Unsupervised Anomaly Detection for Smart IoT Devices: Performance and Resource Comparison

TL;DR

This study compares the performance and resource efficiency of two unsupervised anomaly detection methods, Isolation Forest and OC-SVM, for IoT security, finding Isolation Forest more accurate and resource-friendly for edge deployment.

Contribution

It provides a comprehensive evaluation of Isolation Forest and OC-SVM on IoT data, highlighting Isolation Forest's superior detection performance and resource efficiency.

Findings

Isolation Forest outperforms OC-SVM in accuracy, precision, recall, and F1-score.

Isolation Forest has a smaller model size and lower RAM usage.

Isolation Forest is more suitable for resource-constrained IoT devices.

Abstract

The rapid expansion of Internet of Things (IoT) deployments across diverse sectors has significantly enhanced operational efficiency, yet concurrently elevated cybersecurity vulnerabilities due to increased exposure to cyber threats. Given the limitations of traditional signature-based Anomaly Detection Systems (ADS) in identifying emerging and zero-day threats, this study investigates the effectiveness of two unsupervised anomaly detection techniques, Isolation Forest (IF) and One-Class Support Vector Machine (OC-SVM), using the TON_IoT thermostat dataset. A comprehensive evaluation was performed based on standard metrics (accuracy, precision, recall, and F1-score) alongside critical resource utilization metrics such as inference time, model size, and peak RAM usage. Experimental results revealed that IF consistently outperformed OC-SVM, achieving higher detection accuracy, superior precision, and recall, along with a significantly better F1-score. Furthermore, Isolation Forest demonstrated a markedly superior computational footprint, making it more suitable for deployment on resource-constrained IoT edge devices. These findings underscore Isolation Forest's robustness in high-dimensional and imbalanced IoT environments and highlight its practical viability for real-time anomaly detection.