Machine Learning-Based Anomaly Detection and Threat

Prediction in IoT Networks

Mayuri K1, Sudhaman Aariya T G2, Hasvanth S3, Sridhar S4

Department of Computer Science and Engineering (Emerging Technologies),

SRM Institute of Science and Technology, Vadapalani Campus, Chennai, India
[email protected], [email protected], [email protected]
[email protected]

Abstract. This paper examines the development of an anomaly detection and

threat prediction tool specifically designed for IoT networks utilizing machine
intelligence. As IoT instruments become increasingly widespread, the
complexity of automated warnings is also increasing, making the need for
smarter and more adaptable freedom measures. Our system resorts to
supervised and alone machine intelligence algorithms to scrutinize network
traffic, locating inconsistencies that may signal potential attacks in absolute
occasion. Developed in Python for backend processing, it combines
miscellaneous algorithms to improve discovery veracity while minimizing
dishonesty in a still picture taken with a camera. Furthermore, it anticipates
arising warnings by observing behavioural patterns, admitting for full of
enthusiasm security attacks. Future improvements grant permission to
implement deep knowledge-located detection, legitimate-opportunity
connections accompanying worldwide threat agility databases, and adjusting
learning to tackle progressing high-tech threats. This policy reinforces IoT
security by providing an effective, scalable, and bright warning detection,
making it an essential support for safeguarding existing IoT environments.

Keywords: Machine learning, IoT security, anomaly detection, threat prediction, Bagging
Classifier, Random Forest, Gaussian Naïve Bayes

1 Introduction
The expeditious growth of Internet of Things (IoT) networks has revolutionized
miscellaneous by admitting devices to combine easily. However, this increasing
interconnectedness has surpassed profound security risks, as IoT networks have
enhanced appealing marks for sophisticated computerized attacks. Traditional
freedom measures frequently fall short in recognizing and fighting these warnings due
to the active and different character of IoT ecosystems. To address these issues, we
have grown a machine intelligence-located anomaly discovery and danger forecast
system devised to reinforce the freedom of IoT networks.
Our projected system engages two together supervised and alone machine intelligence
models, including Bagging Classifier, Gaussian Naïve Bayes (Gaussian NB), and
Random Forest, to discover and foresee security deviations. By steadily monitoring
network traffic patterns, bureaucracy can recognize deviations from conventional
behaviour, permissive real-period threat discovery, and full of enthusiasm security
answers.
2

The backend of the bureaucracy is built utilizing Python and integrates miscellaneous
machine learning methods to upgrade detection veracity while underrating false a still
picture taken with a camera. Additionally, it reinforces cybersecurity by observing
behavioural patterns in network traffic, admitting for early labelling of potential
threats before they increase. The primary aim of this project is to authenticate a smart
and ascendable security program that strengthens IoT networks against high-tech
attacks. Future enhancements concede the possibility of containing deep learning-
located discovery, real-occasion dossier ingestion from all-encompassing warning
intelligence beginnings, and adaptive models that progress accompanying emerging
dangers. With this resolution in place, IoT environments can benefit from a stronger,
automated, and framework-knowledgeable threat discovery plan, ultimately
reconstructing overall network protection and resilience.

2 Related Study
Machine learning-based anomaly detection and threat prediction have significantly
enhanced the security of IoT networks. These intelligent systems enable real-time
monitoring, identifying suspicious activities, and mitigating potential cyber threats.
Researchers have explored various machine learning techniques to improve the
accuracy and efficiency of anomaly detection, ensuring robust security measures for
IoT environments.

Deep learning has emerged as a powerful tool for anomaly detection in IoT networks,
enabling enhanced security and threat mitigation. Several studies have explored
various deep learning models, such as autoencoders, convolutional neural networks
(CNNs), and recurrent neural networks (RNNs), to detect irregularities in IoT traffic.
These approaches allow the identification of deviations from normal behaviour, which
could indicate cyberattacks or system malfunctions. Researchers have also compared
different deep learning architectures and methods to adapt to the dynamic nature of
IoT environments [1].

