Network traffic inspection to enhance anomaly detection in the Internet of Things using attention-driven Deep Learning
Authors: Mireya Lucia Hernandez-Jaimes, Alfonso Martinez-Cruz, Kelsey Alejandra Ramírez-Gutiérrez, Alicia Morales-Reyes
Journal: Integration-The Vlsi Journal, volume 103, Article 102398 (Journal Article)
Publication date: 2025-03-13
DOI: 10.1016/j.vlsi.2025.102398
URL: https://www.sciencedirect.com/science/article/pii/S0167926025000550
Anomaly detection methods are being developed to enhance the security of the Internet of Things (IoT) in the healthcare sector, particularly against cyberattacks targeting network vulnerabilities. On the other hand, supervised Machine learning (ML) algorithms have been leveraged because of their potential to handle large amounts of data and identify patterns. However, their effectiveness in identifying unknown attacks is uncertain, and the limited labeled data in the Internet of Medical Things (IoMT) environments challenges the adoption of these methods. In response, unsupervised ML-based anomaly detection methods have been proposed. Unfortunately, their performance remains suboptimal compared to supervised ML and unsupervised Deep Learning (DL) models due to the challenges posed by the heterogeneous nature of IoT data, which complicates the extraction and selection of relevant network traffic features—critical processes to ensure the effectiveness of these methods. To address these challenges, this study proposes a novel attention-driven deep neural network algorithm for network traffic representation, resulting in an improved unsupervised anomaly detection performance of the One-Class Support Vector Machine and performance comparable to current unsupervised DL-based methods. This novel network traffic characterization method relies on just nine generic features and the knowledge of which communication protocols are present or absent by applying principles from two natural language processing techniques. On the CICIoMT2024 dataset, our proposal achieves a precision of 84.43%, a recall of 98.73%, and an F1-score of 91.02%. On the MQTT-IoT-IDS2020 dataset, we achieve 92.14%, 99.17%, and 95.53% of precision, recall, and F1-score, respectively.
About the journal:
Integration's aim is to cover every aspect of the VLSI area, with an emphasis on cross-fertilization between various fields of science, and the design, verification, test and applications of integrated circuits and systems, as well as closely related topics in process and device technologies. Individual issues will feature peer-reviewed tutorials and articles as well as reviews of recent publications. The intended coverage of the journal can be assessed by examining the following (non-exclusive) list of topics:
Specification methods and languages; Analog/Digital Integrated Circuits and Systems; VLSI architectures; Algorithms, methods and tools for modeling, simulation, synthesis and verification of integrated circuits and systems of any complexity; Embedded systems; High-level synthesis for VLSI systems; Logic synthesis and finite automata; Testing, design-for-test and test generation algorithms; Physical design; Formal verification; Algorithms implemented in VLSI systems; Systems engineering; Heterogeneous systems.