Insights into Modern Intrusion Detection Strategies for Internet of Things Ecosystems
Abstract
1. Introduction
- We carried out a systematic study to select recent research papers, both journal articles and some relevant conference proceedings with a focal point on ML/DL-based and non-ML-based IDS strategies published between 2016 and 2023;
- We comprehensively reviewed and analyzed each selected paper and discussed several aspects, including the techniques applied and their effectiveness, attacks and threats, evaluation metrics, and the datasets used;
- We also highlighted various challenges facing IoT-based IDS and the security of IoT environments and provided different important future directions.
2. Background Information
2.1. Internet of Things Overview
2.2. Intrusion Detection
3. Related Works
4. Methodology
- i. What are the various types of attacks and threats that affect the IoT ecosystem?
- ii. What are the challenges faced by IoT and IoT-based IDS methods?
- iii. What are the current IoT-based IDS techniques and their effectiveness?
- iv. What are the important evaluation metrics used in evaluating the IDS models?
- v. What are the important benchmark datasets utilized in training and testing IDS models?
- vi. What are some important research directions for future research?
5. Trendy Analysis of IoT-Based Intrusion Detection Strategies
5.1. IoT Security Attacks
5.2. Key Challenges of Intrusion Detection in IoT
- Data characteristics and dimensions: The complexity of managing network traffic data is heightened due to its high-dimensional features and the extensive number of access points within Internet-connected services [26]. In addition, the categorization of botnet intrusions in IoT networks through the KNN algorithm becomes particularly difficult when confronted with voluminous datasets [27]. In the same vein, the prevalence of class imbalance within IoT IDS adversely impacts the efficiency and accuracy of ML models that are developed based on these skewed datasets [28];
- Security vulnerabilities and attacks: Addressing IoT networks’ security vulnerabilities and attacks is inherently challenging, especially those that incorporate cloud technologies, as they are prone to various attacks [29]. The task of ensuring the security and privacy of IoT-based infrastructures within smart city environments is also challenging, notably in safeguarding commands in industrial IoT against forgery and misrouting [30,31]. Moreover, the strategic deployment of IDS that can precisely identify DDoS attacks is vital for preserving the operability of IoT frameworks [32]. The task is further complicated by the need to counteract the increasingly sophisticated and varied threats that plague IoT, particularly in mesh networks [33,34,35]. Also, the deliberate prolongation of packet transmission times by cyber-attacks aimed at depleting network resources represents a significant issue [36]. Furthermore, the development of security protocols that authenticate sensor nodes and safeguard their anonymity in mobile WSNs, which are susceptible to both overlapping sensory fields and attacks from internal and external sources, is a pressing concern [37]. These multifaceted challenges underscore the complexity of securing IoT environments against a wide range of threats;
- ML and DL techniques for intrusion detection in IoT networks: A key challenge is the implementation of network IDS utilizing ML and DL strategies, which necessitate distinct datasets for optimal operation [38]. It is essential to develop an IDS that accurately identifies threats while minimizing false alarms [7,39], and a significant problem is developing an IDS capable of autonomously detecting anomalies and cyberattacks within IoT networks to prevent system failures [40]. Furthermore, another challenge lies in designing high-quality attack scenarios to train cybersecurity solutions for industrial CPSs, given their expanded susceptibility to enhanced network and computational technologies [41]. Implementing ML-assisted solutions for IoT security poses a great challenge as it often assumes access to large training datasets, which can be difficult to obtain as data originates at the edge and is continuously generated by IoT devices [42]. Moreover, training ML-based detection algorithms on centralized servers raises privacy concerns, especially when collecting data from multiple edge servers [43]. In the realm of Industrial IoT (IIoT), the process of identifying device failures necessitates the transfer of unprocessed data to a centralized server for model training. This practice carries the risk of disclosing confidential corporate information, thereby raising privacy concerns [44]. In addition, the task of detecting malware within IIoT and compromised IoT devices presents ongoing challenges [45], as these devices are particularly vulnerable to malware engineered to exploit existing weaknesses. In addition, detecting adversarial attacks on DNNs used in IIoT applications is complex, as they aim to deceive DNNs with subtle modifications to the inputs, posing a significant challenge in maintaining device integrity [46]. Moreover, existing intrusion detection solutions often rely on SL methods, requiring substantial labelled data for accuracy, which is challenging to source at the scale of IoT networks [47]. The training of such ML models is time-consuming and less adaptable to dynamic IoT settings. Concurrently, applying ML methods for the analysis of big data and decision-making autonomy in IoT applications can be computationally intensive and requires large and varied datasets, leading to high false positive rate results [7,48,49,50];
- Privacy preservation and FL methods in IoT networks: The effort to maintain the confidentiality of local data in IoT networks while concurrently training models via FL approaches presents a multifaceted challenge. This includes the need to protect against adversaries who may exploit shared parameters to compromise industrial applications [51]. Furthermore, there is a pressing need to strengthen the effectiveness, resilience, and security of FL-oriented methods to improve detection capabilities and ensure privacy preservation [52,53];
- Resource constraints and availability: The issues surrounding resource constraints and availability involve several challenges. One such challenge is the acquisition of publicly accessible datasets that accurately represent recent network behaviours and specific IoT network characteristics for research purposes [54]. Also, detecting intrusions on systems like smart home devices, where network traces alone may not be reliable, poses another challenge [55]. It is crucial to operate intrusion detection strategies efficiently within the resource constraints of IoT network devices [56]. Moreover, implementing precise IDSs on IoT devices, which are frequently deployed in environments with limited computational resources and energy constraints, is a significant challenge [57];
- Inadequacy and limitations of traditional security measures and IDSs for IoT: IoT devices and networks are prone to inherent vulnerabilities stemming from their limited resources, heterogeneous nature, and exposure to a variety of attacks [58,59,60]. Such conditions reveal the inadequacy of traditional security protocols and IDS for IoT environments. The vast quantity and heterogeneity of devices, coupled with technical constraints, render standard monitoring and security techniques inadequate for IoT [61]. Lightweight IoT devices, especially those reliant on Wi-Fi for communication, face challenges in implementing conventional security and are vulnerable to traditional Wi-Fi attacks [62]. In addition, developing IDSs tailored for IoT networks is challenging as they are required to effectively handle and analyse massive and diverse data streams in real-time [48,59,63,64,65,66]. Therefore, mitigating these challenges is essential to bolster the security framework of IoT ecosystems;
- Routing and communication protocols in IoT networks: In the context of IoT networks, the mitigation of attacks on the Routing Protocol for Low-Power and Lossy Networks (RPL), which is crucial for IoT applications, poses a difficult challenge. The complexity of this task is intensified by the limited resources and significant control overhead [63]. Equally important is the detection of insider routing attacks that threaten the integrity and security of IoT networks [64]. Likewise, securing the MQTT communication protocol, prevalent in IoT settings, is imperative due to its vulnerability to attacks that exploit its publish-subscribe model [67]. Moreover, guaranteeing communication security in IoT networks is a formidable task, particularly as reliance on cloud and communication technologies grows for various digital services. This includes the implementation of safeguards such as mutual authentication and the protection of IoT-specific application layer protocols [68]. Mitigating RPL protocol vulnerabilities in Advanced Metering Infrastructure (AMI) within smart grid applications is another significant challenge [69], as these attacks can drastically affect the efficiency and security of routing in smart grid networks. Additionally, the development of IDS solutions that cater to the specific needs of IPv6-connected IoT environments is challenging, as many existing systems are designed for either WSN or traditional Internet configurations, which may not be suitable for IPv6-connected IoT contexts [70];
- DDoS attacks and anomaly detection in IoT networks: The task of identifying and neutralizing DDoS attacks within IoT networks, which also extends to blockchain-integrated IoT systems, is fraught with considerable challenges [49,71,72]. Such attacks are detrimental to both the performance and the security of the network, thereby endangering the stability of IoT ecosystems. Consequently, it is imperative to establish defences against botnet attacks, notably those executed by malware like Mirai and BASHLITE, to prevent DDoS attacks [73]. Typically, these attacks originate from compromised surveillance devices, potentially causing extensive disruptions. The widespread presence of unsecured IoT devices exacerbates the severity of DDoS attacks, thus intensifying the difficulty of defence [74]. Another difficulty is differentiating DDoS traffic from regular network activity, which can result in a high FPR, low accuracy, and a low detection rate. Furthermore, implementing effective anomaly mitigation strategies on IoT devices is critical to combat DDoS attacks, especially given their constrained computational capabilities [75]. The design of a rule-based model for the identification of DDoS threats in network traffic necessitates an algorithm for feature selection and extraction [76]. Tackling these issues is crucial for enhancing the robustness of IoT networks against DDoS incursions. The challenges associated with anomaly detection in IoT include the necessity for dependable systems that can detect and signal anomalies or attacks in real-time while withstanding attacks or system failures [77]. Furthermore, managing and analyzing the vast, dynamic data emanating from millions of sensors in IIoT settings [78], as well as detecting novel attacks that elude conventional methods [79], are essential for maintaining an edge over evolving threats;
- Spam transaction attacks in cryptocurrency networks: The challenges associated with spam transaction attacks in cryptocurrency networks are multifaceted. One significant issue is the complexity involved in the automatic extraction of features necessary for identifying such attacks, which contributes to reduced detection efficacy [80]. Identifying the principal intrusion tactics of spam transaction attacks is particularly challenging, as they frequently masquerade within regular data traffic [80]. Moreover, the scarcity of adequate threat test samples for the training of detection models poses a barrier, leading to low accuracy and an increased rate of false alarms in the identification of these attacks;
- Zero-day attacks and their detection: The realm of cyberspace is increasingly confronted with the threat of zero-day attacks, which exploit a range of protocols and present a difficult challenge. The detection of these attacks, which are often subtle alterations of existing cyber threats, is a complex task [81]. Furthermore, the reliance on traditional ML techniques for identifying zero-day attacks is considered inadequate, as these methods depend on historical data and predetermined features, rendering them less flexible in the face of new and evolving threats [7,81];
- Security of smart industrial systems and CPS: The security of smart industrial systems and CPS is vital, especially as they are integral to the advancement of Industry 4.0. These systems face the challenge of defending against malicious attacks that take advantage of their interconnected and open architecture [82]. Identifying attacks on CPS is particularly challenging due to the deliberate and sophisticated strategies employed by cybercriminals, which can severely disrupt system operations [83]. Additionally, the development and deployment of collaborative IDS for SDN-supported CPS involve complex considerations. These include optimizing resource distribution and maintaining the quality of service, all while detecting and neutralizing insider threats [84];
- Edge computing: Deploying edge computing for IoT devices introduces challenges related to vulnerability to attacks and the selection of monitoring or guard nodes in dynamic wireless sensor networks [85].
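As an added illustration (not from the survey or any paper it cites) of the class-imbalance challenge noted above and of the evaluation metrics the reviewed papers report, the following Python computes Accuracy, Precision, Recall (TPR), Specificity (TNR), FPR, FNR, F1-score, MCC and G-mean from an IDS confusion matrix and applies them to a constructed 1%-attack traffic sample. The flow counts and the two hypothetical detectors are assumptions chosen to show why Accuracy alone is misleading on skewed IoT datasets.

```python
"""Added example: IDS evaluation metrics under class imbalance.
Not taken from the survey; the traffic sample and detectors are constructed."""
from __future__ import annotations

import math
from dataclasses import dataclass
from typing import Sequence


@dataclass(frozen=True)
class Confusion:
    """Counts for the positive class 'attack' (1) versus 'benign' (0)."""
    tp: int
    fp: int
    tn: int
    fn: int


def confusion(y_true: Sequence[int], y_pred: Sequence[int]) -> Confusion:
    """Tally a binary confusion matrix from labels (1 = attack, 0 = benign)."""
    if len(y_true) != len(y_pred):
        raise ValueError("label vectors differ in length")
    tp = fp = tn = fn = 0
    for t, p in zip(y_true, y_pred):
        if p == 1:
            if t == 1:
                tp += 1
            else:
                fp += 1
        elif t == 1:
            fn += 1
        else:
            tn += 1
    return Confusion(tp, fp, tn, fn)


def _ratio(num: float, den: float) -> float:
    """Return 0.0 when the denominator is empty (e.g. a detector that never alarms)."""
    return num / den if den else 0.0


def metrics(c: Confusion) -> dict[str, float]:
    """The metrics named in the survey's 'Evaluation' columns, from one confusion matrix."""
    total = c.tp + c.fp + c.tn + c.fn
    recall = _ratio(c.tp, c.tp + c.fn)        # TPR / detection rate / sensitivity
    specificity = _ratio(c.tn, c.tn + c.fp)   # TNR
    mcc_den = math.sqrt((c.tp + c.fp) * (c.tp + c.fn) * (c.tn + c.fp) * (c.tn + c.fn))
    return {
        "accuracy": _ratio(c.tp + c.tn, total),
        "precision": _ratio(c.tp, c.tp + c.fp),
        "recall": recall,
        "specificity": specificity,
        "fpr": _ratio(c.fp, c.fp + c.tn),      # false-alarm rate
        "fnr": _ratio(c.fn, c.fn + c.tp),      # missed-attack rate
        "f1": _ratio(2 * c.tp, 2 * c.tp + c.fp + c.fn),
        "mcc": _ratio(c.tp * c.tn - c.fp * c.fn, mcc_den),
        "g_mean": math.sqrt(recall * specificity),
    }


# Constructed scenario (assumption): 10,000 flows, of which only 1% are attacks,
# the kind of skew the survey describes for IoT datasets. Built as label
# vectors so that confusion() is exercised end to end.
N_BENIGN, N_ATTACK = 9_900, 100
Y_TRUE = [0] * N_BENIGN + [1] * N_ATTACK

# Hypothetical detector 1 never alarms: every flow is called benign.
Y_SILENT = [0] * (N_BENIGN + N_ATTACK)

# Hypothetical detector 2 catches 90 of the 100 attacks at the cost of 200 false alarms.
Y_ALARMING = [1] * 200 + [0] * (N_BENIGN - 200) + [1] * 90 + [0] * 10

SILENT = confusion(Y_TRUE, Y_SILENT)      # Confusion(tp=0, fp=0, tn=9900, fn=100)
ALARMING = confusion(Y_TRUE, Y_ALARMING)  # Confusion(tp=90, fp=200, tn=9700, fn=10)


def compare() -> dict[str, dict[str, float]]:
    """Metrics for both detectors; the silent one 'wins' on Accuracy but detects nothing."""
    return {"silent": metrics(SILENT), "alarming": metrics(ALARMING)}


if __name__ == "__main__":
    for name, m in compare().items():
        print(name, {k: round(v, 4) for k, v in m.items()})
```

The silent detector reaches 99% Accuracy with zero Recall and zero MCC, while the working detector scores lower Accuracy (97.9%) but 0.9 Recall, which is why the reviewed papers report F1, MCC, FPR and detection rate alongside Accuracy.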
5.3. Intrusion Detection Techniques
5.3.1. Machine Learning Based
- 1. Supervised and Semi-supervised based

(a)

Ref. | Methods | Algorithms | Implementation | Datasets | Attacks | Application |
---|---|---|---|---|---|---|
[58] | SL, 3-layered IDS, MAC address scanning | J48 DT, CART, SVM, RF, kNN | Simulations: Weka tool. Evaluation: Precision, Recall, F1-score | Real Testbed | DoS, MitM, spoofing, reconnaissance, replay | Smart home |
[47] | SSL, SDRK-DNN and clustering method | DFNN, K-means | Testbed deployment: IoT Fog cloud testbed, Cisco Nexus switch, Raspberry Pi model 3B, sensors. Evaluation: Accuracy, F1-score, MCC | NSL-KDD | Data deluge | Fog IoT systems |
[81] | PCA-semi-supervised | kNN | Simulations. Evaluation: Accuracy, Recall, FPR, MCC, Precision, F1-score, and ROC curve | NSL-KDD | DoS, Probe, User to Root, Remote to Local | IoT systems |
[86] | Supervised ANN | MLP | Simulations: C programming environment. Evaluation: Confusion matrix | Real Testbed | DDoS/DoS | IoT systems |
[87] | SL, Bi-layered NIDS | GBDT, LR, DT, RF, kNN, MLP, SVM | Simulations: Scikit-learn Python library, CICFlowMeter. Testbed deployment: XiaoDu AudioSpeaker, QingPing Temperature Monitor, TP-Link NetCam, and GoSund SmartPlug. Evaluation: Accuracy, F1-score, Recall, Precision | IoT-23 | C&C, DDoS, FileDownload, HeartBeat, PortScan, botnets (Mirai, Torii, Okiru) | Smart Homes |
[65] | DHT, Multi-level Distributed IDS | MLP, KNN, DT, SVM, GNB, RF, AdaBoost | Simulation: Wireshark sniffing tool, Sysdig tool, Raspberry Pi 2 model. Evaluation: Accuracy, Precision, Recall, F1-score | Real Testbed | Botnet (Mirai malware) | Smart Homes |
[71] | GODIT, discriminative n-shingle, Outlier Detection (Graph-Based) | DT, SVM, Gradient Boosting, RF | Simulations: Python environment. Testbed deployment: Netatmo Camera, TP-Link Plug, WEMO Power Switch, Samsung Camera, and WEMO Motion Sensor. Evaluation: Precision, Recall, F1-score | TON_IoT | DoS attack | Smart Homes |
[55] | Host-Based Automated IDS, Tracing Techniques, Supervised and Semi-Supervised | DT, RF, GBT, SVM, MLP, LSTM | Experiment: Home automation system, Raspberry Pi 3, Debian Linux. Evaluation: Accuracy, Precision, Recall, F1-score, Latency | Real Testbed | Mirai botnet, nmap scan, Metasploit, Ransomware | Smart Devices |

(b)

Ref. | Methods | Algorithms | Implementation | Datasets | Attacks | Application |
---|---|---|---|---|---|---|
[88] | SL, AIDS, IDSBPSO, Statistical Analysis | RF | Simulation: Python, Anaconda Navigator. Evaluation: Accuracy, Precision, Recall, F1-score | IoTID20, UNSW-NB15 | DoS, Exploits, Analysis, Fuzzers, Reconnaissance, Backdoor, Shellcode, Worms, Host Port OS Brute Force, HTTP Flooding, UDP Flooding, SYN Flooding, ARP Spoofing | IoT systems |
[57] | Lightweight IDS, MI2G Feature Selection | LR, LDA, NB, DT, RF, SVM, GBM | Simulation: Contiki Cooja and FIT IoT-LAB, Wireshark tool. Evaluation: Accuracy, Precision, Recall, F1-score, training time, testing time | CICIDS2018 | Brute-force, Heartbleed, Botnet, DoS, DDoS, Web, and infiltration | IoT systems |
[75] | AIDS, Feature Selection (Correlation Coefficient, SHAP), fog computing | KNN, CUSUM, EWMA | Simulation: Jupyter Notebook, Python-based Scikit-learn, Matplotlib, SciPy, Pandas, Detecta. Evaluation: Accuracy, Precision, Recall, F1-score, FPR | BoT-IoT | DDoS | IoT systems |
[40] | Supervised ML, Unique feature set | KNN, SVM, DT, RF, LR, MLP (ANN) | Experiment: Python (Pandas, NumPy, Matplotlib, Seaborn, scikit-learn, Keras framework). Evaluation: Accuracy, Recall, Precision, F-score, ROC | BoT-IoT | DoS, DDoS, Reconnaissance, Information theft | IoT systems |
[89] | A two-stage IDS based on CCIs and AMoF, mobility models | Linear R, Random Waypoint, Gauss-Markov | Simulation: node velocity (NS1P3, NS15P7), power level. Evaluation: TPR, TNR, FPR, FNR, Precision, F1-score | Real Testbed | Blackhole, DDoS | Mobile IoT systems |
- 2. Deep Learning-based

(a)

Ref. | Methods | Algorithms | Implementation | Datasets | Attacks | Application |
---|---|---|---|---|---|---|
[80] | Spam Transaction Detection based on GRU-WGAN-div | GRU-WGAN-div, ADvISE, SVDD, OC-SVM | Simulation: Open-source spam transaction | Real Testbed | Spam | Spam transactions in IoT systems |
[67] | DNN-based IDS, Sigmoid/Softmax activation, forward and backward propagation | NB, RF, kNN, DT, LSTM, GRUs | Experiment: Python 3.9.5 (Keras, DL API, Jupyter Notebook), Adam optimiser. Evaluation: Accuracy, F-measure, Recall, Precision | MQTT-IoT-IDS2020, MQTT | MitM, DoS, Intrusions | MQTT-based IoT systems |
[72] | H3SC-DLIDS for hybrid intrusion detection, HHO, SCA, AOA | LSTM-AE | Experiment: Python 3.6.5 tool. Evaluation: Accuracy, Recall, Precision, F-score, AUC score | BoT-IoT | DDoS | Blockchain-enabled IoT systems |
[77] | DL-based anomaly detection, Markov networks, edge computing | KNN, LSTM-Markov | Experiment: DHT sensors, MQTT protocol. Evaluation: Accuracy, Efficiency, Root-Mean-Square Logarithmic Error (RMSLE), Mean Absolute Error (MAE), Coefficient of Determination (R2) | Real Testbed | - | Edge-based IoT systems |
[78] | DL, MGO, DHPEA, Blockchain, Cloud | RMC-CNN, LSTM-Gauss-NBayes, LSTM-NN, MLP, and Stacked Bi-LSTM | Simulations. Evaluation: Accuracy, Precision, Recall, F1-score, Throughput, Delay, Detection rate | Real Testbed | Sybil, DoS | IIoT systems |

(b)

Ref. | Methods | Algorithms | Implementation | Datasets | Attacks | Application |
---|---|---|---|---|---|---|
[85] | DL (P-DNN, TensorFlow), Feature Engineering, KPCA, Softmax activation function | P-DNN, KNN, SVM, NB | Experiment: Python 3, Raspberry Pi, Kali OS, Nmap, Wireshark, Burp Suite, Linux, Snort and Suricata. Evaluation: Accuracy, Precision, Recall, F1-score, CPU consumption, memory utilization, and processing time | Real Testbed | SSH brute force, DDoS-Slowloris, DDoS-hping, FIN scan, OS fingerprinting, UDP scan, XMAS tree scan | IoT systems |
[90] | DL, Whale-Optimized GRU | SVM, ANN, KNN, RF, Light+GB IGLGBM, SLGBM MLELM, LSTM, WOGRU | Experiment: TensorFlow v1.18 with Keras API. Evaluation: Accuracy, Recall, Precision, Specificity, and F1-score | WSN-DS | Flooding, Scheduling, Black Hole, Grey Hole | Healthcare systems |
[26] | DL, HW-DBN-based DeepIoT.IDS, WDNN | BB-RBM, BB-DBN, deep AE HW-DBN, Deep GB-RBM | Experiment: Python, TensorFlow v1.2. Evaluation: Accuracy, Recall, Precision, Specificity, F1-score, G-mean, Testing time | CICIDS2017 | Web (BENIGN, brute force, XSS, SQL injection attacks), bot | Cybersecurity |
[29] | DL, LeNet-based IDS | CNN, SVM, RNN | Experiment: Python, TensorFlow, Anaconda. Evaluation: Accuracy, Precision, Detection rate, FPR | NSL-KDD | DoS, Probe, R2L, U2R | Multi-cloud IoT systems |
[31] | DLMNN, Entropy-HOA, SMO, KH-AES algorithm | SVM, NB, KNN, ANN | Experiment: Java. Evaluation: Accuracy, F-score, Sensitivity | NSL-KDD | DoS, Probe, R2L, U2R | Smart Cities |
[54] | Hybrid DLIDS | CNN, RF, XGBoost, KNN, NB, LR | Experiment: Python, TensorFlow-GPU, Keras, imbalanced-learn package. Evaluation: Accuracy, Detection rate, Precision, Recall, F1-score, AUC, CPU/GPU memory consumed, computation runtimes | CCD-INID-V1, BaIoT, DoH20 | ARP Poisoning (MITM), ARP DoS, UDP Flood (DoS), Hydra brute force with Asterisk protocol (Brute force), and Slowloris (DDoS), 5 BASHLITE, 5 Mirai | Cybersecurity |

(c)

Ref. | Methods | Algorithms | Implementation | Datasets | Attacks | Application |
---|---|---|---|---|---|---|
[91] | DL-based hybrid IDS and IDPS (AIDS, SIDS), entropy optimizer | LSTM | Simulation: Java, Keras. Evaluation: Accuracy | CICDDoS2019 | DoS/DDoS | IoT DoS and DDoS detection |
[92] | DL, Adaptive and intelligent AIS-IDS, F-PSO algorithm | HNN, RNN, RF, KNN | Simulation: Python platform. Evaluation: Accuracy, Error, Precision, Recall, F1-score, Negative predictive value, FNR | BoT-IoT | Service scanning, OS fingerprinting, DDoS/DoS, Keylogging, Data theft | IoT DoS and DDoS detection |
[32] | Distributed IDS framework OPTIMIST, WGAN, Weighted Minimum Vertex Cover, K-uniform Hypergraph, Approximation Algorithm | LSTM | Simulation: Contiki Cooja and FIT IoT-LAB, Wireshark tool. Evaluation: Accuracy, Precision, Recall, F1-score, Memory consumption, CPU energy, Throughput | IoT-23, Real Testbed | DDoS | DDoS attacks in IoT systems |
[34] | AI-based framework, Autoencoder (SAE, AE), Unsupervised pre-training | DNN | Simulation: Cooja simulator, TShark, network packet analyser. Evaluation: Accuracy, Precision and F1-score | Real Testbed | Clone ID | Clone attacks in IoT systems |
[35] | Hybrid IDS, Target Encoder, Z-score, DHE, HMS, GST, BMA, Deep Q-learning | Lightweight NN | Simulation: NS-3.26, C++, NS-3 PyViz. Evaluation: Detection rate, FAR, Specificity, F-measure, Computation time | NSL-KDD | DoS, Probe, U2R, R2L | Known and unknown attacks in IoT systems |
[76] | DL-based IDS, Feature Selection and Extraction | LSTM, KNN, ANN, DNN | Evaluation: Accuracy, Precision, Recall, F1-score | CICDDoS2019 | MSSQL, SYN, PortScan, LDAP, NetBIOS, UDP-Lag, and UDP | DDoS threats for IoT systems |
[28] | DL-based IDS with Focal Loss | FNN, CNN | Experiment: Nvidia GPU driver, CUDA, TensorFlow. Evaluation: Accuracy, Recall, Precision, F-score, MCC score | Bot-IoT, WUSTL-IIoT-2021, WUSTL-EHMS-2020 | DoS/DDoS, Reconnaissance, Information theft, Command Injection, Backdoor | Class imbalance in IoT systems |
- 3. Unsupervised Learning based

Ref. | Methods | Algorithms | Implementation | Datasets | Attacks | Application |
---|---|---|---|---|---|---|
[63] | Unsupervised, ASSET, Collaborative Anomaly Detection | K-means | Simulations: Cooja Contiki simulator. Evaluation: Accuracy, Power consumption, Control overhead | Real Testbed | Black Hole, Grey Hole, Flooding, Replay, Neighbour, Clone-ID, Sinkhole, DODAG Inconsistency, DODAG Version, Global Repair, Local Repair | RPL vulnerabilities |
[64] | Hybrid (AIDS, SIDS), agent programming, MapReduce architecture | Unsupervised OPFC, clustering models | Simulations: MATLAB R2014a, .NET Framework, C#.NET programming. Evaluation: TPR, FPR, Accuracy | Real Testbed | Wormhole, Sinkhole, Selective Forwarding | 6LoWPAN in Smart city |
[93] | ULEACH Clustering, Game theory, modified POS | Clustering | Experiment: DeterLab platform. Evaluation: Detection rate, Energy consumption, R-square, RMSE | Real Testbed | Routing, DoS, Forgery/Spoofing, Hajime botnet, Whale Shark worm, OMNI botnet | IDS placement for heterogeneous IoT networks |
- 4. Ensemble and transfer learning-based

(a)

Ref. | Methods | Algorithms | Implementation | Datasets | Attacks | Application |
---|---|---|---|---|---|---|
[59] | Two-stage HIDS (SIDS, AIDS) | C4.5 DT, SVM, NB, RF, MLP, CART, kNN | Simulations: Python. Evaluation: Accuracy, TPR, F1-score, FPR | Bot-IoT | DoS, DDoS, Reconnaissance, Keylogging, Zero-Day | IoT device security |
[60] | SL, Ensemble-based, Continuous authentication, Wireless fingerprinting | DT, RF, CART | Simulations: MATLAB, Simulink software platforms. Evaluation: F-measure | Real Testbed | Spoofing | Physical-layer authentication and spoofing detection |
[49] | Ensemble learning, Fog computing-based IDS | RF, XGBoost | Simulations: Python. Evaluation: Accuracy, TPR, F1-score, Detection rate | BoT-IoT | DoS/DDoS | Blockchain-based IoT networks |
[69] | AIMS IDS: Stacked ensemble, SMO, Consensus Mechanism, Light-chain Cryptography, Cryptocurrency | SVM, NB, KNN, DT; Ensemble: SE, LGBM, XGB | Simulation: Contiki/Cooja, 5 topologies with 50 AMI devices. Evaluation: Accuracy, Precision, Recall, F-score, Overhead, Packet loss, Packet delivery ratio, Convergence time | Real Testbed | RPL | RPL security in Smart Grid AMI |
[94] | Blockchain, Arbiter PUFs, ECDSA | Linear R, DT, RF, SVM | Simulation: Hyperledger Fabric 1.4. Evaluation: Accuracy, Detection rate, Precision, Recall, F-score, FPR, Security and privacy analysis | CICDDoS2019 | DDoS (Botnet and Unknown) | Blockchain-protected IoT Smart City data |
[83] | Fog computing, ECSO-based ensemble model | ECSO-LR, ECSO-DT, ECSO-kNN, ECSO-RF, ECSO-RNN | Simulation: Python, Fog and Cloud nodes. Evaluation: Accuracy, Kappa, F1-score, ROC | NSL-KDD | DoS, R2L, U2R, Probe | Fog-enabled CPS |
[30] | Blockchain-SDN-based RSL-KNN IDS, Blockchain, SDN | LSVM, BN, NB-K, KNN, AdaBoostM1, Bagging, DT, RF, RSL-KNN | Experiment: Weka, Cross-validation. Evaluation: Accuracy, FPR | 15 SCADA | Forged Commands, Misrouting | IIoT |

(b)

Ref. | Methods | Algorithms | Implementation | Datasets | Attacks | Application |
---|---|---|---|---|---|---|
[27] | Suricata-based IDS, IG, FS, BE | KNN, DT, RF, GN, kNN-IG, kNN-FS, kNN-BE | Experiment: Raspberry Pi, Suricata IDS tool. Evaluation: Accuracy, Precision, Recall, F1-score, Processing time | Bot-IoT | DDoS, Reconnaissance, DoS, Theft | Large IoT datasets |
[39] | Ensemble, Model Selection Method (MSM), ENClf (Edge-ENClf, Cloud-ENClf) | SVM, NB, DT, KNN, LR, MLP, RF, AdaBoost, and GBT | Experiment: Compute Canada Cedar cluster, Python, scikit-learn, 5-fold cross-validation. Evaluation: F_efficiency, ROC_AUC_efficiency, Explained_variance_efficiency | NSL-KDD, UNSW-NB15, BoTNeTIoT, and BoTIoT | DoS, Probe, R2L, and U2R; Mirai and Gafgyt botnets; Reconnaissance, DDoS, Theft | IoT networks |
[33] | Ensemble, MQTT protocol analysis | Bagging, Boosting, Stacking, various ML techniques | Simulation: Python, Sklearn, TensorFlow, Keras. Evaluation: Accuracy, F1-score, MCC | MQTT | MQTT | MQTT protocol |
[53] | Passban: NetMate-based IDS, Supervised ML, Ensemble TL-IDS | iForest, LOF | Experiment: Python (scikit-learn), Raspberry Pi 3 model B running the AGILE gateway software. Evaluation: Precision, F-measure, Recall | Real Testbed | Port scanning, HTTP login brute force, SSH login brute force, SYN flood | Edge-based IoT systems |
[38] | Ensemble TL-IDS, HPO | CNN models (VGG16, VGG19, Inception, MobileNet, EfficientNets) | Experiment: Python, NumPy, Pandas, Matplotlib, scikit-learn, Keras, TensorFlow. Evaluation: Accuracy, Precision, Recall, F1-score, AUC, MCC | CIC-IDS2017, CSE-CICIDS2018 | Bot, Brute Force, DoS, DDoS, Infiltration, Heartbleed, PortScan, Web | Centralized IoT devices to cloud server |
[48] | TL-based IDS, RPL protocol | TL | Simulations: Cooja Contiki simulator and Powertrace. Evaluation: Accuracy, Detection rate and FPR | Real Testbed | RPL-specific attacks (Decreased rank, DIS flood, Increased version, and Worst parent) | Dynamic IoT security |
[66] | HIDS: Deep ensemble-based IDS with Lambda architecture | LSTM, CNN, ANN | Experiment: Python 3.7 with TensorFlow 2.6. Evaluation: Recall, Precision, Accuracy, F-score, Throughput | | DDoS, Okiru, Port scan, C&C | IoT systems |
- 5. Federated learning-based

(a)

Ref. | Methods | Algorithms | Implementation | Datasets | Attacks | Application |
---|---|---|---|---|---|---|
[82] | Decentralized DP FL-IDS | DNN, OPF | Experiment: Google Col. platform, Python 3 (NumPy, Pandas, scikit-learn with PyTorch, SMOTE, Opacus). Evaluation: Accuracy, F-score, Recall, Precision | Edge-IIoT | Backdoor, Vulnerability_scanner, DDoS_ICMP, Password, Port_Scanning, DDoS_UDP, Uploading, DDoS_HTTP, SQL_injection, Ransomware, DDoS_TCP, XSS, MITM, Fingerprinting | IIoT system |
[50] | FEDGAN-IDS, Federated DL | ACGAN, CNN | Evaluation: Accuracy, Loss, Recall, Precision, F1-score, AUC score, Convergence rate | NSL-KDD, KDD99, UNSW-NB15 | U2R, R2L, Probe, DoS, Analysis, Shellcode, Worms, Backdoor, Generic, Reconnaissance, Exploits, Fuzzers | Smart systems |
[52] | Blockchain-enabled FL architecture, DP-GAN FL | CNN | Experiment: Raspberry Pi 4B, sensors. Evaluation: Accuracy, RMSE, Efficiency, Data utility | KDD'99 | DoS, R2L, U2R, Probe | IoT systems |
[41] | Privacy-preserving federated DL IDS, Paillier cryptosystem | CNN-GRU | Experiment: Keras API, FL, lightweight Python framework Flask. Evaluation: Accuracy, Recall, Precision, Specificity, F1-score | GasPipeline | FL-related eavesdropping, native malicious and complex malicious response injections, malicious state, parameter function command injection, DoS, Reconnaissance | IoT-based CPS |
[42] | FL, GRU models | GRU, Non-FL | Experiment: Python (PySyft, PyTorch DL frameworks). Evaluation: Accuracy, Recall, Precision, Specificity, F1-score | Modbus network | Ping DDoS flood, MITM, Modbus query flood, SYN DDoS | Privacy at edge IoT devices |

(b)

Ref. | Methods | Algorithms | Implementation | Datasets | Attacks | Application |
---|---|---|---|---|---|---|
[43] | DFF-SC4N, FL, RMUs, DL, DP | GRU, CNN | Experiment: Python (Keras, NumPy, scikit-learn, TensorFlow). Evaluation: Accuracy, Recall, Precision, Specificity, F1-score | TON_IoT | MitM, DoS, DDoS, Scanning, Password, Injection, XSS, Ransomware, Backdoor | Privacy-preserving SC 4.0 networks |
[45] | FL-based Fed-IIoT, GAN, A3GAN, ByzantineMedian, ByzantineKrum | CNN, RandomForestRegressor | Experiment: Python (Keras, TensorFlow). Evaluation: Accuracy | Drebin, Genome, Contagio | GAN, FedGAN, A3GAN | Android malware detection in IIoT systems |
[46] | FL, FDA3 Federated Defense, Adam optimizer | CNN | Experiment: Python (Keras, TensorFlow), Cloud. Evaluation: Accuracy | MNIST, CIFAR10 | 5 well-known adversarial attack types: FGSM, BIM, JSMA, CW2 and DeepFool | Cloud-based IIoT systems |
[44] | Blockchain-enhanced FL, CDW_FedAvg | SGD, LR and NN | Experiment: MySQL 5.7.25, Java, Ethereum, Smart contracts, 4 Raspberry Pi. Evaluation: Accuracy, Recall, Precision, Specificity, F1-score | Real Testbed | Device failure | IIoT device failure detection |
[95] | DIoT: FL-based autonomous self-learning IDS, device-type-specific communication profile | RNN-GRU | Experiment: Kali Linux, gateways, 33 IoT devices (IP cameras, smart power plugs, light bulbs, sensors, etc.). Evaluation: FPR, TPR | Real Testbed | Mirai malware (pre-infection, infection), scanning, DoS | IoT-based systems |
[51] | FL, PEFL, Homomorphic encryption, DP | CNN | Experiment: C++ library HElib, Python, TensorFlow. Evaluation: Accuracy, Computational and communication complexity | MNIST | Privacy loss | IAI |
5.3.2. Non-Machine Learning Based
(a) | |||||
Ref. | Methods | Implementation | Datasets | Attacks | Application |
[96] | LAD, Binarization process, IG ratio | Experiment: laptop computer with 24 GB RAM and an Intel i5 processor. Evaluation: Accuracy, Precision, Recall, F-score | Bot-IoT | Reconnaissance, DDoS, DoS, Theft | IoT systems |
[56] | SPID, N-gram Sequential Patterns, Heuristic-based detection SH | Simulation: CUPCORBAN, Java platform. Evaluation: Accuracy, Specificity, Sensitivity, Energy Consumption, Memory usage | UNSW-NB15 | Fuzzers, Analysis, Backdoors, DoS, Exploits, Generic, Reconnaissance, Shellcode and Worms. | IoT systems |
[73] | Statistical Learning, Anomaly Detection, Mixture Model, Expectation-Maximization, Correntropy Metrics | Testbed deployment: Desktop Windows OS, Raspberry Pi 4 Evaluation: Accuracy, Precision | Kitsune IoT network, ISCX 2012 | Botnet, DoS, MitM | Smart cities |
[61] | SPIDS, IPFIX Flow Records, Centralized and Distributed Components, Knowledge Database | Simulations: Python, Ubuntu server 1, network scan tools (nmap and hping), Raspberry Pi, CoAP and MQTT application protocols Evaluation: Functionality testing, other tests | User-generated data | Flooding, abnormal/invalid MQTT and CoAP actions | IoT systems |
[37] | PdRWP, Hashed IDs, Secret Hash Function | Simulations: MATLAB R2017a Evaluation: Detection rate, TPR | User-generated data. | Malicious nodes | IoT systems |
[85] | Hybrid Routing and Monitoring Protocol, Two-Fish Symmetric Key, Optimized Link State Multipath Routing, Ad hoc On-demand Multipath Distance Vector Routing | Simulations: NS-2.34 Evaluation: Detection ratio | User-generated dataset. | Wormhole, IP spoofing | IoT systems |
[68] | 3-Factor Authentication, ECC, Hash Chains | Simulations: Scyther, Linux OS Evaluation: Communication Overhead and Cost | User-generated data | Confidentiality, Mutual Authentication, MitM, Replay, Known Session Key, Sub | IoT systems |
[70] | 6Mapper, SVELTE, Mini-Firewall, SICSlowpan, uIP | Simulation: Cooja (Contiki), Powertrace Evaluation: Detection rate, TPR | User-generated data | Spoofed/Altered Information, Sinkhole, Selective Forwarding | IoT systems |
(b)
Ref. | Methods | Implementation | Datasets | Attacks | Application |
---|---|---|---|---|---|
[36] | Analytical Approach, Model for Participating Nodes’ Desires | Simulations: OMNeT++ Evaluation: pa, α, L, β | User-generated | Ping of death | IoT systems |
[97] | IPS Technique, Risk Analysis Model, Secrecy, Authentication, Access Control | Simulation: NS3 Evaluation: Transmission rate, Response time. | User-generated | Eavesdropping, Brute force, DoS | Smart Home |
[98] | DistBlockNet, Distributed SDN Architecture, Blockchain | Simulations: Mininet SDN emulation, POX controller, OpenFlow switch, server machines, data plane caches Evaluation: Accuracy, Scalability, Defence effect, Efficiency | User-generated | Cache poisoning/ARP spoofing, DDoS/DoS | SDN-based IoT smart systems |
[99] | SDN, Blockchain | Simulation: Mininet emulator, Wireshark, Ethereum platform, Ryu controller Evaluation: Response Time, Bandwidth, Packet Loss, Energy Utilization | User-generated | Any | SDN-based IoT smart cities |
[62] | RAP Algorithm, Information-Theoretic Approach, Real-Time, Lightweight, WiFi-Enabled IoT Devices | Simulation: Raspberry Pi 3, TP-Link AP, virtualized RAP, Debian Linux OS, Tenda wireless USB adapter Evaluation: Detection rate, CPU utilization | User-generated | Sybil | WiFi-enabled IoT systems |
[74] | Co-IoT Framework, Blockchain, SDN, Ethereum’s Smart Contracts | Simulation: Ganache, Ropsten Ethereum test network, Solidity smart contracts Evaluation: Flexibility, Efficiency, Security, Cost-Effectiveness | - | DDoS | Smart cities |
[100] | IPv6 Routing Protocol, Hybrid IDS (SIDS, AIDS, SPIDS) | Experiment: Contiki-NG Evaluation: detection accuracy, consumed CPU, TX and RX power usage, and memory usage | - | Routing, DoS, Flooding | IoT systems |
[84] | CIDS, Blockchain, SDN | Experiment: Open vSwitch, POX controller, 10 sensors, 5 actuators, Snort Evaluation: Packet-in arrival rate, Alarm aggregation errors, Average trust value | - | DDoS, insider threats | SDN-assisted CPS |
5.4. Benchmark Datasets
Ref. | Dataset | Year | Attacks |
---|---|---|---|
[29,31,35,39,47,50,81,83] | KDD Cup’99, NSL-KDD | 1999, 2009 | DoS, R2L, U2R and probing |
[27,28,40,59,67,72,75,92] | Bot-IoT | 2018 | DDoS, DoS, OS and Service Scan, Keylogging and Data exfiltration attacks |
[32,66,87] | IoT-23 | 2020 | C&C, DDoS attack, FileDownload, HeartBeat, PortScan and botnets (Mirai, Torii, Okiru) |
[43,71] | ToN_IoT | 2020 | XSS, DDoS, DoS, password cracking, reconnaissance or verification, MITM, ransomware, backdoors, and injection |
[73] | Kitsune | 2018 | Reconnaissance, MitM, DoS, and Botnet malware |
[73] | ISCX 2012 | 2012 | Brute force, infiltration, HTTP DoS, and DDoS attack. |
[39,56,88] | UNSW-NB15 | 2015 | Backdoors, DoS, Exploits, Fuzzers, Generic, Port scans, Reconnaissance, Shellcode, worms |
[26,38] | CIC-IDS2017 | 2017 | Brute Force, HeartBleed, Botnet, DoS, DDoS, Web, Infiltration |
[38,57] | CIC-IDS2018 | 2018 | HeartBleed, DoS, Botnet, DDoS, Brute Force, Infiltration, Web |
[67] | MQTT-IoT-IDS2020 | 2020 | normal operation, Sparta SSH brute-force, aggressive scan, MQTT brute-force, UDP scan |
[88] | IOTID-20 | 2020 | DoS, brute-force, and scan |
[82] | Edge-IIoT | 2022 | DoS, DDoS, information gathering, injection, MitM, Malware |
[76,91,94] | CICDDoS2019 | 2019 | PortMap, NetBIOS, LDAP, MSSQL, UDP, UDP-Lag, SYN, NTP, DNS and SNMP attack |
5.5. Evaluation Metrics
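The strategy tables in Section 5.3 report results as Accuracy, Precision, Recall (TPR or detection rate), Specificity, FPR and F1-score. The Python below is an added worked example, not code from this survey or from any of the papers it reviews: it derives each of those measures from a binary confusion matrix and, on a constructed class-imbalanced sample (5 attack flows among 100, reflecting the imbalance problem raised in Section 5.2), shows why accuracy alone flatters a detector that never alerts. All function and variable names are this example's own.

```python
"""IDS evaluation metrics from a binary confusion matrix (added example)."""
from __future__ import annotations

from dataclasses import dataclass
from typing import Dict, Sequence, Tuple

ATTACK, BENIGN = 1, 0  # attack traffic is the positive class


@dataclass(frozen=True)
class ConfusionMatrix:
    tp: int  # attack flows correctly alerted on
    fp: int  # benign flows wrongly alerted on (false alarms)
    tn: int  # benign flows correctly passed
    fn: int  # attack flows missed


def confusion_matrix(y_true: Sequence[int], y_pred: Sequence[int]) -> ConfusionMatrix:
    """Count a detector's verdicts against ground-truth labels."""
    if len(y_true) != len(y_pred):
        raise ValueError("labels and verdicts differ in length")
    tp = fp = tn = fn = 0
    for truth, verdict in zip(y_true, y_pred):
        if truth == ATTACK:
            if verdict == ATTACK:
                tp += 1
            else:
                fn += 1
        elif verdict == ATTACK:
            fp += 1
        else:
            tn += 1
    return ConfusionMatrix(tp, fp, tn, fn)


def _ratio(num: float, den: float) -> float:
    # A detector that never alerts has TP + FP == 0; report 0.0 rather than divide by zero.
    return num / den if den else 0.0


def ids_metrics(cm: ConfusionMatrix) -> Dict[str, float]:
    """The measures reported in the strategy tables above, from one confusion matrix."""
    total = cm.tp + cm.fp + cm.tn + cm.fn
    precision = _ratio(cm.tp, cm.tp + cm.fp)
    recall = _ratio(cm.tp, cm.tp + cm.fn)  # TPR / detection rate
    return {
        "accuracy": _ratio(cm.tp + cm.tn, total),
        "precision": precision,
        "recall": recall,
        "specificity": _ratio(cm.tn, cm.tn + cm.fp),  # TNR: benign traffic correctly passed
        "fpr": _ratio(cm.fp, cm.fp + cm.tn),  # false-alarm rate, equals 1 - specificity
        "f1": _ratio(2 * precision * recall, precision + recall),
    }


def imbalance_demo() -> Tuple[Dict[str, float], Dict[str, float]]:
    """Constructed sample: 5 attack flows hidden among 95 benign ones.

    Compares a 'silent' detector that never alerts with a working detector that
    catches 4 of the 5 attacks at the cost of 3 false alarms.
    """
    y_true = [ATTACK] * 5 + [BENIGN] * 95
    silent = [BENIGN] * 100
    working = [ATTACK] * 4 + [BENIGN] + [ATTACK] * 3 + [BENIGN] * 92
    return (
        ids_metrics(confusion_matrix(y_true, silent)),
        ids_metrics(confusion_matrix(y_true, working)),
    )


if __name__ == "__main__":
    for name, metrics in zip(("silent detector", "working detector"), imbalance_demo()):
        print(name, {k: round(v, 3) for k, v in metrics.items()})
```

On this sample the silent detector scores 0.95 accuracy with zero recall and zero F1, while the working detector scores only marginally higher accuracy (0.96) but 0.8 recall and an F1 of 2/3. That gap is why the tables that report Recall, Specificity or FPR alongside Accuracy are more informative than those reporting Accuracy alone.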
6. Discussion and Future Research Directions
6.1. Discussion
6.2. Future Research Directions
7. Conclusions
References
1. Tawalbeh, L.; Muheidat, F.; Tawalbeh, M.; Quwaider, M. IoT Privacy and Security: Challenges and Solutions. Appl. Sci. 2020, 10, 4102.
2. Litoussi, M.; Kannouf, N.; El Makkaoui, K.; Ezzati, A.; Fartitchou, M. IoT security: Challenges and countermeasures. Procedia Comput. Sci. 2020, 177, 503–508.
3. Sethi, P.; Sarangi, S.R. Internet of Things: Architectures, Protocols, and Applications. J. Electr. Comput. Eng. 2017, 2017, 9324035.
4. Lombardi, M.; Pascale, F.; Santaniello, D. Internet of Things: A General Overview between Architectures, Protocols and Applications. Information 2021, 12, 87.
5. Krishna, R.R.; Priyadarshini, A.; Jha, A.V.; Appasani, B.; Srinivasulu, A.; Bizon, N. State-of-the-art review on IoT threats and attacks: Taxonomy, challenges and solutions. Sustainability 2021, 13, 9463.
6. Touqeer, H.; Zaman, S.; Amin, R.; Hussain, M.; Al-Turjman, F.; Bilal, M. Smart home security: Challenges, issues and solutions at different IoT layers. J. Supercomput. 2021, 77, 14053–14089.
7. Thakkar, A.; Lohiya, R. A survey on intrusion detection system: Feature selection, model, performance measures, application perspective, challenges, and future research directions. Artif. Intell. Rev. 2022, 55, 453–563.
8. Heidari, A.; Jabraeil Jamali, M.A. Internet of Things intrusion detection systems: A comprehensive review and future directions. Clust. Comput. 2022, 26, 3753–3780.
9. Fernandes, G.; Rodrigues, J.J.; Carvalho, L.F.; Al-Muhtadi, J.F.; Proença, M.L. A comprehensive survey on network anomaly detection. Telecommun. Syst. 2019, 70, 447–489.
10. Khraisat, A.; Alazab, A. A critical review of intrusion detection systems in the Internet of things: Techniques, deployment strategy, validation strategy, attacks, public datasets and challenges. Cybersecurity 2021, 4, 1–27.
11. Alghanmi, N.; Alotaibi, R.; Buhari, S.M. Machine learning approaches for anomaly detection in IoT: An overview and future research directions. Wirel. Pers. Commun. 2022, 122, 2309–2324.
12. Ahmad, Z.; Khan, A.S.; Shiang, C.W.; Abdullah, J.; Ahmad, F. Network intrusion detection system: A systematic study of machine learning and deep learning approaches. Trans. Emerg. Telecommun. Technol. 2021, 32, e4150.
13. Umer, M.A.; Junejo, K.N.; Jilani, M.T.; Mathur, A.P. Machine learning for intrusion detection in industrial control systems: Applications, challenges, and recommendations. Int. J. Crit. Infrastruct. Prot. 2022, 38, 100516.
14. Nweke, L.O. A survey of specification-based intrusion detection techniques for cyber-physical systems. Int. J. Adv. Comput. Sci. Appl. 2021, 12, 37–45.
15. Zarpelão, B.B.; Miani, R.S.; Kawakani, C.T.; de Alvarenga, S.C. A survey of intrusion detection in Internet of Things. J. Netw. Comput. Appl. 2017, 84, 25–37.
16. Martins, I.; Resende, J.S.; Sousa, P.R.; Silva, S.; Antunes, L.; Gama, J. Host-based IDS: A review and open issues of an anomaly detection system in IoT. Future Gener. Comput. Syst. 2022, 133, 95–113.
17. Gendreau, A.A.; Moorman, M. Survey of intrusion detection systems towards an end-to-end secure Internet of things. In Proceedings of the 2016 IEEE 4th International Conference on Future Internet of things and Cloud (FiCloud), Vienna, Austria, 22–24 August 2016; pp. 84–90.
18. Jamalipour, A.; Murali, S. A Taxonomy of Machine-Learning-Based Intrusion Detection Systems for the Internet of Things: A Survey. IEEE Internet Things J. 2021, 9, 9444–9466.
19. Singh, G.; Khare, N. A survey of intrusion detection from the perspective of intrusion datasets and machine learning techniques. Int. J. Comput. Appl. 2022, 44, 659–669.
20. Adat, V.; Gupta, B.B. Security in Internet of Things: Issues, challenges, taxonomy, and architecture. Telecommun. Syst. 2018, 67, 423–441.
21. Neshenko, N.; Bou-Harb, E.; Crichigno, J.; Kaddoum, G.; Ghani, N. Demystifying IoT security: An exhaustive survey on IoT vulnerabilities and a first empirical look on internet-scale IoT exploitations. IEEE Commun. Surv. Tutor. 2019, 21, 2702–2733.
22. Elrawy, M.F.; Awad, A.I.; Hamed, H.F. Intrusion detection systems for IoT-based smart environments: A survey. J. Cloud Comput. 2018, 7, 21.
23. Albulayhi, K.; Smadi, A.A.; Sheldon, F.T.; Abercrombie, R.K. IoT Intrusion Detection Taxonomy, Reference Architecture, and Analyses. Sensors 2021, 21, 6432.
24. Petersen, K.; Vakkalanka, S.; Kuzniar, L. Guidelines for conducting systematic mapping studies in software engineering: An update. Inf. Softw. Technol. 2015, 64, 1–18.
25. Kitchenham, B.; Brereton, O.P.; Budgen, D.; Turner, M.; Bailey, J.; Linkman, S. Systematic literature reviews in software engineering: a systematic literature review. Inf. Softw. Technol. 2009, 51, 7–15.
26. Maseer, Z.K.; Yusof, R.; Mostafa, S.A.; Bahaman, N.; Musa, O.; Al-Rimy, B.A.S. DeepIoT.IDS: Hybrid deep learning for enhancing IoT network intrusion detection. Comput. Mater. Contin. 2021, 69, 3945–3966.
27. Syamsuddin, I.; Barukab, O.M. SUKRY: Suricata IDS with Enhanced kNN Algorithm on Raspberry Pi for Classifying IoT Botnet Attacks. Electronics 2022, 11, 737.
28. Dina, A.S.; Siddique, A.B.; Manivannan, D. A deep learning approach for intrusion detection in Internet of Things using focal loss function. Internet Things 2023, 22, 100699.
29. Selvapandian, D.; Santhosh, R. Deep learning approach for intrusion detection in IoT-multi cloud environment. Autom. Softw. Eng. 2021, 28, 19.
30. Derhab, A.; Guerroumi, M.; Gumaei, A.; Maglaras, L.; Ferrag, M.A.; Mukherjee, M.; Khan, F.A. Blockchain and Random Subspace Learning-Based IDS for SDN-Enabled Industrial IoT Security. Sensors 2019, 19, 3119.
31. Duraisamy, A.; Subramaniam, M.; Robin, C.R.R. An Optimized Deep Learning Based Security Enhancement and Attack Detection on IoT Using IDS and KH-AES for Smart Cities. Stud. Inform. Control 2021, 30, 121–131.
32. Bhale, P.; Chowdhury, D.R.; Biswas, S.; Nandi, S. OPTIMIST: Lightweight and Transparent IDS With Optimum Placement Strategy to Mitigate Mixed-Rate DDoS Attacks in IoT Networks. IEEE Internet Things J. 2023, 10, 8357–8370.
33. Zeghida, H.; Boulaiche, M.; Chikh, R. Securing MQTT protocol for IoT environment using IDS based on ensemble learning. Int. J. Inf. Secur. 2023, 22, 1075–1086.
34. Morales-Molina, C.D.; Hernandez-Suarez, A.; Sanchez-Perez, G.; Toscano-Medina, L.K.; Perez-Meana, H.; Olivares-Mercado, J.; Portillo-Portillo, J.; Sanchez, V.; Garcia-Villalba, L.J. A Dense Neural Network Approach for Detecting Clone ID Attacks on the RPL Protocol of the IoT. Sensors 2021, 21, 3173.
35. Otoum, Y.; Nayak, A. AS-IDS: Anomaly and Signature Based IDS for the Internet of Things. J. Netw. Syst. Manag. 2021, 29, 23.
36. Abdollahi, A.; Fathi, M. An intrusion detection system on ping of death attacks in IoT networks. Wirel. Pers. Commun. 2020, 112, 2057–2070.
37. Hosen, A.S.; Singh, S.; Mariappan, V.; Kaur, M.; Cho, G.H. A secure and privacy-preserving partial deterministic RWP model to reduce overlapping in IoT sensing environment. IEEE Access 2019, 7, 39702–39716.
38. Okey, O.D.; Melgarejo, D.C.; Saadi, M.; Rosa, R.L.; Kleinschmidt, J.H.; Rodríguez, D.Z. Transfer Learning Approach to IDS on Cloud IoT Devices Using Optimized CNN. IEEE Access 2023, 11, 1023–1038.
39. Alhowaide, A.; Alsmadi, I.; Tang, J. Ensemble Detection Model for IoT IDS. Internet Things 2021, 16, 2542–6605.
40. Tyagi, H.; Kumar, R. Attack and Anomaly Detection in IoT Networks Using Supervised Machine Learning Approaches. Rev. d’Intell. Artif. 2021, 35, 11–21.
41. Li, B.; Wu, Y.; Song, J.; Lu, R.; Li, T.; Zhao, L. DeepFed: Federated deep learning for intrusion detection in industrial cyber–physical systems. IEEE Trans. Ind. Inf. 2020, 17, 5615–5624.
42. Mothukuri, V.; Khare, P.; Parizi, R.M.; Pouriyeh, S.; Dehghantanha, A.; Srivastava, G. Federated-Learning-Based Anomaly Detection for IoT Security Attacks. IEEE Internet Things J. 2022, 9, 2545–2554.
43. Khan, I.A.; Moustafa, N.; Pi, D.; Hussain, Y.; Khan, N.A. DFF-SC4N: A Deep Federated Defence Framework for Protecting Supply Chain 4.0 Networks. IEEE Trans. Ind. Inform. 2023, 19, 3300–3309.
44. Zhang, W.; Lu, Q.; Yu, Q.; Li, Z.; Liu, Y.; Lo, S.K.; Chen, S.; Xu, X.; Zhu, L. Blockchain-based federated learning for device failure detection in industrial IoT. IEEE Internet Things J. 2020, 8, 5926–5937.
45. Taheri, R.; Shojafar, M.; Alazab, M.; Tafazolli, R. Fed-IIoT: A Robust Federated Malware Detection Architecture in Industrial IoT. IEEE Trans. Ind. Inform. 2021, 17, 8442–8452.
46. Song, Y.; Liu, T.; Wei, T.; Wang, X.; Tao, Z.; Chen, M. FDA3: Federated Defense Against Adversarial Attacks for Cloud-Based IIoT Applications. IEEE Trans. Ind. Inform. 2021, 17, 7830–7838.
47. Ravi, N.; Shalinie, S.M. Semisupervised-learning-based security to detect and mitigate intrusions in IoT network. IEEE Internet Things J. 2020, 7, 11041–11052.
48. Yılmaz, S.; Aydogan, E.; Sen, S. A transfer learning approach for securing resource-constrained IoT devices. IEEE Trans. Inf. Forensic Secur. 2021, 16, 4405–4418.
49. Kumar, R.; Kumar, P.; Tripathi, R.; Gupta, G.P.; Garg, S.; Hassan, M.M. A distributed intrusion detection system to detect DDoS attacks in blockchain-enabled IoT network. J. Parallel Distrib. Comput. 2022, 164, 55–68.
50. Tabassum, A.; Erbad, A.; Lebda, W.; Mohamed, A.; Guizani, M. FEDGAN-IDS: Privacy-preserving IDS using GAN and Federated Learning. Comput. Commun. 2022, 192, 299–310.
51. Hao, M.; Li, H.; Luo, X.; Xu, G.; Yang, H.; Liu, S. Efficient and Privacy-Enhanced Federated Learning for Industrial Artificial Intelligence. IEEE Trans. Ind. Inform. 2020, 16, 6532–6542.
52. Cui, L.; Qu, Y.; Xie, G.; Zeng, D.; Li, R.; Shen, S.; Yu, S. Security and Privacy-Enhanced Federated Learning for Anomaly Detection in IoT Infrastructures. IEEE Trans. Ind. Inform. 2022, 18, 3492–3500.
53. Eskandari, M.; Janjua, Z.H.; Vecchio, M.; Antonelli, F. Passban IDS: An Intelligent Anomaly-Based Intrusion Detection System for IoT Edge Devices. IEEE Internet Things J. 2020, 7, 6882–6897.
54. Liu, Z.; Thapa, N.; Shaver, A.; Roy, K.; Siddula, M.; Yuan, X.; Yu, A. Using Embedded Feature Selection and CNN for Classification on CCD-INID-V1—A New IoT Dataset. Sensors 2021, 21, 4834.
55. Gassais, R.; Ezzati-Jivan, N.; Fernandez, J.M.; Aloise, D.; Dagenais, M.R. Multi-level host-based intrusion detection system for Internet of Things. J. Cloud Comput. 2020, 9, 62.
56. Babu, M.J.; Reddy, A.R. SH-IDS: Specification Heuristics Based Intrusion Detection System for IoT Networks. Wirel. Pers. Commun. 2020, 112, 2023–2045.
57. Kaushik, S.; Bhardwaj, A.; Alomari, A.; Bharany, S.; Alsirhani, A.; Mujib Alshahrani, M. Efficient, Lightweight Cyber Intrusion Detection System for IoT Ecosystems Using MI2G Algorithm. Computers 2022, 11, 142.
58. Anthi, E.; Williams, L.; Słowińska, M.; Theodorakopoulos, G.; Burnap, P. A supervised intrusion detection system for smart home IoT devices. IEEE Internet Things J. 2019, 6, 9042–9053.
59. Khraisat, A.; Gondal, I.; Vamplew, P.; Kamruzzaman, J.; Alazab, A. A novel ensemble of hybrid intrusion detection system for detecting Internet of Things attacks. Electronics 2019, 8, 1210.
60. Marabissi, D.; Mucchi, L.; Stomaci, A. IoT nodes authentication and ID spoofing detection based on joint use of physical layer security and machine learning. Future Internet 2022, 14, 61.
61. Santos, L.; Gonçalves, R.; Rabadao, C.; Martins, J. A flow-based intrusion detection framework for Internet of Things networks. Clust. Comput. 2021, 26, 37–57.
62. Agyemang, J.O.; Kponyo, J.J.; Klogo, G.S.; Boateng, J.O. Lightweight rogue access point detection algorithm for WiFi-enabled Internet of Things (IoT) devices. Internet Things 2020, 11, 100200.
63. Violettas, G.; Simoglou, G.; Petridou, S.; Mamatas, L. A softwarized intrusion detection system for the RPL-based Internet of Things networks. Future Gener. Comput. Syst. 2021, 125, 698–714.
64. Bostani, H.; Sheikhan, M. Hybrid of anomaly-based and specification-based IDS for Internet of Things using unsupervised OPF based on MapReduce approach. Comput. Commun. 2017, 98, 52–71.
65. Facchini, S.; Giorgi, G.; Saracino, A.; Dini, G. Multi-level Distributed Intrusion Detection System for an IoT based Smart Home Environment. In Proceedings of the ICISSP, Valletta, Malta, 25–27 February 2020; pp. 705–712.
66. Alghamdi, R.; Bellaiche, M. An ensemble deep learning based IDS for IoT using Lambda architecture. Cybersecurity 2023, 6, 5.
67. Khan, M.A.; Khan, M.A.; Jan, S.U.; Ahmad, J.; Jamal, S.S.; Shah, A.A.; Pitropakis, N.; Buchanan, W.J. A Deep Learning-Based Intrusion Detection System for MQTT Enabled IoT. Sensors 2021, 21, 7016.
68. Saqib, M.; Jasra, B.; Moon, A.H. A lightweight three-factor authentication framework for IoT-based critical applications. J. King Saud Univ. Comput. Inf. Sci. 2022, 34, 6925–6937.
69. Savitha, M.M.; Basarkod, P.I. Securing AMI-IoT networks against multiple RPL attacks using ensemble learning IDS and light-chain based prediction detection and mitigation mechanisms. Inf. Secur. J. A Glob. Perspect. 2023, 33, 73–95.
70. Raza, S.; Wallgren, L.; Voigt, T. SVELTE: Real-time intrusion detection in the Internet of Things. Ad Hoc Netw. 2013, 11, 2661–2674.
71. Paudel, R.; Muncy, T.; Eberle, W. Detecting DoS attack in smart home IoT devices using a graph-based approach. In Proceedings of the 2019 IEEE International Conference on Big Data (Big Data), Los Angeles, CA, USA, 9–12 December 2019; pp. 5249–5258.
72. Katib, I.; Ragab, M. Blockchain-Assisted Hybrid Harris Hawks Optimization Based Deep DDoS Attack Detection in the IoT Environment. Mathematics 2023, 11, 1887.
73. Ashraf, J.; Keshk, M.; Moustafa, N.; Abdel-Basset, M.; Khurshid, H.; Bakhshi, A.D.; Mostafa, R.R. IoTBoT-IDS: A novel statistical learning-enabled botnet detection framework for protecting networks of smart cities. Sustain. Cities Soc. 2021, 72, 103041.
74. El Houda, Z.A.; Hafid, A.; Khoukhi, L. Co-IoT: A Collaborative DDoS Mitigation Scheme in IoT Environment Based on Blockchain Using SDN. In Proceedings of the 2019 IEEE Global Communications Conference (GLOBECOM), Waikoloa, HI, USA, 9–13 December 2019; pp. 1–6.
75. Alzahrani, R.J.; Alzahrani, A. A Novel Multi-Algorithm Approach to Identify Network Anomalies in the IoT Using Fog Computing and a Model to Distinguish between IoT and Non-IoT Devices. J. Sens. Actuator Netw. 2023, 12, 19.
76. Kumar, D.; Pateriya, R.K.; Gupta, R.K.; Dehalwar, V.; Sharma, A. DDoS Detection using Deep Learning. Procedia Comput. Sci. 2023, 218, 2420–2429.
77. Shanmuganathan, V.; Suresh, A. LSTM-Markov based efficient anomaly detection algorithm for IoT environment. Appl. Soft Comput. 2023, 136, 110054.
78. Sankaran, K.S.; Kim, B. Deep learning based energy efficient optimal RMC-CNN model for secured data transmission and anomaly detection in industrial IoT. Sustain. Energy Technol. Assess. 2023, 56, 102983.
79. Sharmila, B.S.; Rohini, N. P-DNN: Parallel DNN based IDS framework for the detection of IoT vulnerabilities. Secur. Priv. 2023, 7, e330.
80. Yang, J.; Li, T.; Liang, G.; Wang, Y.; Gao, T.; Zhu, F. Spam transaction attack detection model based on GRU and WGAN-div. Comput. Commun. 2020, 161, 172–182.
81. Wazirali, R. An improved intrusion detection system based on KNN hyperparameter tuning and cross-validation. Arab. J. Sci. Eng. 2020, 45, 10859–10873.
82. Friha, O.; Ferrag, M.A.; Benbouzid, M.; Berghout, T.; Kantarci, B.; Choo, K.R. 2DF-IDS: Decentralized and differentially private federated learning-based intrusion detection system for industrial IoT. Comput. Secur. 2023, 127, 103097.
83. Alohali, M.A.; Elsadig, M.; Al-Wesabi, F.N.; Al Duhayyim, M.; Hilal, A.M.; Motwakel, A. Swarm intelligence for IoT attack detection in the fog-enabled cyber-physical system. Comput. Electr. Eng. 2023, 108, 108676.
84. Li, W.; Wang, Y.; Li, J. A blockchain-enabled collaborative intrusion detection framework for SDN-assisted cyber-physical systems. Int. J. Inf. Secur. 2023, 22, 1219–1230.
85. Deebak, B.D.; Al-Turjman, F. A hybrid secure routing and monitoring mechanism in IoT-based wireless sensor networks. Ad Hoc Netw. 2020, 97, 102022.
86. Hodo, E.; Bellekens, X.; Hamilton, A.; Dubouilh, P.-L.; Iorkyase, E.; Tachtatzis, C.; Atkinson, R. Threat analysis of IoT networks using artificial neural network intrusion detection system. In Proceedings of the 2016 International Symposium on Networks, Computers and Communications (ISNCC), Hammamet, Tunisia, 11–13 May 2016; pp. 1–6.
87. He, F.; Tong, F.; Zhang, Y. A Bi-Layer Intrusion Detection Based on Device Behavior Profiling for Smart Home IoT. In Proceedings of the 2022 IEEE 19th International Conference on Mobile Ad Hoc and Smart Systems (MASS), Denver, CO, USA, 19–23 October 2022; pp. 373–379.
88. Sarwar, A.; Alnajim, A.M.; Marwat, S.N.K.; Ahmed, S.; Alyahya, S.; Khan, W.U. Enhanced Anomaly Detection System for IoT Based on Improved Dynamic SBPSO. Sensors 2022, 22, 4926.
89. Amouri, A.; Alaparthy, V.T.; Morgera, S.D. A Machine Learning Based Intrusion Detection System for Mobile Internet of Things. Sensors 2020, 20, 461.
90. Ramana, K.; Revathi, A.; Gayathri, A.; Jhaveri, R.H.; Narayana, C.V.L.; Kumar, B.N. WOGRU-IDS—An intelligent intrusion detection system for IoT assisted Wireless Sensor Networks. Comput. Commun. 2022, 196, 195–206.
91. Shurman, M.M.; Khrais, R.; Yateem, A.A. DoS and DDoS attack detection using deep learning and IDS. Int. Arab. J. Inf. Technol. 2020, 17, 655–661.
92. Sabitha, R.; Gopikrishnan, S.; Bejoy, B.J.; Anusuya, V.; Saravanan, V. Network-Based Detection of IoT Attack Using AIS-IDS Model. Wirel. Pers. Commun. 2023, 128, 1543–1566.
93. Zhou, M.; Han, L.; Lu, H.; Fu, C. Intrusion Detection System for IoT Heterogeneous Perceptual Network. Mob. Netw. Appl. 2021, 26, 1461–1474.
94. Babu, E.S.; BKN, S.; Nayak, S.R.; Verma, A.; Alqahtani, F.; Tolba, A.; Mukherjee, A. Blockchain-based Intrusion Detection System of IoT urban data with device authentication against DDoS attacks. Comput. Electr. Eng. 2022, 103, 108287.
95. Nguyen, T.D.; Marchal, S.; Miettinen, M.; Fereidooni, H.; Asokan, N.; Sadeghi, A.-R. DÏoT: A Federated Self-learning Anomaly Detection System for IoT. In Proceedings of the 2019 IEEE 39th International Conference on Distributed Computing Systems, Dallas, TX, USA, 7–10 July 2019.
96. Chauhan, S.; Gangopadhyay, S.; Gangopadhyay, A.K. Intrusion Detection System for IoT Using Logical Analysis of Data and Information Gain Ratio. Cryptography 2022, 6, 62.
97. James, F. IoT cybersecurity based smart home intrusion prevention system. In Proceedings of the 2019 3rd Cyber Security in Networking Conference (CSNet), Quito, Ecuador, 23–25 October 2019; pp. 107–113.
98. Sharma, P.K.; Singh, S.; Jeong, Y.-S.; Park, J.H. DistBlockNet: A distributed blockchains-based secure SDN architecture for IoT networks. IEEE Commun. Mag. 2017, 55, 78–85.
99. Rani, S.; Babbar, H.; Srivastava, G.; Gadekallu, T.R.; Dhiman, G. Security Framework for Internet of Things based Software Defined Networks using Blockchain. IEEE Internet Things J. 2022, 10, 6074–6081.
100. Ribera, E.G.; Alvarez, B.M.; Samuel, C.; Ioulianou, P.P.; Vassilakis, V.G. An Intrusion Detection System for RPL-Based IoT Networks. Electronics 2022, 11, 4041.
Attack | Description | Perception Layer | Network Layer | Processing Layer | Application Layer |
---|---|---|---|---|---|
DoS/DDoS | Overwhelm network bandwidth or exhaust computational resources. Can be launched from single and multiple sources, respectively. | X | X | X | X |
Botnets | Use compromised devices in the network layer to launch coordinated attacks on other targets. | X | X | X | |
MitM | Intercept, alter, or redirect data packets in transit. | X | |||
Spoofing | Impersonate legitimate devices or their data, servers, or users, or possibly bypass authentication or authorization mechanisms. | X | X | ||
Code injection | Exploit vulnerabilities or inject malicious code into devices or servers. | X | X | ||
Replay | Capture and resend valid data packets or commands sent between IoT devices and their servers, resulting in unwanted or undesirable actions or possibly bypassing authentication or authorization mechanisms. | X | X | ||
APTs | Use stealthy and sophisticated methods to infiltrate and persist in specific devices or networks for a long period. | X | X | X | X |
Encryption | Compromise the confidentiality or integrity of data or devices by targeting the encryption mechanisms or keys used by devices to decrypt, modify, or forge data. | X | X | X | X |
Side-channel | Exploit the physical features or behaviours of devices or servers, including power consumption, timing, etc., to extract sensitive information such as encryption keys, passwords, etc. | X | X | ||
Sybil | Create multiple fake identities or nodes to influence its operation, such as routing, consensus, reputation mechanisms, etc. | X | X | ||
Eavesdropping | Intercept or monitor data packets in transit of devices, thereby compromising the confidentiality, privacy, or integrity of the data owners or users or revealing sensitive information. | X | X | ||
Jamming attacks | Interfere with wireless communication by creating noise or signals that interrupt the frequency or channel as well as degrade the performance, availability, reliability, etc. | X | X | ||
Sinkhole | Attract network traffic to a compromised node and then drop or modify the packets. | X | X | ||
Wormhole | Create a tunnel between two malicious nodes and then relay packets through it to interrupt the routing, topology, and trust mechanisms or launch other attacks. | X | X | ||
Ransomware | Encrypt IoT devices’ data and functionality and demand a ransom for their restoration. | X | X ||
Blackhole | Interrupt the regular flow of data and drop all packets received by a malicious node. | X | X | ||
Flooding | Send many packets to a target node and cause congestion or overload. | X | X | ||
MQTT | Exploit vulnerabilities in the MQTT protocol used for communication between devices and applications. | X | X | ||
RF | Manipulate RF signals used by devices to cause interference or spoofing. | X ||||
Denial of sleep | Prevent devices from entering low-power sleep mode, draining their batteries. | X | X ||
Firmware and software vulnerabilities | Expose devices or servers to various types of attacks by exploiting bugs or flaws in their firmware or software. | X | X ||
Resource exhaustion | Deplete the resources of devices or servers such as memory, CPU, battery, etc., and degrade their performance. | X | X |
© 2024 by the authors. Licensee MDPI, Basel, Switzerland. This article is an open access article distributed under the terms and conditions of the Creative Commons Attribution (CC BY) license (https://creativecommons.org/licenses/by/4.0/).
Isong, B.; Kgote, O.; Abu-Mahfouz, A. Insights into Modern Intrusion Detection Strategies for Internet of Things Ecosystems. Electronics 2024, 13, 2370. https://doi.org/10.3390/electronics13122370