Hybrid AI-Driven IDS for IoT Using Cooja and Explainable Deep Learning
Abstract
The explosive growth in the adoption of the Internet of Things (IoT) has exposed important security concerns, especially given the energy and computational constraints of low-power devices and the increased levels of advanced routing attacks on RPL-based networks. Current intrusion detection systems (IDSs) concentrate mainly on anomaly detection and give no clear explanation of the reasons behind a detection, which limits their application in safety systems. In addition, the lack of IoT-related benchmark datasets prevents the construction of generalizable IDSs. To narrow this gap, we design a hybrid AI-based IDS that combines Convolutional Neural Networks (CNNs), Bidirectional LSTM (BiLSTM) and Random Forest (RF) for spatial, temporal and decision-level feature extraction. By modelling sinkhole, version number manipulation and flooding attacks in the Contiki-NG Cooja simulator, we derived three IoT-specific datasets that allow a detailed packet-level investigation of realistic network behaviour. The proposed model outperforms traditional deep learning methods (CNN, LSTM and CNN-AO), showing better accuracy, precision, recall, F1-score, AUC and MCC results. We use explainable AI (XAI) techniques, namely SHAP and LIME, to provide intuitive explanations of the feature contributions and attack signatures. Experimental results show that the model has strong detection ability and a low false alarm rate, and is applicable to real-time deployment in resource-limited IoT environments. This work proposes a fully traceable, ready-to-use, powerful IoT-specific IDS framework, intensively validated through comprehensive simulation and evaluation with novel IoT-specific datasets.