The Internet of Things (IoT) is the fastest-growing collection of physical entities embedded with technologies to sense and exchange information with other connected devices over the Internet.Since IoT systems are resource-constrained and ad hoc, they are an obvious target for cyberattacks. IoT system security thus requires continual observation and analysis. The application of machine learning (ML) to IoT security holds particular promise for identifying any anomalies in the system's typical operation. In this paper, we propose to design a Random Forest-Support Vector Machine (RF-SVM) based Anomaly detection framework for IoT. The RF classifier is applied for selecting the optimal features from the extracted traffic data. It includes removing the outliers, redundant data, and choosing the best features with high weight values. Then, SVM is applied for classifying the extracted features and detecting the anomalies. The fitness function is derived in terms of true positives, false positives, and false negatives. From the detected anomalies, the attack type is then determined, and a corresponding warning is sent to the monitoring nodes.In the experimental results, it is shown that the proposed RF-SVM classifier attains increased detection accuracy with reduced detection overhead and packet drops.

Similar to Hybrid Anomaly Detection Mechanism for IOT Networks

More from IJCNCJournal

Recently uploaded

Hybrid Anomaly Detection Mechanism for IOT Networks

• 1.
  International Journal ofComputer Networks & Communications (IJCNC) Vol.17, No.6, November 2025DOI: 10.5121/ijcnc.2025.17607 115HYBRID ANOMALY DETECTION MECHANISM FORIOT NETWORKSHarish Kumar Saini, Monika PoriyeDepartment of Computer Science and Applications, Kurukshetra University, IndiaABSTRACTThe Internet of Things (IoT) is the fastest-growing collection of physical entities embedded withtechnologies to sense and exchange information with other connected devices over the Internet.Since IoTsystems are resource-constrained and ad hoc, they are an obvious target for cyberattacks. IoT systemsecurity thus requires continual observation and analysis. The application of machine learning (ML) to IoTsecurity holds particular promise for identifying any anomalies in the system's typical operation. In thispaper, we propose to design a Random Forest-Support Vector Machine (RF-SVM) based Anomalydetection framework for IoT. The RF classifier is applied for selecting the optimal features from theextracted traffic data. It includes removing the outliers, redundant data, and choosing the best featureswith high weight values. Then, SVM is applied for classifying the extracted features and detecting theanomalies. The fitness function is derived in terms of true positives, false positives, and false negatives.From the detected anomalies, the attack type is then determined, and a corresponding warning is sent tothe monitoring nodes.In the experimental results, it is shown that the proposed RF-SVM classifier attainsincreased detection accuracy with reduced detection overhead and packet drops.KEYWORDSIoT, Machine Learning, Ensemble, Anomaly detection1. INTRODUCTIONThe Internet of Things (IoT) is the network of physical devices, such as smartphones, and othersmart objects that exchange information and provide useful services online. The Internet ofThings is a global revolution. It provides the potential for use in a wide range of applicationareas. It has been widely used in retail, agriculture, smart cities, smart homes, smart industries,and environmentmonitoring, among other areas. Connecting devices is the aim of the Internet ofThings. Wireless Sensor Network (WSN) upgrades are very common. WSNs connect IoT devicesto gather environmental data. Due to its limited energy, memory, and processing capabilities, IoTis resource-constrained [1].Due to IoT systems' ad hoc and limited resources, they are an obvious target for cyber-attacks. Asa result, protecting IoT systems requires constant monitoring and analysis. Prior to an attack, it'scritical to know what to do in the event of an unforeseen situation, take precautions, protectimportant data, and assure continuity [2]. During the routing of data packets, data packets arequite likely to be exposed. The data packets would be lost if the rogue node invaded the nodes.Asa result, the security of data packets in IoT-constrained devices has a significant impact because itis linked to the users [3]. For resource-constrained environments, standard security measures areprohibitively expensive. [4]In IoT based sensor network, a Distributed Denial of Service (DDoS) attack is feasible whosemain purpose is to interrupt the data transfer between end users. This exploit generates malicious
• 2.
