Anomaly-Based Intrusion Detection Systems in IoT Using Deep Learning: A Systematic Literature Review
Abstract
1. Introduction
2. Contributions
- 1. This study systematically explores the existing techniques for anomaly-based intrusion detection systems that use DL techniques in IoT.
- 2. A general taxonomy is proposed for the different deep learning techniques used for constructing anomaly-based IDS in IoT.
- 3. This survey presents an analysis of the state-of-the-art DL-based techniques for anomaly-based intrusion detection systems in IoT.
- 4. This study discusses the challenges and future direction of DL-based anomaly detection in the IoT domain.
3. Background and Related Works
4. Review Method
4.1. Development of the Protocol
4.2. Planning the Review
4.3. The Need for a Systematic Review
4.4. Research Questions
- Q1: What is the comprehensive taxonomy of anomaly-based intrusion detection in IoT using deep learning techniques?
- Q2: What is the performance of anomaly-based intrusion detection in IoT using deep learning techniques?
- Q3: What are the challenges in the existing anomaly intrusion detection deep learning techniques in IoT?
4.5. The Review Protocol
5. Search Strategy
5.1. Primary Records Selection
5.2. Secondary Records Selection
5.3. Inclusion Criteria
- 1. Publication of articles in peer-reviewed journals.
- 2. Accessible research articles.
- 3. Content relevant to anomaly intrusion detection systems in IoT using deep learning.
5.4. Exclusion Criteria
- 1. Research articles published in predatory journals according to Beall’s list.
- 2. Inaccessible articles.
- 3. Articles irrelevant to anomaly intrusion detection systems in IoT using deep learning.
5.5. Quality Assessment (QA) of the Eligible Included Records
- QA1: Is the topic related to anomaly intrusion detection in IoT using deep learning techniques?
- QA2: Is the research methodology adequately interpreted in the manuscript?
- QA3: Is there an adequate clarification on the background review in which the study was conducted?
- QA4: Is there a comprehensible declaration regarding the research objectives?
5.6. Data Extraction and Synthesis of the Systematic Literature Review
6. Results
6.1. Studies Selection and Quality Assessment
6.2. Overview of Publication Sources
7. Outcomes
7.1. RQ1: What Is the Comprehensive Taxonomy of Anomaly Intrusion Detection in IoT Using Deep Learning Techniques?
- Supervised: in a supervised manner, anomalies are detected using labeled datasets, from which a model of the normal behavior of the network or system is constructed. Supervised anomaly detection techniques can leverage the measurement of distance as well as the density of clusters for the detection of intrusions.
- Unsupervised: in an unsupervised manner, the approach assumes a greater frequency of normal behaviors, thus leading to the establishment of the model on assumptions, wherein there is no need for any labeled data for training.
- Semi-supervised: in a semi-supervised manner, the algorithm is trained upon a combination of labeled and unlabeled data.
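The unsupervised assumption in the list above (normal behavior is the more frequent one) can be checked directly. The following is an added example, not code from the reviewed studies: a median/MAD distance detector stands in for a deep model, all flow values are constructed, and the second data set inverts the class balance to show what happens when attack records outnumber normal ones.

```python
import statistics

# Constructed per-flow features (not taken from any dataset named on this page):
# (packets per second, mean payload bytes, distinct destination ports)
NORMAL = [(10, 120, 2), (12, 118, 3), (11, 125, 4), (9, 122, 3),
          (13, 119, 2), (10, 121, 3), (12, 124, 4), (11, 117, 3),
          (14, 123, 5), (10, 120, 3), (11, 126, 4), (12, 122, 3)]
FLOODS = [(400, 60, 3), (350, 64, 4), (380, 62, 3), (410, 61, 2), (390, 63, 3),
          (370, 60, 4), (405, 62, 3), (395, 64, 2), (360, 61, 3)]
SCAN = (15, 121, 90)

# Labels (True = attack) are used only to grade the detector, never to fit it.
MIXED = NORMAL + [FLOODS[0], SCAN, FLOODS[1]]      # normal traffic is the majority
MIXED_LABELS = [False] * 12 + [True] * 3
ATTACK_HEAVY = NORMAL[:4] + FLOODS                 # attack traffic is the majority
ATTACK_HEAVY_LABELS = [False] * 4 + [True] * 9


def fit(samples):
    """Learn a per-feature (centre, scale) profile from unlabeled samples."""
    profile = []
    for column in zip(*samples):
        centre = statistics.median(column)
        deviations = [abs(v - centre) for v in column]
        # 1.4826 * MAD estimates the standard deviation for Gaussian data.
        scale = 1.4826 * statistics.median(deviations)
        if scale == 0:
            # MAD collapses when over half the values are identical;
            # fall back to the mean absolute deviation (1.2533 * MeanAD).
            scale = 1.2533 * statistics.fmean(deviations)
        profile.append((centre, scale))
    return profile


def score(profile, sample):
    """Largest robust z-score of the sample across all features."""
    worst = 0.0
    for value, (centre, scale) in zip(sample, profile):
        distance = abs(value - centre)
        if scale == 0:  # feature was constant in the fitting data
            z = float("inf") if distance else 0.0
        else:
            z = distance / scale
        worst = max(worst, z)
    return worst


def evaluate(samples, labels, threshold=3.5):
    """Fit on the unlabeled samples, flag outliers, grade against the labels."""
    profile = fit(samples)
    tp = fp = fn = tn = 0
    for sample, is_attack in zip(samples, labels):
        flagged = score(profile, sample) > threshold
        if flagged and is_attack:
            tp += 1
        elif flagged:
            fp += 1
        elif is_attack:
            fn += 1
        else:
            tn += 1
    return {
        "tp": tp, "fp": fp, "fn": fn, "tn": tn,
        "precision": tp / (tp + fp) if tp + fp else 0.0,
        "recall": tp / (tp + fn) if tp + fn else 0.0,
        "far": fp / (fp + tn) if fp + tn else 0.0,  # false alarm rate
    }


if __name__ == "__main__":
    print("normal-majority:", evaluate(MIXED, MIXED_LABELS))
    print("attack-majority:", evaluate(ATTACK_HEAVY, ATTACK_HEAVY_LABELS))
```

With normal traffic in the majority the detector separates the classes; with attacks in the majority the learned profile describes the flood, so every normal flow is flagged and every attack is missed.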
7.2. RQ2: What Is the Performance of Anomaly Intrusion Detection in IoT Using Deep Learning Techniques?
7.2.1. Analysis of Accuracy Range
7.2.2. Analysis of Type of Attacks Detected
7.2.3. Tools and Environments Applied by the Studied Work
7.2.4. Analysis of the Used Datasets
7.3. RQ3: What Are the Challenges Faced in Current Anomaly Intrusion Detection Deep Learning Techniques in IoT?
7.3.1. Threat Detection
7.3.2. Computational and Resource Constraint
7.3.3. Time Complexity
7.3.4. Edge Computing and Security
7.3.5. Training Time
8. Discussion
9. Future Direction
10. Limitation of the Study
- 1. This review is limited to articles and does not include books, magazines, and conferences related to deep learning in IoT.
- 2. This review is limited to papers available in the English language.
11. Conclusions
Author Contributions
Funding
Institutional Review Board Statement
Informed Consent Statement
Conflicts of Interest
References
- Atzori, L.; Iera, A.; Morabito, G. Understanding the Internet of Things: Definition, potentials, and societal role of a fast evolving paradigm. Ad Hoc Netw. 2017, 56, 122–140.
- Elrawy, M.F.; Awad, A.I.; Hamed, H.F.A. Intrusion detection systems for IoT-based smart environments: A survey. J. Cloud Comput. 2018, 7, 21.
- Da Xu, L.; He, W.; Li, S. Internet of things in industries: A survey. IEEE Trans. Ind. Inform. 2014, 10, 2233–2243.
- Lin, J.; Yu, W.; Zhang, N.; Yang, X.; Zhang, H.; Zhao, W. A Survey on Internet of Things: Architecture, Enabling Technologies, Security and Privacy, and Applications. IEEE Internet Things J. 2017, 4, 1125–1142.
- Almiani, M.; AbuGhazleh, A.; Al-Rahayfeh, A.; Atiewi, S.; Razaque, A. Deep recurrent neural network for IoT intrusion detection system. Simul. Model. Pract. Theory 2020, 101, 102031.
- Moore, S.J.; Nugent, C.D.; Zhang, S.; Cleland, I. IoT reliability: A review leading to 5 key research directions. CCF Trans. Pervasive Comput. Interact. 2020, 2, 147–163.
- Ferrag, M.A.; Shu, L.; Yang, X.; Derhab, A.; Maglaras, L. Security and Privacy for Green IoT-Based Agriculture: Review, Blockchain Solutions, and Challenges. IEEE Access 2020, 8, 32031–32053.
- Farooq, M.S.; Riaz, S.; Abid, A.; Abid, K.; Naeem, M.A. A Survey on the Role of IoT in Agriculture for the Implementation of Smart Farming. IEEE Access 2019, 7, 156237–156271.
- Ruan, J.; Wang, Y.; Chan, F.T.S.; Hu, X.; Zhao, M.; Zhu, F.; Shi, B.; Shi, Y.; Lin, F. A Life Cycle Framework of Green IoT-Based Agriculture and Its Finance, Operation, and Management Issues. IEEE Commun. Mag. 2019, 57, 90–96.
- Pal, S.; Hitchens, M.; Rabehaja, T.; Mukhopadhyay, S. Security Requirements for the Internet of Things: A Systematic Approach. Sensors 2020, 20, 5897.
- Ghaleb, F.A.; Maarof, M.A.; Zainal, A.; Rassam, M.; Saeed, F.; Alsaedi, M. Context-aware data-centric misbehaviour detection scheme for vehicular ad hoc networks using sequential analysis of the temporal and spatial correlation of the consistency between the cooperative awareness messages. Veh. Commun. 2019, 20, 100186.
- Hameed, S.; Khan, F.I.; Hameed, B. Understanding Security Requirements and Challenges in Internet of Things (IoT): A Review. J. Comput. Netw. Commun. 2019, 2019, 9629381.
- Diro, A.A.; Chilamkurti, N. Distributed attack detection scheme using deep learning approach for Internet of Things. Futur. Gener. Comput. Syst. 2018, 82, 761–768.
- Thamilarasu, G.; Chawla, S. Towards Deep-Learning-Driven Intrusion Detection for the Internet of Things. Sensors 2019, 19, 1977.
- Yang, Y.; Zheng, K.; Wu, C.; Yang, Y. Improving the classification effectiveness of intrusion detection by using improved conditional variational autoencoder and deep neural network. Sensors 2019, 19, 2528.
- Shi, W.-C.; Sun, H.-M. DeepBot: A time-based botnet detection with deep learning. Soft Comput. 2020, 24, 16605–16616.
- Munir, M.; Siddiqui, S.A.; Dengel, A.; Ahmed, S. DeepAnT: A Deep Learning Approach for Unsupervised Anomaly Detection in Time Series. IEEE Access 2018, 7, 1991–2005.
- Shone, N.; Ngoc, T.N.; Phai, V.D.; Shi, Q. A Deep Learning Approach to Network Intrusion Detection. IEEE Trans. Emerg. Top. Comput. Intell. 2018, 2, 41–50.
- Hajiheidari, S.; Wakil, K.; Badri, M.; Navimipour, N.J. Intrusion detection systems in the Internet of things: A comprehensive investigation. Comput. Netw. 2019, 160, 165–191.
- Fahim, M.; Sillitti, A. Anomaly Detection, Analysis and Prediction Techniques in IoT Environment: A Systematic Literature Review. IEEE Access 2019, 7, 81664–81681.
- da Costa, K.A.; Papa, J.P.; Lisboa, C.O.; Munoz, R.; de Albuquerque, V.H.C. Internet of Things: A survey on machine learning-based intrusion detection approaches. Comput. Netw. 2019, 151, 147–157.
- Chalapathy, R.; Chawla, S. Deep learning for anomaly detection: A survey. arXiv 2019, arXiv:1901.03407.
- Sharma, B.; Sharma, L.; Lal, C. Anomaly Detection Techniques using Deep Learning in IoT: A Survey. In Proceedings of the 2019 International Conference on Computational Intelligence and Knowledge Economy (ICCIKE), Dubai, United Arab Emirates, 11–12 December 2019; IEEE: Piscataway, NJ, USA, 2020.
- Alsoufi, M.A.; Razak, S.; Siraj, M.M.; Ali, A.; Nasser, M.; Abdo, S. Anomaly Intrusion Detection Systems in IoT Using Deep Learning Techniques: A Survey; Springer International Publishing: Cham, Switzerland, 2021.
- Kitchenham, B.; Charters, S. Guidelines for Performing Systematic Literature Reviews in Software Engineering; EBSE Technical Report; Keele University: Keele, UK, 2007.
- Kitchenham, B.; Brereton, P. A systematic review of systematic review process research in software engineering. Inf. Softw. Technol. 2013, 55, 2049–2075.
- Milani, B.A.; Navimipour, N.J. A Systematic Literature Review of the Data Replication Techniques in the Cloud Environments. Big Data Res. 2017, 10, 1–7.
- Safaei, M.; Asadi, S.; Driss, M.; Boulila, W.; Alsaeedi, A.; Chizari, H.; Abdullah, R.; Safaei, M. A systematic literature review on outlier detection in wireless sensor networks. Symmetry 2020, 12, 328.
- Nidhra, S.; Yanamadala, M.; Afzal, W.; Torkar, R. Knowledge transfer challenges and mitigation strategies in global software development—A systematic literature review and industrial validation. Int. J. Inf. Manag. 2013, 33, 333–355.
- Xu, R.; Cheng, Y.; Liu, Z.; Xie, Y.; Yang, Y. Improved Long Short-Term Memory based anomaly detection with concept drift adaptive method for supporting IoT services. Futur. Gener. Comput. Syst. 2020, 112, 228–242.
- Nguyen, G.; Dlugolinsky, S.; Tran, V.; Garcia, A.L. Deep Learning for Proactive Network Monitoring and Security Protection. IEEE Access 2020, 8, 19696–19716.
- Li, X.; Xu, M.; Vijayakumar, P.; Kumar, N.; Liu, X. Detection of Low-Frequency and Multi-Stage Attacks in Industrial Internet of Things. IEEE Trans. Veh. Technol. 2020, 69, 8820–8831.
- Parra, G.D.L.T.; Rad, P.; Choo, K.-K.R.; Beebe, N. Detecting Internet of Things attacks using distributed deep learning. J. Netw. Comput. Appl. 2020, 163, 102662.
- Kim, J.; Kim, J.; Kim, H.; Shim, M.; Choi, E. CNN-Based Network Intrusion Detection against Denial-of-Service Attacks. Electronics 2020, 9, 916.
- Jung, W.; Zhao, H.; Sun, M.; Zhou, G. IoT botnet detection via power consumption modeling. Smart Health 2020, 15, 100103.
- Li, Y.; Xu, Y.; Liu, Z.; Hou, H.; Zheng, Y.; Xin, Y.; Zhao, Y.; Cui, L. Robust detection for network intrusion of industrial IoT based on multi-CNN fusion. Measurement 2020, 154, 107450.
- Yin, C.; Zhang, S.; Wang, J.; Xiong, N.N. Anomaly Detection Based on Convolutional Recurrent Autoencoder for IoT Time Series. IEEE Trans. Syst. Man Cybern. Syst. 2020, 1–11.
- Al-Hawawreh, M.; Moustafa, N.; Sitnikova, E. Identification of malicious activities in industrial internet of things based on deep learning models. J. Inf. Secur. Appl. 2018, 41, 1–11.
- Protogerou, A.; Papadopoulos, S.; Drosou, A.; Tzovaras, D.; Refanidis, I. A graph neural network method for distributed anomaly detection in IoT. Evol. Syst. 2020, 12, 19–36.
- Manimurugan, S.; Al-Mutairi, S.; Aborokbah, M.M.; Chilamkurti, N.; Ganesan, S.; Patan, R. Effective Attack Detection in Internet of Medical Things Smart Environment Using a Deep Belief Neural Network. IEEE Access 2020, 8, 77396–77404.
- Meidan, Y.; Bohadana, M.; Mathov, Y.; Mirsky, Y.; Shabtai, A.; Breitenbacher, D.; Elovici, Y. N-BaIoT—Network-Based Detection of IoT Botnet Attacks Using Deep Autoencoders. IEEE Pervasive Comput. 2018, 17, 12–22.
- Gurina, A.; Eliseev, V. Anomaly-Based Method for Detecting Multiple Classes of Network Attacks. Information 2019, 10, 84.
- Kim, S.; Hwang, C.; Lee, T. Anomaly Based Unknown Intrusion Detection in Endpoint Environments. Electronics 2020, 9, 1022.
- Telikani, A.; Gandomi, A.H. Cost-sensitive stacked auto-encoders for intrusion detection in the Internet of Things. Internet Things 2019, 14, 100122.
- Hwang, R.-H.; Peng, M.-C.; Huang, C.-W.; Lin, P.-C.; Nguyen, V.-L. An Unsupervised Deep Learning Model for Early Network Traffic Anomaly Detection. IEEE Access 2020, 8, 30387–30399.
- Malaiya, R.K.; Kwon, D.; Suh, S.C.; Kim, H.; Kim, I.; Kim, J. An Empirical Evaluation of Deep Learning for Network Anomaly Detection. IEEE Access 2019, 7, 140806–140817.
- Li, D.; Deng, L.; Lee, M.; Wang, H. IoT data feature extraction and intrusion detection system for smart cities based on deep migration learning. Int. J. Inf. Manag. 2019, 49, 533–545.
- Lopez-Martin, M.; Carro, B.; Sanchez-Esguevillas, A.; Lloret, J. Conditional Variational Autoencoder for Prediction and Feature Recovery Applied to Intrusion Detection in IoT. Sensors 2017, 17, 1967.
- Cheng, Y.; Xu, Y.; Zhong, H.; Liu, Y. Leveraging Semi-supervised Hierarchical Stacking Temporal Convolutional Network for Anomaly Detection in IoT Communication. IEEE Internet Things J. 2020, 8, 144–155.
- Sokolova, M.; Lapalme, G. A systematic analysis of performance measures for classification tasks. Inf. Process. Manag. 2009, 45, 427–437.
- Powers, D.M. Evaluation: From precision, recall and F-measure to ROC, informedness, markedness and correlation. arXiv 2011, arXiv:2010.16061.
- Xin, Y.; Kong, L.; Liu, Z.; Chen, Y.; Li, Y.; Zhu, H.; Gao, M.; Hou, H.; Wang, C. Machine Learning and Deep Learning Methods for Cybersecurity. IEEE Access 2018, 6, 35365–35381.
- Marir, N.; Wang, H.; Feng, G.; Li, B.; Jia, M. Distributed Abnormal Behavior Detection Approach Based on Deep Belief Network and Ensemble SVM Using Spark. IEEE Access 2018, 6, 59657–59671.
- Amanullah, M.A.; Habeeb, R.A.A.; Nasaruddin, F.H.; Gani, A.; Ahmed, E.; Nainar, A.S.M.; Akim, N.M.; Imran, M. Deep learning and big data technologies for IoT security. Comput. Commun. 2020, 151, 495–517.
- Moustafa, N.; Slay, J. UNSW-NB15: A comprehensive data set for network intrusion detection systems (UNSW-NB15 network data set). In Proceedings of the 2015 Military Communications and Information Systems Conference (MilCIS), Canberra, Australia, 10–12 November 2015; IEEE: Piscataway, NJ, USA, 2016.
- Koroniotis, N.; Moustafa, N.; Sitnikova, E.; Turnbull, B. Towards the development of realistic botnet dataset in the internet of things for network forensic analytics: Botiot dataset. Future Gener. Comput. Syst. 2019, 100, 779–796.
- Song, J.; Takakura, H.; Okabe, Y. Description of Kyoto University Benchmark Data. 2006. Available online: http://www.takakura.com/Kyoto_data/BenchmarkData-Description-v5.pdf (accessed on 15 March 2016).
- Tang, T.A.; Mhamdi, L.; McLernon, D.; Zaidi, S.A.R.; Ghogho, M. Deep learning approach for network intrusion detection in software defined networking. In Proceedings of the 2016 International Conference on Wireless Networks and Mobile Communications (WINCOM), Fez, Morocco, 26–29 October 2016; IEEE: Piscataway, NJ, USA, 2016.
- Hossain, M.M.; Fotouhi, M.; Hasan, R. Towards an analysis of security issues, challenges, and open problems in the internet of things. In Proceedings of the 2015 IEEE World Congress on Services, New York, NY, USA, 27 June–2 July 2015; IEEE: Piscataway, NJ, USA, 2015.
- Kotenko, I.; Saenko, I.; Branitskiy, A. Framework for Mobile Internet of Things Security Monitoring Based on Big Data Processing and Machine Learning. IEEE Access 2018, 6, 72714–72723.
- Vinayakumar, R.; Alazab, M.; Soman, K.P.; Poornachandran, P.; Al-Nemrat, A.; Venkatraman, S. Deep Learning Approach for Intelligent Intrusion Detection System. IEEE Access 2019, 7, 41525–41550.
- Guo, Y.; Liu, Y.; Oerlemans, A.; Lao, S.; Wu, S.; Lew, M.S. Deep learning for visual understanding: A review. Neurocomputing 2016, 187, 27–48.
- Kozik, R.; Choraś, M.; Ficco, M.; Palmieri, F. A scalable distributed machine learning approach for attack detection in edge computing environments. J. Parallel Distrib. Comput. 2018, 119, 18–26.
- Lu, Z.; Wang, N.; Wu, J.; Qiu, M. IoTDeM: An IoT Big Data-oriented MapReduce performance prediction extended model in multiple edge clouds. J. Parallel Distrib. Comput. 2018, 118, 316–327.
- Zhao, Z.; Kumar, A. Accurate periocular recognition under less constrained environment using semantics-assisted convolutional neural network. IEEE Trans. Inf. Forensics Secur. 2016, 12, 1017–1030.
- HaddadPajouh, H.; Dehghantanha, A.; Khayami, R.; Choo, K.-K.R. A deep Recurrent Neural Network based approach for Internet of Things malware threat hunting. Futur. Gener. Comput. Syst. 2018, 85, 88–96.
Paper Name | Year | IoT | Systematic Study | Anomaly-Based | Deep Learning |
---|---|---|---|---|---|
Fahim et al. [20] | 2019 | √ | √ | √ | x |
Hajiheidari et al. [19] | 2019 | √ | √ | x | x |
Sharma et al. [23] | 2019 | √ | x | √ | √ |
Alsoufi, Razak [24] | 2021 | √ | x | √ | √ |
This work | | √ | √ | √ | √ |
Database Name | Keywords | Records | Total |
---|---|---|---|
IEEE Xplore | “Anomaly intrusion detection” AND “Internet of things” | 113 | 1263 |
 | “Anomaly intrusion detection” AND “Deep learning” | 109 | |
 | “Anomaly intrusion detection system” AND “Internet of things” | 96 | |
 | “Anomaly intrusion detection system” AND “Deep learning” | 96 | |
 | “Anomaly-based” AND “Internet of things” | 411 | |
 | “Anomaly-based” AND “Deep learning” | 442 | |
Science direct | “Anomaly intrusion detection” AND “Internet of things” | 6 | 344 |
 | “Anomaly intrusion detection” AND “Deep learning” | 4 | |
 | “Anomaly intrusion detection system” AND “Internet of things” | 1 | |
 | “Anomaly intrusion detection system” AND “Deep learning” | 1 | |
 | “Anomaly-based” AND “Internet of things” | 188 | |
 | “Anomaly-based” AND “Deep learning” | 144 | |
Scopus | “Anomaly intrusion detection” AND “Internet of things” | 4 | 138 |
 | “Anomaly intrusion detection” AND “Deep learning” | 12 | |
 | “Anomaly intrusion detection system” AND “Internet of things” | 2 | |
 | “Anomaly intrusion detection system” AND “Deep learning” | 4 | |
 | “Anomaly-based” AND “Internet of things” | 69 | |
 | “Anomaly-based” AND “Deep learning” | 47 | |
Web of science | “Anomaly intrusion detection” AND “Internet of things” | 3 | 71 |
 | “Anomaly intrusion detection” AND “Deep learning” | 6 | |
 | “Anomaly intrusion detection system” AND “Internet of things” | 2 | |
 | “Anomaly intrusion detection system” AND “Deep learning” | 2 | |
 | “Anomaly-based” AND “Internet of things” | 36 | |
 | “Anomaly-based” AND “Deep learning” | 22 | |
MDPI | “Anomaly intrusion detection” AND “Internet of things” | 40 | 290 |
 | “Anomaly intrusion detection” AND “Deep learning” | 39 | |
 | “Anomaly intrusion detection system” AND “Internet of things” | 20 | |
 | “Anomaly intrusion detection system” AND “Deep learning” | 20 | |
 | “Anomaly-based” AND “Internet of things” | 90 | |
 | “Anomaly-based” AND “Deep learning” | 81 | |
Other sources | “Anomaly intrusion detection” AND “Internet of things” | 2 | 10 |
 | “Anomaly intrusion detection” AND “Deep learning” | 1 | |
 | “Anomaly intrusion detection system” AND “Internet of things” | 2 | |
 | “Anomaly intrusion detection system” AND “Deep learning” | 1 | |
 | “Anomaly-based” AND “Internet of things” | 2 | |
 | “Anomaly-based” AND “Deep learning” | 2 | |
Study | Techniques | Accuracy | Precision | Recall | FAR | F1-Measure | FPR | FNR |
---|---|---|---|---|---|---|---|---|
Lopez et al. [48] | AE | 80% | 81.59% | 80.1% | 79.08% | |||
Yang et al. [15] | VAE + DNN | 89.08% | 86.05 | 95.68 | 90.61 | 19.01 | ||
Cheng et al. [30] | LSTM | 98% | ||||||
Thamilarasu et al. [14] | DBN | 97% | ||||||
Shi et al. [16] | LSTM + RNN | 99.36% | 97.97% | 98.86%, | 98.42 | |||
Munir et al. [17] | CNN | 99% | 100% | |||||
Gurina et al. [41] | AE | 0.007 | ||||||
Manimurugan et al. [40] | DBN | 98.37% | 97.21%, | 98.34% | 97% | |||
Malaiya et al. [46] | CCN + VAE + LSTM | 99% | ||||||
Kim et al. [34] | CNN | 99%, | ||||||
Jung et al. [35] | CNN | 96.50%, | 85% | |||||
Gurina et al. [42] | AE | |||||||
Diro et al. [13] | Multi-Layer deep learning | 99.02% | 99.27% | 99.14% | 0.85% | |||
Parra et al. [33] | CNN + LSTM | 94.30% | 93.48% | 93.67% | 93.58% | 5.20% | ||
Cheng et al. [49] | CNN | 99.88% | 99.89% | 97.94% | 98.64% | |||
Moustafa et al. [38] | DFFNN | 98.4%, 92.5% | 99%, 93% | 1.8%, 8.2% | ||||
Xie et al. [31] | LSTM | |||||||
Zhao et al. [36] | CNN | 86.95% 76.67% | ||||||
Li et al. [32] | LSTM | 97.58% | 83.79% | 2.02% | 6.02% | |||
Kim et al. [43] | AE | 99.81% | ||||||
Hwang et al. [45] | CNN + AE | 100% | 100% | 100% | 100% | 0% | ||
Yin et al. [37] | CNN + AE | 99.62% | 98.78% | 97.2% | 98.78% | |||
Telikani et al. [44] | AE | 99.6 | 100% | 100% | 100% | 0.0057 | ||
Shone et al. [18] | AE | 97.85% | 100% | 100% | 85.42% | |||
Drosou et al. [39] | GNN/RNN | 99% | ||||||
Deng et al. [47] | DML | 99.78 | 98.99 | 91.05 | 0.22% |
Study | No. of Study | Techniques Used | Accuracy Range |
---|---|---|---|
[17,34,35,36,49] | 5 | CNN | (76.76–99.88%) |
[37,45] | 2 | CNN + AE | (99.62–100%) |
[18,41,42,43,44,48] | 6 | AE | (80–99.81%) |
[31,32] | 3 | LSTM | (79.58–98%) |
[33] | 1 | CNN + LSTM | (94.30%) |
[46] | 1 | CCN + VAE + LSTM | 99% |
[14,40] | 2 | DBN | (97–97.21%) |
[15] | 1 | VAE + DNN | 89.08% |
[16] | 1 | LSTM + RNN | 99.36% |
[39] | 1 | GNN/RNN | 99% |
[38] | 1 | DFFNN | 98.4% |
[13] | 1 | Multi-Layer deep learning | 99.02 |
[49] | 1 | DML | 99.78 |
Study | Techniques | TensorFlow | Keras | Scikit | PyTorch | R | SoftMax | Raspberry Pi | Cooja | MATLAB | Python | Sigmoid | Hybrid Analysis Site | Entropy, K LD |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Lopez et al. [48] | AE | √ | √ | |||||||||||
Yang et al. [15] | VAE + DNN | √ | ||||||||||||
Cheng et al. [30] | LSTM | √ | ||||||||||||
Thamilarasu et al. [14] | DBN | √ | √ | √ | ||||||||||
Shi et al. [16] | LSTM + RNN | √ | √ | √ | ||||||||||
Gurina et al. [41] | AE | √ | ||||||||||||
Manimurugan et al. [40] | DBN | √ | √ | √ | ||||||||||
Malaiya et al. [46] | CCN + VAE + LSTM | √ | √ | |||||||||||
Kim et al. [34] | CNN | √ | √ | |||||||||||
Jung et al. [35] | CNN | √ | ||||||||||||
Gurina et al. [42] | AE | √ | ||||||||||||
Diro et al. [13] | Multi-Layer deep learning | √ | ||||||||||||
Parra et al. [33] | CNN + LSTM | √ | ||||||||||||
Cheng et al. [49] | CNN | √ | ||||||||||||
Moustafa et al. [38] | DFFNN | √ | ||||||||||||
Xie et al. [31] | LSTM | √ | √ | |||||||||||
Zhao et al. [36] | CNN | √ | √ | |||||||||||
Li et al. [32] | LSTM | √ | ||||||||||||
Kim et al. [43] | AE | √ | ||||||||||||
Hwang et al. [45] | CNN + AE | √ | √ | |||||||||||
Yin et al. [37] | CNN + AE | √ | ||||||||||||
Telikani et al. [44] | AE | √ | ||||||||||||
Shone et al. [18] | AE | √ | ||||||||||||
Drosou et al. [39] | GNN/RNN | √ | ||||||||||||
Deng et al. [47] | DML | √ | ||||||||||||
Munir et al. [17] | CNN |
Study | Techniques | NSL-KDD | KDD CUP 1999 | UNSW-NB15 | CICIDS 2017 | Mirai | CSE-CIC-IDS2018 | N-BaIOT | Test-Bed | CTU-13 | Gas-Water | AWID | Yahoo Webscope S5 | Kyoto | MCFP | DS2OS | LOF | Synthetic |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Lopez et al. [48] | AE | √ | ||||||||||||||||
Yang et al. [15] | VAE + DNN | √ | √ | |||||||||||||||
Cheng et al. [30] | LSTM | √ | ||||||||||||||||
Thamilarasu et al. [14] | DBN | √ | ||||||||||||||||
Shi et al. [16] | LSTM + RNN | √ | ||||||||||||||||
Munir et al. [17] | CNN | √ | ||||||||||||||||
Gurina et al. [41] | AE | √ | ||||||||||||||||
Manimurugan et al. [40] | DBN | √ | ||||||||||||||||
Malaiya et al. [46] | CCN + VAE + LSTM | √ | √ | |||||||||||||||
Kim et al. [34] | CNN | √ | √ | |||||||||||||||
Jung et al. [35] | CNN | √ | ||||||||||||||||
Gurina et al. [42] | AE | √ | ||||||||||||||||
Diro et al. [13] | Multi-Layer deep learning | √ | ||||||||||||||||
Parra et al. [33] | CNN + LSTM | √ | ||||||||||||||||
Cheng et al. [49] | CNN | √ | ||||||||||||||||
Moustafa et al. [38] | DFFNN | √ | √ | |||||||||||||||
Xie et al. [31] | LSTM | √ | ||||||||||||||||
Zhao et al. [36] | CNN | √ | ||||||||||||||||
Li et al. [32] | LSTM | √ | √ | √ | ||||||||||||||
Kim et al. [43] | AE | √ | ||||||||||||||||
Hwang et al. [45] | CNN + AE | √ | ||||||||||||||||
Yin et al. [37] | CNN + AE | √ | ||||||||||||||||
Telikani et al. [44] | AE | √ | √ | |||||||||||||||
Shone et al. [18] | AE | √ | √ | |||||||||||||||
Drosou et al. [39] | GNN/RNN | √ | √ | |||||||||||||||
Deng et al. [47] | DML | √ |
Dataset | Published Year | IoT Specific | Features | No. of Classes | Total Normal Records | Total Attack Records | Description |
---|---|---|---|---|---|---|---|
NSL-KDD | 2009 | NO | 43 | 4 | 77,054 | 71.463 | This dataset is an extension of the dataset “KDDCUP 99”. The duplicate records were removed, but it lacks modern large-scale attacks. Moreover, it is not IoT specific. It contains 22 attack types in the training dataset and 17 attack types in the test dataset, which are categorized as 4 attack classes. |
KDD CUP 1999 | 1999 | NO | 43 | 4 | 1,033,372 | 4,176,086 | This dataset does not contain modern attack data and modern large-scale attacks. Moreover, it contains unbalanced labels, and this dataset is not specific to the IoT. |
UNSW-NB15 | 2015 | NO | 49 | 9 | 2,218,761 | 321,283 | This dataset is based on a synthetic environment for generating attack activities. It contains approximately one hour of anonymized traffic traces from a DDoS attack in 2007. |
CICIDS 2017 | 2017 | NO | 80 | 14 | 2,273,097 | 557,646 | This dataset is not specific to the IoT. It contains complex features that are not present in previous datasets. However, it contains a modern large-scale attack. |
CSE-CIC-IDS2018 | 2018 | NO | 80 | 18 | N/A | N/A | This dataset is not specific to the IoT. However, it contains a modern large-scale attack. |
N-BaIOT | 2018 | YES | 115 | 8 | 17,936 | 831,298 | This dataset contains IoT traffic, but it is unbalanced, due to the normal records being smaller than malicious records. |
AWID | 2015 | NO | 155 | 4 | 530,785 | 44,858 | This dataset is not specific to the IoT. However, it contains modern types of attacks. |
Yahoo Webscope S5/A1 | 2015 | NO | - | - | 93,197 | 1669 | This dataset contains web traffic, which includes normal and attacks traffic. However, it is not specific to the IoT. |
Kyoto | 2006 | NO | 24 | - | 50,033,015 | 43,043,255 | This dataset is not specific to the IoT. However, it contains modern types of attacks [57]. |
Study | IDS Architecture | Techniques Used | Methodology | Advantages | Disadvantages |
---|---|---|---|---|---|
Lopez et al. [48] | Network-based | AE | Proposed a model to perform feature reconstruction and detect malicious activity in the IoT environment. | | |
Yang et al. [15] | Network-based | VAE + DNN | Proposed a model to monitor unknown attacks using AE and DNN to learn complex traffic and imbalanced classes. | | |
Cheng et al. [30] | Network-based | LSTM | Proposed a model that adopts an innovative concept drift method to improve the accuracy of anomaly detection using LSTM. | | |
Thamilarasu et al. [14] | Network-based | DBN | Proposed an intelligent IDS to detect malicious traffic in IoT networks using DBN. | | |
Shi et al. [16] | Network-based | LSTM + RNN | Proposed an approach that analyzes a series of network packets to detect botnets using LSTM and RNN for better classification. | | |
Munir et al. [17] | Network-based | CNN | Proposed the DeepAnT model for anomaly detection and time series prediction. | | |
Gurina et al. [41] | Network-based | AE | Proposed N-BaIoT to extract network traffic and detect anomalies from resource-constrained devices. | | |
Manimurugan et al. [40] | Centralized Host-Based | DBN | Proposed an approach to detect anomaly attacks in the IoT environment. | | |
Malaiya et al. [46] | Network-based | CCN + VAE + LSTM | Proposed an approach to detect anomalies in IoT networks by combining three deep learning techniques. | | |
Kim et al. [34] | Network-based | CNN | Proposed an approach to detect anomalies in the IoT environment, focusing on DoS attacks. | | |
Jung et al. [35] | Host-based | CNN | Proposed an approach to monitor malicious botnets on resource-constrained IoT devices using three types of IoT devices. | | |
Gurina et al. [42] | Host-based | AE | Proposed an approach to detect malicious activity in a web server during the processing of users’ requests, considering the MyBB web server as a case study. | | |
Diro et al. [13] | Distributed Network-Based | Multi-Layer deep learning | Proposed a distributed approach to detect attacks in social IoT. | | |
Parra et al. [33] | Distributed Network-Based | CNN + LSTM | Proposed a distributed cloud-based approach to detect and mitigate phishing and botnet attacks on client devices. | | |
Cheng et al. [49] | Centralized Host-Based | CNN | Proposed a semi-supervised model to detect anomalies in IoT communication. | | |
Moustafa et al. [38] | Network-based | DFFNN | Proposed anomaly detection to learn and validate the information collected from TCP/IP packets. | | |
Xie et al. [31] | Network-based | LSTM | Proposed an approach to monitor and detect malicious activity in the network traffic flow. | | |
Zhao et al. [36] | Network-based | CNN | Proposed an approach to detect intrusion in industrial IoT. | | |
Li et al. [32] | Network-based | LSTM | Proposed an approach to detect attack intervals from historic data in industrial IoT. | | |
Kim et al. [43] | Host-based | AE | Proposed an approach to analyze attack profiles and detect threats and abnormal behavior that deviates from normal behavior in IoT devices. | | |
Hwang et al. [45] | Network-based | CNN + AE | Proposed the D-PACK anomaly approach to detect features and profile traffic using just the first few packets of each flow in IoT networks. | | |
Yin et al. [37] | Network-based | CNN + AE | Proposed an approach to detect anomalies and to enhance classification in time series. | | |
Telikani et al. [44] | Network-based | AE | Proposed CSSAE (cost-sensitive stacked auto-encoder) to solve the class imbalance problem in IDS and detect low-frequency attacks in the IoT environment. | | |
Shone et al. [18] | Network-based | AE | Proposed a model for dimensionality reduction of the data and detection of malicious activity in the IoT environment. | | |
Drosou et al. [39] | Distributed Network-based | GNN/RNN | Proposed collaborative anomaly intrusion detection to detect malicious activity for IoT devices. | | |
Deng et al. [47] | Network-based | DML | Proposed an approach for feature extraction and detection of malicious activity for smart cities. | | |
© 2021 by the authors. Licensee MDPI, Basel, Switzerland. This article is an open access article distributed under the terms and conditions of the Creative Commons Attribution (CC BY) license (https://creativecommons.org/licenses/by/4.0/).
Alsoufi, M.A.; Razak, S.; Siraj, M.M.; Nafea, I.; Ghaleb, F.A.; Saeed, F.; Nasser, M. Anomaly-Based Intrusion Detection Systems in IoT Using Deep Learning: A Systematic Literature Review. Appl. Sci. 2021, 11, 8383. https://doi.org/10.3390/app11188383