The Internet of Things (IoT) is a distributed information and communication system (ICS) that encompasses billions of devices connected to a global network that can automatically collect, analyze, and exchange data. Thanks to the active development of network infrastructure and the reduction in the cost of hardware components, IoT is rapidly spreading in various areas of human activity, from everyday life to industry, creating the basis for smart ecosystems [1]. The basic idea of IoT is to integrate sensors, actuators, and software into everyday objects to improve their functionality. Smart homes, cities, transportation networks, medical facilities, agricultural complexes, and industrial enterprises are all now becoming part of a single information environment. For example, in agriculture, sensors monitor soil moisture and microclimate, in beekeeping, they track the movement of the bee colony and honey consumption in winter [2], in medicine, they monitor patients' vital signs, and in cities, IoT helps manage energy efficiency, transportation, and even garbage containers [3-4]. Biosensors integrated with IoT allow monitoring various physiological parameters [5-7]. IoT is also used to measure pollution concentrations, collect and process data in real time for quick decision-making by air monitoring systems [8]. Rapid growth makes IoT one of the main drivers of digital transformation. On the one hand, it opens up new opportunities for automation and efficiency, and on the other hand, it creates challenges in terms of security, privacy, and scalability [9].

Cyberattacks on IoT systems are becoming increasingly large and complex, encompassing a wide range of methods that threaten the integrity, confidentiality, and availability of digital environments[10]. The most common are DDoS attacks, in which IoT devices become infected with malware and turn into botnets that can paralyze entire services by overloading network traffic[ 1113]. Other common attack vectors include port scanning, brute force password guessing, SQL injections, cross-site scripting (XSS), and man-in-the-middle (MITM) attacks, which allow attackers to intercept or modify traffic between devices [ 14]. Hackers are also actively using unencrypted communication channels and typical password protection, which is a characteristic flaw of many IoT devices. Attacks on IoT applications can be aimed at blocking access to services, stealing sensitive data, or gaining control over computing resources. In a smart home, hackers can gain access to video surveillance cameras, locks, or thermostats, which creates not only digital but also physical risks. In smart cities, attacks can disrupt lighting, transportation, or environmental monitoring systems. Attackers are using modified versions of well-known botnets, such as Mirai or Mozi, which use automated vulnerability exploitation to create large botnets. The use of cryptomining malware is also common, where IoT devices are used to mine cryptocurrencies without the owners' knowledge. [15-16]

Intrusion Detection and Prevention Systems (IDS/IPS) are essential for securing IoT networks, as traditional security tools often fail to cope with the peculiarities of these environments – a large number of heterogeneous devices, limited computing resources, and high traffic dynamics. IDS/IPS analyzes network activity in real time, detecting and neutralizing anomalies, malicious activities, and unauthorized access attempts. There are two main types of IDSs: signature-based, which recognize attacks based on known patterns, and anomaly-based, which detect deviations from normal behavior, making them particularly useful for identifying zero-day attacks. In the IoT environment, machine learning and deep learning methods are increasingly used to allow such systems to adapt to new threats and improve detection accuracy, reducing the number of false positives [17-19]. IPS systems go even further, blocking threats in real time by changing access rules or terminating suspicious connections. Deep neural networks provide flexibility and scalability for such solutions, enabling them to analyze high-dimensional data typical of IoT networks. IDS/IPS detect a wide range of threats: from DDoS attacks and phishing to sophisticated botnets and malware intrusions [20-21]. However, despite their effectiveness, modern IDS/IPS systems have a number of significant limitations. First, deep learning models are resource-intensive and difficult to scale on devices with limited computing power. Secondly, they require complex configuration, constant updates, and skilled administration, which is not always feasible in a largescale IoT environment. In addition, the problem of data imbalance and the need for high-quality samples for model training remain open issues. Given these shortcomings, it is becoming increasingly important to explore alternative solutions that are lighter, more energy-efficient, easier to maintain, and less dependent on complex architectures that can provide a basic but reliable level of protection without overloading the system [22].