  International Journal ofComputer Networks & Communications (IJCNC) Vol.17, No.6, November 2025116traffic flooding, causing other valid nodes to receive unnecessary packets. Actions of theseattackers contribute to the deterioration of the network in terms of greater bandwidth usage,memory utilization, energy consumption, etc. [5]. Malicious Control, Malicious Operation, andWrong Setup are just some of the additional assaults and abnormalities that might cause an IoTdevice to malfunction [6].An intrusion-detection system (IDS) is a must for any IoT traffic environment that is particularlysensitive. A majority of current research on IDS for the Internet of Things is based on rule-baseddetection. Anomaly-based detection methods are crucial in IoT environments [7] for efficientthreat detection.Any anomalies in the system's behaviour can be detected by using machine learning (ML) for IoTsecurity. An aberrant situation can be detected and protected by a variety of machine learningalgorithms. [6][7].Among the ML algorithms,SVM and RF have been widely used in recent years to suggestfeasible solutions to the IDS problem. SVM can provide good decision surfaces by maximizingmargins using soft-margin approaches. Though SVM is slightly more accurate,it consumes moretime. RF produces similar accuracy in a much faster manner if given modelling parameters.Hence,by combining these two classifiers and creating a hybrid RF-SVM classifier will result inincreased accuracy in less time [11].In this paper, RF-SVM classifier is designed to detect the IoT network traffic anomalies. Incontrast to the existing RF-SVM classifiers, here RF classifier is applied for extracting theoptimal features from the network traffic data and theSVM is applied for classifying the extractedfeatures and detecting the anomalies.This paper is organized as follows. Section 2 presents the related works on anomaly detectionusing ML classifiers and RF-SVM classifiers. Section 3 presents the detailed methodology of theproposed RF-SVM classifier. Section 4 presents the experimental results and Section 5 presentsthe conclusion.2. RELATED WORKS2.1. Anomaly Detection using Machine learning (ML) classifiersIoT attacks and anomalies can be detected using a group of ML classifiers [6]. Decision Tree(DT), Logistic Regression (LR), Support Vector Machine (SVM), Neural Network (ANN). Finalmodels were created using an optimization method based on the training datasets.This system uses a Deep Learning [7] algorithm to identify fraudulent traffic in IoT networks.Network traffic is organised into sessions and anomalous activity is examined. During thetraining phase, the work is done offline and spans a long period of time. When the data is pre-processed, tuples of features are generated and used to train the model. The perceptual learningmodel utilises information gained at each perceptual layer to filter out the preferred traits beforefeeding it to the next perceptual layer.To combat DDoS attacks, a machine-learning framework [8] was developed. The IoT devicetraffic capture mechanism is capable of capturing a wide range of data. Categorizing andretrieving features based on IoT activity has been done and as a final step, a variety of binary
• 3.
