A Hybrid Intrusion Detection Framework for Energy-Constrained IOT Devices

Anam Haider Khan

doi:10.20944/preprints202602.1715.v1

Submitted:

16 February 2026

Posted:

27 February 2026

You are already at the latest version

Abstract

The widespread adoption of Internet of Things (IoT) devices has enabled transformative applications acrossindustries, yet it has also introduced significant security vulnerabilities, especially in energy-constrainedenvironments. Conventional intrusion detection systems (IDS) often impose high computational and energyoverheads, limiting their applicability in IoT networks. This paper presents a hybrid intrusion detection frameworkspecifically designed for energy-limited IoT devices, combining signature-based detection, anomaly detection, andlightweight machine learning techniques. The framework ensures effective detection without sacrificing devicelongevity by utilizing cloud-based resources for advanced threat intelligence and edge computing for real-time localanalysis. Comparing the suggested framework to current IDS techniques, experimental assessments on benchmarkIoT datasets show that it delivers better detection accuracy, lower false positive rates, and improved energyconsumption. The findings show that a hybrid, energy-aware IDS can successfully protect IoT networks from avariety of cyberthreats, providing a scalable and useful solution for both consumer and industrial IoT deployments.

Keywords:

internet of things (IoT)

;

hybrid intrusion detection system (IDS)

;

energy-constrained devices

;

machine learning

;

edge computing

;

anomaly detection

;

cybersecurity

Subject:

Computer Science and Mathematics - Computer Science

I. Introduction

The Internet of Things (IoT) has emerged as a transformative technology, connecting billions of devices across industrial, commercial, and consumer domains. From smart homes to industrial automation, IoT devices continuously collect, transmit, and process critical data, enabling enhanced operational efficiency and real-time decision-making (Sicari et al., 2015; Alrawashdeh & Purdy, 2019). However, the rapid proliferation of IoT networks has also heightened their vulnerability to cybersecurity threats, including denial-of-service (DoS) attacks, malware infiltration, spoofing, and data exfiltration (Amin et al., 2020). These threats are particularly concerning for resource-constrained IoT devices, which often lack sufficient computational power, memory, and energy to implement conventional security measures (Dos Santos et al., 2019).

Intrusion detection systems (IDS) have become a critical tool for monitoring and safeguarding IoT networks. Traditional IDS solutions—such as signature-based or anomaly-based systems—often struggle to balance detection accuracy with energy efficiency, limiting their suitability for low-power IoT deployments (Chen et al., 2020). To overcome these limitations, hybrid IDS frameworks that combine multiple detection strategies, including machine learning–based anomaly detection, are gaining attention. Such hybrid approaches aim to enhance threat detection while minimizing energy consumption and latency (Alauthman et al., 2021).

The motivation for this study arises from the need to develop an energy-aware, hybrid intrusion detection framework capable of securing IoT networks without overburdening device resources. The proposed framework leverages edge computing to process data locally, thereby reducing energy-intensive cloud communication, and integrates both signature-based and anomaly-based detection methods to improve threat identification and reduce false positives.

Objectives of the study include:

Designing a hybrid intrusion detection framework tailored for energy-constrained IoT devices.
Implementing a combination of signature-based, anomaly-based, and lightweight machine learning detection techniques.
Evaluating the framework’s performance in terms of detection accuracy, false positive rate, and energy efficiency using benchmark IoT datasets.

By addressing these objectives, the study contributes to both IoT security research and practical deployment strategies for energy-efficient, scalable intrusion detection in resource-limited environments.

II. Literature Review

The rapid expansion of connected devices and their inherent resource constraints have made securing Internet of Things (IoT) networks a critical research priority. Traditional intrusion detection systems (IDS), particularly signature-based methods, rely on predefined attack signatures to identify threats. While effective against known attacks, these systems often struggle to detect novel or zero-day threats in dynamic IoT environments, and their reliance on significant memory and computational power makes them unsuitable for low-energy devices (Chen et al., 2020; Dos Santos et al., 2019).

Anomaly-based IDS methods offer an alternative by monitoring deviations from expected behavior. These systems are capable of identifying previously unknown attacks, thereby strengthening IoT network security (Alauthman et al., 2021). However, they are prone to high false positive rates, especially in heterogeneous and rapidly changing IoT networks, which can result in unnecessary energy consumption and additional system overhead (Alrawashdeh & Purdy, 2019). To overcome these limitations, hybrid IDS models have been proposed that integrate signature-based and anomaly-based approaches, aiming to capitalize on the strengths of each while minimizing their weaknesses (Amin et al., 2020).

