Autoencoder for Anomaly Detection in

IoT Network Traffic

Submitted by:

Shubh Gupta
B.Tech CSAI - NSUT

Abstract
With the proliferation of IoT devices, safeguarding network traffic is critical. This project
introduces an Autoencoder-based anomaly detection system trained on normal IoT traffic
to detect security threats. Using the CICIDS 2018 dataset, we preprocess data, design an
Autoencoder model, and evaluate it using standard classification metrics. Our results show
that Autoencoders perform robustly compared to traditional models like Isolation Forest
and One-Class SVM.

1. Introduction
IoT devices generate vast volumes of network traffic, making anomaly detection vital.
Unlike traditional methods that rely on labeled data or hand-crafted features, this project
employs a neural network-based Autoencoder to learn patterns from normal traffic and
detect deviations that may represent attacks.

2. Dataset Description
We utilize a subset of the CICIDS 2018 dataset, a comprehensive benchmark with labeled
normal and attack traffic. The dataset includes multiple attack types and was preprocessed
to include only relevant features and clean instances for effective modeling.

3. Methodology

3.1 Data Preprocessing

• Missing and infinite values were removed.
• Categorical variables were label encoded.
• Feature normalization was applied using StandardScaler.
• Only 'normal' traffic samples were used to train the Autoencoder.
3.2 Autoencoder Model Design
• Encoder and Decoder implemented using fully connected Dense layers.
• Mean Squared Error used as loss function.
• Trained using Adam optimizer for 50 epochs.
• Anomalies were detected based on reconstruction error with a threshold set using 95th
percentile of normal traffic error.

3.3 Performance Evaluation

• Metrics: Accuracy, Precision, Recall, F1-score, AUC.
• Confusion matrix created for evaluation.
• Compared with Isolation Forest and One-Class SVM.
• Autoencoder achieved superior recall and AUC.

3.4 Hyperparameter Tuning

• Grid Search was applied to tune Isolation Forest parameters.
• Best estimators were compared with Autoencoder’s performance.
• Tuning improved model robustness across evaluation metrics.

3.5 Comparison with Other Classifiers

• Supervised models (Random Forest, SVM) were trained on labeled data.
• Autoencoder, trained in an unsupervised manner, performed competitively, especially on
rare attack types.
• Autoencoder's advantage lies in its independence from labeled anomaly data.

4. Results and Discussion

Autoencoder-based detection showed:
• Accuracy: ~94%
• F1-score: High balance between precision and recall
• AUC: Higher than both Isolation Forest and One-Class SVM
The results support the use of Autoencoders for detecting previously unseen anomalies.

5. Conclusion
This project demonstrates the effectiveness of Autoencoders in anomaly detection within
IoT network traffic. By modeling normal behavior, the Autoencoder can accurately detect
anomalies with minimal false positives. It outperforms unsupervised alternatives and
approaches the effectiveness of supervised classifiers without needing labeled attack data.

6. Future Enhancements
• Implement LSTM Autoencoders to capture temporal dependencies.
• Experiment with larger and more diverse datasets.
• Integrate into real-time intrusion detection systems.
• Use Bayesian optimization for more efficient hyperparameter tuning.