  International Journal ofComputer Networks & Communications (IJCNC) Vol.17, No.6, November 2025117classification techniques were used to correctly distinguish between normal communication andDoS communications.For low-resource IoT devices, a game theory-based lightweight anomaly detection approach hasbeen proposed [9]. IoT security has been shown as a game between IDS agents and the attackersin this approach. There are new attack patterns that need to be tracked down by the IDS agent.The training, classification, and rule-making phases of the anomaly detection process are allincluded.Using deep migrating learning, a new IoT data feature extraction and IDS has been developed[10]. This document outlines the migration learning model and data feature extraction. Migratingfrom one subject or activity to another is a process of acquiring new knowledge. Research showsthat an IDS model can effectively shorten clustering times while retaining the accuracy requiredto identify intrusions. However, the accuracy of categorisation can suffer throughout thecompression process.2.2. RF-SVM Classifiers for Anomaly DetectionShanmuga sundari et al [12] have shown that fraud detection using RF and SVM techniques maybe compared in terms of accuracy. Using data mining algorithms, they are able to identify bothnormal and fraudulent transactions based on the past information, including exchanges that havebeen misrepresented.Prithi et al [13] have proposed a two-stage hybrid classification technique for intrusion detection.Anomaly detection is done using SVM, while abuse detection is done using (RF)/Decision Tree(DT). In the beginning, the abnormalities are spotted. Second-stage investigation recognises themost common types of DoS and Probe, as well as recognised R2L assaults and User to Root(U2R) assaults.Two categorization models have been developed by Md. Al MehediHasan et al [14]. The SVMand RF model are used for each. Experiments have shown that any classifier works here. SVM isa little more accurate, but it takes a lot longer to run. RF provides the same level of precision in aconsiderably faster manner if the model parameters are provided. These classifiers can helpimprove the accuracy of an IDS system. The KDD'99 Dataset is employed in this study in orderto determine which intrusion detector is more effective on this dataset.In [15], RF-SVM classifier has been applied to classify the gene expression data in ChronicKidney Disease (CKD). Here, RF is highly accurate and is interpretable and SVM effectivelypredicts the gene expression data with very high dimensions.2.2.1. ChallengesDeveloping an effective and efficient anomaly detection model using machine learningalgorithms is a challenging process because of the following reasons[16]:• The classical machine learning algorithms are weak in extracting the best features torepresent the given data.• It’s difficult to deploy a machine learning model over resource-constrained IoT devices.• A huge amount of data is required to train machine learning models to reduce falsepositives and false negatives.
• 4.
  International Journal ofComputer Networks & Communications (IJCNC) Vol.17, No.6, November 2025118• The processing overhead due to data dimensionality is also an issue in selecting anyanomaly detection mechanism.3. Proposed Solution3.1. OverviewIn this paper, we propose to design RF-SVM-basedAnomaly detection mechanism for IoT. HereRF-SVM classifier module is applied to detect the IoT network traffic anomalies. Although thereare hybrid RF–SVM pipelines, our work is different in three significant ways: A fitness-drivenSVM objective that explicitly optimizes TP, FP, and FN to prioritize anomalous-event recallunder IoT IDS constraints, a gateway-centric RF feature selection with an empirically tunedstability threshold that filters redundant/noisy traffic fields before classification, and adeployment-oriented evaluation in NS-2 with TwoRayGround propagation and workload sweeps(monitoring interval and attack-rate) that reports accuracy as well as detection delay and packetdrop as first-class metrics pertinent to IoT networks. Together, these components represent anovel experimental and methodological contribution that goes beyond the simple statement, "RFfor features, SVM for classification. The RF classifier is applied for selecting the optimal featuresfrom the extracted traffic data. It includes removing the outliers, redundant dataand choosing thebest features with high weight values. Then, SVM is applied for classifying the extracted featuresand detecting the anomalies. The fitness function is derived in terms of true positives, falsepositives and false negatives. From the detected anomalies, the attack type is then determined,and a corresponding warning will be sent to the monitoring nodes.3.2. Decision TreesThe decision tree is a type of supervised learning algorithm that is mostly used in classificationproblems. The simplicity and efficiency are considered the major attributes in the decision treeswhich are very useful in applications where the computational power resources are scarce.The decision trees adopt a top-down approach in splitting the data samples in smaller subsetsbased on different decision criteria, which will be discussed. The root node is considered the bestpredictor. The decision node is the attribute where the highest splitting criterion (information gain,for example) is achieved. At a terminal node or leaf node, the splitting process halts; it representsa decision. In this case, a splitting criterion such as the information gain is equal to zero.A major type of decision tree is an ensemble-based decision tree or Random Forest (RF).3.2.1. Random Forest (RF) AlgorithmRF algorithm is a set of trees and a supervised classification algorithm that generates each treeusing a basic sample of the exclusive training data. In order to classify a new item from an inputtrace, the trace will be positioned beneath each tree in the forest. There is a direct correlationbetween the number of trees in a forest and the potential fallout; that is, the more trees there are,the more accurate the result. Each and every tree offers a vote to indicate the tree's preferenceregarding the item's category. The group that generates the most votes out of all the trees ischosen by the forest. [14][17].There are two stages in the RF algorithm: (i) RF creation, (ii) creating a calculation from thearbitrary forest classifier made in the preliminary phase [17].
