Goda, Bryan; Grande, Payton Rose
2026-04-20

Title: Edge-Based Anomaly Detection for IoMT: A Lightweight Unsupervised Model and SIEM Integration
Type: Thesis (Master's)--University of Washington, 2026
File: Grande_washington_0250O_29229.pdf
Handle: https://hdl.handle.net/1773/55517
Format: application/pdf
Language: en-US
Subjects: Anomaly Detection; Cybersecurity Threat Detection; Industrial Control Systems (ICS); Intrusion Detection Systems (IDS); Security Information and Event Management (SIEM); Unsupervised Machine Learning; Information technology; Information science

Abstract:

The growth of the Internet of Medical Things (IoMT) has increased connectivity across healthcare environments, but it has also reduced visibility into how many medical devices actually behave. Many of these devices run on constrained hardware and provide little to no detailed logging, which makes traditional host-based monitoring difficult in practice. This creates a detection challenge: how to identify abnormal behavior early without adding heavy security tooling or sending large amounts of telemetry to a centralized system.

This thesis presents the design and evaluation of an edge-based, unsupervised anomaly detection pipeline for IoMT telemetry, with a specific focus on how detections integrate into real Security Information and Event Management (SIEM) workflows. An Isolation Forest model is trained on baseline telemetry that represents normal device behavior and then deployed in inference-only mode at the edge, where the model scores new events without retraining or updating parameters during operation. Instead of exposing raw model scores to analysts, anomaly outputs are normalized into SOC-centric severity levels and formatted as structured alerts for ingestion into Elasticsearch and visualization in Kibana.

Evaluation was conducted in two phases. Under controlled injection-based conditions, anomaly scores showed near-perfect separability between normal and abnormal telemetry (ROC AUC = 1.000), indicating that the model can clearly rank strongly defined abnormal deviations. When evaluated on a more realistic dataset, where normal and abnormal behavior overlap and anomalies are more subtle, performance decreased (as expected) but remained usable (ROC AUC = 0.783).

A threshold sweep was used to explore how detection performance changes as the decision cutoff for an anomaly is adjusted. This analysis showed that the system could be tuned to keep the false positive rate below 1% while still detecting a meaningful portion of anomalous events. Additional analysis confirmed that anomaly scores were normalized consistently, that severity labels were applied predictably, and that alert generation remained stable over longer runs.

Runtime feasibility was measured in both a virtualized environment and on Raspberry Pi–class hardware as a representative constrained edge gateway platform. Mean per-event latency increased from approximately 5 ms in the virtualized baseline to roughly 23 ms on edge hardware, which reflects the expected overhead of operating under tighter resource limits. Inference still completed without memory exhaustion, swapping, or process failure. These results suggest that lightweight unsupervised scoring can operate within realistic resource limits.

This system is not designed to explain exactly what happened or who carried out an attack. Its purpose is to flag unusual behavior early so that it can be investigated further. More broadly, this work shows how lightweight statistical ranking at the edge can help security teams prioritize abnormal behavior earlier and feed those detections into the centralized monitoring workflows they already use.
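The abstract describes three pieces of the pipeline that sit between the model and the SIEM: normalizing raw anomaly scores into SOC-facing severity levels, sweeping the decision threshold to hold the false positive rate under 1%, and emitting structured alerts for ingestion. The Python block below is an added example written for this page, not code from the thesis. It takes raw anomaly scores as given (standing in for the Isolation Forest output; higher is assumed to mean more anomalous), freezes normalization anchors from a constructed baseline so that inference never updates them, maps normalized scores to assumed severity bands, computes a rank-based ROC AUC and a threshold sweep over a constructed labelled evaluation set, picks the lowest cutoff whose FPR stays within budget, and builds JSON-line alert records with assumed field names. The severity bands, the alert fields and every number are constructed assumptions.

```python
"""Added example: score normalization, severity mapping, threshold sweep and
structured alert output for an edge anomaly detector.  Field names, severity
bands and all numbers below are constructed assumptions, not the thesis's own
values or code."""
import json
from typing import Dict, List, Sequence, Tuple

# Constructed baseline raw scores: the detector's output on telemetry that is
# known to be normal (higher raw score = more anomalous, by assumption).
BASELINE_RAW = [0.10, 0.12, 0.15, 0.18, 0.20, 0.22, 0.25, 0.30, 0.35, 0.40]

# Constructed evaluation set: (raw_score, is_anomalous) pairs with ground truth.
EVAL_SET = [(0.12, 0), (0.18, 0), (0.22, 0), (0.27, 0), (0.31, 0), (0.36, 0),
            (0.42, 0), (0.47, 0), (0.33, 1), (0.50, 1), (0.62, 1), (0.80, 1)]

# Assumed severity bands on the normalized [0, 1] score (upper bound, label).
SEVERITY_BANDS = [(0.50, "informational"), (0.70, "low"), (0.85, "medium")]


class ScoreNormalizer:
    """Maps raw scores to [0, 1] using anchors frozen from the baseline.

    The baseline range maps onto [0, 0.5]; scores up to one baseline-range
    beyond the baseline maximum map onto (0.5, 1.0]; anything further clamps.
    Anchors are fixed at fit time, matching inference-only operation."""

    def __init__(self, baseline: Sequence[float]) -> None:
        lo, hi = min(baseline), max(baseline)
        self.lo = lo
        self.span = 2.0 * (hi - lo) if hi > lo else 1.0

    def normalize(self, raw: float) -> float:
        return min(1.0, max(0.0, (raw - self.lo) / self.span))


def severity(norm: float) -> str:
    """Assumed band lookup; anything at or above the last band is 'high'."""
    for upper, label in SEVERITY_BANDS:
        if norm < upper:
            return label
    return "high"


def roc_auc(scores: Sequence[float], labels: Sequence[int]) -> float:
    """Rank-based AUC: fraction of (anomaly, normal) pairs ranked correctly."""
    pos = [s for s, y in zip(scores, labels) if y == 1]
    neg = [s for s, y in zip(scores, labels) if y == 0]
    wins = sum(1.0 if p > n else 0.5 if p == n else 0.0 for p in pos for n in neg)
    return wins / (len(pos) * len(neg))


def threshold_sweep(scores: Sequence[float], labels: Sequence[int],
                    thresholds: Sequence[float]) -> List[Tuple[float, float, float]]:
    """Returns (threshold, fpr, tpr) per cutoff; an event is flagged when its
    normalized score is >= the threshold."""
    n_pos = sum(labels)
    n_neg = len(labels) - n_pos
    out = []
    for thr in thresholds:
        fp = sum(1 for s, y in zip(scores, labels) if y == 0 and s >= thr)
        tp = sum(1 for s, y in zip(scores, labels) if y == 1 and s >= thr)
        out.append((thr, fp / n_neg, tp / n_pos))
    return out


def choose_threshold(sweep, max_fpr: float = 0.01) -> Tuple[float, float, float]:
    """Lowest cutoff whose FPR stays within budget; lower cutoffs flag more,
    so this is also the cutoff with the highest TPR inside the budget."""
    for row in sorted(sweep):
        if row[1] <= max_fpr:
            return row
    return sorted(sweep)[-1]


def build_alert(device_id: str, raw: float, normalizer: ScoreNormalizer,
                threshold: float) -> Dict[str, object]:
    """Structured alert record (assumed field names) ready for JSON-line ingestion."""
    norm = normalizer.normalize(raw)
    return {
        "device_id": device_id,
        "raw_score": round(raw, 4),
        "normalized_score": round(norm, 4),
        "severity": severity(norm),
        "exceeds_threshold": norm >= threshold,
    }


def run_pipeline() -> Dict[str, object]:
    """Fit the normalizer on baseline, evaluate, pick a cutoff, build alerts."""
    normalizer = ScoreNormalizer(BASELINE_RAW)
    scores = [normalizer.normalize(r) for r, _ in EVAL_SET]
    labels = [y for _, y in EVAL_SET]
    sweep = threshold_sweep(scores, labels, [i / 20 for i in range(21)])
    chosen = choose_threshold(sweep, max_fpr=0.01)
    alerts = [build_alert(f"device-{i:02d}", r, normalizer, chosen[0])
              for i, (r, _) in enumerate(EVAL_SET)]
    return {"auc": roc_auc(scores, labels), "threshold": chosen, "alerts": alerts}


if __name__ == "__main__":
    result = run_pipeline()
    print(f"AUC={result['auc']:.3f} chosen (threshold, fpr, tpr)={result['threshold']}")
    for alert in result["alerts"]:
        print(json.dumps(alert))  # one JSON document per line for bulk ingestion
```

On this constructed set the sweep lands on a cutoff of 0.65, which flags no normal events (FPR 0) and three of the four anomalies; the subtle anomaly that scores inside the baseline range is missed, which is the trade-off the abstract describes when holding the false positive rate under 1%. Because the anchors are frozen from the baseline, the same raw score always yields the same normalized score and severity label, so alert output stays consistent across a long run.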