Development of Hybrid Intrusion Detection Systems for IoT Enabled Devices Utilizing Resource Constraint Learning Frameworks

This manuscript is structured as pursues: Section 2 evaluates the related work and relevant studies conducted by various researchers in the domain of intrusion detection. Section 3 provides an overview of the LSTM, GRU, Hyperparameter tuned Grid Search techniques, along with a described explanation of the proposed LSTM-GRU hybrid model architecture. Section 4 describes the CICIDS 2017 dataset, outlines the experimental setup, and presents a comprehensive analysis of the results. Atlast, Section 5 wraps up the study and highlights potential directions for future research and development.

Shahid et al. (2024) [11] propose a Hybrid Intrusion Detection System (IDS) built for for IoT networks utilizing ML and DL approach. Their work focuses on the Routing Protocol for Low-Power and Lossy Networks (RPL), which is inclined to various attacks due to IoT devices’ inherent constraints, such as limited memory and processing power. By analyzing network traffic features using statistical graphs, they evaluate multiple machine learning models and deep learning architectures. However, a notable drawback is the limited consideration of scalability and adaptability to dynamic IoT environments, where real-time attack detection and system overhead remain critical challenges.

Yaras and Dener (2024) [12] proposed an IoT-based IDS leveraging a hybrid DL algorithm to address the increasing cyber threats, particularly DDoS attacks, in IoT networks. The study highlights that traditional methods struggle to analyze network traffic efficiently because of large amount data generated by numerous sensor nodes. The researchers employed PySpark with Apache Spark in Google Colab for big data analysis, utilizing the CICIoT2023 and TON_IoT datasets. They reduced the features in the datasets utilizing the correlation method to include only significant features. A hybrid model combining one-dimensional CNN and LSTM was developed and achieved impressive accuracy rates. Additionally, the energy consumption and computational cost associated with implementing such hybrid models in resource-constrained IoT devices were not addressed.

Sajid, M., Malik, K.R., Almogren, A., et al. (2024) [13] proposed a hybrid approach for intrusion detection utilizing ML and DL approach. The study highlights the challenges in maintaining network security as data volumes surge due to advancements in cloud computing, IoT, and automotive networks. The findings demonstrated a high detection rate, good accuracy, and a low False Acceptance Rate (FAR), examining the model’s effectiveness. However, the approach has a drawback in terms of computational complexity due to the integration of multiple feature selection algorithms and deep learning models, potentially limiting its scalability for real-time applications in Constrained-resource contexts.

Almotairi et al. (2024) [14] proposed an innovative approach to enhance intrusion detection in IoT networks by employing a diverse ML-based stack classifier model. The study utilized the K-Best algorithm for feature selection, identifying the top 15 critical features from the Ton IoT dataset, and incorporated ensemble modeling to improve classification metrics. The ensemble model combines the strengths of various traditional machine learning models to achieve exceptional performance compared to individual models. However, a notable drawback of this approach is its reliance on computationally intensive processes for feature selection and model training, which may not be feasible for real-time applications in resource-constrained IoT devices.

Walling and Lodh (2024) [15] proposed a novel feature selection methodology for anomaly-based Network IDS in IoT security using machine learning and statistical techniques. Their approach utilizes 1-way ANOVA and Pearson correlation coefficient as filter-based methods to extract relevant features from the datasets. By leveraging union and intersection principles of set theory, they identified optimal features for intrusion detection. Despite these promising results, the methodology may face scalability challenges in highly dynamic IoT environments due to the computational overhead of the feature selection process and the inherent diversity of IoT devices, which may limit its real-time applicability.

Meliboyev et al. (2024) [16] conducted a study on the development of an IoT network IDS using ML techniques. The authors highlight that the rapid proliferation of IoT devices has revolutionized industries by offering smart and automated solutions but has also brought about substantial security concerns, particularly in network intrusion. Their research focuses on analyzing network traffic to identify anomalous patterns, proposing a machine learning-based IDS as a robust and scalable solution. Despite its promise, the proposed system primarily addresses anomaly detection and does not delve deeply into the complexities of real-time detection in highly dynamic IoT environments, which could limit its effectiveness in certain use cases.

