{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,6,9]],"date-time":"2026-06-09T15:18:59Z","timestamp":1781018339397,"version":"3.54.1"},"reference-count":43,"publisher":"Springer Science and Business Media LLC","issue":"5","license":[{"start":{"date-parts":[[2024,4,24]],"date-time":"2024-04-24T00:00:00Z","timestamp":1713916800000},"content-version":"tdm","delay-in-days":0,"URL":"https:\/\/creativecommons.org\/licenses\/by\/4.0"},{"start":{"date-parts":[[2024,4,24]],"date-time":"2024-04-24T00:00:00Z","timestamp":1713916800000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/creativecommons.org\/licenses\/by\/4.0"}],"funder":[{"name":"Consiglio Nazionale Delle Ricerche"}],"content-domain":{"domain":["link.springer.com"],"crossmark-restriction":false},"short-container-title":["SN COMPUT. SCI."],"abstract":"<jats:title>Abstract<\/jats:title><jats:p>In the context of the Internet of Things (IoT), particularly within medical facilities, the detection and categorization of Internet traffic remain significant challenges. While conventional methods for IoT traffic analysis can be applied, obtaining suitable medical traffic data is challenging due to the stringent privacy constraints associated with the health domain. To address this, this study proposes a network traffic simulation approach using an open-source tool called IoT Flock, which supports both CoAP and MQTT protocols. The tool is used to create a synthetic dataset, to simulate IoT traffic originating from various smart devices in different hospital rooms. The study shows a complete anomaly detection analysis of IoT-Flock-generated traffic, both normal and malicious, by leveraging and comparing traditional machine learning techniques, deep learning models with multiple hidden layers, and explainable artificial intelligence techniques. The results are very promising. For the binary classification, for example, the obtained accuracy is close to <jats:inline-formula><jats:alternatives><jats:tex-math>$$100\\%$$<\/jats:tex-math><mml:math xmlns:mml=\"http:\/\/www.w3.org\/1998\/Math\/MathML\">\n                  <mml:mrow>\n                    <mml:mn>100<\/mml:mn>\n                    <mml:mo>%<\/mml:mo>\n                  <\/mml:mrow>\n                <\/mml:math><\/jats:alternatives><\/jats:inline-formula> in the case of the CoAP protocol. Good results are also obtained when the multinomial classification is performed, observing that CoAP packets are classified better than MQTT packets, even if the identification of the different MQTT packets reaches very high metrics for the most of the considered algorithms. Moreover, the obtained classification rules are also meaningful in the considered IoT context. The results indicate that IoT-Flock synthetic data can effectively be used to train and test machine and deep learning models for detecting abnormal IoT traffic in medical scenarios. This research attempts also to bridge the gap between IoT security and healthcare, providing useful insights into securing medical IoT networks in general.<\/jats:p>","DOI":"10.1007\/s42979-024-02830-4","type":"journal-article","created":{"date-parts":[[2024,4,24]],"date-time":"2024-04-24T15:01:56Z","timestamp":1713970916000},"update-policy":"https:\/\/doi.org\/10.1007\/springer_crossmark_policy","source":"Crossref","is-referenced-by-count":10,"title":["Explainable Anomaly Detection of Synthetic Medical IoT Traffic Using Machine Learning"],"prefix":"10.1007","volume":"5","author":[{"given":"Lerina","family":"Aversano","sequence":"first","affiliation":[],"role":[{"vocabulary":"crossref","role":"author"}]},{"given":"Mario