Proceeding Paper

Artificial Intelligence for Intrusion Detection Through Side-Channel Techniques †

by Felipe Lemus-Prieto 1, José-Luis González-Sánchez 2 and Andrés Caro 3,*

1 Extremadura Supercomputing, Technological Innovation and Research Center (CénitS-COMPUTAEX), 10071 Cáceres, Spain
2 Fundesalud, 06800 Mérida, Spain
3 Department of Informatics and Telematics Systems, School of Technology, University of Extremadura, 10003 Cáceres, Spain
* Author to whom correspondence should be addressed.
† Presented at the First Summer School on Artificial Intelligence in Cybersecurity, Cancun, Mexico, 3–7 November 2025.
Eng. Proc. 2026, 123(1), 18; https://doi.org/10.3390/engproc2026123018
Published: 4 February 2026
(This article belongs to the Proceedings of First Summer School on Artificial Intelligence in Cybersecurity)

Abstract

The rapid expansion of Internet of Things (IoT) technologies has introduced diverse applications while simultaneously exposing devices to increasing cybersecurity risks. Sensitive data handled within IoT networks and the limited resources of connected devices make conventional intrusion detection methods often impractical. This work introduces an approach for detecting cyberattacks in IoT environments through side-channel analysis based on device power consumption. A lightweight machine learning framework is employed to identify anomalous behavior without disrupting normal device operation. Experiments conducted on various setups, including custom datasets and unseen attack patterns, confirm the system’s effectiveness and real-time detection capability. The proposed solution stands out for its simplicity, reproducibility, and ease of deployment across heterogeneous IoT infrastructures with minimal computational overhead.

1. Introduction

The rapid expansion of the Internet of Things (IoT) has connected millions of devices, ranging from sensors and cameras to home automation systems. However, this hyperconnectivity significantly increases the attack surface and introduces new cybersecurity challenges, particularly for resource-constrained devices that cannot implement traditional defenses such as antivirus software or robust firewalls. To protect such environments, Artificial Intelligence (AI)-based Intrusion Detection Systems (IDSs) have been developed, employing machine learning (ML) and Deep Learning (DL) algorithms to detect anomalous behaviors. This study proposes a novel IDS that leverages side-channel techniques—specifically, measurements of device power consumption—combined with machine learning. The system detects cyberattacks by analyzing variations in electrical consumption without interfering with normal device operation. The main objective is to assess whether software attacks can be detected through power consumption signals, distinguishing among different attack types, identifying previously unseen attack patterns, and achieving real-time detection using lightweight and portable models.

2. State of the Art

The first IoT-oriented IDSs emerged around 2017 [1], focusing primarily on analyzing network traffic (e.g., packet captures). Many such systems employ deep neural networks or autoencoders to identify anomalies, often achieving accuracies above 90%.
However, these approaches present several limitations: they typically detect only a single attack type or fail to classify attack types; they are not reproducible (datasets or source code are not publicly available); and they require significant computational resources, rendering them unsuitable for real-world IoT deployments.
In parallel, some researchers have explored physical metrics such as energy consumption or electromagnetic emissions. Previous studies demonstrated that different attacks generate distinctive power signatures, allowing their identification using simple classification models (e.g., SVM and Random Forest). Nonetheless, many of these works suffer from small sample sizes, limited generalization, and lack of cross-validation.
The present study addresses these limitations by incorporating the following: multiple IoT devices; various attack types (mining, brute force, encryption, etc.); several machine learning algorithms; and publicly available datasets and source code, ensuring full reproducibility.

3. Methodology

3.1. General Approach

Given the lack of suitable datasets (existing ones do not include energy measurements), a dedicated dataset was created using an experimental IoT network.
The network includes the following:
  • One Raspberry Pi 4 (Cambridge, UK), for orchestration and data logging.
  • End devices (simulated victims).
  • A power monitoring unit (INA3221) measuring current consumption.
According to the taxonomy of Thakkar and Lohiya [2], the proposed IDS can be classified as hybrid (combines signature-based and anomaly-based detection), flexible (capable of centralized or distributed operation), and software-oriented (focused on detecting logical/software attacks).

3.2. Hardware Setup

The primary configuration employed three Raspberry Pi 3 B (Cambridge, UK) connected to the energy sensor and one Raspberry Pi 4 acting as central node.
A secondary setup (adding an Odroid N2 (Gyeonggi, South Korea) [3] and an Asus Tinker Board (Taipei, Taiwan) [4] as new simulated victims) was implemented to evaluate the system’s generalization across different energy profiles.
Figure 1 shows the hardware architecture used in the experiments.

3.3. Simulated Attacks

Five types of attacks were implemented:
  1. Mining: Cryptocurrency mining (high CPU utilization) [5].
  2. Login (brute force): Massive SSH authentication attempts using Hydra [6].
  3. Encryption: File encryption simulating ransomware behavior.
  4. Password cracking: Hash-based password validation attack.
  5. Lite mining: Reduced-intensity mining variant.
The first three attacks were used for model training, while the last two were used for validation, representing unseen attack types not included in training.

3.4. Machine Learning Models

Five algorithms were selected [7], balancing accuracy and computational efficiency: K-Nearest Neighbors (KNN), Random Forest (RF), Extreme Boosting Trees (XBT) [8], Time Series Forest (TSF) [9], and Feature Summary (FS).
Data were transformed into temporal windows to capture the evolution of energy consumption. Each model was trained under several parameter combinations.
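The windowing step described above, shown as an added example that is not the authors' published code: a current trace is cut into temporal windows, each window is reduced to summary features, and a small k-NN (one of the listed model families) labels live windows, including a load level absent from training. The traces, current levels, window size and the one-sample-per-second reading of the delay are all constructed assumptions.

```python
import math, random, statistics

def windows(trace, size, step):
    """Slice a current trace (mA samples) into overlapping temporal windows."""
    return [trace[i:i + size] for i in range(0, len(trace) - size + 1, step)]

def summarize(win):
    """Summary features for one window: level, spread, range, trend (all mA)."""
    return (statistics.fmean(win), statistics.pstdev(win),
            max(win) - min(win), win[-1] - win[0])

def knn_predict(train, feats, k=3):
    """Majority vote among the k nearest training windows (Euclidean)."""
    nearest = sorted(train, key=lambda t: math.dist(t[0], feats))[:k]
    labels = [label for _, label in nearest]
    return max(set(labels), key=labels.count)

def synth(n, base, jitter, rng):
    """Constructed trace: base draw in mA plus uniform noise (not real data)."""
    return [base + rng.uniform(-jitter, jitter) for _ in range(n)]

def build_training(rng, size=10, step=5):
    # Constructed levels (assumptions): idle ~260 mA, mining-like load ~420 mA.
    data = []
    for label, base, jitter in (("normal", 260, 8), ("attack", 420, 25)):
        for win in windows(synth(200, base, jitter, rng), size, step):
            data.append((summarize(win), label))
    return data

def detection_delay(train, trace, onset, size=10, step=1):
    """Samples between attack onset and the first window flagged as attack."""
    for i, win in enumerate(windows(trace, size, step)):
        end = i * step + size - 1          # index of the window's last sample
        if end >= onset and knn_predict(train, summarize(win)) == "attack":
            return end - onset
    return None

rng = random.Random(7)                      # fixed seed: reproducible run
TRAIN = build_training(rng)
# 60 idle samples, then a lite-mining-like load (~360 mA) never seen in training.
LIVE = synth(60, 260, 8, rng) + synth(60, 360, 20, rng)
DELAY = detection_delay(TRAIN, LIVE, onset=60)

if __name__ == "__main__":
    print("first alert", DELAY, "samples after attack onset")
```

The delay is bounded by the window length: a window must contain enough attack samples before its summary moves toward the attack class, which is why window size trades detection latency against noise rejection.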

3.5. Experimental Scenarios

Five experimental scenarios were designed to address six research questions (RQs):
  1. Baseline: Detection (RQ1) and classification (RQ2) of known attacks.
  2. Validation: Detection of unseen attacks (RQ3).
  3. Local execution: Model running on the target device itself (RQ4).
  4. Real-time operation: Detection during live attack execution (RQ5).
  5. Multi-device training: Training with data from heterogeneous hardware (RQ6).
A total of 281 independent tests were performed, combining models, parameters, and scenarios.

4. Results

Results showed that the system accurately distinguishes between normal behavior and attack activity, achieving F1-scores above 0.99. The Time Series Forest (TSF) model achieved the highest performance, followed by Feature Summary (FS). Increasing dataset size did not significantly improve performance, suggesting high training efficiency.
Unseen attacks were detected with slightly lower accuracy (F1: 0.85–0.90). The lite mining attack was effectively identified, whereas password cracking proved more challenging due to its low energy footprint. The Random Forest (RF) model demonstrated superior robustness against unknown attacks, confirming that the system generalizes well (RQ3).
When executed directly on the target device, the model retained its detection capability. The FS model effectively distinguished attack-induced energy variations from the device’s own computational noise, demonstrating the feasibility of local deployment (RQ4).
The system detected attacks with an average delay of 5.25 s from initiation and 10 s from termination. This confirms the feasibility of real-time operation with acceptable latency (RQ5).
The TSF model maintained nearly identical accuracy (F1: 0.998), proving that a single model can be effectively trained for multiple IoT devices with heterogeneous energy profiles (RQ6).
Energy profiling showed that TSF, while the most accurate, also consumed the most power (≈435 mA). FS and RF models exhibited lower consumption (≈325–330 mA), offering an optimal balance for battery-powered devices.

5. Conclusions

This study demonstrates the feasibility of an energy-consumption-based, machine learning-driven IDS for IoT devices that operates without disrupting normal functionality.
Software attacks can be detected (RQ1) and classified (RQ2) through power consumption signals. Previously unseen attacks can be identified with moderate accuracy (RQ3). The system operates effectively even when it is executed locally on the target device (RQ4), and it supports low-latency real-time detection (RQ5). It generalizes across multiple heterogeneous IoT devices (RQ6).
In summary, the proposed IDS combines efficiency, portability, and reproducibility, representing a promising approach to IoT cybersecurity. The publicly available code and datasets further contribute a valuable open research resource for future investigations.

Author Contributions

Conceptualization, F.L.-P. and A.C.; methodology, F.L.-P.; software, F.L.-P.; validation, J.-L.G.-S. and A.C.; formal analysis, J.-L.G.-S.; investigation, A.C.; resources, A.C.; writing—original draft preparation, A.C.; writing—review and editing, F.L.-P., J.-L.G.-S., and A.C.; supervision, A.C.; project administration, F.L.-P.; funding acquisition, A.C. All authors have read and agreed to the published version of the manuscript.

Funding

This research is carried out within the framework of the funds of the Recovery, Transformation and Resilience Plan, financed by the European Union (Next Generation)—National Cybersecurity Institute (INCIBE) in the project C109/23 “Strategic Project UEx-Escuela Politécnica-INCIBE”.

Institutional Review Board Statement

Not applicable.

Informed Consent Statement

Not applicable.

Data Availability Statement

Source code and datasets are available online at https://github.com/CenitS-COMPUTAEX/IOT/tree/v1 (accessed on 2 February 2026).

Conflicts of Interest

The authors declare no conflict of interest.

References

  1. Shukla, P. ML-IDS: A machine learning approach to detect wormhole attacks in Internet of Things. In 2017 Intelligent Systems Conference (IntelliSys); IEEE Xplore: London, UK, 2018; pp. 234–240.
  2. Thakkar, A.; Lohiya, R. A review on machine learning and deep learning perspectives of IDS for IoT: Recent updates, security issues, and challenges. Arch. Comput. Methods Eng. 2021, 28, 3211–3243.
  3. Hardkernel. Odroid N2 Board. 2023. Available online: https://www.hardkernel.com/shop/odroid-n2-with-4gbyte-ram-2 (accessed on 2 February 2026).
  4. ASUS. Asus Tinker Board. 2023. Available online: https://www.asus.com/es/networking-iot-servers/aiot-industrial-solutions/all-series/tinker-board/ (accessed on 2 February 2026).
  5. Pruvot, T.; Jones, L. Cpuminer. 2017. Available online: https://github.com/tpruvot/cpuminer-multi (accessed on 2 February 2026).
  6. van Hauser Heuse, M. Hydra. 2022. Available online: https://github.com/vanhauser-thc/thc-hydra (accessed on 2 February 2026).
  7. Pedregosa, F.; Varoquaux, G.; Gramfort, A.; Michel, V.; Thirion, B.; Grisel, O.; Blondel, M.; Prettenhofer, P.; Weiss, R.; Dubourg, V.; et al. Scikit-learn: Machine learning in Python. J. Mach. Learn. Res. 2011, 12, 2825–2830.
  8. Chen, T.; Guestrin, C. XGBoost: A Scalable Tree Boosting System. In Proceedings of the 22nd ACM SIGKDD International Conference on Knowledge Discovery and Data Mining, San Francisco, CA, USA, 13–17 August 2016; Association for Computing Machinery: New York, NY, USA, 2016; pp. 785–794.
  9. Deng, H.; Runger, G.; Tuv, E.; Vladimir, M. A Time Series Forest for Classification and Feature Extraction. Inf. Sci. 2013, 239, 142–153.
Figure 1. Architecture used in the experiments.