A Multi-Stage Intrusion Detection Framework for IoT Networks Using Decision Tree, SVM, and KNN Classifiers
DOI:
https://doi.org/10.31185/wjes.Vol14.Iss2.952Keywords:
Intrusion Detection System, Internet of Things, Multi-Stage Classification, Decision Tree, Support Vector MachineAbstract
The surge in Internet of Things (IoT) appliances has heightened security threats as they function with minimal processing, memory, and energy. In these conditions, detection systems face the problem of detecting correctly while utilizing less computation. This paper presents a multi-stage intrusion detection framework based on a confidence-based cascade of Decision Tree (DT), Support Vector Machine (SVM), and K-Nearest Neighbors (KNN) classifiers. According to the proposed model, DT resolve the 78.9% samples, SVM refine 20.6% samples, and KNN verify only 0.6% samples under highly ambiguous condition. Experiments on N-BaIoT benchmark dataset with 8,000 samples and 115 statistical features show that the framework achieves an accuracy of 94.06%, F1 score of 0.9502, false alarm rate of 0.0656 and per-sample detection time of 0.0363 ms. When standing alone, this SVM reduces latency while maintaining a reasonable level of detection performance. The study gives a meaningful accuracy-latency trade-off for timely intrusion detection in constrained IoT edge-gateway environments.
References
[1] L. Atzori, A. Iera, and G. Morabito, “The Internet of Things: A survey,” Computer Networks, vol. 54, no. 15, pp. 2787–2805, 2010. https://doi.org/10.1016/j.comnet.2010.05.010 DOI: https://doi.org/10.1016/j.comnet.2010.05.010
[2] J. Gubbi, R. Buyya, S. Marusic, and M. Palaniswami, “Internet of Things (IoT): A vision, architectural elements, and future directions,” Future Generation Computer Systems, vol. 29, no. 7, pp. 1645–1660, 2013. https://doi.org/10.1016/j.future.2013.01.010 DOI: https://doi.org/10.1016/j.future.2013.01.010
[3] A. Mosenia and N. K. Jha, “A comprehensive study of security of Internet-of-Things,” IEEE Transactions on Emerging Topics in Computing, vol. 5, no. 4, pp. 586–602, 2017. https://doi.org/10.1109/TETC.2016.2606384 DOI: https://doi.org/10.1109/TETC.2016.2606384
[4] Y. Meidan, M. Bohadana, Y. Mathov, Y. Mirsky, A. Shabtai, D. Breitenbacher, and Y. Elovici, “N-BaIoT—Network-based detection of IoT botnet attacks using deep autoencoders,” IEEE Pervasive Computing, vol. 17, no. 3, pp. 12–22, 2018. https://doi.org/10.1109/MPRV.2018.03367731 DOI: https://doi.org/10.1109/MPRV.2018.03367731
[5] C. Kolias, G. Kambourakis, A. Stavrou, and J. Voas, “DDoS in the IoT: Mirai and other botnets,” Computer, vol. 50, no. 7, pp. 80–84, 2017. https://doi.org/10.1109/MC.2017.201 DOI: https://doi.org/10.1109/MC.2017.201
[6] M. Antonakakis et al., “Understanding the Mirai botnet,” in Proc. 26th USENIX Security Symposium, Vancouver, BC, Canada, 2017, pp. 1093–1110.
[7] H. Hindy, D. Brosset, E. Bayne, A. Seeam, C. Tachtatzis, R. Atkinson, and X. Bellekens, “A taxonomy of network threats and the effect of current datasets on intrusion detection systems,” IEEE Access, vol. 8, pp. 104650–104675, 2020. https://doi.org/10.1109/ACCESS.2020.3000179 DOI: https://doi.org/10.1109/ACCESS.2020.3000179
[8] M. A. Al-Garadi, A. Mohamed, A. K. Al-Ali, X. Du, I. Ali, and M. Guizani, “A survey of machine and deep learning methods for Internet of Things (IoT) security,” IEEE Communications Surveys & Tutorials, vol. 22, no. 3, pp. 1646–1685, 2020. https://doi.org/10.1109/COMST.2020.2988293 DOI: https://doi.org/10.1109/COMST.2020.2988293
[9] A. L. Buczak and E. Guven, “A survey of data mining and machine learning methods for cyber security intrusion detection,” IEEE Communications Surveys & Tutorials, vol. 18, no. 2, pp. 1153–1176, 2016. https://doi.org/10.1109/COMST.2015.2494502 DOI: https://doi.org/10.1109/COMST.2015.2494502
[10] I. Ahmad, M. Shahabuddin, T. Kumar, J. Okwuibe, A. Gurtov, and M. Ylianttila, “Security for 5G and beyond,” IEEE Communications Surveys & Tutorials, vol. 21, no. 4, pp. 3682–3722, 2019. https://doi.org/10.1109/COMST.2019.2916180 DOI: https://doi.org/10.1109/COMST.2019.2916180