• 5.
  International Journal ofComputer Networks & Communications (IJCNC) Vol.17, No.6, November 2025119The whole process is shown below:(i) Arbitrary forest formation1. Select "K" aspects at random from the aggregate "M" aspects where K < M.2. Use the finest divided point to assess the node "D" among the "K" aspects.3. Use the best split to split the node into daughter nodes.4. Repeat steps 1 through 3 until "L" nodes are reached.5. Create a forest by repeating steps 1 through 4 "N" times to create "N" trees.(ii) Arbitrary forest estimation1. Uses the test features and each decision tree's rubrics to compute the outcome andstore the anticipated outcome (objective).2. Calculate the number of votes for each anticipated goal.3. Use the highly voted anticipated objective as the arbitrary forest procedure'sclosing expectation.3.2.2. RF-based Feature SelectionRF uses a technique called bootstrap aggregation (Bagging), which samples the data set used inthe classification task, randomly with replacement. The bootstrap method is a resamplingtechnique to generate slightly different data sets from the original training data set, and baggingcombines many classifiers trained with slightly.Let m represent how many instances there are in the real training set. Create a bootstrap model ofdimension m using the real training data. Let m represent the total number of input structuresfound in the real training set. For each tree where k<m, only k features are randomly chosen fromthe bootstrap model data. At each node of the tree, the traits from this group form the bestpossible fragment. The value of m should remain constant throughout the forest's ascent [18].The original Packet Capturing Files (PCAP),which have the network packages were primarilychanged and characterized in a Packet Description Markup Language (PDML) format.The features that reflect the device characteristics and behaviour related to various attacks areonly considered. Each feature has been assigned a weight value. The best subset of features withhigher weight values is selected by RF algorithm.Table 1 :Extracted features and assigned weightsS.No Features Weight value1 Protocol type 12 src (bytes) 23 sest (bytes) 24 Duration 15 Flag 16 Service 37 dst_host_count 38 serv_count 29 serv_error_rate 410 same_serv_rate 311 diff_serv_rate 3
• 6.
  International Journal ofComputer Networks & Communications (IJCNC) Vol.17, No.6, November 2025120S.No Features Weight value12 dst_host_same_serv_rate 213 dst_host_diff_serv_rate 214 dst_host_same_src_port 315 dst_host_diff_src_port 316 Dst_host_serror_rate 517 No_failed_attempts 518 No_file_creations 419 No_access_files 420 No_compromized 5Let S be the source node and {F} be the set of selected features. Let DS(A) be the actual data set,BSm(A) represents the bootstrap model of m features, and DS(C) represent the collected datasetby each gateway . The overall weight value (W) is the number of most repeated features dividedby the total number of features. Let MinWbe the minimum threshold or lower bound of W. In ourwork, the value of MinW is kept as 3 based on sensitivity analysis by testing the MinW value (1-5) and observing that MinW = 3 provided the best detection accuracy without an increase in falsepositives.The features which are having weight values greater than MinW are included forclassification. The features that were given the highest weight values, as shown in Table 1, wererated the highest due to being accountable, through the Random Forest feature selection andimportance ranking, for the greatest strength in distinguishing normal traffic from compromisedtraffic or exhibiting the most discriminative power. These features (e.g., repeated failed attemptsor session errors) are clearly related to attack behavior and are therefore useful signals for theSVM classifier. The selection of these parameters, along with their high weighting, iscorroborated by previous research and domain knowledge, confirming that anomalies found inthese domains are significant indicators of malicious activity or intrusion attempts in IoTenvironments.The proposed RF-based feature selection algorithm is presented below:Algorithm: RF-based feature selection_____________________________________________1. For each IoT gateway2. Read DS(A)3. construct BSm(A) using RF4. Divide BSm(A) into training and trial5. DS is provided for training in RF6. Train (BSm(A)7. Estimate DR8. End For9. For each gatewayGj10. At time interval ti,11. Collects data from its devices12. Constructs DS(C)13. Estimates W using the RF classifier14. Transmit all W to SCH15. Gj transmits W towards S16. S computes the variance (W)17. For each feature fi18. If W(fi) >MinW, then19. S adds fi into {F}20. End For
• 7.
