
A Multi Stage Intelligent Intrusion Detection System With Blockchain Driven Mitigation For Iot Security

Abstract: An intelligent intrusion detection system (IDS) is proposed, featuring a five-stage architecture optimized for IoT environments as shown in figure-1. It incorporates a hybrid deep learning model (CNN and LSTM) for real-time traffic classification and harmful packet filtering, followed by device identification through packet-level analysis. Intrusion detection combines deep learning, variational autoencoders (VAE), and transfer learning to detect both known and unknown threats. A blockchain-based mitigation layer logs attacks and triggers smart contracts for automated responses, ensuring tamper-proof and decentralized security actions. Finally, a QoE prediction module uses CNNs and attention mechanisms to assess and balance user experience impacts, enabling adaptive, experience-aware defence strategies.


Patent Information

Application #
Filing Date
11 June 2025
Publication Number
25/2025
Publication Type
INA
Invention Field
COMPUTER SCIENCE
Status
Email
Parent Application

Applicants

PONDICHERRY UNIVERSITY
Pondicherry University, Chinna Kalapet, Kalapet, Puducherry 605014.

Inventors

1. SINGAMANENI KRISHNAPRIYA
Research Scholar, Department of Computer Science, Pondicherry University.
2. SUKHVINDER SINGH
Assistant Professor, Department of Computer Science, Pondicherry University, Pondicherry.

Specification

DESCRIPTION
FIELD OF THE INVENTION
[0001] The present invention relates to an intrusion detection system for IoT devices, more particularly one using convolutional neural network (CNN) and long short-term memory (LSTM) deep learning models.

BACKGROUND
[0002] In conventional intrusion detection systems (IDS), while data collection and reduction processes are often automated, the core analysis of that data typically remains a manual or semi-automated task. Various profiling and pattern recognition techniques have been applied to assist in this analysis by modelling typical system, application, or user behaviours. Off-line analysis is commonly employed to establish a baseline of "normal" behaviour. This process involves observing system activity over a defined period and generating rule sets or statistical models that represent expected behaviour. During live operation, significant deviations from this baseline, referred to as anomalous behaviour, are flagged as potential intrusions.

[0003] Anomaly-based IDS approaches rely on detecting statistically significant deviations from established behaviour profiles. These systems compare current behaviour patterns to historical norms in an attempt to identify actions that fall outside expected thresholds. False positives occur when legitimate activity is incorrectly classified as malicious. These misclassifications can overwhelm security personnel, lead to alert fatigue, and undermine trust in the IDS. False negatives happen when actual intrusions go undetected. This failure to recognize malicious activity can result in delayed or no response, potentially leading to system compromise, data loss, or financial damage. False negatives are particularly problematic in systems where behavioral models fail to adequately account for the diverse tactics and strategies employed by sophisticated intruders. The lack of specificity in the profiling models reduces their effectiveness in predicting and identifying malicious behavior that subtly diverges from the norm.

[0004] The existing invention discloses a computer-implemented intrusion detection system and method that monitors a computer system in real-time for activity indicative of attempted or actual access by unauthorized persons or computers. The system identifies unauthorized access attempts by analyzing user behavior against dynamically generated user profiles. These profiles are created when a user first logs in and are continuously updated with each subsequent login. By comparing real-time behavior to these evolving profiles, the system reduces false alarms. It detects events indicating unauthorized access, alerts a control function, and automatically responds to threats. Additional features include log auditing, port scan detection, and session monitoring.

[0005] Moreover, the other invention discloses an intrusion detection method based on flow visualization and a machine learning algorithm, comprising the following steps: s1: capturing traffic using a high speed capture device; s2: sending the traffic which cannot be identified by the intruder database and the required packet header information to a data processing layer for data processing; s3: converting the received flow for data processing into a gray-scale image; s4: based on semi-supervised learning, clustering the gray level maps by using a K-means algorithm, classifying the gray level maps of each cluster by using a convolutional neural network (CNN), and judging whether unknown intrusion occurs or not based on an entropy theory and a classification result; s5: according to the classification result, based on an antibody theory in an AIS algorithm, a decision tree algorithm is adopted to purify the specific attack, and a detection result is obtained. The invention solves the problems that each attack cannot be accurately detected, the network attack cannot be detected in real time, the speed of establishing an intrusion system is slow, the feature extraction is complex and the resource occupancy rate is high in the prior art.

[0006] The above-mentioned invention has the limitation that its machine learning models offer limited support for zero-day attack detection. Hence, an intrusion detection system is proposed in the present invention using hybrid deep learning (LSTM + VAE + Transfer Learning) for adaptive and zero-day intrusion detection.

SUMMARY
[0007] The proposed intrusion detection system (IDS) is specifically designed for securing Internet of Things (IoT) environments through a comprehensive five-stage architecture. The system begins with traffic classification, where a hybrid deep learning model combining convolutional neural networks (CNN) and long short-term memory (LSTM) networks is employed to analyze packet data and classify network traffic into benign, known attacks, and unknown threats. This enables early filtering of malicious packets.

[0008] The device identification is performed using the same hybrid model applied to full packet data, allowing the system to accurately fingerprint IoT devices and generate behaviour profiles. This contextual awareness of device types enhances detection accuracy and response relevance.

[0009] The intrusion detection module leverages an advanced fusion of hybrid deep learning, Variational Autoencoders (VAE), and transfer learning to detect complex and previously unseen attacks. This module outputs threat scores and identifies affected devices, forming the basis for informed response actions.

[0010] A blockchain-based mitigation layer ensures secure and transparent threat response. Alerts including attack types, severity scores, and affected devices are recorded on a tamper-proof, decentralized blockchain ledger. This layer also supports the automated execution of smart contracts that can enforce actions like IP blacklisting, device isolation, and network-wide alert dissemination.

[0011] A Quality of Experience (QoE) prediction and feedback module uses CNNs and attention-based deep learning models to predict the impact of security actions on end-user experience. This enables the system to dynamically adjust defense strategies, ensuring optimal security without unnecessary disruption to IoT services.

[0012] Together, these stages form an intelligent, adaptive, and secure IDS architecture that balances robust threat detection with system performance and user experience in IoT networks.

BRIEF DESCRIPTION OF THE DRAWINGS
[0013] Figure-1 illustrates the block diagram of the proposed invention.

[0014] Figure-2 illustrates the layered architecture of the proposed framework.

[0015] Figure-3 illustrates the feedback workflow of the system.

OBJECTIVES OF THE INVENTION
[0016] The main objective of the proposed invention is to provide accurate network traffic classification into benign, known attack and unknown attack categories using a hybrid deep learning model (CNN + LSTM).
[0015] The proposed invention detects and filters harmful packets in real time to prevent early-stage threats from spreading within the network.

[0017] The intrusion detection system detects and profiles IoT devices based on full packet data to support context-aware threat detection and tailored mitigation.

[0018] Detects both known and unknown intrusions using a combination of hybrid deep learning, variational autoencoders (VAE), and transfer learning techniques.

[0019] Score and localize threats by evaluating the severity of attacks and identifying affected devices to prioritize response.

DETAILED DESCRIPTION OF THE INVENTION:
[0020] An integrated intrusion detection system for IoT users is proposed in the present invention, as shown in figure-1. The proposed intrusion detection system operates in five stages. Stage-1 comprises a traffic classification module and a hybrid deep learning model. The traffic classification uses the hybrid deep learning model, which is a combination of a convolutional neural network (CNN) and long short-term memory (LSTM). The hybrid deep learning model classifies the traffic flow into known and unknown attacks, and detects and filters harmful packets. The traffic classification module collects the packet data of known and unknown attacks.

[0021] Stage-2 of the proposed intrusion detection system comprises a device identification module. The hybrid deep learning model is applied to the full packet data to accurately fingerprint and detect internet of things (IoT) devices, and the device identification module outputs device types and behaviour profiles. Stage-3 includes an intrusion detection module, which is formed from the hybrid deep learning model, a variational autoencoder (VAE), which is a federated learning model, and transfer learning. The intrusion detection module detects the known and unknown attacks and outputs scores and affected devices. It enables unsupervised and semi-supervised detection, enhancing adaptability. Stage-4 contains a block chain-based mitigation layer. The intrusion detection module's alerts, covering the known and unknown attacks, output scores and affected devices, are recorded on a tamper-proof blockchain ledger.

[0022] The block chain-based mitigation layer triggers a smart contract automatically. The smart contracts are IP blacklisting, device isolation and alert dissemination across the intrusion detection system. The block chain-based mitigation layer ensures tamper-proof, decentralized, and auditable response mechanisms. Stage-5 is a quality of experience (QoE) prediction and feedback module. The quality of experience (QoE) prediction and feedback module predicts internet of things (IoT) users using a convolution neural network (CNN) deep learning model and an attention model. The quality of experience (QoE) prediction and feedback module enables security decisions, ensuring that mitigation actions do not degrade the user experience unnecessarily. The quality of experience (QoE) prediction and feedback module connects security actions like blocking traffic with QoE impact assessments and adjusts network defense strategies dynamically to balance security and user experience.

[0023] Ensure secure and transparent threat response through a tamper-proof, decentralized blockchain ledger. Automate mitigation actions using smart contracts for real-time enforcement of IP blacklisting, device isolation, and system-wide alert dissemination. Predict the impact of security actions on user Quality of Experience (QoE) using CNNs and attention-based models. Balance security with user experience by dynamically adjusting defense strategies based on QoE feedback. Provide a scalable, intelligent, and adaptive IDS framework tailored for the unique challenges of IoT environments.

[0024] The proposed invention introduces a comprehensive, AI-driven, and blockchain-empowered framework designed to address key challenges in managing IoT networks as shown in figure-2. Specifically, it targets traffic classification, device identification, behavior-aware intrusion detection, Quality of Experience (QoE) optimization, and secure mitigation. The system is structured using a layered architecture that integrates embedded intelligence, distributed learning, and tamper-proof security to enable real-time threat detection and service quality assurance within smart IoT environments.

[0025] A vertically modular system architecture that ensures scalability, traceability, and support for distributed intelligence has been proposed. The IoT Device and Edge Network Layer comprises sensors, meters, and actuators that generate telemetry data. Edge devices act as local computation nodes capable of supporting federated learning and privacy-preserving analytics. The Data Collection Layer interacts with gateway nodes to capture and securely log raw network traffic while also allowing controlled attack injections to evaluate the robustness of downstream components. Following this, the Data Processing and Feature Extraction Layer converts raw packet streams into structured features through techniques like packet parsing, session correlation, and temporal analysis. This layer extracts relevant features such as packet length distribution, inter-arrival times, burst patterns, and protocol usage frequencies.
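
The feature extraction step named in this paragraph can be sketched as follows. This is an added example, not code from the application; the packet tuple layout, the size buckets and the 0.1 s burst gap are assumptions, and the packets are constructed sample data.

```python
from collections import Counter
from statistics import mean, pstdev

# Constructed sample: (timestamp_s, length_bytes, protocol) for one device's traffic.
SAMPLE_PACKETS = [
    (0.000, 60, "TCP"), (0.010, 1500, "TCP"), (0.020, 1500, "TCP"),
    (0.030, 60, "TCP"), (2.000, 90, "UDP"), (2.005, 90, "UDP"),
    (5.000, 60, "TCP"),
]
LENGTH_EDGES = (64, 128, 512, 1024, 1500)  # assumed bucket upper bounds, in bytes


def extract_features(packets, burst_gap=0.1):
    """Reduce a packet list to one fixed-size feature record."""
    if len(packets) < 2:
        raise ValueError("need at least two packets to compute inter-arrival times")
    packets = sorted(packets)  # order by timestamp
    times = [p[0] for p in packets]
    lengths = [p[1] for p in packets]

    # Packet length distribution: share of packets in each size bucket.
    counts = [0] * (len(LENGTH_EDGES) + 1)
    for size in lengths:
        bucket = sum(size > edge for edge in LENGTH_EDGES)
        counts[bucket] += 1
    length_dist = [c / len(lengths) for c in counts]

    # Inter-arrival times between consecutive packets.
    gaps = [later - earlier for earlier, later in zip(times, times[1:])]

    # Burst pattern: a burst is a run of packets whose gaps stay below burst_gap.
    bursts, run = [], 1
    for gap in gaps:
        if gap < burst_gap:
            run += 1
        else:
            bursts.append(run)
            run = 1
    bursts.append(run)

    # Protocol usage frequencies.
    proto = Counter(p[2] for p in packets)
    proto_freq = {name: n / len(packets) for name, n in sorted(proto.items())}

    return {
        "length_dist": length_dist,
        "iat_mean": mean(gaps),
        "iat_std": pstdev(gaps),
        "burst_count": len(bursts),
        "max_burst": max(bursts),
        "proto_freq": proto_freq,
    }


if __name__ == "__main__":
    print(extract_features(SAMPLE_PACKETS))
```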

[0026] The security and traffic analysis layer executes the system’s core machine learning algorithms. These include traffic classification to identify flow types (benign, malicious, or anomalous), device identification to associate traffic with specific device types based on behavioural signatures, and an intrusion detection system (IDS) that applies temporal anomaly detection for accurate threat recognition. Above this, the Application Layer integrates QoE prediction models and blockchain-based enforcement logic. Smart contracts within this layer autonomously respond to detected threats by initiating actions such as IP blacklisting or device isolation, while also recording these events on-chain to ensure transparency and auditability. Finally, the User Interface Layer presents real-time visualizations of system analytics, including device behaviours, detected anomalies, QoE states, and smart contract executions, enabling effective monitoring and decision-making by administrators.

[0027] The process begins with Network Traffic Classification, where a hybrid CNN-LSTM model is employed to learn both packet-level and flow-level patterns, enabling it to distinguish between benign, anomalous, and malicious traffic. This model transforms raw, unstructured network data into labeled metadata, laying the groundwork for behaviour-aware analytics. Next is the Device Identification stage, which uses the same CNN-LSTM approach to analyze flow and session-level metadata. This module maps traffic to specific IoT device types, adding semantic context to network behaviour and supporting device-aware detection, rather than treating all traffic generically. In the intrusion detection stage, the system applies LSTM-based temporal embedding alongside variational autoencoders (VAE) for probabilistic behaviour reconstruction. This enables the IDS module to detect both known and unknown (zero-day) threats by flagging deviations where the combined anomaly score comprising reconstruction loss and KL divergence exceeds a defined threshold.
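
The combined anomaly score described above (reconstruction loss plus KL divergence, compared with a threshold) can be worked through in code. This is an added example, not code from the application: the fixed linear encoder and decoder are a constructed stand-in for a trained LSTM-VAE, and the benign vectors, the `beta` weight and the 1.5 margin are assumptions.

```python
import math

# Stand-in for a trained LSTM-VAE (an assumption of this example): a 2-D
# standardized feature vector is encoded to a 1-D latent along direction W.
W = (1 / math.sqrt(2), 1 / math.sqrt(2))
LOGVAR = -1.0  # constant posterior log-variance emitted by the stand-in encoder


def encode(x):
    """Return (mu, logvar) of the approximate posterior q(z|x)."""
    return sum(a * b for a, b in zip(x, W)), LOGVAR


def decode(z):
    """Reconstruct the feature vector from latent value z."""
    return tuple(z * w for w in W)


def kl_divergence(mu, logvar):
    """KL( N(mu, exp(logvar)) || N(0, 1) ) for a one-dimensional latent."""
    return 0.5 * (mu * mu + math.exp(logvar) - 1.0 - logvar)


def anomaly_score(x, beta=1.0):
    """Return (total, reconstruction_loss, kl) with total = recon + beta * kl."""
    mu, logvar = encode(x)
    x_hat = decode(mu)  # decode the posterior mean so the score is deterministic
    recon = sum((a - b) ** 2 for a, b in zip(x, x_hat))
    kl = kl_divergence(mu, logvar)
    return recon + beta * kl, recon, kl


def calibrate_threshold(benign_samples, margin=1.5):
    """Threshold = highest score on benign validation data, times a margin."""
    return margin * max(anomaly_score(x)[0] for x in benign_samples)


def is_anomalous(x, threshold):
    return anomaly_score(x)[0] > threshold


# Constructed benign validation vectors: both features move together.
BENIGN = [(0.5, 0.6), (-0.3, -0.2), (1.0, 0.9), (-0.8, -1.0), (0.1, 0.0), (0.2, 0.3)]
THRESHOLD = calibrate_threshold(BENIGN)

if __name__ == "__main__":
    cases = [("benign", (0.4, 0.4)), ("off-profile", (1.0, -1.0)), ("extreme", (3.0, 3.0))]
    for name, x in cases:
        total, recon, kl = anomaly_score(x)
        print(name, round(total, 3), round(recon, 3), round(kl, 3), is_anomalous(x, THRESHOLD))
```

The two terms flag different deviations: the off-profile vector is caught by reconstruction loss because it breaks the learned relationship between features, while the extreme vector reconstructs well and is caught only by the KL term.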

[0028] In the blockchain-based smart contract integration, detected threats, associated device behaviours, and the decisions made by the models are logged on a decentralized blockchain ledger. This tamper-proof mechanism ensures transparency, non-repudiation, and regulatory compliance, particularly in sensitive domains like healthcare and smart city infrastructures. The final stage is Quality of Experience (QoE) Prediction, which uses a federated learning approach combining CNN and attention mechanisms to estimate user QoE levels across devices. Encrypted local gradients are contributed by edge nodes to preserve data privacy while enabling accurate prediction of QoE as low, medium, or high. This capability helps maintain a balance between security enforcement and user experience.
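
The alert logging and smart-contract response of stage 4 can be modelled with a hash-chained log. This is an added example, not code from the application: it is a single-node chain with no consensus or replication, and the alert fields, the severity cut-offs and the sample alerts are constructed assumptions.

```python
import hashlib
import json

GENESIS = "0" * 64

# Constructed sample alerts; addresses come from documentation ranges.
SAMPLE_ALERTS = [
    {"attack": "port_scan", "severity": 0.3, "device": "cam-01", "source_ip": "192.0.2.10"},
    {"attack": "unknown", "severity": 0.9, "device": "meter-07", "source_ip": "198.51.100.4"},
    {"attack": "dos", "severity": 0.6, "device": "lock-02", "source_ip": "203.0.113.25"},
]


def contract_actions(alert):
    """Stand-in for the smart contract: choose responses from the severity score.
    The 0.5 and 0.8 cut-offs are assumptions of this example."""
    actions = ["disseminate_alert"]
    if alert["severity"] >= 0.5:
        actions.append("blacklist_ip:" + alert["source_ip"])
    if alert["severity"] >= 0.8:
        actions.append("isolate_device:" + alert["device"])
    return actions


def block_digest(prev_hash, body):
    """Hash the previous block's hash together with a canonical JSON body."""
    payload = json.dumps(body, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + payload).encode("utf-8")).hexdigest()


def append_alert(ledger, alert):
    """Record the alert and the actions taken for it as the next block."""
    prev_hash = ledger[-1]["hash"] if ledger else GENESIS
    body = {"index": len(ledger), "alert": dict(alert), "actions": contract_actions(alert)}
    block = dict(body, prev_hash=prev_hash, hash=block_digest(prev_hash, body))
    ledger.append(block)
    return block


def verify(ledger):
    """Return -1 if the chain is intact, else the index of the first bad block."""
    prev_hash = GENESIS
    for i, block in enumerate(ledger):
        body = {key: block[key] for key in ("index", "alert", "actions")}
        if (block["index"] != i or block["prev_hash"] != prev_hash
                or block["hash"] != block_digest(prev_hash, body)):
            return i
        prev_hash = block["hash"]
    return -1


def build_sample_ledger():
    ledger = []
    for alert in SAMPLE_ALERTS:
        append_alert(ledger, alert)
    return ledger


if __name__ == "__main__":
    ledger = build_sample_ledger()
    print(verify(ledger))                 # intact chain
    ledger[1]["alert"]["severity"] = 0.1  # edit a recorded alert after the fact
    print(verify(ledger))                 # the edited block no longer matches its hash
```

A single-writer chain like this only makes edits detectable: whoever holds it can rehash every block from the edit onward, which is the gap the replicated, decentralized ledger in the description is meant to close.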

[0029] The system architecture adopts a feedback-centric design that enables continuous learning and self-optimization as shown in Figure 3. Device identification and behavioural profiling feed into the IDS, which then detects anomalies and records alerts on-chain. These alerts inform the QoE module, whose output feeds back into the IDS and traffic classifier to refine detection strategies. The blockchain not only enforces mitigation via smart contracts but also serves as a verifiable ground truth for model auditing and system improvement. This closed feedback loop ensures the system adapts over time, supports introspection, and adjusts to evolving network dynamics.

[0030] Overall, the proposed invention introduces a novel convergence of layered system architecture, deep learning models, federated training, and blockchain-based enforcement, creating a powerful solution for next-generation IoT network management. It offers robust threat detection through LSTM-VAE modeling of device behavior, high-precision device identification using CNN-LSTM fusion, decentralized QoE prediction with federated CNN-attention learning, and secure mitigation using smart contracts. Most importantly, its feedback-driven nature makes it a self-improving system capable of sustaining high performance in complex and dynamic environments. This makes it well-suited for deployment across diverse sectors such as smart healthcare, intelligent transportation, industrial IoT, and smart city ecosystems—where adaptive, secure, and user-aware network intelligence is essential.
CLAIMS:
I/We Claim:
1. A multi stage intrusion detection system for internet of things (IoT) network, comprising: the intrusion detection system operates in five stages;
stage-1: a traffic classification module; a hybrid deep learning model;
the traffic classification uses the hybrid deep learning model;
the hybrid deep learning model classifies traffic flow into known and unknown attacks; whereby the hybrid deep learning model detects and filters harmful packets;
whereby the traffic classification module collects the filtered packet data of the known and the unknown attack;
stage-2: a device identification module;
the hybrid deep learning model is performed on the filtered packet data for correct fingerprint and detects internet of things (IoT) devices;
whereby the device identification module detects types of internet of things (IoT) devices and their behaviour profiles;
stage-3: an intrusion detection module;
the intrusion detection module is formed from the hybrid deep learning model, a variational autoencoders (VAE) and a transfer learning;
the outputs of stage 1 and stage 2 are received as input by the intrusion detection module;
whereby the intrusion detection module detects the known and the unknown attacks of the internet of things (IoT) devices;
stage-4: a block chain-based mitigation layer;
the block chain-based mitigation layer receives input from stage 1 and stage 3;
the known and the unknown attacks of the internet of things (IoT) devices alerts of the intrusion detection module are recorded on a tamper-proof blockchain ledger;
whereby the block chain-based mitigation layer triggers a smart contract;
stage-5: a quality of experience (QoE) prediction and feedback module;
the quality of experience (QoE) prediction and feedback module predicts the internet of things (IoT) users using a convolution neural network (CNN) deep learning model and an attention model; and
the quality of experience (QoE) prediction and feedback module enables security decisions, ensuring that mitigation actions do not degrade the user experience.
2. The intrusion detection system as claimed in claim 1, wherein the hybrid deep learning models are convolution neural network (CNN) and long short-term memory (LSTM).
3. The intrusion detection system as claimed in claim 1, wherein the smart contracts are IP blacklisting, device isolation and alert dissemination across the intrusion detection system.
4. The intrusion detection system as claimed in claim 1, wherein the block chain-based mitigation layer ensures tamper-proof, decentralized, and auditable response mechanisms.
5. The intrusion detection system as claimed in claim 1, wherein the quality of experience (QoE) prediction and feedback module connects security actions like blocking traffic with QoE impact assessments and adjusts network defense strategies dynamically to balance security and user experience.

Documents

Application Documents

# Name Date
1 202541056158-STATEMENT OF UNDERTAKING (FORM 3) [11-06-2025(online)].pdf 2025-06-11
2 202541056158-REQUEST FOR EXAMINATION (FORM-18) [11-06-2025(online)].pdf 2025-06-11
3 202541056158-REQUEST FOR EARLY PUBLICATION(FORM-9) [11-06-2025(online)].pdf 2025-06-11
4 202541056158-PROOF OF RIGHT [11-06-2025(online)].pdf 2025-06-11
5 202541056158-POWER OF AUTHORITY [11-06-2025(online)].pdf 2025-06-11
6 202541056158-FORM-9 [11-06-2025(online)].pdf 2025-06-11
7 202541056158-FORM 18 [11-06-2025(online)].pdf 2025-06-11
8 202541056158-FORM 1 [11-06-2025(online)].pdf 2025-06-11
9 202541056158-FIGURE OF ABSTRACT [11-06-2025(online)].pdf 2025-06-11
10 202541056158-DRAWINGS [11-06-2025(online)].pdf 2025-06-11
11 202541056158-DECLARATION OF INVENTORSHIP (FORM 5) [11-06-2025(online)].pdf 2025-06-11
12 202541056158-COMPLETE SPECIFICATION [11-06-2025(online)].pdf 2025-06-11