Insights into Modern Intrusion Detection Strategies for Internet of Things Ecosystems

Isong, Bassey; Kgote, Otshepeng; Abu-Mahfouz, Adnan

doi:10.3390/electronics13122370

Open AccessReview

Insights into Modern Intrusion Detection Strategies for Internet of Things Ecosystems

by

Bassey Isong

^1,*

,

Otshepeng Kgote

¹

and

Adnan Abu-Mahfouz

²

¹

Computer Science Department, North-West University, Mafikeng 2790, South Africa

²

Council of Scientific and Industrial Research (CSIR), Pretoria 0184, South Africa

^*

Author to whom correspondence should be addressed.

Electronics 2024, 13(12), 2370; https://doi.org/10.3390/electronics13122370

Submission received: 5 May 2024 / Revised: 1 June 2024 / Accepted: 7 June 2024 / Published: 17 June 2024

(This article belongs to the Special Issue IoT in the Industry Revolution 4.0)

Download

Browse Figures

Versions Notes

Abstract

:

The swift explosion of Internet of Things (IoT) devices has brought about a new era of interconnectivity and ease of use while simultaneously presenting significant security concerns. Intrusion Detection Systems (IDS) play a critical role in the protection of IoT ecosystems against a wide range of cyber threats. Despite research advancements, challenges persist in improving IDS detection accuracy, reducing false positives (FPs), and identifying new types of attacks. This paper presents a comprehensive analysis of recent developments in IoT, shedding light on detection methodologies, threat types, performance metrics, datasets, challenges, and future directions. We systematically analyze the existing literature from 2016 to 2023, focusing on both machine learning (ML) and non-ML IDS strategies involving signature, anomaly, specification, and hybrid models to counteract IoT-specific threats. The findings include the deployment models from edge to cloud computing and evaluating IDS performance based on measures such as accuracy, FP rates, and computational costs, utilizing various IoT benchmark datasets. The study also explores methods to enhance IDS accuracy and efficiency, including feature engineering, optimization, and cutting-edge solutions such as cryptographic and blockchain technologies. Equally, it identifies key challenges such as the resource-constrained nature of IoT devices, scalability, and privacy issues and proposes future research directions to enhance IoT-based IDS and overall ecosystem security.

Keywords:

Internet of Things; IDS; machine learning; deep learning; anomaly detection; network security

1. Introduction

In recent years, the Internet of Things (IoT) has gained significant attention in academia, industrial innovation, and societal advancement. It is characterized by a network of tangible entities, commonly referred to as “things”, which are integrated with sensors, software, and network connectivity, enabling them to communicate and exchange data with other devices, systems, and environments via the Internet [1,2,3,4]. These entities possess the capability to autonomously make informed decisions and execute tasks based on the acquired data. The spectrum of objects ranges from everyday smartphones, wearable devices, and household appliances to infrastructure such as smart homes and cities [4]. Moreover, with its interconnected nature and data-sharing ability, it has revolutionized various aspects of human life, industries, homes, healthcare, cities, transportation, military, agriculture, etc. [2,3,4,5]. This facilitation of remote access is bolstered by a variety of wireless technologies, including Wi-Fi, Radio Frequency Identification (RFID), Bluetooth, and cellular networks, which enhance the efficiency of data transfer and introduce additional layers of intelligence within IoT environments [2,3,4]. Tracing the genesis of IoT, estimates place its inception around 2008–2009, although the term itself was coined earlier by Kevin Ashton in 1999. Ashton intended to advocate for RFID technology, comprising embedded sensors and actuators, to underscore its potential in streamlining goods management through effective communication of information [1,4]. Presently, the global landscape boasts more than 20 billion interconnected devices, with the IoT market valued at approximately $150 billion [4]. Projections for 2024 have suggested a surge in connected devices to over 30 billion, with a market valuation expected to approach $1 trillion [1,4,6].

Despite the numerous advantages and growing adoption of IoT, it confronts significant challenges that span business, societal, and technological domains, with security and privacy being paramount concerns [1,2,6]. The exponential increase in diverse smart devices connecting to the Internet has escalated security and privacy issues [1,2]. Consequently, many IoT devices and their associated networks are increasingly susceptible to cyber threats and various forms of malicious attacks [1,2,5]. These devices collect and store large amounts of personal data, rendering them prime targets for hackers and cybercriminals. The repercussions of such threats are profound, potentially leading to system disruptions, loss of critical data, exposure of private information with social or emotional ramifications for users, physical damage to hardware, and even complete system outages, which further expose the system to additional intrusions and threats [1,2,6]. IoT security is aimed at safeguarding these devices and networks against illicit access, tampering, or destruction. However, the task of providing robust security for IoT devices is challenging due to their inherent limitations in resources, diversity of protocols, and often inadequate encryption and updates [1,2].

Therefore, to ensure the security and privacy of IoT, it is imperative to satisfy the requirements of confidentiality, integrity, and availability concerning the information and services. It is crucial to ensure trust and reliability and to guarantee the safety of the data [2]. Over the years, several security measures involving various actions and tools have been deployed to regulate secure and reliable networking within the IoT, safeguarding devices against unauthorized access, manipulation, or damage across all architectural layers. These measures include changing default passwords, limiting unnecessary internet access to IoT devices, implementing vulnerability scanners, applying network access control, conducting software updates, and utilizing risk assessment techniques [1,2]. Intrusion detection systems (IDSs) [7,8,9,10] and other intrusion detection and prevention models have also been integral in protecting IoT devices and networks from a wide range of attacks. In particular, modern IDSs employ a range of detection techniques, such as anomaly, signature, specification, and hybrid-based methods [8,9,11]. Additionally, machine learning (ML) and deep learning (DL) technologies are increasingly being used in modern IDSs as viable mechanisms to enhance the protection of IoT devices and networks [7,9,11,12,13]. However, despite research advancements, challenges persist in improving IDS detection accuracy, reducing false positive rates (FPRs), and identifying new types of attacks. Thus, this paper brings together state-of-the-art IDS techniques in the IoT realm with a special interest. Although there are several existing survey papers in the literature, each focuses on specific aspects such as ML/DL, detection methodology, and so on. Our paper considered both ML-based and non-ML-based IDS, and the main contribution is summarized as follows:

We carried out a systematic study to select recent research papers, both journal articles and some relevant conference proceedings with a focal point on ML/DL-based and non-ML-based IDS strategies published between 2016 and 2023;
We comprehensively reviewed and analyzed each selected paper and discussed several aspects, including the techniques applied and their effectiveness, attacks and threats, evaluation metrics, and the datasets used;
We also highlighted various challenges facing IoT-based IDS and the security of IoT environments and provided different important future directions.

The rest of the paper is organized as follows: Section 2 presents the background study on IoT and IDS, Section 3 presents some of the related works in the literature, Section 4 presents the methodology applied, and Section 5 presents the analysis of IoT security and modern IDS strategies. In the same vein, Section 6 discusses the findings of the review and the future research opportunities, while Section 7 concludes the paper.

2. Background Information

2.1. Internet of Things Overview

IoT is a dynamic ecosystem composed of smart devices of diverse capabilities and sizes, all interconnected via the Internet [4]. These devices autonomously gather and exchange data and make decisions based on the information collected. The ecosystem is built upon several core components: devices, sensors, actuators, connectivity options, data processing units, cloud infrastructure, and various applications and services [4,5]. The connectivity scope of IoT is broadening beyond mere machine-to-machine communication, and despite the distinct purposes of IoT applications and services, they share fundamental similarities [3,4,5]. Specifically, every connected smart device is expected to support the functionalities associated with each architectural layer of IoT to function effectively within IoT networks. IoT architecture provides a structured framework that describes the interaction and communication of IoT devices and systems over the Internet, which can be adapted to suit specific applications, domains, and use cases [3,4,5]. Currently, there is no universally accepted reference architecture for IoT, and the development of such a standard is complex despite ongoing efforts toward standardization [5]. Moreover, various IoT architectures have been proposed over time, including three-layer, four-layer, five-layer, and seven-layer models [3,4,5]. Generally, a typical four-layer IoT architecture is comprised of four principal layers: the perception/sensing layer, network layer, data processing layer, and application layer [3,4,5], as depicted in Figure 1, where each layer fulfils specific functions to realize the collective goals of the IoT ecosystem.

As shown in Figure 1, the perception or sensing layer of IoT is composed of tangible elements like sensors, actuators, RFID tags, and cameras, which are utilized to gather environmental data or execute command-driven actions [6]. The network layer ensures connectivity and communication between the perception and data processing layers. It includes many protocols and technologies for data transmission, such as Zigbee, Bluetooth, Wi-Fi, NFC, RFID, and cellular networks, including 4G, 5G, and LoRaWAN [3,4,5]. Moreover, the layer includes routers and gateways that serve as intermediaries for connecting devices to the Internet, as well as security measures such as encryption and authentication to prevent unauthorized access [4]. The data processing or middleware layer processes and analyses the collected IoT data to derive actionable insights [4,5]. It consists of both software and hardware components that manage, process, and analyze data using technologies like ML, artificial intelligence (AI), cloud computing, edge computing, fog computing, and big data platforms, facilitating informed decision-making and automation [4]. The application layer, on the other hand, provides the user interface and functionalities that enable end-users to interact with and control IoT devices and systems [4]. It leverages software and applications to offer services and solutions, allowing users to engage with applications, visualize data, and connect with external systems for various purposes, such as sending emails, toggling devices, and activating security systems [5]. Protocols integral to IoT include IEEE 802.15.4, 6LoWPAN, RPL (networking), CoAP, MQTT, AMQP, and DSS (application) [4,5]. IoT, as an emerging computing paradigm, offers numerous benefits, including enhanced efficiency and automation, data-centric decision-making, and improvements in safety, security, and quality of life [1,2,3,4]. However, it also encounters several challenges and concerns, such as issues related to security and privacy, device interoperability, scalability, complexity, ethical considerations, device management, bandwidth constraints, end-user difficulties, and the absence of standardized regulations [1,2].

2.2. Intrusion Detection

IDS within the IoT serves as a security mechanism that continuously monitors and analyses the IoT network traffic and device behaviour to detect and prevent malicious activities or policy violations in the ecosystem of IoT [7,8]. Such malicious actions aim to illicitly penetrate IoT devices and networks, thereby compromising their confidentiality, integrity, and availability. These breaches may originate from adversaries both within and outside the organization [7]. Consequently, IDS is designed to bring forth the level of security by monitoring malicious activities on network traffic, and if anything that violates the network policies is detected, it sends immediate alerts to the administrator [7,8]. The proliferation of different attack types in the network [5,10] and the growing increase in the exchange of data between devices pose the requirement to secure IoT networks and devices. Currently, there are different techniques to detect such attacks [7,8,12,13,14], and Figure 2 presents the techniques involved in deploying and detecting intrusions or attacks in IDS.

Anomaly-based IDS (AIDS) are designed to identify malicious activities by establishing a baseline of normal device or network behaviour and signalling any deviations as potential intrusions. They utilize a variety of methodologies, including statistical, knowledge, and ML approaches [7,8,11]. In the perspective of ML-based IDS, which has seen predominant use in recent times, the techniques are categorized according to the data utilized for model creation: supervised learning (SL), unsupervised learning (USL), semi-supervised learning (SSL), and reinforcement learning [9,11,12,13]. SL techniques are subdivided into classification and regression methods, including algorithms like artificial neural networks (ANN), support vector machines (SVM), decision trees (DT), random forest (RF), Naïve Bayes (NB), logistic regression (LR), linear regression (Linear R), and k-nearest neighbours (KNN). Furthermore, ensemble methods based on Boosting and the DL techniques that span both SL and USL, such as convolutional neural networks (CNN), deep neural networks (DNN), multilayer perceptions (MLP), recurrent neural networks (RNN), autoencoders (AE), and Boltzmann machines (BM), generative adversarial network (GAN), hybrid DL techniques, etc. are employed. See Figure 3. More information about each algorithm can be found in the primary studies that applied them. Each technique offers distinct advantages and limitations in constructing an IDS model, particularly concerning accuracy and detection rates. Likewise, advancements in ML, such as transfer learning (TL) and feature engineering techniques, have been instrumental in improving the robustness of IDS in IoT systems, enabling efficient and cost-effective computations, and facilitating the generation of precise models through the analysis of complex datasets [8,11]. In contrast, the signature-based IDS (SIDS) identify intrusions by matching network packets or device activities against known attack patterns or rules, while specification-based IDS (SPIDS) delineates correct or expected network or device behaviour or protocols [8,9]. Hybrid-based IDS (HIDS) combines multiple existing techniques to refine detection accuracy and reduce false positives [8,9,10].

In the IoT domain, IDS are implemented similarly to traditional networks and are classified into network-based, host-based, and hybrid categories [8,9,10]. Network-based IDSs are tasked with scrutinizing network traffic to detect malicious activities, whereas host-based IDSs monitor the activities of IoT devices and sensors. A hybrid IDS combines the capabilities of both network-based and host-based systems. These systems can be deployed in various configurations within IoT devices and networks, including centralized, distributed, hierarchical, or collaborative approaches [10]. Furthermore, to develop an effective IDS, factors such as resources to be protected, models to determine the typical behaviour of these resources, methods for making comparisons of the activities of these resources to their expected behaviours, and ultimately, methods to determine what constitutes anomalous or intrusion behaviour are crucial considerations [9]. Several IDS that have been developed have been validated utilizing different methods such as simulations, theoretical, hypothetical, empirical, emulation, testbeds, or real-world deployment [7,8,10,11]. In this paper, we bring together the recent trends in IDS development, including ML/DL-based and non-ML-based strategies.

3. Related Works

This section presents some of the review and survey studies on intrusion detection within IoT environments and associated technologies. Touqeer et al. [6] examined the evolution of IoT, detailing device specifications and the multi-layered architecture of IoT environments while addressing security issues in smart homes and proposing remedial strategies. Likewise, Thakkar and Lohiya [7] offered an overview of intrusion detection, analysing a range of algorithms from ML, DL, and software evolution, highlighting feature selection, dataset diversity, practical IDS applications, challenges, and future research directions. Heidari and Jamali [8] equally provided a systematic review of IDS techniques in IoT, evaluating their pros and cons and pinpointing areas for continued research and emerging trends. In the same effort, Fernandes et al. [9] surveyed anomaly detection, organizing their review across five dimensions and examining current methods, ongoing challenges, and unresolved issues. Alghanmi et al. [11] also reviewed anomaly detection methods in IoT, discussing datasets, concerns, and future research directions, while Ahmad et al. [12] reviewed contemporary network IDS solutions, discussing ML and DL-based IDS advancements, methodologies, evaluation metrics, dataset choices, research challenges, and potential future research trajectories.

Moreover, Umer et al. [13] analyzed ML methods for intrusion detection across a 10-dimensional framework, evaluating their effectiveness in certain scenarios, pinpointing challenges, and suggesting areas for future research and enhancement. Concurrently, Nweke [14] thoroughly reviewed SPIDS techniques for Cyber-Physical Systems (CPS), classifying them by different characteristics, and provided insights into ongoing challenges and directions for future research, particularly in specification extraction and validation. Likewise, Zarpelão et al. [15] examined IoT-based IDSs to discern trends, challenges, and future research opportunities, emphasizing strategies for IDS deployment, detection methodologies, security threats, and validation processes. Martins et al. [16] also conducted a comprehensive review of cybersecurity threats in IoT. Their study not only examined the various challenges and attacks threatening IoT but also offered suggestions for real-time IDS and proposed publicly available real-time datasets for evaluating security systems against various cyber threats. Equally, Gendreau and Moorman [17] delved into the core aspects of IoT-based IDS research and the prevailing comprehensive trends. The study analyzed and presented guidelines for future IDS development, along with highlighting ongoing research challenges.

The authors of [18] also evaluated IDS solutions, comparing ML-based and DL-based systems, detailing their functions, advantages, disadvantages, and use cases, while Singh and Khare [19] equally discussed publicly available labelled intrusion datasets and ML methods. They noted their constraints and the common issues that impair network-based IDS performance, such as FPR, false negative rates (FNR), and data imbalance. Similarly, Adat and Gupta [20] provided an overview of IoT by analyzing its security architecture and presented a taxonomy of defence techniques alongside the security challenges within the IoT ecosystem. The researchers in [21] pinpointed susceptibilities in IoT, the types of attacks that exploit them, and potential remedies, as well as the cybersecurity tools for detection and monitoring. Similarly, Elrawy et al. [22] conducted a thorough review of the latest IoT-based IDSs, focusing on methodologies, features, and processes, while Albulayhi et al. [23] surveyed DL methods for anomaly-based IDSs in IoT, identifying gaps and suggesting a neutral reference model, while assessing key metrics and detection rates using LR, SVM, DT and ANN across various attack types.

The studies discussed above highlighted some of the survey and review studies in the realm of IoT ecosystems. While most of these studies focused on specific aspects such as IDS techniques, ML-based IDS methods, attacks, DL-based IDS, security challenges, etc., this study comprehensively surveyed all aspects: attacks, challenges, IDS techniques, performance measures, datasets, and research directions.

4. Methodology

In this paper, we followed the principles of a systematic literature review informally, which involves a structured and systematic approach to identifying, appraising, and synthesizing evidence [24,25]. In this case, we defined the research questions (RQs), the search strategy and terms, keywords, inclusion, and exclusion criteria, such as considering studies from 2016 and 2023, IoT IDS papers written in English, with implementation and results, etc. Moreover, the study defined the important and reputable electronic databases to use, such as IEEE Xplore, SpringerLink, Google Scholar, ACM, ScienceDirect, Scopus, and Web of Science. With this, we applied the search strategy and terms and the inclusion and exclusion criteria to extract the important, relevant articles with a focus on both ML-based and non-ML-based IDS in the IoT ecosystem. The search terms used were “IoT security”, “intrusion detection in IoT”, “anomaly detection in IoT”, “threat detection in IoT”, “ML intrusion detection in IoT”, etc., as guided by Boolean operators of “OR” and “AND”. The search span involved both journal articles and conference papers published in the English language and available in full text. For each article or paper that meets the defined criteria, we critically evaluated the quality of each study based on the RQs and, lastly, synthesized the findings from the selected studies. The RQs answered in this paper include the following:

i.: What are the various types of attacks and threats that affect the IoT ecosystem?
ii.: What are the challenges faced by IoT and IoT-based IDS methods?
iii.: What are the current IoT-based IDS techniques and their effectiveness?
iv.: What are the important evaluation metrics used in evaluating the IDS models?
v.: What are the important benchmark datasets utilized in training and testing IDS models?
vi.: What are some important research directions for future research?

With the search terms used on the electronic databases, a vast quantity of papers was found and based on the defined criteria, only 75 papers were found relevant for consideration manually in this paper. As shown in Figure 4, out of the 75 papers considered, 10 were conference proceedings, and 65 were journal articles. Furthermore, the RQs were strictly used in analyzing the relevant articles and papers identified and findings presented as state-of-the-art. These RQs were strictly used to analyze the papers considered in this study.

5. Trendy Analysis of IoT-Based Intrusion Detection Strategies

This section presents an analysis of some of the recent research work on intrusion detection for IoT. The analysis performed on each study is primarily based on the following aspects, as indicated in the RQs: challenges faced by IoT and IoT-based IDS methods, some of the various types of attacks and the effectiveness of threats, and IDS techniques and their limitations. Moreover, we highlighted the central evaluation metrics and benchmark datasets and provided some important research directions.

5.1. IoT Security Attacks

The swift expansion and pervasive integration of the IoT, coupled with rapidly advancing technologies and insufficient security protocols, have escalated the security risks, rendering IoT susceptible to a broad spectrum of cyberattacks [5,13]. These attacks are devised to bypass, incapacitate, or impair the functionality and performance of IoT devices. Thus, prioritizing security is imperative to shield businesses and individuals from potential data breaches and associated damages. A comprehensive examination of vulnerabilities, security frameworks, and potential threats is vital to materialize the envisioned IoT securely and successfully [5]. The surge in malicious attacks targeting IoT devices is alarming and continues to grow at an exponential rate. Such attacks can severely disrupt IoT applications and inflict damage, including catastrophic incidents like power grid failures resulting in blackouts and fatalities.

