

and Figure 7 present the impact of input dimensions on classification performance. The 232 × 232 resolution achieves optimal performance (99.78% accuracy, 99.37% F1) with acceptable processing time (43 s), while 225 × 225 offers faster processing (18 s) at reduced accuracy (97.09%).

6.5. Ablation Study

Table 4. Computational efficiency and runtime comparison.

Method	Training Time (s)	Inference Throughput (Samples/s)	Parameters
KNN	—	312.4	—
SVM (RBF)	847.3	284.7	—
Random Forest	124.6	1847.2	—
Traditional CNN	3240.5	198.3	2.1 M
ResNet (baseline)	4118.7	143.6	4.2 M
Proposed ResNet-SE	4356.2	127.9	4.46 M

presents systematic ablation analysis quantifying individual component contributions. Adding residual blocks alone improves accuracy from 99.54% to 99.72% (+0.18%), while SE attention contributes 99.68% (+0.14%). The full model achieves optimal 99.78% accuracy, confirming synergistic benefits. Figure 8 depicts Ablation study visualization showing accuracy and F1-score contributions of individual architectural components.

6.6. Training Dynamics

Figure 9 illustrates training and validation curves over 100 epochs. The model exhibits stable convergence with training loss decreasing smoothly to 0.02 and validation accuracy reaching 99.78% by epoch 65. Early stopping prevented overfitting while the learning rate scheduler enabled fine-grained optimization in later epochs.

Although the model demonstrates apparent convergence around epoch 58 as evidenced by stabilized validation accuracy, training continues until epoch 100 due to the early stopping mechanism configuration with patience = 15. Early stopping monitors validation loss rather than accuracy, allowing the optimizer to explore fine-grained parameter adjustments that may yield marginal performance improvements. The continued training from epoch 58 to 100 serves multiple purposes: (1) the learning rate scheduler reduces learning rate at plateaus (patience = 5, factor = 0.5), enabling refined weight adjustments in near-optimal regions that may not significantly affect accuracy metrics but improve model robustness; (2) validation loss continues decreasing subtly beyond epoch 58, indicating ongoing optimization despite negligible accuracy changes; (3) the Adam optimizer’s momentum components benefit from extended training to stabilize gradient estimates and escape potential local minima. Training terminates when validation loss shows no improvement for 15 consecutive epochs, which occurs around epoch 73, though the figure displays the complete 100-epoch trajectory for comprehensive analysis. This training strategy balances computational efficiency with thorough convergence verification, ensuring the model reaches genuine optimality rather than premature stopping at superficial plateaus.

6.7. Confusion Matrix Analysis

Figure 10 presents normalized confusion matrices for both datasets. On Bot-IoT, the model achieves per-class performance with DDoS (99.8%), DoS (99.7%), Reconnaissance (99.4%), Theft (99.0%), and Normal (99.5%) detection rates. On Leopard Mobile, malware detection reaches 99.8% with 99.6% benign classification accuracy.

6.8. Cross-Dataset Generalization

Table 5. Comparisons; the false positive and false negative analysis for the proposed ResNet-SE and baseline methods.

Dataset	Method	False Positive Rate (%)	False Negative Rate (%)	True Negatives	False Positives	True Positives	False Negatives
Bot-IoT	KNN	8.30	12.50	437	40	3,150,892	450,153
	SVM	6.10	9.80	448	29	3,248,763	352,282
	Random Forest	3.40	6.20	461	16	3,378,140	222,905
	Traditional CNN	2.80	2.10	463	14	3,526,351	74,694
	ResNet (baseline)	1.20	0.95	471	6	3,566,845	34,200
	Proposed ResNet-SE	0.22	0.35	476	1	3,589,864	11,181
Leopard Mobile	KNN	11.20	9.80	2207	279	13,291	1442
	SVM	8.50	7.30	2275	211	13,657	1076
	Random Forest	4.90	5.10	2364	122	13,985	748
	Traditional CNN	2.10	1.80	2434	52	14,468	265
	ResNet (baseline)	1.30	1.10	2454	32	14,571	162
	Proposed ResNet-SE	0.40	0.28	2476	10	14,692	41

evaluates generalization capability by testing the Leopard Mobile-trained model on external datasets without retraining. The model achieves 96.34% accuracy on UNSW-NB15 and 97.12% on IoT-Bot, demonstrating modest 2.7–3.4% performance degradation that indicates robust learned representations transferable across IoT security domains (Figure 11).

