Information Sciences 626 (2023) 315–338

Contents lists available at ScienceDirect

Information Sciences
journal homepage: www.elsevier.com/locate/ins

Fuzzy logic-based DDoS attacks and network traffic anomaly

detection methods: Classification, overview, and future
perspectives
Danial Javaheri a, Saeid Gorgin a, Jeong-A Lee a,⇑, Mohammad Masdari b,⇑
a
Department of Computer Engineering, Chosun University, Gwangju 61452, Republic of Korea
b
Department of Computer Engineering, Urmia Branch, Islamic Azad University, Urmia, Iran

a r t i c l e i n f o a b s t r a c t

Article history: Nowadays, cybersecurity challenges and their ever-growing complexity are the main con-
Received 3 April 2022 cerns for various information technology-driven organizations and companies. Although
Received in revised form 8 January 2023 several intrusion detection systems have been introduced in an attempt to deal with
Accepted 10 January 2023
zero-day cybersecurity attacks, computer systems are still highly vulnerable to various
Available online 13 January 2023
types of distributed denial of service (DDoS) attacks. This complicated cyber-attack caused
many system failures and service disruptions, resulting in billions of dollars of financial loss
Keywords:
and irrecoverable reputation damage in recent years. Considering the nonnegligible impor-
Anomaly detection
Fuzzy logic
tance of business continuity in the Industry 4.0 era, this paper presents a comprehensive,
Cyber-attacks systematic survey of DDoS attacks. It also proposes a hierarchy for this severe cyber threat,
Denial of service besides conducting deep comparisons from various perspectives between the studies pub-
Network security lished by reputed venues in this area. Furthermore, this paper recommends the most effec-
Business sustainability tive defensive strategies, with a focus on recently offered fuzzy-based detection methods, to
mitigate such threats and bridge the gaps existing in the current intrusion detection sys-
tems and related works. The outcomes and key findings of this survey paper are highly
advantageous for private companies, enterprises, and government agencies to be imple-
mented in their local or global businesses to significantly improve business sustainability.
Ó 2023 Elsevier Inc. All rights reserved.

1. Introduction

Over recent years, cyber threats and malicious attacks have increased drastically against numerous domains, ranging
from IT companies to finance, energy, and health sectors [1]. Computer networks and systems are susceptible to a variety
of reported and undiscovered anomalies, including DDoS attacks. Despite the fact that security solutions like encryption
algorithms, authentication procedures, firewalls, and honeypots can reduce security threats to a certain extent, computer
networks continue to be plagued by numerous harmful activities [2]. Intrusion detection systems (IDS) are intriguing instru-
ments aiming to locate and identify cyber-attacks. Multiple strategies have been investigated by the research community to
improve the accuracy and performance of intrusion detection systems. Depending on their characteristics, intrusion detec-

⇑ Corresponding authors.
E-mail addresses: [email protected] (D. Javaheri), [email protected] (S. Gorgin), [email protected] (J.-A. Lee), [email protected]
(M. Masdari).

https://doi.org/10.1016/j.ins.2023.01.067
0020-0255/Ó 2023 Elsevier Inc. All rights reserved.
D. Javaheri, S. Gorgin, Jeong-A Lee et al. Information Sciences 626 (2023) 315–338

tion systems can be classified as signature-based, anomaly-based, and hybrid approaches. The signature-based detection
methods are able to scan unique sequences among network traffic related to a certain attack and precisely identify that
attack [3]. Nonetheless, as a disadvantage, they cannot recognize zero-day attacks and attacks with different signatures since
they have not learned their behavioral or structural patterns. As a result, signature-based detection schemes need an accu-
rate and up-to-date database containing all known attacks, making maintenance very complicated and cumbersome. The
other type of intrusion detection system is based on anomaly detection, which relies on the profile of typical actions and
detects any deviation as a potential intrusion. However, the threshold between normal and abnormal activities may not
be well-defined in establishing the essential profiles for normal behaviors. As a result, even a little change in the monitored
traffic may be misidentified as an attack, increasing the rate of false-positive alarms. Hybrid approaches can benefit from the
privileges of both categories of intrusion detection systems; however, they are difficult to be implemented and synchronize.
Consequently, the imprecise and uncertain nature of today’s security attacks makes it much harder to detect and recog-
nize them correctly. To deal with the before-mentioned challenges, fuzzy anomaly detection frameworks have recently been
introduced to incorporate different fuzzy techniques in various operations steps in order to detect cyber-attacks more accu-
rately when the data is inaccurate and uncertain. The methodologies for anomaly detection can be categorized as host-based
or network-based schemes. This article focuses on the fuzzy approaches from the latter category. In the following, Fig. 1 illus-
trates different types of intrusion detection systems where the classes studied in this survey paper were highlighted.
As shown in Fig. 1, fuzzy schemes for network-based anomaly detection are classified into supervised, unsupervised, and
semi-supervised learning. According to the results of running queries on the academic libraries, several fuzzy logic-based
solutions have been presented in the literature, aiming to deal with DDoS attacks and other anomalies in computer net-
works. However, there is a significant lack of comprehensive surveys to study and discuss these schemes, as well as demon-
strate their advantages, disadvantages, and shortcomings. To bridge this gap, we present a comprehensive study on the fuzzy
DDoS anomaly detection approaches introduced in recent years by reputable venues. At first, the details and properties of
our systematic survey are presented, and then, we cover the background concepts and knowledge in the anomaly detection
domain to identify DDoS attacks. This study explores different types of DDoS attacks and various properties of anomaly-
based IDS schemes. Afterward, we classify the investigated schemes based on the applied fuzzy algorithms and methods.
The main contribution, details, and properties, such as applied datasets, evaluation metrics, fuzzy membership functions,
and, most importantly, their limitations, are indicated. Besides, a comparative comparison between these schemes from var-
ious perspectives is presented. This comparison includes the name and rates of fuzzy algorithms, evaluation metrics, datasets
used in the literature, etc. Eventually, the main challenges and future research directions in the contexts of fuzzy DDoS and
anomaly detection are highlighted.

2. Research method

This section demonstrates the systematic research method applied to conduct this survey, including the steps and library
addresses. A systematic process containing four steps was used to search and find the fuzzy-based intrusion detection meth-
ods proposed in the literature. Fig. 2 shows the steps of this systematic review. In addition, the list and addresses of scientific
libraries used in this survey to run queries are reported in Table 1.
To search and retrieve published review papers related to the topic of this survey, the following search terms have been
applied.

Survey Network Intrusion Detection

Review Network Intrusion Detection

Study Network Intrusion Detection

Overview Network Intrusion Detection

Fig. 1. Intrusion detection system categories and the classes studied in this paper.

316
D. Javaheri, S. Gorgin, Jeong-A Lee et al. Information Sciences 626 (2023) 315–338

Fig. 2. The systematic review and steps taken in this survey.

Table 1
The name and address of libraries used in this survey.

# LibrarName Library Address

1 IEEE explorer ieeexplore.ieee.org
2 ScienceDirect https://www.sciencedirect.com
3 Wiley https://www.wiley.com/en-us
4 Springer https://www.springer.com
5 Hindawi https://www.hindawi.com
6 Inderscience https://www.inderscience.com
7 Google Scholar scholar.google.com
8 OXFORD academic academic.oup.com
9 Emerald https://www.emeraldinsight.com
10 Sage journals.sagepub.com
11 ACM https://www.acm.org
12 MDPI https://www.mdpi.com
13 PLOS journals.plos.org

Survey Network Anomaly Intrusion Detection

Review Network Anomaly Intrusion Detection

Study Anomaly Intrusion Detection

Overview Anomaly Intrusion Detection

Several related works were found using the above-mentioned research queries. Table 2 indicates and categorizes these
related woks, in addition to the limitations for each related work.
As shown in Table 2, some related works focused on the topics like deep learning, machine learning, ensemble learning,
etc. In contrast, others addressed specific environments like mobile ad hoc networks, sensor networks, cloud computing, and
software-defined network (SDN). SDN is a new approach to networking that, unlike conventional networks, applies

Table 2
The current related surveys.

Item Ref. Main Topic Limitations

1 [3] Misuse detection This survey only discusses the fuzzy misuse detection schemes
2 [4] Intrusion detection This survey only studies the schemes provided for wireless ad hoc networks
3 [5] This survey only studies the intrusion detection methods in SDN
4 [6] This survey only studies the intrusion detection approaches in data-driven SDN
5 [7] This survey only studies the network-based intrusion detection approaches
6 [8] Anomaly detection This survey only studies the anomaly detection approaches in SDNs
7 [9] This survey only studies the deep learning-based anomaly detection schemes
8 [10] This survey has only studied DDoS detection method regarding IoT devices

317
D. Javaheri, S. Gorgin, Jeong-A Lee et al. Information Sciences 626 (2023) 315–338

software-based controllers to manage the data traffic on the network hardware equipment. SDN has emerged as a revolu-
tionary technology in computer networks, and its architecture consists of three layers, including the infrastructure layer,
control layer, and application layer. Generally, SDN attempts to decouple the data routing capabilities of computer networks
from network control. Using this method, the underlying network infrastructure will be abstracted from the upper layers,
enabling the computer network’s control to be programmable. In recent years, SDN has been introduced to be one of the
effective solutions in the detection of networks-based attacks [6]. Some surveys have also focused on network intrusion
detections, and some others have addressed host-based intrusion detections. However, none of them has covered the detec-
tion of DDoS attacks and various anomalies using fuzzy logic-based techniques. Hence, our survey is the first attempt to pro-
vide a comprehensive study, discussion, and comparison of papers focused on employing fuzzy logic to detect anomalies of
DDoS attacks. The following search terms and strings were used to find literature reviews on fuzzy logic-based network
anomaly detection:

Survey Fuzzy Anomaly Detection

Overview Fuzzy Anomaly Detection

Review Fuzzy Anomaly Detection

Study Comparative Fuzzy Anomaly Detection

Survey Fuzzy DDoS Detection

Overview Fuzzy DDoS Detection

Review Fuzzy DDoS Detection

Comparative Study Fuzzy DDoS Detection

As mentioned, no survey article has been found related to fuzzy logic and network anomaly detection context using the
above-mentioned terms up to this date. To search and find the new fuzzy techniques used for anomaly detection approaches,
we used the following search strings:

C-Means Anomaly Detection Fuzzy

Clustering Anomaly Detection Fuzzy

K-Medoids Anomaly Detection Fuzzy

K-Means Anomaly Detection Fuzzy

ANFIS Anomaly Detection Fuzzy

Fuzzy Adaptive Network FIS Anomaly Detection

KNN Anomaly Detection Fuzzy

Neural Network Anomaly Detection Fuzzy

Rule Interpolation Anomaly Detection Fuzzy

Inference System Anomaly Detection Fuzzy

Rule Generation Anomaly Detection Fuzzy

PCA Anomaly Detection Fuzzy

Principal Component Analysis Fuzzy

Intuitionistic Fuzzy Set Anomaly Detection

Bayesian Anomaly Detection Fuzzy

Rough Set Anomaly Detection Fuzzy

SVM Anomaly Detection Fuzzy

DDoS attacks Anomaly Detection Fuzzy

Distributed Denial-of-Service attacks Fuzzy

Security Attacks Anomaly Detection Fuzzy

Moreover, to include the fuzzy techniques used for detecting DDoS attacks, the following search queries were used on
each scientific library:

C-Means DDOS Detection Fuzzy

Clustering DDOS Detection Fuzzy

K-Medoids DDOS Detection Fuzzy

K-Means DDOS Detection Fuzzy

ANFIS DDOS Detection Fuzzy

Fuzzy Adaptive Network FIS DDOS Detection

KNN DDOS Detection Fuzzy

Neural Network DDOS Detection Fuzzy

Rule Interpolation DDOS Detection Fuzzy

Inference System DDOS Detection Fuzzy

318
D. Javaheri, S. Gorgin, Jeong-A Lee et al. Information Sciences 626 (2023) 315–338

Rule Generation DDOS Detection Fuzzy

PCA DDOS Detection Fuzzy

Principal Component Analysis Fuzzy

Intuitionistic Fuzzy Set DDOS Detection

Bayesian DDOS Detection Fuzzy

Rough Set DDOS Detection Fuzzy

SVM DDOS Detection Fuzzy

DDoS Attacks DDOS Detection Fuzzy

Distributed Denial-of-Service Attacks Fuzzy

Security Attacks DDOS Detection Fuzzy

Running these search terms resulted in retrieving many articles. To focus on the most recent and important studies, the
query output has been refined to include papers published in recent four years. Also, we have merely investigated the papers
primarily dedicated to the security and intrusion detection contexts and dealt with challenges in these domains. In this pro-
cess, the articles that focused on anomaly detection in a context rather than security were removed and excluded from fur-
ther processing. In addition, articles that lacked the proper contributions or did not conduct the required evaluation and
verification steps were excluded. Fig. 3 illustrates the proportion of each scientific library publishing paper on DDoS detec-
tion approaches and fuzzy network anomaly detection architectures.
As shown in Fig. 3, the majority of articles were obtained from conferences or journals in the IEEE library, followed by the
Elsevier library. Besides, the number of fuzzy anomalies and DDoS detection schemes published in various scientific libraries
since 2016 is shown in Fig. 4; however, as mentioned, papers published in recent four years have been investigated in this
survey, aiming to focus on the most recent works and introduce novel methodologies.
Considering the number of recently published papers, it can be concluded that employing fuzzy techniques to detect net-
work traffic anomalies is an active and ongoing research topic. Therefore, the main research questions that are covered and
addressed by this survey are listed as follows:

RQ1- Which fuzzy-based algorithms and data mining techniques have been employed to detect anomalies in network
traffic?
RQ2- Which security services and capabilities are provided by each studied scheme?
RQ3- What are the advantages, disadvantages, and limitations of the studied fuzzy anomaly detection schemes?
RQ4- Which evaluation metrics and datasets have been used to evaluate the investigated fuzzy approaches?
RQ5- What are the possible subsequent issues that should be addressed in the future in the fuzzy anomaly detection and
DDoS detection domains?

3. Background concepts

This section explains the fundamental concepts in cybersecurity related to DDoS attacks, data anomalies, and intrusion
detection to help readers better comprehend the approaches for anomaly-based intrusion detection under investigation.

Fig. 3. The portion of the scientific libraries in published papers related to this survey’s topic.

319
D. Javaheri, S. Gorgin, Jeong-A Lee et al. Information Sciences 626 (2023) 315–338

Fig. 4. The number of papers related to fuzzy anomalies and DDoS detection frameworks.

3.1. Distributed Denial of Service attacks

The most common type of DDoS is flooding attacks, where the attacker floods the target with an excessive amount of traf-
fic. In addition, flooding attacks vary regarding the protocol type employed to flood the victim. In Bandwidth Distributed
DDoS (BW-DDoS), the attacker tries to deprive the victim of valid traffic. This type of attack and malicious activities heavily
are carried out by botnets where a large number of compromised zombies are responsible for sending spoofed IP packets.
In Reflection-based DDoS attacks, uncompromised systems were incorporated to send a massive traffic load to the victim
system in order to consume and over flow its network bandwidth. As an advantage, this tactic allows attackers to transfer
traffic to the victim system implicitly and assists the attacker in staying undetected for a long time. The attacker sends IP
packets containing the victim’s IP address in the field of the IP packet’s source address. As the server receives this request,
it sends its response to the victim node, never to the real packet source node. Smurf is one of the most well-known
Reflection-based DDoS attacks.
In amplification attacks, the attacker manages a set of slave and master zombies and instructs them to flood a huge vol-
ume of requests into the reflector systems. To intensify the attack and prevent detection, botnets may be used by attackers to
launch more extreme reflective attacks. The amplifying Reflective DDoS attacks, which use certain protocols to augment the
victim’s reflected traffic, are a special subtype of DDoS attacks. The underlying challenge with this attack is that there are
more applied response messages than the attacker’s request messages. Consequently, the reflector servers, overwhelming
the resources and bandwidth of the victim host or site, exacerbate the data flow toward the victim system. To launch ampli-
fication attacks running protocols like domain name service (DNS) or network time protocol (NTP) that amplify the traffic is
needed. A comprehensive hierarchy of DDoS attacks is indicated in Fig. 5.

3.1.1. Zero-day DDoS attacks

Zero-day attacks attempt to exploit unpublished and unknown vulnerabilities, including security flaws and system faults,
in network protocols, operating systems, and software applications. Dealing with these attacks is a very hard and compli-
cated task as they cannot be detected by traditional signature-based IDS methods. Although anomaly-based IDS schemes
can deal with these attacks by distinguishing the normal behavior of protocols from under-attack traffic, the novel attack
patterns are able to mislead even the anomaly-based methods.

3.1.2. Slow-rate DDoS attacks

Unlike other large-scale DDoS attacks that exhaust the destination with a huge amount of traffic, this kind of DDoS attack
targets the victim servers by benefiting from a small and slow traffic pattern, aiming to bypass the anomaly-based intrusion
detectors. This attack pattern is very similar to legitimate traffic as it comes with a very slow rate, making it hard to detect. In
this type of attack, there is no need for a substantial amount of systems resources; it can be taken place with merely-one
single computer or network component. This makes it possible for the attackers to establish unrecognizable large-size bot-
nets to launch DDoS attacks as they are based on running a tiny malware stub on the victim’s systems for a long time with
gaps between the attack’s events. Hence, this type can be considered an advanced persistent threat (APT) attack pattern.

3.2. Datasets

This subsection introduces and describes the datasets employed by the anomaly detection methods studied in this paper.
Some of these datasets are pretty old; in the evaluation of newly proposed anomaly detection schemes, the most up-to-date
and state-of-the-art datasets should be used as they contain newer attack traffic to malicious behavior.
320
D. Javaheri, S. Gorgin, Jeong-A Lee et al. Information Sciences 626 (2023) 315–338

Fig. 5. A hierarchy of DDoS attacks on TCP/IP layers.

321
D. Javaheri, S. Gorgin, Jeong-A Lee et al. Information Sciences 626 (2023) 315–338

3.2.1. KDD-Cup99
This dataset is the most famous and established produced from the DARPA 1998 dataset and presented by the Lincoln
Labs at MIT University. It contains 41 features, which can be classified as host-based traffic features, time-based features,
basic features, as well as content features. The KDD-Cup’99 dataset consists of 4,898,430 records of attacks, such as:

User to root (U2R) attacks, in which the attacker logs in to the computer systems like normal users. Afterward, exploiting
some existing vulnerabilities, the attacker tries to scale their role to an administrator user.

Remote to local (R2L) attacks, in which the attacker exploits certain security flaws to log in to the remote systems.

Probing attacks, in which the attacker attempt to extract and gather some data about the network equipment and
systems.

DDoS Attacks.

The main challenge with this dataset is the existence of many duplicated records, in which 78 % of the training dataset
and 75 % of the testing data are replicated. Fig. 6 indicates the number of records in the KDD-Cup99.

3.2.2. UCLA
This dataset was created by the network research lab at the University of California, Los Angeles (UCLA), in August 2001. It
consists of UDP flood traffic traces with 1001 bytes of data packets. In its captured file, the attack was aborted at the end of
the tracing process and proceeded with normal traffic. This dataset is quite old and cannot effectively train detector models
considering today’s complicated cyber-attacks.

3.2.3. ISOT
The ISOT dataset is generated from two malicious traffic datasets of Waledac and Storm botnets involved in the Honeynet
Project. Typically, Waledac is the successor of the Storm botnet and is considered a well-known peer-to-peer (P2P) botnet
that uses a decentralized protocol for communication. It uses Overnet and a fast-flux-based DNS network to establish com-
munication channels. In contrast, traffic from two separate datasets - one from the Lawrence Berkeley National Lab and the
other from the Ericsson research traffic lab in Hungary - represents non-malicious traffic. The Ericsson Lab dataset consists of
five subclasses containing applications’ traffic, such as web browsing, gaming, and BitTorrent. This dataset collected data
from 22 sub-networks from October 2004 to January 2005.
The Center for Applied Internet Data Analysis (CAIDA) published this DDoS dataset produced by the Networks Laboratory
of Ahmad Dahlan University in Indonesia. This dataset has been created in the Pcap format using a packet sniffer program
installed on the routers in a network with a star topology. This dataset consists of 5 min of anonymous network traffic under
a DDoS attack that occurred on 4th August 2007. CAIDA dataset does not contain benign traffic; it only has malicious traffic,
including the inbound attacks and victims’ responses to the attacks.

3.2.4. NSL-KDD
NSL-KDD is a descendant of the KDD-cup’99, which has rectified many of its problems, such as eliminating the duplicated
records from both testing and training subsets. This important modification can lead to unbiased results in intrusion detec-
tion schemes and improve the detection rate. NSL-KDD has contained 37 types of attacks, of which 14 are in the testing sub-

Fig. 6. The number of records in the KDD-Cup’99 dataset.

322
D. Javaheri, S. Gorgin, Jeong-A Lee et al. Information Sciences 626 (2023) 315–338

set, and 24 are in the training subset. In addition, this dataset has 41 features with five traffic classes, including one normal
traffic and four malicious traffic.

