F1000ResearchF1000Research2046-1402F1000 Research LimitedLondon, UK10.12688/f1000research.175200.1Research ArticleArticlesSecuring Healthcare IoT Ecosystems: Anomaly Detection and Resilience Mechanisms for Enhanced Data Privacy and Trustworthiness
[version 1; peer review: 1 approved with reservations, 1 not approved]
MouloodKholood J.Formal AnalysisInvestigationMethodologyProject AdministrationSoftwareSupervisionValidationVisualizationWriting – Original Draft PreparationWriting – Review & Editinghttps://orcid.org/0000-0001-6369-6939a1AtiyaOqbah SalimSoftwarehttps://orcid.org/0009-0000-8849-33452
Mathematics, Tikrit University,College of Education for Women, Tikrit, Saladin Governorate, 00964, Iraq
Computer science, Tikrit University College of Computer science and Mathematics, Tikrit, Salaheddin, 00964, Iraqkjamal@tu.edu.iq
The propagation of Internet of Things (IoT) devices in healthcare, while remote monitoring has enabled and patient care has improved, significant vulnerabilities have introduced that threaten the security of sensitive medical data. To address this crucial challenge, the study proposes a novel framework to enhance the privacy of data and trustworthiness in healthcare IoT ecosystems using advanced anomaly detection. We introduced a Customized Sand Cat Swarm driven Updated Random Forest (CSCS-URF) model, as a first step, data is preprocessed using min-max normalization and Recursive Feature Elimination (RFE). The Second step is analyzing data by an ensemble classifier optimized via a customized swarm intelligence algorithm to effectively identify security anomalies. Then, evaluate the system on the CICIoT20232 dataset, the proposed CSCS-URF method shows superior performance compared to existing benchmarks, achieving an accuracy of 97%, precision of 94%, recall of 96%, and an F1-score of 95%. These results indicate that the CSCS-URF framework is a robust solution for proactive security, enabling the early detection of potential breaches to strengthen system integrity and safeguard patient data against evolving cyber threats in the healthcare sector.
Health CareAnomaly DetectionInternet of Things (IoT)Customized Sand Cat Swarm Driven Updated Random Forest (CSCS-URF)Data PrivacyThe author(s) declared that no grants were involved in supporting this work.1. Introduction
Internet of things (IoT) is widely suggested for use in a variety of applications across several industries. IoT depends on sensors that gather environmental data for objectives including wide-area surveillance and tracking.
1 The design of smart infrastructures such as smart grids, smart cities, and smart metering systems was developed up of this potential. Remote patient care and effective data management each have been rendered accessible by the integration of IoT devices into healthcare ecosystems, which have transformed the sector.
2 Sensitive healthcare data considering and captured by such networked devices is evolving to ensure privacy and security. A variety of vulnerabilities that might be exploited by attackers, the widespread adoption of IoT devices in the medical sector raises integrity and availability of patient data.
3 Sensor buildings acquire data regarding patients and their environment across networks. The use of methods for data transmission from ports of entry to the border routers, data transfer to cloud servers for enhanced evaluation and storage, and analysis the border router.
4 Flexibility technique and anomaly detection are essential for reducing the effects of safety incident and declare the function of healthcare amenities. Proactive measures including data encryption, device authentication, entrance limits and frequent security audits are part of resilience schedules.
5 Anomaly detection, performed by monitoring device motions across time and identifying variations that point to signals of hostile behavior that is a crucial component of ecosystem protection.
6 Anomaly detection systems is automatically recognize the usual behavior of devices, users, and network traffic in a healthcare system by using modern machine learning (ML) techniques and information analytics approaches. The value of anomaly detection in protecting IoT networks for healthcare, emphasizes and integrity of digital infrastructures in healthcare environments.
7 The aim of this study anomaly detection in healthcare IoT ecosystems is to identify abnormal behavior or deviations from expected patterns within the network, devices, or data, aiming to promptly detect and mitigate potential security threats or breaches. The study contributes by Introducing a new, more sophisticated architecture using learning method (URF) integrated with optimization algorithm (CSCSO), this hybrid model outperforms the methids (GNB, KNN, DT) using accuracy, precision, recall, and F1-score as performance evaluation metrics.
