Intelligent MITM Attack Detection Systems Using Ensemble Learning for IoT Network Security
DOI:
https://doi.org/10.66279/4x2kb812
Keywords:
Man-in-the-Middle, Attack Detection, Ensemble Learning, TON_IoT
Abstract
The expansion of Internet of Things (IoT) deployments has widened the attack surface available to adversaries, and the man-in-the-middle (MITM) attack remains one of the most damaging threats facing these networks. In a MITM attack, two parties that believe they are communicating directly are in fact exchanging traffic through an intermediary that silently alters or observes the exchange. Common realizations of this threat include ARP spoofing, DNS hijacking, and SSL stripping, each producing a distinct signature in network traffic that a classifier can learn to recognize. This study evaluates and compares five ensemble learning algorithms, Random Forest, Extra Trees, XGBoost, CatBoost, and LightGBM, for the detection of MITM activity in the TON_IoT network traffic dataset. Performance is assessed using accuracy, precision, recall, F1-score, area under the ROC curve, and computational cost. CatBoost obtained the highest detection accuracy (99.2%) and F1-score (0.987), while LightGBM required roughly one third of CatBoost’s training time at a negligible cost in detection quality. Across all five algorithms, boosting methods showed a small but consistent advantage over bagging methods, and detection was effective for every MITM technique considered, with SSL stripping proving the most difficult to identify. The results suggest that the choice among these algorithms in an operational deployment should depend on whether the priority is raw detection accuracy, inference speed, or interpretability, rather than on accuracy alone.
License
Copyright (c) 2026 Engineering Systems and Intelligent Technologies (ESIT)

This work is licensed under a Creative Commons Attribution 4.0 International License.


