Transformer-Based Multi-Class Intrusion Detection Using CICIoMT2024 Dataset for Secure IoMT Networks

Authors

  • Eko Arip Winanto Computer Engineering, Dinamika Bangsa University, Indonesia
  • Sharipuddin Informatics, Dinamika Bangsa University, Indonesia
  • Benni Purnama Information System, Dinamika Bangsa University, Indonesia
  • Nurhadi Business Digital, Dinamika Bangsa University, Indonesia
  • Lasmedi Afuan Informatics, Universitas Jenderal Soedirman, Indonesia

DOI:

https://doi.org/10.52436/1.jutif.2026.7.3.5512

Keywords:

CICIoMT Dataset, Deep Transformer, IoMT Security, Intrusion Detection, Multi-Class Classification

Abstract

Internet of Medical Things (IoMT) ecosystems significantly enhance healthcare services but simultaneously expand the attack surface, exposing medical networks to diverse cyber threats such as distributed denial-of-service and spoofing attacks. Existing intrusion detection systems for IoMT are often limited to binary classification and struggle to capture complex multi-class attack behaviors, particularly under highly imbalanced data distributions. This study proposes a deep Transformer-based intrusion detection model as a reproducible baseline for multi-class intrusion detection in IoMT environments. The model is evaluated on the CICIoMT2024 dataset, which comprises 19 traffic classes including benign and multiple attack categories. Data preprocessing involves stratified data splitting, feature normalization, and label encoding to ensure fair evaluation. The proposed baseline employs a six-layer Transformer encoder with eight attention heads and is trained using the AdamW optimizer. Experimental results demonstrate an overall accuracy of 98.76% and a macro F1-score of 0.92, indicating strong detection capability across most attack classes. The model achieves excellent performance on benign traffic and high-volume attacks such as DDoS and DoS, while performance degradation is observed on minority classes, including ARP spoofing, highlighting the impact of class imbalance. These findings establish the proposed Transformer model as a transparent and robust baseline for IoMT intrusion detection research. By providing reproducible performance benchmarks, this work supports future development of hybrid and imbalance-aware detection mechanisms aimed at enhancing real-time security in medical cyber-physical systems.

Downloads

Download data is not yet available.

References

K. S. Bughio, D. M. Cook, and S. A. A. Shah, “GenAI in Rule-based Systems for IoMT Security: Testing and Evaluation,” Procedia Comput. Sci., vol. 246, pp. 5330–5339, 2024, doi: 10.1016/j.procs.2024.09.652.

K. Vaisakhkrishnan, G. Ashok, P. Mishra, and T. G. Kumar, “Guarding Digital Health: Deep Learning for Attack Detection in Medical IoT,” Procedia Comput. Sci., vol. 235, pp. 2498–2507, 2024, doi: 10.1016/j.procs.2024.04.235.

L. A. Daher, “Towards Secure IoMT: Attack Detection Using Deep Q-Learning in Healthcare Networks,” in 2023 16th International Conference on Developments in eSystems Engineering (DeSE), Istanbul, Turkiye: IEEE, Dec. 2023, pp. 407–412. doi: 10.1109/DeSE60595.2023.10468942.

J. Doménech, I. V. Martin-Faus, S. Mhiri, and J. Pegueroles, “Ensuring patient safety in IoMT: A systematic literature review of behavior-based intrusion detection systems,” Internet Things, vol. 28, p. 101420, Dec. 2024, doi: 10.1016/j.iot.2024.101420.

I. A. Khan et al., “Fed-Inforce-Fusion: A federated reinforcement-based fusion model for security and privacy protection of IoMT networks against cyber-attacks,” Inf. Fusion, vol. 101, p. 102002, Jan. 2024, doi: 10.1016/j.inffus.2023.102002.

M. Pinar, A. Aktas, and E. E. Ulku, “Feature efficiency in IoMT security: A comprehensive framework for threat detection with DNN and ML,” Comput. Biol. Med., vol. 186, p. 109603, Mar. 2025, doi: 10.1016/j.compbiomed.2024.109603.