  International Journal ofComputer Networks & Communications (IJCNC) Vol.17, No.6, November 202512121. Move to the next interval T(i+1)22. End For23. Stop___________________________________________________________According to this algorithm, the optimum features selected by the RF classifier algorithm are:serv_error_rate, Dst_host_serror_rate, No_failed_attempts, No_file_creations, No_access_files,and No_compromized.3.3. SVM ClassifierThe basic principle of SVM is finding the optimal linear hyperplane in the feature space thatmaximally separates the two target classes [16]. Geometrically, the SVM modelling algorithmfinds an optimal hyperplane with the maximal margin to separate two classes,In SVM, the training set is provided as(x1,y1),(x2,y2),….(xn,yn) , xjnR , yj }1,1{ −+ .Here, xj is the input characteristic vector of thejthmodel, and yj is the output catalogue = +1 or -1.SVM splits the +ve and -ve instances by means of a hyperplane asRbRwbxw n=+ ,,0.. (1)Here, w.x signifies the dot product of w & x.SVM calculates the finest hyperplane by exploiting the border.The choice function f(x) = sgn(g(x)) for an event is provided asg(x) = +=liiii bxxy1.. (2)where i is the numerical limit for imminent vector xiFigure 3 Concept of SVM
• 8.
  International Journal ofComputer Networks & Communications (IJCNC) Vol.17, No.6, November 20251223.4. Detection Algorithm using SVMFor classifying the extracted features and detecting the anomalies, we use SVM. The fitnessfunction (F) is derived in terms of True positives (TP), False positives (FP) and False negatives(FN) as follows:F = 2. TP / (TP+FP+FN) (3)Since the algorithm focuses on anomalous event prioritization and minimization of misseddetections True negatives are excluded, as recommended in IoT IDS literature.By means of the training vector in two sets and the label vector y, the provision vector methodneeds the resolution of the succeeding issue=+liiTvbwvCww1,, 21min(4)subject to y livvbxw iiiTy ,...1,0,1))(( =−+where w dR is the mass vectorC + R is the regularization constant is the mapping function that projects the training data into a suitable feature space so asto allow non-linear decision surfaces.The following algorithm shows the process of the SVM classifier to classify the malicious trafficflows.Procedure: SVM Classification________________________________________________________________1. Remove deal data equivalent to 10 aspects2. Build the feature vector Xij, i=1..10,j=1….n3. Construct the training set (xij, yij)4. Utilise the labelled data to train the sample5. For every input user Uj of aspect Fi6. Do7. Remove the data from Uj8. For every classifier j9. Do10. Regulate the symbol by means of gj(x) via (2)11. While (i<10)12. End For13. Evaluate the utmost output (select the maximum output)14. Regulate the ideal brim.15. Return the equivalent operator Uj such that Fi=max(Fi)16. End For_______________________________________________________The features of legitimate devices will have unique fitness values, whereas the features ofcompromised devices will deviate from others. Hence, the fitness function is applied to the
• 9.
