The use of connected devices to enhance business and individual experiences anywhere in the world continues to grow substantially each year. Traditional connected devices, such as smartphones and computers, are no longer the only devices connected to public and private networks. Simple devices, such as security cameras, appliances, sensors attached to industrial machinery, and remote weather monitoring stations, are being connected and operated remotely, creating a vast network of connected and interactive devices or “things” (Marr, 2024).
The number of devices connected to the Internet of Things (IoT) increased by approximately 13% in 2024, reaching an estimated 18.8 billion connections worldwide, and 51% of enterprise IoT investors plan to increase their IoT adoption budgets by 10% in 2025 (Sinha, 2024).
As IoT networks expand and more devices connect, the risk of cybercriminals and nation-state bad actors disrupting services, stealing data, and damaging devices increases significantly.
IoT networks are easy targets for cyberattacks. They typically follow a different industry standard for security, and 98% of IoT network traffic is unencrypted (Joshi, 2023). IoT devices usually have limited memory and processing resources, which prevents host-based security software, such as an Intrusion Detection System (IDS), from running on or scanning the device. Thus, some IoT cyberattacks may go undetected for longer periods (Kenanf, 2023).
The complexity of the data generated by IoT devices, device heterogeneity, and ever-evolving threats to IoT networks increase the need for accurate, ML-based cyberattack identification solutions (Alwahedi et al., 2024) and for prioritizing which attacks to mitigate first.
Quickly responding to ongoing IoT attacks is paramount to prevent service disruption or damage to IoT networks and devices. Most incident response teams still use manual prioritization methods to determine the order of attack mitigation steps during an incident response event, which creates a scalability problem when responding to large volumes of events (Kumar, 2024).
This praxis demonstrates an open-source, low-cost, Machine-Learning (ML)-driven IoT cyberattack identification solution that accurately identifies active IoT network attacks. The solution uses ML binary classification models to meet the proposed cyberattack detection and accuracy requirements.
Thirteen supervised ML models were developed and evaluated on the RT_IoT 2022 open-source dataset (Sharmila & Nagapadma, 2023) to classify IoT cyberattacks. These models include Decision Tree (DT), Random Forest (RF), Support Vector Machine Classifier (SVC), Stochastic Gradient Descent (SGD), Naïve Bayes (NB), Logistic Regression (LR), Ridge Classifier, Cat Boost, XG Boost, a Neural Network (NN) Perceptron, a Multilayer Perceptron (MLP), and two “stacked ensemble” hybrid ML models built on the four best-performing base models in this praxis research (XG Boost, Cat Boost, DT, and RF) to make cyberattack predictions. The research concludes that a machine learning model can accurately detect and classify intrusions in near real-time and can be used to prioritize incident response activities automatically.
The XG Boost and Cat Boost classifiers outperform the other models in prediction accuracy and F1 score: XG Boost achieves the highest accuracy of 99.08% with an F1 score of 0.9931, and Cat Boost delivers an accuracy of 99.00% with an F1 score of 0.9925.
These “best-performing” ML classification models are suitable for identifying cyberattacks on IoT networks in resource-constrained environments, where accurately identifying attacks is critical to mitigating them.
Furthermore, the second contribution of this praxis introduces a model-generated output referred to as a Response Prioritization Report (RPR), which prioritizes IoT cyberattack response and mitigation activities to improve efficiency over many of the current manual incident response processes used by Incident Response Teams (IRTs) (Haque et al., 2020).
The RPR solution focuses on enhancing three key activities performed by IRTs: responding to active cyberattacks through attack identification, prioritizing attack containment, and eradicating attacks.
The RPR enhances these three tasks by providing the predicted attack records, ranked by urgency, together with the attack source ports, so that IRTs can automate attack port blocking for containment and eventual eradication.
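As an added illustration of the RPR workflow described above (not code from the praxis), the following script takes constructed classifier output, ranks the flagged records by urgency, and derives the containment list of source ports. The severity table, the confidence threshold, and the urgency formula are assumptions; the praxis does not publish its ranking rule.

```python
"""Build a Response Prioritization Report (RPR) from attack-classifier output.

Constructed example: the records, SEVERITY table and urgency() rule are
assumptions for illustration, not artefacts of the praxis.
"""

# Assumed severity weight per predicted attack class (constructed labels).
SEVERITY = {"dos": 5, "brute_force": 4, "port_scan": 2}

# Constructed classifier output: one record per flow flagged as an attack,
# with the assigned class, the model's attack probability and the source port.
PREDICTIONS = [
    {"id": 1, "src_ip": "10.0.0.7",  "src_port": 5555, "label": "dos",         "prob": 0.99},
    {"id": 2, "src_ip": "10.0.0.7",  "src_port": 5555, "label": "dos",         "prob": 0.97},
    {"id": 3, "src_ip": "10.0.0.9",  "src_port": 4444, "label": "port_scan",   "prob": 0.91},
    {"id": 4, "src_ip": "10.0.0.12", "src_port": 6000, "label": "brute_force", "prob": 0.88},
    {"id": 5, "src_ip": "10.0.0.12", "src_port": 6000, "label": "brute_force", "prob": 0.55},
]


def urgency(rec, threshold=0.6):
    """Assumed rule: class severity scaled by model confidence.
    Hits below the confidence threshold score 0 so they are deferred to a
    human analyst instead of triggering automated containment."""
    if rec["prob"] < threshold:
        return 0.0
    return SEVERITY.get(rec["label"], 1) * rec["prob"]


def build_rpr(records, threshold=0.6):
    """Rank records by urgency and aggregate the (src_ip, src_port) pairs to block."""
    actionable = [r for r in records if urgency(r, threshold) > 0]
    ranked = sorted(actionable, key=lambda r: urgency(r, threshold), reverse=True)
    # Keep the highest urgency seen per source endpoint; keying on the
    # (ip, port) pair avoids blocking a bare port number network-wide.
    endpoints = {}
    for r in ranked:
        key = (r["src_ip"], r["src_port"])
        endpoints[key] = max(endpoints.get(key, 0.0), urgency(r, threshold))
    return {
        "ranked": [r["id"] for r in ranked],
        "block": sorted(endpoints, key=endpoints.get, reverse=True),
        "deferred": [r["id"] for r in records if urgency(r, threshold) == 0],
    }


if __name__ == "__main__":
    report = build_rpr(PREDICTIONS)
    for rank, rec_id in enumerate(report["ranked"], 1):
        print(f"{rank}. record {rec_id}")
    print("block:", report["block"], "deferred:", report["deferred"])
```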
The Sysadmin, Audit, Network, and Security (SANS) Institute, founded in 1989, is one of the foremost providers of documented cybersecurity standards and training. The SANS Institute has developed and publicly released a six-tier incident response framework known as the Incident Handling Model (IHM) that prioritizes identifying, containing, and eradicating cyberattacks on traditional and IoT networks (Bromiley, 2020).
While other incident response frameworks exist, such as the National Institute of Standards and Technology (NIST) incident response framework, the SANS Institute's six-tier framework specifically prioritizes incident response activities (Logsign, 2023).
Therefore, the SANS Incident Handling and Response (IHR) Model best aligns with the intent of this praxis solution, which is to support IRTs in mitigating cyberattacks on IoT environments with greater accuracy and efficiency by accurately identifying attacks on IoT systems and generating the RPR.
The NIST Cybersecurity Framework (CSF), version 2.0, was also selected as a cybersecurity risk management guideline for this praxis study. The CSF 2.0 outlines the best practices for identifying and responding to cyberattacks and the critical areas that security professionals and incident response teams should address while protecting network systems, IT services, and organizational architectures.
The NIST CSF 2.0, a recent release (2022), can be broadly applied to IoT security and is free to the user, which aligns with the open-source, low-cost requirement outlined in this praxis.
Finally, the findings of this research significantly contribute to the existing body of knowledge by demonstrating that XG Boost is a preferred model for predicting cyberattacks on IoT systems, and that the model’s predicted attack output transformed into the RPR can be used to prioritize incident response activities and then automate incident response tasks aligned with the SANS IHM.