Luca","family":"Bernardi","sequence":"additional","affiliation":[],"role":[{"vocabulary":"crossref","role":"author"}]},{"given":"Marta","family":"Cimitile","sequence":"additional","affiliation":[],"role":[{"vocabulary":"crossref","role":"author"}]},{"given":"Debora","family":"Montano","sequence":"additional","affiliation":[],"role":[{"vocabulary":"crossref","role":"author"}]},{"ORCID":"https:\/\/orcid.org\/0000-0002-5948-5845","authenticated-orcid":false,"given":"Riccardo","family":"Pecori","sequence":"additional","affiliation":[],"role":[{"vocabulary":"crossref","role":"author"}]},{"given":"Luca","family":"Veltri","sequence":"additional","affiliation":[],"role":[{"vocabulary":"crossref","role":"author"}]}],"member":"297","published-online":{"date-parts":[[2024,4,24]]},"reference":[{"key":"2830_CR1","doi-asserted-by":"publisher","first-page":"13960","DOI":"10.1109\/ACCESS.2019.2894819","volume":"7","author":"E Hossain","year":"2019","unstructured":"Hossain E, Khan I, Un-Noor F, Sikander SS, Sunny MSH. Application of big data and machine learning in smart grid, and associated security concerns: a review. IEEE Access. 2019;7:13960\u201388. https:\/\/doi.org\/10.1109\/ACCESS.2019.2894819.","journal-title":"IEEE Access"},{"issue":"1","key":"2830_CR2","doi-asserted-by":"publisher","first-page":"49","DOI":"10.1007\/s42979-023-02448-y","volume":"5","author":"SA Ajagbe","year":"2023","unstructured":"Ajagbe SA, Awotunde JB, Florez H. Ensuring intrusion detection for iot services through an improved CNN. SN Comput Sci. 2023;5(1):49. https:\/\/doi.org\/10.1007\/s42979-023-02448-y.","journal-title":"SN Comput Sci"},{"key":"2830_CR3","doi-asserted-by":"publisher","unstructured":"Ghazanfar S, Hussain F, Rehman AU, Fayyaz UU, Shahzad F, Shah GA. IoT-Flock: an open-source framework for IoT traffic generation. In: 2020 International Conference on Emerging Trends in Smart Technologies (ICETST), 2020;1\u20136. https:\/\/doi.org\/10.1109\/ICETST49965.2020.9080732.","DOI":"10.1109\/ICETST49965.2020.9080732"},{"key":"2830_CR4","doi-asserted-by":"crossref","unstructured":"Aversano L, Bernardi M, Cimitile M, Montano D, Pecori R, Veltri L. anomaly detection of medical IoT traffic using machine learning. In: Proceedings of the 12th International Conference on Data Science, Technology and Applications-DATA, 2023:173\u2013182. SciTePress","DOI":"10.5220\/0012132000003541"},{"key":"2830_CR5","unstructured":"OASIS Standard: MQTT Version 5.0. OASIS Standard. Version 5. (2019). https:\/\/docs.oasis-open.org\/mqtt\/mqtt\/v5.0\/os\/mqtt-v5.0-os.html. Accessed Jan 2023"},{"key":"2830_CR6","unstructured":"Internet Engineering Task Force (IETF): The Constrained Application Protocol (CoAP). Internet Engineering Task Force (IETF). Updated by: RFC 7959, 8613, 8974, 9175. (2019).  https:\/\/www.rfc-editor.org\/rfc\/rfc7252. Accessed Jan 2023"},{"key":"2830_CR7","unstructured":"CVE-2016-10523, Common Enumeration of Vulnerabilities. https:\/\/www.cve.org\/CVERecord?id=CVE-2016-10523. Accessed 30 Jan 2023."},{"key":"2830_CR8","unstructured":"CVE-2019-12101, Common Enumeration of Vulnerabilities. https:\/\/www.cve.org\/CVERecord?id=CVE-2019-12101. Accessed 30 Jan 2023."},{"key":"2830_CR9","unstructured":"CVE-2019-9004, Common Enumeration of Vulnerabilities. https:\/\/www.cve.org\/CVERecord?id=CVE-2019-9004. Accessed 30 Jan 2023."},{"key":"2830_CR10","doi-asserted-by":"publisher","DOI":"10.1016\/j.cosrev.2021.100389","volume":"40","author":"L Aversano","year":"2021","unstructured":"Aversano L, Bernardi ML, Cimitile M, Pecori R. A systematic review on Deep Learning approaches for IoT security. Comput Sci Rev. 2021;40: 100389.","journal-title":"Comput Sci Rev"},{"key":"2830_CR11","unstructured":"Rish, I. An empirical study of the naive bayes classifier. In: IJCAI 2001 Workshop on Empirical Methods in Artificial Intelligence, 2001;3:41\u201346."},{"key":"2830_CR12","doi-asserted-by":"publisher","unstructured":"Suthaharan, S. Machine learning models and algorithms for big data classification. In: Integrated Series in Information Systems, Springer, 2016;36:1\u201312. https:\/\/doi.org\/10.1007\/978-1-4899-7641-3","DOI":"10.1007\/978-1-4899-7641-3"},{"key":"2830_CR13","unstructured":"Wright, RE. Logistic regression. (1995)."