IoT Intrusion Detection Machine Learning Benchmark Framework: Multi-Class Network Threat Identification Practice

The open-source project introduced in this article is a machine learning benchmark framework for IoT network intrusion detection, which reproduces and extends the research method of Samantaray et al. (2024). This framework uses six multi-classifiers to evaluate 10 types of network threat identification on the UNSW-NB15 (packet-level) and NF-UNSW-NB15 (NetFlow flow-level) datasets, with a maximum accuracy of 94.86%.

Project Source: GitHub repository maintained by S-MILAD-J (link: https://github.com/S-MILAD-J/iot-intrusion-detection-ml-benchmark), released on May 25, 2026.

With the explosive growth of Internet of Things (IoT) devices—from smart homes to industrial control systems—hundreds of millions of devices are connected to the Internet. These devices often have limited computing power and face difficulties in security updates, making them prime targets for cyber attackers. Traditional signature-based intrusion detection systems struggle to handle new types of attacks, and machine learning technology provides a new solution to this challenge.

Dataset Architecture

Uses two key variants:

• UNSW-NB1 packet-level feature set includes protocol type, port number, packet length, flag bits, etc.
• NF-UNSW-NB flow-level records include flow-level aggregate statistics, source/destination IP ports, etc.

10 Types of Network Threats

Covers Fuzzers, Analysis, Backdoors, DoS, Exploits, Generic, Reconnaissance, Shellcode, Worms, and Normal traffic.

Six Machine Learning Classifiers

Random Forest, Decision Tree, K-Nearest Neighbors (KNN), Support Vector Machine (SVC), Logistic Regression, Gaussian Naive Bayes.

Technology Stack and Preprocessing

• Technology stack: Scikit-Learn, Pandas, Matplotlib/Seaborn, Jupyter Notebook
• Preprocessing: Robust standardization, outlier handling, label encoding (convert categories to numerical values).

Core Performance Metrics

• Maximum accuracy: 94.86% (ensemble tree structure model)
• Evaluation dimensions: ROC-AUC curve, macro/micro average precision-recall curve (focus on minority class attacks), confusion matrix visualization (category prediction accuracy)

Computational Efficiency Audit

Records training and inference execution time costs, providing performance-latency trade-off references for real-time edge computing deployment.

Enterprise Security Operations

1. Threat classification capability: Accurately identify attack types to support targeted responses
2. Performance benchmark selection: Provide data support for IoT intrusion detection algorithm selection
3. Edge deployment reference: Computational efficiency audit helps resource-constrained devices make trade-offs

Contributions to Researchers

1. Reproducible research: Complete code and data processing workflow
2. Extension foundation: Clear architecture facilitates adding new algorithms and datasets
3. Teaching resources: Jupyter Notebook interactive learning materials

Phase 1: Deep Learning and Hyperparameter Optimization

• Integrate neural networks like MLP, 1D-CNN, LSTM
• Use Optuna for automatic hyperparameter search to optimize recall rate of minority class attacks

Phase 2: Explainable AI (XAI)

• Integrate SHAP and LIME tools to map feature importance

Phase 3: Real-time Streaming Detection

• Encapsulate the best model into a lightweight API
• Connect to real-time packet capture tools like scapy to simulate line-speed intrusion parsing