J. Cao, X. Di, J. Li, K. Yu, and L. Zhao, “IoVST: An anomaly detection method for IoV based on spatiotemporal feature fusion,” Future Gener. Comput. Syst., vol. 166, p. 107636, May 2025, doi: 10.1016/j.future.2024.107636.

S. S. N. Chintapalli, S. P. Singh, J. Frnda, P. Bidare Divakarachari, V. L. Sarraju, and P. Falkowski-Gilski, “OOA-modified Bi-LSTM network: An effective intrusion detection framework for IoT systems,” Heliyon, vol. 10, no. 8, p. e29410, Apr. 2024, doi: 10.1016/j.heliyon.2024.e29410.

I. Martins, J. S. Resende, P. R. Sousa, S. Silva, L. Antunes, and J. Gama, “Host-based IDS: A review and open issues of an anomaly detection system in IoT,” Future Gener. Comput. Syst., vol. 133, pp. 95–113, Aug. 2022, doi: 10.1016/j.future.2022.03.001.

Á. L. P. Gómez, L. F. Maimó, A. H. Celdrán, and F. J. G. Clemente, “SUSAN: A Deep Learning based anomaly detection framework for sustainable industry,” Sustain. Comput. Inform. Syst., vol. 37, no. July 2021, p. 100842, 2023, doi: 10.1016/j.suscom.2022.100842.

M. A. H. Zamrai, K. M. Yusof, and M. A. Azizan, “Random Forest Stratified K-Fold Cross Validation on SYN DoS Attack SD-IoV,” in 2024 7th International Conference on Communication Engineering and Technology (ICCET), Tokyo, Japan: IEEE, Feb. 2024, pp. 7–12. doi: 10.1109/ICCET62255.2024.00008.

A. Stewart, “Malware dynamic behavior classification: SVM-HMM applied to malware API sequencing,” 2014, [Online]. Available: https://securedorg.github.io/docs/MDBC_API_Sequencing.pdf

Md. A. Hossain and Md. S. Islam, “A novel feature selection-driven ensemble learning approach for accurate botnet attack detection,” Alex. Eng. J., vol. 118, pp. 261–277, Apr. 2025, doi: 10.1016/j.aej.2025.01.042.

Y. Shang, “Prevention and detection of DDOS attack in virtual cloud computing environment using Naive Bayes algorithm of machine learning,” Meas. Sens., vol. 31, no. November 2023, p. 100991, 2024, doi: 10.1016/j.measen.2023.100991.

R. A. Abed, E. K. Hamza, and A. J. Humaidi, “A modified CNN-IDS model for enhancing the efficacy of intrusion detection system,” Meas. Sens., vol. 35, no. August, p. 101299, 2024, doi: 10.1016/j.measen.2024.101299.

H. Issaoui, A. Eladel, A. Zouinkhi, M. Zaied, L. Khriji, and S. H. Nengroo, “Defending CNN Against FGSM Attacks Using Beta-Based Personalized Activation Functions and Adversarial Training,” IEEE Access, vol. 12, pp. 138341–138350, 2024, doi: 10.1109/ACCESS.2024.3432773.

T. E. T. Djaidja, B. Brik, S. Mohammed Senouci, A. Boualouache, and Y. Ghamri-Doudane, “Early Network Intrusion Detection Enabled by Attention Mechanisms and RNNs,” IEEE Trans. Inf. Forensics Secur., vol. 19, pp. 7783–7793, 2024, doi: 10.1109/TIFS.2024.3441862.

E. D. L. Hoz, E. D. L. Hoz, A. Ortiz, J. Ortega, and A. Martínez-Álvarez, “Feature selection by multi-objective optimisation: Application to network anomaly detection by hierarchical self-organising maps,” Knowl.-Based Syst., vol. 71, pp. 322–338, 2014, doi: 10.1016/j.knosys.2014.08.013.

Z. Ali, W. Tiberti, A. Marotta, and D. Cassioli, “Empowering Network Security: BERT Transformer Learning Approach and MLP for Intrusion Detection in Imbalanced Network Traffic,” IEEE Access, vol. 12, pp. 137618–137633, 2024, doi: 10.1109/ACCESS.2024.3465045.

