A Multi-Modal AI Framework for Intrusion Detection in Healthcare IoT

  • Authors

    https://doi.org/10.14419/xw7zzh51

    Received date: December 31, 2025

    Accepted date: January 24, 2026

    Published date: January 26, 2026

  • Healthcare Internet of Things (HIoT); Intrusion Detection System; Multi-Modal Security; Device Telemetry; Network Traffic Analysis; Ensemble Learning; False Positive Reduction; Cyber-Physical Systems Security
  • Abstract

    The rapid adoption of Healthcare Internet of Things (HIoT) technologies has increased the exposure of safety-critical medical infrastructures to sophisticated cyberattacks, while simultaneously imposing strict constraints on availability, privacy, and false alarm tolerance. Traditional network-centric intrusion detection systems (IDSs) struggle to reliably detect stealthy, low-rate attacks in healthcare environments, where encrypted traffic and predictable clinical communication patterns limit observability. This paper proposes a lightweight multi-modal intrusion detection framework for HIoT networks that jointly analyzes network flow metadata and device telemetry using structured feature fusion and ensemble meta-learning. By integrating communication behavior with device-level operational regularity, the framework provides a more comprehensive representation of system activity without relying on payload inspection. An extensive evaluation was conducted using heterogeneous IoT and botnet datasets, including TON_IoT, IoT-23, and MedBIoT, under realistic conditions of class imbalance. Experimental results demonstrate that the proposed framework achieves 97.1% detection accuracy and 96.5% F1-score, outperforming state-of-the-art network-only IDS baselines. Most notably, the framework reduces the false positive rate to 2.4%, representing a relative reduction of over 38% compared to strong deep learning baselines. Attack-wise analysis shows the most significant performance gains for stealthy and low-rate attack classes, where network-centric IDSs exhibit substantial degradation. Ablation studies confirm that device telemetry improves recall for stealthy threats, while ensemble meta-learning stabilizes predictions and suppresses false alarms. Latency and scalability measurements further indicate that the framework remains suitable for real-time deployment at healthcare gateway nodes. Overall, the results provide strong empirical evidence that multi-modal intrusion detection materially improves detection reliability, clinical safety, and robustness in healthcare IoT environments, addressing key limitations of existing single-modality IDS approaches.

  • How to Cite

    Al-Balasmeh, H., Jaber, F. A., & Abdulsattar, S. S. (2026). A Multi-Modal AI Framework for Intrusion Detection in Healthcare IoT. International Journal of Basic and Applied Sciences, 15(1), 161-176. https://doi.org/10.14419/xw7zzh51