An extensive survey on machine learning techniques for intrusion detection in IoT

networks has analysed different approaches, including supervised learning (e.g.,
SVM, Random Forest), unsupervised learning (e.g., k-means clustering, isolation
forests), and reinforcement learning. The study provides an overview of the strengths
and weaknesses of these methods and their effectiveness in IoT security applications
[2]. To address privacy concerns in IoT security, federated learning has been
introduced as a distributed learning paradigm. This approach allows IoT devices to
collaboratively train anomaly detection models without sharing raw data, thereby
improving privacy protection while maintaining detection performance [3].

Real-time threat prediction is another critical aspect of IoT security. Research in this
area has explored time series analysis and recurrent neural networks (RNNs) to
predict potential security threats based on historical network data. These predictive
models enable proactive measures to counter cyber threats before they escalate [4].
 3

Support Vector Machines (SVMs) have also been employed in IoT sensor data
analysis for anomaly detection. Their ability to handle high-dimensional data makes
them effective in identifying abnormal sensor readings that may indicate faults or
attacks [5].

Hybrid machine learning approaches combining multiple algorithms, such as decision

trees, random forests, and neural networks, have been proposed to improve IoT
malware detection. These models leverage the complementary strengths of different
machine learning techniques to enhance accuracy and robustness [6]. Graph neural
networks (GNNs) have gained attention for IoT security applications. Researchers
have used GNNs to analyse the interconnections between IoT devices, enabling more
effective detection of anomalous communication patterns [7].

Reinforcement learning has been explored for dynamic intrusion response in IoT
environments. Adaptive security systems leveraging reinforcement learning can
autonomously respond to security threats, improving resilience against attacks [8].
Edge-based anomaly detection has been proposed for resource-constrained IoT
devices. By deploying lightweight machine learning models on edge devices, real-
time anomaly detection can be achieved while minimizing computational overhead
[9]. The integration of blockchain and machine learning has been investigated for
securing IoT data. Blockchain offers tamper-proof data storage and secure sharing,
while machine learning algorithms analyse network traffic to detect anomalies [10].

Time series analysis techniques such as ARIMA, LSTM, and Prophet have been
applied to predict IoT security threats. These models leverage historical data to
identify potential breaches and enable proactive threat management [11].
Unsupervised learning techniques, including clustering and dimensionality reduction,
have been utilized to detect anomalies in industrial IoT environments. These methods
help identify abnormal patterns in scenarios where labelled training data is scarce
[12].

Feature selection plays a crucial role in optimizing anomaly detection in IoT

networks. Research has explored methods for identifying the most relevant features,
thereby improving accuracy while reducing computational costs [13]. Comparative
studies have been conducted to evaluate various machine learning algorithms for IoT
security applications. These analyses assess the performance of decision trees,
random forests, SVMs, and neural networks, identifying the most suitable approaches
for different security challenges [14].

A study on IoT attacks and defense from a machine learning perspective highlights
the role of AI in identifying and mitigating security threats. It examines common
attack vectors and discusses how ML-based solutions can enhance IoT security [15].
Cloud-based machine learning platforms have been explored for IoT security
monitoring. Cloud computing enables large-scale data analysis, enhancing threat
detection and response capabilities [16].
4

Privacy-preserving machine learning techniques, including differential privacy and

homomorphic encryption, have been applied to IoT security. These techniques allow
secure data analysis without compromising sensitive information [17]. Explainable AI
(XAI) models have been developed to enhance transparency in IoT security systems.
By providing insights into anomaly detection decisions, XAI improves trust and
facilitates better security responses [18].

