On-Device Interpretable Tsetlin Machine-Based Intrusion Detection for Secure IoMT
Pith reviewed 2026-05-20 15:53 UTC · model grok-4.3
The pith
A Tsetlin Machine identifies cyberattacks on medical IoT devices at 97.83 percent accuracy while showing the logical rules behind each alert.
A machine-rendered reading of the paper's core claim, the machinery that carries it, and where it could break.
Core claim
The Tsetlin Machine encodes network traffic patterns as propositional logic clauses that vote on intrusion phases within IoMT environments. Evaluated on the MedSec-25 dataset covering multiple realistic attack stages, the model attains 97.83 percent classification performance while generating explicit explanations via feature-level contributions, class-wise vote scores, and clause activation heatmaps. Deployment on Raspberry Pi hardware confirms real-time on-device operation suitable for resource-limited medical devices.
What carries the argument
Tsetlin Machine, a logic-driven model that represents attack patterns as conjunctive clauses, aggregates clause votes for classification, and exposes active clauses to produce feature contributions and heatmaps.
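The clause voting and the three explanation outputs named above, as an added example that is not code from the paper or its authors. The Boolean feature names, class labels and clauses are constructed for illustration (they are not MedSec-25 features or learned rules), and training of the clauses is not shown.

```python
# Added illustration: hand-written clauses, not a trained model or the paper's rules.
from collections import defaultdict

# Each clause is (polarity, {feature: required_value}): a conjunction of literals,
# where a required value of False stands for the negated literal.
# Positive-polarity clauses vote for the class, negative-polarity clauses against it.
CLAUSES = {
    "benign": [
        (+1, {"many_dst_ports": False, "failed_auth_burst": False}),
        (+1, {"known_service_port": True, "syn_rate_high": False}),
        (-1, {"failed_auth_burst": True}),
    ],
    "recon": [
        (+1, {"many_dst_ports": True, "syn_rate_high": True}),
        (+1, {"many_dst_ports": True, "payload_large": False}),
        (-1, {"known_service_port": True, "many_dst_ports": False}),
    ],
    "brute_force": [
        (+1, {"failed_auth_burst": True, "known_service_port": True}),
        (+1, {"failed_auth_burst": True, "many_dst_ports": False}),
        (-1, {"failed_auth_burst": False}),
    ],
}

def clause_fires(literals, x):
    """A conjunctive clause fires only if every literal matches the input."""
    return all(x[feat] == want for feat, want in literals.items())

def explain(x):
    """Return (predicted class, class-wise vote scores,
    clause activation rows for a heatmap, feature-level contributions)."""
    scores, activation = {}, {}
    for cls, clauses in CLAUSES.items():
        fired = [int(clause_fires(lits, x)) for _, lits in clauses]
        activation[cls] = fired
        scores[cls] = sum(pol for (pol, _), f in zip(clauses, fired) if f)
    pred = max(scores, key=scores.get)
    # Credit each literal of every fired clause of the winning class.
    contrib = defaultdict(int)
    for (pol, lits), f in zip(CLAUSES[pred], activation[pred]):
        if f:
            for feat, want in lits.items():
                contrib[feat if want else "NOT " + feat] += pol
    return pred, scores, activation, dict(contrib)

# Constructed, already-binarized flow record (e.g. thresholded flow statistics).
SAMPLE_FLOW = {"syn_rate_high": True, "many_dst_ports": True, "payload_large": False,
               "failed_auth_burst": False, "known_service_port": False}
```

Calling `explain(SAMPLE_FLOW)` gives the alert together with the clauses that fired, which is what an analyst would review to verify it.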
If this is right
- Real-time on-device detection cuts response time and avoids sending sensitive medical data off-site.
- Clause-based explanations let security staff verify alerts quickly instead of treating the system as a black box.
- Phase-specific classification supports earlier intervention before an attack reaches its most damaging stage.
- The same hardware footprint allows integration into existing medical gateways without major redesign.
Where Pith is reading between the lines
- Hospitals could adopt the system more readily because the logical rules reduce regulatory concerns around opaque AI decisions.
- The clause representation may transfer to anomaly detection in other sensor-heavy domains such as industrial IoT or vehicle networks.
- Testing the model against deliberately crafted adversarial traffic would show whether the explicit logic offers any inherent resistance to evasion.
Load-bearing premise
The MedSec-25 dataset accurately reflects the distribution and progression of cyberattacks that occur in real deployed IoMT systems, and the reported accuracy and explanations remain stable under live network conditions and new attack variants.
What would settle it
Run the trained model on fresh traffic traces collected from an operational hospital IoMT network that include attack phases absent from MedSec-25; accuracy below 90 percent or explanations that security experts reject as mismatched to the observed events would disprove the central performance and transparency claims.
Original abstract
The rapid evolution of digital health technologies is redefining healthcare services worldwide. The integration of wireless communication and Internet-enabled medical devices within Internet of Medical Things (IoMT) networks enables continuous, real-time patient monitoring. However, this increased connectivity raises cybersecurity and patient safety risks due to increasingly sophisticated cyberattacks. This paper proposes a novel on-device, interpretable Tsetlin Machine (TM)-based Intrusion Detection System (IDS) to identify various phases of cyberattacks in IoMT environments. The TM is a rule-driven and transparent machine learning (ML) approach that represents attack patterns using propositional logic. Extensive evaluations on the MedSec-25 dataset, encompassing various phases of realistic cyberattacks, show that the proposed model outperforms ML models and state-of-the-art methods, attaining a classification performance of 97.83%. Moreover, the proposed model offers explicit explanations of its decisions to enhance transparency using feature-level contributions, class-wise vote scores, and clause activation heatmaps. Edge deployment (Raspberry Pi) further supports real-time on-device inference and intrusion detection. The combination of interpretability and high performance makes the proposed model well-suited for IoMT healthcare, where trust, reliability, safety, and timely decision-making are critical.
Editorial analysis
A structured set of objections, weighed in public.
Referee Report
Summary. The manuscript proposes a novel on-device, interpretable Tsetlin Machine (TM)-based Intrusion Detection System (IDS) for IoMT networks to detect various phases of cyberattacks. It evaluates the approach on the MedSec-25 dataset, reporting 97.83% classification performance that outperforms standard ML models and state-of-the-art methods, while providing explicit interpretability via feature-level contributions, class-wise vote scores, and clause activation heatmaps. Real-time inference is demonstrated through deployment on a Raspberry Pi.
Significance. If the performance claims and interpretability features hold under detailed scrutiny, the work could advance trustworthy, edge-deployable security solutions for safety-critical IoMT environments by combining rule-based transparency with high accuracy and low-latency on-device processing.
major comments (2)
- [Evaluation] Evaluation section: The reported 97.83% accuracy and outperformance lack specification of train/test splits, baseline implementations, statistical significance tests, or controls for data leakage on MedSec-25. This directly affects verifiability of the central performance claim.
- [Deployment] Deployment and generalization discussion: Assertions that the model is well-suited for live IoMT healthcare rely solely on single-dataset results from MedSec-25 without cross-dataset validation, adversarial robustness checks, or testing on actual sensor traffic. This is load-bearing for the safety-critical suitability claim.
minor comments (2)
- [Abstract] Abstract: The phrase 'various phases of realistic cyberattacks' is used without defining or enumerating the phases or their representation in MedSec-25.
- [Throughout] Notation: Ensure consistent expansion of acronyms (TM, IDS, IoMT) on first use in all sections.
Simulated Author's Rebuttal
Thank you for the detailed review. We address the major comments point-by-point below, making revisions to enhance the manuscript's clarity and address concerns about verifiability and generalization.
- Referee: [Evaluation] Evaluation section: The reported 97.83% accuracy and outperformance lack specification of train/test splits, baseline implementations, statistical significance tests, or controls for data leakage on MedSec-25. This directly affects verifiability of the central performance claim.
  Authors: We agree with this assessment. The revised manuscript now includes a comprehensive description of the train/test split methodology, the implementation details for all baseline models, the statistical tests conducted to assess significance of performance differences, and explicit measures implemented to control for data leakage. This revision directly addresses the verifiability concerns.
  Revision: yes
- Referee: [Deployment] Deployment and generalization discussion: Assertions that the model is well-suited for live IoMT healthcare rely solely on single-dataset results from MedSec-25 without cross-dataset validation, adversarial robustness checks, or testing on actual sensor traffic. This is load-bearing for the safety-critical suitability claim.
  Authors: We acknowledge that the suitability claims for IoMT healthcare are primarily supported by results on the MedSec-25 dataset. In the revised manuscript, we have strengthened the Deployment and Discussion sections by adding explicit discussion of the single-dataset limitation, the value of the Raspberry Pi deployment for demonstrating real-time capability, and future work on cross-dataset validation, adversarial testing, and real sensor traffic evaluation. We believe this provides a more nuanced view while maintaining that the current results support the proposed approach's potential.
  Revision: partial
Circularity Check
No circularity: empirical performance claims rest on direct dataset evaluation
The paper's central claims consist of empirical classification accuracy (97.83% on MedSec-25) and interpretability outputs obtained by running the Tsetlin Machine model on a fixed dataset, followed by edge-device timing measurements. No derivation chain, equation, or prediction is presented that reduces by construction to fitted parameters, self-citations, or renamed inputs. The reported metrics are the direct result of standard train/test evaluation rather than any self-referential step that would force the outcome. The paper therefore remains self-contained against external benchmarks.