Cluster Computing

https://doi.org/10.1007/s10586-022-03776-z (0123456789().,-volV)(0123456789().,-volV)

Internet of Things intrusion detection systems: a comprehensive

review and future directions
Arash Heidari1,2 • Mohammad Ali Jabraeil Jamali2

Received: 25 March 2022 / Revised: 16 June 2022 / Accepted: 3 October 2022

 The Author(s), under exclusive licence to Springer Science+Business Media, LLC, part of Springer Nature 2022

Abstract
The Internet of Things (IoT) is a paradigm that connects objects to the Internet as a whole and enables them to work
together to achieve common objectives, such as innovative home automation. Potential attackers see the scattered and open
IoT service structure as an appealing target for cyber-attacks. So, security cannot be dealt with independently. Security
must be designed and built-in to every layer of the IoT system. IoT security concerns not only network and data security
but also human health and life attacks. Therefore, the development of the loT system to provide security through resistance
to attacks is a de facto requirement to make the loT safe and operational. Protecting these things is very important for
system security. Plus, it is important to integrate the Intrusion Detection System (IDS) with IoT systems. IDS intends to
track and analyze network traffic from different resources and detect malicious activities. It is a significant part of
cybersecurity technology. In short, IDS is a process used to detect malicious activities against victims by several methods.
Besides, the method of Systematic Literature Review (SLR) is used to classify, review, and incorporate results from all
similar research that answers one or more IDS research topics and perform a detailed empirical research analysis on IDS
techniques. Furthermore, depending on the detection technique, we classify IDS approaches in IoT as signature-based,
anomaly-based, specification-based, and hybrid. Also, for the IDS approaches, the authors give a parametric comparison.
The benefits and drawbacks of the chosen mechanisms are then addressed. Eventually, there is an analysis of open
problems as well as potential trend directions.

Keywords Internet of Things (IoT)  IDS  Intrusion detection  Distribution  Security  Review

1 Introduction
The fast growth of decentralized and Internet-based tech-
nologies like cloud computing and the Internet of Things
(IoT) has resulted in an explosion of information in prac-
tically every technical and commercial field today [1–3].
The IoT integrates a wide range of objects, sensors, and
smart nodes that can communicate without human inter-
vention [4]. Also, hardware resources, including smart
& Arash Heidari
[email protected]
& Mohammad Ali Jabraeil Jamali
[email protected]
1
Department of Computer Engineering, Tabriz Branch,
Islamic Azad University, Tabriz, Iran
2
Department of Computer Engineering, Shabestar Branch,
Islamic Azad University, Shabestar, Iran
sensors, that monitor and gather all types of device data
and social life, are included in the IoT [5, 6]. Plus, IoT is a
network of physical objects that can be monitored and
controlled via the Internet [7, 8]. Besides, millions of
objects can be found in the IoT via a Wireless Sensor
Network (WSN) through different types of actuators and
sensors connected to the Internet [9, 10]. IoT sensors
usually have low memory, low power, battery, and network
limitations, so IoT data needs to be computed, stored,
accessed, and analyzed [11, 12]. Furthermore, large
amounts of heterogeneous data and objects are growing, so
a platform is needed to deal with all this [13, 14].
Moreover, because of the rapid growth of the IoT, its
security has become one of the most challenging topics in
such a connected and shared system. Data and its integrity
can be jeopardized by malicious software, viruses, and
hackers [15]. Data insecurity can directly reduce the
security of the entire IoT, resulting in numerous dangerous

123

behaviors [16]. So, many wireless communications allow
for unrestricted eavesdropping. The Intrusion Detection
System (IDS) aims to detect unauthorized computer system
use [5, 17]. Some of these access protection systems and
networks include Local Area Networks (LANs), Wireless
Personal Area Networks (WPANs), ad hoc networks, and
Wireless Local Area Networks (WLANs). WSNs, mobile
phones, and Radio-Frequency Identification (RFID) are the
three most common networks in the WPAN family [18].
So, protection has become a hot topic in the IoT [19].
Systemic security architectures and cryptographic security
frameworks are examples of existing security strategies
[20]. The vulnerability of cyberattacks, including a large
number of requests to IoT services in a short period or the
presence of unauthorized users on certain services, can
result in catastrophic failures [21]. The IDS on these sys-
tems and networks can be generally categorized based on
the detection techniques used, for example, anomalies,
stateful packet testing, or rule-based [22]. With the growth
of IoT and the growing number of cyber-attacks, several
methods have been suggested for the IDS methods in the
IoT realm [23]. Moreover, the IDS presents a vital role in
identifying and blocking various threats from accessing the
network and providing a strong safety mechanism [24]. In a
system, the sheer volume of sensors has drawbacks, such as
storage, interoperability, and scalability, whereas security
methods such as IDS could not work well because a large
amount of labeled data is required to perform, detect
intrusions and detect new attacks [4]. By and large, to
protect IoT environments against different security threats,
IDSs are a fundamental and essential security mechanism.
Generally, there are four main forms of IDSs. Signature-
based IDS is the first type that defines characteristics for
each sort of attack that the IDS can recognize. When
unusual activity fits the pattern, an alarm will be raised
[25]. This is a straightforward approach for detecting pro-
ven attacks. The start-up phase of an anomaly-based IDS
gathers data about the identified system’s expected activi-
ties. The IDS then establishes a threshold that must be
crossed by suspicious activity for an alarm to be raised.
This system can detect intrusion attempts, but it is com-
putationally very expensive and requires a lot of memory to
analyze the data [26]. A combination of signature-based
and anomaly IDS attempts to strike a balance between the
signature-based detection mechanism’s storage cost and
the computational cost and false-positive alarm problem of
the anomaly-based detection system [27]. The specifica-
tion-driven approach IDS defines common system activi-
ties and verifies current operations against those operations
[28]. Then, they were classified into various groups based
on the types of threats they could identify. A denial of
service attack, sinkhole attack, replay attack, black hole
attack, selective forwarding attack, Sybil attack, false data
123
Cluster Computing
attack, jamming attack, and wormhole attack are examples
of these kinds of attacks [29].
Also, it is important to conduct a thorough analysis of
the current literature and publications to simplify the use of
IDSs in the IoT and to identify the shortcomings and
strengths of these systems. In contrast to the importance of
IDSs in the IoT, state-of-the-art mechanisms do not have a
detailed and wide-ranging Systematic Literature Review
(SLR). Therefore, this paper systematically analyses all
literature between the years 2018 and 2022. To improve the
analysis, four types are conducted: (1) anomaly-based, (2)
signature-based, (3) specification-based, and (4) hybrid
IDSs. Furthermore, this paper considers the analysis and
evaluation of the works to categorize the current IDSs in
the IoT, compare various IDS techniques, and summarize
the benefits and drawbacks of the examined IDSs. Then,
future recommendations on the implementation of IDSs in
the IoT will be prepared for researchers. One of the goals
of this paper is to systematically examine the existing
techniques in this domain. In brief, the paper’s contribu-
tions are as follows:
• Offering an overview of the IoT’s existing IDS
challenges;
• Providing an SLR overview of the state-of-the-art
techniques for IDS and other important activities in this
domain;
• Providing a taxonomy of some techniques that are
important in IDS;
• Outlining important areas where the discussed methods
can be improved in the future;
The following sections describe the structure of this
paper: the background of IoT-IDS and basic terminologies
are discussed in Sect. 2. Section 3 provides the research
methodologies and mechanisms for the selection of papers.
Four main categories of selected IDS methods are descri-
bed in Sect. 4. The results and comparisons are presented
in Sect. 5. The open issues and the conclusion part are
defined in Sects. 6 and 7, respectively. Also, Table 1 shows
the abbreviations used in the paper.
2 Basic concepts and related terminologies
This section will first introduce IoT architecture, the next
IDS and their approaches, and then cover the many forms
of attacks. Following that, the assessment metrics and
network structure are detailed.
2.1 Architecture of IoT
Adoption of a single IoT reference model is critical for the
progress and spread of IoT services and applications. In
Cluster Computing

Table 1 Abbreviation table

Abbreviation Definition Abbreviation Definition

AE Auto Encoder M2M Machine-to-Machine

BANs Body Area Network ML Machine Learning
CIDNs Collaborative Intrusion Detection Systems NIDS Network Intrusion Detection Systems
CNN Convolutional Neural Network NSA Negative Selection algorithm
DIDS Distributed IDS OPF Optimum-Path Forest
DNN Deep Neural Network PCA Patient-Controlled Analgesia
DBN Deep Belief Network PCA-GWO Principal Component Analysis-Grey-Wolf Optimization
DoS Denial-of-Service PSO Particle Swarm Optimization
DODAG Destination Oriented Directed Acyclic Graph RBM Restricted Boltzmann Machines
DT Danger Theory RPL Routing Protocol for Low-Power and Lossy Networks
DL Deep Learning (DL) RFID Radio-Frequency Identification
ECAE Elastic Contractive Auto Encoder RL Reinforcement Learning
EPC Electronic Product Code RNN Recurrent Neural Networks
ESM Exclusive Signature Matching SDN Software Definition Network
GA-GWO Genetic Algorithm and Grey Wolf Optimize SH-IDS Specification Heuristics based Intrusion Detection System
GPS Global Positioning System SLR Systematic Literature Review
HIDS Host-based Intrusion Detection Systems UDP User Datagram Protocol
IDS Intrusion Detection System UID Ubiquitous ID
IoT Internet of Things WLAN Wireless Local Area Networks
IETF The Internet Engineering Task Force WPAN Wireless Personal Area Networks
LAN Local Area Networks WSN Wireless Sensor Network