},{"key":"2830_CR14","volume-title":"Decision Trees for Decision Making","author":"JF Magee","year":"1964","unstructured":"Magee JF. Decision Trees for Decision Making. MA, USA: Harvard Business Review Brighton; 1964."},{"key":"2830_CR15","doi-asserted-by":"publisher","DOI":"10.1155\/2021\/9054336","author":"L Aversano","year":"2021","unstructured":"Aversano L, Bernardi ML, Cimitile M, Pecori R, Veltri L. effective anomaly detection using deep learning in IoT systems. Wirel Commun Mobile Comput. 2021. https:\/\/doi.org\/10.1155\/2021\/9054336.","journal-title":"Wirel Commun Mobile Comput"},{"key":"2830_CR16","doi-asserted-by":"publisher","unstructured":"Pecori R, Tayebi A, Vannucci A, Veltri L. IoT Attack detection with deep learning analysis. In: 2020 International Joint Conference on Neural Networks (IJCNN), 2020:1\u20138. https:\/\/doi.org\/10.1109\/IJCNN48605.2020.9207171.","DOI":"10.1109\/IJCNN48605.2020.9207171"},{"key":"2830_CR17","doi-asserted-by":"publisher","unstructured":"Aversano L, Bernardi ML, Cimitile M, Pecori R. Anomaly detection of actual IoT traffic flows through deep learning. In: 2021 20th IEEE International Conference on Machine Learning and Applications (ICMLA), 2021:1736\u20131741. https:\/\/doi.org\/10.1109\/ICMLA52953.2021.00275.","DOI":"10.1109\/ICMLA52953.2021.00275"},{"key":"2830_CR18","doi-asserted-by":"publisher","first-page":"946","DOI":"10.2991\/ijcis.d.210212.001","volume":"14","author":"P Ducange","year":"2021","unstructured":"Ducange P, Marcelloni F, Pecori R. Fuzzy Hoeffding decision tree for data stream classification. Int J Comput Intell Syst. 2021;14:946\u201364.","journal-title":"Int J Comput Intell Syst"},{"issue":"20","key":"2830_CR19","doi-asserted-by":"publisher","first-page":"4340","DOI":"10.1016\/j.ins.2011.02.021","volume":"181","author":"MJ Gacto","year":"2011","unstructured":"Gacto MJ, Alcal\u00e1 R, Herrera F. Interpretability of linguistic fuzzy rule-based systems: an overview of interpretability measures. Inf Sci. 2011;181(20):4340\u201360.","journal-title":"Inf Sci"},{"key":"2830_CR20","doi-asserted-by":"publisher","first-page":"3343","DOI":"10.1109\/ACCESS.2019.2962829","volume":"8","author":"S Pundir","year":"2019","unstructured":"Pundir S, Wazid M, Singh DP, Das AK, Rodrigues JJ, Park Y. Intrusion detection protocols in wireless sensor networks integrated to Internet of Things deployment: survey and future challenges. IEEE Access. 2019;8:3343\u201363.","journal-title":"IEEE Access"},{"key":"2830_CR21","doi-asserted-by":"publisher","first-page":"79","DOI":"10.1016\/j.asoc.2018.05.049","volume":"72","author":"S Rathore","year":"2018","unstructured":"Rathore S, Park JH. Semi-supervised learning based distributed attack detection framework for IoT. Appl Soft Comput. 2018;72:79\u201389.","journal-title":"Appl Soft Comput"},{"key":"2830_CR22","doi-asserted-by":"crossref","unstructured":"Rughoobur P, Nagowah L. A lightweight replay attack detection framework for battery depended IoT devices designed for healthcare. In: 2017 International Conference on Infocom Technologies and Unmanned Systems (Trends and Future Directions)(ICTUS), 2017:811\u2013817. IEEE.","DOI":"10.1109\/ICTUS.2017.8286118"},{"key":"2830_CR23","doi-asserted-by":"crossref","unstructured":"Alrashdi I, Alqazzaz A, Alharthi R, Aloufi E, Zohdy MA, Ming H. FBAD: fog-based attack detection for IoT healthcare in smart cities. In: 2019 IEEE 10th Annual Ubiquitous Computing, Electronics & Mobile Communication Conference (UEMCON), 2019:0515\u20130522. IEEE.","DOI":"10.1109\/UEMCON47517.2019.8992963"},{"key":"2830_CR24","unstructured":"DARPA Intrusion Detection Evaluation Dataset. (1998). https:\/\/www.ll.mit.edu\/r-d\/datasets\/1998-darpa-intrusion-detection-evaluation-dataset. Accessed Jan 2023."