IoT-based applications are prone to various forms of attacks, including active, passive, and specifically engineered attacks [5,8,10]. Several studies have discussed these security issues. For instance, Krishna et al. [5] provided an in-depth analysis of IoT security, offering a classification of threats and attacks across different IoT architectural layers, along with threat assessments, mitigation approaches, and advanced security measures, while also pinpointing directions for future research. Concurrently, Khraisat and Alazab [10] reviewed intrusive attack detection and, thus, categorized IoT attacks into physical, software, and networks, as well as presented a taxonomy of IoT IDS techniques. The study further stressed that IoT devices are particularly vulnerable to attacks due to their constant connectivity, complex security landscape, and often inadequate encryption and passwords, making attacks on interconnected devices relatively straightforward to execute [10]. As outlined in [5,10], there are several IoT threats at different layers of the IoT architecture, including battery drainage, hardware failure, disclosure of critical information, device compromise, node cloning and replication, illegal access to devices, information theft, rough device insertion, unfair access, malicious code, badmouthing, software modification, data tampering, and more. The research papers reviewed in this study synthesize the most prevalent and severe attacks and their impact on the different layers of the IoT architecture, as summarized in Table 1.

As depicted in Table 1, the susceptibility of IoT layers to cyberattacks varies, with certain layers being more prone to exploitation based on the attackers’ objectives and methodologies. This underscores the necessity for a holistic security approach that covers all layers to effectively neutralize a wide range of threats. Thus, to mitigate IoT security threats, it is essential to implement strong authentication, regularly update firmware and software, encrypt communications, network segmentation, monitor network traffic for anomalies [7,8,9,10], and educate users about security best practices. Moreover, IoT device manufacturers must prioritize security in their designs and continuously release security patches to address vulnerabilities. Security standards and regulations for IoT devices are continually evolving to address these threats. This paper focuses on the different strategies to monitor network traffic for anomalies based on IDS.

5.2. Key Challenges of Intrusion Detection in IoT

There are several challenges affecting the IoT ecosystem, which is dominated by key security challenges. This section presents some of the critical challenges identified in the studies considered in this paper. These challenges are as follows:

Data characteristics and dimensions: The complexity of managing network traffic data is heightened due to its high-dimensional features and the extensive number of access points within Internet-connected services [26]. In addition, the categorization of botnet intrusions in IoT networks through the KNN algorithm becomes particularly difficult when confronted with voluminous datasets [27]. In the same vein, the prevalence of class imbalance within IoT IDS adversely impacts the efficiency and accuracy of ML models that are developed based on these skewed datasets [28];
Security vulnerabilities and attacks: Addressing IoT networks’ security vulnerabilities and attacks is inherently challenging, especially those that incorporate cloud technologies, as they are prone to various attacks [29]. The task of ensuring the security and privacy of IoT-based infrastructures within smart city environments is also challenging, notably in safeguarding commands in industrial IoT against forgery and misrouting [30,31]. Moreover, the strategic deployment of IDS that can precisely identify DDoS attacks is vital for preserving the operability of IoT frameworks [32]. The task is further complicated by the need to counteract the increasingly sophisticated and varied threats that plague IoT, particularly in mesh networks [33,34,35]. Also, the deliberate prolongation of packet transmission times by cyber-attacks aimed at depleting network resources represents a significant issue [36]. Furthermore, the development of security protocols that authenticate sensor nodes and safeguard their anonymity in mobile WSNs, which are susceptible to both overlapping sensory fields and attacks from internal and external sources, is a pressing concern [37]. These multifaceted challenges underscore the complexity of securing IoT environments against a wide range of threats;
ML and DL techniques for intrusion detection in IoT networks: A key challenge is the implementation of network IDS utilizing ML and DL strategies, which necessitate distinct datasets for optimal operation [38]. It is essential to develop an IDS that accurately identifies threats while minimizing false alarms [7,39], and a significant problem is developing an IDS capable of autonomously detecting anomalies and cyberattacks within IoT networks to prevent system failures [40]. Furthermore, another challenge lies in designing high-quality attack scenarios to train cybersecurity solutions for industrial CPSs, given their expanded susceptibility to enhanced network and computational technologies [41]. Implementing ML-assisted solutions for IoT security poses a great challenge as it often assumes access to large training datasets, which can be difficult to obtain as data originate at the edge and is continuously generated by IoT devices [42]. Moreover, training ML-based detection algorithms on centralized servers raise privacy concerns, especially when collecting data from multiple edge servers [43]. In the realm of Industrial IoT (IIoT), the process of identifying device failures necessitates the transfer of unprocessed data to a centralized server for model training. This practice carries the risk of disclosing confidential corporate information, thereby raising privacy concerns [44]. In addition, the task of detecting malware within IIoT and compromised IoT devices presents ongoing challenges [45], as these devices are particularly vulnerable to malware engineered to exploit existing weaknesses. In addition, detecting adversarial attacks on DNNs used in IIoT applications is complex, as they aim to deceive DNNs with subtle modifications to the inputs, posing a significant challenge in maintaining device integrity [46]. Moreover, existing intrusion detection solutions often rely on SL methods, requiring substantial labelled data for accuracy, which is challenging to source in the vast size of IoT networks [47]. The training of such ML models is time-consuming and less adaptable to dynamic IoT settings. Concurrently, applying ML methods for the analysis of big data and decision-making autonomy in IoT applications can be computationally intensive and requires large and varied datasets, leading to high false positive rate results [7,48,49,50];
Privacy preservation and FL methods in IoT networks: The effort to maintain the confidentiality of local data in IoT networks while concurrently training models via FL approaches presents a multifaceted challenge. This includes the need to protect against adversaries who may exploit shared parameters to compromise industrial applications [51]. Furthermore, there is a pressing need to strengthen the effectiveness, resilience, and security of FL-oriented methods to improve detection capabilities and ensure privacy preservation of privacy [52,53];
Resource constraints and availability: The issues surrounding resource constraints and availability involve several challenges. One such challenge is the acquisition of publicly accessible datasets that accurately represent recent network behaviours and specific IoT network characteristics for research purposes [54]. Also, detecting intrusions on systems like smart home devices, where network traces alone may not be reliable, poses another challenge [55]. It is crucial to operate intrusion detection strategies efficiently within the resource constraints of IoT network devices [56]. Moreover, implementing precise IDSs on IoT devices, which are frequently deployed in environments with limited computational resources and energy constraints, is a significant challenge [57];
Inadequacy and limitations of traditional security measures and IDSs for IoT: IoT devices and networks are prone to inherent vulnerabilities stemming from their limited resources, heterogeneous nature, and exposure to a variety of attacks [58,59,60]. Such conditions reveal the inadequacy of traditional security protocols and IDS for IoT environments. The vast quantity and heterogeneity of devices, coupled with technical constraints, render standard monitoring and security techniques inadequate for IoT [61]. Lightweight IoT devices, especially those reliant on Wi-Fi for communication, face challenges in implementing conventional security and are vulnerable to traditional Wi-Fi attacks [62]. In addition, developing IDSs tailored for IoT networks is challenging as they are required to effectively handle and analyse massive and diverse data streams in real-time [48,59,63,64,65,66]. Therefore, mitigating these challenges is essential to bolster the security framework of IoT ecosystems;
Routing and communication protocols in IoT networks: In the context of IoT networks, the mitigation of attacks on the routing protocol for RPL, which is crucial for IoT applications, poses a difficult challenge. The complexity of this task is intensified by the limited resources and significant control overhead [63]. Equally important is the detection of insider routing attacks that threaten the integrity and security of IoT networks [64]. Thus, securing the MQTT communication protocol, prevalent in IoT settings, is imperative due to its vulnerability to attacks that exploit its publish-subscribe model [67]. Moreover, guaranteeing communication security in IoT networks is a formidable task, particularly as reliance on cloud and communication technologies grows for various digital services. This includes the implementation of safeguards such as mutual authentication and the protection of IoT-specific application layer protocols [68]. Mitigating RPL protocol vulnerabilities in Advanced Metering Infrastructure (AMI) within smart grid applications is another significant challenge [69], as these attacks can drastically affect the efficiency and security of routing in smart grid networks. Additionally, the development of IDS solutions that cater to the specific needs of IPv6-connected IoT environments is challenging, as many existing systems are designed for either WSN or traditional Internet configurations, which may not be suitable for IPv6-connected IoT contexts [70];
DDoS attacks and anomaly detection in IoT networks: The task of identifying and neutralizing DDoS attacks within IoT networks, which also extends to blockchain-integrated IoT systems, is fraught with considerable challenges [49,71,72]. Such attacks are detrimental to both the performance and the security of the network, thereby endangering the stability of IoT ecosystems. Consequently, it is imperative to establish defences against botnet attacks, notably those executed by malware like Mirai and BASHLITE, to prevent DDoS attacks [73]. Typically, these attacks originate from compromised surveillance devices, potentially causing extensive disruptions. The widespread presence of unsecured IoT devices exacerbates the severity of DDoS attacks, thus intensifying the difficulty of defence [74]. Another difficulty is differentiating DDoS traffic from regular network activity, which can result in FPR, low accuracy, and a low detection rate. Furthermore, implementing effective anomaly mitigation strategies on IoT devices is critical to combat DDoS attacks, especially given their constrained computational capabilities [75]. The design of a rule-based model for the identification of DDoS threats in network traffic necessitates an algorithm for feature selection and extraction [76]. Tackling these issues is crucial for enhancing the robustness of IoT networks against DDoS incursions. The challenges associated with anomaly detection in IoT include the necessity for dependable systems that can detect and signal anomalies or attacks in real-time while withstanding attacks or system failures [77]. Furthermore, managing and analyzing the vast, dynamic data emanating from millions of sensors in IIoT settings [78], as well as detecting novel attacks that elude conventional methods [79], are essential for maintaining an edge over evolving threats;
Spam transaction attacks in cryptocurrency networks: The challenges associated with spam transaction attacks in cryptocurrency networks are multifaceted. One significant issue is the complexity involved in the automatic extraction of features necessary for identifying such attacks, which contributes to reduced detection efficacy [80]. Identifying the principal intrusion tactics of spam transaction attacks is particularly challenging, as they frequently masquerade within regular data traffic [80]. Moreover, the scarcity of adequate threat test samples for the training of detection models poses a barrier, leading to low accuracy and an increased rate of false alarms in the identification of these attacks;
Zero-day attacks and their detection: The realm of cyberspace is increasingly confronted with the threat of zero-day attacks, which exploit a range of protocols and present a difficult challenge. The detection of these attacks, which are often subtle alterations of existing cyber threats, is a complex task [81]. Furthermore, the reliance on traditional ML techniques for identifying zero-day attacks is considered inadequate, as these methods depend on historical data and predetermined features, rendering them less flexible in the face of new and evolving threats [7,81];
Security of smart industrial systems and CPS: The security of smart industrial systems and CPS is vital, especially as they are integral to the advancement of Industry 4.0. These systems face the challenge of defending against malicious attacks that take advantage of their interconnected and open architecture [82]. Identifying attacks on CPS is particularly challenging due to the deliberate and sophisticated strategies employed by cybercriminals, which can severely disrupt system operations [83]. Additionally, the development and deployment of collaborative IDS for SDN-supported CPS involve complex considerations. These include optimizing resource distribution and maintaining the quality of service, all while detecting and neutralizing insider threats [84];
Edge computing: Deploying edge computing for IoT devices introduces challenges related to vulnerability to attacks and the selection of monitoring or guard nodes in dynamic wireless sensor networks [85].

These are unique challenges in the evolving landscape of connected devices and networks. Thus, addressing these challenges is crucial to ensure the security and resilience of IoT and related technologies.

5.3. Intrusion Detection Techniques

To address some of the challenges highlighted in the previous subsection, this subsection presents the analysis of the existing solutions for IoT-based intrusion detection. These solutions’ analyses are categorized based on ML and non-ML techniques and are summarized in Table 2, Table 3, Table 4, Table 5, Table 6 and Table 7.

5.3.1. Machine Learning Based

Supervised and Semi-supervised based

The IDS techniques, which are based on SL, allow the algorithm to be trained on a labelled dataset where each algorithm learns a mapping from inputs to outputs, enabling it to make predictions or classify new, unknown attacks. On the other hand, SSL combines elements of both SL and USL, where the algorithm is first trained on the labelled data and then fine-tuned or adapted using the unlabelled data to improve overall performance. In the studies considered in this paper, IDS techniques based on supervised or semi-supervised are presented in this subsection and summarized in Table 2a,b.

To enhance the security of smart devices against threats, Anthi et al. [58] proposed a three-layered IDS using SL where Layer I categorizes the normal behaviour of IoT devices based on type and profile, Layer II detects malicious packets during attacks using the ML model, and Layer III classifies the detected attack type. Its effectiveness was verified through evaluation on a smart home testbed, testing against 12 attacks, including DoS, MitM, reconnaissance, and replay attacks, as well as four multi-stage attack scenarios. The results obtained show high F-measure scores of 96.2%, 90.0%, and 98.0% for various network-based attacks, confirming the proposed IDS’s ability to distinguish IoT devices, classify network activity, and identify specific attacks. Likewise, in mitigating the challenge of large, labelled datasets in SL for better accuracy in IoT networks, Ravi et al. [47] proposed an IDS based on the SSL model, DNNs, and the unsupervised clustering technique, k-means. This yielded the SDRK model, a combination of SSL deep feed-forward neural network (DFNN), repeated random sampling (RRS), and k-means (K). When placed in fog nodes between IoT and cloud layers, these algorithms detect and mitigate network intrusions without significantly impacting network latency. The proposed IDS was experimentally evaluated using the NSL-KDD dataset, and the results demonstrated that it outperformed existing solutions in terms of high accuracy in detecting security breaches and overcoming labelling issues in large datasets. SDRK achieved an accuracy, F1-score, and MCC of 99.78%, 99.72%, and 99.44%, respectively, for detecting the data deluge attack.

Wazirali [81] also proposed a solution to address the challenges posed by minor variations of previous cyberattacks, specifically focusing on effectively SL for IoT-based IDS. By employing KNN with hyperparameters and five-fold cross-validation, the method demonstrated robustness but faced challenges in real-time detection with varying dataset record sizes. It effectively detected DoS, Probe, User to Root, and Remote Local attacks, achieving the best results in DoS detection with 99.61% precision, 99.92% recall, and 99.17% F-measure. The overall accuracy for detecting the four attacks was 98.87%, which outperformed existing approaches. In the same vein, Hodo et al. [86] suggested an IDS framework to address significant threats in the IoT ecosystem with a focal point on DoS/DDoS attacks. Utilizing a multi-level perceptron, a supervised ANN algorithm, the model was trained on Internet packet traces to classify normal and threat patterns in the network. Its effectiveness was evaluated using simulation experiments, achieving a 99.4% accuracy in detecting DoS/DDoS attacks. Equally, He et al. [87] proposed a bi-layered smart home network IDS based on device behaviour profiling to identify malicious network traffic, expose attack types, and automatically generate a rule set representing benign device behaviours. They created a testbed for network traffic collection from real-world smart homes, and the performance of both IDS and the system was evaluated based on seven models for classifying these attacks and several performance measures. The results showed that GBDT outperformed other models with an accuracy of 99.53%, a precision of 99.57%, a recall of 99.55%, and an F1 score of 99.56%.

Concurrently, Facchini et al. [65] tackled the challenge of identifying network components’ unexpected behaviours, which are exploited when different IoT devices collaborate. The solution is a multi-level distributed IDS located in every node in the smart home ecosystem, which leverages collaboration across diverse IoT devices using a distributed hash table (DHT) where nodes share network and system information. It detects unexpected network component behaviours using a binary classifier by analyzing and aggregating incoming traffic features from both the network and the DHT. Experimental evaluations were performed and compared with different classifiers, revealing AdaBoost outperformed other models with an accuracy of 99.39%, 99.36% precision, and 99.33% recall in terms of detecting Mirai malware botnets. Moreover, to deal with computational overhead and scalability issues related to known attack signatures, Paudel et al. [71] proposed a graph-based outlier detection in IoT (GODIT) for smart home networks. It represents IoT traffic as a real-time graph stream and efficiently processes it to detect DoS attacks. The experimental results showed that the solution outperformed other anomaly detection approaches, achieving a precision of 92.0%, with DT showing the best recall at 92%. The algorithms were applied to binary classification, specifically identifying the attacks as DoS attacks. In a similar vein, Gassais et al. [55] suggested an IDS technique that combines user space, kernel space, hardware, and network input information with ML techniques to detect different types of attacks in smart devices. The host-based automated framework utilizes tracing techniques to gather device behaviour data and employs various ML models, including SL and SSL methods, to realize high detection capabilities. Evaluation of a realistic home automation system with actual threats demonstrated its effectiveness in terms of accuracy and efficiency. Accordingly, DT, RF, and WGBT were identified as the best-performing models with accuracies of 99.9%, 99.9%, and 100%, as well as detection latencies of 1.23 ms, 1.68 ms, and 9.28 ms for GBT, respectively.

Table 2. Summary of Supervised/Semi-supervised based techniques.

(a)
Ref.	Methods	Algorithms	Implementation	Datasets	Attacks	Application
[58]	SL, 3-layered IDS, MAC address scanning	J48 DT, CART, SVM, RF, kNN	Simulations: Weka tool Evaluation: Precision, Recall, F1-score	Real Testbed	DoS, MitM, spoofing, reconnaissance, reply	Smart home
[47]	SSL, SDRK-DNN and clustering method	DFNN, K-means	Testbeds deployment: IoT Fog cloud testbed, Cisco nexus switch, Raspberry Pi model 3B, sensors Evaluation: Accuracy, F1-score, MCC	NSL-KDD	Data deluge	Fog IoT systems
[81]	PCA-semi supervised	kNN	Simulations. Evaluation: Accuracy, Recall, FPR, MCC, Precision, F1-score, and ROC curve	NSL-KDD	DoS, Prope attack, user to Root attack, Remote to Local.	IoT systems
[86]	Supervised ANN	MLP	Simulations: C programming environment Evaluation: Confusion matrix	Real Testbed	DDoS/DoS	IoT systems
[87]	SL, Bi-layered NIDS	GBDT, LR, DT, RF, kNN, MLP, SVM	Simulations: Scikit-learn python library, CICFlowmeter Testbed Deployment: XiaoDu AudioSpeaker, QingPing Temperature Monitor, TP Link NetCam, and GoSund SmartPlug Evaluation: Accuracy, F1-score, Recall, Precision.	loT-23	C&C, DDoS, FileDownload, HeartBeat PortScan, botnets (Mirai, Torii, Okiru)	Smart Homes
[65]	DHT, Multi-level Distributed IDS	MLP, KNN, DT, SVM, GNB, RF, Adaboost.	Simulation: Wireshark Sniffing tool, Sysdig tool, Raspberry Pi 2 modelEvaluation: Accuracy, Precision, Recall, F1-score	Real Testbed	Botnet (Marai malware.)	Smart Homes
[71]	GODIT, discriminative n-shingle, Outlier Detection (Graph-Based)	DT, SVM, Gradient Boosting, RF.	Simulations: Python environment Testbed deployment: Netatmo Camera, TP-Link Plug, WEMO Power Switch, Samsung Camera, and WEMO Motion Sensor Evaluation: Precision, Recall, F1-score	TON_IoT	DoS attack.	Smart Homes
[55]	Host-Based Automated IDS, Tracing Techniques, Supervised and Semi-Supervised	DT, RF, GBT, SVM, MLP, LSTM	Experiment: Home automation system Raspberry Pi 3, Debian Linuz Evaluation: Accuracy, Precision, Recall, F1-score, Latency	Real Testbed	Mirai botnet, nmap scan, Metasploit, Ransomware	Smart Devices
(b)
Ref.	Methods	Algorithms	Implementation	Datasets	Attacks	Application
[88]	SL, AIDS, IDSBPSO, Statistical Analysis	RF	Simulation: Python, Anaconda navigator Evaluation: Accuracy, Precision, Recall, F1-score	IoTID20, UNSW-NB15	DoS, Exploits, Analysis, Fuzzers Reconnaissance, Backdoor, Shellcode, Worms, Host Port OS Brute Force, HTTP Flooding, UDP Flooding, Syn Flooding, ARP Spoofing.	IoT systems
[57]	Lightweight IDS, MI2G Feature Selection	LR, LDA, NB, DT, RF, SVM, GBM	Simulation: Contiki cooja and FIT IoT-LAB, Wireshark tool Evaluation: Accuracy, Precision, Recall, F1-score, training time, testing time	CICIDS2018	Brute-force, Heartbleed, Botnet, DoS, DDoS, Web, and infiltration	IoT systems
[75]	AIDS, Feature Selection (Correlation Coefficient, SHAP), fog computing	KNN, CUSUM, EWMA	Simulation: Jupyter Notebook, Python-based Scikit-Learn, Matplotlib, Scipy, Pandas, Detecta, and Scikit-learnEvaluation: Accuracy, Precision, Recall, F1-score, FPR	BoT-IoT	DDoS	IoT systems
[40]	Supervised ML, Unique feature set	KNN, SVM, DT, RF, LR, MLP(ANN)	Experiment: Python-Pandas, Numpy, matplotlib, seaborn, sci-kit-learn, Keras Framework Evaluation: Accuracy, Recall, Precision, F-Score, ROC	BoT-IoT	DoS, DDoS, Reconnaissance, Information theft	IoT systems
[89]	A two-stage IDS based on CCIs and AMoF, mobility models	Linear R, Random Way Point, Gauss Markov	Simulation: node velocity (NS1P3, NS15P7), Power Level Evaluation: TPR, TNR, FPR, FNR, Precision, F1-Score	Real Testbed	Blackhole, DDoS	Mobile IoT systems

Sarwar et al. [88] mitigated the issue of high data dimensionality in anomaly detection within dynamic and diverse IoT environments. They introduced an enhanced anomaly detection framework that integrates traditional methods with an Improved Dynamic Sticky Binary Particle Swarm Optimization (IDSBPSO) algorithm. This algorithm is designed to efficiently select key features, thereby refining the detection process. IDSBPSO, which uses a flipping probability rather than velocity, serves as a wrapper-based feature optimization technique. It reduces the search space dynamically and selects pertinent, non-redundant features for the IDS. The IDS utilizes statistical and ML algorithms to identify and classify malicious network traffic. When tested on the IoTID20 and UNSW-NB15 datasets, the IDS demonstrated superior performance over conventional PSO-based selection methods, achieving 89.52% accuracy in identifying various attacks while also reducing computational demands and the number of features required. Equally, Kaushik et al. [57] tackled the inherent weaknesses of IoT systems, such as extreme environmental conditions, low computational resources, and limited energy, which expose them to cyber threats. The study suggested a novel, resource-efficient IDS and a dual feature-selection technique named MI2G. This method prioritizes features with high mutual information and low entropy, optimizing for computational efficiency. The strategy employs a USL model to analyze network traffic and pinpoint anomalies indicative of cyber intrusions. Tests on the CICIDS2018 dataset, alongside comparisons with other research using the same and the benchmark UNSW-NB15 dataset, revealed that the DT classifier surpassed alternative ML classifiers. It achieved 99.5% accuracy, precision, and recall rates, proving its efficacy for IoT environments with constrained computational capabilities.