recent years, a variety of architectural solutions have been
presented, including academic and research institutions,
enterprises, stakeholders, and civil society organizations, as
well as international standard organizations such as ETSI,
IETF, IEEE, W3C, OASIS, and others. Manufacturing
sight is also a crucial component of IoT deployment [30].
IoT can be divided into three layers: the layer of percep-
tion, the layer of the network, and the layer of the appli-
cation. The layer of perception consists of a two-
dimensional code tag and code reader, Global Positioning
System (GPS), camera, RFID tag, sensor network of all
kinds, Machine-to-Machine (M2M) terminal, and sensor
gateway. So, the perception layer’s primary role is to
observe, recognize, gather and capture data. The network
layer is made up of a converged network of all forms of
communications infrastructure as well as the Internet. This
part was widely accepted as the most mature part. Besides,
the network layer includes both the loT management center
and the information center, implying that the network layer
ought to be able to control the networks but also increase
its potential to function information. The IoT platform
which becomes a public utility is the network layer [31]. In
addition, IoT and industrial experience are used to create
the application layer, which allows for a wide range of
innovative applications. IoT could eventually accomplish
an interconnection of IT and industries by utilizing the
application layer [32]. The application layer’s key issue is
sharing of information and data security. There seems to be
no generally approved IoT design at the moment. Elec-
tronic Product Code (EPC) Global IoT, which is sponsored
by Europe, the U.S, and the Japanese loT system Ubiqui-
tous ID (UID) is the most significant structure in the IoT
[33].
2.2 Intrusion detection system
IDSs are software or hardware platforms that recognize and
respond to computer attacks autonomously. Intrusion
response systems continually monitor system health based
on IDS warnings to efficiently identify and resolve possible
events or improper behaviors. Intrusion response systems
use appropriate countermeasures to ensure computer
security. As a result, implementing alert protocols is a good
way to ensure that such platforms are responding optimally
[34]. Systems for quantitatively identifying and classifying
attacks based on how they affect data integrity, availability,
and secrecy are also required. For example, if an attacker
compromises the integrity of an enterprise database system,
a proper reaction is required to ensure data integrity. If the
threat is directed against the system, meanwhile, the

123

reaction could increase resource availability and system
performance. When an intrusion is detected, an IDS sends
out an alarm in the form of a report and notice. IDS is
ineffective without a proper security countermeasure. To
aid in locating the source of an attack, a response system
should be connected with IDS. Traditional IDS rules tend
to be static due to the static nature of the monitored sys-
tems, whereas node groups have steady characteristics that
have been recognized through time. The monitored IoT
nodes are constantly added and withdrawn, unlike in a
traditional system [35]. Furthermore, the security needs of
each IoT node vary. Also, a system administrator who is
responsible for the overall security of the system usually
establishes and manages the security policies. Because the
switch is virtualized, there are further challenges with
visibility into inter IoT traffic on a platform. As a result,
traditional physical monitoring solutions are unable to
inspect this network traffic. Furthermore, the new virtual-
ization systems may have vulnerabilities that may lead to a
major breach, thus they should be monitored and examined
for configuration problems, updates, and other issues. In
conclusion, traditional solutions are unable to be deployed
in IoT contexts, which have their own unique needs and
characteristics. There may not be a traditional IDS that can
effectively satisfy these requirements [36]. So, IDS is a
monitoring process for unauthorized entry, activity, or file
modification by computers or networks. The traditional
IDS architecture in IoT is demonstrated in Fig. 1. The
architecture has the following units, as follows: Sensor,
packet analyzer, attack detection, generation rules, and as
output, IP tables rules, which are the generated firewall
rules. The packet analyzer in the intrusion detection engine
Fig. 1 In the IoT, the structured layers of IDS
123
Cluster Computing
is important for detecting attack patterns in the systems.
Packets from multiple locations are collected in a packet
analyzer and analyzed by an IDS engine deployed in the
network. With the highly dynamic IoT users, the packet’s
threshold value may change since the continuous threshold
value is ineffective and results in inaccurate results. As a
result, it must be flexible and dynamic in categorizing
threat behaviors. Based on packet header information,
packets are classified as normal or attacked in a packet
analyzer. The packet analyzer will examine the packets
based on the packet header’s packet arrival time, packet
count, and packet size. Also, the attack detection compo-
nent is in charge of identifying the node’s attack. It has its
decision-making process based on internal rules, heuristics,
and knowledge from its knowledge base. From a huge
number of attack patterns, the rule generation engine
component could build a few rules. As a result, an IoT
device can be processed with the fewest rules possible to
efficiently detect an attack. Attacks occur mostly in sepa-
rate groups known as incidents. Outside attacks are
described as outsider attacks. Plus, insider attacks involve
unauthorized internal users who attempt to gain and abuse
unauthorized access privileges [37]. While many incidents
are malicious, many others are not; for example, a person
can mistake a computer’s address and accidentally try to
connect to another system without permission [38]. So, we
need an IoT immune system. For this reason, IDS monitors
malicious actions or policy violations in IoT [39]. Also,
any malicious activity or violation with an IDS was nor-
mally reported or centrally collected by the administrator
[40]. To identify malicious activity from false alerts, IDS
integrates the outputs from numerous sources with alarm
filtering mechanisms. IDS offers a variety of sizes, ranging
from single machines to big networks. The two primary
conventional classifications offered in the articles are
Network Intrusion Detection Systems (NIDS) and Host-
based Intrusion Detection Systems (HIDS). Signature-
based detection, such as recognizing harmful patterns, and
anomaly-based detection, such as finding departures from a
good traffic model, which typically relies on ML, are two
types of IDS detection approaches [41].
2.3 Kinds of attacks
The attacks can be broken down into active or passive
attacks. Plus, the attack features an attacker who tries to
break into the IoT. The intruder inserts data into the system
and potentially changes data inside the system until an
active attack is carried out. Active attack types are Denial
of Service (DoS), session replay, and masquerade dis-
tributed. Examples of active attacks are viruses, worms,
and Trojans. Moreover, the passive attack tries to learn or
use system information without affecting system resources.
Cluster Computing
Tapping, scanning, and encryption are some kinds of pas-
sive attacks. An attack may also be carried out by a com-
pany outsider or an insider. An insider attack is a malicious
attack against a person with authorized system access on a
network or computer system. UBS PaineWebber is one
inside attack type. An outsider attack was initiated by the
system’s illegal use. Spoofing, spam, and spin are some of
the external attack types [42].
2.4 Commonly used metrics
This section defines the most frequent assessment measures
for assessing the effectiveness of IDS approaches. Appro-
priate IDS aids in improving detection accuracy, lowering
false alarm rates, increasing resource usage, and detecting
threats with minimal latency. Some metrics are highly
important for evaluating the effectiveness of IDSs, and they
are as follows: The difference between the number of
resources required before the system’s function and the
level of resources released once the activity is completed is
referred to as resource consumption. Also, scalability
refers to the IDS’s capacity to keep up with the system’s
evolution while maintaining relative detection accuracy
[43]. The ability of a network to adapt and move forward
when new conditions occur is often referred to as flexibility
[44]. The response time of a function is the latency
between when it is started in the system and when it is
finished. The cost of operating or monitoring IoT at a
specific period is also included in the cost. The computa-
tional complexity refers to the number of resources
required to operate it. In this case, the computational
complexity is the lowest of all potential difficulties for IDS
approaches in IoT situations. Also, IDS performance can be
measured utilizing measures like specificity, recall (sensi-
tivity), accuracy, precision, Confusion Matrix (CM),
specificity; and F1 Score. So, accuracy is specified as the
ratio of total correctly classified observations to total pre-
dicted observations. When all values in a Confusion Matrix
are added together, the ratio of True Negatives to True
Positives is calculated. So, accuracy is calculated as fol-
lows [45]:
STN þ STP
Accuracy ¼  100 ð1Þ
STP þ STN þ SFN þSFP
Precision is a measurement for determining the amount
of confidence in forecasts. In comparison to all favorably
predicted observations, the fraction of True Positive
anticipated observations. In addition, STP represents the
total number of true positives, whereas SFP represents the
total number of false positives [45].
STP
Precision ¼ ð2Þ
STP þ SFP
Recall, as represented by Recall, is a metric that informs
us how many real positive observations we can forecast
with accuracy. SFN also stood for all false negatives in
Eq. (3) [45].
STP
Recall ¼  100 ð3Þ
STP þ SFN
In addition, the F1 is a composite performance mea-
surement that includes Precision and Recall. Precision and
recall are represented by the Harmonic mean.
2  ReCall  P
F1score ¼  100 ð4Þ
ReCall þ P
In addition, the CM is an evaluating performance matrix
that uses False Positives, True Positives, False Negatives,
and True Negatives labels to compare actual and expected
observations. True Negatives and True Positives make up
the overall right forecasts, while False Positives and False
Negatives make up the total wrong predictions [45].
STP SFP
ð5Þ
SFN STN
True Positives are also forecasts that are both positive
and right for a class. True negatives, on the other hand, are
inaccurate predictions that are negative to a class. False
Positives (Type 1 Error) are forecasts for a class that are
both positive and wrong. False Negatives (Type 2 Error)
are forecasts of a class that are negative but incorrect.
Specificity is a metric that indicates how well the target
classes were identified in the test set. If there are 100
positive classes in the test set and the classifier properly
identifies 80 of them while mistakenly identifying the
remaining 20, the classifier correctly identified 80% of the
real samples in the data. As a result, specificity is computed
as follows [45]:
Specificity ¼ ðSTN =STN þ SFP Þ  100 ð6Þ
2.5 Network structure
Based on the network structure, there are three main types
of IDS: centralized, distributed, and hybrid. The data is
examined in a fixed number of locations in a centralized
IDS, regardless of how many hosts are being tested. In
these structures, the IDS is configured in the border router
or cluster head, which sends node traffic to the core IDS,
which therefore analyzes the traffic collected by sensors to
detect intrusions [46]. In addition, the detection system in
Distributed IDS (DIDS) is installed on the sensors of IoT
networks, and each sensor can detect the intrusion locally
after collecting the environment’s traffic. A DIDS is made
up of many IDSs in a wide network that are all linked to
each other or a central server, making it simple to track the
123

