Systematic Analysis on the Use of AI Techniques in Industrial IoT DDoS Attack Detection, Mitigation, and Prevention
Abstract
1. Introduction
1.1. Context and Motivation
1.2. Problem Statement
1.3. Research Objectives and Contributions
- To analyse current state-of-the-art AI approaches for detecting and preventing DDoS attacks in IIoT environments. This includes evaluating the approaches, performance, and effectiveness of existing AI-based models in identifying and mitigating DDoS attacks in IIoT systems.
- To identify gaps in existing solutions and challenges in practical deployment. By conducting a critical literature review of conventional, BC-based, ML-based, DL-based, and hybrid techniques, this research uncovers unaddressed limitations, issues, and bottlenecks in applying AI and ML approaches to real-world IIoT environments.
- To propose future research directions and innovations for advancing security in IIoT systems. This research outlines actionable insights and recommends approaches to bridge research gaps and advance the reliability of AI- and ML-based DDoS detection and mitigation techniques in IIoT environments.
1.4. Structure of the Paper
2. Materials and Methods
2.1. Research Questions and Objectives
- RQ1:
- What are the limitations of conventional and BC-based DDoS detection techniques?
- RQ2:
- What AI techniques have been used for detecting and mitigating DDoS attacks in IIoT environments?
- RQ3:
- What are the key strengths, gaps, limitations, and challenges in mitigating DDoS attacks in IIoT systems?
- RQ4:
- What research strategy could address the identified limitations to enhance the security of IIoT environments?
- To identify and analyse the shortcomings of traditional and BC-based DDoS detection methods, highlighting areas that require improvement.
- To explore the role of AI-driven approaches in DDoS detection and mitigation within the IIoT, assessing their effectiveness and applicability.
- To systematically examine existing methodologies, pinpoint their advantages and limitations, and identify unresolved challenges in securing the IIoT against DDoS threats.
- To propose a comprehensive research direction that effectively addresses the identified gaps while ensuring a more resilient IIoT security framework.
2.2. Search Strategy
2.3. Study Selection and Screening Process
2.4. Data Extraction and Analysis
2.5. Statistics
3. Background
3.1. Overview of IIoT
3.2. DDoS Attacks in the IIoT
Geographic Distribution of DDoS Attacks
3.3. IIoT Traffic Characteristics and Protocol-Aware Detection
4. Comprehensive DDoS Attack Detection Techniques in IIoT Systems
4.1. Conventional Approaches for DDoS Attack Detection
4.2. BC-Based Approaches for DDoS Attack Detection
4.3. ML-Based Approaches for DDoS Attack Detection
4.4. DL-Based Approaches for DDoS Attack Detection
4.5. Hybrid-Based Approaches for DDoS Detection
5. Survey and Review Papers on Related Issues
5.1. Strengths of the Review Papers
5.2. Limitations of the Review Papers
6. Results and Analysis
6.1. Key Findings
6.2. Themes and Categories
6.3. Quantitative Insights
6.4. Case Studies
7. Discussion
7.1. Critical Evaluation
7.2. Emerging Trends
7.3. Research Gaps
7.4. Challenges
7.5. Future Work
7.6. Recommendations
8. Conclusions
Author Contributions
Funding
Data Availability Statement
Conflicts of Interest
Abbreviations
| AI | Artificial Intelligence | APT | Advanced Persistent Threat |
| BC | Blockchain | BERT | Bidirectional Encoder Representations from Transformers |
| CNN | Convolutional Neural Network | DDoS | Distributed Denial of Service |
| DL | Deep Learning | DNN | Deep Neural Network |
| DRL | Deep Reinforcement Learning | DT | Decision Tree |
| FL | Federated Learning | GAN | Generative Adversarial Network |
| GRU | Gated Recurrent Unit | ICS | Industrial Control System |
| IDS | Intrusion Detection System | IIoT | Industrial Internet of Things |
| IoT | Internet of Things | KNN | k-Nearest Neighbours |
| LSTM | Long Short-Term Memory | M2M | Machine-to-Machine |
| ML | Machine Learning | MLP | Multi-Layer Perceptron |
| NN | Neural Network | OT | Operational Technology |
| PCC | Pearson Correlation Coefficient | PLC | Programmable Logic Controller |
| PRISMA | Preferred Reporting Items for Systematic Reviews and Meta-Analyses | RF | Random Forest |
| RL | Reinforcement Learning | RNN | Recurrent Neural Network |
| SCADA | Supervisory Control and Data Acquisition | SDN | Software-Defined Network |
| SLR | Systematic Literature Review | SVM | Support Vector Machine |
| TLS | Transport Layer Security | UAV | Unmanned Aerial Vehicle |
| WSN | Wireless Sensor Network |
References
- Chaudhary, S.; Mishra, P.K. DDoS attacks in Industrial IoT: A survey. Comput. Netw. 2023, 236, 110015. [Google Scholar] [CrossRef]
- Karie, N.M.; Sahri, N.M.; Haskell-Dowland, P. IoT Threat Detection Advances, Challenges and Future Directions. In Proceedings of the 2020 Workshop on Emerging Technologies for Security in IoT (ETSecIoT), Sydney, NSW, Australia, 21 April 2020; pp. 22–29. [Google Scholar] [CrossRef]
- Feng, Y.; Zhang, W.; Yin, S.; Tang, H.; Xiang, Y.; Zhang, Y. A Collaborative Stealthy DDoS Detection Method Based on Reinforcement Learning at the Edge of Internet of Things. IEEE Internet Things J. 2023, 10, 17934–17948. [Google Scholar] [CrossRef]
- Nie, L.; Sun, W.; Wang, S.; Ning, Z.; Rodrigues, J.J.P.C.; Wu, Y.; Li, S. Intrusion Detection in Green Internet of Things: A Deep Deterministic Policy Gradient-Based Algorithm. IEEE Trans. Green Commun. Netw. 2021, 5, 778–788. [Google Scholar] [CrossRef]
- Nguyen, T.G.; Phan, T.V.; Hoang, D.T.; Nguyen, T.N.; So-In, C. Federated Deep Reinforcement Learning for Traffic Monitoring in SDN-Based IoT Networks. IEEE Trans. Cogn. Commun. Netw. 2021, 7, 1048–1065. [Google Scholar] [CrossRef]
- Alemayehu, M.; Ghanem, M.C.; Kheddar, H.; Dunsin, D.; Kerrache, C.A.; Rathee, G. Low-Latency DDoS Detection for IIoT and SCADA Networks Using Proximal Policy Optimisation and Deep Reinforcement Learning. Information 2026, 17, 412. [Google Scholar] [CrossRef]
- Sangoleye, F.; Johnson, J.; Tsiropoulou, E.E. Intrusion Detection in Industrial Control Systems Based on Deep Reinforcement Learning. IEEE Access 2024, 12, 151444–151459. [Google Scholar] [CrossRef]
- Alemayehu, M.; Ghanem, M.C.; Kheddar, H. Edge-Optimized Deep and Transfer Learning for Efficient DDoS Detection in IIoT Networks. Mach. Learn. Knowl. Extr. 2026, 8, 166. [Google Scholar] [CrossRef]
- Borgiani, V.; Moratori, P.; Kazienko, J.F.; Tubino, E.R.R.; Quincozes, S.E. Toward a Distributed Approach for Detection and Mitigation of Denial-of-Service Attacks Within Industrial Internet of Things. IEEE Internet Things J. 2021, 8, 4569–4578. [Google Scholar] [CrossRef]
- Lu, Y.; Chai, S.; Suo, Y.; Yao, F.; Zhang, C. Intrusion detection for Industrial Internet of Things based on deep learning. Neurocomputing 2024, 564, 126886. [Google Scholar] [CrossRef]
- Ferrag, M.A.; Maglaras, L.; Benbouzid, M. Blockchain and Artificial Intelligence as Enablers of Cyber Security in the Era of IoT and IIoT Applications. J. Sens. Actuator Netw. 2023, 12, 40. [Google Scholar] [CrossRef]
- Rashid, M.M.; Khan, S.U.; Eusufzai, F.; Redwan, M.A.; Sabuj, S.R.; Elsharief, M. A Federated Learning-Based Approach for Improving Intrusion Detection in Industrial Internet of Things Networks. Network 2023, 3, 158–179. [Google Scholar] [CrossRef]
- Kumar, R.; Kandpal, B.; Ahmad, V. Industrial IoT (IIOT): Security Threats and Countermeasures. In Proceedings of the 2023 International Conference on Innovative Data Communication Technologies and Application (ICIDCA), Dehradun, India, 14–16 March 2023; pp. 829–833. [Google Scholar] [CrossRef]
- Ghanem, M.C.; Chen, T.M.; Ferrag, M.A.; Kettouche, M.E. ESASCF: Expertise Extraction, Generalization and Reply Framework for Optimized Automation of Network Security Compliance. IEEE Access 2023, 11, 129840–129853. [Google Scholar] [CrossRef]
