Search Results (36)

Intrusion detection systems (IDSs) must operate under severe class imbalance, evolving attack behavior, and the need for calibrated decisions that integrate smoothly with security operations. We propose a human-in-the-loop IDS that combines a convolutional neural network and a long short-term memory network (CNN–LSTM) classifier with a variational autoencoder (VAE)-seeded conditional Wasserstein generative adversarial network with gradient penalty (cWGAN-GP) augmentation and entropy-based abstention. Minority classes are reinforced offline via conditional generative adversarial (GAN) sampling, whereas high-entropy predictions are escalated for analysts and are incorporated into a curated retraining set. On CIC-IDS2017, the resulting framework delivered well-calibrated binary performance (ACC = 98.0%, DR = 96.6%, precision = 92.1%, F1 = 94.3%; baseline ECE ≈ 0.04, Brier ≈ 0.11) and substantially improved minority recall (e.g., Infiltration from 0% to >80%, Web Attack–XSS +25 pp, and DoS Slowhttptest +15 pp, for an overall +11 pp macro-recall gain). The deployed model remained lightweight (~42 MB, <10 ms per batch; ≈32 k flows/s on RTX-3050 Ti), and only approximately 1% of the flows were routed for human review. Extensive evaluation, including ROC/PR sweeps, reliability diagrams, cross-domain tests on CIC-IoT2023, and FGSM/PGD adversarial stress, highlights both the strengths and remaining limitations, notably residual errors on rare web attacks and limited IoT transfer. Overall, the framework provides a practical, calibrated, and extensible machine learning (ML) tier for modern IDS deployment and motivates future research on domain alignment and adversarial defense. Full article

The rapid expansion of the Internet of Things (IoT) across critical sectors such as healthcare, energy, cybersecurity, smart cities, and finance has increased its exposure to cyberattacks. Conventional centralized machine learning-based Intrusion Detection Systems (IDS) face limitations, including data privacy risks, legal restrictions on cross-border data transfers, and high communication overhead. To overcome these challenges, we propose Privacy-Preserving Hierarchical Fog Federated Learning (PP-HFFL) for IoT intrusion detection, where fog nodes serve as intermediaries between IoT devices and the cloud, collecting and preprocessing local data, thus training models on behalf of IoT clusters. The framework incorporates a Personalized Federated Learning (PFL) to handle heterogeneous, non-independent, and identically distributed (non-IID) data and leverages differential privacy (DP) to protect sensitive information. Experiments on RT-IoT 2022 and CIC-IoT 2023 datasets demonstrate that PP-HFFL achieves detection accuracy comparable to centralized systems, reduces communication overhead, preserves privacy, and adapts effectively across non-IID data. This hierarchical approach provides a practical and secure solution for next-generation IoT intrusion detection. Full article

The integration of the Internet of Things (IoT) has become essential in our daily lives. It plays a core role in operating our daily infrastructure from energy grids and water distribution systems to healthcare and household devices. However, the rapid growth of IoT connections exposes our world to various sophisticated cybersecurity threats. Responding to these potential threats, many security measures have been proposed. The IoT-based Intrusion Detection System is one of the salient components of the security layer and alerts security administrators to any suspicious behaviors. In fact, machine learning-based IDS shows promising results, especially supervised models, but such models require expensive labelling processes by domain experts. The active learning strategy reduces the annotation cost and directs experts to label a small set of carefully selected instances. This paper proposes a robust approach called Clustering-based Layered Active Instance REpresentation (CLAIRE). It involves selecting both representative and informative instances. The former is selected through three sequential clustering-based layers, while the latter is selected by the fourth layer that implements an ensemble-based uncertainty mechanism to identify the most informative instances. Comprehensive evaluation on two well-known IoT datasets, namely, N-BaIoT and CICIoT2023, demonstrates promising results in selecting a small set of instances that capture the various data distributions of the data even in imbalanced datasets. We compare the results of the proposed approach with state-of-the-art baselines that work in the same scope of traditional machine learning. Full article

