Intrusion detection method with multi-stage fusion for internet of medical things

doi:10.11772/j.issn.1001-9081.2024121844

Journal of Computer Applications ›› 2025, Vol. 45 ›› Issue (12): 3909-3915.DOI: 10.11772/j.issn.1001-9081.2024121844

• Cyber security • Previous Articles Next Articles

Intrusion detection method with multi-stage fusion for internet of medical things

Haoqun ZHENG¹^,², Lizhi CAI¹^,², Kang YANG², Xiaoyu WANG¹

^1.School of Information Science and Engineering，East China University of Science and Technology，Shanghai 200237，China
^2.Shanghai Key Laboratory of Computer Software Testing Evaluating，Shanghai Development Center of Computer Software Technology，Shanghai 201112，China

Received:2024-12-31 Revised:2025-03-18 Accepted:2025-03-20 Online:2025-04-11 Published:2025-12-10
Contact: Lizhi CAI
About author:ZHANG Haoqun， born in 1994， M. S. candidate. His researchinterest include cybersecurity.
CAI Lizhi， born in 1972， Ph. D.， research fellow. His research interest include cybersecurity，software testing， software quality.
YANG Kang， born in 1994， Ph. D. His research interests include cybersecurity， artificial intelligence.
WANG Xiaoyu， born in 2002， M. S. candidate. His research interest include cybersecurity.
First author contact:ZHANG Haoqun， born in 1994， M. S. candidate. His research interest include cybersecurity.
Supported by:
Shanghai Youth Science and Technology Talents Sailing Special Fund(24YF720000)

多阶段融合的医疗物联网入侵检测方法

郑浩群¹^,², 蔡立志¹^,², 杨康², 王晓宇¹

^1.华东理工大学信息科学与工程学院，上海 200237
^2.上海计算机软件技术开发中心上海市计算机软件评测重点实验室，上海 201112

通讯作者: 蔡立志
作者简介:郑浩群（1994—），男，福建南平人，硕士研究生，主要研究方向：网络安全
蔡立志（1972—），男，浙江金华人，研究员，博士，主要研究方向：网络安全、软件测试、软件质量
杨康（1994—），男，安徽芜湖人，博士，主要研究方向：网络安全、人工智能
王晓宇（2002—），男，甘肃陇南人，硕士研究生，主要研究方向：网络安全。
基金资助:
上海市青年科技英才扬帆专项(24YF720000)

Abstract

Abstract:

Aiming at the problems that the intrusion detection methods of Internet of Medical Things （IoMT） rely on the balance of data samples， the misuse detection based on supervised learning cannot cope with unknown attacks， and the false alarm rate of anomaly detection based on unsupervised learning is high， an intrusion detection method with multi-stage fusion for IoMT was proposed. Firstly， a feature extraction method that added header information and payload to the bidirectional flow features was adopted to reduce the dependence on the balance of data samples. Then， a three-stage intrusion detection framework was designed by combining supervised and unsupervised learning methods. In the framework， the unsupervised learning AutoEncoder （AE） model was used to filter benign traffic and detect unknown attacks， and the supervised learning hybrid model of Convolutional Neural Network （CNN）， Gated Recurrent Unit （GRU）， and Attention mechanism （Attention） was used to detect known attacks and reduce false alarms， so as to improve the detection performance. Experimental results show that Multi-stage fusion for IoMT Intrusion Detection System （MTIDS） constructed by the proposed method achieves 99.96% detection accuracy and 93.78% F1 value on the CICIoMT2024 and CICIoT2023 datasets， which are higher than those of intrusion detection models of single supervised or unsupervised learning methods such as AE. Specifically， MTIDS has an improvement of 0.82 percentage points in accuracy and 5.58 percentage points in F1 value compared to the best comparison model AE， which validates the accuracy of the proposed method in detecting known and unknown attacks.