Al Sawafi et al. (2023) [17] proposed a hybrid DL-based IDS for routing protocol for low-power and lossy networks (RPL) in IoT environments. The study introduced the IoTR-DS dataset, designed for IoT networks using the RPL protocol. The proposed system achieved a detection accuracy of 98% with an F1-score of 92% for pre-programmed (known) attacks and an F1-score of 87% for untrained (unknown) attack behaviours. However, a significant drawback is that the system’s performance is dataset-dependent, and its generalizability to other IoT protocols or real-world IoT network conditions remains unaddressed. Additionally, the approach may face challenges in resource-constrained IoT environments due to the computational overhead associated with hybrid deep learning models.

Awajan et al. (2023) [18] proposed a novel DL-based IDS for IoT networks, addressing the increasing threat of cyber-attacks on IoT devices and communication channels. The system leverages a four-layer fully connected deep learning architecture to detect suspicious traffic and supports a protocol-independent design to simplify deployment across diverse IoT environments. Despite its promising results, the study not dealwith the computational complexity or resource requirements of the system, which are critical factors for real-time deployment in resource-constrained IoT devices. Additionally, its generalizability to more complex or evolving intrusion patterns remains unexplored.

Singh et al. (2022) [19] proposed an Edge-based Hybrid IDS (EHIDF) tailored for Mobile Edge Computing (MEC) circumstances to address security challenges associated with edge network architectures. MEC, with its rapid delivery approach, attracts users but remains vulnerable to Internet-based attacks. Traditional intrusion detection models primarily detect known attacks and exhibit low efficiency in real-time traffic monitoring, often failing to identify new, unknown threats. The EHIDF demonstrates an improvement in detection accuracy by 10.78% and a reduction in FAR by 93% compared to previous works. Despite its promising results, the study highlights limitations like the need for further optimization of detection modules for more complex attack scenarios and scalability issues in broader MEC deployments.

Smys et al. (2020) [20] presents a hybrid IDS for IoT networks to deal with the increasing security issues posed by the growing number of IoT devices. The recommended approach leverages a CNN-based model to recognize and mitigate these security threats effectively. Experimental results indicate that the recommended approach outperforms traditional ML and DL models in terms of sensitivity to attacks, tailoring it for various IoT implementations.

For the development and evaluation of the recommended approach, we utilize a widely utilize network traffic dataset CICIDS 2017 dataset. These datasets consists labeled network traffic data, including standard and suspicious traffic, from varied types of threats, making them suitable for evaluating IDS. The CICIDS 2017 dataset contains realistic traffic data with advanced attack situations, including DoS, DDoS, and APTs. The CICIDS 2017 dataset includes a mix of benign and malicious traffic with labeled attack types, including DoS, DDoS, Port Scanning, Botnet, and Brute Force, which are representative of real-world attack scenarios. The dataset is divided into training and testing sets, ensuring a balanced representation of both normal and attack traffic.

Before training, the unprocessed data undergoes preprocessing to ensure its suitability for the deep learning models:

Any missing values in the dataset are handled utilizing imputation techniques.

Features are scaled to a range between 0 and 1 utilizing Min–Max scaling to assure that every attributes contribute equally to the model’s learning.

The categorical features, such as the attack type or protocol type, are encoded utilizing label encoding or one-hot encoding to convert them into numerical values suitable for the model.

Proposed Model:

3.3.1

Long Short Term Memory (LSTM)

LSTM networks are a type of RNN devised to address the limitations of traditional RNNs, particularly the problem of vanishing gradients. LSTM networks excel at identifying long-term relationships within sequential data, which constructs them highly suitable for applications such as forecasting time series, speech recognition, and also in intrusion detection in IoT networks. LSTMs are devised to learn and retain information over long periods of time while discarding irrelevant data.