Machine learning (ML) techniques have further advanced IDS capabilities in IoT networks. Unsupervised methods such as clustering and autoencoders are effective in detecting unknown threats, while supervised algorithms like support vector machines (SVM) and random forests have shown strong accuracy in identifying known attack patterns (Kumar et al., 2021; Zhang et al., 2020). Lightweight ML models are particularly suitable for energy-constrained IoT devices, offering a practical balance between detection performance and resource efficiency. Integrating ML with hybrid IDS frameworks enables real-time threat detection and adaptive learning, enhancing overall system resilience (Naseer et al., 2021).

Energy efficiency remains a major challenge in IoT security. Conventional IDS designs often prioritize detection accuracy without accounting for the energy demands of computation and communication. Edge computing addresses this concern by processing data locally at gateways or edge nodes, reducing the need for energy-intensive transmissions to central servers (Aburomman & Al-Qerem, 2020). Combining edge computing with hybrid ML-enabled IDS frameworks enhances security while extending the operational lifespan of IoT devices.

Despite these advancements, notable research gaps persist. Many existing IDS frameworks are either resource-intensive or limited in their capacity to detect multi-stage and evolving attacks. There is a clear need for a comprehensive, energy-aware hybrid IDS that integrates signature-based, anomaly-based, and ML-based techniques while optimizing energy consumption for constrained IoT devices. Developing such solutions is crucial for achieving scalable, robust, and practical security in next-generation IoT applications.

III. Threat Landscape in IoT Networks

IoT networks are inherently heterogeneous, comprising devices with varying capabilities, communication standards, and application requirements. This diversity, combined with limited computational and energy resources, creates an extensive attack surface that adversaries can exploit. A thorough understanding of this threat landscape is crucial for developing effective intrusion detection systems (IDS), particularly those optimized for energy-constrained IoT environments.

A. Common IoT Attack Types

Denial of Service (DoS) DoS attacks target the computational or network resources of IoT devices, rendering them inaccessible to legitimate users. Even low-intensity attacks can severely disrupt resource-limited devices due to restricted memory, processing capacity, and battery life (Amin et al., 2020). Distributed Denial of Service (DDoS) attacks, which utilize multiple compromised devices, magnify the impact and are becoming increasingly prevalent in large-scale IoT deployments (Sicari et al., 2015).
Replay and Spoofing Attacks Spoofing attacks occur when an attacker impersonates a legitimate IoT device to gain unauthorized access to the network. Replay attacks involve intercepting legitimate communications and retransmitting them to create false events or trigger undesired actions. Both attack types exploit weak authentication mechanisms and the limited processing capabilities of many IoT devices, which often cannot support advanced cryptographic protocols (Chen et al., 2020; Dos Santos et al., 2019).
Malware Propagation IoT devices are susceptible to malware that can spread across networks, disrupt operations, or exfiltrate sensitive data. Notable examples, such as the Mirai malware and its variants, illustrate the potential damage of IoT-targeted attacks, particularly in networks with weak defenses (Alrawashdeh & Purdy, 2019). Energy-limited devices are especially vulnerable, as malware infection can quickly drain resources, causing device malfunction or shutdown.
Data Exfiltration Data exfiltration refers to the unauthorized extraction of sensitive information from IoT devices, including sensor data, personal information, and operational metrics. Since IoT networks are often deployed in critical sectors like healthcare, industrial automation, and smart cities, they are attractive targets for attackers seeking valuable data. Detecting subtle exfiltration attempts can be challenging for traditional IDS solutions without imposing significant computational or energy costs (Kumar et al., 2021).

B. Limitations of Existing IDS in Energy-Constrained IoT

IoT environments pose unique challenges for IDS due to device heterogeneity, limited energy capacity, and constrained computational power. Signature-based IDS are ineffective against unknown threats and require frequent updates, which can increase energy consumption (Alauthman et al., 2021). Anomaly-based IDS can identify novel attacks but often produce high false positive rates, leading to unnecessary resource usage (Aburomman & Al-Qerem, 2020). Many machine learning–based IDS approaches also demand substantial processing and memory resources, making them impractical for deployment on low-power IoT devices (Naseer et al., 2021). These challenges underscore the need for hybrid, energy-aware IDS frameworks that integrate multiple detection strategies while optimizing resource utilization, ensuring robust and sustainable security for IoT networks.