Alzahrani and Alzahrani [75] developed an improved method for detecting anomalies and preventing DDoS attacks in IoT networks. Their approach combines three statistical algorithms: the Exponentially Weighted Moving Average (EWMA), KNN, and the Cumulative Sum (CUSUM). By integrating fog computing into IoT, they mitigated security challenges such as botnet attacks. Feature selection methods, including the correlation coefficient and SHAPley Additive explanations (SHAP), were employed to refine the accuracy and efficiency of the IDS. Evaluation with the Bot–IoT dataset, the model demonstrated high effectiveness, with an accuracy of 99.00%, a score of 99.16%, and a precision of 100%, while maintaining a low false positive rate and successfully differentiating between IoT and non-IoT traffic. Concurrently, Tyagi and Kumar [40] created a specialized IDS based on SL for IoT settings, featuring a unique set of seven lightweight attributes tailored for IoT. This system effectively differentiates between normal and harmful network activities, such as DDoS, DoS, reconnaissance, and data theft. The study assessed the performance of various supervised machine learning algorithms, with both DT and RF achieving 99.9% accuracy. Particularly, RF was faster, processing in just 0.03 s, making it the preferred algorithm for this IDS. In a separate study, Amouri et al. [89] introduced an IDS that aligns with the distributed nature and resource constraints of IoT. The system operates in two phases: data gathering through dedicated sniffers and analysis by a super node using linear R to distinguish between safe and malicious nodes. The system’s efficacy was evaluated under various network conditions by considering factors such as power and node velocity. Two mobility models, Random Way Point (RWP) and Gauss Markov (GM), were used, concentrating on blackhole and DDoS attacks. The results indicated that the IDS was highly effective, with detection rates over 98% in high power and speed scenarios, although performance dipped to around 90% when power and speed were low.

2.: Deep Learning-based

DL is a part of ML that uses neural networks with multiple layers, also known as deep architectures. It aims to learn intricate data representations automatically, enabling the model to grasp complex patterns and features. As shown in Figure 2, DL models can either be SL or USL techniques. In the studies considered in this paper, several IDS techniques were designed based on DL models to enhance the performance of the IDS in terms of accuracy, detection rate, time and more. Some of these studies are discussed in this subsection and summarized in Table 3a–c.

Yang et al. [80] introduced the GRU-WGAN-div model to address the limitations of conventional transaction spam detection in IoT. This model leverages DL and multi-level learning to autonomously identify features indicative of network intrusions. The WGAN-div variant remarkably improved accuracy by 94.8% over ADvISE, 5.54% over SVDD, and 4.53% over OC-SVM, while also significantly lowering false alarm rates (FAR) by 68.87% and 77.97% against SVDD and OC-SVM, respectively. In parallel, Khan et al. [67] suggested a DNN-based IDS for MQTT-based IoT systems designed to safeguard sensor or event data communication. The DNN structure includes an input layer, two hidden layers with ReLU activation, and an output layer with sigmoid or softmax activation for binary or multi-class classification, respectively. Evaluated on the MQTT-IoT-IDS2020 dataset, the DNN-based IDS exhibited exceptional performance, achieving high accuracy rates of 99.92%, 99.75%, and 94.94% for different data flows in binary classification, and 97.08%, 98.12%, and 90.79% in multi-label classification. It also outperformed LSTM and GRUs, recording the highest accuracy of 97.13% for the MQTT dataset. Furthermore, Katib and Ragab [72] tackled the security, privacy, and reliability concerns in centralized IoT storage by introducing H3SC-DLIDS, a hybrid IDS. This system combines Harris Hawks optimization (HHO) and sine cosine algorithm (SCA) for feature engineering and employs an LSTM auto-encoder (LSTM-AE) model for intrusion detection. The Arithmetic Optimization Algorithm (AOA) is utilized for fine-tuning the LSTM-AE model. On the BoT-IoT dataset, H3SC-DLIDS outshone traditional methods, achieving a peak accuracy of 99.05%, a precision of 96.65%, and F-scores of 95.67% and 96.14%.

Shanmuganathan and Suresh [77] also suggested an anomaly detection algorithm that merges Markov chains and LSTM networks to enhance reliability in edge-based computing devices, which are often vulnerable to attacks and failures. This method involves real-time data collection with timestamps, followed by noise reduction through data averaging. It employs a Markov-based filter to mitigate sensor-related anomalies and uses LSTM for further anomaly detection. In experimental simulations with DHT sensors for environmental monitoring, the algorithm showed a 96.03% anomaly detection rate and a 92.48% training accuracy, outperforming the KNN algorithm in both aspects. Similarly, Sankaran and Kim [78] developed a data transmission scheme for IIoT that ensures energy efficiency and security, and a privacy-preserved data communication scheme for outlier detection. This system uses industrial data optimized by Multi-scale Grasshopper Optimization (MGO) and secures transmissions with a dynamic honeypot encryption algorithm (DHPEA). The data are stored in the IoT cloud, with blockchain managing the encryption keys while a Robust Multi-cascaded CNN (RMC-CNN) classifier detects various attack types. The system’s performance, which was assessed using power, loop, and land sensor datasets, outperformed existing methods in terms of throughput, delay, and detection rates, confirming its effectiveness. The authors also computed encryption, decryption, and execution times against current standards.

Table 3. Summary of Deep Learning-based Techniques.

(a)
Ref.	Methods	Algorithms	Implementation	Datasets	Attacks	Application
[80]	Spam Transaction Detection based on GRU-WGAN-div	GRU-WGAN-div, ADvISE, SVDD, OC-SVM	Simulation: Open-source spam transaction	Real Testbed	Spam	SpamTransaction in IoT Systems
[67]	DNN-based IDS Sigmoid/Softmax Activation, Forward and Backward Propagation	NB, RF, kNN, DT, LSTM, GRUs	Experiment: Python 3.9.5 PL (Keras, DL API, Jupyter notebook), ADAM optimiser Evaluation: Accuracy, F-measure, Recall, Precision	MQTT-IoT-IDS2020, MQTT	MitM, DoS, Intrusions	MQTT-based IoT systems
[72]	H3SC-DLIDS for hybrid intrusion detection, HHO, SCA, AOA	LSTM-AE	Experiment: Python 3.6.5 toolEvaluation: Accuracy, Recall, Precision, F-score, AUC score	BoT-IoT	DDoS	Blockchain-enabled IoT systems
[77]	DL-based Anomaly detection, Markov Networks, Edge computing	KNN, LSTM-Markov	Experiment: DHT sensors, MQTT protocolEvaluation: Accuracy, Efficiency, Root-Mean-Square Logarithmic Error (RMSLE), Mean Absolute Error (MAE), Determination Coefficient (R²)	Real Testbed	-	Edge-based IoT systems
[78]	DL, MGO, DHPEA, Blockchain, Cloud	RMC-CNN, LSTM-Gauss-NBayes, LSTM-NN, MLP, and Stacked Bi-LSTM	Simulations Evaluations: Accuracy, Precision, Recall, F1-Score, Throughput, Delay, Detection rate	Real Testbed	Sybil, DoS	IIoT systems
(b)
Ref.	Methods	Algorithms	Implementation	Datasets	Attacks	Application
[85]	DL (P-DNN, TensorFlow), Feature Engineering, KPCA, Softmax Activation Function	P-DNN, KNN, SVM, NB	Experiment: Python 3, Raspberry Pi, Kali OS, Nmap, Wireshark, Bruip suit, Linux, Snort and Suricata Evaluation: Accuracy, Precision, Recall, F1 score. CPU consumption, Memory utilization, and processing time	Real Testbed	SSH brute, DDoS-Slowloris DDoS-hping, FIN SCAN OS Fingerprinting, UDP scan, XMAS Tree scan	IoT systems
[90]	DL, Whale Optimized GRU	SVM, ANN, KNN, RF, Light+GB IGLGBM, SLGBM MLELM, LSTM, WOGRU	Experiment: Tensorflow v1.18 with Keras API, Evaluation: Accuracy, Recall, Precision, Specificity, and F1-score	WSN-DS	Flooding, Scheduling, Black Hole, Grey Hole	Healthcare systems
[26]	DL, HW-DBN-Based DeepIoT.IDS, WDNN	BB-RBM, BB-DBN, deep AE HW-DBN, Deep GB-RBM	Experiment: Python—TensorFlow 1.2 v Evaluation: Accuracy, Recall, Precision, Specificity, F1-score, G-mean, Testing time	CICIDS2017	Web (BENIGN, brute force, XSS, SQL injection attacks), bot	Cybersecurity
[29]	DL, LeNet-Based IDS	CNN, SVM, RNN	Experiment: Python—TensorFlow, Anaconda Evaluation: Accuracy, Precision, Detection rate, FPR	NSL-KDD	DoS, Probe, R2L, U2R	Multi-cloud IoT systems
[31]	DLMNN, Entropy-HOA, SMO, KH-AES algorithm	SVM, NB, KNN, ANN.	Experiment: Java Evaluation: Accuracy, F-score, Sensitivity	NSL-KDD	DoS, Probe, R2L, U2R	Smart Cities
[54]	Hybrid DLIDS	CNN, RF, XGBoost, KNN, NB, LR	Experiment: Python, TensorFlow-GPU, Keras, imbalanced-learn package Evaluation: Accuracy, Detection rate, Precision, Recall, F1-score, AUC. CPU/GPU memory consumed, computation runtimes	CCD-INID-V1, BaIoT, DoH20	ARP Poisoning (MITM), ARP DoS, UDP Flood (DoS), Hydra Brute force with Asterisk protocol (Brute force), and SlowLoris (DDoS), 5 BASHLITE, 5 Mirai	Cybersecurity
(c)
Ref.	Methods	Algorithms	Implementation	Datasets	Attacks	Application
[91]	DL-based hybrid IDS and IDPS (AIDS, SIDS), entropy Optimizer	LSTM	Simulation: Java, Keras Evaluation: Accuracy	CICDDoS2019.	DoS/DDoS	IoT DoS and DDoS detection
[92]	DL, Adaptive and intelligent AIS-IDS, F-PSO algorithm	HNN, RNN, RF, KNN	Simulation: Python platform Evaluation: Accuracy, Error, Precision, Recall, F1-score, Negative predictive energy, FNR	BoT-IoT	Service scanning, OS Fingerprinting, DDoS/DoS, Keylogging, Data theft	IoT DoS and DDoS detection
[32]	Distributed IDS Framework OPTIMIST, WGAN, Weighted Minimum Vertex Cover, K-uniform Hypergraph, Approximation Algorithm	LSTM	Simulation: Contiki cooja and FIT IoT-LAB, Wireshark tool Evaluation: Accuracy, Precision, Recall, F1-score, Memory Consumption, CPU Energy, Throughput	IoT-23, Real Testbed	DDoS	DDoS attacks in IoT systems
[34]	AI-Based Framework, Autoencoder (SAE, AE), Unsupervised Pre-training	DNN	Simulation: Cooja simulator, TShark, Network PacketAnalyser. Evaluation: Accuracy, precision and F1 score.	Real Testbed	Clone ID	Clone attacks in IoT systems
[35]	Hybrid IDS, Target Encoder, Z-score, DHE, HMS, GST, BMA, Deep Q-learning	Lightweight NN	Simulation: NS3.26-, C++, NS-3 PyVizEvaluation: Detection rate FAR, Specificity, F-measure, Computation time	NSL-KDD	DoS, Probe, U2R, R2L	Known and Unknown Attacks in IoT Systems
[76]	DL-Based IDS, Feature Selection and Extraction	LSTM, KNN, ANN, DNN	Evaluation: Accuracy, precision, recall, F1-score	CICDDoS2019	MSSQL, SYN, PortScan, LDAP, NetBIOS, UDP-Lag, and UDP	DDoS Threats for IoT Systems
[28]	DL-Based IDS with Focal Loss	FNN, CNN	Experiment: Nvidia GPU driver, Cuda, Tensorflow Evaluation: Accuracy, Recall, Precision, F-Score, MCC Score	Bot-IoT, WUSTL-IIoT-2021, WUSTL-EHMS-2020	DoS/DDoS, Reconnaissance, Information theft, Command Injection, Backdoor	Class Imbalance in IoT Systems

Sharmila and Rohini [85] developed a Parallel DNN (P-DNN) IDS framework to address the shortcomings of conventional alert-based IDS systems, particularly in the context of new types of attacks and devices with limited resources. This comprehensive framework involves attack generation, feature engineering, and signature-based classification, leading to enhanced detection rates while being mindful of resource limitations. The P-DNN model, which was trained on a proprietary IoT-based network attack dataset from Raspberry Pi devices and utilized TensorFlow and DL, showed superior performance compared to other ML algorithms and traditional IDS tools like Snort and Suricata. It achieved an impressive 99.88% accuracy rate while also reducing CPU usage, memory needs, and processing time. Likewise, Ramana et al. [90] suggested a novel IDS framework named Whale Optimized Gate Recurrent Unit (WOGRU), which is grounded in whale optimization and GRU network training principles. This is aimed at mitigating the challenge of healthcare data attacks and the increased FARs in existing IDS for WSN-IoT networks. The WOGRU model excels in identifying various cyberattacks by fine-tuning hyperparameters through whale optimization. When tested on the WSN-DS dataset, it outperformed other learning models with an average detection performance of 99.85% for various attacks, including flooding, scheduling, black hole, and grey hole attacks. Furthermore, Maseer et al. [26] introduced the DeepIoT.IDS, a hybrid weighted deep belief network (HW-DBN) algorithm, to combat cyberattacks in contemporary IoT networks. This robust intrusion detection model combines the Gaussian-Bernoulli restricted Boltzmann Machine (Deep GB-RBM), an unsupervised DL algorithm, with a weighted DNN (WDNN) classifier. The Deep GB-RBM is responsible for extracting network traffic features to distinguish between normal and malicious traffic, thereby reducing errors. Concurrently, the WDNN applies backpropagation for supervised DL to classify both labelled and unlabeled network traffic, resulting in an optimized classification model within the HW-DBN framework. In the evaluations performed, the DeepIoT.IDS outperformed competing models, achieving a 99.38% accuracy rate in detecting web attacks and a near-perfect 99.99% accuracy in identifying botnet attacks, proving its efficacy in detecting low-frequency attacks using the CICIDS 2017 dataset.

Furthermore, Selvapandian and Santhosh [29] mitigated the issues of extended training durations and low classification accuracy in neural network-based IDS within IoT contexts by developing a multi-cloud IoT environment IDS that capitalizes on DL. It employs a CNN to detect network anomalies strategically positioned between cloud and IoT gateways to safeguard both realms. The process encompasses feature selection, extraction, data normalization, and the classification of anomalies. DL is harnessed to refine detection capabilities by thoroughly perfecting features derived from network traffic with convolutional operations at various layers. The LeNet model’s efficacy was validated using the NSL-KDD dataset, yielding a 97.51% detection rate, 96.28% accuracy, and 94.41% precision. Duraisamy et al. [31] suggested an IDS framework that utilizes a DL-based Multilayer Neural Network (DLMNN) for smart city IoT infrastructures to enhance security and attack detection. It includes preprocessing, optimal feature selection, and classification, with DLMNN’s feature weights augmented by the Spider Monkey Optimization (SMO) algorithm. The Entropy-Hummingbird Optimization Algorithm (HOA) is applied for feature engineering, boosting accuracy, detection rates, and classifier efficiency. The DLMNN showcased excellent performance with a 90.3% accuracy rate, and the KH-AES method achieved a 96% security level during data transformation. Equally, Liu et al. [54] tackled cybersecurity concerns in IoT networks by introducing a scalable, efficient, and lightweight DL-based IDS. This system integrates two hybrid models, RCNN (Random Forest + CNN) and XCNN (XGBoost + CNN), to accurately identify and categorize cyberattacks. RF and XGBoost serve as feature selectors, enhancing detection rates and reducing computation time. The models demonstrated high accuracy and swift computation, outperforming KNN. RCNN achieved AUC scores of 95.5% on CCD-INID-V1, 99.9% on Balot, and 0.986 on DoH20, while XCNN scored 9.98% on CCD-INID-V1 and 99.9% on both Balot and DoH20. Both models are effective against zero-day attacks and suitable for deployment on both central servers and edge devices with limited resources.

Shurman et al. [91] introduced a hybrid IDS model that enhances the detection of DoS/DDoS attacks in IoT networks by combining IDPS with DL algorithms. This model merges SIDS and AIDS for comprehensive DoS attack detection. SIDS compares traffic against known attack patterns in the KAS-DB, blocking attacks upon a signature match, while AIDS analyzes behaviour and byte patterns when no match is found. For DDoS attack detection, an LSTM-based DL model is trained on diverse attack scenarios. Tested with the CICDDoS2019 dataset, this LSTM model surpassed traditional IDS methods, achieving 99.19% accuracy. In a similar effort, Sabitha et al. [92] developed an IDS that utilizes Artificial Immune Systems (AIS-IDS) to improve the detection of DoS/DDoS attacks in IoT networks, aiming to increase accuracy and reduce FARs. The AIS-IDS employs Hopfield Neural Networks (HNN) and incorporates danger theory principles with fixed weights for precise classification and response to threats. Fast-Particle Swarm Optimization (F-PSO) is used to select optimal features to improve accuracy. The system scrutinizes network traffic to differentiate between normal and malicious patterns, achieving a high detection rate of 99.8% accuracy and reducing false alarms by 8%, making it highly effective for real-time environments.