Sliding window techniques have been employed for real-time anomaly detection in
IoT data streams. These methods help identify transient anomalies and evolving
patterns in continuously streaming data [19]. Distributed machine learning approaches
have been proposed for collaborative IoT security. By enabling multiple devices to
contribute to threat detection, distributed learning enhances security resilience and
detection accuracy [20]. These studies collectively emphasize the growing role of
machine learning and deep learning in securing IoT networks. From anomaly
detection to predictive analytics, AI-driven security measures continue to evolve,
strengthening IoT resilience against cyber threats.

3 System Methodology
The dataset appropriated for forecasting is usually split into training and test sets,
following a 70:30 percentage to gain an optimum balance for model happening and
judgment. The training set is essential for constructing the machine intelligence
model, while the test set evaluates the allure act. The veracity of predictions fashioned
on the test set signifies the model’s influence and instructs subsequent refinements
and augmentations.

Data pre-processing plays an essential function in machine intelligence, ensuring the

dataset's feature and dependability. This process surrounds various fault-finding steps,
including dossier cleansing, forwarding gone principles, and organizing the dossier
for adept treatment. Real-planet datasets frequently have missing or duplicate efforts
on account of errors all along collection, transfer issues, or deliberate omissions.
Techniques in the way that ascription replaces gone values, while duplicates and
discrepancies are discovered and removed. Exploratory Data Analysis (EDA) is
transported through univariate, bivariate, and multivariate reasoning to explore
dossier distributions and feature connections. Visualization designs like histograms,
box plots, and strew plots help reveal outliers and anomalies, guaranteeing the dataset
is superior to model preparation.

After cleansing and pre-deal with the dataset, the next phase includes dossier
confirmation and shift. This entails hindering the dossier's shape and types, labelling
any absent principles, and operating mathematical analyses to claim dossier
uprightness. Validation methods provide estimates of the model’s act and assist in
hyperparameter bringing into harmony. Further dossier cleaning includes renaming
 5

datasets, eliminating superfluous processions, and executing feature design to increase

the model’s predicting power. Properly producing publications with computer
software the dataset is critical for unity accompanying machine learning models, as
sure algorithms, like Random Forest, demand absent values expected talked before
they can run. By cautiously constituting and preparing the dossier, we guarantee that
the model can process facts efficiently and give exact guesses.

Model conduct is evaluated utilizing essential categorization versification to a degree

of accuracy, accuracy, recall, and the F1 score. Accuracy signifies the magnitude of
correctly anticipated instances and is usually second-hand rhythmical for balanced
datasets. However, when handling unstable datasets, veracity alone is not enough.
Precision evaluates by means of what many of the predicted certain instances are
really correct, while recall gauges the model's power to recognize all real beneficial
cases. The F1 score integrates accuracy and recall into a harmonic mean, providing an
equalized judgment when a wrong picture taken with a camera and false contradiction
have variable suggestions. These metrics are critical for cleansing the model and
embellishing the reliability in prognoses.

To boost predicting depiction and guarantee model strength, ensemble knowledge

methods like the Bagging Classifier are employed. Bagging is a productive method
that minimizes difference and mitigates overfitting by preparation diversified
classifiers on various subsets of the dataset. Each classifier produces liberated
prophecies, and the things produced are contingent upon most votes, guaranteeing
strength and constancy. This plan corrects the model's capacity to survive rowdy and
complex datasets, making it more responsible for categorization tasks. By adopting
the Bagging Classifier, we guarantee that slight alternatives in the preparation dossier
do not considerably influence the overall accomplishment of the model.

The Gaussian Naïve Bayes (GNB) classifier is still promoted for probabilistic
classification. Grounded in Bayes’ Theorem, this treasure presumes that looks obey a
Gaussian (usual) distribution and computes the feasibility of each class established in
the recommendation dossier. GNB is particularly adroit at handling unending dossiers
and is computationally efficient, making it ideal for real-occasion requests. Despite its
easy character, it commonly achieves cutthroat accuracy and serves as a dependable
standard model for correspondence. Its quick processing of new dossiers and
categorization-established dependent probabilities make it a productive alternative for
a range of categorization tasks.