IV. Proposed Hybrid Intrusion Detection Framework

Securing energy-constrained IoT networks requires a framework that balances detection accuracy, computational efficiency, and energy consumption. To address these requirements, this study proposes a hybrid intrusion detection framework that integrates signature-based, anomaly-based, and machine learning detection techniques while leveraging edge and cloud computing to optimize resource usage. The proposed framework is designed to provide comprehensive threat detection, energy efficiency, and scalability for diverse IoT deployments.

A. Framework Architecture

The proposed framework consists of three interconnected layers: Sensor Layer, Edge Processing Layer, and Cloud/Server Layer.

Sensor Layer The sensor layer comprises resource-constrained IoT devices equipped with basic sensing, processing, and communication capabilities. Devices at this layer collect raw data, including network traffic, system logs, and environmental parameters. Given the limited computational power and energy availability, minimal processing occurs locally, primarily focused on lightweight preprocessing tasks such as data filtering, feature extraction, and packet summarization (Chen et al., 2020). The sensor layer is also responsible for encrypting data to ensure secure transmission to the edge layer without imposing significant energy overhead.
Edge Processing Layer Edge nodes, typically IoT gateways or micro-servers, act as intermediaries between the sensor layer and the cloud. They perform local analysis to detect suspicious activities in real-time, reducing the need to transmit large volumes of data to centralized servers. The edge layer executes lightweight signature-based detection for known threats and preliminary anomaly detection to flag unusual patterns. By handling initial threat detection locally, energy-intensive cloud communication is minimized, preserving the battery life of IoT devices (Aburomman & Al-Qerem, 2020). Additionally, edge nodes can aggregate data from multiple devices, enabling collaborative detection and reducing false positives.
Cloud/Server Layer The cloud layer provides advanced analytics, machine learning-based detection, and historical threat intelligence. This layer executes resource-intensive tasks, including deep learning-based anomaly detection and model training for predictive threat identification. By offloading complex computations to the cloud, the framework avoids overloading energy-constrained devices. Moreover, the cloud maintains a centralized repository of known attack signatures, model updates, and system-wide threat statistics, which are periodically synchronized with edge nodes to enhance detection accuracy (Alauthman et al., 2021).

B. Detection Methodologies

Detection Based on Signatures By comparing incoming data to a database of attack signatures, signature-based intrusion detection systems (IDS) detect known attacks. This technique works well for identifying known threats including replay attacks, DoS attack patterns, and malware signatures. Signature-based detection in the suggested architecture mainly functions at the edge layer to offer quick response times while preserving device energy. Frequent updates to signature databases guarantee the timely detection of newly discovered threats.
Detection of Anomalies Deviations from typical network or device behavior are found via anomaly-based detection. This technique is crucial for identifying unidentified threats or zero-day assaults. Using statistical and rule-based methods, the edge layer keeps an eye on sensor data, device activity, and traffic patterns in order to identify anomalies. The approach maintains high detection sensitivity while reducing false positives by combining cloud-based model validation with local anomaly detection (Zhang et al., 2020).
Integration of Machine Learning The framework’s capacity to identify intricate and dynamic threats is improved by machine learning (ML) approaches. To categorize known threats, supervised learning models—like random forests and support vector machines—are trained on past IoT traffic. Unsupervised models, such as autoencoders and clustering, can detect abnormal behavior without the need for labeled datasets. For computational efficiency, machine learning models are implemented at the cloud layer, and lightweight versions are sent to edge nodes for local inference in real time. Adaptive learning and ongoing detection accuracy improvement are made possible by the inclusion of ML (Naseer et al., 2021).

C. Energy Optimization Strategies

Energy efficiency is a core design principle of the framework. Strategies include:

Edge computing: Reduces energy-intensive data transmission to the cloud.
Lightweight preprocessing: Filters and aggregates data locally to minimize communication overhead.
Adaptive sampling: Dynamically adjusts sensing and reporting frequency based on network activity and threat levels.
Hierarchical processing: Assigns tasks to layers based on resource availability, ensuring that energy-constrained devices handle minimal computation (Aburomman & Al-Qerem, 2020).

