Unsupervised Machine Learning for Anomaly Detection in Thread IoT Networks

Thread is a low-power, IPv6-based mesh networking protocol increasingly deployed in smart home and industrial Internet of Things (IoT) environments. However, security monitoring is largely designed for traditional IP or Wi-Fi traffic and unexplored for Thread networks. Existing intrusion detection systems are ill-suited to the protocol’s constrained, fragmented, and protocol-specific communication patterns. In this paper, we address this gap by formulating anomaly detection in Thread networks as an unsupervised machine learning problem, where models are trained exclusively on normal traffic. We present an anomaly detection pipeline tailored to low-power Thread networks, incorporating packet-level annotation, session-based segmentation, and the extraction of 33 statistical and protocol-aware features. Using this representation, we design a deep autoencoder to detect anomalies by learning normal behaviour. To determine the autoencoder efficacy, we compare against the classical One-Class Support Vector Machine (OCSVM). We conduct experiments using Carnegie Mellon University's (CMU) Thread dataset. In addition to normal behaviour, the dataset provides energy-depletion, session jamming, spoofing, and password guessing attacks. Our results show that the autoencoder consistently outperforms the OCSVM, achieving an overall F1-score of 87\% compared to 60\%. However, we show that the model has limitations detecting the spoofing and password guessing attacks. These results highlight the effectiveness of unsupervised approaches for modelling complex traffic patterns in low-power IoT networks and underscores the need for more adaptive detection strategies.