IEEE Access, vol. 14, pp. 48312-48326, 2026 (SCI-Expanded, Scopus)
The Internet of Medical Things (IoMT) connects heterogeneous medical devices and enables continuous monitoring, but it also expands the attack surface and exposes healthcare networks to both known intrusions and zero-day behaviors. Many existing intrusion detection system (IDS) solutions assume closed-set classification, rely on legacy or non-IoMT datasets, and are sensitive to class imbalance and distribution shift, which can lead to overconfident errors and high false-alarm rates. We propose a multi-stage learning framework that combines fast anomaly screening with hierarchical attack attribution and an explicit reject option. A benign-trained Auto-Encoder flags anomalous flows using reconstruction error, enabling low-latency filtering. Flagged flows are then processed by supervised models in three stages: binary verification, coarse attack-category classification, and fine-grained multiclass identification using Random Forest, XGBoost, and a lightweight CNN. Oversampling and feature selection mitigate class imbalance and reduce redundancy. At the final stage, confidence-thresholding rejects low-confidence multiclass predictions as Unknown, providing practical open-set behavior for novelty detection. Experiments on CICIoMT2024 achieve 99.63% anomaly-detection accuracy, 99.89% binary accuracy, 99.95% categorical accuracy, and 99.77% multiclass accuracy. In online evaluation with held-out attacks, the framework rejects an unseen MQTT flooding attack as Unknown while showing lower rejection for unseen reconnaissance traffic due to feature overlap among reconnaissance subtypes, supporting gateway-level real-time IoMT monitoring.
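The final-stage reject option and the held-out result described above can be illustrated with a short added example, which is not the paper's code. The class names, probability vectors and percentile rule for choosing the threshold are all assumptions constructed for illustration; the abstract does not state how the threshold is set.

```python
# Added illustration, not the paper's code. Every probability below is a
# constructed stand-in for the stage-3 multiclass model's output.
UNKNOWN = "Unknown"

def calibrate_tau(val_confidences, keep_percent=95):
    """Assumed rule: choose tau so that keep_percent of known-class
    validation flows have a top-class probability at or above it."""
    ordered = sorted(val_confidences, reverse=True)
    k = max(1, len(ordered) * keep_percent // 100)
    return ordered[k - 1]

def classify_with_reject(probs, tau):
    """Return the arg-max label, or UNKNOWN if its probability is below tau."""
    label = max(probs, key=probs.get)
    return label if probs[label] >= tau else UNKNOWN

def rejection_rate(flows, tau):
    """Fraction of flows routed to UNKNOWN."""
    rejected = sum(classify_with_reject(p, tau) == UNKNOWN for p in flows)
    return rejected / len(flows)

# Constructed top-class confidences on validation flows of known attacks.
VAL_CONF = [0.99, 0.98, 0.97, 0.97, 0.96, 0.95, 0.94, 0.93, 0.91, 0.90,
            0.90, 0.89, 0.88, 0.87, 0.86, 0.85, 0.84, 0.83, 0.82, 0.62]

# Constructed held-out flows; recon_a, recon_b and ddos are hypothetical
# known classes. The flood resembles no known class, so probability is spread.
UNSEEN_FLOOD = [
    {"recon_a": 0.30, "recon_b": 0.25, "ddos": 0.45},
    {"recon_a": 0.20, "recon_b": 0.30, "ddos": 0.50},
    {"recon_a": 0.25, "recon_b": 0.20, "ddos": 0.55},
    {"recon_a": 0.35, "recon_b": 0.25, "ddos": 0.40},
]
# An unseen reconnaissance subtype overlaps known subtypes, so the model is
# confidently wrong on most flows and the threshold does not catch them.
UNSEEN_RECON = [
    {"recon_a": 0.92, "recon_b": 0.06, "ddos": 0.02},
    {"recon_a": 0.10, "recon_b": 0.88, "ddos": 0.02},
    {"recon_a": 0.60, "recon_b": 0.38, "ddos": 0.02},
    {"recon_a": 0.85, "recon_b": 0.13, "ddos": 0.02},
]

if __name__ == "__main__":
    tau = calibrate_tau(VAL_CONF)
    print("tau:", tau)
    print("flood rejected:", rejection_rate(UNSEEN_FLOOD, tau))
    print("recon rejected:", rejection_rate(UNSEEN_RECON, tau))
```

A confidence threshold only catches novelty that leaves the model uncertain; unseen traffic that closely resembles a known class needs a separate signal, such as the reconstruction error from the anomaly-screening stage.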