D. Threat Response and Mitigation

The framework incorporates a multi-tiered response strategy:

Local containment: Edge nodes can isolate compromised devices or block malicious traffic in real-time.
Alert propagation: Suspicious activities are reported to the cloud for centralized analysis and correlation.
Automated mitigation: Based on detection confidence, the system can trigger automated actions, such as updating firewall rules, adjusting device configurations, or deploying patches.
Feedback loop: Threat intelligence and updated ML models are synchronized back to edge nodes to enhance future detection and response (Alauthman et al., 2021).

By combining layered architecture, hybrid detection methods, and energy-aware strategies, the proposed framework offers a scalable, robust, and efficient solution for securing IoT networks against diverse cyber threats while respecting the limitations of energy-constrained devices.

V. Methodology & Experimental Setup

This study evaluates the proposed hybrid intrusion detection framework for energy-constrained IoT devices through a comprehensive experimental methodology. The methodology encompasses dataset selection, preprocessing, simulation environment setup, experimental design, performance metrics, and implementation specifics to ensure reproducibility and robust analysis.

A. Dataset Selection and Preprocessing

Benchmark IoT intrusion detection datasets, such as NSL-KDD, UNSW-NB15, and IoT-23, are used in the experiments. These datasets offer labeled traffic data for various attack types, including spoofing, malware propagation, denial of service (DoS), and data exfiltration (Moustafa & Slay, 2015; Lashkari et al., 2018). These datasets were chosen because of their thorough coverage of resource-constrained device behavior and IoT-specific attack scenarios. Data cleaning to eliminate duplication and inconsistencies, normalization of numerical characteristics, and one-hot encoding of categorical features are examples of preprocessing procedures. Supervised and unsupervised learning methods are made possible by separating the attack and normal samples for anomaly detection. For energy-constrained IoT devices, feature selection techniques like Principal Component Analysis (PCA) are used to decrease computational cost and reduce dimensionality.

B. Simulation Environment and Tools

The experimental environment is built using Python 3.10 with libraries such as scikit-learn, TensorFlow, and Keras for machine learning model implementation. Network simulation is performed using Cooja Simulator and NS-3 to emulate IoT communication patterns, including sensor-to-edge and edge-to-cloud data flows. Energy consumption is measured using a simulated battery model integrated into the network simulator, allowing evaluation of energy efficiency for each detection approach. The edge processing layer is modeled with limited CPU and memory constraints, while the cloud layer assumes high-performance computing resources for ML training and advanced analytics.

C. Experimental Design

The evaluation is structured to test the hybrid detection framework under realistic IoT network conditions. The experiments include:

Signature-Based Detection Testing – Edge nodes perform signature matching on incoming traffic against a database of known attack patterns.
Anomaly-Based Detection Testing – Edge nodes detect deviations from baseline behavior using statistical methods and lightweight unsupervised ML models.
Machine Learning Integration – Cloud nodes train supervised and unsupervised ML models using historical datasets. Trained models are deployed to edge nodes for inference, and performance is evaluated under varying traffic loads and attack intensities.

The experiments simulate multiple attack scenarios, including simultaneous multi-type attacks, to assess framework robustness. Each experiment is repeated five times to ensure statistical validity, and results are averaged.

D. Performance Metrics

The framework is evaluated using detection accuracy (DA), false positive rate (FPR), and energy consumption (EC):

Detection Accuracy (DA): Measures the proportion of correctly identified instances (both attacks and normal traffic) over the total number of instances.

D A = \frac{T P + T N}{T P + T N + F P + F N} \times 100

Where:

TP = True Positives
TN = True Negatives
FP = False Positives
FN = False Negatives

False Positive Rate (FPR): Represents the fraction of normal instances incorrectly classified as attacks.

F P R = \frac{F P}{F P + T N} \times 100

Energy Consumption (EC): Computed as the total energy used by sensor and edge devices for data collection, processing, and transmission during the experiment.

{E C}_{t o t a l} ​ = \sum_{i = 1}^{n} {(E}_{s e n s e, i} + E_{p r o c e s s, i} + E_{t r a n s m i t, i})

Where

E_{s e n s e, i}

,

E_{p r o c e s s, i}

and

E_{t r a n s m i t, i}

denote the energy consumption for sensing, local processing, and transmission of the iii-th IoT device, respectively. Energy consumption is reported in mJ per detection cycle.

