A Survey on Machine Learning Based Intrusion

Detection System for IoT Networks

Jai Prakash Kushwaha1*, Saumya Bhadauria1 and
Shashikala Tapaswi1
1* Department of Computer Science and Engineering, ABV-Indian
Institute of Information Technology and Management Gwalior, Morena
Link Road, Gwalior, 474015, Madhya Pradesh, India.

*Corresponding author(s). E-mail(s): [email protected];

Contributing authors: [email protected]; [email protected];

Abstract
The increasing adoption of Internet of Things (IoT) devices has increased security
threats, making intrusion detection systems (IDS) crucial in protecting IoT net-
works. Machine learning (ML) has emerged as a promising approach for detecting
intrusions in IoT networks due to its ability to learn from large amounts of data
and adapt to new threats. This survey paper provides an overview of the cur-
rent literature on ML-based IDS for IoT networks. The paper covers various ML
algorithms, techniques, and methodologies used for intrusion detection in IoT net-
works, including supervised, unsupervised, and semi-supervised approaches. The
survey also highlights the strengths and limitations of existing ML-based IDS,
challenges, and future research directions in this field. The outcomes of this sur-
vey paper will be of great value to researchers and may motivate them to address
current issues in the field of IoT security, providing a thorough understanding of
the current state of the art in ML-based IDS for IoT networks.

Keywords: Internet of Things, Intrusion Detection System, Security, Literature review

1 Introduction
With the expeditious development of communication networks and computers, the
Internet revolutionizes mankind’s life in the form of the Internet of Things (IoT). IoT is
a collection of electronic devices (like sensors, actuators, embedded systems, etc.) that

1
are connected and share information without human interaction. These devices are
uniquely identifiable over the internet [1]. IoT has revolutionized the way devices and
systems communicate with each other. It has made possible the inter-connectivity of
billions of devices and systems, creating smart homes, smart cities, and smart factories
[2][3]. IoT has various applications in human life like supply chains, smart homes,
smart healthcare, smart wearables, self-driven cars, smart industry, smart agriculture,
and many more as shown in Figure 1.

Fig. 1 Application of IoT.

IoT devices are very small in size and have various constraints like low storage,
low computational power, small battery, etc. These devices are vulnerable to cyber-
attacks that can compromise the confidentiality, integrity, and availability of connected
devices and networks. One can exploit the vulnerability and cause financial damage
and compromised IoT devices or networks can cause serious threats to human life. Due
to the constrained nature of IoT, we cannot use traditional security algorithms for
the security of IoT devices. Firewalls provide security to IoT devices and networks to
some extent but are insufficient to tackle new advanced attacks. An intrusion detection
system (IDS) is one of the efficient approaches for providing security to IoT devices and
networks [4]. IDS was first time introduced in 1980 by Jim Anderson [5]. Since then,
various IDS were developed to provide security to IoT networks and devices. However,
due to the rapid evolution of technology, the network size and devices are increasing
exponentially and cyber-attacks are also getting smarter with time which makes them
very difficult to detect. Due to this in an IoT network, each node is vulnerable to a
security threat that is a concern and needs security.
IDS has emerged as a critical technology to detect and mitigate cyber-attacks
on IoT networks. Traditional IDS approaches, such as signature-based detection and
anomaly-based detection, have limitations in terms of accuracy and scalability. With

2
the growth in the volume and complexity of IoT networks, there is a need for more
efficient and accurate IDS techniques. Machine learning (ML) has shown great poten-
tial in addressing these challenges by enabling automated and adaptive detection of
cyber-attacks. ML-based IDS for IoT networks can leverage the power of big data
analytics and advanced algorithms to detect and classify cyber-attacks accurately and
efficiently. ML-based IDS techniques can learn from past network traffic patterns and
identify deviations from the norm, which can be indicative of cyber-attacks.
There has been significant research in ML-based IDS for IoT networks in recent
years, and this paper aims to provide a comprehensive review of the state-of-the-art
in this field. In this paper, various ML-based IDS techniques, including supervised
learning, unsupervised and semi-supervised learning, and their applicability to IoT
networks have been discussed. Section 2 discusses the concept and classification of
IDS. In section 3 various literature are reviewed and their strength and weakness are
highlighted. In section 4 various evaluation metrics for IDS are discussed. Section 5
contains research problems in the field of ML-based IDS for IoT networks.

2 IDS: CONCEPT AND CLASSIFICATION

In this section firstly concept of IDS is discussed, later a detailed classification of IDS
has been provided.

2.1 Concept of IDS

An IDS is a security mechanism that is designed to detect and alert the adminis-
trator of any unauthorized or malicious activities in a network. An IoT IDS works
by monitoring the network traffic, analyzing packets, and detecting any suspicious or
anomalous behavior. The system can be configured to recognize specific types of secu-
rity threats and trigger an alert or take other remedial action in response. This helps
to ensure the security and reliability of the IoT networks [6] and prevent damage to
connected devices and data.

2.2 Classification of IDS

As shown in Figure 2, IDS can be categorized as follows:

2.2.1 Detection method based IDS

On the basis of Detection based IDS [7], we can classify IDS into four categories
Signature-based IDS, Anomaly-based IDS, Specification-Based IDS, and
Hybrid IDS.
• Signature-based IDS: in Signature-based IDS (SIDS) the old attack patterns are
stored in local storage and when any activity happens on a device then it matches
the stored attack pattern, if matched then an alarm is generated else it does nothing.
One of the disadvantages of using SIDS is it can only detect the old attack patterns
which already have happened. It cannot detect new attacks or mutation of old
attacks [8].