In a similar effort, Bhale et al. [32] presented OPTIMIST, a distributed IDS framework for IoT, designed to accurately detect DDoS attacks while optimizing IDS node placement for energy efficiency. OPTIMIST employs a novel placement strategy, modelled as a weighted minimum vertex cover problem on a K-uniform hypergraph, and uses an approximation algorithm to minimize network overhead and conceal IDS nodes within the IoT network. The framework incorporates an LSTM module trained offline with artificial flows generated by a Wasserstein GAN (WGAN). This improves the stability and convergence of the GAN training by reducing dataset distribution biases. When evaluated against IoT-23 and other datasets, the LSTM model demonstrated better performance, with an accuracy of 98.40%, precision of 95.40%, recall of 96.49%, and F1 score of 96.30%. However, the WGAN model showed limited effectiveness with intentionally varied data distributions. Concurrently, Morales-Molina et al. [34] suggested an AI-based IDS architecture to tackle clone ID attacks in IoT networks. This model uses Sparse AE (SAE) and AE for unsupervised pre-training to extract essential features from RPL network samples. A DNN is then applied for deep feature engineering, boosting classification outcomes, and safeguarding against identity theft. The DNN model is trained on data involving network topology, routing metrics, and behavioural patterns, effectively distinguishing between authentic and cloned node IDs. The SAE and AE serve as optimal feature selectors and extractors. Testing on an IoT network emulator, the SAE+DNN architecture achieved a high accuracy of 99.65% in detecting clone ID attacks, outperforming other machine learning and deep learning methods.

Otoum and Nayak [35] also proposed a hybrid IDS that integrates AIDS and SIDS to detect both known and novel attacks in IoT networks. The SIDS component employs a Lightweight Neural Network (LightNet) and algorithms like Human Mental Search (HMS), Boyer Moore, and Generalized Suffix Tree (GST) for known attack patterns. AIDS uses Deep Q-learning, leveraging signal-to-noise ratio (SNR) and bandwidth to identify various attack types such as DoS, Probe, U2R, and R2L. The system’s effectiveness is validated using the NSL-KDD dataset, achieving an average detection rate of 96.9%, with 96.6% sensitivity and 96.8% specificity. Equally, Kumar et al. [76] introduced an IDS using a DL model based on LSTM networks to detect DDoS threats in network traffic. The LSTM IDS framework incorporates a feature selection algorithm based on random sampling to identify optimal features, achieving up to 98.6% accuracy on the CICDDoS2019 dataset and surpassing traditional machine learning methods like KNN and ANN. Additionally, Dina et al. [28] addressed the challenge of imbalanced datasets in ML with an IDS that employs a focal loss function, which prioritizes difficult examples during training. This approach, combined with the CNN and Feed-forward Neural Network (FNN) architectures, showed improved performance over models using cross-entropy loss, with up to 24% higher accuracy, 39% better precision, 39% increased F1-score, and 60% higher Matthews Correlation Coefficient (MCC). It also outperformed advanced methods like CNN-BiLSTM and PB-DID.

3.: Unsupervised Learning based

Unlike the SL techniques, the USL counterpart involves training a model on an unlabelled dataset, where the algorithm must find patterns, relationships, or structures in the data without explicit output labels. It aims to discover inherent structures within the data, such as clusters or representations, without specific guidance. In the studies considered in this paper, few IDS techniques were based on unsupervised methods either for detection or feature engineering. Some of these studies are presented in this subsection and summarized in Table 4.

Violettas et al. [63] introduced ASSET, an IDS tailored for resource-constrained devices within RPL networks, capable of countering at least 13 different attacks. ASSET is structured into an adaptable workflow, three collaborative anomaly detection mechanisms, and four based on RPL specifications. It employs distributed RPL for node-level anomaly detection and SDN’s centralized control for k-means algorithm-based controller-level detection. ASSET demonstrated excellent performance in experiments, with 100% accuracy in detecting specific or clone ID attacks, low overheads averaging 6.28%, and moderate energy consumption between 0.18% and 1.54%. Similarly, Bostani and Sheikhan [64] suggested a hybrid IDS for the 6loWPAN protocol to mitigate resource constraints challenge by deploying lightweight IDS agents for both AIDS and SIDS modules. The SIDS agent is in the router nodes, while the AIDS agent is in the root node, which decides on network anomalies using an unsupervised optimum-path forest (OPF) algorithm. This solution proved effective in detecting sinkholes and selective-forwarding attacks, with a 76.19% True Positive Rate TPR and a 5.92% FPR for concurrent wormhole attacks. In addition, Zhou et al. [93] addressed security and energy issues in heterogeneous IoT networks by devising a dynamic IDS placement strategy using the ULEACH clustering algorithm. This approach optimizes node threshold computation, enhancing node utilization and network performance while conserving energy. The IDS model, informed by game theory and a modified PSO, balances detection efficiency with energy consumption, achieving a 73% detection rate with 10% attack nodes, outperforming LHDS and HHEDS models.

Table 4. Summary of Unsupervised based techniques.

Ref.	Methods	Algorithms	Implementation	Datasets	Attacks	Application
[63]	Unsupervised, ASSET, Collaborative Anomaly Detection	K-means	Simulations: Cooja contiki simulator. Evaluation: Accuracy, Power consumption, Control overhead	Real Testbed	Black Hole, Grey Hole, Flooding, Replay, Neighbour, Clone-ID, Sinkhole, DODAG Inconsistency, DODAG Version, Global Repair, Local Repair.	RPL Vulnerabilities
[64]	Hybrid (AIDs, SIDs), agent programming, MapReduce architecture	Unsupervised OPFC, clustering models	Simulations: MatlabR2014a, Net Framework, C#.Net programming Evaluation: TPR, FPR, Accuracy	Real Testbed	Warm Hole, Sinkhole, Selective Forward	6loWPAN in Smart city
[93]	ULEACH Clustering, Game theory, modified POS	Clustering	Experiment: DeterLab Platform Evaluation: Detection rate, Energy consumption, R-square, RMSE	Real Testbed	Routing, DoS, Forgery/Spoofing, Botnet Hajime, Whale Shark” Worm, OMNI Botnet	IDS Placement for Heterogeneous IoT Networks

4.: Ensemble and transfer learning-based

Ensemble learning is an effective regression-based ML technique that involves the building and combination of multiple models to improve the overall performance compared to individual models, such as the SL model. It leverages the diversity of multiple models with known different strengths and weaknesses to enhance predictive accuracy, generalization, and robustness. On the other hand, in TL, the model trained on one task is adapted for a related task with limited or no labelled data. TL tends to transfer knowledge gained from a source task to a target task, speeding up training and potentially improving the IDS’s performance in accurately identifying network anomalies. In the studies considered in this paper, several IDS techniques were based on an ensemble model, TL, or both to improve its performance. Some of these are presented in this subsection and summarized in Table 5a,b.

Khraisat et al. [59] aimed to safeguard against the increasing threats posed by the proliferation of devices and developed a hybrid IDS employing a dual-stage approach with SIDS and AIDS, which utilizes C5 and SVM classifiers. SIDS detects known threats, while AIDS targets unknown, particularly zero-day, attacks. The system boosts detection accuracy and reduces false alarms by combining features from the IoT ecosystem using a boosting method. AIDS creates profiles for normal behaviour, contrasting them with incoming requests to spot anomalies, while SIDS uses these data to prevent future attacks. The hybrid IDS achieved an outstanding accuracy of 99.97% and a decrease in FARs after the stages of implementation showing high accuracy in malware detection. In a similar effort, Marabissi et al. [60] proposed a physical layer authentication method for secure IoT communication, using wireless fingerprinting authenticated by physical channel characteristics and multipath fading channels. DT classifies nodes based on attributes or IDs, ensuring message origin integrity. The system proved high accuracy in identifying legitimate users and detecting spoofing across various scenarios. The CART algorithm achieved accuracies ranging from 87.96% to 96.66%, while the RF algorithm exhibited accuracies from 89.74% to 96.66%. In parallel, Kumar et al. [49] presented a distributed IDS for blockchain-based IoT networks, leveraging fog computing to identify suspicious transactions against a minimum pool and bolster defences against DDoS attacks. The IDS, integrated into the mining pool, showed high effectiveness and performance in detection, with RF and XGBoost algorithms achieving accuracies above 99.8% and excellent multi-class classification results.

Table 5. Summary of Ensemble and Transfer learning-based techniques.

(a)
Ref.	Methods	Algorithms	Implementation	Datasets	Attacks	Application
[59]	Two-stage HIDS (SIDS, AIDs)	C4.5 DT, SVM NB, RF, MLP CART, kNN	Simulations: python Evaluation: Accuracy, TPR, F1-score, FPR.	Bot-IoT	Dos DDoS, Reconnaissance, Keylogging, Zero-Day	IoT Device Security
[60]	SL, Ensemble-based, Continuous authentication, Wireless fingerprinting	DT, RF, CART	Simulations: MATLAB, Simulink software platforms Evaluation metrics: F measure	Real Testbed	Spoofing	Physical Layer Authentication and Spoofing detection
[49]	Ensemble learning, Fog Computing-based IDS	RF, XGBoost.	Simulations: Python Evaluation: Accuracy, TPR, F1 score, Detection rate.	BoT-IoT	DoS/DDoS	Blockchain-based IoT Networks
[69]	AIMS IDS—Stacked ensemble, SMO, Consensus Mechanism, Light-chain Cryptography, Cryptocurrency	SVM, NB, KNN, DTEnsemble: SE, LGBM, XGB	Simulation: Contiki/Cooja, 5 topologies with 50 AMI devices Evaluation: Accuracy, Precision, Recall, F-score, Overhead, Packet loss, Packet delivery ratio, Convergence time	Real Testbed	Rpl	RPL Security in Smart Grids AMI
[94]	Blockchain, Arbiter PUFs, ECDSA	Linear R, DT, RF, SVM	Simulation: Hyperledger Fabric-1.4 version Evaluation: Accuracy, Detection rate, Precision, Recall, F-score, FPR, Security and privacy analysis	CICDDoS2019	DDoS(Botnet and Unknown)	Blockchain-Protected IoT Smart City data
[83]	Fog computing ECSO-based ensemble model	ECSO-LR, ECSO-DT, ECSO-kNN, ECSO-RF, ECSO-RNN	Simulation: Python, Fog and Cloud nodes Evaluation: Accuracy, Kappa, F1 score, ROC	NSL-KDD	DoS, R2L, U2R, Probe	Fog-Enabled CPS
[30]	Blockchain-SDN-Based RSL-KNN IDS, Blockchain, SDN	LSVM, BN, NB-K, KNN, AdaBoostM1, Bagging, DT, RF, RSL-KNN	Experiment: Weka, Cross-validation Evaluation: Accuracy, FPR	15 SCADA	Forged Commands, Misrouting	IIoT
(b)
Ref.	Methods	Algorithms	Implementation	Datasets	Attacks	Application
[27]	Suricata-based IDS, IG, FS, BE	KNN, DT, RF, GN, kNN-IG, kNN-FS, kNN-BE	Experiment: Raspberry Pi, Suricata IDS tool Evaluation: Accuracy, Precision, Recall, F1-score, Processing time	Bot-IoT	DDoS, Reconnaissance, DoS, Theft	Large IoT Datasets
[39]	Ensemble, Model Selection Method (MSM), ENClf (Edge-ENClf, Cloud-ENCLF)	SVM, NB, DT, KNN, LR, MLP, RF, AdaBoost, and GBT	Experiment: Compute Canada-Cedar cluster, Python, sci-kit learn, 5-fold cross-validation Evaluation: F_efficiency, ROC_AUC_efficiency, Explained_variance_efficiency	NSL-KDD, UNSW-NB15, BoTNeTIoT, and BoTIoT	DoS, Probe, R2L, and U2R. Mirai and Gafgyt botnet Reconnaissance, DDoS, Theft	IoT Networks
[33]	Ensemble, MQTT Protocol Analysis	Bagging, Boosting, StackingVarious ML Techniques	Simulation: Python, Sklearn, TensorFlow, Keras Evaluation: Accuracy, F1-score, MCC	MQTT	MQTT	MQTT Protocol
[53]	Passban: NetMate-based IDS, Supervised ML, Ensemble TL-IDS	iForest, LOF	Experiment: Python—Scikit-learn, Raspberry Pi 3 model B running the AGILE gateway software Evaluation: precision, F-measure, Recall	Real Testbed	Port Scanning, HTTP Login Brute Force, SSH Login Brute Force, SYN Flood	Edge-based IoT Systems
[38]	Ensemble TL-IDS, HPO	CNN models (VGG16, VGG19, Inception, MobileNet, EfficientNets)	Experiment: Python, Numpy, Pandas, Matplotlib, sci-kit learn, Keras, TensorFlow Evaluation: Accuracy, Precision, Recall, F1-score, AUC, MCC	CIC-IDS2017, CSE-CICIDS2018	Bot, Brute Force, DoS, DDoS, Infiltration, Heartbleed, PortScan, Web	Centralized IoT Devices to Cloud Server
[48]	TL-based IDS, RPL protocol	TL	Simulations: Cooja contiki simulator and power-trace Evaluation: Accuracy, Detection rate and FPR	Real Testbed	RPL-specific attacks (Decreased rank, DIS flood, Increased version, and Worst parent)	Dynamic IoT Security
[66]	HIDS: Deep Ensemble-based IDS with Lambda Architecture	LSTM, CNN, ANN	Experiment: Python 3.7 with Tensorflow 2.6 Evaluation: Recall, Precision, Accuracy, F-score, Throughput		DDoS, Okiru, Port scan, C&C	IoT systems

Moreover, Savitha and Basarkod [69] introduced the Attack-aware Intelligent ML IDS (AIMS), a system aimed at predicting, identifying, and mitigating RPL security threats within the Advanced Metering Infrastructure (AMI). Utilizing a Stacked ensemble ML model and the AMI-RPL Attack Dataset (ARAD), AIMS improves AMI’s security by forecasting and recognizing attacks while also improving computational efficiency through a light-chain cryptography approach. Its cryptocurrency-based mitigation strategy distinguishes between normal and malicious behaviour, thus ensuring the network’s reliability and maximum lifetime. AIMS has proven to be highly effective in simulations, significantly outperforming the PROTECT system in detection accuracy by 88.18% and 67.53%, proving its robustness against RPL security issues in AMI systems. In a similar vein, Babu et al. [94] suggested a permissioned blockchain framework to safeguard IoT smart city data against cyber threats. This system employs the Arbiter Physically Unclonable Functions (PUFs) to secure IoT devices’ cryptographic keys with minimal overhead, utilizing the Elliptic Curve Digital Signature Scheme (ECDSA) for device authentication. To counter DDoS attacks, it advocates a collaborative anomaly detection mechanism integrated with blockchain technology, which effectively reduces FARs and improves detection precision. The system leverages ML ensemble techniques, including DT, LR, RF, and SVM, achieving an impressive 97.39% accuracy and 98.53% detection rate, thereby outperforming other methods in terms of lower FPRs and higher F1 scores.

Alohali et al. [83] developed an IDS model for fog-enabled CPS to mitigate cyber-attacks. This model utilizes fog nodes to decrease response times and network latency. It features Enhanced Chicken Swarm Optimization (ECSO) for feature selection by selecting optimal features from pre-processed data. The model was tested with various ensemble classifiers, such as ECSO-LR, ECSO-DT, ECSO-kNN, ECSO-RF, and ECSO-RNN, on the NSL-KDD dataset. The ECSO-RNN classifier emerged as the most effective, achieving 99.2% accuracy, a 98.9% F1 score, and a 97.8% MCC, indicating outstanding performance in detecting real-time attacks within the fog layer of CPS environments. Similarly, Derhab et al. [30] proposed a security solution for the IIoT to mitigate the misrouting and forgery of commands. Their architecture merges blockchain and SDN technologies. It includes an IDS that uses Random Subspace Learning (RSL) and the KNN algorithm (RSL-KNN) to identify and counteract forged command attempts. The IDS benefits from feature-bagging via RSL, enhancing its predictive and classification capabilities. In addition, a Blockchain-based Integrity Checking System (BICS) is incorporated to verify command routing integrity and prevent unauthorized changes. Tests with the Industrial Control System Cyber-attack dataset showed the RSL-KNN-based IDS to be highly accurate, with 96.73% for binary class detection and 91.07% for multi-class detection. The BICS achieved a perfect 100% detection rate in spotting fraudulent flow rules.

Syamsuddin and Barukab [27] improved the KNN algorithm for IoT botnet attack classification by selecting optimal features through a technique named SUKRY, which is part of a Suricata-based IDS. They employed data preprocessing, feature selection, and anomaly classification with KNN. Three feature selection methods, Information Gain (IG), Feature Scoring (FS), and Backward Elimination (BE), were used, leading to the development of KNN-IG, kNN-FS, and kNN-BE variants. The kNN-FS variant demonstrated excellent performance, achieving 99.89% accuracy, 99.77% precision, 97.82% recall, 98.78% F1 score, and the fastest execution time of 7 s. Equally, Alhowaide et al. [39] designed an efficient IDS for IoT networks, focusing on high accuracy and low false alarms. Their model employed an ensemble of classifiers selected through an automatic Model Selection Method (MSM), which ensures optimal model choice and confidence in decision-making for multiclass features. The ensemble classifier (ENClf), formed by soft voting among the top three models, was proposed for deployment at both edge and cloud levels, showing an average of 98% F scores and 99% ROC-AUC scores across datasets, with DT, RF, and gradient boosting being the best for the cloud ensemble. Further, Zeghida et al. [33] also suggested an IDS that uses various ML techniques within an ensemble learning framework to detect MQTT protocol attacks. By employing bagging, boosting, and stacking methods, the system analyzes network traffic and communication patterns for anomalies indicative of attacks. This ensemble approach enhances prediction performance by leveraging the strengths of multiple models. The effectiveness of this system is confirmed on a balanced MQTT dataset, where it showed a significant improvement in the IDS’s capability to detect and mitigate MQTT protocol attacks.

Furthermore, Eskandari et al. [53] proposed Passban, an intelligent IDS framework designed to safeguard IoT devices against advanced cyber threats. Its components include modules for detecting packet flow, extracting features via NetMate, training and loading models, managing actions, and a web interface for management. It employs statistical learning methods like Local Outlier Factor (LOF) and Isolation Forest (iForest) to differentiate between normal and malicious network traffic. LOF assesses the local density of data points, while iForest identifies anomalies through the structure of tree branches. Passban is optimized for deployment on economical IoT gateways and utilizes edge computing to detect threats at their source. In tests against four types of attacks and across two scenarios, Passban’s IDS achieved F-scores above 0.9, with iForest reaching a high of 0.99 and a low of 0.79. Okey et al. [38] also addressed the security issues in IoT data transmission from devices to cloud servers by proposing an IDS framework that uses a lightweight, optimized ensemble TL model based on CNN. This framework, named ELETL-IDS, integrates five pre-trained CNN architectures—VGG16, VGG19, Inception, MobileNet, and EfficientNets to form an ensemble optimized for the Cloud of Things (CoT) devices. The ensemble model demonstrated high efficiency and effectiveness, achieving 100% accuracy in attack detection with a low FPR. The model’s performance was further validated with an MCC of 0.9996, demonstrating its reliability in securing IoT networks.

To expedite the training process of ML models for intrusion detection and adapt to changing environments without starting from scratch, Yilmaz et al. [48] developed a TL-based IDS tailored for dynamic IoT security, enabling the system to quickly adapt to new attack types and devices without retraining from scratch. The study focused on three scenarios: single-to-single, single-to-multi, and multi-to-multi, leveraging TL to devise algorithms that are energy-efficient for various devices and capable of detecting novel attacks. Focusing on the RPL protocol, the system was tested against specific RPL-based IoT network attacks. The TL method surpassed traditional techniques, achieving 93.4% accuracy for increased version attacks and at least 79.7% accuracy for decreased rank attacks. The F1 scores were impressive, ranging from 93% to 99.36%, with FPR between 1.3% and 12%. In a similar effort, Alghamdi and Bellaiche [66] tackled the issue of data aggregation from diverse IoT devices, which poses a challenge for standard ML algorithms in real-time processing. They introduced a deep ensemble-based IDS employing the Lambda architecture, which consists of batch, speed, and serving layers, to improve overall system performance and efficiency. For binary classification, the LSTM networks were used to differentiate between normal and malicious traffic, while multi-class attacks were identified using a combination of LSTM, CNN, and ANN. This approach demonstrated outstanding accuracy, exceeding 99.93%, and improved processing time.