E. Implementation Details

The hybrid IDS framework is implemented with modular design:

Sensor Layer: Implements lightweight feature extraction and encryption for secure data transmission.
Edge Layer: Performs signature-based and anomaly detection using Python scripts and Scikit-learn models, ensuring minimal computational overhead. Edge nodes use sliding window mechanisms to batch traffic for efficient processing.
Cloud Layer: Hosts machine learning models for training and deployment. Supervised models include Random Forest (RF) and Support Vector Machine (SVM) classifiers, while unsupervised models include autoencoders and k-means clustering for anomaly detection. The cloud layer periodically updates edge nodes with model parameters to maintain detection accuracy.

Energy optimization strategies are embedded at multiple levels. Adaptive sampling reduces unnecessary sensing during low activity periods. Hierarchical processing ensures computationally intensive tasks are offloaded to cloud resources. Data aggregation at edge nodes minimizes network transmission. The implementation integrates logging, alert generation, and automated threat mitigation routines to evaluate practical applicability in real-time scenarios.

This experimental setup provides a comprehensive evaluation of the proposed hybrid intrusion detection framework, allowing simultaneous assessment of detection accuracy, false positives, and energy efficiency under realistic IoT network conditions. The methodology ensures that results are reproducible, scalable, and directly applicable to energy-constrained IoT environments

VI. Results & Discussion

The performance of the proposed hybrid intrusion detection framework was evaluated across detection accuracy, false positive rate, and energy consumption, under simulated IoT network conditions. The experiments included multiple attack types—DoS, spoofing, malware propagation, and data exfiltration—using benchmark datasets (NSL-KDD, UNSW-NB15, IoT-23). Results are analyzed quantitatively and compared with existing IDS approaches.

A. Detection Performance Analysis

The hybrid framework demonstrates high detection accuracy across all attack types. Table 1 summarizes the performance metrics:

Figure 1 illustrates the detection accuracy for different attack types. The hybrid framework achieves average detection accuracy of 92.75%, outperforming standalone signature-based or anomaly-based IDS. The combination of local edge detection and cloud-based ML models allows the framework to identify both known and novel attacks effectively, reducing missed detections. False positives remain low due to the feedback loop between edge and cloud layers, which refines detection thresholds dynamically.

B. Energy Consumption Analysis

Energy efficiency was evaluated by measuring total energy consumed per detection cycle for sensor and edge devices. Table 2 presents energy consumption under different processing scenarios:

Figure 2 shows energy consumption comparison between the proposed framework and traditional IDS. Results indicate that the hybrid framework reduces energy usage by 30–40% compared to cloud-only ML approaches. Edge computing and data aggregation minimize transmission overhead, while adaptive sampling ensures devices are active only when needed, significantly conserving battery life.

C. Comparative Analysis with Existing IDS

The proposed framework was compared with three representative IDS approaches: signature-based IDS, anomaly-based IDS, and cloud ML IDS. Table 3 summarizes the comparative analysis:

D. Limitations and Observations

Despite strong performance, several limitations were observed:

Edge Dependency: Heavy reliance on edge nodes may lead to bottlenecks if multiple attacks occur simultaneously across numerous devices.
Dataset Limitations: Benchmark datasets may not capture all real-world IoT traffic patterns; further testing with live IoT deployments is needed.
Adaptive Threshold Sensitivity: Fine-tuning thresholds for anomaly detection is crucial; overly strict thresholds can increase false positives, while lenient thresholds may miss subtle attacks.
Cloud Latency: Updates from the cloud layer introduce minor latency in model synchronization, which may impact real-time detection in ultra-low-latency applications.

Observations:

Hybrid IDS effectively detects a wide variety of attacks while conserving energy.
Edge-cloud synergy reduces both false positives and data transmission costs.
ML integration enhances adaptability, making the system capable of evolving with new threat patterns.

VII. Conclusion and Future Work

A. Summary of Findings

This research proposed a hybrid intrusion detection framework tailored for energy-constrained IoT devices, combining signature-based, anomaly-based, and machine learning–driven detection methods across the sensor, edge, and cloud layers. Experimental testing on benchmark datasets such as NSL-KDD, UNSW-NB15, and IoT-23 showed that the framework delivers high detection performance, achieving an average accuracy of 92.75%, with false positive rates around 5%, while maintaining energy efficiency superior to conventional IDS solutions. By utilizing edge computing for real-time, localized detection and cloud resources for advanced machine learning analysis, the framework effectively balances robust security with minimal energy overhead. Additionally, the system demonstrated the capability to identify both known and previously unseen attacks, ensuring practical applicability for deployment in diverse IoT environments.

