ALMANET: A hybrid online learning IDS for real-time IoT security
Promise Ricardo Agbedanu, Shanchieh (Jay) Yang, Richard Musabe, Ignace Gatare, James Rwigema
Egyptian Informatics Journal, volume 31, Article 100764. Journal article, published 2025-08-28.
DOI: 10.1016/j.eij.2025.100764
https://www.sciencedirect.com/science/article/pii/S1110866525001574
Citations: 0
Abstract
Although some modern Intrusion Detection Systems (IDSs) for Internet of Things (IoT) have explored online machine learning (ML) approaches to build these IDSs, most IoT-based IDSs are designed using offline ML techniques. IDSs built with offline ML approaches cannot adapt to rapidly changing IoT network conditions. They need continuous retraining and require a lot of computational power. To address these limitations, we propose ALMANET (ALMA+NET), a hybrid intrusion detection approach combining Approximate Large Margin Algorithm (ALMA) with Stochastic Weight Averaging (SWA) and an online neural network (NET). ALMANET leverages the power of online learning, which updates models incrementally and allows real-time adaptation to evolving network traffic, making it suitable for IoT environments. We validated ALMANET on four benchmark datasets, namely, NF BoT IoT, NF ToN IoT, NF UNSW, and NF CSE 2018 datasets. We demonstrated the proposed technique’s performance in terms of accuracy, recall, ROCAUC, and robustness against adversarial attacks. We compared the performance of ALMANET against RF, SVM, LR, and ALMA. ALMANET records up to 98.58% ROCAUC and demonstrates high throughput, low false positive rates, and efficient memory usage of 14.64 KB across all datasets, making it feasible for deployment on edge devices.
About the journal:
The Egyptian Informatics Journal is published by the Faculty of Computers and Artificial Intelligence, Cairo University. This Journal provides a forum for the state-of-the-art research and development in the fields of computing, including computer sciences, information technologies, information systems, operations research and decision support. Innovative and not-previously-published work in subjects covered by the Journal is encouraged to be submitted, whether from academic, research or commercial sources.