3.2.5. CTU-13
The CTU-13 has been captured at Czech Technical University (CTU) in the Czech Republic and has real botnet traffic con-
taining normal and background traffic. This dataset was created in 2013 and included thirteen scenarios of various samples.
To produce this dataset, malware programs were run with some protocols in which each scenario has three different traffic
packets in a Pcap file. In the CTU-13, each scenario has the following files:

The Pcap file (.pcap) contains the botnet traffic traces.

The bidirectional NetFlow file (.biargus) contains types of traffic and labels. These files differentiate between the server
and client and have more data and detailed labels.

An executable (.exe) file.

3.2.6. UNSW-NB 15
The UNSW-NB 15 dataset was created at the University of New South Wales in Sydney. It contained 49 different features
and was produced by generating synthetic attacks and modern normal behaviors using the Tcpdump tool from 100 Giga-
bytes of raw traffic. Furthermore, the Argus and BrO-IDS software tools and several algorithms were employed to generate
features and the classes’ labels. This dataset has 2,540,044 records with nine types of attacks, including:

Fuzzers: The attacker discovers security loopholes by feeding massive data, aiming to crash the system.

Generic: It causes a collision in the block cipher that applies hash functions.

Shellcode: Attackers send a code for the victim aiming to obtain its control.

Backdoor: Bypassing authentication mechanisms and providing illegal access to the remote hosts.

DoS: Overloading the computer resources and preventing authorized access to a host.

Reconnaissance: Gathering information from computer networks to bypass their defensive mechanism.

Worm: Attackers replicate themselves to be spread on other computers.

Analysis: A kind of intrusion that penetrates the victim’s web applications via emails, scripts, and ports.

Exploit: Taking advantage of bugs or vulnerabilities, leading to unsuspected behaviors at the victim.

Six groups of features, such as basic features, flow features, time features, content features, labeled features, and addi-
tional features, have been provided in this dataset. Flow features have server-to-client or client-to-server features, while
basic features represent protocols’ connections. The content features demonstrate the attributes of TCP/IP, and time features
have properties such as round trip time, start/end packet time, and arrival time of packets. The additional features indicate
general connection attributes, and eventually, the labeled features indicate the label/s for each record.

3.2.7. CICDDoS 2019

This dataset in relatively new and contains real-world traffic of DDoS attacks, labeled based on the timestamp, ports, IPs,
protocols, and the name of attack. Similar to other datasets, CICDDoS2019 has a training set (about 7 h of captured data) and
a testing set (about 6 h of captured data), in which the training set consists of 175,341 records while the testing part has
82,332 records. Moreover, this dataset contains the traffic of various network protocols, such as HTTPS, HTTP, SSH, FTP, etc.
There are 12 different DDoS attacks in the training part of this dataset, such as TFTP, WebDDoS, MSSQL, PortMap, LDAP,
NetBIOS, UDP, UDP-Lag, NTP, SYN, SNMP, and DNS, besides seven types of cyber-attacks in the testing part. These attacks are
NetBIOS, UDP-Lag, MSSQL, SYN, UDP, PortScan, and LDAP. Deficiencies with this dataset are the size of WebDDoS traffic,
which is very small and insufficient for accurate model training. PortScan traffic can only be found in the testing set, making
it an imbalanced dataset.

3.2.8. IoT-23
In recent years, IoT botnets connected to external command and control (C&C) centers have been responsible for conduct-
ing large-scale distributed DDoS attacks. Detecting DDoS attacks initiated from IoT botnets is more difficult as these devices
are often heterogeneous. Mirai and Athena are the most notorious samples of IoT botnets able to perform DDoS attacks and
are responsible for many recent cyber-attacks against big companies and the financial sector [11]. The IoT-23 dataset was
published in January 2020 by the Avast AIC laboratory and contained the real and labeled IoT traffic, aiming to train models
to deal with DDoS attacks originating from IoT devices. In this dataset, three non-malicious devices - these IoT devices are
real hardware and not simulated, such as Somfy smart door’s lock, an Amazon Echo home intelligent personal assistant, and
a Philips HUE smart LED lamp – were used to generate benign traffic traces. Then, the traffic traces of twenty malicious
devices were captured under different attack scenarios and added to the dataset.
In the following, Table 3 conducts a comparison between the properties of the datasets used by anomaly detection
schemes studied in this paper.
323
D. Javaheri, S. Gorgin, Jeong-A Lee et al. Information Sciences 626 (2023) 315–338

Table 3
A comparison between datasets employed by fuzzy-based anomaly detection schemes.

# Dataset Pub. Num. of Dataset Size Types of Attacks Access Link

Names Year Features
1 KDD- 1999 42 Training data: 24 attacks in the training set and 14 attacks in the https://kdd.ics.uci.
Cup’99 4,898,430 records testing set. edu/databases/kddcup99/
Testing data: kddcup99.html
2,000,000 records
2 UCLA 2001 N/A UDP flood traffic with 1001 DDoS Attacks https://www.lasr.cs.ucla.edu/
bytes of data packets ddos/traces/public/usc.
3 ISOT 2004 N/A N/A N/A N/A
4 CAIDA 2007 N/A 5 min of DDoS attacks in DDoS Attacks https://www.caida.
the form of anonymized org/catalog/datasets/ddos-
traffic 0070804_dataset/
5 NSL-KDD 2009 42 Training data: Total: This dataset contains 24 attacks in the training set 1- https://www.kaggle.com/
4,898,431 and 14 attacks in the testing set. datasets/hassan06/nslkdd
Attacks: 3,925,650 2- https://www.unb.ca/cic/
Normal: 972,781 datasets/nsl.html
Testing data:
Total: 311,027
Attacks: 250,436
Normal: 60,591
6 CTU-13 2013 6 N/A Botnet traffic https://www.stratosphereips.
org/datasets-ctu13
7 UNSW- 2015 49 2,540,044 records 9 attacks: Reconnaissance, Generic, Fuzzers, https://research.unsw.edu.au/
NB 15 Analysis, DoS, Exploits, Shellcode, Backdoors, and projects/unsw-nb15-dataset
Worms.
8 CICDDoS 2019 Over Training data: 175,341 Training data: 12 DDoS attacks https://www.unb.
2019 80 records, Testing data: 7 attacks ca/cic/datasets/ddos-2019.
Testing data: 82,332 html
9 IoT-23 2020 N/A Captured traffic of 3 benign DDoS Attacks https://www.stratosphereips.
IoT devices. org/datasets-iot23
Traffic traces of 20
malicious devices

3.3. Machine learning classifiers

Considering the sheer number of cyber-attacks occurred daily, AI-assisted systems are vitally required to detect and con-
front them automatically. Hence, machine learning techniques have been widely employed to train detector and classifier
models accurately in recent years [12]. This subsection introduces the classifiers used by the fuzzy anomaly detection
schemes studied in this paper.

3.3.1. ANFIS
Adaptive Neuro-Fuzzy Inference System (ANFIS) is an interesting method consisting of a Takagi-Sugeno-based fuzzy
inference system (FIS) and a neural network. In this method, fuzzy logic has been employed to convert input data into output
using a neural network model. Also, ANFIS uses the ANN to tune the FIS and deep learning hyper-parameters, like learning
rate, batch size, number of hidden layers, number of neurons, etc. In recent studies, fuzzy adaptive models have widely been
employed to detect new deception cyber-attacks, including DDoS [13]. Although the ANFIS model can solve many classifi-
cation problems in different domains, One of the disadvantages of the ANFIS is its sensitivity to its initial fuzzy rules. Besides,
the computation overhead is another drawback of the ANFIS, worsened by increasing the number of fuzzy rules required to
address the problem.

3.3.2. ANNS
The biological neural networks of the human brain to solve decision-making, classification, and prediction problems
inspire artificial neural networks (ANN). An ANN model is a set of connected artificial neurons that can get some signals
and sends them to the other connected neurons after conducting a certain process. Different kinds of ANN models have been
presented, which benefit from different architectures, optimization techniques, hash functions, and learning methods to
solve linear and non-linear problems. ANN models need larger size datasets compared to traditional machine learning algo-
rithms, but there is no need for reprogramming and manual feature extraction as they can select and extract the most effec-
tive features automatically. Besides, given the parallel nature of ANNs, if any elements of the model get failed, the model is
still able to proceed and complete the task, but the accuracy might be affected. Nonetheless, the training and testing process
of the ANN models is time-consuming and incurs high computational overheads.
324
D. Javaheri, S. Gorgin, Jeong-A Lee et al. Information Sciences 626 (2023) 315–338

3.3.3. Bayesian network

A Bayesian network aims to represent knowledge using a probabilistic graphical model that performs probability com-
putation using the Bayesian theorem. In a Bayesian network, each node represents random variables, and an edge is a con-
ditional probability for the transition between random variables. Therefore, by indicating conditional dependence in a
directed acyclic graph, a Bayesian network can model the conditional dependence. Consequently, it can be used to conduct
inference on random variables. As an advantage, the Bayesian network’s training and classification can be carried out very
fast without any sensitivity to unrelated features. Furthermore, it is able to handle different types of data. However, as a dis-
advantage, it considers that features are independent of each other.

3.3.4. SVM
In machine learning, Support Vector Machine (SVM) is a supervised method widely have been used for regression and
classification problems. In an SVM classifier, the classification process applies a non-linear transformation using a hyper-
plane to separate two data items. Different types of SVM classifiers have been provided in the literature for binary and
multi-class classification and have been effectively used in intrusion detection functions. The SVM classifier can be a better
option when the data structure is unknown, as it can handle semi-structured and even unstructured data. Besides, the risk of
over-fitting errors is much less in this classifier, so noisy data can be tolerated up to a good point. However, selecting a proper
kernel function for the SVM and tuning its parameters is not an easy task. As another disadvantage, the training time of this
algorithm is relatively high for large-size datasets.

3.3.5. k-NN
k-Nearest Neighbors (k-NN) is a non-parametric algorithm proposed by Joseph Hodges and Evelyn Fix in 1951. This algo-
rithm is a supervised learning method that applies k nearest data points as input to address the regression and classification
problems. As the advantages, k-NN is easy to understand and be implemented, its training time is very fast, and it is resilient
against noisy data. However, the classification (inference) time for this algorithm is relatively long and consumes much
memory. Besides, k-NN requires all features of the dataset to be trained accurately.