The growing sophistication of cyberattacks in Internet of Things (IoT) environments demands proactive and efficient solutions. We present an automated hyperparameter optimization (HPO) method for detecting cyberattacks in IoT that explicitly addresses class imbalance. The approach combines a Random Forest surrogate, a UCB acquisition function with controlled exploration, and an objective function that maximizes weighted F1 and MCC; it also integrates stratified validation and a compact selection of descriptors by metaheuristic consensus. Five models (RandomForest, AdaBoost, DecisionTree, XGBoost, and MLP) were evaluated on CICIoT2023 and CIC-DDoS2019. The results show systematic improvements over default configurations and competitiveness compared to Hyperopt and GridSearch. For RandomForest, marked increases were observed in CIC-DDoS2019 (F1-Score from 0.9469 to 0.9995; MCC from 0.9284 to 0.9986) and consistent improvements in CICIoT2023 (F1-Score from 0.9947 to 0.9954; MCC from 0.9885 to 0.9896), while maintaining low inference times. These results demonstrate that the proposed HPO offers a solid balance between performance, computational cost, and traceability, and constitutes a reproducible alternative for strengthening cybersecurity mechanisms in IoT environments with limited resources. Full article

The rapid expansion of the Industrial Internet of Things (IIoT) within smart grid infrastructures has increased the risk of sophisticated cyberattacks, where severe class imbalance and stringent real-time requirements continue to hinder the effectiveness of conventional intrusion detection systems (IDSs). Existing approaches often achieve high accuracy on specific datasets but lack generalizability, interpretability, and stability when deployed across heterogeneous IIoT environments. This paper introduces AegisGuard, a hybrid intrusion detection framework that integrates an adaptive four-stage sampling process with a calibrated ensemble learning strategy. The sampling module dynamically combines SMOTE, SMOTE-ENN, ADASYN, and controlled under sampling to mitigate the extreme imbalance between benign and malicious traffic. A quantum-inspired feature selection mechanism then fuses statistical, informational, and model-based significance measures through a trust-aware weighting scheme to retain only the most discriminative attributes. The optimized ensemble, comprising Random Forest, Extra Trees, LightGBM, XGBoost, and CatBoost, undergoes Optuna-based hyperparameter tuning and post-training probability calibration to minimize false alarms while preserving accuracy. Experimental evaluation on four benchmark datasets demonstrates the robustness and scalability of AegisGuard. On the CIC-IoT 2023 dataset, it achieves 99.6% accuracy and a false alarm rate of 0.31%, while maintaining comparable performance on TON-IoT (98.3%), UNSW-NB15 (98.4%), and Bot-IoT (99.4%). The proposed framework reduces feature dimensionality by 54% and memory usage by 65%, enabling near real-time inference (0.42 s per sample) suitable for operational IIoT environments. Full article

The exponential growth of Internet of Things (IoT) devices introduces significant security challenges due to their resource constraints and diverse attack surfaces. To address these issues, this paper proposes the Centralized Two-Tiered Tree-Based Intrusion Detection System (C2T-IDS), a lightweight framework designed for efficient and scalable threat detection in IoT networks. The system employs a hybrid edge-centralized architecture, where the first tier, deployed on edge gateways, performs real-time binary classification to detect anomalous traffic using optimized tree-based models. The second tier, hosted on a centralized server, conducts detailed multi-class classification to diagnose specific attack types using advanced ensemble methods. Evaluated on the realistic CIC-IoT-2023 dataset, C2T-IDS achieves a Macro F1-Score of up to 0.94 in detection and 0.80 in diagnosis, outperforming direct multi-class classification by 5–15%. With inference times as low as 6 milliseconds on edge devices, the framework demonstrates a practical balance between accuracy, efficiency, and deployability, offering a robust solution for securing resource-constrained IoT environments. Full article