Key words: Internet of Medical Things (IoMT), intrusion detection, deep learning, anomaly detection, unknown attack

摘要：

针对医疗物联网（IoMT）入侵检测方法依赖数据样本的平衡性，采用有监督学习的误用检测无法应对未知攻击，而采用无监督学习的异常检测误报率高的问题，提出一种多阶段融合的IoMT入侵检测方法。首先，采用双向流特征中加入包头信息和有效载荷的特征提取方法，减少对数据样本平衡性的依赖；其次，结合有监督和无监督学习方法设计一个三阶段的入侵检测框架，即通过无监督学习的自编码器（AE）模型过滤出良性流量并检测未知攻击，而通过有监督学习的卷积神经网络（CNN）、门控循环单元（GRU）和注意力机制（Attention）的混合模型检测已知攻击减少误报，从而提高检测性能。实验结果表明，所提方法构建的多阶段医疗物联网入侵检测系统（MTIDS）在CICIoMT2024和CICIoT2023数据集上实现了99.96%的检测准确率和93.78%的F1值，相较于AE等单一有监督或无监督学习方法的入侵检测模型，均有提高，其中，MTIDS在准确率和F1值上比对比模型中最优的AE分别提升了0.82和5.58个百分点，验证了所提方法在已知和未知攻击检测方面的准确性。

关键词: 医疗物联网, 入侵检测, 深度学习, 异常检测, 未知攻击

CLC Number:

TP393.08

Haoqun ZHENG, Lizhi CAI, Kang YANG, Xiaoyu WANG. Intrusion detection method with multi-stage fusion for internet of medical things[J]. Journal of Computer Applications, 2025, 45(12): 3909-3915.

郑浩群, 蔡立志, 杨康, 王晓宇. 多阶段融合的医疗物联网入侵检测方法[J]. 《计算机应用》唯一官方网站, 2025, 45(12): 3909-3915.