- Qureshi, S.S.; He, J.; Zhu, N.; Jia, M.; Qureshi, S.; Ullah, F.; Nazir, A.; Wajahat, A. A New Deep Learning Paradigm for IoT Security: Expanding Beyond Traditional DDoS Detection. Int. J. Netw. Secur. 2024, 26, 349–360. [Google Scholar]
- Irshad, A.; Mallah, G.A.; Bilal, M.; Chaudhry, S.A.; Shafiq, M.; Song, H. SUSIC: A Secure User Access Control Mechanism for SDN-Enabled IIoT and Cyber–Physical Systems. IEEE Internet Things J. 2023, 10, 16504–16515. [Google Scholar] [CrossRef]
- Zainudin, A.; Ahakonye, L.A.C.; Akter, R.; Kim, D.S.; Lee, J.M. An Efficient Hybrid-DNN for DDoS Detection and Classification in Software-Defined IIoT Networks. IEEE Internet Things J. 2023, 10, 8491–8504. [Google Scholar] [CrossRef]
- Kheddar, H.; Dawoud, D.W.; Awad, A.I.; Himeur, Y.; Khan, M.K. Reinforcement-Learning-Based Intrusion Detection in Communication Networks: A Review. IEEE Commun. Surv. Tutor. 2024, 27, 2420–2469. [Google Scholar] [CrossRef]
- Zhou, Y.; Cheng, G.; Zhao, Y.; Chen, Z.; Jiang, S. Toward Proactive and Efficient DDoS Mitigation in IIoT Systems: A Moving Target Defense Approach. IEEE Trans. Ind. Inform. 2022, 18, 2734–2744. [Google Scholar] [CrossRef]
- Wang, J.; Liu, J. Deep Learning for Securing Software-Defined Industrial Internet of Things: Attacks and Countermeasures. IEEE Internet Things J. 2022, 9, 11179–11189. [Google Scholar] [CrossRef]
- Jyothi, E.V.N.; Kranthi, M.; Sailaja, S.; Sesadri, U.; Koka, S.N.; Reddy, P.C.S. An Adaptive Intrusion Detection System in Industrial Internet of Things (IIoT) Using Deep Learning. In Proceedings of the 2024 1st International Conference on Innovative Sustainable Technologies for Energy, Mechatronics, and Smart Systems (ISTEMS), Dehradun, India, 26–27 April 2024; pp. 1–6. [Google Scholar] [CrossRef]
- Tharewal, S.; Ashfaque, M.W.; Banu, S.S.; Uma, P.; Hassen, S.M.; Shabaz, M. Intrusion Detection System for Industrial Internet of Things Based on Deep Reinforcement Learning. Wirel. Commun. Mob. Comput. 2022, 2022, 9023719. [Google Scholar] [CrossRef]
- Frankó, A.; Hollósi, G.; Ficzere, D.; Varga, P. Applied Machine Learning for IIoT and Smart Production—Methods to Improve Production Quality, Safety and Sustainability. Sensors 2022, 22, 9148. [Google Scholar] [CrossRef] [PubMed]
- Horak, T.; Strelec, P.; Huraj, L.; Tanuska, P.; Vaclavova, A.; Kebisek, M. The Vulnerability of the Production Line Using Industrial IoT Systems Under DDoS Attack. Electronics 2021, 10, 381. [Google Scholar] [CrossRef]
- Hristov, A.; Pavlova, G.; Raynova, K. Developing and Experimenting Simulation Model of DDoS Attacks in IIoT Networks Using Python. In Proceedings of the 2023 31st National Conference with International Participation (TELECOM), Sofia, Bulgaria, 16–17 November 2023; pp. 1–4. [Google Scholar] [CrossRef]
- Hristov, A.V.; Hristov, V.P. Investigation of Time for Conducting a Successful DDoS Attacks in IIoT Network. In Proceedings of the 2024 12th International Scientific Conference on Computer Science (COMSCI), Sozopol, Bulgaria, 13–15 September 2024; pp. 1–4. [Google Scholar] [CrossRef]
- Kebande, V.R.; Awad, A.I. Industrial Internet of Things Ecosystems Security and Digital Forensics: Achievements, Open Challenges, and Future Directions. ACM Comput. Surv. 2024, 56, 263. [Google Scholar] [CrossRef]
- NETSCOUT Systems. Unmasking the Swarm: The Evolving Tactics of Botnet-Driven DDoS Attacks; DDoS Threat Intelligence Report; Issue 16; Technical Report; NETSCOUT Systems, Inc.: Westford, MA, USA, 2026. [Google Scholar]
- Tange, K.; Donno, M.D.; Fafoutis, X.; Dragoni, N. A Systematic Survey of Industrial Internet of Things Security: Requirements and Fog Computing Opportunities. IEEE Commun. Surv. Tutor. 2020, 22, 2489–2520. [Google Scholar] [CrossRef]
- Alashhab, A.; Zahid, M.S.; Muneer, A.; Abdullahi, M. Low-Rate DDoS Attack Detection Using Deep Learning for SDN-Enabled IoT Networks. Int. J. Adv. Comput. Sci. Appl. 2022, 13, 371–377. [Google Scholar] [CrossRef] [PubMed]
- Prabavathy, S.; Reddy, I.R.P. Fog Computing Based Distributed Denial of Service Attack Detection Method for Large-Scale Internet of Things. In Proceedings of the 2023 10th International Conference on Signal Processing and Integrated Networks (SPIN), Noida, India, 23–24 March 2023; pp. 70–75. [Google Scholar] [CrossRef]
- Mekala, S.H.; Baig, Z.; Anwar, A.; Zeadally, S. Cybersecurity for Industrial IoT (IIoT): Threats, Countermeasures, Challenges and Future Directions. Comput. Commun. 2023, 208, 294–320. [Google Scholar] [CrossRef]
- Kim, B.K.; Kang, Y. Abnormal Traffic Detection Mechanism for Protecting IIoT Environments. In Proceedings of the 2018 International Conference on Information and Communication Technology Convergence (ICTC), Jeju, Republic of Korea, 17–19 October 2018; pp. 943–945. [Google Scholar] [CrossRef]
- Snehi, M.; Bhandari, A. Vulnerability retrospection of security solutions for software-defined Cyber–Physical System against DDoS and IoT-DDoS attacks. Comput. Sci. Rev. 2021, 40, 100371. [Google Scholar] [CrossRef]
- Du, M.; Wang, K. An SDN-Enabled Pseudo-Honeypot Strategy for Distributed Denial of Service Attacks in Industrial Internet of Things. IEEE Trans. Ind. Inform. 2020, 16, 648–657. [Google Scholar] [CrossRef]
- Yan, Q.; Huang, W.; Luo, X.; Gong, Q.; Yu, F.R. A Multi-Level DDoS Mitigation Framework for the Industrial Internet of Things. IEEE Commun. Mag. 2018, 56, 82–89. [Google Scholar] [CrossRef]
- Rahman, A.; Islam, M.J.; Band, S.S.; Muhammad, G.; Hasan, K.; Tiwari, P. Towards a blockchain-SDN-based secure architecture for cloud computing in smart industrial IoT. Digit. Commun. Netw. 2023, 9, 411–421. [Google Scholar] [CrossRef]
- Rathee, G.; Ahmad, F.; Sandhu, R.; Kerrache, C.A.; Azad, M.A. On the design and implementation of a secure blockchain-based hybrid framework for Industrial Internet-of-Things. Inf. Process. Manag. 2021, 58, 102526. [Google Scholar] [CrossRef]
- Shahidinejad, A.; Abawajy, J. Efficient Provably Secure Authentication Protocol for Multidomain IIoT Using a Combined Off-Chain and On-Chain Approach. IEEE Internet Things J. 2024, 11, 15241–15251. [Google Scholar] [CrossRef]
- Fikriansyah, M.I.; Karimah, S.A.; Setiadi, F. Detection of DDOS Attacks in IIoT Case Using Machine Learning Algorithms. In Proceedings of the 2024 International Conference on Data Science and Its Applications (ICoDSA), Kuta, Indonesia, 10–11 July 2024; pp. 117–121. [Google Scholar] [CrossRef]
- Laiq, F.; Al-Obeidat, F.; Amin, A.; Moreira, F. DDoS Attack Detection in Edge-IIoT using Ensemble Learning. In Proceedings of the 2023 7th Cyber Security in Networking Conference (CSNet), Montreal, QC, Canada, 16–18 October 2023; pp. 204–207. [Google Scholar] [CrossRef]
- Latif, S.; Zou, Z.; Idrees, Z.; Ahmad, J. A Novel Attack Detection Scheme for the Industrial Internet of Things Using a Lightweight Random Neural Network. IEEE Access 2020, 8, 89337–89350. [Google Scholar] [CrossRef]
- Jia, Y.; Zhong, F.; Alrawais, A.; Gong, B.; Cheng, X. FlowGuard: An Intelligent Edge Defense Mechanism Against IoT DDoS Attacks. IEEE Internet Things J. 2020, 7, 9552–9562. [Google Scholar] [CrossRef]
- Abdel-Basset, M.; Chang, V.; Hawash, H.; Chakrabortty, R.K.; Ryan, M. Deep-IFS: Intrusion Detection Approach for Industrial Internet of Things Traffic in Fog Environment. IEEE Trans. Ind. Inform. 2021, 17, 7704–7715. [Google Scholar] [CrossRef]
- Hasan, T.; Malik, J.; Bibi, I.; Khan, W.U.; Al-Wesabi, F.N.; Dev, K.; Huang, G. Securing Industrial Internet of Things Against Botnet Attacks Using Hybrid Deep Learning Approach. IEEE Trans. Netw. Sci. Eng. 2023, 10, 2952–2963. [Google Scholar] [CrossRef]
- Alkhafaji, N.; Viana, T.; Al-Sherbaz, A. Integrated Genetic Algorithm and Deep Learning Approach for Effective Cyber-Attack Detection and Classification in Industrial Internet of Things (IIoT) Environments. Arab. J. Sci. Eng. 2024, 50, 12071–12095. [Google Scholar] [CrossRef]