3.3.6. SOM
In machine learning, self-organizing map (SOM) is an unsupervised dimensionality reduction method to produce low-
dimension data from a higher-dimension dataset while the data structure is maintained. Generally, SOM is a kind of artificial
neural network that uses a competitive learning approach instead of error-correction learning for training mode. SOMs oper-
ate in training to generate a lower-dimensional dataset, and then, in the mapping step, the input data are classified using a
generated map. As an advantage, the algorithm provides reasonable interpretation and visualization. However, sometimes
sub-optimal results can be seen in the output. Also, SOM needs similar behavior for nearby data to be effective.
In the following, Table 4 exhibits a comparison between the machine learning classifiers applied by the fuzzy anomaly
detection approaches studied in this survey paper.

4. Fuzzy-based DDoS and anomaly detection approaches

This section presents a comprehensive study of fuzzy techniques for detecting DDoS attacks and network anomalies. To
this aim, this paper first classifies the existing methods based on the type of fuzzy techniques, as indicated in Fig. 7. Then, it
describes the capabilities of these methods in detecting network anomalies and DDoS attacks. Besides a comparison between
the studied approaches is presented at the end of each section. In a holistic view, these schemes highly benefit from the

Table 4
A comparison between the classifiers employed by anomaly detection schemes.

# Classifier’s name Advantages Disadvantages

1 ANN Handling non-linear problems High training and testing time
Incurs high computational overheads
2 Bayesian Network High training and classification speed Features independence assumption
No sensitivity to unrelated features
Can handle different types of data.
3 SVM Support for semi-structured and unstructured data. High training time
Low over-fitting risk Difficult to learn
Tolerance for noisy data Need for kernel selection
Tuning its parameters
4 k-NN Easy to understand Long classification time
Easy to learn High memory requirements
Low training time Need for all features
Resilience against noisy data
5 SOM Easy to understand Need sufficient data
Observable process
Low training time

325
D. Javaheri, S. Gorgin, Jeong-A Lee et al. Information Sciences 626 (2023) 315–338

Fig. 7. A taxonomy of the fuzzy-based anomaly detection approaches.

Sugeno or Mamdani fuzzy models. Despite the Mamdani model, the number of output functions and fuzzy rules in the
Sugeno models is the same. The Sugeno model also uses a weighted average to evaluate the crisp outputs during the defuzzi-
fication stage, whereas the Mamdani model merely generates fuzzy outputs without any evaluation.
Some of the studied schemes operate offline, which cannot be useful in preventing ongoing attacks and anomalies. In con-
trast, some others allow real-time detection, which can effectively be employed to deal with ongoing attacks. A hierarchy of
fuzzy-based approaches to detect DDoS attacks and networks anomalies is shown in Fig. 7.

4.1. Fuzzy supervised learning-based schemes

This subsection studies the DDoS detection approaches that benefit from a fuzzy supervised learning method to detect
DDoS attacks, as well as some other anomalies in computer networks.

4.1.1. Fuzzy ANN

The most recent approaches that have applied any kind of fuzzy neural network to detect DDoS and anomalies are pre-
sented in this subsection.
Alsaadi et al. [14] presented an IDS scheme that applies an information gain method to choose eight essential features in
the intrusion detection process. Moreover, ANFIS is used to process the achieved features and classify network data packets
into normal or attack packets. This scheme applies two functions, i.e. denoted faster-scaled conjugate gradient and Jang’s
Neuro-fuzzy. In the experiments conducted in MATLAB software, datasets such as ISCX, NSL-KDD, and KDDcup99 are applied
to evaluate this fuzzy anomaly detection scheme. The authors indicated that the scheme could achieve higher precision in
finding attack or normal behaviors regarding the root mean square error (RMSE) metric. In addition, it gains better time pro-
cesses and accuracy in the classification process and detects different intrusions more effectively. Nonetheless, the authors
failed to compare their scheme with other recently proposed IDS schemes to further verify the achieved results.
In [15], the authors applied two fuzzy techniques, namely a FIS and an ANFIS model, to efficiently detect and handle flood-
ing attacks in a homogeneous WSN. This method uses a fuzzy method for clustering based on factors such as trust factor,
mobility, and residual energy. Afterward, the cluster’s data is collected by the anchor node and then evaluated by the ANFIS
model, which utilizes metrics such as packet transfer rate and node’s energy consumption to recognize the maliciousness of
data packets. In the next step, if the data packets are recognized to have been sent from a non-malicious node, then the
anchor node sends the packets to the sink node located in the middle of the WSN. The authors evaluated their scheme in
MATLAB software by considering 500 sensor nodes with 1 J energy over a 500  500 square meter area. These tests evaluate
the proposed scheme and some other recent security solutions regarding metrics such as detection delay, detection rate,
energy consumption, packet drop ratio, delay, and throughput.
Vijayakumar et al. [16] presented a fuzzy logic-based scheme for recognizing jamming attacks, which may lead to denial
of service in wireless sensor networks. For this purpose, they applied ANFIS and FIS to detect the jamming regarding detec-
326
D. Javaheri, S. Gorgin, Jeong-A Lee et al. Information Sciences 626 (2023) 315–338

tion metrics such as Received Signal Strength Indicator (RSSI) and packet delivery ratio. If there is a jammed sensor in the
cluster, this scheme detects it based on such metrics. The scheme utilizes a Takagi–Sugeno-based FIS to optimize the jam-
ming detection metrics. The authors conducted experiments in MATLAB software to evaluate their presented ANFIS and FIS
models based on metrics such as false detection and true detection ratios.
Karthiga et al. [17] introduced an anomaly-based detection method that applies convolutional neural networks and ANFIS
for detecting security attacks in Vehicular Ad Hoc Networks (VANETs). This method consists of two components denoted as
unknown and known IDS modules for detecting unknown and unknown attacks. This scheme applies ANFIS to detect known
malicious attacks and deep learning to find unknown attacks. Besides, it presents MLNET, a Modified LeeNET architecture for
recognizing the unknown attack type. For the evaluation of this scheme, datasets such as i-VANET and CIC-IDS 2017 are
applied. The latter consists of infiltration attacks, web attacks, DDoS attacks, heart-bleed attacks, botnet attacks, and Brute
Force attacks. The authors carried out their experiments using MATLAB software based on metrics, including accuracy, pre-
cision, sensitivity, and specificity.
Farhin et al. [18] proposed a security solution for the Internet of Things that detects malicious attacks using an SDN. In
this scheme, the incoming and outgoing traffic flows are analyzed using the SDN controller, and the anomalies are detected
and blocked. SDN applies a fuzzy neural network-based attack detection system that recognizes malicious behaviors such as
malicious code, side-channel, man-in-the-middle, and DDoS attacks. The authors conducted the necessary experiments on
the Matlab-Simulink software tool. They applied the expert opinion for designing the fuzzy rule-based system and, after-
ward, trained the model and tested it based on the features attained from the NSL-KDD dataset. Carried out with an F-1
score, recall, precision, and accuracy, these evaluations show that this scheme can accurately recognize the malicious attacks
against the IoT. Nonetheless, the scheme was not evaluated on the more recent IDS and DDoS datasets.
In order to mitigate the false alarm rate and improve the accuracy of intrusion detection, Manimurugan et al. [19] applied
the ANFIS and Crow Search Optimization algorithm in a network intrusion detection system. They applied the Crow search
optimization algorithm to optimize the proposed ANFIS model. The authors performed their experiments and tests on the
NSL-KDD dataset and analyzed the performance of their approach based on metrics such as accuracy, false positive rate, pre-
cision, and recall. This scheme was compared with other schemes such as PSOANFIS, GA-ANFIS, FC-ANN, and BPNN. It was
demonstrated that the detection rate of this scheme was 95.80 %, with a false positive rate of 3.45 %. Nonetheless, the authors
failed to evaluate the performance of their scheme using other new datasets and the old dataset used for their evaluations,
which may not contain the recent attacks.

4.1.2. Fuzzy rule generation-based schemes

This subsection addresses the fuzzy DDoS and anomaly detection schemes that try to extract a minimized subset of rules,
which can recognize anomalies with high accuracy and a low false-positive rate.
In [20], the authors introduced the FT-EHO, a fuzzy DDoS attack detection framework that uses the Taylor-elephant herd
optimization algorithm and a deep belief network. It performs a rule-learning process using the Taylor series, EHO, and a
fuzzy classifier. Using KDD-Cup99 and two other synthetic datasets, the authors analyzed their scheme and exhibited that
it could present percentages of 93.81 %, 97.20 %, 94.981 %, and 93.833 % for accuracy, detection rate, precision, and recall,
respectively.
Moreover, the authors of [21] put forward an approach for the classification of logs using a time-varying evolving fuzzy-
rule-based classification model and sliding time windows. They extracted time window attributes to develop an evolving
Gaussian fuzzy classifier and improved its accuracy and compactness.
To detect DDoS attacks in cloud computing environments, Velliangiri and Pandey [22] introduced FT-EHO-DBN, a classi-
fier created by combining the T-EHO optimization algorithm, fuzzy logic, and DBN classifier. In this scheme, requests are sent
to a feature extraction module for extracting the packets’ features. The extracted features are then sent to a feature selector
engine for extracting the selective features using a holoentropy-based feature selection method. Afterward, the classification
module is tasked to detect DDoS attacks by applying the fuzzy classifier and DBN. In this scheme, the T-EHO algorithm is
used for rule learning in the fuzzy classifier. The KDDcup database was used to evaluate this scheme, and the proposed
scheme was compared with the other classifiers such as SVM, ANN, and an ensemble regarding evaluation metrics such
as precision, accuracy, detection accuracy, and recall. Nonetheless, this scheme suffers from high computational costs.

4.2. Fuzzy unsupervised learning-based schemes

Unlike the non-fuzzy clustering methods (hard clustering), in fuzzy clustering (soft clustering), each data point can simul-
taneously belong to several clusters to some degree. Fuzzy clustering-based methods are widely incorporated for unsuper-
vised anomaly detection problems in which no labeled dataset exists for anomaly detection. Fuzzy clustering has widely
been used in various approaches to detect DDoS attacks and network security anomalies in combination with optimization
algorithms for tuning hyper-parameters and improving the accuracy of fuzzy clustering [23]. Table 5 summarizes the prop-
erties of the fuzzy supervised learning-based schemes.

4.2.1. FCM-based schemes

Fuzzy c-means (FCM) is a fuzzy clustering method applied in many anomaly intrusion detection approaches. FCM allows
soft data clustering in which each data point belongs to several clusters by some membership degrees. However, the results
327
D. Javaheri, S. Gorgin, Jeong-A Lee et al. Information Sciences 626 (2023) 315–338

Table 5
The properties of the fuzzy supervised learning-based schemes.