Figures/Tables 13

References 22

[1]	王晨，谢礼梅，郭晓玲. 基于物联网的智慧医疗系统应用及其发展趋势分析［J］. 消费电子， 2024（11）： 245-247.
	WANG C， XIE L M， GUO X L. Application and development trend analysis of smart healthcare system based on Internet of Things［J］. Consumer Electronics Magazine， 2024（11）： 245-247.
[2]	HERNANDEZ-JAIMES M L， MARTINEZ-CRUZ A， RAMÍREZ-GUTIÉRREZ K A， et al. Artificial intelligence for IoMT security： a review of intrusion detection systems， attacks， datasets and Cloud-Fog-Edge architectures［J］. Internet of Things， 2023， 23： No.100887.
[3]	HINDY H， BAYNE E， BURES M， et al. Machine learning based IoT intrusion detection system： an MQTT case study （MQTT-IoT-IDS2020 dataset）［C］// Proceedings of the 2020 International Networking Conference， LNNS 180. Cham： Springer， 2021： 73-84.
[4]	HORE S， GHADERMAZI J， SHAH A， et al. A sequential deep learning framework for a robust and resilient network intrusion detection system［J］. Computers and Security， 2024， 144： No.103928.
[5]	KUMAR P， GUPTA G P， TRIPATHI R. An ensemble learning and fog-cloud architecture-driven cyber-attack detection framework for IoMT networks［J］. Computer Communications， 2021， 166： 110-124.
[6]	GHOURABI A. A security model based on LightGBM and Transformer to protect healthcare systems from cyberattacks［J］. IEEE Access， 2022， 10： 48890-48903.
[7]	SAHEED Y K， AROWOLO M O. Efficient cyber attack detection on the internet of medical things-smart environment based on deep recurrent neural network and machine learning algorithms［J］. IEEE Access， 2021， 9： 161546-161554.
[8]	NANDY S， ADHIKARI M， KHAN M A， et al. An intrusion detection mechanism for secured IoMT framework based on swarm-neural network［J］. IEEE Journal of Biomedical and Health Informatics， 2022， 26（5）： 1969-1976.
[9]	ZACHOS G， ESSOP I， MANTAS G， et al. An anomaly-based intrusion detection system for internet of medical things networks［J］. Electronics， 2021， 10（21）： No.2562.
[10]	THAMILARASU G， ODESILE A， HOANG A. An intrusion detection system for internet of medical things ［J］. IEEE Access， 2020， 8： 181560-181576.
[11]	CHOWDHURY R R， IDRIS A C， ABAS P E. A deep learning approach for classifying network connected IoT devices using communication traffic characteristics［J］. Journal of Network and Systems Management， 2023， 31（1）： No.26.
[12]	HADY A A， GHUBAISH A， SALMA T， et al. Intrusion detection system for healthcare systems using medical and network data： a comparison study ［J］. IEEE Access， 2020， 8： 106576-106584.
[13]	CHAGANTI R， MOURADE A， RAVI V， et al. A particle swarm optimization and deep learning approach for intrusion detection system in internet of medical things［J］. Sustainability， 2022， 14（19）： No.12828.
[14]	RAVI V， PHAM T D， ALAZAB M. Deep learning-based network intrusion detection system for internet of medical things ［J］. IEEE Internet of Things Magazine， 2023， 6（2）： 50-54.
[15]	DADKHAH S， NETO E C P， FERREIRA R， et al. CICIoMT2024： a benchmark dataset for multi-protocol security assessment in IoMT［J］. Internet of Things， 2024， 28： No.101351.
[16]	ZUKAIB U， CUI X， ZHENG C， et al. Meta-IDS： meta-learning-based smart intrusion detection system for Internet of Medical Things （IoMT） network［J］. IEEE Internet of Things Journal， 2024， 11（13）： 23080-23095.
[17]	ElSAYED Z， ElSAYED N， BAY S. A novel zero-trust machine learning green architecture for healthcare IoT cybersecurity［C］// Proceedings of the IEEE SoutheastCon 2024. Piscataway： IEEE， 2024： 686-692.
[18]	DONG Y， LI Q， WU K， et al. HorusEye： a realtime IoT malicious traffic detection framework using programmable switches［C］// Proceedings of the 32nd USENIX Security Symposium. Berkeley： USENIX Association， 2023： 571-588.
[19]	AHMED M， BYREDDY S， NUTAKKI A， et al. ECU-IoHT： a dataset for analyzing cyber attacks in internet of health things ［J］. Ad Hoc Networks， 2021， 122： No.102621.
[20]	ZUBAIR M， GHUBAISH A， UNAL D， et al. Secure bluetooth communication in smart healthcare systems： a novel community dataset and intrusion detection system［J］. Sensors， 2022， 22（21）： No.8280.
[21]	HUSSAIN F， ABBAS S G， SHAH G A， et al. A framework for malicious traffic detection in IoT healthcare environment［J］. Sensors， 2021， 21（9）： No.3025.
[22]	RADOGLOU-GRAMMATIKIS P， ROMPOLOS K， SARIGIANNIDIS P， et al. Modeling， detecting， and mitigating threats against industrial healthcare systems： a combined software defined networking and reinforcement learning approach［J］. IEEE Transactions on Industrial Informatics， 2022， 18（3）： 2041-2052.

流量类型	攻击方式	描述
Benign		良性流量
Mirai	Mirai-udpplain	物联网僵尸网络攻击
Recon	Ping Sweep	主机探测
	Recon VulScan	漏洞扫描
	OS Scan	操作系统扫描
	Port Scan	端口扫描
MQTT	Malformed Data	畸形报文攻击
	DoS Connect Flood	连接泛洪攻击
	DDoS Publish Flood	分布式发布泛洪攻击
	DoS Publish Flood	发布泛洪攻击
	DDoS Connect Flood	分布式连接泛洪攻击
DoS	DoS TCP	TCP（Transmission Control Protocol）拒绝服务攻击
	DoS ICMP	ICMP（Internet Control Message Protocol）拒绝服务攻击
	DoS SYN	SYN（SYnchronize sequence Numbers）拒绝服务攻击
	DoS UDP	UDP（User Datagram Protocol）拒绝服务攻击
DDoS	DDoS SYN	SYN分布式拒绝服务攻击
	DDoS TCP	TCP分布式拒绝服务攻击
	DDoS ICMP	ICMP分布式拒绝服务攻击
	DDoS UDP	UDP分布式拒绝服务攻击