network and investigate the occurrence of an attack [47].
The hybrid IDS is a hybrid of dispersed and centralized
strategies that takes advantage of their strengths while
avoiding their weaknesses. Each sensor node contains an
IDS, which can detect intrusions on a local level. Fur-
thermore, the border router node’s IDS can detect intru-
sions globally after detecting intrusions on nodes [48].
3 Research methodology
This paper aims to offer comprehensive guidelines for SLR
for researchers. The SLR is a way to evaluate and inter-
pret all available research relevant to a specific research
problem, topic, or phenomenon of interest [49]. The SLR is
designed to provide a fair assessment of a research topic
using a rigorous, auditable, and reliable methodology with
multiple IDS approaches, but few specify different IoT
environments. The SLR method usually contains a
description of the research collection [50]. Section 3.1
identifies carefully prepared research questions for inves-
tigating IDS techniques in the IoT domain. The article
selection procedure is discussed in Sect. 3.2. Figure 2.
depicts the article search and selection method used in this
study.
3.1 Question formalization
In this systematic review, the following Analytical Ques-
tions (AQ) are answered in full based on the objectives and
scope of the proposed research:
• AQ1: What are IDS methods in the IoT realm?
• AQ2: Which IDS platforms have been selected for IoT?
• AQ3: What assessment criteria are used to assess IDS?
• AQ4: What are the popular IDS tools used for IoT
modeling?
• AQ5: What supports IDS with the existing IoT
algorithms?
• AQ6: What are the future and open prospects for IDS in
the IoT?
Fig. 2 The stages of the article search and selection procedure
123
Cluster Computing
3.2 Process of article selection
The papers are systematically selected through the fol-
lowing phases, including automated abstract-dependent
investigation, publication quality, keywords, title-depen-
dent paper opting, and analysis of reference and
publication.
3.2.1 Stage 1: automated search
In this section, the authors present an evaluation based on
the SLR as a research study evaluation and an important
evaluation for the categorization of IDS methods in IoT
environments. The following discovery string was defined
by adding the main elements to substitutes and other syn-
onyms [51]. ‘‘Intrusion Detection’’ OR ‘‘IDS’’ OR ‘‘mali-
cious detection ‘‘OR ‘‘system detection’’ OR ‘‘Anomaly
detection’’ OR ‘‘Attack mitigation’’ OR ‘‘artificial immune
systems’’) AND (‘‘IoT’’ OR ‘‘Internet of Things’’).
The distribution of articles over time was shown in
Fig. 3 based on the review process and citations of articles
like IEEE, Springer, Elsevier, Taylor & Francis, Wiley, and
ACM Table 2 also contains some electronic databases,
including IEEE and Science Direct, which are employed in
SLR.
3.2.2 Stage 2: article selection
In the first step, the screening criteria employed were
selected to confirm high-quality publications and papers in
the study. By searching for journal papers according to the
results obtained, the search string is limited. All other
groups of studies are henceforth omitted from the original
quest. To satisfy the supposed database search engine’s
syntax needs, the search string uses all databases to be
adapted. Editorial notices, studies, reviews, non-English
language articles, survey articles, and papers are not
included in this review. However, 75 papers were taken
into account to be examined.
Cluster Computing

Fig. 4 The distribution of the selected articles by the publishers

Fig. 3 Distribution by Publisher of research papers (updated on Feb 4 IDS mechanisms in IoT based
2022) on the detection method

Table 2 Electronic databases were used in selecting the article The selected papers are checked and the most widely dis-
cussed IDSs are listed to respond to research questions. The
Online database URL address
IoT has different types of IDSs, such as hybrid, anomaly-
Springer http://link.springer.com/ based, signature-based, and specification-based. Their
ACM http://dl.acm.org/ mechanism for finding malicious nodes, they vary. In a
Science Direct http://www.sciencedirect.com/ nutshell, an IDS is a set of protection mechanisms for
Taylor & Francis http://www.tandfonline.com/ capturing and analyzing packets in a computer network. If
John Wiley http://onlinelibrary.wiley.com/ any abnormalities are discovered after the investigation,
Emerald https://www.emerald.com/insight/ the goal is to terminate the harmful behavior and create a
IEEE http://ieeexplore.ieee.org/ history of similar actions for further network security
Scopus https://www.scopus.com/ policy adjustments. It is essential to retrieve past infor-
mation to help with defense policy adjustments, including
the form of threat, attackers’ and victims’ IP addresses,
attackers’ and victims’ IP ports, and so on. The used tax-
3.2.3 Stage 3: publication analysis onomy is designed by the detection method presented in
Fig. 5.
The authors review the selected papers to ensure the In addition, a general perspective of the IDS approaches
validity of those studies. Key elements for decision-making can be presented in Fig. 6. The model consists of four
are the subject, journal rating, and year of publication. major components as shown below.
Three levels have been refined for the selected papers. Six
notable publishers and IoT intrusion detection studies will 4.1 Anomaly-based mechanisms
be selected after the filter is used. Consequently, 24 papers
have been identified, reviewed, and analyzed. The authors This part covers the key characteristics of anomaly-based
choose a document that (1) is presented in the domain of IoT techniques. Finally, Sect. 4.1.3 refers to comparing and
IoT intrusion detection, (2) clearly describes the proposed summarizing anomaly-based mechanisms.
mechanism, and (3) considers some parameters that have
been established. Finally, among the 24 selected papers, 6 4.1.1 Overview of the anomaly-based mechanisms
publications were anomaly-based, 6 were signature-based,
6 were specification-based, and 6 were hybrid. In addition, System actions and operations against a usual behavior
Fig. 4 depicts the distribution of the selected papers by profile at once generate an alert when a deviation from
their publishers. normal behavior exceeds an anomaly-based threshold rel-
ative to IDSs. The detection of new attacks, especially
those related to resource abuse, is efficient. Anything that
does not conform to typical conduct, on the other hand, is
regarded as an intrusion, and learning the entire spectrum
of normal behavior is not an easy process. Also, this
method usually has high false-positive rates. Researchers
usually use statistical or Deep Learning (DL) techniques,

123

Fig. 5 The taxonomy of IDS
mechanisms in IoT by detection
method
Fig. 6 The overall IDS framework in IoT, as well as its connections to other platforms, such as cloud environments
which can be too heavy for low-capacity IoT nodes, to
create a normal behavior profile. Therefore, this feature
should be taken into account by anomaly-based IoT net-
work mechanisms [52]. The main assumption of an
anomaly-based IDS is that new attacks can be detected.
The assumption is that a new or known attack has behav-
iors that are substantially different from the use of a typical
system to identify the outliers. However, incoming events
are generally classified according to similarities with pre-
viously identified events in the training data set. As a result,
new threats can be accurately categorized if they match
known attacks. By definition, an unknown attack cannot
train a Machine Learning (ML) detection system. Con-
trolling the events in the test dataset, on the other hand,
may be used to assess an IDS’s capabilities. A system
could be taught and evaluated with a specific sort of attack,
or with attacks that are similar but not identical. The def-
inition of the similarity of events depends on the context
and its expertise. The process is displayed in Fig. 7. Known
attacks are kept in the cloud, fog, or edge dataset per usage
123
Cluster Computing
of the system in the basic anomaly-based architecture.
After that, similar and new attacks are evaluated, and
lastly, alarms are generated.
4.1.2 Review of the selected anomaly-based mechanisms
For detecting intrusions and tracking misuse behavior,
anomaly-based IDS is used. Using threshold classifies this
behavior as regular or abnormal. These types of IDSs track
the activity of a normal network in the IoT to set a
threshold. So, the network’s behavior is compared to the
threshold to detect intrusions, and any deviation from this
value is considered anomalous.
Almalawi [53] suggested a technique for unsupervised
detection called the global anomaly threshold, which is
being used as an add-on element to enhance the precision
of unsupervised IDS. At first, this was done by learning two
labeled small datasets from the unlabeled data, where each
dataset reflects whether in normal or abnormal behavior. A
collection of supervised classifiers was therefore trained
Cluster Computing
Fig. 7 The overall model of anomaly-based IDS in the IoT realm
with query datasets to build an ensemble-based decision-
making model that can then be incorporated into both
unsupervised anomaly scoring and clustering-based IDSs.
In the former, the approach is being used to reduce the
sensitivity of the anomaly threshold, whereas, in the latter,
it is used to effectively identify the clusters created as
normal or abnormal. Results showed that when integrated
into a clustering-based IDS as a labeling technique for the
produced clusters, their method showed significant and
promising outcomes. Compared to other benchmarks, their
approach demonstrated better performance and high relia-
bility. Their strategy also suffers from poor scalability and
low robustness.
Also, Eskandari [54] implemented a technique called
Passban, a smart anomaly-based IDS that is intentionally
devised to be hosted and accomplished by a standard edge
system directly. First, they designed an IoT testbed that
looks like a traditional smart home automation setting.
Later, the IoT testbed was designed as 2 distinct scenarios
to analyze the effectiveness of the suggested IDS in terms
of both threat detection accuracy and computational
resources needed by the implementing scheme. In one, the
IDS is been directly implemented and performed on the
IoT gateway: in this particular instance, Passban seemed to
be successful in gaining the latter and all IoT
objects connected directly to it. Utilizing two one-class
classification methods, they used Passban and tested it
against four common attacks. The evaluation revealed that
Passban IDS can provide high detection accuracy in terms
of threat detection accuracy. It also suffers from poor
scalability as well.
Plus, the anomaly detection method proposed by Kim
[55] is a mechanism that could be implemented and run in
real-time regardless of the form or mark of an endpoint
event log. To determine suspicious conduct that differs
from typical behavior, they employed two models. Ano-
malous detection examines the event log to determine
anomaly ratings. The model detected hazards based on the
anomaly score and the rules produced by the attack model.
Besides, attack characteristics categorize attacks represent
the frequency with which events happen and assess threats
based on criteria derived from unusual activity associa-
tions. The results showed, that in terms of response time,
the mechanism has better detection. Additionally, for
reliable anomaly detection on each endpoint system, dif-
ferent policies can be implemented. The biggest downside
of the approach is that different attacks can not be
protected.
By using stochastic and evolutionary game models,
Gothawal and Nagaraj [56] introduced anomaly-based IDS
for Routing Protocol for Low-Power and Lossy Networks
(RPL). To calculate the probability of transfer, their tech-
nique considered the stochastic game theory model and
formulated the player interactions on control packets and
packet routing. Besides, applying the evolutionary game
model efficiently verifies the calculated likelihood of
transformation using a synchronization algorithm. In the
presence of malicious players over IoT networks, it illus-
trated the successful attack detection accuracy and RPL
efficiency. States and the observation of state change with
the awareness of RPL rules ensure the prevention of RPL
success and topology-based attacks. Their method recog-
nized the attackers and provided the stable RPL for IoT by
validating the outcomes of the stochastic gaming model in
the calculation of specious state transfer likelihood using
the evolutionary game model. High efficiency in detecting
123

