AN ADAPTIVE ZERO-DAY INTRUSION DETECTION AND TRAFFIC CLASSIFICATION FRAMEWORK FOR IOT NETWORKS USING AUTOENCODER-BASED ANOMALY ISOLATION

Authors

  • Sania Sajid
  • Jawaid Iqbal
  • Azeem Akram

Keywords:

IoT Security; Zero-Day Attacks; Intrusion Detection System; Autoencoder; Adaptive Thresholding; Anomaly Detection

Abstract

The rapid expansion of Internet of Things (IoT) networks has significantly increased security risks due to heterogeneous device behavior, constrained computational resources, and the continuous emergence of novel cyberattacks. Traditional intrusion detection systems (IDS) predominantly rely on predefined attack signatures or supervised learning approaches that require labeled attack data, making them ineffective against previously unseen zero-day attacks. This paper presents a deployment-oriented adaptive intrusion detection framework for zero-day attack detection in IoT networks using autoencoder-based anomaly isolation. The proposed autoencoder is trained exclusively on benign IoT traffic to learn normal behavioral patterns without relying on attack signatures. Anomaly detection is initially performed using static thresholding and subsequently enhanced through an adaptive thresholding mechanism that dynamically adjusts the decision boundary based on recent traffic statistics. To evaluate real-world applicability, live IoT traffic is captured using Wireshark, transformed into flow-based features using CICFlowMeter, and analyzed through an online adaptive detection process without retraining the model. Experimental results show that static thresholding performs poorly under dynamic and imbalanced traffic conditions, achieving only 36% detection accuracy. In contrast, the proposed adaptive thresholding approach achieves detection accuracy of up to 96–97% on benchmark datasets while effectively reducing false alarms. Validation on real IoT traffic reveals that approximately 10% of flows are identified as anomalous, reflecting realistic deployment behavior rather than excessive false positives. The lightweight nature of the proposed model, with a memory footprint below 0.5 MB and an inference latency of approximately 62 ms, demonstrates its suitability for real-time IoT deployments.
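The contrast between static and adaptive thresholding described in the abstract, as an added example that is not the authors' code. The abstract does not give the adaptive rule, so this sketch assumes a rolling mean plus k standard deviations over recent unflagged reconstruction errors; the error values are constructed rather than produced by an autoencoder, and all function names and parameters are hypothetical.

```python
from collections import deque
from statistics import mean, pstdev


def make_errors(n=120):
    """Constructed per-flow reconstruction errors (not real autoencoder output).
    The benign baseline is flat for 20 flows, then drifts slowly upward."""
    errors = []
    for i in range(n):
        baseline = 0.10 + 0.002 * max(0, i - 20)
        jitter = 0.01 * ((i * 7) % 5 - 2)  # deterministic noise in [-0.02, 0.02]
        errors.append(baseline + jitter)
    errors[40] = 0.60   # injected anomalous flow
    errors[100] = 0.90  # injected anomalous flow
    return errors


def static_flags(errors, threshold):
    """Fixed decision boundary chosen once from the training-time error range."""
    return [i for i, e in enumerate(errors) if e > threshold]


def adaptive_flags(errors, window=20, k=4.0):
    """Assumed adaptive rule: threshold = mean + k * std of the last `window`
    errors that were not flagged. No flagging until the window is full."""
    recent = deque(maxlen=window)
    flagged = []
    for i, e in enumerate(errors):
        if len(recent) == window:
            threshold = mean(recent) + k * pstdev(recent)
            if e > threshold:
                flagged.append(i)
                continue  # keep flagged flows out of the benign baseline
        recent.append(e)
    return flagged


if __name__ == "__main__":
    errs = make_errors()
    s = static_flags(errs, threshold=0.15)  # 0.15 sits above the flat-phase maximum
    a = adaptive_flags(errs)
    print(f"static threshold flagged {len(s)} of {len(errs)} flows")
    print(f"adaptive threshold flagged flows {a}")
```

Because flagged flows never enter the window, an abrupt but benign change in device behavior would stay flagged under this rule until the baseline is reset; only gradual drift is absorbed.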

Published

2026-01-16

How to Cite

Sania Sajid, Jawaid Iqbal, & Azeem Akram. (2026). AN ADAPTIVE ZERO-DAY INTRUSION DETECTION AND TRAFFIC CLASSIFICATION FRAMEWORK FOR IOT NETWORKS USING AUTOENCODER-BASED ANOMALY ISOLATION. Spectrum of Engineering Sciences, 4(1), 201–209. Retrieved from https://thesesjournal.com/index.php/1/article/view/1859