MQTTFlowLyzer: interpretable TabNet-based flow-level MQTT intrusion detection for IoT
摘要
MQTT is widely used in IoT systems, but its lightweight design makes it vulnerable to various cyberattacks. This paper reviews existing intrusion detection methods for MQTT and shows their limitations in detecting new and complex threats. In this study, we introduce an interpretable deep learning-driven intrusion detection framework that begins with raw PCAP data and applies flow-based behavioral analysis to identify both known and novel attacks. We present MQTTFlowLyzer, a protocol-aware analyzer designed to extract detailed MQTT flow features and generate an augmented dataset, BCCC-IoT-MQTT-IDS-Augmented-2025 that captures realistic and diverse attack scenarios. These contributions serve as the foundation for training interpretable DL models, specifically TabNet, an inherently interpretable, attention-based DL architecture for tabular data that integrates feature selection, classification, and confidence-based detection of zero-day threats. Furthermore, we evaluate the proposed framework against other state-of-the-art interpretable deep tabular algorithms, including GANDALF and NODE, to provide a comprehensive comparison of performance and interpretability. Our approach leverages model transparency to highlight the behavioral uniqueness of each attack class and uses attention-driven explanations to identify influential features. Experimental results show that the model accurately detects attacks such as brute force and maintains high performance across other categories. By profiling class-specific behaviors and incorporating confidence thresholds, the system also successfully flags previously unseen traffic. These findings underscore that interpretable DL approaches can deliver both high accuracy and actionable insights for real-time, resilient MQTT intrusion detection.