Research Article

Artificial intelligence model for internet of things attack detection using machine learning algorithms

[version 1; peer review: 1 approved with reservations]
PUBLISHED 25 Feb 2025

This article is included in the Artificial Intelligence and Machine Learning gateway.

Abstract

Background

The rapid growth of the Internet of Things (IoT) has brought transformative benefits across industries, yet it also presents significant security challenges due to the proliferation of connected devices.

Methods

This study proposes an artificial intelligence (AI) model leveraging machine learning algorithms to detect and classify multiple types of IoT attacks, including distributed denial of service (DDoS), reconnaissance, brute force, spoofing, and Mirai attacks, using the CICIoT2023 dataset. The dataset was divided into training and testing sets to ensure accurate performance assessment. After training, the models were tested, and their effectiveness was evaluated through metrics like accuracy and confusion matrices.

Results and conclusions

Among the algorithms used, the decision tree model outperformed the others, achieving an impressive accuracy of 98.34%. In contrast, Bayes classifiers, support vector machines (SVM), and logistic regression achieved accuracy rates of 92%, 91.5%, and 75%, respectively. These results highlight the significant potential of machine learning techniques in detecting and mitigating various IoT attacks, offering promising avenues for enhancing IoT security. Improving the performance of the IoT attack detection model using larger datasets and appropriate deep learning algorithms with tuned parameters will be our future consideration in the domain.

Keywords

Internet of Things, cyber-attacks, Internet of Things security, machine learning

1. Introduction

The Internet of Things (IoT) is a network of hundreds of millions of gadgets that can communicate with one another with little help from users. An IoT attack is a type of cyber-attack that targets systems made up of physical things, cars, buildings, and other objects integrated with software that allows them to exchange or collect data.1 As described by Anwer A. et al.,2 there were about 28 billion IoT devices in use in 2018. By 2022, this sum was predicted to reach 49.1 billion, and the IoT is projected to reach a display size of approximately ten trillion. IoT is acknowledged as a technique for appropriate mechanisms connected via servers, sensors, and different software.2

According to the Ethiopian Information Network Security Administration (INSA) director's report, 23.2 billion birr were saved by defending against cyber-attacks. During 2022/2023, more than 6,859 cyber-attacks occurred, of which only 6,768 were resolved. Banking and financial institutions, national intelligence security services, media institutions, selected governmental institutions, regional offices, and health and higher education institutions are the most targeted centers. According to the report, website attacks, malware attacks, port scans, distributed denial of service (DDoS), and structured query language (SQL) injection were the most frequently occurring types of attacks in Ethiopia during 2022/23.3

It is difficult to produce IoT security data that is useful for actual applications for several reasons. Having a vast network made up of multiple real IoT devices, akin to the topologies of actual IoT applications, is one of the primary issues. Due to the widespread adoption of IoT, its inherent mobility, and standardization limitations, numerous researchers have looked into the risks that IoT devices pose to large corporations and smart towns. As a result, smart mechanisms that can automatically detect suspicious activity on IoT devices connected to local networks are required.2,4 The pervasive growth of the IoT creates an expanding attack surface for malicious actors. Detecting these attacks effectively is crucial for securing IoT systems and protecting sensitive data. This paper explores the use of machine learning (ML) for attack detection in IoT environments, focusing on the challenge of imbalanced datasets and potential solutions.

The IoT has become a crucial component of today’s technological landscape, as it allows various devices and systems to connect and communicate with each other over the Internet. This interconnected network of devices has revolutionized many industries, including healthcare, transportation, manufacturing, and smart homes. The IoT has become increasingly significant in today’s world by connecting everyday objects to the Internet, automating tasks and processes, enhancing data-driven decision-making, and creating new opportunities.

However, the widespread adoption of IoT devices has also introduced new security challenges and vulnerabilities. IoT devices are often designed with limited processing power and memory, making them more susceptible to attacks. Additionally, many IoT devices lack robust security features such as encryption and secure authentication mechanisms, and their interconnectedness raises privacy concerns, making them easy targets for cybercriminals. There are different types of attacks targeting IoT devices, namely malware, DoS attacks, man-in-the-middle attacks, botnet attacks, and physical attacks. IoT devices, with their limited processing power, are vulnerable to cyberattacks, making them attractive targets for hackers seeking unauthorized access or control. These devices collect vast amounts of personal data, and inadequate security can lead to serious privacy breaches. Many are integrated into critical infrastructure, meaning attacks can cause widespread disruption and economic damage. Compliance with regulations is essential to avoid legal and reputational consequences. Security flaws in one device can compromise entire networks, emphasizing the need for robust protection. High-profile breaches can erode consumer trust, hinder adoption, and result in significant financial losses. If security risks are not addressed, innovation in IoT may slow down. Ensuring long-term sustainability requires continuous investment in security measures, and collaboration among organizations, developers, and policymakers is crucial for a secure IoT ecosystem.

The main contributions of this work are summarized as:

  • (1) Prominent result: The proposed model focuses on evaluating the performance of ML algorithms on an unbalanced dataset, and a prominent result was obtained. Moreover, the authors also compared the results with existing related works, and performance has been improved.

  • (2) Automation and efficiency: ML algorithms can analyze large amounts of IoT network data more quickly and accurately than manual methods. This could enable the detection of attacks in real time, enhancing the security of IoT systems.

  • (3) Scalability: As the number of IoT devices continues to grow rapidly, ML based systems can scale efficiently to handle large networks with numerous devices, ensuring comprehensive attack identification and protection.

2. Related works

Several scholars used various methodologies to carry out studies on cyber-attack detection.

In their study,2 the authors outlined a methodology for identifying suspicious network activity. They achieved a performance result of 85.34% using a random forest (RF) algorithm. The suggested framework was applied to the NSL-KDD dataset, and the results were compared in terms of training time, prediction time, specificity, and accuracy.

In their study,5 several detection techniques are assessed using the recently created Bot-IoT dataset. During the implementation stage, seven distinct ML algorithms were employed, with the majority demonstrating exceptional performance. Throughout the deployment, new features were extracted from the Bot-IoT dataset.

In their study,6 the authors used six distinct algorithms, RF, logistic regression (LR), SVM, NB, K-nearest neighbors (KNN), and multilayer perceptron (MLP), to conduct a comparative analysis of IoT cyber-attack detection techniques.

In their study,7 the authors compared the performance of numerous ML models in order to effectively detect attacks and abnormalities in IoT systems. LR, SVM, decision tree (DT), RF, and artificial neural network (ANN) are the ML algorithms that were employed in this case.

In their study,8 the authors performed IoT behavior classification, monitoring the expected IoT behaviors and evaluating the efficacy of their optimally selected classifiers versus the superset of specialized classifiers by applying them to their IoT traffic traces.

In their study,9 the authors attempt to secure IoT devices by employing a Raspberry Pi as a honeypot to mimic IoT devices and verify the user’s intent, examine various attack patterns, and shield IoT devices from known threats. The purpose of these honeypots is to protect the various protocols in IoT devices that are susceptible to assault.

In their study,10 using an extended topology made up of multiple real IoT devices, the authors created a novel realistic IoT attack dataset, adopting IoT devices as both attackers and victims. They carried out, recorded, and gathered information from 33 attacks against IoT devices, categorized into seven types, and showed how they could be replicated. Using the CICIoT2023 dataset, they assessed how well ML and deep learning algorithms classified and detected benign or malicious IoT network traffic.

In their study,11 the authors applied a hybrid deep learning technique to handle the problem of uneven data classification in attack detection. Convolutional neural networks (CNNs) and long short-term memory (LSTM) networks are the two components of the hybrid deep learning model that the authors suggest using to enhance classification performance. They draw attention to the difficulties that imbalanced datasets present in precisely identifying attacks. CNNs are useful for extracting spatial properties from the data, they say, whereas LSTM networks are better at extracting temporal dependencies from sequential data. The hybrid deep learning model’s performance is compared with that of conventional ML methods by the authors through experimentation on attack datasets that are not balanced. The results demonstrate that the hybrid deep learning approach outperforms traditional methods in detecting attacks in imbalanced datasets, showcasing the effectiveness of combining CNNs and LSTM networks for improved classification accuracy.

In their study,12 the authors explain in detail the many ML methods that are employed to identify IoT botnets. Botnets pose an increasing threat in the IoT ecosystem, and the review emphasizes the significance of IoT security. It covers the many ML techniques and algorithms that have been put forward to identify and lessen IoT botnet threats. To give readers an understanding of the current status of this field of research, the manuscript carefully assesses the advantages and disadvantages of different methodologies. For those working on botnet detection and IoT security, the paper is an invaluable resource overall.

The study13 examined how ML approaches applied to Industrial Internet of Things (IIoT) security are affected by imbalanced datasets. To better understand how class imbalances in datasets impact the ability of ML models to identify security vulnerabilities in IIoT environments, the study looks into how these imbalances may affect model performance and accuracy. Within the framework of IIoT security, it addressed several problems and difficulties associated with unbalanced datasets, including minority class misclassification and biased model predictions. Additionally, to improve the efficacy of machine learning-based security mechanisms in IIoT systems, the study suggests possible approaches and answers to these problems. Overall, the study provided valuable insights into the implications of imbalanced datasets for the security of IIoT and offers recommendations for improving the robustness and reliability of security measures in industrial IoT settings.

However, the security issues of IoT have not been fully addressed yet, and further investigation is required. Therefore, in this paper the authors focus on these issues, aiming to improve on the performance of existing works and to evaluate other ML algorithms.

3. Methods

This study followed crucial steps illustrated in the proposed IoT attack detection architecture to conduct rigorous experiments, as shown in Figure 1 designed by the authors.


Figure 1. Proposed model architectures of IoT attack detection.

This figure has been created by the author.

3.1 Dataset information

One of the most frequent problems faced by ML researchers is locating reliable datasets with the necessary properties. Regardless of the size of the dataset, selecting a specific learning technique is not as crucial as creating a well-cleaned representative dataset.14 In our investigation, we used a distinct IoT attack dataset from CICIoT2023, which has a total of 221,834 instances recorded as Comma Separated Values (CSV) files. In our study, 42 relevant features were extracted, and the total dataset was labeled with six classes: Benign Traffic, DDoS, Spoofing, SQL Injection, Recon, and Mirai. The following three key reasons were taken into account for selecting this dataset: i) the dataset contains 42 attributes extracted from different categories of IoT attack features; ii) the dataset contains 221,834 instances which are cleaned, imbalanced, and contain the required features, as shown in Table 1; iii) the dataset is provided in raw form so that it is possible to generate new features as needed.

Table 1. Dataset information.

IoT attack classes   Collected dataset   Dataset source
Mirai                50,632              Canadian Institute for Cyber Security CICIoT2023
Recon                6,094
SQL Injection        185
Benign Traffic       21,102
DDoS                 137,941
Spoofing             5,880
Total dataset        221,834

3.2 Data Preprocessing and feature selection

Preprocessing data and feature extraction for IoT attack detection with an imbalanced dataset is an important step to ensure the effectiveness of ML approaches. The researcher implemented dimensionality reduction, data splitting, and data cleaning. To ensure its quality and reliability, the researcher handles missing values, outliers, and any inconsistencies in the dataset.

Feature selection involves selecting and transforming relevant features from the raw data to improve the performance of the ML model. The researcher extracted 42 informative features using principal component analysis techniques.

3.3 Train-test dataset split ratios

Train-test dataset splits are required before feeding datasets to the learning algorithms. This is because learning model(s) are expected to be evaluated on previously unseen data to assess how well they can forecast new IoT threats. Most studies employed a train-test dataset split ratio of 80%:20%.15 However, previous studies do not agree on which train-test split ratio to use for a given number of dataset instances. This is why the present study chose a split ratio that yields improved training and testing set accuracy for each classifier, using an 80%:20% train-test split on each classifier.

As a result, for our model experiment from the total dataset, we have taken 80% (177,467) of the dataset used for training, and 20% (44,367) used for testing our model performance accuracy.
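A class-preserving (stratified) 80%:20% split over the Table 1 class counts, as an added example that is not the paper's code. It uses only the standard library; the class names and per-class counts come from Table 1, and the label column itself is constructed here in place of the real CSV files.

```python
"""Stratified 80%:20% train-test split over the CICIoT2023 class counts.

Added example, not the paper's code. The six class names and their counts are
taken from Table 1; the label list is constructed here as a stand-in for the
dataset's real label column.
"""
import random
from collections import Counter

# Class counts from Table 1 of the paper (sum to 221,834 instances).
CLASS_COUNTS = {
    "Mirai": 50_632,
    "Recon": 6_094,
    "SQL Injection": 185,
    "Benign Traffic": 21_102,
    "DDoS": 137_941,
    "Spoofing": 5_880,
}


def build_labels(counts=CLASS_COUNTS):
    """Constructed label column with one entry per dataset instance."""
    labels = []
    for name, n in counts.items():
        labels.extend([name] * n)
    return labels


def stratified_split(labels, test_frac=0.2, seed=0):
    """Return (train_idx, test_idx) such that every class keeps the same
    share of the test set that it has in the whole dataset.

    A plain random split of an imbalanced set can leave a rare class (SQL
    Injection has only 185 rows) with almost no test instances, so the split
    is done per class and the per-class parts are then merged and shuffled.
    """
    rng = random.Random(seed)
    by_class = {}
    for idx, lab in enumerate(labels):
        by_class.setdefault(lab, []).append(idx)

    train_idx, test_idx = [], []
    for idxs in by_class.values():
        rng.shuffle(idxs)
        n_test = round(len(idxs) * test_frac)
        test_idx.extend(idxs[:n_test])
        train_idx.extend(idxs[n_test:])
    rng.shuffle(train_idx)
    rng.shuffle(test_idx)
    return train_idx, test_idx


def class_shares(labels, idxs):
    """Fraction of each class among the rows selected by idxs."""
    counts = Counter(labels[i] for i in idxs)
    total = sum(counts.values())
    return {name: n / total for name, n in counts.items()}


if __name__ == "__main__":
    labels = build_labels()
    train, test = stratified_split(labels)
    print(f"train rows: {len(train)}  test rows: {len(test)}")
    test_counts = Counter(labels[i] for i in test)
    for name, share in sorted(class_shares(labels, test).items()):
        print(f"{name:15s} test rows {test_counts[name]:6d}  share {share:.4f}")
```

Because each class is rounded separately, this split yields 44,366 test rows rather than the 44,367 reported in the paper; the per-class shares, including 37 SQL Injection rows in the test set, match the whole-dataset distribution.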

3.4 Implementation Tools and Algorithms

The study conducted extensive experiments using Python to test and train the suggested Supervised ML algorithms using high-speed computing. Python was chosen as the implementation language for the study due to its abundance of libraries and packages tailored for ML research.

We employed four well-known ML algorithms, namely decision tree, SVM (with default parameters and with a sigmoid kernel), LR, and Naïve Bayes,16–19 to identify IoT attacks.

DTs are versatile and intuitive models that make predictions by recursively splitting the data based on different features. They are known for being interpretable and can handle both categorical and numerical data. We used the default DT parameters for maximum depth, minimum samples per leaf, splitting criterion, and maximum features per split.

SVM is a powerful algorithm that separates data points into different classes by finding the best hyperplane that maximizes the margin between the classes. The default parameters refer to the default values set by the algorithm, which may vary depending on the implementation. SVM can also utilize different kernels, such as the sigmoid kernel, which allows for non-linear separation of data points. The sigmoid kernel maps the data into a higher-dimensional space to find a decision boundary.

Despite its name, LR is a classification algorithm rather than a regression algorithm. It calculates the probability of an instance belonging to a certain class using a logistic function. It is commonly used for binary classification problems. To control the degree of regularization, penalizing complex models and reducing overfitting, we used the regularization parameter (lambda), chose the gradient descent solver used to find the optimal model parameters, and set the maximum number of iterations for the solver to find the optimal parameters.

Naïve Bayes is a probabilistic classifier that calculates the probability of an instance belonging to a particular class based on Bayes’ theorem, assuming that all features are independent. We used the following key parameters to implement the Naïve Bayes algorithm for IoT attack detection. Smoothing parameter (alpha): adds a small value to the estimated probabilities to avoid division by zero and improve stability, especially with sparse data. Feature selection: choosing the subset of features most relevant for classification can improve performance and interpretability.

4. Experimental result evaluation

4.1 Evaluation metrics

It is critical to specify performance metrics appropriate for the task at hand when assessing ML models. We employed the most significant performance metrics, accuracy and the confusion matrix, to assess our findings.20

Accuracy is calculated as the sum of the two correct prediction counts (TP + TN) divided by the total number of instances (P + N). The best accuracy is 1.0, and the worst is 0.0.20

$$\text{Accuracy} = \frac{TP + TN}{P + N} \tag{1}$$
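Equation (1) and the N x N confusion matrix of Section 4.2, worked through for the six CICIoT2023 classes, as an added example that is not the paper's code. The class names and the Table 1 counts are from the paper; the true and predicted label sequences are constructed here to stand in for a classifier's output on the test set, and the per-class recall and majority-class baseline are added to show what overall accuracy hides on an imbalanced dataset.

```python
"""Accuracy (equation 1) and a multi-class confusion matrix for IoT attack labels.

Added example, not the paper's code; standard library only. Class names and
the majority-class counts come from Table 1; Y_TRUE and Y_PRED are constructed.
"""

CLASSES = ["Benign Traffic", "DDoS", "Spoofing", "SQL Injection", "Recon", "Mirai"]


def confusion_matrix(y_true, y_pred, classes=CLASSES):
    """N x N matrix: rows are actual classes, columns are predicted classes."""
    pos = {c: i for i, c in enumerate(classes)}
    matrix = [[0] * len(classes) for _ in classes]
    for actual, predicted in zip(y_true, y_pred):
        matrix[pos[actual]][pos[predicted]] += 1
    return matrix


def accuracy(matrix):
    """Equation (1): correct predictions (the diagonal) over all instances."""
    correct = sum(matrix[i][i] for i in range(len(matrix)))
    total = sum(sum(row) for row in matrix)
    return correct / total


def per_class_recall(matrix, classes=CLASSES):
    """Share of each actual class the model recovered. A minority class
    (e.g. 185 SQL Injection rows) can be missed entirely while overall
    accuracy stays high, so this is read alongside equation (1)."""
    recall = {}
    for i, name in enumerate(classes):
        row_total = sum(matrix[i])
        recall[name] = matrix[i][i] / row_total if row_total else 0.0
    return recall


def majority_baseline(class_counts):
    """Accuracy of a model that always predicts the largest class."""
    return max(class_counts.values()) / sum(class_counts.values())


# Constructed 20-row test set: the model labels two Recon rows as Benign
# Traffic and one SQL Injection row as DDoS; everything else is correct.
Y_TRUE = (["DDoS"] * 10 + ["Mirai"] * 4 + ["Benign Traffic"] * 2
          + ["Recon"] * 2 + ["SQL Injection"] + ["Spoofing"])
Y_PRED = (["DDoS"] * 10 + ["Mirai"] * 4 + ["Benign Traffic"] * 2
          + ["Benign Traffic"] * 2 + ["DDoS"] + ["Spoofing"])

# Class counts from Table 1, used for the always-DDoS baseline.
TABLE1_COUNTS = {"Mirai": 50_632, "Recon": 6_094, "SQL Injection": 185,
                 "Benign Traffic": 21_102, "DDoS": 137_941, "Spoofing": 5_880}

if __name__ == "__main__":
    cm = confusion_matrix(Y_TRUE, Y_PRED)
    for name, row in zip(CLASSES, cm):
        print(f"{name:15s} {row}")
    print(f"accuracy (eq. 1): {accuracy(cm):.4f}")
    for name, r in per_class_recall(cm).items():
        print(f"recall {name:15s} {r:.2f}")
    print(f"always-DDoS baseline on Table 1: {majority_baseline(TABLE1_COUNTS):.4f}")
```

On the Table 1 distribution a model that only ever answers DDoS already scores about 62% accuracy, which is why the confusion matrix and per-class recall matter when comparing the 69% to 98% figures in Table 2.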

4.2 Experimental results and comparisons

To attain better performance results, we conducted data preprocessing techniques. The dataset is transformed into a structure appropriate for ML using pre-processing data transformation techniques.21 To make the dataset more accurate and efficient, this stage also involves cleaning it by deleting any irrelevant or corrupted data.

We employed various supervised ML techniques, including LR, DT, SVM, and NB, to carry out this investigation. DT outperformed the other ML algorithms by achieving an accuracy of 98.34%, as shown in Table 2.

Table 2. Applied ML algorithm performance result.

Machine learning algorithms     Accuracy %   Remark
Decision tree (DT)              98.34%
Support Vector Machine (SVM)    91.5%        With default hyperparameters
                                69.27%       With sigmoid kernel
Logistic Regression (LR)        75%
Naïve Bayes (NB)                92%

Accuracy is one of the most relevant performance evaluation metrics in ML as well as deep learning algorithms. This metric is also deployed in this work, as shown in Table 2, which shows that DT was the highest-performing algorithm, followed by NB and SVM with default hyperparameters. SVM with a sigmoid kernel received the lowest performance score of 69.27%, making it the least effective algorithm. Despite having a high performance score, NB was notably slower than the other algorithms. Graphically, the performance result is shown in Figure 2.


Figure 2. Machine learning approach performance applied to the CICIoT2023 dataset.

In addition to accuracy, the confusion matrix is also used to evaluate performance. A confusion matrix is an N x N matrix, where N is the total number of target classes, used to assess how well a classification model performs. The ML model’s predicted outcomes are compared with the actual target values in the matrix. The confusion matrices obtained for the SVM, LR, NB, and DT algorithms, respectively, are shown in Figure 3.


Figure 3. Confusion matrix obtained in the identification process conducted using different machine learning models (SVM (A), LR (B), NB (C), and DT (D)).

In addition to comparing and evaluating the performance of the ML algorithms deployed in this work, the authors also compared these algorithms with existing related works, as shown in Table 3. In most cases, performance improvements over the state of the art have been achieved, even though different limitations and challenges remain that need further investigation in the domain.

Table 3. Result comparison from the related works.

Related works       Title of related work                                                                                    Methods used      Performance %
5                   Internet of Things Cyberattacks Detection Using Machine Learning                                         NB                79%
2                   Attack Detection in IoT Using Machine Learning                                                           SVM, RF           85.34%
4                   Cyberattack Detection Using Machine Learning                                                             KNN & RF          88%
7                   Attack and anomaly detection in IoT sensors in IoT sites using machine learning approaches               DT, RF & ANN      99.4%
10                  Botnet Attack Detection in IoT Using Machine Learning Technique                                          DT, LR            94%
Our proposed work   Artificial intelligence model for internet of things attack detection using machine learning algorithms  DT, NB, SVM, LR   98.34%

5. Conclusions

IoT security attacks have been a hot issue in recent times. This paper aimed to design a multi-class IoT attack detection model using ML algorithms. Four supervised ML algorithms, namely DT, SVM, LR, and NB, were employed to address the proposed problem of identifying IoT attacks. The recent Canadian Institute for Cyber Security CICIoT2023 dataset, which contains imbalanced instances and multi-class attack types with six classes, was used for designing and evaluating the proposed model. The dataset was split in an 80%:20% ratio for training and testing the model, respectively. The experiments were conducted using Python in Google Colab.

To evaluate the model performance, we used a tabular representation (accuracy) and a confusion matrix for each employed algorithm. A prominent performance result was obtained. With DT, we attained the maximum prediction accuracy rate of 98.34%. DT outperforms SVM at 91.5%, LR at 75%, and Bayes classifiers (NB) at 92%. Our model achieves superior accuracy in the prediction of these IoT attacks when compared to other benchmark ML classification approaches.

In the area of IoT threat detection, our suggested model offers several contributions, including addressing unbalanced data issues, enhancing detection precision, increasing awareness of imbalanced data, improving performance, and putting forward future directions in the area. Therefore, the result could enhance security, reduce response time, and enable adaptive defense, providing a significant contribution to the domain of IoT security. The work on IoT security attack identification using ML approaches holds great promise for improving IoT security.

However, different limitations were faced in designing the IoT security attack detection system. The first limitation was that the dataset used could be too small or homogeneous for a reliable assessment and generalizability. The second limitation was adversarial attacks, which can manipulate IoT network traffic to evade or mislead ML-based detection systems, and can exploit vulnerabilities in the ML models themselves or manipulate the input data, making it difficult for the system to detect attacks accurately. The last but not least limitation was that only ML algorithms have been employed in this work, rather than the deep learning algorithms that are important for performance improvements on large datasets.

Based on the limitations mentioned above, improving the performance of the IoT attack detection model using larger datasets and appropriate deep learning algorithms with tuned parameters will be our future consideration in the domain.

Ethics and consent

Ethical approval and consent were not required.

How to cite this article
Abebe A, Gebeyehu S and Alem A. Artificial intelligence model for internet of things attack detection using machine learning algorithms [version 1; peer review: 1 approved with reservations]. F1000Research 2025, 14:230 (https://doi.org/10.12688/f1000research.161643.1)
Open Peer Review

Reviewer Report 17 Mar 2025
Petar Radanliev, University of Oxford, Oxford, England, UK
Approved with Reservations
The article is well-structured and well-written. It deserves consideration for indexing. There are some corrections, which I outline in more detail below: 

The article is a bit short, I am not certain about the journal page limit, ... Continue reading
How to cite this report
Radanliev P. Reviewer Report For: Artificial intelligence model for internet of things attack detection using machine learning algorithms [version 1; peer review: 1 approved with reservations]. F1000Research 2025, 14:230 (https://doi.org/10.5256/f1000research.177702.r370251)
  • Author Response 21 Mar 2025
    Anduamlak Abebe, Computer Science, Debre Tabor University, Debre Tabor, Ethiopia
    Thank you for your constructive comment. We acknowledge the reviewer’s concerns regarding the expansion of existing literature and knowledge comparison. We also acknowledge the reviewer’s concerns regarding the conclusion section.
    We ... Continue reading