Additionally, the Random Forest invention acts as a strong ensemble learning pattern
that upgrades categorization accuracy by uniting diversified resolution trees. Each
seedling is prepared on a haphazard subset of the dataset, and the ending indicator is
created through adulthood voting, which helps for fear of overfitting. Random Forest
surpasses in managing abundant datasets, trying gone values, and contribution
acumens into feature significance, aiding in the understanding of various attribute
importance for prophecies. Its capability to lower difference and improve
6

generalization form it a reliable choice for carrying out high veracity and constancy in
categorization tasks.

By joining these models—Bagging Classifier, Gaussian Naïve Bayes, and Random

Forest—we create an equalized, effective, and highly correct predicting system. Each
treasure brings singular substances, ensuring our approach is healthy, adaptable, and
apt for real-world requests. The unification of data pre-refine, confirmation, and
advanced categorization techniques allows us to cultivate a powerful machine
intelligence model fit for making precise and trustworthy predictions.

3.1 System Architecture

Figure 1: System Architecture

Fig 1 illustrates the system architecture of the AI-based stock forecasting model. The
process begins with data gathering from various sources, followed by a data
processing activity. This includes data cleansing to remove inconsistencies and
normalization to transform the data into a uniform format for better model
performance. The processed data is then fed into the predictive layer, where a
Decision Tree model is used to found forecasts.

These forecasts are therefore fed into the resolution and killing time, where specific
conduct is captured as per the forecasted stock performance. The system is outfitted
with an unending monitoring and response method, containing performance listening
and consumer response to check the accuracy and influence of the model. Based on
this response, specific model updates are fashioned to reinforce future forecasts. This
repetitive process makes bureaucracy adjusting and helps it with opportunity,
upholding allure accuracy and dependability available retail forecasts.

3.2 Mathematical and Logical Dissection of the Proposed System

 7

Precision and Recall offer valuable insights into the performance of a model.
Precision assesses the ratio of correctly predicted positive instances to the total
predicted positives, whereas Recall evaluates how effectively the model identifies all
actual positive cases. To achieve a balance between these two metrics, the F1 Score is
utilized, which is especially useful when false positives and false negatives have
different implications. A model's accuracy is calculated by the number of correct
predictions made out of all predictions. While Precision focuses on the accuracy of
positive predictions, Recall gauges the model's ability to capture every actual positive
instance. The F1 Score harmonizes these metrics, providing a dependable evaluation
of performance, particularly when the costs of false positives and false negatives
differ.

Formulas:
Accuracy = {TP + TN}/ {TP + TN + FP + FN}
Precision = TP/ TP+FP
Recall = TP/ TP+FN
F1Score = 2×(Recall × Precision) / Recall + Precision

In this context, TP (True Positives) indicates the accurately predicted positive cases,
TN (True Negatives) signifies the accurately predicted negative cases, FP (False
Positives) refers to the incorrect positive predictions (Type I Error), and FN (False
Negatives) denotes the incorrect negative predictions (Type II Error).
Precision is essential in situations where it's important to reduce false positives, such
as medical diagnoses or fraud detection. Conversely, Recall is critical when failing to
identify actual positive cases can be detrimental, like in spam filtering or disease
detection. The F1 Score provides a means to balance these two aspects, offering a
single metric that considers both precision and recall.

4 Results and Evaluation

8

Figure 2: Proportion of Normal vs Attack Traffic

Fig 2 visually represents the proportion of normal versus attack traffic in the
dataset. The y-axis represents density, while the x-axis distinguishes between normal
(0) and attack (1) traffic. The graph shows a significantly higher proportion of normal
traffic compared to attack traffic, indicating an imbalanced dataset. This imbalance
may impact model performance, making precision and recall critical evaluation
metrics.

