HAMAD: A Lightweight Network Anomaly Detection Framework for IoT and Edge Computing

HAMAD is an innovative lightweight machine learning framework designed specifically for real-time network anomaly detection. It bridges the gap between the high accuracy of deep learning and the strict resource constraints of IoT and edge computing environments, addressing key challenges in modern network security.

Tags: network security, anomaly detection, IoT, edge computing, machine learning, Random Forest, XGBoost, attention mechanism, intrusion detection, lightweight ML
Published 2026-04-27 22:15 | Recent activity 2026-04-27 22:21 | Estimated read 8 min
Section 01

Introduction: HAMAD, a Lightweight Network Anomaly Detection Framework for IoT and Edge Computing

HAMAD is an innovative lightweight machine learning framework designed for real-time network anomaly detection. It aims to resolve the core contradiction in IoT and edge computing environments: traditional deep learning models consume too many resources, while lightweight models lack sufficient accuracy. Through technologies like hybrid attention mechanisms, it maintains high accuracy while meeting the real-time requirements of edge deployment, making it an important exploration of edge-friendly detection solutions in the field of network security.

Section 02

Background and Motivation

With the explosive growth of IoT devices and the popularization of edge computing, network security faces new challenges. Traditional deep learning models have high detection accuracy but require significant resources, making them difficult to deploy on edge devices; lightweight models, on the other hand, cannot meet production accuracy requirements. Thus, HAMAD (Hybrid Attention-based Multi-scale Anomaly Detection) was born, aiming to balance high accuracy and real-time requirements in edge environments. It was developed by Samyadeep Saha during his master's studies in cybersecurity at NIT Agartala.

Section 03

Core Architecture and Technical Highlights

The core innovations of HAMAD include:

  1. Hybrid Attention Ensemble Learning: Combines Random Forest (handles high-dimensional features, robust to noise) and XGBoost (captures non-linear relationships), and dynamically assigns weights through attention-weighted fusion to balance stability and flexibility;
  2. Adaptive Threshold Mechanism: Dynamically adjusts anomaly judgment criteria based on reconstruction errors—relaxes thresholds during traffic peaks to avoid false positives, tightens them during stable periods to improve sensitivity, with no manual intervention required;
  3. Multi-scale Temporal Feature Extraction: Captures both short-term (sudden anomalies such as DDoS) and long-term (slow intrusions such as APT) traffic patterns to address diverse threats.
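
A minimal sketch of items 1 and 2 above, added here as an illustration; it is not HAMAD's own code, which this page does not show. Assumptions: "attention" is modelled as a softmax over each model's confidence, the adaptive threshold is a rolling median plus MAD band over the fused score (standing in for the reconstruction error the page mentions), the `cap` ceiling is an added safeguard, and all names and sample scores are hypothetical.

```python
import math
from collections import deque
from statistics import median

def attention_fuse(p_rf, p_xgb, temperature=0.1):
    """Blend two anomaly probabilities; the more confident model gets more weight.
    Assumption: 'attention' = softmax over each model's distance from 0.5."""
    exps = [math.exp(abs(p - 0.5) / temperature) for p in (p_rf, p_xgb)]
    w_rf = exps[0] / sum(exps)
    return w_rf * p_rf + (1.0 - w_rf) * p_xgb

class AdaptiveThreshold:
    """Rolling median + k*MAD over recent scores, clamped to a hard ceiling."""
    def __init__(self, window=10, k=4.0, floor=0.02, cap=0.8, warmup=5):
        self.history = deque(maxlen=window)
        self.k, self.floor, self.cap, self.warmup = k, floor, cap, warmup

    def threshold(self):
        if len(self.history) < self.warmup:
            return self.cap  # no baseline yet: only the ceiling applies
        med = median(self.history)
        mad = median(abs(s - med) for s in self.history)
        # Noisy windows (traffic peaks) widen the band; quiet windows tighten it.
        # Added safeguard: cap stops a sustained flood relaxing it without limit.
        return min(self.cap, med + self.k * max(mad, self.floor))

    def update(self, score):
        """Return (is_anomaly, threshold_used), then fold the score into the baseline."""
        thr = self.threshold()
        self.history.append(score)
        return score > thr, thr

def classify(detector, p_rf, p_xgb):
    """Fuse both model outputs for one flow and test against the current threshold."""
    return detector.update(attention_fuse(p_rf, p_xgb))[0]

# Constructed fused scores, not real traffic: a quiet period, then a noisy peak.
STABLE = [0.10, 0.12, 0.09, 0.11, 0.10, 0.13, 0.08, 0.11, 0.10, 0.12]
PEAK = [0.20, 0.35, 0.15, 0.40, 0.25, 0.38, 0.18, 0.33, 0.22, 0.36]

def threshold_after(scores, **kwargs):
    """Threshold in force once the detector has seen `scores`."""
    det = AdaptiveThreshold(**kwargs)
    for s in scores:
        det.update(s)
    return det.threshold()

if __name__ == "__main__":
    print("stable:", round(threshold_after(STABLE), 3))
    print("peak:  ", round(threshold_after(STABLE + PEAK), 3))
```

On the constructed data a fused score of 0.5 is flagged during the quiet period but passes during the peak, which is the detection gap that relaxing thresholds under load creates and the reason the sketch clamps the threshold.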

Section 04

Experimental Validation and Performance

HAMAD performed excellently in evaluations on three authoritative datasets:

| Dataset | Accuracy | Precision | Recall | F1 Score |
|---|---|---|---|---|
| NSL-KDD | 99.45% | 99.32% | 99.58% | 99.45% |
| UNSW-NB15 | 99.71% | 99.68% | 99.74% | 99.71% |
| CICIDS2017 | 99.62% | 99.55% | 99.69% | 99.62% |

  • NSL-KDD (improved version of KDD Cup): 99.45% accuracy;
  • UNSW-NB15 (modern attack types): 99.71% accuracy and 99.71% F1 score;
  • CICIDS2017 (25 attack types): 99.62% accuracy with strong generalization ability.

Section 05

Engineering Implementation and Deployment Features

HAMAD has excellent engineering design:

  1. End-to-end Data Pipeline: Automates every step from data acquisition through feature engineering, supporting one-click download and preprocessing of mainstream datasets;
  2. Interactive Monitoring Dashboard: Built on Streamlit, providing real-time metrics, confusion matrices, ROC/PR curves, and other visualizations;
  3. Edge-ready Architecture: Lightweight design that can run on low-power devices like Raspberry Pi, meeting the real-time needs of IoT gateways;
  4. MLOps Support: Docker containerization, model version management, reproducible experimental environments, and unit test coverage.

Section 06

Practical Application Scenarios

HAMAD is suitable for multiple scenarios:

  • Industrial IoT (IIoT) Security: Deployed on PLCs or edge gateways to monitor anomalies in industrial control networks and prevent device attacks;
  • Smart Home Networks: Integrated into home router firmware to provide enterprise-level intrusion detection for ordinary users;
  • 5G Edge Computing Nodes: Performs real-time anomaly detection at 5G edge nodes to protect network infrastructure.

Section 07

Technical Limitations and Future Directions

Limitations:

  1. Currently validated only on three public datasets; performance on private industry datasets remains to be tested;
  2. Robustness against adversarial examples needs further verification;
  3. Real-time latency metrics (e.g., P99) are not clearly defined.

Future Directions:

  • Introduce federated learning to support distributed privacy-preserving training;
  • Explore model quantization techniques to reduce edge resource consumption;
  • Integrate online learning mechanisms to adapt to changes in network environments.

Section 08

Summary

HAMAD reconciles deep learning capabilities with edge computing constraints. Through technologies like hybrid attention mechanisms and adaptive thresholds, it achieves lightweight deployment while maintaining an accuracy of over 99%. It is an important representative of edge-friendly intrusion detection solutions and is worth the attention of security engineers, IoT security researchers, and developers who need intelligent security functions and want to try it.