6.9. Computational Efficiency

The framework demonstrates favorable scalability: throughput increases from 98.0 samples/sec (1000 samples, batch 16) to 127.9 samples/sec (20,000 samples, batch 64). Memory consumption ranges from 4.2 GB to 11.2 GB depending on batch size, remaining within practical constraints for edge deployment. Single sample inference requires 7.8 ms, enabling real-time detection for moderate traffic volumes. Table 4 summarizes the Runtime Comparison for the Proposed ResNet-SE and traditional methods.

Although the proposed framework introduces a modest training time overhead of approximately 5.8% relative to the baseline ResNet (4356.2 s vs. 4118.7 s), attributable to the FT moment preprocessing stage, this cost is incurred only once during offline training. At inference, the framework processes 127.9 samples per second with single-sample latency of 7.8 ms, which, while lower in raw throughput than Random Forest (1847.2 samples/sec), represents a favorable trade-off given the substantially superior detection accuracy (99.78% vs. 92.0%). Compared directly to the baseline ResNet, the SE attention blocks introduce only a 2.5% parameter increase (4.46 M vs. 4.2 M parameters) while delivering a 0.48% accuracy gain, confirming that the efficiency cost of the SE mechanism is negligible relative to its discriminative benefit.

Memory consumption ranges from 4.2 GB to 11.2 GB depending on batch size, remaining within practical constraints for edge gateway deployment. For highly resource-constrained endpoints where the full framework cannot be deployed, the FT moment preprocessing stage can be executed on an edge gateway with the ResNet-SE model running on a more capable device, preserving the computational benefits of compact moment-based representations at the sensing layer.

It should be noted that the throughput advantage of traditional methods such as Random Forest is offset by their substantially lower detection accuracy and inability to generalize across attack taxonomies, as demonstrated in Table 2. The proposed framework represents the optimal balance among accuracy, generalization, and inference latency for IoT intrusion detection deployments.

6.10. False Positive Analysis and Cybersecurity Implications

The analysis of false positives is critically important as it directly impacts the operational feasibility of intrusion detection systems. False positives instances where benign traffic is incorrectly classified as malicious can lead to alert fatigue, wasted investigative resources, and potential disruption of legitimate network operations. This section provides a comprehensive analysis of false positive rates and their distribution across different attack categories. Table 5 presents detailed false positive and false negative analysis across both evaluation datasets. On the Bot-IoT dataset, the proposed ResNet-SE framework achieves a remarkably low false positive rate (FPR) of 0.22%, meaning that only 2.2 out of every 1000 benign traffic samples are incorrectly flagged as attacks. This represents a substantial improvement over baseline methods: K-Nearest Neighbors exhibits an FPR of 8.3%, Support Vector Machines show 6.1% FPR, and even the baseline CNN demonstrates 2.8% FPR. The Leopard Mobile IoT dataset shows similarly strong performance with an FPR of 0.40%, indicating robust generalization of the framework’s discriminative capabilities across different IoT network environments.

7. Conclusions

This study presents a hybrid intrusion detection framework integrating Fractional Tchebichef moment-based preprocessing with ResNet-SE architecture, addressing critical limitations in existing IoT security systems including network degradation, insufficient feature adaptation, and computational constraints. The framework introduces Fractional Tchebichef moments as a preprocessing technique that eliminates discretization errors while generating compact noise-resistant representations, coupled with ResNet-SE architecture that mitigates degradation through residual skip connections and adaptive channel-wise attention mechanisms. Experimental validation on complementary datasets Bot-IoT (72+ million network traffic samples) and Leopard Mobile (17,219 endpoint malware samples) demonstrates versatility across network-level and application-layer threat detection, achieving 99.78% accuracy and a 99.37% F1-score while substantially outperforming traditional approaches. Bot-IoT demonstrates superiority for machine learning applications by capturing realistic IoT device communications with contemporary attack vectors, unlike legacy datasets containing synthetic traffic. Cross-dataset evaluation confirms robust generalization (96.34% on UNSW-NB15, 97.12% on IoT-Bot) without retraining. Computational profiling reveals favorable scalability with 127.9 samples/second throughput and 7.8 ms inference latency, suitable for moderate-scale deployments. Regarding large-scale botnet detection, the framework exhibits strong applicability for coordinated attack identification across diverse taxonomies including DDoS (1,926,624 samples) and DoS (1,650,260 samples). However, carrier-grade deployment necessitates distributed architectures or hardware acceleration for networks serving millions of endpoints. Key limitations include dataset-specific evaluation scope, potential computational constraints on highly resource-limited devices, and limited model interpretability. Future directions should encompass ensemble moment-based approaches, explainable AI integration, federated learning for privacy-preserving threat intelligence, and lightweight variants through neural architecture search for edge deployment.