},{"key":"2830_CR25","unstructured":"KDD Cup 1999 Data. (1998). (http:\/\/kdd.ics.uci.edu\/databases\/kddcup99\/kddcup99.html. Accessed Jan 2023."},{"key":"2830_CR26","unstructured":"NSL-KDD Dataset. (1999). https:\/\/www.unb.ca\/cic\/datasets\/nsl.html. Accessed Jan 2023."},{"key":"2830_CR27","unstructured":"(2023). https:\/\/defcon.org\/html\/links\/dc-ctf.html. Accessed Jan 2023."},{"key":"2830_CR28","unstructured":"LBNL\/ICSI Enterprise Tracing Project. (2023). (http:\/\/www.icir.org\/enterprise-tracing\/. Accessed Jan 2023."},{"key":"2830_CR29","unstructured":"Center for Applied Internet Data Analysis (CAIDA). (2023). https:\/\/catalog.caida.org\/. Accessed Jan 2023"},{"key":"2830_CR30","unstructured":"UNIBS: Data Sharing. (2009). http:\/\/netweb.ing.unibs.it\/~ntw\/tools\/traces\/index.php. Accessed Jan 2023"},{"key":"2830_CR31","doi-asserted-by":"publisher","first-page":"1775","DOI":"10.1109\/COMST.2023.3280465","volume":"3","author":"N Moustafa","year":"2023","unstructured":"Moustafa N, Koroniotis N, Keshk M, Zomaya AY, Tari Z. Explainable intrusion detection for cyber defences in the internet of things: opportunities and solutions. IEEE Commun Surv Tutor. 2023;3:1775\u2013807. https:\/\/doi.org\/10.1109\/COMST.2023.3280465.","journal-title":"IEEE Commun Surv Tutor"},{"key":"2830_CR32","doi-asserted-by":"publisher","first-page":"11604","DOI":"10.1109\/JIOT.2021.3130156","volume":"13","author":"IA Khan","year":"2022","unstructured":"Khan IA, Moustafa N, Pi D, Sallam KM, Zomaya AY, Li B. A new explainable deep learning framework for cyber threat discovery in industrial IoT networks. IEEE Internet Things J. 2022;13:11604\u201313. https:\/\/doi.org\/10.1109\/JIOT.2021.3130156.","journal-title":"IEEE Internet Things J"},{"key":"2830_CR33","doi-asserted-by":"publisher","unstructured":"Nguyen QP, Lim KW, Divakaran DM, Low KH, Chan MC. GEE: A gradient-based explainable variational autoencoder for network anomaly detection. In: 2019 IEEE Conference on Communications and Network Security (CNS), 2019:91\u201399. https:\/\/doi.org\/10.1109\/CNS.2019.8802833.","DOI":"10.1109\/CNS.2019.8802833"},{"key":"2830_CR34","doi-asserted-by":"publisher","unstructured":"Fazzolari M, Ducange P, Marcelloni F. An explainable intrusion detection system for IoT networks. In: 2023 IEEE International Conference on Fuzzy Systems (FUZZ), 2023:1\u20136. https:\/\/doi.org\/10.1109\/FUZZ52849.2023.10309785.","DOI":"10.1109\/FUZZ52849.2023.10309785"},{"key":"2830_CR35","doi-asserted-by":"publisher","unstructured":"Khelifati A, Khayati M, Cudr\u00e9-Mauroux P, H\u00e4nni A, Liu Q, Hauswirth M. VADETIS: an explainable evaluator for anomaly detection techniques. In: 2021 IEEE 37th International Conference on Data Engineering (ICDE), 2021;2661\u20132664. https:\/\/doi.org\/10.1109\/ICDE51399.2021.00298.","DOI":"10.1109\/ICDE51399.2021.00298"},{"key":"2830_CR36","doi-asserted-by":"publisher","DOI":"10.3390\/math10081267","author":"S Aziz","year":"2022","unstructured":"Aziz S, Faiz MT, Adeniyi AM, Loo K-H, Hasan KN, Xu L, Irshad M. Anomaly detection in the internet of vehicular networks using explainable neural networks (xNN). Mathematics. 2022. https:\/\/doi.org\/10.3390\/math10081267.","journal-title":"Mathematics"},{"key":"2830_CR37","doi-asserted-by":"publisher","unstructured":"Ha DT, Hoang NX, Hoang NV, Du NH, Huong TT, Tran KP. Explainable anomaly detection for industrial control system cybersecurity. In: 10th IFAC Conference on Manufacturing Modelling, Management and Control MIM 2022, IFAC-PapersOnLine 2022;(10):1183\u20131188. . https:\/\/doi.org\/10.1016\/j.ifacol.2022.09.550","DOI":"10.1016\/j.ifacol.2022.09.550"},{"key":"2830_CR38","doi-asserted-by":"publisher","first-page":"779","DOI":"10.1016\/j.future.2019.05.041","volume":"100","author":"N