3
Fig. 2 Classification of IDS.

• Anomaly-based IDS: Anomaly-based IDS (AIDS) makes the profile of every gen-
uine activity. Any deviation from that profile is predicted as an Intrusion and the
alarm is triggered. One of the advantages of AIDS is it can detect new attacks.
Anomaly-based IDS has one disadvantage: it can generate a high number of false
alarm rates [9].
• Specification-based IDS: Specification-Based Intrusion Detection System (IDS)
is a type of IDS that detects malicious activity by comparing network traffic or sys-
tem behavior against a pre-defined set of rules or specifications [10]. This rule and
threshold are manually defined by a human expert. The rules or specifications can
be based on factors such as known attack patterns, system configuration policies, or
behavioral anomalies. One of the main disadvantages of a Specification Based Intru-
sion Detection System (IDS) is its dependence on pre-defined rules or specifications
[11].
• Hybrid IDS: in Hybrid IDS, SIDS, and AIDS are combined to overcome the dis-
advantages of SIDS and AIDS [12]. AIDS helps to detect unknown attacks in IoT
networks and SIDS helps to detect well-known attacks in IoT networks. One of the
major advantages of this IDS is it reduces the false alarm rate.

2.2.2 Data based IDS

On the basis of data, IDS is classified into three categories Host-based IDS,
Network-based IDS, and Hybrid-based IDS.
• Host-based IDS: Host-based IDS (HIDS) is a security solution that monitors
activity on an individual computer or host. It detects and alerts malicious or sus-
picious behavior on that specific host. HIDS operates by analyzing system activity
logs, file changes, user account management, and other system-level events [13].

4
• Network-based IDS: Network-based Intrusion Detection System (NIDS) is a secu-
rity measure that diligently monitors and scrutinizes network traffic to identify and
provide alerts for any dubious or malevolent conduct. Differing from a host-based
IDS that functions at the host level, NIDS operates at the network level. [14].
• Hybrid-based IDS: Hybrid IDS combines the features of both HIDS and NIDS
to provide a comprehensive security solution [15]. It is also sometimes referred to
as Network-based and Host-based IDS (N-HIDS).

2.2.3 Time of Detection based IDS

Time of Detection-based IDS is classified into two categories Real-Time IDS and
Non-Real-Time IDS.
• Real-Time IDS: Real-time IDS monitors and analyzes network traffic for signs
of malicious activity in real-time. It operates by continuously monitoring network
traffic for suspicious activity and alerts network administrators or security teams
when it detects any potential threats [16]. Real-time IDS systems are designed to
detect various types of security threats, including malware, viruses, unauthorized
access attempts, and other security breaches. This IDS typically uses an integration
of signature-based and behavioral analysis techniques to detect and respond to
security threats.
• Non-Real-Time IDS: Non-Real-time IDS analyzes network traffic and system
logs to detect potential security threats or unauthorized activities after they have
occurred. Unlike real-time IDS systems that analyze traffic and events as they hap-
pen, Non-Real-time IDS systems are usually used for post-incident analysis and
forensics. Non-real-time Intrusion Detection Systems (IDS) are designed to function
by gathering information from different sources, including network devices, security
logs, and servers. The data obtained is then subjected to diverse methodologies such
as anomaly detection, signature-based detection, and statistical analysis with the
aim of identifying potential security threats [17].

2.2.4 Locality based IDS

Locality-based IDS can be classified into three categories Centralized, Distributed,
and Hierarchal.
• Centralized; Centralized IDS serves as a crucial security mechanism that metic-
ulously scrutinizes all network traffic to identify any potential threats that may
compromise the system’s security. Upon detection of any suspicious activity, the
IDS promptly notifies the security personnel, thus enabling them to take necessary
measures to prevent any further security breaches. In a centralized IDS, all moni-
toring and analysis are conducted in a single location, usually a security operations
center (SOC). Centralized IDS systems typically work by collecting network traffic
data from sensors placed strategically throughout the network, and analyzing that
data to detect malicious patterns of activity that could indicate an intrusion. The
data is then aggregated and analyzed in a centralized location, allowing security
analysts to identify and respond to threats more quickly and effectively [18]. One of
the main advantages of a centralized IDS is that it allows for a more holistic view

5
 of network activity, as all data is analyzed in a single location. This can make it
easier to detect malicious activity patterns and correlate information from different
sources to identify potential threats.
• Distributed: Distributed IDS placement is a technique used to improve the effi-
ciency and effectiveness of intrusion detection in large-scale networks. Instead of
relying on a single IDS to monitor the entire network, multiple IDS sensors are dis-
tributed throughout the network to provide more comprehensive coverage [19]. The
placement of IDS sensors in a distributed IDS system should be based on [20] net-
work topology, traffic volume, risk analysis, resource constraints, and redundancy.
By carefully considering these factors, organizations can deploy an effective and
efficient distributed IDS system that provides comprehensive coverage and detects
potential security threats in a timely manner.
• Hierarchal; Hierarchical IDS (Intrusion Detection System) is a type of IDS archi-
tecture where multiple IDS sensors are arranged in a hierarchical structure [21]. The
hierarchical structure consists of multiple tiers, with each tier responsible for moni-
toring a specific segment of the network. Each tier is connected to the tier above it
and the tier below it, forming a hierarchical chain. The main purpose of a hierarchi-
cal IDS is to efficiently manage and monitor large-scale networks. The hierarchical
architecture allows for the distribution of IDS sensors, which reduces the processing
load on individual sensors and provides a scalable and efficient solution for intrusion
detection.