Section 2 provides an overview of related work. Section 3 describes the models used for traffic classification and anomaly detection. Section 4 presents the proposed hybrid method combining signature classification, self-similarity analysis, and fuzzy inference. Section 5 presents experimental results and discussion, including performance evaluation on WSN-DS and CICIoT2023 datasets. Finally, Section 6 summarizes the paper.

The authors of [23] propose a comprehensive solution for detecting and mitigating DDoS attacks in IoT networks by creating an intelligent system based on three algorithms: exponentially weighted moving average, cumulative sum algorithm, and K-nearest neighbors method. The combination of these methods allows to increase the accuracy of anomaly detection, reduce the frequency of false positives, and compensate for the shortcomings of each individual approach due to the backup principle of decision-making. Paper [24] proposes a method for detecting DDoS and DoS attacks in IoT networks by using a conditional tabular generative adversarial network. The main idea is to create synthetic samples of network traffic that reliably imitate legitimate behavior patterns and use this data to train machine and deep learning algorithms. The proposed IDS combines the capabilities of generative modeling and discriminative analysis. Publication [25] describes a method for detecting DoS and DDoS attacks based on deep learning using an improved architecture of the convolutional neural network DCBAM (DenseNet with Block Attention). The method covers four main stages: data preprocessing, data augmentation using conditional GAN for class alignment, deep feature extraction using pyramidal attentional attention, and selection of the most significant features.

Paper [26] proposes an LPCOCN approach for detecting anomalies at the edge of IoT networks, which combines efficient feature selection, their conversion to a visual format, and classification using a capsule neural network. The system is based on four key modules: feature selection using a multi-layer LPCO algorithm, image formation from selected features using Manhattan distance, model training using a capsule network, and final anomaly detection. To evaluate the proposed approach, five network traffic datasets are used, including NSL KDD, UNSW NB, CICIDS, CSE-CICIDS, and UNSW Bot-IoT. The authors of [27] propose a comprehensive approach to detecting attacks in IoT networks based on the analysis of the full BoT-IoT dataset, combining machine learning, big data processing strategies (Hadoop-Spark), and advanced methods of synthetic data generation. Paper [28] investigates the effectiveness of the k-nearest neighbors algorithm for detecting botnet attacks in IoT networks, focusing on overcoming its limitations when working with large amounts of data. To improve the classification accuracy in a large set of Bot-IoTs, the researcher applies three feature selection strategies: information gain, direct selection, and backward elimination. Combining these techniques with the kNN algorithm allows identifying the most relevant attributes.

Paper [29] proposes an intelligent intrusion detection system for IoT networks that combines the use of a recorder, sensors, and artificial intelligence to improve cybersecurity. The authors also describe a structured methodology based on machine learning, including the use of five different classifiers to analyze network traffic and identify potential threats. Paper [30] proposes a method for detecting attacks in the IoT based on the architecture of a double convolutional neural network (CNN-CNN). The peculiarity of the approach is the use of two interconnected CNN models: the first one performs an automated selection of the most informative features from raw network traffic, and the second one classifies traffic into normal and malicious. This approach overcomes the limitations of traditional methods due to the ability of deep learning to detect hidden patterns and correlations in data that go unnoticed by other techniques. Article [31] is devoted to a framework for detecting botnets in IoT networks, combining the capabilities of graph neural networks with the temporal dynamics of IoT communications. The proposed Graph-based Gated Convolutional Network model uses a multi-graph structure with timestamps to accurately model the complex connections and traffic patterns inherent in botnet attacks. The method is based on a two-tier architecture that handles both spatial and temporal characteristics of the graph through message transmission, aggregation, and updating of node and edge embeddings using GRU. The authors of [32] propose a hybrid method for detecting botnet attacks in IoT networks by combining the SMOTE resampling method with a deep recurrent neural network to overcome the problem of severe data imbalance in a multi-class environment. By creating synthetic minority samples using SMOTE, the researcher ensures a balance between classes, which allows the DRNN model to train efficiently on a representative dataset. Thanks to its architecture, which includes a recurrent layer and several dense layers, the DRNN is able to study time dependencies in network traffic and detect hidden patterns of botnet activity.

