I published two IEEE Access papers as an undergrad, one on IoT security, one on cancer detection

Ahmad Mustafa — Fri, 12 Jun 2026 05:42:07 +0000

I'm a 6th semester CS student at COMSATS University Islamabad. Over the past few months I've been doing deep learning research alongside my coursework, and we've submitted two papers to IEEE Access. Here's what we built and what I learned.

Paper 1 — IoT Intrusion Detection

IoT devices get attacked constantly. The problem with most deep learning IDS research is that models are validated on one dataset and never tested anywhere else — so you don't actually know if they generalize.

We took the CNN-DNN architecture from Nazari et al. (validated on Kitsune) and re-evaluated it on CICIDS-2017 — 2.8 million network flow records, 12 attack classes. It didn't just hold up, it improved: from 98.47% to 99.50% accuracy. That's the generalizability proof the original paper left open.

We also benchmarked a Transformer. Theoretically appealing for traffic classification — self-attention should model complex feature dependencies well. In practice on tabular network flow data, it landed at 96.98% and struggled on specific classes. Not bad, but behind CNN-DNN, and consistent with what the literature says about vanilla transformers on tabular data.

The finding I'm most proud of: a Lightweight model with only 17,772 parameters hit 97.55% accuracy — 21× fewer parameters than CNN-DNN — without needing GPU acceleration. That's actually deployable on constrained IoT edge hardware.

SMOTE applied only to the training set took CNN-DNN from 92.35% to 99.50%. Never touch the test set with synthetic samples.

Paper 2 — Breast Cancer Grading

Binary benign/malignant histopathology classification is a mostly solved problem — models hit 98%+ routinely. But a binary label isn't clinically useful. A surgeon needs to know if it's ductal carcinoma or lobular carcinoma because the treatment differs.

We extended the CBAM-VGGNet framework from Ijaz et al. (which did binary classification and explicitly listed multi-class grading as future work) to 8-class subtype grading on the BreakHis dataset. Replaced VGGNet with ResNet50V2, evaluated across all four magnification factors combined rather than individual subsets, and added GradCAM explainability.

Final result: 82.81% on the 8-class task, 96.27% binary accuracy. The GradCAM heatmaps attend to anatomically correct regions — nuclear pleomorphism for ductal carcinoma, organized acinar patterns for adenosis. That alignment with pathological criteria is what makes a model credible in a clinical setting, not just accurate.
Lobular carcinoma (F1: 0.67) and papillary carcinoma (F1: 0.74) were the hardest — morphological overlap with other malignant subtypes is a real challenge, not just a model failure.

What doing research as an undergrad actually taught me

Honest reporting matters more than clean numbers. Both papers include a limitations section that explicitly calls out where the models fail and why. Web Attack XSS got near-zero F1 across all three models in Paper 1 — we reported it, explained the structural reason (26 real test samples), and didn't hide it.

Two-phase fine-tuning in Paper 2 — frozen backbone first, then selective unfreezing — is not just a trick. Without it, fine-tuning a deep pretrained network on a small medical dataset will catastrophically forget useful features before the head stabilizes.

And SMOTE is not magic. It helped massively, but it can't compensate for insufficient real test samples. Know what it can and can't do.
Both papers are under review at IEEE Access. I'll update this post when they publish.

I'm Ahmad Mustafa, a Full Stack Developer and deep learning researcher based in Islamabad, Pakistan. I build AI-powered products and publish work in IoT security and medical imaging.

🔗 Research Repository: https://github.com/ahmadmustafa02/iot-malware-detection-research
📄 Paper 1 — IoT Intrusion Detection: Under review · IEEE Access
📄 Paper 2 — Breast Cancer Grading: Under review · IEEE Access
Website: https://ahmadmustafa.me/
LinkedIn: https://www.linkedin.com/in/ahmadmustafa01/

I built an AI code review GitHub App that tracks your team's mistake patterns, here's how

Ahmad Mustafa — Fri, 12 Jun 2026 05:36:15 +0000

Most AI code review tools tell you what's wrong in a PR. CodePulse tells you what your team keeps getting wrong, week after week.

I built CodePulse as a GitHub App that does two things regular code review bots don't: it stores every finding per developer over time, and sends a personalized weekly digest summarizing each person's recurring issue categories. The idea is simple — if you're writing the same type of bug every week, you should know about it.

How it works

Install the GitHub App on your repos. Every time a PR is opened, CodePulse fetches the diff, runs a two-pass AI analysis using Groq's Llama 3.3 70B with structured tool-calling, and posts inline review comments pinned to exact lines with severity labels — Critical, High, Medium, Low.
Every finding gets stored against the developer who wrote it, the repo, and the PR. This is what makes CodePulse different from a one-shot reviewer — it builds a history.
Every Sunday, developers who opt in get a personalized email digest aggregating their issue categories from the past week. Not a wall of comments — a summary of patterns.

The Stack

Backend runs on Node.js, Express, TypeScript with Prisma ORM and Neon PostgreSQL on Azure. Frontend is React with TanStack Router on Vercel. Weekly digests go out via Resend, triggered by a GitHub Actions cron job.
The trickiest part was the two-pass analysis — a file triage pass first to skip lockfiles, minified assets, and generated files, then a chunked deep review pass that returns typed JSON per issue via structured tool-calling. Getting Groq to return consistent structured output at speed was the core engineering challenge.

What I learned
Webhook reliability is everything in a GitHub App. HMAC-SHA256 verification, idempotent processing, and logging every delivery from GitHub's Advanced tab saved me hours of debugging. If you're building on GitHub webhooks, treat the Recent Deliveries panel as your best friend.
Multi-tenant isolation also required more upfront schema design than I expected, scoping every query by GitHub App installation ID from day one is non-negotiable.

Try it

Live at getcodepulse.vercel.app — install the GitHub App on any repo and open a PR. Inline comments appear within 1–3 minutes.
Source on GitHub: https://github.com/ahmadmustafa02/CodePulse

I'm Ahmad Mustafa, a Full Stack Developer based in Islamabad, Pakistan. Building AI-powered products and publishing research in deep learning for IoT security and medical imaging.

LinkedIn: https://www.linkedin.com/in/ahmadmustafa01/
Website: https://ahmadmustafa.me/
Github:

DEV Community: Ahmad Mustafa

I published two IEEE Access papers as an undergrad, one on IoT security, one on cancer detection

I built an AI code review GitHub App that tracks your team's mistake patterns, here's how