Artificial Intelligence Algorithms for Detecting and Classifying MQTT Protocol Internet of Things Attacks

Abstract

The Internet of Things (IoT) grew in popularity in recent years, becoming a crucial component of industrial, residential, and telecommunication applications, among others. This innovative idea promotes communication between physical components, such as sensors and actuators, to improve process flexibility and efficiency. Smart gadgets in IoT contexts interact using various message protocols. Message queuing telemetry transfer (MQTT) is a protocol that is used extensively in the IoT context to deliver sensor or event data. The aim of the proposed system is to create an intrusion detection system based on an artificial intelligence algorithm, which is becoming essential in the defense of the IoT networks against cybersecurity threats. This study proposes using a k-nearest neighbors (KNN) algorithm, linear discriminant analysis (LDA), a convolutional neural network (CNN), and a convolutional long short-term memory neural network (CNN-LSTM) to identify MQTT protocol IoT intrusions. A cybersecurity system based on artificial intelligence algorithms was examined and evaluated using a standard dataset retrieved from the Kaggle repository. The dataset was injected by five attacks, namely brute-force, flooding, malformed packet, SlowITe, and normal packets. The deep learning algorithm achieved high performance compared with the developing security system using machine learning algorithms. The performance accuracy of the KNN method was 80.82%, while the accuracy of the LDA algorithm was 76.60%. The CNN-LSTM model attained a high level of precision (98.94%) and is thus very effective at detecting intrusions in IoT settings.

1. Introduction

When the Internet of Things (IoT) is implemented, physical devices (also known as IoT nodes) are connected to the internet, enabling them to collect and exchange data with other nodes in the network without the need for human participation [1]. Message queuing telemetry transfer (MQTT) gained widespread use in a range of applications, such as in smart homes [2,3,4], agricultural IoT [5,6], and industrial applications. This is mainly due to its capacity to communicate at low bandwidths, the necessity for minimum memory, and reduced packet loss [1,7,8,9]. Figure 1 depicts the architecture of the MQTT protocol for use in the IoT.

The IoT and associated technologies evolved at a rapid rate, with 15 billion linked devices in 2015, which is likely to increase to 38 billion devices by 2025, according to Gartner [11]. The IoT is a network of objects—linked by sensors, actuators, gateways, and cloud services—that delivers a service to users [12]. The MQTT protocol was integrated into a number of IoT applications. Figure 2 depicts how the MQTT protocol maintains IoT applications.

Traditional intrusion detection systems (IDSs) are only successful when dealing with data that move slowly or with small volumes of data [14,15]. They are currently inefficient when dealing with big data or networks and are unable to cope with high-speed data transmission. Therefore, technologies capable of dealing with massive volumes of data and identifying any indications of network penetration are crucial. When it comes to big data, data security and privacy are perhaps the most pressing concerns, especially in the context of network assaults [16]. Distributed denial-of-service (DDoS) attacks are one of the most common types of cyberattacks. They target servers or networks with the intent of interfering with their normal operation [17]. Although real-time detection and mitigation of DDoS attacks is difficult to achieve, a solution would be extremely valuable, since attacks can cause significant damage [18].

Machine learning (ML) studies are always being improved through the use of training data and the exploitation of available information. Some consider ML to be a component of artificial intelligence. Depending on the information provided, various types of learning can be undertaken, including supervised learning—for example, the support vector machine (SVM) algorithm and the k-nearest neighbors (KNN) algorithm—semi-supervised learning, and unsupervised learning (e.g., clustering methods). Deep learning (DL) models combined with ML techniques produce excellent results in cybersecurity systems used for detecting attacks. ML techniques are used in multiple contexts, such as in healthcare. For example, they are being used to forecast COVID-19 outbreaks, osteoporosis, and schistosomiasis, among other health-related problems [19,20,21,22,23,24]. Many researchers employed classification algorithms to detect and resolve DDoS attacks with the goal of reducing the number of attacks. DDoS attacks are simple to carry out because they take advantage of network flaws and generate requests for software services [25,26]. DDoS attacks take a long time to identify and neutralize, and this solution is particularly useful, since these attacks may cause major harm. There are significant drawbacks to the current methods used to detect DDoS attacks, such as high processing costs and the inability to handle enormous quantities of data reaching the server [27]. Using a variety of classification methods, classification algorithms differentiate DDoS packets from other kinds of packets [28,29,30]. To secure the IoT against anomalous adversarial attacks, various security-enhancing solutions were developed. These approaches are often used to detect attacks in IoT networks by monitoring IoT node operations, such as the rate at which data are sent. In this paper, we introduce a brief review of the literature to highlight recent advancements in IoT security systems, with a particular emphasis on IDSs that target the MQTT protocol. The authors of [31] provided a process tree-based intrusion detection technique for MQTT protocols based on their previous work. It describes network behavior in terms of the hierarchical branches of a tree, which can then be used to detect assaults or aberrant behavior in the network. The detection rate was used to evaluate the model, and four frequent types of assaults were introduced into the network to assess its performance. However, little consideration was given to newly created adversarial attacks and intrusions. The study [32] proposes a fuzzy logic model for intrusion detection that is specifically built to safeguard IoT nodes that use the MQTT protocol from denial-of-service (DoS) attacks. Although fuzzy logic demonstrated its efficacy in a variety of systems, including sensor device intrusion detection in the IoT [33], its high difficulty with increasing input dimensions limits its ability to detect attacks on IoT platforms where large amounts of data are transferred on a continuous basis.