2. Related work
The research
8 explained a smart health care system that predicts heart disease utilizing feature fusion and ensemble deep learning (DL). The technique known as feature fusion generates relevant healthcare data by integrating features that have been obtained from healthcare data with recorded. Heart disease data are used to test the recommendation, and contrasted to standard classifiers based on combination of features, choice of features, and weighing approach. The study
9 explained convolutional neural network (CNN) based techniques for structural health monitoring (SHM) approaches to exploit of recorded compact response data. Confusion matrices and training accuracy records are used to evaluate each CNN implementation’s performance in combination to other performance measures. The article
10 described a medical image cryptosystem that generates two separate sets of chaotic randomized vectors using a stacked auto-encoder (SAE) networks. The benefits of parallel SAE calculation which decrease the intricacy and runtime cryptosystem effective, the findings shows structure might be beneficial and suitable for services offered by the medical sector. The research
11 described intends to develop a stable platform for early detection by integrating artificial intelligence (AI) and fog computing with smart health. The performance of the framework was evaluated in terms of power consumption, latency, network use, and storage utilization. To classify F1 score, accuracy, and precision are evaluated. The article
12 provided a framework for secure healthcare monitor that merge edge cloud and named data networking (NDN) in IoT. The model uses ciphertext and signatures to enable healthcare data transmission security and make of NDN’s capabilities to enhancethe medical data retrieval. The framework has a numerical assessment. The research
13 provided an empirical confirmation of the connection among IoT deployment and how patient care service engagement was affected by adoption. Results demonstrates how the use of IoT devices in healthcare establishes new opportunity and challenges the established model by allowing patients to participate in selection and increasing their involvement with the system. The study
14 offered an IoT was real-time health monitormodel powered by DL. The suggested system measures vital signs using wearable medical equipment and derives pertinent information using a variety of DL methods. Various numerically based performance assessment criteria are taken into consideration when conducting a thorough evaluation of the proposed system’s performance utilizing a cross-validation
test.
3. Methodology
The purpose of CSCS- URF method is used to enhance data privacy safeguard sensitive patient information. In this section firstly dataset is gathered and data cleaning is employed using min max normalization, to enhance interpretability feature selection using RFE. Our proposed CSCS-URF method is executed and explained in detail.
Figure 1 shows that workflow of methodology.
Overview of proposed workflow.
Step 1: Data Preprocessing (data cleaning and normalization).
Step 2: Splitting the dataset.
Step 3: Feature selection using recursive feature elimination (RFE).
This study employs IoT attack dataset, CICIoT20232,
15 in purpose of the dataset is to stimulate the development of security analytics applications that might be used in real-world IoT operations. The researchers used a topology of 105 IoT devices to execute out 33 distinct attacks.
15 The seven categories into these attacks divided intodenial of service (DoS), distributed denial of service (DDoS), web based, recon, brute force, spoofing, and mirai. There are 169 files in the collection, which are stored in packet capture (PCAP) and CSV file formats.
3.2 Data cleaning using min max normalization
The Min-max normalization is a method used in safe IoT healthcare to scale data along a range, maintaining data privacy and facilitating precise analysis and measurement of health-related data. After normalization is applied, the system provides effective outputs. Using max and min values modifies the data values in anassuredvarietyamong 0 and 1. Min max approach is used to compile data with the intention of improving access to healthcare. The range of particular
min(Gctm)from each data to execute
Equation (1),
Gctm−min(Gctm)
After that, adjust the data such that the upper bound is 1. To accomplish that, multiply each value by the initial range. It is stated as
Equation (2),
Gctmmax(Gctm)−min(Gctm)
Finally, the normalized number might be obtained by combining
Equations (2) and (3),
minMax=Gctm−min(Gctm)max(Gctm)−min(Gctm)
The lowest and maximum values are used to replace the missing values in accordance with the aforementioned techniques, which enhance the data integrity.
3.2.1 Splitting data
After the cleaning process, we split the data into two parts: one is testing and the other one is training. Training includes 80% of dataset; testing includes 20% of dataset.