Ref. Pub. Dataset Names Simulation Factors Membership Restrictions

Year Function
[24] 2019 Self-collected Sensitivity, Specificity – It should be tested on other datasets as well.
[19] 2020 NSL-KDD Precision, – Only one outdated dataset was used for analysis. It is not contrasted
False-positive rate, with other approaches for detecting anomalies.
Recall
[20] 2020 KDD-Cup’99, Two Accuracy, – –
synthetic Detection rate,
datasets Precision, Recall
[21] 2020 Self-collected Accuracy, Gaussian It can only handle host-based anomaly detection schemes.
Number of Rules, Time
[22] 2020 KDD-Cup’99 Recall, Accuracy, Triangular Only one outdated dataset was used for evaluation.
Precision
[25] 2020 Self-collected Energy consumption – It is not contrasted with other algorithms and anomaly detection
techniques.
[26] 2020 KDD-Cup’99 Accuracy, Gaussian Only one outdated dataset is used for evaluation. It was not properly
Sensitivity, compared to other anomaly detection techniques.
Specificity, AUC
[27] 2020 NSL-KDD, Accuracy, – More comparisons with different classifiers are required to confirm the
UNSW-NB15 Average time cost, findings because this technique was only tested against the SVM
Influence of device classifier.
traffic on detection
efficiency
[28] 2021 DDoS-2016 True positive rate, – It was not compared with other approaches.
True negative rate,
False negative rate,
False positive rate,
Detection rate
[29] 2021 NSL-KDD, Accuracy, Triangular The results were only compared using the accuracy metric, and other
UCI dataset Number of rules, metrics were not considered in comparisons.
Run time

show that FCM is sensitive to the initial centroids or cluster centers and may suffer from local optima problems. The com-
putation complexity of the algorithm is OðNF  P2  DIÞ, in which DI is the dimension, P is the number of subsets, and NF is
the number of features. Some anomaly intrusion detection-based schemes have improved the FCM clustering method using
metaheuristic algorithms or other techniques. On the other hand, some systems have accepted the deficiencies of the FCM
and applied it in combination with different strategies for anomaly detection. Moreover, selecting the optimal number of
clusters in FCM is another issue that should be dealt with in this clustering algorithm. Plenty of FCM-based anomaly detec-
tion approaches have been proposed in the literature.
In [30], the authors suggested a detection algorithm for DDoS attacks based on various graph features such as index, out-
degree, betweenness, and eigenvector centrality. These functions calculate node values, such as source and destination IP
addresses. The standard and attack behaviors of the network are modeled using these features. In addition, suspicious
and safe IP addresses are identified using a fuzzy clustering method. The algorithm was tested on the real data obtained from
the network of Boğaziçi University. However, the authors failed to verify their anomaly detection approach by conducting
the necessary experiments on standard datasets.

4.2.2. Fuzzy k-Medoids-based schemes

k-Medoids is a clustering algorithm proposed by Kaufman and Rousseeuw to partition the dataset into clusters. Then, it
minimizes the distance between the centroids and data points assigned to each cluster. In selecting the centroids, the k-
Medoids algorithm selects the data points as centroids, which performs better than other clustering algorithms such as k-
Means. Besides, as an advantage, the k-Medoids algorithm can be applied with any dissimilarity metric, but the k-Means
method needs Euclidean distances. The computation complexity of the k-Medoids algorithm is O(N2), in which N is the num-
ber of data items. Some schemes employ this clustering algorithm for detecting anomalies and DDoS attacks.

4.2.3. Fuzzy K-Means-based schemes

Another popular clustering technique in data mining, K-means, seeks to separate the data into a predetermined number
of clusters. The key issue is its sensitivity to the original data, which could result in the local optima problem [31]. The com-
putation complexity of this clustering algorithm is O(N2), in which N is the number of data items. A variety of fuzzy k-means-
based DDoS attacks and anomaly detection schemes have been presented in the literature, some of which will be studied in
this section.
Table 6 lists the properties of the Fuzzy Unsupervised Learning-Based and Fuzzy Feature Extraction-Based approaches, as
well as makes a comparison between them.
328
D. Javaheri, S. Gorgin, Jeong-A Lee et al. Information Sciences 626 (2023) 315–338

Table 6
Properties of the fuzzy unsupervised learning-based and fuzzy feature extraction-based approaches.

Ref. Pub. Dataset Names Simulation Factors Membership Restrictions

Year Function
[30] 2019 Self-collected N/A Triangular It does not provide the required experimental results on the
Trapezoidal standard datasets.
[32] 2019 UCI dataset, msnbc.com Detection rate, N/A It can only handle session anomalies and cannot be used for
False-positive rate network anomalies.
[33] 2019 KDD-Cup’99 Detection rate Gaussian N/A
False-positive rate
[34] 2020 Synthetic dataset, Recall, Precision, N/A N/A
UCI dataset F-measure, AUC
[35] 2020 NSL-KDD Accuracy, Missing rate Gaussian Experiments were conducted only on one dataset.
False-positive rate,
F1-measure
[36] 2020 KDDCup-99, Detection rate, Gaussian N/A
NGIDS-DS, False negative rate,
ToN_IoT False-positive rate
[37] 2020 N/A Decryption times, Triangular The number of clusters should be indicated and reported.
Execution times,
Encryption times,
Specificity, Sensitivity
[38] 2020 Synthetic dataset, IBRL, Accuracy N/A N/A
NSL-KDD False-positive rate,
Benchmark,
Numenta Anomaly,
[39] 2021 Synthetic dataset F-Measure, Precision, N/A N/A
Recall
[40] 2021 Synthetic dataset Accuracy, Calinski– N/A It has not applied standard IDS datasets to further verify the
Harabasz Index, results.
Silhouette Coefficient
[41] 2021 N/A Accuracy, N/A It lacks evaluation and comparison against other anomaly
False-positive rate detection methods.

4.3. Fuzzy feature extraction-based schemes

This section investigates DDoS and anomaly detection approaches that have applied fuzzy feature selection and extrac-
tion methods.

4.3.1. Fuzzy principal component analysis-based schemes

Principal component analysis (PCA) is a feature extraction method employed in the anomaly intrusion detection field by a
few researchers. Since these works were not new, they were excluded from this survey.

4.3.2. Fuzzy-rough set theory-based schemes

Fuzzy rough set theory is used by several schemes for DDoS and anomaly detection. Furthermore, the anomaly detection
framework in [33] applies a fuzzy rough set-based SVM classifier and a fuzzy rough set. This scheme uses two intelligent
agents for feature selection and decision-making. The first one selects better features using a fuzzy rough set. In contrast,
the second tries to make a decision. It also uses a fuzzy rough-based SVM for finding anomalies. They used the KDD-
Cup’99 dataset and demonstrated that they could provide better results in terms of the false-positive rate and accuracy.
Furthermore, an anomaly detection model is presented in [35] that uses a fuzzy rough set and information gain ratio in
feature selection and presents a GA-based pattern learning method. The authors provided a clustering method, named GA-
GOGMM, based on a Gaussian mixture model and used it to extract normal and intrusion patterns. GA-GOGMM attains the
optimal GMM for pattern clustering and avoids the clustering method’s susceptibility to the initial data. In this scheme, the
required experiments were conducted using NSL-KDD and self-collected network traffic. They proved that their approach
outperformed other schemes regarding detection accuracy and false-positive rate.
In [36], the authors proposed FGMC-HADS or Fuzzy Gaussian Mixture-based Correntropy, which operates using mecha-
nisms such as correntropy, GMM, or Gaussian mixture model, and FRAR or fuzzy rough set attribute reduction. FGMC-HADS
uses the GMM and Correntropy approaches for fusing multivariate features and conducting anomaly detection. The FGMC-
HADS was evaluated using the KDDCup-98, NGIDS-DS, and ToN_IoT datasets. The authors indicated that their proposed
scheme made hosts more secure against unknown attacks.

329
D. Javaheri, S. Gorgin, Jeong-A Lee et al. Information Sciences 626 (2023) 315–338

4.4. Fuzzy inference system-based schemes

A fuzzy inference system processes the input values and produces an output vector by considering the fuzzy set theory
and using some fuzzy rules and fuzzy membership functions. In addition, it is important to note that the FIS output is a fuzzy
set. Generally, a fuzzy inference system consists of a fuzzifier, defuzzifier, and inference engine, of which two types, namely
Mamdani and Sugeno, are used. The fuzzifier is responsible for converting crisp values into fuzzy sets. The fuzzification pro-
cess applies various membership functions such as Gaussian, triangular, and trapezoidal to represent the fuzzy sets. In this
step, three different fuzzifiers, such as trapezoidal or triangular fuzzifiers, Gaussian fuzzifiers, and singleton fuzzifiers can be
applied. At last, in the defuzzification step, a decision-making algorithm is used to achieve a crisp value from the fuzzy infer-
ence results. Besides, methods such as the center of the largest area, center of sums, maxima, and center of gravity can be
employed in the defuzzification step. Fig. 8 exhibits the architecture of a fuzzy inference system.
Several schemes have applied the FIS for DDoS detection and anomaly detection. For Instance, Scarnati et al. [42] put for-
ward an anomaly detection system that applies the artificial immune system to detect network event variations to recognize
attacks with no prior information. In this scheme, fuzzy logic is employed to decrease uncertainty when a clear boundary
does not exist between abnormal and normal traffics. They applied a dataset containing different DDoS attacks and evaluated
attacks such as flooding and portscan. They proved that their system could outperform the naive Bayes and KNN classifiers
regarding metrics such as F-measure. However, this approach has not addressed distinguishing the DDoS attacks from the
flash crowd.
In [43], Novaes et al. introduced LSTM-FUZZY, a solution for monitoring, detecting, and decreasing network anomalies in
the SDN. The architecture of this method for anomaly detection is shown in Fig. 9.
It has three modules, in which the first one characterizes the network traffic and predicts the network’s normal behavior
by using short-term long memory. In the second module, attacks are recognized using fuzzy logic and Bienaymé-Chebyshev’s
inequality. The third module applies automatic anomaly reduction policies to reduce the attack damages. The authors val-
idated their scheme using the Floodlight controller and Mininet emulator and considered Portscan and DDoS attacks in the
first scenario. They also applied the CICDDoS2019 dataset in another scenario. They proved that their scheme could outper-
form KNN, SVM, LSTM-2, MLP, as well as PSO-DS regarding precision, false-positive rate, recall, and area under the curve
(AUC) rate. Nevertheless, this scheme was not evaluated against other types of DDoS attacks and vulnerabilities in different
SDN topologies.
Nguyen et al. [44] introduced an entropy-based FIS model to detect the data anomaly from the packets’ interval arrival
time. This FIS model provided the required rules to find the varied mean and sensor traffic variance. The authors showed that
this scheme outperformed the entropy-based Shannon method in terms of detection rate with the conducted experiments.
However, analyzing their schemes with other intrusion detection metrics and various types of anomalies can provide useful
insight into their system, which the authors failed to achieve.
Alsirhani et al. [45] presented a DDoS detection approach that employs a fuzzy logic system, a distributed system, and
some classifiers. In this scheme, the classifiers are applied to classify the network traffic into normal traffic and DDoS attacks.
To be more specific, this scheme benefits from classifiers such as random forest, decision tree (Gini), decision tree (entropy),
and naive Bayes. In addition, for recognizing the DDOS attacks, it applies the fuzzy logic for choosing one of these classifiers
dynamically based on their execution delay and accuracy. This scheme applies the real-world traffic traces of the CAIDA col-
lected from high-speed monitors on a commercial backbone link from 2008 to 2019. In this process, they used a software
tool, T-shark, a command terminal version of the Wireshark network analysis tool. T-shark is applied for getting packet fields
from the dataset and converting the dataset into the CSV format. They exhibited that the selection of the appropriate clas-
sification algorithm can be carried out using the fuzzy logic system based on the traffic status. In these experiments, they
used evaluation metrics, including false positive rate, F-measure, Recall, precision, and accuracy. The results of the experi-
ments indicated that the fuzzy logic could choose the correct classifier, and this scheme could get a trade-off between delay
and accuracy. Nonetheless, their scheme cannot get the same performance for different datasets.