A surge in global connectivity has led to an increase in cyberattacks, creating a need for improved security. A promising area of research is using machine learning to detect these attacks. Traditional two-class machine learning models can be ineffective for real-time detection, as attacks often represent a minority of traffic (anomaly) and fluctuate with time. This comparative study uses an ensemble of one-class classification models. First, we employed an ensemble of autoencoders with randomly generated architectures to enhance the dynamic detection of attacks, enabling each model to learn distinct aspects of the data distribution. The term ‘dynamic’ reflects the ensemble’s superior responsiveness to different attack rates without the need for retraining, offering enhanced performance compared to a static average of individual models, which we refer to as the baseline approach. Second, for comparison with the ensemble of autoencoders, we employ an ensemble of isolation forests, which also improves dynamic attack detection. We evaluated our ensemble models using the NSL-KDD dataset, testing them without the need for retraining with varying attack ratios, and comparing the results with the baseline method. Then, we investigated the impact of training data overlap among ensemble components and its effect on the detection of extremely low attack rates. The objective is to train each model within the ensemble with the minimal amount of data necessary to detect malicious traffic across varying attack rates effectively. Based on the conclusions drawn from our initial study using the NSL-KDD dataset, we re-evaluated our strategy with a modern dataset, CIC_IoT-2023, which also achieved good performance in detecting various attack rates using an ensemble of simple autoencoder models. Finally, we have observed that when distributing normal traffic data among ensemble components with a small overlap, the results show enhanced overall performance. Full article

The rapid proliferation of Internet of Things (IoT) devices has significantly increased vulnerability to Distributed Denial of Service (DDoS) attacks, which can severely disrupt network operations. DDoS attacks in IoT networks disrupt communication and compromise service availability, causing severe operational and economic losses. In this paper, we present a Deep Learning (DL)-based Intrusion Detection System (IDS) tailored for IoT environments. Our system employs three architectures—Convolutional Neural Networks (CNNs), Deep Neural Networks (DNNs), and Transformer-based models—to perform binary, three-class, and 12-class classification tasks on the CiC IoT 2023 dataset. Data preprocessing includes log normalization to stabilize feature distributions and SMOTE-based oversampling to mitigate class imbalance. Experiments on the CIC-IoT 2023 dataset show that, in the binary classification task, the DNN achieved 99.2% accuracy, the CNN 99.0%, and the Transformer 98.8%. In three-class classification (benign, DDoS, and non-DDoS), all models attained near-perfect performance (approximately 99.9–100%). In the 12-class scenario (benign plus 12 attack types), the DNN, CNN, and Transformer reached 93.0%, 92.7%, and 92.5% accuracy, respectively. The high precision, recall, and ROC-AUC values corroborate the efficacy and generalizability of our approach for IoT DDoS detection. Comparative analysis indicates that our proposed IDS outperforms state-of-the-art methods in terms of detection accuracy and efficiency. These results underscore the potential of integrating advanced DL models into IDS frameworks, thereby providing a scalable and effective solution to secure IoT networks against evolving DDoS threats. Future work will explore further enhancements, including the use of deeper Transformer architectures and cross-dataset validation, to ensure robustness in real-world deployments. Full article

Internet of Things (IoT) applications and services have transformed the way people interact with their environment, enhancing comfort and quality of life. Additionally, Machine Learning (ML) approaches show significant promise for detecting intrusions in IoT environments. However, the high dimensionality, class imbalance, and complexity of network traffic—combined with the dynamic nature of sensor networks—pose substantial challenges to the development of efficient and effective detection algorithms. In this study, a multi-objective metaheuristic optimization approach, referred to as MOOIDS-IoT, is integrated with ML techniques to develop an intelligent cybersecurity system for IoT environments. MOOIDS-IoT combines a Genetic Algorithm (GA)-based feature selection technique with a multi-objective Particle Swarm Optimization (PSO) algorithm. PSO optimizes convergence speed, model complexity, and classification accuracy by dynamically adjusting the weights and thresholds of the deployed classifiers. Furthermore, PSO integrates Pareto-based multi-objective optimization directly into the particle swarm framework, extending conventional swarm intelligence while preserving a diverse set of non-dominated solutions. In addition, the GA reduces training time and eliminates redundancy by identifying the most significant input characteristics. The MOOIDS-IoT framework is evaluated using two lightweight models—MOO-PSO-XGBoost and MOO-PSO-RF—across two benchmark datasets, namely the NSL-KDD and CICIoT2023 datasets. On CICIoT2023, MOO-PSO-RF obtains 91.42% accuracy, whereas MOO-PSO-XGBoost obtains 98.38% accuracy. In addition, both models perform well on NSL-KDD (MOO-PSO-RF: 99.66% accuracy, MOO-PSO-XGBoost: 98.46% accuracy). The proposed approach is particularly appropriate for IoT applications with limited resources, where scalability and model efficiency are crucial considerations. Full article