threats is the key benefit of the technique. The approach
also has high overhead computation.
Alhakami [57] addressed the issue of anomaly-based
IDS, and for the infinite bounded generalized gaussian
mixture model, they established a new completely Baye-
sian-based approach. A significant feature of the estab-
lished model is that it incorporated a framework for feature
selection to prevent the modeling process from being
affected by irrelevant features. Also, their use of the
technique of Bayesian inference is motivated by the fact
that it helped them to avoid under- and over-fitting, for-
malize their previous information, and communicate their
uncertainty through distributions of probability. Further-
more, the key aim of using such an infinite assumption
rather than the finite one is its ability to simultaneously
learn (for example estimation of parameters and model
selection) the parameters and many components of the
model. The integration of a feature selection method, on
the other hand, aimed to remove redundant features and
take into account only the most important features, and
then improve efficiency in terms of accuracy. The efficacy
of their methodology is verified by evaluating it on the
demanding application, namely the anomaly IDS while
comparing it to other analogous literature methods
reported.
Finally, Roy [58] presented an IDS model that employed
ML to identify cyber-attacks and anomalies in resource-
constrained IoT systems. The model determined the most
relevant attributes to detect intrusions employing consid-
erably fewer training data and less training time thanks to a
combination of optimizations that include the removal of
multicollinearity, sampling, and dimensionality reduction.
Comprehensive studies were conducted on the NSL-KDD
and CICIDS2017 databases to assess the method. The
findings of their system on different datasets revealed that
it has a low false alarm rate and high detection rate. It
surpassed previous systems across several performance
parameters and is consistent in identifying serious cyber-
attacks. Most notably, in contrast to typical resource-in-
tensive IDS, the suggested system is lightweight and could
be installed on IoT devices with limited power and
memory.
5 Summary of the reviewed anomaly-based
mechanisms
Anomaly-based IDS is being used to detect intrusions and
monitor the operation of misuse. This behavior is catego-
rized as normal or abnormal by the use of a threshold. In
the IoT, to establish a threshold, these kinds of IDSs will
monitor the behavior of the normal network. The network
behavior is correlated with the threshold to detect the
123
Cluster Computing
intrusions, and any deviation from this value is considered
an anomaly. Also, Table 3 summarizes the detection
approaches discussed based on anomalies and presents
their significant advantages and challenges.
5.1 Signature-based mechanisms
This part describes IoT signature-based methods and their
major characteristics. Finally, Sect. 4.2.3 refers to com-
paring and summarizing Signature-based mechanisms.
5.1.1 Signature-based mechanisms
IDS threats were identified using this method when net-
work activity matched an attack signature contained in the
IDS internal databases. If any system or network behavior
fits the recorded patterns/signatures, an alarm will be
generated. Plus, IDSs based on signatures are accurate and
very efficient in identifying known threats and their method
is easy to understand. Nevertheless, since one matching
signature for these cyberattacks is unknown whether the
platform or network activity meets an attack signature
contained in the IDS internal datasets, this technique is
useless in identifying new attacks and variations of old
attacks. An alarm is issued if any model and network
activity fit the stored patterns/signatures. Signature-based
IDSs seem to be accurate and effective in detecting known
threats, and their mechanisms are simple to comprehend.
Furthermore, this method fails to detect new attacks and
known variations since a matching signature for these
assaults has yet to be discovered [52, 59]. Also, Fig. 8
represents the overall model of the signature-based
approaches in IoT that consists of four components: IDS
engine, cloud database, signature extraction, and signature
matching phase. The IDS engine extracts signatures first,
then compares them to the database for signature matching.
After that, an output and an alert are created.
5.1.2 Review of the selected Signature-based mechanisms
After decades of growth in both academic and industrial
research, signature-based identification schemes play a key
role in protecting against various attacks. It is based on the
assumption that the signatures of different attacks are
usually unchangeable, and that since the number of mali-
cious patterns is small, they could be detected early on.
Signature-based detection methods compare the network’s
current activity to known attack trends. Signatures are first
assessed and stored on the device in the IoT, and each
signature corresponds to a specific attack. Signature-based
approaches are commonly used and require a signature for
each attack. The rest of this section is a review of the
selected papers in this area.
Cluster Computing

Table 3 Discussed an Anomaly-based approach and its properties

Detection method: anomaly-based
# Authors Main idea Advantages Challenges Placement Validation Architecture
strategy strategy

1 Almalaw Proposing the global anomaly threshold High reliability Lack of Centralized Simulation IoT
[53] for unsupervised anomaly density High elaborate
technique-based detection performance evaluation of
traditional
attacks
Poor scalability
Low robustness
2 Eskandari Presenting a platform-independent Improving the It is not Hybrid Implementation IoT-Edge
[54] anomaly-based IDS that operates detection appropriate for
directly on the edge efficiency a realistic
High accuracy scenario
High latency
3 Kim [55] Proposing a method for identifying risks The distributed Different attacks Distributed Simulation IoT
based on the attack profile’s generated IDS problem can not be
rules and the anomaly score of IoT is detected
resolved
Low detection
time
4 Gothawal Proposing a method for using stochastic High High Hybrid Simulation IoT
and and evolutionary game models to performance computation
Nagaraj achieve greater accuracy of detection in detecting overhead
[56] threats High
complexity
5 Alhakami Learning the patterns of the activities via High accuracy Poor scalability Hybrid Simulation IoT
[57] a Bayesian-based inference for infinite High efficiency High latency
bound Gaussian generalized mixture
models
6 Roy [58] Presenting an IDS model that employs High detection Weak Centralized Python IoT
ML to identify cyber-attacks and rate robustness
abnormalities in resource-constrained A low false High memory
IoT networks alarm rate overhead

Fig. 8 The overall model of signature-based detection in IoT

123

On signature-based detection, Li [60] created a general
architecture for collaborative signature-based blockchain
IDSs that uses blockchains to gradually share and construct
a trusted signature database. Their strategy used block-
chains to maximize the efficacy of collective IDSs based on
signatures. Their approach focused primarily on signature-
based detection, which, in comparison to anomaly-based
detection, has a larger application in practice. Anomaly-
based IDSs frequently generate a large number of false
alarms due to the difficulties of creating an appropriate
profile. They aimed to explore the feasibility of the use of
blockchain in Collaborative Intrusion Detection Systems
(CIDNs) and to encourage more research into the design of
robust CIDN signature sharing. Their approach showed
high efficiency and elevated robustness. It also suffers from
poor scalability and limited accuracy.
Also, Li [61] proposed a two-stage AI-based IDS
implemented on IoT networks. It leveraged the Software-
Defined Network (SDN) that contributes to global status
monitoring as well as traffic capture. To diagnose inno-
vative intrusions with a self-learning skill, combines and
coordinates two steps of IDS, involving flow classification
and feature selection. To choose optimal features and
design network flow classification techniques, they
enhanced the bat algorithm by improving the RF algorithm.
In achieving higher precision and lower overhead, the
results validate the optimality of their algorithms. Their
results also showed that without much time consumption,
the device improves its detection capability. Also, their
mechanism Inefficiencies in large and complex networks.
Plus, Meng [62] suggested a single character frequency-
based Exclusive Signature Matching (ESM) allowed
blockchain, which can create a verifiable database of
malicious payloads through blockchains. The single char-
acter frequency-based ESM can be used to protect the
smart environment to enhance the process of signature
matching for collective IDS. Plus, such an ESM method
can be vulnerable to hostile environments, i.e., under
character padding attacks. They concentrated on this
challenge and suggested a single character frequency-based
ESM that is blockchain-enabled. Their findings validated
that, in most situations, PackSig observation always holds
and that the output of single character frequency-based
ESM in a hostile network may be degraded. The findings
also showed that their blockchain-enabled system, by
reducing the incidence of worst cases, will increase the
robustness of the original system.
By using the Jacobi symbol, Kumar [63] provided an
IDS-based authentication protocol method. High compu-
tational bilinear pairing procedures are not supported by
the suggested methodology. In addition, their technique is
more computationally efficient than competing ones when
compared to other comparable methods in terms of the
123
Cluster Computing
computing time consumed during the signature creation
and verification procedures. The system is built based on
the suggested modified interactive quadratic waste concept
and is seen to be existentially unforgettable. Moreover, to
evaluate its security, the scheme does not rely on the ran-
dom oracle model. The overall analysis concluded that
their scheme in various cloud-IoT environments is versa-
tile, effective, and reliable. Since most smart devices have
recently had low storage space, their framework suffers
from high overhead.
Also, Otoum and Nayak [64] presented a signature-
based IDS replacement approach. Traffic filtering, prepro-
cessing, and IDS are the three steps discussed here. The
IoT gateway extracts and validates the characteristics of the
arriving packet streams during the traffic filtering step. The
characteristics are translated into numeric values, normal-
ized, and redundancy is removed during preprocessing. The
network traffic with the dataset is concentrated via pre-
processing. The traffic packets subsequently enter the sig-
nature-based IDS phase, in which the LightNet algorithm
and signature matching are used to apply signature-based
IDS. The anomaly-based IDS examined all unknown
packets, and the deep Q-learning system classifies attacks
using SNR and bandwidth. The developed model outper-
formed existing IDS approaches once the results were
analyzed.
Finally, Dı́az-Verdejo [65] presented a methodology to
better understand the ramifications of employing prede-
termined rulesets in signature-based IDS performance.
They tested the effectiveness of three signature-based IDSs
in the context of web attacks. Utilizing seven attack data-
sets, they measured the detection rate obtained with pre-
determined subsets of rules for Snort, ModSecurity, and
Nemesida. They also used a big trace from a public website
to determine the precision and rate of alarm issued by each
detector in a real-life instance. The maximum detection
rate attained by the model under evaluation is insufficient
to properly safeguard systems and is lower than predicted
for recognized attacks, according to the studies. The choice
of preconfigured settings active on each detector also has a
significant impact on its detection capability and false
alarm rate, according to the findings. Ultimately, they
presented an effective approach for systematically evalu-
ating which rules in a ruleset should be deactivated to
lower the false alarm rate in a target environmental context.
6 Summary of the reviewed signature-based
mechanisms
Table 4 summarizes the discussed signature-based detec-
tion methods and introduces their important advantages
and challenges. In contrast with anomaly-based methods,
Cluster Computing