Summarizing the results of the considered approaches to detecting attacks in IoT networks, we can conclude that they are highly effective in terms of classification accuracy, ability to adapt to complex traffic patterns, and detect anomalies in real time. The use of modern methods, such as CTGAN, GGCN, CNN-CNN, DRNN or SMOTE-DRNN, demonstrates significant potential for ensuring reliable cybersecurity in IoT environments. However, despite their technical advantages, the implementation of these solutions is accompanied by a number of significant challenges. In particular, the complexity of the models often leads to high requirements for computing resources, long training time, and the need for qualified specialists to support, configure, and scale them. In addition, deploying such systems in a real-world IoT environment is technically challenging and requires careful integration with existing infrastructure. In this regard, it is important to search for alternative solutions that can strike a balance between the effectiveness of threat detection and the practicality of implementation - by simplifying models [33], reducing their power consumption, optimizing training algorithms, and developing more accessible tools.

This study proposes a formalized approach to representing incoming traffic in the form of signatures, which allows for accurate packet classification in ICS networks. Each signature is described by a multi-component tuple. Based on this representation, a hybrid method for detecting abnormal traffic has been developed, consisting of three blocks: signature classification by features, self-similarity analysis, and fuzzy inference.

One of the fragments of the proposed model is the formation of signatures that describe each individual network packet through a set of its features. The incoming traffic is represented as a set of signatures: ( 1 ) ( 2 ) ( 4 ) where di – element of the set, input generated signature; i – initial value; N d – number of elements of the input signatures set.

The packet signature will allow you to uniquely identify the source of the traffic that initiates it, determine the size of the packet and the time when it was analyzed.

The packet signature will be represented as a multi-component tuple: where k – number of components in the tuple.

For the case under consideration, let's assume k =9 and define these components: d1 - source IP address; d2 - destination IP address; d3 - source port; d 4 - destination port; d5 – protocol used for data transmission; d6 – traffic intensity, defined in bits/s; d7 - time of receipt of the package for inspection; d8 – MAC address of the device that sends data from the network; d9 – package size.

Each generated signature will belong to the set D:

∀ di∈ D ( 3 )

The next part of the model is the process of classifying traffic by features to classify traffic into allowed, forbidden, and requiring further analysis using sets of allowed, forbidden, and undefined signatures.

Represent the set of allowed signatures as follows:

Nd D=U {di}

i=0 d =⟨ d1 , d2 , … , dk ⟩ ,

DG= UNg {di}

i=0 where N g – number of allowed signatures; di – signature assigned to the set of allowed signatures.

Let's represent the set of forbidden signatures as follows: where N b – number of forbidden signatures; di – signature assigned to the set of forbidden signatures.

Represent the set of undefined signatures as follows: where N u – number of undefined signatures; di – signature that is assigned to the set of undefined signatures.

The process of traffic classification based on signature analysis is represented as a partitioning of the set D:

DB= UNb {di} i=0

Nu DU =U {di} i=0 ( 5 ) ( 6 ) ( 7 ) ( 8 ) ( 9 ) ( 10 ) ( 11 ) DG={d j∈ D|If ∃ di∈ DG that di1=d1j ⋀ di2=d2j } DB={d j∈ D|If ∃ di∈ DB that di1=d1j ⋁ di2=d2j }

DU ={d j∈ D|If d j∉ DG ⋀ d j∉ DB } where d j – the signature of the incoming traffic being analyzed.

As sets DG, DB та DU are partitions of D the following statements are true:

D= DG∪ DB∪ DU

DG ∩ DB=∅ , DG ∩ DU =∅ , DB ∩ DU =∅

Next, we will describe a fragment of the traffic classification process based on self-similarity, which involves the use of a similarity metric between new signatures and previously verified ones that are part of the set of allowed ones. Self-similarity is an effective criterion that minimizes the need to use resource-intensive fuzzy methods when evaluating unknown traffic patterns. Its advantage lies in the ability to identify stable patterns of behavior in traffic even when it varies in the time dimension. By analyzing consecutive time intervals, it is possible to verify new signatures based on previously obtained data, providing a dynamic update of the authorized traffic profile without the need to completely review the accumulated records.