5.: Federated learning-based

FL is considered a decentralized ML approach which involves training a model using data stored in various devices and servers. The model is trained collaboratively without exchanging raw data, keeping data localized, thereby preserving privacy and security. In this case, each device updates the model with its local data, and the global model is improved through the aggregation of these updates. In the study considered in this paper, several IDS techniques were designed based on FL to ensure both the security and privacy of IoT devices and networks. This subsection presents some of these studies and is summarized in Table 6a,b.

Frihla et al. [82] developed 2DF-IDS, a secure, decentralized system designed to protect smart industrial environments from cyber threats. This system employs FL with differential privacy (DP) and secure key exchange protocols to ensure safe communication and prevent attacks on the aggregation server. The decentralized nature of 2DF-IDS reduces the risk of single points of failure or targeted attacks on the server. In testing, 2DF-IDS demonstrated exceptional capability in detecting cyber-attacks, achieving 94.37% accuracy with centralized learning and outperforming traditional FL with 93.91% accuracy. It also showed a 12% increase in F1 score, 13% in recall, and 9% in precision. However, the study recognizes the need for further research into the trade-offs between privacy and performance. Similarly, Tabassum et al. [50] suggested a Federated DL Generative Adversarial Network-based IDS (FEDGAN-IDS) to address data imbalance issues that affect the accuracy of FL-based IDS. FEDGAN-IDS aims to detect cyber threats across various smart IoT systems by employing a GAN network distributed among IoT devices for training with improved local data. This approach maintains privacy while contributing to a global intrusion detection model. Tests across multiple datasets confirmed the approach’s effectiveness, with high accuracies of 99% for binary classification and 98% for multiclass classification. Specifically, using the ACGAN and CNN models on the UNSW-NB15 dataset, FEDGAN-IDS achieved 99.4% accuracy, 99.56% precision, and 99.3% recall.

Cui et al. [52] also tackled the limitations of FL-based IDS by creating a blockchain-enabled decentralized and asynchronous architecture to enhance network anomaly detection in IoT. The study introduced a DP-FL technique, DP-GAN, to improve accuracy and ensure privacy-preserving requirements. This is achieved by optimizing the utility of data during the training process while the local model parameters’ privacy is protected. The approach achieved over 90% accuracy in both vertical and horizontal FL, showcasing its effectiveness in accuracy, efficiency, security, and privacy. In the same vein, Li et al. [41] aimed to secure large, complex, and heterogeneous industrial CPS with a federated DL IDS named DeepFed. Utilizing the CNN and GRU, DeepFed facilitates collaboration among industrial CPSs while maintaining data privacy. A secure communication protocol based on the Paillier cryptosystem ensures the confidentiality of model parameters during training. DeepFed’s performance on real-world industrial CPS datasets confirmed its efficacy, with accuracies of 99.20% for various K values, outperforming contemporary methods. Concurrently, Mothukuri et al. [42] addressed the privacy of data generated by local IoT devices using an FL-based IDS. The study leveraged decentralized data and trained GRU models for proactive intrusion detection, sharing only model weights with the aggregation server to preserve data privacy. This ensemble approach enhanced the global ML model’s accuracy, achieving an average accuracy of 99.5% in detecting anomalies, with a low FAR, underscoring its privacy-preserving strengths.

Table 6. Summary of Federated learning-based techniques.

(a)
Ref.	Methods	Algorithms	Implementation	Datasets	Attacks	Application
[82]	Decentralized DP FL-IDS	DNN, OPF	Experiment: Google Col. platform, Python 3 PL (NumPy, Pandas, Scikit-learn with PyTorch, SMOTE, Opacus) Evaluation: Accuracy, F-score, Recall, Precision	Edge-IIoT	Backdoor, Vulnerability_scanner, DDoS_ICMP, Password, Port_Scanning, DDoS_UDP Uploading, DDoS_HTTP, SQL_injection, Ransomware, DDoS_TCP, XSS, MITM, Fingerprinting	IIoT system
[50]	FEDGAN-IDS, Federated DL	ACGAN, CNN	Experiment: Evaluation: accuracy, loss, recall, precision, F1-score, AUC score Convergence rate	NSL-KDD, KDD99, UNSW-NB15	U2R, R2L, PROBE, DoS, Analysis Shell-code Worms Backdoor Generic Reconnaissance Exploits Fuzzers	Smart systems
[52]	Blockchain-Enabled FL Architecture, DP-GAN FL	CNN	Experiment: Raspberry Pi (4b), Sensors Evaluation: Accuracy, RMSE, Efficiency, Data utility	KDD KDD’99	DoS, R2L, U2R, Probe	IoT systems
[41]	Privacy-Preserving Federated DL IDS Paillier cryptosystem	CNN-GRU	Experiment: Keras API, FL, lightweight Python framework Flask Evaluation: Accuracy, Recall, Precision, Specificity, F1-score	GasPipeline	FL-related Eavesdropping, Native malicious and complex malicious response injections, malicious state, parameter function command injection, DoS, Reconnaissance	IoT-based CPS
[42]	FL, GRU Models	GRU Non-FL	Experiment: Python (PySyft, Pytorch DL frameworks) Evaluation: Accuracy, Recall, Precision, Specificity, F1-score	Modbus network	Ping DDoS Flood, MITM, Modbus Query Flood, SYN DDoS	Privacy at Edge IoT Devices
(b)
Ref.	Methods	Algorithms	Implementation	Datasets	Attacks	Application
[43]	DFF-SC4N, FL, RMUs, DL, DP	GRU, CNN	Experiment: Python (Keras, Numpy, Scikit-learn, TensorFlow) Evaluation: Accuracy, Recall, Precision, Specificity, F1-score	TON_IoT	Mitm, Dod, Ddos, Scanning, Password, Injection, XSS, Ransomware, Backdoor	Privacy-Preserving SC 4.0 Networks
[45]	FL-Based Fed-IIoT, GAN, A3GAN, ByzantineMedian, ByzantineKrum	CNN, RandomForestRegressor	Experiment: Python (Keras, TensorFlow) Evaluation: Accuracy	Drebin, Genome, Contagio	GAN, FedGAN, A3GAN	Android Malware Detection in IIoT Systems
[46]	FL, FDA³ Federated Defense, Adam optimizer	CNN	Experiment: Python (Keras, TensorFlow) Cloud Evaluation: Accuracy	MNIST, CIFAR10	5 well-known adversary types of attacks: FGSM, BIM, JSMA, CW2 and DeepFool	Cloud-based IIoT systems
[44]	Blockchain-Enhanced FL, CDW_FedAvg,	SGD, LR and NN	Experiment: MySQL 5.7.25, Java, Ethereum, Smart contracts, 4 Raspberry Pi Evaluation: Accuracy, Recall, Precision, Specificity, F1-score	Real Testbed	Device Failure	IIoT Device Failure Detection
[95]	DIoT: FL-Based Autonomous Self-Learning IDS, Device-Type-Specific Communication Profile	RNN-GRU	Experiment: Kali Linux, Gateways, 33 IoT devices like IP cameras, smart power plugs, light bulbs, sensors, etc. Evaluation: FPR, TPR	Real Testbed	Mirai Malware,(preinfection, infection) scanning, DoS	IoT-based Systems
[51]	FL, PEFL, Homomorphic Encryption, DP	CNN	Experiment: C++-library HElib, Python, TensorFlow Evaluation: Accuracy, Computational and Communication Complexity	MNIST	Privacy loss	IAI

Moreover, Khan et al. [43] proposed DFF-SC4N, an FL-based security system for Supply Chain 4.0 (SC4) networks, which mitigates the limitations and privacy issues of traditional ML in combating cyber-attacks. DFF-SC4N leverages distributed local data training with Recurrent Managed Units (RMUs) and GRUs to share parameters without compromising local data integrity. DF learning is applied to preserve data privacy, and the global model’s accuracy is improved through updates aggregated from multiple servers. DFF-SC4N showed outstanding performance over centralized models, achieving 99.33% accuracy with the GRU-based model, which is 1.39% higher than the CNN model. Concurrently, Taheri et al. [45] tackled malware threats in IIoT with Fed-IIoT, an FL-based architecture for detecting malware in Android apps. Fed-IIoT consists of a participant side that uses GANs for dynamic data generation and a server side that oversees the global model, utilizing an advanced GAN network (A3GAN) and GAN-based countermeasure algorithms (ByzantineMedian and ByzantineKrum) to maintain robustness against poisoning attacks. This allows secure participation of devices in IIoT without sacrificing privacy. Fed-IIoT outperformed other solutions by about 8% in data privacy preservation for Android users, with A3GAN achieving 96% accuracy and FedGAN-BM and FedGAN-BK obtaining 89.51% and 93.24% accuracies, respectively, showcasing its effectiveness against novel attacks.

Song et al. [46] proposed FDA3, a federated defence mechanism for DNN-based IDS in IIoT devices, to protect against adversarial attacks while maintaining data privacy. FDA3 gathers and disseminates defence strategies against a variety of adversarial attacks to bolster the resilience of DNNs. It demonstrated the ability to withstand more malicious attacks than existing methods, achieving 73.8% accuracy on the MNIST test set, which is higher than the ALL+AdvTrain model’s 71.9% accuracy, proving the effectiveness of FL in IIoT environments. In a separate study, Zhang et al. [44] introduced a blockchain-based FL method to detect device failures in IIoT. This approach uses a central server to coordinate client servers in training a collective model, preserving data privacy with the Centroid Distance Weighted Federated Averaging (CDW FedAvg) algorithm. CDW FedAvg reduces the influence of data diversity by considering the centroid distance of classes in local data. Blockchain technology ensures the integrity of client data and provides incentives for participation through smart contracts. The prototype’s success demonstrates the viability of this method, with satisfactory accuracy and performance.

Nguyen et al. [95] also addressed the rise of malware targeting IoT devices by proposing DIoT, an FL-based IDS. DIoT is an autonomous system that uses device-specific communication profiles to detect unusual behaviour indicative of cyber threats. It aggregates these profiles using FL, enabling the detection of both known and novel attacks without human input or labelled data. DIoT proved effective in swiftly identifying Mirai malware, achieving a 95.6% detection rate with a response time of about 257 milliseconds. In addition, Hoa et al. [51] developed a Privacy-Enhanced FL (PEFL) method to safeguard industrial applications from adversaries exploiting shared parameters in FL. PEFL uses homomorphic encryption for secure aggregation and DP with distributed Gaussian mechanisms to maintain the privacy of training data. This non-interactive approach prevents data leakage, even with potential collusion among entities. On the MNIST dataset, PEFL demonstrated its effectiveness, achieving 96.0% accuracy under standard conditions and maintaining high accuracy even with collusion, although performance degrades significantly when collusion rates exceed 0.5.

5.3.2. Non-Machine Learning Based

This subsection presents some of the IDS techniques which did not employ ML models but apply some concepts used in the context of ML and data analysis, as well as specifications in the detection of intrusions in IoT devices and networks. Table 7a,b presents the summary of these studies.

Chauhan et al. [96] developed an IDS using the Logical Analysis of Data (LAD) method for IoT security. LAD employs binary data to form patterns that identify malicious activities through logical rules. The system’s feature engineering, guided by the IG ratio, selects the most effective features for various LAD classifiers to detect different attack types. The LAD-based IDS excelled in performance, achieving 99.98% accuracy, 99.98% precision, and 99.99% recall, proving its real-time attack detection capability with minimal data usage. Moreover, Babu and Reddy [56] suggested a Specification Heuristics (SH) based IDS, which employed heuristics to identify attacks in IoT networks. The SH model defines expected behaviours for IoT devices and network traffic, creating n-gram sequential patterns from transaction records to distinguish between normal and abnormal activities. The SH-IDS compares current behaviour against these patterns to detect intrusions. Tested on the UNSW-NB15 dataset, SH-IDS demonstrated superior intrusion detection with 91% accuracy, 47% less memory usage, and around 70% lower energy consumption compared to TLA-IDS.

Ashraf et al. [73] also developed IoTBoT-IDS, a statistical learning-based anomaly detection system for smart city networks. This framework preprocesses network data, selects key parameters, and employs a mixture model with expectation maximization for estimating probability densities. It uses correntropy metrics to compare benign and attack traffic, learning normal traffic patterns under a Bivariate Mixture Model (BMM) for multivariate distribution. IoTBoT-IDS achieved a 99.2% detection accuracy across three IoT benchmark datasets, surpassing other methods like AdaBoost, fuzzy c-means, and deep neural networks. In the same effort, Santos et al. [61] developed an IDS framework that integrates centralized and distributed elements as well as applies a specification-based method to analyze IoT communications via IPFIX flow records. The IDS, with local and cloud-based modules, consults a knowledge database to check against expected traffic patterns. The framework demonstrated a 100% detection rate, TPR, and FPR in classifying typical flow data, with detected threats triggering alerts in the system’s database. Furthermore, Sanwar Kaur [37] proposed a privacy-preserving node mobility model called PdRWP for authentication in 3D WSNs. It uses hashed IDs, created by a secret hash function, for node authorization. The model proved effective in identifying malicious nodes, with detection rates ranging from 91–97% when 10% of nodes were malicious and 76–82% when all nodes were malicious.

Table 7. Summary of non-Machine learning-based techniques.

(a)
Ref.	Methods	Implementation	Datasets	Attacks	Application
[96]	LAD, Binarization process, IG ratio	Experiment: laptop computer with 24 GB RAM and an Intel i5 processor. Evaluation: Accuracy, Precision, Recall, F-score	Bot-IoT	Reconnaissance, DDoS, DoS, Theft	IoT systems
[56]	SPID, N-gram Sequential Patterns, Heuristic-based detection SH	Simulation: CUPCORBAN, Java platform. Evaluation: Accuracy, Specificity, Sensitivity, Energy Consumption, Memory usage	UNSW-NB15	Fuzzers, Analysis, Backdoors, DoS, Exploits, Generic, Reconnaissance, Shellcode and Worms.	IoT systems
[73]	Statistical Learning, Anomaly Detection, Mixture Model, Expectation-Maximization, Correntropy Metrics	Testbed deployment: Desktop Windows OS, Raspberry Pi 4 Evaluation: Accuracy, Precision	Kitsune IoT network, ISCX 2012	Botnet, DoS, MitM	Smart cities
[61]	SPIDS, IPFIX Flow Records, Centralized and Distributed Components, Knowledge Database	Simulations: Python, Ubuntu server 1, Net scan tools (nmap and hping), Raspberry PI, Coap, MQTT application protocols Evaluation: Functionality testing, other tests	User-generated data.	Flooding, abnormal/invalid MQTT, CoAP actions.	IoT systems
[37]	PdRWP, Hashed IDs, Secret Hash Function	Simulations: MATLAB R2017a Evaluation: Detection rate, TPR	User-generated data.	Malicious nodes	IoT systems
[85]	Hybrid Routing and Monitoring Protocol, Two-Fish Symmetric Key, Optimized Link State Multipath Routing, Ad hoc On-demand Multipath Distance Vector Routing	Simulations: NS-2.34 Evaluation: Detection ratio	User-generated dataset.	Wormhole, IP spoofing	IoT systems
[68]	3-Factor Authentication, ECC, Hash Chains	Simulations: Scyther, Linux OS Evaluation: Communicational Overhead and Cost	User-generated data.	Confidentiality, Mutual Authentication, MitM, Replay Known Session Key, Sub	IoT systems
[70]	6mapper, SVELTE, Mini-Firewall, SICSLoWPAN, lIP	Simulation: Cooja Contiki, power trace Evaluation: Detection rate, TPR	User Generated Data.	Spoofed/Altered Information, Sinkhole, Selective Forwarding	IoT systems
(b)
Ref.	Methods	Implementation	Datasets	Attacks	Application
[36]	Analytical Approach, Model for Participating Nodes’ Desires	Simulations: OMNeT Evaluation: pa, α, L, β	User-generated	Ping of deaths	IoT systems
[97]	IPS Technique, Risk Analysis Model, Secrecy, Authentication, Access Control	Simulation: NS3 Evaluation: Transmission rate, Response time.	User-generated	Eavesdropping, Brute force, DoS	Smart Home
[98]	DistBlockNet, Distributed SDN Architecture, Blockchain	Simulations: Mininet SDN emulation, POX controller, OpenFlow switch, server machines, data plane caches Evaluation: Accuracy, Scalability, Defence effect, Efficiency	User-generated	Cache poising/ARP spoofing, DDoS/DoS	SDN-based IoT smart systems
[99]	SDN, Blockchain	Simulation: Mininet emulator, Wireshark, Ethereum platform, Ryu controller Evaluation: Response Time, Bandwidth, Packet Loss, Energy Utilization	User-generated	Any	SDN-based IoT smart Cities.
[61]	RAP Algorithm, Information-Theoretic Approach, Real-Time, Lightweight, WiFi-Enabled IoT Devices	Simulation: Raspberry Pi 3, TP-Link AP, virtualized RAP, Debian Linux OS, Tenda wireless USB adapter Evaluation: Detection rate, CPU utilization	User-generated	Sybil	WiFi-enabled IoT systems
[73]	Co-IoT Framework, Blockchain, SDN, Ethereum’s Smart Contracts	Simulation: Ganache, Ropsten Ethereum’s smart contract, solidity Evaluation: Flexibility, Efficiency, Security, Cost-Effectiveness	-	DDoS	Smart cities
[100]	IPv6 Routing Protocol, Hybrid IDS (SIDS, AIDS, SPIDS)	Experiment: Contiki-NG Evaluation: detection accuracy, consumed CPU, TX and RX power usage, and memory usage	-	Routing, DoS, Flooding	IoT systems
[84]	CIDS, Blockchain, SDN	Experiment: Open vSwitch, POX controller, 10 sensors, 5 Actuators, Snort Evaluation: Packet-in arrival rate, Alarm aggregation errors, Average trust value	-	DDoS, insider Threats	SDN-assisted CPS

Deebak and Al-Turjman [85] developed a hybrid routing and monitoring protocol for sensor networks, employing a two-fish symmetric key method to prevent attacks. The protocol alternates between Optimized Link State Multipath Routing and Ad hoc On-demand Multipath Distance Vector Routing using a modified Two-Fish algorithm. The approach proved to be effective, with an 85% detection rate for IP spoofing and 80% for wormhole attacks. In parallel, Saqib et al. [68] proposed a three-factor authentication model for IoT applications, incorporating identity, password, and digital signatures with ECC and hash chains. The model is efficient, with a low computational cost of 0.190 s and 2560 bits for messages and the ability to thwart various cyber threats, including replay and MITM attacks. Moreover, Raza et al. [70] suggested a detection solution for spoofed, sinkhole, and selective forward attacks in IoT networks. They integrated SVELTE and a mini firewall into Contiki OS, using its RPL routing and SICSLoWPAN and lIP for communication. The system showed a 90% TPR for sinkhole attacks and a 100% detection rate for selective forward attacks.

Furthermore, Abdollahi et al. [36] proposed an analytical model for an IDS to detect ping-of-death attacks in IoT networks. The model calculates the probability of missed detections and sets a threshold for packet length, effectively filtering out over-length packets during an attack and maintaining queue lengths. Parameters used in the evaluation included pa = 0.05, α = 0.1, L = 19 bytes, and β = 0.1. Similarly, James [97] created an IPS that emphasizes secrecy and access control to counter DoS, brute force, and eavesdropping attacks. A risk analysis model assists in choosing mitigation strategies, and the evaluation showed that handling increased false requests reduced processing time, bolstering the system’s resilience. Sharma et al. [98] also introduced DistBlockNet, a distributed SDN architecture integrated with blockchain for IoT. This model merges the advantages of SDN and blockchain to provide a secure, scalable, and efficient network. The experimental evaluation confirmed DistBlockNet’s capability to detect various cyber threats, including DDoS and ARP poisoning, with high scalability and defence effectiveness.

