IoTGeM: Generalizable models for behaviour-based IoT attack detection

IF 4.6 2区计算机科学 Q1 COMPUTER SCIENCE, HARDWARE & ARCHITECTURE

Computer Networks Pub Date : 2025-07-25 DOI:10.1016/j.comnet.2025.111550

Kahraman Kostas , Mike Just , Michael A. Lones

{"title":"IoTGeM: Generalizable models for behaviour-based IoT attack detection","authors":"Kahraman Kostas , Mike Just , Michael A. Lones","doi":"10.1016/j.comnet.2025.111550","DOIUrl":null,"url":null,"abstract":"<div><div>Previous research on behaviour-based attack detection for networks of IoT devices has resulted in machine learning models whose ability to adapt to unseen data is limited and often not demonstrated. This paper presents IoTGeM, an approach for modelling IoT network attacks that focuses on generalizability, yet also leads to better detection and performance. We first introduce an improved rolling window approach for feature extraction. To reduce overfitting, we then apply a multi-step feature selection process where a Genetic Algorithm (GA) is uniquely guided by exogenous feedback from a separate, independent dataset. To prevent common data leaks that have limited previous models, we build and test our models using strictly isolated train and test datasets. The resulting models are rigorously evaluated using a diverse portfolio of machine learning algorithms and datasets. Our window-based models demonstrate superior generalization compared to traditional flow-based models, particularly when tested on unseen datasets. On these stringent, cross-dataset tests, IoTGeM achieves F1 scores of 99% for ACK, HTTP, SYN, MHD, and PS attacks, as well as a 94% F1 score for UDP attacks. Finally, we build confidence in the models by using the SHAP (SHapley Additive exPlanations) explainable AI technique, allowing us to identify the specific features that underlie the accurate detection of attacks.</div></div>","PeriodicalId":50637,"journal":{"name":"Computer Networks","volume":"270 ","pages":"Article 111550"},"PeriodicalIF":4.6000,"publicationDate":"2025-07-25","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"0","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"Computer Networks","FirstCategoryId":"94","ListUrlMain":"https://www.sciencedirect.com/science/article/pii/S1389128625005171","RegionNum":2,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"Q1","JCRName":"COMPUTER SCIENCE, HARDWARE & ARCHITECTURE","Score":null,"Total":0}

引用次数: 0

Abstract

Previous research on behaviour-based attack detection for networks of IoT devices has resulted in machine learning models whose ability to adapt to unseen data is limited and often not demonstrated. This paper presents IoTGeM, an approach for modelling IoT network attacks that focuses on generalizability, yet also leads to better detection and performance. We first introduce an improved rolling window approach for feature extraction. To reduce overfitting, we then apply a multi-step feature selection process where a Genetic Algorithm (GA) is uniquely guided by exogenous feedback from a separate, independent dataset. To prevent common data leaks that have limited previous models, we build and test our models using strictly isolated train and test datasets. The resulting models are rigorously evaluated using a diverse portfolio of machine learning algorithms and datasets. Our window-based models demonstrate superior generalization compared to traditional flow-based models, particularly when tested on unseen datasets. On these stringent, cross-dataset tests, IoTGeM achieves F1 scores of 99% for ACK, HTTP, SYN, MHD, and PS attacks, as well as a 94% F1 score for UDP attacks. Finally, we build confidence in the models by using the SHAP (SHapley Additive exPlanations) explainable AI technique, allowing us to identify the specific features that underlie the accurate detection of attacks.

查看原文本刊更多论文

IoTGeM：基于行为的物联网攻击检测的通用模型

先前对物联网设备网络基于行为的攻击检测的研究导致机器学习模型的适应未知数据的能力有限，而且往往没有得到证明。本文介绍了IoTGeM，这是一种建模物联网网络攻击的方法，侧重于通用性，但也会带来更好的检测和性能。首先介绍了一种改进的滚动窗特征提取方法。为了减少过拟合，我们应用了一个多步骤的特征选择过程，其中遗传算法（GA）由来自一个单独的、独立的数据集的外生反馈唯一地指导。为了防止常见的数据泄漏，限制了以前的模型，我们使用严格隔离的训练和测试数据集构建和测试我们的模型。使用不同的机器学习算法和数据集对生成的模型进行严格评估。与传统的基于流的模型相比，我们基于窗口的模型具有更好的泛化能力，特别是在未见过的数据集上进行测试时。在这些严格的跨数据集测试中，IoTGeM对于ACK、HTTP、SYN、MHD和PS攻击达到了99%的F1分数，对于UDP攻击达到了94%的F1分数。最后，我们通过使用SHAP （SHapley Additive explanation）可解释的人工智能技术来建立对模型的信心，使我们能够识别准确检测攻击的具体特征。

本文章由计算机程序翻译，如有差异，请以英文原文为准。

求助全文

约1分钟内获得全文求助全文

来源期刊

Computer Networks 工程技术-电信学

CiteScore

10.80

自引率

3.60%

发文量

434

审稿时长

8.6 months

期刊介绍： Computer Networks is an international, archival journal providing a publication vehicle for complete coverage of all topics of interest to those involved in the computer communications networking area. The audience includes researchers, managers and operators of networks as well as designers and implementors. The Editorial Board will consider any material for publication that is of interest to those groups.