IAES
Inter
national
J
our
nal
of
Articial
Intelligence
(IJ-AI)
V
ol.
14,
No.
6,
December
2025,
pp.
4913
∼
4922
ISSN:
2252-8938,
DOI:
10.11591/ijai.v14.i6.pp4913-4922
❒
4913
Comparati
v
e
e
v
aluation
of
machine
lear
ning
models
f
or
intrusion
detection
in
WSNs
using
the
IDSAI
dataset
Mansour
Lmkaiti
1
,
Houda
Moudni
2
,
Hicham
Mouncif
1
1
LIMA
TI
Laboratory
,
F
aculty
of
Polydisciplinary
,
Uni
v
ersity
Sultan
Moulay
Slimane,
Beni-Mellal,
Morocco
2
TIAD
Laboratory
,
F
aculty
of
Sciences
and
T
echnology
,
Uni
v
ersity
Sultan
Moulay
Slimane,
Beni-Mellal,
Morocco
Article
Inf
o
Article
history:
Recei
v
ed
Aug
27,
2024
Re
vised
Oct
24,
2025
Accepted
No
v
8,
2025
K
eyw
ords:
Gradient
boosting
IDSAI
Intrusion
detection
system
Logistic
re
gression
Machine
learning
Random
forest
W
ireless
sensor
netw
orks
ABSTRA
CT
This
paper
pro
vides
com
parati
v
e
assessment
of
three
lightweight
machine
learning
(ML)
models
(logistic
re
gression
(LR),
random
forest
(RF),
and
gradient
boosting
(GB)),
which
are
emplo
yed
to
detect
intrusions
in
wireless
sensor
netw
orks
(WSNs)
using
the
IDSAI
dataset.
The
goal
is
to
determine
the
most
ef
fecti
v
e
and
deplo
yable
classier
within
the
constraints
of
WSN
resources.
In
order
to
pre
v
ent
data
leakage
and
report
accurac
y
,
precision,
recall,
F1-score,
and
recei
v
er
operating
characteristic-area
under
the
curv
e
(R
OC-A
UC)
with
mean
±
SD,
we
implement
strati
ed
5-fold
cross
v
alidation
with
in
fold
preprocessing.
The
results
indicate
that
RF
pro
vides
the
most
optimal
generalization
and
o
v
erall
performance
(accurac
y
0
.
9994
±
0
.
0001
,
precision
0
.
9995
±
0
.
0001
,
recall
0
.
9994
±
0
.
0001
,
F1-score
0
.
9994
±
0
.
0001
,
R
OC–A
UC
0
.
9998
±
0
.
0000
).
RF
is
closely
follo
wed
by
GB
(accurac
y
0
.
9990
±
0
.
0001
,
precision
0
.
9995
±
0
.
0001
,
recall
0
.
9985
±
0
.
00
01
,
F1-score
0
.
9990
±
0
.
0001
,
R
OC-A
UC
≈
1
.
0000
).
LR
demonstrates
limitations
in
linearly
o
v
erlapping
classes,
as
e
videnced
by
its
high
precision
b
ut
reduced
recall
(accurac
y
0
.
9167
±
0
.
0010
,
precision
0
.
9829
±
0
.
0002
,
recall
0
.
8481
±
0
.
0018
,
F1-score
0
.
9105
±
0
.
0011
,
R
OC–A
UC
0
.
9707
±
0
.
0001
).
In
order
to
e
v
aluate
deplo
yability
,
we
characterize
the
inference
throughput
on
a
modest
PC:
LR
∼
6
.
5
×
10
5
samples/s,
GB
∼
2
.
2
×
10
5
samples/s,
and
RF
∼
1
.
3
×
10
5
samples/s,
indicating
a
tiered
intrusion
detection
system
(IDS)
(LR
at
sensors,
RF
at
cluster
-heads,
and
GB
at
the
g
ate
w
ay).
W
e
also
addre
ss
the
potential
dangers
of
o
v
ertting
that
may
arise
from
the
cleanliness
of
the
dataset
and
pro
vide
a
roadmap
for
future
v
alidation
on
a
more
di
v
erse
set
of
traf
c.
The
research
establishes
a
baseline
for
lightweight
IDS
in
actual
WSNs
that
is
deplo
yable
and
reproducible.
This
is
an
open
access
article
under
the
CC
BY
-SA
license
.
Corresponding
A
uthor:
Mansour
Lmkaiti
LIMA
TI
Laboratory
,
F
aculty
of
Polydisciplinary
,
Uni
v
ersity
Sultan
Moulay
Slimane
Beni-Mellal,
Morocco
Email:
lamkaitimansour@gmail.com
1.
INTR
ODUCTION
This
paper
i
ntroduces
a
methodical
approach
that
uses
cutting-edge
machine
learning
(ML)
[1]
algorithms
to
thoroughly
assess
the
ef
fecti
v
eness
of
intrusion
detection
systems
(IDS)
[2].
Ensuring
strong
netw
ork
security
is
crucial
in
the
quic
k
l
y
changing
c
ybersecurity
landscape
of
today
,
which
is
mark
ed
by
an
increase
in
c
yberthreats
and
the
widespread
inte
gration
of
internet
of
things
(IoT)
de
vices
[3].
IDS
[4]
are
essential
for
protecting
netw
orks
because
the
y
k
eep
an
e
ye
on
traf
c
patterns
and
spot
possible
harmful
acti
vity
.
J
ournal
homepage:
http://ijai.iaescor
e
.com
Evaluation Warning : The document was created with Spire.PDF for Python.
4914
❒
ISSN:
2252-8938
Ho
we
v
er
,
depending
on
the
detection
methods
utilized
and
the
caliber
of
the
training
and
e
v
aluation
datasets,
IDS
ef
cac
y
might
v
ary
greatly
[4].
Our
study
suggests
an
or
g
anized
strate
gy
that
includes
se
v
eral
crucial
steps
to
fully
address
these
issues:
careful
dataset
preparation
[4],
stringent
feature
selection
and
engineering
procedures,
e
xtensi
v
e
model
training
and
e
v
aluation
techniques,
reliable
c
ross-v
alidation
procedures
,
and
in-depth
performance
analysis.