2.2.5 Frequency uses based IDS

According to frequency uses IDS can be categorized into two categories Continuous
and Periodical.
• Continuous: this category of IDS monitors the network continuously for anomaly
detection.
• Periodical: this category of IDS monitors the network for a specific amount of time
for anomaly detection.

3 Literature Review
Machine learning (ML) algorithms have been widely used in IDS due to their ability to
identify patterns in data and detect previously unknown attacks. Several studies have
used machine learning algorithms for intrusion detection in IoT networks as shown in
Table 1.
In [22] author proposed a two-layer fog cloud intrusion detection system in which
for binary classification at the fog layer Feedforward neural network (FNN) with
stacked autoencoder is used and for multiclass classification, at the cloud layer five-
layer FNN is used. It gives better accuracy than existing techniques. Node failure is
an issue in this literature.
In [23] author proposed an efficient packet-based botnet detection method. This
approach consists of two stages development and deployment stage. In the development
stage data preprocessing will be done and in the deployment stage preprocessed data
is passed through XGBoost classifiers and detect whether the data is malicious or not,

6
it uses the explainable concept of machine learning for explainability. The model gives
better detection accuracy than existing work. This approach faces high computational
complexity issues.
In [24] author proposed an ensemble approach that works in two steps for anomaly
detection. In the first step, an extra tree classifier classifies incoming traffic as benign
or intrusive. In the second step, intrusive traffic is passed to the second step for multi-
class classification which consists ensemble classifier of Multilayer perceptron (MLP),
Random forest, and extra tree. The proposed approach gives good accuracy but the
model did not cover routing-based attacks and classification attacks.
In [25] author proposed machine learning-based IDS for IoT networks. Min-max
normalization is used to preprocess the dataset during the first step. Then in the second
step the normalized dataset feed into the principle component analysis (PCA) which
select the 10 most important component. The selected component is then applied to the
six ml algorithm XGB, Catboost, KNN, SVM, and QDA. This approach outperformed
the existing approach in terms of detection accuracy. In this approach, high training
time is an issue.
In [26] author proposed a machine-learning approach that works in a collaborative
manner for the early detection of IoT botnets. This approach used full-time series data
for early detection of IoT botnets. An executable file is executed in a sandbox envi-
ronment and corresponding behavior is recorded. Then these raw data is preprocessed
and important features are extracted. The selected most important features are then
applied to three ML ensemble classifiers in the form of a feature vector. The final out-
put gives the prediction. This approach gives better detection accuracy on minimum
available data. One limitation of this approach is it takes long time to record the data
in the sandbox environment.
In [27] author proposed a human immune-based IDS for fog computing. In this
approach at the fog layer, there are two kinds of nodes IDS nodes and fog nodes. IDS
nodes used an artificial neural network (ANN) for checking network flow, whether the
network traffic is malicious or benign. On the other hand, fog nodes use a statistical
approach for checking whether data traffic is malicious or not. When the fog node
detects any traffic malicious then pass the data to the IDS node which checks whether
the data traffic is malicious or not by using ANN. If the IDS node finds any data
traffic malicious then it verifies it through the Negative Selection Algorithm (NSA)
at the cloud layer. After the verification, if data traffic is found malicious then the IP
address of the data source will be blocked. A high false positive rate is an issue in this
approach.
In [28] author proposed a fog cloud hybrid approach for IoT security. It provides
threefold protection. First, to secure the communication channel of IoT devices, it uses
VPN. Second, it uses a ML based detection module to classify traffic as suspicious,
untrusted and trusted. Third, to protect the VPN server it uses challenge-response
authentication to authenticate suspicious traffic sources. One issue with this approach
is resource-demanding.
In [29] author presented an IDS to identify numerous attacks on IoT networks.
They use an integration of Particle Swarm Optimization (PSO) and Grey Wolf Opti-
mization (GWO) to extract important features from IoT networks. These extracted

7
features are then applied to a RF classifier which gives promising detection accuracy
on KDDCup99, CICIDS-2017, NSL-KDD datasets. In this research, the author did
not discuss the model’s computational complexity, which is a major issue in large-scale
networks.
In [30] author presented an innovative deep feed-forward neural network repeated
random sampling K-means (SDRK) model intended to detect intrusion in IoT
networks. The proposed methodology utilizes a combination of unsupervised and
supervised learning techniques to effectively train a classifier capable of detecting intru-
sions in IoT networks. This classifier is trained using a labeled dataset of known attacks
and a larger unlabeled dataset of normal network traffic. The authors conducted an
evaluation of the proposed approach using the NSL-KDD dataset and obtained highly
promising results. However, it should be noted that this evaluation only utilized a
single dataset, which may not be sufficient in representing all possible attacks.
In [31] author proposed a federated learning-based technique for the protection of
the fog layer and cloud layer in IoT networks named Fogfed. On the fog layer federated
binary classifier is used similarly at the cloud layer federated multiclass classifier is
used. Fogfed allows multiple fog nodes to collaborate and detect the intrusion in fog
nodes and try to mitigate it.
In [32] author proposed a disagreement-based semi-supervised and collaborative
learning-based IDS. This approach used try training algorithm for the labeling of the
dataset. The false alarm filtration method is also proposed in this literature which
minimizes false alarms in a collaborative environment. Finally, a disagreement-based
semi-supervised collaborative Intrusion detection is discussed in the literature in which
the challenge-response method is used for the authentication purpose of the collab-
orator. This approach will detect intrusion in a collaborative environment with few
labeled data. In both approaches, the advanced insider attack is an issue.
In [33] author proposed a Hybrid anomaly detection technique in which two
machine learning algorithm is used for the detection of an anomaly in the IoT net-
work. The author used Random forest for feature selection. The selected features were
then applied to the classification and regression tree (CART) for the prediction. This
method shows good performance but the false alarm rate is an issue with this approach.
Sometimes only one classifier is not enough for the learning of complex data so
we used an ensemble learning classifier which is a combination of three classifiers. It
enhances the detection accuracy and increased the robustness of the method.
In [34] author proposed a new ensemble learning technique in which naive Bayes,
logistic regression, and decision tree are deployed with a voting classifier. In this article,
hard voting is used which gives the prediction of the model.
In [35] author proposed a tree-based stacking ensemble method for the detection
of intrusion in IoT networks. Data is preprocessed and select important features using
the selectkbest model of sklearn. These selected features are then applied to the base
ensemble model which is made of DT, RF, and XGBoost. The output of the based
model constitutes a database for Metamodel which Is XGBoost. Metamodel will give
the final prediction. High cost is an issue with this approach.
In [36] author proposed an IDS, coined as UTEN-IDS. This unsupervised
technique-based UTEN-IDS is used to detect anomalies in the network. The proposed

