
Real-Time SIEM-Based Cybersecurity Framework for Threat Detection and Prevention in IoMT Environments

DOI : 10.17577/IJERTV15IS043756

Gunasekara A.G.M.K, Firaz M.M.N, Basheer M.S, Ukasha M.M.M.

Department of Information Technology, Sri Lanka Institute of Information Technology (SLIIT), Sri Lanka
Supervisor: Mr. Kanishka Yapa
Co-Supervisor: Mr. Deemantha Siriwardhana

Abstract – The majority of current healthcare information is generated by the Internet of Medical Things (IoMT), enabling connected hospitals and continuous remote patient monitoring. This paradigm shift allows patient medical records to act as dynamic big data facilities. However, this evolution poses vital cybersecurity challenges due to the heterogeneous and resource-constrained nature of medical devices, rapidly expanding the attack surface of healthcare infrastructures. Consequently, sensitive patient data, including Personal Health Information (PHI), is highly vulnerable to threats such as unauthorized access, data breaches, and Distributed Denial-of-Service (DDoS) attacks. Traditional Security Information and Event Management (SIEM) systems and Intrusion Detection Systems (IDS) lack the contextual awareness, real-time prioritization capabilities, and healthcare-specific data protection mechanisms required to secure these environments.

This paper proposes a novel Real-Time SIEM-Based Cybersecurity Framework for IoMT environments, engineered upon a multi-layer pipeline architecture. The framework dynamically mitigates threats across the hardware, AI/ML intelligence, adaptive correlation, and automated response layers. A realistic clinical testbed was developed using ESP32-based IoMT nodes. Real-time telemetry is transmitted via MQTT and processed utilizing advanced machine learning models.

The primary contribution of this work is three-fold: First, a Proactive Temporary Isolation mechanism instantly quarantines high-risk anomalies at the AI/ML layer, halting lateral attack propagation. Second, an Adaptive Incident Correlation Engine (AICE) introduces patient-aware severity scoring to drastically reduce false positive rates. Third, a PHI-aware Automated Response System (ARS) dynamically sanitizes sensitive healthcare data. Experimental evaluations demonstrate that the proposed framework significantly improves threat detection accuracy and minimizes alert fatigue.

Index Terms – Internet of Medical Things (IoMT), Security Information and Event Management (SIEM), Cybersecurity, Machine Learning, Adaptive Incident Correlation Engine (AICE), Explainable AI (XAI), SHAP.

  1. Introduction

    The rapid advancement of digital healthcare technologies is spearheaded by the widespread adoption of the Internet of Medical Things (IoMT) [1], [4], [5]. Within this ecosystem, interconnected medical devices continuously monitor patient physiological conditions and transmit real-time telemetry. Devices such as pulse oximeters, Electrocardiogram (ECG) monitors, temperature sensors, and fall detection systems play a critical role in modern clinical environments [21].

    Manuscript received April X, 2026; revised XXX. This work was supported by the Sri Lanka Institute of Information Technology (SLIIT).

    However, the integration of these heterogeneous, resource-limited, and network-connected devices has significantly expanded the cybersecurity attack surface of healthcare infrastructures [15], [18]. IoMT environments are particularly vulnerable due to limited built-in security mechanisms, fragmented communication protocols, and the continuous transmission of sensitive Personal Health Information (PHI) [25]. Cyber threats such as unauthorized access, ransomware, data tampering, and DDoS attacks can directly impact patient safety [10], [17].

    Traditional cybersecurity solutions, including conventional Intrusion Detection Systems (IDS) and SIEM platforms, are not natively designed for IoMT ecosystems [19]. These legacy systems often generate massive volumes of irrelevant alerts, lack clinical context awareness, and fail to provide real-time, automated response capabilities. To address these critical vulnerabilities, this research proposes a Real-Time SIEM-Based Cybersecurity Framework tailored for IoMT environments.

  2. Literature Review

    The IoMT has significantly transformed modern healthcare by enabling continuous patient monitoring, real-time data analysis, and intelligent clinical decision-making [22], [24]. By integrating wearable sensors, implantable devices, and smart healthcare systems, IoMT supports proactive and personalized treatment [2]. However, this rapid digital transformation introduces severe cybersecurity challenges [5], [13].

    IoMT systems typically operate through multi-layered architectures. Data is frequently transmitted via wireless protocols and processed using cloud or edge computing models. From a security perspective, IoMT environments remain highly vulnerable. Common attack vectors include DoS/DDoS, Man-in-the-Middle (MITM), ransomware, and data spoofing [11], [16].

    Artificial Intelligence (AI) has played a major role in enhancing IoMT cybersecurity [6], [14]. Machine Learning (ML) and Deep Learning (DL) models have achieved high accuracy in detecting known attack patterns [3], [8]. However, these approaches face limitations: most models depend heavily on static or offline datasets, lack integration with real-time streaming pipelines, and critically, do not consider clinical context when prioritizing threats [20], [26]. Furthermore, Explainability (XAI) has become an essential requirement in healthcare cybersecurity, as automated decisions must be transparent and trustworthy [9].

    TABLE I
    Comparative Analysis of Existing IoMT Security Approaches

    Approach           | Method          | Dataset         | Real-Time | SIEM | XAI     | Limitation
    ML-based IDS       | RF, SVM         | CIC datasets    | ×         | ×    | ×       | Offline only
    DL-based IDS       | CNN, LSTM       | CIC datasets    | ×         | ×    | ×       | High complexity
    DRL-based IDS      | Deep Q-Learning | Simulated       | Partial   | ×    | ×       | No real deployment
    Federated Learning | Distributed ML  | Private data    | ×         | ×    | Limited | Comm. overhead
    XAI-based IDS      | Ensemble + SHAP | Public datasets | ×         | ×    | ✓       | No system integration
    Proposed Work      | RF + IF + SIEM  | Hybrid dataset  | ✓         | ✓    | ✓       | Real-time validated

  3. Methodology

    This research adopts a Design Science Research (DSR) methodology integrated with rigorous experimental validation. The system is deployed in a realistic mini-hospital testbed, where multiple ESP32-based medical devices operate within a localized private network.

    A. IoMT Device Layer (Hardware & Data Acquisition)

    To simulate a realistic clinical environment, the system integrates four distinct IoMT monitoring nodes operating on ESP32 microcontrollers.

    The hardware layer continuously generates physiological telemetry and network traffic logs. The data is transmitted securely via an MQTT broker to a centralized MongoDB database.

    TABLE II
    IoMT Device Layer Components and Sensor Configurations

    Device Node          | Sensor Module | Primary Output
    Pulse & SpO2 Monitor | MAX30102      | Heart rate (BPM), SpO2
    ECG Monitor          | AD8232        | Analog ECG waveform
    Temperature Node     | MLX90614      | Body Temperature (°C)
    Fall Detection Node  | MPU6050       | Motion / Accelerometer

    B. AI/ML Threat Detection Layer

    The core intelligence of the framework utilizes a hybrid AI approach, combining supervised learning for known threat signatures and unsupervised learning for zero-day anomalies [7], [12].

    1. Supervised Detection (Random Forest): A Random Forest (RF) classifier was trained on a hybrid dataset to detect known network and device-level attacks. To ensure the model's robustness, a 5-Fold Cross-Validation was conducted (Fig. 3). The RF model achieved a high aggregate accuracy of 98.50%. The specific classification performance is detailed in the confusion matrix (Fig. 4) and corresponding metrics (Fig. 5).

      Feature importance extraction confirms that network-level parameters are the primary indicators of compromise (Fig. 6).

    2. Anomaly Detection (Isolation Forest): To identify zero-day vulnerabilities, an Isolation Forest algorithm was deployed, efficiently isolating anomalies with an accuracy of 99.28% (Fig. 7 and Fig. 8).

    C. Adaptive Incident Correlation Engine (AICE)

    Raw alerts generated by the AI models are frequently noisy. AICE intercepts these alerts and applies temporal grouping, confidence filtering, and patient-aware severity scoring.

    As shown in Table III, AICE successfully reduced raw alerts from 40,320 down to 146 actionable incidents, effectively filtering out 88.5% of false positives.

    TABLE III
    AICE Correlation Performance and False Positive Reduction

    Category        | Raw Input Alerts | Correlated Output | Reduction
    True Attacks    | 39,050           | 485               | 98.0%
    False Positives | 1,270            | 146               | 88.5%

    D. Automated Response System (ARS) and Data Privacy

    The ARS dynamically assigns mitigation strategies. Responses are categorized into four actions: Isolate, Monitor, No Action, and Rollback.

    To guarantee regulatory compliance, a dedicated PHI protection module redacts sensitive patient identifiers prior to logging. The module achieved a 96% accuracy rate in distinguishing safe telemetry from PHI-laden data [23] (Fig. 13 and Fig. 14).

  4. Results and Discussion

    A. Overall System Performance Evaluation

    The achieved combined system accuracy of 96% demonstrates that the proposed hybrid model is highly robust. To further validate the reliability of the classification thresholds under imbalanced healthcare datasets, Receiver Operating Characteristic (ROC) and Precision-Recall (PR) analyses were conducted.

    The proposed framework deliberately balances a 96% accuracy with lightweight, real-time edge processing, making it distinctly superior for practical clinical deployment.

    B. Explainable AI (XAI) Integration Using SHAP

    To address the black-box dilemma in medical AI, SHapley Additive exPlanations (SHAP) were integrated to provide dynamic transparency into the model's decision-making process. As evidenced in Fig. 18, the SHAP visualizations confirm that the framework correctly prioritizes logical network indicators and device criticality tiers over arbitrary noise, validating its contextual awareness.
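    The AICE and ARS stages described in Section III (temporal grouping, confidence filtering, patient-aware severity scoring, and the four response actions), together with the PHI redaction applied before logging, as an added illustrative example that is not the paper's code. The device criticality tier values, the Isolate/Monitor thresholds, the PHI patterns and the sample alerts are all constructed assumptions; the paper names criticality tiers but does not publish them.

```python
import re
from collections import defaultdict
# Tier values, thresholds and PHI patterns are constructed; the paper names criticality tiers only.
CRITICALITY = {"ecg": 3, "pulse_spo2": 3, "fall": 2, "temperature": 1}
ISOLATE_AT, MONITOR_AT = 40, 15
PHI_PATTERNS = [(re.compile(r"\b\d{9}[VX]\b"), "[REDACTED-NIC]"),
                (re.compile(r"patient=[A-Za-z ]+"), "patient=[REDACTED]")]

def redact_phi(text):
    """PHI module: strip patient identifiers before the line reaches the log."""
    for pattern, replacement in PHI_PATTERNS:
        text = pattern.sub(replacement, text)
    return text

def choose_action(alert_type, severity):
    """ARS: map an incident onto Isolate / Monitor / No Action / Rollback."""
    if alert_type == "tamper":
        return "Rollback"            # restore the last trusted device state
    if severity >= ISOLATE_AT:
        return "Isolate"             # proactive temporary isolation of the node
    if severity >= MONITOR_AT:
        return "Monitor"
    return "No Action"

def correlate(alerts, window=60, min_confidence=0.7):
    """AICE: temporal grouping, confidence filtering, patient-aware scoring."""
    groups = defaultdict(list)
    for alert in alerts:
        if alert["confidence"] < min_confidence:          # confidence filtering
            continue
        groups[(alert["device"], alert["type"], alert["ts"] // window)].append(alert)
    incidents = []
    for (device, alert_type, _), group in groups.items():
        max_conf = max(a["confidence"] for a in group)
        patient_weight = 2 if any(a["patient_critical"] for a in group) else 1
        severity = round(max_conf * 10) * CRITICALITY[device] * patient_weight
        incidents.append({"device": device, "type": alert_type, "raw_alerts": len(group),
                          "severity": severity, "action": choose_action(alert_type, severity),
                          "evidence": redact_phi(group[0]["message"])})
    return incidents

# Constructed raw alerts: a DDoS burst on the ECG node, one low-confidence alert, one tamper alert.
ECG_MSG = "ecg flood from 10.0.0.9 nic=901234567V patient=Jane Doe"
SAMPLE_ALERTS = [{"ts": 1000 + i, "device": "ecg", "type": "ddos", "confidence": 0.96,
                  "patient_critical": True, "message": ECG_MSG} for i in range(5)]
SAMPLE_ALERTS += [{"ts": 1010, "device": "temperature", "type": "ddos", "confidence": 0.55,
                   "patient_critical": False, "message": "noise"},
                  {"ts": 1020, "device": "temperature", "type": "tamper", "confidence": 0.80,
                   "patient_critical": False, "message": "temp drift"}]
```

    Running `correlate(SAMPLE_ALERTS)` collapses the seven raw alerts into two incidents: the five-alert ECG burst becomes one Isolate incident whose logged evidence no longer carries the patient name or NIC, and the tamper alert becomes a Rollback incident, while the low-confidence alert is dropped.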

  5. Conclusion

This paper presented a comprehensive, real-time SIEM-based cybersecurity framework tailored exclusively for Internet of Medical Things (IoMT) environments. Unlike conventional security solutions that rely on isolated and context-blind detection mechanisms, the proposed framework integrates a four-layer architecture: Hardware edge nodes, AI/ML Detection, an Adaptive Incident Correlation Engine (AICE), and an Automated Response System (ARS).

Experimental deployment within an ESP32-based clinical testbed demonstrated that the hybrid AI approach yields a formidable 98.5% and 99.28% detection accuracy for known and zero-day threats, respectively. Crucially, the AICE module successfully mitigated alert fatigue by filtering out 88.5% of false positives. Furthermore, the integration of XAI (SHAP) for transparent decision-making and a dedicated PHI-masking module ensures that the framework inherently complies with stringent healthcare privacy regulations.

The proposed framework offers a highly scalable, context-aware, and privacy-preserving security paradigm, making it an ideal defense architecture for modern, resource-constrained digital healthcare infrastructures.

Fig. 1. Layered system architecture of the proposed framework, encompassing the Hardware Layer, AI/ML Layer, Correlation Layer, and Response Layer.

Fig. 2. IoMT-Based Multi-Device Circuit Architecture Using ESP32 Nodes, detailing sensor pinouts and gateway connectivity.

Fig. 3. 5-Fold Cross Validation Accuracy across training subsets, demonstrating excellent model generalization and stability.

Fig. 4. Confusion Matrix for the Random Forest model.

Fig. 5. Calculated Performance Metrics for the Random Forest Model.

Fig. 6. Top Feature Importance (Random Forest), indicating the features with the highest predictive weight.

Fig. 7. Confusion Matrix for the Isolation Forest anomaly detection module.

Fig. 8. Performance Metrics Calculation for the Anomaly Detection module.

Fig. 9. Logical pipeline flow from raw IoMT device telemetry to Alert Detection and final Correlation.

Fig. 10. Multi-class Confusion Matrix evaluating the granular prediction of specific response categories.

Fig. 11. Confusion Matrix illustrating the high accuracy of ARS action execution across the four operational states.

Fig. 12. Statistical distribution of automated response actions triggered during the experimental timeframe.

Fig. 13. Confusion Matrix evaluating the PHI Detection and dynamic masking capabilities.

Fig. 14. Detailed Performance Metrics (Precision, Recall, F1-Score) for Safe vs. PHI data classifications.

Fig. 15. Receiver Operating Characteristic (ROC) Curve representing the trade-off between True Positive and False Positive rates.

Fig. 16. Precision-Recall Curve highlighting the model's performance stability in imbalanced IoMT attack datasets.

Fig. 17. SHAP interaction value plot mapping the correlative impact of features such as timestamp, deviceid, and devicetype.

Fig. 18. SHAP summary bar plot detailing the average impact magnitude of features across the classification classes.

References

  1. U. Bamel, A. Kumari, S. Kumar, and K. Dutta, Securing Internet of Medical Things: Exploring Vulnerabilities and Attack Vectors, in Proc. 8th Int. Conf. Parallel, Distributed and Grid Computing (PDGC), 2024, pp. 678–680.

  2. A. Zhou and S. Piramuthu, Smart IoMT Applications in Senior Healthcare: Balancing Functionality, Security, and Privacy Challenges, in Proc. 9th Int. Conf. Mobile and Secure Services (MobiSecServ), 2024.

  3. L. A. Daher, Towards Secure IoMT: Attack Detection Using Deep Q-Learning in Healthcare Networks, in Proc. 16th Int. Conf. Developments in eSystems Engineering (DeSE), 2023.

  4. T. Soni, D. Gupta, M. Uppal, and A. Kumari, Transforming Healthcare: The Synergy of Artificial Intelligence and Internet of Medical Things, in Proc. Asian Conf. Intelligent Technologies (ACOIT), 2024.

  5. M. Mushtaq, M. A. Shah, and A. Ghafoor, The Internet of Medical Things (IoMT): Security Threats and Issues Affecting Digital Econom, 2023.

  6. Machine Learning-Based Detection for Cyber Attacks in Internet of Medical Things Devices, 2023.

  7. Real-Time Anomaly Detection in IoMT Networks Using Stacking Model and a Healthcare-Specific Dataset, 2023.

  8. Image-Based Zero-Day Malware Detection in IoMT Devices: A Hybrid AI-Enabled Method, 2023.

  9. Explainable Ensemble-Based Detection of Cyber Attacks on Internet of Medical Things, 2023.

  10. Detection of DoS and DDoS Attacks Using Machine Learning and Blockchain in IoMT Networks, 2023.

  11. Enhancing Machine Learning Approach Based on Nilsimsa Fingerprinting for Ransomware Detection in IoMT, 2023.

  12. A Novel Experience-Driven and Federated Intelligent Threat-Defense Framework in IoMT, 2023.

  13. Hacking Health: Unveiling Vulnerabilities in BLE-Enabled Wearable Sensor Nodes, 2023.

  14. Data-Driven Neural Speech Enhancement for Smart Healthcare in Consumer Electronics Applications, 2023.

  15. Applied Layered-Security Model to IoMT, 2023.

  16. Analysis of the Primary Attacks on IoMT Communication Protocols, 2023.

  17. A Recent Assessment for Ransomware Attacks Against the Internet of Medical Things (IoMT): A Review, 2023.

  18. Improving Security Architecture of Internet of Medical Things: A Systematic Literature Review, 2023.

  19. Intrusion Detection System for Defending Against DoS Attacks in the IoMT Ecosystem, 2023.

  20. IoMT Malware Detection Approaches: Analysis and Research Challenges, 2023.

  21. IoMT Real-Time Health Monitoring System, 2023.

  22. IoT-Based Health Monitoring and Automated Predictive System to Confront COVID-19, 2023.

  23. Preventive and Reactive Cybersecurity Techniques on IoT Devices in Healthcare Environments, 2023.

  24. Recent Advances in the Internet-of-Medical-Things (IoMT) Systems Security, 2023.

  25. Review of Security and Privacy for the Internet of Medical Things (IoMT), 2023.

  26. Review on IoMT Security through Distributed Machine Learning, 2023.