Intelligent MITM Attack Detection Systems Using Ensemble Learning for IoT Network Security

Authors

  • Yasser AbdelSatar, Sphinx University
  • Fatma Elzahraa Mohamed, Arab Academy for Science, Technology, and Maritime Transport
  • Shimaa AbdelNasser, Assiut University
  • Ayah Alaa Mohamed, Arab Academy for Science, Technology, and Maritime Transport

DOI:

https://doi.org/10.66279/4x2kb812

Keywords:

Man-in-the-Middle, Attack Detection, Ensemble Learning, TON_IoT

Abstract

The expansion of Internet of Things (IoT) deployments has widened the attack surface available to adversaries, and the man-in-the-middle (MITM) attack remains one of the most damaging threats facing these networks. In a MITM attack, two parties that believe they are communicating directly are in fact exchanging traffic through an intermediary that silently alters or observes the exchange. Common realizations of this threat include ARP spoofing, DNS hijacking, and SSL stripping, each producing a distinct signature in network traffic that a classifier can learn to recognize. This study evaluates and compares five ensemble learning algorithms, Random Forest, Extra Trees, XGBoost, CatBoost, and LightGBM, for the detection of MITM activity in the TON_IoT network traffic dataset. Performance is assessed using accuracy, precision, recall, F1-score, area under the ROC curve, and computational cost. CatBoost obtained the highest detection accuracy (99.2%) and F1-score (0.987), while LightGBM required roughly one third of CatBoost’s training time at a negligible cost in detection quality. Across all five algorithms, boosting methods showed a small but consistent advantage over bagging methods, and detection was effective for every MITM technique considered, with SSL stripping proving the most difficult to identify. The results suggest that the choice among these algorithms in an operational deployment should depend on whether the priority is raw detection accuracy, inference speed, or interpretability, rather than on accuracy alone.
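
The evaluation the abstract describes reports accuracy, precision, recall, F1-score and ROC AUC, and notes that detection quality differs by MITM technique. The following is an added example, not code or data from the paper: it computes those metrics plus per-technique recall over constructed detector scores, leaving out the computational-cost measurement. The function names, technique labels, scores and the 0.5 threshold are assumptions made for illustration.

```python
from collections import defaultdict

# Constructed sample, not TON_IoT data: (is_mitm, technique, detector_score).
BENIGN = [0.05, 0.10, 0.10, 0.15, 0.20, 0.20, 0.25, 0.30, 0.30, 0.35, 0.40, 0.60]
ATTACKS = {
    "arp_spoofing": [0.95, 0.90, 0.85, 0.80],
    "dns_hijacking": [0.90, 0.85, 0.70, 0.55],
    "ssl_stripping": [0.80, 0.65, 0.45, 0.30],
}
RECORDS = [(0, None, s) for s in BENIGN] + [
    (1, tech, s) for tech, scores in ATTACKS.items() for s in scores
]

def binary_metrics(records, threshold=0.5):
    """Accuracy, precision, recall and F1 for the MITM-vs-benign decision."""
    tp = fp = tn = fn = 0
    for is_mitm, _, score in records:
        flagged = score >= threshold
        if is_mitm:
            tp, fn = tp + flagged, fn + (not flagged)
        else:
            fp, tn = fp + flagged, tn + (not flagged)
    return {
        "accuracy": (tp + tn) / len(records),
        "precision": tp / (tp + fp) if tp + fp else 0.0,
        "recall": tp / (tp + fn) if tp + fn else 0.0,
        "f1": 2 * tp / (2 * tp + fp + fn) if tp else 0.0,
    }

def roc_auc(records):
    """Threshold-free AUC: chance that an attack flow outscores a benign one (ties count half)."""
    pos = [s for y, _, s in records if y]
    neg = [s for y, _, s in records if not y]
    wins = sum((p > n) + 0.5 * (p == n) for p in pos for n in neg)
    return wins / (len(pos) * len(neg))

def recall_by_technique(records, threshold=0.5):
    """Recall per MITM technique; a weak class can hide behind a high overall score."""
    hit, total = defaultdict(int), defaultdict(int)
    for is_mitm, tech, score in records:
        if is_mitm:
            total[tech] += 1
            hit[tech] += score >= threshold
    return {tech: hit[tech] / total[tech] for tech in total}

if __name__ == "__main__":
    print(binary_metrics(RECORDS), roc_auc(RECORDS), recall_by_technique(RECORDS))
```

On this constructed sample the aggregate figures look healthy while one technique is detected only half the time, which is why a per-technique breakdown belongs next to the headline accuracy.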

Author Biographies

  • Yasser AbdelSatar, Sphinx University

    Department of Artificial Intelligence, Faculty of Computers and Artificial Intelligence, Sphinx University, Assiut 71511, Egypt

  • Fatma Elzahraa Mohamed, Arab Academy for Science, Technology, and Maritime Transport

    Department of Computer Science, Arab Academy for Science, Technology and Maritime Transport, Alexandria, Egypt

  • Shimaa AbdelNasser, Assiut University

    Department of Computer Science, Assiut University, Assiut, Egypt

  • Ayah Alaa Mohamed, Arab Academy for Science, Technology, and Maritime Transport

    Department of Computer Science, Arab Academy for Science, Technology and Maritime Transport, Aswan, Egypt

Published

29-06-2026

How to Cite

Intelligent MITM Attack Detection Systems Using Ensemble Learning for IoT Network Security. (2026). Engineering Systems and Intelligent Technologies (ESIT), 3(2), 49-58. https://doi.org/10.66279/4x2kb812