Koroniotis","year":"2019","unstructured":"Koroniotis N, Moustafa N, Sitnikova E, Turnbull B. Towards the development of realistic botnet dataset in the internet of things for network forensic analytics: Bot-IoT dataset. Future Gener Comput Syst. 2019;100:779\u201396.","journal-title":"Future Gener Comput Syst"},{"key":"2830_CR39","doi-asserted-by":"publisher","first-page":"3025","DOI":"10.3390\/s21093025","volume":"9","author":"F Hussain","year":"2021","unstructured":"Hussain F, Abbas SG, Shah GA, Pires IM, Fayyaz UU, Shahzad F, Garcia NM, Zdravevski E. a framework for malicious traffic detection in IoT healthcare environment. Sensors. 2021;9:3025. https:\/\/doi.org\/10.3390\/s21093025.","journal-title":"Sensors"},{"key":"2830_CR40","unstructured":"Bormann C. Block-wise transfers in the constrained application protocol (CoAP). Internet Engineering Task Force (IETF). Internet Engineering Task Force (IETF). Updated by: RFC 8323. (2016). https:\/\/www.rfc-editor.org\/rfc\/rfc7959. Accessed Jan 2023."},{"key":"2830_CR41","unstructured":"Hartke K. Observing resources in the constrained application protocol (CoAP). Internet Engineering Task Force (IETF). Internet Engineering Task Force (IETF). Updated by: RFC 8323. (2015). https:\/\/www.rfc-editor.org\/rfc\/rfc7641. Accessed Jan 2023."},{"key":"2830_CR42","unstructured":"Kingma DP, Ba J. Adam: A method for stochastic optimization. arXiv preprint. (2014). arXiv:1412.6980."},{"key":"2830_CR43","unstructured":"Shamir O. the implicit bias of benign overfitting. In: Loh, P.-L., Raginsky, M. (eds.) Proceedings of Thirty Fifth Conference on Learning Theory. Proceedings of Machine Learning Research, vol. 178, pp. 448\u2013478. PMLR, USA 2022."}],"container-title":["SN Computer Science"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/link.springer.com\/content\/pdf\/10.1007\/s42979-024-02830-4.pdf","content-type":"application\/pdf","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/link.springer.com\/article\/10.1007\/s42979-024-02830-4\/fulltext.html","content-type":"text\/html","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/link.springer.com\/content\/pdf\/10.1007\/s42979-024-02830-4.pdf","content-type":"application\/pdf","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2024,4,24]],"date-time":"2024-04-24T15:30:24Z","timestamp":1713972624000},"score":1,"resource":{"primary":{"URL":"https:\/\/link.springer.com\/10.1007\/s42979-024-02830-4"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2024,4,24]]},"references-count":43,"journal-issue":{"issue":"5","published-online":{"date-parts":[[2024,6]]}},"alternative-id":["2830"],"URL":"https:\/\/doi.org\/10.1007\/s42979-024-02830-4","relation":{},"ISSN":["2661-8907"],"issn-type":[{"value":"2661-8907","type":"electronic"}],"subject":[],"published":{"date-parts":[[2024,4,24]]},"assertion":[{"value":"21 November 2023","order":1,"name":"received","label":"Received","group":{"name":"ArticleHistory","label":"Article History"}},{"value":"25 March 2024","order":2,"name":"accepted","label":"Accepted","group":{"name":"ArticleHistory","label":"Article History"}},{"value":"24 April 2024","order":3,"name":"first_online","label":"First Online","group":{"name":"ArticleHistory","label":"Article History"}},{"order":1,"name":"Ethics","group":{"name":"EthicsHeading","label":"Declarations"}},{"value":"The authors declare no competing nor financial conflicts of interest.","order":2,"name":"Ethics","group":{"name":"EthicsHeading","label":"Conflict of interest"}},{"value":"\u2019Not Applicable\u2019","order":3,"name":"Ethics","group":{"name":"EthicsHeading","label":"Research Involving Human and \/or Animals"}},{"value":"\u2019Not Applicable\u2019","order":4,"name":"Ethics","group":{"name":"EthicsHeading","label":"Informed Consent"}}],"article-number":"488"}}