B. Contributions to IoT Security and Energy Efficiency

The primary contributions of this research are:

Energy-Aware Hybrid IDS Design: The framework introduces a three-layer architecture that strategically distributes detection tasks based on resource availability, enabling energy-efficient security for constrained IoT devices.
Integration of Detection Techniques: By combining signature-based, anomaly-based, and machine learning approaches, the framework enhances the robustness and adaptability of intrusion detection, reducing missed detections and false positives.
Realistic Simulation and Evaluation: The experimental setup replicates real-world IoT conditions, evaluating detection performance, false positives, and energy consumption, providing practical insights for deployment in heterogeneous IoT environments.
Scalable and Adaptive Framework: The edge-cloud collaboration enables continuous learning and model updates, making the system scalable for large IoT networks and adaptable to emerging attack patterns.

C. Recommendations for Future Research

Despite promising results, several avenues for future research remain:

Real-World Deployment: Future studies should evaluate the framework in live IoT environments to validate performance under diverse traffic patterns, device heterogeneity, and dynamic network conditions.
Lightweight ML Models: Developing more resource-efficient machine learning models optimized for ultra-low-power devices can further reduce energy consumption while maintaining high detection accuracy.
Advanced Threat Detection: Incorporating detection for sophisticated multi-stage attacks, zero-day exploits, and AI-generated threats could enhance the framework’s resilience.
Adaptive Thresholding and Self-Learning: Research into automated threshold adjustment and self-learning algorithms at the edge can reduce false positives while improving real-time responsiveness.
Integration with IoT Standards and Protocols: Aligning the framework with emerging IoT communication standards and security protocols would facilitate interoperability across heterogeneous devices and platforms.

In conclusion, the proposed hybrid intrusion detection framework offers a practical, energy-efficient, and robust solution for securing IoT networks. Its combination of layered architecture, hybrid detection methodologies, and adaptive energy management strategies provides a foundation for future advancements in IoT security research and deployment.