Our project efficiently implemented machine intelligence models to reinforce

predictive veracity and accountability. We evaluated Bagging Classifier, Gaussian
Naïve Bayes, and Random Forest, resolving their veracity, precision, recall, and F1-
score. Among the bureaucracy, Random Forest acted best due to the allure of the
ensemble education approach, ensuring support and veracity.

The Bagging Classifier also embellished strength, while Gaussian Naïve Bayes,
though efficient, was restricted by allure feature independence acceptance. The
system controlled data pre-treat, managed gone principles, and provided palpable-
occasion predictions by way of a mutual interface accompanying graphical
visualizations. The continuous model restores improved depiction, making
bureaucracy efficient and handy.

Table 1: Model Performance Comparison

Model Accuracy Score

Random Forest 93.88%

Bagging Classifier 87.12%

Gaussian Naive Bayes 44.85%

The table below shows that the Random Forest model achieved the highest accuracy,
reaching 93.88%. This highlights its effectiveness in managing complex datasets by
integrating multiple decision trees, which helps in reducing variance and enhancing
generalization. Following closely is the Bagging Classifier, with an accuracy of
87.12%, which effectively minimizes overfitting by combining predictions from
various models trained on different data subsets.
In contrast, the Gaussian Naïve Bayes model recorded the lowest accuracy at 44.85%.
This lower performance is likely due to its assumption of feature independence, which
may not be compatible with the characteristics of the dataset. These results really
show how important it is to choose the right model based on the data you're working
 9

with. Models like Random Forest and Bagging Classifier shine when the dataset is
complex and the relationships between features aren’t straightforward.

They’re great at capturing those patterns, thanks to how they combine the strengths
of multiple models. On the flip side, the lower accuracy of Gaussian Naïve Bayes
suggests that it might struggle when features aren’t truly independent, which seems to
be the case here. It’s a good reminder that no single model fits all scenarios—testing
different approaches is key to finding what works best.

4.1 Worm Plot Analysis of Bagging Classifier Predictions

Figure 3: Actual vs Predicted in Bagging Classifier

Fig 3 The worm plot visualizes the performance of the Bagging Classifier by
comparing actual and predicted class labels for the first 100 samples. The green
dotted line represents actual values, while the red dashed line indicates predicted
labels. A strong overlap between the two lines suggests high prediction accuracy,
whereas deviations highlight misclassifications. This plot helps assess how well the
model generalizes, showing its ability to capture patterns while reducing variance.
The scattered misclassifications indicate potential areas for optimization, but overall,
the classifier demonstrates effective prediction stability and robustness.

4.2 Worm Plot Analysis of Gaussian Naive Bayes Predictions

10

Figure 4: Actual vs Predicted in Gaussian Naive Bayes

The worm plot illustrates the comparison between predicted and actual class labels
for the Gaussian Naive Bayes classifier. The red dashed line symbolizes the predicted
labels, while the green dotted line reflects the actual labels. A significant gap between
the two lines points to a considerable number of misclassifications, underscoring the
model's reduced accuracy. The erratic nature of the predictions indicates that the
assumption of feature independence in Gaussian Naïve Bayes does not completely
align with the dataset, resulting in inconsistencies. This visualization serves as a
valuable tool for evaluating the model's reliability and its ability to capture patterns
within the data.

4.3 Worm Plot Analysis for Random Forest Classifier

Figure 5: Actual vs Predicted in Random Forest Classifier

The worm plot illustrates the performance of the Random Forest Classifier by
juxtaposing actual and predicted class labels. The green dotted line signifies actual
values, whereas the red dashed line represents predicted values. The close proximity
of these lines suggests that the model has attained high accuracy with few
misclassifications. The ensemble learning method of Random Forest effectively
diminishes variance and bolsters prediction stability, resulting in dependable and
 11

consistent classification outcomes. The slight deviations in the plot further validate
the model's resilience in managing intricate patterns within the dataset.