Table 4 Discussed the Signature-based approach and its properties

Detection method: signature-based
# Authors Main idea Advantages Challenges Placement Validation Architecture
strategy strategy

1 Li [60] Proposing a blockchain-based architecture High Cannot cover Distributed Implementation IoT
through the combination of blockchains efficiency all of the
in an IoT High various
robustness threats
Low accuracy
poor scalability
2 Li [61] Proposing an advanced IDS using DL Lower Inefficiencies Distributed Simulation IoT
algorithms based on SD-IoT overhead in large and
architectures computation complex
High networks
accuracy
Suitable for
devices
with low
power
3 Meng [62] Combining blockchain technology in IoT High Poor scalability Distributed Simulation IoT-cloud
with single-character frequency- robustness High
dependent ESM High Security complexity
4 Kumar Proposing a quadratic residue-based High High overhead Distributed Implementation IoT-cloud
[63] signature pairing-free method that Reliability High delay
authenticates IoT devices and cloud- Strong
centered data security
5 Otoum Providing a Q-learning IDS architecture to Low High energy Distributed Python IoT
and address the shortcomings of signature- overhead consumption
Nayak based IDS Low delay Low robustness
[64]
6 Dı́az- Employing predefined ruleset settings in High High response Distributed Simulation Distributed
Verdejo the scope of SIDS that identify URI web precision time environments
[65] attacks Reduce false
alarms

due to their lower false alarm rate, signature-based detec-
tion also has a broader acceptance. While the signature
matching process is a significant bottleneck, in which the
workload is at least linear to the target string size. The
signature-based detection method plays an important role
in taking an important place in industrial and academic
research after decades of development to protect against
multiple attacks. It is based on the idea that because the
number of harmful patterns is restricted, the signatures of
diverse assaults are typically unaltered and may be iden-
tified at an early stage. Signature-based detections compare
current network activity to pre-defined attack patterns.
Signatures are first discovered and stored on the device in
the IoT, and each signature is then matched to a specific
threat. Methods commonly based on signatures are simple
to use, requiring a signature for each attack.
6.1 Specification-based mechanisms
This section is about the specification-based methods of
IoT as well as their main features. Lastly, Sect. 4.3.3 refers
to comparing and summarizing specification-based
methods.
6.1.1 Overview of the Specification-based mechanisms
The specification is a system of principles and thresholds
that govern how network elements like protocols, nodes,
and routing tables should behave. Specification-based
methods have been used to identify intrusion when network
activity differs from specification specifications [66]. So,
specification-based detection aims to achieve the same
objectives as anomaly-based detection: to discover devia-
tions from normal [67]. There is a fundamental distinction
between both techniques: with specification-based

123

techniques, a human expert manually specifies the princi-
ples of each specification. When opposed to anomaly-based
detection, manually generated requirements generally
result in reduced false-positive rates [68]. However, spec-
ification detection units do not require a training phase, as
they can start working immediately after the specification
has been set. Even though manually defined specifications
cannot be adapted to different environments and can take
time and be prone to errors [69]. Also, the overall system
architecture of specifications-based is demonstrated in
Fig. 9. This sort of architecture, as shown in Fig. 9, is
generally made up of an analysis engine, a specifications
database, and an IDS engine for generating alarms. These
architectures can be deployed at the edge or in the fog,
depending on the application.
6.1.2 Review of the selected Specification-based
mechanisms
The specification-based IDSs are being discussed in this
section. Specification-based and anomaly-based IDSs are
identical in the IoT since they both detect intrusions when a
deviation from normal behavior occurs. So, Sharma [70]
suggested a Behavior Rule specification-based IDS in IoT
called BRIoT. For any embedded IoT device, BRIoT can
formally verify the correctness of behavior rules and col-
lect/analyze compliance data for detection of misconduct.
BRIoT is particularly applicable to mission-critical CPSs
with defined security specifications, irrespective of whether
the attacks are known or unknown since it detects the
misconduct of an IoT system as a result of attacks. BRIoT
was developed as a tool that enables a user to define an
embedded IoT device’s operational profile as an input. The
tool then created a set of security requirements and a set of
behavior rules automatically, checks the correctness of the
produced behavior rules, and turns the behavior rules into a
state machine for detecting misbehavior during runtime.
The overall operating cost is very low and in three potential
cases, i.e. non-localized residuals, localized residuals, and
unavailable residuals, it can be run both in on-device and
Fig. 9 The overall system architecture of specifications-based
123
Cluster Computing
off-device mode. Their tested strategy has high efficiency
and suffers from poor scalability.
Also, specification-based misconduct detection for the
IoT realm is suggested by Choudhary [71] which could be
extended to realistic IoT-embedded cyber-physical systems
for very lightweight embedded IoT devices that are an
integral part of the overall system architecture. With a
Patient-Controlled Analgesia (PCA) interface embedded in
a medical cyber-physical system where a peer PCA plays
the function of a monitor node, they demonstrated the
feasibility of their procedure. In terms of low run time,
computation overhead, memory, and high misbehavior
detection prediction accuracy, they placed their behavior
rule specification-based misbehavior detection method as
the only feasible solution to ensure the security of resource-
constrained embedded IoT objects against zero-day attacks.
The technique also suffers from low response time and
high complexity.
To detect attacks at the device level, Siu and Panda [72]
developed a specification-based algorithm. Two false data
injection attack vectors were formulated that targeted the
automatic generation control and frequency measurement
signal, and a risk assessment was carried out. In addition,
studies were conducted on a model of a three-area power
grid, and findings showed that in different situations, the
algorithm was able to detect false data injection attacks.
Besides, to establish a digital forensics technique, the
knowledge obtained by this detection algorithm will be
used. Their method can be useful for finding the source of
the attack, monitoring the attack signal, and restoring any
data loss, enabling mitigating measures to be in place to
restore the system’s service. Their method benefits from
high robustness and high availability but suffers from poor
scalability.
Babu and Reddy [73] proposed the ‘‘Specification
Heuristics based Intrusion Detection System (SH-IDS)’’ as
a model for defending IoT network intrusion. The model,
known as specification heuristics for positive and negative
labels, is depicted as a specification form. The proposed
scale makes it possible to predict which IoT networks
Cluster Computing
would be vulnerable. The approach for defining specifica-
tion heuristics depicts special n-gram sequential patterns of
values for sequential patterns of characteristics from both
positive and negative mark records. The method SH-IDS is
highly significant, according to the experiment, because it
has a detection accuracy of more than 91%, which is sig-
nificantly higher than benchmarks. In addition, as com-
pared to other benchmarks, the energy and memory
consumption overheads observed from the model SH-IDS
are minimal and linear. The main drawback of the system
is poor scalability and low robustness.
Plus, Violettas [74] developed an IDS approach for RPL
with various profiles to address the aforementioned con-
cerns, which mitigated at least 13 attacks. They proposed a
software IDS that provides a comprehensive way to protect
an RPL-based IoT network from various forms of threats.
Their approach is influenced by the SDN model, in that it
offloads computational and communication costs by
transferring functionality from constraining end nodes to
central premises, i.e., the controller. Other options go up to
eight at the same time. The solution, which is built on the
network softwarization concept, provided an expandable
workflow that includes four RPL specification-based pro-
cesses, an attacker identification procedure, and several
attack mitigation strategies. Their system also included an
adjustable control and monitoring protocol, which trades
overhead for accuracy based on network conditions. The
proof-of-concept studies indicated that the technique has a
minimal overhead for the various modes of operation it
supports, reaching up to 30% less than competing methods.
At the same time, it keeps power usage to a manageable
level.
Finally, Santos [75] presented an IP flow-based IDS
architecture for real-time monitoring and protection of IoT
networks from possible attacks. Instead of employing
packet header fields and their payload, the suggested
scheme gathers IP flows from an IoT system and analyzes
them to monitor and identify attacks, intrusions, and other
sorts of abnormalities at different IoT architectural levels
depending on specific flow attributes. The framework was
created with both the IoT network architecture and other
IoT contextual features in mind, including adaptability,
diversity, compatibility, and the efficient use of IoT net-
work resources in mind. The system is network-based and
has a hybrid design, including components for both cen-
tralized analysis and distributed data collecting. The
scheme employed a specification-based method based on
standard traffic standards for detection. The findings indi-
cated that the approach can detect intrusions and abnor-
malities with 100% accuracy and 0% false positives.
7 Summary of the reviewed specification-
based mechanisms
Table 5 summarizes the discussed specification-based
detection methods and introduces their important advan-
tages and challenges. In the IoT, IDSs based on specifi-
cation and anomaly are identical since both consider
intrusions when a deviation from usual behavior occurs.
Specification-based methods, however, do not rely on
techniques for ML. Specifications are created manually and
valid device activities are captured in these schemes.
7.1 Hybrid mechanisms
This section discusses IoT hybrid mechanisms and their
main characteristics. Finally, Sect. 4.4.3 refers to compar-
ing and summarizing hybrid mechanisms.
7.1.1 Overview of the hybrid mechanisms
This method makes use of signature and anomaly-based
detection principles to maximize their benefits while min-
imizing their drawbacks. As stated above, new attacks are
continually updated by the signature-based IDS and they
do not detect a new attack. Especially problems with the
IDS misuse can not be updated with every new type of
attack. The second method is anomaly-based IDS, which
identifies new attacks and unknown attacks. The first
advantage of anomaly detection is that the database is not
required to update the data, because the usual profile
databases are constantly maintained to detect unknown
attacks (or null-day attacks). The third approach is to
employ hybrid IDS, whereby detects signatures as well as
anomalous techniques, to increase IDS performance and
potential at the moment. A detailed view of the hybrid IDS
framework can be found in Fig. 10. The hybrid framework,
as illustrated in Fig. 10, is made up of various components,
including a correlation module, a signature-based module,
feature extraction, and a decision-making system. To detect
threats, these components operate together. Depending on
their function and the settings in which they are utilized,
such frameworks may include a variety of components and
elements.
7.1.2 Review of the selected hybrid mechanisms
The anomaly-based IDS uses a training process to achieve
a high detection rate when detecting a node’s normal
actions. Anomaly-based IDS has a high false-positive rate
and high computing costs, whereas signature-based IDS
has a high storage cost and a low number of attack
detections. Then, to address the shortcomings of both
123
 Cluster Computing