- Gupta, R.; Jadav, N.K.; Mankodiya, H.; Alshehri, M.D.; Tanwar, S.; Sharma, R. Blockchain and Onion-Routing-Based Secure Message Exchange System for Edge-Enabled IIoT. IEEE Trans. Ind. Inform. 2023, 19, 1965–1976. [Google Scholar] [CrossRef]
- Mrabet, H.; Alhomoud, A.; Jemai, A.; Trentesaux, D. A Secured Industrial Internet-of-Things Architecture Based on Blockchain Technology and Machine Learning for Sensor Access Control Systems in Smart Manufacturing. Appl. Sci. 2022, 12, 4641. [Google Scholar] [CrossRef]
- Salim, M.M.; Comivi, A.K.; Nurbek, T.; Park, H.; Park, J.H. A Blockchain-Enabled Secure Digital Twin Framework for Early Botnet Detection in IIoT Environment. Sensors 2022, 22, 6133. [Google Scholar] [CrossRef] [PubMed]
- Arat, F.; Akleylek, S. Attack Path Detection for IIoT-Enabled Cyber Physical Systems: Revisited. Comput. Secur. 2023, 128, 103174. [Google Scholar] [CrossRef]
- Mosteiro-Sanchez, A.; Barcelo, M.; Astorga, J.; Urbieta, A. Securing IIoT using Defence-in-Depth: Towards an End-to-End Secure Industry 4.0. J. Manuf. Syst. 2020, 57, 367–378. [Google Scholar] [CrossRef]
- Pedroso, C.; Santos, A. Dissemination control in dynamic data clustering for dense IIoT against false data injection attack. Int. J. Netw. Manag. 2022, 32, e2201. [Google Scholar] [CrossRef]
- Yang, Y.S.; Lee, S.H.; Chen, W.C.; Yang, C.S.; Huang, Y.M.; Hou, T.W. Securing SCADA Energy Management System under DDos Attacks Using Token Verification Approach. Appl. Sci. 2022, 12, 530. [Google Scholar] [CrossRef]
- Yu, Y.; Chen, R.; Li, H.; Li, Y.; Tian, A. Toward Data Security in Edge Intelligent IIoT. IEEE Netw. 2019, 33, 20–26. [Google Scholar] [CrossRef]
- Zhou, H.; Pal, S.; Jadidi, Z.; Jolfaei, A. A Fog-Based Security Framework for Large-Scale Industrial Internet of Things Environments. IEEE Internet Things Mag. 2023, 6, 64–68. [Google Scholar] [CrossRef]
- Zhou, L.; Guo, H.; Deng, G. A fog computing based approach to DDoS mitigation in IIoT systems. Comput. Secur. 2019, 85, 51–62. [Google Scholar] [CrossRef]
- Toko, T.M.N.N.; Bellaiche, M.; Halabi, T. A Game-theoretic Approach for DDoS Attack Mitigation in IIoT Deterministic Networking. In Proceedings of the NOMS 2024 IEEE Network Operations and Management Symposium, Seoul, Republic of Korea, 6–10 May 2024; pp. 1–5. [Google Scholar] [CrossRef]
- Mounika, G.; Sai, V.R.; Yeshaswini, V.; Hemalatha, P.; Sharan, A.S. SDN-Based Framework for Real-Time DDoS Detection and Mitigation using Mininet, POX, and Snort. In Proceedings of the 2025 5th International Conference on Soft Computing for Security Applications (ICSCSA), Salem, India, 4–6 August 2025; pp. 77–84. [Google Scholar] [CrossRef]
- Srivastava, A.; Sinha, D. FP-growth-based signature extraction and unknown variants of DoS/DDoS attack detection on real-time data stream. J. Inf. Secur. Appl. 2025, 89, 103996. [Google Scholar] [CrossRef]
- Wang, W.; Xu, H.; Alazab, M.; Gadekallu, T.R.; Han, Z.; Su, C. Blockchain-Based Reliable and Efficient Certificateless Signature for IIoT Devices. IEEE Trans. Ind. Inform. 2022, 18, 7059–7067. [Google Scholar] [CrossRef]
- Yeasmin, S.; Baig, A. Permissioned Blockchain-based Security for IIoT. In Proceedings of the 2020 IEEE International IoT, Electronics and Mechatronics Conference (IEMTRONICS), Vancouver, BC, Canada, 9–12 September 2020; pp. 1–7. [Google Scholar] [CrossRef]
- Rajesh, H.; Moradpoor, N.; Waqas, M.; Maglaras, L. A Blockchain-Powered Defence System Against DDos Attacks with Incentivised Collaboration. In Proceedings of the 2025 21st International Conference on Distributed Computing in Smart Systems and the Internet of Things (DCOSS-IoT), Lucca, Italy, 9–11 June 2025; pp. 721–728. [Google Scholar] [CrossRef]
- Moudoud, H.; Abou El Houda, Z.; Brik, B. A Blockchain-Based Cross-Domain DDoS Mitigation in Consumer Networks. IEEE Trans. Consum. Electron. 2025, 71, 7095–7104. [Google Scholar] [CrossRef]
- Mohy-Eddine, M.; Guezzaz, A.; Benkirane, S.; Azrour, M.; Farhaoui, Y. An Ensemble Learning Based Intrusion Detection Model for Industrial IoT Security. Big Data Min. Anal. 2023, 6, 273–287. [Google Scholar] [CrossRef]
- Ellappan, V.; Manikandan, N.; Alotaibi, S.S.; Althubiti, S.A.; Alruwaili, M.; Abdel-Khalek, S.; Mansour, R.F. Sliding Principal Component and Dynamic Reward Reinforcement Learning Based IIoT Attack Detection. Sci. Rep. 2023, 13, 20843. [Google Scholar] [CrossRef] [PubMed]
- Kumar, P.; Mullick, S.; Das, R.; Nandi, A.; Banerjee, I. IoTForge Pro: A Security Testbed for Generating Intrusion Dataset for Industrial IoT. IEEE Internet Things J. 2024, 11, 36245–36258. [Google Scholar] [CrossRef]
- Qaddoori, S.L.; Ali, Q.I. An Efficient Security Model for Industrial Internet of Things (IIoT) System Based on Machine Learning Principles. Al-Rafidain Eng. J. 2023, 28, 329–340. [Google Scholar] [CrossRef]
- Qaiser, G.; Chandrasekaran, S.; Chai, R.; Zheng, J. Classifying DDoS Attack in Industrial Internet of Services Using Machine Learning. In Proceedings of the 2023 15th International Conference on Computer and Automation Engineering (ICCAE), Sydney, Australia, 3–5 March 2023; pp. 546–550. [Google Scholar] [CrossRef]
- Sivakumar, S.; Raffik, R.; Kumar, K.K.; Hazela, B. Scada energy management system under the distributed decimal of service attack using verification techniques by IIoT. In Proceedings of the 2023 International Conference on Artificial Intelligence and Knowledge Discovery in Concurrent Engineering (ICECONF), Chennai, India, 5–7 January 2023; pp. 1–4. [Google Scholar] [CrossRef]
- Salim, M.M.; Azzaoui, A.E.; Deng, X.; Park, J.H. FL-CTIF: A federated learning based CTI framework based on information fusion for secure IIoT. Inf. Fusion 2024, 102, 102074. [Google Scholar] [CrossRef]
- Estupiñán Cuesta, E.P.; Martínez Quintero, J.C.; Avilés Palma, J.D. DDoS Attacks Detection in SDN Through Network Traffic Feature Selection and Machine Learning Models. Telecom 2025, 6, 69. [Google Scholar] [CrossRef]
- Mallela, R.B.; O, S.; Goud, E.A.; Rapaka, A.; Sruthi, P.R.; Yasaswi, S.N. Optimizing IoT DDoS Detection with Hybrid Feature Selection and Ensemble Learning. In Proceedings of the 2025 3rd International Conference on Sustainable Computing and Data Communication Systems (ICSCDS), Erode, India, 6–8 August 2025; pp. 1004–1008. [Google Scholar] [CrossRef]
- Hirsi, A.; Audah, L.; Alhartomi, M.A.; Salh, A.; Ansa, G.O.; Hamdi, M.M.; Saputri, D.G.; Ahmed, S.; Farah, A. HSF: A Hybrid SVM-RF Machine Learning Framework for Dual-Plane DDoS Detection and Mitigation in Software-Defined Networks. IEEE Access 2025, 13, 112303–112323. [Google Scholar] [CrossRef]
- Guezzaz, A.; Azrour, M.; Benkirane, S.; Mohy-Eddine, M.; Attou, H.; Douiba, M. A Lightweight Hybrid Intrusion Detection Framework Using Machine Learning for Edge-Based IIoT Security. Int. Arab J. Inf. Technol. 2022, 19, 822–828. [Google Scholar] [CrossRef]
- Khan, I.A.; Keshk, M.; Pi, D.; Khan, N.; Hussain, Y.; Soliman, H. Enhancing IIoT Networks Protection: A Robust Security Model for Attack Detection in Internet Industrial Control Systems. IEEE Access 2024, 12, 15244–15259. [Google Scholar] [CrossRef]
- Zainudin, A.; Akter, R.; Kim, D.S.; Lee, J.M. FedDDoS: An Efficient Federated Learning-based DDoS Attacks Classification in SDN-Enabled IIoT Networks. In Proceedings of the 2022 13th International Conference on Information and Communication Technology Convergence (ICTC), Jeju Island, Republic of Korea, 19–21 October 2022; pp. 1279–1283. [Google Scholar] [CrossRef]
- Amaizu, G.C.; Nwakanma, C.I.; Bhardwaj, S.; Lee, J.M.; Kim, D.S. Composite and Efficient DDoS Attack Detection Framework for B5G Networks. Comput. Netw. 2021, 188, 107871. [Google Scholar] [CrossRef]
