(H-DIR)2: A Scalable Entropy-Based Framework for Anomaly Detection and Cybersecurity in Cloud IoT Data Centers

Abstract

Modern cloud-based Internet of Things (IoT) infrastructures face increasingly sophisticated and diverse cyber threats that challenge traditional detection systems in terms of scalability, adaptability, and explainability. In this paper, we present (H-DIR)², a hybrid entropy-based framework designed to detect and mitigate anomalies in large-scale heterogeneous networks. The framework combines Shannon entropy analysis with Associated Random Neural Networks (ARNNs) and integrates semantic reasoning through RDF/SPARQL, all embedded within a distributed Apache Spark 3.5.0 pipeline. We validate (H-DIR)² across three critical attack scenarios-SYN Flood (TCP), DAO-DIO (RPL), and NTP amplification (UDP)-using real-world datasets. The system achieves a mean detection latency of 247 ms and an AUC of 0.978 for SYN floods. For DAO-DIO manipulations, it increases the packet delivery ratio from 81.2% to 96.4% (p < 0.01), and for NTP amplification, it reduces the peak load by 88%. The framework achieves vertical scalability across millions of endpoints and horizontal scalability on datasets exceeding 10 TB. All code, datasets, and Docker images are provided to ensure full reproducibility. By coupling adaptive neural inference with semantic explainability, (H-DIR)² offers a transparent and scalable solution for cloud-IoT cybersecurity, establishing a robust baseline for future developments in edge-aware and zero-day threat detection.

Keywords: RDF/SPARQL explainability; associated random neural network (ARNN); cloud–IoT security; entropy-based anomaly detection; hybrid distributed information retrieval; semantic adaptive cyber defense; sub-second detection latency.

Figure 1

(Workflow): simulation pipeline of the (H-DIR)² framework.

Figure 2

(Dual-scalability): Dual-scalability of the H-DIR architecture.

Figure 3

(Dual-level cycle): bidirectional semantic–neural coupling and its dynamic update cycle.

Figure 4

(ETL-bridge): the diagram shows how RDF triples and SPARQL rules are vectorized and injected into the ARNN core, producing neural activations and a dynamic attack graph.

Figure 5

(Graph matrix): (a) spatial distribution of the entropy variation ΔH in the RPL DAO-DIO attack (red = higher disorder). (b) Backlog B(t) with and without the proposed H-DIR² mitigation; the vertical dashed line marks the cutoff time, t = 0.43 s.

Figure 6

(dao-rpl): Dao Dio attack. Comparison before–after mitigation.

Figure 7

(dao-routing): NTP amplification. Dynamically reconfigured routing.

Figure 8

(NTP amp): Traffic overload observed during a spoofed NTP amplification attack (amplification ×500).

Figure 9

(NTP amp): (a) peak load reduction achieved by four mitigation stacks as the number of edge nodes increases. (b) Learning dynamics of the ARNN early-stage predictor over 20 training epochs.

Figure 10

(Scalability of stress): throughput and latency vs. device count. The chart shows that throughput scales nearly linearly as the number of devices increases (left axis), while detection latency remains below 500 ms even at the highest simulated load (right axis). This confirms both vertical and horizontal scalability of the (H-DIR)² framework under stress test conditions.

Figure 11

(Semantic graph): view of the semantic–adaptive integration loop.