Our
research
intends
to
impro
v
e
the
accurac
y
and
dependability
of
IDS
implementations
by
utilizing
the
v
ariety
of
real-w
orld
intrusion
scenarios
captured
in
the
IDSAI
dataset
[4].
IDS
models
are
de
v
eloped
and
e
v
aluated
using
ML
[1]
algorithms,
including
gradient
boosting
(GB),
random
forest
(RF)
[5],
and
logistic
re
gression
(LR)
[6],
in
order
to
impro
v
e
their
ability
to
ef
fecti
v
ely
detect
and
mitig
ate
security
breaches
[7].
By
using
this
systematic
and
empirical
research,
our
study
aims
to
of
fer
detailed
insight
into
the
adv
antages
and
disadv
antages
of
ML
based
IDS
[8],
[9]
techniques.
W
e
help
de
v
elop
more
e
xible
and
ef
fecti
v
e
security
measures
suited
to
the
comple
x
dynamics
of
modern
netw
orks
and
the
changing
terrain
of
c
yberthreats
by
critically
assessing
the
performance
of
dif
ferent
algorithms
ag
ainst
benchmark
datasets
and
a
range
of
attack
scenarios
[10].
Pre
viously
,
classical
classiers
were
frequently
e
v
aluated
on
synthetic
or
restricted
IoT
datasets
without
taking
into
account
genuine
wireless
sensor
netw
ork
(WSN)
constraints.
This
w
ork
addresses
that
lacuna
by
introducing
a
rob
ust
statistical
v
alidation
(mean
±
SD,
95%
condence
interv
al),
assessing
computational
feasibility
at
the
sensor
,
cluster
-head,
and
g
ate
w
ay
le
v
els,
and
benchmarking
three
interpretable,
lightweight
models
on
the
IDSAI
dataset.
The
k
e
y
contrib
utions
of
this
study
are
as
follo
ws.
First,
an
e
v
aluation
approach
that
can
be
replicated
for
lightweight
IDS
benchmarking
using
the
IDSAI
dataset
is
proposed.
Second,
LR,
RF
,
and
GB
are
inte
grated
in
a
hierarchical
IDS
architecture
for
scalable
WSN
security
.
Third,
statistical
tests,
including
Friedman
and
W
ilcoxon,
are
used
to
v
alidate
the
rob
ustness
of
the
model.
F
ourth,
computational
footprint
and
inference
throughput
are
included
in
the
deplo
yment
analysis.
Finally
,
a
plan
for
upcoming
v
alidation
with
a
v
ariety
of
scenarios
is
outlined.
2.
RELA
TED
W
ORK
Much
research
has
been
done
in
the
eld
of
computer
security
[8],
especially
in
WSNs,
to
address
the
changing
challenges
posed
by
security
threats
[9].
Numerous
strate
gies
for
impro
ving
WSN
security
,
such
as
intrusion
detection,
encryption
methods
and
secure
routing
protocols,
ha
v
e
been
e
xamined
in
earlier
research
[10],
[11].
The
creation
and
assessment
of
IDS
[8]
designed
especially
for
WSNs
constitutes
a
substantial
eld
of
study
[12].
By
k
eeping
an
e
ye
on
netw
ork
traf
c
and
spotting
unusual
acti
vity
suggesti
v
e
of
malicious
acti
vity
,
these
systems
are
essential
in
detecting
and
pre
v
enting
security
breaches
[7]
within
WSNs.
Numerous
st
udies
ha
v
e
used
a
v
ariety
of
datasets
and
e
v
aluation
metrics
t
o
assess
the
ef
fecti
v
eness
of
IDS
in
WSNs
[13],
[14].
These
tests
seek
to
determine
ho
w
well
IDS
identify
dif
ferent
kinds
of
assaults,
such
as
routing
attacks,
data
manipulation
and
denial-of-service
attacks
[14],
[15].
Researchers
ha
v
e
shed
important
light
on
the
adv
antages
and
disadv
antages
of
current
IDS
in
WSNs
by
compar
ing
v
arious
to
common
datasets
and
attack
scenarios.
Additionally
,
research
has
focused
on
creating
lightweight
security
measures
that
are
suited
for
WSN
de
vices
with
limited
resources
[16].
These
safe
guards
are
designed
to
reduce
ener
gy
usage
and
computational
o
v
erhead
while
of
fering
strong
defense
ag
ainst
security
risks
[16].
T
o
address
the
particular
security
issues
presented
by
WSNs,
methods
lik
e
ener
gy-ef
cient
k
e
y
management
techniques,
se
cure
routing
protocols,
and
lightweight
cryptograph
y
ha
v
e
been
de
v
eloped
[12].
Additionally
,
research
has
look
ed
into
ho
w
to
incorporate
cutting-edge
technologies
lik
e
machine
intelligence
and
blockchain
into
WSN
security
designs
[16]–[20].
While
ML
[18],
[19],
[21],
[22]
methods
pro
vide
for
adapti
v
e
and
autonomous
intrusion
detection
capabilities,
blockchain
[17]-based
techniques
pro
vide
decentralized
and
tamper
-resistant
mechanisms
for
safe
guarding
WSN
data
and
transactions.
Recent
research
has
in
v
estig
ated
the
use
of
anomaly-based
methods
(e.g.,
one-class
support
v
ector
machine
(SVM),
isolation
forest)
and
long
short-term
memory
(LSTM),
as
well
as
autoencoders,
for
the
purpose
of
intrusion
detection
in
IoT/WSN.
Although
these
methods
are
frequently
precise,
the
y
typically
necessitate
substantial
rening
and
higher
compute
and
ener
gy
b
udgets.
W
e
concentrate
on
the
de
v
elopment
of
interpretable
and
lightweight
model
s
that
are
appropriate
for
decentralized
WSN
nodes.
In
the
future,
we
will
in
v
estig
ate
the
inte
gration
of
on-node
lightweight
classiers
with
g
ate
w
ay-le
v
el
deep
feature
e
xtraction.
T
able
1
summarizes
recent
IDS
studies
in
WSN
and
IoT
en
vironments.