3.3 Feature selection using recursive feature elimination (RFE)
RFE selects the most effective features for anomaly detection, improving the security of the healthcare IoT. By selecting features that are beneficial to detection accuracy, RFE frequently eliminate irrelevant data. It protects healthcare IoT networks against cyber attacks and ensures patient data integrity by deliberately optimizing feature sets to increase anomaly detection performance. Eliminating features that contribute to oversights and identifying factors that might enhance results are the main objectives of feature selection. To develop a low-weight security solution that works with healthcare systems, features have to be limited to the capabilities that are essential for testing and training systems. The model’s computational efficiency and performance are improved by determining whether attributes have an effective connection with the target indicator. Feature selection was done using the wrapper strategy with RFE. This method separates the input data into separate subgroups, which is used to build a different model. Subsequently, certain performance metrics are used to determine which characteristics are most desired. Secure the healthcare data feature sets depend on RFE which is a necessary input for ML models. The feature set that RFE acquired is follows in
Equation (4):
RFE=(Ev,R=1)
Anomaly detection is essential for protecting sensitive data and preventing cyberattacks in the healthcare industry. It functions by recognizing anomalies in patient data, device activity, or network traffic. Anomaly detection increases security measures by using ML, protecting the confidentiality and integrity of patient information and healthcare systems.
Integrating anomaly detection systems with CSCSO technology is essential to secure healthcare IoT. While CSCSO maintains a network of compact flexible drones to observe and threat response, anomaly detection detects anomalous activity. In healthcare IoT instances, this combination strategy improves real-time monitoring and security against various cyber and physical risks. A brand-new swarm intelligence (SI) based metaheuristic technique is called CSCSO, With an emphasis on the distinctive ability of hearing and hunting skills that distinguish desert-dwelling cats, this algorithm is designed for adaptive and balanced throughout its exploration-exploitation operations. Utilizing such special abilities, the cats can follow the actions and locations of their victims. Sand cats have two main phases to their foraging, based on their behavioral traits. A sand cat is allocated to each problem’s unavailable parameter in this population-based method. Each cat, or search agent is perceived as a vector that’s length matches to the scale of that problem. The performance of algorithm based fitness function of each problems
Equation (5),
Fitness=eTandcat=eTD1,TD2,…,TDm;∀wj,(calculated in healthcare system)
The following
Equations (2) through (5) represent the mathematical frameworks which function in the SCSO’s searching (exploration) and hunting (exploitation) stages.
d→=T−T∗sS
The following
Equations (6) through (7) represent the mathematical models which function well in the SCSO’s finding (exploration) and hunting (exploitation) stages.
Q→=2×d→×rand−d→q→=d→×rand
Equation (8) is coefficients of
randfunction sincecats have sensitive hearing,
q is accountable for directing the algorithm to act in an equal secure data in healthcare.
Updated Random Forest (URF)
Healthcare IoT Ecosystem security is essential and anomaly detection is essential to secure the patient data. URF stands to be an effective medication. By providing increased randomness to the feature selection process, URF improves on classic are ensemble methods of learning. This increases the system’s resilience to a variety of attacksand anomalies in the intricate healthcare IoT context. URF utilizes the original data and generates several subtraining sets and matching test sets using a random sampling technique. To resampling, duplicate data appears in every training subset, preventing local extremes from becoming problems. To get at the ultimate preference, multiple decision tree models are trained using testing data. It builds each individual tree using bootstrap and feature randomness to produce a forest of uncorrelated trees with a forecast that is higher to any particular tree. The following is the method for building a URF with
N trees regarding each
n=1,…,N.
Figure 2 illustrates that structure of URF. Create a bootstrapped test
xn using
Equation (9),
f(y)=1N∑j=1nb(x)
The structure of Updated Random Forest (URF).
URF creates many decision trees by using various data subsets and input variables. The final outcome of the URF is the combined prediction of random variable in each tree, which is training data subset of the input parameters in secures the patient data. The security of the healthcare IoT ecosystem is ensured by CSCS-URF. It improves data privacy and reliability by using resilience and anomaly detection techniques. In IoT instances, CSCS-URF provides robust safety against attacks, improving the integrity of medical data. Pseudocode 1 illustrates that CSCS-URF.
Input:
Dataset: Preprocessed data (normalized by Min-Max normalization, feature selected using RFE).
N_agents: population size (Number of sand cat swarm agents).
N_trees: Number of decision trees in the URF.
Max_iterations: Maximum number of iterations.
Output:
Optimized_URF_Model: A trained URF model with hyperparameters optimized by the CSCSO.
Begin
Initialization Phase:
Initialize the population of sand cat swarm agents Xi (i = 1 to N_agents). Each agent’s position represents a candidate solution, typically a vector of hyperparameters for the URF model (max. depth of trees, features’ number to consider at a split).
