M.S. Applied Data Science - Capstone Chronicles 2025
simultaneously providing cybercriminals with a plethora of attack vectors from which to gain a foothold within an IoT network, steal data, disrupt processes and systems, lock down critical infrastructure, and erode trust with consumers. Typically, IoT devices operate with limited computational resources, oftentimes outdated firmware and software, and very often weak or non-existent authentication protocols. When all these factors combine, they provide the perfect opportunity for even the most inexperienced cybercriminals to wreak havoc on personal and corporate networks.

To protect IoT networks within a corporate setting, companies leverage Intrusion Detection Systems (IDS). These security mechanisms monitor network traffic and device behavior to identify unauthorized access, policy violations, and misuse of resources, and feed this information to a central Security Information and Event Management tool, which helps security analysts triage and respond to these threats in near real time. IDSs are typically separated into two types. The first category of IDS framework is known as rule-based: it requires the input of predefined attack patterns and attack signatures, and excels at identifying well-documented and previously known attack structures. The drawback of a rule-based IDS framework is that it is unable to respond to the constantly evolving nature of cyberattacks or to any previously unseen cyberattack, known as a 'zero-day attack' (IBM, 2023). Rule-based IDS frameworks require consistent manual updating by security professionals to remain effective at identifying malicious network traffic. The second IDS framework is known as anomaly-based (Hariharasubramanian, 2025). These frameworks establish a baseline of normal network traffic and then leverage ML and DL algorithms to detect deviations indicative of possibly malicious network traffic. These systems are highly adaptive and help to minimize the occurrence of false positives, which reduces the workload and documentation time spent by security analysts, allowing them to focus on responding to actual threats faster and more efficiently. Within the past 10 years, there has been a large shift towards anomaly-based IDS frameworks, leveraging the advancements in ML and DL techniques to handle the volume, velocity, and variable nature of IoT network traffic.

The Canadian Institute for Cybersecurity developed the CIC-IoT2023 dataset to replicate a realistic IoT network using 105 different devices, capturing normal network traffic along with 33 distinct cyberattacks spread across seven categories of attack type. A breakdown of the seven attack categories is as follows:

1. Denial of Service (DoS) - This type of attack floods network services with the goal of disrupting network availability and consuming bandwidth.
2. Distributed Denial of Service (DDoS) - Similar to DoS attacks; however, these involve coordinated multi-source attacks which amplify the effects of a DoS attack, with the goal of disrupting network traffic, consuming bandwidth, and subsequently removing services from the targeted network.
3. Reconnaissance Attacks - These attacks probe and scan networks to identify vulnerable systems, outdated software, or components that have known exploits.
4. Web-based Attacks - Attacks which exploit web applications and the Hyper-Text Transfer Protocol.
5. Spoofing - Attacks that mask their original source and appear as trusted entities through the forging of IP/MAC addresses and device-specific identifiers.
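The contrast between the two IDS types described above, as an added example that is not part of the capstone chronicle or of the CIC-IoT2023 dataset. The flow records, feature names and signature names (syn_flood, telnet_bruteforce) are constructed for illustration, and a simple per-feature z-score baseline stands in for the ML/DL models the text refers to: it learns what "normal" looks like from benign flows and flags deviations, so a traffic pattern that no hand-written rule covers is still surfaced.

```python
from dataclasses import dataclass
from statistics import mean, pstdev
from typing import Callable

# Added example, not part of the capstone text. Flow records and feature
# names below are constructed for illustration and only loosely resemble
# the flow features in CIC-IoT2023.

@dataclass(frozen=True)
class Flow:
    src: str          # source address (constructed)
    dst_port: int     # destination port
    packets: int      # packets observed in the flow window
    syn_ratio: float  # fraction of packets carrying only the SYN flag

NUMERIC_FEATURES = ("packets", "syn_ratio")

# --- Rule-based IDS: hand-written signatures for known attack patterns ------
# Hypothetical signature names; each rule must be written and maintained by hand.
RULES: dict[str, Callable[[Flow], bool]] = {
    "syn_flood": lambda f: f.syn_ratio > 0.9 and f.packets > 500,
    "telnet_bruteforce": lambda f: f.dst_port == 23 and f.packets > 200,
}

def rule_based_detect(flow: Flow) -> list[str]:
    """Return the names of every signature the flow matches (empty = no match)."""
    return [name for name, matches in RULES.items() if matches(flow)]

# --- Anomaly-based IDS: learn a baseline from benign traffic, flag outliers --
class ZScoreBaseline:
    """Per-feature mean/stddev baseline; a stand-in for an ML/DL anomaly model."""

    def __init__(self, benign: list[Flow], z_threshold: float = 3.0) -> None:
        self.z_threshold = z_threshold
        self.stats: dict[str, tuple[float, float]] = {}
        for feat in NUMERIC_FEATURES:
            values = [getattr(f, feat) for f in benign]
            sd = pstdev(values)
            # a constant feature would give a zero divisor; guard against it
            self.stats[feat] = (mean(values), sd if sd > 0 else 1e-9)

    def score(self, flow: Flow) -> float:
        """Largest per-feature deviation from the baseline, in standard deviations."""
        return max(abs(getattr(flow, feat) - mu) / sd
                   for feat, (mu, sd) in self.stats.items())

    def is_anomalous(self, flow: Flow) -> bool:
        return self.score(flow) > self.z_threshold

# Constructed benign baseline: 25 small HTTPS flows with low SYN ratios.
BENIGN = [Flow(f"10.0.0.{10 + i}", 443, pk, sr)
          for i, (pk, sr) in enumerate((p, s)
                                       for p in (40, 45, 50, 55, 60)
                                       for s in (0.05, 0.08, 0.10, 0.12, 0.15))]

# Constructed test traffic: a known attack pattern, a burst no rule covers, a benign flow.
TEST_FLOWS = {
    "known_syn_flood": Flow("10.0.0.77", 80, 2000, 0.98),
    "unseen_burst":    Flow("10.0.0.78", 8080, 600, 0.20),
    "benign":          Flow("10.0.0.5", 443, 52, 0.11),
}

def run_comparison(z_threshold: float = 3.0) -> dict[str, dict[str, object]]:
    """Run both detectors over TEST_FLOWS and return their verdicts side by side."""
    baseline = ZScoreBaseline(BENIGN, z_threshold)
    return {name: {"rules": rule_based_detect(flow),
                   "anomaly": baseline.is_anomalous(flow),
                   "z": round(baseline.score(flow), 1)}
            for name, flow in TEST_FLOWS.items()}

if __name__ == "__main__":
    for name, result in run_comparison().items():
        print(f"{name:16s} rules={result['rules']!s:14s} "
              f"anomaly={result['anomaly']} z={result['z']}")
```

The known SYN flood is caught by both detectors, while the unseen burst matches no signature and is only caught by the baseline, which is the zero-day gap the text describes. The z-threshold is the tuning knob that sets the false-positive rate: lowering it far enough makes the benign flow anomalous too, which is why a deployed anomaly model is calibrated against a representative baseline rather than left at a default.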