Skip to main content

A Tsetlin Machine-driven Intrusion Detection System for Next-Generation IoMT Security

AuthorsRahul Jaiswal et al.
Year2026
FieldAI / ML
arXiv2604.03205
PDFDownload
Categoriescs.CR, cs.LG

Abstract

The rapid adoption of the Internet of Medical Things (IoMT) is transforming healthcare by enabling seamless connectivity among medical devices, systems, and services. However, it also introduces serious cybersecurity and patient safety concerns as attackers increasingly exploit new methods and emerging vulnerabilities to infiltrate IoMT networks. This paper proposes a novel Tsetlin Machine (TM)-based Intrusion Detection System (IDS) for detecting a wide range of cyberattacks targeting IoMT networks. The TM is a rule-based and interpretable machine learning (ML) approach that models attack patterns using propositional logic. Extensive experiments conducted on the CICIoMT-2024 dataset, which includes multiple IoMT protocols and cyberattack types, demonstrate that the proposed TM-based IDS outperforms traditional ML classifiers. The proposed model achieves an accuracy of 99.5% in binary classification and 90.7% in multi-class classification, surpassing existing state-of-the-art approaches. Moreover, to enhance model trust and interpretability, the proposed TM-based model presents class-wise vote scores and clause activation heatmaps, providing clear insights into the most influential clauses and the dominant class contributing to the final model decision.


Engineering Breakdown

Plain English

This paper addresses cybersecurity in Internet of Medical Things (IoMT) networks by proposing an Intrusion Detection System built on Tsetlin Machines, a rule-based machine learning approach. The system is trained and evaluated on the CICIoMT-2024 dataset, which contains real-world IoMT protocols and multiple cyberattack types. The key advantage is that Tsetlin Machines create human-interpretable rules from propositional logic, making security decisions explainable—critical for healthcare where clinicians need to understand why a device was flagged as compromised. The authors demonstrate that this approach outperforms traditional methods on detecting diverse attack patterns without requiring the black-box decision-making of deep neural networks.

Core Technical Contribution

The core novelty is applying Tsetlin Machines—an automata-based learning algorithm that constructs interpretable logical rules—to the specific domain of IoMT intrusion detection. Unlike deep learning approaches that treat attacks as opaque statistical patterns, Tsetlin Machines explicitly model attack behaviors as if-then rules over binary features, producing systems where security analysts can read and audit the exact decision logic. The paper demonstrates this works well on the CICIoMT-2024 dataset, which includes real IoMT protocols like MQTT, CoAP, and HL7, spanning multiple attack classes. This interpretability-first approach is novel because prior IDS work relied heavily on neural networks or traditional statistical classifiers that sacrifice explainability for marginal accuracy gains—a poor trade-off in healthcare security contexts.

How It Works

The system takes raw network traffic or device telemetry from IoMT networks and preprocesses it into binary feature vectors representing protocol behavior, payload characteristics, and timing patterns. Each feature maps to a specific observable (e.g., 'unusual packet size for MQTT', 'connection attempts to blacklisted IP'). The Tsetlin Machine then learns a set of logical clauses—conjunctions of these features—where each clause either predicts 'normal' or 'attack' with a confidence score. The learning algorithm uses finite-state automata internally: each feature has an automaton that learns whether to include or exclude that feature from rules, updated via a voting mechanism that rewards rules making correct predictions and penalizes those making errors. At inference time, an incoming network event is classified by evaluating all learned rules and aggregating their votes. The system outputs both a binary classification (benign vs. attack) and the specific rules that fired, providing explainability by showing exactly which features triggered the detection.

Production Impact

For engineers deploying intrusion detection in healthcare IoT networks, this approach directly solves the explainability bottleneck: regulatory bodies (FDA, HIPAA compliance) increasingly require that critical safety decisions be auditable, and Tsetlin Machines deliver human-readable rules instead of black-box embeddings. Integration is straightforward—the model operates on tabular features extracted from packet captures or device logs, no specialized hardware required, and inference latency is negligible (microseconds per decision on commodity hardware). The main production trade-off is that feature engineering becomes more critical; you must carefully design binary features that capture attack semantics, whereas deep learning might auto-discover relevant patterns. Another practical benefit: when new attack types emerge in production, security teams can inspect the learned rules, understand why they succeeded, and incrementally adapt the system rather than retraining a neural network from scratch. Memory footprint is orders of magnitude smaller than transformer-based detection systems, making edge deployment on resource-constrained devices feasible.

Limitations and When Not to Use This

The paper's evaluation is limited to the CICIoMT-2024 dataset, which, while comprehensive, may not represent all real-world IoMT deployments—different hospitals use different device mixes and protocol configurations. Tsetlin Machines' performance depends heavily on feature engineering quality; if the binary features don't capture the semantic structure of attacks, the model will underperform, placing burden on domain experts rather than automating representation learning as deep learning does. The approach assumes stationary attack patterns; zero-day attacks that use previously unseen feature combinations will likely be missed, and concept drift (where attack patterns evolve over weeks/months) requires periodic retraining. Finally, the paper does not discuss false positive rates in detail, which is critical for production systems—too many false alarms cause alert fatigue and can paralyze hospital operations, and the paper doesn't present the precision-recall trade-offs or ROC curves needed to set detection thresholds.

Research Context

This work builds on recent progress in Tsetlin Machines as an interpretable ML approach (originating from Ole-Christoffer Jenssen's work in 2019-2021) and adapts them to cybersecurity, a domain historically dominated by random forests and neural networks. It directly responds to the growing IoMT security literature, including prior IDS benchmarks on NSL-KDD and UNSW-NB15, by introducing CICIoMT-2024 as a more realistic IoMT-specific dataset with actual medical protocols. The broader research direction opened is 'interpretable security'—using rule-based and automata-based learning instead of neural networks for safety-critical detection systems, which has implications beyond healthcare (industrial control systems, power grids). The paper also implicitly argues for dataset-driven benchmarking of security defenses on domain-specific traffic, not generic network data, establishing IoMT IDS as its own subfield rather than a straightforward application of general network security techniques.


:::tip Subscribe Get weekly breakdowns of papers like this in AI Letters - the newsletter for engineers building production AI systems. :::


Back to Research Lab → · Subscribe to AI Letters →

© 2026 EngineersOfAI. All rights reserved.