  International Journal ofComputer Networks & Communications (IJCNC) Vol.17, No.6, November 2025123extracted features and the, features having the least fitness values are considered as anomalies.The corresponding device or user is fetched from the PCAP history and blocked from furtheroperations.4. EXPERIMENTAL RESULTS4.1. Dataset and PDMLThe training and testing were performed on the DARPA 2009 IDS dataset. Though the DARPA2009 dataset is old and not specific to IoT, it is still used in some research for baselinebenchmarking and method validation purposes. The dataset is well-structured and the labeledtraffic is publicly available, allowing researchers to compare their results with a large number ofprevious studies that were conducted using the same dataset and its labeled traffic. In doing so,the DARPA 2009 dataset allows researchers to have a common dataset to refer to whenevaluating a new algorithm against the established results from a long-standing body of intrusiondetection research. Additionally, the DARPA 2009 dataset can also serve as a useful avenue fortesting the general detection capacity of models as they are deployed and applied to morecomplex and heterogeneous datasets after testing them first under a controlled and well-established environment.The dataset comprises about 7000 PCAP files. The dataset comprises a variety of security eventsand attack types. PCAP files are data files generated using tools such as Libpcap of Linux. Thesefiles contain packet data of a network and are used to analyze the network characteristics. Theyalsocontribute to controlling the network traffic and determining network status.Wireshark can save network packet dissections in a PDML file. PDML conforms to the XMLstandard and contains details about the packet analysis.4.2. Comparison with Existing TechniquesThe proposed RF-SVM based anomaly detection framework is simulated in NS2 and comparedwith the existing Lightweight Anomaly Detection (LAD) [10] and Deep Migration Learning(DML) based IDS [11]. The performance is evaluated in terms of detection delay, detectionaccuracy, and packet drop. Table 3 shows the experimental parameters used in the simulation.Table 3: Experimental parametersNumber of Nodes 22Simulation area 500 X 500mMAC Protocol IEEE 802.11Traffic type CBR and ExponentialNumber of Wired Nodes 2Number of wireless nodes 20Propagation TwoRayGroundAntenna OmniAntennaSimulation Time 20,40,60,80 and 100 secRate 25,50,75,100 and 125Kb
• 10.
  International Journal ofComputer Networks & Communications (IJCNC) Vol.17, No.6, November 2025124A. Varying the Monitoring intervalIn this first experiment we vary the simulation time as 20,40,60,80 and 100sec.Table 4 Results of detection delay for various intervalsMonitoringInterval(sec)RF-SVM (ms) DML (ms) LAD (ms)20 4.50 4.73 4.9840 7.63 10.05 10.1760 10.78 15.31 15.7680 13.91 20.61 21.45100 17.23 25.93 27.06Figure 7 Detection Delay for various intervalsTable 4 and Figure 7 show the detection delay measured for RF-SVM, LAD and DML when themonitoring intervals flows are varied. As we can see from the figure, the delay of RF-SVM is25% of lesser than DML and 27% lesser than LAD.Table 5 Results of detection accuracy for various intervalsMonitoringInterval (sec)RF-SVM DML LAD20 0.8244 0.55980.401840 0.8422 0.584 0.495960 0.8481 0.6112 0.541380 0.8531 0.6428 0.5915100 0.8539 0.6816 0.6626010203020 40 60 80 100DetectionDelay(ms)Monitoring Interval (sec)RF-SVMDMLLAD
• 11.
  International Journal ofComputer Networks & Communications (IJCNC) Vol.17, No.6, November 2025125Figure 8 Detection accuracy for various intervalsTable 5 and Figure 8 show the detection accuracy measured for RF-SVM, LAD and DML whenthe monitoring intervals are varied. As we can see from the figure, the detection accuracy of RF-SVM is 28% higher when compared to DML and 65% higher than LAD.Table 6 Results of packet drop for various intervalsMonitoringInterval(sec)RF-SVM DML LAD20 523 1447 320940 963 2033 479760 1623 3784 551980 2823 4287 6187100 4453 8098 9639Figure 9 Packet drop for various intervalsTable 6 and Figure 9 show the packet drop measured for RF-SVM, LAD and DML when themonitoring intervals are varied. As we can see from the figure, the packet drop of RF-SVM is50% less when compared to DML and 93% lesser than LAD.00.10.20.30.40.50.60.70.80.920 40 60 80 100DetectionAccuracyMonitoring Interval (sec)RF-SVMDMLLAD050001000015000200002500020 40 60 80 100PacketDropMonitoring Interval (sec)LADDMLRF-SVM
• 12.
