Design of an Efficient Forensic Layer for IoT Network Traffic Analysis Engine Using Deep Packet Inspection via Recurrent Neural Networks

.


INTRODUCTION
The rapid expansion of the Internet of Things (IoT) has revolutionized numerous industries by enabling seamless device connectivity and communication.However, this interconnectivity presents unprecedented security challenges as IoT networks become potential targets for a variety of cyberthreats.Network traffic analysis is vital for identifying and mitigating these threats, enabling proactive defense measures and ensuring the integrity and security of IoT ecosystems [1][2][3].

Key contributions and objectives
This paper presents a comprehensive approach to IoT network traffic analysis, aiming to establish a robust forensic layer that seamlessly integrates deep packet inspection (DPI) and recurrent neural networks (RNNs).The primary objectives of our work are:

Effective parameter extraction
To extract and analyze crucial network packet parameters, including protocol, source and destination addresses, port numbers, payload, timestamp, packet length, sequence number, flags, quality of service markings, content-type, contentlength, user-agent, and referrer fields.These parameters offer valuable insights into the nature and behavior of network traffic sets.

Temporal dependencies with LSTM and GRU
To harness the capabilities of LSTM (Long Short-Term Memory) and GRU (Gated Recurrent Unit) architectures within the RNN model.LSTM and GRU are specialized RNN variants that excel in capturing temporal dependencies in sequential data, making them ideally suited for time-series IoT network traffic analysis.By encoding the temporal values of extracted parameters into LSTM and GRU feature sets, our approach equips the RNN model to effectively identify anomalous behavior and learn patterns.

Advantages of LSTM, GRU, and RNNs
Before delving into the details, it is essential to highlight the key advantages of incorporating LSTM, GRU, and RNNs into our methodology: • Enhanced Precision and Dependability: LSTM and GRU architectures empower our model to uncover long-term dependencies within network traffic, enhancing the accuracy and reliability of attack detection.Traditional methods often struggle to capture intricate relationships between different packets over time, resulting in false positives or missed detections.However, LSTM and GRU excel at preserving critical information from preceding packets, thereby elevating the precision and dependability of our analysis.
• Improved Performance Metrics: The integration of LSTM and GRU features enhances the precision, accuracy, and recall of our IoT network traffic analysis engine.Leveraging the potential of deep learning, our approach achieves remarkable metrics, including a precision of 97.5%, accuracy of 98.3%, and recall of 98.9%.These results signify a high level of confidence in accurately identifying diverse attack types, thereby minimizing the risk of false positives and false negatives.This heightened accuracy is instrumental in streamlining manual threat verification and response efforts.• Superior AUC and ROC Scores: Our method's utilization of LSTM and GRU features yields superior Area Under the Curve (AUC) and Receiver Operating Characteristic (ROC) scores.This augmentation enhances the model's capacity to distinguish between normal network behavior and malicious actions, ultimately increasing the effectiveness and efficiency of detection and response systems.Moreover, our method excels in minimizing processing delay compared to existing approaches.The effective utilization of LSTM and GRU capabilities expedites the processing and analysis of network traffic, reducing the delay between packet capture and detection.This swift response is particularly crucial in time-sensitive situations where immediate action is required to prevent or mitigate potential attacks.
This paper presents an advanced method for IoT network traffic analysis, strategically integrating deep packet inspection and harnessing LSTM and GRU features within RNNs.The resulting framework significantly enhances precision, accuracy, recall, AUC, ROC scores, and processing speed.By effectively detecting and identifying various attack types, our approach bolsters the security and integrity of IoT networks, safeguarding sensitive data and ensuring the uninterrupted operation of IoT devices and services.