The extreme gradient boosting (XGBoost) algorithm, gated recurrent units (GRUs), and LSTM are only a few of the ML methods used in [34,35] to create a cybersecurity system for the MQTT protocol in the IoT. The MQTT dataset, which contains three forms of attacks, including intrusion (illegal entrance), DoS, and malicious code injection and man-in-the-middle attack (MitM), was used to verify the proposed techniques. To test a range of ML approaches, the MQTT-IoTIDS2020 dataset was used. Using these ML approaches, it was found that a system for detecting MQTT attacks could be designed, and this was later validated by the researchers. An MQTT-enabled IoT cybersecurity system demonstrated the use of an ANN approach for intrusion detection [36].

Ujjan et al. [37] presented an entropy-based features section to identify the important features in network traffic for detecting DoS attacks by employing an encoder (SAE) and CNN models. CPU consumption was significantly higher and took significantly longer. The models were accurate to within 94% and 93% of the true value, respectively. Using LSTM and CNN, Gadze et al. [38] introduced DL models to identify DDoS intrusions on a software-defined network’s centralized controller (CNN). The accuracy of the models was lower than expected. When data were split out in a 70/30 ratio, the accuracies of LSTM and CNN were 89.63% and 66%, respectively. However, when using an LSTM model to detect intrusions in network traffic, DDoS was found to be the most time-consuming attempt out of all 10 attempts tested. A hybrid ML model, SVM combined with random forest (SVC-RF), was created by Ahuja et al. [39] and used to distinguish between benign and malicious traffic. The authors extracted features from the original dataset that were used to build a new dataset: the SDN dataset, which had innovative features. It was determined that the SVC-RF classifier is capable of accurately categorizing data traffic with an accuracy of 98.8% when using the software defined networking (SDN) dataset. Wang et al. [40] revealed that a unique DL model based on an upgraded deep belief network (DBN) can be used to identify network intrusions more quickly. They replaced the back propagation approach in DBN with a kernel-based extreme learning machine (KELM), which was created by the researchers and is still in development. Their model outperformed other current neural network approaches by a wide margin. In this study, the researchers examined and tested the accuracy of a number of different categorization algorithms and techniques. The results reveal that the DBN-KELM algorithm obtained an accuracy of 93.5%, while the DBN-EGWO-KELM method achieved an accuracy of 98.60%. The following list summarizes the study’s contributions:

• A convolutional long short-term memory neural network (CNN-LSTM) was proposed to detect MQTT protocol IoT intrusions.
• An ML approach to MQTT attack detection, namely the KNN algorithm and linear discriminant analysis (LDA).
• The security system was examined using standard datasets containing MQTT attacks.
• Compared to other current systems, the suggested approach was highly accurate.

2. Materials and Methods

The framework of the MQTT protocol based on the intrusion detection system is presented in Figure 3.

2.1. Datasets

The MQTT protocol is widely used in the IoT to facilitate communication between machines. The proliferation of IoT devices and protocols necessitated the development of new and effective IDSs. However, to implement IoT IDSs, data are needed to analyze, train, and test models. The collection is made up of MQTT-based IoT sensors that represent real-world networks. The MQTT broker was created with Eclipse Mosquitto, and the network had eight sensors. Given that each sensor’s behavior differed, the scenario was based on a smart home setting where sensors gather data on temperature, humidity, CO₂ levels, motion, smoke, doors, and fans.

Table 1. MQTT attacks.