Int
J
Artif
Intell,
V
ol.
14,
No.
6,
December
2025:
4913–4922
Evaluation Warning : The document was created with Spire.PDF for Python.
Int
J
Artif
Intell
ISSN:
2252-8938
❒
4915
T
able
1.
Comparati
v
e
summary
of
recent
IDS
studies
in
WSNs
and
IoT
en
vironments
Study
Dataset
Model
Accurac
y
(%)
Main
limitation
Dharini
et
al
.
[9]
WSN-LEA
CH
XGBoost
98.7
High
computational
cost
Meenakshi
and
Karunkuzhali
[10]
IoT
-Custom
GAN-V
AE
99.2
Comple
x
training
Ajmi
et
al
.
[16]
Hardw
are
IDS
CNN
96.8
Not
ener
gy-ef
cient
This
study
IDSAI
RF
/
GB
/
LR
99.9
Dataset
simplicity
3.
TYPES
OF
CYBERSECURITY
A
TT
A
CKS
WSNs
are
at
risk
from
a
number
of
frequent
assaults,
s
uch
as
ARP
spoong,
SYN/A
CK
ooding,
and
ICMP
Echo
oods,
which
can
o
v
erwhelm
nodes
and
reroute
communication
channels.
Brute-force
SSH
attempts
and
UDP
port
scans
tak
e
use
of
service
a
ws,
while
distrib
uted
denial-of-service
(DDOS)
attacks
use
a
lot
of
netw
ork
capacity
by
making
a
lot
of
requests
at
once.
These
assaults
demonstrate
the
need
for
ef
fecti
v
e
and
portable
IDS
that
can
identify
anomalous
acti
vity
at
se
v
eral
netw
ork
tiers.
As
sho
wn
in
Figure
1,
the
main
dataset
parameters
and
attack
classes
are
illustrated.
Figure
1.
Dataset
parameters
4.
METHODOLOGY
Using
the
IDSAI
dataset
[4],
we
emplo
yed
a
systematic
e
v
aluation
procedure
in
this
study
to
e
v
aluate
the
ef
fecti
v
eness
of
IDS
models
based
on
ML
algorithms
[20],
[23].
Dataset
preparation,
feature
engineering
and
selection,
model
training,
cross-v
alidation,
and
performance
e
v
aluation
are
the
v
e
primary
processes
of
the
methodology
.
The
hierarchical
IDS
architecture
emplo
yed
in
this
in
v
estig
ation
is
depicted
in
Figure
2,
with
RF
functioning
at
the
cluster
-head
le
v
el,
LR
at
the
sensor
layer
,
and
GB
at
the
g
ate
w
ay
for
retraining
and
v
alidation.
4.1.
Dataset
pr
eparation
The
IDSAI
dataset,
which
replicates
actual
c
yberattacks
in
WSNs,
we
emplo
yed.
The
IDSAI
datas
et
w
as
originally
introduced
by
Fernando
et
al
.
[4],
and
it
has
been
widely
used
for
e
v
aluating
IDS
in
IoT
en
vironments.
Labeled
traf
c
cases
from
a
range
of
attack
methods,
including
DDoS,
ARP
spoong,
and
port
scanning,
are
including
this
collection.
The
IDSAI
dataset
comprises
more
than
eighty
thousand
labeled
o
ws
that
encompass
both
standard
traf
c
and
a
v
ariety
of
at
tack
cate
gories,
including
DDoS,
ARP
spoong,
SYN
ooding,
and
port
scanning.
In
order
to
maintain
the
distrib
ution
of
labels
across
folds,
we
emplo
yed
stratied
sampling
and
v
eried
class
proportions.
V
ariance
analysis
re
v
ealed
lo
w
noise
and
partial
feature
redundanc
y
,which
may
result
in
prominent
metrics
being
inated.
Consequently
,
we
pro
vide
fold-wise
statistics
and
e
xplicitly
address
o
v
ertting
risks
in
sections
5.1
and
5.2.
4.2.
F
eatur
e
selection
and
engineering
W
e
used
lter
-based
feature
se
lection
techniques,
such
a
s
mutual
information
and
v
ariance
thresholding,
to
increase
model
ef
cienc
y
and
decrease
o
v
ertting.
Based
on
their
contrib
ution
to
classication
Compar
ative
e
valuation
of
mac
hine
learning
models
for
intrusion
detection
in
...
(Mansour
Lmkaiti)
Evaluation Warning : The document was created with Spire.PDF for Python.
4916
❒
ISSN:
2252-8938
performance,
we
k
ept
the
most
discriminati
v
e
feat
ures
that
were
pertinent
to
intrusion
detection.
This
choice
enhances
interpretability
,
reduces
redundanc
y
,
and
e
xpedites
training
without
compromising
the
quality
of
detection.
Figure
2.
Hierarchical
IDS
architecture
for
WSN
4.3.
Model
training
W
e
chose
three
popular
ML
classiers:
RF
[23],
LR
[24],
and
GB
[25].
L2
re
gulari
zation
w
as
used
to
train
the
LR
model.
Grid
search
w
as
used
to
determine
the
in
v
erse
of
re
gularization
strength
(C).
4.4.
Mathematical
o
v
er
view
The
LR
model
minimizes
the
ℓ
2
-re
gularized
ne
g
ati
v
e
log-lik
elihood:
J
(
θ
)
=
−
1
m
m
X
i
=1
h
y
i
log
h
θ
(
x
i
)
+
(1
−
y
i
)
log
1
−
h
θ
(
x
i
)
i
+
λ
∥
θ
∥
2
2
,
(1)
with
h
θ
(
x
)
=
1
1+exp(
−
θ
⊤
x
)
.
RF
aggre
g
ates
T
decision
trees
{
f
t
}
T
t
=1
by
majority
v
ote,
ˆ
y
=
mo
de
f
1
(
x
)
,
.
.
.
,
f
T
(
x
)
.
GB
b
uilds
an
additi
v
e
model
F
M
(
x
)
=
P
M
m
=1
η
h
m
(
x
)
,
where
h
m
are
shallo
w
trees
tted
stage-wise
to
the
ne
g
ati
v
e
gradients
of
the
loss,
and
η
is
the
learning
rate.