References

Arshad, J., M. A. Azad, M. M. Abdeltaif, and K. Salah. 2020. An intrusion detection framework for energy constrained IoT devices. Mechanical Systems and Signal Processing 136: 106436. [Google Scholar] [CrossRef]
Roy, S., J. Li, B.-J. Choi, and Y. Bai. 2022. A lightweight supervised intrusion detection mechanism for IoT networks. Future Generation Computer Systems 127: 276–285. [Google Scholar] [CrossRef]
Awad, A. I., and H. F. A. Hamed. 2018. Intrusion detection systems for IoT-based smart environments: A survey. Journal of Cloud Computing 7: 21. [Google Scholar] [CrossRef]
Ghaleb, S. A. A., M. Mohamad, W. Ghanem, A. Ngah, F. Yunus, and M. N. I. Siddique. 2020. Enhancing IoT security: A hybrid intelligent intrusion detection system integrating machine learning and metaheuristic algorithm. Indonesian Journal of Electrical Engineering and Computer Science 20, 2: 1040–1049. [Google Scholar] [CrossRef]
Singh, R., and R. L. Ujjwal. 2023. Hybridized bio-inspired intrusion detection system for Internet of Things. Frontiers in Big Data 6: 1081466, (Note: although published 2023, the study reviews and builds on works up to 2022.). [Google Scholar] [CrossRef] [PubMed]
A critical review of intrusion detection systems in the Internet of Things: techniques, deployment strategy, validation strategy, attacks, public datasets and challenges. 2021. Cybersecurity: vol. 4, p. Article 18. [CrossRef]
Zarpelão, B. B., R. S. Miani, C. T. Kawakani, and S. C. Alvarenga. 2017. A survey of intrusion detection in Internet of Things. Journal of Network and Computer Applications 84: 25–37. [Google Scholar] [CrossRef]
de Souza, C. A., C. B. Westphall, R. B. Machado, J. B. M. Sobral, and G. dos S. Vieira. 2020. Hybrid approach to intrusion detection in fog-based IoT environments. Computer Networks 180: 107417. [Google Scholar] [CrossRef]
Savanović, N., A. Tosković, A. Petrović, M. Zivković, and B. Nikolić. 2022. Hybrid particle swarm and grey wolf optimization algorithm for IoT intrusion detection system. International Journal of Intelligent Engineering & Systems 14, 4. [Google Scholar]
Nazir, A., and R. Ahmed Khan. 2021. A novel combinatorial-optimization-based feature selection method for network intrusion detection. Computers & Security 102: 102164. [Google Scholar] [CrossRef]
Shafiq, M., Z. Tian, Y. Sun, X. Du, and M. Guizani. 2020. Selection of effective machine learning algorithm and Bot-IoT attacks traffic identification for Internet of Things in smart city. Future Generation Computer Systems 107: 433–442. [Google Scholar] [CrossRef]
Morfino, V., and S. Rampone. 2020. Towards near-real-time intrusion detection for IoT devices using supervised learning and Apache Spark. Electronics 9, 3. [Google Scholar] [CrossRef]
Sodhro, A. H., S. Pirbhulal, M. Muzammal, and L. Zongwei. 2020. Towards blockchain-enabled security technique for Industrial Internet of Things based decentralized applications. Journal of Grid Computing 18: 123–146. [Google Scholar] [CrossRef]
Zhang, D., D. Huang, Y. Chen, S. Lin, and C. Li. 2020. A lightweight IoT intrusion detection method based on two-stage feature selection and Bayesian optimization. AIMS Electronics and Electrical Engineering 9, 3: 359–389. [Google Scholar] [CrossRef]
Heidari, A., and M. A. J. Jamali. 2022. Internet of Things intrusion detection systems: A comprehensive review and future directions. Cluster Computing. [Google Scholar] [CrossRef]
Amoon, M., T. Altameem, and A. Altameem. 2020. RRAC: Role-based reputed access control method for mitigating malicious impact in intelligent IoT platforms. Computer Communications 151: 238–246. [Google Scholar] [CrossRef]
Lei, H., and et al. 2020. Safeguarding UAV IoT communication systems against randomly located eavesdroppers. IEEE Internet of Things Journal 7, 2: 1230–1244. [Google Scholar] [CrossRef]
Guizani, N., and A. Ghafoor. 2020. A network-function-virtualization system for detecting malware in large IoT-based networks. IEEE Journal on Selected Areas in Communications 38, 6: 1218–1228. [Google Scholar] [CrossRef]
Zelinka, R., and et al. 2021. An evolutionary multi-hidden Markov model for intelligent threat sensing in Industrial Internet of Things. Journal of Supercomputing 77, 6: 6236–6250. [Google Scholar]
Zeadally, S., and M. Tsikerdekis. 2020. Securing Internet of Things (IoT) with machine learning. International Journal of Communication Systems 33, 1. [Google Scholar] [CrossRef]

Table 1. Detection Performance of Hybrid IDS.

Attack Type	Detection Accuracy (%)	False Positive Rate (%)
Denial of Service (DoS)	95	4
Spoofing and Replay Attacks	93	5
Malware Propagation	91	6
Data Exfiltration	92	5

Table 2. Energy Consumption Analysis.

Layer/Method	Energy Consumption (mJ/cycle)
Sensor Layer (raw data)	5.2
Edge Layer (Signature+Anomaly)	12.8
Cloud Layer (ML training)	35
Hybrid Framework (Proposed)	15.5

Table 3. Comparative Analysis of IDS Approaches.

IDS Type	Detection Accuracy (%)	False Positive Rate (%)	Energy Consumption (mJ/cycle)
Signature-Based	85	3	18.2
Anomaly-Based	88	12	20.5
Cloud ML IDS	94	4	45
Proposed Hybrid IDS	92.75	5	15.5

Disclaimer/Publisher’s Note: The statements, opinions and data contained in all publications are solely those of the individual author(s) and contributor(s) and not of MDPI and/or the editor(s). MDPI and/or the editor(s) disclaim responsibility for any injury to people or property resulting from any ideas, methods, instructions or products referred to in the content.

© 2026 by the authors. Licensee MDPI, Basel, Switzerland. This article is an open access article distributed under the terms and conditions of the Creative Commons Attribution (CC BY) license (http://creativecommons.org/licenses/by/4.0/).

Copyright: This open access article is published under a Creative Commons CC BY 4.0 license, which permit the free download, distribution, and reuse, provided that the author and preprint are cited in any reuse.