Initialize (URF) model with random hyperparameters.
Define the fitness function as the primary evaluation metric,
Evaluate the initial fitness for each solution.
Repeat until Max_iterations is reached:
For each sand cat agent i in the population:
Exploration & Hunting Behavior
Calculate the sensitivity range r for hearing (
q→=d→∗rand).
Generate a random angle θ between 0 and 360 degrees.
If|Q|> 1 (Exploration Phase - searching for new regions):
Random movement based on the agent’s current position, the best candidate position (T), and the controlling parameters d and Q.
Else|Q|≤ 1 (Exploitation Phase):
move towards the best solution found (T), The new position is calculated as:
Xnew=T−r∗sign(cos(θ))∗x_current.
Fitness Evaluation
Configure URF model with new position’s (Xi) hyperparameters.
Train the URF model on the training subset.
Calculate the trained model’s fitness on the validation subset.
Update Best Solution:
If the fitness of new position > its previous or the global best, update the solution (T).
Update the RFU (Integrate with Best Solutions):
After evaluate all solutions in the current iteration, identify the G_best agent
The URF model’s hyperparameters are set the G_best agent’s position.
Final Model Training:
Using the G_best agent, train the URF model using the entire training set.
the final output is The resulting Optimized_URF_Model
is.
Return Optimized_URF_Model
End
4. Results
In this study, utilizing the Python platform and the RAM of a laptop refers to 8.00 GB the access data quickly an Intel
® Core i9 Processors, and Windows 11. To evaluate the proposed method’s performance in terms of precision, recall, f1-score, accuracy and the existing methods such as Gaussian naive bayes (GNB),
16 k-nearest neighbors (KNN),
16 decision tree (DT)
16 that are explained in detail.
Table 1 show that numerical outcomes of existings and proposed.
Existing and proposed outcomes.
Methods
Recall (%)
F1-score (%)
Precision (%)
Accuracy (%)
GNB
16
92.508
91.936
91.806
92.508
KNN
16
92.753
92.99
91.994
92.753
DT
16
91.963
92.01
92.061
91.963
CSCS-URF [Proposed]
96
95
94
97
Accuracy: Accuracy in anomaly detection is crucial for protecting IoT networks in the healthcare industry. Anomalies indicated that potential security breaches might be detected and fixed through continually monitoring data flow and device activity. By implementing this proactive measure, the IoT infrastructure’s delicate medical data is better protected.
The comparison of accuracy among the existing approaches and proposed methods is displayed in
Figure 3. When compared to existing approaches, our proposed CSCS-URF approach achieved 97% and existing methods are GNB attains 92.508%, KNN attains 92.753%, and DT attains 91.963 %. It demonstrates the greater efficiency in ensures healthcare IoT ecosystem security by using our proposed approach.
Result of accuracy, compare the accuracy of proposed method with DT, KNN, and GNB.
Precision: Robust anomaly detection algorithms are essential for precision in healthcare IoT ecosystem security. Anomalies indicative of potential security breaches or malfunctions was quickly detected by monitoring data flow and device performance. In healthcare IoT contexts, precision ensures prompt clarification, reducing threats to patient data integrity and system stability.
The comparison of precision among the existing approaches and proposed methods is displayed in
Figure 4. When compared to other existing approach, our proposed CSCS-URF approach achieved 94% and existing methods are GNB attains 91.806%, KNN attains 91.994%, and DT attains 92.061%. It demonstrates the greater efficiency in ensures healthcare IoT ecosystem security by using our proposed approach.
Result of precision, compare the precision of proposed method with DT, KNN, and GNB.
Recall: Protecting medical IoT networks is the main goal of anomaly detection. It makes use of anomaly detection methods to spot anomalous patterns of behaviour that can point to security flaws or other system issues. It improves IoT security for healthcare by quickly identifying abnormalities and protecting the security and integrity of private patient information.
The comparison of recall among the existing approach and proposed methods is displayed in
Figure 5. When compare to other existings approach, our proposed CSCS-URF approach achieved 96% and existings methods are GNB attains 92.508%, KNN attains 92.753%, and DT attains 91.963%. It demonstrates the greater efficiency in ensures healthcare IoT ecosystem security by using our proposed approach.
Result of recall, compare the recall of proposed method with DT, KNN, and GNB.
