A Hierarchical IDS for Zero-Day Attack Detection in Internet of Medical Things Networks
Uddin, Md Ashraf, Chu, Nam H., Rafeh, Reza
arXiv.org Artificial Intelligence
The Internet of Medical Things (IoMT) has been emerging as the main driver of the healthcare revolution. These networks typically include resource-constrained, heterogeneous devices such as wearable sensors, smart pills, and implantable devices, making them vulnerable to diverse cyberattacks, e.g., denial-of-service, ransomware, data hijacking, and spoofing attacks. To mitigate these risks, Intrusion Detection Systems (IDSs) are critical for monitoring and securing patients' medical devices. However, traditional centralized IDSs may not be suitable for IoMT due to inherent limitations such as delays in response time, privacy concerns, and increased security vulnerabilities. Specifically, centralized IDS architectures require every sensor to transmit its data to a central server, potentially causing significant delays or even disrupting network operations in densely populated areas. On the other hand, executing an IDS on IoMT devices is generally infeasible due to the lack of computational capacity. Even if some lightweight IDS components can be deployed on these devices, they must wait for the centralized IDS to provide updated models; otherwise, they remain vulnerable to zero-day attacks, posing significant risks to patient health and data security. To address these challenges, we propose a novel multi-level IoMT IDS framework that can not only detect zero-day attacks but also differentiate between known and unknown attacks. In particular, the first layer, namely the near Edge, filters network traffic at a coarse level (i.e., attack or not) by leveraging meta-learning or One-Class Classification (OCC) based on the usfAD algorithm. The deeper layers (e.g., far Edge and Cloud) then determine whether the attack is known or unknown, as well as the detailed type of attack. Experimental results on the latest IoMT dataset, CICIoMT2024, show that our proposed solution achieves high performance, i.e., 99.77% accuracy and 97.8% F1-score. Notably, the first layer, using either meta-learning or usfAD-based OCC, can detect zero-day attacks with high accuracy without requiring new datasets of these attacks, making our approach highly applicable to the IoMT environment. Furthermore, the meta-learning approach requires less than 1% of the dataset to achieve high performance in attack detection.

The Internet of Things (IoT) represents a transformative concept where interconnected devices equipped with sensors collect, analyze, and interact with the physical environment, creating networks that serve diverse applications.

The authors are with the School of Information Technology, Crown Institute of Higher Education, Australia.
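The two-stage decision flow described in the abstract, as an added illustration that is not the paper's code: a near-Edge one-class detector fitted on benign flows only (a simple standardised-distance envelope standing in for the usfAD-based OCC; meta-learning is not modelled), followed by a far-Edge nearest-centroid classifier over known attack classes that reports "unknown" when a flagged flow is far from every class it has seen. The feature vectors, class names (`dos`, `ransomware`) and thresholds are constructed toy values, not CICIoMT2024 data, and the class and function names are hypothetical.

```python
"""Hierarchical IDS decision flow: coarse near-Edge filter, then far-Edge
known/unknown classification. Toy, pure-Python illustration (assumption:
features are (packets per second, mean packet bytes, SYN fraction))."""
from math import sqrt
from typing import Dict, List, Optional, Sequence, Tuple

Flow = Sequence[float]


def mean_std(rows: Sequence[Flow]) -> Tuple[List[float], List[float]]:
    """Per-feature mean and population std; a zero std is replaced by 1."""
    n, d = len(rows), len(rows[0])
    mean = [sum(r[i] for r in rows) / n for i in range(d)]
    std = [sqrt(sum((r[i] - mean[i]) ** 2 for r in rows) / n) or 1.0 for i in range(d)]
    return mean, std


def dist(a: Sequence[float], b: Sequence[float]) -> float:
    return sqrt(sum((p - q) ** 2 for p, q in zip(a, b)))


class NearEdgeOCC:
    """Stage 1: learns only the benign envelope; anything outside is 'attack'.
    No attack samples are needed, which is what lets a zero-day flow be caught."""

    def __init__(self, margin: float = 1.5) -> None:
        self.margin = margin
        self.mean: List[float] = []
        self.std: List[float] = []
        self.threshold = 0.0

    def scale(self, flow: Flow) -> List[float]:
        """Standardise a flow with the benign mean/std (shared by stage 2)."""
        return [(x - m) / s for x, m, s in zip(flow, self.mean, self.std)]

    def fit(self, benign: Sequence[Flow]) -> "NearEdgeOCC":
        self.mean, self.std = mean_std(benign)
        origin = [0.0] * len(self.mean)
        # Radius of the benign cloud in standardised space, widened by a margin.
        radius = max(dist(self.scale(f), origin) for f in benign)
        self.threshold = radius * self.margin
        return self

    def is_attack(self, flow: Flow) -> bool:
        return dist(self.scale(flow), [0.0] * len(self.mean)) > self.threshold


class FarEdgeClassifier:
    """Stage 2: nearest centroid over known attack classes in the same
    standardised space; a flow farther than margin * class radius from every
    centroid is reported as unknown (a zero-day candidate)."""

    def __init__(self, scaler: NearEdgeOCC, margin: float = 2.0) -> None:
        self.scale = scaler.scale
        self.margin = margin
        self.centroids: Dict[str, List[float]] = {}
        self.radii: Dict[str, float] = {}

    def fit(self, labelled: Dict[str, Sequence[Flow]]) -> "FarEdgeClassifier":
        for label, flows in labelled.items():
            pts = [self.scale(f) for f in flows]
            c = [sum(p[i] for p in pts) / len(pts) for i in range(len(pts[0]))]
            self.centroids[label] = c
            self.radii[label] = max(dist(p, c) for p in pts) or 1.0
        return self

    def classify(self, flow: Flow) -> Tuple[str, Optional[str]]:
        z = self.scale(flow)
        lab, d = min(((k, dist(z, c)) for k, c in self.centroids.items()), key=lambda t: t[1])
        if d <= self.margin * self.radii[lab]:
            return "known", lab
        return "unknown", None


# Constructed toy training data (not from CICIoMT2024).
BENIGN = [(10, 500, 0.10), (12, 480, 0.12), (9, 520, 0.08),
          (11, 510, 0.10), (10, 490, 0.09), (13, 470, 0.11)]
KNOWN_ATTACKS = {
    "dos":        [(480, 64, 0.95), (520, 60, 0.92), (500, 70, 0.90)],
    "ransomware": [(30, 1400, 0.05), (35, 1450, 0.04), (28, 1380, 0.06)],
}

STAGE1 = NearEdgeOCC().fit(BENIGN)
STAGE2 = FarEdgeClassifier(STAGE1).fit(KNOWN_ATTACKS)


def detect(flow: Flow) -> Tuple[str, Optional[str]]:
    """Hierarchical decision: only flows the coarse filter flags reach stage 2."""
    if not STAGE1.is_attack(flow):
        return "benign", None
    return STAGE2.classify(flow)


if __name__ == "__main__":
    for name, flow in [("benign", (11, 500, 0.10)), ("known dos", (500, 60, 0.90)),
                       ("known ransomware", (32, 1420, 0.05)), ("zero-day", (200, 40, 0.50))]:
        print(f"{name:18s} -> {detect(flow)}")
```

The split matters operationally: stage 1 needs only benign traffic and a cheap distance check, so it can run near the devices and keep working between model updates, while stage 2 needs labelled attack data and can live further up the hierarchy; the margin factors are the knobs that trade false positives at the edge against missed zero-days.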
Aug-15-2025