Attacks/Normal	Description
Brute-force	There are a number of ways to carry out brute-force attacks, including the use of trial and error. Every possible combination is tested by hackers with the goal of making a correct guess.
Flooding	Attacks described as flooding are also known as denial-of-service (DoS) attacks. As the name implies, attackers use a flood attack to overwhelm a system with traffic, preventing it from properly inspecting and allowing legitimate network data.
Malformed packet	A malformed packet attack is a kind of single-packet attack. In most single-packet attacks, the attacker employs one of the following techniques: devices malfunction or crash as a result of malicious packets sent by an attacker.
SlowITe	A slow DoS against Internet of Things environments (SlowITe) is a new MQTT DoS attack. It attacks network services while using little bandwidth and resources.

shows the number of MQTT attacks and the normal. The dataset is available here: https://www.kaggle.com/cnrieiit/mqttset (accessed on 16 July 2022).

The numbers of the classes for the entire MQTT-based intrusion detection system over the IoT is presented in Figure 4.

2.2. Preprocessing Approaches

The IoT has a very complex format because it is connected to different networks; therefore, a preprocessing approach is needed to handle the features of the dataset. For the categorical features, we used a hot encoding function to convert these features into numeric form.

Standard normalization was used to scale the data to the same format, making it easier for the classification algorithm to obtain high accuracy. This was done by subtracting data from the mean and dividing by the standard deviation.

2.3. Proposed Model Based on Classification Algorithms

An explanation of the methods employed in this study, including KNN, LDA, and DL techniques such as CNN or LSTM, is provided in this section.

2.3.1. K-Nearest Neighbors

KNN is a form of learning that requires supervision. The KNN method places the new case or data into a category that is consistent with the instances that are already there by comparing it to the previous cases. The KNN algorithm saves all available data and compares it to previous data points. The KNN method can easily classify fresh data into suitable categories [4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45]. Classification issues are usually solved using the KNN method. In other words, it makes no assumptions about the underlying facts. As a lazy learner algorithm, KNN saves the training set and then uses it to classify it. This algorithm saves data and subsequently classifies fresh data into comparable categories.

$${\mathrm{E}}_{\mathrm{i}}=\sqrt{\left({\mathrm{a}}_1-{\mathrm{a}}_2\right)+{({\mathrm{b}}_1-{\mathrm{b}}_2)}^2},$$

(1)

where a₁, a₂, b₁, and b₂ are the IDS input data.

2.3.2. Linear Discriminant Analysis

Handling high-dimensional applications is a challenge. We can simplify intrusion detection by splitting the data into two categories—normal packets and hazardous packets—and then swapping the data between the two groups using LDA, a linear ML approach [46]. Figure 5 depicts the LDA technique for analyzing intrusion classes and normal classes on the IoT network, with the blue line denoting a linear separation between the two types of data.

2.3.3. Deep Learning Models

CNNs have five layers: an input layer for handling the MQTT training data, a convolutional layer using a filter of the MQTT training data, a pooling layer, a fully connected (FC) layer, and an output layer. There are a wide range of CNN layer combinations from which to select [47]. The CNN structure used in this study is illustrated in Figure 6.

$$x_i=f\left(w_i\otimes x_{i-1}+b_i\right),$$

(2)

where $x_i$ is the IoT network data received from convolution filter l, $i$ is the convolution kernel of the CNN layer, and $\otimes$ is the convolution operation. To transfer the output from the CNN layer to obtain the final output, the activation function $f\left(x\right)$ was used. The main goal of convolutional is to extract significant features from the data it receives. Convolution kernels can comprise multiple layers used to filter input data, each of which corresponds to a different weight and deviation coefficient [48]. The weighted parameter values indicate w_i, and the b_i is bias values. The following is an expression of the convolution process:

$$f\left(x\right)=tanh\left(x\right)=\frac{2}{1+e^{-2x}}-1,$$

(3)

where $tanh$ is the function and $x$ is the training input data. X_i is the output obtained from the CNN filters I, which denotes the convolution process, and the activation function is denoted by f(x). A relatively large unit (ReLU) was chosen for the activation function of the convolutional layer. At the time of the model’s implementation, we used all activation functions, such as sigmoid and tanh, among others. We found that the ReLU activation function was appropriate for processing our data, as it showed faster model training and a more efficient prevention of gradient disappearance throughout the training process. In what follows, we describe the expression of the ReLU.