F1-score: A statistic called the F1-score is used to assess classification models function. It is a single number that combines precision and recall. This is especially helpful in cases when datasets are unbalanced, since it offers a fair evaluation of a model’s capacity to identify irregularities in Healthcare IoT networks.
The comparison of f1-score among the existing approach and proposed methods is displayed in
Figure 6. When compare to other existing approach, our proposed CSCS-URF approach achieved 96% and existing methods are GNB attains 91.936%, KNN attains 92.99%, and DT attains 92.01%. It demonstrates the greater efficiency in ensures healthcare IoT ecosystem security by using our proposed approach.
Result of F1-score, compare the F1-score of proposed method with DT, KNN, and GNB.
5. Conclusion
Securing healthcare IoT networks requires the use of anomaly detection technologies. Device performance and network traffic patterns might be frequently examined so that abnormalities indicating potential risks or malfunctions identified promptly and fixed. Robust anomaly detection systems are essential for protecting sensitive medical data and maintaining the integrity of healthcare operations as the sector depends on IoT devices to provide effective and efficient patient care. Challenges include data privacy; interoperability, false positives/negatives, and the need for resilient and flexible algorithms arise while securing healthcare IoT using anomaly detection. To conquerthis problem we proposed CSCS-URF techniques comprehensive approach to address the challenges by focusing on anomaly detection and resilience mechanisms to enhance data privacy and trustworthiness in healthcare IoT ecosystems. The findings of this study offers an outcome of accuracy (97%), F1-score (95%), precision (94%), recall (96%) which shows that our proposed CSCS-URF approach produces the precision with an outstanding results.
6. Limitations and future scope
False positives in anomaly detection in healthcare IoT networks might result in pointless warnings and possible alarm overload among medical personnel, overly sensitive detection systems might overlook real threats, which reduce their ability to protect patient information and medical equipment from cyberattacks. The future scope includes building IoT-specific security standards to protect healthcare ecosystems from emerging threats, integrating blockchain for secure data communication, and developing anomaly detection algorithms using machine learning.
Software accessibility
The suggested Customized Sand Cat Swarm driven Updated Random Forest (CSCS-URF) framework’s source code is made available to the public to promote transparency and reproducibility. The implementation is available in a public GitHub repository under the MIT License (OSI-approved). The application has been given a Digital Object Identifier (DOI) for citation and long-term access after being permanently archived in Zenodo.
All of the scripts necessary for data preparation, feature selection, optimization, and model training are included in the repository.
https://doi.org/10.5281/zenodo.1833551417
ReferencesKavithaMSrinivasPVVSKalyampudiPL:
Machine learning techniques for anomaly detection in smart healthcare.2021 Third International Conference on Inventive Research in Computing Applications (ICIRCA).IEEE;2021, September; pp.1350–1356.PathakAKSagunaSMitraK:
Anomaly detection using machine learning to discover sensor tampering in IoT systems.ICC 2021-IEEE International Conference on Communications.IEEE;2021, June; pp.1–6.GopePGheraibiaYKabirS:
A secure IoT-based modern healthcare system with fault-tolerant decision making process.IEEE J. Biomed. Health Inform.2020;25(3):862–873.
10.1109/JBHI.2020.3007488IwendiCAnajembaJHBiambaC:
Security of things intrusion detection system for smart healthcare.Electronics.2021;10(12):1375.
10.3390/electronics10121375HaqueNIKhalilAARahmanMA:
Biocad: Bio-inspired optimization for classification and anomaly detection in digital healthcare systems.2021 IEEE International Conference on Digital Health (ICDH).IEEE;2021, September; pp.48–58.YaoWZhangKYuC:
Exploiting ensemble learning for edge-assisted anomaly detection scheme in e-healthcare system.2021 IEEE Global Communications Conference (GLOBECOM).IEEE;2021, December; pp.1–7.WangZLuoNZhouP:
GuardHealth: Blockchain empowered secure data management and Graph Convolutional Network enabled anomaly detection in smart healthcare.J. Parallel Distrib. Comput.2020;142:1–12.
10.1016/j.jpdc.2020.03.004AliFEl-SappaghSIslamSR:
A smart healthcare monitoring system for heart disease prediction based on ensemble deep learning and feature fusion.Inf. Fusion.2020;63:208–222.
10.1016/j.inffus.2020.06.008AzimiMPekcanG:
Structural health monitoring using extremely compressed data through deep learning.Comput. Aided Civ. Inf. Eng.2020;35(6):597–614.