S. Ancy and D. Paulraj, “Handling imbalanced data with concept drift by applying dynamic sampling and ensemble classification model,” Comput. Commun., vol. 153, pp. 553–560, Mar. 2020, doi: 10.1016/j.comcom.2020.01.061.

S. W. Ahmed, F. Kientz, and R. Kashef, “A Modified Transformer Neural Network (MTNN) for Robust Intrusion Detection in IoT Networks,” in 2023 International Telecommunications Conference (ITC-Egypt), Alexandria, Egypt: IEEE, July 2023, pp. 663–668. doi: 10.1109/ITC-Egypt58155.2023.10206134.

T. Hu, C. Xu, S. Zhang, S. Tao, and L. Li, “Cross-site scripting detection with two-channel feature fusion embedded in self-attention mechanism,” Comput. Secur., vol. 124, p. 102990, 2023, doi: 10.1016/j.cose.2022.102990.

F. Peng, S. Meng, and M. Long, “Presentation attack detection based on two-stream vision transformers with self-attention fusion,” J. Vis. Commun. Image Represent., vol. 85, p. 103518, May 2022, doi: 10.1016/j.jvcir.2022.103518.

R. Iijima, S. Shiota, and H. Kiya, “A Random Ensemble of Encrypted Vision Transformers for Adversarially Robust Defense,” IEEE Access, vol. 12, pp. 69206–69216, 2024, doi: 10.1109/ACCESS.2024.3400958.

S.-M. Tseng, Y.-Q. Wang, and Y.-C. Wang, “Multi-Class Intrusion Detection Based on Transformer for IoT Networks Using CIC-IoT-2023 Dataset,” Future Internet, vol. 16, no. 8, p. 284, Aug. 2024, doi: 10.3390/fi16080284.

S. Dadkhah, E. C. P. Neto, R. Ferreira, R. C. Molokwu, S. Sadeghi, and A. A. Ghorbani, “CICIoMT2024: A benchmark dataset for multi-protocol security assessment in IoMT,” Internet Things, vol. 28, p. 101351, Dec. 2024, doi: 10.1016/j.iot.2024.101351.

M. M. Islam, T. Ahmad, and D. Truscan, “An Evaluation of Transformer Models for Early Intrusion Detection in Cloud Continuum,” in 2023 IEEE International Conference on Cloud Computing Technology and Science (CloudCom), Naples, Italy: IEEE, Dec. 2023, pp. 279–284. doi: 10.1109/CloudCom59040.2023.00052.

S. Li, J. Wang, Y. Wang, G. Zhou, and Y. Zhao, “EIFDAA: Evaluation of an IDS with function-discarding adversarial attacks in the IIoT,” Heliyon, vol. 9, no. 2, p. e13520, Feb. 2023, doi: 10.1016/j.heliyon.2023.e13520.

A. Salehpour, M. Norouzi, M. A. Balafar, and K. SamadZamini, “A cloud‐based hybrid intrusion detection framework using XGBoost and ADASYN‐Augmented random forest for IoMT,” IET Commun., vol. 18, no. 19, pp. 1371–1390, Dec. 2024, doi: 10.1049/cmu2.12833.

Additional Files

Published

2026-06-15

How to Cite

[1]
E. A. Winanto, S. Sharipuddin, B. . Purnama, N. Nurhadi, and L. . Afuan, “Transformer-Based Multi-Class Intrusion Detection Using CICIoMT2024 Dataset for Secure IoMT Networks”, J. Tek. Inform. (JUTIF), vol. 7, no. 3, pp. 2395–2410, Jun. 2026.

Issue

Vol. 7 No. 3 (2026): JUTIF Volume 7, Number 3, June 2026

Section

Articles

License

Copyright (c) 2026 Eko Arip Winanto, Sharipuddin, Benni Purnama, Nurhadi, Lasmedi Afuan

Creative Commons License

This work is licensed under a Creative Commons Attribution 4.0 International License.

Most read articles by the same author(s)

1 2 3 > >>