- Benaddi, H.; Jouhari, M.; Ibrahimi, K.; Othman, J.B.; Amhoud, E.M. Anomaly Detection in Industrial IoT Using Distributional Reinforcement Learning and Generative Adversarial Networks. Sensors 2022, 22, 8241. [Google Scholar] [CrossRef] [PubMed]
- Karacayılmaz, G.; Artuner, H. A Novel Approach Detection for IIoT Attacks via Artificial Intelligence. Clust. Comput. 2024, 27, 10467–10485. [Google Scholar] [CrossRef]
- Magaia, N.; Fonseca, R.; Muhammad, K.; Segundo, A.H.F.N.; Neto, A.V.L.; Albuquerque, V.H.C.D. Industrial Internet-of-Things Security Enhanced With Deep Learning Approaches for Smart Cities. IEEE Internet Things J. 2021, 8, 6393–6405. [Google Scholar] [CrossRef]
- Nandanwar, H.; Katarya, R. Deep learning enabled intrusion detection system for Industrial IOT environment. Expert Syst. Appl. 2024, 249, 123808. [Google Scholar] [CrossRef]
- Qaiser, G.; Chandrasekaran, S.; Chai, R.; Zheng, J. Classification of DDoS traffic for Industrial Internet of Services using Deep learning approaches. In Proceedings of the 2023 IEEE International Conference on Artificial Intelligence, Blockchain, and Internet of Things (AIBThings), Mount Pleasant, MI, USA, 16–17 September 2023; pp. 1–9. [Google Scholar] [CrossRef]
- Rahman, M.A.; Hossain, M.S. A Deep Learning Assisted Software Defined Security Architecture for 6G Wireless Networks: IIoT Perspective. IEEE Wirel. Commun. 2022, 29, 52–59. [Google Scholar] [CrossRef]
- Sankaran, K.S.; Kim, B.H. Deep learning based energy efficient optimal RMC-CNN model for secured data transmission and anomaly detection in industrial IOT. Sustain. Energy Technol. Assess. 2023, 56, 102983. [Google Scholar] [CrossRef]
- Yu, K.; Tan, L.; Mumtaz, S.; Al-Rubaye, S. Securing Critical Infrastructures: Deep-Learning-Based Threat Detection in IIoT. IEEE Commun. Mag. 2021, 59, 76–82. [Google Scholar] [CrossRef]
- Ferrag, M.A.; Friha, O.; Hamouda, D.; Maglaras, L.; Janicke, H. Edge-IIoTset: A New Comprehensive Realistic Cyber Security Dataset of IoT and IIoT Applications for Centralized and Federated Learning. IEEE Access 2022, 10, 40281–40306. [Google Scholar] [CrossRef]
- Ain, N.U.; Sardaraz, M.; Tahir, M.; Abo Elsoud, M.W.; Alourani, A. Securing IoT Networks Against DDoS Attacks: A Hybrid Deep Learning Approach. Sensors 2025, 25, 1346. [Google Scholar] [CrossRef] [PubMed]
- Akhi, M.; Eising, C.; Dhirani, L.L. Securing IoT Using Lightweight TCN for Edge Deployment on Raspberry Pi 4. IEEE Open J. Commun. Soc. 2026, 7, 442–460. [Google Scholar] [CrossRef]
- Halder, S.; Newe, T. Radio fingerprinting for anomaly detection using federated learning in LoRa-enabled Industrial Internet of Things. Future Gener. Comput. Syst. 2023, 143, 322–336. [Google Scholar] [CrossRef]
- Chaabouni, N.; Mosbah, M.; Zemmari, A.; Sauvignac, C.; Faruki, P. Network intrusion detection for IoT security based on learning techniques. IEEE Commun. Surv. Tutor. 2019, 21, 2671–2701. [Google Scholar] [CrossRef]
- Jadav, N.K.; Kakkar, R.; Mankodiya, H.; Gupta, R.; Tanwar, S.; Agrawal, S.; Sharma, R. GRADE: Deep Learning and Garlic Routing-Based Secure Data Sharing Framework for IIoT Beyond 5G. Digit. Commun. Netw. 2023, 9, 422–435. [Google Scholar] [CrossRef]
- Kaur, A. Intrusion Detection Approach for Industrial Internet of Things Traffic Using Deep Recurrent Reinforcement Learning Assisted Federated Learning. IEEE Trans. Artif. Intell. 2025, 6, 37–50. [Google Scholar] [CrossRef]
- Alsaedi, A.; Moustafa, N.; Tari, Z.; Mahmood, A.; Anwar, A. TON-IoT Telemetry Dataset: A New Generation Dataset of IoT and IIoT for Data-Driven Intrusion Detection Systems. IEEE Access 2020, 8, 165130–165150. [Google Scholar] [CrossRef]
- Memos, V.A.; Psannis, K.E.; Lv, Z. A Secure Network Model Against Bot Attacks in Edge-Enabled Industrial Internet of Things. IEEE Trans. Ind. Inform. 2022, 18, 7998–8006. [Google Scholar] [CrossRef]
- Selvarajan, S.; Srivastava, G.; Khadidos, A.O.; Khadidos, A.O.; Baza, M.; Alshehri, A.; Lin, J.C.-W. An artificial intelligence lightweight blockchain security model for security and privacy in IIoT systems. J. Cloud Comput. 2023, 12, 38. [Google Scholar] [CrossRef] [PubMed]
- Taher, F.; Abdel-Salam, M.; Elhoseny, M.; El-Hasnony, I.M. Reliable Machine Learning Model for IIoT Botnet Detection. IEEE Access 2023, 11, 49319–49336. [Google Scholar] [CrossRef]
- Villegas-Ch, W.; Govea, J.; Gutierrez, R.; Mera-Navarrete, A. Optimizing Security in IoT Ecosystems Using Hybrid Artificial Intelligence and Blockchain Models: A Scalable and Efficient Approach for Threat Detection. IEEE Access 2025, 13, 16933–16958. [Google Scholar] [CrossRef]
- Jyothsna, B.; Jyothsna, V. Design of an Improved Model for DDoS Mitigation in SDN-IoT Using TGNN, QAOA, and the Federated Adversarial Learning Process. Eng. Technol. Appl. Sci. Res. 2025, 15, 29056–29061. [Google Scholar]
- Ali, S.; Li, Q.; Yousafzai, A. Blockchain and Federated Learning-Based Intrusion Detection Approaches for Edge-Enabled Industrial IoT Networks: A Survey. Ad Hoc Netw. 2024, 152, 103320. [Google Scholar] [CrossRef]
- Alotaibi, B. A Survey on Industrial Internet of Things Security: Requirements, Attacks, AI-Based Solutions, and Edge Computing Opportunities. Sensors 2023, 23, 7470. [Google Scholar] [CrossRef] [PubMed]
- Asharf, J.; Moustafa, N.; Khurshid, H.; Debie, E.; Haider, W.; Wahab, A. A Review of Intrusion Detection Systems Using Machine and Deep Learning in Internet of Things: Challenges, Solutions and Future Directions. Electronics 2020, 9, 1177. [Google Scholar] [CrossRef]
- Latif, S.; Driss, M.; Boulila, W.; Huma, Z.e.; Jamal, S.S.; Idrees, Z.; Ahmad, J. Deep Learning for the Industrial Internet of Things (IIoT): A Comprehensive Survey of Techniques, Implementation Frameworks, Potential Applications, and Future Directions. Sensors 2021, 21, 7518. [Google Scholar] [CrossRef] [PubMed]
- Nuaimi, M.; Fourati, L.C.; Hamed, B.B. Intelligent approaches toward intrusion detection systems for Industrial Internet of Things: A systematic comprehensive review. J. Netw. Comput. Appl. 2023, 215, 103637. [Google Scholar] [CrossRef]
- Ortega-Fernandez, I.; Liberati, F. A Review of Denial of Service Attack and Mitigation in the Smart Grid Using Reinforcement Learning. Energies 2023, 16, 635. [Google Scholar] [CrossRef]
- Shahin, M.; Maghanaki, M.; Hosseinzadeh, A.; Chen, F.F. Advancing Network Security in Industrial IoT: A Deep Dive into AI-Enabled Intrusion Detection Systems. Adv. Eng. Inform. 2024, 62, 102685. [Google Scholar] [CrossRef]
- Sharma, P.; Jain, S.; Gupta, S.; Chamola, V. Role of machine learning and deep learning in securing 5G-driven industrial IoT applications. Ad Hoc Netw. 2021, 123, 102685. [Google Scholar] [CrossRef]
- Urquhart, L.; McAuley, D. Avoiding the internet of insecure industrial things. Comput. Law Secur. Rev. 2018, 34, 450–466. [Google Scholar] [CrossRef]
- Zhukabayeva, T.; Buja, A.; Pacolli, M. Evaluating Security Mechanisms for Wireless Sensor Networks in IoT and IIoT. J. Robot. Control 2024, 5, 100371. [Google Scholar] [CrossRef]
- Wainwright, R.; Bagheri, M.; Salama, A.; Saatchi, R. Software-Defined Networking Security Detection Strategies and Their Limitations with a Focus on Distributed Denial-of-Service for Small to Medium-Sized Enterprises. Appl. Sci. 2025, 15, 12389. [Google Scholar] [CrossRef]
- Abdulrahman, N.F.; Singh, M.S.J. Deep learning approaches for DDoS attack detection in communication networks and iot: A comprehensive review. J. Kejuruter. 2025, 37, 323–333. [Google Scholar]
- Vadlamudi, S.; Viswa Bharathy, A.M. Systematic Study on AI-Enabled Defense Against DDoS Attacks in IoT. In Proceedings of the 2025 International Conference on Intelligent Systems and Computational Networks (ICISCN), Bidar, India, 24–25 January 2025; pp. 1–7. [Google Scholar] [CrossRef]
