AI-Based Intrusion Detection for IoT Networks
Authors
Thapa, Rajeev ; Rai, Kushal
Term
4. semester
Education
Publication year
2026
Submitted on
2026-06-04
Abstract
This thesis tackles key security challenges in IoT networks, where resource-constrained devices, homogeneous firmware landscapes, and inadequate signature-based perimeters enlarge the attack surface. The work addresses two major gaps in current defenses: telemetry silos between network traffic and host-level system metrics, and a passive reasoning gap between detection and timely response. We design and validate a lightweight Agentic AI Intrusion Detection and Response (AIDR) framework that fuses network features with system resource data from the CIC-YNU-IoTMal dataset via row-level multi-modal fusion and links detection to an autonomous, escalating response chain (logging, alerting, blocking, and isolation) with a feedback mechanism that adapts thresholds during operation without retraining. Methodologically, the study includes a PRISMA-based literature review, a data and modeling pipeline with ablation studies (PCAP only, SAR only, coarse-grained fusion versus the proposed row-level fusion), and an agentic architecture comprising Perception, Reasoning, and Action layers. Results show that row-level fusion with a Random Forest achieves an F1 macro of 0.9766, far outperforming network-only features (0.4636), while coarse-grained fusion harms minority-class detection. In pipeline evaluation, the lightweight agentic system attains 99.6% attack containment with zero false positives on benign traffic, demonstrating a tight link between accurate detection and self-operating defense at the IoT gateway. A noted limitation is confusion between Gafgyt and Mirai, and the study also discusses dynamic adaptation and operational performance.
Denne afhandling adresserer centrale sikkerhedsudfordringer i IoT-netværk, hvor ressourcebegrænsede enheder, homogene firmwaremiljøer og utilstrækkelige signaturbaserede perimetre øger angrebsfladen. Projektet fokuserer på to huller i eksisterende forskning: telemetri-siloer mellem netværkstrafik og værtsnære systemmålinger samt den passive “reasoning gap” mellem detektion og respons. Vi designer og validerer et letvægts Agentic AI Intrusion Detection and Response (AIDR)-framework, der kombinerer netværksfunktioner med systemressource-data fra CIC-YNU-IoTMal-datasættet via række-niveau multimodal fusion og kobler det til en autonom responskæde med trinvis eskalering (logning, alarmering, blokering og isolering) samt en feedbackmekanisme, der tilpasser tærskler under drift uden modelretræning. Metodisk omfatter arbejdet en PRISMA-baseret litteraturgennemgang, en data- og modelpipeline med ablationsstudier (PCAP alene, SAR alene, grovkornet fusion versus den foreslåede række-niveau-fusion) og en agentisk arkitektur med Perception-, Reasoning- og Action-lag. Resultaterne viser, at række-niveau-fusion med Random Forest opnår en F1 macro på 0,9766 og markant overgår netværks-features alene (0,4636), mens grovkornet fusion forværrer minoritetsklassers detektion. I pipeline-evaluering opnår det letvægts agentiske system 99,6 % inddæmning af angreb uden falske positiver på benign trafik, hvilket demonstrerer koblingen mellem præcis detektion og selvkørende forsvar på IoT-gatewayen. En observeret begrænsning er forveksling mellem Gafgyt og Mirai, og der diskuteres desuden dynamisk tilpasning og driftsegenskaber.
[This apstract has been generated with the help of AI directly from the project full text]