This paper presents a large-scale empirical study aimed at identifying the optimal local deep learning model and data volume for deploying intrusion detection systems (IDS) on resource-constrained IoT devices using federated learning (FL). While previous studies on FL-based IDS for IoT have primarily focused on maximizing accuracy, they often overlook the computational limitations of IoT hardware and the feasibility of local model deployment. In this work, three deep learning architectures—a deep neural network (DNN), a convolutional neural network (CNN), and a hybrid CNN+BiLSTM—are trained using the CICIoT2023 dataset within a federated learning environment simulating up to 150 IoT devices. The study evaluates how detection accuracy, convergence speed, and inference costs (latency and model size) vary across different local data scales and model complexities. Results demonstrate that CNN achieves the best trade-off between detection performance and computational efficiency, reaching ~98% accuracy with low latency and a compact model footprint. The more complex CNN+BiLSTM architecture yields slightly higher accuracy (~99%) at a significantly greater computational cost. Deployment tests on Raspberry Pi 5 devices confirm that all three models can be effectively implemented on real-world IoT edge hardware. These findings offer practical guidance for researchers and practitioners in selecting scalable and lightweight IDS models suitable for real-world federated IoT deployments, supporting secure and efficient anomaly detection in urban IoT networks. Full article

The Internet of Things (IoT) holds transformative potential in fields such as power grid optimization, defense networks, and healthcare. However, the constrained processing capacities and resource limitations of IoT networks make them especially susceptible to cyber threats. This study addresses the problem of detecting intrusions in IoT environments by evaluating the performance of deep learning (DL) models under different data and algorithmic conditions. We conducted a comparative analysis of three widely used DL models—Convolutional Neural Networks (CNNs), Long Short-Term Memory (LSTM), and Bidirectional LSTM (biLSTM)—across four benchmark IoT intrusion detection datasets: BoTIoT, CiCIoT, ToNIoT, and WUSTL-IIoT-2021. Each model was assessed under balanced and imbalanced dataset configurations and evaluated using three loss functions (cross-entropy, focal loss, and dual focal loss). By analyzing model efficacy across these datasets, we highlight the importance of generalizability and adaptability to varied data characteristics that are essential for real-world applications. The results demonstrate that the CNN trained using the cross-entropy loss function consistently outperforms the other models, particularly on balanced datasets. On the other hand, LSTM and biLSTM show strong potential in temporal modeling, but their performance is highly dependent on the characteristics of the dataset. By analyzing the performance of multiple DL models under diverse datasets, this research provides actionable insights for developing secure, interpretable IoT systems that can meet the challenges of designing a secure IoT system. Full article

The growth of Internet of Things (IoT) systems has brought serious security concerns, especially in asymmetrical environments where device capabilities and communication flows vary widely. Many machine-learning-based intrusion detection systems struggle to address noise, uncertainty, and class imbalance. For that reason, intensive data preprocessing procedures were required. These challenges are in real-world data. In this work, we introduce a semi-supervised learning approach that uses entropy-based uncertainty filtering to improve intrusion detection in IoT environments. By dynamically identifying uncertain predictions from tree-based classifiers, we retain only high-confidence results during training. Later, confident samples from the uncertain set are used to retrain the model through a self-training loop. We evaluate this method using three diverse and benchmark datasets named RT-IoT2022, CICIoT2023, and CICIoMT2024, which include up to 34 different attack types. The experimental results reveal that XGBoost and Random Forest outperformed other tree-based models while maintaining their robustness when predicting attacks in the IoT environment. In addition, our proposed model was compared with other models proposed by researchers in the field, and the findings confirmed that our model presented promising results. Full article