Grid
search
selected
h
yperparamet
ers
to
balance
bias
and
v
ariance.
4.5.
Cr
oss-v
alidation
and
generalization
assessment
During
model
e
v
aluation,
we
used
stratied
5-fold
cross-v
alidation
to
guarantee
the
rob
ustness
and
generalizability
of
our
ndings.
In
order
to
monitor
training
beha
vior
and
identify
an
y
possible
o
v
ert
ting
or
undertting
tendencies,
learning
curv
es
were
created.
All
preprocessing
stages
(feature
selection,
scaling
when
applicable,
and
model
tting)
were
e
x
ecuted
within
each
training
fold
of
the
stratied
5-fold
cross-v
alidation
pipeline.
T
est
folds
were
concealed
until
the
nal
scoring
in
order
to
pre
v
ent
optimistic
bias.
4.6.
P
erf
ormance
metrics
Precision,
recall,
F1-s
core,
accurac
y
,
and
recei
v
er
operating
characteri
stic-area
under
the
curv
e
(R
OC-A
UC)
are
common
classication
metrics
that
we
used
to
e
v
aluate
the
performance
of
the
models.
Prediction
probability
histograms,
R
OC
curv
es,
and
precision-recall
curv
es
were
used
to
display
these
metrics,
which
were
calculated
for
e
v
ery
model.
Ev
ery
outcome
w
as
e
xamined
in
light
of
the
models
interpretability
and
usefulness
for
IDS
deplo
yment
in
WSNs
[26].
Int
J
Artif
Intell,
V
ol.
14,
No.
6,
December
2025:
4913–4922
Evaluation Warning : The document was created with Spire.PDF for Python.
Int
J
Artif
Intell
ISSN:
2252-8938
❒
4917
5.
RESUL
TS
OF
D
A
T
ASET
T
o
achie
v
e
our
research
objecti
v
es,
we
propose
a
systematic
methodology
for
e
v
aluating
IDS
performance
with
ML
algorithms.
Figure
3
illustrates
the
precision-recall
curv
es
for
LR,
RF
,
and
GB
models,
highlighting
that
GB
and
RF
maintain
near
-perfect
precision
across
almost
the
entire
recall
range,
whereas
LR
sho
ws
a
noticeable
drop
in
performance
as
recall
increases.
Figure
4
demonstrates
that
while
LR
suf
fers
from
o
v
ertting,
RF
generalizes
ef
fecti
v
ely
with
gro
wing
data.
GB
impro
v
es
v
alidation
scores
whil
e
pro
viding
a
balanced
performance.
Figure
3.
Precision-Recall
curv
e
for
LR,
RF
,
and
GB
models
Figure
4.
Learning
curv
es
(train
vs.
CV)
sho
wing:
LR
o
v
erts
as
data
gro
ws
(g
ap
persists),
RF
maintains
high
and
stable
generalization,
and
GB
impro
v
es
v
alidation
steadily—aligning
with
the
metric
ranking
in
T
able
1
Compar
ative
e
valuation
of
mac
hine
learning
models
for
intrusion
detection
in
...
(Mansour
Lmkaiti)
Evaluation Warning : The document was created with Spire.PDF for Python.
4918
❒
ISSN:
2252-8938
Figure
5
illustrates
the
learning
trajectories
of
the
three
models.
RF
demonstrates
a
high
de
gree
of
generalization,
with
v
alidation
scores
that
continue
to
impro
v
e
as
the
training
set
e
xpands.
GB
closely
matches
RF
and
enhances
v
alidation
performance,
whereas
LR
o
v
erts
in
late
re
gimes
(training
v
alidation),
which
e
xplains
its
lo
wer
recall
and
F1-score.
Figure
5.
Learning
curv
es
conrm
RF’
s
superior
generalization;
GB
is
a
close
second;
LR
e
xhibits
persistent
train–v
alidation
g
ap
(o
v
ertting),
consistent
with
its
lo
wer
recall
and
F1-score
5.1.
Pr
ediction
pr
obability
distrib
ution
Figure
6
sho
ws
that
ensemble
models
(RF
and
GB)
gi
v
e
more
condent
predictions,
whil
e
LR
sho
ws
more
uncertainty
in
its
probability
estimates.
T
abl
e
2
summarizes
the
performance
of
the
three
classiers
(mean
±
SD
o
v
er
5
strat
ied
folds).
RF
achie
v
es
the
best
o
v
erall
performance
across
all
metrics;
GB
is
a
close,
well-balanced
runner
-up.
LR
attains
high
precision
b
ut
noticeably
lo
wer
recall,
leading
to
a
lo
wer
F1-score
than
the
ens
emble
methods.
T
o
pre
v
ent
leakage,
all
preprocessing
is
conducted
within
each
training
fold,
and
these
interv
als
are
calculated
o
v
er
v
e
stratied
folds.
W
e
report
95%
condence
interv
als
together
with
fold-wise
means
and
standard
de
viations
for
all
metrics
o
v
er
v
e
stratied
folds.
F
or
accurac
y
,
RF
attains
the
highest
score
(
0
.
9994
±
0
.
0001
;
95%
CI
[0.9994,
0.9995]),
GB
is
close
(
0
.
9990
±
0
.
0001
;
[0.9989,
0.9991]),
while
LR
is
lo
wer
(
0
.
9167
±
0
.
0010
;
[0.9158,
0.9175]).
LR’
s
lo
wer
recall
leads
to
a
lo
wer
F
1-score
than
the
ensemble
methods.
In
order
to
e
v
aluate
the
performance
disparities
among
models,
a
non-parametric
Friedman
test
w
as
implemented
on
fold-wise
F1-scores.
The
results
indicated
that
at
least
one
model
performed
dif
ferently
,
as
e
videnc
ed
by
the
signicant
aggre
g
ate
dif
ference
(
χ
2
(2)
=
10
.
00
,
p
=
0
.
0067
).