Rani et al. [99] also suggested a model integrating SDN and blockchain for IoT smart cities, using SDN to monitor IoT devices and blockchain to counteract security vulnerabilities. Performance evaluations, considering bandwidth, response time, energy utilization, and packet loss, revealed significant improvements compared to baseline methods. The solution outperformed other existing models in terms of bandwidth, response time, and packet loss for varying numbers of nodes. Likewise, Agyemang et al. [62] proposed a real-time and lightweight rogue access points (RAP) algorithm using an information-theoretic approach. The algorithm, acting as an IDS, allows WiFi-enabled IoT devices to intelligently identify and differentiate between legitimate and malicious access points. The performance evaluation in three scenarios demonstrated the algorithm’s effectiveness and efficiency in detecting and mitigating the threat of RAPs in IoT environments, achieving notable detection rates and minimal CPU usage. Furthermore, Houda et al. [74] addressed the rising threat posed by insecure IoT devices, particularly focusing on DDoS attacks and the amplification potential introduced by IoT botnets like Mirai. They proposed a Co-IoT framework based on blockchain and SDN, specifically leveraging Ethereum’s smart contracts for the secure and decentralized alliance among SDN-based domains to alleviate DDoS attacks. The framework is said to be efficient, flexible, secure, and cost-effective in contending DDoS attacks in large-scale IoT environments. Experiments on the Ethereum test network Ropsten demonstrated its effectiveness as a promising solution for mitigating DDoS attacks in the context of IoT and smart cities.

In a separate study, Ribera et al. [100] tackled the security vulnerabilities in IoT devices by focusing on the RPL protocol for IoT and IIoT networks. The study suggested a novel IDS tailored for the IPv6 routing protocol in RPL-based networks, which efficiently detects a range of attacks. This system employs a blend of AIDS, SIDS, and SPIDS detection methods and coordinates between border routers and detectors to monitor traffic. The IDS proved highly effective in attack detection, achieving substantial detection rates while maintaining low CPU (under 2%) and power (below 0.5%) consumption. Likewise, Li et al. [84] developed collaborative IDSs (CIDS) to mitigate insider threats in CPS, utilizing blockchain technology for secure, unalterable data exchange without the need for a central trusted authority. The blockchain-backed CIDS, designed for SDN-supported CPS, addresses both external and internal threats. The method’s efficacy was evaluated, revealing its ability to detect diverse attacks, preserve network bandwidth, swiftly reduce the trustworthiness of malicious nodes, and decrease the rate of false alarms.

5.4. Benchmark Datasets

This section presents some of the important IoT benchmark datasets for training and evaluating IDSs for IoT networks, as well as enhancing our understanding of cyber threats. Some of the IoT IDS datasets that are publicly available and used by most of the studies considered in this paper are highlighted as follows and summarized in Table 8:

KDD Cup’99 and NLS KDD: These datasets are widely used to study network security or for building network IDS. KDD Cup’99 contains data on normal and attack traffic with 41 features such as duration, protocol type, service, source and destination bytes, number of failed logins, etc. It has 23 labels indicating if a connection is normal or an attack, including 22 attack types such as DOS, probing, user to root, etc [50,52]. However, it is outdated and has issues like redundancy. NSL KDD is an improved version with the same features and labels with the attacks divided into four classes, but it addresses problems like redundancy and imbalance [29,31,35,39,47,50,81,83].

BoT-IoT dataset: This dataset was created by simulating a real IoT network in UNSW Canberra’s Cyber Range Lab used for testing IoT-focused IDS. It has both normal and botnet traffic with 46 features covering different IoT devices, communication protocols, and attack types such as DDoS, DoS, OS and Service Scan, Keylogging and Data exfiltration [27,28,40,59,67,72,75,92].

The UNSW-NB15 dataset: This is a network intrusion-based dataset containing normal and malicious traffic with various attacks. Created by the Australian Center for Cyber Security, it has millions of records and about 49 features obtained from Bro-IDS, Argus tools, and new algorithms [39,56,88]. It has nine types of attacks, such as DoS, worms, port scans, generic, Shellcode, backdoors, exploits, reconnaissance, and fuzzers [39,56,88].

CIC-IDS2017: This is a dataset created in 2017 by the Canadian Institute for Cybersecurity (CIC)to evaluate the effectiveness of IDS in analysing network traffic. It includes both typical and malicious traffic, making it a useful resource for developing and validating IDS models. The dataset is characterized by a mix of regular and attack traffic, which is analyzed using CICFlowMeter, capturing details like timestamps, IP addresses, and protocols [26,38]. It includes approximately 23 different scenarios, 20 of which are malicious, involving malware on a Raspberry Pi, and three benign, reflecting genuine IoT device traffic. The malicious scenarios cover a range of attacks such as DoS, DDoS, Botnet, brute-force, heartbleed, web, and infiltration attacks. While the dataset provides flow labels and protocol specifics, it faces challenges in accurately depicting real-world conditions and addressing the disparity between normal and attack traffic.

CIC-IDS2018: This is an upgraded version of CIC-IDS2017, designed to offer a more extensive and realistic dataset for testing IDSs. It contains a larger volume of data covering various cyber-attack scenarios, similar to its predecessor. However, it expands on the infrastructure with the dataset containing network traffic captures and system logs from each machine, along with 80 features extracted using CICFlowMeter-V3 [38,57]. Despite its improvements, maintaining data integrity and relevance to modern cyber threats, as well as handling increased complexity, remain challenges.

Kitsune dataset: This dataset was developed by Ben-Gurion University in Israel in 2018 and focuses on network traffic from both malicious and normal IoT devices, predominantly IP-based video security cameras. It comprises approximately five scenarios, with four being malicious and one normal, covering various IoT devices and attack types such as MitM (Video injection, ARP MitM, Active Wiretap), Reconnaissance (OS Scan, Fuzzing), DoS (SSDP flood, SYN, SSL, Renegotiation) and botnet malware (Mirai) [73]. It provides packet, unidirectional, and bidirectional features extracted from the captured traffic.

ISCX2012 dataset: This dataset was generated by the CIC in 2012 and served to build and assess IDSs and other cybersecurity tools. It was created from network packets and protocols, spanning seven days of traffic featuring various bot attacks using a profiling technique. The dataset is split into two profiles: normal and malicious attacks, encompassing full packet payloads in pcap format alongside associated profiles like email and web surfing [73]. Attack types range from normal activity to DoS, DDoS, internal network infiltration, and Brute Force SSH.

MQTT-IoT-IDS2020 dataset: This dataset was created in 2020 and features five scenarios. The scenarios comprise four malicious and one normal, covering different IoT devices and attack types, including normal operation, Sparta SSH brute-force, aggressive scan, MQTT brute-force and UDP scan. Data collection involved tcpdump, recording Ethernet traffic, and exporting to pcap files [67]. The dataset also offers packet, unidirectional, and bidirectional features extracted from the traffic captures.

CICDDoS2019 dataset: This comprises a comprehensive collection of both normal and current DDoS attacks, represented through PCAP files that mirror real-world network data. It features detailed flow labels, including timestamps, IP addresses, ports, protocols, and attack types, derived from network traffic analysis with CICFlowMeter-V3. The dataset models the behaviour of 25 users across protocols like HTTPS, FTP, SSH, and email [76,91,94]. It encompasses a variety of recent reflective DDoS attacks, such as PortMap, NetBIOS, LDAP, MSSQL, UDP, UDP-Lag, SYN, NTP, DNS, and SNMP.

ToN-IoT datasets: This dataset was developed by the UNSW Canberra Cyber team and consists of network data from both malicious and normal IoT and IIoT devices or sensor telemetry datasets. They also include datasets from Windows 7 and 10 operating systems, along with Ubuntu 14 and 18 TLS and network traffic data. The Windows datasets have 132 and 124 features, respectively, covering different IoT and IIoT devices and cyber-attack types [43,71]. Each flow in the dataset is labelled to describe its behaviour, such as scanning, downloading, or command and control activities.

Table 8. Summary of benchmark datasets.

Ref.	Dataset	Year	Attacks
[29,31,35,39,47,50,81,83]	KDD’Cup’99 NSL-KDD	1999 2009	DoS, R2U, U2R and probing
[27,28,40,59,67,72,75,92]	Bot-IoT	2018	DDoS, DoS, OS and Service Scan, Keylogging and Data exfiltration attacks
[32,66,87]	IoT-23	2020	C&C, DDoS attack, FileDownload, HeartBeat, PortScan and botnets (Mirai, Torii, Okiru)
[43,71]	ToN_IoT	2020	XSS, DDoS, DoS, password cracking, reconnaissance or verification, MITM, ransomware, backdoors, and injection
[73]	Kitsune	2018	Reconnaisance, MitM, DoS, and Botnet malware.
[73]	ISCX 2012	2012	Brute force, infiltration, HTTP DoS, and DDoS attack.
[39,56,88]	UNSW-NB15	2015	Backdoors, DoS, Exploits, Fuzzers, Generic, Port scans, Reconnaissance, Shellcode, worms
[26,38]	CIC-IDS2017	2017	Brute Force, HeartBleed, Botnet, DoS, DDoS, Web, Infiltration
[38,57]	CIC-IDS2018	2018	HeartBleed, DoS, Botnet, DDoS, Brute Force, Infiltration, Web
[67]	MQTT-IoT-IDS2020	2020	normal operation, Sparta SSH brute-force, aggressive scan, MQTT brute-force, UDP scan
[88]	IOTID-20	2020	DoS, brute-force, and scan
[82]	Edge-IIoT	2022	DoS, DDoS, information gathering, injection, MitM, Malware
[76,91,94]	CICDDoS2019	2019	PortMap, NetBIOS, LDAP, MSSQL, UDP, UDP-Lag, SYN, NTP, DNS and SNMP attack

IoT-23 dataset: This dataset is a recent collection of network traffic data originating from both normal and malicious IoT devices. It was developed by Avast Software’s Stratosphere IPS team and comprised 23 scenarios. Among these, 20 scenarios feature malware captures from IoT devices, while 3 exhibit normal IoT device traffic. Attack types range from C&C to DDoS attacks, including botnets like Mirai and Torii [32,66,87]. Each flow in the dataset is labelled to describe its network behaviour, such as scanning or downloading. Valuable for ML security tasks like traffic classification and anomaly detection, it also offers protocol information for each scenario, such as TCP, UDP, HTTP, or MQTT.

IoTID-20 dataset: This dataset was introduced by Ullah and Mahmoud in 2020 and offers network and flow-based features to assess flow-based IDS. It consists of normal and malicious traffic generated by different IoT devices, such as cameras, sensors, and smart plugs having different types of attacks, such as DoS, brute-force, and scan attacks [88]. This dataset is a valuable tool for enhancing the security and dependability of IoT networks.

Edge-IIoT dataset: This dataset, created by UNSW Canberra in 2022, is a comprehensive collection of data from a range of IoT and IIoT devices, including sensors that monitor temperature, humidity, and pH levels. It covers 14 distinct types of cyber-attacks, which are organized into five main threat categories: DoS, DDoS, information gathering, injection attacks, and malware [82]. This dataset is instrumental for developing IDSs and is compatible with both centralized and FL models.

5.5. Evaluation Metrics

Evaluating the performance and effectiveness of IoT IDS is crucial for judging their ability to identify and thwart network attacks. The research papers in this domain typically train models on datasets and apply various metrics derived from the confusion matrix: true negatives (TN), true positives (TP), false negatives (FN), and false positives (FP) to measure IDS performance. FN and FP represent incorrect classifications of normal activities and attacks, while TN and TP accurately identify them.

As shown in Table 2, Table 3, Table 4, Table 5, Table 6 and Table 7, the dominating metrics used in recent studies, apart from the MCC measure and the ROC curve, include accuracy, precision, recall (detection rate), and F1-score. Accuracy is the proportion of correctly identified attacks, precision is the ratio of true attacks among all identified attacks, and recall indicates the fraction of actual attacks detected. High precision suggests fewer false alarms and high recall indicates effective attack detection. The F1-score is the harmonic mean of precision and recall, reflecting a balance between the two. The ROC curve illustrates the trade-off between TPR and FPR, with the area under the curve (AUC) indicating overall IDS performance, where a higher AUC denotes better detection with fewer false positives. Lastly, MCC offers a balanced performance metric, particularly useful in skewed datasets, with values closer to +1, indicating superior IDS effectiveness.

The formula for computing the discussed metrics is as follows:

A c c u r a c y = \frac{T P + T N}{(P + T N + F P + F N)}

(1)

P r e c i s i o n = \frac{T P}{T P + F P}

(2)

R e c a l l = \frac{T P}{T P + F N}

(3)

F - s c o r e = 2 * \frac{P r e c i s i o n * R e c a l l}{P r e c i s i o n + R e c a l l}

(4)

M C C = \frac{T P * T N - F P * F N}{\sqrt{(T P + F P) (T P + F N) (T N + F P) (T N + F N)}}

(5)

Moreover, other metrics used include IDS model training and testing time, efficiency is used to measure the rate of IDS’ FPs and FNs in terms of computational resources and accuracy, the response time [32,54,79], which is expected to be swift since IoT devices often operate in real-time environments, energy utilization [56,63,89,93,99,100] which measure the energy consumed by the IDS as IoT devices are frequently resource-constrained with limited battery life. Moreover, most studies also measure the CPU utilization or computational cost [32,54,62,68,79,100], which requires IDS to have low CPU usage to not interfere with the main functions of the IoT device, memory usage [32,54,79], which requires IDS to be lightweight due to the limited memory resources of IoT devices. Similarly, latency or delay [55,78] measures the ability of the IDS to process and analyze data quickly to respond to threats promptly. In terms of throughput [32,66,78], the IDS model is required to handle a high amount of data, given the large volume of traffic in IoT networks. Several studies utilized metrics such as packet loss [69,99], packet delivery rate [69], flexibility [74], scalability [98], bandwidth [99], security and privacy [74,94], communication cost [68], etc. to evaluate the performance and effectiveness of IDS for IoT systems.

6. Discussion and Future Research Directions

6.1. Discussion

This study provides a comprehensive analysis of IDS strategies within IoT frameworks, examining various attacks, challenges, and performance metrics alongside a review of benchmark datasets. The paper systematically addresses six research questions (RQ1-RQ6) across different sections, detailing both ML and non-ML-based IDS approaches. Consequently, RQ1 was addressed in Section 5.1, RQ2 in Section 5.2, RQ3 in Section 5.3, and RQ4 in Section 5.4. Equally, RQ5 was addressed and discussed in Section 5.5, and RQ6 was highlighted in Section 6.2. Summarized across Table 1, Table 2, Table 3, Table 4, Table 5, Table 6, Table 7 and Table 8, the main findings show that the implementation of IDS in IoT faces several challenges, such as high FPRs, scalability issues, data security and privacy concerns, and the need for real-time detection. It also revealed that the inherent heterogeneity and limited resources of IoT devices further complicate the deployment of effective IDS. Moreover, the study identifies the predominance of ML-based IDS solutions in IoT, specifically SL, SSL, DL, and USL. Furthermore, techniques such as DL, ensemble learning, TL, and FL are noted for their potential to improve detection rates and accuracy. The generic architecture of these systems is depicted in Figure 5.

Based on the analysis, it shows that the current IDS solutions are effective to a certain extent in detecting known threats and anomalies in IoT networks. However, they often struggle with new and sophisticated attacks, which require constant updates and adaptations. Particularly, the integration of advanced technologies like ML, statistical analysis, blockchain and cryptography, as well as feature engineering and optimization techniques, are promising in enhancing the capabilities of IDS. They help in automating the detection process and improving the accuracy of threat identification, security, and privacy preservation. Analysis of the review shows that most of the IDS strategies were AIDS, which dominantly utilized ML algorithms to detect network anomalies. Only a few strategies were hybrid, utilizing both AIDS and SIDS to achieve more comprehensive threat detection, such as AIDS and SIDS agents [64]. In the same vein, the techniques that utilized the SPIDS were only found among the non-ML-based ones, such as in [56,61]. Thus, packet inspection and traffic analysis are common detection techniques used to detect malicious traffic patterns and anomalies in the IoT-based IDS, both complex and evolving threats such as DoS/DDoS, zero-day exploits, polymorphic malware, etc. However, the ML-based as well as the non-ML-based techniques consume substantial computational resources and training data which could be challenging for resource-constrained IoT devices. Moreover, IoT IDS is deployed using various architectures, including edge-based [77,78], fog-based [83], cloud-based [29,39], and hybrid solutions [39,58]. The edge/fog-based leverages local processing and analysis capabilities to detect and mitigate threats closer to the source, reducing latency and bandwidth consumption, while the cloud-based IDS centralize detection and analysis in the cloud with scalability and resource efficiency in mind.

Furthermore, to evaluate the performance of these IoT-based IDS, several evaluation metrics have been used, including detection accuracy, recall, precision, F1-score, MCC, response time, and resource overhead. The analysis based on these measures is critical to making informed decisions about the selection and deployment of the IoT IDS solutions. However, in real-world environments, performance assessment can be challenging due to the dynamic nature of IoT ecosystems and the diversity of deployed devices and applications. In a similar effort, most of the IDS strategies employed efficient feature selection and optimization techniques to bolster the accuracy of the IDS models. Such feature engineering approaches include HHO and SCA [72], ECSO [83], Deep GB-RBM [26], SMO [31], RSL [30], IG [27,96], FS and BE [27], HOA [31], RF and XGBoost [54], F-PSO [92] and SEA and AE [34]. Equally, to enhance the security and preserve-privacy of IoT data, different techniques have been utilized, such as cryptocurrency and blockchain [30,44,49,52,69,78,84,94,99], cryptography—MGO and DHPEA [78], PUFs(ECDSA) [94], homomorphic encryption [51], routing/two-fish symmetry key [85], authentication [68], access control [36], DP [51,52,82]. Additionally, most strategies incorporate techniques to minimize energy consumption, such as in [38,56,72,93,99], while others employed ByzantineMedia and ByzantineKrum [45] to ensure the reliability of the deployed IDS model. With these approaches, the finding further revealed that while the TL and ensemble techniques aimed to speed up model training and detection accuracy, as well as boost data security, the FL strategies were geared towards improving accuracy, efficiency, data imbalances, reliability as well as preserve security and privacy of the data [37,51,52,82]. Implementations were mainly on experiment simulations dominated by Python programming language and its ML libraries such as TensorFlow, Keras, Nmap, Matplotlib, Scipy, Pandas, Detecta, Scikit-learn, etc. This was followed by Java and C++ languages. In addition, several publicly available benchmark datasets were used in most studies while other studies generated their datasets in real-time via testbeds setup using devices such as Raspberry Pi, cameras, sensors, etc.

Another IoT-based intrusion detection strategy found is the CIDS, where multiple devices work together to detect and respond to threats more effectively, leveraging the collective intelligence of the network. Authors in [63] developed ASSET utilizing the SDN, [94] developed a blockchain-based approach, and [84] developed a blockchain-SDN-based approach to identify and mitigate attacks more effectively. Additionally, while significant progress has been made in the realm of IoT-based IDS for IoT, there are still many areas that require further investigation.

6.2. Future Research Directions

Based on the review conducted, there is an ongoing need for research and development to address the limitations of current IDS solutions. Some of the important future research directions are discussed.

High false alarms: The prevalence of high false alarms in IDS constitutes a significant hurdle, often resulting in high detection rates accompanied by a corresponding increase in FPs. These FPs impose considerable costs for the analysis of routine network traffic. Adaptive methodologies that incorporate automated learning are essential to manage the dynamic nature of network data and curtail the incidence of false alarms [7]. To further reduce the rates of FNs and FPs, the development of models tailored to specific devices, augmented by data mining and computational intelligence techniques, is central to bolstering the IDS’s ability to detect malicious IoT entities. It is also critical to accurately differentiate between genuine anomalies and normal dataset variations to prevent misinterpretations that could lead to false alarms. Developing strategies to detect zero-day or novel, unknown attacks can significantly enhance the precision and effectiveness of IDS [8,9]. Therefore, it is crucial to design an IDS model that achieves an equilibrium between the accurate detection of actual threats and the minimization of unwarranted alerts to maintain the IDS’s efficacy.

