Date of Graduation

5-2026

Document Type

Thesis

Degree Name

Bachelor of Science in Computer Science

Degree Level

Undergraduate

Department

Computer Science and Computer Engineering

Advisor/Mentor

Farnell, Chris

Committee Member

Farnell, Chris

Second Committee Member

Jin, Kevin

Third Committee Member

Nelson, Alexander

Abstract

Industrial Internet of Things (IIoT) networks underpin critical infrastructure worldwide, yet securing them remains an open challenge. Traditional intrusion detection systems require labeled attack data for training, a resource that is rarely available in real industrial deployments. They also fail against novel threats, a model trained on known attacks has no basis for detecting anything outside its training set. This thesis presents a Flow-Level Autoencoder for Intrusion Recognition, or FLAIR, a fully unsupervised deep learning system for network intrusion detection in IIoT environments. FLAIR is built on a Gated Recurrent Unit (GRU) autoencoder trained exclusively on normal network traffic. Rather than learning to classify known attacks, it learns a compact representation of what normal traffic looks like. At inference time, flow windows the model cannot reconstruct accurately are flagged as potential intrusions. No labeled attack data is required at any stage of training, threshold selection, or deployment. To capture temporal attack patterns that span multiple flows, FLAIR processes sliding windows of ten consecutive flow records. Categorical network features, source port, destination port, and protocol, are encoded through learned embedding layers, allowing the model to discover semantic relationships among port and protocol identifiers without imposing a false numeric ordering. Evaluated on the WUSTL-IIoT-2021 dataset, a realistic benchmark derived from a physical IIoT testbed emulating a water treatment facility, FLAIR is assessed across three data split configurations. On the primary 80/10/10 split, it achieves an F1 score of 93.20%, a ROC AUC of 0.9994, and a PR AUC of 0.9932. Performance remains consistent across all three configurations, with F1 never falling below 92.53% and ROC AUC never falling below 0.9991, demonstrating that the model learns a stable representation of normal IIoT traffic rather than overfitting to any particular split boundary. These results are competitive with supervised classifiers evaluated on the same testbed while requiring no attack labels, making FLAIR a practical candidate for deployment in environments where collecting labeled intrusion data is infeasible.

Keywords

anomaly detection; intrusion detection; Industrial Internet of Things; GRU autoencoder; network flow analysis; unsupervised learning

Download

Included in

Cybersecurity Commons

Share

COinS