Fig. 8. The schematic of the fuzzy inference system.

330
D. Javaheri, S. Gorgin, Jeong-A Lee et al. Information Sciences 626 (2023) 315–338

Fig. 9. The architecture of network anomaly detection [43].

Since the SDN controller is among the important components of the SDNs, it is vulnerable to various types of DDoS secu-
rity attacks, and successful attacks can make them unreachable to the rest of the SDNs. This can be more sensible in the wire-
less SDNs that employ wireless links between the SDN devices and controllers. To deal with this issue, Rios et al. [46]
introduced a DDoS detection scheme using Euclidean Distances, MLP, and a FIS for the detection of RoQ or Reduction of Qual-
ity DDoS attacks that try to reduce the QoS (Quality of Service) of the victim service regardless of the transport protocol used
for communication. This method does not employ a feature selection method, and the authors handpicked the applied fea-
tures to achieve good results in the classification step. They used three features such as entropy, an average inter-arrival
time, and packet number, for the classification and detection of DDoS attacks. The scheme applies four Internet traffic traces,
two of which are used for evaluation and obtained from real and emulated environments. The authors created a dataset for
each of these traces, consisting of three features, i.e. the number of packets, entropy rate, and the average inter-arrival time.
They created an attack tool named M-RoQ for generating attacks used to create the traffic traces. In their experiments, they
used metrics such as confusion matrix, F1-score, precision, and recall and indicated that their proposed fuzzy approach could
outperform MLP in detecting RoQ attacks. However, this scheme was not analyzed over well-known standard datasets, and
more evaluations are needed to be verified. Besides, no feature selection method was used in this scheme, and it could be
enhanced by various feature selection techniques.

4.5. Type 2-based fuzzy schemes

The DDoS detection schemes that have applied type-2 fuzzy sets will be addressed in this subsection. For instance, Sri-
latha and Shyam [47] introduced an IDS scheme for cloud computing environments, which applies the kernel FCM integrated
with a classifier to prevent unauthorized activities in cloud computing. This scheme for finding new attacks trains the type-2
fuzzy neural network using attack data and clusters the training data with the kernel FCM method. In addition, the lion opti-
mization algorithm is used for tuning the parameters of the type-2 fuzzy neural network. This scheme, after the training step,
will be able to recognize security attacks. The training and testing steps were carried out using the NSL-KDD dataset. Besides,
for evaluating this scheme, experiments were conducted in the CloudSim tool and JDK 1.6 using metrics such as F-measure,
recall, and precision. The achieved results were compared against other classifiers such as the k-nearest neighbor, fuzzy logic
controller, ANN, and naive Bayes. Nonetheless, a legacy dataset was employed for testing this scheme.
Pajila et al. [48] introduced FBDR, a solution for detecting and handling DDoS attacks in WSNs. It applies to type-1 fuzzy
logic to recognize the DDoS attacks in sensor nodes and utilizes the type-2 fuzzy sets for recovering from the attacks. Detect-
ing DDoS attacks, this scheme is able to mitigate the power consumption of sensor nodes and enhance the WSNs’ lifetime.
The authors conducted their experiments using MATLAB software in a 500  500 square environment, in which the number
of sensor nodes varied from 50 to 500. The evaluations were conducted regarding metrics such as network lifetime, number
of alive nodes, packet drop rate, energy consumption, response time, buffer usage, detection rate, and execution time.

4.6. Intuitionistic fuzzy time series-based schemes

Intuitionistic fuzzy time series are used by some schemes to handle DDoS attacks and anomalies in computer networks.
For instance, Wang et al. [49] applied intuitionistic fuzzy time series-based graph mining to detect anomalies in the network
traffic. First, they used multiple parallel variable ordering heuristic intuitionistic fuzzy time series to present forecasting
models for multi-dimension feature entropy of traffic data. Then, they built an intuitionistic fuzzy time-series-based graph
using change amplitudes in entropy and edge weights between vertices defined by similarity. Finally, they frequently per-
formed the mining of subgraphs on the intuitionistic fuzzy time-series graph and built anomaly vectors using the mining
results. The authors analyzed this scheme using three datasets; the first one was the DDoS 2007 dataset; the second one
331
D. Javaheri, S. Gorgin, Jeong-A Lee et al. Information Sciences 626 (2023) 315–338

was achieved from the traffic traces from the trans-Pacific backbone link in 2007; the third one was the Witty Worm dataset.
Besides, in those experiments, the proposed anomaly detection scheme was regarding false alarm rate and detection rate.
Fan et al. [50] have proposed a long-term intuitionistic fuzzy time series method to forecast network traffic. In this
method, the network traffic was intuitionistically fuzzyfied and vector quantized, and the time series vectors were created
using an improved version of intuitionistic fuzzy c-means clustering techniques. The authors have claimed that their pro-
posed fuzzy c-mean clustering algorithm can enhance the discrimination of time series segments and improves the effi-
ciency of forecasting while the computational complexity reduces compared to other related works. Furthermore, this
makes it possible to perform preprocessing data, mimicking nonlinear features of a network to be applied in detecting DDoS
anomalies in realtime.
A comparison between the FIS-based intrusion detection methods is reported in Table 7.

5. Discussion

This section provides useful information regarding the methods and techniques used to defend against network anoma-
lies and DDoS attacks. Such information is very useful in finding the areas that can be further studied in the next research. To
be more specific, the following are analyzed in this section:

Percentage of the schemes provided using different learning and fuzzy techniques

Percentage of the applied fuzzy classifiers

Percentage of the datasets utilized anomaly detection processes

Percentage of the employed FLC types

Percentage of anomaly detection and DDoS detection schemes

Number of the schemes that have applied different membership functions

Fig. 10 demonstrates the percentage of the applied different techniques in the investigated schemes. As shown in this fig-
ure, most of the studied schemes use fuzzy supervised and unsupervised learning methods to identify anomalies and con-
front DDoS attacks. Since unsupervised learning-based DDoS detection methods do not require any training, they are much
faster than the supervised detection approaches, but the latter provides more accuracy in detecting anomalies and attacks.
The number of the schemes that have applied different fuzzy algorithms in the fuzzy supervised learning and fuzzy unsu-
pervised learning-based categories are depicted in Fig. 11. As shown in this figure, different types of fuzzy ANN models and
FCM clustering algorithms are used by most investigated schemes to deal with DDoS attacks and network anomalies.
Nonetheless, the security schemes that utilize the fuzzy ANN models should deal with the overfitting problem, especially

Table 7
The properties of the FIS-based anomaly intrusion detection schemes.

Ref. Pub. Dataset Names Simulation Factors Membership Restrictions

Year Function
[44] 2019 Synthetic traffic Abnormal detection rate N/A It was not compared with other
intrusion detection metrics and
other anomalies.
[42] 2020 CICDDoS 2019 Precision, Accuracy, Triangular It cannot distinguish DDoS attacks
ROC curve, Gaussian originating the flash crowd; only
False-positive rate, one dataset was used in
Recall, F-measure experiments.
[43] 2020 CICDDoS 2019 Recall, Precision, Triangular This method was evaluated
AUC rates, against other DDoS attacks in
False-positive rate different SDN topologies.
[49] 2020 DDoS 2007 dataset, the traffic False alarm rate, N/A N/A
traces from the trans-Pacific Detection rate
backbone link, Witty Worm
dataset
[45] 2021 Self-collected dataset Recall, Accuracy, Triangular N/A
F-Measure, precision,
False-positive rate,
True-positive rate
[46] 2021 Self-collected Confusion matrix, This scheme was not evaluated
F1-score, with the standard IDDS and DDoS
Precision, Recall attacks datasets.
[47] 2021 NSL-KDD F-measure, recall, and precision Gaussian A legacy dataset was employed for
testing this scheme.
[48] 2022 N/A Network lifetime, number of alive nodes, Triangular, Standard datasets were not
packet drop rate, energy consumption, Gaussian applied for the evaluation of this
response time, buffer usage, detection rate, and scheme.
execution time

332
D. Javaheri, S. Gorgin, Jeong-A Lee et al. Information Sciences 626 (2023) 315–338

Fig. 10. The percentage of the applied fuzzy techniques.

Fig. 11. The number of fuzzy methods applied in the fuzzy supervised and unsupervised learning-based schemes.

when the fuzzy ANN models have many parameters to be tuned. Clustering methods such as FCM are very fast and incur very
low overhead because they do not need any training. This makes them ideal for low-powered environments, as well as cases
where there is a lack of labeled data. Nonetheless, they suffer from a high false positive rate and are sensitive to the initial
data. Therefore, most clustering-based methods try to improve the clustering method by using, for instance, metaheuristic
algorithms and achieve better results.
In the following, the anomaly detection datasets applied in the studied fuzzy logic-based DDoS detection and anomaly
detection methods are indicated in Fig. 12. As shown in this figure, the majority of the approaches have used KDD-
Cup’99, synthetic, and self-collected datasets. In addition, few schemes have used the new datasets, such as UNSW-NB15
and CICDDoS datasets. The important issue in this context is that almost 69 % of the investigated approaches have used only
one dataset, 26 % have used two datasets, and only 5 % have used three or more datasets in their evaluations.
The percentage of FLC types used in the examined frameworks is shown in Fig. 13. As shown in this chart, Mamdani FLC
has been the most widely used fuzzy DDoS detection and anomaly detection approach due to its simplicity and efficiency.
Additionally, Fig. 14 lists the number of various membership functions used in a few fuzzy anomaly detection techniques,
which has helped shed light on the specifics of their fuzzy methodology.
Besides, the percentage of fuzzy DDoS detection and anomaly detection systems is shown in Fig. 15. Considering this fig-
ure, it is evident that merely a few fuzzy DDoS detection systems have been presented so far, and the majority of the schemes

333
D. Javaheri, S. Gorgin, Jeong-A Lee et al. Information Sciences 626 (2023) 315–338

Fig. 12. The datasets used in the studied anomaly detection methods.

