A forensic framework for detecting denial-of-service attacks in IoT networks using the MQTT protocol

Author Identifiers

Alaa Alatram


Date of Award


Degree Type


Degree Name

Master of Computing and Security by Research


School of Science

First Advisor

Leslie F Sikos

Second Advisor

Mike Johnstone

Third Advisor

Patryk Szewczyk

Fourth Advisor

James Jin Kang


In the domain of the Internet of Things (IoT), The Message Queueing Telemetry Protocol (MQTT) is the most widely used protocol for applications across a wide range of realms, including industrial automation, healthcare, smart homes, and smart cities; MQTT is also used in many other critical real-world applicastions. An example is BMW’s Car Sharing application, that uses MQTT to provide reliable connectivity. However, due to a lack of security considerations during the design of the MQTT protocol, all the networks implementing it are prone to cyberattacks, such as denial-of-service (DoS) attacks. While the research community has a primary focus on MQTT vulnerabilities from the perspective of intrusion detection, digital forensic considerations of the protocol have yet to be addressed. This work attempts to address this issue, specifically by generating a novel dataset based on data captured from a testbed in an IoT setting, and the application of optimised Machine Learning (ML) algorithms to differentiate between cyberattacks and benign network traffic. The philosophical assumptions guiding the conduct of this research are Positivist Paradigm, Quantitative Methodology, Experimental Research Mode, and Quasi-Experimental as a Sub-category. As a result of the IoT testbed construction, a substantial quantity of IoT data was produced, including standard MQTT data and ten different DoS and DDoS attack scenarios. In addition, a network forensic analysis of the collected data shows specific information that can be extracted and the differences between attacks and normal data. Also, eight different ML algorithms were compared, resulting in the suggestions of Random Forest (RF), XGBoost, and Artificial Neural Network (ANN) for use in the proposed framework. Gray Wolf Optimiser (GWO) was selected to combine RF and ANN in a core component of the framework. It has been demonstrated that RF with GWO and ANN with GWO can optimise results. The output of this research can have a potential impact on the implementations of MQTT-powered networks globally, thereby improving the security of modern networks that use this protocol.

Access Note

Access to this thesis is embargoed until 27 July 2023.

Access to this thesis is restricted. Please see the Access Note below for access details.