- Harshitha, R.; Naralasetti, N.; Kolipakula, P.K.; Guntamukkala, S.; Faisal, S.M. Systematic Analysis of ML Techniques for Identifying DDoS Attacks in SDN Environments. In Proceedings of the 2025 IEEE 6th India Council International Subsections Conference (INDISCON), Rourkela, India, 21–23 August 2025; pp. 1–9. [Google Scholar] [CrossRef]
- Hassan, M.M.; Huda, S.; Sharmeen, S.; Abawajy, J.; Fortino, G. An Adaptive Trust Boundary Protection for IIoT Networks Using Deep-Learning Feature-Extraction-Based Semisupervised Model. IEEE Trans. Ind. Inform. 2021, 17, 2860–2870. [Google Scholar] [CrossRef]
- Bagaa, M.; Taleb, T.; Bernabe, J.B.; Skarmeta, A. A Machine Learning Security Framework for Iot Systems. IEEE Access 2020, 8, 114066–114077. [Google Scholar] [CrossRef]
- Gavric, N.; Bhandari, G.P.; Shalaginov, A. Towards Resource-Efficient DDoS Detection in IoT: Leveraging Feature Engineering of System and Network Usage Metrics. J. Netw. Syst. Manag. 2024, 32, 69. [Google Scholar] [CrossRef]
- Lawal, M.A.; Shaikh, R.A.; Hassan, S.R. A DDoS Attack Mitigation Framework for IoT Networks using Fog Computing. Procedia Comput. Sci. 2021, 182, 13–20. [Google Scholar] [CrossRef]
- Dake, D.K.; Gadze, J.D.; Klogo, G.S. DDoS and Flash Event Detection in Higher Bandwidth SDN-IoT Using Multiagent Reinforcement Learning. In Proceedings of the 2021 International Conference on Computing, Computational Modelling and Applications (ICCMA), Brest, France, 14–16 July 2021; pp. 1–6. [Google Scholar] [CrossRef]
- Mishra, N.; Pandya, S. Internet of things applications, security challenges, attacks, intrusion detection, and future visions: A systematic review. IEEE Access 2021, 9, 59353–59377. [Google Scholar] [CrossRef]
- Abuhasel, K.A.; Khan, M.A. A Secure Industrial Internet of Things (IIoT) Framework for Resource Management in Smart Manufacturing. IEEE Trans. Ind. Inform. 2023, 19, 8241–8252. [Google Scholar] [CrossRef]
- Oesch, S.; Chaulagain, S.; Weber, J.; Sager, S.; Carter, D.; Agbe, N.; Poloskey, G.; Lindsley, B.; Nichols, J.; Huffer, K.; et al. Towards a High Fidelity Training Environment for Autonomous Cyber Defense Agents. In Proceedings of the 17th Cyber Security Experimentation and Test Workshop, Philadelphia, PA, USA, 13 August 2024; pp. 91–99. [Google Scholar] [CrossRef]
- Lopez-Martin, M.; Carro, B.; Sanchez-Esguevillas, A. Application of deep reinforcement learning to intrusion detection for supervised problems. Expert Syst. Appl. 2020, 141, 112963. [Google Scholar] [CrossRef]
- Lin, F.; Zhou, Y.; An, X.; You, I.; Choo, K.K.R. Fair Resource Allocation in an Intrusion-Detection System for Edge Computing: Ensuring the Security of Internet of Things Devices. IEEE Consum. Electron. Mag. 2018, 7, 45–50. [Google Scholar] [CrossRef]
- Oh, C.; Ha, J.; Roh, H. A Survey on TLS-Encrypted Malware Network Traffic Analysis Applicable to Security Operations Centers. Appl. Sci. 2021, 12, 155. [Google Scholar] [CrossRef]
- Kheddar, H.; Himeur, Y.; Awad, A.I. Deep transfer learning for intrusion detection in industrial control networks: A comprehensive review. J. Netw. Comput. Appl. 2023, 220, 103760. [Google Scholar] [CrossRef]
- Jain, R. WUSTL-IIOT-2018: ICS (SCADA) Cybersecurity Dataset; Washington University in St. Louis: St. Louis, MO, USA, 2018; Available online: https://www.cse.wustl.edu/~jain/iiot/index.html (accessed on 25 June 2026).
- Morris, T.; Gao, W. Industrial Control System Traffic Data Sets for Intrusion Detection Research. In Proceedings of the Critical Infrastructure Protection VIII; Butts, J., Shenoi, S., Eds.; IFIP Advances in Information and Communication Technology; Springer: Berlin/Heidelberg, Germany, 2014; Volume 441, pp. 65–78. [Google Scholar] [CrossRef]
- Canadian Institute for Cybersecurity. CICAPT-IIoT Dataset; University of New Brunswick: Fredericton, NB, Canada, 2024. [Google Scholar]
- Zhou, X.; Cheng, Z.; Wang, C.; Wang, S.; Tao, C.; Zhou, Z.; Chen, X.; Luo, J.; Wang, D.; Zhou, H. A dataset collected in real-world industrial control systems for network attack detection. Sci. Data 2026, 13, 399. [Google Scholar] [CrossRef] [PubMed]
- Liu, Y.; Tsang, K.F.; Wu, C.K.; Wei, Y.; Wang, H.; Zhu, H. IEEE P2668-Compliant Multi-Layer IoT-DDoS Defense System Using Deep Reinforcement Learning. IEEE Internet Things J. 2022, 9, 12456–12467. [Google Scholar] [CrossRef]
- Li, Y.; Zuo, Y.; Song, H.; Lv, Z. Deep Learning in Security of Internet of Things. IEEE Internet Things J. 2022, 9, 22133–22146. [Google Scholar] [CrossRef]
- Manaa, M.E.; Hussain, S.M.; Alasadi, S.A.; Al-Khamees, H.A.A. DDoS Attacks Detection Based on Machine Learning Algorithms in IoT Environments. Intel. Artif. 2024, 27, 152–165. [Google Scholar] [CrossRef]
- Song, W.; Li, X.; Afroz, S.; Garg, D.; Kuznetsov, D.; Yin, H. MAB-Malware: A Reinforcement Learning Framework for Attacking Static Malware Classifiers. arXiv 2021, arXiv:2003.03100. [Google Scholar] [CrossRef]
- Liu, J.; Wang, X.; Shen, S.; Yue, G.; Yu, S.; Li, M. A Bayesian Q-Learning Game for Dependable Task Offloading Against DDoS Attacks in Sensor Edge Cloud. IEEE Internet Things J. 2021, 8, 7546–7561. [Google Scholar] [CrossRef]
- Hamouda, D.; Ferrag, M.A.; Benhamida, N.; Seridi, H.; Ghanem, M.C. Revolutionizing intrusion detection in industrial IoT with distributed learning and deep generative techniques. Internet Things 2024, 26, 101149. [Google Scholar] [CrossRef]
- Zhang, T.; Feng, C.; Zhang, H.; Guo, S.; Lin, H.; Yu, S.R.; Wang, J. How to Mitigate DDoS Intelligently in SD-IoV: A Moving Target Defense Approach. IEEE Trans. Ind. Inform. 2023, 19, 1097–1106. [Google Scholar] [CrossRef]










| Inclusion Criteria | Exclusion Criteria |
|---|---|
| Peer-reviewed journal articles, conference proceedings, technical reports, and research articles published between 2018 and 2025. | Published before 2018. |
| Address the use of AI and ML techniques for the detection and mitigation of DDoS attacks in IIoT environments. | Do not discuss DDoS detection, DDoS mitigation, IIoT, IDS, or AI techniques. |
| Provide empirical results that demonstrate DDoS attack detection and mitigation in IIoT environments. | Lack empirical data and are solely theoretical without validation. |
| Discuss performance evaluation, including accuracy, precision, recall, F1-score, confusion matrix, execution time, and CPU usage. | No specific exclusion criteria applied for performance metrics. |
| Metric | Mathematical Description | Description |
|---|---|---|
| Accuracy | Measures the proportion of correctly identified flows (both malicious and benign) out of all flows. | |
| Precision | Measures the proportion of correctly identified malicious flows out of all predicted malicious flows. | |
| Recall | Measures the proportion of correctly predicted malicious flows out of all actual malicious flows. | |
| F1-score | The harmonic mean of precision and recall, providing a balanced evaluation. |
| Category | Papers by Year | Total |
|---|---|---|
| Conventional | 2018 (1), 2019 (2), 2020 (3), 2022 (3), 2023 (4), 2024 (1), 2025 (2) | 16 |
| BC-based | 2020 (1), 2021 (1), 2022 (1), 2023 (1), 2024 (1), 2025 (2) | 7 |
| ML-based | 2020 (1), 2023 (6), 2024 (3), 2025 (3) | 13 |
| DL-based | 2020 (2), 2021 (4), 2022 (4), 2023 (6), 2024 (15), 2025 (2) | 33 |
| Hybrid-based | 2020 (2), 2021 (2), 2022 (3), 2023 (2), 2024 (1), 2025 (3) | 13 |
| Total Overall | 82 |
| OSI Layer | Attack Class | Attack Type | Mechanism | IIoT Impact |
|---|---|---|---|---|
| Network (L3) | Volume-based | ICMP Flood, Spoofed-Packet Flood | Saturates bandwidth through high-volume traffic | Disrupts sensor-to-gateway communication; high severity |
| Transport (L4) | Protocol Exploitation | TCP SYN Flood, UDP Flood, Ping of Death, Smurf | Exploits stateful protocol handshakes to exhaust connection tables | Disables PLC and SCADA communication channels; critical severity |
| Transport (L4) | Amplification/Reflection | NTP Amplification, DNS Reflection | Exploits third-party servers to magnify traffic directed at the target | Overwhelms IIoT gateways with limited bandwidth; high severity |