10.1111/mice.12517El-ShafaiWKhallafFEl-RabaieESM:
Proposed neural SAE-based medical image cryptography framework using deep extracted features for smart IoT healthcare applications.Neural Comput. & Applic.2022;34(13):10629–10653.
10.1007/s00521-022-06994-zSinghPDDhimanGSharmaR:
Internet of things for sustaining a smart and secure healthcare system.Sustainable computing: informatics and systems.2022;33:100622.
10.1016/j.suscom.2021.100622WangXCaiS:
Secure healthcare monitoring framework integrating NDN-based IoT with edge cloud.Futur. Gener. Comput. Syst.2020;112:320–329.
10.1016/j.future.2020.05.042BhattVChakrabortyS:
Improving service engagement in healthcare through internet of things based healthcare systems.Journal of Science and Technology Policy Management.2023;14(1):53–73.
10.1108/JSTPM-03-2021-0040Muthu SubramanianPRajeswariA:
IoT-enabled real time student health monitoring and interactive system using LoRa.Cognitive Sensors, Volume 2: Applications in smart healthcare.Bristol, UK:
IOP Publishing;2023; pp.1–2.KhanMMAlkhathamiM:
Anomaly detection in IoT-based healthcare: machine learning for enhanced security.Sci. Rep.2024;14(1):5872.
3846770910.1038/s41598-024-56126-xUppalMGuptaDJunejaS:
Cloud-based fault prediction for real-time monitoring of sensor data in hospital environment using machine learning.Sustainability.2022;14(18):11667.
10.3390/su141811667kholood26:
kholood26/CSCSURF-Anomaly-Detection: v1.0 (v1.0).Zenodo.2026.
10.5281/zenodo.1833551410.5256/f1000research.193163.r472649Reviewer response for version 1JeslinJ. Gnana1Refereehttps://orcid.org/0000-0002-8438-3808
R.M.K. College of Engineering and Technology, Puduvoyal, India
Competing interests: No competing interests were disclosed.
Clarify or remove privacy/resilience claims – either implement actual privacy-preserving techniques or revise the framing to focus solely on anomaly detection.
Provide complete implementation details:
Hyperparameter search ranges
Final hyperparameter values
Number of features selected by RFE
Computational time
Fix mathematical presentation: renumber equations sequentially, define all variables before use.
Is the work clearly and accurately presented and does it cite the current literature?
No
If applicable, is the statistical analysis and its interpretation appropriate?
No
Are all the source data underlying the results available to ensure full reproducibility?
Partly
Is the study design appropriate and is the work technically sound?
No
Are the conclusions drawn adequately supported by the results?
No
Are sufficient details of methods and analysis provided to allow replication by others?
No
Reviewer Expertise:
IoT, block Chain, Cloud Computing, data Security
I confirm that I have read this submission and believe that I have an appropriate level of expertise to confirm that it is of an acceptable scientific standard, however I have significant reservations, as outlined above.
10.5256/f1000research.193163.r460298Reviewer response for version 1AkhiMirza1Refereehttps://orcid.org/0009-0008-4718-187X
University of Limerick, Limerick, County Limerick, Ireland
Competing interests: No competing interests were disclosed.
The study focuses on healthcare-IoT anomaly detection, yet the experiments rely on the CICIoT2023 dataset, which is a general IoT attack dataset rather than one specifically designed for healthcare-IoT environments. This limits the domain relevance of the evaluation.
To better align the experimental validation with the paper’s stated objective, the authors should consider using or at least discussing healthcare-IoT–specific datasets. For example, the following publicly available datasets could be considered and cited in the revised manuscript:
https://zenodo.org/records/15305814
https://zenodo.org/records/17100208
Using healthcare-IoT datasets would strengthen the experimental validity and provide a more realistic evaluation of the proposed approach in healthcare environments.
2. Dataset naming error
The dataset name is reported incorrectly as “CICIoT20232” in multiple places, including the abstract. This appears to be a typographical error, and the correct name is likely CICIoT2023. Such an error, especially in the abstract, reduces the manuscript’s credibility.
3. Lack of clear attack definition
The manuscript does not clearly specify which attacks are actually detected in the experiments. Although the dataset description lists categories such as DoS, DDoS, web-based attacks, reconnaissance, brute force, spoofing, and Mirai, the paper does not explicitly state whether the task is binary classification, multiclass classification, or anomaly detection. This should be clarified.