Table 5 Discussed the Specification-based approach and its properties

Detection method: specification-based
# Title Main idea Advantages Challenges Placement Validation Architecture
strategy strategy

1 Sharma[70] Proposing a method to define an embedded High efficiency Poor Distributed Simulation IoT
IoT device’s operational profile as an Low cost scalability
input
2 Choudhary Proposing lightweight specification-based High accuracy High Hybrid Simulation Healthcare-
[71] misbehavior management Low overhead complexity IoT
Low
response
time
3 Siu and Developing a technique based on High robustness Poor Distributed Simulation MEC
Panda requirements to detect false data High availability scalability
[72] injection attacks
4 Babu and Using heuristics-based specification IDS in High accuracy Low Distributed Using the IoT
Reddy the IoT realm Low energy robustness simulator
[73] consumption Poor CUPCORBAN
Low memory scalability
usage
5 Violettas Proposing a software IDS-inspired SDN Low overhead Low Hybrid Cooja IoT
[74] that provides a comprehensive way to High accuracy availability
protect an RPL-based IoT network from Low
Low energy
various forms of assaults scalability
consumption
6 Santos [75] Introducing a paradigm for IDS in IoT Lower High Hybrid Python IoT
systems for detecting internal or external computational complexity
attacks in real-time resources
usage
High accuracy

Fig. 10 Hybrid framework in general

systems, a hybrid scheme is presented. The signature-based
method was used to identify known attacks in the hybrid
scheme, while the anomaly detection method was used
when an unknown attack was detected. Some hybrid IDS
have high computational overhead and consume a lot of
resources. Many of them have a significant lag. The rest of
this section is devoted to a review of the selected articles.
To minimize wireless traffic, which is the key issue
facing IDS, Davahli [76] proposed a hybrid intelligent
method using a Genetic Algorithm (GA) and Grey Wolf

123
Cluster Computing
Optimize called GA-GWO. In designing the IDS model in
the IoT realm, the hybrid method using the benefits and
good features of GA and GWO attempted to intelligently
classify the most informative wireless traffic for the help
vector machine classifier. Moreover, by removing obsolete
and obsolete traffic data, the dimensionality of the
tremendous wireless traffic data has been reduced and the
computational complexity of the IDS has subsequently
been reduced. It is also important to remember that the IDS
output is kept the same or has been marginally worse after
removing the vast number of functions. The findings
revealed that their method dramatically decreased compu-
tational time with high precision and offers superior effi-
ciency. Besides, results have shown that the mechanism
suffers from low scalability and robustness.
To identify the attacks, RM [77] suggested a hybrid
PCA-GWO based Deep Neural Network (DNN) Classifier
Model. Their approach may be better suited to the medical
IoT environment in which smart medical objects commu-
nicate with each other using unique IP addresses based on
the network. The data created is too big and DNN-based
methods will best manage it. The approach helps to mini-
mize the number of characteristics and instances derived by
the use of the DNN model for the classification process.
The results showed high accuracy and the time needed for
the classification model to be trained was low. Also, the
mechanism suffers from high complexity.
Also, Li [78] proposed semi-supervised learning and
collaborative IDS architecture by applying a semi-super-
vised learning algorithm based on disagreement. In par-
ticular, they invented a simple semi-supervised learning
algorithm based on disagreement and investigated its
intrusion detection efficiency. Besides, it is important to
deploy collaborative IDS to secure the distributed ecosys-
tem due to the existence of IoT networks. The method was
further developed to explore the use of semi-supervised
disagreement-based learning in the aspects of detection
enhancement and alarm filtration. In the assessment, two
experiments were carried out specifically to study success
with datasets and in a real IoT system, respectively. Their
findings suggested that by using unlabeled data in the
training phase, the disagreement-based approach could
perform better than conventional approaches in terms of
both detection efficiency and false alarm reduction. The
results from the experiments showed that insiders and
cyber-attacks in IoT are high-performance simultaneously.
Also, the mechanism suffers from poor scalability and has
vulnerabilities to different data characteristics. Besides, it
is vulnerable to advanced insider attacks.
Plus, to overcome the problems of the previous method,
a real-time hybrid IDS framework was based on anomaly
and specification-based IDS proposed by Bostani and
Sheikhan [79]. In detecting two IoT insider attacks, named
sinkhole attacks and selective forwarding, the ability of the
model was investigated. Furthermore, the potential of
blackhole, rank, and wormhole attacks was examined in the
suggested model. The proposed model analyzes the traffic
and non-traffic-related characteristics of host nodes in the
intrusion detection module based on specifications. Local
results were then sent via data packets to the root node. In
particular, the objects in 6LoWPAN are usually restricted,
so the proposed specification-based IDS is a light IDS
agent that eliminates the results of the local analysis after it
is sent to the root node. The anomaly-based IDS projected
some anomaly detection models using the traffic-related
features extracted from the incoming data packets based on
an unsupervised Optimum-Path Forest (OPF). According to
the local and global results of IDS agents based on speci-
fications and anomalies, the root node made a general
decision on the anomalies that occurred in the network
using a voting system.
Moizuddin and Jose [80] suggested an IDS based on the
Generalized Mean GWO algorithm with stacked Elastic
Contractive Auto Encoder (ECAE). The approach detects
intrusions in 2 steps: feature extraction and classifications.
The GMGWO method used in their study is proven to
choose appropriate features for training the classifier
model. The study also introduced ECAE, which combines
the advantages of lasso and ridge regression. When eval-
uated on two datasets, the classifier model outperformed
state-of-the-art methods in terms of binary and multi-class
classification performance measures. The suggested model,
which showed to be accurate using optimal subsets of
features from two separate datasets, is suited for existing
traffic situations with thousands of characteristics.
Finally, to detect threats at a faster speed, de Souza [81]
introduced an IDS architecture that operates on the fog
layer. Some methods employed different learning methods
and selected the one with the best performance. To achieve
good accuracy, others sought to modify the hyper-param-
eters of a model. There are ML issues, though, that even
the best model is not accurate enough. To reduce the
instability of the models, it is necessary to combine models
using hybrid mechanisms. To compose the first stage of the
two-stage detection system of the architecture presented,
they also suggested a hybrid method of binary classifica-
tion with high precision and recovery rates. Performance of
the suggested binary classifier over existing methods of
ML. These findings indicate that the technique has high
precision, limited use of memory, and less processing time.
The process, however, suffers from high complexity.
123
 Cluster Computing

8 Summary of the reviewed Hybrid 9 Results and comparisons

mechanisms
Hybrid IDSs mostly is developed to overcome the disad-
vantages of signature, anomaly, and specification-based
detection. Also, most of these approaches suffer from high
complexity. Table 6 summarizes the discussed hybrid
detection approaches and introduces their important
advantages and challenges.
The examination of IDS methods for IoT is still develop-
ing, the authors observed. A broad variety of attacks and
IoT technologies are not protected by the suggested solu-
tions. Besides, it is not clear which process and placement
strategies of detection are more suitable for IoT systems.
This paper provided a comprehensive taxonomy and
advanced IDS to consider IoT IDS solutions for research-
ers. Particular attention was paid to the characteristics of
IoT devices and the current challenges of banning the IoT
IDS extension. For this reason, firstly, the authors selected
24 articles in Sect. 3 and then reviewed the selected papers

Table 6 Discussed the Hybrid approach and its properties

Detection method: hybrid
# Authors Main idea Advantages Challenges Placement Validation strategy Architecture
strategy

1 Davahli Proposing to developing a bio- High precision It is still Distributed Simulation IoT-WSN
[76] inspired hybrid method called High efficiency susceptible to
GA–GWO various
threats
Low scalability
Low robustness
2 RM [77] Proposing a DNN Classifier Model High accuracy High Distributed Simulation Healthcare-
based on the hybrid PCA-GWO Low detection complexity IoT
to identify attacks time High energy
consumption
3 Li [78] Proposing a semi-supervised High performance Low scalability Distributed Simulation IoT
learning algorithm based on High accuracy vulnerabilities
disagreement, which can use the to different
unlabeled classification data data
characteristics
Vulnerable to
advanced
insider
attacks
4 Bostani and Proposing IDS based on the Can run on a High Hybrid Simulation IoT
Sheikhan MapReduce architecture distributed space complexity By C#.Net
[79] in parallel Low scalability programming
This can lead to a
substantial
reduction in
communication
costs
5 Moizuddin Proposing an IDS in the form of a High accuracy High energy Hybrid MATLAB ? NSL- IoT
and Jose two-stage design, with selecting Low delay consumption KDD and BoT-
[80] features conducted by a IoT
-Low complexity
GMGWO and an ECAE
6 de Souza Proposing a high-precision and Low memory High Hybrid Simulation IoT-Fog
[81] recall a hybrid system of binary usage complexity By Python
classification Low processing High energy
time consumption
High accuracy