| Application (L7) | Application Layer | HTTP GET/POST Flood, Modbus Flood, Slow HTTP | Mimics legitimate requests to exhaust application resources | Targets industrial web interfaces and control APIs; hard to detect; critical severity |
| Multi-layer | Low-rate/Stealthy | Slow-rate DDoS, Pulsing Attacks | Sends traffic below detection thresholds to gradually degrade service | Particularly dangerous in IIoT due to difficulty of detection against periodic traffic; high severity |
| Multi-layer | Zero-Day | Unknown protocol or application flaws | Exploits undisclosed vulnerabilities before patches are available | Circumvents all signature-based defences; critical severity in CNI |
| Approach | Zero-Day Eff. | Speed | Accuracy | Computational Cost | Dataset Size Req. | Scalability |
|---|---|---|---|---|---|---|
| Conventional | Moderate | Fast | Medium | Low to Medium | Small to Medium | Limited |
| BC-based | Low to Mod. | Moderate | High | Medium | Medium | High |
| ML-based | High | Fast | High | Medium | Large | Mod. to High |
| DL-based | Very High | Moderate | Very High | High | Very Large | High |
| Hybrid | High | Fast | Very High | Med. to High | Large | High |
| Category | Detection Paradigm | Learning Type | Deployment Tier | IIoT Suitability | Zero-Day Capability | Example Refs |
|---|---|---|---|---|---|---|
| Conventional | Rule-based/Anomaly | Non-learning | Edge/Fog | Moderate (low overhead) | Low | [33,35,36] |
| BC-based | Trust/Consensus | Non-learning | Fog/Cloud | Limited (high overhead) | Low | [37,38,39] |
| ML-based | Classification/Clustering | Supervised/Unsupervised | Edge/Fog/Cloud | High (lightweight models available) | Moderate | [3,40,41,42] |
| DL-based | Deep Feature Extraction | Supervised/RL/FL | Fog/Cloud | Moderate (high compute cost) | High | [17,43,44,45] |
| Hybrid | Multi-paradigm Fusion | Combined | Edge/Fog/Cloud | High (balanced trade-off) | High | [46,47,48,49] |
| Ref | Year | Approach | Product/System | Achievement | Limitations | Dataset/Testbed |
|---|---|---|---|---|---|---|
| [35] | 2020 | Game theory-based PHS | SDN-enabled defence system for IIoT | Lower energy consumption, effective DDoS defence | Reduced detection rate due to AHA | 12 servers, 10 honeypots (4 regular, 6 pseudo) |
| [36] | 2018 | Multi-level SDN-based framework with edge/fog/cloud computing | DDoS mitigation framework for IIoT security | Fast response time, multi-level protection | Challenges with large data processing | Mininet VM with OpenFlow switches |
| [9] | 2021 | D-ConCReCT: Distributed congestion control by duty-cycle restriction | DoS attack detection and mitigation system for IIoT | Effective in 500-node networks; faster detection than centralised approach | Variable DDoS mitigation effectiveness; needs traffic segmentation optimisation | Simulated data |
| [16] | 2023 | Cryptographic three-factor authentication scheme | User access control mechanism for SDN-enabled IIoT/CPS | Supports mutual authenticity and anonymity | Additional authentication burden on controller nodes | Smart devices and controller nodes |
| [50] | 2023 | Graph-based (DAG, DFS, Floyd–Warshall) | Graph-based vulnerability and risk assessment framework | Fast attack path detection and improved running time | Manual computation needed; limited to hop length | Transportation sector case study with CVEs |
| [33] | 2024 | Rule-based detection | Industrial cyber prevention gate | Detection with small traffic volume | Needs further stability testing in real-world scenarios | IndusCAP-Gate (Industrial Cyber Attack Prevention-Gate) |
| [51] | 2020 | Defence-in-depth with redundancy | End-to-end security framework for Industry 4.0 | Multi-layer security, network segmentation | Middleboxes require full data access; continuous decryption/re-encryption | No quantitative data |
| [52] | 2022 | CONFIT consensus-based clustering | Data dissemination control system for dense IIoT | Rapid identification and isolation of malicious networks | Requires full network knowledge for testing | Gas pressure sensor data from UCI ML repository |
| [31] | 2023 | Fog computing-based DDoS detection | Large-scale DDoS detection system for IoT | Early detection and fast response | Experimental demonstration only | Not mentioned |
| [57] | 2024 | Minimax game-theoretic with SDN | DDoS mitigation for IIoT DetNet networks | Dynamic resource allocation; 54% reduction in attack impact | Limited to latency attacks | Synthetic data using stochastic probability distribution |
| [53] | 2022 | Token-based authentication with TLS encryption | SCADA energy management system security | Prevents DDoS, MitM, and replay attacks | Processing time 1.7× longer than without encryption | Synthetic data from Smart Green Energy Science City, Taiwan |
| [54] | 2019 | Cloud-fog-mist-device framework with three-layer security | Edge intelligent IIoT data security system | Decentralised computation; location awareness | Heavy reliance on fog nodes | IIoT device data for fog node storage |
| [56] | 2019 | Three-level fog architecture for IIoT security | DDoS mitigation system for IIoT environments | Fast detection through cloud server coordination | Longer detection at local fog level | Metro railway control system testbed |
| [58] | 2025 | SDN-based framework using Mininet, POX, and Snort IDS | Real-time DDoS detection and honeypot-based mitigation | 100% redirection accuracy; low latency (1–2 s); automatic flow rule updates | Complex real-time synchronisation; prototype tested on small-scale virtual topology only | Mininet simulation with SYN flood, ICMP, and UDP attacks |
| [59] | 2025 | FP-Growth signature extraction and Jaccard similarity | Detection of unknown DoS/DDoS variants in IIoT | Efficient signature extraction; up to 94.87% accuracy on real-time data | Assumes correlation with known patterns; limited to high-volume attacks; ineffective for low-rate DDoS | RTNITP24 and CICIDS2017 |
| Ref | Year | Approach | Product/System | Achievement | Limitations | Dataset/Testbed |
|---|---|---|---|---|---|---|
| [37] | 2023 | BC-based SDN with cloud | DistB-SDCloud architecture for IIoT security | Low latency | Needs validation in diverse implementation scenarios | Testbed with MiniNet and OpenFlow |
| [38] | 2021 | BC-based framework for IIoT security | IIoT security management and tracking system | DDoS attack resistance, automated data validation | Computational complexity, costly | Testbed (500 m × 500 m IIoT environments) |
| [39] | 2023 | Hybrid off-chain and on-chain BC authentication | Authentication protocol for multi-domain IIoT systems | Reduced overhead | Requires BC implementation and domain server | OpenSSL cryptographic implementation tests |
| [60] | 2022 | BC-based certificateless signature using Schnorr mechanism | Security protocol for IIoT devices | Protection against device capture and replay attacks | Lightweight optimisation still needed | MIRACLE library |
| [61] | 2020 | Permissioned BC | IIoT security framework | Enhanced DDoS detection | DDoS attack success rate not quantified | Practical Byzantine Fault Tolerance (PBFT) consensus algorithm |
| [62] | 2025 | Blockchain-powered collaborative defence with NFT/crypto incentives | Decentralised threat intelligence sharing for DDoS | Incentivised collaboration; immutable IP storage; blocks 5000 IPs within 100 ms | Latency in blockchain data insertion; dependence on partner sharing quality; lacks cross-chain interoperability | Ethereum blockchain and API-based collaboration testbed |
| [63] | 2025 | SecureShare: Digital twin, SDN, NFV, and blockchain hybrid | Cross-domain DDoS mitigation for smart consumer networks | Fair resource-sharing via fuzzy logic; reputation-based decentralised trust; tested on Sepolia and Azure Digital Twins | Scalability with frequent on-chain operations; synchronisation dependency on digital twin accuracy | Sepolia (Ethereum) testnet and Microsoft Azure Digital Twins |
