Abstract The Internet of Medical Things (IoMT) is transforming patient and healthcare management by enabling continuous monitoring, real-time decision support, and remote therapeutic interventions. However, the critical nature of connected medical devices, coupled with the use of lightweight protocols such as MQTT and CoAP, exposes these ecosystems to significant cybersecurity risks. Traditional Intrusion Detection/Prevention System (IDS/IPS) solutions, typically designed for enterprise networks, are often ineffective in IoMT contexts; conversely, complex Artificial Intelligence-based approaches, while accurate, demand computational resources incompatible with resource-constrained e-health environments. This work introduces SurIoT, an explainable and lightweight approach for the automated generation of Suricata and Snort rules aimed at detecting threats in IoMT network traffic within simulated IoT/IoMT environments. The system extracts low-level network features directly from raw packet captures and utilizes a Decision Tree to derive interpretable detection logic. These decision boundaries are then translated into deployable Suricata and Snort rules, allowing for seamless integration into existing monitoring infrastructures while ensuring decision transparency. Evaluation across four datasets, three targeted simulated attack scenarios (Crafted IoMT, DoS Flood, and Slow DoS) and one high-fidelity scenario with heterogeneous attacks (IoMT-Traffic-Data) demonstrates that the rules synthesized by SurIoT faithfully replicate the classification behaviour of the underlying Decision Tree, on every dataset. F1-scores reach 100% on Crafted traffic, 99. 77% on DoS Flood, and 99. 85% on the IoMT corpus; the Slow DoS scenario yields 83. 08% F1, reflecting the inherent difficulty of separating slow-rate TCP attacks from legitimate handshake traffic at the per-packet level without temporal features. From an operational standpoint, Suricata processes the same traffic between 31 31 × and 57 57 × faster than the full machine learning inference pipeline, with no degradation in detection accuracy relative to the Decision Tree. SurIoT emerges as a technically feasible and explainable approach, providing a foundation for strengthening security in IoMT/IoT networks through automated rule synthesis.
Aversano et al. (Wed,) studied this question.