123
Cluster Computing
in Sect. 4 that proposed special approaches of IDS for the
IoT area based on SLR goals. The papers between 2018
and 2022 were published. Although, the authors presented
a classification to categorize selected papers, which is
dependent on the considering properties: (1) IDS place-
ment strategy (2) detection method (3) main ideas (4)
challenges (5) advantages, and (6) validation strategy.
Also, the authors perceived that the research of IDS
mechanisms for IoT is still in the initial stage. The put
forward solutions do not envelop a vast scope of attacks
and IoT platforms. It is because of that many attack
methods have become complex more than before and it
requires advanced and smart techniques such as ML
methods for dealing with new attacks. Besides, almost it is
not obvious which placement strategies and detection
methods are enough for IoT platforms. Finally, validation
strategies are not a well effective or coherent whole. In the
following, the authors briefly describe a summary of the
above-mentioned methods.
IDS server placement is a critical success factor for
attack detection. In the centralized configuration, IDS
examines all traffic that enters and exits the border router
from the associated IoT objects. The downside of the
centralized deployment technique is that it does not detect
threats within internal IoT environments. The IDSs in the
dispersed deployment technique are scattered among the
network’s numerous IoT objects. Because of the resource
constraints of the IoT network, each system should be
designed separately, and the IDS must be lightweight. The
centralized and dispersed placement strategies are com-
bined in the hybrid IDS placement. It focuses on the ben-
efits of both strategies while avoiding their drawbacks.
Distributed IDS is made up of two or more IDS points
spread throughout a network(s) that communicate with one
another. A centralized IDS is used in certain dispersed
systems to oversee the other security systems deployed in
other IoT systems on the same system. In a distributed IoT
MEC context, distributed IDS functions through a mecha-
nism of cooperative smart applications deployed over the
network. Because of the limited resources available in IoT,
distributed data-flow programming models are employed to
create IoT applications on the MEC system. The IDS is at
the center of the centralized approach based on the MEC
platforms. Most network system administrators use cen-
tralized placement tactics and deploy intrusion detection
systems in the border router. Monitoring network infor-
mation that passes via the border router, on the other hand,
is insufficient for detecting assaults involving IoT devices
on the network. The scientists must next design an IDS -
that can analyze the communication between IoT objects.
IDS could be deployed independently of IoT, edge, fog, or
in a cloud server. The positioning of the IDS in the cloud
server and the cloud server’s separate placement has a
significant impact on the cloud server’s CPU and RAM
use. Using a separate IDS server to detect attacks from
within the virtual machine in cloud computing is quite
tough (IDS server placement outside the cloud server). An
IDS server must be installed on the cloud server to detect
cloud computing threats. Considering such attempts, the
majority of IoT IDS systems are centralized, in which
devices transfer their local data to cloud data centers or
servers with significant processing resources, where it is
analyzed using ML/DL methods. Such a scenario poses
several important considerations that must be considered.
Firstly, end users may be concerned about the leak of IoT
devices’ local data since an attacker may deduce users’
daily activities by examining the traffic of their gadgets,
such as wearables. Such an element might potentially be
problematic for a business if nodes exchange network
traffic with third parties. Secondly, given the dynamics of
typical IoT systems, the time necessary to notice a possible
attack might become a critical feature (or a limiting factor
if computation time is significant) in preventing its prop-
agation in a system. It could be especially important to
offer early detection of generic malware used to take over
weak IoT systems and quickly propagate to construct
botnets. In the event of employing conventional cloud
datacenters, the delay resulting from communicating a
significant amount of data with datacenters may be costly
or may reduce the efficacy of the IDS placement. Though
current techniques advocate the use of edge/fog comput-
ing, to balance computational resources in IDS deploy-
ment, such a method still creates privacy problems because
device data is shared with other individuals, namely,
edge/fog nodes. Thirdly, numerous IoT applications
include resource-constrained objects connecting via wire-
less networks with restricted throughput and bandwidth.
Regular transfer of device network data may constitute a
significant overhead for IoT systems with a large number
of linked objects. Furthermore, despite the potential bene-
fits of using ML methods to enhance IoT IDS methods, the
majority of such ML-enabled IDS implementations are
centralized, with a single entity receiving network traffic
data from many objects to train a specific ML model. As a
result, this entity has access to the entire network traffic
resulting from the communication of the multiple
objects participating in the training process, as well as the
local data of the devices. That might lead to privacy
problems. Because of the volume and sensitivity of data
shared through specific objects, including wearable or
eHealth systems, this problem may be worsened in IoT
systems; hence, decentralized data management methods
are critical.
Our findings, as shown in Fig. 11, reveal that detection
accuracy is high in 14 of the 24 publications examined.
Consequently, detection accuracy has the highest rating,
123

Fig. 11 The parameters in the papers were evaluated
but scalability has the lowest. Flexibility is ranked second,
and energy consumption is ranked third, while false posi-
tive, robustness, and complexity are ranked lowest. This is
normal because anomaly-based approaches have a high
false-positive rate. All of the papers in the signature-based
techniques have high detection accuracy because signature-
based detection can identify specific attacks. However, in a
real-world IoT setting with a variety of other attacks,
detection accuracy plummets. Because of the complexity
of computation, 77% of the papers in the hybrid IDS are
real-time, and 21% are about resource consumption; thus,
we can assume that the hybrid scheme’s resource con-
sumption is high. 61% of studies in the specification-based
IDS have good detection accuracy, but the majority of
them have a high false-positive rate and resource usage.
Furthermore, as seen in Fig. 12, 43.8% of the simulations
were performed in the Cooja environment, 28.1% in
Python, 12.5% in NS-3, 9.4% in MATLAB, and the
remainder were theoretical.
Besides, anomaly detection is concerned with the iden-
tification of events that appear anomalous concerning
normal system behavior. A wide range of techniques,
including hidden Markov models and statistical modeling,
have been investigated in different directions to address the
problem of anomaly detection [82]. The anomaly-based
approach involves data collection for legitimate user con-
duct over a period and then the use of statistical tests to
determine whether or not this behavior is legitimate [83]. It
has the advantage that attacks not previously identified
have been detected. The key element for using this
approach efficiently is the generation of rules so that the
Fig. 12 The distribution of different simulation environments used in
IoT-IDS
123
Cluster Computing
false alarm rate can be reduced for unknown and known
attacks [84]. Also, signature-based approaches are intro-
duced to provide appropriate detection results for identi-
fied, specified, and well-known attacks. Although new
unknown intrusions cannot be detected, even if they are
constructed as minimal variants of already known attacks,
as well as anomaly-based attacks have a big advantage over
signature-based attacks: they can detect threats for which
no signature exists yet, including zero-day attacks. Curi-
ously enough, these claims are not empirically supported in
the literature [85].
The specification-based provides the desired behavior of
a system through its functionality and the use of security
policy. Any sequence of operations carried out outside the
specifications of the system is regarded as a security breach
[86]. To maintain high precision detection while reducing
the costs of defining the requirements manually, specifi-
cation-based methods have been integrated with an auto-
mated reaction or combined with anomaly-based methods.
The cost of defining the specifications was always a barrier
to extending the IDS application beyond some protocols
based on specifications [87]. So, specifications-based
methods are similar to the detection of anomalies because
they detect attacks as abnormalities. Also, contrary to ML
approaches, specification-based approaches are based on
manually developed specifications that capture legitimate
system behavior. They avoid the high rate of false alerts in
the anomaly detection approach due to legitimate but
unseen behavior. However, their downside is that it may
take time to develop detailed requirements. Therefore,
trade-off-based development efforts must be made to
achieve higher false negative values [88].
The hybrid approaches combine the positive character-
istics of both IDSs to achieve greater detection accuracy,
lower false alarms, and thus an increased cyber trust [89].
Usually, hybrid detection systems train and abuse a
detection model and an anomaly detection model sepa-
rately, then aggregate the findings [90]. For example, if at
least one of the two models categorizes a traffic connection
as an attack, Hybrid IDS considers it an attack. The
detection rate has improved in this scenario, but the IDS is
still prone to false positives. False alarms are decreased,
but many attack connections might be ignored if the hybrid
technique considers an attack only when both models
identify the link as an attack [91]. Furthermore, our
statistics as shown in Fig. 13 that the IoT environment is
the most extensively used in papers for IDS usage,
accounting for 56% of all papers and being used in almost
every category. Also, cloud-IoT systems ranked second in
the papers with 16%. Furthermore, medical-IoT is the third
most regularly utilized context in these studies, accounting
for 8% of the total. Moreover, as demonstrated in Fig. 14,
when it comes to placement strategy analysis, distributed
Cluster Computing
Fig. 13 The frequency of environments is utilized in IoT-IDS
Fig. 14 Analysis of placement strategies in reviewed publications and
their frequency
ranks first with 53%, hybrid ranks second with 37.5%, and
centralized ranks last with 8.3%.
In IDS, data may be acquired in two different ways:
firstly, by utilizing existing datasets, and secondly, by
developing one’s dataset. Various databases are widely
employed. KDD-99 is one of the oldest and biggest data-
sets, and although being very unbalanced, it is still utilized
owing to a lack of alternatives. NSL-KDD was designed to
address the problems with KDD-99. This is one of the
baseline databases used for IDS methods, regardless of
whether it is old because the threats in this database are
generally outdated. UNSW-NB15, with 49 features and 10
target classes, essentially eliminates the skewness of KDD-
99 and NSL-KDD, whereas KDD has 41 features and 5
targeted classes. CTU13 has 13 scenarios for Botnets; each
of these Botnet instances is currently in operation. For each
capture, a distinct malware is activated, which conducts
various tasks utilizing distinctive protocols. ISOT is a
widely used dataset, especially for IoT Botnet attack
datasets. Figure 15 shows a comprehensive analysis of
some of the datasets utilized in the examined articles. In the
research, there are various tools and approaches for con-
structing a dataset. Wireshark is a network traffic capture
and presentation tool. Because DoS tools generate pre-
dictable traffic, detection rates are high. In addition, anal-
ogous to DARPA, Spleen is a software tool for building a
dataset. Further components can be added to this program
to improve its effectiveness. CICFlowmeter is a java-based
network feature extraction application for raw network
Fig. 15 Analysis of datasets in reviewed publications and their
frequency
samples. It records 80 characteristics and saves them as a
pcap or CSV file for statistical evaluation. Also, Kyoto
2006 ? used honeypots, darknet sensors, email servers, a
web crawler, and other network security measures to col-
lect network traffic records for the Kyoto 2006 dataset.
From 2006 through 2015, the most recent dataset contains
traffic statistics. Each record includes 24 statistical attri-
butes, 14 of which are obtained from the KDD Cup’99
dataset and the other ten are optional.
In addition, when it comes to ML and DL approaches,
they are widely utilized in the IoT-IDS domain. Convolu-
tional Neural Networks (CNNs) are a type of DL structure
that is better suited to data stored in arrays. It has an input
layer, a feature extraction stack comprising convolutional
and pooling layers, and a fully connected layer with a
softmax classifier in the classification layer. In the realm of
medical imaging and computer vision, CNN is a huge
success. They are utilized in the IDS to perform supervised
feature extraction and classification. Recurrent Neural
Networks (RNN) are developed to model sequence data
and enhance the capabilities of standard feed-forward
neural networks. Input, hidden, and output units make up
an RNN, with the hidden units serving as memory com-
ponents. Every RNN unit uses its current input and the
output of the previous input to make a decision. Auto-
Encoder (AE) is a widely used DL approach that pertains
to the unsupervised neural network class. It is based on the
principle of learning the best attributes and matching the
output as closely as possible to the input. It has the same
input and output layers as the input layer, but the hidden
levels are usually smaller than the input layer. AE is
symmetric and operates in an Encoder-Decoder mode.,
Sparse AE, Variational AE, and Stacked AE are three
kinds of AE. DNN is a fundamental DL framework that
allows the model to learn in layers. It has an input layer, an
output layer, and several hidden layers. Complex nonlinear
systems are also modeled using DNN. An increase in the
number of hidden layers improves the model’s abstraction
level and hence its capabilities. Deep Belief Network
(DBN) is a DL system that is built by layering numerous
Restricted Boltzmann Machines (RBM) and then adding a
123