Fig. 13. The percentage of the FLC types used in the studied methods.

are devoted to dealing with anomaly detection issues. Therefore, more efforts might be made to further enhance fuzzy DDoS
detection techniques.
At the end of this section, Table 8 indicates a comparison from various perspectives between the IDS models that have
employed various datasets, including CICDDoS, NSL-KDD, and KDD-Cup’99, to evaluate their proposed solutions.
Furthermore, it can be concluded that, in addition to the accuracy of detection and performance, the energy consumption
of intrusion detection systems should be taken into account due to rapid advances and the pervasive nature of wireless envi-
ronments like wireless sensor networks, as well as new smart battery-powered devices. The usage of these devices and wire-
less communications have become more frequent than ever with emerging new smart cities and the Internet of Things.

6. Conclusions and future researches directions

Albeit rapid advances in information technology and artificial intelligence has offered many facilities, including ease of
access and high availability, they caused a paradigm shift in cybersecurity threats. The large number of daily cyber-
attacks indicates that computer systems and networks are highly vulnerable to cybersecurity threats. Anomaly detection
systems have played a critical role in the security of organizations and businesses by finding new and Zero-day malicious
behavior and cyber-attacks. These systems employ AI-powered models to learn the normal profiles and behavioral patterns
and identify any deviation from such patterns as anomalies. However, distinguishing between normal and suspicious behav-
334
D. Javaheri, S. Gorgin, Jeong-A Lee et al. Information Sciences 626 (2023) 315–338

Fig. 14. The number of the schemes that have applied different membership functions.

Fig. 15. The percentage of anomaly detection and DDoS detection schemes.

Table 8
A Comparison of the IDS schemes applying different datasets.

Ref. Dataset Name Accuracy Rate Detection Rate False-positive Rate Precision Recall F-value
[42] CICDDoS 89.03 – – 88.65 26.46 92.28
[43] – – 2.2 97.89 93.13 –
[19] NSL-KDD 97.41 95.80 3.45 – – –
[29] 94.54 – – – – –
[38] – 97.59 1.05 – – –
[20] KDD-Cup’99 93.811 % 97.200 – 94.981 93.833 –
[22] – – – – –
[26] 93.811 97.200 – 94.981 93.833 –
[36] 75.24 – 6.73 – – –

ior patterns is difficult in today’s large-scale networks and the sheer amount of data production. In this paper, we conducted
a systematic literature review and comprehensive survey on recent advances have made in the area of anomaly-based intru-
sion detection systems that employ fuzzy logic to correlate network behavioral features. This paper also presented a new
hierarchy to categorize various types of DDoS attacks based on their internal mechanism and technology. Our findings indi-
cated that fuzzy logic could effectively be incorporated into a wide variety of network anomaly detection schemes as a highly
reliable solution with the purpose of increasing the accuracy of intrusion detection while the performance of the network is
maintained.
Over recent years, cyber-attacks led to billions of dollars in financial loss to companies, businesses, individuals, univer-
sities, and even hospitals, while most victims were well-equipped with intrusion detection and anti-malware devices. The

335
D. Javaheri, S. Gorgin, Jeong-A Lee et al. Information Sciences 626 (2023) 315–338

underlying reason is that there were several gaps and security holes in the secure configuration of defensive devices. The key
findings and outcomes of this survey paper pave the way to implement novel generations of anomaly-based intrusion detec-
tion systems and tackle a wide range of challenges and gaps that exist in the current intrusion detection systems and meth-
ods. Providing the most effective and best-offered defensive strategies, this paper’s recommendations are highly beneficial
for institutions, enterprises, and governmental agencies to mitigate cyber threats and make their digital data more secure
and their business more sustainable.

6.1. Future perspectives

Although the fuzzy DDoS detection and anomaly detection domains are studied deeply and thoroughly, some limitations
and issues can be considered for the next study:

Low run-time complexity should be a requirement for real-time anomaly detection methods. Therefore, it is important to
explore and develop new, low-cost methods in the future.

The performance of the fuzzy anomaly detection schemes is decreased by a large amount of data and high dimensionality
found in the anomaly detection datasets. In that case, the features used for detecting different anomalies can be investi-
gated, and in various datasets, important features can be recognized and prioritized to be used in the anomaly detection
process. Thus, further research on the feature selection/extraction methods should be conducted, and new methods
should be devised to find the best features with the lowest possible overhead.

The investigated fuzzy schemes have often used the Mamdani-based FLCs, and very few have used the Sugeno FLCs. Con-
sequently, Sugeno FLCs can be further focused on in the future.

A few anomaly intrusion detection techniques have used type-2 fuzzy sets, but the majority of the schemes under study
have used type-1 fuzzy sets. Consequently, type-2 fuzzy sets should be studied in future research.

Only a small number of the numerous novel metaheuristic algorithms proposed in the literature have been applied to
adjusting the FIS’s parameters or locating fuzzy rules. Thus, the future generation of fuzzy anomalous intrusion detection
frameworks should make use of more recent metaheuristic algorithms, especially multi-objective ones.

Network intrusion detection systems protect organizations whose operations are evolving and changing from time to
time. Ideally, network anomaly detection approaches should deal with such changes; otherwise, their false-positive rate
will increase. Although a few methods, such as incremental learning, are provided for dealing with such issues, this issue
must be investigated further in subsequent studies.

Only a few investigated frameworks are specially designed for environments such as cloud computing, SDNs, WSNs,
WBANs, IoT, etc. Thus, environment-specific anomaly detection approaches should be further studied regarding the IT
domain’s rapid developments. For this purpose, environment-specific datasets are also needed to evaluate these new
methods.

Other machine learning and data mining methods can be integrated with them to further enhance the fuzzy network
anomaly detection process and cover the possible limitations of the fuzzy solutions.

Most fuzzy network anomaly detection approaches apply the genetic algorithm to produce rules and collect a compact set
of them. However, the other metaheuristic algorithms are not involved in this context, which should be addressed in
future fuzzy anomaly detection approaches.

Failing to deal with encrypted traffic is one of the common vulnerabilities of the security components such as firewalls
and intrusion detection systems. In this context, only a few network anomaly detection models are developed to deal with
anomalies in encrypted traffic. Thus, further research in this domain seems necessary.

Clustering is an unsupervised learning method that has been successfully integrated into various steps of anomaly detec-
tion methods. However, most applied clustering algorithms need to know the number of clusters to prove helpful. Thus,
in future studies, auto-clustering and dynamically determining the number of clusters should be further investigated.

Regarding the architectural style, from the studied fuzzy anomaly detection schemes, one can conclude that most of them
are centralized, and few studies enjoy a distributed architecture. Thus, regarding the distributed nature of computer net-
works, distributed fuzzy network anomaly detection schemes should be focused on in subsequent studies to deal with a
broader range of network anomalies.

Challenging issues in the DDoS attacks detection domain, such as distinguishing DDoS attacks from the flash crowd,
should be further investigated in the subsequent fuzzy network anomaly detection schemes.

Different kinds of fuzzy deep learning techniques introduced in this survey can be beneficial for detecting various types of
DDoS attacks and anomaly detections in different environments.

Online training or incremental learning for continuous training of the DDoS and anomaly detection schemes should be
further investigated in the future.

The investigated schemes have often been evaluated on old datasets or un-standard self-collected datasets. Thus, a com-
plete set of experiments on standard and up-to-date datasets should be conducted in subsequent security studies. Also,
real network traces should be used to verify the achieved results.

Since very few schemes from the investigated ones addressed the imbalanced datasets problem, this problem can be
investigated and handled in the future.

336
D. Javaheri, S. Gorgin, Jeong-A Lee et al. Information Sciences 626 (2023) 315–338

Considering the emerging security attacks, new datasets should be created, or the existing ones should be updated to
thoroughly evaluate the new proposals in the DDoS attacks and anomaly detection contexts.

Data availability

No data was used for the research described in the article.

Declaration of Competing Interest

The authors declare that they have no known competing financial interests or personal relationships that could have
appeared to influence the work reported in this paper.

Acknowledgment

This research was supported by Basic Research Program through the National Research Foundation of Korea (NRF) funded
by the Ministry of Science and ICT (RS-2022-00166712).

