Comprehensive Feature Selection for Machine Learning-Based Intrusion Detection in Healthcare IoMT Networks

The rapid growth of the Internet of Medical Things (IoMT) has increased the vulnerability of healthcare networks to cyberattacks. While Machine learning (ML) techniques can effectively detect these threats, their success depends on the quality and quantity of features used for training to improve detection efficiency in IoMT environments, which are typically resource-constrained. In this paper, we aim to identify the best-performing feature sets for IoMT networks, as measured by classification performance metrics such as F1-score and accuracy, while considering the trade-offs between resource requirements and detection effectiveness. We applied an ML workflow that benchmarks various filter-based feature selection methods for ML-based intrusion detection. To test and train our binary and multi-class models, we used two well-developed IoMT datasets (CICIoMT2024 and IoMT-TrafficData). We applied filter-based feature reduction techniques (Fisher Score, Mutual Information, and Information Gain) for different machine learning models, i.e., Extreme Gradient Boosting (XGBoost), K-Nearest Neighbors (KNN), Decision Tree (DT), and Random Forest (RF). Our study demonstrates that 3-4 features can achieve optimal F1-score and accuracy in binary classification, whereas 7-8 features give reasonable performance in most of the multi-class classification tasks across both datasets. The combination of Information Gain and XGBoost with 15 features provides excellent results in binary and multi-class classification settings. Key features—protocol types, traffic metrics, temporal patterns, and statistical measures—are essential for accurate IoMT attack classification.