REVIEW OF MODELS USED FOR ANALYSIS OF IOT POCKETS
As the Internet of Things (IoT) continues to grow, the need for efficient network forensics tools and techniques becomes of the utmost importance levels.Analyzing IoT packets is essential for identifying potential security breaches, detecting malicious activity, and ensuring the availability and integrity of IoT networks.This literature review aims to provide an overview of the models used for the analysis of Internet of Things (IoT) packets in the context of network forensics, highlighting their advantages, limitations, and recent developments via use of Asynchronous Dilation Graph Convolutional Network (ADGCN) process [4][5][6].
Deep packet inspection entails inspecting the contents of network packets in depth, enabling a comprehensive analysis of IoT traffic.Protocol headers, payload, source and destination addresses, port numbers, timestamps, and other metadata are extracted from packets using sophisticated algorithms by DPI-based models.DPI models can detect anomalies, identify suspicious patterns, and classify network traffic based on specific criteria by analyzing these parameters.DPI is highly effective at detecting known attacks, but due to the limitations of signature-based detection, it may struggle to identify novel or sophisticated threats [7][8][9].

Supervised learning
Support vector machines (SVM), random forests (RF), and neural networks are examples of supervised learning algorithms that have been applied to IoT packet analysis for network forensics.These models are trained on labeled datasets using features extracted from IoT packets to classify benign and malicious traffic.Using historical data, supervised learning models can effectively identify known attack types via Lightweight Deep Neural Network (LDNN) process [10][11][12].However, their performance is highly dependent on the quality and representativeness of the training data, and they may have difficulty detecting zero-day or emerging attacks.

Unsupervised learning
Without prior knowledge of attack patterns, IoT packets are analyzed using unsupervised learning algorithms, such as clustering and anomaly detection techniques.These models identify out-of-the-ordinary behaviours and patterns that may indicate malicious activity.Approaches to unsupervised learning can identify previously unknown attack types and adapt to evolving threats.However, they may produce a greater number of false positives and require extensive manual analysis for accurate results interpretations & conclusions via Federated Deep Reinforcement Learning (FDRL) process [13][14][15].
In analyzing IoT packets for network forensics, deep learning techniques, such as convolutional neural networks (CNNs), recurrent neural networks (RNNs), and generative adversarial networks (GANs), have demonstrated remarkable promise.CNNs excel at extracting spatial characteristics from packet payloads, enabling precise content-based analysis and anomaly detection.RNNs are effective at capturing temporal dependencies in packet sequences, allowing for the detection of attack patterns spanning multiple packets or time intervals.GANs can generate realistic Internet of Things (IoT) traffic samples for training and testing, thereby facilitating the development of robust models [16][17][18].Deep learning models offer the benefit of automatic feature extraction and can adapt to IoT environments that are both complex and dynamic use cases.However, they frequently require vast quantities of labeled data for training and can be computationally costly for real-time scenarios [19,20].
Integration of multiple models [21][22][23], hybrid architectures, and the application of transfer learning and reinforcement learning techniques are recent developments in the field of IoT packet analysis for network forensics.Combining the strengths of multiple algorithms, hybrid models improve precision and performance.Transfer learning enables the transfer of knowledge from pre-trained models to new tasks or domains, thereby reducing the need for large amounts of training data.The techniques of reinforcement learning can optimize the decision-making process in real-time, thereby enhancing the efficacy of network forensics [24,25].
Nonetheless, network forensics analysis of IoT packets continues to present obstacles.The increasing complexity and diversity of IoT devices and protocols impede the development of all-encompassing models capable of handling heterogeneous traffic.The absence of standard datasets and benchmarking methodologies hinders the evaluation and comparison of various models.In addition, privacy concerns and legal considerations must be addressed to ensure that IoT packet analysis techniques are used ethically and legally for different scenarios [26][27][28].
The analysis of IoT packets for network forensics is crucial for ensuring the security and integrity of IoT ecosystems, as determined by network forensics.In identifying network threats, detecting anomalies, and classifying IoT traffic, deep packet inspection, machine learning models, and deep learning models offer various advantages.Recent developments in hybrid models, transfer learning, and reinforcement learning techniques have the potential to improve the precision and performance of IoT packet analysis.Addressing challenges associated with the complexity of IoT environments, dataset standardization, and privacy concerns will contribute to the continued development of this field and enable the creation of more effective network forensics solutions.

Deep packet inspection (DPI)
DPI involves a comprehensive analysis of IoT traffic by inspecting packet contents.It extracts metadata like protocol, addresses, timestamps, etc., enabling anomaly detection and pattern classification.DPI excels at known attack detection but struggles with novel threats.
• Supervised Learning: Algorithms like SVM, RF, and neural networks classify benign and malicious traffic using labeled datasets.Effective for known attack types but dependent on training data quality, they might miss emerging threats.• Unsupervised Learning: Clustering and anomaly detection techniques identify unusual patterns, including unknown attacks.They adapt to evolving threats but may generate more false positives.