The primary objective of the max pooling layer is to achieve invariance and minimize the complexity of the convolution layer of the CNN by removing redundant information through down sampling and reducing the number of layers. To complete pooling, there are two basic methods: averaging pooling and maximum pooling. Average pooling, the most common method, involves selecting the average value in the computing area as the pooling result of the area, whereas max pooling involves selecting the maximum values in the computing area as the pooling result of the area. Since maximum pooling can retain more vital information than average pooling, the maximum pooling method was built on the CNN model. Maximum pooling can be defined as follows:

$$Q_j=Max\left(P_j^0,P_j^1,P_j^2{P}_j^3\dots .P_j^t\right),$$

(4)

where $Q_j$ is the output from the IoT cybersecurity dataset, j is the pooling area, Max is the operation, and $P_j^t$ is the element of the pooling region j’s element t.

FC layers serve as “classifiers” throughout the CNN. The FC layer is used to map the feature values from the filter and max pool layers into one layer. When overfitting occurs in the FC layer, the dropout method is used to randomly remove neurons to prevent the occurrence of overfitting.

The recurrent neural network (RNN) is the most well-known model for training temporal data. However, the standard RNN is difficult to train because of gradient explosion and disappearance. The LSTM model [43] is used to alleviate these problems by substituting units with a memory function with those buried in the RNN. Due to its modest weight, which changes over time, the LSTM model possesses long-term memory. Figure 7 depicts the structure of the LSTM model used in this study. The model receives its core information through the horizontal line. It is based on important gates, such as the forget gate, input gate, and output gate, which are used to store and retrieve previous knowledge and learn new information, and it performs this process using new information.

$$h_t=\mathrm{sigma} (W_{xt}+U{h}_{t-1}+b^{\left(h\right)}),$$

(5)

$$f_t=\mathrm{sigma} (W^{\left(f\right)}+X_t+U^{\left(f\right)} h_{t-1}+b^{\left(f\right)}),$$

(6)

where h_t is the input data for the current cell, $h_{t-1}$ is the output data, $f_t$ is the forget gate, $W^{\left(f\right)}$ is the weight, and $b^{\left(f\right)}$ is the bias. Sigma and tanh functions were employed to update the information in the input gate. Sigma was used to decide which data needed to be updated, whereas tanh was used to produce data that needed to be updated.

$$i_t=\mathrm{sigma} (W^{\left(i\right)}+X_t+U^{\left(i\right)} h_{t-1}+b^{\left(i\right)}),$$

(7)

$$m_t=\tan \mathrm{h} (W^{\left(m\right)}+X_t+U^{\left(m\right)} h_{t-1}+b^{\left(m\right)}),$$

(8)

$$c_t=i_t·m_t+f_t·c_{t-1},$$

(9)

where $c_{t-1}$ is the cell state; $f_t$·$c_{t-1}$ and $i_t$·$m_t$ must be combined to produce the next cell state when utilizing the preceding cell’s state to update $c_t$, as the new information must be discarded.

$$o_t=\mathrm{sigma} (W^{\left(o\right)}+X_t+U^{\left(o\right)} h_{t-1}+b^{\left(o\right)}),$$

(10)

$$h_t=o_t·\tan \mathrm{h} \left(c_t\right).$$

(11)

The information filtering during the learning step is called forget gate. It has two inputs, h_t and x_t, and the current cell state is denoted by c_t; 1 indicates that the cell was totally retained, while 0 indicates that it was completely dismissed. The following is a precise expression of the forget gate in terms of its function:

The architecture of the CNN-LSTM intrusion detection model proposed in this study is shown in Figure 8. The model was built primarily by processing the features of the CNN and LSTM models, such as fusion components. Numerical processing and normalization of the input were performed in the data preprocessing component to meet the criteria of the neural networks. There were three main layers in the CNN component: the convolutional layer with 64 filters and 128 filters, the max pooling layer, and the FC layer. Its primary job was to extract the important features from the dataset and determine whether the feature distribution of information about the intrusion detection system classified as normal or attacks. Where the component LSTM model are LSTM cells, and it is mostly used to detect intrusion information through the use of its memory function, which is a feature of this component. To produce the final result, the feature fusion of the CNN and LSTM model components were constructed of multilayer perceptrons (MLPs), whose primary goal was to use the link between the CNN and LSTM models to retrieve the data from the CNN and LSTM components, as well as to normalize what is considered for classification probability obtained from the CNN component.

Table 2. Parameter values of the CNN-LSTM approach.