The
post-hoc
W
ilcoxon
signed-rank
tests
with
Holm
correction
re
v
ealed
no
signicant
dif
ference
between
RF
and
GB
(
p
adj
>
0
.
05
),
thereby
conrming
that
both
ensemble
models
obtain
consistently
high
performance.
This
statistical
consistenc
y
emphasizes
the
reliability
and
rob
ustness
of
the
data,
thereby
bolstering
the
credibility
of
the
comparati
v
e
frame
w
ork.
5.2.
Ov
ertting
consideration
The
unusually
high
v
alues
of
precision
and
recall
(near
1.0)
require
critical
consideration.
These
may
be
due
to:
i)
well-separated
class
boundaries
in
the
IDSAI
dataset,
ii)
feature
redundanc
y
or
lo
w
noise,
and
iii)
lack
of
real-w
orld
di
v
ersity
in
attack
v
ectors.
W
e
mitig
ated
o
v
ertting
risks
through
5-fold
stratied
Int
J
Artif
Intell,
V
ol.
14,
No.
6,
December
2025:
4913–4922
Evaluation Warning : The document was created with Spire.PDF for Python.
Int
J
Artif
Intell
ISSN:
2252-8938
❒
4919
cross-v
alidation
and
comparison
across
multiple
metrics
and
plots.
Nonetheless,
future
w
ork
will
inte
grate
more
challenging
datasets
to
further
assess
generalizability
.
Figure
6.
Prediction
probability
distrib
utions:
RF/GB
yield
condent,
well-separated
posteriors;
LR
sho
ws
broader
uncertainty
,
consistent
with
its
reduced
recall
T
able
2.
Classication
performance
(mean
±
SD
o
v
er
5
stratied
folds)
Model
Accurac
y
Precision
Recall
F1-score
R
OC–A
UC
LR
0.9167
±
0.0010
0.9829
±
0.0002
0.8481
±
0.0018
0.9105
±
0.0011
0.9707
±
0.0001
RF
0.9994
±
0.0001
0.9995
±
0.0001
0.9994
±
0.0001
0.9994
±
0.0001
0.9998
±
0.0000
GB
0.9990
±
0.0001
0.9995
±
0.0001
0.9985
±
0.0001
0.9990
±
0.0001
1.0000
±
0.0000
Lo
w
label
noise
and
well-separated
classes
are
corroborated
by
the
nearly
a
wless
metrics.
In
spite
of
this,
learning
curv
es
indicate
disparities
in
c
apacity
(LR
o
v
ertting
in
late
re
gimes
v
ersus
RF
stability).
There
are
plans
for
future
v
alidation
on
a
wider
range
of
traf
c,
such
as
unseen
de
vices,
and
blended
protocols,
to
stress-test
generalization.
The
computational
footprint
of
each
model
is
summarized
in
T
able
3.
T
raining
is
performed
of
ine;
inference
reects
on-de
vice
cost
in
deplo
yment.
Interpretation:
LR
is
the
optimal
choice
for
embedded
ltering
at
sensor
nodes
due
to
its
ability
to
generate
the
quick
est
inference
(
∼
6
.
5
×
10
5
samples/s).
RF
achie
v
es
a
rob
ust
accurac
y-cost
trade-of
f
(
∼
1
.
3
×
10
5
samples/s)
that
is
suitable
for
cluster
-heads,
while
GB
remains
viable
at
the
g
ate
w
ay
with
competiti
v
e
inference
speed
(
∼
2
.
2
×
10
5
samples/s)
despite
being
more
e
xpensi
v
e
to
train.
These
on-de
vice
inference
costs
are
the
primary
constraint
for
real-w
orld
deplo
yment,
as
training
is
conducted
of
ine.
T
able
3.
Computational
footprint
on
a
modest
PC
Model
T
raining
time
(s)
Inference
on
9
.
98
×
10
5
samples
(s)
Throughput
(samples/s)
LR
823.40
1.54
6
.
48
×
10
5
RF
125.02
7.48
1
.
33
×
10
5
GB
460.33
4.47
2
.
23
×
10
5
6.
DISCUSSION
OF
THE
RESUL
TS
The
results
demonstrate
the
strong
capabilities
of
ML
algorithms
in
detecting
intrusions
in
WSNs.
RF
achie
v
es
the
strongest
o
v
erall
performance;
GB
is
a
close,
well-balanced
alternati
v
e.
LR
attains
high
precision
b
ut
lo
wer
recall,
leading
to
a
lo
wer
F1-score
than
the
ensemble
methods.
Ho
we
v
er
,
learning
curv
es
re
v
eal
o
v
ertting
as
dataset
size
increases,
limiting
its
generalization.
GB
is
a
well-balanced,
close
alternati
v
e
to
RF
,
Compar
ative
e
valuation
of
mac
hine
learning
models
for
intrusion
detection
in
...
(Mansour
Lmkaiti)
Evaluation Warning : The document was created with Spire.PDF for Python.
4920
❒
ISSN:
2252-8938
which
obtains
the
strongest
o
v
erall
performance.
The
F1-score
is
l
o
wer
than
that
of
the
ensemble
methods
due
to
the
f
act
that
LR
achie
v
es
high
precision
b
ut
a
reduced
recall.
GB
of
fered
balanced
performance,
with
high
condence
in
predictions
and
competiti
v
e
scores
across
all
metrics.
In
order
to
minimize
f
alse
ne
g
ati
v
es
in
IDS,
precision-recall
curv
es
v
erify
that
RF
and
GB
ha
v
e
good
precision
e
v
en
as
recall
rises.
Additionally
,
prediction
probability
dist
rib
utions
demonstrate
that,
in
contrast
to
LR,
RF
,
and
GB
of
fer
more
certain
classications
.
The
near
-perfect
metrics
may
be
indicati
v
e
of
minor
o
v
ertting
or
dataset
simplicity
,
despite
the
highly
encouraging
results.
Therefore,
these
disco
v
eries
should
be
v
eried
in
future
research
using
datasets
that
are
more
intricate
and
di
v
erse.
In
general,
GB
pro
vides
a
balanced
performance,
LR
is
appropriate
for
straightforw
ard
scenarios,
and
RF
remains
the
most
scalable
and
dependable
option
for
intrusion
detection
in
real
WSNs
7.