To quantify the degree of self-similarity, the Hearst coefficient is used to determine the level of correlation between the characteristics of signatures. This ensures high accuracy in classifying new packets - whether they belong to legitimate traffic or require more detailed inspection. This approach is important for a timely response to potential cyber threats, as it provides an effective balance between processing speed and detection accuracy. Thanks to the self-similarity property, the amount of traffic that remains undetected is significantly reduced, thereby optimizing the monitoring process and increasing the overall efficiency of the anomaly detection system.

To take into account traffic self-similarity, we define the following time parameters (Fig. 1) t1−t 3 – the time interval for analyzing signatures for self-similarity, consisting of two subintervals, t1−t 2 – the time interval of signatures previously analyzed for self-similarity, t 2−t 3 – the time interval of new signatures.

Define the set M of signatures previously analyzed for self-similarity:

M ={di∈ DG∪ DU │ t1< di7 ≤ t 2} and a set M ' of new signatures that have not been analyzed for self-similarity before:

M '={di∈ DG∪ DU │ t 2< di7 ≤ t 3}, where di7 – time of receipt of the package for inspection.

Define the similarity function: where T – signature set, T ⊂ D; y – numerical similarity measure, y∈ [ 0,1].

To determine the similarity of a packet signature to a set of previously defined packet signatures, we define the function S ( n ) of the standard deviation. ( 12 ) ( 13 ) ( 14 ) (15) (16) (17) (18)

Define the Hurst coefficient for the packet signature as the average of the Hurst coefficients for each component of the tuple:

y =f (T ) , S j ( n)=√ 1 n

∑ ( dij−d j )2 , n i=1 H j= ln (

R j ( n)

S j ( n) ln ( n )

) H =f (T )= 1 ∑k H j k j=1 where n=|T| – number of signatures in a set T ; j – component number in the tuple; dij – is the value of the j-th component of the i-th tuple of the set; d j – average value of the j-th component of tuples of the set.

And the function R ( n ) range of the accumulated deviation of the function:

k k R j ( n)=max ∑ dij−d j−min ∑ dij−d j , k =1 , n

i=1,n m=1 i=1,n m=1 Determine the Hurst coefficient for each component of the tuple: where j – number of components in the tuple.

The process of classifying undefined traffic based on signature similarity analysis is presented as follows:

DG={DG∪ M '|f ( M ∪ M ' )>0,5 }, DU ={DU ∖ M '|f ( M ∪ M ' )>0,5 }, (19) (20)

After the analysis is completed, the set DU will contain signatures that are undefined or different from the allowed signatures and require further analysis.

To unambiguously classify the signatures left over from the previous stages, we will use the process of fuzzy detection of abnormal traffic.

The structural organization of the fuzzy inference system for classifying the features of signature elements involves the integration of the following main components: fuzzification, membership functions, fuzzy inference mechanism, and defuzzification. The system's workflow is implemented in the following sequence: the initial input data X is sent to the fuzzification module, where it is transformed into fuzzy values X ' by applying the appropriate membership functions. The next stage involves performing fuzzy logical inference, which involves implication, aggregation, activation, and accumulation based on a given base of fuzzy rules, resulting in the output fuzzy data Y '. At the final stage, the defuzzification procedure transitions from fuzzy results Y ' to a clear output value Y , which serves as the basis for the final decision. The process of fuzzification provides transformation of deterministic input data into fuzzy terms to account for possible undefined uncertainties in the input characteristics. For example, if the parameter d6 is 10,000 bits/s, its intensity will be classified as “above average” using the membership function. The fuzzy inference algorithm is implemented through a sequence of four core operations. At the implication stage, the input fuzzy values X ' are transformed into the corresponding output fuzzy sets. Aggregation combines the results of implication obtained from different rules for each term of the output variable. The activation stage evaluates the degree of truth of each rule, usually using minimization methods. Accumulation performs the integration of the obtained initial fuzzy sets into a single set Y '. Defuzzification is responsible for converting the obtained fuzzy conclusion into a clear value of Y , which is necessary for making a specific decision. As a result of the system's operation, the output variable result is formed, which takes on one of two intervals: “allowed” [0, 50] or ‘forbidden’ [50, 100]. If the signature is classified as “allowed”, the data is transmitted and the signature is registered in the database of allowed connections. If the signature is identified as “ forbidden”, the system blocks the connection by the source IP and MAC addresses, and the corresponding signature is added to the register of forbidden connections.