  International Journal ofComputer Networks & Communications (IJCNC) Vol.17, No.6, November 2025126B. Based on Attack FrequencyIn our second experiment we vary the frequency of attacks from 25Kb/s to 125Kb/sTable 7 Results of detection delay for various attack frequencyAttackFrequency(Kb/s)RF-SVM (ms) DML (ms) LAD (ms)25 4.254 6.628 11.3050 6.916 8.692 12.5775 7.542 10.334 13.26100 8.030 11.424 13.28125 9.255 12.209 13.27Figure 10 Detection delay for various attack frequencyTable 7 and Figure 10 show the detection delay measured for RF-SVM,LAD and DML when theattack frequencies are varied. As we can see from figure, the detection delay of RF-SVM is 27%lesser then DML and 44% lesser than LAD.Table 8 Results of detection accuracy for various attack frequencyAttack Frequency RF-SVM DML LAD25 0.7791 0.7431 0.654950 0.7003 0.6254 0.582475 0.6734 0.5436 0.5141100 0.6598 0.4858 0.4681125 0.6479 0.4231 0.39690246810121425 50 75 100 125DetectionDelay(ms)Attack Frequency (Kb/s)RF-SVMDMLLAD
• 13.
  International Journal ofComputer Networks & Communications (IJCNC) Vol.17, No.6, November 2025127Figure11 Detection accuracy for various attack frequencyTable 8 and Figure 11 shows the detection accuracy measured for RF-SVM, LAD and DMLwhen the attack frequencies are varied. As we can see from figure, the detection accuracy of RF-SVM is 19% high when compared to DML and 42% higher than LAD.Table 9 Results of packet drop for various attack frequencyAttackFrequencyRF-SVM DML LAD25 18 2141 275050 186 3443 464775 263 4842 5574100 337 5845 6434125 523 7722 8960Figure12 Packet drop for various attack frequencyTable 9 and Figure 12 show the packet drop measured for RF-SVM, LAD and DML when theflows attack frequencies are varied. We can see that, the packet drop of RF-SVM is 69% lesswhen compared to DML and 92% lessthan LAD.00.20.40.60.8125 50 75 100 125DetectionAccuracyAttack Frequency (Kb/s)RF-SVMDMLLAD020004000600080001000025 50 75 100 125PacketDropAttack Frequency (Kb/s)RF-SVMDMLLAD
• 14.
  International Journal ofComputer Networks & Communications (IJCNC) Vol.17, No.6, November 20251285. CONCLUSIONIn this paper, we propose to develop a Random Forest-Support Vector Machine (RF-SVM) basedAnomaly detection mechanism for IoT. The RF classifier is applied for selecting the optimalfeatures from the extracted traffic data. It includes removing the outliers, redundant data, andchoosing the best features with high weight values. Then, SVM is applied for classifying theextracted features and detecting the anomalies. The fitness function is derived in terms of truepositives, false positives, and false negatives. From the detected anomalies, the attack type is thendetermined, and a corresponding warning is sent to the monitoring nodes.The proposed RF-SVM attains the highest accuracy, precision, recall, and the F1-score whencompared to these algorithms. The proposed RF-SVM-based anomaly detection framework issimulated in NS2 and compared with the existing LAD and DML-based IDS techniques. Theperformance is evaluated in terms of detection delay, detection accuracy, and packet drop. In theexperimental results, it is shown that the proposed RF-SVM classifier attains increased detectionaccuracy with reduced packet drops.CONFLICTS OF INTERESTThe authors have no competing interests to declare that are relevant to thecontent of this article.There is no conflict of interest.REFERENCES[1] R. Stephen and L. Arockiam, “RIAIDRPL: Rank Increased Attack (RIA) Identification Algorithmfor Avoiding Loop in the RPL DODAG,” Int. J. Pure Appl. Math., vol. 119, no. 16, 2018.