3.3.1. Entropy-Based Detection Method
Conventionally, entropy assesses the degree of information uncertainty and has been successfully used to calculate the randomness of datasets [61]. Low entropy levels represent the concentration of a distribution, whereas high entropy levels represent a more dispersed probability distribution. Entropy has been suggested as a useful tool for analysing traffic distributions in a number of recent studies [61,62,63,64]. These studies have described its application to detect attacks in IoT and SDN networks. This method calculates the entropy by analysing the distribution of features in traffic packets, like source IP, destination IP, flow count, and port numbers. The presence of anomalies in these features is then localized by comparing the entropy values against a predetermined threshold. A sudden shift in entropy levels is typically a potential sign that a DDoS attack may have taken place. Entropy dramatically decreases in the presence of an attack because one flow count dominates. It was discovered in the research studies conducted by Ozcelik and Brooks [65] that the degree to which the entropy changes during these attacks depends on the observed packet header field. While the entropy of the source IP increases due to an attack, the entropy of the destination IP decreases. Entropy will be constant in the absence of an attack. A typical framework for an entropy-based approach to detecting DDoS attacks is shown in Figure 9.
In Figure 9, for each packet of traffic at time slot t, the IP addresses of each packet are extracted and batched in accordance with the source IP addresses. If X represents a random variable that denotes the extracted IP, then the probability of occurrence of each batch P(x_i) and the overall entropy H(X) are estimated as follows:
Entropy is computed using Shannon’s entropy theory and compared to a pre-defined threshold T. An attack alarm is then raised if H(X) is greater than T, as illustrated in (9):
Gaurav et al. [63] included a packet discarding process in the traditional entropy-based framework in Figure 9. When a DDoS warning occurs during this process, all the packets with the highest P(x_i) are blacklisted and are subsequently regarded as malicious packets in the following time frame. Newly arriving packets are discarded if their IP address is on the blacklist. Otherwise, a new group of IP addresses is created, and the entropy value is calculated and compared to the threshold. The batch with the highest likelihood of occurrence is identified, and all the IP addresses in this batch are blacklisted once the entropy is above the threshold.
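The Figure 9 pipeline with the blacklist step of Gaurav et al., as an added example that is not code from the survey or from the cited papers. It assumes that the alarm fires on a shift of the per-slot entropy away from a baseline learnt from one attack-free slot, for either the source-IP or destination-IP field (the direction of change differs per field, as Ozcelik and Brooks observed); the traffic, IP ranges and threshold are constructed.

```python
import math
from collections import Counter


def batch_probabilities(values):
    """P(x_i): fraction of the slot's packets that fall in batch x_i."""
    counts = Counter(values)
    n = len(values)
    return {v: c / n for v, c in counts.items()}


def shannon_entropy(values):
    """Shannon entropy H(X) = -sum_i P(x_i) log2 P(x_i); an empty slot scores 0."""
    if not values:
        return 0.0
    return -sum(p * math.log2(p) for p in batch_probabilities(values).values())


class EntropyDetector:
    """Per-slot entropy check (Figure 9) plus the blacklist step of Gaurav et al.

    Assumption: the alarm fires when the source-IP or destination-IP entropy of the
    slot moves more than `threshold` away from the baseline learnt from one clean slot.
    """

    def __init__(self, baseline_slot, threshold):
        self.h_src_base = shannon_entropy([s for s, _ in baseline_slot])
        self.h_dst_base = shannon_entropy([d for _, d in baseline_slot])
        self.threshold = threshold
        self.blacklist = set()

    def process_slot(self, packets):
        # Packets whose source IP was blacklisted in an earlier slot are discarded.
        kept = [(s, d) for s, d in packets if s not in self.blacklist]
        discarded = len(packets) - len(kept)
        srcs = [s for s, _ in kept]
        h_src = shannon_entropy(srcs)
        h_dst = shannon_entropy([d for _, d in kept])
        alarm = (abs(h_src - self.h_src_base) > self.threshold
                 or abs(h_dst - self.h_dst_base) > self.threshold)
        newly_blacklisted = None
        if alarm and srcs:
            # Gaurav et al.: the batch with the highest P(x_i) is blacklisted.
            probs = batch_probabilities(srcs)
            newly_blacklisted = max(probs, key=probs.get)
            self.blacklist.add(newly_blacklisted)
        return {"h_src": round(h_src, 4), "h_dst": round(h_dst, 4),
                "alarm": alarm, "discarded": discarded,
                "blacklisted": newly_blacklisted}


# Constructed traffic using documentation address ranges, not real hosts.
LEGIT_CLIENTS = [f"198.51.100.{i}" for i in range(1, 11)]
SERVERS = [f"203.0.113.{i}" for i in range(1, 6)]
BOT, VICTIM = "192.0.2.66", "203.0.113.1"


def legit_slot(packets_per_client):
    """Each client sends a few packets spread round-robin over the servers."""
    pkts = []
    for i, src in enumerate(LEGIT_CLIENTS):
        for j in range(packets_per_client):
            pkts.append((src, SERVERS[(i + j) % len(SERVERS)]))
    return pkts


def run_demo(threshold=0.5):
    """Three consecutive time slots: clean, a flood from one bot, the same flood again."""
    detector = EntropyDetector(legit_slot(2), threshold)
    flood = legit_slot(1) + [(BOT, VICTIM)] * 30
    return [detector.process_slot(legit_slot(2)),
            detector.process_slot(flood),
            detector.process_slot(flood)]


if __name__ == "__main__":
    for slot_no, result in enumerate(run_demo(), 1):
        print(slot_no, result)
```

In the second slot one source carries 75% of the packets, so both field entropies drop, the bot is blacklisted, and in the third slot its packets are discarded before the entropy is recomputed.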
Advancing the studies in [63], the authors in [64] utilized clustering and packet scoring methods to detect and discard malicious requests. In this approach, the change during a DDoS attack is represented by a monotonically increasing convex function following Jensen’s inequality using (10) [64]:
In (10), H[x] is the anticipated value of the convex function. Therefore, it is expected that the cluster entropy of legitimate traffic will be lower than that of a DDoS attack. Thus, the following inequality arises:
In (11), H(X_NT) is the cluster entropy during normal traffic, whereas H(X_AT) is that due to attack traffic. In this method, the cluster entropy is contrasted against a threshold, and, if it is above the threshold, then packet scoring methods are used to discard the blacklisted packets, where the score of each packet, P_sc, is estimated using (12) [64]:
where the following holds:
In (13), P_ti is the number of incoming traffic packets at time slot t, P_T is the aggregated number of packets, and n is the number of packets arriving during the time slot. The approach was implemented using OMNeT++ and achieved high precision, which means that attack traffic is accurately detected.
Giotis et al. [61] implemented an entropy-based approach proposed by [65] for the detection of attacks using flow-based features. Anomalies are detected using pre-established thresholds based on variations in the entropy levels. For portscan, DDoS, and worm attacks, evaluation results demonstrate that good detection accuracy is attained despite having 23%, 27%, and 34% false positive rates, respectively. A three-module detection system using joint entropy metrics was also suggested by the authors in [66]. The detection system has a module for handling incoming traffic, after which the entropy calculator module evaluates the entropy of the packet features. The detection module, which evaluates the estimated entropy against a threshold, makes up the third component. If the estimated entropy exceeds the threshold, an attack alarm is raised, as considered in [61,62,63,64,65]. The method was successfully tested on the DARPA’99, 2009, and current CICDDoS2019 datasets. The use of a static threshold limits its applicability to real-world packets with fluctuating traffic. The threshold chosen has a significant impact on how well entropy-based approaches function: the effectiveness of any entropy-based solution for DDoS attack detection depends greatly on the threshold value chosen, and a static threshold might not always produce the correct results. The threshold value must be updated according to the incoming packet traffic conditions. Thus, David and Thomas [67] proposed an adaptive threshold algorithm and fast entropy computation method for flooding attack detection using the flow count feature. In this method, fast entropy is computed during each time slot using (14) [67]:
where the following definition is necessary:
Additionally, the mean μ_t and standard deviation δ of the flow count during time slot t are computed, and the difference between the mean and the fast entropy is estimated using (16) [67]:
The adaptive threshold algorithm then raises an alarm by checking the difference D(i,t), as shown in (16). If D(i,t) > βδ, the traffic is treated as attack traffic and a DDoS attack alarm is raised; otherwise, the traffic is treated as normal, and the value of is updated. The adaptive threshold β value takes the following form [67]:
The results obtained demonstrate that using a threshold that is adaptively adjusted based on the conditions of the traffic pattern increases detection accuracy. However, the processing time increases. Additionally, the efficacy of this strategy is called into doubt when numerous slow-rate DDoS attacks with various source IP addresses surface. An updated study by the same author is presented in [68]. In this study, DDoS attacks were detected using dynamic thresholding on flow-based features. Different traffic features were extracted in relation to packet amount, source IP, destination IP, and protocol, and then four attributes were calculated based on DDoS characteristics. Experimental observation showed that, during a DDoS attack, the estimated attribute values are extremely high. The entropy of the four attributes is compared to a threshold value, and a DDoS attack is considered to have occurred when it surpasses the threshold. The threshold is estimated in a similar manner to the research study in [67]. The threshold values are updated on a regular basis and change depending on the state of the network. Though the false positive rate was not examined, the method has a relatively high detection rate.
Most entropy-based attack detection studies that have been conducted so far [61,62,63,64,65,66,67] rely on a few entropy-based features, which may limit the type of attack that may be detected as well as the accuracy. To overcome this issue, some other studies [69,70,71] have considered using multi-entropy features. Winter et al. [69] estimated the entropy across five flow parameters, including source and destination IPs, ports, and packets-per-flow. The outcomes demonstrate that the suggested approach can identify large alterations in network entropy time series. Although multiple features were considered, the mix of features employed is still straightforward and not comprehensive enough for practical application. Qin et al. [70] also utilized entropy vectors of different features from traffic flow for attack detection. The use of more thorough features to build clustering models makes this approach different from the studies in [69]. Additionally, based on the traffic models, a detection threshold was automatically created. Experimental results proved that the suggested approach is adaptable to real-world environments and has higher detection accuracy. Although the detection speed is poor, the accuracy of the detection improves when the data scale exceeds 4000. Furthermore, it is impossible to pinpoint the rationale behind the choice of feature thresholds. Koay et al. [71] introduced a set of new entropy-based features, including source and destination IPs, ports, and protocols. Following that, a multi-classifier system (see Figure 10) was built using a set of various entropy-based features. The entropy of each traffic feature was computed for a 60 s interval. Regular and entropy variation features, as seen in Figure 10, were two different forms of entropy-based features that were computed. While the latter was obtained using the fluctuation of two different regular entropy features following a Lyapunov exponent separation, the former was computed using the entropy of raw traffic features.
The performance of the approach was assessed using ISCX2012 and DARPA’98 datasets with a sensitivity of 94.7%. Although the sensitivity results are thought to be superior, the dataset utilized comprises obsolete DDoS attack vectors, making it uncertain whether the method can be applied to identifying modern attacks. An assessment of the traffic-based features used in an entropy-based approach is presented in [72]. The results presented revealed that a better approach must be adopted for choosing traffic features. The ability to detect anomalies is distinct and frequently enhanced by behavioural distributions that are qualitatively different from port and address distributions.
A method for identifying traffic-based attacks using UAVs and Wavelet Packet Energy Entropy (UWPEE) is suggested by Xie et al. [11]. The wavelet packet energy entropy is used in the UWPEE system to identify attacks, while UAVs are sent to collect the real traffic from IoT devices. In this method, the traffic sequence is partitioned into multiple layers of wavelet packets, and the wavelet packet coefficients of each layer are then reconstructed to reveal the sequence’s influencing factors. The energy entropy is then calculated to determine if the traffic data exhibit distinct properties at various scales. A traffic signal with a higher degree of order has a lower entropy value than one with a higher degree of disorder [11]. Entropy can, therefore, reflect the distinct traits of malicious nodes when they periodically emit fake packets. The experimental results show that the UWPEE scheme can effectively identify traffic-based attacks with an accuracy rate of 84.47% and an average recognition efficiency of 4.89 for malicious nodes. Meanwhile, compared with the greedy algorithm, the flight path of the UAVs is reduced by 15.44%. In [73], a threshold-based detection scheme was proposed to detect RREQ flooding attacks in mobile ad hoc networks (MANETs). In this study, the throughput, packet delivery fraction, and end-to-end delay of legitimate network traffic (without flooding attacks) were compared with those of a network with one or more flooder nodes. A sender node is regarded as normal if its rate of RREQ falls below a certain threshold; otherwise, it is considered malicious. Simulation results indicate that a flooding attack could be detected, although the effectiveness depends on the threshold value chosen. Additionally, the method experiences more false positives and misdetections due to seasonal fluctuations in network traffic.
3.3.2. Queue Modelling-Based Detection Methods
In this approach, a multidimensional algorithm is used to analyse how networking components process traffic based on traffic theory. Since DDoS attackers aim to engulf servers’ resources and prevent legitimate clients from accessing them, a good queue management algorithm enables the system to manage access to a fixed amount of bandwidth by identifying which packets should be transferred and which ones should be dropped when the queue limit is fully occupied. In the queuing model, the memory of a server is assumed to be fixed [74]. It is then easy for an attacker to launch the attack and somehow disable the server, preventing it from providing the service to its legitimate user. A simple queue system is illustrated in Figure 11.
In Figure 11, λ represents the arrival rate of packets at the queue, with a waiting time of W until they receive a response from server M, while µ indicates the system’s service rate. This system is based on Little’s law [75], which is expressed as shown:
The expression in (18) describes the average number of packets in a queue. DDoS attacks try to clog up the system’s queue so that legitimate users cannot obtain service. By imposing sophisticated computational processes on the victim device, DDoS attacks can extend the time it takes to process packets or increase their service rate [76]. This attack scenario can be evaluated using queueing theory, which estimates the likelihoods of bandwidth, memory, and CPU exhaustion. In [77], the probability of bandwidth exhaustion P_b is represented by an M/G/K/K queue model. In this model, P_b is estimated using (19) [77]:
In (19), k indicates the number of communication channels between the attacker and the target server, λ_b is the arrival rate of packets, which determines the attack intensity, µ_b indicates the service rate, and ρ denotes the utilization factor for the queue system. When the DDoS attack exhausts the CPU of the target server, the probability of CPU consumption is represented by a simple M/M/1 queue model, described by (20) [77]:
In (20), L indicates the time the attack spent on the network, t_w indicates the amount of time a legitimate client is prepared to wait to be served, and λ_c and µ_c are the arrival and service rates due to the CPU exhaustion. The total depletion probability is obtained by evaluating the likelihood attributable to buffer exhaustion. The result of the simulation shows that the attack probabilities increase as the arrival rates increase.
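A worked version of the queue models above, added here and not taken from [77]: Little's law, the blocking probability of an M/G/K/K loss system in its textbook Erlang-B form (which may differ in presentation from the page's equation (19)), and the M/M/1 probability that a client waits longer than t_w (the sojourn time of an M/M/1 queue is exponential with rate µ_c - λ_c), swept over increasing attack arrival rates. All parameter values are constructed.

```python
import math


def little_mean_in_system(arrival_rate, mean_time_in_system):
    """Little's law (18): L = lambda * W, the mean number of packets in the system."""
    return arrival_rate * mean_time_in_system


def erlang_b(k, offered_load):
    """Blocking probability of an M/G/K/K loss system with k channels and offered
    load A = lambda/mu (Erlang B). Uses the numerically stable recursion
    B(0) = 1, B(i) = A*B(i-1) / (i + A*B(i-1)), which avoids computing k!."""
    if k < 0 or offered_load < 0:
        raise ValueError("k and offered load must be non-negative")
    b = 1.0
    for i in range(1, k + 1):
        b = offered_load * b / (i + offered_load * b)
    return b


def bandwidth_exhaustion_probability(k, lambda_b, mu_b):
    """P_b for k channels, attack arrival rate lambda_b and service rate mu_b."""
    return erlang_b(k, lambda_b / mu_b)


def cpu_exhaustion_probability(lambda_c, mu_c, t_w):
    """M/M/1 model: probability that a legitimate client waits longer than t_w.
    For rho = lambda/mu < 1 the sojourn time is exponential with rate (mu - lambda);
    a saturated queue (rho >= 1) never clears, so the probability is 1."""
    if lambda_c >= mu_c:
        return 1.0
    return math.exp(-(mu_c - lambda_c) * t_w)


def sweep_attack_intensity(k, mu_b, mu_c, t_w, arrival_rates):
    """P_b and P_cpu as the attack arrival rate grows; rho_b = lambda/mu_b."""
    rows = []
    for lam in arrival_rates:
        rows.append({"lambda": lam, "rho_b": lam / mu_b,
                     "P_b": bandwidth_exhaustion_probability(k, lam, mu_b),
                     "P_cpu": cpu_exhaustion_probability(lam, mu_c, t_w)})
    return rows


if __name__ == "__main__":
    # Constructed parameters: 20 channels served at 5 pkt/s each, a CPU that
    # handles 200 requests/s, and clients that tolerate a 50 ms wait.
    for row in sweep_attack_intensity(20, 5.0, 200.0, 0.05, [10, 50, 100, 150, 250]):
        print(row)
```

Both probabilities rise monotonically with the attack rate, reproducing the simulation trend reported for [77]; once λ_c reaches µ_c the CPU model saturates and every client exceeds its waiting budget.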
In most of the queue strategies for attack detection, such as drop-tail, random early detection (RED), and nonlinear random early detection (NLRED) [78], a pre-defined value is set for the maximum length of the queue. Newly arriving packets are discarded when the length of the queued packets exceeds the set threshold. In this queue approach, all the traffic packets are considered equal, regardless of the traffic type. The attacker will then send fewer TCP packets before waiting for the target server to respond because of packet loss. Consequently, the TCP session’s throughput will decline [79]. In most queue modelling studies [77,78,79,80,81,82], a Poisson distribution is used to describe packet arrival according to a random process. According to Singh et al. [74], for traffic analysis, the queue must support exponential data, and requests must be processed using a first-come-first-served queuing analogy with a single server and a finite buffer. Using this concept, a collection of data patterns was generated, and UDP floods were detected. In [80], a framework to identify DDoS attacks using the packet flows of particular protocols was presented. In this study, the normal behaviour is estimated using a Gaussian parametrical mixture model, while the attacks are detected using a queue model. The results show the approach is effective with reasonable detection accuracy. Khan and Traore [81] analysed the effects of attacks on variables such as queue growth rate using a standard M/M/1/K queue model with round robin discipline. The given results demonstrate that the queue growth rate linearly increases as the frequency of flooding attacks increases. The authors in [82] presented the use of the queueing model for network router attack detection. In this study, the traffic congestion due to attack packets can be readily noticed at locations near the target rather than the attack sources; consequently, it is anticipated that the technique will have a comparatively higher false negative rate. In [83], a queue scheme was developed for detecting malicious attacks. In this study, the arrival requests are provided with a queue service at a base station that oversees assessing the forwarded packets. Once the traffic is backed up for an extended period, malicious attacks are discovered.
In [84,85], the effectiveness of queuing management mechanisms under DDoS attack detection was evaluated. Five distinct queuing algorithms—drop-tail, RED, deficit round robin (DRR), fair queue (FQ), and stochastic fair queue (SFQ)—were tested for how UDP flooding affected their performance in [84]. The study demonstrates that SFQ outperforms the other queuing mechanisms for UDP traffic. Recently, using NS2 software, Wei et al. [85] evaluated the effectiveness of drop-tail, RED, and REM queue management mechanisms on ad hoc networks under attack. This study evaluated the performance of the three mechanisms under small-, medium-, and large-scale DDoS attacks based on the packet rate and average end-to-end latency. Simulation results revealed that drop-tail was less effective at detecting medium- and small-scale DDoS attacks than REM and RED. However, all three mechanisms showed inadequate detection abilities when subjected to large-scale DDoS attacks.
3.3.3. Statistical-Based Detection Methods
This approach analyses the statistical features of normal traffic to create a baseline traffic pattern. Any incoming traffic that falls outside the baseline is judged to be malicious traffic. This approach processes network traffic using sophisticated statistical algorithms and differentiates anomalous traffic from legitimate patterns of established network traffic. With the statistical technique, expected behaviour can be inferred from observations without any prior knowledge of the target system’s typical operations. This can potentially lead to more accurate detection of malicious activity. Statistical algorithms used for DDoS attack detection may include, among others, statistical forecasting and time series methods, as shown in Figure 8.
Chi-square approach: The Chi-square (χ²) is a test of independence used to determine if two categories of variables are connected to one another. Given the overall frequency of each category, it looks for patterns in these observations to determine whether any combinations of the categories occur more frequently than would be predicted by chance. A very small value of χ² indicates a good correlation between the actual and expected values, whereas a large value implies that the actual values do not closely match the anticipated values. This approach has been used in several research studies [86,87,88,89] for anomaly detection in internet-based networks. Ref. [86] tested it to assess the prevalence of TCP–SYN flag values and protocol numbers. In this study, service ports are examined using the Chi-square method while considering HTTP, FTP, and DNS. Similarly, packet lengths are binned into ranges. If there are N incoming traffic packets while B represents the available bins, the number of packets with values within the i-th bin is represented by N_i, and n_i denotes the anticipated number of packets in this bin based on the usual distribution. Thus, χ² is estimated using (21):
Abouzakhar and Bakar [87] used the same expression for attack detection by analysing RST, SYN, ACK, and ICMP packets. The proposed method consists of a database storage block, a Chi-square test block, a feature extraction and distribution block, a distribution and categorization block, and a decision-making block, as shown in Figure 12.
Firstly, TCP flags are extracted for each input packet from the network traffic dataset. Under the data distribution and categorization block, packets are distributed and categorized into the number of RST, SYN, ACK, and ICMP packets per second, along with other TCP packets. After categorization, a Chi-square approach is employed to carry out anomaly detection, where a χ² value is estimated using (21) and compared to a tabular χ² value. When there is a large difference between these two values, an intrusion alert is triggered.
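The binned-packet-length test of [86] and the tabular comparison of [87], as an added example that is not code from either paper. The bins, the baseline distribution, the two one-second windows and the 5% critical values are constructed; the same `chi_square` call serves the per-second RST/SYN/ACK/ICMP category counts of [87] when those counts are passed as the observed and expected lists.

```python
# Constructed packet-length bins (bytes): [0,64), [64,512), [512,1024), [1024,1501).
BIN_EDGES = [0, 64, 512, 1024, 1501]
# Tabular chi-square critical values at the 5% significance level, by degrees of freedom.
CHI2_CRITICAL_005 = {1: 3.841, 2: 5.991, 3: 7.815, 4: 9.488, 5: 11.070}


def bin_counts(lengths, edges=BIN_EDGES):
    """N_i: number of packets whose length falls in the i-th bin."""
    counts = [0] * (len(edges) - 1)
    for length in lengths:
        for i in range(len(edges) - 1):
            if edges[i] <= length < edges[i + 1]:
                counts[i] += 1
                break
    return counts


def expected_counts(baseline_counts, n):
    """n_i: packets expected per bin if n packets followed the baseline distribution."""
    total = sum(baseline_counts)
    return [n * c / total for c in baseline_counts]


def chi_square(observed, expected):
    """chi^2 = sum_i (N_i - n_i)^2 / n_i over the bins with a non-zero expectation."""
    return sum((o - e) ** 2 / e for o, e in zip(observed, expected) if e > 0)


def chi_square_alert(lengths, baseline_counts, critical=CHI2_CRITICAL_005):
    """Compare the window's chi^2 with the tabular value for B-1 degrees of freedom."""
    observed = bin_counts(lengths)
    expected = expected_counts(baseline_counts, len(lengths))
    stat = chi_square(observed, expected)
    threshold = critical[len(observed) - 1]
    return {"chi2": round(stat, 4), "critical": threshold,
            "alert": stat > threshold, "observed": observed}


# Constructed baseline: bin counts of 1000 packet lengths from attack-free traffic.
BASELINE_COUNTS = [300, 300, 200, 200]
# Constructed one-second windows: a normal one and a flood of small packets.
NORMAL_WINDOW = [40] * 58 + [200] * 62 + [600] * 40 + [1400] * 40
FLOOD_WINDOW = [40] * 150 + [200] * 30 + [600] * 10 + [1400] * 10


if __name__ == "__main__":
    print("normal:", chi_square_alert(NORMAL_WINDOW, BASELINE_COUNTS))
    print("flood: ", chi_square_alert(FLOOD_WINDOW, BASELINE_COUNTS))
```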
Leu and Lin [88] used the goodness-of-fit test of the χ² approach to detect attacks. The method examines the number and variation of packets sent from sources, as well as IP address distribution statistics. When an attacker floods the system with many packets from random source IPs, the approach estimates its Chi-square value and checks to see if it exceeds a predetermined threshold to trigger an attack alarm. Experimental findings demonstrate the approach’s capability to quickly identify DoS and DDoS attacks. Other studies reporting the use of the χ² value for attack detection may be found in [89]. In [89], χ² was estimated based on moving averages while considering how frequently events appeared in the Solaris BSM audit record. The results obtained showed that the χ² values based on the moving average were sufficient to detect anomaly attacks.
Statistical forecasting models: A conventional statistical forecasting model makes predictions about future occurrences using statistics derived from historical data. Using historical data to analyse and observe past network traffic patterns, this method forecasts future observations. A plethora of statistical forecasting models have been developed for attack detection. Moving average (MA), weighted moving average (WMA), simple exponential smoothing (SES) or exponential WMA, double exponential smoothing (DES), and triple exponential smoothing (TES) are a few examples of this. Each of these models has its own accuracies and deficiencies. MA is a smoothing technique that observes the underlying pattern of a data set to forecast future values. While SES, EWMA, and DES consider both historical observations and historical forecasts, MA and WMA base their forecasts solely on prior observations. The authors in [90] revealed that the EWMA models could be used for detecting rapid changes in event intensity when demonstrated on the publicly available DARPA dataset. In [90], an adaptive threshold algorithm based on the EWMA model was developed for detecting SYN flooding attacks. Real traffic traces were employed to analyse the effectiveness of the algorithm. A satisfactory result was observed when high-intensity attacks were considered. However, the algorithm performs terribly when handling attacks of low intensity. Similar to the studies presented in [90], Machaka et al. [91] assessed the use of the EWMA algorithm for DDoS attack detection in IoT infrastructure. A high detection rate was achieved with a 40 s delay when demonstrated on an artificially generated dataset for a high-rate attack. While the detection rate of this approach is relatively high for attacks with high intensity, its performance deteriorates for attacks with low intensity. The use of an adaptive fusion of multiple characteristics (MAF–ADM) for the detection of low-intensity attacks was suggested by Zhan et al. [92] as a solution to this problem. Under a low-intensity attack, the time-frequency joint distribution of the legitimate TCP traffic changes; therefore, several statistical features of this distribution were selected to create isolation trees. The potential to isolate samples containing low-intensity attacks was then combined to create an anomaly score. The anomaly score was smoothed using a WMA to lower the potential number of errors that may result due to noise in the network traffic. The result shows that the method can effectively detect low-intensity attacks with a relatively low false negative rate when demonstrated on the WIDE2018 and LBNL datasets. The approach has two shortcomings. First, neither of the two datasets had evidence of low-intensity attacks; instead, this was simply assumed to exist. Second, the extraction of features requires very high data processing expenses and is time-consuming. These two drawbacks constrain its use for real-time online detection of low-intensity attacks. The authors in [93] used SES and wavelet analysis to track incoming bytes, packet counts, and the ratio of incoming to outgoing packets to detect UDP flooding DDoS attacks. This approach detects multiple attack scenarios without producing any false positives. The application of TES for TCP–SYN flood and slammer worm detection was reported in [94]. In this investigation, the traffic packets’ source IP, destination IP, and ports were examined within a 900 s interval. The effectiveness of the approach was verified using the Brazilian National Research and Education Network dataset, which has 5 days of network traffic. Results indicated that the approach was successful in identifying TCP–SYN flooding. For this approach, the false alarm rate and detection accuracy were not assessed.
Some other time series models, such as auto-regressive (AR), autoregressive integrated moving average (ARIMA), and linear regression model (LRM), are reportedly used for DDoS attack detection. Zhang et al. [95] used the ARIMA framework to identify DDoS attacks via the NS2 simulator. Yaacob et al. [96] introduced a novel algorithm with the use of the ARIMA technique to detect possible attacks that may occur in computer networks. Their approach offers the network administrator a means for early warning. In [97], a combination of ARIMA and a chaotic system was used to detect attacks, with a true positive rate of 94.4%. Additionally, false positives and false negatives of 0.1% and 5.6%, respectively, were recorded. The authors in [98] looked at the relationship between the average and standard deviation of the network traffic throughput to evaluate DDoS attacks. The research demonstrates that, in non-attack situations, the rise in standard deviation caused by a traffic surge increases the average network throughput, as seen in Figure 13. However, in a DDoS attack scenario, the standard deviation is not affected by the increased network throughput because of the attack. This hypothesis was used to produce an attack detection method with linear regression. The efficacy of the developed approach was confirmed using the CAIDA dataset. The results obtained revealed that DDoS attacks may be accurately identified with a low proportion of false positives.
In [99], the authors used several forecasting algorithms, including MA, WMA, EWMA, and LRM, to predict the intensity of SYN, DNS, and ICMP floods. For the predictions in this study, a window size of 60 s was established to track the number of packets. The results for the three attack types demonstrate that LRM best detects the magnitude of TCP–SYN flood, while EWMA is best at detecting the attack intensity of DNS, TCP and ICMP floods. The algorithms are said to produce an overall error rate of 1%.
The research studies presented have shown that forecasting models can be used for attack detection with a relatively high level of accuracy. The inherent errors generated by these models are a significant disadvantage. Every forecast model generates a succession of errors between the predicted and observed values. Accordingly, if the network traffic data contains one forecast for each feature, then the total errors from all the features amount to the following:
where e_i is the error generated by the i-th of the n features. Therefore, significant forecast errors are anticipated, given the intermittent nature of internet traffic. In addition, because the models depend on prior statistical features, they may not work well with actual internet data series [100].
Other statistical approaches are also reported in the literature. These range from the use of a simple t-test to a more sophisticated cumulative sum (CUMSUM) approach. Additional reported techniques are the statistical segregation method (SSM), multivariate correlation analysis (MCA), and analysis of covariance, among others. In the two-sample t-test proposed by Chen [101], the authors examined the statistics of the normal SYN arrival rate (SAR) by sampling the input traffic flow. Then, the dissimilarity between the number of SYN and ACK packets as well as the dissimilarity between the arriving SAR and normal SAR are estimated to ascertain the occurrence of an attack. Simulation results revealed that the proposed method has a quick detection rate and a low likelihood of both false positives and false negatives. Additionally, computational overhead is not too high and, in the event of a sudden shift in traffic, it can detect DDoS flood attacks. In low-traffic areas, it might, however, miss an attack.
The CUMSUM method estimates the cumulative sum of the difference between an input sequence’s actual and expected values, which is then compared to a threshold value [
102]. A CUMSUM value above the threshold signifies a change in statistical features in the network traffic over time series. This method is used to estimate variations in traffic features. The authors of [
103] suggested a simple method for detecting SYN flooding attacks using the non-parametric CUMSUM model. The results of the simulation showed that TCP–SYN flooding may be accurately detected with a low false alarm ratio and a high detection ratio. In the research study presented in [
102], the authors investigated the use of CUMSUM for detecting DDoS attacks in an IoT network. The algorithm has a good detection rate for high-rate attacks but is poor for low-intensity attacks. A combination of CUMSUM and an entropy-based method is reported in [
104]. The CUMSUM is used in this work to handle traffic entropy. For the observed entropy data, additional signal processing, utilizing wavelet pre-filtering, is used. This helps to improve detection efficiency over other CUMSUM approaches that rely solely on the entropy of the packet header field without further processing. The findings revealed high detection accuracy and a low proportion of false positives. The authors in [
105] investigated the potential of SSMs to minimize false detection during DDoS attacks. With this method, the traffic flow is sampled at regular intervals to identify the distinctions between legitimate and malicious traffic. After that, correlation analysis is used to separate attacks from legitimate flows by comparing the samples to pre-specified attack state conditions. Evaluation results reveal a mix of segregation methods that could significantly lower the likelihood of false detections during DDoS attacks. The results also demonstrate higher detection latency and increased computational overhead. Tan et al. [
106] used MCA for attack detection. In this study, the patterns of legitimate network traffic are examined, and the traffic is then classified by obtaining the geometrical correlations between network traffic parameters. To expedite the MCA procedure, a triangle-area-based approach was also added. The effectiveness of this method was assessed with the KDD Cup’99 dataset. The approach has excellent performance with 99.95% detection accuracy. However, some poor performance was observed when the false positive rate was analysed. The proposed approach could be further validated on some other dataset with the updated DDOS attack vectors. More advanced categorization algorithms and the use of real-world data would also reduce the false positive rate. In [
107], the analysis of covariance was proposed. The method’s efficacy in detecting SYN flood attacks has been established. The approach has relatively high detection accuracy. The approach does, however, have certain drawbacks. There is no theoretical justification for the high detection rate. The method also faces the difficult task of choosing an adequate observed time window for the covariance analysis. An improvement on the covariance approach is presented in [
108]. In this study, a covariance criterion was used to generate a profile of typical network traffic and identify anomalous activities. Then, a decision-making rule that considers all the data in the covariance matrix was integrated using the Chebyshev difference. The results show an improved detection rate. However, because the covariance matrix contains so much data, the approach has a high computational complexity. Peng et al. [
109] use a sequential non-parametric change-point method to detect bandwidth attacks. The approach tracks the number of new (previously unseen) source IP addresses, and a statistical analysis of the incoming traffic over a period establishes the normal arrival rate of new IPs. The current arrival rate of new IPs is then compared to this normal value, and, when it exceeds the normal rate, a bandwidth attack alarm is generated. Although the technique records a relatively good detection rate, a significant drawback was noticed: since the method can only identify an attack when there is a dramatic change in the volume of existing network traffic, a spoofed IP address will bypass the detection approach.
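As an added illustration of the change-point idea behind the CUSUM-based detector above and the new-IP-arrival monitor of Peng et al. (example code written for this section, not taken from either study), the following Python block counts previously unseen source IPs per one-second window and runs a non-parametric CUSUM over that series. The packet trace, the window length, the allowance k and the threshold h are constructed/assumed values:

```python
"""Sequential change-point detection on the arrival rate of new source IPs.

Added example, not the code of Peng et al. or of this survey: a
non-parametric CUSUM detector run over per-window counts of source IPs
never seen before. The packet trace, window length, allowance k and
threshold h are constructed/assumed for illustration.
"""
import statistics
from collections import Counter
from typing import Iterable, List, Tuple


def new_ip_counts(packets: Iterable[Tuple[float, str]], window_s: float) -> List[int]:
    """Return the number of previously unseen source IPs in each time window.

    `packets` is an iterable of (timestamp_seconds, source_ip), assumed to be
    in time order. A source counts as "new" only the first time it is seen.
    """
    seen = set()
    per_window = Counter()
    last_window = -1
    for ts, src in packets:
        w = int(ts // window_s)
        last_window = max(last_window, w)
        if src not in seen:
            seen.add(src)
            per_window[w] += 1
    return [per_window[w] for w in range(last_window + 1)]


def cusum_alarms(series, baseline_len, allowance=None, threshold=None):
    """Non-parametric CUSUM over a count series.

    S_t = max(0, S_{t-1} + x_t - (mu + k)); alarm when S_t > h.
    mu (the normal rate) is learned from the first `baseline_len` windows;
    the allowance k defaults to one baseline standard deviation and h to
    five (assumed tuning). Returns (alarm_window_indexes, mu, h).
    """
    base = series[:baseline_len]
    mu = statistics.mean(base)
    sd = statistics.pstdev(base)
    k = sd if allowance is None else allowance
    h = 5.0 * max(sd, 1.0) if threshold is None else threshold
    s = 0.0
    alarms = []
    for i, x in enumerate(series):
        s = max(0.0, s + (x - (mu + k)))
        if s > h:
            alarms.append(i)
    return alarms, mu, h


def constructed_trace():
    """Constructed packet trace: 20 s of normal traffic (one to three new
    clients per second plus one returning client), then 5 s in which 200
    never-seen (spoofed) sources per second hit the network."""
    pkts = []
    ip_id = 0
    for w in range(20):
        for j in range(1 + w % 3):
            pkts.append((w + 0.1 * j, f"10.0.{ip_id // 256}.{ip_id % 256}"))
            ip_id += 1
        pkts.append((w + 0.5, "192.0.2.1"))  # returning client, new only once
    for w in range(20, 25):
        for j in range(200):
            pkts.append((w + j / 200.0, f"10.0.{ip_id // 256}.{ip_id % 256}"))
            ip_id += 1
    return pkts


def run_demo():
    series = new_ip_counts(constructed_trace(), window_s=1.0)
    alarms, mu, h = cusum_alarms(series, baseline_len=20)
    return series, alarms, mu, h


if __name__ == "__main__":
    series, alarms, mu, h = run_demo()
    print("new IPs per window:", series)
    print(f"learned normal rate mu={mu:.2f}, threshold h={h:.2f}")
    print("alarm windows:", alarms)
```

The statistic only moves when the count of never-before-seen sources jumps relative to the learned rate; a flood from sources already in the seen set, or one whose new-source rate grows slowly relative to the baseline, leaves it near zero, which is the kind of blind spot the paragraph above describes.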
The use of feature–feature score (FFSc) for DDoS attack detection was suggested by Hoque et al. [
110]. In this method, the behaviour of network traffic was examined using three fundamental traffic parameters: packet rate, entropy of source IPs, and variation of source IPs. Next, a similarity value is calculated for each network traffic sample using the FFSc. The FFSc is compared against a pre-defined threshold, and, if it is above the threshold, an attack alarm is raised. The viability of the approach was verified using the CAIDA and DARPA datasets. It was noticed that the pre-defined threshold greatly affects the detection accuracy: the accuracy substantially declines as the detection threshold increases. Thus, the choice of the detection threshold is a major concern. The continuous ranked probability score (CRPS) has also been used in recent years to distinguish between legitimate and attack traffic. The CRPS is primarily employed to assess the accuracy of probabilistic forecasts [
111]. It has since been applied to anomaly detection, since the CRPS can compare a whole distribution with a single observation [
112,
113,
114]. To use the CRPS for DDoS attack detection, the CRPS is generated for every traffic measurement. Each incoming traffic measurement is then compared with the traffic distribution under no attack. It is assumed that, in an attack-free network, the traffic distribution is Gaussian [
112] with mean
µ and variance
σ2. The CRPS is computed using (23) [
112,
113]:
where Φ and φ are the standard Gaussian cumulative distribution and probability density functions, respectively. The monitored traffic is considered normal when the CRPS takes values that are very small and close to zero. Higher CRPS values, however, point to the existence of malicious traffic in the monitored network traffic. With this metric, it is feasible to distinguish legitimate traffic from attack traffic. The CRPS results are subjected to an exponential smoothing approach by Bouyeddou et al. [
112] to set a decision threshold and to make attack-induced deviations more visible. The proposed approach performed well when demonstrated on ICMPv6 and DARPA datasets, with a 100% detection rate. The authors acknowledged that the proposed attack detection method operates on a single timescale and may be inappropriate for identifying malicious activities at different scales. Motivated by [
112], Sharma et al. [
114] used a similar procedure to detect attacks in fog-enabled IoT, with better detection accuracy when validated using the DARPA’99 dataset.
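The following Python block is an added example, not the code of Bouyeddou et al. or Sharma et al., that carries the CRPS procedure through on a constructed packets-per-second series: the attack-free portion fixes µ and σ, every measurement is scored with the standard closed form of the CRPS for a Gaussian forecast, the scores are exponentially smoothed, and an alarm is raised when the smoothed score exceeds a threshold learned from the attack-free window. The closed form, the smoothing factor α = 0.3 and the mean + 4·sd threshold rule are assumptions of this example rather than values taken from the cited papers:

```python
"""CRPS-based detection against a Gaussian attack-free baseline.

Added example, not the code of Bouyeddou et al. or of this survey. For a
Gaussian N(mu, sigma^2) and an observation x, the closed form of the CRPS
used here is the standard one from the forecasting literature:
    CRPS = sigma * ( z*(2*Phi(z) - 1) + 2*phi(z) - 1/sqrt(pi) ),  z = (x - mu)/sigma
with Phi the standard normal CDF and phi its PDF. The traffic series, the
smoothing factor alpha and the threshold rule mean + k*sd are assumptions.
"""
import math
import statistics


def _phi(z: float) -> float:
    """Standard normal probability density function."""
    return math.exp(-0.5 * z * z) / math.sqrt(2.0 * math.pi)


def _Phi(z: float) -> float:
    """Standard normal cumulative distribution function (via erf)."""
    return 0.5 * (1.0 + math.erf(z / math.sqrt(2.0)))


def crps_gaussian(mu: float, sigma: float, x: float) -> float:
    """CRPS of the forecast N(mu, sigma^2) for the observed value x.

    Small for observations near mu and close to |x - mu| far from it, so a
    traffic jump caused by an attack yields a large score."""
    if sigma <= 0:
        raise ValueError("sigma must be positive")
    z = (x - mu) / sigma
    return sigma * (z * (2.0 * _Phi(z) - 1.0) + 2.0 * _phi(z) - 1.0 / math.sqrt(math.pi))


def exp_smooth(values, alpha: float, start: float):
    """Exponential smoothing s_t = alpha*v_t + (1-alpha)*s_{t-1}, seeded at `start`."""
    s = start
    out = []
    for v in values:
        s = alpha * v + (1.0 - alpha) * s
        out.append(s)
    return out


def detect(series, baseline_len: int, alpha: float = 0.3, k: float = 4.0):
    """Score every measurement against the attack-free Gaussian, smooth the
    scores, and alarm where the smoothed score exceeds mean + k*sd of the
    smoothed attack-free scores. Returns (alarm_indexes, threshold, smoothed)."""
    base = series[:baseline_len]
    mu, sigma = statistics.mean(base), statistics.pstdev(base)
    scores = [crps_gaussian(mu, sigma, x) for x in series]
    # seed the smoother at the attack-free mean score to avoid a start-up transient
    smoothed = exp_smooth(scores, alpha, start=statistics.mean(scores[:baseline_len]))
    ref = smoothed[:baseline_len]
    threshold = statistics.mean(ref) + k * statistics.pstdev(ref)
    alarms = [i for i, s in enumerate(smoothed) if s > threshold]
    return alarms, threshold, smoothed


def constructed_series():
    """Constructed packets-per-second series: 30 s of attack-free traffic
    around 100 pkt/s, then 10 s of a flood at 420-515 pkt/s."""
    jitter = [-3, 2, -1, 4, 0, -2, 3, 1, -4, 2]
    normal = [100 + j for j in jitter * 3]
    flood = [420, 450, 480, 500, 510, 495, 470, 505, 515, 490]
    return normal + flood


def run_demo():
    series = constructed_series()
    alarms, threshold, _ = detect(series, baseline_len=30)
    return alarms, threshold


if __name__ == "__main__":
    alarms, threshold = run_demo()
    print(f"threshold={threshold:.3f}, first alarm at t={alarms[0] if alarms else None}")
```

Because the CRPS of a Gaussian grows roughly like |x − µ| once the observation is several σ away, the flood at t = 30 scores in the hundreds against an attack-free score near σ/4, and the smoothed score crosses the threshold in the same window; the single-timescale limitation noted above is visible in that the smoothing factor fixes how quickly the statistic reacts.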
3.3.6. Machine Learning-Based Detection Methods
This approach uses algorithms that identify malicious traffic from a pool of network traffic by learning the characteristics of the traffic. After learning the characteristics of the traffic features, these algorithms can build a highly accurate model for identifying them. Several machine learning algorithms are employed for attack detection. In this section, we review attack detection studies in the IoT and other emerging networks.
Attack detection in IoT and SDN using machine learning: The research work discussed in [
22] demonstrates the use of an ANN for DDoS attack detection. Based on distinctive patterns that distinguish DDoS attacks from normal traffic, the ANN can identify TCP, UDP, and ICMP DDoS attacks. The efficacy of the approach was compared to backpropagation (BP), Chi-square, SVM, and Snort based on accuracy, precision, and sensitivity. The results show that it outperforms these competitors, with a detection accuracy of 98%. Additionally, the method records a precision of 100% and a sensitivity of 96%. As the accuracy only totals 98%, the precision value of 100% still needs further substantiation. A significant limitation of this method is that it cannot detect DDoS attacks when the protocol headers are encrypted. Alshamrani et al. [
131] suggested employing an SVM to detect attacks in an SDN-based network. This method involves the routine collection of network packets, from which 24 features are extracted. The SVM is then used to classify these features and find abnormalities. The method was validated on the NSL–KDD dataset, and its performance was compared to that of the J48 and Naïve Bayes (NB) classifiers. The approach has a detection accuracy of 99.4%, compared to 99.75% and 95.87% for the J48 and NB algorithms, respectively. Thus, the J48 classifier still performs better in terms of accuracy than the suggested approach. The method also has a significant processing overhead. The study in [
132] uses an SVM to classify aggregated traffic features that are periodically obtained from the flow table of an SDN switch. These features pertain to DDoS attacks and include the speed of source IPs and source ports, the speed of flow entries, the standard deviation of flow bytes and flow packets, and the ratio of pair-flows. The validity of the approach was verified by simulation. Evaluation results show that a detection rate of 95.24% was achieved, even with a small amount of flow data. The method does, however, record some false alarms, with an average false alarm rate of 1.26%.
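To make the flow-table features concrete, the following Python block (an added example written for this section, not the code of [132]) computes the six aggregated features from a flow-table snapshot on two constructed tables, one holding three ordinary client–server sessions and one holding a spoofed-source flood. The exact definition used for each feature, and the simple baseline comparison that stands in for the paper's SVM, are assumptions of this example:

```python
"""Aggregated flow-table features for SDN DDoS detection.

Added example, not the code of the study in [132] or of this survey. Over a
flow-table snapshot collected every `interval_s` seconds it computes the six
features named in the text: speed of source IPs, speed of source ports, speed
of flow entries, standard deviation of flow packets, standard deviation of
flow bytes, and ratio of pair-flows. The concrete definitions (e.g. a
"pair-flow" is a flow whose reverse 5-tuple is also in the table) and the
two snapshots are assumptions/constructed data; the paper's SVM is replaced
by a simple baseline comparison so the block runs stand-alone.
"""
from dataclasses import dataclass
from statistics import pstdev
from typing import Dict, List


@dataclass(frozen=True)
class FlowEntry:
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    proto: str
    packets: int
    octets: int


def flow_features(table: List[FlowEntry], interval_s: float) -> Dict[str, float]:
    """Six aggregated features from one flow-table snapshot."""
    n = len(table)
    if n == 0:
        return {k: 0.0 for k in ("ssip", "ssp", "sfe", "sdfp", "sdfb", "rpf")}
    keys = {(f.src_ip, f.dst_ip, f.src_port, f.dst_port, f.proto) for f in table}
    # a pair-flow has its mirror image (the reply direction) in the table
    paired = sum(
        1 for f in table
        if (f.dst_ip, f.src_ip, f.dst_port, f.src_port, f.proto) in keys
    )
    pkts = [f.packets for f in table]
    byts = [f.octets for f in table]
    return {
        "ssip": len({f.src_ip for f in table}) / interval_s,   # distinct sources per second
        "ssp": len({f.src_port for f in table}) / interval_s,  # distinct source ports per second
        "sfe": n / interval_s,                                  # flow entries per second
        "sdfp": pstdev(pkts) if n > 1 else 0.0,                 # spread of packets per flow
        "sdfb": pstdev(byts) if n > 1 else 0.0,                 # spread of bytes per flow
        "rpf": paired / n,                                      # share of bidirectional flows
    }


def looks_like_flood(feat: Dict[str, float], baseline: Dict[str, float], ip_factor: float = 10.0) -> bool:
    """Assumed stand-in for the classifier: many more new sources per second
    than the attack-free baseline and far fewer answered (paired) flows."""
    return feat["ssip"] > ip_factor * baseline["ssip"] and feat["rpf"] < 0.5 * baseline["rpf"]


def constructed_normal_table() -> List[FlowEntry]:
    """Three clients talking to a web server, each flow with its reply flow."""
    srv = "10.0.0.10"
    sessions = [("10.0.1.1", 40, 12000), ("10.0.1.2", 120, 41000), ("10.0.1.3", 15, 3600)]
    rows = []
    for i, (cli, pk, by) in enumerate(sessions):
        port = 50000 + i
        rows.append(FlowEntry(cli, srv, port, 443, "tcp", pk, by))
        rows.append(FlowEntry(srv, cli, 443, port, "tcp", pk - 5, by * 3))
    return rows


def constructed_flood_table() -> List[FlowEntry]:
    """200 spoofed sources, one packet each towards the server, no replies."""
    return [
        FlowEntry(f"172.16.{i // 256}.{i % 256}", "10.0.0.10", 1024 + i, 80, "tcp", 1, 60)
        for i in range(200)
    ]


def run_demo(interval_s: float = 3.0):
    normal = flow_features(constructed_normal_table(), interval_s)
    flood = flow_features(constructed_flood_table(), interval_s)
    return normal, flood, looks_like_flood(normal, normal), looks_like_flood(flood, normal)


if __name__ == "__main__":
    normal, flood, n_flag, f_flag = run_demo()
    print("normal:", {k: round(v, 2) for k, v in normal.items()}, "flood?", n_flag)
    print("flood :", {k: round(v, 2) for k, v in flood.items()}, "flood?", f_flag)
```

The two snapshots separate cleanly on exactly the features the study relies on: the flood drives the source-IP and source-port speeds up by more than an order of magnitude, collapses the packet and byte spread to zero (every spoofed flow carries one packet), and drops the pair-flow ratio to zero because no spoofed source ever receives a reply flow.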
The effectiveness of SVM and deep feed forward (DFF) algorithms for detecting DDoS attacks in IoT networks was examined in [
133]. The effectiveness of these algorithms was analysed using the DARPA’09 dataset. Evaluation results revealed that the DFF has superior accuracy to the SVM, whereas the SVM outperformed the DFF in terms of processing time. The detection accuracy recorded by the DFF is 99.63%, compared to 81.23% for the SVM, i.e., roughly 22% higher in relative terms (about 18 percentage points). The findings also showed that the DFF has a higher computational overhead, which has a big impact on its detection speed. Rahman et al. [
134] designed an SDN framework and applied four machine learning classifiers independently for the detection and mitigation of ICMP and TCP floods. J48, RF, SVM, and k-nearest neighbours (k-NN) were the classifiers considered. In this approach, a synthesized dataset containing normal and DDoS traffic with 24 packet-level features was employed to assess the effectiveness of the classifiers. Aside from DDoS attack detection, mitigation code was also developed to block the attackers’ switch ports for 30 s. Evaluation results show that the J48 classifier outperforms the other algorithms in terms of processing speed. While SVM and k-NN produced zero classification errors, some errors were observed with J48 and RF. In addition, there is a great deal of variation in the processing times of these algorithms: SVM requires the most testing time, whereas k-NN requires the least training time. Similarly, the authors of [
135] concentrated on employing a larger set of machine learning classifiers to detect DDoS attacks. In this method, six classifiers were evaluated for attack detection: logistic regression (LR), NB, k-NN, SVM, decision tree (DT), and RF. In contrast to a previous study [
134] that used only conventional flow features for attack detection, this approach used extended features. Evaluation results show that RF performs best in terms of detection accuracy (99.76%), whereas k-NN records the worst performance (86.41%). While the models can accurately detect attacks in under 1 s, some normal traffic is also dropped. Koroniotis et al. [
136] investigated the application of machine learning models, including a recurrent neural network (RNN) and an LSTM, for attack detection on the BoT–IoT dataset. The features extracted from the dataset were grouped into two sets. The first set contains the top 10 features selected by a filter based on the correlation coefficient and joint entropy, while the second set contains all 35 features in the dataset. The effectiveness of the models was evaluated on both sets. When the top 10 features were considered, the RNN performed best, with an accuracy of 99.74%, while the SVM performed worst, with an accuracy of 88.37%. However, the SVM outperformed the other models in terms of precision and processing time. When all 35 features were considered, the SVM had superior accuracy, precision, and processing time, recording an accuracy of 99.99%. One of the shortcomings of this study lies in the dataset used. Gopalan [
137] reported that the dataset is unbalanced, which may have positively biased the identification of attacks. The studies in [
138] tried to solve the issue of dataset class imbalance resulting from the use of the BoT–IoT dataset in [
136]. Using the same dataset as the previous study, several machine and deep learning methods were employed to create a novel DDoS and DoS attack detection method for IoT networks. These models included RF, DT, LSTM, gated recurrent units (GRU), MLP, RNN, and SVM. To avoid feature dependencies, the binary and multiclass classifications in this study used three separate feature sets. Evaluation results show that RF and DT are the most accurate for both binary and multiclass classification and perform well across every feature set. For instance, when the first feature set for multiclass classification is considered, the DT model has an accuracy of 99.95%, whereas the RF model has an accuracy of 99.92%. For binary classification, the accuracies of DT and RF rise to 99.97% and 99.95%, respectively.
Chen et al. [
139] employed DT for DDoS attack detection in a multi-layer IoT environment. IoT gateways, cloud servers, SDN switches, and IoT devices make up the multi-layer IoT environment, as shown in
Figure 14. In this study, eight smart poles were used to build a wireless sensor network that collected sensor data across a campus. Each smart pole was equipped with an LED lamp, an access point, a camera, smart signage, a communication box, and an equipment box. The study used Wi-Fi, Bluetooth, ZigBee, and LoRa to transmit sensor data. Smart poles SP1–SP4, equipped with Wi-Fi access points, connected to the internet without a backbone connection, while smart poles SP4–SP8 required Ethernet to send and receive packets. Additionally, SP2 and SP3 supported ZigBee, SP5 supported Bluetooth, and SP2 and SP8 supported LoRa. Each pole was fitted with a Raspberry Pi 3, which gathered the sensor data, since it can act as a heterogeneous gateway communicating with Ethernet, Bluetooth, ZigBee (via the I2C protocol), and Wi-Fi devices.
The IoT gateway gathered and pre-processed sensor data packets. DT classifiers were trained on extracted packet attributes, such as packet length, timestamp, protocol, source IP and MAC, and destination IP and MAC, according to the type of DDoS attack, and the classifier determined whether packets were normal or anomalous. The assumption is that, under normal conditions, sensors send data at a set frequency, whereas in attack scenarios attackers compromise the IoT devices and control the sensors, causing them to send data continuously. To determine whether an IoT device is in a normal state, a timestamp is chosen for the sensor data, and the total number of packets over a set period is estimated. Since ICMP packets are normally sparse on the network, ICMP attacks are simple to detect: receiving many ICMP packets in a short time indicates that a device has been compromised. Experimental results show that ICMP flooding, SYN flooding, and UDP flooding were detected with 97.39% accuracy and an F1-score above 97%. The gateway alerts the user as soon as it identifies a flood of sensor data. An SDN controller with an RT166P SDN switch is then used to blacklist the compromised device so that traffic from its IP and MAC addresses is blocked and restricted. Blacklisting is performed by the SDN controller via bandwidth control and port mirroring. In port mirroring, the switch sends a copy of every packet received on one port to another port, where the packets are stored and analysed. The bandwidth at the mirror port, which gathers all packets from the eight smart poles, was then examined for varying numbers of malicious devices performing DDoS attacks on the Internet. The results show that, in an attack-free environment, the bandwidth at the mirror port is approximately 10 Mbps, whereas a single UDP flood produces between 80 and 100 Mbps.
Therefore, the bandwidth control rule of the SDN switch was set to 800 Mbps to prevent devices from entering an overload state when attackers conduct a significant DDoS attack. For a very large DDoS attack, the bandwidth is expected to be in the range of Gbps or even Tbps.
Mihoub et al. [
140] presented an attack detection and mitigation architecture for IoT networks using machine learning. In this study, a multi-class classifier was developed using DT, RF, k-NN, multi-layer perceptron (MLP), RNN, and LSTM to classify the features extracted from the BoT–IoT dataset. This classifier follows the looking-back idea, in which the sub-categories of the attacks are also localized. Evaluation results show that the looking-back-enabled RF has the highest accuracy, while the lowest is observed with k-NN under the same concept. The authors of [
141] implemented the k-NN, SVM, NB, DT, RF, and LR machine learning algorithms in the WEKA tool to analyse their detection performance on the CICDDoS2019 dataset. Evaluation results show that DT and RF record the highest accuracy, while NB has the lowest detection accuracy. The DT, however, has superior performance in terms of processing time: the DT classifier requires 4.53 s to process the data, whereas the RF classifier needs roughly 84.2 s. Similar to the earlier study in [
141], the authors of [
142] analysed the potential of SVM, MLP, DT, and RF classifiers for attack detection in a simulated SDN environment, using the Scapy tool with a list of valid IPs to generate traffic. Results show the superiority of RF over the other classifiers in terms of detection accuracy, while DT has the quickest processing time. The primary drawback of this study is that all traffic was generated artificially and that some traffic characteristics, including IPs, protocols, and packet sizes, were randomly selected. The choice of these features was not discussed, and they were insufficient to provide successful detection performance. Aslam et al. [
143] proposed a three-layer adaptive machine learning framework for attack detection and mitigation in IoT networks. An adaptive multi-layered feed-forwarding scheme was developed using machine learning classifiers to examine the static features of SDN-enabled IoT network traffic. Within the first layer, classifiers were used to develop a DDoS detection model from the datasets. The findings from this layer were then combined using an ensemble voting (EV) approach applied to the classifiers. In the last layer, live network traffic was measured and compared with the accumulated output of the classifiers to detect anomalies. Results indicate that the framework achieved an accuracy ranging from 95% to 98.8%. The accuracy increased with the number of test flows, with the largest number of test flows producing the best accuracy. As observed in most of the previous studies [
131,
132,
133,
134,
135,
136,
137,
138,
139,
140,
141,
142,
143], the choice of features has a considerable effect on the detection accuracy. To improve this, a plethora of multi-class machine learning approaches have been proposed; however, feature selection remains a difficult task. The study presented in [
144] applied a hybrid feature selection methodology to RF, DT, k-NN, and Extreme Gradient Boosting (XGBoost) classifiers. The feature selection methods combined are Chi-square, Extra Trees, and ANOVA. The effectiveness of this approach was validated on the CICDDoS2019 dataset. Evaluation results show that XGBoost with ANOVA has the best performance, with an accuracy of 98.35%. This performance was achieved with just 15 features, an 82.5% feature reduction ratio. When all the features were considered, the accuracy of XGBoost dropped to 96.7%.
Attack detection in UAV/IoD/FANET using machine learning: In [
13], a machine learning-based approach was suggested for the detection and categorization of GPS spoofing attacks on UAVs. This study implemented three testing scenarios in an outdoor setting, where a sequence of GPS signal characteristics was gathered and the UAV was subjected to spoofing attacks using an SDR transceiver module. Thereafter, a variety of machine learning classifiers were trained on the datasets obtained from the authentic and spoofed flight scenarios. The results revealed that the approach detected GPS spoofing attacks in UAV networks with a detection rate (DR) above 92%, a misdetection rate (MDR) below 13%, and a false alarm rate (FAR) below 4%. In [
145], a hybrid of LR and RF was utilized to address security concerns with IoT-enabled drones. In this method, cybersecurity vulnerabilities were reduced by incorporating AI-inspired tactics within the framework of a drone network. The performance of the developed approach was verified using KDD drone data and GPS characteristic data. Evaluation results indicated that an accuracy of 98.58% was achieved. The approach was also evaluated using precision, recall, and F-measure, reported as 97.68%, 98.59%, and 99.01%, respectively (note that the F-measure, being the harmonic mean of precision and recall, cannot exceed both of them, so the reported F-measure should be read with caution). In [
146], the authors modelled SYN traffic using Bayesian inference and created an algorithm to identify SYN flood attacks in several wireless ad hoc networks, including MANET, VANET, and FANET. Beyond SYN flooding, the proposed algorithm also detects Hello flooding, RREQ flooding, data flooding, and UDP flooding attacks without a dedicated server node. The DARPA 1999 dataset was used to demonstrate its effectiveness. The findings show that the algorithm records a high true positive rate and precision. Ouiazzane et al. [
147] proposed a multi-agent, DT-based machine learning approach for the detection of DoS attacks in IoD networks. The approach permits the detection of both known and unknown DoS attacks in UAV networks, with low false positive and false negative rates and good performance when demonstrated on the CICIDS2017 dataset.
Attack detection in RPL-based IoT using machine learning: IoT devices have limited resources, so they cannot run conventional Internet routing protocols. As a solution to this problem, the RPL defined by the IETF is seen as a viable method to satisfy the routing requirements of IoT networks and reduce resource consumption along the routing path. This protocol can adapt to various situations and has several security modes. RPL is a distance-vector routing protocol that builds its topology as a Destination-Oriented Directed Acyclic Graph (DODAG) [
148]. In this architecture, nodes are organized towards one or more root nodes in a graph that contains no cycles, and RPL supports multi-point-to-point (MP2P, upward to the root), point-to-multipoint (P2MP, downward from the root), and point-to-point (P2P) traffic patterns. It has been shown that malicious nodes can carry out their operations while packets are being routed and forwarded; thus, the security of RPL routing data in the IoT has been a significant challenge, and several attack types can target the routed data [
149]. One of the primary attacks on RPL is the flooding attack, in which an excessive amount of traffic is generated using Hello messages to disable nodes and links. This attack consumes node resources, such as storage, energy, and processing, to cause a denial of service. Other notable attacks in RPL-based IoT networks, such as the Sybil, wormhole (WH), selective forwarding (SF), sinkhole (SH), clone ID (CID), version number (VN), and blackhole (BH) attacks, have been reported [
150,
151,
152]. The Sybil attack is extremely similar to the clone ID attack, as both allow control of a sizable portion of a network without the use of additional physical nodes. Due to variations in topology and complexity, as well as dissimilar traffic patterns, conventional security measures, such as those centred on encryption and fixed thresholds, are ineffective at detecting attacks in RPL-based IoT networks. Machine learning and deep learning models have therefore been used. Mehbodniya et al. [
153] investigated the use of machine learning for Sybil attack detection in RPL-based IoT networks. In this study, NB, RF, and LR classifiers were applied to data generated using the Contiki–Cooja simulator. The algorithms were evaluated using accuracy and packet delivery ratio. Experimental results show that NB has the best performance, with 92.14% accuracy and the best packet delivery ratio, while LR performs worst on both metrics. In Osman et al. [
154], an attack detection framework was proposed for VN attack detection in RPL-based IoT networks using a light gradient boosting machine (LGBM). The dataset for this work was largely created through simulations of VN attacks in Cooja. This was followed by a feature extraction module, an LGBM-based classification algorithm, and model parameter optimization. Simulation results showed that the proposed method is effective in identifying VN attacks, with a 99.6% accuracy rate as well as 99.6% precision and a 99.6% F1-score. The proposed approach occasionally generates false alarms and can only detect this single attack type. Moreover, the method requires lengthy processing times and high computational overhead.
In [
155], an ANN was employed in RPL-based IoT networks to identify Hello flooding (HF), DR, and VN attacks. Ten-fold cross-validation was used in this study to prevent over-fitting. The performance of the proposed model was compared under both the hold-out approach and the ten-fold cross-validation technique. The simulation results demonstrate that the proposed model is 100% accurate in localizing the attacks in each scenario. However, the authors employed a small network to generate the datasets. Similarly, Verma and Ranga [
156] examined the efficacy of machine learning classifiers for the detection of SH, BH, Sybil, CID, SF, and HF attacks in RPL-based IoT networks using Boosted Trees, Subspace Discriminant, RUSBoosted Trees, and Bagged Trees. Hold-out and cross-validation methods were used to assess this performance. According to the simulation results, the Subspace Discriminant model performs worst, with an accuracy of 77.8% and an area under the curve (AUC) of 0.87 for a 40% hold-out validation, while the Boosted Trees ensemble performs best, with an accuracy of 94.5% and an AUC of 0.98. In the cross-validation scenario, Boosted Trees and RUSBoosted Trees have the best accuracy and AUC, respectively. In Sharma et al. [
157], the potential of three machine learning classifiers was examined for attack detection in RPL networks. The Cooja network simulator was used to create a multi-class dataset that included a normal traffic pattern and four RPL attacks: HF, flooding, VN, and DR attacks. The dataset was evaluated independently using the RF, NB, and J48 classifiers. Experimental results indicated that RF has the best performance, achieving precision, recall, and accuracy of 99.4%, 99.3%, and 99.33%, respectively, with the J48 classifier performing worst.
Attack detection in NDN using machine learning: Named Data Networking (NDN) is an emerging next-generation network architecture that has been proposed as a replacement for the current IP-based internet infrastructure. It employs the content-centric networking paradigm, in which content is retrieved by name rather than by the network address of the server hosting it [
158]. In this architecture, a consumer requests content by name, and interest packets are forwarded using name prefixes rather than IP prefixes towards the original source of the content. Every router and intermediate node along the path searches its cache for a copy of the requested content; if a cached copy exists, it is returned to the requester along the reverse path. On the way back, all intermediate nodes keep a copy of the content in their caches to serve future requests for the same content [
158]. Each NDN router maintains three fundamental data structures: the Forwarding Information Base (FIB), Pending Interest Table (PIT), and Content Store (CS) [
159]. NDN was initially designed to address the basic shortcomings of the existing IP-based network, but attackers now exploit the two features unique to NDN routers, the CS and the PIT, to launch new variants of DDoS attacks against it. The two most prominent categories of DoS/DDoS attacks on NDN infrastructure are the interest flooding attack (IFA) and the content/cache poisoning attack. Other forms of attack on NDN, such as cache privacy attacks, cache pollution attacks, and false locality attacks (FLA), have been reported [
159,
160]. The goal of content poisoning is to prevent users from accessing legitimate content by forcing routers to forward and cache bogus data packets [
158]. The IFA is one of the most severe attacks on NDN. It is the NDN counterpart of a DDoS attack, whereby attackers flood the network with a large number of interest requests for non-existent content. These requests occupy entries in the PITs of the intermediate NDN routers, and, because such entries persist until they time out, valid requests are denied space in the PITs [
158,
159]. Despite NDN’s potential, it still lacks a good defence scheme against DoS and DDoS attacks. Deep learning and machine learning techniques have recently been developed for NDN attack detection. Kumar et al. [
160] proposed a machine learning framework for IFA detection in NDN. In this study, an IFA was modelled and simulated to gather attack features. The most prominent features were selected by information gain-based ranking; thereafter, DT, J48, and MLP with backpropagation classifiers were used for IFA detection. According to the experimental data, the MLP with BP is more appropriate for identifying and mitigating IFA, while the J48 classifier works better for large network topologies.
In [
161], the authors used an SVM classifier over the entropy of interest names, the satisfaction ratio, and the PIT usage of interfaces, which are continuously collected from a router. The Jensen–Shannon divergence was used to extract malicious prefixes, and an IFA was reported when anomalies were found. When the SVM was applied without the Jensen–Shannon divergence, a high misclassification rate was observed; with the inclusion of this divergence measure, the approach achieved high accuracy. A significant constraint of this study is that it can only identify one kind of attack on NDN; other attack types cannot be identified and require further development. As with the prior solution [
160], the detection process may consume a lot of resources. In [
162], the authors set up sample sets with various detection granularities to improve detection accuracy using an RF classifier. Experimental results show that the scheme detects IFAs with a high detection rate: a detection probability of 97.5% and a false negative probability of 1.2% were attained, with an error rate of 3% in some cases.
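As an added example (not the code of [161] or [162]) of the IFA features discussed above, the following Python block computes the interest-name entropy, satisfaction ratio and PIT usage of a window of interest records, and uses the Jensen–Shannon divergence between the attack-free and current name-prefix distributions to single out the prefix carrying the flood. The interest log is constructed, and the one-component prefix rule and the divergence threshold are assumptions:

```python
"""Interest flooding detection features for an NDN router.

Added example, not the code of [161] or of this survey. From a window of
(interest_name, satisfied) records it computes the three features named in
the text (Shannon entropy of interest names, satisfaction ratio, PIT usage
as the number of still-pending interests) and uses the Jensen-Shannon
divergence between the attack-free and current name-prefix distributions
to point at the prefix carrying the flood. The interest log is constructed;
the one-component prefix rule and the JSD threshold are assumptions.
"""
import math
from collections import Counter
from typing import Dict, Iterable, List, Tuple


def shannon_entropy(counts: Counter) -> float:
    """Entropy in bits of the empirical distribution given by `counts`."""
    total = sum(counts.values())
    return -sum((c / total) * math.log2(c / total) for c in counts.values() if c)


def prefix_of(name: str) -> str:
    """Assumed prefix rule: first name component, e.g. /video/a/b -> /video."""
    return "/" + name.strip("/").split("/", 1)[0]


def window_features(records: Iterable[Tuple[str, bool]]) -> Dict[str, float]:
    recs = list(records)
    names = Counter(n for n, _ in recs)
    satisfied = sum(1 for _, ok in recs if ok)
    return {
        "name_entropy": shannon_entropy(names),
        "satisfaction_ratio": satisfied / len(recs) if recs else 0.0,
        "pit_usage": len(recs) - satisfied,  # unsatisfied interests still occupy the PIT
    }


def prefix_distribution(records: List[Tuple[str, bool]]) -> Dict[str, float]:
    c = Counter(prefix_of(n) for n, _ in records)
    total = sum(c.values())
    return {p: v / total for p, v in c.items()}


def jensen_shannon(p: Dict[str, float], q: Dict[str, float]):
    """JSD(P||Q) in bits (between 0 and 1) and each prefix's contribution to it."""
    contrib = {}
    for k in set(p) | set(q):
        pk, qk = p.get(k, 0.0), q.get(k, 0.0)
        mk = 0.5 * (pk + qk)
        term = 0.0
        if pk:
            term += 0.5 * pk * math.log2(pk / mk)
        if qk:
            term += 0.5 * qk * math.log2(qk / mk)
        contrib[k] = term
    return sum(contrib.values()), contrib


def suspicious_prefixes(baseline, current, jsd_threshold: float = 0.1) -> List[str]:
    """Prefixes whose share of interests grew, ranked by JSD contribution;
    empty if the whole-window divergence from the attack-free baseline is
    below the (assumed) threshold."""
    p, q = prefix_distribution(baseline), prefix_distribution(current)
    jsd, contrib = jensen_shannon(p, q)
    if jsd < jsd_threshold:
        return []
    grown = [k for k in contrib if q.get(k, 0.0) > p.get(k, 0.0)]
    return sorted(grown, key=lambda k: contrib[k], reverse=True)


def constructed_baseline():
    """90 interests for 30 real names under three prefixes, 3 unsatisfied."""
    return [(f"{pfx}/item{i % 10}", i != 0)
            for pfx in ("/news", "/video", "/mail") for i in range(30)]


def constructed_attack():
    """Baseline traffic plus 300 interests for non-existent /video names."""
    return constructed_baseline() + [(f"/video/x{i}", False) for i in range(300)]


def run_demo():
    base, cur = constructed_baseline(), constructed_attack()
    return window_features(base), window_features(cur), suspicious_prefixes(base, cur)


if __name__ == "__main__":
    fb, fa, sus = run_demo()
    print("attack-free:", fb)
    print("attack     :", fa)
    print("suspicious prefixes:", sus)
```

Random non-existent names push the name entropy up and the satisfaction ratio down while the unsatisfied interests pile up in the PIT, which is the three-feature signature the SVM in [161] is trained on; the per-prefix JSD contribution then isolates /video as the only prefix whose share grew, so a prefix-level rate limit can be applied without touching /news or /mail.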
Table 8 provides a summary of the research conducted thus far on the application of machine learning models for attack detection. These studies are compared based on the method employed, the dataset, and the application domain. A summary of the evaluation findings from each study is also provided. As shown in
Table 8, a number of studies have discussed the use of machine learning for detecting network anomalies, with varying levels of accuracy and false alarms.
3.3.7. Deep Learning-Based Detection Methods
The deep learning structure combines the strengths of supervised and unsupervised learning through its feature extraction and classification modules [
163,
164]. Due to this advantage, research studies are increasingly tailoring deep learning to DDoS attack detection in internet-enabled networks.
Attack detection in IoT and SDN using deep learning: Hassan et al. [
165] proposed a deep convolutional neural network (DCNN) model for DDoS attack detection in an optical switching network. Its performance was compared to SVM, k-NN, and NB. The results showed that the DCNN outperformed them, achieving 99% detection accuracy, compared to 88%, 93%, and 79% for SVM, k-NN, and NB, respectively, with a misclassification rate of 1%. In [
166], the use of an ANN combined with a signature-based method was investigated. The results showed that the combined approach has an accuracy of 99.98% with a false positive rate of zero. Zhu et al. [
167] utilized CNN and feed-forward neural network (FNN) models for network traffic analysis and anomaly detection. When tested on the NSL–KDD dataset, an accuracy of 77.84% was recorded. This was higher than the other classifiers tested, including NB, RF, J48, RT, and SVM. However, a detection accuracy of 77.84% is still rather low compared to other comparable research results [
165,
166]. The study by the authors in [
168] used an LSTM for DDoS attack detection in fog computing environments. Network packets recorded at a specific time interval were employed to train the LSTM. The number of hidden layers was investigated for its effect on detection accuracy; an LSTM with three hidden layers and 128 units was found to be appropriate, with a detection accuracy of 98.88% on the ISCX 2012 dataset. The DeepDefense system proposed by Yuan et al. [
169] leverages CNN, RNN, LSTM, and gated recurrent unit (GRU) neural networks to localize attacks in IoT networks. The approach was demonstrated on the ISCX 2012 dataset. A substantial decrease in error rate was achieved compared to the conventional machine learning approach: with a 98% detection accuracy, the deep learning model lowers the error rate by 39.69%. In research by Shurman et al. [
170], the utilization of two methodologies for attack detection in an IoT network was examined independently. The first method makes use of a hybrid intrusion detection system, while the second approach uses an LSTM deep learning model. The applicability of these approaches was demonstrated on the CICDDoS2019 dataset. The two methods had a detection accuracy of 91.9% for both DDoS and DoS attacks. In this study, a few cases of false alarms were recorded.
Ge et al. [171] proposed a tailored deep learning approach for detecting attacks in an IoT environment. An embedding layer and an FNN approach were used in this study to perform multiclass attack prediction. Additionally, an FNN model was also developed to perform binary classification. Evaluation results reveal the success of the method: both classifiers performed well. In particular, the binary classifier showed detection accuracy close to 99.99%, while the multi-class classifier recorded about 99.79% accuracy. In this study, only a few attack classes were reportedly detected; thus, detecting other forms of attack is not guaranteed. The study presented in Elsayed et al. [172] discusses the use of an RNN with an autoencoder (AE) to improve detection accuracy during a DDoS attack in SDN. The success of this scheme was evaluated in comparison to NB, RF, DT, SVM, and linear regression classifiers. The scheme shows a significant enhancement in accuracy when demonstrated on the CICDDoS2019 dataset compared to existing approaches, recording an accuracy of 99%. The computational overhead was slightly reduced; the study, however, did not report performance parameters such as model training time or the number of samples classified. Roopak et al. [173] evaluated the effectiveness of CNN, LSTM, MLP, and a hybrid of CNN and LSTM (that is, CNN + LSTM) for attack detection in IoT networks. The effectiveness of these models was demonstrated using the CICIDS2017 dataset. The CNN + LSTM has the highest accuracy among these models, whereas the MLP has the lowest accuracy. LSTM performs second-best, with an accuracy of 96.24%, while CNN + LSTM achieves a detection accuracy of 97.16%. However, in terms of precision, the LSTM is observed to have the lowest precision results, while the MLP has the second-best performance. The study offers no justification for this obvious disparity. An AE-based unsupervised deep learning framework was proposed by Abeshu et al. [174] for the fog computing layer. The fog node is where training and parameter updates are carried out. The stacked AE model was pre-trained with unlabelled data and was subsequently used to classify test data. The effectiveness of the method was demonstrated on the NSL–KDD dataset, considering 41 features. An excellent accuracy of 99.2% and a detection rate of 99.27% were recorded. In this study, only a very few cases of false alarms were recorded. The performance of the suggested approach needs to be proven on more recent data because the dataset utilized is outdated. The study presented by the authors in [175] shows that a bidirectional long short-term memory-based RNN (BLSTM-RNN) could be effectively employed for attack detection. The performance of this approach was also compared to a unidirectional LSTM-RNN for the detection of botnet attacks. In this study, four attack vectors were considered in the generated dataset used for validation. These attack vectors include Mirai, UDP, DNS, and ACK. The method performed well in detecting Mirai, UDP, and DNS attacks with 99.0%, 98.0%, and 98.01% accuracies, respectively. When the ACK attack was considered, though, its performance deteriorated. This strategy has the significant drawback of adding computing overhead to each epoch, which increases the processing time.
Attack detection in UAVs/IoD/FANET using deep learning: In [14], the authors proposed a sea turtle foraging algorithm with a hybrid deep learning-based intrusion detection scheme (STFA-HDLID) for attack detection in an IoD environment. In this approach, the feature selection process was achieved with the STFA. Additionally, classification was performed using a Deep Belief Network (DBN) and the Sparrow Search Optimization (SSO) algorithm. The performance of the approach was demonstrated using the TON_IoT and UNSW-NB15 datasets. The results presented showed that an accuracy of 99.51% was recorded for the TON_IoT dataset, while 98.85% was achieved when the UNSW-NB15 dataset was considered. The authors of [176] investigated a framework for attack detection in FANET utilizing recurrent neural networks. The framework has both a data collection module and a data stream processing module. The latter gathers communication data from the drones, including data relevant to intrusion detection, which are subsequently fed into two RNN modules for data processing. The efficacy of the proposed approach was verified using the KDD Cup’99, NSL–KDD, UNSW-NB15, Kyoto, CICIDS2017, and TON_IoT datasets. The results showed that the framework has excellent performance. In [177], a deep convolutional neural network (DCNN) was utilized for attack detection in UAV networks. This method made use of encrypted wireless traffic records that were gathered from three different types of frequently used UAVs: DJI Spark UAVs, Parrot Bebop UAVs, and DB Power UAVs. The performance of the proposed approach was demonstrated using the UAV-IDS-2020 dataset, which contains numerous attacks against UAV networks. Experimental results show that a detection accuracy of 99.50% was achieved with a 2.77 ms prediction time. The authors of [178] concentrated on crystal structure optimization for attack detection in the IoD environment using a deep autoencoder-based model. In this work, the feature subsets were selected using a modified deer hunting optimization-based feature selection strategy, and the attacks were classified using an AE method. The model was simulated, and the results obtained showed that an accuracy of 99.12% was achieved. However, the proposed model needs to be tested on a large-scale, real-time dataset. Zhang et al. [179] developed an open-CNN model for the detection of unknown attacks in drone networks. Extensive experimental demonstrations showed that the developed model could detect DDoS, DoS hulk, botnet, and web attacks when tested on the CICIDS 2017 dataset. In addition, the authors compared the performance of the developed model with CNN and CNN–LSTM. The results presented revealed that the accuracy was improved by 9–30% when compared to the CNN and CNN–LSTM models.
Attack detection in RPL-based IoT using deep learning: A framework that employs a stacked AE-based DNN for CID attack detection in RPL-based IoT networks was proposed by Molina et al. [180]. To create a dataset for this study, CID attacks were implemented using the Cooja network simulator, considering three different network structures with a number of benign and malicious nodes. The SAE + DNN model was used to process and categorize these data. Experimental results showed that the framework detects CID attacks with an average accuracy of 99.65%. The proposed framework, however, is only capable of detecting CID attacks and cannot be utilized to identify other types of attacks in RPL-based IoT networks. Additionally, more computational overhead is observed, which is not good for resource-constrained IoT devices. In [181], an ANN-based attack detection scheme was proposed, using an MLP for attack detection in an RPL-based IoT network. The proposed approach has three stages: simulation, pre-processing, and classification. In the simulation stage, packet data are generated from the Contiki network simulator; the features of these data are extracted during pre-processing, while the classification stage involves the application of the MLP to the extracted features to identify attacks. Simulation results show that the approach could identify a VN RPL attack. Additionally, the method records a root mean square error (RMSE) of 0.0003 and a mean absolute error (MAE) of 0.0002. This study does not cover other well-known performance metrics such as accuracy, precision, recall, and F-measure. Additionally, the method has a higher computational burden, which could restrict its application to constrained devices.
In Cakir et al. [182], a deep learning approach to detect hello flooding attacks in RPL was presented, using a gated recurrent unit (GRU) network with an RNN. Similar to the study presented in [181], the approach also consisted of three stages: network simulation, pre-processing, and detection. The network simulation made use of the Contiki–Cooja simulator to generate datasets, which were processed and fed to the input of the GRU + RNN to differentiate between legitimate and malicious nodes. The performance of the proposed model was verified using feature sets of five and four features. According to the results, an accuracy of 99.96% was attained for the five-feature set and 99.90% for the four-feature set. Additionally, a mean square error of 0.05 was achieved. Similar to the research presented in [181,182], the authors in [183] used an MLP classifier to distinguish between normal and malicious behaviour using a dataset generated from the Cooja simulator. Hello flooding (HF), VN, and decreased rank (DR) attacks were all included in this dataset. Results from the simulation indicated that a 99.5% accuracy rate was attained. Additionally, according to the F1-score results, the approach has a detection rate of 94.7%, 99%, and 95% for DR, HF, and VN attacks, respectively. Analysis of other critical parameters, such as end-to-end delay and processing times, may also need to be investigated. Additionally, the traffic data used are static and do not accurately reflect the dynamic nature of internet traffic.
Attack detection in NDN using deep learning: Zeng et al. [184] proposed a scheme based on CNN for detecting FLA in NDN. In this study, the regularity of previous requests was harnessed, and the inherent features of the cached contents, such as the request ratio, the standard deviation of repeated interests, the variance of the request interval, and the change in cache hit ratio, were used as input data to the CNN. The CNN was able to classify the attacks and report whether an attack had been executed. The scheme was simulated using different network topologies, and the results revealed that the scheme is effective in detecting FLA with a detection ratio of 26.3% and a cache hit ratio of 12.2%. It also records a lower hop count. Unlike previous solutions, the authors in [154] developed a hybrid multi-objective strategy employing optimization and a deep learning model for DoS attack detection in NDN. This was accomplished by merging the multi-objective evolutionary optimization technique with particle swarm optimization, while the prediction accuracy was improved using the radial basis function (RBF) neural network. When malicious traffic is recognized, the router notifies the source interfaces. The performance of the hybrid scheme was demonstrated in a simulated environment consisting of different network topologies. Evaluation results showed that the scheme can respond to and mitigate DoS attacks with good accuracy. An accuracy of more than 90% was recorded in terms of the average interest satisfaction ratio for legitimate users, the PIT usage, and the number of received contents. Moreover, a very low false positive rate was achieved. A feature analysis of detection parameters was not discussed in this study. Similar to the study presented in [154], Kumar et al. [185] applied deep learning models for IFA detection in NDN using linear and DFN network topologies in the ndnSIM and CCNx code bases. These simulated network topologies were used to generate the dataset, which was then used on an MLP with back propagation (MLP + BP) and an RBF with computed k-means clustering. In addition, the RBF was combined with other optimization algorithms such as PSO (RBF + PSO), RBF + JAYA, and teaching learning-based optimization (RBF + TLBO). To localize the IFA attacks in the dataset, SVM and k-NN classifiers were also created individually, and the effectiveness of these techniques was evaluated. According to experimental findings, MLP + BP, RBF + PSO, RBF + JAYA, and RBF + TLBO have more accurate detection than k-NN and SVM. The MLP + BP offers the highest precision (97.5%) and accuracy (97.3%) when using the CCNx code. Additionally, a few instances of false alarms were noted.
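The NDN detectors above all start from per-window features of the interest stream (request ratio, spread of repeated interests, request-interval variance, change in cache hit ratio) that are then fed to a classifier. The following is an added example, not code from any of the cited papers: it computes such a feature vector per time window from a constructed interest log, using the hypothetical feature definitions stated in the docstring, so a practitioner can see how a locality or flooding pattern separates from benign traffic before any CNN is involved.

```python
from collections import Counter, defaultdict
from statistics import pstdev, pvariance

# Constructed NDN interest log: (timestamp_s, content_name, served_from_cache).
# Seconds 0-5 are diverse benign requests; seconds 5-10 mimic a locality
# attack: two unpopular names re-requested at a fixed 0.5 s interval.
INTERESTS = [
    (0.1, "/video/a", True), (0.4, "/news/b", False), (0.9, "/video/c", True),
    (1.5, "/img/d", False), (2.2, "/news/e", True), (2.9, "/video/f", False),
    (3.4, "/img/g", True), (3.8, "/news/h", False),
    (5.0, "/rare/x", False), (5.5, "/rare/y", False), (6.0, "/rare/x", True),
    (6.5, "/rare/x", True), (7.0, "/rare/y", True), (7.5, "/rare/x", True),
    (8.0, "/rare/y", True), (8.5, "/rare/x", True),
]


def window_features(records, prev_hit_ratio):
    """Feature vector for one window. These definitions are assumptions made
    for this example, not the cited papers' exact formulas:
      request_ratio   - interests per distinct name (repetition factor)
      repeat_std      - std-dev of per-name request counts
      interval_var    - variance of inter-arrival times (scripted requesters are regular)
      hit_ratio_delta - cache hit ratio minus the previous window's ratio
    """
    records = sorted(records)
    counts = Counter(name for _, name, _ in records)
    stamps = [ts for ts, _, _ in records]
    gaps = [b - a for a, b in zip(stamps, stamps[1:])]
    hit_ratio = sum(1 for _, _, hit in records if hit) / len(records)
    return {
        "request_ratio": len(records) / len(counts),
        "repeat_std": pstdev(counts.values()),
        "interval_var": pvariance(gaps) if gaps else 0.0,
        "hit_ratio": hit_ratio,
        "hit_ratio_delta": 0.0 if prev_hit_ratio is None else hit_ratio - prev_hit_ratio,
    }


def extract_features(interests, window_s):
    """Bucket the log into fixed windows and emit one feature dict per window."""
    buckets = defaultdict(list)
    for ts, name, hit in interests:
        buckets[int(ts // window_s)].append((ts, name, hit))
    feats, prev = [], None
    for key in sorted(buckets):
        f = window_features(buckets[key], prev)
        feats.append(f)
        prev = f["hit_ratio"]
    return feats


if __name__ == "__main__":
    for i, f in enumerate(extract_features(INTERESTS, 5.0)):
        print(f"window {i}: {f}")
```

In the constructed log the second window shows a request ratio of 4.0 against 1.0, zero interval variance, and a 0.25 rise in hit ratio; those are the kinds of shifts a downstream classifier learns to flag.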
In Table 9, a summary of the existing research studies on the use of deep learning models for attack detection is presented. These studies are compared based on the deep learning model used, the dataset, and the application domain. A summary of the evaluation findings from each study is also provided.
Table 10 displays a comparison of anomaly-based attack detection methods. This comparison is based on the features of each method, their advantages, and limitations.