Enhancing Security and Privacy in IoT Data Streams: Real-Time Anomaly Detection for Threat Mitigation in Traffic Management
Abstract
1. Introduction
2. Background and Related Work
2.1. Anomaly Detection in IoT Networks
2.2. Cryptographic and AI-Powered Security Mechanisms
2.3. Security Challenges in IoT-Enabled Traffic Management
3. System Model and Threat Analysis
3.1. IoT System Architecture and Data Flow
- This layer consists of heterogeneous IoT devices, including smart sensors, industrial IoT devices, and healthcare monitoring systems;
- Devices communicate using various IoT protocols (Zigbee, MQTT, CoAP, etc.);
- Lightweight Zero Trust authentication mechanisms, such as one-time device verification, ECC-based credentials, or hardware trust anchors (e.g., TPM, TrustZone), are employed to reduce processing overhead while maintaining strong identity assurance.
- IoT gateways aggregate, filter, and encrypt data before forwarding it to the cloud;
- Blockchain stores authentication logs, ensuring tamper-proof access control;
- AI-based real-time anomaly detection helps detect malicious behavior at the edge.
- Uses both short-range (Wi-Fi, BLE, Zigbee) and long-range (5G, LPWAN, LoRaWAN) communication;
- Implements Zero Trust micro-segmentation, preventing lateral movement of attacks;
- Enforces lightweight end-to-end encryption (TLS, DTLS with PSK or ECC) for secure and efficient data transmission.
- Cloud servers analyze real-time data using machine learning-based anomaly detection;
- Blockchain ledger stores transaction logs, ensuring data integrity and non-repudiation;
- Implementing data-centric security ensures that data protection mechanisms travel with the data, reducing risks of exposure.
- IoT devices generate data and transmit it securely via gateways using lightweight authentication (e.g., ECC or hardware-based);
- Gateways preprocess, encrypt, and verify data through adaptive Zero Trust policies;
- Blockchain records access logs to ensure authenticity and traceability;
- The cloud performs real-time anomaly detection and threat analysis;
- Secure storage and fine-grained access control protect data from unauthorized access.
3.2. IoT Network Setup, Devices, and Protocols
- Smart cities: Traffic monitoring, smart grids, surveillance.
- Healthcare IoT (MIoT): Wearable devices, remote patient monitoring.
- Industrial IoT (IIoT): Smart factories, predictive maintenance.
3.3. Attack Surfaces
- Device Layer: Vulnerable to malware injection, physical tampering, and botnet attacks, where infected IoT devices are used for large-scale DDoS attacks.
- Gateway Layer: Exposed to unauthorized access, protocol exploitation (e.g., MQTT, AMQP), and firmware attacks.
- Network Layer: Prone to Man-in-the-Middle (MitM) attacks, Denial-of-Service (DoS), and eavesdropping, where unprotected data exchanges expose sensitive information.
- Cloud Layer: At risk of data breaches, unauthorized access, and API exploitation.
3.4. Key Security Challenges and Threats
4. Proposed Framework: Real-Time Anomaly Detection and Threat Mitigation
- Data Collection and Preprocessing Layer: Gathers real-time data from IoT sources, preprocessing via feature extraction, normalization, and blockchain-based labeling.
- Anomaly Detection Layer: Uses ML (SVM, RF) and DL (CNNs, Autoencoders) for threat classification, adaptive learning for evolving attacks, and blockchain for integrity and verification.
- Security and Access Control Layer: Applies ZTA to verify entities, uses blockchain for device authentication, and RBAC/ABAC for fine-grained access control.
- Threat Mitigation and Response Layer: Automates threat response, isolates devices, logs incidents on blockchain, and reallocates resources adaptively.
5. Methodology
5.1. Dataset and Data Collection
5.2. Data Preprocessing and Feature Engineering
5.3. Anomaly Detection Models (Model Selection)
- Random Forest (RF): The Random Forest classifier achieved 81.72% accuracy (standard deviation: 0.0047), effectively distinguishing benign traffic from malicious activities. Its ensemble approach, averaging predictions from multiple decision trees, ensured stable, high performance.
- Support Vector Machine (SVM): The Support Vector Machine (SVM) model achieved 54.06% accuracy with a low standard deviation of 0.0001, showing poor performance in distinguishing legitimate from malicious traffic. This was likely due to dataset dimensionality, class imbalance, and challenges in selecting an optimal kernel function.
- Logistic Regression (LR): The Logistic Regression model achieved 46.59% accuracy with a standard deviation of 0.0716. It struggled with traffic classification and showed convergence warnings, indicating incomplete optimization, possibly due to the dataset's complexity.
- Extreme Gradient Boosting (XGBoost): The XGBoost classifier achieved 89.89% accuracy and strong performance metrics, including 90.78% precision and 89.89% recall, with hyperparameters optimized using Optuna. Its scalability, regularization, and ability to handle high-dimensional, imbalanced data made it well-suited for real-time IoT anomaly detection.
- CNN Autoencoder: The CNN Autoencoder, trained on benign traffic to detect anomalies via reconstruction error, achieved 95.16% accuracy with a standard deviation of 0.0061. It outperformed traditional models, excelling in detecting rare attacks by capturing complex spatial–temporal patterns, though at the cost of higher computational demands.
- Attack: precision—1.00; recall—1.00; F1-score—1.00.
- Benign: precision—0.89; recall—0.88; F1-score—0.88.
- C&C: precision—0.70; recall—0.72; F1-score—0.71.
- DDoS: precision—0.86; recall—0.89; F1-score—0.88.
- Okiru: precision—0.95; recall—0.87; F1-score—0.91.
- PartOfAHorizontalPortScan: precision—0.97; recall—0.98; F1-score—0.98.
- Attack: precision—1.00; recall—1.00; F1-score—1.00.
- Benign: precision—0.91; recall—0.89; F1-score—0.90.
- C&C: precision—0.75; recall—0.78; F1-score—0.76.
- DDoS: precision—0.82; recall—0.88; F1-score—0.85.
- Okiru: precision—0.97; recall—0.90; F1-score—0.93.
- PartOfAHorizontalPortScan: precision—0.99; recall—0.99; F1-score—0.99.
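The CNN Autoencoder described above is trained on benign traffic only and flags a flow when its reconstruction error exceeds a threshold; the per-class precision, recall and F1 values listed after it, and the FPR column of the results table, are then computed from the resulting labels. The following added example (not the authors' code) implements that pipeline end to end in Python. The autoencoder is replaced by a deliberately simple stand-in that "reconstructs" every flow as the per-feature mean of the benign training set, so the reconstruction error is just the mean squared distance from the benign profile; the flows, their labels, the three feature columns and the 0.95-quantile threshold rule are all constructed for illustration.

```python
"""Reconstruction-error anomaly detection with a benign-calibrated threshold,
plus the per-class precision/recall/F1 and FPR that the paper reports.

Added example, not the authors' code. The CNN Autoencoder is replaced by a
stand-in "model" that reconstructs each flow as the per-feature mean of the
benign training flows. All flows below are constructed sample data.
"""
from statistics import mean
from typing import Dict, List, Sequence, Tuple

# Assumed feature layout: [packets_per_s, bytes_per_packet, duration_s], pre-normalized.
Flow = List[float]


def fit_benign_profile(benign_flows: Sequence[Flow]) -> Flow:
    """Stand-in for training the autoencoder on benign traffic only."""
    n_features = len(benign_flows[0])
    return [mean(flow[i] for flow in benign_flows) for i in range(n_features)]


def reconstruction_error(profile: Flow, flow: Flow) -> float:
    """Mean squared error between the flow and its 'reconstruction'."""
    return sum((p - x) ** 2 for p, x in zip(profile, flow)) / len(flow)


def choose_threshold(benign_errors: Sequence[float], quantile: float = 0.95) -> float:
    """Threshold = a high quantile of benign reconstruction error.
    A lower quantile is more sensitive but raises the false-positive rate."""
    ordered = sorted(benign_errors)
    index = min(len(ordered) - 1, int(quantile * len(ordered)))
    return ordered[index]


def classify(profile: Flow, threshold: float, flow: Flow) -> str:
    """Binary decision: anything reconstructing worse than benign traffic is an attack."""
    return "Attack" if reconstruction_error(profile, flow) > threshold else "Benign"


def per_class_metrics(y_true: Sequence[str], y_pred: Sequence[str]) -> Dict[str, Dict[str, float]]:
    """Precision, recall and F1 for every label, computed one-vs-rest."""
    metrics: Dict[str, Dict[str, float]] = {}
    for label in sorted(set(y_true) | set(y_pred)):
        tp = sum(1 for t, p in zip(y_true, y_pred) if t == label and p == label)
        fp = sum(1 for t, p in zip(y_true, y_pred) if t != label and p == label)
        fn = sum(1 for t, p in zip(y_true, y_pred) if t == label and p != label)
        precision = tp / (tp + fp) if tp + fp else 0.0
        recall = tp / (tp + fn) if tp + fn else 0.0
        f1 = 2 * tp / (2 * tp + fp + fn) if tp else 0.0
        metrics[label] = {"precision": precision, "recall": recall, "f1": f1}
    return metrics


def false_positive_rate(y_true: Sequence[str], y_pred: Sequence[str], negative: str = "Benign") -> float:
    """FPR = benign flows flagged as attacks / all benign flows."""
    negatives = [(t, p) for t, p in zip(y_true, y_pred) if t == negative]
    flagged = sum(1 for _, p in negatives if p != negative)
    return flagged / len(negatives) if negatives else 0.0


# Constructed sample data: four benign training flows and six labelled test flows.
BENIGN_TRAIN: List[Flow] = [[1.0, 2.0, 0.5], [1.2, 2.1, 0.4], [0.9, 1.9, 0.6], [1.1, 2.0, 0.5]]
TEST_FLOWS: List[Tuple[Flow, str]] = [
    ([1.0, 2.0, 0.5], "Benign"),
    ([1.1, 2.1, 0.5], "Benign"),
    ([9.0, 2.0, 0.1], "Attack"),    # flood-like packet burst
    ([1.0, 2.0, 30.0], "Attack"),   # long-lived beacon-style connection
    ([1.3, 2.3, 0.5], "Benign"),    # unusual but legitimate: becomes a false positive
    ([50.0, 2.0, 0.5], "Attack"),   # scan-like burst
]


def run_demo() -> Dict[str, object]:
    """Fit on benign data, calibrate the threshold, score the test flows, report metrics."""
    profile = fit_benign_profile(BENIGN_TRAIN)
    threshold = choose_threshold([reconstruction_error(profile, f) for f in BENIGN_TRAIN])
    y_true = [label for _, label in TEST_FLOWS]
    y_pred = [classify(profile, threshold, flow) for flow, _ in TEST_FLOWS]
    return {
        "profile": profile,
        "threshold": threshold,
        "predictions": y_pred,
        "metrics": per_class_metrics(y_true, y_pred),
        "fpr": false_positive_rate(y_true, y_pred),
    }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(key, value)
```

The quantile passed to choose_threshold is the operator's knob: it trades recall on rare attacks against the FPR column of the results table, and the deliberately "unusual but legitimate" flow shows how a benign outlier becomes a false positive. The mean-profile stand-in cannot capture the spatial–temporal structure a CNN learns, which is exactly why the paper reaches for an autoencoder; the thresholding and metric computation are the same regardless of which model produces the error.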
5.4. Blockchain Integration, Hyperparameter Optimization, and Threat Mitigation
6. Results and Discussion
6.1. Anomaly Detection Performance
6.2. Blockchain Integration and Security Enhancements
- Revoking device access in 1.2 s;
- Dynamically updating firewall rules;
- Adjusting access policies based on verified threats.
6.3. Threat Mitigation and System Efficiency
- Isolated compromised devices within 1.2 s, preventing malware spread;
- Updated security rules and firewall policies dynamically, reducing attack propagation;
- Logged security incidents in blockchain, ensuring non-repudiation and forensic traceability.
7. Conclusions and Future Work
Author Contributions
Funding
Institutional Review Board Statement
Informed Consent Statement
Data Availability Statement
Conflicts of Interest
| Layer | Devices | Communication Protocols |
|---|---|---|
| Device Layer | Smart sensors, actuators, cameras | Zigbee, BLE, Wi-Fi |
| Gateway Layer | IoT gateways, edge nodes | MQTT, AMQP, Edge Computing Protocols |
| Network Layer | Routers, base stations | 5G, LPWAN, LoRaWAN |
| Cloud Layer | AI-powered servers, blockchain nodes | MQTT, CoAP, HTTPS |

| Challenge | Solution |
|---|---|
| Unauthenticated IoT devices | Zero Trust authentication |
| Data tampering | Blockchain-based integrity verification |
| Unauthorized access | Role-based and attribute-based access control (RBAC/ABAC) |
| DDoS attacks | AI-driven anomaly detection |
| Secure communication | End-to-end encryption (TLS, DTLS) |

| Model | Accuracy (%) | Precision | Recall | F1-Score | FPR |
|---|---|---|---|---|---|
| CNN-Autoencoder | 95.16 | 0.98 | 0.95 | 0.98 | 0.07 |
| XGBoost | 89.89 | 0.90 | 0.89 | 0.88 | 0.11 |
| RF | 81.72 | 0.85 | 0.78 | 0.81 | 0.12 |
| SVM | 54.06 | 0.55 | 0.49 | 0.51 | 0.34 |
| LR | 46.59 | 0.47 | 0.42 | 0.44 | 0.41 |
© 2025 by the authors. Licensee MDPI, Basel, Switzerland. This article is an open access article distributed under the terms and conditions of the Creative Commons Attribution (CC BY) license (https://creativecommons.org/licenses/by/4.0/).
Share and Cite
Berraadi, O.; Gibet Tani, H.; Ben Ahmed, M. Enhancing Security and Privacy in IoT Data Streams: Real-Time Anomaly Detection for Threat Mitigation in Traffic Management. Comput. Sci. Math. Forum 2025, 10, 8. https://doi.org/10.3390/cmsf2025010008