Membership functions determine the degree to which each input value belongs to certain terms. Define a linguistic variable ld, that takes one of the values from the term set ld∈ {ld1 , ld2 , … , ldm} , where m is the number of terms. Form the linguistic variables used to analyze network traffic and corresponding to the components of tuple ( 2 ): ld1 , ld2 , … , ldk . It should be noted that the model of the process of fuzzy detection of abnormal traffic does not use the first component of the tuple, the source IP address (d1), the third - the source port (d3), seventh - time of receipt of data for verification (d7) and the eighth - the MAC address of the device (d8). Since the source IP address ( d1 ), which determines the device that initiates the connection and transmits the data, is not a reliable indicator for analysis, as it can change due to the use of dynamic IP, NAT, or proxy servers, as well as be subject to spoofing. Source port ( d3 ), The source port, which identifies the incoming point of communication on the sender's side, is usually randomly generated by the operating system, making it unpredictable and of little importance in the context of fuzzy anomaly classification. Packet arrival time ( d7 ), expressed in a 24-hour format, depends on many external factors, such as network delays, peak loads, and changes in traffic depending on the time of day. This creates a significant level of variability, which can make it difficult to correctly fuzzify abnormal patterns. MAC address of the device ( d8 ), that sends the data is also not used due to its local nature, as this address is not transmitted through routed networks and can be easily spoofed or changed at the device level. The exclusion of these parameters is aimed at improving the accuracy of the model by eliminating variables that may introduce unnecessary noise. Thus, only those characteristics that provide stability and high differentiation between normal and potentially threatening traffic remain for fuzzy analysis.

The second component in the tuple is the destination IP address ( d2), which can be displayed as a character variable that takes one of the values of the set of identifiers ld2∈ {ld12 , ld22 , ld32}, namely: ld12=«IP address of the allowed traffic»; ld22=«IP address of unspecified traffic»; ld32=«IP address of abnormal traffic».

The fourth component in the tuple is the destination port (d4 ), which can be displayed as a character variable that takes one of the values of the set of identifiers ld 4∈ {ld14 , ld24 , ld34 }, namely : ld14=«port of normal typical traffic»; ld24=«port of undefined traffic»; ld34=«port of abnormal traffic».

The fifth component in the tuple is the protocol (d5 ), which can be displayed as a character variable that takes one of the values of the set of identifiers ld5∈ {ld15 , ld52 , ld53}, namely: ld15 =«secure protocols»; ld52=«neutral protocols»; ld53=«undefined protocols»; ld54=«suspicious protocols»; ld55=«dangerous protocols».

Traffic intensity in the ICS ( d6) can be considered from two approaches: objective and subjective. Objective traffic intensity is defined as the ratio of the amount of information transmitted through the communication channel for a certain period of time to the total available network resource. This approach is based on measuring and analyzing the actual performance of the system, for example, the number of packets or bytes passing through the system per unit of time. Subjective traffic intensity reflects the assessment of experts or users of the system regarding the level of congestion of communication channels at a certain moment or during a certain period. It is based on perceptions or estimates of system performance, as well as on forecasts of system performance depending on the current or expected volume of information transmitted. In situations where obtaining accurate statistics is difficult, experts use a logical-linguistic approach. In this case, the traffic intensity is represented by a linguistic variable ( ld6) with a basic term set, which allows formalizing qualitative assessments and ensuring their convenient interpretation for further analysis: where m – the number of terms for which the order ratio is valid ld16<ld26< …<ld6m. For example, when m=5 for the specified linguistic variable, you can form sets of terms ld6=⋃ i5=1 ldi6={« low » , « below average » , « average » , « above average » , « high »}, which is represented by fuzzy numbers with corresponding membership functions. You can also enter other values of the terms, such as “very low (VL)”, “very high (HV)”, etc. The ninth component in the tuple is the package size (d9). This component can be represented numerically or through a linguistic variable: (21) (22) where y – the number of terms for which the order ratio is valid ld19<l d29< …<ld9y. For all fuzzy sets that are used, the membership function is defined as the intersection of all sets: ld6=⋃ im=1 ldi6 ld9=⋃ iy=1 ldi9 where μMd2 ∩ μMd4 ∩ μMd5 ∩ μMd6 ∩ μMd9=( μMd2 ( x ) , μMd4 ( x ) , μMd5 ( x ) , μMd6 ( x ) , μMd9 ( x )) ,

