Detecting Invisible Cross-Layer and Cross-Protocol Attacks in IoMT Using Resource-Aware Machine Learning
Published in Social Sciences, Electrical & Electronic Engineering, and Computational Sciences
Behind the Paper: Detecting the “Invisible” Attacks in the Internet of Medical Things (IoMT)
Healthcare systems are rapidly becoming smarter, more connected, and increasingly dependent on the Internet of Medical Things (IoMT). From wearable sensors and smart infusion pumps to remote patient monitoring systems and intelligent hospital networks, these technologies are transforming healthcare delivery and improving patient outcomes. However, this transformation also introduces new cybersecurity risks that traditional defense mechanisms are often unable to detect.
Our recent publication, “Resource-aware ML framework for multi-level cross-layer and cross-protocol attack detection in IoMT,” published in the Journal of Supercomputing, explores one of the emerging and overlooked cybersecurity threats in IoMT environments: Cross-Protocol (CP) and Cross-Layer (CL) attacks.
Why We Started This Research
Most intrusion detection systems (IDS) are designed around isolated protocol analysis. In practice, this means they inspect traffic at a single network layer or focus on one communication protocol at a time. While this approach can detect many traditional attacks, modern attackers have become far more sophisticated.
Cross-Protocol and Cross-Layer attacks exploit interactions between multiple protocols and layers simultaneously. Instead of attacking a system directly, adversaries manipulate the relationships between communication layers or tunnel malicious traffic through unexpected protocols. This allows malicious activity to bypass conventional security monitoring tools.
In healthcare environments, such attacks can be extremely dangerous. Imagine a malicious actor manipulating communication between wearable sensors and hospital monitoring systems, delaying alerts, or disrupting medical data transmission. Even a small delay or misclassification could affect patient safety.
Despite the growing importance of IoMT security, we found that most existing research focused primarily on binary attack detection or conventional multi-class classification. Very little attention had been given to CP and CL attacks, especially under resource constraints typical in IoMT systems.
This gap motivated us to design a lightweight yet highly effective machine learning framework capable of detecting these advanced attack patterns in real time.
The Core Challenge
IoMT devices are fundamentally different from traditional computing systems. They are often resource-constrained, with limited memory, processing power, and energy availability. This means that many computationally expensive deep learning solutions may not be practical for real-world healthcare deployment.
The challenge was therefore twofold:
- Develop a detection framework capable of identifying sophisticated CP and CL attacks.
- Ensure the framework remains lightweight and efficient enough for deployment in practical IoMT settings.
Balancing security effectiveness with computational efficiency was a central theme of this work.
Building the Framework
To address this challenge, we designed a resource-aware intrusion detection framework using machine learning techniques. We evaluated it on the CICIoMT2024 dataset, which contains realistic Wi-Fi and MQTT traffic for IoMT environments. (researchgate.net)
Our framework included several important stages:
- Standardized preprocessing for stable and fair evaluation.
- Hierarchical balancing to handle data imbalance across labels and categories.
- Feature clustering and dimensionality reduction using Principal Component Analysis (PCA).
- Comparative evaluation of multiple machine learning models.
We intentionally explored both PCA and non-PCA configurations because dimensionality reduction can significantly influence model stability and computational cost.
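The hierarchical balancing stage listed above, sketched as an added example that is not code from the paper. The page does not describe the exact procedure, so this assumes one interpretation: cap every category at the same size, then split that cap as evenly as possible across the category's labels. The function names, category names and label names are hypothetical, and the rows are constructed.

```python
import random
from collections import Counter, defaultdict

def hierarchical_balance(rows, per_category, seed=0):
    """Downsample so each category keeps at most `per_category` rows,
    split as evenly as possible across that category's labels."""
    rng = random.Random(seed)
    by_cat = defaultdict(lambda: defaultdict(list))
    for row in rows:
        by_cat[row["category"]][row["label"]].append(row)

    balanced = []
    for category in sorted(by_cat):
        labels = by_cat[category]
        remaining = per_category
        # Visit the rarest labels first, so quota they cannot fill is
        # handed on to the more common labels of the same category.
        order = sorted(labels, key=lambda name: (len(labels[name]), name))
        for i, name in enumerate(order):
            share = remaining // (len(order) - i)
            take = min(share, len(labels[name]))
            balanced.extend(rng.sample(labels[name], take))
            remaining -= take
    rng.shuffle(balanced)
    return balanced

def constructed_rows():
    # Constructed sample: category and label names are illustrative only.
    counts = {("benign", "benign"): 900,
              ("ddos", "ddos_syn"): 5000, ("ddos", "ddos_udp"): 300,
              ("mqtt", "mqtt_flood"): 40, ("mqtt", "mqtt_malformed"): 700}
    return [{"category": c, "label": l, "id": i}
            for (c, l), n in counts.items() for i in range(n)]

def summarize(rows):
    """Row counts per category and per label."""
    return (Counter(r["category"] for r in rows),
            Counter(r["label"] for r in rows))

if __name__ == "__main__":
    cats, labels = summarize(hierarchical_balance(constructed_rows(), 600))
    print(dict(cats))
    print(dict(labels))
```

A label with fewer rows than its share, such as the 40-row one here, keeps all of its rows and the unused quota goes to its sibling label, so the category totals still match.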
One particularly interesting finding involved the Multi-Layer Perceptron (MLP) model. Without PCA, the MLP struggled significantly in CP detection. However, after applying PCA, its performance improved dramatically. This highlighted how preprocessing decisions can heavily impact the effectiveness of machine learning in cybersecurity applications.
At the same time, Random Forest consistently delivered the best balance between accuracy, stability, and efficiency.
What We Found
Among all evaluated models, Random Forest without PCA achieved the most reliable and consistent performance. The framework achieved accuracy values above 99% and F1-scores reaching 0.9951 for Cross-Protocol attacks and 0.9926 for Cross-Layer attacks. (researchgate.net)
Equally important, the framework demonstrated very low computational overhead:
- Approximately 0.02 seconds per test instance.
- Less than 1 MiB memory usage.
These results are highly significant because IoMT environments require low-latency and lightweight security solutions. In healthcare systems, delayed detection may directly lead to delayed medical decisions.
Our results demonstrated that high detection performance does not necessarily require extremely heavy deep learning architectures. Carefully designed resource-aware machine learning solutions can still provide strong protection while remaining deployable in constrained environments.
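One way to check a candidate detector against the two resource figures reported above, as an added example that is not code from the paper. The page does not say how the authors measured time and memory, so the use of `time.perf_counter` and `tracemalloc` is an assumption, the nearest-centroid model is only a stand-in for the paper's classifiers, and the flow features are constructed.

```python
import time
import tracemalloc

LATENCY_BUDGET_S = 0.02        # per test instance, figure reported on this page
MEMORY_BUDGET_BYTES = 2 ** 20  # 1 MiB, figure reported on this page

class NearestCentroid:
    """Tiny stand-in classifier (assumption: not the paper's Random Forest)."""
    def fit(self, X, y):
        sums, counts = {}, {}
        for features, label in zip(X, y):
            acc = sums.setdefault(label, [0.0] * len(features))
            for i, value in enumerate(features):
                acc[i] += value
            counts[label] = counts.get(label, 0) + 1
        self.centroids = {lab: [s / counts[lab] for s in acc]
                          for lab, acc in sums.items()}
        return self

    def predict_one(self, features):
        def dist(centroid):
            return sum((a - b) ** 2 for a, b in zip(features, centroid))
        return min(self.centroids, key=lambda lab: dist(self.centroids[lab]))

def profile_inference(predict_one, X_test):
    """Mean seconds per instance and peak Python bytes allocated while predicting.
    tracemalloc slows execution, so the latency is a conservative estimate."""
    tracemalloc.start()
    start = time.perf_counter()
    predictions = [predict_one(x) for x in X_test]
    elapsed = time.perf_counter() - start
    _, peak = tracemalloc.get_traced_memory()
    tracemalloc.stop()
    return {"predictions": predictions,
            "sec_per_instance": elapsed / len(X_test),
            "peak_bytes": peak}

def within_budget(report):
    return (report["sec_per_instance"] <= LATENCY_BUDGET_S
            and report["peak_bytes"] <= MEMORY_BUDGET_BYTES)

def demo():
    # Constructed flow features: [packets per second, mean payload bytes]
    X = [[10, 120], [12, 110], [11, 130], [900, 40], [950, 35], [870, 45]]
    y = ["benign"] * 3 + ["attack"] * 3
    model = NearestCentroid().fit(X, y)
    return profile_inference(model.predict_one, [[9, 125], [920, 38]] * 50)
```

`tracemalloc` only sees allocations made through Python's allocator, so a model backed by a native library needs a process-level measurement as well.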
Beyond Accuracy Metrics
One lesson we learned from this work is that cybersecurity research should not focus solely on accuracy percentages. In many publications, very high accuracy values are reported without considering whether the proposed systems can realistically operate in constrained real-world environments.
For healthcare applications, deployability matters as much as detection capability.
This is why we emphasized resource awareness throughout the paper. A practical IDS for IoMT should not only detect attacks accurately but also:
- Operate with minimal latency.
- Consume limited memory and computational resources.
- Adapt to heterogeneous communication protocols.
- Maintain reliability under realistic traffic conditions.
Future cybersecurity research should increasingly evaluate models from this operational perspective.
The Human Side of the Project
This work was also a rewarding collaborative effort between researchers and students working on advanced cybersecurity challenges in emerging healthcare technologies. One of the exciting aspects of the project was exploring how relatively classical machine learning techniques could still outperform more complex methods when combined with proper preprocessing, balancing, and evaluation strategies.
Another rewarding aspect was working with realistic IoMT traffic rather than overly simplified benchmark datasets. Real healthcare communication environments are noisy, heterogeneous, and dynamic, making the problem substantially more challenging.
Throughout the project, we repeatedly refined preprocessing pipelines, experimented with balancing strategies, and analyzed why certain models failed under specific attack scenarios. Many of the final insights emerged only after extensive iterative experimentation.
Looking Ahead
Cross-Protocol and Cross-Layer attacks are likely to become increasingly common as interconnected healthcare ecosystems continue to grow. Future IoMT systems will integrate AI-driven diagnostics, cloud-assisted healthcare, edge computing, wearable devices, and autonomous medical systems, all communicating through diverse protocols and layers.
This increasing complexity will inevitably expand the attack surface.
Future research directions may include:
- Federated and privacy-preserving intrusion detection for distributed healthcare systems.
- Explainable AI techniques for interpretable medical cybersecurity decisions.
- Real-time adaptive IDS frameworks capable of evolving with new attack patterns.
- Hybrid edge-cloud architectures for scalable IoMT security.
- Integration of post-quantum cryptographic protection with intelligent intrusion detection.
We hope this work contributes toward building more secure and trustworthy healthcare infrastructures.
Final Thoughts
Cybersecurity in healthcare is no longer optional. As medical systems become smarter and more interconnected, attackers are also becoming more creative and adaptive.
Our goal with this research was not only to improve attack-detection performance but also to demonstrate that practical, lightweight, and deployable security solutions are achievable in IoMT environments.
Ultimately, protecting digital healthcare systems means protecting patients themselves.
We are excited to continue exploring intelligent and resource-aware cybersecurity solutions for next-generation cyber-physical and healthcare systems.
Published article:
“Resource-aware ML framework for multi-level cross-layer and cross-protocol attack detection in IoMT” in The Journal of Supercomputing. (researchgate.net)