CONCLUSION
AND
DEPLO
YMENT
INSIGHTS
W
e
recommend
a
hierarchical
IDS,
which
consists
of
LR
at
sensor
nodes
(ne
gligible
latenc
y),
RF
at
cluster
-heads
(rob
ust
aggre
g
ation),
and
GB
at
the
g
ate
w
ay
(v
alidation
and
periodic
retraining).
This
approach
minimizes
communication
o
v
erhead
and
concentrates
hea
vier
computation
in
areas
where
resources
are
less
constrained.
Using
the
IDSAI
dataset,
this
study
of
fered
a
systematic
assessment
of
ML-based
IDS
in
WSNs.
W
e
illustrated
the
benets
of
each
model
by
contrasting
RF
,
GB,
and
LR
.
On
IDSAI,
RF
e
xhibited
superior
generalization
and
stability
,
while
GB
w
as
a
close,
well-balanced
second.
The
F1-score
w
as
lo
wer
than
that
of
the
ensemble
methods
due
to
the
f
act
that
LR
achie
v
ed
high
precision
b
ut
a
reduced
recall.
The
ndings
highlight
ho
w
cruc
ial
it
is
to
choose
ML
models
based
on
the
particular
deplo
yment
conte
xt,
whether
that
conte
xt
is
one
of
scalability
,
accurac
y
,
or
interpretability
.
In
order
to
increase
IDS
reliability
,
the
study
also
e
xamined
o
v
ertting
concerns
and
the
requirement
for
realistic,
di
v
erse
attack
data.
T
o
sum
up,
our
results
conrm
the
importance
of
ML
in
protecting
WSNs
and
recommend
that
more
sophisticated
and
adaptable
methods
that
can
manage
dynamic
and
di
v
erse
IoT
settings
be
e
xplored
in
future
studies.
In
order
to
further
enhance
IDS
e
xibility
in
dynamic
IoT
conte
xts,
future
research
will
concentrate
on
mer
ging
federated
and
h
ybrid
learning
methodologies.
A
CKNO
WLEDGMENTS
The
authors
w
ould
lik
e
to
thank
the
LIMA
TI
Laboratory
and
the
F
aculty
of
Polydisciplinary
at
Uni
v
ersity
Sultan
Moulay
Slimane
for
their
scientic
guidance,
technical
resources,
and
continuous
support
during
the
preparation
of
this
w
ork.
FUNDING
INFORMA
TION
The
author(s)
recei
v
ed
no
nancial
support
for
the
research,
authorship,
and/or
publication
of
this
article.
A
UTHOR
CONTRIB
UTIONS
ST
A
TEMENT
This
journal
uses
the
Contrib
utor
Roles
T
axonomy
(CRediT)
to
recognize
indi
vidual
author
contrib
utions,
reduce
authorship
disputes,
and
f
acilitate
collaboration.
Name
of
A
uthor
C
M
So
V
a
F
o
I
R
D
O
E
V
i
Su
P
Fu
Mansour
Lmkaiti
✓
✓
✓
✓
✓
✓
✓
✓
✓
✓
✓
✓
Houda
Moudni
✓
✓
✓
✓
✓
✓
✓
Hicham
Mouncif
✓
✓
✓
✓
✓
✓
✓
✓
C
:
C
onceptualization
I
:
I
n
v
estig
ation
V
i
:
V
i
sualization
M
:
M
ethodology
R
:
R
esources
Su
:
Su
pervision
So
:
So
ftw
are
D
:
D
ata
Curation
P
:
P
roject
Administration
V
a
:
V
a
lidation
O
:
Writing
-
O
riginal
Draft
Fu
:
Fu
nding
Acquisition
F
o
:
F
o
rmal
Analysis
E
:
Writing
-
Re
vie
w
&
E
diting
Int
J
Artif
Intell,
V
ol.
14,
No.
6,
December
2025:
4913–4922
Evaluation Warning : The document was created with Spire.PDF for Python.
Int
J
Artif
Intell
ISSN:
2252-8938
❒
4921
CONFLICT
OF
INTEREST
ST
A
TEMENT
Authors
state
no
conict
of
interest.
D
A
T
A
A
V
AILABILITY
The
data
underpinning
the
results
of
this
study
are
accessible
from
the
corresponding
author
upon
reasonable
request.
REFERENCES
[1]
C.
S.
W
.
Ng,
M.
N.
Amar
,
A.
J.
Ghahf
arokhi,
and
L.
S.
Imsland,
“
A
surv
e
y
on
the
application
of
machine
learning
and
metaheuristic
algorithms
for
intelligent
proxy
modeling
i
n
reserv
oir
simulation,
”
Computer
s
&
Chemical
Engineering
,
v
ol.
170,
Feb
.
2023,
doi:
10.1016/j.compchemeng.2022.108107.
[2]
S.
T
abbassum
and
R.
K.
P
athak,
“Ef
fecti
v
e
data
trans
mission
through
ener
gy-ef
cient
clustering
and
fuzzy-Based
IDS
routing
approach
in
WSNs,
”
V
irtual
Reality
&
Intellig
ent
Har
dwar
e
,
v
ol.
6,
no.
1,
pp.
1–16,
Feb
.
2024,
doi:
10.1016/j.vrih.2022.10.002.
[3]
B.
Suresh
and
G.
S.
C.
Prasad,
“
An
ener
gy
ef
cient
secure
routing
scheme
using
LEA
CH
protocol
in
WSN
for
IoT
netw
orks,
”
Measur
ement:
Sensor
s
,
v
ol.
30,
Dec.
2023,
doi:
10.1016/j.measen.2023.100883.
[4]
G.-P
.
Fernando,
A.-A.
H.
Brayan,
A.
M.
Florina,
C.-B.
Liliana,
A.-M.
H.
-Gabriel,
and
T
.-S.
Reinel,
“Enhancing
intrusion
detection
in
IoT
communications
through
ML
model
generalization
with
a
ne
w
dataset
(IDSAI),
”
IEEE
Access
,
v
ol.
