Abstract: Intrusion detection in Internet of Things (IoT) environments presents challenges due to heterogeneous devices, diverse attack vectors, and highly imbalanced datasets. Existing research on the ToN-IoT dataset has largely emphasized binary classification and single-model pipelines, which often show strong performance but limited generalizability, probabilistic reliability, and operational interpretability. This study proposes a stacked ensemble deep learning framework that integrates random forest, extreme gradient boosting, and a deep neural network as base learners, with CatBoost as the meta-learner. On the ToN-IoT Linux process dataset, the model achieved near-perfect discrimination (macro area under the curve = 0.998), robust calibration, and superior F1-scores compared with standalone classifiers. Interpretability was achieved through SHapley Additive exPlanations (SHAP)-based feature attribution, which highlights actionable drivers of malicious behavior, such as command-line patterns, process scheduling anomalies, and CPU usage spikes, and aligns these indicators with MITRE ATT&CK tactics and techniques. Complementary analyses, including cumulative lift and sensitivity-specificity trade-offs, revealed the framework's suitability for deployment in security operations centers, where calibrated risk scores, transparent explanations, and resource-aware triage are essential. These contributions bridge methodological rigor in artificial intelligence/machine learning with operational priorities in cybersecurity, delivering a scalable and explainable intrusion detection system suitable for real-world deployment in IoT environments.
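Added example, not code from the paper: the two triage-side analyses the abstract names, cumulative lift at an analyst review budget and the sensitivity-specificity trade-off at a chosen threshold, computed over a constructed, deliberately imbalanced set of risk scores that stands in for the ensemble's calibrated output.

```python
"""Triage-budget analysis over calibrated risk scores (constructed data)."""
from typing import List, Tuple

# Constructed sample of (risk_score, is_malicious) pairs: 4 malicious out of
# 16, mimicking a process log where attacks are the rare class.
SAMPLE: List[Tuple[float, int]] = [
    (0.97, 1), (0.91, 1), (0.88, 0), (0.80, 1), (0.62, 0), (0.55, 1),
    (0.40, 0), (0.33, 0), (0.25, 0), (0.20, 0), (0.15, 0), (0.12, 0),
    (0.09, 0), (0.07, 0), (0.04, 0), (0.02, 0),
]


def cumulative_lift(scored: List[Tuple[float, int]], budget: float) -> float:
    """Lift obtained by reviewing only the top `budget` fraction of alerts.

    Lift = positive rate inside the reviewed slice / overall positive rate.
    1.0 means the ranking is no better than picking alerts at random.
    """
    ranked = sorted(scored, key=lambda r: r[0], reverse=True)
    k = max(1, round(len(ranked) * budget))
    base_rate = sum(y for _, y in ranked) / len(ranked)
    slice_rate = sum(y for _, y in ranked[:k]) / k
    return slice_rate / base_rate


def sensitivity_specificity(scored: List[Tuple[float, int]],
                            threshold: float) -> Tuple[float, float]:
    """TPR and TNR when every score >= threshold is flagged as malicious."""
    tp = sum(1 for s, y in scored if y == 1 and s >= threshold)
    fn = sum(1 for s, y in scored if y == 1 and s < threshold)
    tn = sum(1 for s, y in scored if y == 0 and s < threshold)
    fp = sum(1 for s, y in scored if y == 0 and s >= threshold)
    return tp / (tp + fn), tn / (tn + fp)


def threshold_for_sensitivity(scored: List[Tuple[float, int]],
                              target: float) -> float:
    """Highest threshold (hence best specificity) that still reaches `target` TPR."""
    for s in sorted({s for s, _ in scored}, reverse=True):
        if sensitivity_specificity(scored, s)[0] >= target:
            return s
    return 0.0


if __name__ == "__main__":
    for budget in (0.125, 0.25, 0.5):
        print(f"review top {budget:.0%}: lift {cumulative_lift(SAMPLE, budget):.2f}")
    t = threshold_for_sensitivity(SAMPLE, 1.0)
    print(f"threshold {t} for full recall: sens/spec "
          f"{sensitivity_specificity(SAMPLE, t)}")
```

The lift curve tells an analyst how much a fixed review budget buys, while the threshold search picks the operating point for a required recall and reports the specificity cost.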