Figure 2:

Long Short Term Memory Network

3.3.1.1.

Forget Gate (ft)

It resolves what information to dispose from the cell state. That is the forget gate operates how much of the previous cell state (Ct−1) should be carried forward to the current cell state. It takes the previous hidden state (ht−1) and the current input (xt) as inputs and outputs a value among 0 and 1, which is then used to scale the previous cell state. (1) ft=σ(Wf⋅[ht−1,xt]+bf) $${f_t} = \sigma \,({W_f} \cdot [{h_{t - 1}},{x_t}] + {b_f})$$

3.3.1.2.

Input Gate (it)

The input gate resolves how much of the new information should be carried to the cell state. The candidate cell state depicts the potential new information that can be carried to the cell state. The input gate is processed as follows: (2) it=σ(Wi⋅[ht−1,xt]+bi) $${i_t} = \sigma ({W_i} \cdot \,[{h_{t - 1}},{x_t}] + {b_i})$$

3.3.1.3.

Update Cell State (Ct)

The cell state is upgraded by infusing the previous cell state (Ct−1) and the new candidate cell state (C͠_t), controlled by the forget gate and the input gate. The update rule is as follows: (3) Ct=ft⋅Ct−1+it⋅Ct˜ $${C_t} = {f_t} \cdot {C_{t - 1}} + {i_t} \cdot \widetilde {{C_t}}$$

Where C_t is the updated cell state, f_t controls quantity of the previous cell state is carried forward and i_t controls how much of the new candidate cell state is added to the cell state.

3.3.1.4.

Output Gate (ot) and Hidden State (ht)

The output gate elects what the next hidden state (ht) will be. The hidden state is based on the updated cell state (C_t), which is taken to the output gate and squashed utilizing the tanh function. The output gate is computed as follows: (4) ot=σ(Wo⋅[ht−1,xt]+bo) $${o_t} = \sigma ({W_o} \cdot [{h_{t - 1}},{x_t}] + {b_o})$$ (5) ht=ot⋅tanh(Ct) $${h_t} = {o_t} \cdot \tanh ({C_t})$$

Where o_t is the output gate’s output, h_t is the hidden state, W_o is the weight matrix for the output gate, b_o is the bias term and the tanh (C_t) function squashes the cell state to ensure that the hidden state is between −1 and 1. These gates and states allow LSTMs to effectively remember and forget information over long sequences, elevating them suitable for tasks such as time series prediction, language modelling, and intrusion detection in IoT networks, where temporal patterns play a crucial role in identifying attacks.

3.3.2

Gated Recurrent Unit

The GRU is a type of RNN scheme that is devised to solve the vanishing gradient problem encountered in traditional RNNs and to efficiently capture dependencies over time in sequential data. GRUs are a simpler form of the LSTM networks, infusing the functions of memory cells and gates in a more compact form.

Figure 3:

Gated Recurrent Unit Network

The GRU cell has the following mathematical equations:

3.3.2.1

Update Gate (zt)

The update gate resolves how much of the previous hidden state should be taken forward to the next time step. If zt is 1, the model retains the old memory, and if zt is 0, the new memory completely replaces the old memory. (6) zt=σ(Wzxt+Uzht−1+bz) $${z_t} = \sigma ({W_z}{x_t}\, + \,{U_z}{h_{t - 1}} + {b_z})$$

A value of 1 means the network retains all of ht−1, and a value of 0 means the network completely updates the hidden state with new information.

3.3.2.2

Reset Gate (rt)

The reset gate determines amount of the previous hidden state should be used when computing the candidate memory.. (7) rt=σ(Wrxt+Urht−1+br) $${r_t} = \sigma ({W_r}{x_t} + {U_r}{h_{t - 1}} + {b_r})$$

The reset gate operates the amount of previous hidden state ht−1 should be discarded when computing the new candidate memory.

