waypoint 03home / Research / Evaluating Machine Learning Models for Network Anomaly Detection in IoT Environments

status
Completed
year
2026
type
Conference Paper

Evaluating Machine Learning Models for Network Anomaly Detection in IoT Environments

A conference paper evaluating five machine learning models for binary IoT network anomaly detection using the cleaned ML-EdgeIIoT dataset.

Abstract

This conference paper evaluates traditional machine learning models for binary network anomaly detection in Internet of Things environments. The study addresses the security challenges created by the rapid growth of IoT networks, where resource-constrained devices are often exposed to attacks such as DDoS, ransomware, password attacks, port scanning, injection-based attacks, and unauthorized access. The paper uses the ML-EdgeIIoT dataset, which belongs to the Edge-IIoTset cybersecurity dataset, and defines the task as a binary classification problem using the Attack_label column, where normal traffic is separated from attack traffic. A cleaned preprocessing pipeline is applied before training, including duplicate removal, exclusion of high-cardinality text-heavy features, removal of possible leakage or proxy columns, and elimination of constant or near-constant features. After preprocessing, the experiment uses 27 numeric features, median imputation, standardization, and an 80:20 stratified train-test split. Five models are trained and evaluated under the same conditions: Logistic Regression, Decision Tree, Random Forest, K-Nearest Neighbors, and XGBoost. The comparison uses accuracy, precision, recall, F1-score, false positive rate, and prediction time in order to evaluate not only general correctness, but also practical detection behavior. The results show that XGBoost achieved the strongest overall performance, reaching an accuracy of 0.9753, recall of 0.9991, and F1-score of 0.9856. Random Forest and Decision Tree also achieved strong results, while Logistic Regression produced the lowest false positive rate but missed many attack samples because of its lower recall. KNN was less suitable due to its higher false positive rate and slower prediction time. The paper concludes that XGBoost provides the best balance for detecting attack traffic in the cleaned binary IoT anomaly detection task, while future work can extend the study toward multi-class attack classification, hyperparameter tuning, feature selection, deep learning models, and real-time or edge-based IoT deployment.

Researcher

Bilal Abdulhadi

Supervisor

Dr. Mhd Raja Abou Harb

pdf.preview

Download PDF
Loading Bilal Abdulhadi