流量类型	攻击方式	描述
Benign		良性流量
Mirai	Mirai-udpplain	物联网僵尸网络攻击
Recon	Ping Sweep	主机探测
	Recon VulScan	漏洞扫描
	OS Scan	操作系统扫描
	Port Scan	端口扫描
MQTT	Malformed Data	畸形报文攻击
	DoS Connect Flood	连接泛洪攻击
	DDoS Publish Flood	分布式发布泛洪攻击
	DoS Publish Flood	发布泛洪攻击
	DDoS Connect Flood	分布式连接泛洪攻击
DoS	DoS TCP	TCP（Transmission Control Protocol）拒绝服务攻击
	DoS ICMP	ICMP（Internet Control Message Protocol）拒绝服务攻击
	DoS SYN	SYN（SYnchronize sequence Numbers）拒绝服务攻击
	DoS UDP	UDP（User Datagram Protocol）拒绝服务攻击
DDoS	DDoS SYN	SYN分布式拒绝服务攻击
	DDoS TCP	TCP分布式拒绝服务攻击
	DDoS ICMP	ICMP分布式拒绝服务攻击
	DDoS UDP	UDP分布式拒绝服务攻击

类别	总样本数	训练样本数	测试样本数
总计	9 218 136	6 422 880	2 795 256
Benign	18 349	14 658	3 691
Mirai	1 189 538	0	1 189 538
Recon	20 479	16 385	4 094
MQTT	493 408	394 733	98 675
DoS	2 704 729	2 163 831	540 898
DDoS	4 791 633	3 833 273	958 360

类别	总样本数	训练样本数	测试样本数
总计	9 218 136	6 422 880	2 795 256
Benign	18 349	14 658	3 691
Mirai	1 189 538	0	1 189 538
Recon	20 479	16 385	4 094
MQTT	493 408	394 733	98 675
DoS	2 704 729	2 163 831	540 898
DDoS	4 791 633	3 833 273	958 360

超参数	异常检测器参数	新类型检测器参数
Encoder	［70，70，50，25，12］	［150，100，50，25，12］
Decoder	［12，25，50，70，70］	［12，25，50，100，150］
Activations	［Leaky ReLU， ReLU］	［Leaky ReLU， ReLU］
Latent	6	6
Loss	MAE	MAE
Optimizer	Adam	Adam
Batch size	256	256
Epoch size	100	100

Intrusion detection method with multi-stage fusion for internet of medical things

多阶段融合的医疗物联网入侵检测方法

RichHTML

PDF

Knowledge

Abstract

Cite this article

share this article

Figures/Tables 13

References 22

Related Articles 15

Recommended Articles

Metrics

超参数	参数设置	超参数	参数设置
InputLayer	（77，1）	Activations	ReLU
Conv1D	（75，16）	Output activation	Sigmoid
MaxPooling1D	（37，16）	Loss	Binary crossentropy
GRU	（77，16）	Optimizer	Adam
Attention	（37，16）	Metrics	Accuracy
Flatten	592	Batch size	512
Dense	64	Epoch size	20
Dropout	64
Dense	1

模型代号	模型	准确率	精确率	召回率	F1值
A	SVM	89.47	58.45	94.59	61.70
B	RF	93.53	62.21	96.54	67.91
C	DNN	89.78	58.47	94.51	61.73
D	CNN-GRU	89.76	58.38	94.00	61.59
E	CNN-LSTM-Attention^［14］	91.41	59.43	95.09	63.47
F	AE^［17］	99.14	83.12	95.70	88.20
G	Magnifier^［18］	98.55	79.86	96.11	86.14
H	MTIDS	99.96	90.89	97.10	93.78

类别	阶段1			阶段2			阶段3
类别	总计	良性	异常	总计	良性	恶意	总计	良性	恶意
Benign	3 691	2 579	1 112	1 112	1 051	61	1 051	899	152
Mirai	1 189 538	105	1 189 433	1 189 433	1 130 288	59 145	1 130 288	496	1 129 792
Recon	4 094	23	4 071	4 071	24	4 047	24	12	12
MQTT	98 675	0	98 675	98 675	5	98 670	5	0	5
DoS	540 898	4	540 894	540 894	6	540 888	6	3	3
DDoS	958 360	96	958 264	958 264	97	958 167	97	35	62