Deep learning techniques
Deep learning, including CNNs, RNNs, and GANs, shows promise: • CNNs: Extract spatial characteristics from packet payloads for precise content-based analysis and anomaly detection.Automatic feature extraction and adaptability to complex IoT environments are advantages, but they require substantial labeled data and can be computationally costly.

Recent developments
Integration of multiple models, hybrid architectures, transfer learning, and reinforcement learning improve precision and performance.Hybrid models combine algorithm strengths, transfer learning reduces data requirements, and reinforcement learning optimizes real-time decision-making.

Critiques and limitations
• Complex IoT Environments: IoT's complexity impedes all-encompassing models.The literature lacks a unified approach to handling heterogeneous traffic, a challenge for IoT network security.The analysis of IoT packets for network forensics is crucial for ensuring the security and integrity of IoT ecosystems, as determined by network forensics.In identifying network threats, detecting anomalies, and classifying IoT traffic, deep packet inspection, machine learning models, and deep learning models offer various advantages.Recent developments in hybrid models, transfer learning, and reinforcement learning techniques have the potential to improve the precision and performance of IoT packet analysis.Addressing challenges associated with the complexity of IoT environments, dataset standardization, and privacy concerns will contribute to the continued development of this field and enable the creation of more effective network forensics solutions.

DESIGN OF THE PROPOSED MODEL FOR POCKET ANALYSIS
During the review of existing models that are proposed for packet analysis, it was observed that these models are either highly complex, or do not perform with high-efficiency levels under real-time cloud deployments.To overcome these issues, this section discusses design of an efficient multidomain packet analysis for identification of attacks.As per Figure 1, Deep packet inspection (DPI) and recurrent neural networks (RNNs) are proposed as a novel method for analyzing IoT network traffic are used in this text.The method focuses on extracting and analyzing important parameters including protocol, source and destination addresses, port numbers, payload, timestamp, packet length, sequence number, flags, quality of service markings, content-type, content-length, user-agent, and referrer sets.The temporal values of these parameters are converted into LSTM and GRU feature sets, which are then fed to RNNs for the classification of various attack types.This work is necessary due to the increasing complexity and variety of attacks against IoT networks.
The LSTM and GRU models are initialized by accumulating and converting packet samples into 1D vector sets.These vector sets are provided to a variance estimation procedure, which aids in obtaining an initiation vector as per Eq. ( 1): where, xin is the group of collected input packet samples, U and W represent LSTM constants which are continuously tuned, and h is a kernel matrix that is modified incrementally to acquire multimodal feature sets.Eq. ( 2) assists in the evaluation variance (var) levels.
N represents the total number of input samples.By evaluating intermediate feature (f) and augmented output (o) features, Eqs. ( 3) and ( 4) augment these variant features to aid in the selection of high variance feature sets. = (  *   + ℎ −1 *   ) (3) All of these extracted sets are utilized to estimate an initial convolution (C) feature vector using Eq. ( 5), which utilized tangent operations to eliminate exponential value sets.
Eq. ( 6) augments these convolutional methods to estimate a ternary vector (T), which aids in merging prior input samples with initialization characteristics.
In Eq. ( 7), the estimated ternary vector is subsequently processed to evaluate an updated kernel metric (hout), which is employed by GRU operations for enhanced feature analysis.
The revised kernel metric, together with the output ternary vector, is fed into the GRU engine, as shown in Figure 2, to determine inferred impedance (z) and resistance (r) values with the help of Eqs. ( 8) and ( 9), shown as follows: As shown in Eqs. ( 10) and ( 11), these measures are merged to provide an output feature vector (xout) and an updated kernel metric (ht): This approach is repeated for several cycles until the variance across feature sets increases linearly, indicating that the model can recognize continuously variable feature sets.After this evaluation, we have a sequence of features represented by x1, x2, ..., xn, which are classified into one of K attack classes.This is done via RNN, which uses a SoftMax based classification layer via Eq.( 12): where, p(yt ┤| x1, x2, ..., xn) represents the probability distribution over the classes, softmax represents the softmax activation function that normalizes the input into a probability distribution via Eq.( 13), Wh is the weight matrix that maps the hidden state ht to the output space, which is done as per Network Training operations, ht represents the hidden state at time step t, and b is the bias vector, which is used to tune the results.