8
methodology employs a combination of autoencoders and an Isolation Forest algorithm
in an ensemble fashion to attain superior classification performance and surmount the
constraints of supervised learning techniques. Computational overhead is an issue in
this literature.
In [29] author presented a novel IDS model that employs the techniques of feature
engineering and machine learning techniques. This is achieved through the integration
of Pearson Correlation Coefficient (PCC) and Isolation Forest (IF), thereby lower-
ing the prediction time and computational cost. The IDS performance is bolstered by
the Random Forest (RF) classifier. The effectiveness of the proposed model is eval-
uated using two datasets and demonstrates superior performance when compared to
corresponding models. Lack of scalability and lack of explanation is an issue in this
literature.
In [39] author proposed an ensemble method that is based on a modified pigeon-
inspired optimization (PIO). In this literature, local search-based PIO is used for
feature selection. The selected features are then applied to the ensemble module which
is the combination of IF, Local Outlier Factor (LOF) and one class support vector
machine (OC-SVM) The final weighted output gives the prediction of the model. This
approach gives a high false positive rate.

4 Evaluation Metric
In this section, a few evaluation metrics are discussed for the Machine learning model.
After reading various research papers few evaluation metrics are considered which are
very important to evaluate the performance of a machine learning model. It is not
necessary that one classifier performs well for all metrics, it may perform poorly for
other metrics. So aim of selecting a metric is to gain the maximum performance value
of the model. Focus is only on a few metrics which plays a significant role in prediction
[7].
• True Positive (TP): the data instances that are correctly classified as an attack
instance.
• True negative (TN): the data instances that are correctly classified as normal
instances.
• False Negative (FN): the data instance that is wrongly classified as a normal
instance.
• False Positive (FP): the data instance that is wrongly classified as a attack
instance.
• Accuracy (ACC): it is also called detection accuracy. It is the ratio of correctly
classified instances to the total no of instances in a dataset.
TP + TN
ACC = (1)
TP + TN + FP + FN
• Precision: due to an unbalanced dataset sometime an Ml model gives good accuracy
but when input is changed it will fail to perform. So it is necessary to use precision
evaluation matric. It will indicate how well the model classified an instance. Precision

9
 Table 1 Table - 1 Literature survey of ML-based IDS for IoT network

Authors Year Summary Technique Accuracy(%) Dataset Limitation

Li, W et al. 2020 Proposed a disagreement- Tri-training algo, 94.23 DARPA The advanced insider
[32] based semi-supervised and challenge-response attack is an issue and
collaborative learning- authentication Outdated dataset used
based IDS for IoT networks for evaluation

Chkirbene 2020 Proposed a Hybrid RF, CART 95.37 UNSW-NB15 High false alarm rate is
et al. [33] anomaly detection tech- an issue
nique for intrusion
detection in IoT network
Maharaja 2020 Proposed a threefold fog VPN, challenge- - Private data This approach is
et al. [32] cloud hybrid approach for based authentication resource-demanding
IoT security
Ravi et al. 2020 Presented a novel semi- k-means, DFNN 99.78 NSL-KDD evaluation is done on
[30] supervised model, namely a single dataset, which
SDRK which uses unsuper- may not be sufficient,
vised clustering techniques, not scalable for large
and DFNN to detect intru- network
sion in fog nodes. the aim
of this study is to pro-
vide security to fog layer
by using semi-supervised
techniques

10
Abbas et 2021 Proposed a new ensemble Naive Bayes, Logis- 88.94 CICIDS-2017 Evaluation is done only
al. [34] learning technique based tic regression, Deci- one dataset that is not
IDS for IoT networks sion tree enough