4,3∙109 M d2={md2i}i=0 – he set of possible values of the destination IP address; 65535 - the set of possible values of destination ports; M d5={md5i}i3=6 0 - the set of possible M d4={md4i}i=0

10∙109 - the set of possible values of traffic intensity; M d9={md9i}i=0 protocols; M d6={md6i}i=0 65535 - a set of possible values of packet size.

A fuzzy knowledge base contains a set of fuzzy rules that define the relationships between input and output variables. Each rule has the form “If X, then Y”.

We propose a hybrid method for detecting abnormal traffic (Fig. 2), which combines the advantages of several approaches – signature classification, self-similarity analysis, and fuzzy inference. Such a multi-level structure provides more accurate, reliable, and adaptive anomaly detection, reducing the number of undefined cases and optimizing security system resources.

Step 3. Connect a file with a set of undefined signatures (DU).

Step 4. Upload a file with a list of rules.

Step 5. Forming a packet signature d j from the original data stream (D ), that you want to check.

Step 6. Performing the traffic classification method by features. If the signature is classified, you go to step 7. Otherwise, you go to step 9.

Step 7. If you need to continue checking the signatures, you go to step 5. Otherwise, you go to step 8.

Step 8. Finish the work.

Step 9. Perform the traffic classification method based on self-similarity. If the signature is classified, you go to step 7. Otherwise, you go to step 10.

Step 10. Performing a fuzzy method for detecting abnormal traffic. Go to step 7. The result of the work is an unambiguous classification of signatures as allowed or abnormal. Fig. 3 shows a diagram of data interaction in the hybrid method for detecting abnormal traffic. The set of initial data (D ) is the source of input information for the traffic classification block by features ( 1 ). Also, the input data for this method is the set of forbidden signatures DB( 2 ) and the set of allowed signatures DG( 3 ). The result of the method is a set of undefined signatures DU( 4 ). The input to the traffic classification block based on self-similarity is a set of allowed signatures DG( 8 ) and a set of undefined signatures DU( 9 ). As a result of the block operation, the signatures are written to the set of allowed signatures DG( 7 ) and are removed from the set of undefined signatures DU( 10 ) or the sets remain unchanged. The input data for the fuzzy method of detecting abnormal traffic is a set of undefined signatures DU( 11 ) and a set of rules ( 12 ). As a result, the signature method from the set of undefined signatures DU classifies and overwrites to the set of forbidden signatures DB( 5 ) or a set of allowed signatures DG( 6 ), by removing them from the set of undefined signatures DU( 13 ).

Based on the proposed hybrid method of detecting abnormal traffic, a system model was formed that covers the full cycle of network flow processing - from capturing raw traffic to making a decision on the security of the connection. At the initial stage, the specialized module integrates with the network environment, where it performs preliminary data processing: filtering by features, normalizing formats, and aggregating packets into sessions. This preparation provides a high-quality basis for further traffic analysis and accurate detection of potential threats.

The received data is transferred to the traffic classification module, which identifies signatures according to the sets of allowed and forbidden connections. The signature database is dynamically updated in real time, which allows detecting both known threats and modified or new attack variants. At the same time, a traffic classification subsystem based on self-similarity compares current characteristics with models of typical user and attacker behavior, detecting abnormal deviations, including zero-day attacks.

The main element of the model is a fuzzy abnormal traffic detection unit that uses linguistic variables and membership functions to generate an integrated risk score. The system operates on a fuzzy logic rule base that allows for a generalized threat level assessment based on parameters such as transmission speed, number of connection attempts, signature matching, etc.