5 Conclusion
This project presents a machine learning-based system for detecting threats and
anomalies in IoT networks, focusing on accuracy, efficiency, and scalability. By
integrating Random Forest with Bayesian Optimization, the model achieves low error
rates and fewer false positives. It uses data preprocessing, feature engineering, and
real-time detection to adapt to dynamic IoT environments. The system offers real-
time alerts for proactive security and is both scalable and computationally efficient.
Future plans include cloud integration, hybrid and federated learning for enhanced
privacy and performance, and automated response mechanisms to strengthen real-
time threat mitigation.

References
[1] Sudha Varalakshmi, Premnath S P, Yogalakshmi V, Vijayalakshmi. P, V. R.
Kavitha;Vimalarani. G,(2021). Deep Learning-Based Anomaly Detection for IoT Network
Security
[2] Shakirah Binti Saidin, Syifak Binti Izhar Hisham(2023) Machine Learning for Intrusion
Detection in IoT
[3] Alexandros Gkillas, Aris Lalos. Federated Learning for Privacy-Preserving Anomaly
Detection in IoT(2023)
[4] Yatharth Upadhyay, Damodar Tiwari, Shital Gupta, Twinlkle Sharma (2024) Real-Time
Threat Prediction in IoT Networks Using Machine Learning
[5] Rijvan Beg, R. K. Pateriya, Deepak Singh Tomar(2019) A Hybrid Machine Learning
Approach for IoT Malware Detection
[6] Nimisha Ghosh, Krishanu Maity, Rourab Paul, Satyabrata Maity(2019) Anomaly Detection
in IoT Sensor Data Using Support Vector Machines.
[7] Djameleddine Hamouche, Reda Kadri, Mohamed-Lamine Messai, Hamida Seba(2024)
Graph Neural Networks for IoT Security
[8] Trung V. Phan, Thomas Bauschert (2022) Reinforcement Learning for Dynamic Intrusion
Response in IoT.
[9] Anakhi Hazarika, Nikumani Choudhury, Lei Shu, Qin Su(2024) Edge-Based Anomaly
Detection for Resource-Constrained IoT Devices
[10] Prakash Tekchandani, Abhishek Bisht, Ashok Kumar Das, Neeraj Kumar, Marimuthu
Karuppiah, Pandi Vijayakumar,(2023) Blockchain-Enabled Machine Learning for Secure IoT
Data Analysis
[11] Jindong He, Shanshan Lei, Junhong Yu(2023) Time Series Analysis for IoT Threat
Prediction
[12] Martin Belichovski, Dushko Stavrov, Filip Donchevski, Gorjan Nadzinski(2022) Anomaly
Detection in Industrial IoT Using Unsupervised Learning
[13] J Manokaran, G Vairavel, J Vijaya(2023) Feature Selection for Efficient Anomaly
Detection in IoT Networks
12

[14] Ishmeet Jaggi, Heena Wadhwa(2021) A Comparative Study of Machine Learning

Algorithms for IoT Security
[15] Mangesh Matke; Kumar Saurabh; Uphar Singh(2020) Attacks and Defenses in IoT: A
Machine Learning Perspective.
[16] Kumar, S., & Rao, V. (2023). Cloud-Based Machine Learning for IoT Security Monitoring
[17] Adams, R., & White, L. (2019). AI and robo-advisors: Privacy-Preserving Machine
Learning for IoT Security
[18] Zhao, Y., & Chen, H. (2022). Explainable AI for IoT Security of Attacks and Security
Monitoring.
[19] Suzan Hajj, Rayane El Sibai, Jacques Bou Abdo, Jacques Demerjian(2023) Anomaly
Detection in IoT Data Streams Using Sliding Window Techniques
[20] Zie Eya Ekolle, Hideki Ochiai, Ryuji Kohno(2023) Distributed Machine Learning for
Collaborative IoT Security.