Keserwani 2021 Proposed an IDS to detect Particle Swarm Opti- 99.32 KDDCup’99, High computational
et al. [37] intrusion which uses a com- mization (PSO) and NSL-KDD, complexity
bination of Particle Swarm Grey Wolf Optimiza- CIC[1]IDS-
Optimization (PSO) and tion (GWO), RF 2017
Grey Wolf Optimization
(GWO) to extract impor-
tant features from IoT net-
works
Roy et al. 2022 Proposed a two-layer fog Stacked autoencoder 99 CICIDS2017, In the case of a node,
[22] cloud intrusion detection and ANN NSL-KDD failure creates an issue
system in which binary in classification
classification will be done
at the fog layer and mul-
ticlass classification will be
done at the cloud layer
Alani et al. 2022 Proposed an efficient XGBoost and SHAP 99.7 UNSW-NB15 High computational
[23] packet-based botnet detec- complexity and Eval-
tion method uation is done in only
one dataset
 Table 2 Table 1 (Continued)

Authors Year Summary Technique Accuracy(%) Dataset Limitation

De Souza 2022 Proposed a two-step Extra tree, Ensem- 99.81 NSL-KDD, Did not cover sink-
et al. [24] ensemble approach for ble classifiers (MLP CICIDS2018, holes, wormholes, and
anomaly detection in an + RF + Extra tree) Bot-IoT selective forwarding
IoT network attacks

Saheed et 2022 Proposed six machine PCA, XGBoost, Cat- 99.99 UNSWNB-15 High training Time
al. [25] learning-based lightweight Boost, KNN, SVM, and imbalance dataset
IDS for intrusion detection QDA
in IoT networks
Nguyen et 2022 Proposed a collaborative Ensemble classifier 99.37 Private dataset The process of record-
al. [26] machine learning approach (KNN+KNN+RF), ing the data in the
for early detection of IoT soft voting sandbox environ-
botnets ment is expected to
be a time-consuming
endeavor.

Aliyu et al. 2022 Proposed a human ANN, NSA 98.8 NSL-KDD Scalability is an issue
[27] immune-based IDS for fog in this literature
and cloud computing in
IoT
Abou et al. 2022 proposed an innovative FL, SVM 99 UNSW-NB15 Adversarial attacks,
[31] technique based on fed- poisoning attack is an
erated learning, aimed at issue
ensuring the protection of
both the cloud layer and
fog layer within the IoT

11
networks
Rashid et 2022 Proposed a tree-based Decision tree, 99.9 NSL-KDD, High cost is an issue
al. [35] stacking ensemble method Random Forest, UNSWNB-15 with this approach
for the detection of intru- XGBoost, soft voting
sion in IoT networks
Wang et al. 2022 Proposed an IDS, coined as Autoencoders, RF 99.9 NSL-KDD, High computational
[38] UTEN-IDS uses an Ensem- UNSW-NB15 complexity and old
ble of autoencoders and dataset used for evalu-
forest algorithms for intru- ation
sion detection
Alghanam 2023 Proposed an ensemble PIO, Ensemble mod- 97.2 BoT-IoT, This approach gives a
at el. [39] method that is based on ule (OC-SVM + IF + UNSW-NB15, high false positive rate
a modified pigeon-inspired LOF) NLS-KDD
optimization (PIO)
Mohy- 2023 Proposed an IDS for RF, PCC 99.3 Bot-IoT, Lack of scalability and
Eddin et the Industrial Internet NF-UNSW- lack of explanation
al. [29] of Things (IIoT). The NB15-v2
system’s architecture
incorporates the employ-
ment of an Isolation
Forest (IF) to effectively
isolate and remove out-
liers within the network.
Additionally, the system
utilizes Pearson’s Correla-
tion Coefficient (PCC) for
feature engineering, specif-
ically in the selection of
essential features.
 is the ratio of correctly predicted an instance as an attack to all the instances
predicated as an attack.
TP
P recision = (2)
TP + FP
• Recall: it is also called detection rate. It is the ratio of all correctly classified
instances as attacks to all instances that really attack.
TP
Recall = (3)
TP + FN
• F1-Score: the F1 score is a useful metric for IDS because it provides a balanced
measure of both precision and recall, which are both important for detecting poten-
tial security threats while minimizing false alarms. A high value of F1 score shows
that a model has both a high value of precision and a high value of recall, while a
low F1 score may show that a model that is either overly conservative (low recall)
or too aggressive (low precision) in detecting potential security threats.
TP + TN
F1-Score = (4)
TP + TN + FP + FN
• ROC (Receiver Operating Characteristic): binary classifier performance can
easily depicted by ROC curve. True positive rate (TPR) is plotted against False
Positive Rate (FPR) at various threshold values to create ROC curve [40]. The
formula for TPR and FPR are as follows

True Positive Rate (TPR) = TP/(TP + FN) (5)

False Positive Rate (F P R) = F P/(F P + T N ) (6)

5 Research Challenges and Future Scope

This section explains recent IoT trends and the issues or challenges faced by researchers
during their research in the field of IDS as shown in Figure 3. We hope it will help
and encourage researchers to work on scalable, efficient, accurate, and robust IDS for
IoT networks and devices.
1. Updates in detection model: training of the intrusion detection model based
on ML is an important aspect of research that deserves attention. It is impera-
tive to retrain the machine learning-based detection model over time to prevent
become outdated. In the context of IoT, the network changes continuously, with
new devices being added and others being removed. So it is required to collect the
data from the newly updated network and train the IDS model with newly updated
network data to detect truly abnormal behavior. It is imperative to consider that
the training procedure may entail a significant expenditure of resources and poten-
tially overwhelm the network. Typically, machine learning models are beset by high
complexity during the training stage, as they necessitate substantial amounts of
resources and time. In the context of IoT, devices are often subject to resource
constraints, therefore, the complexity associated with retraining detection models

12
 may pose a significant challenge. Federated learning-based approaches can play a
significant role to overcome this issue but they are vulnerable to threats like poi-
soning attacks [31], and internal attacks. Further investigations are imperative to
suggest detection methodologies that are less vulnerable to changes in the network
and more efficient, with the aim of optimizing detection models in reference to time
complexity and resource utilization.
2. Unavailability of properly updated dataset: IoT infrastructure faces advanced
attacks which are very lethal and very difficult to detect because we don’t have any
datasets that are updated with the latest attack data. If the dataset is updated
with the latest network attack data then we can train our model and detect attacks
easily. So it is the need of the era to build an updated dataset that has all possible
attack patterns. Building an updated dataset is not an easy task it requires huge
resources and time.