𝑠𝑜𝑓𝑡𝑚𝑎𝑥(𝑧 𝑖 ) = 𝑒𝑥𝑝(𝑧 𝑖 ) 𝑠𝑢𝑚 (𝑒𝑥𝑝(𝑧 𝑗 )) 𝑓𝑜𝑟 𝑗 = 1 𝑡𝑜 𝑛 (13)
Based on this evaluation, the proposed model is able to classify collected packets, and their metadata sets into different attack classes.Performance of this model was evaluated in terms of different evaluation metrics in the next section of this text.These modules process the sequential data by maintaining hidden states that can capture long-term dependencies, which is essential for detecting attack patterns that may span multiple packets or occur over extended time intervals & scenarios.

Selection of extracted features
The proposed method focuses on extracting and analyzing a comprehensive set of parameters from IoT network packets.These parameters include: • Protocol • Source and destination addresses • Referrer sets These parameters are selected based on their significance in characterizing IoT network traffic and identifying potential attack patterns.For instance, protocol and port numbers can provide insights into the communication protocol being used and the specific services or applications involved.Timestamps and sequence numbers help establish the temporal order and relationships between packets.
By analyzing these parameters, the proposed method aims to capture patterns that might indicate malicious activity.For example, a sudden surge in payload size or unusual combinations of flags and protocol types could be indicative of an attack.Content-related parameters like content-type and user-agent might help in identifying suspicious communication patterns.

Parameter tuning
Parameter tuning is a critical aspect of training deep learning models such as LSTM and GRU.The efficiency and effectiveness of the model depend on finding the right set of hyperparameters.Some of the key hyperparameters that are typically tuned include: • Learning Rate: Learning rate controls the size of the steps taken during gradient descent optimization.It needs to be adjusted to ensure that the model converges to the optimal solution without overshooting or getting stuck in local minima.These parameters affect the model's capacity and ability to capture temporal dependencies.The tuning process involves experimenting with different combinations of these hyperparameters to optimize the model's performance.This is typically done by training the model on a subset of the data and validating its performance on a separate validation set.The hyperparameters that result in the best performance are then selected for the final model.
In summary, the proposed method leverages LSTM and GRU modules to capture temporal dependencies in packet sequences.It extracts a comprehensive set of relevant parameters from IoT network packets to detect attack patterns.Parameter tuning is essential to optimize the model's performance, and it involves adjusting hyperparameters such as learning rate, epochs, batch size, and LSTM/GRU-related parameters.Performance of this model was evaluated in terms of different evaluation metrics in the next section of this text.

Datasets
The paper uses four datasets for evaluating the proposed model: IoT-23, CICIDS2017, IoT-Traffic, and UNSW-NB15.These datasets contain network traffic data, including normal and malicious traffic, from IoT environments or general network scenarios.

Data fusion
The datasets are fused together to create a larger dataset with a total of 900k records.Out of these, 200k records are used for validation, 600k for training, and 100k for testing.

Model architecture
The model architecture incorporates a fusion of Long Short-Term Memory (LSTM) and Gated Recurrent Units (GRU).These models are designed to estimate high variance feature sets from the network traffic data.

Performance measures
The performance of the model is evaluated using several performance measures: precision (P), accuracy (A), recall (R), and delay (d).Eqs. ( 14), ( 15), (16), and ( 17) in your description outline the formulas for calculating these measures.

Comparison
The performance of the proposed model is compared with existing methods including ADGCN [5], LDNN [12], and FDRL [15] in terms of precision, accuracy, recall, and delay levels.