[11] J. R. Quinlan, “Induction of decision trees,” Machine Learning, vol. 1, no. 1, pp. 81–106, 1986. https://doi.org/10.1007/BF00116251 DOI: https://doi.org/10.1023/A:1022643204877
[12] C. Cortes and V. Vapnik, “Support-vector networks,” Machine Learning, vol. 20, no. 3, pp. 273–297, 1995. https://doi.org/10.1007/BF00994018 DOI: https://doi.org/10.1023/A:1022627411411
[13] T. Cover and P. Hart, “Nearest neighbor pattern classification,” IEEE Transactions on Information Theory, vol. 13, no. 1, pp. 21–27, 1967. https://doi.org/10.1109/TIT.1967.1053964 DOI: https://doi.org/10.1109/TIT.1967.1053964
[14] V. Chandola, A. Banerjee, and V. Kumar, “Anomaly detection: A survey,” ACM Computing Surveys, vol. 41, no. 3, pp. 1–58, 2009. https://doi.org/10.1145/1541880.1541882 DOI: https://doi.org/10.1145/1541880.1541882
[15] M. A. Ferrag, L. Maglaras, A. Moschoyiannis, and H. Janicke, “Deep learning for cyber security intrusion detection: Approaches, datasets, and comparative study,” Journal of Information Security and Applications, vol. 50, p. 102419, 2020. https://doi.org/10.1016/j.jisa.2019.102419 DOI: https://doi.org/10.1016/j.jisa.2019.102419
[16] J. R. Quinlan, C4.5: Programs for Machine Learning. San Francisco, CA, USA: Morgan Kaufmann, 1993.
[17] B. Schölkopf, A. J. Smola, R. C. Williamson, and P. L. Bartlett, “New support vector algorithms,” Neural Computation, vol. 12, no. 5, pp. 1207–1245, 2000. https://doi.org/10.1162/089976600300015565 DOI: https://doi.org/10.1162/089976600300015565
[18] S. Zhang, X. Li, M. Zong, X. Zhu, and R. Wang, “Efficient kNN classification with different numbers of nearest neighbors,” IEEE Transactions on Neural Networks and Learning Systems, vol. 29, no. 5, pp. 1774–1785, 2018. https://doi.org/10.1109/TNNLS.2017.2673241 DOI: https://doi.org/10.1109/TNNLS.2017.2673241
[19] Y. Freund and R. E. Schapire, “A decision-theoretic generalization of on-line learning and an application to boosting,” Journal of Computer and System Sciences, vol. 55, no. 1, pp. 119–139, 1997. https://doi.org/10.1006/jcss.1997.1997.1504 DOI: https://doi.org/10.1006/jcss.1997.1504
[20] L. Breiman, “Random forests,” Machine Learning, vol. 45, no. 1, pp. 5–32, 2001. https://doi.org/10.1023/A:1010933404324 DOI: https://doi.org/10.1023/A:1010933404324
[21] M. Belgrana, A. Benamrane, and S. Harous, “Network intrusion detection system using neural network and condensed nearest neighbors,” in Proc. IEEE Int. Conf. Innovations in Information Technology (IIT), Al Ain, UAE, 2012, pp. 21–25. https://doi.org/10.1109/INNOVATIONS.2012.6207676
[22] R. Panigrahi and S. Paul, “A hybrid intrusion detection system for IoT networks using machine learning algorithms,” in Proc. IEEE Int. Conf. Computing, Communication and Automation (ICCCA), Greater Noida, India, 2021, pp. 1–6. https://doi.org/10.1109/ICCCA52192.2021.9666302 DOI: https://doi.org/10.1109/ICCCA52192.2021.9666302
[23] A. A. Diro and N. Chilamkurti, “Distributed attack detection scheme using deep learning approach for Internet of Things,” Future Generation Computer Systems, vol. 82, pp. 761–768, 2018. https://doi.org/10.1016/j.future.2017.08.043 DOI: https://doi.org/10.1016/j.future.2017.08.043
[24] P. Viola and M. Jones, “Robust real-time face detection,” International Journal of Computer Vision, vol. 57, no. 2, pp. 137–154, 2004. https://doi.org/10.1023/B:VISI.0000013087.49260.fb DOI: https://doi.org/10.1023/B:VISI.0000013087.49260.fb
[25] W. Hu, W. Hu, and S. Maybank, “AdaBoost-based algorithm for network intrusion detection,” IEEE Transactions on Systems, Man, and Cybernetics, Part B (Cybernetics), vol. 38, no. 2, pp. 577–583, 2008. https://doi.org/10.1109/TSMCB.2007.914695 DOI: https://doi.org/10.1109/TSMCB.2007.914695
Downloads
Published
Issue
Section
License
Copyright (c) 2026 Ali Mohammed Noori Tarab

This work is licensed under a Creative Commons Attribution 4.0 International License.

