TELKOMNIKA Telecommunication Computing Electronics and Control Vol. No. April 2026, pp. ISSN: 1693-6930. DOI: 10.12928/TELKOMNIKA.

Hybrid intrusion detection in IoT devices: a deep learning approach using Kitsune and quantized autoencoder

Md. Rifat E Noor, Md. Tofael Ahmed, Dulal Chakraborty, Pintu Chandra Paul, Sohana Nowar, Rejwan Ahmed, Tanjina Akter
Department of Information and Communication Technology, Comilla University, Cumilla, Bangladesh

ABSTRACT
Internet of things (IoT) has been rapidly transforming the way people connect and communicate in smart homes, healthcare, and businesses around the world. But this growth has complicated security, because IoT devices are more likely to be hacked: they're smaller, lack even regular security practices, and are under attack by more sophisticated threats. Traditional intrusion detection systems (IDS) do not function well in IoT environments because they are computationally expensive and struggle to accommodate the heterogeneous nature of IoT networks. This paper introduces a cross-domain intrusion detection based on adaptive adversarial training using Kitsune and quantized autoencoders (QAE) for anomaly detection and classification. The model is capable of capturing different attacking techniques, such as distributed denial of service (DDoS), Mirai botnet attacks, address resolution protocol (ARP) spoofing, and data exfiltration, by leveraging the reconstruction error generated by Kitsune. The degree-based classification enables the system to dynamically categorize anomalies according to their severity, rendering the model exceptionally adaptive to various attacks. The anomalies are also classified into different types of attacks (normal, suspicious, and malicious) based on binarized error values. The approach achieves a high accuracy with an F1 score of 85.9% and supports real-time characterization to increase security in IoT scenarios.

Article Info
Article history:
Received Jun 24, 2025
Revised Dec 8, 2025
Accepted Jan 30, 2026

Keywords: Anomaly detection, Deep learning, Internet of things security, Intrusion detection system, Kitsune, Quantized autoencoder

This is an open access article under the CC BY-SA license.

Corresponding Author: Md Tofael Ahmed, Department of Information and Communication Technology, Comilla University, Kotbari-3506, Cumilla, Bangladesh. Email: tofael@cou.

Journal homepage: http://journal. id/index. php/TELKOMNIKA

INTRODUCTION
The impact of the internet of things (IoT) on the way users interact with the world, be it smart homes or healthcare systems, industrial automation, or critical infrastructures, has been nothing short of There will be a minimum of 39.6 billion IoT devices in use by 2030, experts have said. These devices will create a large amount of data and foster innovation in multiple industries. But with this rapid growth also come new and dangerous security threats. Cyber-attacks are easily directed at multiple IoT devices because of their constrained computing capability, arbitrary form and size, and the absence of a common secure mechanism. To see how complex the IoT world is, consider how difficult it is for traditional intrusion detection systems (IDS) to deal with it. For example, an IDS based on signatures can identify known attacks, but it does not perform effectively for new, unseen threats. Anomaly-based IDS can be used to detect suspicious behavior; however, they require too many resources and are prone to false positives, which isn't a good risk to run across a large population of devices such as IoT devices. Over 60% of IoT networks get hit by a security incident each year, from distributed denial of service (DDoS) to theft of data and botnet infestations. However, the existing IDSs in IoT networks have several limitations.
First, it is challenging for regular systems, such as signature-based IDS, to handle heterogeneous IoT environments, wherein diverse types of devices have constrained resources. They are hence not scalable to real-time analysis in a large network and are computationally expensive. In addition, many of these systems do not detect zero-day attacks, which have been increasing in the dynamic IoT environment. These shortcomings make it clear that a more efficient, scalable, and flexible IDS is needed, capable of managing these problems. The proposed hybrid framework directly tackles these issues of improving the computational complexity and scalability, and provides a solution that is capable of detecting both known and unknown attacks in real time on IoT networks.

To address these problems, this work presents a new hybrid intrusion detection approach. The approach combines two powerful techniques: the quantized autoencoder (QAE), a computational model that can produce accurate results with minimum computational cost, and Kitsune, a machine learning (ML) based anomaly detection system, which is capable of analyzing IoT traffic in real time. The system is built upon several state-of-the-art techniques for data manipulation: one-hot encoding, oversampling to remove the class imbalance, and principal component analysis (PCA) to make the data less complex. In this work, we have validated this setup on two well-adapted IoT datasets: botnet-IoT (Bot-IoT), which consists of offline traffic, and real-time IoT (RT-IoT2.), which involves real-time streaming. It achieved better performance (accuracy = 88.7%, precision = 85.8%, recall = 6%, and F1 score = 85.9%) than other feasible methods.
Several valuable contributions were made by the research reported here:
- Lightweight hybrid architecture: the proposed framework is suitable for IoT edge devices by combining the fast search algorithm of QAE with the anomaly detection of Kitsune.
- Energy efficiency: the system is more approachable for IoT-based wearable and battery-driven gadgets due to the method of quantization, which reduces memory and processing costs by a third.
- Novel hybrid approach: this paper introduces a new hybrid intrusion detection system through the combination of Kitsune with QAE. This solution is specifically created for IoT environments.
- Comprehensive analysis: we demonstrate the effectiveness of the proposed method in accurately detecting and classifying intrusions on two large-scale IoT datasets.
- Real-world applications: we provide practical recommendations for balancing computation speed, accuracy, and resource consumption. Descriptions of techniques to implement the architecture in real IoT environments are also provided.

This work ultimately improves the security of IoT devices by designing a flexible, feasible, energy-efficient, and low-cost IDS, and it addresses some of the greatest challenges of the fast-expanding IoT world.

Kasinathan et al. proposed a new solution for improving security in IoT and wireless sensor networks (WSNs). To enhance security against wireless denial-of-service attacks and to speed up message dissemination, their architecture connects the IDS node to the parent station's IDS. Since Suricata was not initially built to handle non-internet protocol (IP)-based networks, the design of decoders required for it to understand internet protocol version 6 (IPv6)
is a major aspect of this work. Oh et al. proposed a novel pattern matching approach for devices with limited resources, which applies attack signatures of ClamAV and SNORT to the packet stream. Some classic IDSs, like Suricata and SNORT, use this approach, but they often have problems scaling down to small IoT networks. The major issue is that the rule sets are large and require a huge amount of computing power. To solve this issue, the authors propose Passban, a portable IDS that discovers new threats with a reduced number of false positives via anomaly This approach holds potential, but additional research is needed to adapt it for IoT systems.

Heimdall, an IDS using whitelists to deny DDoS attacks like the Mirai botnet, was introduced by Habibi et al. VirusTotal looks at any URL or DNS response and determines its safety status or potential harm. The gateway allows traffic only from sources that have been authorized. But Heimdall depends a great deal on VirusTotal's security, so it is at risk from zero-day attacks because they haven't been analyzed by VirusTotal. Querying a remote endpoint for traffic analysis also slows how quickly the system can respond.

Wallgren et al. investigated the vulnerability of routing protocols to selective forwarding attacks in loss-aware and loss-indifferent networks (routing protocol for low-power and lossy networks/RPL), and also low-power networks at the network layer. In such attacks, a rogue node advertises itself as having the shortest path, leading traffic to be rerouted and packets to be dropped. Such an attack would destroy network Amaral et al. present a traffic signatures-based intrusion detection system for WSNs. Their proposed solution is divided into three components: a packet monitoring component, an anomaly detection component with some predetermined rules, and an attack notice to the administrator for the detected
Jun and Chi introduced an event processing engine to detect anomalous traffic patterns in real time in the scope of IoT. Their rules-based IDS is lightweight in terms of memory usage, but uses a significant amount of central processing unit (CPU) resources analyzing the data. Riecker et al. concentrated on the energy consumption of IDSs for WSNs. Linda et al. proposed an anomaly-based IDS applicable to physical infrastructures such as water supply facilities and power plants. During the learning period, the system constructs a reference model from network data and then checks incoming traffic against this model. They employed an artificial neural network (ANN) as a traffic profiling tool to assist anomaly detection systems in distinguishing between normal traffic and attack traffic. Similarly, Hodo et al. employed ANNs for DoS/DDoS attack detection within IoT. Yet their method suffers from high false alarms when applying predefined models. It is therefore relatively useless for identifying new or unfamiliar threats.

Lee et al. presented a lightweight IDS where different energy consumption can be taken into account in intrusion detection. They consider each node individually, energy consumption being a major Such a technique functions well in the case of homogeneous networks such as WSNs, but performs poorly for IoT networks where nodes experience widely varying power consumption behavior. Krimmling and Peter proposed a constrained application protocol (CoAP) modular detection framework on the application level for IoT networks in smart cities. As lightweight as their method is, it only defends against certain attacks, such as routing attacks. The implementation of integrated, signature-based, and anonymized IDS may lead to increased detection capabilities, they suggest. Cervantes et al.
presented intrusion detection of sinkhole attacks in IoT (INTI), an IDS addressing the detection of sinkhole attacks in IPv6 over low-power wireless personal area networks (6LoWPAN)-based IoT networks. They adopt a reputation-driven approach; that is, nodes observe other nodes' traffic and gossip in the network to inform others if they detect a malicious node. However, their system does not cover how it affects low-capacity nodes, which could be scarce in a resource-constrained environment. Midi et al. introduced Kalis, an IDS that integrates anomaly-based and signature-based detection methods. Kalis studies network topology and traffic to defend against DoS attacks. But it is restricted to routing attacks and requires off-rack detection modules for different types of attack patterns, which can complicate the system. Elrawy et al., as well as Chaabouni et al., provided a comprehensive review of IDS technologies on IoT and the different security issues faced by IoT networks. As hardware resources on IoT devices are limited, Li et al. studied the applicability of statistical methods for IoT IDSs and emphasized the necessity of carefully choosing the statistical methods.

METHOD
In this section, we describe how a solid theoretical base is turned into practical implementation schemes to build the hybrid IDS. The methodology presented in Figure 1 tackles the specific security challenges of the IoT architecture in a repeatable manner, with innovative choices about architectures and optimization methods. The proposed hybrid IDS combines QAE for classification with Kitsune to identify anomalies. The workflow consists of four main stages as depicted in Figure 1: data collection and preparation; feature engineering and dimensionality reduction; model architecture design (Kitsune QAE); and training and evaluation. Two widely used datasets, namely "Bot-IoT" and "RT-IoT", were employed in this study.
The datasets are widely used because they consist of a labeled large-scale collection with diverse attack types, including DDoS, data exfiltration, and keylogging.

Data collection and preprocessing
The Bot-IoT dataset was developed by the University of New South Wales (UNSW) to bridge the gap of real-like IoT botnet attack data for intrusion detection improvements. The 2022 model is a more sophisticated version, which includes further attack simulations and improved feature engineering. Table 1 summarizes the key differences between the Bot-IoT and RT-IoT datasets in terms of purpose, data characteristics, attack types, and deployment suitability. This comparison clarifies the rationale for using both datasets to evaluate the proposed hybrid Kitsune-QAE intrusion detection system under offline and real-time scenarios. The RT-IoT dataset is designed for real-time intrusion detection of IoT networks. RT-IoT also highlights the significance of streaming data, where null values would degrade the performance and efficiency of any ML model. Thus, a key component of ML preprocessing is an imputer to remove null values from the dataset. Both datasets, Bot-IoT and RT-IoT, are well elaborated. Thus, it contains barely any null values. But the previous one had the null. It is suitable for edge computing and real-time anomaly detection. These not-a-number (NaN) values disturb the accuracy and efficiency of any ML algorithm.

TELKOMNIKA Telecommun Comput El Control. Vol. No. April 2026: 452-465

Figure 1. Research methodology

Table 1. Dataset comparisons
Bot-IoT. Purpose: offline ML training; data volume: large (. M records); attack types: DDoS, keylogging, data theft; format: CSV/PCAP; best for: research, model benchmarking.
RT-IoT. Purpose: real-time intrusion detection; data volume: smaller, optimized for streaming; attack types: Mirai, brute-force, spoofing; format: Kafka, MQTT,
JSON; best for: edge AI, live monitoring.

Hence, missingness is one of the most important preprocessing concerns in ML. Both the Bot-IoT and RT-IoT datasets are well-prepared datasets. Therefore, there are very few missing values. The issues raised in the introduction are directly addressed by the preprocessing techniques, such as PCA and one-hot encoding (e.g., protocol type, service, state, attack category), and the response of the network to those alternatives is reported. PCA reduces the dimensionality of the dataset while maintaining its critical characteristics, which is essential for constrained IoT devices. Furthermore, one-hot encoding ensures an accurate and complete representation of the categorical information, which can also help the detection model to capture different types of attacks, including those that are zero-day. These steps are needed to ensure that the hybrid Kitsune-QAE architecture can scale out across multiple IoT networks as well as provide real-time analysis. However, the previous version contained null values. The attack types are shown in Tables 2 and 3, for the balanced set and for the set without balancing.

Table 2. Different attack types in the RT-IoT dataset before and after balancing
Attack type: DOS_SYN_HPING, THING_SPEAK, ARP_POISIONING, MQTT_PUBLISH, NMAP_UDP_SCAN, NMAP_XMAS_TREE_SCAN, NMAP_OS_DETECTION, NMAP_TCP_SCAN, DDOS_SLOWLORIS, WIPRO_BULB, METASPLOIT_BRUTE_FORCE_SSH, NMAP_FIN_SCAN
Columns: Before balancing count, After balancing count

Table 3. Different attack types in the Bot-IoT dataset before and after balancing
Attack type: DDoS, DoS, Reconnaissance, Normal, Theft
Columns: Before balancing count, After balancing count

Label balancing
Imbalanced datasets are natural, since the real world is full of imbalanced instances, and they make predictive modelling difficult.
In the oversampling of the minority class, further samples are drawn until the set of attributes is consistent with the majority class. Unbalanced sampling of an under-represented class is known to introduce bias into the learned model. To counter this effect and to ensure that the learned model is exposed to an equal number of examples from each category, ML teams use replication methods on the samples of the under-represented class. Oversampling is an effective way to handle an imbalanced pattern because no data is removed, and hence it is a favorable option for ML teams handling a scanty dataset, since they lose very little information. However, the model is still vulnerable to discovering patterns in the data and overfitting, because the number of unique data points in the minority class is small. This study employed oversampling techniques. After balancing of labels, the counts of attack types for both datasets are given in Tables 2 and 3.

Feature engineering and dimensionality reduction
PCA is the well-known unsupervised learning method for reducing data dimension. It not only increases interpretability but also reduces the loss of information. It helps to easily discover the most significant features in a dataset. The PCA method relies heavily on the covariance matrix in determining the principal components of the data. The eigenvectors illustrate the most important modes of variation within the data (i.e., the angles of rotation), while the eigenvalues indicate the amount of variation along each direction. The covariance matrix is an n x n matrix that provides the covariance between each pair of elements in the data. Given a data matrix $X$ with $p$ observations for n variables, the correlation matrix $C$ is defined as follows:

$C = \frac{1}{p} X^{T} X$ (1)
The eigenvectors are then used to calculate the features of the data. The eigenvectors of the covariance matrix capture the largest variations of the data. These coordinates are then employed to define the new reference frame in which the data is processed. These vectors are employed to project the original data into a lower-dimensional space and describe the directions around which the data varies the The eigenvectors are computed in such a way that (2) is satisfied:

$C v_i = \lambda_i v_i$ (2)

where $C$ = covariance matrix, $v_i$ = eigenvector, and $\lambda_i$ = associated eigenvalue.

We perform one-hot encoding on all the categorical attributes of the datasets as part of the data preprocessing to ensure that ML models can effectively process them. The categorical variables one-hot encoded for the Bot-IoT dataset were: protocol (TCP, UDP, and ICMP), service (for example, SMTP, FTP, and HTTP), flag (SF and REJ), and attack method (keyloggers, ddos, and data theft). The categorical variables of the RT-IoT dataset were: protocol (TCP, UDP, and MQTT) and attack type (Spoofing, Brute-Force, and Mirai). A series of binary dummy columns was generated from each of these categorical variables. For example, the "Protocol Type" feature, which had 3 initial values (TCP, UDP, and MQTT), yielded 3 binary features: "Protocol_TCP", "Protocol_UDP", and "Protocol_MQTT". This one-hot encoding step converted the categorical features into numerical features that ML models can interpret. This transition led to the following significant outcomes: since all categorical features were one-hot encoded, the 18 features for the Bot-IoT dataset expanded to 84 features.
Also, the RT-IoT dataset, initially containing only 18 features, was expanded to 84 features due to the one-hot encoding. PCA was then performed to reduce the dimension of the feature set after one-hot encoding. PCA retained 95% of the variance, resulting in 18 features for Bot-IoT and 11 features for RT-IoT instead of 84 and 84 features, respectively. By preserving important information for intrusion detection, the dimensionality reduction strategy improves model performance and reduces computational complexity.

Architecture modeling
Kitsune (detection of anomalies)
Kitsune is a new pattern discovery method, which is designed specifically for IoT environments. It utilizes numerous autoencoders for anomaly detection in network traffic. Each autoencoder in the ensemble is trained on a subset of the data, thus enabling the system to recognize several patterns. Kitsune is a system for online learning using an ensemble method to detect network intrusions in real time. For consistent training, it operates on standardized, normalized, preprocessed network traffic features, such as packet timing, protocol headers, and statistical features. The model utilizes a chain of several lightweight autoencoders, where each one is trained on a feature subset and learns benign behavior by minimizing reconstruction error over benign traffic. Kitsune operates in an online fashion and continuously adapts its autoencoders to new devices or services, as well as to slowly evolving network behavior. During detection, a score is generated for each received item, measured by the reconstruction error; the higher the score, the more suspicious the traffic. Because of its unsupervised nature, Kitsune is flexible and robust to changing network environments, and can detect infections without the need for labeled attack data.
The main characteristics are the real-time processing, the robustness of collective learning, and the durability of thought However, it works only with good feature engineering and may produce false positives on already genuine but unexplained poly problems. Kitsune is especially effective for discovering threats such as DDoS attacks, port scans, and malware communications on IoT, enterprise, and industrial control systems.

QAE classification
The QAE improves Kitsune's network intrusion detection by equalizing continuous anomaly scores to binary severity levels. To preserve the temporal dimension of Kitsune's raw reconstruction error scores, the first step consists of the normalized input shown in Figure 2. The quantization model provides two alternatives: fixed threshold-based binary detection using statistical percentiles, or a learned quantization scheme with trainable thresholds and more granularity (e.g., normal, suspicious, and malicious). For instance, an anomalous traffic pattern shows up as a large reconstruction error, which can be regarded as a malicious DDoS attack. Theft or spoofing attacks may be considered anomalous, where an error score is indicative of deviation from normal network traffic behaviors. Normal traffic is detected when the reconstruction error stays under some threshold representing no significant departure from legitimate traffic. This degree-based categorization enables the hybrid model to handle a variety of attack types dynamically and label each abnormality appropriately based on its severity and features. In addition to featuring stronger, more actionable alerts, Kitsune's online flexibility capabilities are kept intact, and the quantization approach may apply to hierarchical threat assessment as well.
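The fixed-threshold alternative described above, as an added example that is not the paper's code: benign reconstruction errors calibrate a min-max normalization and two percentile cut-offs, and each new error is mapped to normal, suspicious, or malicious. The names (`rmse`, `ErrorQuantizer`), the use of RMSE as the error, the 95th/99th percentile cut-offs, the handling of NaN scores, and all sample values are assumptions constructed for illustration.

```python
import math
from bisect import bisect_left

LEVELS = ("normal", "suspicious", "malicious")


def rmse(x, x_hat):
    """Reconstruction error between a feature vector and an autoencoder's output."""
    if not x or len(x) != len(x_hat):
        raise ValueError("x and x_hat must be non-empty and of equal length")
    return math.sqrt(sum((a - b) ** 2 for a, b in zip(x, x_hat)) / len(x))


def percentile(sorted_values, q):
    """q-th percentile (0-100) of an ascending list, with linear interpolation."""
    pos = (len(sorted_values) - 1) * q / 100.0
    lo = int(math.floor(pos))
    hi = min(lo + 1, len(sorted_values) - 1)
    return sorted_values[lo] + (sorted_values[hi] - sorted_values[lo]) * (pos - lo)


class ErrorQuantizer:
    """Maps continuous reconstruction errors to three severity levels.

    Thresholds come from percentiles of *benign* errors only, so no labeled
    attack data is needed (assumed cut-offs: 95th and 99th percentile).
    """

    def __init__(self, medium_pct=95.0, high_pct=99.0):
        if not 0.0 < medium_pct < high_pct <= 100.0:
            raise ValueError("require 0 < medium_pct < high_pct <= 100")
        self.medium_pct, self.high_pct = medium_pct, high_pct
        self.low = self.span = self.medium = self.high = None

    def fit(self, benign_errors):
        # Drop NaN/inf scores: one bad calibration sample must not move the thresholds.
        clean = sorted(e for e in benign_errors if math.isfinite(e))
        if len(clean) < 2 or clean[-1] == clean[0]:
            raise ValueError("need at least two distinct finite benign errors")
        self.low, self.span = clean[0], clean[-1] - clean[0]
        normalized = [(e - self.low) / self.span for e in clean]
        self.medium = percentile(normalized, self.medium_pct)
        self.high = percentile(normalized, self.high_pct)
        return self

    def quantize(self, error):
        if self.medium is None:
            raise RuntimeError("call fit() on benign errors first")
        if math.isnan(error):
            # Assumption: a sample that cannot be scored is escalated, never passed as normal.
            return "suspicious"
        score = (error - self.low) / self.span
        # error <= medium -> normal; medium < error <= high -> suspicious; else malicious
        return LEVELS[bisect_left([self.medium, self.high], score)]


def classify_stream(quantizer, stream):
    """Return (name, level) for each (name, x, x_hat) triple in the stream."""
    return [(name, quantizer.quantize(rmse(x, x_hat))) for name, x, x_hat in stream]


# Constructed calibration data: 100 benign reconstruction errors from 0.020 to 0.119.
BENIGN_ERRORS = [0.02 + 0.001 * i for i in range(100)]

# Constructed samples: feature vector and the reconstruction an autoencoder returned.
STREAM = [
    ("sensor-report", [0.50, 0.20, 0.10, 0.90], [0.52, 0.18, 0.11, 0.88]),
    ("odd-burst", [0.30, 0.60, 0.20, 0.80], [0.416, 0.484, 0.316, 0.684]),
    ("flood", [0.90, 0.90, 0.90, 0.90], [0.10, 0.20, 0.10, 0.30]),
]

if __name__ == "__main__":
    quantizer = ErrorQuantizer().fit(BENIGN_ERRORS)
    for name, level in classify_stream(quantizer, STREAM):
        print(f"{name}: {level}")
```

Calibrating on benign traffic only keeps the stage unsupervised; the percentile cut-offs set how much benign traffic is expected to be escalated, so they are the main knob for the false-positive rate.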
The proposed method is flexible in handling various distribution cases by balancing optional supervised assistance from labeled data with unsupervised deployment.

Figure 2. Hybrid Kitsune-QAE model

RESULTS AND DISCUSSION
In this section, a thorough comparative analysis of three different intrusion detection arrangements is described. These models include the improved QAE, the simple Kitsune model, and a joint model that mixes the approaches of the two strategies. Algorithm 1 shows the overall process in intrusion detection. The evaluation utilizes four high-level performance metrics: F1 score, precision, recall, and accuracy. Two widely used IoT datasets are employed: Bot-IoT and RT-IoT. The result was reported as

Algorithm 1. Intrusion detection
D ← ∅
LOAD_DATASETS("Bot-IoT", "RT-IoT")
repeat
    D_preprocessed ← preprocess_data(·)
    M ← initialize_encoders(·)
    for each M_i ∈ M do
        M_i ← train_encoder(M_i, D_benign)
    end for
    for each s_i ∈ D_incoming do
        e_reconstruction(s_i) = Σ_{i=1} (s_i − x̂)
        e_quantized(s_i) = quantize_error(·)
        c_classification(s_i) = "malicious", if e_quantized(s_i) > high
                                "suspicious", if medium < e_quantized(s_i) ≤ high
                                "normal", if e_quantized(s_i) ≤ medium
        if c_classification(s_i) = "malicious" then
            ALERT_INTRUSION("Malicious Activity Detected!")
        else if c_classification(s_i) = "suspicious" then
            ALERT_INTRUSION("Suspicious Activity Detected!")
        else
            ALERT_INTRUSION("Normal Traffic")
        end if
    end for
until all data is processed

Kitsune baseline model
As opposed to the baseline, the Kitsune model received an F1 score of 82.2 to 43.4, accuracy of 84.4%, precision of 81.4 to 82.1%, and recall of 82.5 to 83.
To summarize, these are the data we used to establish an honest performance baseline and to determine whether Kitsune actually detects intrusions in the IoT. We observed, though, that in comparison with the other models, the precision and recall could be These are the key statistics to guide the reduction of false positives and the maximization of real attacks that are detected.

QAE model
In all aspects, the QAE model was superior to the baseline Kitsune model. It reached accuracy of 88.3 to 88.7%, precision of 85.8%, recall of 84.8 to 85.6%, and F1 of 84.6 to 85. Compared with Kitsune, this showcases how well QAE discrete quantization performs, as we see a 4. increased accuracy, 4.4% increased precision, 2.7% increased recall, and a 3.2% increased F1 score. The results suggest that the QAE model works well with both datasets, producing values that differ only slightly (≤ 0.4%) between them. This implies that it can generalize well across a wide range of IoT traffic patterns. Figures 3 and 4 and Tables 4 and 5 strongly support the fact that QAE enhances the confidence of decision boundaries and reduces the number of false positives, which leads to a better detection rate of attacks.

Figure 3. Classifiers and datasets: precision and recall

Figure 4. Classifiers and datasets: F1 score and accuracy

Table 4. Accuracy, precision, recall, and F1 score for different models
Performance: Accuracy, Precision, Recall, F1 score
Models: Kitsune with BOT-IoT, Kitsune with RT-IoT, QAE with BOT-IoT, QAE with RT-IoT, Hybrid with BOT-IoT, Hybrid with RT-IoT

Table 5.
Accuracy, precision, recall, and F1 score advantages for different models
Metric: Accuracy, Precision, Recall, F1 score
Columns: Kitsune range, QAE range, Hybrid range, QAE advantage

Hybrid model
The F1 score, accuracy, precision, and recall of hybrid model (KCF QAE). 6%-84.1%), 9%-87.2%), . 2%-84.5%), respectively. Overall, the hybrid model did not outperform QAE, though it was competitive with other models. Although there are certain benefits of combining methods, the data exhibited much better detection ability with QAE. The results obtained with the hybrid model indicate that further work on combining the two would be beneficial to optimize the performance of both. The performance of the hybrid model is also presented in Figure 4.

A detailed comparison of the proposed QAE model with the various IDS presented in the literature describes the advantages and disadvantages of each approach. The new state-of-the-art models in this domain of intrusion detection are long short-term memory (LSTM) networks and deep autoencoders, which achieve impressive accuracy. But these methods typically rely on supervised learning algorithms. These models need annotated data, which is hard to come by and collect in real-world IoT setups. To train supervised models, the dataset must be pre-processed with instances already assigned labels. This adds levels of complexity in adapting to novel and unanticipated attack surfaces (this is particularly problematic with zero-day To mitigate the risk of poor performance when no labeled data is available, we propose an auto-learn mechanism as an integral part of our QAE model. Thus, the QAE approach is the most suitable for IoT cases where labeled data is hard to obtain. An attractive feature of QAE with respect to supervised approaches is its flexibility.
The proposed model has low statistical variation (≤0.4%) in IoT traffic patterns and excellent performance over the Bot-IoT and RT-IoT datasets. To manage the sudden and diverse properties of IoT networks, it is preferred for the QAE to perform well across a diversity of network types and attack strategies. Thanks to its better capability to detect attacks, the QAE model can learn by itself. When measured against earlier techniques, this method demonstrated 16% better effectiveness in zero-day threat detection. Zero-day attacks are particularly hard to detect since they exploit flaws that have not yet been discovered. The Hybrid method, which was the combination of Kitsune and QAE, provided results that were between the Since the quantization in QAE is the predominant operator for its speed-up, this motivates the idea of using different techniques in combination with it. Existing solutions other than being orders of magnitude more efficient than deep autoencoders (which was demonstrated by Kitsune) QAE excels in computing With 33% less computational effort, the QAE model offers real-time capabilities and proves cost-effective, especially when resource-constrained environments are factors (refer to Table ). Owing to its effectiveness as well as its superior detection accuracy with a low false positive rate, QAE is the optimal option for scalable and accurate detection in IoT networks.

Table 6. Comparative summary of IDS methods and results from key studies
References Al-Garadi et al. Linda et al. Hodo et al. Elrawy et al. Methods used A review of learning methods for IoT Neural networks ANN-based IDS Survey of IoT IDS Chaabouni et al. Li et al. Supervised learning (SVM, RF) System statistics learning Mirsky et al. Sharmila and Nagapadma Kolias et al. Anagnostopoulos et al. Vinayakumar et al. Raza et al. Meidan et al. This work Ensemble of autoencoders (Kitsune)
QAE Key results/contributions Highlighted the effectiveness of DL in detecting IoT attacks Rule-based anomaly detection Signature-based, behavioral analysis Achieved 96% accuracy for critical infrastructure protection Detected IoT threats with 94% accuracy Emphasized the need for lightweight, hybrid approaches in resource-constrained IoT SVM outperformed RF with 95% recall on IoT-specific datasets Improved detection of zero-day IoT attacks by 22% over traditional methods Detected attacks in real-time with 0. 1% false positives Cut computational overhead by 40% while maintaining a detection accuracy of 93% Proposed lightweight IDS for IoT with 92% accuracy Detected mobile botnets with 89% F1-score Deep learning (LSTM. CNN) Achieved 98. 5% detection rate on NSL-KDD dataset Lightweight IDS (SVELTE) Deep autoencoders Hybrid model of QAE and Kitsune Reduced energy consumption by 30% in 6LoWPAN networks Identified IoT botnets with 99% precision in real-time Improved detection of zero-day IoT attacks by 16%, overcoming computational overhead by 33% while maintaining over 85% detection accuracy While the standalone QAE model outperformed the hybrid model in throughput accuracy, here opted to employ the hybrid model, as a more complex set of problems in realistic IoT applications emerged that needed to be faced. The hybrid system . ombining Kitsune with QAE) has complementary strengths that can be used to efficiently tackle different attack classes and unknown threats. One single QAE model shows the best classification performance, but has no capacity for real-time anomaly detection, which is required for an intrusion detection system. The performance of the Kitsune model is better in anomaly detection, especially in identifying new or unexpected attacks, where QAE . hich is a single mode. fails to identify. 
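The quantization trade-off discussed above, as an added example that is not the authors' implementation: a toy tied-weight linear autoencoder is quantized to int8, and its reconstruction-error grades (normal, suspicious, malicious) are compared with those of the float model. The weights, feature vectors and threshold multipliers are constructed assumptions.

```python
import math

# Constructed tied-weight linear autoencoder (4 features -> 2 latent units).
# Rows are orthonormal, so float reconstruction projects onto the benign subspace.
W = [[0.8, 0.6, 0.0, 0.0],
     [0.0, 0.0, 0.6, 0.8]]

# Constructed benign calibration vectors (scaled flow features, small noise).
BENIGN = [(0.81, 0.59, 0.30, 0.40), (0.40, 0.31, 0.61, 0.79),
          (0.16, 0.13, 0.29, 0.41), (0.79, 0.61, 0.12, 0.15)]

def quantize(w, bits=8):
    """Symmetric per-tensor quantization: returns (integer weights, scale)."""
    qmax = 2 ** (bits - 1) - 1
    scale = max(abs(v) for row in w for v in row) / qmax
    return [[round(v / scale) for v in row] for row in w], scale

def rmse(x, w, scale=1.0):
    """Reconstruction RMSE of x through the autoencoder with weights w * scale."""
    z = [scale * sum(wk * xj for wk, xj in zip(row, x)) for row in w]
    xhat = [scale * sum(row[j] * zk for row, zk in zip(w, z)) for j in range(len(x))]
    return math.sqrt(sum((a - b) ** 2 for a, b in zip(x, xhat)) / len(x))

def calibrate(w, scale=1.0, susp=2.0, mal=6.0):
    """Assumed rule: thresholds are multiples of the worst benign RMSE."""
    worst = max(rmse(x, w, scale) for x in BENIGN)
    return susp * worst, mal * worst

def grade(x, w, scale, thresholds):
    """Degree-based label derived from the reconstruction error."""
    err = rmse(x, w, scale)
    t_susp, t_mal = thresholds
    return "malicious" if err > t_mal else "suspicious" if err > t_susp else "normal"

def compare(samples):
    """Grade each sample with the float model and with its int8 copy."""
    q, s = quantize(W)
    t_f, t_q = calibrate(W), calibrate(q, s)
    return [(grade(x, W, 1.0, t_f), grade(x, q, s, t_q),
             abs(rmse(x, W) - rmse(x, q, s))) for x in samples]

# Constructed test vectors: on the benign subspace, mildly off it, far off it.
SAMPLES = [(0.48, 0.36, 0.30, 0.40), (0.83, 0.56, 0.30, 0.40), (0.10, 0.95, 0.90, 0.05)]

if __name__ == "__main__":
    for f_label, q_label, drift in compare(SAMPLES):
        print(f"float={f_label:10s} int8={q_label:10s} |dRMSE|={drift:.5f}")
```

Thresholds are calibrated separately on the model that is actually deployed, so the small error shift introduced by quantization is absorbed into the thresholds instead of producing false positives.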
The hybrid approach makes more sense with dynamic, large-scale IoT networks with highly varying traffic patterns and the requirement to detect and counteract unforeseen attack models before they cause any damage. Besides, although the single QAE model performed better in the controlled evaluations, the hybrid method enables a better performance on the real-time anomaly detection and the dynamic attack classification. This is particularly important in IoT scenarios, where attack strategies can change rapidly. The ability of the hybrid model to detect subtle anomalies before categorization provides an additional protection against sophisticated and complex attacks.

CONCLUSION

In this work, we compared three end-to-end intrusion detection models, including Baseline, QAE-based, and their Hybrid model. The performance pattern of these models was easily distinguished when their performances were assessed on Bot-IoT and RT-IoT datasets. The Kitsune model was good, but there was still room for improvement in precision and recall, and accuracy was between 84.2% and 85. The QAE model achieved the best performance compared to Kitsune with improved accuracy . 3% vs 88.7%), 8%), and recall . 8% vs 85.6%) due to the quantization method used. It also excelled at identifying zero-day attacks, with a 16% improvement over prior models. The Hybrid model Kitsune with QAE showed the best overall performance. It achieved 86.9% accuracy for the target and 87.2% accuracy for non-targets, and corresponded well with a strong balance between the merits of the two models. QAE had superior detection performance compared to Kitsune, and the former achieved higher performance than both of them when QAE was mixed with Kitsune. Limitations of the study include reliance on Bot-IoT and RT-IoT statistics, which cannot be considered to completely depict real IoT environments.
The performance of the hybrid model hinges on the quality of the training data, and its computational cost may hinder its scalability in large networks. Furthermore, its implementation is mostly focused on IoT networks, and more studies are needed to assess its generalizability in other domains. Future work could focus on the use of unsupervised learning to identify unknown attacks, evaluate the performance of the model in the presence of complex attack vectors such as APTs, and probe into online learning-based techniques for adapting to newly emerging threats at runtime. Additionally, combining the hybrid model with other security techniques may improve its overall effectiveness in providing holistic security.

FUNDING INFORMATION

The authors state no funding involved.

AUTHOR CONTRIBUTIONS STATEMENT

This journal uses the Contributor Roles Taxonomy (CRediT) to recognize individual author contributions, reduce authorship disputes, and facilitate collaboration.

Name of Author: Md. Rifat E Noor, Md. Tofael Ahmed, Dulal Chakraborty, Pintu Chandra Paul, Sohana Nowar, Rejwan Ahmed, Tanjina Akter

C: Conceptualization; M: Methodology; So: Software; Va: Validation; Fo: Formal analysis; I: Investigation; R: Resources; D: Data Curation; O: Writing - Original Draft; E: Writing - Review & Editing; Vi: Visualization; Su: Supervision; P: Project administration; Fu: Funding acquisition

CONFLICT OF INTEREST STATEMENT

The authors state no conflict of interest.

DATA AVAILABILITY

The data that support the findings of this study are available from the corresponding author, upon reasonable request.

REFERENCES