3.3.2.3

Candidate Memory (h͠_t)

The candidate memory is the new memory created by combining the input at the current time step with the previous hidden state (after being varied by the reset gate). It denotes the new content to be potentially carried to the final hidden state. (8) ht˜=tanh(Whxt+Uh(rt⊙ht−1)+bh) $$\widetilde {{h_t}} = \tanh \,({W_h}{x_t} + {U_h}({r_t} \odot {h_{t - 1}}) + {b_h})$$

Where tanh is the hyperbolic tangent activation function, which outputs values among −1 and 1, Wh and Uh are weight matrices for the input xt and the previous hidden state ht−1, respectively. rt ⊙ ht−1 represents element-wise multiplication of the reset gate rt and the previous hidden state ht−1, allowing the reset gate to control which part of the previous hidden state influences the candidate memory.

3.3.2.4

Final Hidden State (ht)

The final hidden state is derived by blending the prior hidden state with the newly generated candidate memory, weighted by the update gate.

ht=(1−zt)⊙ht−1+zt⊙ht˜ $${h_t} = (1 - {z_t}) \odot {h_{t - 1}} + {z_t} \odot \widetilde {{h_t}}$$

Where ht−11 is the previous hidden state, h͠_t is the candidate memory at the current time step, zt is the update gate and (1-zt) is the complementary part of the update gate.

The update gate zt resolves the weight of the new memory (h͠_t) versus the old memory (ht−1).

3.3.2.5

Features of GRU

Simplified Structure: GRUs have fewer parameters compared to LSTMs, they don’t have individual memory cell. This makes them more computationally efficient.

Capturing Temporal Dependencies: Like LSTMs, GRUs are qualified of capturing long-term and short-term dependencies in sequential data, tailored for time series and sequence-based tasks.

Less Computational Overhead: Since GRUs have fewer gates and parameters, they are computationally less expensive to train and often perform equally well to LSTMs on many tasks.

While both GRUs and LSTMs are devised to mitigate the vanishing gradient problem, GRUs are a simplified version of LSTMs. This reduction in complexity often makes GRUs faster to train and more efficient while achieving similar or better performance on certain tasks.

The GRU architecture is an efficient and powerful model for sequence learning tasks, especially in time-sensitive applications like intrusion detection. Its ability to handle long-term dependencies, coupled with its simpler architecture compared to LSTMs, makes it an attractive option for sequential modelling in environments like IoT networks.

3.3.3

Hyperparameter Tuned Grid Search Method

Hyperparameter tuning is significant in optimizing ML or DL approaches to achieve the best performance. Hyperparameters are settings or configurations that are set before training the model like number of layers, batch size, learning rate, or dropout rates. Unlike model attributes, hyperparameters are not learned in training and detailed by the user.

The grid search method is one of the most commonly used techniques for hyperparameter optimization. It systematically explores a predefined set of hyperparameters and evaluates the model for each combination to identify the optimal configuration.

3.3.3.1

Steps in Grid Search Hyperparameter Tuning

Define the Hyperparameter Space: The first step involves specifying the hyperparameters to tune and defining their possible values. For example:

Table 1

Hyperparameter Tuning for proposed Model

Learning Rate	No. of units	Dropout Rate	Optimizer
0.001	16	0.2	Adam
0.01	32	0.3	SGD
0.1	64	0.5	RMSProp

This creates a hyperparameter grid where each combination represents a unique set of hyperparameters.

The model is trained on the training dataset for whole possibilities of hyperparameters in the grid. During this process, the model’s weights are upgraded relied on the training data, and performance metrics are computed on a validation set. The results are stored for comparison. The hyperparameter configuration that delivers the highest performance on the validation dataset is identified as the optimal set after thorough evaluation. Using these optimal hyperparameters, the model is subsequently fine-tuned by training it on the complete training dataset, and its performance is tested on the unseen test set.

