AI Against Cybercrime: New Method Aims to Detect Cyberattacks on IoT Devices With Near-Perfect Accuracy

Our world is getting smarter: households and businesses are using smart door locks, surveillance cameras, thermostats, or kitchen appliances, all controllable via app – often even remotely. Behind the scenes, billions of so-called IoT devices are busily exchanging data, automating processes, and becoming ‘invisible helpers’ in everyday life and industry. Yet, this increasing interconnectedness is also attracting the attention of cybercriminals.
To detect and prevent attacks in time, so-called Intrusion Detection Systems (IDS) are used. These “digital watchdogs” monitor network communication, look for anomalies, and trigger alarms when suspicious patterns are found. However, as IoT spreads, not only do the number and variety of devices grow, but so do the complexity and concealment of attacks. Especially problematic are:
- The enormous volume of network data in which the “needle in the haystack” must be found;
- Severe imbalance: malicious activities are extremely rare and often account for far less than 1% of all network connections;
- Many features (such as protocols, ports, time series, etc.) in the data are not relevant for attack detection – they only bloat the analysis;
- Previous protection systems often raise false alarms or miss sophisticated, well-camouflaged attacks.
AI against cybercrime: Opportunities and limitations
In recent years, machine learning methods and increasingly deep learning have been deployed for pattern recognition in IT security. In particular, Convolutional Neural Networks (CNN) and Long Short-Term Memory networks (LSTM) have been able to identify complex attack patterns – at least with well-balanced, clean training datasets.
The CNN extracts spatial features from the data (e.g. patterns in network traffic at a certain moment), while the LSTM tracks the temporal evolution of these features (e.g. how an attack unfolds over several points in time).
The combination of both networks enables highly accurate detection of complex and hidden attack patterns in the network.
But especially in the IoT context, good attack data is often lacking. Most models struggle to detect rare attacks and suffer from so-called “class imbalance.” In addition, many irrelevant or redundantly stored data points lead to high computational effort and slower learning.
Three-stage AI inspection system for reliable attack detection
In the recently published article in Scientific Reports on nature.com, “An attack detection method based on deep learning for internet of things”, scientists from the Naval University of Engineering in Wuhan, China, present a three-stage method designed to reliably detect cyberattacks on IoT devices at an early stage.
- Feature selection via genetic algorithm: Instead of evaluating all available network features, a so-called genetic search algorithm automatically selects those attributes that provide genuinely relevant clues about attacks. A genetic algorithm solves problems, especially complex optimization tasks, based on the principles of natural evolution. The core idea: many possible solutions are first generated at random (the “population”). Then, over several rounds (“generations”), the best solutions are selected, combined, and slightly altered (“crossover” and “mutation”), so that increasingly better solutions emerge over time. The resulting model is designed to learn faster and more efficiently and to require fewer resources.
- Equalization Loss v2 – preventing missed rare attacks: When training an AI model, learning is steered by the so-called “loss function.” Here the researchers use an enhanced variant: attacks that are particularly rare in the training dataset receive a higher “weight” during learning. This way, even rare attacks can be detected reliably without normal connections constantly being falsely flagged as dangerous.
- Combined CNN-LSTM model – considers both spatial and temporal aspects: The core deep learning model combines the strengths of two approaches:
  - CNNs analyze patterns that occur simultaneously – for example, which ports are addressed in parallel;
  - LSTMs analyze how network events evolve over time – i.e., attacks that unfold over many small, sequential actions. This makes it possible to identify complex, slow-moving, or particularly “silent” attacks.
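As an added illustration of the first stage (my own example, not code from the paper): a minimal genetic algorithm that searches for a feature subset on a constructed toy dataset, scoring each candidate subset with a cheap leave-one-out nearest-centroid classifier. The dataset, the fitness function, the population size and the per-feature penalty are my assumptions; the article does not give the paper's own fitness or parameters.

```python
import random

def make_dataset(n=120, seed=1):
    """Constructed toy set: 6 features per connection, label 1 = attack.
    Only columns 0 and 2 carry signal; the other four are pure noise."""
    rng = random.Random(seed)
    rows = []
    for i in range(n):
        y = i % 4 == 0                                # 25% attacks
        sig = [rng.gauss(3.0 if y else 0.0, 1.0), rng.gauss(-3.0 if y else 0.0, 1.0)]
        noise = [rng.gauss(0.0, 1.0) for _ in range(4)]
        rows.append(([sig[0], noise[0], sig[1]] + noise[1:], int(y)))
    return rows

def loo_centroid_accuracy(rows, mask):
    """Leave-one-out nearest-centroid accuracy on the masked columns (a cheap
    stand-in for a trained classifier; an empty mask means 'always class 0')."""
    cols = [i for i, bit in enumerate(mask) if bit]
    sums, counts = {0: [0.0] * len(cols), 1: [0.0] * len(cols)}, {0: 0, 1: 0}
    for x, y in rows:
        counts[y] += 1
        for i, c in enumerate(cols):
            sums[y][i] += x[c]
    correct = 0
    for x, y in rows:
        dist = {}
        for lbl in (0, 1):
            own = lbl == y                            # leave this point out
            cent = [(sums[lbl][i] - (x[c] if own else 0.0)) / (counts[lbl] - own)
                    for i, c in enumerate(cols)]
            dist[lbl] = sum((x[c] - cent[i]) ** 2 for i, c in enumerate(cols))
        correct += min(dist, key=dist.get) == y
    return correct / len(rows)

def fitness(rows, mask, penalty=0.02):
    """Accuracy minus a per-feature cost, so compact subsets are preferred."""
    return loo_centroid_accuracy(rows, mask) - penalty * sum(mask)

def evolve(rows, n_features, pop_size=12, generations=15, seed=7):
    """Bitmask population -> keep the fittest half -> crossover -> mutate."""
    rng = random.Random(seed)
    pop = [[rng.randint(0, 1) for _ in range(n_features)] for _ in range(pop_size)]
    for _ in range(generations):
        elite = sorted(pop, key=lambda m: fitness(rows, m), reverse=True)[:pop_size // 2]
        children = []
        while len(elite) + len(children) < pop_size:
            a, b = rng.sample(elite, 2)
            cut = rng.randint(1, n_features - 1)
            child = a[:cut] + b[cut:]                 # single-point crossover
            if rng.random() < 0.3:
                child[rng.randrange(n_features)] ^= 1 # bit-flip mutation
            children.append(child)
        pop = elite + children
    return max(pop, key=lambda m: fitness(rows, m))
```

Running `evolve(make_dataset(), 6)` returns a bitmask; the penalty is what drives the search away from the noise columns, which is the resource saving the article attributes to this stage.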
Validation with diverse test datasets
The method was tested with two internationally recognized datasets:
- NSL-KDD: An improved and streamlined version of KDD CUP99, simulating various real-world scenarios.
- CIC-IDS-2017: Contains real network data with a wide range of real-world attacks, especially from the IoT sector.
Both datasets are publicly available and have been benchmark standards for research and development of new security solutions for years.
Results: In their publication, the researchers report up to 99.8% hit rate with minimal false alarms
- On the NSL-KDD dataset, the system reportedly achieved a recognition rate (“accuracy”) of 99.21%, with similarly high values for precision and sensitivity;
- On the CIC-IDS-2017 dataset, even 99.83% was reached, with an extremely low false alarm rate of only 0.11%.
In direct comparison with established competing methods (classic machine learning, other deep learning solutions, complex sampling techniques), the new method proved consistently superior or at least equivalent, especially when it came to correctly detecting rare but dangerous attacks. An added benefit: Because the intelligent feature selection eliminates unnecessary computation, the approach is especially suitable, according to the researchers, for devices with limited resources – a crucial point for IoT endpoints, which often lack storage or processing power.
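As an added example for the rare-attack weighting described in the second stage above and for the rare-attack results reported here (my own code, not the paper's, and a simplified inverse-frequency stand-in for Equalization Loss v2 rather than an implementation of it): a one-feature logistic detector trained on a constructed 99:1 set, once with plain log-loss and once with the rare class up-weighted, comparing recall and false-alarm rate. The data, weighting scheme and training settings are my assumptions.

```python
import math
import random

def make_data(n_normal=990, n_attack=10, seed=5):
    """Constructed 1-D anomaly score per connection; label 1 = attack.
    The 99:1 ratio mirrors the class imbalance the article describes."""
    rng = random.Random(seed)
    data = [(rng.gauss(0.0, 1.0), 0) for _ in range(n_normal)]
    return data + [(rng.gauss(2.5, 1.0), 1) for _ in range(n_attack)]

def class_weights(data):
    """Inverse-frequency weights total / (2 * count): the rare class is
    scaled up so both classes contribute equally to the loss."""
    n1 = sum(y for _, y in data)
    n0 = len(data) - n1
    return {0: len(data) / (2 * n0), 1: len(data) / (2 * n1)}

def train(data, weights=None, epochs=300, lr=0.1):
    """Batch gradient descent on (weighted) log-loss for p = sigmoid(a*x + b)."""
    w = weights or {0: 1.0, 1: 1.0}
    a = b = 0.0
    for _ in range(epochs):
        ga = gb = 0.0
        for x, y in data:
            p = 1.0 / (1.0 + math.exp(-(a * x + b)))
            g = w[y] * (p - y)            # d(loss)/d(logit), scaled by class weight
            ga += g * x
            gb += g
        a -= lr * ga / len(data)
        b -= lr * gb / len(data)
    return a, b

def evaluate(data, a, b):
    """Return (recall on attacks, false-alarm rate on normal traffic)."""
    tp = fn = fp = tn = 0
    for x, y in data:
        pred = 1 if a * x + b > 0 else 0
        if y == 1:
            tp, fn = tp + pred, fn + 1 - pred
        else:
            fp, tn = fp + pred, tn + 1 - pred
    return tp / (tp + fn), fp / (fp + tn)

def compare():
    """Train once with plain log-loss and once with rare-class weighting."""
    data = make_data()
    return {"plain": evaluate(data, *train(data)),
            "weighted": evaluate(data, *train(data, class_weights(data)))}
```

Plain log-loss lets the detector score high accuracy by predicting “normal” almost everywhere; the weighted run buys recall on the rare class at the cost of more false alarms, which is the trade-off a loss design like the paper's has to manage.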
Learning protection mechanisms for rapidly growing digital infrastructure
With every smart LED lamp, every “intelligent” coffee machine, and every sensor in a factory, the attack surface for cybercriminals grows. At the same time, it is impossible to secure each component manually or keep all of them constantly up to date. Automated, learning protection mechanisms are therefore key to the future of our digital infrastructure, and the method presented here promises:
- Highly automated, AI-based detection of even sophisticated attacks;
- Very low false alarm rates – important to prevent “alarm fatigue” in operations;
- Real-time applicability even on resource-limited hardware;
- A modular technical approach that can be applied to further device categories and new attack techniques in the future.
Real-life tests still pending after benchmarking
The authors stress that they have so far worked exclusively with publicly available benchmark data. Next steps are already planned: expansion to various real IoT environments – from industrial robots to smart homes – and further optimization for mobile devices and edge-cloud scenarios.
Researchers satisfied with their results
According to the authors, the presented method is a major breakthrough for attack detection in IoT: by combining a sophisticated feature-filter mechanism with a modern deep learning architecture and smart error correction, it detects both common and rare attacks almost flawlessly – efficiently, robustly, and scalably.
(Source: Yu, Y., Fu, Y., Liu, T. et al. An attack detection method based on deep learning for internet of things. Sci Rep 15, 28812 (2025). https://www.nature.com/articles/s41598-025-14808-0)