| Ref | Year | Approach | Product/System | Achievement | Limitations | Testbed/Dataset |
|---|---|---|---|---|---|---|
| [3] | 2023 | ML combining supervised learning and RL | DDoS attack detection for IoT | Early detection of stealthy DDoS; resource utilisation | Limited testbed scale and device types | N-BaIoT |
| [40] | 2024 | Random forest and naive Bayes | DDoS detection for IIoT | Random forest achieved 100% accuracy across tests | Small dataset size limiting tree generation | Edge-IIoTset |
| [64] | 2023 | Random forest, PCC, isolation forest ensemble | IDS | Handles imbalanced data | Limited dataset validation | Bot-IoT, NF-UNSW-NB15-v2 |
| [65] | 2023 | RL with sliding principal component | Attack detection (incl. DDoS) for IIoT | Reduced memory usage | High maintenance cost, scalability limitations, complex protocols | TON_IoT |
| [74] | 2022 | ML-based threat detection (DT, RF, GB) | Lightweight IDS for IIoT edge | High accuracy, multiple security implementations | Cannot be directly implemented on edge nodes | MQTTset |
| [66] | 2023 | ML-based security testbed (SVM, DT, RF) | Security testbed generating ForgeIIOT dataset | High accuracy | Needs to address emerging IIoT threats | ForgeIIOT |
| [41] | 2023 | XGBoost and hard voting ensemble (SVM, DT, NB) | DDoS detection for Edge-IIoT | High detection across various attacks using XGBoost | Zero-day attacks not addressed | Edge-IIoT |
| [42] | 2020 | Lightweight Random Neural Network | IIoT cyber-attack detection | Lightweight for resource-constrained IIoT | Complexity and scalability issues | DS2OS |
| [67] | 2023 | ML (DT, RF, GB) | Lightweight IDS for IIoT edge | High accuracy | Cannot be directly implemented on edge nodes | MQTTset |
| [68] | 2023 | Six ML algorithms | DDoS detection using Weka | Faster computation | Offline analysis only | CIC-IDS2017 |
| [70] | 2024 | Federated learning-based ANN with information fusion | Cloud-based security framework for IIoT | Cloud-based global security auditor | Evaluation limited to specific hardware configuration | ToN-IoT and CICDDOS |
| [69] | 2023 | Six ML algorithms (OneR, NB, SVM, KNN, RF, AdaBoost) | SCADA energy management security with token verification | Distinguishes natural, malevolent, and non-malicious disruptions | High memory needs, system delays | Testbed (1221 natural, 3711 attack, 294 no-event samples) |
| [71] | 2025 | XGBoost and random forest with customised SDN datasets | Application-layer DDoS detection in SDN | 99.99% accuracy; compares CICFlowMeter vs. NTLFlowLyzer tools | Limited to HTTP floods; no volumetric or zero-day tests; lacks public dataset benchmarks | Custom SDN datasets |
| [72] | 2025 | Hybrid feature selection (chi-squared + RFE) and XGBoost | Optimised DDoS detection for IoT networks | 99.95% accuracy with only 10 features; high computational efficiency | Performance plateaued at 10 features; not validated in SDN-based IoT settings | CICIoT2023 |
| [73] | 2025 | HSF: Hybrid SVM-RF for dual-plane monitoring | Real-time dual-plane DDoS detection in SDN | 99.2% accuracy; very low FPR (0.019%); low latency (7–12 ms) | Scalability in massive SDN deployments needs optimisation; vulnerable to adversarial poisoning | Custom SDN-DDoS dataset and NSL-KDD |
| Ref | Year | Approach | Product/System | Achievement | Limitations | Dataset/Testbed |
|---|---|---|---|---|---|---|
| [43] | 2020 | LSTM and CNN | Edge-centric DDoS defence system | Immediate detection, resource efficiency | Edge server dependent, needs continuous filter updates | CICDDoS |
| [86] | 2022 | DL with DNN, GRU | Edge-IIoTset dataset | Comprehensive dataset for IoT/IIoT | Primarily centralised validation | Edge-IIoTset |
| [17] | 2023 | Federated learning with CNN-MLP | DDoS classification system | Privacy-preserving | Limited to three DDoS attack types | CICDDoS2019 |
| [76] | 2022 | Deep federated learning with CNN-MLP and PCC | DDoS classification for SDN-IIoT | Privacy-preserving, low-complexity | Overhead due to parameter transfer | CICDDoS2019 |
| [10] | 2024 | DL with hierarchical clustering and feature selection | IIoT IDS | Improved accuracy, reduced information loss | Only tested on public datasets | NSL-KDD, CICIDS2017 |
| [22] | 2022 | DRL with LightGBM | IIoT IDS | Fast convergence, automatic information mining | Centralised architecture limitations | Natural gas pipeline data (U.S. Energy Dept) |
| [4] | 2021 | DDPG-based learning | IDS for Green IoT | Lightweight, suitable for resource-constrained devices | Struggles with significant traffic fluctuations | CICDDoS2019 |
| [89] | 2023 | FL with GRU and CFO-based radio fingerprinting | Hawk distributed anomaly detection for LoRa IIoT | Privacy-preserving, low computational complexity | Limited to specific hardware-based attacks | Real-world data from 60 LoRa devices |
| [12] | 2023 | FL with CNN and RNN | IIoT IDS | Privacy-preserving, decentralised learning | No FL-specific dataset | Edge-IIoTset |
| [44] | 2021 | Local GRU and multi-head self-attention | DL-based IDS | Overcomes RNN and attention limitations | Requires distributed fog infrastructure | UNSW-NB15 |
| [30] | 2024 | RNN and LSTM | Low-rate DDoS attack detection | Detects low-rate attacks in SDN-IoT | May miss stealthy attacks; dataset dependence | Not clear |
| [90] | 2024 | CSAE, ABILTSM, softmax with private BC | IIoT security framework | Improved detection of DDoS and other threats | Potential BC vulnerabilities | ToN-IoT, Edge-IIoT |
| [77] | 2021 | Two DNNs with PCC | DDoS detection in 5G/B5G | Detects 10 DDoS attack types | Computational overhead and latency | CICDDoS2019 |
| [78] | 2020 | Distributed RL and GAN | Anomaly detection for IIoT | Minimal false alarms, improved accuracy | High computational overhead for training | DS2OS |
| [45] | 2023 | LSTM and DNN | Botnet detection in IIoT | High accuracy, zero-day detection | Lacks heterogeneity consideration | Not specified |
| [91] | 2023 | LSTM with BC and garlic routing | Secure data sharing for IIoT beyond 5G | Improves compromise rate and scalability | Needs real-time attack evaluation | X-IIoTID |
| [79] | 2024 | NN-based expert system | IIoT attack detection for PLCs | Real-time detection, low latency, high accuracy | Limited dataset and environment | Custom testbed with PLCs |
| [92] | 2024 | GRU-assisted federated deep recurrent RL | IDS for IIoT | High accuracy, handles non-IID data | Energy consumption higher than similar approaches | TON_IoT, Edge_IIoT, X-IIoTID |
| [81] | 2024 | CNN and GRU (AttackNet) | IIoT botnet detection | Advanced feature extraction | Costly due to data volume and complexity | N_BaIoT |
| [82] | 2023 | GRU, CNN, LSTM, DNN | DDoS classification for IIoS | Real-time optimisation | Weak against low-rate DDoS attacks | CIC-DDoS2019 |
| [83] | 2022 | DL-assisted software-defined security for 6G | Security architecture for OT-IT integration | Automated security orchestration | Scalability issues | Multiple (IoT Sentinel, AWID3, etc.) |
| [84] | 2023 | RMC-CNN with multi-scale grasshopper | Anomaly detection for IIoT | Secured data transmission, improved throughput | Needs resource-constrained optimisation | Testbed (power, loop, land sensor data) |
| [7] | 2024 | DQN, DDQN, D3QN, REINFORCE, A2C, PPO | NIDS for ICS/OT | Real-time adaptation | Requires adaptation for prerecorded dataset | Combined SNL-IA State OT dataset |
| [85] | 2021 | BERT-based DL for APT detection | APT detection for IIoT infrastructure | High detection accuracy | Word vector limitations may cause misjudgment | Private power grid data |
| [87] | 2025 | Hybrid CNN, LSTM, and autoencoder | DDoS detection in IoT networks | Multi-architectural synergy; captures spatial and temporal dependencies; | Poor performance on rare attack types; sensitive to data noise and class imbalance | CICIOT2023 |
