IoT Intrusion Detection Using Transformer-Based Anomaly Learning

Authors

  • Hayder Salah Abdulameer, College of Computer Science and Information Technology, University of Al-Qadisiyah, Iraq.

DOI:

https://doi.org/10.29304/jqcsm.2025.17.32432

Keywords:

IoT security, intrusion detection, Transformers

Abstract

We present a Transformer-based intrusion detection system (IDS) for IoT network flows. Raw traffic is converted into windowed flow sequences (47 features; 30-s window; 10-s stride; sequence length 64) and fed to a compact Transformer encoder (4 layers, 8 heads, hidden size 256) with dual heads for binary (anomaly) and multiclass (attack type) inference. Evaluated on UNSW-NB15, BoT-IoT, and ToN_IoT against CNN, LSTM, Random Forest, and SVM baselines, the model achieves state-of-the-art discrimination with lower false-alarm behavior: UNSW-NB15: F1 = 95.1%, FAR = 2.1%, ROC-AUC = 0.984; BoT-IoT: F1 = 97.2%, FAR = 1.4%, ROC-AUC = 0.992; ToN_IoT: F1 = 92.9%, FAR = 2.6%, ROC-AUC = 0.973. Precision–Recall analysis confirms higher PR-AUC and better precision at matched recall than all baselines, which aligns with fewer benign flows escalated as alerts. Attention maps and SHAP attributions surface feature-time drivers (e.g., SYN bursts, DNS probing, TLS exfiltration cues) and are distilled into short reason codes attached to each alert. A deployment-oriented alert policy (default threshold with abstain band, 2-of-3 window aggregation, session de-duplication, and rate limiting) turns scores into compact, auditable outputs suitable for operations.
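The alert policy named in the abstract can be sketched as follows. This is an added example, not the paper's code: the threshold, band width, rate limit, the reading of de-duplication as one alert per session, and all names are assumptions, since the abstract names the mechanisms without giving values.

```python
from collections import defaultdict, deque

# Assumed values: the abstract names these mechanisms but gives no numbers.
THRESHOLD = 0.50      # default decision threshold on the anomaly score
ABSTAIN = 0.10        # half-width of the abstain band around the threshold
MAX_ALERTS = 2        # rate limit: alerts allowed per RATE_WINDOW_S
RATE_WINDOW_S = 60

def decide(score):
    """Map one window score to 'alert', 'benign' or 'abstain'."""
    if score >= THRESHOLD + ABSTAIN:
        return "alert"
    if score <= THRESHOLD - ABSTAIN:
        return "benign"
    return "abstain"  # too close to the threshold to count as a vote

class AlertPolicy:
    def __init__(self):
        self.recent = defaultdict(lambda: deque(maxlen=3))  # last 3 votes per session
        self.open_sessions = set()                          # sessions already alerted
        self.emitted = deque()                              # timestamps of emitted alerts

    def observe(self, ts, session, score):
        """Return an alert dict, or None when the window is suppressed."""
        votes = self.recent[session]
        votes.append(decide(score))
        if sum(v == "alert" for v in votes) < 2:    # 2-of-3 window aggregation
            return None
        if session in self.open_sessions:           # session de-duplication
            return None
        while self.emitted and ts - self.emitted[0] >= RATE_WINDOW_S:
            self.emitted.popleft()                  # forget alerts outside the rate window
        if len(self.emitted) >= MAX_ALERTS:         # rate limiting
            return None
        self.emitted.append(ts)
        self.open_sessions.add(session)
        return {"ts": ts, "session": session, "score": score}

def run(windows):  # windows: iterable of (timestamp_s, session_id, score)
    policy = AlertPolicy()
    return [a for w in sorted(windows) if (a := policy.observe(*w))]

# Constructed sample scores at the 10-s stride; not data from the paper.
SAMPLE = [
    (0, "cam-1", 0.91), (10, "cam-1", 0.55), (20, "cam-1", 0.88), (30, "cam-1", 0.95),
    (0, "plug-7", 0.93), (10, "plug-7", 0.20), (20, "plug-7", 0.30),  # only 1 of 3
    (30, "hub-2", 0.97), (40, "hub-2", 0.99),                         # second alert
    (40, "tv-4", 0.96), (50, "tv-4", 0.98),                           # rate-limited
]
```

On the constructed sample, eleven scored windows reduce to two alerts: the isolated spike on `plug-7` never reaches two votes, the repeat on `cam-1` is de-duplicated, and `tv-4` is held back by the rate limit.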

Published

2025-09-30

How to Cite

Salah Abdulameer, H. (2025). IoT Intrusion Detection Using Transformer-Based Anomaly Learning. Journal of Al-Qadisiyah for Computer Science and Mathematics, 17(3), Comp 278–291. https://doi.org/10.29304/jqcsm.2025.17.32432

Section

Computer Articles