Fig. 3 Open issues and future directions.

3. Adversarial attacks: adversarial attacks are a significant threat to machine

learning-based IDS, as they can be used to bypass or compromise the system
[41]. Adversaries can use techniques such as evasion attacks, poisoning attacks,
and model inversion attacks to manipulate the training and testing data or the
machine learning model itself. However, some works [42–45] has been proposed for
the defence against adversarial attacks. The enhancement of a classifier’s robust-
ness through defense techniques may prove beneficial, but it may also lead to a
decline in its overall performance. Therefore, it is necessary to consider a trade-off
between robustness and performance, taking into account the specific scenario in
which the NIDS application is being utilized.

13
4. Countermeasures: the identification of an intrusion alone is deemed inadequate
in achieving optimal security. The IDS capability to execute measures aimed at
mitigating the invasion is indispensable in preventing its success. The majority of
the literature fails to provide a comprehensive mitigation strategy in response to
the identified attack. Furthermore, a significant number of the proposed counter-
measures only account for a particular type of attack or protocol, thus limiting
their applicability [32, 46, 47]. It has been observed that state-of-the-art works
in the field have not comprehensively addressed important considerations pertain-
ing to the implementation of countermeasures to mitigate existing attacks in IoT
environments. Thus, it is imperative to undertake efforts to distinctly identify the
categories of attacks and the corresponding mitigation strategies. It is pertinent
to note that an ideal approach to countermeasures would involve the execution of
specific measures for each attack rather than blocking of all traffic in response to
any security threat.
5. Scalability: as the amount of data generated by systems continues to increase, it’s
becoming more challenging for IDS to keep up. Ensuring that the system is scalable
and can handle large amounts of data is critical. So IDS must be able to work on
large networks and when the network is scaled up or scaled down it does not affect
the performance of IDS. In most of the state of the art work main focus was on
performance of IDS. Many of them [27, 29, 48, 49] face lack of scalability.
6. Real-Time Detection: accuracy and speed are major requirements for any IDS.
When we develop IDS, we must remember that IDS should be fast and respond
to the attack in real-time. Feature selection and optimization techniques can help
to make IDS lightweight that will detect intrusion in real-time. It is an important
subtopic for research.
7. Data privacy and confidentiality: IDS typically rely on sensitive data to detect
intrusions, such as network traffic, user behavior, or system logs. Ensuring the
privacy and confidentiality of this data is crucial, as it can contain sensitive infor-
mation that can be used by attackers to gain unauthorized access to the system.
IDS should maintain data privacy and confidentiality during communication.

6 Conclusion
This survey paper provides an extensive literature review of the latest research
article on ML-based IDS for IoT. Through a comprehensive literature review, this
paper has presented various machine learning techniques used in developing intru-
sion detection systems for IoT networks, including supervised, unsupervised, and
hybrid approaches. Additionally, this paper highlights the various challenges associ-
ated with using machine learning algorithms in intrusion detection systems for IoT
networks, such as data quality, updates in detection models, adversarial attacks, etc.
Despite these challenges, machine learning-based intrusion detection systems have
shown promising results in detecting and mitigating attacks on IoT networks. However,
still, there are some areas that require more research. Therefore, this paper has iden-
tified several open research areas and future directions for improving the effectiveness
and efficiency of these systems.

14
Compliance with ethical standards
Conflict of interest The authors declare that they have no confict of interest.

References
[1] Verma, J., Bhandari, A., Singh, G.: inids: Swot analysis and tows inferences of
state-of-the-art nids solutions for the development of intelligent network intrusion
detection system. Computer Communications (2022)

[2] Ramson, S.J., Vishnu, S., Shanmugam, M.: Applications of internet of things
(iot)–an overview. In: 2020 5th International Conference on Devices, Circuits and
Systems (ICDCS), pp. 92–95 (2020). IEEE

[3] Agarwal, V., Tapaswi, S., Chanak, P.: A survey on path planning techniques
for mobile sink in iot-enabled wireless sensor networks. Wireless Personal
Communications 119, 211–238 (2021)

[4] Ali, M., Maqsood, F., Hou, W., Wang, Z., Hameed, K., Zia, Q.: Machine
Learning-Based Malware Detection for IoT Devices: Understanding the Evolving
Threat Landscape and Strategies for Protection. https://doi.org/10.21203/rs.3.
rs-2754989/v1

[5] Debar, H.: An introduction to intrusion-detection systems. Proceedings of

Connect 2000 (2000)

[6] Albulayhi, K., Smadi, A.A., Sheldon, F.T., Abercrombie, R.K.: Iot intrusion
detection taxonomy, reference architecture, and analyses. Sensors 21(19), 6432
(2021)

[7] Hosseini, S., Sardo, S.R.: Network intrusion detection based on deep learning
method in internet of thing. Journal of Reliable Intelligent Environments (2022)
https://doi.org/10.1007/s40860-021-00169-8

