TY - GEN
T1 - A Device-Centric and Temporal Learning Framework for Malicious IoT Traffic Detection
AU - Daraghmeh, Mustafa
AU - Obaidat, Islam
AU - Jararweh, Yaser
AU - Agarwal, Anjali
AU - Kaur, Kuljeet
N1 - Publisher Copyright:
© 2025 IEEE.
PY - 2025
Y1 - 2025
N2 - The rapid increase in the number of Internet of Things (IoT) devices has introduced substantial security risks, necessitating robust security solutions to detect malicious traffic. In this paper, we propose a machine-learning solution to identify malicious IoT traffic while adhering to the constraints of the IoT environment. Our solution segments network packets into time windows and groups them by source IP. This approach enables the extraction of statistical, behavioral, and entropy-based features that preserve important temporal and device-level characteristics. To address data imbalance, we employ synthetic oversampling (SMOTE), followed by a suite of standard classification models (such as k-Nearest Neighbors and Random Forest) calibrated via a sigmoid function to refine probabilistic predictions. Our pipeline is evaluated on Edge-IIoTset, a comprehensive dataset encompassing traffic from multiple IoT devices and 14 different attacks. Results indicate that k-Nearest Neighbors outperforms the alternative classifiers, achieving an F1 score of up to 0.8696 and demonstrating high robustness to complex traffic patterns. These findings highlight the effectiveness of time-segmented, IP-based feature aggregation and underline the importance of calibrated classifiers in enhancing IoT network security.
KW - Cyber Attack Detection
KW - Feature Extraction
KW - IoT Traffic Classification
KW - Network Traffic Analysis
UR - https://www.scopus.com/pages/publications/105016611513
U2 - 10.1109/ICSC65596.2025.11140133
DO - 10.1109/ICSC65596.2025.11140133
M3 - Contribution to conference proceedings
AN - SCOPUS:105016611513
T3 - 2025 5th Intelligent Cybersecurity Conference, ICSC 2025
SP - 130
EP - 136
BT - 2025 5th Intelligent Cybersecurity Conference, ICSC 2025
A2 - Alsmirat, Mohammad
A2 - Alkhabbas, Fahed
A2 - Al-Abdullah, Muhammad
A2 - Jararweh, Yaser
PB - Institute of Electrical and Electronics Engineers Inc.
T2 - 5th Intelligent Cybersecurity Conference, ICSC 2025
Y2 - 19 May 2025 through 22 May 2025
ER -
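The abstract's core idea is to cut a packet stream into fixed time windows, group each window by source IP, and summarise every (window, source) group with statistical, behavioural and entropy-based features before any classifier sees the data. The following is an added example of that aggregation step, not code from the paper or from the Edge-IIoTset project; the paper's exact feature list, window length and packet record layout are not given in the abstract, so the ones used here (10-second windows, per-group packet and byte statistics, inter-arrival time, distinct destinations and ports, and Shannon entropy over destination ports, destination hosts and packet sizes) are assumptions, and the traffic is constructed inline: one periodic sensor talking to a single broker port, and one host sweeping many ports on several hosts.

```python
"""Time-windowed, per-source-IP feature aggregation for IoT traffic.

Added example, not the paper's code. The abstract only states that packets are
segmented into time windows, grouped by source IP, and summarised with
statistical, behavioural and entropy-based features; the concrete feature set,
window length and packet record layout below are assumptions.
"""
from collections import Counter, defaultdict
from dataclasses import dataclass
from math import log2
from statistics import mean, pstdev


@dataclass(frozen=True)
class Packet:
    ts: float      # capture timestamp in seconds
    src: str       # source IP (the grouping key)
    dst: str       # destination IP
    dport: int     # destination port
    proto: str     # "TCP", "UDP" or "ICMP"
    size: int      # bytes on the wire


def shannon_entropy(counts: Counter) -> float:
    """Entropy in bits of a discrete distribution given as a Counter."""
    total = sum(counts.values())
    if total == 0:
        return 0.0
    return -sum((c / total) * log2(c / total) for c in counts.values() if c)


def window_features(pkts) -> dict:
    """Feature vector for one (window, source IP) group.

    Inter-arrival statistics need at least two packets; with one packet the
    mean inter-arrival time is reported as 0.0 rather than raising.
    """
    pkts = sorted(pkts, key=lambda p: p.ts)
    sizes = [p.size for p in pkts]
    gaps = [b.ts - a.ts for a, b in zip(pkts, pkts[1:])]
    return {
        "n_pkts": len(pkts),
        "n_bytes": sum(sizes),
        "mean_size": mean(sizes),
        "std_size": pstdev(sizes),
        "mean_iat": mean(gaps) if gaps else 0.0,
        "n_dst": len({p.dst for p in pkts}),
        "n_dport": len({p.dport for p in pkts}),
        "udp_ratio": sum(p.proto == "UDP" for p in pkts) / len(pkts),
        # Entropy features: a scanner spreads probability mass over many ports
        # and hosts; a sensor concentrates it on one broker and one port.
        "dport_entropy": shannon_entropy(Counter(p.dport for p in pkts)),
        "dst_entropy": shannon_entropy(Counter(p.dst for p in pkts)),
        "size_entropy": shannon_entropy(Counter(p.size for p in pkts)),
    }


def aggregate(packets, window_s: float = 10.0) -> dict:
    """Map (window_index, src_ip) -> feature dict. Window length is assumed."""
    groups = defaultdict(list)
    for p in packets:
        groups[(int(p.ts // window_s), p.src)].append(p)
    return {key: window_features(group) for key, group in groups.items()}


def to_matrix(features: dict, label_of) -> tuple:
    """Flatten the grouped features into X rows and y labels for a classifier.

    label_of maps a (window, src) key to 0/1; in a real pipeline this would
    come from the dataset's ground truth, and SMOTE would be applied to the
    resulting rows before training.
    """
    keys = sorted(features)
    names = sorted(features[keys[0]]) if keys else []
    X = [[features[k][n] for n in names] for k in keys]
    y = [label_of(k) for k in keys]
    return names, X, y


def constructed_capture() -> list:
    """Constructed sample traffic (not from Edge-IIoTset)."""
    # Sensor: one MQTT publish every 2 s to a single broker port.
    sensor = [Packet(t * 2.0, "10.0.0.5", "10.0.0.1", 1883, "TCP", 120)
              for t in range(5)]
    # Scanner: 40 SYN-sized packets, a new port each time, across 4 hosts.
    scan = [Packet(0.1 + i * 0.05, "10.0.0.9", f"10.0.0.{10 + i % 4}",
                   20 + i, "TCP", 60) for i in range(40)]
    return sensor + scan


if __name__ == "__main__":
    feats = aggregate(constructed_capture())
    for key, f in sorted(feats.items()):
        print(key, {k: round(v, 3) for k, v in f.items()})
```

Both sources land in window 0 of this constructed capture. The sensor group has one destination, one port and zero entropy on every axis with a 2-second inter-arrival time, while the scanner group has 40 distinct ports (port entropy log2(40), about 5.32 bits) and four hosts hit equally (destination entropy 2 bits). That contrast is what the per-source, per-window grouping preserves and what a flat per-packet feature set would lose, since each scanner packet on its own looks like any other small TCP packet.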