
Real-Time IoT Intrusion Detection Report

The document presents a project report on the development of a deep learning-based Intrusion Detection System (IDS) aimed at enhancing security for IoT devices, specifically within Industrial Internet of Cyber-Physical Systems. It addresses the limitations of traditional IDS, such as low detection accuracy and high false positive rates, by integrating advanced deep learning techniques and Generative Adversarial Networks (GANs) for improved detection capabilities. The project aims to provide a robust, scalable, and real-time solution for detecting cyber threats in dynamic network environments.

Uploaded by

kaviloki0405

A Major Project Report on

DETECTION OF REAL TIME INTRUSIONS AND ATTACKS IN IOT DEVICES

submitted in partial fulfillment for award of the degree of Bachelor of Technology in Information Technology

By

K Amulya 21321A1209
B Deeksha 21321A1221
P Kaveri 21321A1240

Under the Esteemed Guidance of


Internal Guide
Saleha Farha
Assistant Professor, Information Technology

Bhoj Reddy Engineering College for Women


Department of Information Technology
(Sponsored by Sangam Laxmibai Vidyapeet, Accredited by NAAC with A Grade, Approved by AICTE and Affiliated to JNTUH)
Recognized by UGC under section 2(f) of the UGC Act, 1956.
Vinay Nagar, IS Sadan Crossroads, Saidabad, Hyderabad – 500 059, Telangana. [Link]

AY 2024–25

Ref No: BRECW/IT Dept/Project 2024-25/PJ-A-16 Date: 11.06.2025

CERTIFICATE

This is to certify that the Mini Project entitled “Detection of Real Time Intrusions and
attacks in IOT Devices” is a bonafide work carried out by

K Amulya 21321A1209
B Deeksha 21321A1221
P Kaveri 21321A1240

In partial fulfillment for award of the degree of Bachelor of Technology in Department of Information
Technology from Bhoj Reddy Engineering College for Women, Hyderabad affiliated to Jawaharlal
Nehru Technological University Hyderabad (JNTUH).

Saleha Farha, Internal Guide
Dr C Murugamani, Head of the Department
External Examiner

Sangam Laxmibai Vidyapeet is an educational society for promotion of education among girls and women.
It is established in 1952 and registered under the Telangana Societies Registration Act.
ACKNOWLEDGEMENT

It is our pleasure to express our wholehearted thanks to our internal guide Saleha Farha,
Assistant Professor, Department of Information Technology, for her extreme guidance and
support in completing this project successfully.
We are thankful to our project coordinator Tasneem Rahath, Assistant Professor,
Department of Information Technology, for her dynamic valuable guidance and constant
management.
We express thanks and gratitude to Dr C Murugamani, Professor & Head of the
Department, Information Technology, for his encouragement and guidance in carrying out
the mini project presentation.
We would also like to thank Dr J Madhavan, Professor & Principal of Bhoj Reddy
Engineering College for Women for encouragement in carrying out our mini project
successfully. We are also thankful to the staff members of Information Technology department,
my friends and to our parents who helped us in completing this project successfully.

By

K Amulya (21321A1208)
B Deeksha (21321A1221)
P Kaveri (21321A1240)
Index

List of Tables
List of Figures
Abstract

1. Introduction
    1.1 Introduction of the Project
    1.2 Purpose
    1.3 Existing System
    1.4 Proposed System

2. Related Work
    2.1 Survey

3. Requirement Analysis
    3.1 Functional Requirements
    3.2 Non-Functional Requirements
    3.3 Tools/Technology Requirement
    3.4 Computational Requirements
        3.4.1 Software Requirements
        3.4.2 Hardware Requirements

4. Design
    4.1 Architecture
        4.1.1 System Design
        4.1.2 System Architecture
            4.1.2.1 HTML, CSS, JavaScript
            4.1.2.2 Database
            4.1.2.3 Training & Testing Set
            4.1.2.4 Hidden Layers
        4.1.3 Technical Architecture
            4.1.3.1 Training database
            4.1.3.2 Normalization
            4.1.3.3 Feature Selection
            4.1.3.4 IOT attacks detection
        4.1.4 Modules

[Link]
    5.1 Deep learning
    5.2 Technologies
        5.2.1 Frontend Interface
            5.2.1.1 Flask
            5.2.1.2 HTML, CSS, JavaScript
        5.2.2 Python
        5.2.3 Backend Data handling
            5.2.3.1 NumPy
            5.2.3.2 Pandas
            5.2.3.3 Scikit-learn
            5.2.3.4 TensorFlow
        5.2.4 Utility & Support
            5.2.4.1 Matplotlib
            5.2.4.2 Label Encoder
            5.2.4.3 Min Max Scaler
            5.2.4.4 Adam Optimizer
    5.3 Code

[Link]
[Link] & Validation
[Link]
[Link] Scope
List of Tables

1. Test Cases
2. Test Validation

List of Figures

1. System Architecture (Fig. 4.1.2.1)
2. Technical Architecture (Fig. 4.1.3.1)
3. Screenshots (Fig. 6.1-6.15)
ABSTRACT

A computer network can be significantly compromised by a wide array of malicious threats,
including viruses, trojans, spyware, ransomware, and various forms of cyber-attacks such as
Denial of Service (DoS), phishing, and brute force attacks. As digital infrastructures expand and
IoT devices proliferate, the attack surface grows, making conventional defense mechanisms
increasingly inadequate. Intrusion Detection Systems (IDS) have emerged as a vital component
of modern network security architectures, acting as active, intelligent monitors that detect
unauthorized access, suspicious behavior, or policy violations. However, traditional IDS
approaches often rely on signature-based detection or shallow machine learning models, which
suffer from limitations such as low detection accuracy, inability to recognize previously unseen
(zero-day) attacks, and high false positive rates. The framework incorporates both unsupervised
and discriminative learning strategies, combining models such as CNN, RNN, and DNN with a
Generative Adversarial Network (GAN) to boost detection robustness. GANs play a crucial role
by generating realistic synthetic attack patterns that improve model generalization and resilience.
The proposed system is extensively validated on benchmark intrusion detection datasets—NSL-
KDD, KDDCup99, and UNSW-NB15—covering a wide variety of modern and evolving threats.
Experimental results show that our deep learning models consistently outperform traditional
methods, achieving higher accuracy, reduced false positives, and superior generalization.
Specifically, the framework demonstrates outstanding performance in detecting advanced attack
types such as BruteForceXXS, BruteForceWEB, and DoS_Hulk_Attack, with elevated True
Negative Rate (TNR) and High Detection Rate (HDR), affirming the efficacy and scalability of
the proposed IDS in complex, real-world IoT environments.

Keywords: Computer Network Security, Intrusion Detection, Deep Learning, Detection
Accuracy, Generative Adversarial Network, IoT, Cyber-Physical Systems, GAN, CNN, RNN,
DNN, Anomaly Detection.
Detection of Real-time Intrusions & attacks in IOT devices Introduction

1. Introduction

1.1 Introduction of project:


An Intrusion Detection System (IDS) is a critical component in cybersecurity frameworks
designed to monitor network traffic for signs of malicious activity or policy violations. When such
activity is detected, the IDS promptly raises alerts, enabling timely responses. Functioning as a
secondary line of defense, IDS software scans network behaviors using predefined rules and
benign traffic patterns to distinguish between legitimate and harmful interactions.

Modern IDS solutions increasingly utilize data mining techniques to enhance accuracy and
behavior modeling. This allows them to respond more effectively to sophisticated and evolving
cyber threats than traditional systems. Despite their evolution, existing IDSs still face notable
limitations, particularly in detecting novel or complex attacks. Issues such as low detection
accuracy, high false positive rates, and limited adaptability to new threat vectors remain prevalent
challenges in the cybersecurity landscape. With the exponential growth of the Internet of Things
(IoT), especially within Industrial Internet of Things (IIoT) environments, the security stakes have
become even higher. Industrial Control Systems (ICS), forming the backbone of critical
infrastructures, are now more vulnerable due to the increasing number of connected devices. This
surge in connectivity has expanded the attack surface, making it imperative to develop more robust
intrusion detection mechanisms. To address these concerns, the proposed project introduces an
advanced IDS framework based on deep-autoencoder-based LSTM models, specifically tailored
for IIoT-powered Industrial Internet of Cyber-Physical Systems (IICs).
This approach not only enhances detection capabilities but also significantly lowers the false
positive rate.

Furthermore, the system integrates an ensemble learning method to boost overall accuracy and
reliability, combining the strengths of multiple models for more comprehensive intrusion analysis.
By integrating cutting-edge deep learning methods and emphasizing real-time detection with
reduced false alerts, this project aims to provide a more effective, scalable, and secure IDS solution
for modern, dynamic, and high-risk network environments such as those driven by IoT and IIoT
infrastructures.

Department of IT, BRECW Page 2


Objective:
The primary objective of this research is to develop a robust and intelligent intrusion detection
system that leverages the power of deep learning to enhance the security posture of computer
networks. By addressing the shortcomings of traditional systems—such as limited detection
accuracy, high false alarm rates, and inflexibility to evolving threats—the proposed solution aims
to provide a more reliable and proactive approach to threat identification and prevention.

Another key objective is to integrate advanced deep learning techniques, including both
unsupervised and discriminative models, to effectively detect and classify cyber threats in cyber-
physical systems, particularly within IoT-driven Industrial Internet of Cyber-Physical Systems
(IICs). The system aims to handle complex network environments by improving the detection of
novel and sophisticated attack patterns that conventional methods often miss.

A further objective is to ensure the confidentiality of sensitive user and system data during the training and testing
phases. By incorporating a GAN into the detection framework, the system is designed to achieve
high detection and true positive rates across multiple datasets and attack scenarios, while
maintaining a strong defense against a wide range of cybersecurity threats.

The objectives also include ensuring real-time adaptability and scalability of the intrusion detection system in
highly dynamic IoT ecosystems. As network topologies, device behaviors, and threat vectors
evolve rapidly, the system must not only detect anomalies but also learn and adapt from ongoing
activity patterns without constant manual intervention. To this end, the proposed IDS aspires to
incorporate continuous learning mechanisms, edge-based deployment for low-latency inference,
and federated learning models that facilitate collaborative training across distributed environments
while preserving data privacy.

1.2 Purpose of project:


The purpose of this project is to enhance computer network security by developing a novel deep
learning-based intrusion detection system specifically designed for cyber-physical systems within
IoT-driven Industrial Internet of Cyber-Physical Systems (IICs). Traditional intrusion detection
systems often suffer from limitations such as low detection accuracy, high false positive rates, and
an inability to adapt to new and evolving threats. These shortcomings leave critical infrastructures
vulnerable to a wide range of cyberattacks.

To address these challenges, the proposed system employs advanced deep learning techniques,
particularly by contrasting unsupervised learning with discriminative deep learning approaches,
and integrates a Generative Adversarial Network (GAN) to enhance its detection capabilities. This
hybrid framework is designed to deliver superior performance in terms of detection rate, true
positive rate, and overall system reliability, even in complex and dynamic network environments.

1.3 Existing System:


In existing intrusion detection systems, a DNN, a type of deep learning model, is explored
to develop a flexible and effective IDS to detect and classify unforeseen and unpredictable
cyberattacks. The continuous change in network behavior and the rapid evolution of attacks make it
necessary to evaluate various datasets which have been generated over the years through static and
dynamic approaches. This type of study helps to identify the best algorithm, one which can
work effectively in detecting future cyberattacks.

Disadvantages of Existing System:


• The existing work focuses on detecting and classifying unforeseen and unpredictable
cyberattacks in general cyber environments.
• The existing work explores the use of a DNN along with classical machine learning
classifiers, which may lead to a decrease in performance in cyber-attack detection.
• The existing work, on the other hand, focuses on publicly available benchmark malware
datasets, which may not fully capture the complexities of modern cyber-physical systems.

1.4 Proposed System:


We propose a deep learning-based novel method to detect cybersecurity vulnerabilities and
breaches in cyber-physical systems. The proposed framework contrasts the unsupervised and deep
learning-based (RNN, CNN, and DNN) discriminative approaches. We present a generative
adversarial network (RBN, DBN, DBM, and DA) to detect cyber threats in IoT-driven IICs
networks.


Advantages of proposed system:

• We specifically target cybersecurity vulnerabilities and breaches in cyber-physical systems,
which may allow for a more specialized and tailored approach to threat detection.

• We introduce a more diverse range of deep learning techniques and various generative
adversarial network (GAN) architectures (RBN, DBN, DBM, and DA). This broader range
of approaches might lead to improved detection performance and adaptability.


2. Related Work
2.1 Survey:
João Azevedo et al. conducted a comprehensive evaluation of several Convolutional Neural
Network (CNN) architectures—namely AlexNet, VGG, Inception, and ResNet—to assess their
performance in both static image classification and dynamic video recognition tasks. The models
were initially tested using the ImageNet dataset to determine their accuracy and error margins.
Following this, their ability to detect temporal patterns and classify human activities in video
streams was analyzed. Among the models, ResNet and Inception demonstrated superior accuracy,
each exceeding a 70% success rate. This study reinforces the feasibility of applying CNN-based
deep learning models to interpret and classify video data generated from sensor-fed environments,
such as surveillance or human activity monitoring systems.

Eric Gyamfi et al. focused on the growing vulnerabilities within the Internet of Things (IoT)
ecosystem, especially in the context of constrained devices. Their survey highlighted how the rapid
expansion of IoT applications increases the computational load and network traffic, while
simultaneously exposing these lightweight devices to heightened cybersecurity threats. As
traditional security mechanisms are often unsuitable for such environments, the authors reviewed
the applicability of Network Intrusion Detection Systems (NIDS) integrated with Mobile Edge
Computing (MEC) and machine learning techniques. Their work emphasizes the importance of
dataset availability, evaluation metrics, and real-time deployment models, culminating in the
proposal of a robust, MEC-supported NIDS framework tailored for secure IoT communication.

Abdullah Ayub Khan et al. introduced B-Drone, a novel framework for drone-based data
management that integrates fog computing with blockchain smart contracts, specifically
Hyperledger Fabric. This architecture ensures secure data transmission using SHA-256 hash
encryption and employs smart contracts to manage communication between drones and fog nodes.
Their work aims to enhance the traceability and security of UAV networks, particularly in
surveillance or logistics applications. However, the study also cautions that careless
dimensionality reduction could lead to data loss, emphasizing the need for dataset-specific tuning
during training and evaluation phases.


In another study, Mr. Amit Kr. Balyan et al. proposed a hybrid intrusion detection system that
combines Evolutionary Genetic Algorithms (EGA) and Particle Swarm Optimization (PSO) with
an enhanced Random Forest classifier. This two-phase approach first selects the most relevant
features using a multi-objective genetic function, thus reducing data dimensionality and
complexity. In the second phase, an improved Random Forest model eliminates non-contributing
features and utilizes ensemble decision trees to enhance classification performance. The model
addresses limitations of earlier techniques that suffered from imbalance and false detections due
to sparse training data.

Karan Gupta et al. discussed the dual-edged nature of connected healthcare devices. While these
technologies enable scalable and accessible medical services, they also introduce significant
cybersecurity risks, potentially threatening patient privacy and safety. Their work underscores the
need for secure architectural designs to protect sensitive health data transmitted across networks.

Further contributions by Abdullah Ayub Khan et al. addressed the growing communication
demands in UAV-assisted vehicle networks within smart cities. Their research proposed a
blockchain-powered lifecycle framework that enables secure and transparent communication
among distributed vehicle nodes. Despite its potential, the framework poses challenges in terms of
system complexity and processing overhead, which must be addressed for real-world
implementation.

In the healthcare domain, Khan et al. also proposed a blockchain-based architecture named BIoMT
(Blockchain-based Internet of Medical Things), tailored for managing sensitive patient data. The
architecture employs serverless networks, NuCypher-based re-encryption for data privacy, and
smart contracts for automation of device registration and ledger management. Though the system
provides enhanced security and traceability, it also introduces complexity in terms of
cryptographic overhead and blockchain governance, particularly in resource-constrained medical
environments.


Overall, the related literature highlights a strong trend toward hybrid architectures that integrate
machine learning, blockchain, and edge/fog computing to meet the demands of modern
applications in security, healthcare, and video processing. However, challenges around data
privacy, computational resource constraints, and system scalability remain critical areas for
continued research and innovation.



3. Requirement Analysis
Taking into account the comparative analysis stated in the previous section we could start specifying
the requirements that our website should achieve. As a basis, an article on all the different
requirements for software development was taken into account during this process. We divide the
requirements into 2 types: functional and non-functional requirements.

3.1 Functional Requirements:

Functional requirements clearly explain what a system should do to meet its goals. They describe
how the system should take input, process it, and give the right output based on user and business
needs. These requirements guide the entire project—from planning to delivery—by showing what
features and functions the system must have.

They should be easy to understand, specific, and detailed so developers know exactly what to build
and testers know what to check. By defining how users and the system interact, functional
requirements help with design, planning, and keeping everything on track. In short, they reduce
confusion and help ensure the system works the way users expect.

• Registration
• Authentication
• Dataset Overview
• Traffic Monitoring
• Alerting
• Intrusion Classification
• Dataset Management
• System Scaling


3.2 Non-Functional Requirements:


Non-functional requirements describe user-visible aspects of the system that are not directly related to
its functional behavior. They allow you to impose constraints or restrictions on the
design of the system across the various agile backlogs.

• Usability
• Serviceability
• Data Integrity
• Capacity
• Manageability
• Recoverability
• Security
• Availability

3.3 Tools/Technologies Requirements:


The development and implementation of the proposed system rely on a robust set of tools and
technologies that facilitate efficient coding, model development, testing, and visualization. These
technologies were chosen based on their industry relevance, ease of use, and comprehensive
ecosystem support. The key tools employed in this project include Python, Anaconda, and Jupyter
Notebook.

Python: Python serves as the core programming language used throughout the project. Its simple
and readable syntax makes it an ideal choice for both beginners and experienced developers.
Python’s emphasis on code clarity and modularity significantly reduces the cost and complexity of
maintaining and scaling software applications. One of Python’s key strengths lies in its extensive
standard library and active community support, which offers a wide range of packages and
frameworks for various tasks, including data processing, visualization, and machine learning.
Furthermore, Python is a cross-platform language, and its interpreter, along with the majority of its
libraries, is freely available in both source and binary forms, making it highly accessible and cost-
effective for academic and industrial use.


Anaconda: Anaconda is a powerful open-source distribution that simplifies package management
and deployment for Python and R programming languages. It is widely adopted in the fields of data
science, machine learning, and artificial intelligence due to its user-friendly interface and pre-
configured environment. Anaconda comes bundled with numerous essential packages such as
NumPy, pandas, scikit-learn, TensorFlow, and Jupyter Notebook, thereby eliminating the need for
individual installations. One of the most useful features of Anaconda is Conda, its built-in package
and environment manager, which allows users to create isolated environments for different projects,
manage dependencies, and resolve package conflicts with ease. This streamlines the development
workflow and ensures reproducibility across different systems.

Jupyter Notebook: Jupyter Notebook is an open-source, web-based interactive development
environment that plays a critical role in the research and experimentation phase of the project. It
allows developers to write, run, and debug Python code in a cell-based modular format, which is
highly beneficial for iterative development and data exploration. One of Jupyter’s strengths is its
ability to blend live code, equations, visualizations, and narrative text within a single document,
making it ideal for both development and documentation. This functionality enhances transparency
and traceability in the machine learning workflow, especially during data preprocessing, model
training, performance evaluation, and result visualization. Furthermore, Jupyter supports various
extensions and integrations, allowing seamless usage with libraries like matplotlib, seaborn, pandas,
and TensorFlow.


3.4 Computational Resource Requirements:


Software Requirements
Software : Anaconda
Primary Language : Python
Front-End Technologies : HTML, CSS, JavaScript and Bootstrap 4

Hardware Requirements
Operating System : Windows only
Processor : i5 and above
RAM : 8 GB and above
Hard Disk : 25 GB in local drive

Deployment Requirements
Dataset : KDDCUP99, NSL-KDD, UNSW-NB15



4. Design

4.1 Architecture:

4.1.1 System Design:

System design is the transition from a user-oriented document to one oriented to programmers. The
design is a solution: a way to approach the creation of a new system. It is composed of several steps
and provides the understanding and procedural details necessary for implementing the system
recommended in the feasibility study. Design goes through logical and physical stages of
development: logical design reviews the present physical system, prepares input and output
specifications, details the implementation plan, and prepares a logical design walkthrough.

4.1.2 System Architecture:

It describes the structure and behavior of the technology infrastructure of an enterprise, solution or
system. In other words, system architecture can be described as the flow of the application, which
is represented below:

Fig 4.1.2.1 System Architecture


4.1.2.1 HTML, CSS, JavaScript:


HTML, CSS, and JavaScript collectively form the core front-end technologies used to create
interactive, user-friendly web interfaces that facilitate communication between the user and the
system. HTML structures the content of the web pages, defining the layout and positioning of
elements such as input forms, buttons, and display sections. CSS enhances the visual
appearance by applying styling elements like colors, fonts, and layouts, ensuring the interface
is aesthetically pleasing and responsive across devices. JavaScript adds dynamic functionality,
enabling real-time interaction, form validation, and asynchronous communication with backend
systems. In this project, these technologies allow users to input data, trigger backend processes,
and view model outputs such as predictions or visualized results—like graphs and charts—
within a seamless and engaging browser-based environment.

4.1.2.2 Database:
SQLite3 is a lightweight, file-based database used for storing input data, user logs, and
historical predictions in a structured format. It integrates easily with Python and Jupyter
Notebooks, making it ideal for data analysis and machine learning workflows. The database
supports fast and efficient data retrieval, enabling smooth access during model training and
testing phases. Its portability allows it to operate without the need for a dedicated server, making
it convenient for deployment across various environments.

4.1.2.3 Training and Testing Set:


The training set is used to train machine learning and deep learning models by providing both
input features and their corresponding labeled outputs in a supervised learning setup. It enables
the model to detect and learn patterns within the data, forming the foundation for accurate
predictions. Typically comprising 70–80% of the full dataset, the training set is carefully
curated to ensure comprehensive learning. The test set is essential for model evaluation, used
after training to assess how well the model performs on unseen data. It plays a key role in
measuring accuracy through metrics such as precision, recall, and F1-score, offering a
quantitative understanding of model effectiveness. Typically, it comprises 20–30% of the
original dataset, set aside specifically for this evaluation purpose.


4.1.2.4 Hidden Layers (Neural Network)


The model architecture integrates a combination of advanced neural networks to enhance
learning and prediction capabilities. RNNs are employed to capture sequential or time-series
dependencies, making them ideal for processing temporal data. RBMs contribute by learning
probabilistic representations and extracting meaningful features from the input. DNNs offer
multiple fully-connected layers that support complex classification and prediction tasks. CNNs
are incorporated to extract spatial features, particularly effective in handling image or structured
grid-like data.

4.1.3 Technical Architecture:


The technical architecture is that of a deep learning-based IoT intrusion detection system. It starts with a training database
containing network traffic data, which undergoes normalization to standardize and clean the
input. Important features are then selected to reduce unnecessary complexity and improve
learning accuracy. These selected features are passed into different learning algorithms
including RNN (for sequence learning), MLP (for basic classification), and DNN (for complex
pattern recognition). Each model processes the data to identify potential threats. The final
output is the detection of IoT-based cyber-attacks. This layered and systematic approach
improves detection accuracy and reduces false alarms in real-time environments.

Fig 4.1.3.1 Technical Architecture


4.1.3.1 Training Database


The training database serves as the foundational component for model learning, storing the raw
input data required to train deep learning algorithms. It typically contains labeled or structured
IoT network traffic data, including both normal behavior and various types of attack records.
This dataset enables the models to learn distinguishing patterns between benign and malicious
activities. As the primary data source, it plays a crucial role in powering the entire IoT attack
detection pipeline, ensuring the models are exposed to diverse and representative samples
during training.

Normalization
Normalization is a data preprocessing technique used to scale numerical input features to a
common range, typically between 0 and 1. This process ensures that no single feature dominates
the learning algorithm simply because of its scale. In many machine learning models—
especially those based on distance calculations, like k-NN, or gradient-based optimizations, like
neural networks—features with larger numeric values can unintentionally carry more weight,
skewing the model's understanding and leading to biased or inefficient learning. By normalizing
the data, each feature contributes equally to the learning process, improving the stability,
convergence speed, and overall performance of the model. This step also helps reduce the
impact of outliers and ensures that the model is not sensitive to the units or magnitude of the
raw data.

Feature Selection


Feature selection is a critical step in the data preprocessing pipeline that focuses on identifying
and retaining the most relevant, meaningful, and informative attributes from a dataset while
eliminating redundant or irrelevant ones. This process reduces the dimensionality of the data
and simplifies the model, leading to faster training times and improved computational
efficiency. More importantly, feature selection enhances the model’s ability to generalize by
minimizing the risk of overfitting, which can occur when the algorithm learns noise or
unimportant patterns. By narrowing the input to only the most impactful variables, the model
can focus on significant relationships within the data, resulting in better performance and easier
interpretability. This step is especially important when working with high-dimensional datasets,
where excessive features can overwhelm the learning algorithm and degrade prediction quality.
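The two preprocessing steps above, as an added example that is not part of the original report: min-max bounds are learned from the training rows only and reused on live traffic (out-of-range values are clipped to [0, 1]), then constant and redundant columns are dropped. The feature names follow NSL-KDD; the rows, thresholds and function names are constructed for illustration.

```python
import math

# Numeric feature names as used in NSL-KDD; the rows are constructed, not dataset records.
FEATURES = ["duration", "src_bytes", "dst_bytes", "count", "srv_count", "num_outbound_cmds"]
TRAIN_ROWS = [
    [0, 181, 5450, 8, 8, 0],
    [0, 1032, 486, 8, 8, 0],
    [2, 235, 1337, 16, 16, 0],
    [0, 0, 0, 255, 255, 0],
    [5, 239, 0, 1, 1, 0],
    [1, 300, 2000, 4, 4, 0],
]
# Constructed live row whose byte counts exceed anything seen during training.
LIVE_ROWS = [[1, 54540, 8314, 2, 2, 0]]


def fit_min_max(rows):
    """Learn per-feature (min, max) from training data only."""
    return [(min(col), max(col)) for col in zip(*rows)]


def transform(rows, bounds):
    """Scale to [0, 1] with the training bounds; clip values outside them."""
    scaled_rows = []
    for row in rows:
        scaled = []
        for value, (lo, hi) in zip(row, bounds):
            if hi == lo:                      # constant feature carries no signal
                scaled.append(0.0)
            else:
                scaled.append(min(1.0, max(0.0, (value - lo) / (hi - lo))))
        scaled_rows.append(scaled)
    return scaled_rows


def pearson(a, b):
    """Pearson correlation of two equal-length columns (0.0 if either is constant)."""
    mean_a, mean_b = sum(a) / len(a), sum(b) / len(b)
    cov = sum((x - mean_a) * (y - mean_b) for x, y in zip(a, b))
    var_a = sum((x - mean_a) ** 2 for x in a)
    var_b = sum((y - mean_b) ** 2 for y in b)
    if var_a == 0 or var_b == 0:
        return 0.0
    return cov / math.sqrt(var_a * var_b)


def select_features(scaled_rows, min_variance=1e-4, max_corr=0.95):
    """Return indices of columns that are neither near-constant nor redundant."""
    columns = list(zip(*scaled_rows))
    kept = []
    for i, col in enumerate(columns):
        mean = sum(col) / len(col)
        variance = sum((v - mean) ** 2 for v in col) / len(col)
        if variance < min_variance:
            continue                          # irrelevant: never changes
        if any(abs(pearson(col, columns[j])) > max_corr for j in kept):
            continue                          # redundant: duplicates a kept column
        kept.append(i)
    return kept


def preprocess(train_rows, live_rows):
    """Fit on training rows, then apply the same bounds and columns to live rows."""
    bounds = fit_min_max(train_rows)
    train_scaled = transform(train_rows, bounds)
    kept = select_features(train_scaled)
    names = [FEATURES[i] for i in kept]
    live_scaled = [[row[i] for i in kept] for row in transform(live_rows, bounds)]
    return names, live_scaled


if __name__ == "__main__":
    names, live = preprocess(TRAIN_ROWS, LIVE_ROWS)
    print(names)
    print(live)
```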


IoT Attacks Detection


IoT attacks detection is a crucial component in securing modern interconnected systems, where
vast numbers of resource-constrained devices are vulnerable to cyber threats. The final output
of an intrusion detection system (IDS) based on machine learning or hybrid techniques is a
classification decision that labels incoming data as either normal or indicative of an attack. This
classification is derived from a trained model that has learned patterns associated with known
malicious behaviors and benign activities. By automating this decision-making process, the
system significantly enhances the security framework of IoT infrastructures, enabling real-time
detection of anomalies or intrusions. This automation not only reduces the dependency on
continuous manual monitoring but also helps prevent potential damages caused by delayed
responses to cyber threats. As a result, it contributes to building a more resilient and self-
adaptive IoT environment that can effectively respond to evolving attack vectors while
maintaining system integrity and performance.

4.1.4 Modules:
A module is a part of a program. Programs are composed of one or more independently developed
modules. A module description provides detailed information about a module and its supported
components. The modules are:
• Dataset Collection
• Data Preprocessing
• Deep Learning Models
• Training and Testing
• Performance Metrics Analysis
• Real-Time Detection and Response

Dataset Collection:
Dataset collection serves as the foundation of an effective intrusion detection system. Utilizing
benchmark datasets such as NSL-KDD, KDDCup99, and UNSW-NB15 ensures that the system
is trained and tested on diverse and representative data. These datasets provide both labeled and
unlabeled records, enabling the models to learn patterns associated with various types of attacks
as well as normal activities.


Data Preprocessing:
Data preprocessing is essential to ensure that the input data is clean, consistent, and optimized
for machine learning. This phase involves normalizing and scaling the data to maintain
uniformity across features, which is vital for improving model performance. Feature extraction
techniques are employed to reduce redundancy by selecting the most relevant attributes, thereby
enhancing computational efficiency.

Deep Learning Models:


Deep learning models form the backbone of modern intrusion detection systems (IDS), offering
the capability to automatically learn and recognize intricate patterns in large volumes of
network traffic data. Unlike traditional rule-based approaches, deep learning techniques such
as Convolutional Neural Networks (CNNs), Recurrent Neural Networks (RNNs), and Long
Short-Term Memory (LSTM) networks can detect subtle and previously unseen attack
signatures by analyzing temporal and spatial correlations within the data. These models excel
at handling high-dimensional and unstructured input, making them particularly suitable for real-
time IoT threat detection. Additionally, this module explores the use of ensemble learning
methods, where multiple deep learning models are combined to form a more robust system. By
leveraging the strengths of different algorithms, ensemble approaches significantly improve
detection accuracy and reduce false positives—two major challenges in IDS deployment.
Ultimately, integrating deep learning and ensemble techniques enhances the adaptability,
precision, and reliability of the intrusion detection system, ensuring stronger defense
mechanisms for complex and evolving cybersecurity threats.

Training and Testing:


The training and testing phase is crucial for ensuring that the system is well-equipped to detect
intrusions accurately. During this phase, labeled datasets are used to train the models to
recognize specific attack patterns, while testing validates their performance on unseen data.
This process helps evaluate the model’s ability to generalize and respond effectively to real-
world threats. Key performance metrics such as accuracy, precision, recall, and F1-score are
analyzed to measure the model's effectiveness. Proper tuning and validation during this phase
ensure that the intrusion detection system can reliably distinguish between normal behavior and
malicious activity.


Performance Metrics Analysis:


Performance metrics are crucial for evaluating and improving the intrusion detection system.
Key metrics such as accuracy, precision, recall, and false positive rates provide valuable
insights into the system's effectiveness. This module also involves benchmarking the system's
performance against existing solutions to validate improvements and ensure competitiveness in
the cybersecurity landscape.


Real-Time Detection and Response:


Real-time detection and response are vital for protecting IoT networks and industrial systems
from evolving threats. Deploying the intrusion detection system for live monitoring allows it to
identify attacks as they occur, providing immediate insights into potential security breaches.
Automated responses to detected intrusions ensure minimal downtime.

Algorithm:
Convolutional Neural Network:
Convolutional Neural Networks (CNNs) are a class of deep learning models widely recognized
for their ability to extract hierarchical features from input data through convolutional
operations. Although traditionally employed for image recognition tasks, CNNs have been
effectively adapted in this project for intrusion detection by learning spatial patterns and
relationships between features in network traffic data. The CNN model processes structured
inputs—such as protocol types, service requests, and flag statuses—by identifying local feature
combinations that may signify cyber threats. By automatically learning these representations,
CNNs contribute significantly to reducing false positives and increasing detection accuracy in
recognizing specific types of known attacks within IoT networks.

This is especially valuable because IoT devices generate vast amounts of data, often hiding
attack patterns within large volumes of network traffic. CNNs can efficiently process this data
in real time, learning hierarchical representations that help identify both known and unknown
threats, including Denial-of-Service (DoS) attacks, data injection, spoofing, botnets, and
malicious firmware updates.

Structure of a CNN for Intrusion Detection in IoT Devices


A Convolutional Neural Network (CNN) used for detecting intrusions and attacks in IoT
networks typically consists of several interconnected layers, each playing a vital role in
transforming the raw input data into a meaningful prediction or classification.


The CNN architecture is designed to identify complex patterns in IoT traffic data and
distinguish between normal behavior and potential threats in real time. The main components
of such a CNN are:

Input Layer
The input layer is the entry point of the CNN model, where raw data is fed into the network. In
the context of IoT intrusion detection, this input is usually structured data derived from network
traffic. Common features include packet size, protocol type, source and destination IP
addresses, port numbers, time intervals between packets, and the type of network connection.

Convolutional Layers (Hidden Layers)


Convolutional layers are the first set of hidden layers in a CNN and are responsible for learning
spatial patterns from the input data. These layers apply multiple small filters (also called
kernels) that slide over the input matrix and perform mathematical operations (dot products) to
produce feature maps. Each filter is trained to detect specific patterns, such as an abnormal
packet rate or frequent connections to unfamiliar IPs.

Activation Functions (ReLU)


After convolution operations, an activation function is applied to introduce non-linearity into
the model. The most common activation function used in CNNs is ReLU (Rectified Linear
Unit). ReLU works by setting all negative values in the feature maps to zero, keeping only the
positive values. This step is essential because most real-world relationships in network traffic
data are non-linear.

Pooling Layers
Pooling layers are used to downsample the feature maps generated by the convolutional layers.
They reduce the spatial size of the data while retaining the most important information. Max pooling
is the most common type, where the highest value in each small region of the feature map is
selected. For intrusion detection, max pooling ensures that the most significant feature
indicating malicious behavior (e.g., an unusual spike in requests) is preserved while less
relevant data is discarded.


Fully Connected (Dense) Layers


Once the relevant features have been extracted and summarized, they are passed into one or
more fully connected layers, also known as dense layers. Here, every neuron is connected to
every neuron in the previous layer. These layers act as [Link] dense layers
combine the learned patterns and begin to associate them with specific output classes. The final
dense layer before the output helps prepare the network for classification by integrating all the
previously learned spatial and abstract features into a format suitable for output.

Output Layer
The output layer is the final part of the CNN and is responsible for generating the prediction
result. This layer provides the final decision—identifying the type of network behavior based
on the patterns learned by the hidden layers. For real-time systems, this output can trigger alerts
or automated defenses.
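The layer sequence described above (convolution, ReLU, max pooling, flatten, dense, softmax output), as an added example that is not code from the original report. The input is a constructed window of normalized request rates, and the filter and dense weights are hand-set stand-ins for trained parameters, so all names and values here are assumptions.

```python
import math

# Constructed input: requests per second from one device over 8 intervals,
# already normalized to [0, 1]. Not real traffic.
NORMAL_WINDOW = [0.10, 0.12, 0.11, 0.10, 0.13, 0.12, 0.11, 0.10]
SPIKE_WINDOW = [0.10, 0.12, 0.11, 0.95, 0.90, 0.12, 0.11, 0.10]

# Hand-set parameters standing in for trained ones (assumption for illustration).
FILTERS = [
    {"kernel": [-1.0, 0.0, 1.0], "bias": 0.0},          # responds to a sharp rise
    {"kernel": [1 / 3, 1 / 3, 1 / 3], "bias": -0.3},    # responds to a sustained high rate
]
CLASSES = ["normal", "attack"]
DENSE_WEIGHTS = [[0.0] * 6, [4.0] * 6]   # one row per class, one weight per flattened feature
DENSE_BIAS = [1.0, -1.0]


def conv1d(signal, kernel, bias):
    """Slide the kernel over the signal and take a dot product at each position."""
    k = len(kernel)
    return [sum(signal[i + j] * kernel[j] for j in range(k)) + bias
            for i in range(len(signal) - k + 1)]


def relu(values):
    """Set negative activations to zero."""
    return [max(0.0, v) for v in values]


def max_pool(values, size=2):
    """Keep the largest activation in each non-overlapping region."""
    return [max(values[i:i + size]) for i in range(0, len(values) - size + 1, size)]


def softmax(logits):
    """Turn class scores into probabilities that sum to 1."""
    peak = max(logits)
    exps = [math.exp(x - peak) for x in logits]
    total = sum(exps)
    return [e / total for e in exps]


def feature_maps(window):
    """Convolution, ReLU and pooling for every filter."""
    return [max_pool(relu(conv1d(window, f["kernel"], f["bias"]))) for f in FILTERS]


def classify(window):
    """Flatten the pooled maps, apply the dense layer, return (label, probabilities)."""
    flat = [v for fmap in feature_maps(window) for v in fmap]
    logits = [sum(w * x for w, x in zip(row, flat)) + b
              for row, b in zip(DENSE_WEIGHTS, DENSE_BIAS)]
    probs = softmax(logits)
    best = max(range(len(CLASSES)), key=lambda i: probs[i])
    return CLASSES[best], probs


if __name__ == "__main__":
    for name, window in (("normal", NORMAL_WINDOW), ("spike", SPIKE_WINDOW)):
        print(name, feature_maps(window), classify(window))
```

The pooled map of the rise filter keeps the spike's largest jump while the small fluctuations around it are discarded, which is the pooling behaviour the section describes.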

Recurrent Neural Network (RNN)


Recurrent Neural Networks (RNNs) are particularly suited for handling time-series and
sequential data. In this project, RNNs are utilized to capture temporal dependencies and
evolving patterns in network traffic, which are essential for detecting persistent and time-
dependent intrusions. RNNs operate by maintaining a memory of previous inputs in the form
of internal hidden states, which allows the model to make predictions based on both current and
past input sequences. This capability is crucial for identifying attacks that may span multiple
time frames or demonstrate patterns that unfold gradually. As a result, the integration of RNNs
enhances the system’s ability to detect complex, multi-step intrusions in real time.

IoT devices generate data in a time-ordered sequence, such as packet logs, command signals,
sensor readings, and communication timestamps. Unlike standard machine learning models,
RNNs can remember previous inputs using their internal memory, making them ideal for
detecting patterns that unfold over time. RNNs are effective in identifying:
• Gradual increase in data flow (e.g., slow DoS attacks)
• Periodic malicious access attempts (e.g., brute-force login)
• Sudden deviation from normal behavior
• Complex, multi-step attacks


Recurrent Neural Networks (RNNs) are well-suited for detecting intrusions in IoT
environments due to their ability to process and learn from time-sequential data. Their
architecture mimics how events occur in real time, making them ideal for analyzing network
traffic that unfolds over multiple time steps.

The input layer receives sequences of time-ordered features such as packet size, IP addresses,
ports, protocols, timestamps, and sensor outputs. Unlike traditional models that treat inputs as
isolated points, this layer structures the data chronologically, allowing the RNN to analyze the
behavioral flow of network activity as it naturally occurs.

RNN’s hidden layers contain recurrent units that maintain memory across time steps, enabling
the model to recognize evolving patterns such as gradual traffic anomalies or multi-stage
attacks. Advanced forms like LSTM and GRU (Gated Recurrent Unit) enhance this capability
by managing what information to retain or forget, making them effective at identifying long-
term dependencies and suppressing irrelevant [Link] handle non-linear and complex attack
patterns, activation functions like Tanh, ReLU, and Sigmoid are applied within the network.
These functions help the model learn from nuanced variations in data, which is critical for
detecting stealthy or rare attacks that don't follow simple [Link] output layer interprets the
learned sequence patterns and classifies network behavior into categories such as normal, DoS,
probe, or malware attack. Depending on the setup, it uses Sigmoid (for binary classification) or
Softmax (for multi-class classification) to produce predictions. The results from this layer can
trigger automatic security responses or alert systems.

Deep Neural Network with Multi-Layer Perceptron (DNN with MLP)


DNN with MLP architecture plays a central role in the classification of known intrusion types.
DNNs consist of multiple fully connected layers that are capable of learning intricate non-linear
relationships among features. The MLP used in this project includes input, hidden, and output
layers with activation functions such as ReLU, sigmoid, and softmax, enabling effective multi-
class classification. The model is trained on labeled datasets like KDDCup99 and NSL-KDD
to identify various attack types, including DoS, probe, R2L, and U2R. The simplicity and
scalability of DNNs make them an essential component of the system’s classification pipeline.

A CNN+MLP model consists of two core functional blocks:
• CNN Block: Automatically extracts patterns from raw network traffic data, detecting
irregularities or malicious trends.
• MLP Block: Takes these extracted patterns and determines whether the traffic is normal
or an attack, and if so, classifies its type.

By feeding the CNN with structured, image-like input, we empower the model to simulate how
network behaviors unfold, thereby offering a more accurate understanding of real-time events.
This is crucial in cybersecurity because attack behaviors are rarely linear or straightforward.
ReLU ensures that the model focuses only on impactful signals, ignoring noise or irrelevant
fluctuations in the data. To manage computational complexity and prevent overfitting, pooling
layers (such as Max Pooling) are used after some convolutional layers.

After feature extraction is complete, the output from the CNN layers—typically in the form of
multi-dimensional arrays—is flattened into a one-dimensional vector. This flattening step
translates spatial patterns into a feature vector that can be used for classification. The flattened
vector is then passed into the Multilayer Perceptron (MLP) block of the model, which serves as
the decision-making engine.

The hidden MLP layers are particularly valuable in intrusion detection because they can learn
complex decision boundaries. For instance, they can distinguish between normal file uploads
and malicious data exfiltration, even if the surface-level behavior looks similar. The ability to
combine and interpret multiple high-level features allows the model to make fine-grained
distinctions—a necessity when dealing with cleverly disguised or multi-stage attacks.
Additionally, MLPs can generalize well from training data, making the model robust against
previously unseen attack patterns.

Once a prediction is made, the output can trigger various actions such as generating alerts,
updating intrusion logs, quarantining affected devices, or adjusting firewall rules. The CNN
layers uncover meaningful patterns in raw traffic data, while the MLP layers interpret these
features to make accurate, real-time decisions. The overall effectiveness of this layer, however,
hinges on the quality of learning that occurs in the hidden CNN and MLP layers—which makes
them the backbone of the system. They transform raw data into actionable insights, enabling
systems to predict, prevent, and respond to intrusions before they cause harm—making them
essential for the security of IoT networks.

Restricted Boltzmann Machine (RBM)


The Restricted Boltzmann Machine (RBM) is a type of generative stochastic neural network
employed in this project for unsupervised learning and anomaly detection. RBMs learn to model
the distribution of normal network traffic patterns, enabling the detection of deviations that
could indicate potential cyber-attacks. Unlike discriminative models, RBMs do not require
labeled data, making them highly suitable for identifying previously unseen or zero-day attacks.
By integrating RBMs into the system, the project adds a robust mechanism for uncovering
hidden threats in the IoT network, thereby enhancing the detection of anomalous behavior
beyond the scope of known attack categories.

An RBM is a type of generative stochastic neural network that is capable of learning the
probability distribution of input data. Unlike standard feedforward neural networks, RBMs are
designed to discover hidden patterns in data by using unsupervised learning. This makes them
particularly useful for identifying anomalous behavior and unknown attack types in network traffic,
which is often hard to label and categorize.

The hidden layer in an RBM is where most of the learning and abstraction happen. Each hidden
neuron tries to detect useful features or patterns that exist in the input. Here's how the hidden
layer becomes vital in an IoT intrusion detection system:

• Feature Discovery: The hidden layer learns to discover patterns that are not explicitly
labeled. It may detect common sequences or statistical irregularities that indicate
suspicious activity.
• Unsupervised Learning: RBMs are unsupervised, so the hidden layer doesn't require
labeled attack data to start learning. This is important for IoT, where new types of
attacks can emerge frequently, and labeled datasets are limited.
• Dimensionality Reduction: The hidden layer compresses high-dimensional network
traffic data into a smaller number of meaningful features, making it easier to analyze
and visualize.
• Anomaly Detection: Once the RBM learns the distribution of normal traffic, any
significant deviation detected by the hidden layer's activation can be flagged as an
anomaly, which might indicate a cyberattack.

The RBM-based intrusion detection process begins with preprocessing, where raw IoT traffic
data is cleaned, normalized, and encoded before being fed into the visible layer. In the training
phase, the RBM uses Contrastive Divergence to learn patterns in normal behavior by
minimizing reconstruction error between input and output. When new data is introduced, the
hidden layer activates neurons based on previously learned patterns. If the input cannot be well
reconstructed, it's flagged as anomalous. This allows the model to detect zero-day attacks or
unknown threats. Although RBMs don’t have an output layer by default, the extracted features
can be passed to a classifier like softmax or logistic regression for final intrusion classification.
Alternatively, detection can rely solely on reconstruction error [Link] hidden layers in

RBMs serve several purposes in the context of real-time intrusion detection for IoT:

• Learning from Unlabeled Data: IoT traffic data is mostly unlabeled. RBMs thrive in
this setting by learning useful features.

• Detecting Unknown Attacks: Because they model what normal behavior looks like,
RBMs can flag any unfamiliar or odd pattern as an anomaly even if it's a completely
new form of attack.

• Low Computational Load: Hidden layers in RBMs are computationally efficient.
Unlike deeper networks with many layers, a single hidden layer in an RBM can already
provide meaningful insights, which suits real-time detection on IoT devices.

• Flexible Integration: The features from the hidden layer can be used as input to other
models like SVM, Decision Trees, or Deep Neural Networks, making RBMs a great
pre-processing or feature-extraction tool in larger intrusion detection pipelines.


Restricted Boltzmann Machines offer a powerful yet lightweight approach to real-time intrusion
detection in IoT systems. The model’s hidden layers are particularly valuable: they learn
underlying structures, recognize normal patterns, and identify anomalies with high accuracy.
Unlike traditional rule-based systems, RBMs adapt to the dynamic nature of IoT environments
and help detect both known and unknown threats. Their ability to function with minimal labeled
data and low computational needs makes them an excellent fit for securing modern IoT
deployments.
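The RBM process described in this section (train on normal traffic with Contrastive Divergence, then flag inputs that reconstruct poorly), as an added example that is not code from the original report. The binary flow encoding, the sample vectors, the hyperparameters and the threshold rule (worst training error plus 0.5) are all assumptions made for illustration.

```python
import math
import random

# Constructed binary flow features for one IoT device (hypothetical encoding).
FEATURES = ["proto_mqtt", "proto_https", "proto_telnet",
            "port_1883", "port_443", "port_23",
            "small_payload", "large_payload"]
TELEMETRY = [1, 0, 0, 1, 0, 0, 1, 0]       # MQTT sensor publish (normal)
UPDATE_CHECK = [0, 1, 0, 0, 1, 0, 0, 1]    # HTTPS firmware check (normal)
NORMAL_TRAFFIC = [TELEMETRY, UPDATE_CHECK] * 4
TELNET_LOGIN = [0, 0, 1, 0, 0, 1, 1, 0]    # never seen during training


def sigmoid(x):
    x = max(-30.0, min(30.0, x))            # avoid overflow in exp
    return 1.0 / (1.0 + math.exp(-x))


class RBM:
    def __init__(self, n_visible, n_hidden, seed=0):
        self.rng = random.Random(seed)
        self.w = [[self.rng.gauss(0.0, 0.1) for _ in range(n_hidden)]
                  for _ in range(n_visible)]
        self.b = [0.0] * n_visible          # visible biases
        self.c = [0.0] * n_hidden           # hidden biases

    def hidden_probs(self, v):
        return [sigmoid(self.c[j] + sum(v[i] * self.w[i][j] for i in range(len(v))))
                for j in range(len(self.c))]

    def visible_probs(self, h):
        return [sigmoid(self.b[i] + sum(h[j] * self.w[i][j] for j in range(len(h))))
                for i in range(len(self.b))]

    def cd1_update(self, v0, lr):
        """One Contrastive Divergence (CD-1) step on a single sample."""
        h0 = self.hidden_probs(v0)
        h0_sample = [1.0 if self.rng.random() < p else 0.0 for p in h0]
        v1 = self.visible_probs(h0_sample)  # reconstruction of the input
        h1 = self.hidden_probs(v1)
        for i in range(len(v0)):
            for j in range(len(h0)):
                self.w[i][j] += lr * (v0[i] * h0[j] - v1[i] * h1[j])
            self.b[i] += lr * (v0[i] - v1[i])
        for j in range(len(h0)):
            self.c[j] += lr * (h0[j] - h1[j])

    def fit(self, data, epochs=500, lr=0.1):
        for _ in range(epochs):
            order = data[:]
            self.rng.shuffle(order)
            for v in order:
                self.cd1_update(v, lr)

    def reconstruction_error(self, v):
        """Squared error between the input and its deterministic reconstruction."""
        v_recon = self.visible_probs(self.hidden_probs(v))
        return sum((a - r) ** 2 for a, r in zip(v, v_recon))


def train_detector(margin=0.5):
    """Train on normal traffic only; threshold = worst training error + margin."""
    rbm = RBM(n_visible=len(FEATURES), n_hidden=3)
    rbm.fit(NORMAL_TRAFFIC)
    threshold = max(rbm.reconstruction_error(v) for v in NORMAL_TRAFFIC) + margin
    return rbm, threshold


def is_anomalous(rbm, threshold, v):
    return rbm.reconstruction_error(v) > threshold


if __name__ == "__main__":
    rbm, threshold = train_detector()
    for name, v in (("telemetry", TELEMETRY), ("update_check", UPDATE_CHECK),
                    ("telnet_login", TELNET_LOGIN)):
        print(name, round(rbm.reconstruction_error(v), 4), is_anomalous(rbm, threshold, v))
```

In a deployment the threshold would be chosen from the error distribution on held-out normal traffic rather than from a fixed margin.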

5. Implementation

Deep learning drives many artificial intelligence (AI) applications and services that improve
automation, performing analytical and physical tasks without human intervention. Deep
learning technology lies behind everyday products and services (such as digital assistants,
voice-enabled TV remotes, and credit card fraud detection) as well as emerging technologies
(such as self-driving cars).

5.1 Deep learning


Deep learning neural networks, or artificial neural networks, attempt to mimic the human brain
through a combination of data inputs, weights, and bias. These elements work together to
accurately recognize, classify, and describe objects within the data.

Deep neural networks consist of multiple layers of interconnected nodes, each building upon
the previous layer to refine and optimize the prediction or categorization. This progression of
computations through the network is called forward propagation. The input and output layers
of a deep neural network are called visible layers. The input layer is where the deep learning
model ingests the data for processing, and the output layer is where the final prediction or
classification is made.

Another process called backpropagation uses algorithms, like gradient descent, to calculate
errors in predictions and then adjusts the weights and biases of the function by moving
backwards through the layers in an effort to train the model. Together, forward propagation and
backpropagation allow a neural network to make predictions and correct for any errors
accordingly. Over time, the algorithm becomes gradually more accurate.


5.2 Technologies:
5.2.1 Frontend Interface:
Flask:
Flask is a lightweight Python micro-framework used to build the frontend interface of the
intrusion detection system. It provides core features like routing, request handling, and
templating via Jinja2, while allowing developers the flexibility to add extensions as needed.
This minimalistic design makes Flask ideal for custom web applications where control over the
architecture is important. In this project, Flask enables smooth integration between the user
interface and the machine learning backend, allowing real-time display of predictions and alerts
with minimal overhead.

HTML, CSS & JavaScript:
HTML, CSS, and JavaScript form the foundational technologies of modern web development
and are integral to building interactive and user-friendly interfaces. HTML (HyperText Markup
Language) acts as the structural framework of web pages, defining elements such as headings,
paragraphs, buttons, input forms, tables, and links. It tells the browser what content to display
and how different components are hierarchically related. CSS (Cascading Style Sheets) controls
the visual presentation of these elements, allowing developers to define layouts, color schemes,
fonts, spacing, and responsive behavior across different screen sizes. Advanced layout
techniques like Flexbox and CSS Grid help maintain design consistency and responsiveness,
making the interface visually appealing and user-centric. JavaScript brings dynamic
functionality to the interface, enabling real-time interactions such as form validation,
animations, toggling content, and fetching data without reloading the page using AJAX. In the
context of this project, HTML, CSS, and JavaScript work together to allow users to interact
with the system effortlessly—submitting input data, receiving feedback, viewing visualizations,
and navigating the dashboard seamlessly. Their combined use ensures the frontend is not only
functional but also intuitive, responsive, and engaging.

5.2.2 Python:
Below are some facts about Python. Python is currently the most widely used multi-purpose,
high-level programming language. Python allows programming in Object-Oriented and
Procedural paradigms. Python programs are generally smaller than equivalent programs in other
languages like Java. Programmers have to type relatively less, and the language's indentation
requirement keeps the code readable. The biggest strength of Python is its huge
collection of standard libraries, which can be used for the following:
• GUI Applications (like Kivy, Tkinter, PyQt etc.)
• Web frameworks like Django (used by YouTube, Instagram, Dropbox)
• Image processing (like OpenCV, Pillow)
• Web scraping (like Scrapy, Beautiful Soup, Selenium)
• Test frameworks
• Multimedia

Advantages of Python:
Let’s see how Python dominates over other languages.
• Extensive Libraries
• Extensible
• Improved Productivity
• IOT Opportunities
• Simple and Easy
• Readable
• Object-Oriented
• Free and Open-Source

Disadvantages of Python
So far, we’ve seen why Python is a great choice for your project. But if you choose it, you
should be aware of its consequences as well. Let’s now see the downsides of choosing Python
over another language.
• Speed Limitations
• Weak in Mobile Computing and Browsers
• Design Restrictions
• Underdeveloped Database Access Layers

5.2.3 Backend Data Handling:

NumPy:
NumPy is a general-purpose array-processing package. It provides a high-performance
multidimensional array object, and tools for working with these arrays. It is the fundamental
package for scientific computing with Python. It contains various features including these
important ones:
• A powerful N-dimensional array object
• Sophisticated (broadcasting) functions
• Tools for integrating C/C++ and Fortran code

Pandas
Pandas is an open-source Python library providing high-performance data manipulation and
analysis tools built on its powerful data structures. Python was majorly used for data munging and
preparation. It had very little contribution towards data analysis. Pandas solved this problem.
Using Pandas, we can accomplish five typical steps in the processing and analysis of data,
regardless of the origin of the data: load, prepare, manipulate, model, and analyze. Python with
Pandas is used in a wide range of fields, including academic and commercial domains such as
finance, economics, statistics, and analytics.

Scikit-learn


Scikit-learn is one of the most widely used machine learning libraries in Python, offering a
broad range of efficient tools for both supervised and unsupervised learning tasks. It provides
a clean and consistent API that simplifies the implementation of algorithms such as
classification, regression, clustering, dimensionality reduction, and model evaluation. Built on
top of foundational libraries like NumPy, SciPy, and matplotlib, Scikit-learn is optimized for
performance while remaining user-friendly, making it highly suitable for both beginners and
experienced practitioners. In this system, Scikit-learn plays a critical role in model development
and evaluation, supporting tasks like data preprocessing, feature selection, and applying
algorithms such as Random Forest, SVM, and logistic regression.

TensorFlow
TensorFlow is a free and open-source software library for dataflow and differentiable
programming across a range of tasks. It is a symbolic math library and is also widely used for
machine learning applications such as neural networks. TensorFlow is employed for both
research and production at Google and was originally developed by the Google Brain team for
internal use. It was released under the Apache 2.0 open-source license on November 9, 2015.
The library supports deployment across various platforms, including desktops, mobile devices,
and edge systems, making it highly versatile. Its scalable architecture allows for easy training
and deployment of models on both CPUs and GPUs, enabling efficient handling of large
datasets.

5.2.4 Utility & Support
Matplotlib:
Matplotlib is a Python 2D plotting library which produces publication quality figures in a
variety of hardcopy formats and interactive environments across platforms. Matplotlib can be
used in Python scripts, the Python and IPython shells, the Jupyter Notebook, web application
servers, and four graphical user interface toolkits. Matplotlib tries to make easy things easy and
hard things possible. You can generate plots, histograms, power spectra, bar charts, error charts,
scatter plots, etc., with just a few lines of code. For examples, see the sample plots and
thumbnail gallery.

LabelEncoder:
These preprocessing tools from scikit-learn convert text or categorical values into numerical
formats ML models can understand:
• LabelEncoder maps each unique class (e.g. “Paris”, “Tokyo”) to an integer (0, 1, 2…), useful
for target labels or ordinal features.
• OneHotEncoder creates binary columns for each category, avoiding implying order
(e.g. Paris → [1,0,0]), essential for non-ordinal features like protocol types.
One-hot encoding ensures that categorical variables are represented in a way that doesn't
mislead machine learning models.

MinMaxScaler:
MinMaxScaler is a widely used normalization technique in data preprocessing that transforms
numeric feature values into a fixed range, typically between 0 and 1. It works by rescaling each
feature individually based on its minimum and maximum values using the formula:
X_scaled = (X – X.min) / (X.max – X.min) × (max – min) + min,
where X.min and X.max are the feature's minimum and maximum and (min, max) is the target range.
This method is especially important when working with machine learning models that are
sensitive to the scale of input features, such as neural networks, support vector machines, or
gradient descent-based algorithms. Without scaling, features with larger magnitudes can
dominate the learning process, leading to biased models and slower convergence. By ensuring
that all features are on the same scale, MinMaxScaler improves model performance, speeds up
training, and allows for more balanced learning. Additionally, it helps in reducing the impact
of unit disparities between features, making the data more suitable for algorithms that assume
equal importance and distribution of input variables.
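
The encoders and the scaling formula described above, as an added example that is not part of the report's own code: dependency-free versions fitted on training records only and then applied to a record with a protocol and a byte count never seen in training. The records, the class names LabelMap, OneHot and MinMax, and the helper functions are constructed for illustration; the unseen-category and clip behaviours correspond to scikit-learn's handle_unknown='ignore' and clip=True options.

```python
# Added example: all records are constructed sample data, not rows from the
# KDD Cup 1999 files used by the report.

TRAIN = [  # (protocol_type, duration, src_bytes)
    ("tcp", 0, 100),
    ("tcp", 2, 200),
    ("udp", 0, 300),
    ("icmp", 0, 500),
    ("tcp", 10, 1100),
]


class LabelMap:
    """One integer per category, assigned in sorted order (what LabelEncoder does)."""

    def fit(self, values):
        self.classes_ = sorted(set(values))
        self.index_ = {c: i for i, c in enumerate(self.classes_)}
        return self

    def transform(self, values):
        # An unseen category raises KeyError: no integer code exists for it.
        return [self.index_[v] for v in values]


class OneHot(LabelMap):
    """One binary column per category; an unseen category becomes an all-zero row."""

    def transform(self, values):
        rows = []
        for v in values:
            row = [0] * len(self.classes_)
            if v in self.index_:
                row[self.index_[v]] = 1
            rows.append(row)
        return rows


class MinMax:
    """X_scaled = (X - X.min) / (X.max - X.min) * (max - min) + min, per column."""

    def __init__(self, feature_range=(0.0, 1.0), clip=False):
        self.lo, self.hi = feature_range
        self.clip = clip

    def fit(self, rows):
        cols = list(zip(*rows))
        self.min_ = [min(c) for c in cols]
        # A constant column has zero span; use 1 so it maps to `lo` instead of dividing by 0.
        self.span_ = [(max(c) - min(c)) or 1 for c in cols]
        return self

    def transform(self, rows):
        out = []
        for row in rows:
            scaled = [(x - m) / s * (self.hi - self.lo) + self.lo
                      for x, m, s in zip(row, self.min_, self.span_)]
            if self.clip:  # keep live values inside the range seen by the model
                scaled = [min(max(v, self.lo), self.hi) for v in scaled]
            out.append(scaled)
        return out


def build_pipeline(train, clip=False):
    """Fit the encoder and the scaler on the training records only."""
    onehot = OneHot().fit([r[0] for r in train])
    scaler = MinMax(clip=clip).fit([r[1:] for r in train])
    return onehot, scaler


def encode(records, onehot, scaler):
    """Feature vectors: one-hot protocol columns followed by scaled numeric columns."""
    cats = onehot.transform([r[0] for r in records])
    nums = scaler.transform([r[1:] for r in records])
    return [c + n for c, n in zip(cats, nums)]


if __name__ == "__main__":
    onehot, scaler = build_pipeline(TRAIN)
    # Integer codes imply an order (icmp < tcp < udp) that the protocols do not have.
    print(LabelMap().fit([r[0] for r in TRAIN]).transform(["icmp", "tcp", "udp"]))
    live = [("gre", 5, 2100)]  # protocol and byte count outside the training data
    print(encode(live, onehot, scaler))
    print(encode(live, *build_pipeline(TRAIN, clip=True)))
```

Without clipping, the out-of-range byte count scales to 2.0, a value the network never saw during training, so a deployed detector should either clip or flag such inputs.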

Adam optimizer:
Adam (Adaptive Moment Estimation) is a popular stochastic optimization algorithm used in
Keras/TensorFlow. It adapts the learning rate per parameter by estimating both the first (mean)
and second (variance) moments of the gradients, combining benefits of momentum and
RMSProp.
Advantages include:
• Efficient memory usage and computational ease
• Invariance to diagonal gradient scaling
• Robust performance on large datasets and deep neural networks
• Little hyperparameter tuning required
This makes it ideal for training complex models like CNNs and LSTMs.
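
The update rule summarised above, written out as an added example (not code from the report): Adam and plain gradient descent run with the same learning rate on a constructed loss whose two parameters have gradients that differ in scale by a factor of one million. The loss, its coefficients and the function names are assumptions made for the illustration.

```python
import math


def adam(grad, theta, lr=0.01, beta1=0.9, beta2=0.999, eps=1e-8, steps=50):
    """Minimise a function from its gradient using the Adam update rule."""
    theta = list(theta)
    m = [0.0] * len(theta)  # first moment: running mean of the gradients
    v = [0.0] * len(theta)  # second moment: running mean of the squared gradients
    for t in range(1, steps + 1):
        g = grad(theta)
        for i, gi in enumerate(g):
            m[i] = beta1 * m[i] + (1 - beta1) * gi
            v[i] = beta2 * v[i] + (1 - beta2) * gi * gi
            m_hat = m[i] / (1 - beta1 ** t)  # bias correction for the zero start
            v_hat = v[i] / (1 - beta2 ** t)
            # Dividing by sqrt(v_hat) gives every parameter its own step size.
            theta[i] -= lr * m_hat / (math.sqrt(v_hat) + eps)
    return theta


def sgd(grad, theta, lr=0.01, steps=50):
    """Plain gradient descent with one global learning rate, for comparison."""
    theta = list(theta)
    for _ in range(steps):
        g = grad(theta)
        theta = [w - lr * gi for w, gi in zip(theta, g)]
    return theta


# Constructed loss f(w) = 0.5 * (1000 * w0**2 + 0.001 * w1**2): one steep and
# one nearly flat direction, like features left on very different scales.
SCALES = (1000.0, 0.001)


def grad(theta):
    return [s * w for s, w in zip(SCALES, theta)]


if __name__ == "__main__":
    start = [1.0, 1.0]
    print("Adam, 1 step  :", adam(grad, start, steps=1))   # both move by about lr
    print("Adam, 50 steps:", adam(grad, start))            # both follow the same path
    print("SGD,  50 steps:", sgd(grad, start))             # w0 diverges, w1 barely moves
```

The near-identical trajectories of the two parameters under Adam are the "invariance to diagonal gradient scaling" listed above; gradient descent with the same learning rate overshoots on the steep parameter and stalls on the flat one.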

5.3 Code:
import pandas as pd
import numpy as np
import gzip
import requests
import matplotlib.pyplot as plt
import seaborn as sns

from sklearn.preprocessing import LabelEncoder
from sklearn.model_selection import train_test_split
from sklearn.preprocessing import MinMaxScaler
from sklearn.metrics import accuracy_score
from sklearn.preprocessing import OneHotEncoder

# from ann_visualizer.visualize import ann_viz

from tensorflow.keras.models import Sequential
from tensorflow.keras.utils import plot_model
from tensorflow.keras.layers import Dense
from tensorflow.keras.optimizers import Adam

# Load the 10% KDD Cup 1999 subset and the file that lists the feature names
df = pd.read_csv('/kaggle/input/kdd-cup-1999-data/kddcup.data_10_percent.gz', header=None)
cols = pd.read_csv('/kaggle/input/kdd-cup-1999-data/kddcup.names', header=None)
df.head()

# Each line of this file is "<attack name> <attack category>"
with open('/kaggle/input/kdd-cup-1999-data/training_attack_types', 'r') as f:
    attack_types = f.read()
print(attack_types)

## Creating a dictionary of attack types
types = dict()
types['normal'] = 'normal'
for line in attack_types.split("\n"):
    if line:
        attack, description = line.split(" ", 1)
        types[attack] = description

print(types)

# The first row of the names file lists the attack labels, not a feature; drop it
if cols[0][0] == 'back':
    cols = cols.drop(cols.index[0])
    cols.reset_index(drop=True, inplace=True)

cols = cols.dropna(axis=1)
cols.head()
# Split "name: type" into the feature name and its type
cols[[0, 1]] = cols[0].str.split(':', expand=True)

cols.head()
names = cols[0].tolist()
names.append('label')
df.columns = names
df.head()

# Labels end with a trailing '.', so strip it before looking up the category
df['Attack Type'] = df['label'].apply(lambda x: types[x[:-1]])

df.head()

AT_count = df['Attack Type'].value_counts()
AT_count

AT_per = AT_count/len(df)*100
AT_per
lab_count = df.label.value_counts()
lab_count
lab_per = lab_count/len(df)*100
lab_per
print("Shape :", df.shape)

print("Number of features :", len(df.columns))
print("Number of unique services :", df.service.nunique())
print("Number of labels :", len(df['label'].unique()))
print("missing values :", df.isnull().sum().sum())

df.isnull().sum().sum()
categorical = df.select_dtypes(include=['object']).columns
print("Categorical features :", categorical)
categorical = categorical.tolist()
print("Categorical features list:", categorical)
categorical.remove('label')
categorical.remove('Attack Type')
print("Extracted categorical features list:", categorical)

# Distribution of protocol types
fig, ax = plt.subplots(figsize=(7, 7))
sns.countplot(x='protocol_type', data=df, ax=ax, palette='Blues_d')
sns.set_style("darkgrid")

# Write the count above each bar
for p in ax.patches:
    ax.annotate(str(p.get_height()),
                (p.get_x() * 1.005, p.get_height() * 1.005))

df.protocol_type.value_counts()/len(df)*100

# Distribution of services
fig, ax = plt.subplots(figsize=(17, 7))
sns.countplot(x='service', data=df, ax=ax, palette='Spectral',
              order=df['service'].value_counts().index, linewidth=0)

sns.set_style("dark")
plt.xticks(rotation=90)
plt.show()

df.service.value_counts()/len(df)*100

# Distribution of connection flags
fig, ax = plt.subplots(figsize=(10, 8))
sns.countplot(x='flag', data=df, ax=ax, palette='Blues_r',
              order=df['flag'].value_counts().index, linewidth=0)
plt.show()

df.flag.value_counts()/len(df)*100
# Share of connections whose flag is not one of the three most frequent (SF, S0 and REJ)
flag_counts = df['flag'].value_counts()
(flag_counts.sum() - flag_counts.iloc[0]
 - flag_counts.iloc[1] - flag_counts.iloc[2]) / flag_counts.sum() * 100

# Distribution of attack categories
fig, ax = plt.subplots(figsize=(15, 5))
sns.countplot(x='Attack Type', data=df, ax=ax, palette='Greens_r',
              order=df['Attack Type'].value_counts().index, linewidth=0)
plt.show()

print('Top 3 the attack types are : ',
      df['Attack Type'].value_counts().index[:3].tolist())

# Heatmap of missing values
fig, axis = plt.subplots(figsize=(12, 10))
sns.heatmap(df.isnull(), cmap='cool')

print("we can see that there are no missing values in the dataset")
plt.title("Missing values in the dataset")
axis.set_xlabel("Features")
axis.set_ylabel("Rows")

plt.show()

# Drop columns that hold a single value; they carry no information
df = df[[col for col in df if df[col].nunique() > 1]]

# Correlation is defined for numeric columns only
corr = df.corr(numeric_only=True)
print(corr.shape)
fig, ax = plt.subplots(figsize=(17, 15))
sns.heatmap(corr, cmap='coolwarm', ax=ax, linewidths=0.1)
plt.title("Correlation between features")
plt.show()
high_corr = corr[abs(corr) > 0.8]  # type: ignore

high_corr_pairs = high_corr.unstack().sort_values(kind="quicksort",
                                                  ascending=False).drop_duplicates()

high_corr_pairs
# Remove one feature from each highly correlated pair
df.drop('num_root', axis=1, inplace=True)
df.drop('srv_rerror_rate', axis=1, inplace=True)
df.drop('dst_host_srv_rerror_rate', axis=1, inplace=True)
df.drop('dst_host_rerror_rate', axis=1, inplace=True)
df.drop('srv_serror_rate', axis=1, inplace=True)
df.drop('dst_host_srv_serror_rate', axis=1, inplace=True)
df.drop('dst_host_serror_rate', axis=1, inplace=True)
df.drop('dst_host_same_srv_rate', axis=1, inplace=True)
df.shape
df.columns

df['protocol_type'].value_counts()
df['service'].value_counts()
df['flag'].value_counts()
# Replace each categorical value with an integer code
Le = LabelEncoder()
df['protocol_type'] = Le.fit_transform(df['protocol_type'])
df['service'] = Le.fit_transform(df['service'])
df['flag'] = Le.fit_transform(df['flag'])
df['protocol_type'].value_counts()
df['service'].value_counts()
df = df.drop(['service'], axis=1)
df['flag'].value_counts()
df.head()
df.to_csv('processed_kdd.csv', index=False)

X = df.drop(['label', 'Attack Type'], axis=1)
y = df['Attack Type']

X_train, X_test, y_train, y_test = train_test_split(X, y, test_size=0.2, random_state=42)

# Fit the scaler and the label encoder on the training split only and reuse
# them on the test split, so that no test-set statistics reach the model.
scaler = MinMaxScaler()
X_train = scaler.fit_transform(X_train)
X_test = scaler.transform(X_test)
y_train = np.array(y_train)
y_test = np.array(y_test)
encoder = OneHotEncoder()
y_train = encoder.fit_transform(y_train.reshape(-1, 1)).toarray()
y_test = encoder.transform(y_test.reshape(-1, 1)).toarray()

## checking how a model performs with different learning rates
fig, ax = plt.subplots(4, figsize=(10, 8))
ax = ax.flatten()

learning_rates = [0.1, 0.01, 0.001, 0.0001]

for i, lr in enumerate(learning_rates):
    opt = Adam(learning_rate=lr)
    model = Sequential()
    model.add(Dense(X_train.shape[1], input_dim=X_train.shape[1], activation='relu'))
    model.add(Dense(12, activation='relu'))
    model.add(Dense(5, activation='softmax'))
    model.compile(loss='categorical_crossentropy', optimizer=opt, metrics=['accuracy'])
    trials = model.fit(X_train, y_train, epochs=10, validation_data=(X_test, y_test))

    ax[i].plot(trials.history['accuracy'], label=str(lr))
    ax[i].set_title('Learning Rate: ' + str(lr))
    ax[i].set_xlabel('Epoch')
    ax[i].set_ylabel('Accuracy')
    ax[i].legend()
plt.tight_layout()
plt.show()

## checking how a model performs with different hidden-layer activation functions
fig, ax = plt.subplots(4, figsize=(10, 8))
ax = ax.flatten()

activation_func = ['sigmoid', 'tanh', 'relu', 'elu']

for i, acfn in enumerate(activation_func):
    opt = Adam(learning_rate=0.001)
    model = Sequential()
    model.add(Dense(X_train.shape[1], input_dim=X_train.shape[1], activation='relu'))
    model.add(Dense(12, activation=acfn))
    model.add(Dense(5, activation='softmax'))

    model.compile(loss='categorical_crossentropy', optimizer=opt, metrics=['accuracy'])

    trials = model.fit(X_train, y_train, epochs=10, validation_data=(X_test, y_test))

    ax[i].plot(trials.history['accuracy'], label=str(acfn))
    ax[i].set_title('Activation Function: ' + str(acfn))
    ax[i].set_xlabel('Epoch')
    ax[i].set_ylabel('Accuracy')
    ax[i].legend()

plt.tight_layout()
plt.show()
X_train.shape[1]

# Final model: learning rate 0.001 with ReLU in the hidden layer
opt = Adam(learning_rate=0.001)
model = Sequential()
model.add(Dense(X_train.shape[1], input_dim=X_train.shape[1], activation='relu'))
model.add(Dense(12, activation='relu'))
model.add(Dense(5, activation='softmax'))
model.compile(loss='categorical_crossentropy', optimizer=opt, metrics=['accuracy'])
trials = model.fit(X_train, y_train, epochs=10, validation_split=0.2, batch_size=64)
plot_model(model, to_file='model_diagram.png', show_shapes=True, show_layer_names=True)
# ann_viz(model, title="Neural Network Model",view=True, filename="[Link]")

# Training and validation accuracy per epoch
fig, ax = plt.subplots(figsize=(15, 15))
plt.plot(trials.history['accuracy'])
plt.plot(trials.history['val_accuracy'])

plt.title('model accuracy')
plt.ylabel('accuracy')
plt.xlabel('epoch')
plt.legend(['train', 'test'], loc='upper left')
plt.show()

# Loss and accuracy on the held-out test split
loss, accuracy = model.evaluate(X_test, y_test)
print(loss, accuracy)
plt.plot(loss, accuracy, marker='o')  # a single point, so draw it with a marker
plt.title('Loss vs Accuracy')
plt.xlabel('Loss')
plt.ylabel('Accuracy')
plt.show()
model.save('NN_model.h5')

5.3.1 Sample Logic Implementation:

import numpy as np
import matplotlib.pyplot as plt
from sklearn.metrics import accuracy_score, precision_score, recall_score, f1_score

from tensorflow.keras.models import Sequential
from tensorflow.keras.layers import Dense
from tensorflow.keras.models import Model, load_model
from tensorflow.keras.utils import to_categorical
from tensorflow.keras.layers import Dropout
from tensorflow.keras.layers import Flatten
from tensorflow.keras.layers import Conv1D
from tensorflow.keras.layers import MaxPooling1D

verbose, epoch, batch_size = 1, 100, 4
activationFunction = 'relu'

# X_train and X_test must be 3-D here, shaped (samples, steps, channels), and
# Y_train one-hot encoded over the 5 classes; that preparation is not shown.
def CNN():
    cnnmodel = Sequential()
    cnnmodel.add(Conv1D(filters=128, kernel_size=2, activation='relu',
                        input_shape=(X_train.shape[1], X_train.shape[2])))
    cnnmodel.add(MaxPooling1D(pool_size=2))
    cnnmodel.add(Dropout(rate=0.2))
    cnnmodel.add(Flatten())
    cnnmodel.add(Dense(5, activation='softmax'))
    cnnmodel.compile(optimizer='adam', loss='categorical_crossentropy', metrics=['accuracy'])
    cnnmodel.summary()
    return cnnmodel

cnnmodel = CNN()

modelhistory = cnnmodel.fit(X_train, Y_train, epochs=10,
                            verbose=verbose, validation_split=0.2, batch_size=batch_size)

# Plot of accuracy vs epoch for train and test dataset
plt.plot(modelhistory.history['accuracy'])
plt.plot(modelhistory.history['val_accuracy'])
plt.title("Plot of accuracy vs epoch for train and test dataset")
plt.ylabel('accuracy')
plt.xlabel('epoch')
plt.show()

# Plot of loss vs epoch for train and test dataset
plt.plot(modelhistory.history['loss'])
plt.plot(modelhistory.history['val_loss'])
plt.title("Plot of loss vs epoch for train and test dataset")
plt.ylabel('loss')
plt.xlabel('epoch')
plt.legend(['train', 'test'], loc='upper right')
plt.show()

cnnpredictions = cnnmodel.predict(X_test, verbose=1)
cnn_predict = np.argmax(cnnpredictions, axis=1)

y_pred = cnnmodel.predict(X_test, verbose=1)
y_pred = np.argmax(y_pred, axis=1)
#y_prob = cnnmodel.predict_proba(X_test)[:, 1]

# scikit-learn metrics take (y_true, y_pred) in that order. y_test must hold
# integer class indices here; apply np.argmax(y_test, axis=1) first if it is one-hot.
cnn_acc = accuracy_score(y_test, y_pred)
cnn_prec = precision_score(y_test, y_pred, average='weighted')
cnn_rec = recall_score(y_test, y_pred, average='weighted')
cnn_f1 = f1_score(y_test, y_pred, average='weighted')

# storeResults is a helper from the project that is not shown in this report
storeResults('CNN', cnn_acc, cnn_prec, cnn_rec, cnn_f1)
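
The listing above reports accuracy and weighted precision, recall and F1. The following added example (not part of the report's code) computes those figures next to per-class recall on a constructed, heavily imbalanced set of predictions, to show what a weighted average can hide in an intrusion detector. The class names follow the five KDD Cup 1999 categories; every count and the function names are constructed for the illustration.

```python
from collections import Counter

# Constructed (true label, predicted label, count) triples, not results from the report.
CONSTRUCTED = [
    ("dos", "dos", 800),
    ("normal", "normal", 180),
    ("probe", "probe", 12),
    ("probe", "normal", 2),
    ("r2l", "normal", 4),   # every r2l connection is classified as normal
    ("u2r", "normal", 2),   # every u2r connection is classified as normal
]


def expand(triples):
    """Turn the count triples into parallel y_true / y_pred lists."""
    y_true, y_pred = [], []
    for true, pred, count in triples:
        y_true += [true] * count
        y_pred += [pred] * count
    return y_true, y_pred


def per_class(y_true, y_pred):
    """Precision, recall and support for every class, from the confusion counts."""
    tp, fp, fn = Counter(), Counter(), Counter()
    for t, p in zip(y_true, y_pred):
        if t == p:
            tp[t] += 1
        else:
            fn[t] += 1
            fp[p] += 1
    report = {}
    for c in sorted(set(y_true) | set(y_pred)):
        support = tp[c] + fn[c]
        predicted = tp[c] + fp[c]
        report[c] = {
            "precision": tp[c] / predicted if predicted else 0.0,
            "recall": tp[c] / support if support else 0.0,
            "support": support,
        }
    return report


def summarize(y_true, y_pred):
    """Accuracy, weighted and macro recall, and the classes that were never detected."""
    report = per_class(y_true, y_pred)
    n = len(y_true)
    return {
        "accuracy": sum(t == p for t, p in zip(y_true, y_pred)) / n,
        # Weighting by support makes this equal to accuracy: rare classes barely count.
        "weighted_recall": sum(r["recall"] * r["support"] for r in report.values()) / n,
        # The unweighted mean gives every class the same voice.
        "macro_recall": sum(r["recall"] for r in report.values()) / len(report),
        "missed_classes": [c for c, r in report.items()
                           if r["support"] and r["recall"] == 0.0],
    }


if __name__ == "__main__":
    y_true, y_pred = expand(CONSTRUCTED)
    for name, row in per_class(y_true, y_pred).items():
        print(f"{name:7s} precision={row['precision']:.3f} "
              f"recall={row['recall']:.3f} support={row['support']}")
    print(summarize(y_true, y_pred))
```

With scikit-learn the same per-class view comes from classification_report or from recall_score with average=None.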

6. Screenshots

Screenshot 1: project files


Screenshot 2: Copying path

Screenshot 3: Run the server


Screenshot 4: Open Web

Screenshot 5: Signup page


Screenshot 6: Login credentials

Screenshot 7: Homepage


Screenshot 8: Enter Input

Screenshot 9: Entered Input


Screenshot 10: Result If Attack

Screenshot 11: Result If No Attack

7. Testing & Validation

7.1 Test Cases


Test strategy and approach
Field testing will be performed manually and functional tests will be written in detail.

Features to be tested
• Verify that we get proper output
• Verify that all painters and eraser work

7.2 Types of Testing


Many types of testing methods are available; the main ones used are:

• Unit testing: Unit testing involves the design of test cases that validate that the internal
program logic is functioning properly, and that program inputs produce valid outputs.
All decision branches and internal code flow should be validated. It is the testing of
individual software units of the application. It is done after the completion of an
individual unit, before integration. This is structural testing that relies on knowledge
of the unit's construction and is invasive.
Unit tests perform basic tests at component level and test a specific business process,
application, and/or system configuration. Unit tests ensure that each unique path of a
business process performs accurately to the documented specifications and contains
clearly defined inputs and expected results.

• Integration testing: Integration tests are designed to test integrated software
components to determine if they actually run as one program. Testing is event driven
and is more concerned with the basic outcome of screens or fields. Integration tests
demonstrate that although the components were individually satisfactory, as shown by
successful unit testing, the combination of components is correct and consistent.
Integration testing is specifically aimed at exposing the problems that arise from the
combination of components.

• Functional test: Functional tests provide systematic demonstrations that functions
tested are available as specified by the business and technical requirements, system
documentation, and user manuals.
Functional testing is centered on the following items:
Valid Input: identified classes of valid input must be accepted.
Invalid Input: identified classes of invalid input must be rejected.
Functions: identified functions must be exercised.
Output: identified classes of application outputs must be exercised.
Systems/Procedures: interfacing systems or procedures must be invoked.
Organization and preparation of functional tests is focused on requirements, key
functions, or special test cases. In addition, systematic coverage pertaining to identified
business process flows, data fields, predefined processes, and successive processes
must be considered for testing. Before functional testing is complete, additional tests
are identified and the effective value of current tests is determined.

• System Test: System testing ensures that the entire integrated software system meets
requirements. It tests a configuration to ensure known and predictable results. An
example of system testing is the configuration-oriented system integration test. System
testing is based on process descriptions and flows, emphasizing pre-driven process links
and integration points.

• White Box Testing: White Box Testing is testing in which the software
tester has knowledge of the inner workings, structure and language of the software, or
at least its purpose. It is used to test areas that cannot be reached from a
black box level.

• Black Box Testing: Black Box Testing is testing the software without any knowledge
of the inner workings, structure or language of the module being tested. Black box tests,
as most other kinds of tests, must be written from a definitive source document, such
as a specification or requirements document. It is testing in which the software under
test is treated as a black box: you cannot “see” into it. The test provides inputs and
responds to outputs without considering how the software works.


Test Cases

Table 7: Detection of intrusion Test Cases

Result Analysis:

The proposed deep learning-based Intrusion Detection System (IDS) achieved significant
improvements in detecting real-time cyber threats in IoT environments. The system was tested
using three benchmark datasets, which are widely used in intrusion detection research. Various
deep learning models, including CNN, DNN+MLP, RBM and RNN were implemented and
evaluated. Among these, the DNN+MLP hybrid model consistently outperformed others,
achieving up to 99% accuracy, especially in complex and evolving attack scenarios.

In addition to the high accuracy rates demonstrated by the hybrid models, the experimental
results also highlight the robustness of the proposed approach under varying network traffic
conditions. The models maintained consistent performance even when subjected to imbalanced
data distributions and noisy environments, which are common in real-world IoT systems.
Notably, the RBM and DNN+MLP models showed strong generalization capabilities,
effectively identifying previously unseen attack types with minimal performance degradation.

This suggests the system's ability to adapt and respond to evolving threat patterns without
requiring frequent retraining. The combination of deep feature extraction and temporal
sequence learning proved essential in achieving reliable, real-time intrusion detection suitable
for deployment in dynamic and distributed IoT networks.

The results confirmed that combining multiple deep learning architectures and ensemble
methods enhanced detection reliability, reduced computational overhead, and maintained
system integrity. The approach is scalable and adaptable to new threats, making it a robust
cybersecurity solution for modern IoT infrastructures.

8. Conclusion

This paper discusses the challenges and limitations involved in previous studies, which have been
investigating how to use deep learning in the early detection and eradication of cyber threats. We
employ deep learning techniques, both identification and discriminative, for cyber-attack and
malware detection. We summarized seven approaches, i.e., deep learning (RNN, CNN,
and DNN) and generative models/methods (RBM, DBN, DBM, and DA). In addition, our
investigation focuses on accuracy and on the dictionaries provided in the research field. The
experimentation in our work demonstrates that IDS and cybersecurity attacks are detected
successfully using a collaborative technological environment. We have also investigated
which DL techniques performed better than the others. According to this analysis, the use of
deep learning methods increases the investigational rate of intrusion classification while providing
the robust performance of state-of-the-art supervised systems. As part of future work,
this study will be extended to include advanced deep learning methods and transfer learning approaches.
Moreover, the robustness of the supervised system is validated using IDS training. Thus, when
designing a new Intrusion Detection System (IDS), these properties can be used in a real-time
system to detect internal and external intruders and their malicious behaviors.

9. Future Scope

The future scope of the project envisions the integration of advanced deep learning techniques.
Transfer learning can be employed to leverage pre-trained models, reducing the need for extensive
data and computational resources. The system can be scaled and customized for use by various
firms and multinational corporations (MNCs) to safeguard intellectual property and digital assets.
Incorporating edge computing will allow real-time threat detection directly on IoT devices,
minimizing latency and improving system responsiveness. This also helps in optimizing
bandwidth usage and reducing dependency on centralized servers. Federated learning can be
utilized to collaboratively train models across multiple organizations without transferring sensitive
data. This approach ensures data privacy while contributing to the development of a more
generalized and robust global model. The combination of edge and federated learning provides a
decentralized yet secure framework for threat intelligence. Enhanced model explainability and
self-learning capabilities can be introduced for adaptive threat mitigation.
