A Multi-Stage Intrusion Detection Framework for IoT Networks Using Decision Tree, SVM, and KNN Classifiers
DOI: https://doi.org/10.31185/wjes.Vol14.Iss2.952
Keywords: Intrusion Detection System, Internet of Things, Multi-Stage Classification, Decision Tree, Support Vector Machine
Abstract
The surge in Internet of Things (IoT) appliances has heightened security threats, as they function with minimal processing, memory, and energy. Under these conditions, detection systems must detect attacks correctly while using less computation. This paper presents a multi-stage intrusion detection framework based on a confidence-based cascade of Decision Tree (DT), Support Vector Machine (SVM), and K-Nearest Neighbors (KNN) classifiers. According to the proposed model, the DT resolves 78.9% of samples, the SVM refines 20.6% of samples, and KNN verifies only 0.6% of samples under highly ambiguous conditions. Experiments on the N-BaIoT benchmark dataset with 8,000 samples and 115 statistical features show that the framework achieves an accuracy of 94.06%, an F1 score of 0.9502, a false alarm rate of 0.0656, and a per-sample detection time of 0.0363 ms. When standing alone, this SVM reduces latency while maintaining a reasonable level of detection performance. The study gives a meaningful accuracy-latency trade-off for timely intrusion detection in constrained IoT edge-gateway environments.
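The confidence-gated routing the abstract describes can be sketched as follows. This is an added example, not the paper's code: the three stage models are hand-set stand-ins, and the two features (scaled packet rate and packet size), the thresholds, weights and sample flows are all constructed assumptions.

```python
# Added illustration: confidence-gated DT -> SVM -> KNN cascade.
# Thresholds, weights and samples are constructed, not taken from the paper.
import math
from collections import Counter

def dt_stage(x):
    """Depth-2 tree stand-in; confidence is the purity of the reached leaf."""
    rate, size = x
    if rate > 0.8:
        return 1, 0.97      # very high packet rate: almost pure attack leaf
    if rate < 0.3:
        return 0, 0.95      # low packet rate: almost pure benign leaf
    return (1, 0.60) if size < 0.5 else (0, 0.55)   # mixed leaves, low purity

W, B = (2.0, -1.5), -0.2    # hypothetical linear SVM weights and bias

def svm_stage(x):
    """Linear SVM stand-in; confidence is the distance from the hyperplane."""
    margin = (W[0] * x[0] + W[1] * x[1] + B) / math.hypot(*W)
    return int(margin > 0), abs(margin)

REFERENCE = [((0.5, 0.3), 1), ((0.6, 0.45), 1), ((0.55, 0.6), 1),
             ((0.4, 0.5), 0), ((0.45, 0.7), 0), ((0.35, 0.4), 0)]

def knn_stage(x, k=3):
    """k-NN vote over labelled reference flows (constructed)."""
    nearest = sorted(REFERENCE, key=lambda r: math.dist(x, r[0]))[:k]
    label, votes = Counter(lbl for _, lbl in nearest).most_common(1)[0]
    return label, votes / k

# (name, model, minimum confidence to accept); the last stage always decides.
STAGES = [("DT", dt_stage, 0.90), ("SVM", svm_stage, 0.10), ("KNN", knn_stage, 0.0)]

def classify(x):
    """Return (label, stage) from the first stage that is confident enough."""
    for name, stage, threshold in STAGES:
        label, confidence = stage(x)
        if confidence >= threshold:
            return label, name
    raise RuntimeError("unreachable: final stage has threshold 0")

def stage_shares(samples):
    """Fraction of samples resolved by each stage (1 = attack, 0 = benign)."""
    counts = Counter(classify(x)[1] for x in samples)
    return {name: counts[name] / len(samples) for name, _, _ in STAGES}

SAMPLES = [(0.9, 0.2), (0.95, 0.6), (0.1, 0.5), (0.2, 0.8), (0.05, 0.3),
           (0.6, 0.2), (0.4, 0.8), (0.5, 0.55)]
print(stage_shares(SAMPLES))
```

Raising the DT threshold pushes more samples to the slower later stages, so the per-stage shares should be tracked alongside accuracy and false alarm rate when tuning.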
License
Copyright (c) 2026 Ali Mohammed Noori Tarab

This work is licensed under a Creative Commons Attribution 4.0 International License.