| [88] | 2025 | Lightweight TCN optimised with TFLite and INT8 quantisation | DDoS detection for resource-constrained edge devices | 99.95% accuracy; ultra-low latency (0.19 ms); minimal model size (89.1 KB) | Evaluation limited to Raspberry Pi 4; lacks testing on multi-class and adversarial threats | UL-ECE-MQTT/UDP-DDoS-H-IoT2025 on Raspberry Pi 4 |
| Ref | Year | Approach | Product/System | Achievement | Limitations | Testbed/Dataset |
|---|---|---|---|---|---|---|
| [46] | 2024 | Genetic algorithm and DL | IIoT cyber-attack detection model | Improved processing time and classification | Dataset dependency, scalability, computational overhead | UNSW-NB |
| [93] | 2020 | Supervised learning and DL | IoT/IIoT IDS | Heterogeneous network traffic incorporation | Limited to specific sensors and attacks | ToN-IoT |
| [47] | 2023 | LSTM with BC | IDS for data security in IIoT | Reduced computational overhead | High infrastructure requirement | X-IIoTID |
| [94] | 2022 | VHN, cloud computing, and DL/ML | Secure network model for edge-enabled IIoT | Known/unknown bot detection | Clarity of algorithms and real-world comparison needed | TrickBot, PersiraiBot, MoziBot, LuaBot, MiraiBot, 0-day variant |
| [48] | 2022 | BC and ML | IIoT sensor access control system | Multiple proactive defence layers | Computational complexity from layered structure | TON-IoT |
| [49] | 2022 | BC-enabled digital twin with DL | Botnet detection for IIoT | Early detection, secure data sync, packet inspection | Needs better IP tracing for command and control servers | Bot-IoT |
| [95] | 2023 | AILBSM (BC, COSNN, LCPoW) | Security framework for IIoT-based ICS | Two-level privacy preservation | Overfitting issues | NSL-KDD, BoT-IoT, CICIDS2017, UNSW-NB15, DS2OS |
| [96] | 2023 | FGOA-kNN feature selection, IHHO-optimised NN | IIoT botnet detection | Efficient minimisation of unnecessary features | Classification algorithms need enhancement | N-BaIoT |
| [97] | 2025 | Hybrid blockchain and deep learning architecture | Scalable security for heterogeneous IoT (5G, LoRa, Wi-Fi) | 95.2% precision for spoofing; 15 ms latency; energy-efficient for 1000+ devices | Complexity in dynamic scenarios; requires optimisation for massive scale | UNSW-NB15 |
| [98] | 2025 | Hybrid TGNN, QAOA, and Federated Adversarial Learning | Real-time DDoS mitigation for SDN-IoT | 97.2% accuracy; 22% improvement in stealthy attack detection; 35.13 ms latency | High architectural complexity; potentially heavy for ultra-constrained devices | Mendeley-DDoS, SDN-IoT-CustomSet, IoT-EdgeTrafficSet |
| Ref | Year | Focus | Strength | Limitations |
|---|---|---|---|---|
| [18] | 2024 | Comprehensive RL/DRL IDS review | Comprehensive coverage of RL/DRL in IDSs | Focuses primarily on communication networks |
| [1] | 2023 | DDoS attacks and defence in IIoT | In-depth coverage of IIoT architecture layers | No experimental validation |
| [99] | 2024 | Hybrid (BC, FL, ML, DL) IDS analysis | Various BC- and FL-based IDSs explored | DDoS attacks not explicitly discussed |
| [100] | 2023 | IDS challenges in IIoT | Wide range of coverage | Lack of in-depth exploration, including AI use |
| [101] | 2020 | IDS security vulnerabilities in IoT | Well-structured, clear section breakdown | Limited quantitative comparison |
| [102] | 2021 | DL techniques for IIoT | Implementation framework | Only DL-focused |
| [32] | 2023 | IIoT security across IT/OT integration | Multi-domain security coverage | IoT-centric solutions for IIoT systems |
| [103] | 2023 | ML-based IDS analysis | Structured methodology | No technical solution proposal |
| [104] | 2023 | DDoS mitigation using RL | Comprehensive review of smart grid security with DRL | Lacks practical implementation challenges |
| [105] | 2024 | AI-based IDS for IoT | Comprehensive testing across multiple devices | Physical limitations of IoT (power, budget, size) |
| [106] | 2021 | 5G-enabled IoT security using ML/DL | Comprehensive coverage across security taxonomy | No clear future directions |
| [107] | 2018 | Security vulnerabilities in IIoT transition | Comprehensive analysis using energy sector example | Conceptual analysis lacking practical validation |
| [108] | 2024 | WSN security in IoT/IIoT (sinkhole attacks) | Mixed methods (quantitative and qualitative) | Gap in direct attack identification |
| [109] | 2025 | SDN-based DDoS detection and mitigation for SMEs | Identifies lightweight vs. hybrid DL trends; proposes edge-based closed-loop framework | Reliance on simulated environments and curated datasets; lacks integrated detection–mitigation benchmarks and XAI |
| [110] | 2025 | Review of DL architectures for DDoS detection in IoT and communication networks | Systematic categorisation of CNN, LSTM, RNN; identifies DL superiority over traditional methods | Qualitative focus lacks quantitative meta-analysis; ignores IIoT real-time constraints |
| [111] | 2025 | Systematic review of AI-enabled DDoS defence in IoT | Comparative analysis of 15 ML/DL models; identifies high accuracy of ensemble methods (>99%) | Focuses on accuracy over latency and overhead; lacks discussion on adversarial robustness |
| [112] | 2025 | Systematic analysis of ML/DL for DDoS detection in SDN environments | Traces detection evolution from threshold-based to spatial-aware CNNs; categorises 10+ algorithms | Literature limited to 2018–2022; lacks focus on IIoT-specific protocols and real-time determinism |
| Challenge | Brief Description | Status | Details |
|---|---|---|---|
| Resource Constraints | Computational and physical limitations of IIoT devices | Partially addressed | Resource-efficient AI models still in development; real-time updates and threat analysis remain challenging |
| Detection Accuracy Challenges | Difficulty achieving high accuracy due to data quality issues | Unaddressed | Class imbalance and noise lead to false positives/false negatives; heterogeneous network environments make model generalisation difficult |
| Dataset Standardisation | Lack of comprehensive, real-world datasets | Unaddressed | Existing datasets outdated or artificially generated; absence of standardised benchmarks hinders validation |
Disclaimer/Publisher’s Note: The statements, opinions and data contained in all publications are solely those of the individual author(s) and contributor(s) and not of MDPI and/or the editor(s). MDPI and/or the editor(s) disclaim responsibility for any injury to people or property resulting from any ideas, methods, instructions or products referred to in the content. |
© 2026 by the authors. Licensee MDPI, Basel, Switzerland. This article is an open access article distributed under the terms and conditions of the Creative Commons Attribution (CC BY) license.
Share and Cite
Alemayehu, M.; Ghanem, M.C.; Kheddar, H.; Dunsin, D.; Lacerda, M.J. Systematic Analysis on the Use of AI Techniques in Industrial IoT DDoS Attack Detection, Mitigation, and Prevention. IoT 2026, 7, 51. https://doi.org/10.3390/iot7030051
Alemayehu M, Ghanem MC, Kheddar H, Dunsin D, Lacerda MJ. Systematic Analysis on the Use of AI Techniques in Industrial IoT DDoS Attack Detection, Mitigation, and Prevention. IoT. 2026; 7(3):51. https://doi.org/10.3390/iot7030051
Chicago/Turabian StyleAlemayehu, Mikiyas, Mohamed Chahine Ghanem, Hamza Kheddar, Dipo Dunsin, and Marcio J. Lacerda. 2026. "Systematic Analysis on the Use of AI Techniques in Industrial IoT DDoS Attack Detection, Mitigation, and Prevention" IoT 7, no. 3: 51. https://doi.org/10.3390/iot7030051
APA StyleAlemayehu, M., Ghanem, M. C., Kheddar, H., Dunsin, D., & Lacerda, M. J. (2026). Systematic Analysis on the Use of AI Techniques in Industrial IoT DDoS Attack Detection, Mitigation, and Prevention. IoT, 7(3), 51. https://doi.org/10.3390/iot7030051