4. Proposed model description is unclear
The proposed framework, CSCS-URF, appears to combine Min-Max normalization, RFE, Sand Cat Swarm Optimization, and an Updated Random Forest classifier. However, the methodological explanation is unclear, and several equations and algorithmic steps are presented without sufficient justification or reproducibility details. The customization over standard SCSO and RF is not convincingly explained.
5. Weak novelty
The claimed novelty is not convincing. Combining a metaheuristic optimization method with a tree-based classifier is not, by itself, a strong contribution, since similar optimization-assisted intrusion detection frameworks are already common in the literature. The manuscript does not clearly establish what is technically new or superior in this specific design.
6. Introduction is underdeveloped
The introduction is too brief and mostly generic. It does not clearly define the research gap, and it lacks a dedicated contribution summary at the end of the section. This makes the paper’s motivation and claimed contribution unclear.
7. Related work is insufficient
The related work section is weak and lacks depth. Only a few studies are discussed, several are not directly focused on healthcare-IoT security, and the discussion is largely descriptive rather than critical. The authors should provide a stronger comparison with prior work by discussing key studies individually in terms of method, dataset, limitation, and distinction from the present work.
8. Missing recent healthcare-IoT literature
Several recent and relevant healthcare-IoT-focused studies are missing from the review. The following publications should be discussed in the revised manuscript and cited appropriately:
(Refer to reference no. 1&2)
Including these studies would improve the literature grounding and better position the present work within recent healthcare-IoT security research.
9. Missing ablation study
The manuscript lacks an ablation study. Since the proposed method combines several components, such as RFE, SCSO, and URF, the authors should isolate the contribution of each one. For example, results for RF only, RF + RFE, RF + SCSO, and the full CSCS-URF model would help demonstrate whether each component provides meaningful improvement.
10. Weak baseline comparisons
The proposed method is compared only with Gaussian Naive Bayes, KNN, and Decision Tree, which are very basic baselines. This is not sufficient to support strong claims of superiority. Stronger baselines, for example, Random Forest, XGBoost, LightGBM, and recent deep learning-based IDS models, should be included.
11. Experimental setup is incomplete
Important experimental details are missing, including the effective dataset size, number of selected features, class distribution, hyperparameter settings, and validation strategy. These omissions limit reproducibility and make the evaluation difficult to assess.
12. Evaluation and visualization are limited
The evaluation is too narrow. The manuscript reports only aggregate metrics and simple plots but does not provide more informative analysis such as a confusion matrix, ROC analysis, class-wise results, or statistical variation across multiple runs. This makes the performance claims less convincing.
13. Claims about privacy, trustworthiness, and resilience are not validated
The title and discussion repeatedly claim improvements in privacy, trustworthiness, and resilience, but these aspects are not evaluated experimentally. The experimental evaluation focuses only on classification performance metrics. Therefore, the broader security claims are not adequately supported by the presented results.
14. Writing quality needs major revision
The manuscript contains many grammar and wording problems, including obvious errors such as “methids,” “existings,” and “conquerthis.” These issues appear throughout the paper and significantly affect readability and professionalism. Careful language editing is required.
Is the work clearly and accurately presented and does it cite the current literature?
Partly
If applicable, is the statistical analysis and its interpretation appropriate?
Partly
Are all the source data underlying the results available to ensure full reproducibility?
Partly
Is the study design appropriate and is the work technically sound?
No
Are the conclusions drawn adequately supported by the results?
Partly
Are sufficient details of methods and analysis provided to allow replication by others?
No
Reviewer Expertise:
Healthcare IoT security, machine learning for cyberattack detection, IoT network security, and anomaly detection.
I confirm that I have read this submission and believe that I have an appropriate level of expertise to state that I do not consider it to be of an acceptable scientific standard, for reasons outlined above.
References:
TCN-Based DDoS Detection and Mitigation in 5G Healthcare-IoT: A Frequency Monitoring and Dynamic Threshold Approach.
https://ieeexplore.ieee.org/abstract/document/10845749.2025;:
Residual temporal CNNs for emerging cyber threat detection in healthcare IoT.
Discover Internet of Things.2026;6(1) :
10.1007/s43926-025-00271-w10.1007/s43926-025-00271-w