[8] Liao, H.-J., Lin, C.-H.R., Lin, Y.-C., Tung, K.-Y.: Intrusion detection system:
A comprehensive review. Journal of Network and Computer Applications 36(1),
16–24 (2013)

[9] Debar, H.: An introduction to intrusion-detection systems. Proceedings of

Connect 2000 (2000)

[10] Alrajeh, N.A., Khan, S., Shams, B.: Intrusion detection systems in wireless sensor
networks: a review. International Journal of Distributed Sensor Networks 9(5),
167575 (2013)

[11] Mitchell, R., Chen, I.-R.: A survey of intrusion detection techniques for cyber-
physical systems. ACM Computing Surveys (CSUR) 46(4), 1–29 (2014)

15
[12] Raza, S., Wallgren, L., Voigt, T.: Svelte: Real-time intrusion detection in the
internet of things. Ad hoc networks 11(8), 2661–2674 (2013)

[13] Martins, I., Resende, J.S., Sousa, P.R., Silva, S., Antunes, L., Gama, J.: Host-
based ids: A review and open issues of an anomaly detection system in iot. Future
Generation Computer Systems (2022)

[14] Maseer, Z.K., Yusof, R., Bahaman, N., Mostafa, S.A., Foozy, C.F.M.: Bench-
marking of machine learning for anomaly based intrusion detection systems in
the cicids2017 dataset. IEEE access 9, 22351–22370 (2021)

[15] Tabassum, A., Erbad, A., Guizani, M.: A survey on recent approaches in intrusion
detection system in iots. In: 2019 15th International Wireless Communications &
Mobile Computing Conference (IWCMC), pp. 1190–1197 (2019). IEEE

[16] Belouch, M., El Hadaj, S., Idhammad, M.: Performance evaluation of intrusion
detection based on machine learning using apache spark. Procedia Computer
Science 127, 1–6 (2018)

[17] Dahiya, P., Srivastava, D.K.: Network intrusion detection in big dataset using
spark. Procedia computer science 132, 253–262 (2018)

[18] Lee, T.-H., Wen, C.-H., Chang, L.-H., Chiang, H.-S., Hsieh, M.-C.: A lightweight
intrusion detection scheme based on energy consumption analysis in 6low-
pan. In: Advanced Technologies, Embedded and Multimedia for Human-centric
Computing: HumanCom and EMC 2013, pp. 1205–1213 (2014). Springer

[19] Oh, D., Kim, D., Ro, W.W.: A malicious pattern detection engine for embedded
security systems in the internet of things. Sensors 14(12), 24188–24211 (2014)

[20] Zhang, W.: An improved wu-manber multiple patterns matching algorithm. In:
2016 IEEE International Conference on Electronic Information and Communica-
tion Technology (ICEICT), pp. 286–289 (2016). IEEE

[21] Rahman, M.A., Asyhari, A.T., Leong, L., Satrya, G., Tao, M.H., Zolkipli, M.:
Scalable machine learning-based intrusion detection system for iot-enabled smart
cities. Sustainable Cities and Society 61, 102324 (2020)

[22] Roy, S., Li, J., Bai, Y.: A two-layer fog-cloud intrusion detection model for iot
networks. Internet of Things 19, 100557 (2022)

[23] Alani, M.M.: Botstop: Packet-based efficient and explainable iot botnet detection
using machine learning. Computer Communications 193, 53–62 (2022)

[24] De Souza, C.A., Westphall, C.B., Machado, R.B.: Two-step ensemble approach
for intrusion detection and identification in iot and fog computing environments.
Computers & Electrical Engineering 98, 107694 (2022)

16
[25] Saheed, Y., Abiodun, A., Misra, S., Holone, M., Colomo-Palacios, R.: A machine
learning-based intrusion detection for detecting internet of things network attacks.
Alexandria Engineering Journal 61, 9395–9409 (2022) https://doi.org/10.1016/j.
aej.2022.02.063

[26] Nguyen, G.L., Dumba, B., Ngo, Q.-D., Le, H.-V., Nguyen, T.N.: A collaborative
approach to early detection of iot botnet. Computers Electrical Engineering 97,
107525 (2022) https://doi.org/10.1016/j.compeleceng.2021.107525

[27] Aliyu, F., Sheltami, T., Deriche, M., Nasser, N.: Human immune-based intrusion
detection and prevention system for fog computing. J. Netw. Syst. Manage. 30(1)
(2022) https://doi.org/10.1007/s10922-021-09616-6

[28] Maharaja, R., Iyer, P., Zilong, Y.: A hybrid fog-cloud approach for securing
the internet of things. Cluster Computing 23 (2020) https://doi.org/10.1007/
s10586-019-02935-z

[29] Mohy-Eddine, M., Guezzaz, A., Benkirane, S., Azrour, M., Farhaoui, Y.: An
ensemble learning based intrusion detection model for industrial iot security. Big
Data Mining and Analytics 6(3), 273–287 (2023)

[30] Ravi, N., Shalinie, S.M.: Semisupervised-learning-based security to detect and

mitigate intrusions in iot network. IEEE Internet of Things Journal 7(11), 11041–
11052 (2020)

[31] El Houda, Z.A., Khoukhi, L., Brik, B.: A low-latency fog-based framework to
secure iot applications using collaborative federated learning. In: 2022 IEEE 47th
Conference on Local Computer Networks (LCN), pp. 343–346 (2022). https://
doi.org/10.1109/LCN53696.2022.9843315