Figure 4:

Hyperparameter tuning Grid Search Architecture

3.3.3.2

Advantages of Grid Search

➢

Since it evaluates all possible combinations in the hyperparameter grid, Grid Search ensures that the optimal hyperparameter combination is found (within the grid’s limits).

➢

It is easy to enforce and understand, make it popular choice for hyperparameter tuning.

➢

The exhaustive nature of the search ensures consistent results, which is beneficial in research and production environments.

Grid Search is a robust method for hyperparameter tuning, especially for small to moderately sized hyperparameter spaces. While computationally intensive, it provides a systematic approach to improving model performance by exploring all possible hyperparameter combinations, ensuring that the selected configuration is optimal for the given task.

The proposed model was developed using Python 3.19, leveraging libraries like Matplotlib, NumPy, Pandas, Scikit-Learn, and Seaborn for evaluation and visualization. The experiments were utilized on a PC workstation equipped with an Intel i7 processor running at 3.2 GHz, 16 GB of RAM, and an NVIDIA Tesla GPU, ensuring efficient execution and performance analysis of the IDS.

To demonstrate the effectiveness of the recommended approach, varied performance metrics are assessed and compared against more advanced deep learning models. These metrics include accuracy, precision, recall, specificity, and the F1-score, all of which offer a thorough perspective of the approach’s performance.

Four categories are utilized to examine the performance of the model. True Positive represents instances where both the actual value and the predicted value are positive, indicating a correct positive prediction. A false positive occurs when the model incorrectly predicts a positive outcome, while the actual value is negative. This type of error is crucial to minimize, as it may lead to false alarms or misidentification. In False Negative the model predicts a negative outcome when the actual value is positive. False negatives are particularly significant in many applications, such as medical diagnosis, where failing to recognise a positive case can have severe effects. True negatives refer to instances where both the actual and predicted values are negative, signifying a correct negative prediction.

Table 3 depicts a examination of varied approach, including CNN, RNN, LSTM, GRU, and the recommended approach, in terms of key performance metrics like accuracy, precision, recall, F1-score, and specificity. The outcome depicts that the recommended approach outperforms all other models, achieving the highest values across all metrics, with an accuracy of 0.95, precision of 0.96, recall of 0.95, F1-score of 0.96, and specificity of 0.95. In comparison, the GRU model shows strong performance with accuracy of 0.89, but the proposed model demonstrates a significant improvement, highlighting its superior ability to detect intrusions with higher precision and reliability.

Figure 5 depicts the performance of different DL models—CNN, RNN, LSTM, GRU, and the proposed model—based on their testing accuracy. Based the graph, it is evident that the recommended approach attains the highest testing accuracy of 0.95, significantly outperforming the other models. The GRU model follows with an accuracy of 0.89, while CNN, RNN, and LSTM have comparatively lower accuracy values, initialised from 0.77 to 0.85. This highlights the proposed model’s superior generalization ability and its effectiveness in intrusion detection tasks. The increasing accuracy across the models suggests improvements in performance with more advanced architectures like GRU and LSTM, with the proposed model setting a new benchmark.

Figure 5:

Comparative Analysis of Different Deep Learning Models Based on Evaluating the Accuracy

Figure 6 illustrates the performance of varied approaches in detecting intrusions, providing a visual comparison of their true positive rate (sensitivity) against the false positive rate (1-specificity). A higher curve closer to the top-left corner depicts better performance, as it represents a model with a higher true positive rate and a lower false positive rate. In the graph, the proposed model demonstrates the best trade-off among sensitivity and specificity, outperforming other models like CNN, RNN, LSTM, and GRU. The ROC curve further highlights the proposed model’s superior capability to discriminate among positive and negative cases with fewer errors.

Figure 6:

ROC Curve for different models in intrusion detection