Criticality aware behavioural intrusion detection for XACML integrated virtual ward IoMT systems
摘要
Virtual wards depend on connected medical devices for continuous remote patient monitoring, but access control systems are structurally blind to attackers who build a malicious outcome from a sequence of individually permitted actions. For cardiac monitors and infusion pumps, that blind spot carries direct patient-safety consequences. We propose the Behavioural Information Point (BIP), an extension to the eXtensible Access Control Markup Language (XACML) access control architecture that introduces real-time behavioural anomaly detection into the policy enforcement pipeline without modifying any policy rule. Its detection engine, CritIDS, jointly analyses device command sequences and message timing patterns, with a criticality-aware training objective aligned with IEC 62443 so that higher-risk devices receive proportionally tighter scrutiny. Evaluation on synthetic virtual ward traffic covering eight wards, ten device types, and more than 700,000 Message Queuing Telemetry Transport (MQTT) access-control events shows that CritIDS achieves an F1-score of 0.938 (a combined measure of detection accuracy and completeness; optimal value is 1.0) and an AUC-ROC of 0.937 (a measure of how reliably the model separates normal from anomalous behaviour; optimal value is 1.0), reducing false alarms by 56% relative to the best baseline. Ablation studies confirm that both the dual-pathway architecture and criticality-aware weighting contribute independently to that performance. To our knowledge, this is the first framework to use XACML Policy Decision Point audit logs as the primary data source for behavioural anomaly detection, bridging attribute-based access control and application-layer security monitoring.