11,
pp.
70542–70559,
2023,
doi:
10.1109/A
CCESS.2023.3292267.
[5]
S.
Nieland,
R.
Oostendorp,
M.
Heinrichs,
and
R.
Cyg
anski,
“T
ransferability
analysis
of
user
groups
in
t
ra
v
el
beha
viour
surv
e
ys
using
a
random
forest
classication
model,
”
T
r
ansportation
Resear
c
h
Pr
ocedia
,
v
ol.
76,
pp.
81–95,
2024,
doi:
10.1016/j.trpro.2023.12.040.
[6]
B.
K
olukisa,
B.
K.
Dedeturk,
H.
Hacilar
,
and
V
.
C.
Gungor
,
“
An
ef
cient
netw
ork
intrusion
detection
approach
based
on
logistic
re
gression
model
and
parallel
art
icial
bee
colon
y
algorithm,
”
Computer
Standar
ds
&
Interfaces
,
v
ol.
89,
Apr
.
2024,
doi:
10.1016/j.csi.2023.103808.
[7]
N.
Balakrishnan,
A.
Rajendran,
D.
Pelusi,
and
V
.
Ponnusamy
,
“Deep
belief
netw
ork
enha
nced
intrusion
detection
system
to
pre
v
ent
security
breach
in
the
internet
of
things,
”
Internet
of
Things
,
v
ol.
14,
Jun.
2021,
doi:
10.1016/j.iot.2019.100112.
[8]
T
.
Nandy
,
R.
Md
Noor
,
R.
K
olandaisamy
,
M.
Y
.
I.
Idris,
and
S.
Bhattacharyya,
“
A
re
vie
w
of
security
attacks
and
intrusion
detection
in
the
v
ehicular
netw
orks,
”
J
ournal
of
King
Saud
Univer
sity
-
Computer
and
Information
Sciences
,
v
ol.
36,
no.
2,
Feb
.
2024,
doi:
10.1016/j.jksuci.2024.101945.
[9]
N.
Dharini,
J.
Katira
v
an,
S.
D.
M.
Priya,
and
S.
V
.
A.
Sne
ghaa,
“Intrusion
detection
in
no
v
el
WSN-Leach
Dos
attack
dataset
using
machine
learning
based
boosting
algorithms,
”
Pr
ocedia
Computer
Science
,
v
ol.
230,
pp.
90–99,
2023,
doi:
10.1016/j.procs.2023.12.064.
[10]
B.
Meenakshi
and
D.
Karunkuzhali,
“Enhancing
c
yber
security
in
WSN
using
optimized
self-attention-based
pro
visional
v
ariational
auto-encoder
generati
v
e
adv
ersarial
netw
ork,
”
Computer
Standar
ds
&
Interfaces
,
v
ol.
88,
Mar
.
2024,
doi:
10.1016/j.csi.2023.103802.
[11]
D.
A.
J.
Rajan
and
E.
R.
Nag
anathan,
“T
rust
based
anon
ymous
intrusion
detection
for
cloud
assisted
WSN-IO
T
,
”
Global
T
r
ansitions
Pr
oceedings
,
v
ol.
3,
no.
1,
pp.
104–108,
Jun.
2022,
doi:
10.1016/j.gltp.2022.04.022.
[12]
S.
Md
Zin,
N.
B.
Anuar
,
M.
L.
M.
Kiah,
and
I.
Ahmedy
,
“Surv
e
y
of
secure
multipath
routing
protocols
for
WSNs,
”
J
ournal
of
Network
and
Computer
Applications
,
v
ol.
55,
pp.
123–153,
Sep.
2015,
doi:
10.1016/j.jnca.2015.04.018.
[13]
R.
Y
ada
v
,
I.
Sreede
vi,
and
D.
Gupta,
“
Augmentation
in
performance
and
security
of
WSNs
for
IoT
applications
using
feature
selection
and
classication
techniques,
”
Ale
xandria
Engineering
J
ournal
,
v
ol.
65,
pp.
461–473,
Feb
.
2023,
doi:
10.1016/j.aej.2022.10.033.
[14]
M
.
R.
Kadri,
A.
Abdelli,
J.
B.
Othman,
and
L.
Mokdad,
“Surv
e
y
and
classication
of
Dos
and
DDos
attack
detection
and
v
alidation
approaches
for
IoT
en
vironments,
”
Internet
of
Things
,
v
ol.
25,
Apr
.
2024,
doi:
10.1016/j.iot.2023.101021.
[15]
T
.
T
.
Lai,
T
.
P
.
T
ran,
J.
Cho,
and
M.
Y
oo,
“DoS
attack
detection
using
online
learning
techniques
in
wireless
sensor
netw
orks,
”
Ale
xandria
Engineering
J
ournal
,
v
ol.
85,
pp.
307–319,
Dec.
2023,
doi:
10.1016/j.aej.2023.11.022.
[16]
H.
Ajmi
et
al
.,
“Ef
cient
and
lightweight
in-memory
com
puting
architecture
for
hardw
are
security
,
”
J
ournal
of
P
ar
allel
and
Distrib
uted
Computing
,
v
ol.
190,
Aug.
2024,
doi:
10.1016/j.jpdc.2024.104898.
[17]
M
.
Kharjana,
F
.
H.
Pohrmen,
S.
C.
Sahana,
and
G.
Saha,
“Blockchai
n-based
k
e
y
management
system
in
named
data
netw
orking:
A
surv
e
y
,
”
J
ournal
of
Network
and
Computer
Applications
,
v
ol.
220,
No
v
.
2023,
doi:
10.1016/j.jnca.2023.103732.
[18]
L.
Eck
e,
M.
Magdolen,
S.
Jaquart,
R.
Andre,
and
P
.
V
ortisch,
“
A
case
study
of
checking
national
household
tra
v
el
surv
e
y
data
with
machine
learning,
”
T
r
ansportation
Resear
c
h
Inter
disciplinary
P
er
spectives
,
v
ol.
24,
Mar
.
2024,
doi:
10.1016/j.trip.2024.101078.
[19]
D.
Ma,
X.
Li,
J.
Liang,
Z.