Parameters Name	Significant Values
Convolution kernel size	3
Max pooling	5
Drop out of layer	0.50
FC layer	128
Activation function	ReLU
Optimizer function	Adam
Epochs	20
Batch size	120

shows the important parameters of CNN-LSTM.

2.4. Performance Measurements

The suggested algorithms’ efficiency in identifying MQTT protocol IoT attacks was evaluated using the following statistical measures: accuracy, specificity, sensitivity, precision, and F score. The following are the equations for the parameters in question:

$$Accuracy=\frac{TP+TN}{TP+FP+FN+TN}\times 100\%$$

(12)

$$Specificity=\frac{TN}{TN+FP}\times 100\%$$

(13)

$$Sensitivity=\frac{TP}{TP+FN}\times 100\%$$

(14)

$$Precision=\frac{TP}{TP+FP}\times 100\%$$

(15)

$$F score=\frac{2\times Precision\times Sensitivity}{Precision+Sensitivity}\times 100\%$$

(16)

3. Experiments

The proposed system was investigated using the MQTT protocol connected by using a number of IoT applications. The experiments were conducted using Python. The empirical results obtained from the proposed system were tested using various evaluation indicators.

3.1. MQTT Data Splitting

The MQTT dataset was divided such that 70% was used for training on the MQTT network traffic, and 30% was used to test the data and examine the results of the training process, which were then used to develop the model and test it as unseen data.

Table 3. Volume of datasets.

Datasets	Volume of Data	Training Process	Testing Process
MQTT	330,936	264,748	66,188

shows the volumes of the MQTT dataset.

3.2. Experimental Environments

To develop a security system, a robust environment is needed. The platforms used to run the proposed system are displayed in

Table 4. The system’s environmental preconditions and requirements.

Hardware Requirements	Software Requirements
RAM 16 GB	Used Python 3.8
CPU	Used Numpy Version 1.19.3
	Used TensorFlow Version 2.12
	Used Keras Library 3.8

.

3.3. Results

ML and DL models were shown to be particularly efficient for detecting MQTT attacks in IoT environments. In this study, a standard MQTT dataset was employed to develop a cyberattack system. The MQTT dataset had 29 features, which contained 330,936 value injections of five attacks and normal.

3.3.1. Results of Machine Learning Models

The results of the KNN models are shown in

Table 5. Empirical results for the k-nearest neighbors algorithm.

Evaluation Metric	Precision (%)	Recall (%)	F1-Score (%)	Support	Time/s
Normal label	100	62	76	49,627	135.6
Attacks label	72	100	84	49,654
Accuracy %	80.82
Weighted average %	86	81	82	99,281

. The KNN algorithm achieved an accuracy of 80.82%. We observed that the KNN showed good performance in detecting attacks. The percentage-weighted average metric of the KNN model was 86%, 81%, and 82% for both classes with respect to all performance indicators.

The results of the LDA approach are shown in

Table 6. Empirical results for the linear discriminant analysis approach.

Evaluation Metric	Precision (%)	Recall (%)	F1-Score (%)	Support	Time/s
Normal label	100	53	70	41,327	180
Attacks label	68	100	81	41,407
Accuracy %	76.72
Weighted average %	84	77	75	99,281

. Given the LDA algorithm’s performance accuracy, the LDA model is not suitable for identifying MQTT protocol IoT attacks. The obtained results are modest, as the network dataset contained nonlinear data that presented challenges in finding the patterns.

Figure 9 shows the confusion metrics of the KNN and LDA approaches for detecting MQTT attacks. The confusion metrics used four indicators—FP, FN, TP, and TN—to measure the proposed system’s performance. The results of the KNN model show that 50.01% was true positive, that is, correctly classified data; the proportion of misclassification (false positive) was 0.00%, and the true negative, which refers to data classified as normal, was 30.81%. We observed that the false negative was very high, at 19.17%. Although the results of the LDA show a true positive proportion of 50.05%, the proportion of true negatives was much lower, at 26.67%, and the false negatives were very high, at 23.28%. Overall, the model had a 0.00% misclassification rate, which suggests that the ML model is effective for predicting assaults on the MQTT protocol.

3.3.2. Deep Learning Results

The empirical results of the CNN and CNN-LSTM are presented in

Table 7. Empirical results of the CNN and CNN-LSTM deep learning models.

