FPR-CONSTRAINED HYBRID DEEP LEARNING FOR IOT ANOMALY DETECTION

  • Salma Nurkamila Universitas Pendidikan Indonesia
  • Suprih Widodo Universitas Pendidikan Indonesia
Keywords: network anomaly detection, Shannon entropy, false positive rate, hybrid deep learning, Internet of Things

Abstract

Abstract: Existing IoT anomaly detection studies have achieved high classification performance, but most focus on accuracy and F1-score without explicitly controlling the false positive rate (FPR). In addition, many approaches rely on a single detection perspective, limiting their operational reliability. To address this gap, this study proposes a hybrid anomaly detection framework integrating Long Short-Term Memory (LSTM), Shannon entropy, and autoencoder reconstruction error. Shannon entropy is incorporated as an additional feature, while LSTM and the autoencoder capture temporal and reconstruction characteristics. The resulting hybrid representation is processed by a constraint-based threshold selection mechanism that enforces FPR . Experiments on the TON-IoT and Edge-IIoTset datasets achieved average F1-scores of 0.9250 and 0.9934, while maintaining average FPR values of 0.0091 and 0.0714, respectively. Analysis of entropy distributions showed consistent differences between normal and anomalous traffic across both datasets, indicating that Shannon entropy provides discriminative information for anomaly detection. These results demonstrate strong detection performance with controlled false alarms, while ablation studies confirm the significant contribution of Shannon entropy to overall model performance.


Keywords: false positive rate; hybrid deep learning; Internet of Things; network anomaly detection; Shannon entropy
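The constraint-based threshold selection described in the abstract can be sketched as follows. This is an added example, not the authors' code: the score values, the `select_threshold` and `shannon_entropy` names, and the FPR budgets used are assumptions, since the page does not state the bound or the fusion method.

```python
import math
from collections import Counter

def shannon_entropy(window):
    """Shannon entropy in bits of the values seen in one traffic window."""
    n = len(window)
    return -sum((c / n) * math.log2(c / n) for c in Counter(window).values())

def select_threshold(scores, labels, max_fpr):
    """Best-F1 threshold among those with FPR <= max_fpr on validation data.

    A sample is flagged when score >= threshold; labels use 1 for anomaly.
    Returns (threshold, f1, fpr). The +inf candidate flags nothing, so the
    constraint is always satisfiable (at the cost of F1 = 0).
    """
    pos = sum(labels)
    neg = len(labels) - pos
    best = None
    for t in sorted(set(scores)) + [math.inf]:
        tp = sum(1 for s, y in zip(scores, labels) if s >= t and y == 1)
        fp = sum(1 for s, y in zip(scores, labels) if s >= t and y == 0)
        fpr = fp / neg if neg else 0.0
        if fpr > max_fpr:
            continue  # violates the false-alarm budget, never selectable
        f1 = 2 * tp / (2 * tp + fp + (pos - tp)) if tp else 0.0
        if best is None or f1 > best[1]:
            best = (t, f1, fpr)
    return best

# Constructed validation scores (higher = more anomalous), not from the paper.
NORMAL = [0.05, 0.08, 0.10, 0.12, 0.15, 0.18, 0.20, 0.22, 0.25, 0.28,
          0.30, 0.32, 0.35, 0.38, 0.40, 0.42, 0.45, 0.55, 0.62, 0.70]
ANOMALY = [0.50, 0.58, 0.65, 0.75, 0.80, 0.85, 0.90, 0.95]
SCORES = NORMAL + ANOMALY
LABELS = [0] * len(NORMAL) + [1] * len(ANOMALY)

if __name__ == "__main__":
    # Tightening the budget trades F1 for fewer false alarms.
    for budget in (1.0, 0.05, 0.0):
        t, f1, fpr = select_threshold(SCORES, LABELS, budget)
        print(f"max_fpr={budget:<4} threshold={t:.2f} F1={f1:.3f} FPR={fpr:.2f}")
    # Entropy as a window feature: one repeated value vs. four distinct values.
    print(shannon_entropy([443] * 8), shannon_entropy([22, 80, 443, 8080]))
```

The threshold is chosen on labelled validation scores only; the FPR measured on held-out traffic can still exceed the budget if the score distribution shifts.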

 

 

Abstract: Research on Internet of Things (IoT) anomaly detection has shown high classification performance, but most of it still focuses on accuracy and F1-score without explicitly controlling the false positive rate (FPR). In addition, many approaches use only a single detection perspective, so their operational reliability remains limited. To address this gap, this study proposes a hybrid anomaly detection framework that integrates Long Short-Term Memory (LSTM), Shannon entropy, and autoencoder reconstruction error. Shannon entropy is used as an additional feature, while the LSTM and the autoencoder capture temporal characteristics and reconstruction deviation. The resulting hybrid representation is then processed by a constraint-based threshold selection mechanism with an FPR bound . Tests on the TON-IoT and Edge-IIoTset datasets yielded average F1-scores of 0.9250 and 0.9934, with average FPR values of 0.0091 and 0.0714. The consistent difference in entropy values between normal and anomalous traffic on both datasets shows that Shannon entropy provides discriminative information for anomaly detection. These results show strong detection performance with controlled false alarms, while the ablation study confirms the significant contribution of Shannon entropy to model performance.

 

Keywords: network anomaly detection; false positive rate; hybrid deep learning; Internet of Things; Shannon entropy


Published
2026-06-22
How to Cite
Nurkamila, S., & Widodo, S. (2026). FPR-CONSTRAINED HYBRID DEEP LEARNING FOR IOT ANOMALY DETECTION. JURTEKSI (jurnal Teknologi Dan Sistem Informasi), 12(3), 437 - 444. https://doi.org/10.33330/jurteksi.v12i3.4652
Section
Articles