Enhancing Smart Home Security through IoT Device Fingerprinting Using Machine Learning: Enhancing Smart Home Security using ML
2025 (English) Independent thesis Advanced level (degree of Master (One Year)), 10 credits / 15 HE credits
Student thesis
Abstract [en]
Smart-home networks host heterogeneous IoT devices that expand the attack surface while limiting on-device defenses. This thesis investigates whether flow-based machine learning can enhance smart-home intrusion detection without payload inspection. Using the public CIC-IoT-2023 corpus and home-lab traces converted to Zeek bidirectional flows, we evaluate three supervised classifiers (Random Forest, XGBoost, LightGBM) and two one-class detectors (Isolation Forest, Autoencoder). The pipeline prioritizes recall on malicious flows via validation-time thresholding and examines feature ablation to approach gateway-feasible models. Results across the two datasets indicate that ensemble classifiers can reach the recall target with moderate false-alarm rates, while one-class methods provide complementary coverage for previously unseen behaviours at a higher false-positive cost. Feature pruning retains effectiveness with a compact subset of timing, size, and flag features, supporting edge deployment under privacy constraints. We discuss ethical considerations of flow-only analysis, operational trade-offs for recall-first alerting, and practical steps toward integration on resource-constrained hubs. The work contributes a payload-agnostic evaluation of ML-based fingerprinting for smart-home security and a methodology for balancing detection quality with deployability.
Place, publisher, year, edition, pages
2025, p. 46
Keywords [en]
Smart Home Security, Internet of Things (IoT), IoT Device Fingerprinting, Machine Learning (ML), Flow-based Intrusion Detection, Zeek, Suricata, Random Forest (RF), XGBoost (XGB), LightGBM (LGBM), Isolation Forest (IF), Autoencoder (AE), CIC-IoT-2023 Dataset, Network Traffic Analysis, Anomaly Detection, Cybersecurity in Smart Homes, Recall-first Intrusion Detection, Payload-agnostic Detection, Edge Deployment, Privacy-preserving Intrusion Detection
National Category
Computer Systems
Identifiers
URN: urn:nbn:se:mdh:diva-73522; OAI: oai:DiVA.org:mdh-73522; DiVA, id: diva2:2002838
Subject / course
Computer Science
2025-10-10 2025-10-02 2025-10-10 Bibliographically approved