This study proposes a focused and explainable multi-class intrusion detection system (IDS) to detect four web-based attacks (DDoS, SQL Injection, Cross-Site Scripting (XSS), and Brute Force) that are frequently encountered in IoT environments. Using the ML-Edge-IIoT dataset containing realistic and heterogeneous traffic scenarios, the relevant attack types are meticulously selected and relabeled to create a targeted classification environment. Five different machine learning models (Random Forest, XGBoost, LightGBM, TabNet, and LSTM) are implemented, and the highest success is achieved by the Random Forest model. The decisions of the model are interpreted by SHAP-based explainability analysis, and the protocol-level deterministic features that affect the detection performance are revealed. The system has proven its real-time operation with low latency and minimal resource consumption; in this context, the paper offers a structure that can be integrated into edge devices. To the best of our knowledge, this study presents the first explainable and multi-class IDS solution that focuses on these four web attack types in IoT systems.
IoT, web attack types, SQLi, XSS, Brute Force, DDoS
© IACyC is conducted under the administration of the CyberMACS Erasmus-Mundus Masters Programme. cybermacs.org