The rapid proliferation of IoT devices has considerably enlarged the attack surface of current networks, making effective intrusion detection critical to the security and reliability of Internet of Things environments. Standard security measures cannot easily detect complex and diverse attack patterns in real time, so more intelligent detection methods are required. We performed a complete analysis of network traffic, using 80 extracted features, on the RT-IoT2022 dataset, which contains both normal and malicious network activity: traffic from devices such as ThingSpeak-LED, Wipro-Bulb and MQTT-Temp, as well as simulated Brute-force SSH, DDoS and Nmap scan attacks. ML classifiers including KNN, Gradient Boosting, XGBoost, SVM, RF, DT and Extremely Randomized Trees were used to identify malicious behavior. We found that RF and Extremely Randomized Trees outperformed the rest, scoring 99.9% on accuracy, precision, recall, and F1-score. This approach demonstrates that intrusions in complex IoT networks can be detected with extremely high accuracy and in real time. It is an important milestone towards proactive threat mitigation and intelligent network security.
Introduction
The rapid expansion of the Internet of Things (IoT) has enabled smart cities, healthcare systems, industrial automation, and home management to operate through interconnected sensing, communication, and computing services. However, this multi-layered IoT architecture (perception, network, and application layers) has significantly expanded the digital attack surface. Due to limited device resources, weak authentication mechanisms, and dynamic traffic patterns, IoT systems are highly vulnerable to cyber threats such as eavesdropping, spoofing, denial-of-service (DoS), malware, and other advanced attacks.
Traditional intrusion detection systems (IDS), which rely on signature-based methods, struggle to detect novel or sophisticated attacks and often suffer from high false positive rates and scalability issues. To address these limitations, this research focuses on evaluating intelligent, data-driven machine learning (ML) intrusion detection models specifically tailored for IoT environments.
Literature Review Overview
Recent studies highlight the growing use of ML-based IDS to enhance IoT security:
Traditional ML models outperform signature-based systems in detecting unseen attacks but often lack adaptation to resource-constrained IoT environments.
IoT-specific datasets such as RT-IoT2022 enable standardized benchmarking, though comparative studies remain limited.
Hybrid IDS approaches combining statistical and ML methods improve detection but face scalability and computational cost challenges.
Deep learning models achieve high detection accuracy but are computationally expensive and difficult to interpret.
Addressing data imbalance (e.g., using SMOTETomek) improves detection rates but is often tailored to specific network types rather than general IoT systems.
Overall, there remains a gap in developing scalable, efficient, and highly accurate IDS solutions suitable for large-scale IoT deployments.
Proposed Methodology
The study proposes a robust ML-based intrusion detection framework built on the RT-IoT2022 dataset. The pipeline has the following stages:
Preprocessing – Data cleaning, visualization, feature scaling, and class balancing.
Training & Testing – 80/20 train-test split.
Model Implementation – Evaluating multiple ML classifiers:
K-Nearest Neighbors (KNN)
Support Vector Machine (SVM)
Decision Tree (DT)
Gradient Boosting
XGBoost
Random Forest (RF)
Extra Trees
Performance was measured using Accuracy, Precision, Recall, and F1-Score.
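The pipeline described in this section, sketched as an added example (not the authors' code) using scikit-learn on constructed synthetic data with 80 features instead of RT-IoT2022. It assumes `class_weight="balanced"` as a stand-in for the unspecified class-balancing step, and it keeps the scaler inside the pipeline so that it is fitted on the training rows only and nothing from the held-out 20% leaks into preprocessing.

```python
from sklearn.datasets import make_classification
from sklearn.ensemble import ExtraTreesClassifier, RandomForestClassifier
from sklearn.metrics import accuracy_score, precision_recall_fscore_support
from sklearn.model_selection import train_test_split
from sklearn.pipeline import make_pipeline
from sklearn.preprocessing import StandardScaler


def make_flows(n=4000, seed=7):
    """Constructed, imbalanced 4-class data standing in for 80-feature flows."""
    return make_classification(
        n_samples=n, n_features=80, n_informative=20, n_redundant=10,
        n_classes=4, n_clusters_per_class=1, class_sep=2.0,
        weights=[0.70, 0.20, 0.07, 0.03], random_state=seed)


def evaluate(seed=7):
    """Train RF and Extra Trees on 80% of the data, score on the other 20%."""
    X, y = make_flows(seed=seed)
    # Stratify so the rare classes are present in both train and test parts.
    X_tr, X_te, y_tr, y_te = train_test_split(
        X, y, test_size=0.20, stratify=y, random_state=seed)
    models = {
        "Random Forest": RandomForestClassifier(
            n_estimators=100, class_weight="balanced", random_state=seed),
        "Extra Trees": ExtraTreesClassifier(
            n_estimators=100, class_weight="balanced", random_state=seed),
    }
    results = {}
    for name, clf in models.items():
        # The scaler is fitted inside the pipeline, i.e. on training rows only.
        pipe = make_pipeline(StandardScaler(), clf).fit(X_tr, y_tr)
        pred = pipe.predict(X_te)
        p, r, f1, _ = precision_recall_fscore_support(
            y_te, pred, average="weighted", zero_division=0)
        results[name] = {"accuracy": accuracy_score(y_te, pred),
                         "precision": p, "recall": r, "f1": f1,
                         "n_test": len(y_te)}
    return results


if __name__ == "__main__":
    for model, scores in evaluate().items():
        print(model, {k: round(v, 3) for k, v in scores.items()})
```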
Experimental Results
The comparative evaluation revealed extremely high performance across models, with ensemble methods performing best:
| Model | Accuracy | Precision | Recall | F1-Score |
|---|---|---|---|---|
| KNN | 0.996 | 0.996 | 0.996 | 0.996 |
| SVM | 0.974 | 0.978 | 0.974 | 0.973 |
| Decision Tree | 0.998 | 0.998 | 0.998 | 0.998 |
| Gradient Boost | 0.993 | 0.993 | 0.993 | 0.993 |
| XGBoost | 0.998 | 0.998 | 0.998 | 0.998 |
| Random Forest | 0.999 | 0.999 | 0.999 | 0.999 |
| Extra Trees | 0.999 | 0.999 | 0.999 | 0.999 |
Key Findings:
Random Forest and Extra Trees achieved the highest accuracy (99.9%), making them the most effective models.
Ensemble methods significantly outperform single classifiers due to improved generalization and reduced overfitting.
Feature scaling and proper preprocessing contributed to model stability and performance.
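In the results above, Recall equals Accuracy for every model, which is what support-weighted averaging produces (weighted recall is always identical to accuracy). The added example below is not from the paper and uses constructed counts with the page's class names. It computes per-class, weighted and macro scores from the same predictions to show how a 99.9% aggregate can coexist with a poorly detected rare attack class, which is why per-class recall belongs next to the headline figures on imbalanced traffic.

```python
from collections import Counter

# Constructed evaluation counts (not RT-IoT2022 results): class names follow
# the page, the numbers are made up to model an imbalanced test split.
CLASSES = ["Normal", "DDoS", "Nmap scan", "Brute-force SSH"]
# (true label, predicted label, number of flows)
CONSTRUCTED = [
    ("Normal", "Normal", 2000),
    ("DDoS", "DDoS", 7900),
    ("Nmap scan", "Nmap scan", 80),
    ("Brute-force SSH", "Brute-force SSH", 8),
    ("Brute-force SSH", "Normal", 12),  # missed brute-force flows
]


def per_class(pairs):
    """Return {class: (precision, recall, f1, support)} from (true, pred, n)."""
    tp, fp, fn = Counter(), Counter(), Counter()
    for true, pred, n in pairs:
        if true == pred:
            tp[true] += n
        else:
            fn[true] += n   # a miss for the true class
            fp[pred] += n   # a false alarm for the predicted class
    out = {}
    for c in CLASSES:
        p = tp[c] / (tp[c] + fp[c]) if tp[c] + fp[c] else 0.0
        r = tp[c] / (tp[c] + fn[c]) if tp[c] + fn[c] else 0.0
        f1 = 2 * p * r / (p + r) if p + r else 0.0
        out[c] = (p, r, f1, tp[c] + fn[c])
    return out


def summarize(pairs):
    """Accuracy plus support-weighted and macro averages of (P, R, F1)."""
    stats = per_class(pairs)
    total = sum(s[3] for s in stats.values())
    accuracy = sum(n for t, p, n in pairs if t == p) / total
    weighted = tuple(sum(s[i] * s[3] for s in stats.values()) / total
                     for i in range(3))
    macro = tuple(sum(s[i] for s in stats.values()) / len(stats)
                  for i in range(3))
    return {"accuracy": accuracy, "weighted": weighted,
            "macro": macro, "per_class": stats}


if __name__ == "__main__":
    print(summarize(CONSTRUCTED))
```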
Conclusion
In large-scale IoT networks, advanced cyberattacks are difficult to identify and prevent, so these networks need to be secured to protect them and ensure smooth operation. An intelligent intrusion detection framework was developed using the RT-IoT2022 dataset. This data contains realistic normal traffic from devices such as ThingSpeak-LED, Wipro-Bulb and MQTT-Temp, and adversarial traffic such as Brute-force SSH, DDoS and several Nmap scans, with 80 features extracted from the network traffic. We used KNN, Gradient Boosting, XGBoost, SVM, DT, RF and Extremely Randomized Trees to find the best classifier for identifying IoT threats. RF and Extremely Randomized Trees were the strongest and most generalizable, with an accuracy, precision, recall, and F1-score of 99.9%. These findings indicate that ensemble learning is a strong and consistent method for classifying complex IoT traffic. The developed intrusion detection system is a stable and scalable security system that can automatically identify threats and enhance real-time decision-making, supporting a strong, robust IoT network infrastructure.
Future development can focus on applying deep learning models, such as LSTM and Transformer-based models, to enhance the detection of temporal attacks in dynamic IoT traffic.
Including XAI practices would make automated decisions more comprehensible and credible. Deploying lightweight edge-computing frameworks would allow real-time detection with less lag. In addition, testing under various IoT usage conditions and against zero-day attacks would make large-scale, real-life network structures more flexible, scalable, and robust.