W
ang,
and
W
.
Y
ang,
“Distilling
seed-assisted
zeolite
synthesis
conditions
by
machine
learning,
”
Micr
opor
ous
and
Mesopor
ous
Materials
,
v
ol.
339,
Jul.
2022,
doi:
10.1016/j.micromeso.2022.112029.
[20]
C.
Ale
x,
G.
Creado,
W
.
Almobaideen,
O.
A.
Alghanam,
and
M.
Saadeh,
“
A
comprehensi
v
e
surv
e
y
for
IoT
security
datasets
taxonomy
,
classication
and
machine
learning
mechanisms,
”
Computer
s
&
Security
,
v
ol.
132,
Sep.
2023,
doi:
10.1016/j.cose.2023.103283.
[21]
S.
M.
S.
Bukhari,
M.
H.
Zaf
ar
,
M.
A.
Houran,
Z.
Qadir
,
S.
K.
R.
Moosa
vi,
and
F
.
Sanlippo,
“Enhancing
c
ybersecurity
in
Edge
IIoT
netw
orks:
An
asynchronous
federated
learning
approach
with
a
deep
h
ybrid
detection
model,
”
Internet
of
Things
,
v
ol.
27,
Oct.
2024,
doi:
10.1016/j.iot.2024.101252.
[22]
D.
Karunkuzhali,
K.
P
.
Arunachalam,
R.
Ramamoorthi,
and
R.
K.
Kadu,
“Cyber
-ph
ysical
system
for
enhanced
WSN-IoT
security
using
spherical
graph
triple
con
v
olutional
neural
netw
ork
with
planet
optimization
algorithm,
”
Pr
o
gr
ess
in
Engineering
Science
,
v
ol.
2,
no.
3,
Sep.
2025,
doi:
10.1016/j.pes.2025.100108.
Compar
ative
e
valuation
of
mac
hine
learning
models
for
intrusion
detection
in
...
(Mansour
Lmkaiti)
Evaluation Warning : The document was created with Spire.PDF for Python.
4922
❒
ISSN:
2252-8938
[23]
I.
Saadi,
A.
Mustaf
a,
J.
T
eller
,
and
M.
Cools,
“
A
bi-le
v
el
random
forest
based
approach
for
estimating
O-D
matrices:
Preliminary
results
from
the
Belgium
national
household
tra
v
el
surv
e
y
,
”
T
r
ansportation
Resear
c
h
Pr
ocedia
,
v
ol.
25,
pp.
2566–2573,
2017,
doi:
10.1016/j.trpro.2017.05.301.
[24]
M
.
O.
M.
Mohamm
ed,
“Pre
v
alence
and
risk
f
actors
associated
with
under
-
v
e
years
children
diarrhea
in
Mala
wi:
Application
of
surv
e
y
logistic
re
gression,
”
Heliyon
,
v
ol.
10,
no.
7,
Apr
.
2024,
doi:
10.1016/j.heliyon.2024.e29335.
[25]
A.
Manoharan,
K.
M.
Be
g
am,
V
.
R.
Apar
o
w
,
and
D.
Sooriamoorth
y
,
“
Articial
neural
netw
orks,
gradient
boosting
and
support
v
ector
machines
for
electric
v
ehicle
battery
state
estimation:
A
re
vie
w
,
”
J
ournal
of
Ener
gy
Stor
a
g
e
,
v
ol.
55,
Aug.
2022,
doi:
10.1016/j.est.2022.105384.
[26]
M
.
Lmkaiti,
I.
Larhlimi,
M.
Lachg
ar
,
H.
Moudni,
and
H.
Mouncif,
“
Adv
anced
optimization
of
RPL-IoT
protocol
using
ML
algorithms,
”
International
J
ournal
of
Advanced
Computer
Science
and
Applications
,
v
ol.
16,
no.
2,
2025,
doi:
10.14569/IJ
A
CSA.2025.01602135.
BIOGRAPHIES
OF
A
UTHORS
Mansour
Lmkaiti
is
from
Department
of
Computer
Mathemati
cs,
F
aculty
of
Polydisciplinary
,
Uni
v
ersity
Sultan
Moulay
Slimane,
Morocco.
His
domains
of
interests
is
high-performance
computer
systems
and
netw
orks:
t
heory
,
machine
learning
algorithms;
high
performance
in
WSNs;
and
c
ybersecurity
in
wireless
sensor
netw
orks.
He
can
be
contacted
at
email:
lamkaitimansour@gmail.com.
Houda
Moudni
is
currently
w
orking
as
theis
an
Assistant
Professor
at
the
National
School
of
Business
and
Management,
Sultan
Moulay
Slimane
Uni
v
ersity
,
B
´
eni
Mellal,
Morocco.
She
recei
v
ed
the
Ph.D.
de
gree
in
Computer
Sciences
from
the
F
aculty
of
Sciences
and
T
echnology
of
Beni
Mellal
in
2019.
She
de
v
eloped
a
strong
interest
in
computer
netw
orking.
Her
research
w
ork
primarily
focuses
on
securing
routing
protocols
in
mobile
Ad
Hoc
netw
orks
(MANET),
wireless
sensor
netw
orks
(WSN),
and
the
internet
of
things
(IoT).
She
can
be
contacted
at
email:
h.moudni@usms.ma.
Hicham
Mouncif
is
from
Department
of
Computer
Mathematics,
Uni
v
ersity
Sultan
Moulay
Slimane,
Morocco.
He
is
currently
w
orking
as
the
Professor
at
the
Department
of
Mathematics
and
Informatics.
His
research
interests
include
computer
netw
orking,
communication
engineering,
and
securing
routing
protocols
in
wireless
sensor
netw
orks.
His
domains
of
interests
is
high-performance
computer
systems
and
net
w
orks:
theory
,
machine
learning
algorithms;
high
performance
in
WSNs
and
c
ybersecurity
.
He
can
be
contacted
at
email:
h.mouncif@usms.ma.
Int
J
Artif
Intell,
V
ol.
14,
No.
6,
December
2025:
4913–4922
Evaluation Warning : The document was created with Spire.PDF for Python.