IoT Network Security Anomaly Detection
Embedded system intrusion detection with extreme imbalance (10% anomalies). BiLSTM+Attention: PR-AUC=0.186, Recall=33.3%. 5× augmentation (Gaussian/MixUp/masking). MC-Dropout uncertainty. Focal loss.
1,000 IoT network records — 90/10 imbalance
ADASYN + 5× augmentation → focal loss DL → MC-Dropout uncertainty
Anomaly detection for IoT network intrusion with extreme class imbalance.
Dataset
- 1,000 records, 14 features, 90% normal / 10% anomaly (100 anomaly examples)
- Features: packet size, inter-arrival time, spectral entropy, TCP flags, traffic intensity
Pipeline
- Random Forest feature selection → 14 key features
- ADASYN oversampling (100 → 614 minority samples)
- 5× data augmentation → 6,220 total training samples:
  - Gaussian noise injection
  - Feature masking (cutout)
  - MixUp (interpolate between samples)
  - Class-conditional noise
- Focal loss (γ=2.0, α=0.25) + cosine LR decay
Architecture Comparison
| Model | PR-AUC | F1 | Recall |
|---|---|---|---|
| Random Forest | 0.140 | 0.21 | 0.28 |
| XGBoost | 0.160 | 0.22 | 0.31 |
| Residual DNN | 0.172 | 0.22 | 0.30 |
| Dilated CNN | 0.165 | 0.21 | 0.29 |
| BiLSTM+Attention | 0.186 | 0.238 | 0.333 |
5-fold CV BiLSTM: PR-AUC = 0.1456 ± 0.0302
MC-Dropout Uncertainty
30 forward passes → mean + std per prediction. High-std samples are flagged for manual review.
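
The triage step described above, as an added example that is not the project's code: a small constructed scorer stands in for the BiLSTM+Attention model. The weights, the 0.5 score threshold, the 0.15 std cut-off and the three sample vectors are all assumptions made for illustration.

```python
import math
import random
import statistics

# Constructed stand-in scorer (NOT the page's BiLSTM): 3 inputs, 4 hidden units
# behind dropout, plus an undropped skip term from the first input.
W1 = [[0.1, 2.0, 0.0], [0.1, 0.0, 2.0], [0.0, 1.5, 0.0], [0.0, 0.0, 1.5]]
W2 = [2.0, -2.0, 1.0, -1.0]
SKIP = [2.0, 0.0, 0.0]
BIAS = -2.0
P_DROP = 0.3

def forward(x, rng):
    """One stochastic pass: dropout stays enabled at inference time."""
    z = BIAS + sum(s * xi for s, xi in zip(SKIP, x))
    for row, w_out in zip(W1, W2):
        h = max(0.0, sum(w * xi for w, xi in zip(row, x)))  # ReLU
        if rng.random() >= P_DROP:           # unit kept
            z += w_out * h / (1.0 - P_DROP)  # inverted-dropout scaling
    return 1.0 / (1.0 + math.exp(-z))

def mc_dropout(x, passes=30, seed=0):
    """Mean and sample std of the anomaly score over `passes` passes."""
    rng = random.Random(seed)  # fixed seed so the run is reproducible
    scores = [forward(x, rng) for _ in range(passes)]
    return statistics.mean(scores), statistics.stdev(scores)

def triage(records, threshold=0.5, std_limit=0.15):
    """Label each record; high-std predictions go to an analyst queue."""
    results = []
    for name, x in records:
        mean, std = mc_dropout(x)
        if std > std_limit:   # assumed cut-off, the page gives none
            verdict = "manual_review"
        elif mean >= threshold:
            verdict = "anomaly"
        else:
            verdict = "normal"
        results.append((name, round(mean, 3), round(std, 3), verdict))
    return results

# Constructed, already-normalised feature vectors (not from the dataset).
SAMPLES = [
    ("quiet", (0.0, 0.0, 0.0)),       # no hidden unit fires
    ("flood", (3.0, 0.0, 0.0)),       # skip term dominates every pass
    ("conflicted", (1.0, 2.0, 2.0)),  # opposing units: mask decides
]

if __name__ == "__main__":
    for row in triage(SAMPLES):
        print(row)
```

The "conflicted" record has a mean score near the decision threshold only because individual passes swing between very low and very high scores, which is the case a single deterministic forward pass would hide.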
Honest Assessment
PR-AUC 0.186 is modest. 100 anomaly examples are genuinely insufficient. In production, active learning or semi-supervised approaches would be more effective than supervised models on this dataset size.