Deep Learning Model	Loss Accuracy	Accuracy (%)	Precision (%)	Recall (%)	F1 Score (%)	Time/s
CNN	0.29	80.28	96.51	62.96	76.20	69.6
CNN-LSTM	0.11	98.94	99.27	99.07	99.17	52.02
Cross validation 5 fold
CNN		77.68	95.33	66.02	75.26	150.09
CNN-LSTM		93.22	95.68	96.12	95	130.30

. The MQTT dataset was divided into 70% as a training process for checking the ability of models to detect attacks, and 30% as testing for examining the DL models. An accuracy rate of 98.94% was reached by the CNN-LSTM model compared to 80.28% for the CNN model. Therefore, the CNN-LSTM model is appropriate for detecting MQTT protocol IoT intrusions. The main advantage of the CNN-LSTM model was that we combined two models to achieve good accuracy.

The accuracy performance and loss validation of the CNN model is presented in Figure 10. We observed that the training and validation performances reached 81% with 200 epochs, with the training and testing loss decreasing to 0.299.

Figure 11 shows the accuracy performance and accuracy loss of CNN-LSTM during the training and validation phases. The performance of the CNN-LSTM model in the training phase reached 100%, with validation accuracy increasing to 98.94%. The accuracy loss of CNN-LSTM was very low, at 0.11. In general, the CNN model’s performance in detecting MQTT protocol IoT intrusions was strong.

In addition, the mean absolute error statistical analysis (MAE), the mean squared error statistical analysis (MSE), the root mean squared error statistical analysis (RMSE), and the R² were utilized in order to calculate the percentage error that existed between the target values and the predictions. The statistical analysis of ML and DL using binary classification is broken down and summarized in

Table 8. Statically analysis.

Models	MAE	MSE	RMSE	R2 (%)
LDA	0.232	0.232	0.4824	76.72
KNN	0.1917	0.1917	0.4824	80.82
CNN	0.043	0.092	0.098	95.16
CNN-LSTM	0.0032	0.0032	0.0068	98.42

. According to the results of the CNN-LSTM model, the correlation between the target and the prediction values was the maximum it could be (R² = 98.42%), and the prediction error MSE = 0.0032.

Table 9. Results of the proposed system against existing security systems using the same datasets.

Reference	Year	Datasets	Model	Accuracy
Ref. [48]	20121	Same dataset	LSTM	97.13%
Ref. [49]	2021	Same dataset	Deep learning	97.09%
Proposed model	2022	Same dataset	CNN-LSTM	98.94%

provides a comprehensive analysis of the recommended ML and DL models by displaying the outcomes of the proposed approaches in comparison to other previous systems. These findings may be found in the Table 7. We obtained the conclusion that the accuracy of the CNN-LSTM model was 98.94%, which is a very high percentage. Both the RF tree and the LSTM demonstrated pretty respectable degrees of accuracy. Figure 12 offers a graphical depiction of the primary results achieved by the proposed algorithms in contrast to a number of the most common practices already in use.

4. Conclusions

The considerable growth in the volume of communications resulted in an increase in vulnerability, resulting in a variety of intrusions that place the integrity of the proposed security system at risk. Depending on the nature of each attack, a variety of repercussions may occur, including the introduction of malware that may cause damage to equipment, unauthorized access to network information, and DoS attacks. As a result, advanced artificial intelligence algorithms capable of detecting these attacks are being developed to maintain the integrity of IoT platforms. Detecting DoS attacks in MQTT networks using ML and DL methods was the focus of this study. These techniques were used to defend the MQTT network in an IoT context, based on the KNN and LDA methods, as well as the CNN-LSTM model. Standard MQTT network information obtained from various IoT contexts was used to create the security solution. The KNN and LDA methods, two ML algorithms, proved to be effective at detecting MQTT network attacks.

The hybrid CNN-LSTM model efficiently anticipated MQTT network breaches. Because it achieved a high degree of precision (98.94%), the CNN-LSTM model is particularly successful at identifying intrusions in IoT environments. The CNN-LSTM model showed great accuracy in identifying malicious attacks on IoT devices based on the output results of the ML and DL methods. Overall, the suggested technique was effective at identifying malicious attacks on the MQTT network. The scope of the work carried out so far is limited to the MQTT protocol attack detection. Therefore, in the future, authors can apply more advanced DL algorithms and feature selection approaches to further improve the security system. The developing system does not handle all of the MQTT vulnerabilities that were found up to this point, which is another limitation of this endeavor. In addition, one of our goals is to examine the susceptibility of a variety of Internet of Things protocols to fresh kinds of assaults. Our goal is to come up with an original model for emerging vulnerabilities that is based on deep learning.