
Multi-Objective Optimization Algorithms For Intrusion Detection in IoT Networks A Systematic Review

The document discusses using multi-objective optimization algorithms to improve intrusion detection in Internet of Things networks. It provides a systematic review of existing research applying these algorithms for objectives like detection accuracy, false alarm rate, response time, and computational complexity. The paper also identifies current challenges and opportunities for future work in this area.


Internet of Things and Cyber-Physical Systems 4 (2024) 258–267

Contents lists available at ScienceDirect

Internet of Things and Cyber-Physical Systems


journal homepage: www.keaipublishing.com/en/journals/internet-of-things-and-cyber-physical-systems

Multi-objective optimization algorithms for intrusion detection in IoT networks: A systematic review

Shubhkirti Sharma a,*, Vijay Kumar b, Kamlesh Dutta a

a DoCSE, NIT, Hamirpur, 177005, HP, India
b DoIT, Dr B R Ambedkar NIT, Jalandhar, 144008, Punjab, India

ARTICLE INFO

Keywords: Multi-objective; Intrusion detection; IoT; Optimization

ABSTRACT

The significance of intrusion detection systems in networks has grown because of the digital revolution and increased operations. The intrusion detection method classifies the network traffic as threat or normal based on the data features. The Intrusion detection system faces a trade-off between various parameters such as detection accuracy, relevance, redundancy, false alarm rate, and other objectives. The paper presents a systematic review of intrusion detection in Internet of Things (IoT) networks using multi-objective optimization algorithms (MOA), to identify attempts at exploiting security vulnerabilities and reducing the chances of security attacks. MOAs provide a set of optimized solutions for the intrusion detection process in highly complex IoT networks. This paper presents the identification of multiple objectives of intrusion detection, comparative analysis of multi-objective algorithms for intrusion detection in IoT based on their approaches, and the datasets used for their evaluation. The multi-objective optimization algorithms show the encouraging potential in IoT networks to enhance multiple conflicting objectives for intrusion detection. Additionally, the current challenges and future research ideas are identified. In addition to demonstrating new advancements in intrusion detection techniques, this study attempts to identify research gaps that can be addressed while designing intrusion detection systems for IoT networks.

1. Introduction

Cyber-physical systems (CPS) along with IoT enable communication, handling, and monitoring of remote devices using the internet. IoT remote operation is possible with network infrastructure that enables the integration of devices to get better performance. These networks consist of interconnected sensors, gadgets, and devices that can exchange different types of data through the Internet without human intervention [1]. Large-scale exchanges of complex, real-time, high-dimensional, and functionally-physically diverse data and information sent between devices happen via the internet, making it vulnerable to attacks. Low-power, less computationally capable devices, obsolete assets (such as missed updates or incorrectly configured software, service, or device), complex environments, inconsistent security standards, etc. pose a threat to the security of IoT-based networks. Moreover, CPS usually has low risks because of security infrastructure availability, but its integration with IoT may introduce such risks [2]. Traditional intrusion detection methods like firewalls, encryption, access control, network segmentation, etc. are not suitable for IoT environments due to the various protocols and limited processing and storage capabilities of IoT devices [3]. To address security issues in IoT-based networks, abnormality or intrusion detection is one possible solution [4].

Intrusion detection is a practical proactive approach to identify malicious behavior in IoT networks and assure network security. The purpose of intrusion detection is to secure an IoT network by using different kinds of procedures to track, detect, evaluate, and handle any attacks or malicious behavior that threaten the security of the network [5]. Intrusion detection can either be host- or node-based, network-based or distributed based on placement strategy. The host-based approach detects intrusions at the node level and depends on its operating system to function accordingly. Host-based intrusion detection cannot detect some types of attacks because it is unable to read the packet headers. The network-based approach analyzes the network events to identify attacks. It uses a packet sniffer program that analyzes raw packets in a local network segment [6]. Based on detection strategy, intrusion detection can be categorized as signature-based and anomaly-based techniques. The signature-based intrusion detection techniques detect known patterns of attack using a set of rules, instances, decision chains, or data mining frameworks. These techniques use an existing database of previously intercepted attacks to detect attacks that need to be updated with

* Corresponding author.
E-mail address: [email protected] (S. Sharma).

https://doi.org/10.1016/j.iotcps.2024.01.003
Received 29 June 2023; Received in revised form 29 January 2024; Accepted 29 January 2024
Available online 10 February 2024
2667-3452/© 2024 The Authors. Published by Elsevier B.V. on behalf of KeAi Communications Co., Ltd. This is an open access article under the CC BY license (http://creativecommons.org/licenses/by/4.0/).
S. Sharma et al. Internet of Things and Cyber-Physical Systems 4 (2024) 258–267

time. Such techniques cannot identify unknown threats [7]. Anomaly-based intrusion detection techniques use a base database and check continuously for abnormal behavior of network activities to mark them as attacks using techniques like clustering, classification, etc. [8]. The increasing data, malicious behavior, and security attacks are a challenge for existing intrusion detection strategies as they require pre-processing a large number of attributes.

Intrusion detection techniques based on artificial intelligence have emerged as a promising solution to address these challenges, offering significant advantages over traditional methods in terms of adaptability to new threats and dynamic networks, pattern recognition to identify attack patterns in large amounts of data and real-time detection and response capabilities [9]. Intrusion Detection in IoT Networks involves the analysis of large complex datasets, but, the irrelevant or duplicate features can consume more resources like time and storage [4].

The primary fundamental design objectives of an intrusion detection approach are the reduction of false positive alarm occurrences and an improvement in detection accuracy. Both these goals have a trade-off relationship therefore intrusion detection is considered a multi-objective problem [10]. Therefore, that concept must be taken into account during the design and implementation of any intrusion detection approach. Feature selection solves this problem of large dimensions of network datasets by selecting the relevant features that best describe the dataset of a network and can support the classification process. In this study, features are the attributes or characteristics of network data that are utilized to identify intrusions [11]. Some of the features of data are arrival time of frame, Source or destination IP address, source/destination port, HTTP request/response, query, acknowledge flags, transaction identifier, etc. [12]. Multi-objective optimization (MO) based intrusion detection has become the dominant system in the intrusion detection research field in recent years [13]. Intrusion detection based on MO techniques is reliable and effective at spotting network threats. Such techniques not only detect a threat but also help to identify various attack classes or categories [14,73]. An MO technique is used to choose the most relevant features subset from the input data, which improves the overall performance of intrusion detection by reducing computational complexity, false alarms, and detection time, and increasing accuracy and detection rates [15].

1.1. Contribution

1. Multiple intrusion detection objectives for IoT networks are identified.
2. Meta-analysis of various multi-objective optimization algorithms and their implementation strategies for intrusion detection in IoT networks is carried out.
3. Several datasets utilized in intrusion detection for IoT networks are examined.
4. Various challenges and future directions are identified.

This study reviews the multi-objective algorithms for intrusion detection in IoT networks. Section 2 presents the multi-objective optimization for intrusion detection including the general steps utilized for intrusion detection followed by the multiple objectives used. The relevant work on applying multi-objective optimization algorithms for intrusion detection is covered in Section 3. Section 4 presents the datasets used in the detection of intrusion in IoT networks. Section 5 includes the discussions and analysis. Section 6 presents future research directions followed by concluding remarks.

2. Multi-objective optimization for intrusion detection

In IoT networks, the performance of intrusion detection based on accuracy, relevance, and redundancy could not always give better results because there may be a case where a false alarm and detection rate are low, yet accuracy is high. Also, when the number of features is decreased, classification accuracy will decrease. Hence, the problem of Intrusion detection is combinatorial and multi-objective in IoT networks and calls for the use of multi-objective optimization algorithms (MOA) that provide the best-optimized solutions in an automatic and timely manner. The MOAs are used for the optimization of features of network flow and packet information that lowers the false alarm rate, and increases classification accuracy, along with decreasing response time and computational complexity. Besides intrusion detection, MOAs have been used for feature selection in other applications such as engineering design optimization [74], biomedical data classification [75], image classification [76], data clustering and prediction [77], community detection in social media [78], image segmentation [79], etc.

2.1. General methodology for multi-objective intrusion detection

Intrusion detection using multi-objective optimization methods is shown in Fig. 1. The various steps involved in this method include data capturing, data pre-processing, data interpretation, model training, validating, and testing [63]. The data is captured either from datasets [47–61] or real network flow data.

When known data is collected, it is assessed using missing data handling [38], class balancing, normalization [39], scaling, encoding [64], or transformation techniques [62]. Missing data can be imputed using techniques like interpolation, Minkowski distance [65], and dropout [66]. AI-based algorithms usually perform better when the features are scaled to a similar range. Scaling techniques such as mean centering, variance scaling, and specified range scaling [67] are used to scale features with a comparable distribution and range. This step prevents some features from controlling the learning process based only on their magnitudes [68]. Transformation techniques can be categorized as one-hot encoding (binary) [6] and label encoding (categories with integer labels) [44]. Categorical variables are changed into numerical forms before being processed by algorithms. Feature selection or extraction of data happens after data assessment. Feature Selection and extraction [69] makes use of optimization algorithms to remove non-important features [70]. It is essential to complete uniform processing of the data before beginning data extraction, especially when using more recent datasets or actual traffic data. The feature selection procedure can be outlined as follows: generate an initial optimal feature subset; compare the generated feature subset against initial subsets; select the best feature subset; define a termination criterion; and validate findings [10]. While some approaches perform feature selection as a distinct step to improve the ability to describe data, others incorporate feature selection in the classification model-building and representation process [20].

The data will then be divided for testing and training. When supervised learning methods are used, data labeling is done by selecting the suitable label types. At the first level, labels can be an attack and normal. Attack categories such as Probe, Denial of service (DoS), and Distributed DoS can be labeled at the second level of data labels. In the third level, labels can be in the form of subcategories of the attacks like DoSHTTP, DoSTCP, DoSUDP, etc. This labeled data is then used further [71]. The classification model construction step is fundamental for both general use cases and basic methods. The classification model is first trained with a training set. Training the classification model is to find optimal parameters to maximize the performance. This process of multi-objective optimization is repeated to fine-tune the classification process. This classification is then tested using the testing data. The classifier gives a classification report as an output to classify normal traffic and attack instances [72]. In case the model is trained for multiclass classification then the output is in the form of attack classes. The model is assessed for performance using performance metrics such as accuracy, error rate, response time, etc.
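The trade-off described at the start of Section 2 (accuracy can be high while the detection rate is low) and the compare-and-select step of the feature-selection outline can be made concrete with Pareto dominance, the ranking that NSGA-II-style algorithms build on. The Python below is an added example, not code from the paper or from any reviewed work; the feature names, subset names and confusion counts are constructed (10,000 flows, 500 of them attacks), and it goes one step beyond the outline by ranking all candidate subsets into fronts instead of returning a single "best" subset.

```python
from dataclasses import dataclass

# Objective directions: accuracy and detection rate are maximized,
# false alarm rate and number of selected features are minimized.
MAXIMIZE = ("accuracy", "detection_rate")
MINIMIZE = ("false_alarm_rate", "n_features")

# Constructed feature names, loosely following the attributes the text lists.
ALL_FEATURES = (
    "frame_time", "src_ip", "dst_ip", "src_port", "dst_port", "http_request",
    "http_response", "query", "ack_flag", "transaction_id", "pkt_len", "proto",
)


@dataclass(frozen=True)
class Candidate:
    """One feature subset plus the confusion counts its classifier produced."""
    name: str
    features: tuple
    tp: int  # attacks labeled as attacks
    tn: int  # normal traffic labeled as normal
    fp: int  # normal traffic labeled as attack
    fn: int  # attacks labeled as normal

    def objectives(self):
        total = self.tp + self.tn + self.fp + self.fn
        return {
            "accuracy": (self.tp + self.tn) / total,
            "detection_rate": self.tp / (self.tp + self.fn),
            "false_alarm_rate": self.fp / (self.tn + self.fp),
            "n_features": len(self.features),
        }


def dominates(a, b):
    """True if objective dict a is no worse than b everywhere and better somewhere."""
    no_worse = (all(a[k] >= b[k] for k in MAXIMIZE)
                and all(a[k] <= b[k] for k in MINIMIZE))
    better = (any(a[k] > b[k] for k in MAXIMIZE)
              or any(a[k] < b[k] for k in MINIMIZE))
    return no_worse and better


def pareto_fronts(candidates):
    """Rank candidates into fronts; front 0 is the non-dominated set."""
    scores = {c.name: c.objectives() for c in candidates}
    remaining = [c.name for c in candidates]
    fronts = []
    while remaining:
        front = [n for n in remaining
                 if not any(dominates(scores[m], scores[n])
                            for m in remaining if m != n)]
        fronts.append(sorted(front))
        remaining = [n for n in remaining if n not in front]
    return fronts


def best_by_accuracy(candidates):
    """Single-objective choice, for comparison with the Pareto ranking."""
    return max(candidates, key=lambda c: c.objectives()["accuracy"])


# Constructed results for five candidate subsets on the same imbalanced test set.
CANDIDATES = [
    Candidate("all_12", ALL_FEATURES, tp=470, tn=9310, fp=190, fn=30),
    Candidate("ports_http_6", ALL_FEATURES[3:9], tp=455, tn=9405, fp=95, fn=45),
    Candidate("timing_flags_3", ("frame_time", "ack_flag", "transaction_id"),
              tp=380, tn=9498, fp=2, fn=120),
    Candidate("ports_2", ("src_port", "dst_port"), tp=200, tn=9405, fp=95, fn=300),
    Candidate("first_9", ALL_FEATURES[:9], tp=450, tn=9310, fp=190, fn=50),
]

if __name__ == "__main__":
    top = best_by_accuracy(CANDIDATES)
    print("highest accuracy:", top.name, top.objectives())
    for rank, front in enumerate(pareto_fronts(CANDIDATES)):
        print("front", rank, front)
```

The subset with the highest accuracy misses about a quarter of the attacks because normal traffic dominates the test set, which is why the front keeps several subsets and leaves the final choice to the operator's priorities.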


Fig. 1. Intrusion detection using multi-objective Algorithms in IoT networks.

2.2. Multiple objectives for intrusion detection

The multiple objectives of IoT network intrusion detection are listed in Table 1 along with the required values. These objectives have conflicting relations between them.

Classification Accuracy, also known as classification rate ($f_1$) is the ability to measure accurate identification of attacks and non-attack activities. It is calculated as shown in eq (1):

$$f_1 = \frac{T_p + T_n}{T_p + T_n + F_p + F_n} \tag{1}$$

Here $n$ is the number of features; $T_p$ represents a correctly labeled case of an attack. $T_n$ denotes a correctly labeled case of normal activity. $F_p$ illustrates the normal network activity wrongly labeled as an attack. $F_n$ denotes the attack case wrongly labeled as normal activity.

The detection rate ($f_2$) is also known as recall or sensitivity. It is defined as the number of attacks predicted ($T_p$) out of all the traffic cases in the dataset. The mathematical formulation of detection rate (DR) is as shown in eq (2):

$$f_2 = \frac{T_p}{T_p + F_n} \tag{2}$$

Precision ($f_3$) measures the precision of the classifier by calculating the number of true positive predictions among all positive predictions. It is calculated as in eq (3).

$$f_3 = \frac{T_p}{T_p + F_p} \tag{3}$$

False Alarm ($f_4$) rate measures the instances of attacks that were incorrectly chosen. False alarm rate (FAR) can be written mathematically as eq (4).

$$f_4 = \frac{F_p}{T_n + F_p} \tag{4}$$

Specificity ($f_5$) is the ability of the method to identify negative results. It is measured as the ratio of true negatives that were predicted as negative predictions. The mathematical formulation of specificity is as shown in eq (5):

$$f_5 = \frac{T_n}{T_n + F_p} \tag{5}$$

$F_6$ refers to the number of selected features in the subsets. $n_{min}$ and $n_{max}$ are the minimum and maximum number of features selected. Mathematically, these objectives can be represented as eq (6).

$$f_6 = \frac{n - f_s}{n_{max} - n_{min}} \tag{6}$$

Category detection $F_7$ refers to finding the relevance or type of intrusion (attack) that has been classified, such as DoS, DDoS, etc. Its mathematical representation is as in eq (7).

$$f_7 = \sum_{i=1}^{n} Y_i \times Fw_i \tag{7}$$

$Y_i$ represents whether a feature is selected (if $Y_i = 1$) or not (if $Y_i = 0$). $Fw_i$ is the weight of the ith feature.

Response time ($F_8$), memory usage ($F_9$), and computational complexity depend upon the specific method or algorithm used for implementing intrusion detection.

Table 1
Multiple-Objectives for intrusion detection in IoT networks.

| S.No | Objective | Desired values (Type of problem) |
|---|---|---|
| 1 | Classification accuracy (f1) | Largest possible (Maximization) |
| 2 | Detection rate/recall (f2) | Largest Possible (Maximization) |
| 3 | Precision (f3) | Largest Possible (Maximization) |
| 4 | False alarm/error rate (f4) | Lowest possible (Minimization) |
| 5 | Specificity (f5) | Largest Possible (Maximization) |
| 6 | Number of features (f6) | Lowest possible (Minimization) |
| 7 | Response time (f7) | Lowest possible (Minimization) |
| 8 | Memory usage (f8) | Lowest possible (Minimization) |
| 9 | Category Detection (f9) | Either true or false |

3. Related works

This section provides a review of multi-objective optimization algorithms for intrusion detection. This was conducted using established electronic databases Google Scholar, Taylor & Francis, MDPI, IEEE, etc. The articles used multi-objective optimization algorithms for intrusion detection that were published between 2018 and 2023. Intrusion detection is based on examining all the features of network packets to find patterns of intrusion, abuse, and interruption [16]. The feature selection method is considered one of the important techniques used for intrusion detection. Intrusion detection methods manage huge volumes of data that have random, repetitive, and redundant features [17].

Numerous multi-objective algorithms (MOA) have been used for intrusion detection in IoT networks. This section presents previous works on the use of MOA in intrusion detection. There are many MOAs used for feature selection and parameter reduction in intrusion detection. Table 2 shows the comparative analysis of multi-objective techniques in the detection of intrusion.

Table 2
Multi-objective optimization algorithms for Intrusion Detection.

| S.No | Technique | Objectives | Dataset(s) | Classifier(s) |
|---|---|---|---|---|
| 1 | Multi-objective immune algorithm [23] | Convergence speed of classification and classification accuracy | NSL-KDD and UNSW-NB15 | GHSOM-pr |
| 2 | Binary Whale Optimization Algorithm [27] | Classification accuracy and dimensional reduction | KDD CUP 99 | SVM |
| 3 | Elephant Herd optimization algorithm based on Levy Flight Strategy [28] | Optimization accuracy and convergence performance | KDD CUP 99 | SVM |
| 4 | Grasshopper optimization algorithm [29] | Running time and accuracy | KDD CUP 99 | SVM |
| 5 | Non-dominated sorting genetic algorithm-II with jumping gene [19] | Maximize relevance, classifier accuracy, recall, number of features, precision, minimize redundancy | CICIDS2017 | ELM |
| 6 | I-NSGA-III [20] | Increase classification accuracy and decrease computational complexity | Gure-KDD, KDDcup99, NSL-KDD | GHSOM-pr |
| 7 | Butterfly optimization algorithm [30] | Reduce features and increase classification accuracy | NSL-KDD | MLP |
| 8 | Transitory search optimization algorithm [31] | Accuracy, specificity, and sensitivity, F1 measure, and CPU time | KDDCup-99, BoT-IoT, NSL-KDD, and CICIDS2017 | Convolutional Neural Network (CNN) |
| 9 | Binary bacterial foraging optimization algorithm [32] | Feature selection, classification accuracy, hyper-parameter optimization | CICIDS2017, NSL-KDD 2015 | Gated Recurrent Unit (GRU) |
| 10 | Binary gray wolf optimization algorithm [33] | Decrease complexity, and number of parameters and increase accuracy | CICIDS2017, NSL-KDD | CNN |
| 11 | Chaotic Crow Search Algorithm [34] | Accuracy, detection rate, precision, false alarm rate, F-score and specificity | LITNET-2020 | KNN, DT, Random Forest (RF), SVM, MLP, and LSTM |
| 12 | Whale Optimization Algorithm [35] | Attack detection accuracy and computational complexity | KDD CUP 99 | Recurrent Neural Network |
| 13 | Flower-pollination Algorithm [36] | Feature selection and better convergence | UNSW-NB15, NSL-KDD | SVM, DT(ID3), RF |
| 14 | Firefly Algorithm [37] | Hyperparameter optimization and classification accuracy | UNSW-NB15 | ANN, KNN, LR, SVM, DT, XGBoost |
| 15 | Glow-worm swarm optimization algorithm (GSO) with Principal Component Analysis (PCA) [17] | Categorization and optimization | NSL-KDD | GSO |
| 16 | Hybrid Gorilla Troops Optimizer based on bird swarms Optimization Algorithm [11] | Feature selection and accuracy | NSL-KDD, CICIDS2017, UNSW-NB15 and BoT-IoT | KNN |
| 17 | Equilibrium Optimization Algorithm [38] | Precision, recall, F-measure, prediction accuracy, energy consumption, and storage utilization | NSL-KDD | ANN |
| 18 | Multi-objective Evolutionary Algorithm With accuracy emphasis [39] | Classification accuracy, Complexity | AWID and CIC-IDS2017 | CNN |
| 19 | Multi-objective Binary Bat Algorithm [6] | Feature selection and parameter optimization | NSL-KDD, ISCX-2012, UNSW-NB15, KDD-99, CICIDS2017 | MLP |
| 20 | NSGA-II with Chi-square, Pearson's correlation coefficient, and Mutual information [40] | Feature selection and accuracy | Ton-IoT | SVM |
| 21 | Honey Badger Optimization Algorithm [41] | Computational cost reduction and faster convergence | CIC-IDS2017 | ANN |
| 22 | Multi-objective genetic algorithm [42] | Mean squared error, average false-positive rate, and true-positive rate | KDDcup99 | Back-Propagation Neural Network (BPNN) |
| 23 | Improved teaching-learning-based optimization Algorithm [43] | Feature Selection, Accuracy | NSL-KDD, CICIDS 2017 | SVM |
| 24 | Intelligent Multi-objective PSO [44] | Detection Accuracy, false positive rate | KDD-99, NSL-KDD, CIDD | Multiclass SVM |
| 25 | Enhanced Multi-objective Capuchin Search Algorithm [45] | Detection Accuracy, no. of features | NSL-KDD, TON-IoT | RF, CNN |

Multi-objective Binary Bat Algorithm (MOBBA) [6] is used for feature selection with multiple objectives such as precision, accuracy, false alarm rate, detection rate, specificity, and sensitivity. High precision is equivalent to accuracy and detection rate. The study states that the number of features, error rate, and false alarm rate do not impact each other and are considered for the objective function. The highest weightage is assigned to the error rate followed by false alarm rate and the number of features respectively. For the KDD cup 1999 dataset the minimum features chosen is 17 with an average accuracy of 94.24%, detection rate of 96.09%, and false alarm rate of 0.0786. NSL-KDD dataset with 12 features achieved DT of 99.38%, false alarm rate of 0.0148, specificity of 98.51%, precision of 99.49%, and accuracy of 99.16%. ISCX-2012 dataset obtained 10 features, 99.14% accuracy, 98.98% detection rate, 0.0042 false alarm rate, 99.71% specificity, and 99.42% precision. For the UNSW-NB15 dataset, 13 features, 97.63% accuracy, 98.18% detection rate, 0.0326 false alarm rate, 96.74% specificity, and 97.99% precision values were obtained. For the CIC-IDS2017 dataset accuracy was 99.23%, detection rate was 99.26%, false alarm rate was 0.013, Specificity was 98.65, and precision was 99.92.
In [11], the GTO-BSA algorithm the performance comparison of
various algorithms was done in terms of accuracy, sensitivity, specificity,

261
S. Sharma et al. Internet of Things and Cyber-Physical Systems 4 (2024) 258–267

selected features, and computational time. The algorithm got 95.59% In [23], the multi-objective immune algorithm was used for feature
accuracy, 91.42% sensitivity, 97.38% specificity, 14.75 features, and selection. This algorithm was based on the elite selection, reference
10205.83 s of computational time for the NSL-KDD dataset. For vectors, and GHSOM-pr classifier. It can identify many attack types in
CICIDS-2017, the algorithm obtained 98.79 % accuracy, 97.26% sensi- NSL-KDD (U2R, DoS, Probe, R2L) and UNSW-NB15 (DoS, Backdoor,
tivity, 99.67% specificity, 10 features, and 2270.9 s of computational Exploits, Analysis, Fuzzers, Generic, Worms, Shellcode, Reconnaissance)
time.For the UNSW-NB15 dataset, the GTO-BSA algorithm achieved datasets. The objectives considered were convergence speed, classifica-
71.01% accuracy, 81.53% sensitivity, 87.70% specificity, 16.6 features, tion accuracy, and different types of attack. The algorithm obtained
and 161.23 s of computational time. The algorithm using the BoT-IoT 94.60 % accuracy, 95.11% precision, and 97.05% recall with 24 features
dataset got 94.85% accuracy, 99.28% sensitivity, 96.22% specificity, for NSL-KDD. In UNSW-NB15, the algorithm for 10 class classification got
2.5 features, and 145.74s of computational time. 10.63% false alarm rate, 95% accuracy, 95% precision, and 98% detec-
In [14], the multi-objective Harris hawks optimization with mutation tion rate.
mechanism has been used to detect intrusions (botnets) in IoT combined Kasongo and Sun [24] explored the XGBoost algorithm for feature
with the K-Nearest Neighbor (KNN), Multi-layer Perceptron (MLP), De- selection in intrusion detection. It utilized the UNSW-NB15 dataset.
cision Tree (DT), and Support Vector Machine (SVM) classifiers. The Artificial Neural Networks (ANN), KNN, DT, Logistic Regression (LR),
performance of the method was evaluated using datasets from UCI. and SVM classifiers were employed in this study. It demonstrated that
Glow-worm swarm optimization algorithm with principal component this method works well for majority classes but fails for minority classes.
analysis algorithm was used in Ref. [17], for intrusion detection. The Therefore, there is a need to increase the minority class occurrences in
proposed algorithm had a multi-class average detection rate of 95.12%, the training phase.
false alarm rate of 2.97%, accuracy of 93.90%, and precision of 91.90%. In [25], a hybrid machine learning approach using Naive Bayes and
In [18], the NSGA-II algorithm was used for optimizing mutual in- SVM was discussed. The NSL-KDD dataset was used and grouped into two
formation, standard deviation, and information gain to select over 19-30 categories, one contains all classes and the other group only contains
relevant features. KDD ‘99, Kyoto 2006þ, and NSL-KDD datasets are used R2L, U2R, and normal classes. Feature selection was applied on both
with SVM, DT, and KNN classifiers. This technique used an unsupervised layers using inter-sectional correlated feature selection and principal
approach and unlabelled information. For the KDD dataset, the algorithm component analysis. Layer1 checks for attacks, and if the attack is not
obtained a weighted average accuracy of 99.78%, a detection rate of detected, then data passes through layer2. The algorithm got 88.97%
99.27, a precision of 99.29, and 0.2 false alarm rate. For NSL-KDD, the accuracy, 88.17% precision, 93.11% detection rate, and 11.82% false
results were 99.83 accuracy, 99.16 detection rate, 98.73 precision, and alarm rate. for NSL- KDD dataset1. For the second dataset i.e. 20% of the
0.18 false alarm rate. Also, in the case of Kyoto 2006þ algorithm ob- original dataset got 87.55% accuracy, 88.16% precision, and 90.24%
tained 99.65% accuracy, 99.65% detection rate, 99.65% precision, and detection rate.
0.3 false alarm rate. Khanday et al. [26] presented a lightweight approach for intrusion
In [19], NSGA-II with the jumping gene method is used for maxi- detection. Different classifiers were used to detect distributed denial of
mizing relevance, accuracy, recall, and precision along with minimizing service (DDoS) attacks in IoT networks. BOT-IoT and TON-IoT network
redundancy and features over the CICIDS2017 dataset for DDoS attacks. datasets were used for analysis and experimentation. Attacks were clas-
The binary classifier Extreme Learning Machine (ELM) is used to extract sified in binary and multi-classes. For classification, 20 features are
features for the detection of distributed denial-of-service attacks. With 6 selected using decision trees and feature importance index methods. The
features, the algorithm obtained 99.9% accuracy, 79% relevance, 100% model obtained 98% accuracy, 98% precision, and 98% recall for binary
recall, 99.8% precision, 0.02 s runtime, and 0.19% redundancy of fea- classification using the BOT-IoT dataset. For the classification of DDoS
tures. The obtained results in all aspects considered were better with attacks, the model got 99% accuracy, 100% precision, and 100% recall.
feature selection than without feature selection. Considering the TON-IoT dataset, the model obtained 99% accuracy,
In [20], an improved multi-objective algorithm named NSGA-III is 100% precision, and 99% recall for binary classification and 99% accu-
presented to reduce the complexity and improve the classification ac- racy, 100% precision, and 100% recall for DDoS attack classification.
curacy. NSGA-III used a domination method, multi-target search, and Xu et al. [27] presented an intrusion detection model based on
bias selection process. Growing Hierarchical Self-Organizing Map is multi-objective feature selection using a binary whale optimization al-
utilized by employing a probabilistic relabeling (GHSOM-pr) classifier to distinguish both attack-related and non-attack-related data, as well as several attack types (U2R, R2L, Probe, DoS, and new attack types). This technique used the KDD '99 and Gure-KDD datasets. In the case of the Gure-KDD dataset, with 20 features, the algorithm got 92.96% average accuracy and 99.62% detection rate. For the KDD '99 dataset the performance obtained was 99.77% average accuracy and 99.37% detection rate.

In [21], a negative selection algorithm is used to identify botnet attacks. ISOT and ISCX benchmark datasets are used for experimentation. This method used CNN and long short-term memory (LSTM) as classifiers. This method used correlation for feature selection. It also changes the type/category of the features in the dataset such as those that are acceptable, safe, doubtful, unsafe, dangerous, fun, etc. The algorithm got 99% accuracy, 98% precision, and 100% recall values for 400k sample data.

In [22], a hybrid multi-objective approach based on Artificial Ecosystem and sine cosine algorithm was proposed. This method also utilized opposition-based learning, bit-wise, and disruption operators. KNN was used for the classification of attacks. The datasets utilized were from the UCI data repository. The algorithm got 98.5% accuracy, 0.014 false alarm rate, 98.6% specificity, 98.2% detection rate with 20 features.

gorithm. The paper utilized four datasets from the UCI database. For dataset 1, the algorithm obtained 98.49% accuracy using less than half i.e. 5 features. Algorithm with 4 features obtained 96.27% accuracy for dataset 2, and 95.79% accuracy for dataset 3. For the fourth dataset, the algorithm managed to obtain 96.86% accuracy using just 2% features. The algorithm was also analyzed using the KDD Cup 99 dataset, where the algorithm had an accuracy of 97.89% with just 5 features.

In [28], a levy flight-based elephant herd optimization algorithm was used. The algorithm focused on data size (memory) used to obtain better accuracy. KDD CUP 99 dataset was used for classification.

A multi-objective evolutionary algorithm was used in Ref. [39] for binary and multi-classification of intrusions. The model had 99.68% precision, and 99.98% recall values for Binary classification using AWID dataset. Using the same dataset for multi-classification, the algorithm had 99.5% precision, and 99.95% recall. For the CIC-IDS2017 dataset in binary classification, precision was 99.8% and recall was 99.75%. For multi-classification, the algorithm with some degradation got a minimum precision of 97.89% and a minimum recall of 20%.

The multi-objective particle swarm optimization algorithm used in Ref. [44] selected 16 features in the KDD cup dataset, 11 features in the Cloud Intrusion Detection Dataset (CIDD) dataset and 17 features in the NSL-KDD dataset. The algorithm had an average precision of 89.93%, an average recall of 83.825, an average training time of 14.95 s, and an average


testing time of 6.36 s.

In [73], the multi-objective quantum-based binary horse optimization algorithm obtained 99% accuracy, 99% precision, and 98% sensitivity score with the NSL-KDD dataset. With the CIC-IDS2018 dataset, it had 99.78% accuracy, 99.56% precision, and 98.87% sensitivity score. It considered eight features.

According to the analysis of data in Table 2, AI techniques have recently become more and more prevalent. The detection time for attack identification, detection, and classification accuracy are crucial in these strategies. To improve the efficiency and precision of intrusion detection, multi-objective optimization algorithms can be used. These algorithms can provide the optimal results more quickly for large datasets by reducing features. Also, these can be used for tuning the hyperparameters of the classifiers. This lessens the usage of computational space and power while improving complexity.

Table 3 summarizes various objectives considered by various algorithms by the respective researchers for intrusion detection as listed in Table 2. All the papers presented used at least two objectives for intrusion detection i.e. accuracy (f1) and number of features (f6). These objectives have conflicting relations. Intrusion detection methods are generally evaluated using datasets with actual network traces which are generally large. Larger datasets need greater time, processing, and memory. The size of such data/datasets is reduced by feature selection techniques which can decrease time but may compromise accuracy, detection rate, and false alarm rate [6,11]. Multiple classes of attacks can be detected to increase the accuracy and detection rate, but this will degrade the performance by increasing the training time, and complexity of the classification. Also, when hybrid intrusion detection methods are utilized to improve accuracy and reduce false positives, the complexity of the system increases [16]. This reflects a trade-off between various objectives. Hence, multi-objective optimization algorithms are a necessity of Intrusion detection techniques (see Table 4).

4. Datasets

Intrusion detection gets increasingly challenging as cyber-attacks become more advanced. To assess the performance of intrusion detection techniques, researchers need different types of datasets. Datasets are made up of the traffic information of the network, usually in the form of a table with rows representing event occurrences and columns representing network elements [46]. This information is either packet-based or flow-based. The packet-based information includes payload information, while the flow-based information includes data on network connections. For analyzing an intrusion detection method, identification of the key features is done so that different datasets can be compared side by side and similarities in those datasets for the specific situation of intrusion assessment can be found. Table 4 summarizes the datasets used for intrusion detection.

In addition to these datasets, IoT network traffic data can be obtained from various data repositories, including AZSecure, Contagiodump, IMPACT, DEFCON, Internet Traffic Archive, Kaggle, MAWI-Lab, OpenML, SecRepo, RIPE, VAST challenge, etc. Additionally, artificial intelligence (AI) tools such as Generative Adversarial Networks of frameworks like INSecS-DCS, GENESIDS, Moirai, etc. [61] can be used to change input traffic data by introducing attack patterns, or synthetic network traffic can also be created in this way.

5. Discussion and analysis

This study demonstrates how AI techniques significantly improve intrusion detection efficiency, and how crucial dataset quality is in determining how efficient a method will be. Many of the studies examined in this study employed labeled data for improving the training of the model. These AI-based methods, however, do not work well in the case of actual traffic data and unlabelled datasets. Thus, new methods must be adopted to get better solutions.
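
To make the conflict between accuracy (f1) and number of features (f6) noted in this review concrete, the following added Python example (not taken from the paper or from any surveyed work) scores every feature subset of a small constructed flow dataset with a nearest-centroid classifier and keeps only the Pareto-optimal subsets. The dataset, the feature names, the classifier, the false-alarm-rate objective and the use of exhaustive search in place of a metaheuristic are assumptions made for illustration.

```python
import itertools
import random

# Hypothetical feature names for a constructed flow dataset (not from the paper).
FEATURES = ["duration", "src_bytes", "dst_bytes", "syn_rate", "ttl", "pkt_var"]

def make_flows(n=400, seed=7):
    """Constructed sample data: list of (feature_vector, label), label 1 = attack."""
    rng = random.Random(seed)
    flows = []
    for _ in range(n):
        y = 1 if rng.random() < 0.3 else 0
        src = rng.gauss(5.0 if y else 3.0, 1.5)       # src_bytes: informative
        flows.append(([
            rng.gauss(3.5 if y else 3.0, 2.0),        # duration: weakly informative
            src,
            src + rng.gauss(0.0, 0.3),                # dst_bytes: redundant with src_bytes
            rng.gauss(6.0 if y else 2.0, 1.5),        # syn_rate: informative
            rng.gauss(4.0, 2.0),                      # ttl: noise
            rng.gauss(4.0, 3.0),                      # pkt_var: noise
        ], y))
    return flows

def evaluate(train, test, idx):
    """Objectives for one feature subset: (accuracy, false_alarm_rate, n_features)."""
    cent = {}
    for label in (0, 1):
        rows = [x for x, y in train if y == label]
        cent[label] = [sum(r[i] for r in rows) / max(len(rows), 1) for i in idx]
    tp = tn = fp = fn = 0
    for x, y in test:
        dist = {c: sum((x[i] - m) ** 2 for i, m in zip(idx, cent[c])) for c in (0, 1)}
        pred = 1 if dist[1] < dist[0] else 0
        if pred == 1 and y == 1:
            tp += 1
        elif pred == 1:
            fp += 1
        elif y == 1:
            fn += 1
        else:
            tn += 1
    accuracy = (tp + tn) / len(test)
    false_alarm_rate = fp / (fp + tn) if (fp + tn) else 0.0
    return accuracy, false_alarm_rate, len(idx)

def dominates(a, b):
    """True if objective vector a dominates b: no worse everywhere, better somewhere.
    Accuracy is maximised; false alarm rate and feature count are minimised."""
    no_worse = a[0] >= b[0] and a[1] <= b[1] and a[2] <= b[2]
    better = a[0] > b[0] or a[1] < b[1] or a[2] < b[2]
    return no_worse and better

def pareto_front(candidates):
    """Keep the candidates that no other candidate dominates."""
    return [c for c in candidates
            if not any(dominates(o["obj"], c["obj"]) for o in candidates)]

def search(n_flows=400, seed=7):
    """Evaluate all 2^6 - 1 subsets and return (all candidates, Pareto front)."""
    flows = make_flows(n_flows, seed)
    split = int(0.7 * len(flows))
    train, test = flows[:split], flows[split:]
    candidates = []
    for r in range(1, len(FEATURES) + 1):
        for idx in itertools.combinations(range(len(FEATURES)), r):
            candidates.append({"features": [FEATURES[i] for i in idx],
                               "obj": evaluate(train, test, idx)})
    return candidates, pareto_front(candidates)

if __name__ == "__main__":
    cands, front = search()
    print(f"{len(front)} of {len(cands)} subsets are Pareto-optimal")
    for c in sorted(front, key=lambda c: (c["obj"][2], -c["obj"][0])):
        acc, far, n = c["obj"]
        print(f"{n} features  acc={acc:.3f}  FAR={far:.3f}  {c['features']}")
```

The printed front is the set of compromises a single-objective search would hide: no listed subset can gain accuracy without a higher false alarm rate or more features.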
Table 3
Multiple objectives used for Intrusion Detection.

Ref.  f1  f2  f3  f4  f5  f6  f7  f8  f9
[6]   ✓   ✓   ✓   ✓   ✓   ✓   -   -   -
[11]  ✓   ✓   -   -   ✓   ✓   -   ✓   -
[14]  ✓   ✓   -   ✓   -   -   ✓   -   -
[17]  ✓   ✓   ✓   ✓   -   -   -   -   -
[18]  ✓   ✓   ✓   ✓   -   ✓   -   -   -
[19]  ✓   ✓   ✓   -   -   ✓   ✓   -   -
[20]  ✓   ✓   -   -   -   ✓   ✓   -   -
[21]  ✓   ✓   ✓   -   -   ✓   ✓   -   -
[22]  ✓   ✓   -   ✓   ✓   ✓   ✓   -   -
[23]  ✓   ✓   ✓   ✓   -   ✓   ✓   -   -
[24]  ✓   ✓   ✓   -   -   ✓   ✓   -   -
[25]  ✓   ✓   ✓   ✓   -   ✓   ✓   -   -
[26]  ✓   ✓   ✓   -   -   -   ✓   -   -
[27]  ✓   -   -   -   -   ✓   -   -   -
[28]  ✓   -   -   -   -   ✓   -   -   -
[29]  ✓   -   -   -   -   ✓   -   -   -
[30]  ✓   -   -   -   -   ✓   ✓   -   -
[31]  ✓   ✓   ✓   -   -   -   ✓   -   -
[32]  ✓   ✓   ✓   -   -   ✓   -   ✓   -
[33]  ✓   ✓   ✓   -   -   ✓   ✓   ✓   ✓
[34]  ✓   ✓   ✓   ✓   ✓   ✓   ✓   -   -
[35]  ✓   ✓   ✓   ✓   -   ✓   -   -   -
[36]  ✓   ✓   ✓   ✓   -   ✓   ✓   -   -
[37]  ✓   ✓   ✓   -   -   ✓   ✓   -   -
[38]  ✓   ✓   ✓   -   -   -   -   -   ✓
[39]  ✓   ✓   ✓   ✓   -   -   ✓   ✓   ✓
[40]  ✓   -   -   -   -   ✓   -   -   -
[41]  ✓   -   -   -   -   ✓   ✓   -   -
[42]  ✓   ✓   -   ✓   -   -   ✓   -   -
[43]  ✓   ✓   ✓   ✓   ✓   ✓   -   ✓   -
[44]  ✓   ✓   -   ✓   -   ✓   ✓   ✓   -
[45]  ✓   ✓   ✓   ✓   -   ✓   -   -   -
[47]  ✓   ✓   -   ✓   -   -   ✓   ✓   -
[49]  ✓   ✓   ✓   ✓   ✓   ✓   ✓   ✓   ✓
[73]  ✓   ✓   ✓   -   -   ✓   -   -   -

Optimization techniques are also currently being used for hyperparameter optimization in machine and deep learning methods. These have been proven to be effective in boosting the performance of these methods. Yet several issues, including computational time, memory usage, and the training process, still need to be resolved, to improve computational performance and decrease data analysis. AI-based methods learn to extract important feature subsets from datasets. Thus, intrusion detection systems must be trained with up-to-date actual network data frequently to make intrusion detection efficient against zero-day attacks. Additionally, this process requires more power, computational resources, and time for training an efficient model.

Techniques like feature selection or extraction can be used to reduce complexity or the amount of resources that complicated models require. Feature selection reduces computational complexity, removes redundant data features, reduces training time, and elevates the accuracy of deep learning and machine learning methods by simplifying data. The accuracy of intrusion detection heavily relies on effective feature selection. The complexity of a problem is proportional to the number of features. Feature selection helps in reducing the cost of acquiring data, model size, and training classification models, and improving the performance, and interpretability of classification models. The effectiveness of multi-objective optimization in feature extraction and selection has been demonstrated. Grid-based searches have proven to be useful in multi-objective optimization methods.

It can also be observed that many techniques make use of older datasets like KDD '99 and NSL-KDD, which are considered out of date, for testing their models. When these techniques were applied to recent datasets the accuracy and efficiency of the system decreased. The use of IoT and wireless devices has significantly increased in recent days, leading to the development of numerous new, strong attacks. So training on newer datasets and threats is important to demonstrate the effectiveness of modern new world networks. This was also related to the low detection of attack types with fewer instances in the dataset (referred to


as minor classes). This situation, known as the class imbalance problem, becomes significant when such minor class attacks emerge as zero-day attacks.

To solve this problem, datasets were divided into groups, with one group made up entirely of minor classes. Different classifiers were used for different groups [25]. Therefore, a hybrid approach can be considered to improve overall intrusion detection concerns. Current research in the intrusion detection field is focused on achieving minimal detection time, high detection accuracy, and identifying data features.

Table 4
Datasets for intrusion detection in IoT.

S.No | Dataset | Attacks Included | Properties
1 | DARPA 1998 [15] | Denial of Service (DOS), Probe, Remote to Local (R2L), User to Root (U2R) | Emulated traffic
2 | KDDCup99 [47] | Probe, DoS, U2R, R2L | Duplicate packet issue, emulated traffic, outdated
3 | Kyoto 2006 | Known Attacks, Unknown Attacks | Network-based real traffic flow labeled data from honey-pot network
4 | National Security Lab- Knowledge Discovery dataset (NSL-KDD) [48] | DoS, Escalation, Probe | Emulated traffic-labeled data, 41 features
5 | UNB-ISCX 2012 [49] | Brute Force, DoS, DDoS, XSS, Infiltration, SQL Injection, Portscan, and Botnet | Network-based emulated traffic-labeled data, 20 features
6 | UNSW-NB15 [8] | Backdoor, DoS, Fuzzers, Exploits, Generic, Analysis (Port scans), Shellcode, Reconnaissance, worms | Created under a synthetic environment, 45 features with 2540044 records
7 | CIC-IDS 2017 [4] | Brute Force (SSH-patator and FTP-Patator), HeartBleed, Bot, DoS, DDoS, Portscan (Web attack and Infiltration) | Network-based, emulated traffic labeled data, zero-day attacks, used profiling, 79 features
8 | CSE-CIC-IDS 2018 [50] | HeartBleed, DoS, Botnet, DDoS, Brute Force, Infiltration, Web | Network-based real traffic data, 80 features
9 | X-IIoTID [51] | Brute force, and the malicious insider, reverse shell, dictionary attack, and spoofing | Network-based
10 | WSN-DS [52] | DoS (Blackhole and Grayhole), Flooding and Scheduling | Wireless sensor network-based, 17 features, 374661 records
11 | ADFA-WD and ADFA-LD [53] | Adduser, java-meterpreter, Hydra FTP, hydra SSH, meterpreter, web-shell | Public access, actual military environment, Host-based real traffic labeled data, zero-day attacks
12 | Edge-IIoTset [54] | Flooding, spoofing, Information gathering (Portscan, OS fingerprinting, Injection, and Malware | Network-based
13 | CAIDA [55] | DDoS | Network-based real traffic unlabelled data, Limited data features, and attacks
14 | Botnet dataset For IoT (BoT-IoT) [56] | DoS, DDoS, key logging, Reconnaissance | Network-based, real traffic labeled data with IoT traces, zero-day attacks
15 | UNIBS [57] | DoS | Contain labels for application protocol only, attack scenarios focus on DoS
16 | Aegean Wi-Fi Intrusion Dataset (AWID) [39] | ReAssociation, RogueAP, de-authentication, disassociation, Kr00k, Krack, Brute force, SSH, Malware, Botnet, SQL Injection, Website spoofing, EvilTwin, and SSDP Amplification | Contain new multilayer labeled attacks for wifi networks, emulated traffic
17 | IoT-RPL [58] | Blackhole, Flooding, decreased Rank, Version-number | Contain labeled data specially for IoT environment
18 | TUIDS [59] | DoS, DDoS, Scan, probing, SSH brute force | Packet and flow level datasets, emulated traffic
19 | IoT-23 [60] | DoS, DDoS, botnet, XSS, PortScan, SQL injection, SYN flood | Network-based labeled data
20 | ToN-IoT [61] | DoS, DDoS, Ransomware, Backdoor, scanning, injection, Password, XSS, Man-in-the-middle | Diverse attack types, heterogeneous sources of data

6. Future research directions

This section discusses the challenges and future research ideas associated with intrusion detection in IoT networks.

6.1. Challenges

The safety, security, and the economy can all be severely harmed or negatively impacted by compromised intrusion detection techniques. Therefore, it is crucial to employ intrusion detection methods that have integrated security and guarantee speedy, reliable, and flexible performance. The following challenges associated with intrusion detection in IoT networks are identified.

1. Low detection accuracy in real-world environments. High false positive rates reduce effectiveness.
2. Encrypted traffic data particularly in private networks cannot be monitored.
3. Datasets lack multi-trust data due to the dynamic environment.
4. Less investigation was done on the attacker's behavior.
5. There is a trade-off between real-time effectiveness and efficiency.
6. IoT devices have limited resources like limited memory, computation power, bandwidth, etc. As a result, there is little information in log files, payload information, etc. for attack analysis.
7. The occurrence of false positives and false negatives increases the workload of security analysts and exposes potential gaps in security coverage. Intrusion detection based on AI techniques is utilized to increase detection accuracy, thus it is important to refine algorithms and system parameters. Also, the computational complexity of these algorithms is a challenge.
8. Selecting or developing an appropriate feature selection or extraction approach to get important features for intrusion detection in IoT networks is a challenging problem.
9. The improvement of intrusion detection accuracy and reduction of false alarm rate should not cause a rise in training and running time.
10. A significant difficulty is the development of a better intrusion detection method that can withstand multiple attacks.

6.2. Future research scope

1. The type of attack can be taken into consideration while studying effective multi-objective optimization algorithms for feature selection or extraction.


2. Comparisons and conclusions regarding the performance of the MO algorithms on recent datasets or actual data are possible. Different classification models can also be considered.
3. It is feasible to use a variety of data transformation and normalization methods.
4. Different computationally efficient multi-objective optimizers can be considered for intrusion detection with different datasets, and their performance can be tested for their capability in other optimization tasks, such as scheduling, parameter estimations, resource management, etc.
5. With the advancement of the techniques, new attacks also evolve. As a result, newer labeled datasets can be developed to include newer attacks in the IoT environment.
6. A structure that constructs new datasets by combining attributes selected by different feature selection and extraction techniques described in the literature can be suggested.
7. A hybrid intrusion detection approach using different classifiers on actual traffic data with different attack types can be proposed.

7. Conclusions

This paper conducted a thorough review and analysis of the various advances in the methodologies for intrusion detection in IoT networks. This paper discusses the existing security procedure and multiple objectives of the problem. There are many factors available for assessing the efficacy and performance of any approach, and it is not possible to decide by only considering a few of them. Moreover, it explains the role of multi-objective optimization algorithms for Intrusion detection in IoT networks. An additional crucial part of intrusion detection is a particular kind of dataset that needs to be properly chosen. Therefore, different datasets have been explored for various properties and attacks included. Moreover, various challenges and future work to investigate MOAs in the field of IoT intrusion detection are discussed. This study highlights the significance of multi-objective optimization of intrusion detection, while also introducing newcomers to the world of intrusion detection systems. In the future, a comparison of various feature reduction/selection techniques can be worked upon. Additionally, XAI techniques can be used for intrusion detection.

Funding

No grant from any funding agency was received for this study.

References

[1] H. Mittal, A.K. Tripathi, A.C. Pandey, M.D. Alshehri, M. Saraswat, R. Pal, A new intrusion detection method for cyber–physical system in emerging industrial IoT, Comput. Commun. 190 (2022) 24–35, https://doi.org/10.1016/j.comcom.2022.04.004.
[2] K. Kaushik, S. Dahiya, A. Bhardwaj, Y.E. Maleh, Internet of Things and Cyber-Physical Systems: Security and Forensics, first ed., CRC Press, 2022, https://doi.org/10.1201/9781003283003.
[3] A. Thakkar, R. Lohiya, A survey on intrusion detection system: feature selection, model, performance measures, application perspective, challenges, and future research directions, Artif. Intell. Rev. 55 (1) (2022), https://doi.org/10.1007/s10462-021-10037-9.
[4] R. Abdulhammed, H. Musafer, A. Alessa, M. Faezipour, A. Abuzneid, Features dimensionality reduction approaches for machine learning based network intrusion detection, Electronics 8 (3) (2019), https://doi.org/10.3390/electronics8030322.
[5] A. Thakkar, R. Lohiya, Attack classification using feature selection techniques: a comparative study, J. Ambient Intell. Hum. Comput. 12 (2020) 1249–1266.
[6] W.A.H.M. Ghanem, S.A.A. Ghaleb, A. Jantan, A.B. Nasser, A.M. Saleh, A. Ngah, A.C. Alhadi, H. Arshad, A.-M.H.Y. Saad, A.E. Omolara, Y.A.B. El-Ebiary, O.I. Abiodun, Cyber intrusion detection system based on a multi objective binary bat algorithm for feature selection and enhanced bat algorithm for parameter optimization in neural networks, IEEE Access 10 (2022) 76318–76339, https://doi.org/10.1109/ACCESS.2022.3192472.
[7] I.H. Hassan, A. Mohammed, M.A. Masama, Chapter 6 - metaheuristic algorithms in network intrusion detection, in: S. Mirjalili, A.H. Gandomi (Eds.), Comprehensive Metaheuristics, Academic Press, 2023, pp. 95–129, https://doi.org/10.1016/B978-0-323-91781-0.00006-5.
[8] S.M. Kasongo, Y. Sun, Performance analysis of intrusion detection systems using a feature selection method on the unsw-nb15 dataset, Journal of Big Data 7 (1) (2020) 105, https://doi.org/10.1186/s40537-020-00379-6.
[9] N. Moustafa, N. Koroniotis, M. Keshk, A.Y. Zomaya, Z. Tari, Explainable intrusion detection for cyber defenses in the Internet of things: Opportunities and solutions, IEEE Communications Surveys & Tutorials 25 (3) (2023) 1775–1807, https://doi.org/10.1109/COMST.2023.3280465.
[10] A.S. Eesa, Z. Orman, A.M.A. Brifcani, A novel feature-selection approach based on the cuttlefish optimization algorithm for intrusion detection systems, Expert Syst. Appl. 42 (5) (2015) 2670–2679, https://doi.org/10.1016/j.eswa.2014.11.009.
[11] S.S. Kareem, R.R. Mostafa, F.A. Hashim, H.M. El-Bakry, An effective feature selection model using hybrid metaheuristic algorithms for IoT intrusion detection, Sensors 22 (4) (2022), https://doi.org/10.3390/s22041396. URL: https://www.mdpi.com/1424-8220/22/4/1396.
[12] M. Prasad, R.K. Gupta, S. Tripathi, A multi-level correlation-based feature selection for intrusion detection, Arabian J. Sci. Eng. 47 (8) (2022) 10719–10729, https://doi.org/10.1007/s13369-022-06760-2.
[13] A. Azab, M. Khasawneh, S. Alrabaee, K.-K.R. Choo, M. Sarsour, Network traffic classification: Techniques, datasets, and challenges, Digital Communications and Networks (2022), https://doi.org/10.1016/j.dcan.2022.09.009.
[14] F.S. Gharehchopogh, B. Abdollahzadeh, S. Barshandeh, B. Arasteh, A multi-objective mutation-based dynamic Harris Hawks optimization for botnet detection in IoT, Internet of Things 24 (2023) 100952, https://doi.org/10.1016/j.iot.2023.100952. ISSN 2542-6605.
[15] H. Liu, B. Lang, Machine learning and deep learning methods for intrusion detection systems: a survey, Appl. Sci. 9 (20) (2019), https://doi.org/10.3390/app9204396. URL: https://www.mdpi.com/2076-3417/9/20/4396.
[16] Q. Al-Tashi, S.J. Abdulkadir, H.M. Rais, S. Mirjalili, H. Alhussian, M.G. Ragab, A. Alqushaibi, Binary multi-objective grey wolf optimizer for feature selection in classification, IEEE Access 8 (2020) 106247–106263, https://doi.org/10.1109/ACCESS.2020.3000040.
[17] C. Anusha, A. Sravani, J. Anusha, C. Lakshmi, G.S. Kumari, Intrusion detection system in IoT network by using metaheuristic algorithm with machine learning dimensional reduction technique, in: 2022 3rd International Conference on Computing, Analytics, and Networks (ICAN), 2022, pp. 1–6, https://doi.org/10.1109/ICAN56228.2022.10007341.
[18] C. Suman, S. Tripathy, S. Saha, Building an Effective Intrusion Detection System Using Unsupervised Feature Selection in a Multi-Objective Optimization Framework, CoRR abs/1905.06562, 2019, arXiv:1905.06562. URL: http://arxiv.org/abs/1905.06562.
[19] M. Roopak, G.Y. Tian, J. Chambers, Multi-objective-based feature selection for DDoS attack detection in IoT networks, IET Netw. 9 (3) (2020) 120–127, https://doi.org/10.1049/iet-net.2018.5206. URL: https://ietresearch.onlinelibrary.wiley.com/doi/pdf/10.1049/iet-net.2018.5206.
[20] Y. Zhu, J. Liang, J. Chen, Z. Ming, An improved nsga-iii algorithm for feature selection used in intrusion detection, Knowl. Base Syst. 116 (2017) 74–85, https://doi.org/10.1016/j.knosys.2016.10.030.
[21] S. Hosseini, A.E. Nezhad, H. Seilani, Botnet detection using negative selection algorithm, convolution neural network, and classification methods, Evolving Systems 13 (1) (2022) 101–115, https://doi.org/10.1007/s12530-020-09362-1.
[22] F. Hosseini, F.S. Gharehchopogh, M. Masdari, Moaeosca: an enhanced multi-objective hybrid artificial ecosystem-based optimization with sine cosine algorithm for feature selection in botnet detection in IoT, Multimed. Tool. Appl. 82 (9) (2023) 13369–13399, https://doi.org/10.1007/s11042-022-13836-6.
[23] W. Wei, S. Chen, Q. Lin, J. Ji, J. Chen, A multi-objective immune algorithm for intrusion feature selection, Appl. Soft Comput. 95 (2020) 106522, https://doi.org/10.1016/j.asoc.2020.106522.
[24] S.M. Kasongo, Y. Sun, Performance analysis of intrusion detection systems using a feature selection method on the unsw-nb15 dataset, Journal of Big Data 7 (1) (2020) 105, https://doi.org/10.1186/s40537-020-00379-6.
[25] T. Wisanwanichthan, M. Thammawichai, A double-layered hybrid approach for network intrusion detection system using combined naive Bayes and SVM, IEEE Access 9 (2021) 138432–138450, https://doi.org/10.1109/ACCESS.2021.3118573.
[26] S.A. Khanday, H. Fatima, N. Rakesh, Implementation of intrusion detection model for DDoS attacks in lightweight IoT networks, Expert Syst. Appl. 215 (2023) 119330, https://doi.org/10.1016/j.eswa.2022.119330.
[27] H. Xu, Y. Fu, C. Fang, Q. Cao, J. Su, S. Wei, An improved binary whale optimization algorithm for feature selection of network intrusion detection, in: 2018 IEEE 4th International Symposium on Wireless Systems within the International Conferences on Intelligent Data Acquisition and Advanced Computing Systems (IDAACS-SWS), 2018, pp. 10–15, https://doi.org/10.1109/IDAACS-SWS.2018.8525539.
[28] H. Xu, Q. Cao, C. Fang, Y. Fu, J. Su, S. Wei, P. Bykovyy, Application of elephant herd optimization algorithm based on levy flight strategy in intrusion detection, in: 2018 IEEE 4th International Symposium on Wireless Systems within the International Conferences on Intelligent Data Acquisition and Advanced Computing Systems (IDAACS-SWS), 2018, pp. 16–20, https://doi.org/10.1109/IDAACS-SWS.2018.8525848.
[29] Z. Ye, Y. Sun, S. Sun, S. Zhan, H. Yu, Q. Yao, Research on network intrusion detection based on support vector machine optimized with a grasshopper optimization algorithm, in: 2019 10th IEEE International Conference on Intelligent Data Acquisition and Advanced Computing Systems: Technology and Applications (IDAACS), 1, 2019, pp. 378–383, https://doi.org/10.1109/IDAACS.2019.8924234.


[30] A.S. Mahboob, M.R.O. Moghaddam, An anomaly-based intrusion detection system using a butterfly optimization algorithm, in: 2020 6th Iranian Conference on Signal Processing and Intelligent Systems (ICSPIS), 2020, pp. 1–6, https://doi.org/10.1109/ICSPIS51611.2020.9349537.
[31] A. Fatani, M. AbdElaziz, A. Dahou, M.A.A. Al-Qaness, S. Lu, Iot intrusion detection system using deep learning and enhanced transient search optimization, IEEE Access 9 (2021) 123448–123464, https://doi.org/10.1109/ACCESS.2021.3109081.
[32] M.M. Althobaiti, K. Pradeep Mohan Kumar, D. Gupta, S. Kumar, R.F. Mansour, An intelligent cognitive computing based intrusion detection for industrial cyber-physical systems, Measurement 186 (2021) 110145, https://doi.org/10.1016/j.measurement.2021.110145.
[33] Z. Wang, Z. Li, D. He, S. Chan, A lightweight approach for network intrusion detection in industrial cyber-physical systems based on knowledge distillation and deep metric learning, Expert Syst. Appl. 206 (2022) 117671, https://doi.org/10.1016/j.eswa.2022.117671.
[34] H. Al-Zoubi, S. Altaamneh, A feature selection technique for network intrusion detection based on the chaotic crow search algorithm, in: 2022 International Conference on Intelligent Data Science Technologies and Applications (IDSTA), 2022, pp. 54–60, https://doi.org/10.1109/IDSTA55301.2022.9923108.
[35] Z. Jie, Iot-network attack detection with optimized recurrent neural network and optimal feature selection, in: 2022 IEEE 2nd International Conference on Data Science and Computer Application (ICDSCA), 2022, pp. 951–957, https://doi.org/10.1109/ICDSCA56264.2022.9987890.
[36] R. Gangula, M.M V, R.K M, Network intrusion detection system for internet of things based on enhanced flower pollination algorithm and ensemble classifier, Concurrency Comput. Pract. Ex. 34 (21) (2022) e7103, https://doi.org/10.1002/cpe.7103. URL: https://onlinelibrary.wiley.com/doi/abs/10.1002/cpe.7103.
[37] L. Jovanovic, D. Jovanovic, M. Antonijevic, M. Zivkovic, N. Budimirovic, I. Strumberger, N. Bacanin, The xgboost tuning by improved firefly algorithm for network intrusion detection, in: 2022 24th International Symposium on Symbolic and Numeric Algorithms for Scientific Computing (SYNASC), 2022, pp. 268–275, https://doi.org/10.1109/SYNASC57785.2022.00050.
[38] S. Bebortta, S.K. Das, S. Chakravarty, Fog-enabled intelligent network intrusion detection framework for internet of things applications, in: 2023 13th International Conference on Cloud Computing, Data Science & Engineering (Confluence), 2023, pp. 485–490, https://doi.org/10.1109/Confluence56041.2023.10048841.
[39] Y. Chen, Q. Lin, W. Wei, J. Ji, K.-C. Wong, C.A.C. Coello, Intrusion detection using multi-objective evolutionary convolutional neural network for the internet of things in fog computing, Knowl. Base Syst. 244 (2022) 108505, https://doi.org/10.1016/j.knosys.2022.108505.
[40] A.K. Dey, G.P. Gupta, S.P. Sahu, Hybrid meta-heuristic based feature selection mechanism for cyber-attack detection in iot-enabled networks, Procedia Comput. Sci. 218 (2023) 318–327, https://doi.org/10.1016/j.procs.2023.01.014. International Conference on Machine Learning and Data Engineering.
[41] R. Chinnasamy, M. Subramanian, N. Sengupta, Designing of intrusion detection system using an ensemble of artificial neural network and honey badger optimization algorithm, in: 2023 International Conference on IT Innovation and Knowledge Discovery (ITIKD), 2023, pp. 1–6, https://doi.org/10.1109/ITIKD56332.2023.10100161.
[42] Y. Gong, Y. Liu, C. Yin, A novel two-phase cycle algorithm for effective cyber intrusion detection in edge computing, EURASIP J. Wirel. Commun. Netw. 2021 (1) (2021) 149, https://doi.org/10.1186/s13638-021-02016-z.
[43] M. Aljanabi, M.A. Ismail, V. Mezhuyev, Improved TLBO-JAYA algorithm for subset feature selection and parameter optimization in the intrusion detection system, Complexity 2020 (2020) 5287684, https://doi.org/10.1155/2020/5287684.
[44] S. Subramani, M. Selvi, Multi-objective pso based feature selection for intrusion detection in iot based wireless sensor networks, Optik 273 (2023) 170419, https://doi.org/10.1016/j.ijleo.2022.170419.
[45] H. Asgharzadeh, A. Ghaffari, M. Masdari, F. SoleimanianGharehchopogh, Anomaly-based intrusion detection system in the internet of things using a convolutional neural network and multi-objective enhanced capuchin search algorithm, J. Parallel Distr. Comput. 175 (2023) 1–21, https://doi.org/10.1016/j.jpdc.2022.12.009.
[53] J.H. Ring, C.M. Van Oort, S. Durst, V. White, J.P. Near, C. Skalka, Methods for host-based intrusion detection with deep learning, Digital Threats 2 (4) (Oct 2021), https://doi.org/10.1145/3461462.
[54] M.A. Ferrag, O. Friha, D. Hamouda, L. Maglaras, H. Janicke, Edge-IIoTset: a new comprehensive realistic cyber security dataset of IoT and IIoT applications for centralized and federated learning, IEEE Access 10 (2022) 40281–40306.
[55] I. Sharafaldin, A. Lashkari, A. Ghorbani, Toward generating a new intrusion detection dataset and intrusion traffic characterization, Intl Conf. on Information Systems Security and Privacy (ICISSP) 1 (2018) 108–116, https://doi.org/10.5220/0006639801080116.
[56] N. Koroniotis, N. Moustafa, E. Sitnikova, B. Turnbull, Towards the development of realistic botnet dataset in the Internet of Things for network forensic analytics: bot-IoT dataset, Future Generat. Comput. Syst. 100 (2019) 779–796, https://doi.org/10.1016/j.future.2019.05.041.
[57] M. Bhuyan, D.K. Bhattacharyya, J. Kalita, Towards generating real-life datasets for network intrusion detection, Int. J. Netw. Secur. 17 (2015) 675–693.
[58] W. Dhifallah, M. Tarhouni, T. Moulahi, S. Zidi, A novel realistic dataset for intrusion detection in IoT based on machine learning, in: 2021 International Symposium on Networks, Computers, and Communications (ISNCC), 2021, pp. 1–6, https://doi.org/10.1109/ISNCC52172.2021.9615841.
[59] M.H. Bhuyan, D.K. Bhattacharyya, J.K. Kalita, Towards generating real-life datasets for network intrusion detection, Int. J. Netw. Secur. 17 (6) (2015) 683–701.
[60] V. Dutta, M. Choraś, M. Pawlicki, R. Kozik, A deep learning ensemble for network anomaly and cyber-attack detection, Sensors 20 (2020) 4583, https://doi.org/10.3390/s20164583.
[61] M. Ring, S. Wunderlich, D. Scheuring, D. Landes, A. Hotho, A survey of network-based intrusion detection data sets, Comput. Secur. 86 (2019) 147–167, https://doi.org/10.1016/j.cose.2019.06.005, arXiv:1903.02460.
[62] U. Cavusoglu, A new hybrid approach for intrusion detection using machine learning methods, Appl. Intell. 49 (Jul 2019), https://doi.org/10.1007/s10489-018-01408-x.
[63] P. Vanin, T. Newe, L.L. Dhirani, E. O'Connell, D. O'Shea, B. Lee, M. Rao, A study of network intrusion detection systems using artificial intelligence/machine learning, Appl. Sci. 12 (22) (2022), https://doi.org/10.3390/app122211752. URL: https://www.mdpi.com/2076-3417/12/22/11752.
[64] P. Kumar, G.P. Gupta, R. Tripathi, Design of anomaly-based intrusion detection system using fog computing for IoT network, Automat. Control Comput. Sci. 55 (2) (2021) 137–147, https://doi.org/10.3103/S0146411621020085.
[65] Y. Otoum, D. Liu, A. Nayak, Dl-ids: a deep learning–based intrusion detection framework for securing IoT, Transactions on Emerging Telecommunications Technologies 33 (3) (2022) e3803.
[66] S. Pokhrel, R. Abbas, B. Aryal, IoT security: Botnet Detection in IoT Using Machine Learning, ArXiv abs/2104.02231, 2021. URL: https://api.semanticscholar.org/CorpusID:233033401.
[67] M. Markevych, M. Dawson, A review of enhancing intrusion detection systems for cybersecurity using artificial intelligence (ai), International conference Knowledge-Based Organization 29 (3) (2023) 30–37, https://doi.org/10.2478/kbo-2023-0072.
[68] M. Aljebreen, M.A. Alohali, M.K. Saeed, H. Mohsen, M. Al Duhayyim, A.A. Abdelmageed, S. Drar, S. Abdelbagi, Binary chimp optimization algorithm with ML-based intrusion detection for secure IoT-assisted wireless sensor networks, Sensors 23 (8) (2023), https://doi.org/10.3390/s23084073.
[69] G. Eswari, G. Monica, V. Deepak, K. Sunil, B.P. Kumar, Enhancing cloud storage security with intrusion detection system using cnn and gray wolf optimization algorithm, in: 2023 International Conference on Sustainable Computing and Data Communication Systems (ICSCDS), 2023, pp. 557–563, https://doi.org/10.1109/ICSCDS56580.2023.10104643.
[70] H.A. Christopher, J.A. Ojeniyi, S.A. Adepoju, O.A. Abisoye, Cloud intrusion detection system using antlion optimization algorithm and support vector machine (SVM) techniques, in: 2023 International Conference on Science, Engineering, and Business for Sustainable Development Goals (SEB-SDG), 1, 2023, pp. 1–5, https://doi.org/10.1109/SEB-SDG57117.2023.10124606.
[71] S. Alosaimi, S.M. Almutairi, An intrusion detection system using bot-iot, Appl. Sci. 13 (9) (2023), https://doi.org/10.3390/app13095427. URL: https://www.mdpi.com/2076-3417/
[46] Z. Azam, M.M. Islam, M.N. Huda, Comparative analysis of intrusion detection 13/9/5427.
systems and machine learning-based model analysis through the decision tree, IEEE [72] A. Heidari, M.A. JabraeilJamali, Internet of things intrusion detection systems: a
Access 11 (2023) 80348–80391, https://doi.org/10.1109/ACCESS.2023.3296444. comprehensive review and future directions, Cluster Comput. 26 (6) (2023)
[47] M.S. Hoque, M.A. Mukit, M.A.N. Bikas, An implementation of an intrusion detection 3753–3780, https://doi.org/10.1007/s10586-022-03776-z, 10.1007/s10586-022-
system using genetic algorithm, Int. J. Netw. Secur. Appl. 4 (2) (2012) 109120, 03776-z.
https://doi.org/10.5121/ijnsa.2012.4208. [73] R. Ghanbarzadeh, A. Hosseinalipour, A. Ghaffari, A novel network intrusion
[48] R. Thomas, D. Pavithran, A survey of intrusion detection models based on nsl-kdd detection method based on metaheuristic optimization algorithms, J. Ambient
data set, in: 2018 Fifth HCT Information Technology Trends, ITT), 2018, Intell. Hum. Comput. 14 (6) (2023) 7575–7592, https://doi.org/10.1007/s12652-
pp. 286–291, https://doi.org/10.1109/CTIT.2018.8649498. 023-04571-3.
[49] S. Mighan, M. Kahani, A novel scalable intrusion detection system based on deep [74] Y. Shen, C. Zhang, F.S. Gharehchopogh, S. Mirjalili, An improved whale
learning, Int. J. Inf. Secur. 20 (2021), https://doi.org/10.1007/s10207-020-00508- optimization algorithm based on multi-population evolution for global optimization
5. and engineering design problems, Expert Syst. Appl. 215 (2023) 119269, https://
[50] M. Verkerken, L. D’hooge, D. Sudyana, Y.-D. Lin, T. Wauters, B. Vol-ckaert, doi.org/10.1016/j.eswa.2022.119269. ISSN 0957-4174.
F.D. Turck, A Novel Multi-Stage Approach for Hierarchical Intrusion Detection, [75] J. Piri, P. Mohapatra, B. Acharya, F.S. Gharehchopogh, V.C. Gerogiannis,
IEEE Transactions on Network and Service Management, 2023, https://doi.org/ A. Kanavos, S. Manika, Feature selection using artificial Gorilla troop optimization
10.1109/TNSM.2023.3259474, 1–1. for biomedical data: a case analysis with COVID-19 data, Mathematics 10 (2022)
[51] M. Al-Hawawreh, E. Sitnikova, N. Aboutorab, X-IIoTID: a connectivity-agnostic and 2742, https://doi.org/10.3390/math10152742.
device-agnostic intrusion data set for industrial Internet of things, IEEE Internet €
[76] E. Ozbay, €
F.A. Ozbay, F.S. Gharehchopogh, Peripheral blood smear images
Things J. 9 (5) (2021) 3962–3977. classification for acute lymphoblastic leukemia diagnosis with an improved
[52] R. Vinayakumar, M. Alazab, K.P. Soman, P. Poornachandran, A. Al-Nemrat, convolutional neural network, J Bionic Eng (2023), https://doi.org/10.1007/
S. Venkatraman, Deep learning approach for intelligent intrusion detection system, s42235-023-00441-y.
IEEE Access 7 (2019) 41525–41550, https://doi.org/10.1109/ [77] F.S. Gharehchopogh, A.A. Khargoush, A chaotic-based interactive autodidactic
ACCESS.2019.2895334. school algorithm for data clustering problems and its application on COVID-19

266
S. Sharma et al. Internet of Things and Cyber-Physical Systems 4 (2024) 258–267

disease detection, Symmetry 15 (4) (2023) 894, https://doi.org/10.3390/ [79] F.S. Gharehchopogh, T. Ibrikci, An improved African vultures optimization
sym15040894. algorithm using different fitness functions for multi-level thresholding image
[78] F.S. Gharehchopogh, An improved Harris hawks optimization algorithm with multi- segmentation, Multimed. Tool. Appl. (2023) 1–47, https://doi.org/10.1007/
strategy for community detection in social network, J Bionic Eng 20 (2023) s11042-023-16300-1.
1175–1197, https://doi.org/10.1007/s42235-022-00303-z.

267

You might also like