M.S. Applied Data Science - Capstone Chronicles 2025


issues within IoT environments. Erksine (2025) leveraged the CIC-IoT2023 dataset to develop this dual-component model and tested its performance on the 34-class categorization experiment, choosing to forgo the 8-category and binary classification tasks in favor of a more granular assessment of attack type. Additionally, Erksine (2025) included decision tree (DT) and support vector machine (SVM) models as comparative baselines, contributing to the advancement and implementation of traditional machine learning models in intrusion detection. The newly developed DLMIDPSM reported strong performance metrics, outperforming baseline models from previous studies: across 80 training epochs it reached 85% overall accuracy and a precision of 99%, emphasizing its strength in reducing the false positive rate even across 34 classes. The baseline DT model reported precision values around 74% depending on the class, while the SVM models achieved a precision of roughly 83% depending on the class of attack. Erksine (2025) highlighted the strength of hybrid deep learning and machine learning models in enabling granular attack-type classification within large-scale IoT environments.

3.4 A Computational Framework for IoT Security Integrating Deep Learning Based Semantic Algorithms for Real Time Threat Response

Real-time IoT defense benefits from combining accurate pattern learning with contextual semantics to keep alerts actionable under latency and resource constraints (Patel et al., 2025). The framework pairs temporal-spatial deep learning with a compact semantic layer: CNNs learn flow-level spatial patterns, LSTMs capture sequential dynamics, and a knowledge-graph module contributes device roles, typical peers, and protocol relations (Patel et al., 2025). At inference, flows are scored by the CNN-LSTM and then re-scored with device context to suppress routine behavior and prioritize truly risky activity. Validation on CIC-IoT2023 and a custom IoT testbed demonstrates high detection performance with low-latency processing suitable for deployment (Neto et al., 2023; Patel et al., 2025). Contemporary reviews similarly emphasize AI-enabled anomaly detection and a trend toward hybrid designs that combine learning and context to curb false positives and improve operational usefulness (Kohli & Chhabra, 2025; Ofusori et al., 2024).

3.5 Device Identification and Anomaly Detection in IoT Environments

Different device types, such as cameras, thermostats, and PLCs, exhibit distinct behavioral patterns; treating them identically drives false alarms (Kohli & Chhabra, 2025). The pipeline first identifies the device (or device class) from stable fingerprints (e.g., service usage and timing patterns). The identified class then selects class-aware anomaly models and thresholds tuned to expected behavior. For each device class, the model learns common rhythms (polling intervals, request-response cadence, flow length) and flags departures that match reconnaissance, brute force, web exploits, spoofing, or DDoS (distributed denial of service) (Neto et al., 2023). The identification step also feeds the semantic layer (e.g., an edge camera typically communicates via RTSP/HTTPS with an NVR), which helps ignore routine updates while elevating unusual cross-segment traffic (Patel et al., 2025). Performance is reported using per-device F1, class-conditional ROC-AUC, mean time-to-detection, and the proportion of alerts accompanied by explanations for analysts. LSTM-based baselines on CIC-IoT2023 provide a strong temporal benchmark for comparison (Jony & Arnob, 2024; Kohli & Chhabra, 2025).
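The identify-then-score pipeline of 3.5, together with the device-context re-scoring step of 3.4, as an added worked example in Python. This is illustrative code written for this page, not the implementation from Patel et al. (2025), Kohli & Chhabra (2025), or any model trained on CIC-IoT2023. The device fingerprints, knowledge-graph relations (expected peers and protocols), per-class thresholds and every flow record are constructed, and the CNN-LSTM scorer of 3.4 is stood in for by a per-class z-score over two flow features so that the re-scoring and the per-device F1 reporting can be followed end to end.

```python
"""Class-aware IoT anomaly detection with a semantic re-scoring layer.
Added illustration of the pipeline in sections 3.4 and 3.5; not code from Patel
et al. (2025), Kohli & Chhabra (2025) or any project the page describes. All
profiles, thresholds and flow records are constructed for the example."""
from dataclasses import dataclass
from statistics import mean, pstdev

# Constructed per-class profile: fingerprint (service ports, inter-flow gap in s) + graph context.
PROFILES = {
    "camera": dict(ports={554, 443}, gap_s=(0.0, 2.0), peers={"nvr"}, protos={"rtsp", "https"}),
    "thermostat": dict(ports={8883}, gap_s=(30.0, 120.0), peers={"cloud-broker"}, protos={"mqtt"}),
    "plc": dict(ports={502}, gap_s=(0.5, 5.0), peers={"scada-hmi"}, protos={"modbus"}),
}
CLASS_THRESHOLDS = {"camera": 3.0, "thermostat": 2.5, "plc": 2.0, "unknown": 1.5}
ROUTINE_DAMPING, UNEXPECTED_PEER_BOOST, UNEXPECTED_PROTO_BOOST = 0.5, 3.0, 1.0

@dataclass
class Flow:
    ports: set         # destination ports this device is seen using
    mean_gap_s: float  # mean gap between this device's flows, in seconds
    dst: str           # destination role label, e.g. "nvr"
    proto: str         # application protocol label
    bytes: int         # bytes in the flow
    rate: float        # flows per minute from this device
    label: int = 0     # constructed ground truth: 1 = attack, 0 = benign

def identify_device(ports, mean_gap_s):
    """Map service usage and timing pattern to a device class, or 'unknown'."""
    for cls, p in PROFILES.items():
        if ports & p["ports"] and p["gap_s"][0] <= mean_gap_s <= p["gap_s"][1]:
            return cls
    return "unknown"

def fit_baselines(benign_flows):
    """Per-class (mean, std) of each feature, learned from benign traffic only."""
    grouped, baselines = {}, {}
    for f in benign_flows:
        grouped.setdefault(identify_device(f.ports, f.mean_gap_s), []).append(f)
    for cls, flows in grouped.items():
        cols = {feat: [getattr(f, feat) for f in flows] for feat in ("bytes", "rate")}
        baselines[cls] = {feat: (mean(v), pstdev(v)) for feat, v in cols.items()}
    return baselines

def rescore(flow, cls, score):
    """Re-weight the learned score with device context (the semantic layer of 3.4)."""
    p = PROFILES.get(cls)
    if p is None:
        return score
    if flow.dst not in p["peers"]:     # cross-segment peer the class never talks to
        return score + UNEXPECTED_PEER_BOOST
    if flow.proto not in p["protos"]:  # known peer, but a protocol the class never uses
        return score + UNEXPECTED_PROTO_BOOST
    return score * ROUTINE_DAMPING     # expected peer and protocol: routine, suppress

def detect(flow, baselines):
    """identify -> class-aware z-score -> semantic re-score -> class threshold."""
    cls = identify_device(flow.ports, flow.mean_gap_s)
    if cls in baselines:  # largest |z| over the class's own feature baselines
        score = max(abs(getattr(flow, feat) - mu) / (sd or 1.0)
                    for feat, (mu, sd) in baselines[cls].items())
    else:                 # no profile for this class: always surface for review
        score = CLASS_THRESHOLDS["unknown"] + 1.0
    threshold = CLASS_THRESHOLDS.get(cls, CLASS_THRESHOLDS["unknown"])
    return cls, int(rescore(flow, cls, score) > threshold)

def per_class_f1(flows, results):
    """F1 per device class, the per-device metric the reviewed work reports."""
    f1 = {}
    for cls in {c for c, _ in results}:
        pairs = [(pred, f.label) for f, (c, pred) in zip(flows, results) if c == cls]
        tp, fp, fn = (pairs.count(t) for t in ((1, 1), (1, 0), (0, 1)))
        prec = tp / (tp + fp) if tp + fp else 0.0
        rec = tp / (tp + fn) if tp + fn else 0.0
        f1[cls] = 2 * prec * rec / (prec + rec) if prec + rec else 0.0
    return f1

# Constructed traffic: one template per device, benign fitting rows, labelled eval rows.
CAM = dict(ports={554, 443}, mean_gap_s=0.5, dst="nvr", proto="rtsp")
THERMO = dict(ports={8883}, mean_gap_s=60.0, dst="cloud-broker", proto="mqtt")
PLC = dict(ports={502}, mean_gap_s=1.0, dst="scada-hmi", proto="modbus")
BENIGN = [Flow(**t, bytes=b, rate=r) for t, rows in (
    (CAM, [(50000, 58.0), (52000, 62.0), (48000, 60.0), (51000, 61.0), (49000, 59.0)]),
    (THERMO, [(200, 1.0), (210, 1.2), (190, 0.8), (205, 1.1), (195, 0.9)]),
    (PLC, [(100, 20.0), (110, 22.0), (90, 18.0), (105, 21.0), (95, 19.0)]),
) for b, r in rows]
EVAL = [
    Flow(**CAM, bytes=51000, rate=61.0),                                     # routine stream
    Flow(**{**CAM, "dst": "cloud-broker"}, bytes=50500, rate=60.0, label=1),  # unexpected peer
    Flow(**THERMO, bytes=205, rate=1.1),                                     # routine telemetry
    Flow(**THERMO, bytes=200, rate=40.0, label=1),                           # request burst
    Flow(**PLC, bytes=105, rate=21.0),                                       # routine polling
    Flow(**PLC, bytes=100, rate=200.0, label=1),                             # polling flood
    Flow(**{**PLC, "proto": "http"}, bytes=100, rate=20.0, label=1),         # unexpected protocol
]

def run_pipeline(benign=BENIGN, flows=EVAL):
    """Fit on benign traffic, score flows; return [(class, alert)] and per-class F1."""
    baselines = fit_baselines(benign)
    results = [detect(f, baselines) for f in flows]
    return results, per_class_f1(flows, results)
```

Two design points are worth noting. The routine camera and thermostat flows land well under their class thresholds only because the baselines are class-specific: a single global threshold sized for the camera's byte volume would never notice the thermostat's burst, which is the false-alarm versus missed-detection trade-off section 3.5 attributes to treating devices identically. The PLC flow over HTTP is deliberately left undetected: its volume features are in profile, so only the semantic layer raises it, and not past the PLC threshold. Per-device F1 exposes that gap (PLC scores two thirds while the other classes score 1.0), whereas an aggregate accuracy over all flows would hide it.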