Intrusion detection in the Internet of Things (IoT) environments is increasingly critical due to the rapid proliferation of connected devices and the growing sophistication of cyber threats. Traditional detection methods often fall short in identifying multi-class attacks, particularly in the presence of high-dimensional and imbalanced IoT traffic. To address these challenges, this paper proposes a novel hybrid intrusion detection framework that integrates transformer networks with generative adversarial networks (GANs), aiming to enhance both detection accuracy and robustness. In the proposed architecture, the transformer component effectively models temporal and contextual dependencies within traffic sequences, while the GAN component generates synthetic data to improve feature diversity and mitigate class imbalance. Additionally, an improved non-dominated sorting biogeography-based optimization (INSBBO) algorithm is employed to fine-tune the hyper-parameters of the hybrid model, further enhancing learning stability and detection performance. The model is trained and evaluated on the CIC-IoT-2023 and TON_IoT dataset, which contains a diverse range of real-world IoT traffic and attack scenarios. Experimental results show that our hybrid framework consistently outperforms baseline methods, in both binary and multi-class intrusion detection tasks. The transformer-GAN achieves a multi-class classification accuracy of 99.67%, with an F1-score of 99.61%, and an area under the curve (AUC) of 99.80% in the CIC-IoT-2023 dataset, and achieves 98.84% accuracy, 98.79% F1-score, and 99.12% AUC on the TON_IoT dataset. The superiority of the proposed model was further validated through statistically significant t-test results, lower execution time compared to baselines, and minimal standard deviation across runs, indicating both efficiency and stability. The proposed framework offers a promising approach for enhancing the security and resilience of next-generation IoT systems. Full article

As cyber–physical systems are applied not only to crucial infrastructure but also to day-to-day technologies, from industrial control systems through to smart grids and medical devices, they have become very significant. Cyber–physical systems are a target for various security attacks, too; their growing complexity and digital networking necessitate robust cybersecurity solutions. Recent research indicates that deep learning can improve CPS security through intelligent threat detection and response. We still foresee limitations to scalability, data privacy, and handling the dynamic nature of CPS environments in existing approaches. We developed the CPS ShieldNet Fusion model as a comprehensive security framework for protecting CPS from ever-evolving cyber threats. We will present a model that integrates state-of-the-art methodologies in both federated learning and optimization paradigms through the combination of the Federated Residual Convolutional Network (FedRCNet) and the EEL-Levy Fusion Optimization (ELFO) methods. This involves the incorporation of the Federated Residual Convolutional Network into an optimization method called EEL-Levy Fusion Optimization. This preserves data privacy through decentralized model training and improves complex security threat detection. We report the results of a rigorous evaluation of CICIoT-2023, Edge-IIoTset-2023, and UNSW-NB datasets containing the CPS ShieldNet Fusion model at the forefront in terms of accuracy and effectiveness against several threats in different CPS environments. Therefore, these results underline the potential of the proposed framework to improve CPS security by providing a robust and scalable solution to current problems and future threats. Full article

Incremental learning empowers models to continuously acquire knowledge of new classes while retaining previously learned information. However, catastrophic forgetting and class imbalance often impede this process, especially when new classes are introduced sequentially. We propose a hybrid method that integrates Elastic Weight Consolidation (EWC) with a shared encoder architecture to overcome these obstacles. This approach provides robust feature extraction, while EWC safeguards vital parameters and preserves prior knowledge. Moreover, task-specific output layers enable flexible adaptation to new classes. We evaluated our method using the CICIoT2023 dataset, a class-incremental IoT anomaly detection benchmark. Our results demonstrated a 15.3% improvement in the macro F1-score and a 1.28% increase in overall accuracy compared to a baseline model that did not incorporate EWC, with particular advantages for underrepresented classes. These findings underscore the effectiveness of the EWC-assisted shared encoder framework for class-imbalanced incremental learning in streaming environments. Full article