ISSN :2582-9793

Enhancing IoT Security Using Ensemble Based Feature Selection

Original Research (Published On: 24-Jan-2026 )
DOI : https://doi.org/10.54364/AAIML.2026.61271

Tahani Alkhudaydi and Wedad Alahamade

Adv. Artif. Intell. Mach. Learn., 6 (1):4891-4907

1. Tahani Alkhudaydi: Department of Computer Science | University of Tabuk, Tabuk, 47713 Saudi Arabia

2. Wedad Alahamade: Computer Science and Information Department Applied College, Taibah University, Madinah 41461, Saudi Arabia

Article History: Received on: 05-Oct-25, Accepted on: 17-Jan-26, Published on: 24-Jan-26

Corresponding Author: Tahani Alkhudaydi

Email: talkhudaydi@ut.edu.sa

Citation: Tahani Alkhudaydi and Wedad O. Alahamade. Enhancing IoT Security Using Ensemble Based Feature Selection. Advances in Artificial Intelligence and Machine Learning. 2026;6(1):271. https://dx.doi.org/10.54364/AAIML.2026.61271


Abstract

    

The massive heterogeneity of Internet-of-Things (IoT) traffic makes intrusion-detection systems (IDS) especially vulnerable to the severe class imbalance that dominates real-world attack logs. Using the recent CICIoT2023 benchmark, which captures 47 flow features for 33 attack types launched by 105 physical devices, we first show that two widely adopted baselines (XGBoost and RF trained on the full data) attain overall accuracy above 99% yet fail on minority attacks. This failure drives the macro-averaged F1 score down to 79%. To remedy this, we introduce the Attack-aware Feature Aggregation Model (AFAM). AFAM (i) partitions the training data by high-level attack domain, (ii) applies homogeneous feature selection within each partition with RF and XGBoost, and (iii) aggregates the per-domain rankings via a maximum operator before retraining a global classifier. With the top-30 aggregated features and an XGBoost decision engine, AFAM boosts macro precision/recall/F1 to 96.4%, 87.3%, 90.8%, while preserving ≥ 99.% accuracy on majority classes. Minority classes benefit most: F1 rises from 11.% to 67.% on Uploading_Attack and from 19.% to 71.% on Recon-PingSweep. A feature-importance analysis further reveals how imbalance skews conventional rankings and how AFAM recovers the critical predictors for rare threats. These results show that aggregating attack-based features can improve performance on heavily imbalanced IoT datasets. The proposed method therefore helps build more resilient IDS deployments.
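The partition, select, and max-aggregate steps described in the abstract can be sketched as follows. This is an added example, not the authors' code: a simple mean-gap score stands in for the RF and XGBoost importances, the flow data is constructed, and all function names and the "each partition is benign plus one attack domain" layout are assumptions.

```python
import random
from statistics import mean, pvariance

def score(benign, attack):
    """Stand-in importance per feature: |mean gap| / pooled std (not RF/XGBoost)."""
    out = []
    for j in range(len(benign[0])):
        a = [r[j] for r in benign]
        b = [r[j] for r in attack]
        out.append(abs(mean(a) - mean(b)) / (pvariance(a) + pvariance(b) + 1e-9) ** 0.5)
    top = max(out)
    return [s / top for s in out]  # normalise so domains are comparable

def afam_rank(benign, attacks_by_domain, k):
    """Score features inside each attack domain, then keep the max per feature."""
    per_domain = {d: score(benign, rows) for d, rows in attacks_by_domain.items()}
    agg = [max(s[j] for s in per_domain.values()) for j in range(len(benign[0]))]
    order = sorted(range(len(agg)), key=lambda j: -agg[j])
    return order[:k], agg

def global_rank(benign, attacks_by_domain, k):
    """Baseline: one ranking over all attacks pooled, so large domains dominate."""
    pooled = [r for rows in attacks_by_domain.values() for r in rows]
    s = score(benign, pooled)
    return sorted(range(len(s)), key=lambda j: -s[j])[:k], s

def make_rows(rng, n, shifted_feature=None, n_features=6):
    """Constructed flows: Gaussian noise, one feature shifted for an attack domain."""
    rows = []
    for _ in range(n):
        r = [rng.gauss(0, 1) for _ in range(n_features)]
        if shifted_feature is not None:
            r[shifted_feature] += 5.0
        rows.append(r)
    return rows

def demo():
    rng = random.Random(0)
    benign = make_rows(rng, 500)
    # Feature 0 marks the majority domain, feature 1 the rare one (20 flows).
    attacks = {"DDoS": make_rows(rng, 2000, 0), "Recon": make_rows(rng, 20, 1)}
    return afam_rank(benign, attacks, 2), global_rank(benign, attacks, 2)

if __name__ == "__main__":
    (afam_top, agg), (glob_top, glob) = demo()
    print("AFAM top-2:", afam_top, "score of rare-domain feature:", round(agg[1], 3))
    print("global top-2:", glob_top, "score of rare-domain feature:", round(glob[1], 3))
```

In the pooled ranking the rare domain's predictor scores near zero because its 20 flows are swamped by the majority domain; the per-domain maximum keeps it at full weight.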
