The Internet of Things (IoT) is rapidly expanding in agriculture, healthcare, and industry, where secure real-time communication is essential. IoT devices often use lightweight protocols such as MQTT due to their limited resources. However, weak security exposes them to cyberattacks, increasing the need for effective Intrusion Detection Systems (IDS). Traditional heuristic methods, including signature-based IDSs, face challenges in MQTT environments due to limited protocol awareness, encrypted payloads, and elusive traffic patterns, leading to high false-positive rates. AI-based IDSs improve detection but often suffer from high computational costs and adapt poorly to zero-day attacks. To address these challenges, we propose MGIDS, a hybrid IDS for MQTT IoT networks that handles both encrypted and unencrypted traffic. MGIDS uses a unified covariance-distance encoding (CovDist) that maps flows into quantised bins, which are processed using a dynamic grid-based graph structure (DYNGrid). While MGIDS defines the overall framework, DYNGrid serves as the core learning and inference engine. The system adopts a two-stage hierarchical classification strategy, where Stage-1 performs coarse-grained separation and Stage-2 refines decisions into specific attack types. The proposed method achieves 97.82%, 93.08%, and 97.26% accuracy for known attacks, and 92.80%, 84.86%, and 94.80% for unknown attacks, outperforming existing approaches while demonstrating scalability and robustness.
Kumar et al. (Wed,) studied this question.