Zero-day attacks: ML algorithms in IoT networks often struggle to efficiently detect zero-day attacks due to their focus on data similarities rather than on identifying anomalous patterns, resulting in a high rate of false alarms [7,12]. A more effective strategy for zero-day attack detection within IDS is necessary. This strategy should transcend traditional classification-focused methods, incorporate intrusion profiling, and employ current, systematic, and balanced datasets for model training. In addition, a robust and comprehensive IDS framework, specifically designed for modern networks such as IoT [12], should include mechanisms for regular updates of attack definitions and ongoing model training with these updates, as well as real-time data refreshment. Such measures will help maintain the model’s adaptability and precision in recognizing new threats, thereby minimizing false alarms.

ML techniques effectiveness: The integration of ML techniques with cloud-based IDS is essential for effective knowledge acquisition. Current practices predominantly utilize standard ML, DL, and ensemble methods. However, the potential of transfer learning, reinforcement learning, and SSL in IoT security remains underexplored [5,8]. Investigating these methods could lead to faster training processes and the development of real-time, cohesive models for detecting anomalies in IoT systems. Moreover, inherent constraints of IoT devices, such as limited battery life, storage, and processing power [8], hinder the efficacy of ML and DL algorithms in safeguarding IoT networks against issues such as network latency. Therefore, it is imperative to tailor and train IDS models for specific device categories to improve the precision and efficiency of threat detection.

IDS efficiency: Creating specialized IDS models for distinct IoT devices is essential due to the inherent constraints of these devices, which are not equipped to handle high-demand computing and storage processes. The size of messages processed by IoT resources is also a critical factor; larger messages can deplete battery life quickly and consume other device resources. Therefore, it is recommended that researchers develop IDS models that operate with smaller message sizes to reduce resource consumption and prevent rapid battery depletion [8]. Additionally, it is important to conduct thorough evaluations of IDS performance in various IoT contexts and against different types of attacks before implementation. Such assessments can significantly improve the IDS’s resilience and efficiency in real-world situations.

Multi-stage attacks and multi-layer security: Multi-stage attacks that leverage diverse weaknesses present a formidable challenge in the dynamic realm of IoT systems, necessitating dedicated and focused countermeasures. Effective intrusion detection must extend beyond the network layer to encompass security considerations across the entire network communication model. This comprehensive strategy entails identifying and mitigating attacks at various levels, thereby accommodating the continuously changing patterns of network behaviour and web services [7,8]. It is essential to adopt a multi-layered approach to strengthen the defence against complex, multi-stage threats.

Heterogeneity of the IoT ecosystem: The diversity of the IoT ecosystem presents significant challenges in implementing IDS, particularly due to the varied operational fields that interconnected devices span. A notable challenge arises in creating IDS methods that can efficiently integrate a range of IoT devices, such as smart home gadgets interfacing with healthcare sensors. These systems require the capability and compatibility to seamlessly access and retrieve data across various domains [8]. Consequently, IDS must be engineered to be sufficiently robust, enabling effective communication among diverse IoT devices and ensuring uncomplicated data recovery.

Cloud storage and IDS methods: In IoT applications, data storage frequently occurs in cloud environments, including fog and edge computing, which demands a variety of IDS approaches. This requirement raises substantial security and privacy issues [5,8]. Many fog and edge devices within an IoT framework are limited by their resources and may lack the capacity for secure computation, analysis, and data processing. Consequently, there is an imperative need for robust and effective IDSs that can guarantee secure and seamless communication across different IoT platforms, particularly in the context of data stored in the cloud.

Security of IoT IDS techniques: Existing IoT IDS techniques are often not secure against various types of attacks, and many focus on specific attacks rather than multiple attacks simultaneously. Thus, there is a need to develop secure and resilient IDS approaches that can effectively handle multiple types of attacks concurrently in terms of themselves and the host.

Limitation of existing datasets: The current landscape of datasets for network security is inadequate, with many failing to classify a comprehensive range of threats or being outdated, thus not reflecting the evolving spectrum of network attacks [7,11]. To address this, there is a need to enhance these datasets to capture a broader variety of attacks and leverage studies on current attack patterns to refine data samples. The scarcity of publicly accessible datasets and algorithms hampers the benchmarking process in IoT, affecting the evaluation and comparison of different solutions. Open access to these resources would promote transparency, collaboration, and reproducibility in IoT research. Furthermore, the availability of labelled data is vital for the validation and assessment of IoT models; however, many datasets do not adequately represent normal and anomalous classes or lack labels altogether [9,11]. This presents a considerable obstacle, underscoring the necessity for more comprehensively labelled datasets for anomaly detection. Current labelling practices are manual and resource-intensive, highlighting the need for further research into automated solutions to address the challenges posed by unlabeled data in IoT.

Increasing and dynamic network traffic: The surge in Internet traffic increases the challenge of establishing dependable real-time network monitoring. This increase complicates the creation of effective IDS [7,9]. Moreover, the application of computational intelligence techniques to high-dimensional datasets in ever-changing environments is not well-explored. Therefore, there is a pressing need to develop feature-engineered, ML-based IDS methods that can handle high-dimensional data in dynamic settings, enhancing performance. Again, it is crucial to evaluate the effectiveness of public datasets against private ones to verify their accuracy and detection rates [7]. Access to private datasets is often restricted due to copyright and privacy concerns, presenting another layer of complexity in IDS development.

Network feature extraction: In IDS, datasets are created by extracting and analyzing feature or payload information from network packets to establish attack patterns and signatures. However, accurately extracting these features from IoT network traffic is complex due to overlapping packets from various connections, privacy issues, and sometimes insufficient feature sets for detecting new attacks [7,12]. To mitigate these challenges, it is beneficial to extract features at both the network traffic and flow levels, as well as packet-level features [7], ensuring they represent all layers of the IoT architecture. Additionally, implementing robust data anonymization methods can safeguard the privacy of data owners while utilizing these features.

7. Conclusions

This paper presented a review of IoT-based IDS that highlights the importance of proactive security measures to mitigate the growing risks posed by cyber threats within the IoT environment. The analysis spans studies from 2016 to 2023, examining both ML and non-ML IDS approaches, their targeted attacks, challenges, detection methods and their effectiveness, performance metrics, and the datasets employed. The research underscores the variety of attacks aimed at disrupting the IoT ecosystem, noting that while most target a single layer, others like DoS and DDoS span multiple layers, incurring significant costs. The study acknowledges the challenges in implementing IoT-based IDS, particularly due to the diverse and resource-limited nature of IoT devices. It reveals a predominance of ML-based IDS, especially AIDS, complemented by hybrid AIDS and SIDS methods, with fewer instances of SPIDS among the non-ML approaches. The study highlighted the effectiveness of ML-based IDS in detecting malicious activities with techniques such as supervised, semi-supervised, deep, unsupervised, ensemble, transfer, and federated learning, alongside feature engineering and optimization to boost model accuracy and efficiency. Based on the in-depth analysis conducted in this study, deep learning and ensemble methods are identified as top-performing techniques. The paper also notes the use of advanced cryptographic measures, authentication, access control, privacy models, and blockchain technology to improve IoT data security and privacy. Moreover, performance metrics like detection accuracy, precision, recall, F1 score, etc., and benchmark datasets are utilized to assess IDS models, which are validated in simulated environments. The IDS deployments are typically in edge/fog and cloud-based settings, chosen based on goals like bandwidth reduction, latency minimization, or scalable, resource-efficient threat detection. These findings offer an in-depth understanding of the current state of IoT security and identify research directions to boost IoT resilience. Given the continuous evolution of cyber threats, the paper advocates for the creation of more advanced, efficient, and adaptable IDS solutions to protect the expanding IoT infrastructure. As a future work, we intend to design and implement an adaptive IDS for Smart homes to bolster their security.

Author Contributions

Conceptualization, B.I. and O.K.; methodology, B.I.; validation, B.I., O.K. and A.A.-M.; investigation, O.K.; writing—original draft preparation, B.I.; writing—review and editing, B.I. and O.K.; supervision, B.I.; project administration, B.I.; funding acquisition, A.A.-M. All authors have read and agreed to the published version of the manuscript.

Funding

This research received no external funding.

Data Availability Statement

Not applicable.

Acknowledgments

This was supported by FNAS, UDSC, and the Department of Computer Science at the North-West University, Mafikeng campus, as well as the Council for Scientific and Industrial Research (CSIR) via the Smart Networks collaboration initiative and IoT-Factory Program (funded by the Department of Science and Innovation (DSI), South Africa).

Conflicts of Interest

The authors declare no conflicts of interest.