Performance analysis
The proposed model collects multiple packet information sample sets, and represents them by a fusion of Long-Short-Term-Memory (LSTM) and Gated Recurrent Units (GRU), processes.These models assist in estimation of high variance feature sets, which are classified into different attack classes via RNN based classification process.To estimate performance of this model, it was evaluated on the following datasets & samples,

IoT-23
This dataset contains network traffic data captured from a simulated IoT environment.It includes various IoT devices and their interactions, both normal and malicious.It is freely available at, http://iotanalytics.unsw.edu.au/iottraces.html.

CICIDS2017
The CICIDS2017 dataset is a comprehensive collection of labeled network traffic data that includes a specific subset for IoT attacks.It covers a wide range of attacks and can be used for analyzing IoT network traffic.It is freely available at https://www.unb.ca/cic/datasets/ids-2017.html.

IoT-traffic
This dataset provides network traffic captures from different IoT devices, allowing for the analysis of various types of traffic patterns.It includes both benign and malicious traffic samples.It is freely available at, https://github.com/telekom-security/innovationlab/tree/master/datasets/IoT-traffic.

UNSW-NB15
Although not specific to IoT traffic, the UNSW-NB15 dataset includes network traffic data that can be used for intrusion detection and analyzing network attacks.It covers a range of attack scenarios and can be a valuable resource for studying network security.It is freely available at, https://www.unsw.adfa.edu.au/unsw-canberracyber/cybersecurity/ADFA-NB15-Datasets/.
These sets were fused to obtain a total of 900k records, out of which 200k were used for validation, 600k for training, and 100k for testing operations.Based on this strategy, the model was evaluated, and parameters including precision (P), accuracy (A), recall (R), & delay (d) needed during classification were estimated as per 14, 15, 16 & 17 and compared with ADGCN [5], LDNN [12], and FDRL [15], which use similar prediction methods.

Figure 3. Precision levels observed for attack analysis on different model sets
The suggested model can assess multiple attack types with high accuracy levels due to the usage of high-density feature extraction models and the RNN method.When this precision was evaluated with respect to different test samples, it was discovered that the suggested model was able to enhance attack analysis accuracy by 8.3% when compared to ADGCN [5], 3.5% when compared to LDNN [12], and 4.9% when compared to FDRL [15] under various use situations.This accuracy was also increased by combining LSTM with GRU, which aided in improving classification performance even with fewer data samples.Similar to this performance, the classification accuracy was calculated and can be shown in Figure 4.The suggested model may give improved classification with high accuracy levels due to the utilization of multidomain feature representation models in conjunction with the RNN classification process.The suggested model was able to enhance the attack detection precision by 4.5% when compared to ADGCN [5], 2.9% when compared to LDNN [12], and 5.5% when compared to FDRL [15] under diverse use situations when this accuracy was assessed w.r.t.different test samples in Figure 4 for real-time analysis.This accuracy was further increased by using highly variant feature analysis to analyse the gathered input samples, which aided in improving classification performance even with fewer data sets.The recall of categorization was calculated similarly to this performance, as shown in Figure 5.
Because of the usage of LSTM and GRU for feature representation, as well as the RNN-based classification procedure, the suggested model may produce highly consistent classifications with high recall levels.When this recall was assessed using various test samples (as shown in Figure 5), the suggested model was able to enhance the attack detection recall by 10.5% when compared to ADGCN [5], 4.9% when compared to LDNN [12], and 8.5% when compared to FDRL [15] under diverse use scenarios.These actions also aided in increasing classification speed, as seen in Figure 6.

Figure 6. Delay levels observed for attack analysis on different model sets
The suggested model may offer classifications at greater rates due to the usage of multidomain feature representation.The suggested model was able to enhance the speed of recommendation by 4.5% when compared to ADGCN [5], 8.3% when compared to LDNN [12], and 12.5% when compared to FDRL [15] under various use scenarios when these speed levels were evaluated w.r.t.different test samples in Figure 6.This latency was further reduced as a result of the implementation of RNN-based classification, which aided in the effective representation of classes and recommendations under various assault types.Because of these improvements, the suggested model is very helpful for many real-time situations and can be scaled for diverse attack types.

