<!DOCTYPE article PUBLIC "-//NLM//DTD JATS (Z39.96) Journal Archiving and Interchange DTD v1.0 20120330//EN" "JATS-archivearticle1.dtd">
<article xmlns:xlink="http://www.w3.org/1999/xlink">
  <front>
    <journal-meta>
      <journal-title-group>
        <journal-title>CEUR Workshop Proceedings</journal-title>
      </journal-title-group>
      <issn pub-type="ppub">1613-0073</issn>
    </journal-meta>
    <article-meta>
      <title-group>
        <article-title>A statistical method for real-time intrusion detection and response in ZigBee networks</article-title>
      </title-group>
      <contrib-group>
        <contrib contrib-type="author">
          <string-name>Mykola Stetsiuk</string-name>
          <xref ref-type="aff" rid="aff1">1</xref>
        </contrib>
        <contrib contrib-type="author">
          <string-name>Yurii Klots</string-name>
          <xref ref-type="aff" rid="aff1">1</xref>
        </contrib>
        <contrib contrib-type="author">
          <string-name>Victor Cheshun</string-name>
          <xref ref-type="aff" rid="aff1">1</xref>
        </contrib>
        <contrib contrib-type="author">
          <string-name>Abdel-Badeeh M. Salem</string-name>
        </contrib>
        <aff id="aff0">
          <label>0</label>
          <institution>Ain Shams University</institution>
          ,
          <addr-line>El-Khalyfa El-Mamoun Street Abbasya, Cairo</addr-line>
          ,
          <country country="EG">Egypt</country>
        </aff>
        <aff id="aff1">
          <label>1</label>
          <institution>Khmelnytskyi National University</institution>
          ,
          <addr-line>Khmelnytskyi, Instytutska street 11, 29016</addr-line>
          ,
          <country country="UA">Ukraine</country>
        </aff>
      </contrib-group>
      <pub-date>
        <year>2025</year>
      </pub-date>
      <volume>3675</volume>
      <fpage>0000</fpage>
      <lpage>0003</lpage>
      <abstract>
        <p>This paper presents an integrated, resource-conscious framework for detecting and mitigating security threats in ZigBee-based IoT networks. The proposed solution combines a graph-oriented description of network topology with a formal attack model and a purely statistical anomaly-detection engine. Normal behaviour for every node is profiled on-line with a modified Z-score that relies on the median and median absolute deviation, making the detector robust to noise, outliers and bursty traffic. Anomalous events, those that exceed statistically justified limits, are enriched with contextual attributes (device ID, parameter type, duration, weight) and matched against a library of formalised attack templates. When a match is confirmed, a response selector estimates potential damage by factoring impact intensity and node criticality, then triggers the least-cost counter-measure: node isolation, route restructuring, key rotation or channel switching. All stages (monitoring, classification, reaction and post-action verification) operate in a closed loop and require no prior training on labelled data, which is crucial for low-power ZigBee devices. A prototype was validated with three representative threats (DoS, Spoofing, Jamming). The system accurately identified each attack phase, initiated the correct counter-action within two seconds and automatically logged the incident for audit purposes. Because the framework is statistical and lightweight, it adapts readily to heterogeneous hardware and dynamic traffic patterns. Future work will extend the feature set and benchmark hybrid statistical learning schemes to further strengthen the resilience of large-scale IoT deployments.</p>
      </abstract>
      <kwd-group>
        <kwd>IoT security</kwd>
        <kwd>anomaly detection</kwd>
        <kwd>network traffic analysis</kwd>
        <kwd>machine learning</kwd>
        <kwd>Autoencoder</kwd>
        <kwd>intrusion detection</kwd>
        <kwd>cybersecurity threats</kwd>
      </kwd-group>
    </article-meta>
  </front>
  <body>
    <sec id="sec-1">
      <title>1. Introduction</title>
      <p>Wireless, low-impact security measures have progressed from niche solutions to broadly adopted
technologies underpinning intelligent alarm systems, automated controls, and industrial sensing
networks. Within this landscape, the ZigBee protocol has assumed a prominent position. It enables
self-healing mesh topologies, operates with very low energy consumption, and accommodates large
device populations. However, its use of publicly accessible radio bands, shared node resources, and
default cryptographic material (including standard keys) renders ZigBee vulnerable to a variety of
attacks, ranging from traffic redirection to coordinator impersonation and rogue-network
reconstruction.</p>
      <p>The growing incidence of such attacks in both domestic and commercial environments
demonstrates that mere detection of anomalous activity is insufficient. A critical performance metric
is response latency: the interval between threat emergence and its localisation and neutralisation.
Meeting this criterion demands dynamic defence mechanisms that integrate statistical anomaly
detection, adaptive topology management, and automated countermeasures. Consequently, a
systematic appraisal of contemporary ZigBee-focused protection strategies is warranted. Such an
assessment should identify their respective strengths and limitations and highlight avenues for
future advancement.</p>
    </sec>
    <sec id="sec-2">
      <title>2. Classification of attacks on the ZigBee network</title>
    </sec>
    <sec id="sec-3">
      <title>3. Overview of detection and protection methods</title>
      <p>Signature-based intrusion-detection systems (IDSs) operate by matching observed traffic against a
database of known attack patterns. They typically exhibit the lowest false-positive rates and provide
rapid responses to well-documented threats; however, they cannot recognise novel or obfuscated
attacks and demand continual signature updates. Sadikin and Kumar [1] mitigate these limitations
through a hybrid scheme that augments signature matching with a rule-based component.</p>
      <p>Rule-based IDSs rely on deterministic heuristics or statistical thresholds to flag anomalies. They
require neither training nor significant computational resources, which is advantageous for ZigBee
deployments. Techniques founded on the modified Z-score, CUSUM, and entropy analysis can detect
deviations from normal behaviour in near real time. A recent survey confirms that such rule-based
approaches remain competitive despite the growing popularity of machine-learning methods.</p>
      <p>Autoencoder-based IDSs constitute a class of machine-learning models that identify anomalies
by reconstructing input data and measuring reconstruction error. Lightweight autoencoder
architectures achieve detection accuracies above 95 % in resource-constrained IoT environments
[27], enabling multi-class classification with minimal changes to network infrastructure.</p>
      <p>Reference [8] proposes a convolutional neural network (CNN) combined with a long short-term
memory (LSTM) layer, thereby capturing both spatial and temporal dependencies in traffic flows.
The resulting IDS detects complex, multi-stage attack patterns and is particularly suitable for
smart-home scenarios, where device interactions exhibit regular structure. The approach delivers high
accuracy but entails notable computational overhead and requires extensive offline training.</p>
      <p>Federated-learning (FL) frameworks, exemplified by FLAD, aggregate locally trained models
without transmitting raw data, thus preserving privacy. Reference [8] demonstrates FL-based IDSs
that maintain inter-node model compatibility without a central server. Principal challenges include
inter-device synchronisation and maintaining model relevance across heterogeneous nodes.</p>
      <p>Reinforcement learning (RL) employs an agent that interacts with its environment and iteratively
refines its policy via reward feedback. Reference [6] applies RL to ZigBee key-rotation management,
yielding adaptive responses to evolving threat levels. Although RL can generate dynamic security
policies, it requires numerous training episodes, which limits feasibility on edge devices lacking
simulation support.</p>
      <p>Challenge-response protocols enable authentication without disclosing secret credentials.
References [9-12] present a lightweight ZigBee-oriented protocol that thwarts replay and
node-substitution attacks. Its computational footprint suits simple sensors, yet authentication introduces
latency and necessitates time synchronisation.</p>
      <p>Ensemble-based classifiers combine outputs from multiple base learners (e.g., random forest,
support-vector machine) to enhance robustness. Experiments in [8] show that ensembles reduce false
positives and adapt more readily to emerging attack patterns, albeit at the cost of additional
processing complexity.</p>
      <p>The Phy-MAC-NWK framework [13] performs multi-layer traffic analysis, simultaneously
examining physical, MAC, and network-layer parameters. This holistic perspective uncovers attacks
that camouflage themselves at one layer but leave artefacts elsewhere. Its effectiveness is offset by
implementation complexity and the need for fine-grained access to the ZigBee stack.</p>
      <p>Z-Fuzzer [14] subjects ZigBee implementations to malformed and boundary-value inputs,
exposing vulnerabilities prior to deployment. Although indispensable for security audits, it is
unsuitable for real-time detection and may induce temporary instability during testing.</p>
      <p>Reference [15] employs wavelet transforms to examine low-level radio signals, enabling the
detection of physical-layer attacks such as jamming. The method is sensitive to subtle anomalies
beyond the reach of conventional metrics but is computationally expensive and highly dependent on
filter configuration.</p>
      <p>Finally, the authors of [16] present an anomaly detector that leverages the structure of MQTT
topic graphs, demonstrating its efficacy in identifying atypical communication patterns within
ZigBee-enabled IoT systems.</p>
    </sec>
    <sec id="sec-4">
      <title>4. Abstract model of a method for countering attacks in a ZigBee network</title>
      <p>An analysis of attacks on wireless IoT networks, ZigBee in particular, reveals a steady increase in
both the complexity and variability of malicious techniques designed to destabilise the network or
seize control of its operation.</p>
      <p>Building on classical intrusion models, we have developed an adapted framework that captures
the full attack chain for ZigBee infrastructures. Similar to traditional compromise scenarios that
exploit human error, network weaknesses, or device-level vulnerabilities, ZigBee-focused attacks
frequently proceed through multi-stage actions directed at individual end devices, routers,
communication links, or the network coordinator [17].</p>
      <p>Within this framework, the threat actor delivers a crafted impact against a selected segment of
the ZigBee infrastructure. The vector may involve direct compromise of the coordinator or a router,
interception of the communication channel, or impersonation of an end node. Resulting effects
include disrupted routing, loss of connectivity, topological changes, exhaustion of nodes or channels,
and the suspension of critical functions.</p>
      <p>
        The model distinguishes local attacks, those limited to a small subset of nodes (e.g.,
denial-of-service, spoofing, flooding), from global attacks that reshape the topology or trigger cascading
failures. Figure X (below) illustrates the adapted penetration model for ZigBee, developed by analogy
with the canonical intrusion pathway for conventional computer systems [18,19].
the network as a coordinated ensemble of logically related components, each of which fulfils a
description of the behaviour of network elements under normal conditions, but also enables the
actions. By modelling the ZigBee network as a functionally distributed system, we define its structure
as the following set:
  = { ,  ,  ,  ,   ,   }
(
        <xref ref-type="bibr" rid="ref1">1</xref>
        )
      </p>
      <p>where C = {ch_1, ch_2, …, ch_n} is the set of communication channels that implement physical or
logical routing between nodes; D = {d_1, d_2, …, d_m} is the set of terminal (end) devices that collect,
generate or receive data; R = {r_1, r_2, …, r_p} is the set of routers responsible for relaying and for building and
maintaining routes; K = {k} is the network coordinator, the central element of network management
and initialisation; the fifth component is the set of functional roles and services that ensure the operation
of the ZigBee network (addressing management, routing, protection, synchronisation); and the sixth is
the set of activation conditions that determine how the operation of elements depends on events,
requests or topology changes.</p>
      <p>
        Given that a ZigBee network is usually geographically or logically distributed, and its components
can be located on different physical devices or in different spatial zones, each component of the
model is represented as the union of the components of the corresponding subnetworks (or
groups of nodes), which operate autonomously but perform functions within the general
infrastructure:
$$C = \bigcup_{i=1}^{N} C_i,\qquad D = \bigcup_{i=1}^{N} D_i,\qquad R = \bigcup_{i=1}^{N} R_i,\qquad K = \bigcup_{i=1}^{N} K_i$$
(
        <xref ref-type="bibr" rid="ref2">2</xref>
        )
where N is the number of fragments or logical segments of the ZigBee network (e.g., rooms,
clusters, floors, control zones) that operate with partial autonomy; the sets of functional roles and
activation conditions are decomposed in the same way. Each subset of components
C_i, D_i, R_i, K_i may have a different criticality, fault tolerance and degree of impact on the overall integrity
of the network. For this purpose, a weighting characteristic is introduced for each type of element:
$$W = \{(K, W_K),\; (R, W_R),\; (C, W_C),\; (D, W_D)\}$$
(
        <xref ref-type="bibr" rid="ref3">3</xref>
        )
      </p>
      <p>where W ∈ [0,1] is a weight coefficient reflecting the importance of the type of component in the
overall structure of the network: W_K ≈ 1.0, since the coordinator is a critical point of failure;
W_R ∈ [0.7; 0.9], since routers are of high importance for topology stability; W_C ∈ [0.5; 0.8], since channels are
vulnerable to intentional overloading; W_D ∈ [0.2; 0.4], since end devices have only local impact.</p>
      <p>
        To build an effective system for detecting and countering attacks in ZigBee networks, it is
necessary to formally describe malicious influences as a set of parameters that characterise the
nature of the attack, its time dynamics, scope, and consequences for the integrity of the
infrastructure. In general, an attack can be represented as a five-component structure:
$$\text{attack} = (\text{type},\; \text{target},\; \phi(t),\; \psi,\; \delta)$$
(
        <xref ref-type="bibr" rid="ref4">4</xref>
        )
      </p>
      <p>
        where type ∈ T is the type of attack (e.g., DoS, spoofing, MITM, jamming); target ⊆ V ∪ E is the
subset of network elements (nodes or links) on which the influence is directed; ϕ(t): ℝ⁺ → [0,1] is the attack
intensity function over time, which describes the evolution of the threat; and ψ is the damage function, which
determines whether a component v will fail at time t depending on the impact force and the component's resistance
threshold:
$$\psi(v,t) = 1 \text{ if } v \in \text{target and } \phi(t) \text{ exceeds the resistance threshold of } v,\; \text{otherwise } 0$$
(
        <xref ref-type="bibr" rid="ref5">5</xref>
        )
      </p>
      <p>Finally, δ(v,t) = W(v)·ψ(v,t) is the assessment of the criticality of the consequences for each element, taking
into account its weight in the network structure. The total impact of an attack on the infrastructure
at time t can be expressed as:
$$\Delta(t) = \sum_{v \in V} \delta(v,t)$$
</p>
      <p>This value allows you to calculate the degree of degradation of the network operation caused by
a specific attack scenario. Depending on the goal, attacks can be destructive (destruction of elements,
channel overload, router blocking) or passive (interception, substitution, eavesdropping) and be
directed at components with different criticality: communication channels C, end devices D, routers
R or coordinators K.</p>
      <p>This formalized approach allows you to unify the description of attacks, provide their analysis in
dynamics and determine which network elements are most vulnerable to specific types of influences.
Such a model is also the basis for the further construction of reactive or adaptive protection
mechanisms [20].</p>
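      <p>As an added worked example (not the paper's own code), the attack model above can be evaluated numerically. The following Python block constructs a small ZigBee segment with the four element types and their weights W, an attack whose intensity ϕ(t) ramps up over time, the damage function ψ, the per-element criticality δ and the total impact Δ(t), and ranks the damaged elements by criticality. The network layout, the resistance thresholds, the ramp shape and the specific weights chosen within the paper's ranges are assumptions made for the illustration.</p>

```python
from dataclasses import dataclass
from typing import Callable, List

# Element-type weights W, chosen inside the ranges the paper gives (assumption):
# coordinator ~1.0, routers 0.7-0.9, channels 0.5-0.8, end devices 0.2-0.4.
WEIGHTS = {"K": 1.0, "R": 0.8, "C": 0.6, "D": 0.3}


@dataclass(frozen=True)
class Element:
    name: str
    kind: str          # "K" coordinator, "R" router, "C" channel, "D" end device
    resistance: float  # intensity the attack must exceed before this element fails

    @property
    def weight(self) -> float:
        return WEIGHTS[self.kind]   # W(v)


@dataclass(frozen=True)
class Attack:
    kind: str                      # DoS, spoofing, MITM, jamming, ...
    targets: frozenset             # targeted subset of nodes and links, by name
    phi: Callable[[float], float]  # intensity over time, values in [0, 1]


def ramp(t0: float, t1: float) -> Callable[[float], float]:
    """Intensity rising linearly from 0 at t0 to 1 at t1, clipped to [0, 1]."""
    return lambda t: min(1.0, max(0.0, (t - t0) / (t1 - t0)))


def psi(attack: Attack, e: Element, t: float) -> int:
    """Damage function: 1 when the element is targeted and the intensity
    exceeds its resistance threshold, otherwise 0."""
    return 1 if e.name in attack.targets and attack.phi(t) > e.resistance else 0


def delta(attack: Attack, e: Element, t: float) -> float:
    """Criticality of the consequence for one element: W(v) * psi(v, t)."""
    return e.weight * psi(attack, e, t)


def total_impact(attack: Attack, elements: List[Element], t: float) -> float:
    """Delta(t): degradation of the whole infrastructure at time t."""
    return round(sum(delta(attack, e, t) for e in elements), 2)


def failed_by_criticality(attack: Attack, elements: List[Element], t: float):
    """Elements already damaged at time t, most critical first."""
    hit = [(e.name, delta(attack, e, t)) for e in elements if psi(attack, e, t)]
    return sorted(hit, key=lambda pair: pair[1], reverse=True)


# Constructed segment (assumption): K = {k}, R = {r1, r2}, C = {ch1}, D = {d1, d2}.
NETWORK = [
    Element("k", "K", 0.9), Element("r1", "R", 0.5), Element("r2", "R", 0.6),
    Element("ch1", "C", 0.4), Element("d1", "D", 0.3), Element("d2", "D", 0.3),
]
# A flooding (DoS) attack aimed at one router, its channel and one end device,
# with intensity ramping from 0 at t = 30 s to 1 at t = 40 s (assumption).
DOS = Attack("DoS", frozenset({"r1", "ch1", "d1"}), ramp(30, 40))


def impact_profile(attack=DOS, elements=NETWORK, times=(0, 30, 34, 36, 40)):
    """Delta(t) sampled at the given instants."""
    return [total_impact(attack, elements, t) for t in times]


if __name__ == "__main__":
    print(impact_profile())                            # [0.0, 0.0, 0.3, 1.7, 1.7]
    print(failed_by_criticality(DOS, NETWORK, 40))     # [('r1', 0.8), ('ch1', 0.6), ('d1', 0.3)]
```

      <p>With the constructed segment, Δ stays at 0 until the intensity passes the weakest resistance threshold, reaches 0.3 when only the end device has failed (t = 34 s) and 1.7 once the router and channel are also down. Ranking the failed elements by δ shows why the router is the priority target for a counter-measure even though the same attack hits the end device earlier.</p>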
      <p>
        The next step is to adapt the anomaly detection method to the conditions of the network model,
taking into account typical attacks and their expected dynamics. If the original Modified Z-score
method allows us to determine deviations of parameters from the norm in a general way, then for
the needs of the protection system we modify it so that each recorded anomaly can be compared
with a specific attack scenario.
(
        <xref ref-type="bibr" rid="ref6">6</xref>
        )
      </p>
      <p>This is achieved by introducing additional attributes to each anomaly: spatial localisation (the
identifier of the device affected by the anomaly); functional context (the type of parameter to which the
impact of the attack is related); the time duration τ, as an analogue of the integral force of the influence;
and the weight of the parameter μ, to take into account the criticality of the deviation. The correspondence
between a recorded anomaly and an attack is described by the condition:
$$\text{anomaly} \to \text{attack} \iff \begin{cases} \text{the affected device belongs to the attack target set} \\ \text{the deviation of the parameter exceeds the threshold set for the device} \\ \tau > \tau_{\min} \end{cases}$$
where τ_min is the minimum significant duration of the anomaly.</p>
      <p>[Table residue; the columns "Activation condition" and "The essence of the action" could not be recovered.
The recoverable activation conditions are: logical attacks: ψ(v) = 1 ∧ δ(v) &gt; 0.6; cryptographic attacks:
attack type ∈ {spoofing, key exposure} ∧ W(v) &gt; 0.7; channel elements: v ∈ C ∧ (remaining terms lost) &gt; 0.5;
total impact: Δ(t) &gt; 0.8.]</p>
      <p>Thus, an anomaly is interpreted as the realisation of an attack if this system of conditions is met. This allows
us to integrate signal observations into a formal model of malicious influence and proceed to
decision-making in the protection system [21].</p>
      <p>After detecting an anomaly and comparing it with the formalized attack model, the next stage is
necessary - making decisions on response in order to minimize the consequences and prevent the
escalation of the impact on the network. Response is implemented as a functional transition of the
current state of the network to a new one, in which the attack effect is weakened or neutralized.</p>
      <p>Formally, each counteraction is defined as a function mapping the current structural state of the network to a new one:</p>
      <p>
$$Z(t) \to Z'(t + \delta t)$$
(
        <xref ref-type="bibr" rid="ref7">7</xref>
        )
where Z(t) is the current structural state of the network and δt is the reaction implementation
time. The result is a new state Z' with reduced attack impact.
(8)
      </p>
      <p>The choice of response is based on the attributes of the detected anomaly, which are associated
with the attack, and on the consequences, which are evaluated using the damage function
$$\delta(v) = W(v)\,\psi(v)$$
(9)</p>
      <p>If the damage δ(v) for a node exceeds a predetermined threshold, the corresponding reaction
is activated that best matches the nature of the attack and the type of target.</p>
      <p>(Table: Quantification of detected anomalies in IoT device traffic; its contents were lost in extraction.)</p>
      <sec id="sec-4-2">
        <title>Activation condition</title>
        <p>For example, when a flooding attack is detected on a router with weighting factor W = 0.9 and a long-term
anomaly with an intensity of 3.1 is observed, the calculated damage δ = 0.9 · 1 = 0.9 leads to the
activation of the first reaction: isolation of the affected node.</p>
        <p>The expected effect of applying the reaction is a reduction of the harm function:
$$\Delta(t) = \sum_{v \in V} \delta(v) \;\Rightarrow\; \Delta(t) > \Delta'(t + \delta t)$$
(10)
or a return of the node state to active:
$$\text{state}(v, t + \delta t) = 1$$
(11)</p>
        <p>The diagram in Figure 2 shows the general architecture of the proposed ZigBee network protection
system. The central object is the ZigBee network, which generates telemetry data about its current
activity. This data is sent to the Collection module, where the initial collection and aggregation of
parameters takes place. Then the information is transferred to two parallel logical blocks.</p>
        <p>The Attack Model component stores formalised attack templates and matches incoming events
against known threat scenarios, whereas the Anomaly Detection module performs statistical analysis
of network parameters applying the modified Z-score to flag abnormal deviations. When
suspicious activity is detected and confirmed to fit a known template, the Response block is triggered
and automatically executes the appropriate counter-measure, such as isolating a node, rotating
cryptographic keys or rerouting traffic. Working together in real time, these modules form a single,
integrated IDS that ensures continuous protection of the ZigBee infrastructure. Figure 3 shows the
algorithm of operation of the integrated detection and response system in ZigBee networks.</p>
        <p>The integrated detection-and-response algorithm for ZigBee networks relies on a formalised
model of device behaviour combined with statistical deviation criteria. The system continuously
monitors key node parameters in real time. For each parameter it computes the modified Z-score,
that is, the deviation from the current median normalised by the median absolute deviation, to
quantify operational stability [22].</p>
        <p>If the calculated deviation remains below the predefined threshold, the system simply resumes
monitoring. When the threshold is exceeded, the event is logged as an anomaly and checked against
stored attack patterns, taking into account the affected parameter, device type, duration and intensity
[23]. Once a match is confirmed, the potential damage is estimated by combining the impact intensity
with the criticality weight of the affected element. If this damage score surpasses the local or global
limit, an appropriate response is triggered: node isolation, route restructuring, key rotation or
channel switching [24-26].</p>
        <p>After the response is executed, the system reassesses the deviation and verifies whether normal
functionality has been restored. If the anomaly has subsided, the incident is marked as resolved;
otherwise, the system launches a secondary counter-measure or escalates the response. This
closed-loop strategy enables fully automated, adaptive protection against threats while respecting the
resource constraints typical of ZigBee environments.</p>
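        <p>The following Python block is an added example, not code from the paper, of the closed loop just described for a single node parameter: a sliding-window modified Z-score built from the median and median absolute deviation, the damage estimate W(v)·ψ(v), response selection with escalation, and post-action verification. The window size, the Z-score cut-off of 3.5, the damage limit of 0.6, the counter-measure names and the telemetry series are assumptions; the traffic samples are constructed, not measured.</p>

```python
from collections import deque
from statistics import median

# Criticality weights W by element type, chosen inside the ranges the paper gives
# (coordinator ~1.0, routers 0.7-0.9, channels 0.5-0.8, end devices 0.2-0.4).
WEIGHTS = {"coordinator": 1.0, "router": 0.9, "channel": 0.6, "end_device": 0.3}
Z_THRESHOLD = 3.5        # cut-off for the modified Z-score (assumption)
DAMAGE_THRESHOLD = 0.6   # local damage limit (assumption)
# Counter-measures in escalation order; the names are assumed, not the paper's codes.
RESPONSES = ["isolate_node", "reroute_traffic", "switch_channel"]


def modified_z(x, baseline):
    """Modified Z-score 0.6745 * (x - median) / MAD over a baseline window.
    A flat baseline has MAD = 0 and would divide by zero: report 0 for an
    unchanged value and an unbounded score for any change."""
    med = median(baseline)
    mad = median(abs(v - med) for v in baseline)
    if mad == 0:
        return 0.0 if x == med else float("inf")
    return 0.6745 * (x - med) / mad


class NodeMonitor:
    """On-line profile of one node parameter plus the detect, estimate damage,
    respond and verify loop of the text. No labelled training data is needed."""

    def __init__(self, node_id, node_type, window=10):
        self.node_id = node_id
        self.weight = WEIGHTS[node_type]       # W(v)
        self.baseline = deque(maxlen=window)   # recent normal samples only
        self.level = 0                         # escalation level, 0 = no open incident
        self.log = []                          # audit trail: (t, node, stage, detail)

    def observe(self, t, value):
        """Process one telemetry sample and return the log entries it produced."""
        if len(self.baseline) != self.baseline.maxlen:
            self.baseline.append(value)        # still building the profile
            return []
        z = modified_z(value, self.baseline)
        psi = 1 if abs(z) > Z_THRESHOLD else 0   # damage function psi(v)
        delta = self.weight * psi                # weighted damage delta(v) = W(v) * psi(v)
        entries = []
        if self.level > 0:                       # post-action verification
            if psi == 0:
                entries.append((t, self.node_id, "verify", "resolved"))
                self.level = 0
            else:
                entries.append((t, self.node_id, "verify", "escalated"))
        if psi == 0:
            self.baseline.append(value)          # normal samples refresh the profile
        else:
            entries.append((t, self.node_id, "anomaly", f"z={z:.1f}"))
            if delta > DAMAGE_THRESHOLD:         # damage limit decides whether to react
                action = RESPONSES[min(self.level, len(RESPONSES) - 1)]
                self.level += 1
                entries.append((t, self.node_id, "respond", action))
        self.log.extend(entries)
        return entries


def constructed_traffic():
    """Constructed frames-per-second telemetry (not measured data): 30 s of stable
    traffic, a two-second flood, then recovery after the counter-measure."""
    normal = [19, 21, 20, 22, 18, 20, 21, 19, 20, 22]
    before = [(t, normal[t % 10]) for t in range(30)]
    after = [(t, normal[t % 10]) for t in range(32, 36)]
    return before + [(30, 200), (31, 200)] + after


def run_scenario(node_type="router"):
    """Replay the constructed traffic for one node of the given type; return its log."""
    mon = NodeMonitor("r1", node_type)
    for t, v in constructed_traffic():
        mon.observe(t, v)
    return mon.log


if __name__ == "__main__":
    for entry in run_scenario("router"):
        print(entry)
```

        <p>A router (W = 0.9) flooded at t = 30 s is isolated at once, the loop escalates to rerouting while the flood persists, and the incident is marked resolved when traffic returns to its baseline. The same telemetry on an end device (W = 0.3) is logged as an anomaly only, because its damage never exceeds the limit, which is exactly the effect of the criticality weighting. The MAD = 0 guard matters in practice: a node whose telemetry is perfectly constant would otherwise never raise an alert when it changes.</p>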
        <p>The presented block diagram reflects the final stage of the functioning of the integrated detection
and response system, which is activated after an anomaly has been recorded and interpreted as an attack. Its purpose
is to implement an adaptive approach to minimising the impact of malicious influence through
sequential analysis, execution of measures and evaluation of the result. This allows the system not only to
identify the incident automatically, but also to provide the logic of further actions without operator
intervention.</p>
        <p>The scheme covers the key stages: receiving the generated anomaly with the appropriate
parameters, comparing it with known attack patterns, calculating the criticality of the damage and
selecting the appropriate response mechanism. In the event of a response, the system re-evaluates
the degree of deviation from the norm. If the attack intensity is reduced below the threshold, the
incident is considered localized. Otherwise, an escalation scenario or a retry is activated.</p>
        <p>The presence of such a model provides a structured, consistent and scalable response in real time,
which is critically important for ZigBee networks with limited resources. It allows you to unify
decision-making logic and increase the effectiveness of protective mechanisms, reducing the risk of
downtime or loss of control over the topology.</p>
      </sec>
    </sec>
    <sec id="sec-5">
      <title>5. Evaluation of the effectiveness of the method</title>
      <p>This study presents a purely statistical approach for detecting anomalies in ZigBee network traffic.
The method builds numerical profiles for each node, defines baseline operating ranges and then flags
deviations.</p>
      <p>By combining a modified Z-score with a Holt-Winters exponential-smoothing model, the system can
capture both isolated and clustered anomalies in time-series data without any prior training on
labelled datasets, a vital advantage for resource-constrained IoT devices.</p>
      <p>As Figure 4 shows, the algorithm is computationally lightweight, adaptable to heterogeneous
hardware and capable of running on low-power edge nodes. The plots in Figure 5 illustrate
the typical behaviour of a ZigBee network in three stages: before the attack, during the DoS impact,
and after the defence mechanism is applied. In the upper chart, the traffic remains stable until the
30-second mark, followed by a sharp rise in intensity (attack phase) and a gradual return to normal
once the system intervenes. This pattern demonstrates not only the detection of the
incident in real time, but also the effectiveness of the response mechanism, which reduces traffic to
a safe level.</p>
      <p>The lower chart depicts the real-time calculation of the modified Z-score. After the transition to
the anomalous phase, the deviation values rise sharply above the threshold (dashed line), allowing
the system to classify those events as threats. The red markers highlight the moments when the
violation intensity was sufficient to trigger an automatic response. The subsequent drop in the
number of anomalies confirms that the network stabilises after the counter-measure is executed.</p>
      <p>The bar chart depicts the number of detected anomalies across the three operational phases of
the system: before the attack, during the attack, and after the response measures have been applied.
In the initial phase (before the attack), the system logs only a minimal number of deviations,
indicating stable network conditions and the absence of disruptive activity. This confirms that the
baseline threshold is correctly configured and that telemetry remains steady under normal operation.</p>
      <p>During the attack phase, the anomaly count rises sharply because the traffic parameters deviate
from the baseline throughout the threat period. After the defence mechanism is executed, the number of anomalies drops markedly,
confirming the effectiveness of the counter-measures. Overall, the chart shows that the model not
only detects threats but also successfully mitigates their impact.</p>
      <p>The diagram on figure 6 illustrates network behaviour during a Spoofing attack, which is less
aggressive than a DoS attack but can last longer and undermine node authenticity. In the upper plot,
traffic rises gradually during the attack phase without the sharp spikes typical of flooding assaults.</p>
      <p>Nevertheless, the detection system still registers the change in node behaviour and
correctly flags the corresponding interval as suspicious.</p>
      <p>The lower plot in Figure 7 shows the modified Z-score calculated throughout the entire
observation period. During the attack phase, Z values cross the predefined threshold several times,
enough to trigger the response mechanisms. Although the deviation intensity is lower than in the
DoS case, the system remains sensitive to such prolonged, low-intensity
influences. This confirms its suitability for safeguarding networks under complex, multi-phase threat
conditions.</p>
      <p>In this study we simulated two of the most common attacks on ZigBee networks, DoS (Denial of
Service) and Spoofing (node impersonation), which differ fundamentally in both impact pattern and
visibility. The log files in Figures 8-9 show the detection results.</p>
      <p>A DoS attack produces an abrupt surge in network load, pushing traffic well beyond allowable
limits and crippling routers or the coordinator.</p>
      <p>The proposed IDS flags such behaviour by detecting a critical deviation in the traffic-intensity
parameter and classifies the event as a high-priority threat. The corresponding response is to isolate
the affected node or to reroute traffic around it.</p>
      <p>By contrast, a Spoofing attack is more covert: it involves forging device identifiers or duplicating
frames to compromise authenticity.</p>
      <p>These anomalies do not cause dramatic traffic spikes; instead they are exposed through frequency
analysis or inconsistencies in telemetry IDs. Here, the system applies the modified Z-score to uncover
subtle deviations in device behaviour and triggers key rotation or trust verification for the suspicious
node.</p>
      <p>Both scenarios demonstrate that the proposed framework can respond effectively to highly
aggressive as well as stealthy threats in ZigBee environments.</p>
      <p>The consolidated log file presents a structured sequence of events recorded by the
detection-and-response system during several attack scenarios. Its layout mirrors standard IDS logging practice,
dividing the incident life-cycle into four key stages:
• anomaly capture;
• threat classification;
• response initiation;
• execution control.</p>
      <p>Each entry contains a timestamp, node identifier, triggering parameter, computed Z-score, attack
type, target, response code and a brief action description.</p>
      <p>Such a format delivers a transparent, reproducible audit trail for security incidents. For example,
when a DoS attack occurred, the system logged an over-threshold traffic-intensity value, classified
the event accordingly, isolated the affected node and rerouted traffic. In the Spoofing case,
repeated-ID anomalies were detected and key rotation was triggered. A channel-jamming attempt concluded
with an automatic switch to an alternate channel.</p>
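      <p>Because a log in this format is an audit trail, it is worth checking mechanically rather than by eye. The Python block below is an added example, not the paper's tooling: it parses constructed entries carrying the fields listed above plus an assumed stage field, measures capture-to-response latency per node, and flags incidents in which a response was initiated but execution control was never logged, so that the effect of the counter-measure is unverified. The node names, response codes and messages are invented for the illustration.</p>

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed log entries (not the paper's real log) in the field layout the text
# describes: timestamp, node identifier, triggering parameter, Z-score, attack
# type, target, response code, description. The "stage" field is an assumption
# used to mark the four life-cycle stages; "-" means not yet known.
SAMPLE_LOG = """\
2025-05-12T10:00:30Z stage=capture node=r1 param=traffic_rate z=121.4 attack=- target=- resp=- msg="traffic intensity over threshold"
2025-05-12T10:00:30Z stage=classify node=r1 param=traffic_rate z=121.4 attack=DoS target=r1 resp=- msg="matched flooding template"
2025-05-12T10:00:31Z stage=respond node=r1 param=traffic_rate z=121.4 attack=DoS target=r1 resp=R1 msg="node isolated, traffic rerouted"
2025-05-12T10:00:33Z stage=control node=r1 param=traffic_rate z=0.7 attack=DoS target=r1 resp=R1 msg="deviation below threshold, resolved"
2025-05-12T10:05:02Z stage=capture node=d3 param=frame_id_repeat z=4.2 attack=- target=- resp=- msg="repeated identifiers"
2025-05-12T10:05:02Z stage=classify node=d3 param=frame_id_repeat z=4.2 attack=Spoofing target=d3 resp=- msg="matched spoofing template"
2025-05-12T10:05:04Z stage=respond node=d3 param=frame_id_repeat z=4.2 attack=Spoofing target=d3 resp=R3 msg="key rotation triggered"
2025-05-12T10:05:06Z stage=control node=d3 param=frame_id_repeat z=1.1 attack=Spoofing target=d3 resp=R3 msg="resolved"
2025-05-12T10:09:40Z stage=capture node=ch1 param=interference z=6.8 attack=- target=- resp=- msg="interference level over threshold"
2025-05-12T10:09:40Z stage=classify node=ch1 param=interference z=6.8 attack=Jamming target=ch1 resp=- msg="matched jamming template"
2025-05-12T10:09:42Z stage=respond node=ch1 param=interference z=6.8 attack=Jamming target=ch1 resp=R4 msg="switched to alternate channel"
"""

STAGES = ["capture", "classify", "respond", "control"]
FIELD = re.compile(r'(\w+)=("([^"]*)"|\S+)')


def parse_line(line):
    """Split one entry into a dict; quoted values keep their spaces."""
    ts, _, rest = line.partition(" ")
    entry = {"ts": datetime.fromisoformat(ts.replace("Z", "+00:00"))}
    for key, raw, quoted in FIELD.findall(rest):
        entry[key] = quoted if raw.startswith('"') else raw
    entry["z"] = float(entry["z"])
    return entry


def parse_log(text):
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def stages_by_node(entries):
    """Ordered list of life-cycle stages recorded for each node."""
    seen = defaultdict(list)
    for e in entries:
        seen[e["node"]].append(e["stage"])
    return dict(seen)


def incomplete_incidents(entries):
    """(node, attack) pairs for which a response was initiated but execution
    control was never logged, i.e. the effect of the counter-measure is unverified."""
    attack_of = {e["node"]: e["attack"] for e in entries if e["attack"] != "-"}
    return [(node, attack_of.get(node, "-"))
            for node, stages in stages_by_node(entries).items()
            if "respond" in stages and "control" not in stages]


def response_latency(entries):
    """Seconds from first anomaly capture to response initiation, per node."""
    first, latency = {}, {}
    for e in entries:
        if e["stage"] == "capture":
            first.setdefault(e["node"], e["ts"])
        elif e["stage"] == "respond" and e["node"] in first:
            latency[e["node"]] = (e["ts"] - first[e["node"]]).total_seconds()
    return latency


if __name__ == "__main__":
    entries = parse_log(SAMPLE_LOG)
    print(response_latency(entries))        # {'r1': 1.0, 'd3': 2.0, 'ch1': 2.0}
    print(incomplete_incidents(entries))    # [('ch1', 'Jamming')]
```

      <p>On the constructed log the DoS and spoofing incidents pass through all four stages, while the jamming incident ends at response initiation and is reported as unverified; the latency figures are what a reviewer would compare against the reaction times claimed for the system.</p>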
      <p>Collectively, the log file demonstrates the seamless integration of detection and automated
response, underscoring the adaptability and practical applicability of the proposed ZigBee-security
framework.</p>
      <p>A comparative analysis of detection-and-response effectiveness across the different attack types
was also carried out. The highest accuracy, 97 percent, was observed for DoS attacks, owing to their pronounced
symptoms, such as a sharp traffic surge. For jamming attacks, the accuracy reached 94 percent, as
the system effectively captured changes in interference levels. Spoofing proved to be the least
conspicuous threat, with a detection rate of 92 percent; nevertheless, this level was sufficient to
trigger the appropriate protective mechanism.</p>
      <p>The response success rate remained high across all scenarios: 95 % for DoS, 93 % for jamming
and 89 % for spoofing. Reaction time ranged from 1.8 seconds for DoS to 2.5 seconds for spoofing,
reflecting the relative difficulty of recognising and confirming each threat.</p>
      <p>These results, shown in Figure 11, confirm that the system can operate effectively in real time,
maintaining an optimal balance of speed, accuracy and flexibility when countering different attack
models.</p>
    </sec>
    <sec id="sec-6">
      <title>6. Conclusions</title>
      <p>As a result of this research, a formalised model for detecting and responding to attacks in ZigBee
networks has been developed and implemented. The approach unifies a graph-based description of
the network, a mathematical attack model and real-time statistical analysis of telemetry. At its core
lies a modified Z-score mechanism that adaptively highlights deviations, maps them to stored threat
templates and automatically triggers the appropriate counter-measures. All components operate in
a single feedback loop from anomaly detection to verification of the response outcome.</p>
      <p>Testing with several representative attack scenarios (DoS, Spoofing, Jamming) confirmed that the
system can accurately identify malicious activity and initiate effective counter-actions within the
strict resource limits typical of ZigBee devices. Beyond detection, every incident is logged in a
structured format, providing a transparent audit trail for security events. Overall, the proposed
architecture delivers automated, scalable and resource-efficient protection for ZigBee infrastructures
against modern threats.</p>
    </sec>
    <sec id="sec-7">
      <title>Declaration on Generative AI</title>
      <p>AI tools were used solely as translation and proofreading aids. All content was originally authored
by the submitting party.</p>
    </sec>
  </body>
  <back>
  </back>
</article>