[2] F. Y. Yavuz, D. Ünal, and E. Gül, “Deep learning for detection of routing attacks in the Internet ofThings,” Int. J. Comput. Intell. Syst., vol. 12, pp. 39–58, 2018.[3] Z. A. Almusaylim, N. Z. Jhanjhi, and A. Alhumam, “Detection and mitigation of RPL rank andversion number attacks in the Internet of Things: SRPL-RP,” Sensors, vol. 20, 2020.[4] A. Aris, S. F. Oktug, and B. O. Yalcin, “RPL version number attacks: In-depth study,” in Proc.IEEE Conf., 2016.[5] B. A. Alabsi, M. Anbar, S. Manickam, and O. E. Elejla, “DDoS attack aware environment withsecure clustering and routing based on RPL protocol operation,” IET Circuits Devices Syst.,2019.[6] M. Hasan, M. M. Islam, M. I. Islam Zarif, and M. M. A. Hashem, “Attack and anomaly detection inIoT sensors in IoT sites using machine learning approaches,” Internet Things, vol. 7, 2019.[7] G. Thamilarasu and S. Chawla, “Towards deep-learning-driven intrusion detection for the Internetof Things,” Sensors, 2019.[8] R. Doshi, N. Apthorpe, and N. Feamster, “Machine learning DDoS detection for consumer Internetof Things devices,” arXiv:1804.04159v1 [cs.CR], 2018.[9] H. Sedjelmaci, S. M. Senouci, and M. Al-Bahri, “A lightweight anomaly detection technique forlow-resource IoT devices: a game-theoretic methodology,” in IEEE Int. Conf. Commun. (ICC),Mobile and Wireless Networking Symp.,2016.[10] D. Lia, L. Deng, M. Lee, and H. Wang, “IoT data feature extraction and intrusion detection systemfor smart cities based on deep migration learning,” Int. J. Inf. Manag., vol. 49, pp. 533–545, 2019.[11] F. Huang, J. Shen, Q. Guo, and Y. Shi, “eRFSVM: A hybrid classifier to predict enhancers—integrating random forests with support vector machines,” Hereditas, 2016.[12] M. Shanmugasundari and R. K. Nayak, “Master card anomaly detection using random forest andsupport vector machine algorithms,” J. Crit. Rev., vol. 7, no. 9, 2020.[13] S. Prithi and S. Sumathi, “Intrusion detection system using hybrid SVM-RF and SVM-DT inwireless sensor networks,” Int. J. Recent Technol. Eng., vol. 8, no. 2S8, 2019.[14] M. A. M. Hasan, M. Nasser, B. Pal, and S. Ahmad, “Support vector machine and random forestmodelling for intrusion detection system (IDS),” J. Intell. Learn. Syst. Appl., vol. 6, no. 1, Feb.2014.
• 15.
  International Journal ofComputer Networks & Communications (IJCNC) Vol.17, No.6, November 2025129[15] Z. Rustam, E. Sudarsono, and D. Sarwinda, “Random-Forest (RF) and support vector machine(SVM) implementation for analysis of gene expression data in chronic kidney disease (CKD),”in Proc. 9th Annu. Basic Sci. Int. Conf., 2019.[16] A. Diro et al., “A comprehensive study of anomaly detection schemes in IoT networks usingmachine learning algorithms,” Sensors, vol. 21, no. 24, Art. no. 8320, 2021.[17] Pughazendi N, Valarmathi K, Rajaraman PV, Balaji S. RETRACTED: Reliable cluster based datacollection framework for IoT-big data healthcare applications. Journal of Intelligent & FuzzySystems: Applications in Engineering and Technology. 2023;0(0). doi:10.3233/JIFS-233505.[18] B. Duraisamy, S. Gopalakrishnan, S.-Y. Hsieh, and S.-L. Peng, Intelligent Computing andInnovation on Data Science: Proceedings of ICTIDS 2021. Springer, 2021.