Statistical significance analysis
In order to validate the performance gains of the proposed model over other methods, statistical significance tests were conducted using ANOVA (Analysis of Variance).ANOVA is a statistical technique that is commonly used to determine if there are significant differences between the means of multiple groups.
In this analysis, the performance metrics (precision, accuracy, recall, and delay) of the proposed model and the three existing methods (ADGCN, LDNN, and FDRL) were compared across different numbers of test samples (NTS).The goal was to assess whether the differences in performance between the models are statistically significant.
The null hypothesis (H0) for each performance metric was that there are no significant differences in the means of the models' performance across the different numbers of test samples.The alternative hypothesis (H1) was that there are significant differences.
The following tables present the results of the ANOVA tests for each performance metric.
The p-value associated with the precision metric is less than the significance level (α=0.05),indicating that there are significant differences in precision between the models across different numbers of test samples as shown in Table 1.

Table 1. Precision
Precision F-Statistic p-Value Precision 13.28 0.001 The p-value associated with the accuracy metric as shown in Table 2 is also less than the significance level (α=0.05),indicating significant differences in accuracy between the models across different numbers of test samples.

Performance Metric F-Statistic p-Value
Accuracy 11.64 0.002 The p-value for the recall metric is less than the significance level (α=0.05),indicating significant differences in recall between the models across different numbers of test samples as presented in Table 3.

Performance Metric F-Statistic p-Value
Recall 15.72 0.001 The p-value associated with the delay metric is less than the significance level (α=0.05),indicating significant differences in delay between the models across different numbers of test samples as given in Table 4.

Performance Metric F-Statistic p-Value
Delay 18.49 0.001 Based on the results of the ANOVA tests, it can be concluded that there are statistically significant differences in precision, accuracy, recall, and delay between the proposed model and the existing methods (ADGCN, LDNN, and FDRL) across different numbers of test samples.This confirms that the proposed model consistently outperforms the existing methods in terms of these performance metrics.

Insights into the proposed model's performance
The proposed model represents a significant advancement in the field of IoT network security, particularly in the domain of attack detection and analysis.Its superior performance can be attributed to several key factors: 1. LSTM and GRU Feature Extraction: The incorporation of Long Short-Term Memory (LSTM) and Gated Recurrent Units (GRU) plays a pivotal role in capturing the temporal dependencies in packet sequences.These recurrent neural network (RNN) architectures are exceptionally well-suited for analyzing sequential data, making them ideal choices for packet analysis.LSTM and GRU models excel at preserving important information from previous packets, allowing the model to consider the context of each packet within the sequence.This temporal awareness is crucial for accurately identifying attack patterns and distinguishing them from normal network traffic.This decrease in latency is a critical factor for rapid response to attacks, ensuring timely mitigation operations.In conclusion, the proposed model's success lies in its ability to harness the power of LSTM and GRU for feature extraction, capture high variance feature sets, and leverage RNN-based classification.These components work in synergy to elevate the model's precision, accuracy, recall, and speed in IoT network attack analysis.As IoT networks continue to face evolving threats, the proposed method stands as a robust and adaptable solution, with the potential for further enhancements and applications in diverse network settings.Its contributions to IoT network security are significant, offering a path forward for more effective and efficient attack detection and mitigation operations.

CONCLUSIONS
In conclusion, this study introduces a novel approach to significantly enhance the precision, recall, and speed of attack analysis in IoT network data.The proposed model, which combines high-density feature extraction models with a recurrent neural network (RNN) technique, has demonstrated remarkable performance improvements compared to existing methods, including ADGCN, LDNN, and FDRL.

Recap of Key Results:
The proposed model has achieved the following key results: • Enhanced Precision: The model outperforms existing methods, achieving an 8.3% improvement in precision compared to ADGCN, 3.5% compared to LDNN, and 4.9% compared to FDRL.This heightened precision is vital for minimizing false alarms and accurately identifying attack patterns.
• Improved Accuracy: The model significantly enhances the accuracy of attack detection, surpassing ADGCN by 4.5%, LDNN by 2.9%, and FDRL by 5.5%.This increase in accuracy enhances the reliability of IoT network security.
• Exceptional Recall: The model exhibits outstanding recall rates, surpassing ADGCN by 10.5%, LDNN by 4.9%, and FDRL by 8.5%.This heightened recall ensures that a high proportion of attacks are effectively identified, reducing the risk of false negatives in real-time scenarios.
• Reduced Delay: The proposed model demonstrates significantly reduced delay in attack analysis, outperforming ADGCN by 4.5%, LDNN by 8.3%, and FDRL by 12.2%.This reduced latency is crucial for rapid response to attacks, enhancing the model's effectiveness in real-time scenarios.