The logical inference subsystem combines the results of the classification, self-similarity, and fuzzy logic modules to provide a comprehensive decision-making mechanism. If undefined or contradictory situations are detected, the system can direct the flow for additional verification, and if the threat level is high, initiate interaction with other cybersecurity components, including firewalls and intrusion prevention systems.

All events recorded during traffic processing are recorded in a centralized logging system, including IP addresses, ports, timestamps, and protocol types. This data is used not only for auditing and incident analysis, but also for feedback, which allows us to refine classification rules and update self-similarity models.

General requirements for the efficiency of solving the problem solved by an anomaly detection system can be expressed through the following well-known and frequently used quality metrics: TP (True Positive) - the number of events that are correctly classified as abnormal and are in fact so; FP (False Positive) - the number of events that are mistakenly identified as abnormal, but are not; TN (True Negative) - the number of events that are not classified as abnormal and are not in fact so (i.e., are normal); FN (False Negative) - the number of events that are not identified as abnormal, but are in fact abnormal. FPs are often referred to as first-order errors and FNs as second-order errors.

Table 1 illustrates the results of testing the developed method using two different datasets WSN-DS and CICIoT2023. For each dataset, the number of abnormal and allowed records was analyzed, and the rates of true positive (TP), true negative (TN), false positive (FP), and false negative (FN) classifications were calculated. In particular, 149,865 records were processed during the WSN-DS testing, of which 136,027 were abnormal and 13,838 were allowed. The method provided 13,187 correctly detected anomalies (TP) and 135,701 correctly identified valid records (TN), with 326 cases of false positive (FP) and 651 cases of false negative (FN) classification. During the CICIoT2023 testing, a much larger amount of data was processed - 9,337,316 records, where 9,117,677 were abnormal and 219,639 were allowed. According to the test results, 218,904 true positive classifications (TP) and 9,112,357 true negative classifications (TN) were obtained, while 5,320 false positive (FP) and 735 false negative (FN) records were detected. The results obtained indicate the high efficiency of the proposed method in processing both medium and large volumes of network traffic typical of Internet of Things (IoT) systems.

This paper proposes a hybrid method for detecting abnormal traffic in IoT networks based on a step-by-step combination of signature classification, traffic self-similarity analysis, and fuzzy inference. The proposed model allows to effectively formalize network traffic in the form of signatures, providing high accuracy of packet classification in real time. The use of the Hurst coefficient to assess the self-similarity of traffic and fuzzy decision-making systems for processing uncertain data has significantly increased the adaptability and reliability of threat detection. Experimental studies on the WSN-DS and CICIoT2023 datasets have demonstrated the high efficiency of the proposed approach. An overall classification accuracy of more than 99% was achieved, as well as high Precision, Recall, and F1 measures, which indicates a balance between correct anomaly detection and minimization of false positives. An additional advantage of the method is a significant reduction in network load with an acceptable increase in the load on computing resources.

