DOI: 10.3390/electronics15132869 ISSN: 2079-9292

Lightweight Machine Learning Intrusion Detection for IoT/IIoT Networks: Quantisation Strategies and Physical Deployment on Resource-Constrained Microcontrollers

Emanuele Pio De Bernardis, Oleksandr Kuznetsov, Marco Arnesano, Polatova Zhansaya, Madina Sydykova

Intrusion detection in IoT and IIoT networks must operate under tight resource constraints, yet most published machine learning-based IDS solutions report accuracy on held-out data without addressing whether the trained model can actually run on the target hardware. We address this gap with an end-to-end study spanning dataset preprocessing, model training, INT8 quantisation, and physical execution on two real microcontrollers. Five supervised classifiers—Logistic Regression, Decision Tree (depth 5), Random Forest, XGBoost, and LightGBM—plus an MLP deep learning baseline are evaluated on binary and ten-class intrusion detection tasks using the TON_IoT network dataset. A 5-fold stratified cross-validation confirms stable performance across splits, with LightGBM reaching F1=0.9993±0.0001. Models are then exported through three quantisation pipelines: m2cgen C code generation for the two lightest classifiers, TensorFlow Lite Micro full-integer INT8 for the MLP (9.34× size reduction to 13.03 KB), and a custom post-training INT8 binary format for XGBoost and LightGBM (18.91× compression for LightGBM to 73.85 KB). All five quantised models are deployed to an Arduino Mega 2560 (ATmega2560, 16 MHz, 8 KB SRAM) and an ESP32-C3 SuperMini (RISC-V, 160 MHz, 400 KB SRAM) and benchmarked on physical hardware across 500 timed inferences per model (250 per input class), with firmware predictions confirmed to match the Python 3.11 float model on both test vectors. The Decision Tree achieves 5.6 µs inference on the ESP32-C3; LightGBM INT8 (F1=0.9992) provides the best accuracy–size trade-off among ensemble models. Cross-platform comparison reveals that the RISC-V device is 5.8–7.8× faster than the 8-bit AVR for identical model code. A cross-domain evaluation using CIC-IoT-Dataset2023 identifies large normalised distribution shifts (up to δ=5.95 in packet asymmetry), quantifying the generalisation gap that remains an open challenge.

More from our Archive