Real-World Applications & Impact:
The proposed model holds substantial potential for realworld applications in the field of IoT network security: • IoT Security Enhancement: In the rapidly evolving landscape of IoT networks, the model offers a robust solution for real-time attack detection and mitigation.Its precision, recall, speed, and adaptability to different attack types make it a valuable tool for securing IoT environments.
• Forensic Investigation: The model's adaptability to various types of attacks makes it an essential instrument for forensic investigation of IoT network data.It can assist in uncovering the details of past attacks and identifying vulnerabilities.
• Scalability: As IoT ecosystems continue to expand, the model's scalability is crucial.Future deployments can be scaled to handle extensive IoT installations with high volumes of network traffic, ensuring the security of larger and more complex networks.
• Adaptation to Different Domains: The model's transfer learning capabilities and multidomain feature representation make it adaptable to various network topologies, devices, and IoT platforms.This adaptability is essential for addressing the unique challenges posed by different IoT scenarios.

Benefits of LSTM and GRU for Feature Extraction:
The utilization of Long Short-Term Memory (LSTM) and Gated Recurrent Units (GRU) for feature extraction has played a pivotal role in the success of the proposed model: • Temporal Context Preservation: LSTM and GRU architectures excel at preserving temporal dependencies in packet sequences.They enable the model to understand the context of each packet within a sequence, facilitating the identification of attack patterns and distinguishing them from normal traffic.
• High Variance Feature Sets: The model leverages LSTM and GRU to extract high variance feature sets from network traffic data.These features encompass a wide range of parameters, allowing the model to capture subtle variations in attack patterns and enhance its ability to differentiate between benign and malicious traffic.
• Multidomain Feature Representation: LSTM and GRU enable the creation of multidomain feature representations, making the model adaptable to diverse attack scenarios.This flexibility ensures that the model can detect a wide range of attacks, even those not encountered during training.
• RNN-Based Classification: The use of recurrent neural networks for classification further enhances the model's performance.RNNs are wellsuited for sequence classification tasks, enabling precise categorization of packets into different attack classes.In summary, LSTM and GRU provide the model with the ability to extract and represent features effectively, capture temporal dependencies, and classify sequences accurately.These components, combined with the model's adaptability and scalability, make it a promising solution for enhancing IoT network security and addressing the evolving challenges in this domain for different scenarios.

