This repository contains the source code for the paper "Lightweight SAX-LSTM approach for IoT Network Intrusion Detection".
Our method combines Symbolic Aggregate approXimation (SAX) and Long Short-Term Memory (LSTM) networks to detect network intrusions efficiently in resource-constrained environments using the CICIoT2023 dataset.
We present a lightweight, explainable, and modular approach to intrusion detection by:
- Converting raw packet-level time-series data into symbolic sequences using SAX
- Training an LSTM model on the symbolic representations
- Achieving competitive classification performance with low inference time (0.46–2.44 ms/record)

- Dataset: CICIoT2023
- Runtime: Kaggle IPython notebooks (no GPU/TPU required)
- Frameworks: TensorFlow, pyts, sklearn, pandas
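
The SAX step described above, as an added example that is not the repository's code: it uses only the Python standard library instead of pyts, and the window length, word length, alphabet and sample payload lengths are assumed, constructed values.

```python
from statistics import NormalDist, mean, pstdev

def sax_word(values, n_segments=4, alphabet="abcd"):
    """Return the SAX word for one window of numeric values (e.g. payload lengths)."""
    if n_segments < 1 or len(alphabet) < 2 or len(values) < n_segments:
        raise ValueError("need len(values) >= n_segments >= 1 and at least 2 symbols")
    mu, sigma = mean(values), pstdev(values)
    # 1. Z-normalise the window. A constant window has sigma == 0 and is
    #    mapped to all zeros instead of dividing by zero.
    z = [0.0 if sigma == 0 else (v - mu) / sigma for v in values]
    # 2. Piecewise Aggregate Approximation: mean of each near-equal segment.
    n = len(z)
    edges = [round(i * n / n_segments) for i in range(n_segments + 1)]
    paa = [mean(z[edges[i]:edges[i + 1]]) for i in range(n_segments)]
    # 3. Discretise with breakpoints that cut N(0, 1) into equiprobable bins.
    k = len(alphabet)
    cuts = [NormalDist().inv_cdf(i / k) for i in range(1, k)]
    return "".join(alphabet[sum(p > c for c in cuts)] for p in paa)

def sax_windows(values, window=8, **kwargs):
    """Split a series into non-overlapping windows; return one SAX word per window."""
    return [sax_word(values[i:i + window], **kwargs)
            for i in range(0, len(values) - window + 1, window)]

# Constructed payload-length windows (bytes), not taken from CICIoT2023.
STEP = [60, 60, 60, 60, 1500, 1500, 1500, 1500]   # small packets, then full frames
FLAT = [64] * 8                                    # identical packets
RAMP = [100, 200, 300, 400, 500, 600, 700, 800]    # steadily growing payloads

if __name__ == "__main__":
    for name, win in (("step", STEP), ("flat", FLAT), ("ramp", RAMP)):
        print(name, sax_word(win))
```

Each word is a short string over a small alphabet, so it can be integer-encoded per symbol before being fed to a sequence model.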
The SAX-LSTM model achieved a binary classification accuracy of 96.79%, with inference times ranging from 0.46 ms to 2.44 ms per record.
In the multiclass setting with 18 classes, it reached an overall accuracy of 83.47% after employing random oversampling to handle the class imbalance problem.
- Our model matches or exceeds the performance of many recent approaches while requiring no GPU acceleration or heavy preprocessing.
- Inference times are consistently below 2.5 ms, making the approach deployable in latency-sensitive edge environments.
- The performance drop in the multiclass setting is attributed to class imbalance, which was mitigated with random oversampling after the SAX transformation.
- The symbolic abstraction using SAX improves model interpretability and lowers computational load.

- Symbolic abstraction of time-series payload data for enhanced explainability
- Inference-efficient design enabling real-time detection with only payload length, timestamp, and protocol type
- Modular implementation with parameterized design for easy tuning
Code Credits to the team behind this work: