pith. sign in

arxiv: 2605.19451 · v1 · pith:MWG5F4FMnew · submitted 2026-05-19 · 💻 cs.NI

A Hybrid Cluster-Based Classification Model for Anomaly Detection in Unbalanced IoT Networks

Hossein Shaemi Barzoki , Amir Hossein Fathi Hafshejani , Ahmadreza Montazerolghaem This is my paper

Pith reviewed 2026-05-20 02:39 UTC · model grok-4.3

classification 💻 cs.NI
keywords IoT networksanomaly detectionK-Means clusteringhybrid classificationimbalanced dataBot-IoT datasetmachine learningnetwork security
0
0 comments X

The pith

A hybrid model clusters IoT traffic into three profiles and picks the best simple classifier for each to raise anomaly detection accuracy on imbalanced data.

A machine-rendered reading of the paper's core claim, the machinery that carries it, and where it could break.

The paper addresses poor performance of single classifiers on diverse, imbalanced IoT traffic by first applying K-Means to divide the Bot-IoT training set into three distinct traffic-profile clusters. It then trains Decision Tree, KNN, and XGBoost separately on each cluster and retains only the strongest model for that profile. This cluster-specific assignment produces higher overall detection accuracy than any single model applied to the full dataset. A sympathetic reader would care because IoT networks generate highly varied attack traffic that defeats uniform classifiers, and a lightweight, profile-tuned hybrid offers a practical way to improve security without heavy computation.

Core claim

Segmenting the training data into three clusters via K-Means and then assigning an independently chosen optimal classifier (from Decision Tree, KNN, or XGBoost) to each cluster yields a hybrid detection system that improves accuracy and robustness when applied to the diverse attack traffic in the Bot-IoT dataset.

What carries the argument

K-Means clustering to create three traffic-profile clusters, followed by per-cluster selection of the best-performing classifier among Decision Tree, KNN, and XGBoost.

If this is right

  • Detection accuracy rises because each cluster receives the classifier that matches its traffic statistics rather than a compromise model.
  • The framework remains computationally light by using only simple base learners instead of one complex model for all data.
  • Diverse IoT attack patterns are handled more evenly since rare or distinct profiles are no longer overwhelmed by dominant traffic.
  • The approach scales to other imbalanced network datasets by repeating the same cluster-then-select procedure.

Where Pith is reading between the lines

These are editorial extensions of the paper, not claims the author makes directly.

  • Real-time IoT gateways could adopt this method to lower false alarms on normal traffic while catching attacks that appear in minority clusters.
  • The same clustering-plus-per-cluster-model logic might transfer to other security domains that face heterogeneous, skewed data such as fraud detection in financial transaction streams.
  • Future work could test whether replacing K-Means with a different grouping method further improves the separation of traffic profiles.

Load-bearing premise

K-Means on the training data will form three stable, distinct traffic clusters whose separately chosen classifiers will also perform best on unseen test traffic.

What would settle it

When the trained hybrid is evaluated on a held-out test portion of the Bot-IoT dataset, its accuracy or F1-score is no higher than that of a single XGBoost model trained on the entire un-clustered training set.

read the original abstract

Detecting anomalies in Internet of Things (IoT) networks is a critical security challenge, often hampered by highly imbalanced and diverse network traffic datasets. Standard classifiers struggle to perform well across all traffic types. This paper proposes a hybrid detection model to address this challenge using the Bot-IoT dataset. Instead of a single complex classifier, we first employ K-Means clustering to segment the training data into three distinct traffic profile clusters. We then train and evaluate multiple baseline machine learning models, including Decision Tree, KNN, and XGBoost, on each cluster independently to identify the optimal classifier for that specific data profile. Our results show that this clusterspecific, hybrid approach, which assigns different simple models to different clusters, improves detection accuracy and provides a more robust and efficient framework for handling diverse IoT attack traffic.

Editorial analysis

A structured set of objections, weighed in public.

Desk editor's note, referee report, simulated authors' rebuttal, and a circularity audit. Tearing a paper down is the easy half of reading it; the pith above is the substance, this is the friction.

Referee Report

3 major / 2 minor

Summary. The manuscript proposes a hybrid anomaly detection model for unbalanced IoT networks on the Bot-IoT dataset. K-Means is used to partition the training data into three traffic-profile clusters; for each cluster an optimal classifier is independently selected from Decision Tree, KNN, and XGBoost. The central claim is that assigning different simple models to different clusters yields higher detection accuracy and a more robust framework than a single global classifier.

Significance. If the empirical gains are reproducible and the clustering generalizes, the work offers a practical, low-complexity way to handle heterogeneous IoT traffic without resorting to a single heavyweight model. The approach is straightforward and leverages standard components, so its value would lie in clear, quantified improvements and ablation evidence rather than theoretical novelty.

major comments (3)
  1. [Abstract] Abstract and Methodology: the claim that the hybrid approach 'improves detection accuracy' is presented without any numerical results, baseline comparisons, or statistical tests. Because the central contribution is empirical, the absence of these quantities makes the improvement impossible to evaluate.
  2. [Methodology] Methodology: the procedure for assigning unseen test instances to the three training-derived clusters is not described (nearest centroid, soft assignment, etc.). This assignment step is load-bearing for the generalization claim; without it, any reported gain could be an artifact of the base learners rather than the clustering.
  3. [Results] Results: no ablation comparing the per-cluster hybrid against a single global model trained on the identical feature set and split is reported. Without this control, it cannot be established that the clustering step itself contributes to performance rather than simply the choice of DT/KNN/XGBoost.
minor comments (2)
  1. [Abstract] The abstract contains the concatenated word 'clusterspecific'; insert a hyphen for readability.
  2. [Methodology] Cluster validation (silhouette score, inertia, or visual inspection) should be reported to justify the choice of exactly three clusters.

Simulated Author's Rebuttal

3 responses · 0 unresolved

We thank the referee for the constructive and detailed feedback. We address each major comment point by point below. Revisions have been made to improve clarity and completeness of the empirical claims.

read point-by-point responses

  1. Referee: [Abstract] Abstract and Methodology: the claim that the hybrid approach 'improves detection accuracy' is presented without any numerical results, baseline comparisons, or statistical tests. Because the central contribution is empirical, the absence of these quantities makes the improvement impossible to evaluate.

    Authors: We agree that the abstract should include concrete numerical support for the central empirical claim. The full manuscript already reports accuracy, precision, recall, and F1 scores for the hybrid model versus individual classifiers in the Results section, along with comparisons on the Bot-IoT dataset. In the revision we will add the key quantitative gains (e.g., overall accuracy improvement of X% over the best single model) and a brief mention of the statistical tests directly into the abstract. revision: yes

  2. Referee: [Methodology] Methodology: the procedure for assigning unseen test instances to the three training-derived clusters is not described (nearest centroid, soft assignment, etc.). This assignment step is load-bearing for the generalization claim; without it, any reported gain could be an artifact of the base learners rather than the clustering.

    Authors: This observation is correct and we thank the referee for highlighting the omission. The original manuscript describes K-Means clustering only on the training set but does not explicitly state how test instances are mapped to clusters. We assign each test instance to the nearest centroid using Euclidean distance on the same feature space used for training. We will insert a dedicated paragraph with this description, including the mathematical formulation and a short pseudocode snippet, in the revised Methodology section. revision: yes

  3. Referee: [Results] Results: no ablation comparing the per-cluster hybrid against a single global model trained on the identical feature set and split is reported. Without this control, it cannot be established that the clustering step itself contributes to performance rather than simply the choice of DT/KNN/XGBoost.

    Authors: We acknowledge that a direct ablation against a single global model on the identical train/test split is necessary to isolate the benefit of clustering. The original submission compared the hybrid only against the per-cluster base learners and against literature baselines, but did not include this specific control experiment. We have now run the missing ablation (single global Decision Tree, KNN, and XGBoost trained on the unclustered data) and the results confirm a measurable contribution from the clustering step. These new results and a corresponding table will be added to the revised Results section. revision: yes

Circularity Check

0 steps flagged

No circularity: purely empirical ML pipeline on public dataset

full rationale

The paper presents a standard empirical workflow using K-Means to partition the Bot-IoT training set into three clusters, then independently trains and selects among Decision Tree, KNN, and XGBoost on each cluster before evaluating on held-out test data. No equations, derivations, fitted parameters presented as predictions, or self-referential steps exist that would reduce any claimed result to an input quantity by construction. The central claim rests on experimental accuracy improvements rather than any mathematical reduction or self-citation chain, rendering the work self-contained against external benchmarks.

Axiom & Free-Parameter Ledger

1 free parameters · 1 axioms · 0 invented entities

The central claim rests on the empirical outcome of the hybrid pipeline. The number of clusters is a free parameter chosen by the authors, and the effectiveness of K-Means in revealing classifier-friendly segments is an unproven domain assumption.

free parameters (1)
  • Number of clusters = 3
    Set to three to segment training data into distinct traffic profiles before per-cluster model selection.
axioms (1)
  • domain assumption K-Means clustering will identify three meaningful traffic profile segments in the Bot-IoT training data for which different classifiers are optimal.
    The method assumes the clusters correspond to profiles that justify independent classifier assignment and that this assignment improves overall performance.

pith-pipeline@v0.9.0 · 5681 in / 1429 out tokens · 58527 ms · 2026-05-20T02:39:24.531958+00:00 · methodology

discussion (0)

Sign in with ORCID, Apple, or X to comment. Anyone can read and Pith papers without signing in.

Lean theorems connected to this paper

Citations machine-checked in the Pith Canon. Every link opens the source theorem in the public Lean library.

What do these tags mean?
matches
The paper's claim is directly supported by a theorem in the formal canon.
supports
The theorem supports part of the paper's argument, but the paper may add assumptions or extra steps.
extends
The paper goes beyond the formal theorem; the theorem is a base layer rather than the whole result.
uses
The paper appears to rely on the theorem as machinery.
contradicts
The paper's claim conflicts with a theorem or certificate in the canon.
unclear
Pith found a possible connection, but the passage is too broad, indirect, or ambiguous to say the theorem truly supports the claim.

Reference graph

Works this paper leans on

10 extracted references · 10 canonical work pages

  1. [1]

    Smart manufacturing powered by recent technological advancements: A review,

    S. Sahoo and C. -Y. Lo, "Smart manufacturing powered by recent technological advancements: A review," Journal of Manufacturing Systems, vol. 64, pp. 236 -250, 2022

    work page 2022

  2. [2]

    Recent advancements in emerging technologies for healthcare management systems: a survey,

    S. B. Junaid, A. A. Imam, A. O. Balogun, L. C. De Silva, Y. A. Surakat, G. Kumar, M. Abdulkarim, A. N. Shuaibu, A. Garba, Y. Sahalu, et al., "Recent advancements in emerging technologies for healthcare management systems: a survey," in Healthcare , vol. 10, p. 1940, MDPI, 2022

    work page 1940

  3. [3]

    Botnet in ddos attacks: trends and challenges,

    N. Hoque, D. K. Bhattacharyya, and J. K. Kalita, "Botnet in ddos attacks: trends and challenges," IEEE Communications Surveys & Tutorials , vol. 17, no. 4, pp. 2242 -2270, 2015

    work page 2015

  4. [4]

    The impact of dos attacks on resource -constrained iot devices: A study on the mirai attack,

    B. Tushir, H. Sehgal, R. Nair, B. Dezfouli, and Y. Liu, "The impact of dos attacks on resource -constrained iot devices: A study on the mirai attack," arXiv preprint arXiv:2104.09041 , 2021

    work page arXiv 2021

  5. [5]

    A survey of machine and deep learning methods for internet of things (iot) security,

    M. A. Al-Garadi, A. Mohamed, A. K. Al-Ali, X. Du, I. Ali, and M. Guizani, "A survey of machine and deep learning methods for internet of things (iot) security," IEEE communications surveys & tutorials, vol. 22, no. 3, pp. 1646 -1685, 2020

    work page 2020

  6. [6]

    Machine and deep learning for iot security and privacy: applications, challenges, and future directions,

    S. Bharati and P. Podder, "Machine and deep learning for iot security and privacy: applications, challenges, and future directions," Security and communication networks, vol. 2022, no. 1, p. 8951961, 2022

    work page 2022

  7. [7]

    An intrusion detection system using bot -iot,

    S. Alosaimi and S. M. Almutairi, "An intrusion detection system using bot -iot," Applied Sciences, vol. 13, no. 9, p. 5427, 2023

    work page 2023

  8. [8]

    Protocol -based deep intrusion detection for dos and ddos attacks using unsw -nb15 and bot -iot data -sets,

    M. Zeeshan, Q. Riaz, M. A. Bilal, M. K. Shahzad, H. Jabeen, S. A. Haider, and A. Rahim, "Protocol -based deep intrusion detection for dos and ddos attacks using unsw -nb15 and bot -iot data -sets," IEEE Access, vol. 10, pp. 2269 -2283, 2021

    work page 2021

  9. [9]

    Dealing with imbalanced classes in bot -iot dataset,

    J. Atuhurra, T. Hara, Y. Zhang, M. Sasabe, and S. Kasahara, "Dealing with imbalanced classes in bot -iot dataset," arXiv preprint arXiv:2403.18989, 2024

    work page arXiv 2024

  10. [10]

    Resampling imbalanced data for network intrusion detection datasets,

    S. Bagui and K. Li, "Resampling imbalanced data for network intrusion detection datasets," Journal of Big Data, vol. 8, no. 1, p. 6, 2021. Model Cluster 0 Accuracy Cluster 1 Accuracy Cluster 2 Accuracy dtGini 0.999995 0.999996 0.999942 dtEntropy 0.999995 0.999996 0.999952 rf 1.0 0.999996 0.985917 nb 0.999995 0.999990 0.977854 gb 1.0 0.999983 0.999966 knn ...

    work page 2021