Future Scope
Future IoT network traffic research analysis can be done based on the findings and contributions presented in this paper.Following are some of the potential areas of research and development: The model could be made more robust to makes it more resistant to some form of malevolent attack.This research can be done more by generating adversarial examples that are meant to mislead a deep learning model and use those to compute the model's vulnerability.In this way, to ensure that the model can be applied to actual practice, it will be good to develop methods that can make it more resistant to such attacks.
Inclusion of more feature extraction techniques while the proposed model utilizes high-density feature extraction models, in the future, more feature extraction techniques could be incorporated.Techniques such as wavelet analysis, spectrum analysis, and frequency domain analysis could be integrated with the current method to extract more diverse and valuable information from IoT network traffic data.
Scalability of the model: The IoT ecosystem is today rapidly increasing at an alarming rate; future research can be directed toward the model's scalability.Creating a model on a large scale with considerable IoT installations and with so much volume of Network traffic brings about some exciting complications similarly, as the model scales up to deal with massive IoT setups generating gigantic network traffic.One would need to figure out methodologies to have huge sets of data handled quickly and accurately without losing one's degree of accuracy.
The learning of Transfer learning methods and domain adaptation: There exists a way to learn the transfer learning techniques that can allow knowledge transfer from pre-trained models or existing datasets in similar domains.Hence, the model will be trained on sparse data and fine-tuned to work on new IoT scenarios while leveraging pre-trained models or extant datasets.Were domain adaptation techniques explored, the model would generalize across different network topologies' devices or IoT platforms.
As the IoT devices operate under those constraints of energy and computing resources, those need to be taken into consideration also.The paradigm proposed in this paper for resource-constrained IoT devices could be an interesting future research topic.Model compression, quantization, pruning, etc., can be explored so that the model's complexity and memory footprint are reduced while keeping an acceptable precision and efficacy of the model.
Integration of Real-Time Threat Intelligence It would update the model with current knowledge of new threats and attack patterns if one incorporates real-time threat intelligence inputs.In the future, researchers could find ways to integrate dynamically threat information from external sources into the model to improve its recognition capability for various kinds of evolving attacks.
Real-world deployment and testing: The proposed model can be considered for implementation in real-life IoT scenarios in future studies.This will help conclude whether the model is feasible for consideration as a realistic solution for solving the given problem.Extensive field testing, comparison to current approaches, and0086 Conway, M earn about the field applicability and validity, advantages, and shortcomings of the proposed model.
Interpretability and explicability Interpretability might not always be there in the case of deep learning models, so it may be hard to understand the rationale behind their predictions.Perhaps future work on techniques that could provide justifications for the choices made by the model will be presented to allow security analysts and system administrators to grasp the intrinsic factors that contribute to attack classifications.This in turn will facilitate a smooth embracing of the paradigm by critical IoT security applications for better trust and transparency.
Future studies conducted shall be directed towards addressing issues such although not limited to, putting more robustness in models; utilizing techniques of feature extraction; evaluating the model against the problems like scalability, transfer learning, and even domain adaptation; keeping in view the consumption and resource constraints; integration of threat intelligence in real-time; usage of model proposed/developed in realistic environment/scenarios; Lastly study of interpretability and explainability.This would enable researchers to move forward in the discipline of IoT network traffic analysis and to enhance the security of IoT ecosystems.

Figure 1 .
Figure 1.Design of the proposed LSTM & GRU Process for identification of IoT network attacks

Figure 2 .
Figure 2. Fused LSTM & GRU process for identification of highly variant feature sets LSTM and GRU are specialized Recurrent Neural Network (RNN) variants designed to address the challenge of capturing information over time.Unlike traditional feedforward neural networks, RNNs are designed for sequences and can retain information from previous steps in the sequence, making them ideal for analyzing packet sequences in IoT network traffic sets.In this context, LSTM and GRU modules are used to encode temporal information related to IoT network packets.These modules process the sequential data by maintaining hidden states that can capture long-term dependencies, which is essential for detecting attack patterns that may span multiple packets or occur over extended time intervals & scenarios.

•
Epochs: The number of training epochs determines how many times the entire dataset is passed through the model during training.Finding the right number of epochs prevents underfitting or overfitting.• Batch Size: Batch size determines how many samples are processed in each forward and backward pass through the network during training.It impacts the convergence speed and memory usage.• LSTM and GRU Hyperparameters: These include the number of LSTM/GRU units or layers in the network, dropout rates, and activation functions.
) where, tp represents the number of samples correctly classified into a given class, tn represents the number of samples correctly classified into an incorrect class, fp & fn are correct & incorrect counts for categorizing inputs into incorrect classes, and tscomplete & tsstart represent the timestamps for completing and starting the classification processes.The model was validated using Nr classification record sets.Based on this evaluation strategy, the performance measures were evaluated, and precision of attack classification was tabulated w.r.t.different number of test samples (NTS) in Figure 3.

Figure 4 .Figure 5 .
Figure 4. Accuracy levels observed for attack analysis on different model sets In conclusion, IoT network traffic analysis is vital for security.Deep packet inspection, machine learning, and deep learning offer various advantages.Recent advancements in hybrid models, transfer learning, and reinforcement learning hold potential to enhance precision and performance levels.Challenges include handling IoT's complexity, dataset standardization, and ethical/legal considerations, which must be addressed for effective network forensics solutions in IoT environments for different scenarios.
• Dataset Standardization: The absence of standard datasets and benchmarking methods hinders model evaluation and comparison.It poses challenges in assessing the performance of IoT network traffic analysis methods.• Privacy and Legal Concerns: Ethical and legal considerations surrounding IoT packet analysis are essential.Privacy concerns need addressing for responsible and lawful use.