[1]	Hongjun ZHANG, Gaojun PAN, Hao YE, Yubin LU, Yiheng MIAO. Multi-source heterogeneous data analysis method combining deep learning and tensor decomposition [J]. Journal of Computer Applications, 2025, 45(9): 2838-2847.
[2]	Jin LI, Liqun LIU. SAR and visible image fusion based on residual Swin Transformer [J]. Journal of Computer Applications, 2025, 45(9): 2949-2956.
[3]	Bing YIN, Zhenhua LING, Yin LIN, Changfeng XI, Ying LIU. Emotion recognition method compatible with missing modal reasoning [J]. Journal of Computer Applications, 2025, 45(9): 2764-2772.
[4]	Weigang LI, Jiale SHAO, Zhiqiang TIAN. Point cloud classification and segmentation network based on dual attention mechanism and multi-scale fusion [J]. Journal of Computer Applications, 2025, 45(9): 3003-3010.
[5]	Zhixiong XU, Bo LI, Xiaoyong BIAN, Qiren HU. Adversarial sample embedded attention U-Net for 3D medical image segmentation [J]. Journal of Computer Applications, 2025, 45(9): 3011-3016.
[6]	Panfeng JING, Yudong LIANG, Chaowei LI, Junru GUO, Jinyu GUO. Semi-supervised image dehazing algorithm based on teacher-student learning [J]. Journal of Computer Applications, 2025, 45(9): 2975-2983.
[7]	Lina GE, Mingyu WANG, Lei TIAN. Review of research on efficiency of federated learning [J]. Journal of Computer Applications, 2025, 45(8): 2387-2398.
[8]	Yanhua LIAO, Yuanxia YAN, Wenlin PAN. Multi-target detection algorithm for traffic intersection images based on YOLOv9 [J]. Journal of Computer Applications, 2025, 45(8): 2555-2565.
[9]	Peng PENG, Ziting CAI, Wenling LIU, Caihua CHEN, Wei ZENG, Baolai HUANG. Speech emotion recognition method based on hybrid Siamese network with CNN and bidirectional GRU [J]. Journal of Computer Applications, 2025, 45(8): 2515-2521.
[10]	Shuo ZHANG, Guokai SUN, Yuan ZHUANG, Xiaoyu FENG, Jingzhi WANG. Dynamic detection method of eclipse attacks for blockchain node analysis [J]. Journal of Computer Applications, 2025, 45(8): 2428-2436.
[11]	Jinxian SUO, Liping ZHANG, Sheng YAN, Dongqi WANG, Yawen ZHANG. Review of interpretable deep knowledge tracing methods [J]. Journal of Computer Applications, 2025, 45(7): 2043-2055.
[12]	Zhenzhou WANG, Fangfang GUO, Jingfang SU, He SU, Jianchao WANG. Robustness optimization method of visual model for intelligent inspection [J]. Journal of Computer Applications, 2025, 45(7): 2361-2368.
[13]	Qiaoling QI, Xiaoxiao WANG, Qianqian ZHANG, Peng WANG, Yongfeng DONG. Label noise adaptive learning algorithm based on meta-learning [J]. Journal of Computer Applications, 2025, 45(7): 2113-2122.
[14]	Xiaoyang ZHAO, Xinzheng XU, Zhongnian LI. Research review on explainable artificial intelligence in internet of things applications [J]. Journal of Computer Applications, 2025, 45(7): 2169-2179.
[15]	Tianchen HUA, Xiaoning MA, Hui ZHI. Portable executable malware static detection model based on shallow artificial neural network [J]. Journal of Computer Applications, 2025, 45(6): 1911-1921.

模型	准确率	精确率	召回率	F1值
MTIDS	99.96	90.89	97.10	93.78
w/o 阶段1	99.95	90.51	96.48	93.29
w/o 阶段2	96.82	51.90	95.97	52.85
w/o 阶段3	59.55	50.16	78.70	37.62

模型	准确率	精确率	召回率	F1值
MTIDS	99.96	90.89	97.10	93.78
w/o 阶段1	99.95	90.51	96.48	93.29
w/o 阶段2	96.82	51.90	95.97	52.85
w/o 阶段3	59.55	50.16	78.70	37.62