Optimizing IoT Intrusion Detection with Tabular Foundation Models for Smart City Forensics
Asma Al-Dahmani, Abdulla Bin Safwan, Mohammad Obeidat, Belal Alsinglawi

TL;DR
This paper evaluates transformer-based foundation models for IoT intrusion detection in smart cities, showing they offer faster inference with high accuracy and are suitable for real-time security operations.
Contribution
It introduces the first systematic comparison of TabPFNv2.5 with traditional ensemble classifiers for IoT intrusion detection, proposing a hybrid detection pipeline.
Findings
TabPFNv2.5 achieves 40x faster inference than Random Forest.
Maintains 97% accuracy in binary classification.
Scanning attacks are the hardest to detect with an F1 score of 69.8%.
Abstract
Security operations in smart cities demand detection systems that balance accuracy with response time. While ensemble methods like Random Forest achieve high accuracy, their computational overhead impedes real-time forensic triage. We present the first systematic evaluation of TabPFNv2.5, a transformer-based foundation model, against traditional ensemble classifiers for IoT intrusion detection. Using the TON_IoT dataset, we demonstrate that TabPFNv2.5 achieves 40x faster inference than Random Forest while maintaining 97% binary classification accuracy. We propose a hybrid pipeline in which TabPFNv2.5 performs rapid threat screening, while ensemble models handle detailed classification. Our analysis reveals that scanning attacks remain the hardest to detect (F1: 69.8%) and cross-device generalization depends critically on feature similarity. These findings establish foundation models as…