During the preparation of this work, the authors used Grammarly in order to grammar and spell check, and improve the text readability. After using the tool, the authors reviewed and edited the content as needed to take full responsibility for the publication’s content. [15] M. Almasre, A. Subahi, Create a realistic iot dataset using conditional generative adversarial network, J. Sens. Actuator Netw. 13.5 (2024) 62. doi:10.3390/jsan13050062. [16] H. Kamal, M. Mashaly, Enhanced hybrid deep learning models-based anomaly detection method for two-stage binary and multi-class classification of attacks in intrusion detection systems, Algorithms 18.2 (2025) 69. doi:10.3390/a18020069. [17] H. Kamal, M. Mashaly, Robust intrusion detection system using an improved hybrid deep learning model for binary and multi-class classification in iot networks, Technologies 13.3 (2025) 102. doi:10.3390/technologies13030102. [18] Lypa, B., Horyn, I., Zagorodna, N., Tymoshchuk, D., Lechachenko T. Comparison of feature extraction tools for network traffic data. CEUR Workshop Proceedings, (2024), 3896, pp. 1-11. [19] Klots Y., Petliak N., Martsenko S., Tymoshchuk V., Bondarenko I. Machine Learning system for detecting malicious traffic generated by IoT devices. CEUR Workshop Proceedings, (2024), 3742, pp. 97 - 110 [20] F. Safarov, M. Basak, R. Nasimov, A. Abdusalomov, Y. I. Cho, Explainable lightweight block attention module framework for network-based iot attack detection, Future 15.9 (2023) 297. doi:10.3390/fi15090297. [21] Titova, V., Klots, Y., Cheshun, V., Petliak, N., Salem, A.-B.M.. Detection of network attacks in cyber-physical systems using a rule-based logical neural network. 1st International Workshop on Intelligent and CyberPhysical Systems, ICyberPhyS 2024, Volume 3736, 2024, Pages 255-268 [22] Y. Klots, N. Petliak and V. Titova, Evaluation of the efficiency of the system for detecting malicious outgoing traffic in public networks,” 2023 13th International Conference on Dependable Systems, Services and Technologies (DESSERT), Athens, Greece 2023, pp. 1–5, doi: 10.1109/DESSERT61349.2023.10416502. [23] R. J. Alzahrani, A. Alzahrani, A novel multi algorithm approach to identify network anomalies in the iot using fog computing and a model to distinguish between iot and non-iot devices, J.

Sens. Actuator Netw. 12.2 (2023) 19. doi:10.3390/jsan12020019. [24] B. A. Alabsi, M. Anbar, S. D. A. Rihan, Conditional tabular generative adversarial based intrusion detection system for detecting ddos and dos attacks on the internet of things networks, Sensors 23.12 (2023) 5644. doi:10.3390/s23125644. [25] F. Safarov, M. Basak, R. Nasimov, A. Abdusalomov, Y. I. Cho, Explainable lightweight block attention module framework for network-based iot attack detection, 15.9 (2023) 297. doi:10.3390/fi15090297. [26] B. A. Narayanavadivoo Gopinathan, V. Sarveshwaran, V. Ravi, R. Chaganti, LPCOCN: A layered paddy crop optimization-based capsule network approach for anomaly detection at iot edge, Information 13.12 (2022) 587. doi:10.3390/info13120587. [27] R. A. Manzano Sanchez, M. Zaman, N. Goel, K. Naik, R. Joshi, Towards developing a robust intrusion detection model using hadoop–spark and data augmentation for iot networks, Sensors 22.20 (2022) 7726. doi:10.3390/s22207726. [28] I. Syamsuddin, O. M. Barukab, SUKRY: suricata IDS with enhanced knn algorithm on raspberry pi for classifying iot botnet attacks, Electronics 11.5 (2022) 737. doi:10.3390/electronics11050737. [29] N. G. Anoh, T. Kone, J. C. Adepo, J. F. M’Moh, M. Babri, IoT intrusion detection system based on machine learning algorithms usingthe UNSW-NB15 dataset, Int. J. Adv. Sci. Res. Eng. 10.01 (2024) 16–28. doi:10.31695/ijasre.2024.1.3. [30] B. A. Alabsi, M. Anbar, S. D. A. Rihan, CNN-CNN: dual convolutional neural network approach for feature selection and attack detection on internet of things networks, Sensors 23.14 (2023) 6507. doi:10.3390/s23146507. [31] T. Altaf, X. Wang, W. Ni, G. Yu, R. P. Liu, R. Braun, GNN-Based network traffic analysis for the detection of sequential attacks in iot, Electronics 13.12 (2024) 2274. doi:10.3390/electronics13122274. [32] S. I. Popoola, B. Adebisi, R. Ande, M. Hammoudeh, K. Anoh, A. A. Atayero, SMOTE-DRNN: A deep learning algorithm for botnet detection in the internet-of-things networks, Sensors 21.9 (2021) 2985. doi:10.3390/s21092985. [33] Petliak N., Klots Y., Titova V., Salem A.-B.M. Attack detection system based on network traffic analysis by means of fuzzy inference. CEUR Workshop Proceedings, (2024), 3899, pp. 201 – 213