References

Tawalbeh, L.; Muheidat, F.; Tawalbeh, M.; Quwaider, M. IoT Privacy and Security: Challenges and Solutions. Appl. Sci. 2020, 10, 4102. [Google Scholar] [CrossRef]
Litoussi, M.; Kannouf, N.; El Makkaoui, K.; Ezzati, A.; Fartitchou, M. IoT security: Challenges and countermeasures. Procedia Comput. Sci. 2020, 177, 503–508. [Google Scholar] [CrossRef]
Sethi, P.; Sarangi, S.R. Internet of Things: Architectures, Protocols, and Applications. J. Electr. Comput. Eng. 2017, 2017, 9324035. [Google Scholar] [CrossRef]
Lombardi, M.; Pascale, F.; Santaniello, D. Internet of Things: A General Overview between Architectures, Protocols and Applications. Information 2021, 12, 87. [Google Scholar] [CrossRef]
Krishna, R.R.; Priyadarshini, A.; Jha, A.V.; Appasani, B.; Srinivasulu, A.; Bizon, N. State-of-the-art review on IoT threats and attacks: Taxonomy, challenges and solutions. Sustainability 2021, 13, 9463. [Google Scholar] [CrossRef]
Touqeer, H.; Zaman, S.; Amin, R.; Hussain, M.; Al-Turjman, F.; Bilal, M. Smart home security: Challenges, issues and solutions at different IoT layers. J. Supercomput. 2021, 77, 14053–14089. [Google Scholar] [CrossRef]
Thakkar, A.; Lohiya, R. A survey on intrusion detection system: Feature selection, model, performance measures, application perspective, challenges, and future research directions. Artif. Intell. Rev. 2022, 55, 453–563. [Google Scholar] [CrossRef]
Heidari, A.; Jabraeil Jamali, M.A. Internet of Things intrusion detection systems: A comprehensive review and future directions. Clust. Comput. 2022, 26, 3753–3780. [Google Scholar] [CrossRef]
Fernandes, G.; Rodrigues, J.J.; Carvalho, L.F.; Al-Muhtadi, J.F.; Proença, M.L. A comprehensive survey on network anomaly detection. Telecommun. Syst. 2019, 70, 447–489. [Google Scholar] [CrossRef]
Khraisat, A.; Alazab, A. A critical review of intrusion detection systems in the Internet of things: Techniques, deployment strategy, validation strategy, attacks, public datasets and challenges. Cybersecurity 2021, 4, 1–27. [Google Scholar] [CrossRef]
Alghanmi, N.; Alotaibi, R.; Buhari, S.M. Machine learning approaches for anomaly detection in IoT: An overview and future research directions. Wirel. Pers. Commun. 2022, 122, 2309–2324. [Google Scholar] [CrossRef]
Ahmad, Z.; Khan, A.S.; Shiang, C.W.; Abdullah, J.; Ahmad, F. Network intrusion detection system: A systematic study of machine learning and deep learning approaches. Trans. Emerg. Telecommun. Technol. 2021, 32, e4150. [Google Scholar] [CrossRef]
Umer, M.A.; Junejo, K.N.; Jilani, M.T.; Mathur, A.P. Machine learning for intrusion detection in industrial control systems: Applications, challenges, and recommendations. Int. J. Crit. Infrastruct. Prot. 2022, 38, 100516. [Google Scholar] [CrossRef]
Nweke, L.O. A survey of specification-based intrusion detection techniques for cyber-physical systems. Int. J. Adv. Comput. Sci. Appl. 2021, 12, 37–45. [Google Scholar] [CrossRef]
Zarpelão, B.B.; Miani, R.S.; Kawakani, C.T.; de Alvarenga, S.C. A survey of intrusion detection in Internet of Things. J. Netw. Comput. Appl. 2017, 84, 25–37. [Google Scholar] [CrossRef]
Martins, I.; Resende, J.S.; Sousa, P.R.; Silva, S.; Antunes, L.; Gama, J. Host-based IDS: A review and open issues of an anomaly detection system in IoT. Future Gener. Comput. Syst. 2022, 133, 95–113. [Google Scholar] [CrossRef]
Gendreau, A.A.; Moorman, M. Survey of intrusion detection systems towards an end-to-end secure Internet of things. In Proceedings of the 2016 IEEE 4th International Conference on Future Internet of things and Cloud (FiCloud), Vienna, Austria, 22–24 August 2016; pp. 84–90. [Google Scholar]
Jamalipour, A.; Murali, S. A Taxonomy of Machine-Learning-Based Intrusion Detection Systems for the Internet of Things: A Survey. IEEE Internet Things J. 2021, 9, 9444–9466. [Google Scholar] [CrossRef]
Singh, G.; Khare, N. A survey of intrusion detection from the perspective of intrusion datasets and machine learning techniques. Int. J. Comput. Appl. 2022, 44, 659–669. [Google Scholar] [CrossRef]
Adat, V.; Gupta, B.B. Security in Internet of Things: Issues, challenges, taxonomy, and architecture. Telecommun. Syst. 2018, 67, 423–441. [Google Scholar] [CrossRef]
Neshenko, N.; Bou-Harb, E.; Crichigno, J.; Kaddoum, G.; Ghani, N. Demystifying IoT security: An exhaustive survey on IoT vulnerabilities and a first empirical look on internet-scale IoT exploitations. IEEE Commun. Surv. Tutor. 2019, 21, 2702–2733. [Google Scholar] [CrossRef]
Elrawy, M.F.; Awad, A.I.; Hamed, H.F. Intrusion detection systems for IoT-based smart environments: A survey. J. Cloud Comput. 2018, 7, 21. [Google Scholar] [CrossRef]
Albulayhi, K.; Smadi, A.A.; Sheldon, F.T.; Abercrombie, R.K. IoT Intrusion Detection Taxonomy, Reference Architecture, and Analyses. Sensors 2021, 21, 6432. [Google Scholar] [CrossRef] [PubMed]
Petersen, K.; Vakkalanka, S.; Kuzniar, L. Guidelines for conducting systematic mapping studies in software engineering: An update. Inf. Softw. Technol. 2015, 64, 1–18. [Google Scholar] [CrossRef]
Kitchenham, B.; Brereton, O.P.; Budgen, D.; Turner, M.; Bailey, J.; Linkman, S. Systematic literature reviews in software engineering–a systematic literature review. Inf. Softw. Technol. 2009, 51, 7–15. [Google Scholar] [CrossRef]
Maseer, Z.K.; Yusof, R.; Mostafa, S.A.; Bahaman, N.; Musa, O.; Al-Rimy, B.A.S. Deepiot. ids: Hybrid deep learning for enhancing IoT network intrusion detection. Comput. Mater. Contin. 2021, 69, 3945–3966. [Google Scholar]
Syamsuddin, I.; Barukab, O.M. SUKRY: Suricata IDS with Enhanced kNN Algorithm on Raspberry Pi for Classifying IoT Botnet Attacks. Electronics 2022, 11, 737. [Google Scholar] [CrossRef]
Dina, A.S.; Siddique, A.B.; Manivannan, D. A deep learning approach for intrusion detection in Internet of Things using focal loss function. Internet Things 2023, 22, 100699. [Google Scholar] [CrossRef]
Selvapandian, D.; Santhosh, R. Deep learning approach for intrusion detection in IoT-multi cloud environment. Autom. Softw. Eng. 2021, 28, 19. [Google Scholar] [CrossRef]
Derhab, A.; Guerroumi, M.; Gumaei, A.; Maglaras, L.; Ferrag, M.A.; Mukherjee, M.; Khan, F.A. Blockchain and Random Subspace Learning-Based IDS for SDN-Enabled Industrial IoT Security. Sensors 2019, 19, 3119. [Google Scholar] [CrossRef]
Duraisamy, A.; Subramaniam, M.; Robin, C.R.R. An Optimized Deep Learning Based Security Enhancement and Attack Detection on IoT Using IDS and KH-AES for Smart Cities. Stud. Inform. Control 2021, 30, 121–131, ISSN 1220-1766. [Google Scholar] [CrossRef]
Bhale, P.; Chowdhury, D.R.; Biswas, S.; Nandi, S. OPTIMIST: Lightweight and Transparent IDS With Optimum Placement Strategy to Mitigate Mixed-Rate DDoS Attacks in IoT Networks. IEEE Internet Things J. 2023, 10, 8357–8370. [Google Scholar] [CrossRef]
Zeghida, H.; Boulaiche, M.; Chikh, R. Securing MQTT protocol for IoT environment using IDS based on ensemble learning. Int. J. Inf. Secur. 2023, 22, 1075–1086. [Google Scholar] [CrossRef]
Morales-Molina, C.D.; Hernandez-Suarez, A.; Sanchez-Perez, G.; Toscano-Medina, L.K.; Perez-Meana, H.; Olivares-Mercado, J.; Portillo-Portillo, J.; Sanchez, V.; Garcia-Villalba, L.J. A Dense Neural Network Approach for Detecting Clone ID Attacks on the RPL Protocol of the IoT. Sensors 2021, 21, 3173. [Google Scholar] [CrossRef]
Otoum, Y.; Nayak, A. AS-IDS: Anomaly and Signature Based IDS for the Internet of Things. J. Netw. Syst. Manag. 2021, 29, 23. [Google Scholar] [CrossRef]
Abdollahi, A.; Fathi, M. An intrusion detection system on ping of death attacks in IoT networks. Wirel. Pers. Commun. 2020, 112, 2057–2070. [Google Scholar] [CrossRef]
Hosen, A.S.; Singh, S.; Mariappan, V.; Kaur, M.; Cho, G.H. A secure and privacy-preserving partial deterministic RWP model to reduce overlapping in IoT sensing environment. IEEE Access 2019, 7, 39702–39716. [Google Scholar] [CrossRef]
Okey, O.D.; Melgarejo, D.C.; Saadi, M.; Rosa, R.L.; Kleinschmidt, J.H.; Rodríguez, D.Z. Transfer Learning Approach to IDS on Cloud IoT Devices Using Optimized CNN. IEEE Access 2023, 11, 1023–1038. [Google Scholar] [CrossRef]
Alhowaide, A.; Alsmadi, I.; Tang, J. Ensemble Detection Model for IoT IDS. Internet Things 2021, 16, 2542–6605. [Google Scholar] [CrossRef]
Tyagi, H.; Kumar, R. Attack and Anomaly Detection in IoT Networks Using Supervised Machine Learning Approaches. Rev. d’Intell. Artif. 2021, 35, 11–21. [Google Scholar] [CrossRef]
Li, B.; Wu, Y.; Song, J.; Lu, R.; Li, T.; Zhao, L. DeepFed: Federated deep learning for intrusion detection in industrial cyber–physical systems. IEEE Trans. Ind. Inf. 2020, 17, 5615–5624. [Google Scholar] [CrossRef]
Mothukuri, V.; Khare, P.; Parizi, R.M.; Pouriyeh, S.; Dehghantanha, A.; Srivastava, G. Federated-Learning-Based Anomaly Detection for IoT Security Attacks. IEEE Internet Things J. 2022, 9, 2545–2554. [Google Scholar] [CrossRef]
Khan, I.A.; Moustafa, N.; Pi, D.; Hussain, Y.; Khan, N.A. DFF-SC4N: A Deep Federated Defence Framework for Protecting Supply Chain 4.0 Networks. IEEE Trans. Ind. Inform. 2023, 19, 3300–3309. [Google Scholar] [CrossRef]
Zhang, W.; Lu, Q.; Yu, Q.; Li, Z.; Liu, Y.; Lo, S.K.; Chen, S.; Xu, X.; Zhu, L. Blockchain-based federated learning for device failure detection in industrial IoT. IEEE Internet Things J. 2020, 8, 5926–5937. [Google Scholar] [CrossRef]
Taheri, R.; Shojafar, M.; Alazab, M.; Tafazolli, R. Fed-IIoT: A Robust Federated Malware Detection Architecture in Industrial IoT. IEEE Trans. Ind. Inform. 2021, 17, 8442–8452. [Google Scholar] [CrossRef]
Song, Y.; Liu, T.; Wei, T.; Wang, X.; Tao, Z.; Chen, M. FDA³: Federated Defense Against Adversarial Attacks for Cloud-Based IIoT Applications. IEEE Trans. Ind. Inform. 2021, 17, 7830–7838. [Google Scholar] [CrossRef]
Ravi, N.; Shalinie, S.M. Semisupervised-learning-based security to detect and mitigate intrusions in IoT network. IEEE Internet Things J. 2020, 7, 11041–11052. [Google Scholar] [CrossRef]
Yılmaz, S.; Aydogan, E.; Sen, S. A transfer learning approach for securing resource-constrained IoT devices. IEEE Trans. Inf. Forensic Secur. 2021, 16, 4405–4418. [Google Scholar] [CrossRef]
Kumar, R.; Kumar, P.; Tripathi, R.; Gupta, G.P.; Garg, S.; Hassan, M.M. A distributed intrusion detection system to detect DDoS attacks in blockchain-enabled IoT network. J. Parallel Distrib. Comput. 2022, 164, 55–68. [Google Scholar] [CrossRef]
Tabassum, A.; Erbad, A.; Lebda, W.; Mohamed, A.; Guizani, M. FEDGAN-IDS: Privacy-preserving IDS using GAN and Federated Learning. Comput. Commun. 2022, 192, 299–310. [Google Scholar] [CrossRef]
Hao, M.; Li, H.; Luo, X.; Xu, G.; Yang, H.; Liu, S. Efficient and Privacy-Enhanced Federated Learning for Industrial Artificial Intelligence. IEEE Trans. Ind. Inform. 2020, 16, 6532–6542. [Google Scholar] [CrossRef]
Cui, L.; Qu, Y.; Xie, G.; Zeng, D.; Li, R.; Shen, S.; Yu, S. Security and Privacy-Enhanced Federated Learning for Anomaly Detection in IoT Infrastructures. IEEE Trans. Ind. Inform. 2022, 18, 3492–3500. [Google Scholar] [CrossRef]
Eskandari, M.; Janjua, Z.H.; Vecchio, M.; Antonelli, F. Passban IDS: An Intelligent Anomaly-Based Intrusion Detection System for IoT Edge Devices. IEEE Internet Things J. 2020, 7, 6882–6897. [Google Scholar] [CrossRef]
Liu, Z.; Thapa, N.; Shaver, A.; Roy, K.; Siddula, M.; Yuan, X.; Yu, A. Using Embedded Feature Selection and CNN for Classification on CCD-INID-V1—A New IoT Dataset. Sensors 2021, 21, 4834. [Google Scholar] [CrossRef]
Gassais, R.; Ezzati-Jivan, N.; Fernandez, J.M.; Aloise, D.; Dagenais, M.R. Multi-level host-based intrusion detection system for Internet of Things. J. Cloud Comput. 2020, 9, 62. [Google Scholar] [CrossRef]
Babu, M.J.; Reddy, A.R. SH-IDS: Specification Heuristics Based Intrusion Detection System for IoT Networks. Wirel. Pers. Commun. 2020, 112, 2023–2045. [Google Scholar] [CrossRef]
Kaushik, S.; Bhardwaj, A.; Alomari, A.; Bharany, S.; Alsirhani, A.; Mujib Alshahrani, M. Efficient, Lightweight Cyber Intrusion Detection System for IoT Ecosystems Using MI2G Algorithm. Computers 2022, 11, 142. [Google Scholar] [CrossRef]
Anthi, E.; Williams, L.; Słowińska, M.; Theodorakopoulos, G.; Burnap, P. A supervised intrusion detection system for smart home IoT devices. IEEE Internet Things J. 2019, 6, 9042–9053. [Google Scholar] [CrossRef]
Khraisat, A.; Gondal, I.; Vamplew, P.; Kamruzzaman, J.; Alazab, A. A novel ensemble of hybrid intrusion detection system for detecting Internet of Things attacks. Electronics 2019, 8, 1210. [Google Scholar] [CrossRef]
Marabissi, D.; Mucchi, L.; Stomaci, A. IoT nodes authentication and ID spoofing detection based on joint use of physical layer security and machine learning. Future Internet 2022, 14, 61. [Google Scholar] [CrossRef]
Santos, L.; Gonçalves, R.; Rabadao, C.; Martins, J. A flow-based intrusion detection framework for Internet of Things networks. Clust. Comput. 2021, 26, 37–57. [Google Scholar] [CrossRef]
Agyemang, J.O.; Kponyo, J.J.; Klogo, G.S.; Boateng, J.O. Lightweight rogue access point detection algorithm for WiFi-enabled Internet of Things (IoT) devices. Internet Things 2020, 11, 100200. [Google Scholar] [CrossRef]
Violettas, G.; Simoglou, G.; Petridou, S.; Mamatas, L. A softwarized intrusion detection system for the RPL-based Internet of Things networks. Future Gener. Comput. Syst. 2021, 125, 698–714. [Google Scholar] [CrossRef]
Bostani, H.; Sheikhan, M. Hybrid of anomaly-based and specification-based IDS for Internet of Things using unsupervised OPF based on MapReduce approach. Comput. Commun. 2017, 98, 52–71. [Google Scholar] [CrossRef]
Facchini, S.; Giorgi, G.; Saracino, A.; Dini, G. Multi-level Distributed Intrusion Detection System for an IoT based Smart Home Environment. In Proceedings of the ICISSP, Valletta, Malta, 25–27 February 2020; pp. 705–712. [Google Scholar]
Alghamdi, R.; Bellaiche, M. An ensemble deep learning based IDS for IoT using Lambda architecture. Cybersecurity 2023, 6, 5. [Google Scholar] [CrossRef]
Khan, M.A.; Khan, M.A.; Jan, S.U.; Ahmad, J.; Jamal, S.S.; Shah, A.A.; Pitropakis, N.; Buchanan, W.J. A Deep Learning-Based Intrusion Detection System for MQTT Enabled IoT. Sensors 2021, 21, 7016. [Google Scholar] [CrossRef] [PubMed]
Saqib, M.; Jasra, B.; Moon, A.H. A lightweight three-factor authentication framework for IoT-based critical applications. J. King Saud Univ. Comput. Inf. Sci. 2022, 34, 6925–6937. [Google Scholar] [CrossRef]
Savitha, M.M.; Basarkod, P.I. Securing AMI-IoT networks against multiple RPL attacks using ensemble learning IDS and light-chain based prediction detection and mitigation mechanisms. Inf. Secur. J. A Glob. Perspect. 2023, 33, 73–95. [Google Scholar] [CrossRef]
Raza, S.; Wallgren, L.; Voigt, T. SVELTE: Real-time intrusion detection in the Internet of Things. Ad Hoc Netw. 2013, 11, 2661–2674. [Google Scholar] [CrossRef]
Paudel, R.; Muncy, T.; Eberle, W. Detecting dos attack in smart home IoT devices using a graph-based approach. In Proceedings of the 2019 IEEE International Conference on Big Data (Big Data), Los Angeles, CA, USA, 9–12 December 2019; pp. 5249–5258. [Google Scholar]
Katib, I.; Ragab, M. Blockchain-Assisted Hybrid Harris Hawks Optimization Based Deep DDoS Attack Detection in the IoT Environment. Mathematics 2023, 11, 1887. [Google Scholar] [CrossRef]
Ashraf, J.; Keshk, M.; Moustafa, N.; Abdel-Basset, M.; Khurshid, H.; Bakhshi, A.D.; Mostafa, R.R. IoTBoT-IDS: A novel statistical learning-enabled botnet detection framework for protecting networks of smart cities. Sustain. Cities Soc. 2021, 72, 103041. [Google Scholar] [CrossRef]
El Houda, Z.A.; Hafid, A.; Khoukhi, L. Co-IoT: A Collaborative DDoS Mitigation Scheme in IoT Environment Based on Blockchain Using SDN. In Proceedings of the 2019 IEEE Global Communications Conference (GLOBECOM), Waikoloa, HI, USA, 9–13 December 2019; pp. 1–6. [Google Scholar] [CrossRef]
Alzahrani, R.J.; Alzahrani, A. A Novel Multi-Algorithm Approach to Identify Network Anomalies in the IoT Using Fog Computing and a Model to Distinguish between IoT and Non-IoT Devices. J. Sens. Actuator Netw. 2023, 12, 19. [Google Scholar] [CrossRef]
Kumar, D.; Pateriya, R.K.; Gupta, R.K.; Dehalwar, V.; Sharma, A. DDoS Detection using Deep Learning. Procedia Comput. Sci. 2023, 218, 2420–2429. [Google Scholar] [CrossRef]
Shanmuganathan, V.; Suresh, A. LSTM-Markov based efficient anomaly detection algorithm for IoT environment. Appl. Soft Comput. 2023, 136, 110054. [Google Scholar] [CrossRef]
Sankaran, K.S.; Kim, B. Deep learning based energy efficient optimal RMC-CNN model for secured data transmission and anomaly detection in industrial IoT. Sustain. Energy Technol. Assess. 2023, 56, 102983. [Google Scholar] [CrossRef]
Sharmila, B.S.; Rohini, N. P-DNN: Parallel DNN based IDS framework for the detection of IoT vulnerabilities. Secur. Priv. 2023, 7, e330. [Google Scholar] [CrossRef]
Yang, J.; Li, T.; Liang, G.; Wang, Y.; Gao, T.; Zhu, F. Spam transaction attack detection model based on GRU and WGAN-div. Comput. Commun. 2020, 161, 172–182. [Google Scholar] [CrossRef]
Wazirali, R. An improved intrusion detection system based on KNN hyperparameter tuning and cross-validation. Arab. J. Sci. Eng. 2020, 45, 10859–10873. [Google Scholar] [CrossRef]
Friha, O.; Ferrag, M.A.; Benbouzid, M.; Berghout, T.; Kantarci, B.; Choo, K.R. 2DF-IDS: Decentralized and differentially private federated learning-based intrusion detection system for industrial IoT. Comput. Secur. 2023, 127, 103097. [Google Scholar] [CrossRef]
Alohali, M.A.; Elsadig, M.; Al-Wesabi, F.N.; Al Duhayyim, M.; Hilal, A.M.; Motwakel, A. Swarm intelligence for IoT attack detection in the fog-enabled cyber-physical system. Comput. Electr. Eng. 2023, 108, 108676. [Google Scholar] [CrossRef]
Li, W.; Wang, Y.; Li, J. A blockchain-enabled collaborative intrusion detection framework for SDN-assisted cyber-physical systems. Int. J. Inf. Secur. 2023, 22, 1219–1230. [Google Scholar] [CrossRef]
Deebak, B.D.; Al-Turjman, F. A hybrid secure routing and monitoring mechanism in IoT-based wireless sensor networks. Ad Hoc Netw. 2020, 97, 102022. [Google Scholar]
Hodo, E.; Bellekens, X.; Hamilton, A.; Dubouilh, P.-L.; Iorkyase, E.; Tachtatzis, C.; Atkinson, R. Threat analysis of IoT networks using artificial neural network intrusion detection system. In Proceedings of the 2016 International Symposium on Networks, Computers and Communications (ISNCC), Hammamet, Tunisia, 11–13 May 2016; pp. 1–6. [Google Scholar]
He, F.; Tong, F.; Zhang, Y. A Bi-Layer Intrusion Detection Based on Device Behavior Profiling for Smart Home IoT. In Proceedings of the 2022 IEEE 19th International Conference on Mobile Ad Hoc and Smart Systems (MASS), Denver, CO, USA, 19–23 October 2022; pp. 373–379. [Google Scholar]
Sarwar, A.; Alnajim, A.M.; Marwat, S.N.K.; Ahmed, S.; Alyahya, S.; Khan, W.U. Enhanced Anomaly Detection System for IoT Based on Improved Dynamic SBPSO. Sensors 2022, 22, 4926. [Google Scholar] [CrossRef] [PubMed]
Amouri, A.; Alaparthy, V.T.; Morgera, S.D. A Machine Learning Based Intrusion Detection System for Mobile Internet of Things. Sensors 2020, 20, 461. [Google Scholar] [CrossRef] [PubMed] [PubMed Central]
Ramana, K.; Revathi, A.; Gayathri, A.; Jhaveri, R.H.; Narayana, C.V.L.; Kumar, B.N. WOGRU-IDS—An intelligent intrusion detection system for IoT assisted Wireless Sensor Networks. Comput. Commun. 2022, 196, 195–206. [Google Scholar] [CrossRef]
Shurman, M.M.; Khrais, R.; Yateem, A.A. DoS and DDoS attack detection using deep learning and IDS. Int. Arab. J. Inf. Technol. 2020, 17, 655–661. [Google Scholar] [CrossRef]
Sabitha, R.; Gopikrishnan, S.; Bejoy, B.J.; Anusuya, V.; Saravanan, V. Network-Based Detection of IoT Attack Using AIS-IDS Model. Wirel. Pers. Commun. 2023, 128, 1543–1566. [Google Scholar] [CrossRef]
Zhou, M.; Han, L.; Lu, H.; Fu, C. Intrusion Detection System for IoT Heterogeneous Perceptual Network. Mob. Netw. Appl. 2021, 26, 1461–1474. [Google Scholar] [CrossRef]
Babu, E.S.; BKN, S.; Nayak, S.R.; Verma, A.; Alqahtani, F.; Tolba, A.; Mukherjee, A. Blockchain-based Intrusion Detection System of IoT urban data with device authentication against DDoS attacks. Comput. Electr. Eng. 2022, 103, 108287. [Google Scholar] [CrossRef]
Nguyen, T.D.; Marchal, S.; Miettinen, M.; Fereidooni, H.; Asokan, N.; Sadeghi, A.-R. DÏoT: A Federated Self-learning Anomaly Detection System for IoT. In Proceedings of the 2019 IEEE 39th International Conference on Distributed Computing Systems, Dallas, TX, USA, 7–10 July 2019. [Google Scholar]
Chauhan, S.; Gangopadhyay, S.; Gangopadhyay, A.K. Intrusion Detection System for IoT Using Logical Analysis of Data and Information Gain Ratio. Cryptography 2022, 6, 62. [Google Scholar] [CrossRef]
James, F. IoT cybersecurity based smart home intrusion prevention system. In Proceedings of the 2019 3rd Cyber Security in Networking Conference (CSNet), Quito, Ecuador, 23–25 October 2019; pp. 107–113. [Google Scholar]
Sharma, P.K.; Singh, S.; Jeong, Y.-S.; Park, J.H. Distblocknet: A distributed blockchains-based secure sdn architecture for IoT networks. IEEE Commun. Mag. 2017, 55, 78–85. [Google Scholar] [CrossRef]
Rani, S.; Babbar, H.; Srivastava, G.; Gadekallu, T.R.; Dhiman, G. Security Framework for Internet of Things based Software Defined Networks using Blockchain. IEEE Internet Things J. 2022, 10, 6074–6081. [Google Scholar] [CrossRef]
Ribera, E.G.; Alvarez, B.M.; Samuel, C.; Ioulianou, P.P.; Vassilakis, V.G. An Intrusion Detection System for RPL-Based IoT Networks. Electronics 2022, 11, 4041. [Google Scholar] [CrossRef]

Figure 1. Typical IoT Architecture.

Figure 2. Categories of intrusion detection techniques.

Figure 3. Classification of ML techniques.

Figure 4. IoT IDS publication distribution.

Figure 5. Generic IDS Architecture.

Table 1. Summary of IoT-oriented security attacks.

Attack	Description	Perception Layer	Network Layer	Processing Layer	Application Layer
DoS/DDoS	Overwhelm network bandwidth or exhaust computational resources. Can be launched from single and multiple sources, respectively.	X	X	X	X
Botnets	Use compromised devices in the network layer to launch coordinated attacks on other targets.		X	X	X
MitM	Intercepts alter or redirect the data packets in transit.		X
Spoofing	Impersonate legitimate devices or their data, servers, or users, or possibly bypass authentication or authorization mechanisms.	X	X
Code injection	Exploit vulnerabilities or inject malicious code into devices or servers.			X	X
Replay	Capture and resend valid data packets or commands sent between IoT devices and their servers, resulting in unwanted or undesirable actions or possibly bypassing authentication or authorization mechanisms.	X	X
APTs	Use stealthy and sophisticated methods to infiltrate and persist in specific devices or networks for a long period.	X	X	X	X
Encryption	Compromise the confidentiality or integrity of data or devices by targeting the encryption mechanisms or keys used by devices to decrypt, modify, or forge data.	X	X	X	X
Side-channel	Exploit the physical features or behaviours of devices or servers, including power consumption, timing, etc., to extract sensitive information such as encryption keys, passwords, etc.	X		X
Sybil	Create multiple fake identities or nodes to influence its operation, such as routing, consensus, reputation mechanisms, etc.		X	X
Eavesdropping	Intercept or monitor data packets in transit of devices, thereby compromising the confidentiality, privacy, or integrity of the data owners or users or revealing sensitive information.	X	X
Jamming attacks	Interfere with wireless communication by creating noise or signals that interrupt the frequency or channel as well as degrade the performance, availability, reliability, etc.	X	X
Sinkhole	Attract network traffic to a compromised node and then drop or modify the packets.		X	X
Wormhole	Create a tunnel between two malicious nodes and then relay packets through it to interrupt the routing, topology, and trust mechanisms or launch other attacks.		X	X
Ransomware	Encrypts IoT devices’ data and functionality and demands ransom for their restoration			X	X
Blackhole	Interrupt the regular flow of data and drop all packets received by a malicious node.		X	X
Flooding	Send many packets to a target node and cause congestion or overload.		X	X
MQTT	Exploit vulnerabilities in the MQTT protocol used for communication between devices and applications.		X		X
RF	Manipulate RF signals used by devices to cause interference or spoofing	X
Denial of sleep	Prevent devices from entering low-power sleep mode and draining their battery life.	X		X
Firmware and software vul.	Expose devices or servers to various types of attacks by exploiting bugs or flaws in their firmware or software.	X		X
Resource exhaustion	Deplete the resources of devices or servers such as memory, CPU, battery, etc., and degrade their performance.	X		X

Disclaimer/Publisher’s Note: The statements, opinions and data contained in all publications are solely those of the individual author(s) and contributor(s) and not of MDPI and/or the editor(s). MDPI and/or the editor(s) disclaim responsibility for any injury to people or property resulting from any ideas, methods, instructions or products referred to in the content.

© 2024 by the authors. Licensee MDPI, Basel, Switzerland. This article is an open access article distributed under the terms and conditions of the Creative Commons Attribution (CC BY) license (https://creativecommons.org/licenses/by/4.0/).

Share and Cite

MDPI and ACS Style

Isong, B.; Kgote, O.; Abu-Mahfouz, A. Insights into Modern Intrusion Detection Strategies for Internet of Things Ecosystems. Electronics 2024, 13, 2370. https://doi.org/10.3390/electronics13122370

AMA Style

Isong B, Kgote O, Abu-Mahfouz A. Insights into Modern Intrusion Detection Strategies for Internet of Things Ecosystems. Electronics. 2024; 13(12):2370. https://doi.org/10.3390/electronics13122370

Chicago/Turabian Style

Isong, Bassey, Otshepeng Kgote, and Adnan Abu-Mahfouz. 2024. "Insights into Modern Intrusion Detection Strategies for Internet of Things Ecosystems" Electronics 13, no. 12: 2370. https://doi.org/10.3390/electronics13122370

Note that from the first issue of 2016, this journal uses article numbers instead of page numbers. See further details here.

Article Menu

Insights into Modern Intrusion Detection Strategies for Internet of Things Ecosystems

Abstract

1. Introduction

2. Background Information

2.1. Internet of Things Overview

2.2. Intrusion Detection

3. Related Works

4. Methodology

5. Trendy Analysis of IoT-Based Intrusion Detection Strategies

5.1. IoT Security Attacks

5.2. Key Challenges of Intrusion Detection in IoT

5.3. Intrusion Detection Techniques

5.3.1. Machine Learning Based

5.3.2. Non-Machine Learning Based

5.4. Benchmark Datasets

5.5. Evaluation Metrics

6. Discussion and Future Research Directions

6.1. Discussion

6.2. Future Research Directions

7. Conclusions

Author Contributions

Funding

Data Availability Statement

Acknowledgments

Conflicts of Interest

References

Share and Cite

Article Metrics

Article Access Statistics

Further Information

Guidelines

MDPI Initiatives

Follow MDPI