[32] Li, W., Meng, W., Au, M.H.: Enhancing collaborative intrusion detection via
disagreement-based semi-supervised learning in iot environments. Journal of Net-
work and Computer Applications 161, 102631 (2020) https://doi.org/10.1016/j.
jnca.2020.102631

[33] Chkirbene, Z., Eltanbouly, S., Bashendy, M., AlNaimi, N., Erbad, A.: Hybrid
machine learning for network anomaly intrusion detection. In: 2020 IEEE Inter-
national Conference on Informatics, IoT, and Enabling Technologies (ICIoT), pp.
163–170 (2020). https://doi.org/10.1109/ICIoT48696.2020.9089575

[34] Abbas, A., Khan, M.A., Latif, S., Ajaz, M., Shah, A.A., Ahmad, J.: A new
ensemble-based intrusion detection system for internet of things. Arabian Journal
for Science and Engineering, 1–15 (2021)

[35] Rashid, M., Kamruzzaman, J., Imam, T., Wibowo, S., Gordon, S.: A tree-based
stacking ensemble technique with feature selection for network intrusion detec-
tion. Applied Intelligence 52 (2022) https://doi.org/10.1007/s10489-021-02968-1

17
[36] Keserwani, P., Govil, M., Pilli, E., Govil, P.: A smart anomaly-based intrusion
detection system for the internet of things (iot) network using gwo–pso–rf model.
Journal of Reliable Intelligent Environments 7 (2021) https://doi.org/10.1007/
s40860-020-00126-x

[37] Keserwani, P.K., Govil, M.C., Pilli, E.S., Govil, P.: A smart anomaly-based intru-
sion detection system for the internet of things (iot) network using gwo–pso–rf
model. Journal of Reliable Intelligent Environments 7, 3–21 (2021)

[38] Wang, Y., Sun, G., Cao, X., Yang, J.: An intrusion detection system for the
internet of things based on the ensemble of unsupervised techniques. Wireless
Communications and Mobile Computing 2022 (2022)

[39] Alghanam, O.A., Almobaideen, W., Saadeh, M., Adwan, O.: An improved pio
feature selection algorithm for iot network intrusion detection system based on
ensemble learning. Expert Systems with Applications 213, 118745 (2023)

[40] Berwo, M.A., Khan, A., Fang, Y., Fahim, H., Javaid, S., Mahmood, J., Abideen,
Z.U., M.S., S.: Deep learning techniques for vehicle detection and classification
from images/videos: A survey. Sensors 23(10) (2023) https://doi.org/10.3390/
s23104832

[41] Shu, D., Leslie, N.O., Kamhoua, C.A., Tucker, C.S.: Generative adversarial
attacks against intrusion detection systems using active learning. In: Proceedings
of the 2nd ACM Workshop on Wireless Security and Machine Learning, pp. 1–6
(2020)

[42] Pawlicki, M., Choraś, M., Kozik, R.: Defending network intrusion detection sys-
tems against adversarial evasion attacks. Future Generation Computer Systems
110, 148–154 (2020) https://doi.org/10.1016/j.future.2020.04.013

[43] Pujari, M., Cherukuri, B.P., Javaid, A.Y., Sun, W.: An approach to improve the
robustness of machine learning based intrusion detection system models against
the carlini-wagner attack. In: 2022 IEEE International Conference on Cyber Secu-
rity and Resilience (CSR), pp. 62–67 (2022). https://doi.org/10.1109/CSR54599.
2022.9850306

[44] Jiang, H., Lin, J., Kang, H.: Fgmd: A robust detector against adversarial attacks
in the iot network. Future Generation Computer Systems 132, 194–210 (2022)
https://doi.org/10.1016/j.future.2022.02.019

[45] Apruzzese, G., Andreolini, M., Ferretti, L., Marchetti, M., Colajanni, M.: Mod-
eling realistic adversarial attacks against network intrusion detection systems.
Digital Threats 3(3) (2022) https://doi.org/10.1145/3469659

[46] Aliyu, F., Sheltami, T., Shakshuki, E.M.: A detection and prevention technique
for man in the middle attack in fog computing. Procedia Computer Science

18
 141, 24–31 (2018) https://doi.org/10.1016/j.procs.2018.10.125 . The 9th Inter-
national Conference on Emerging Ubiquitous Systems and Pervasive Networks
(EUSPN-2018) / The 8th International Conference on Current and Future Trends
of Information and Communication Technologies in Healthcare (ICTH-2018) /
Affiliated Workshops

[47] Priyadarshini, R., Barik, R.K.: A deep learning based intelligent framework to
mitigate ddos attack in fog environment. Journal of King Saud University - Com-
puter and Information Sciences 34(3), 825–831 (2022) https://doi.org/10.1016/
j.jksuci.2019.04.010

[48] Gautam, D., Bhadauria, S., Trivedi, A.: Malware analysis using modified genetic
algorithm in cyber-physical systems. In: 2022 IEEE 6th Conference on Informa-
tion and Communication Technology (CICT), pp. 1–5 (2022). https://doi.org/
10.1109/CICT56698.2022.9997991

[49] Kayode Saheed, Y., Idris Abiodun, A., Misra, S., Kristiansen Holone, M., Colomo-
Palacios, R.: A machine learning-based intrusion detection for detecting internet
of things network attacks. Alexandria Engineering Journal 61(12), 9395–9409
(2022) https://doi.org/10.1016/j.aej.2022.02.063

19