References

[1] D. Javaheri, P. Lalbakhsh, M. Hosseinzadeh, A novel method for detecting future generations of targeted and metamorphic malware based on genetic
algorithm, IEEE Access 9 (2021) 69951–69970, https://doi.org/10.1109/ACCESS.2021.3077295.
[2] S.-W. Lee et al, Towards secure intrusion detection systems using deep learning techniques: comprehensive analysis and review, J. Netw. Comput.
Appl. 187 (2021), https://doi.org/10.1016/j.jnca.2021.103111 103111.
[3] M. Masdari, H. Khezri, A survey and taxonomy of the fuzzy signature-based intrusion detection systems, Appl. Soft Comput. (2020) 106301.
[4] K. Khan, A. Mehmood, S. Khan, M.A. Khan, Z. Iqbal, W.K. Mashwani, A survey on intrusion detection and prevention in wireless ad-hoc networks, J. Syst.
Archit. 105 (2020) 101701.
[5] Y. Hande, A. Muddana, A survey on intrusion detection system for software defined networks (SDN), Int. J. Business Data Commun. Network. (IJBDCN)
16 (1) (2020) 28–47.
[6] P. Wang, L.T. Yang, X. Nie, Z. Ren, J. Li, L. Kuang, Data-driven software defined network attack detection: state-of-the-art and perspectives, Inf. Sci. 513
(2020) 65–83, https://doi.org/10.1016/j.ins.2019.08.047.
[7] M. Ring, S. Wunderlich, D. Scheuring, D. Landes, A. Hotho, A survey of network-based intrusion detection data sets, Comput. Secur. 86 (2019) 147–167.
[8] T. Jafarian, M. Masdari, A. Ghaffari, K. Majidzadeh, A survey and classification of the security anomaly detection mechanisms in software defined
networks, Clust. Comput. (2020) 1–19.
[9] D. Kwon, H. Kim, J. Kim, S.C. Suh, I. Kim, K.J. Kim, A survey of deep learning-based network anomaly detection, Clust. Comput. (2019) 1–13.
[10] R. Chaganti, B. Bhushan, V. Ravi, A survey on Blockchain solutions in DDoS attacks mitigation: techniques, open challenges and future directions,
Comput. Commun. 197 (2023) 96–112, https://doi.org/10.1016/j.comcom.2022.10.026.
[11] Z. Shao, S. Yuan, Y. Wang, Adaptive online learning for IoT botnet detection, Inf. Sci. 574 (2021) 84–95, https://doi.org/10.1016/j.ins.2021.05.076.
[12] D. Javaheri, M. Hosseinzadeh, A.M. Rahmani, Detection and elimination of spyware and Ransomware by intercepting kernel-level system routines, IEEE
Access 6 (2018) 78321–78332, https://doi.org/10.1109/ACCESS.2018.2884964.
[13] H. He, W. Qi, H. Yan, J. Cheng, K. Shi, Adaptive fuzzy resilient control for switched systems with state constraints under deception attacks, Inf. Sci. 621
(2023) 596–610, https://doi.org/10.1016/j.ins.2022.11.074.
[14] H.I.H. Alsaadi, R.M. ALmuttari, O.N. Ucan, O. Bayat, An adapting soft computing model for intrusion detection system, Comput. Intell. 38 (3) (2022)
855–875.
[15] P. Beslin Pajila, E. Golden Julie, Y. Harold Robinson, ABAP: anchor node based DDoS attack detection using adaptive neuro-fuzzy inference system,
Wirel. Pers. Commun. (2022) 1–25.
[16] K. Vijayakumar, K. Pradeep Mohan Kumar, K. Kottilingam, T. Karthick, P. Vijayakumar, P. Ganeshkumar, An adaptive neuro-fuzzy logic based jamming
detection system in WSN, Soft. Comput. 23 (8) (2019) 2655–2667.
[17] B. Karthiga, D. Durairaj, N. Nawaz, T.K. Venkatasamy, G. Ramasamy, A. Hariharasudan, Intelligent Intrusion Detection System for VANET using machine
learning and deep learning approaches, Wirel. Commun. Mob. Comput. 2022 (2022).
[18] F. Farhin, I. Sultana, N. Islam, M.S. Kaiser, M.S. Rahman, M. Mahmud, Attack detection in internet of things using software defined network and fuzzy
neural network, in 2020 Joint 9th International Conference on Informatics, Electronics & Vision (ICIEV) and 2020 4th International Conference on
Imaging, Vision & Pattern Recognition (icIVPR), 2020: IEEE, pp. 1-6.
[19] S. Manimurugan, A.-Q. Majdi, M. Mohmmed, C. Narmatha, R. Varatharajan, Intrusion detection in networks using crow search optimization algorithm
with adaptive neuro-fuzzy inference system, Microprocess. Microsyst. 79 (2020) 103261.
[20] S. Velliangiri, H.M. Pandey, Fuzzy-Taylor-elephant herd optimization inspired Deep Belief Network for DDoS attack detection and comparison with
state-of-the-arts algorithms, Futur. Gener. Comput. Syst. (2020).
[21] L. Decker, D. Leite, L. Giommi, and D. Bonacorsi, Real-time anomaly detection in data centers for log-based predictive maintenance using an evolving
fuzzy-rule-based approach, in 2020 IEEE International Conference on Fuzzy Systems (FUZZ-IEEE), 2020: IEEE, pp. 1-8.
[22] S. Velliangiri, H.M. Pandey, Fuzzy-Taylor-elephant herd optimization inspired Deep Belief Network for DDoS attack detection and comparison with
state-of-the-arts algorithms, Futur. Gener. Comput. Syst. 110 (2020) 80–90.
[23] D. Javaheri, S. Gorgin, J.-A. Lee, M. Masdari, An improved discrete harris hawk optimization algorithm for efficient workflow scheduling in multi-fog
computing, Sustainable Comput. Inf. Syst. 36 (2022), https://doi.org/10.1016/j.suscom.2022.100787 100787.
[24] A. Alabdulatif, I. Khalil, H. Kumarage, A.Y. Zomaya, X. Yi, Privacy-preserving anomaly detection in the cloud for quality assured decision-making in
smart cities, J. Parallel Distrib. Comput. 127 (2019) 209–223.
[25] H. Fan, Data Monitoring and Anomaly Analysis for Information Systems based on Balanced Scorecard and Fuzzy Neural Network, in 2020 International
Conference on Inventive Computation Technologies (ICICT), 2020: IEEE, pp. 117-120.
[26] P.V. de Campos Souza, A.J. Guimarães, T.S. Rezende, V.J. Silva Araujo, V.S. Araujo, Detection of anomalies in large-scale cyberattacks using fuzzy neural
networks, AI 1 (1) (2020) 92–116.
[27] L. Fang, Y. Li, Z. Liu, C. Yin, M. Li, Z.J. Cao, A practical model based on anomaly detection for protecting medical IoT control services against external
attacks, IEEE Trans. Ind. Inf. 17 (6) (2020) 4260–4269.
[28] M. Almseidin, J. Al-Sawwa, M. Alkasassbeh, Anomaly-based intrusion detection system using fuzzy logic, in 2021 International Conference on
Information Technology (ICIT), 2021: IEEE, pp. 290-295.
[29] W. Guendouzi, A. Boukra, A new differential evolution algorithm for cooperative fuzzy rule mining: application to anomaly detection, Evol. Intel.
(2021) 1–12.

337
D. Javaheri, S. Gorgin, Jeong-A Lee et al. Information Sciences 626 (2023) 315–338

[30] Ç. Atesß, S. Özdel, E. Anarım, Graph–based anomaly detection using fuzzy clustering, in: International Conference on Intelligent and Fuzzy Systems,
Springer, 2019, pp. 338–345.
[31] M.H. Nadimi-Shahraki, H. Zamani, DMDE: Diversity-maintained multi-trial vector differential evolution algorithm for non-decomposition large-scale
global optimization, Expert Syst. Appl. 198 (2022), https://doi.org/10.1016/j.eswa.2022.116895 116895.
[32] R. Xiao, J. Su, X. Du, J. Jiang, X. Lin, L. Lin, SFAD: Toward effective anomaly detection based on session feature similarity, Knowl.-Based Syst. 165 (2019)
149–156.
[33] K. Selvakumar et al, Intelligent temporal classification and fuzzy rough set-based feature selection algorithm for intrusion detection system in WSNs,
Inf. Sci. 497 (2019) 77–90.
[34] X. Wang, H. Wang, Y. Wang, A density weighted fuzzy outlier clustering approach for class imbalanced learning, Neural Comput. Applic. 32 (16) (2020)
13035–13049.
[35] J. Liu et al, Adaptive intrusion detection via GA-GOGMM-based pattern learning with fuzzy rough set-based attribute selection, Expert Syst. Appl. 139
(2020) 112845.
[36] W. Haider, N. Moustafa, M. Keshk, A. Fernandez, K.-K.-R. Choo, A. Wahab, FGMC-HADS: Fuzzy Gaussian mixture-based correntropy models for
detecting zero-day attacks from linux systems, Comput. Secur. 96 (2020) 101906.
[37] P. Santhosh Kumar, L. Parthiban, Scalable anomaly detection for large-scale heterogeneous data in cloud using optimal elliptic curve cryptography and
gaussian kernel fuzzy C-means clustering, J. Circ., Syst. Comput. 29 (05) (2020) 2050074.
[38] S. Garg et al, En-ABC: An ensemble artificial bee colony based anomaly detection scheme for cloud environment, J. Parallel Distrib. Comput. 135 (2020)
219–233.
[39] D. Wang, Z. Shen, W. Wu, ‘‘A Fuzzy Clustering Based Anomaly Node Detection Method for Publish/Subscribe Distributed Systems,” in Journal of Physics:
Conference Series, 2021, vol. 1813, no. 1: IOP Publishing, p. 012046.
[40] S. Huang, Y. Guo, N. Yang, S. Zha, D. Liu, W. Fang, A weighted fuzzy C-means clustering method with density peak for anomaly detection in IoT-enabled
manufacturing process, J. Intell. Manuf. 32 (7) (2021) 1845–1861.
[41] S. Lu, J. Wu, R. Gu, W. Liu, M. Zhu, An anomaly detection parameter optimization algorithm for data center data, 2021 IEEE 5th Advanced Information
Technology, Electronic and Automation Control Conference (IAEAC), vol. 5, IEEE, 2021, pp. 1782–1785.
[42] G.F. Scaranti, L.F. Carvalho, S. Barbon, M.L. Proença, Artificial Immune Systems and Fuzzy Logic to Detect Flooding Attacks in Software-defined
networks, IEEE Access, 2020.
[43] M.P. Novaes, L.F. Carvalho, J. Lloret, M.L. Proença, Long short-term memory and fuzzy logic for anomaly detection and mitigation in software-defined
network environment, IEEE Access 8 (2020) 83765–83781.
[44] V.-T. Nguyen, T.-X. Nguyen, T.-M. Hoang, N.-L. Vu, ‘‘A new Anomaly Traffic Detection Based on Fuzzy Logic Approach in Wireless Sensor Networks,” in
Proceedings of the Tenth International Symposium on Information and Communication Technology, 2019, pp. 205-209.
[45] A. Alsirhani, S. Sampalli, P. Bodorik, DDoS detection system: Using a set of classification algorithms controlled by fuzzy logic system in apache spark,
IEEE Trans. Netw. Serv. Manag. 16 (3) (2019) 936–949.
[46] V. de Miranda Rios, P.R. Inácio, D. Magoni, M.M. Freire, Detection of reduction-of-quality DDoS attacks using Fuzzy Logic and machine learning
algorithms, Comput. Netw. 186 (2021) 107792.
[47] D. Srilatha, G.K. Shyam, Cloud-based intrusion detection using kernel fuzzy clustering and optimal type-2 fuzzy neural network, Clust. Comput. 24 (3)
(2021) 2657–2672.
[48] P. Pajila, E.G. Julie, Y.H. Robinson, FBDR-Fuzzy based DDoS attack Detection and Recovery mechanism for wireless sensor networks, Wirel. Pers.
Commun. 122 (4) (2022) 3053–3083.
[49] Y.-N. Wang, J. Wang, X. Fan, Y. Song, Network traffic anomaly detection algorithm based on intuitionistic fuzzy time series graph mining, IEEE Access 8
(2020) 63381–63389.
[50] X. Fan, Y. Wang, M. Zhang, Network traffic forecasting model based on long-term intuitionistic fuzzy time series, Inf. Sci. 506 (2020) 131–147, https://
doi.org/10.1016/j.ins.2019.08.023.

338