softmax classification layer. An RBM is a two-layer model
that allows data to flow both ways. Each node in a layer is a
connected node in the preceding and subsequent levels in
DBN, nodes within one layer are not interconnected. DBN
is unsupervised pre-trained using the greedy layer-wise
learning strategy, then fine-tuned for meaningful features
using a supervised fine-tuning approach. DBN is utilized
by IDS for feature extraction and categorization.
Also, after gathering data on study assessment tech-
niques, 94% of papers use simulation techniques, while 6%
use theoretical or implementation techniques. As shown in
Fig. 16, 29% of papers detect DoS attacks, according to
distinguishable attacks. Flooding attacks were second with
11.3%, while User Datagram Protocol (UDP) and BOT
together were third with 9.7%. The majority of the papers
are about detecting DoS attacks, as far as we can tell. The
detection of other forms of attacks is covered in a small
number of articles. The total information gathered in this
analysis aids investigators in becoming acquainted with
highly established studies in the IDS field. Because of the
memory, storage, power, and computing limits of the
linked devices, routing in RPL-based networks is a difficult
undertaking. The RPL protocol has several configurable
settings to meet a variety of needs, including large-scale
deployments, diversity, and portability, as well as change-
adaptive mechanisms. Nevertheless, malicious actions,
including DoS, physical damages, and/or extraction of
sensitive information, such as Destination Oriented
Directed Acyclic Graph (DODAG) version, nodes’ rank
values, and IDs, are inevitably attracted to such network
contexts, which include resource-constrained nodes, sup-
porting dynamic topologies, and based on the passive
nature of the wireless medium. In essence, several devices
could be harmed by exploiting RPL; if the node plays a
significant role in the system, including parent nodes or
sinks, a combination of attacks could be used, with severe
implications ranging from node resource depletion result-
ing in a sharp increase in control overhead to severe
degradation of the protocol’s data delivery efficiency.
Fig. 16 Distinguished attacks that is employed for evaluations
123
Cluster Computing
Additionally, network-based attacks may not be specifi-
cally targeting RPL, including (Distributed) DoS attacks.
Because of the characteristics of RPL-based IoTs, includ-
ing evolving typologies, the passive essence of the wireless
medium, and resource-constraint nodes, RPL-related
threats are diverse and can be divided into three categories:
network traffic attacks, network topology attacks, and
resource depletion attacks. Resource depletion threats, in
particular, are hostile operations that aim to exhaust nodes’
processing, storage, or energy resources by giving the
appearance of continuing activity. Considering that the
node’s functioning is intrinsically related to the use of
computing, memory, and energy assets, any overhead is
proportional to their excessive usage. Local consequences
may occur, or, even worse, network availability and per-
formance may be impacted, resulting in routing loops,
needless, congestion and network traffic. Sub-optimization
and Isolation threats, which disturb node communication
and DODAG structure, accordingly, are two types of net-
work topology strikes. In reality, sub-optimization threats
harm the network’s capacity to achieve optimal conver-
gence, for example, they hinder the development of opti-
mal routes, affecting network traffic and degrading network
services. Topology inconsistencies, considerable packet
losses, increased end-to-end delays, network congestion,
and node resource depletion are some of the most prevalent
results. Because of the mobility of the nodes, the afore-
mentioned effects can be more harmful in dynamic net-
works. Also, isolation threats take use of the RPL
network’s tree topology to cut off part(s) of the network by
stopping nodes’ connection with their parent or sink-node.
Loss of network traffic, increased end-to-end delays, con-
siderable service quality degradation, and isolation of sub-
graph sections with starving of their participating nodes are
just a few of the consequences. Blackhole attacks are the
most prevalent isolation attacks. Furthermore, network
traffic attacks to monitor and intercept network traffic to
obtain or deduce information, such as rank value, or DO-
DAG version, that can later be exploited by attacks.
eavesdropping and misappropriation attacks are classed
based on how the traffic is impacted. In the first scenario,
the attacker watches and examines network communica-
tions, whether via broken node or by directly ‘‘listening’’ to
wirelessly transmitted packets. In this manner, he/she has
accessibility to the structure and routing-related details or
even to the relevant information of the transmitted packets.
Two of the most well-known eavesdropping techniques are
sniffing and network traffic analysis.
Cluster Computing
10 Open issues
One of the most crucial challenging issues in the area of
IDSs, and there is a variety of work to be done in this
domain. A large number of research articles on IDSs for
IoT have been published. Also, papers show the assessment
of their methods based on synthesized datasets and discuss
a particular problem that does not work in real-world
scenarios. As can be seen from this and other relevant
modern studies carried out on the IDS for IoT, it is very
difficult to create an IDS that embraces at least the most
important viewpoints of a powerful IDS, in essence, is
scalable, online, operates effectively on real data, deploy-
able and meets the requirements of all stakeholders.
Preferably, much of the published work shares the findings
of the evaluation tested on built datasets covering a single
or any portion of the process, and uses biased criteria to
describe the performance. So. we are discussing some of
the problems that need to be considered in this part in the
future. Therefore, one of the judgments in this investigation
is that it is very difficult to create a comprehensive IDS that
can provide guarantees of robustness, scalability, accuracy,
and assurance against all types of threats. Here are some of
the big obstacles facing researchers today and in the future.
Since the IoT security standards have not yet matured,
there is tremendous scope for future research in this field,
especially through the use of ML techniques.
10.1 ML
As a challenge to future work, researchers can explore the
use of ML techniques with specialized cloud-based IDS to
gather knowledge. Transfer learning, Reinforcement
Learning (RL), and semi-supervised learning methods are
still not well investigated and analyzed with the purpose of
the IoT security to reach significant aims, such as accel-
erated training, and real-time and unified IoT anomaly
detection models, and are potential fields for future study.
Besides, using RL in conjunction with a DNN will be an
important research field because their combined use can be
useful in IoT network scenarios that involve broad data
dimensionality and non-stationary environments. To train a
large dataset model, ML-based and DL approaches are
commonly used, and this has allowed cyber-attacks to be
successfully managed. Some issues need to be addressed in
terms of the use of DL algorithms to detect attacks; for
example, resource limitations with IoT devices hinder the
use of ML or DL algorithms to protect IoT networks.
Another problem with the use of DL techniques in dis-
tributed networks, such as IoT networks, is that, for
instance, concerning the various scenarios of IoT imple-
mentation, they face scalability problems. The use of an
ensemble of DNNs that served better compared to a
specific ML algorithm is one possible solution to the
constraints of the particular DL method proposed; how-
ever, such methods were computationally costly and thus
created network latency problems that can not be managed
in sensitive systems that need risks to human lives, such as
health and autonomous life.
Also, It is very demanding to create an online and real-
time, anomaly-based IDS for IoT networks. This is because
such an IDS will involve studying normal behavior to
recognize abnormal behavior first. The learning process
implies that no noise or attack traffic can not be guaranteed
during this time. Such an IDS will produce false alarms if
these problems are not dealt with. Also, some of the net-
work-based IDS anomalies seek to build a model that
records the profile of all possible regular traffic incidents or
patterns. However, this is very complicated, since it has
been shown that some models seem to tend toward the
dominant class of nature. The regular class results in high
rates of false-positive. Besides, all potential normal con-
siderations that may be made on the network, especially in
the heterogeneous context of the IoT network, which
increases false-negative rates, cannot be reported. Another
research challenge in the IDS network is to completely
minimize or eliminate false-negative rates and false-posi-
tive rates. Also, developing models trained on particular
types of devices will be important. Using a common style
of object, these templates can be extended to IDSs in other
organizations. This would benefit other organizations that
can deploy these models and thus save the resources nee-
ded to gather the knowledge and train the IDSs. It would
benefit to spot malicious IoT objects that are already
infected because their actions will vary from the usual
behavior that qualified models capture. It is a daunting
activity and a promising area for future study to build such
models. Also, several studies focused on using IoT data
mining methods to make it more intelligent and provide
intelligent devices and services. Therefore, the use of data
mining techniques and computational intelligence methods
is yet another candidate for future work to improve the IDS
framework performance.
10.2 The efficiency of the IDS methods
IoT objects are resource-restricted because, along with
short battery life, they have less storage and processing
capability. Computing and storage-intensive procedures
that demand more power in terms of such parameters
cannot be carried out by such devices. It is also suggested
that small message sizes be used in the IDS method. The
reasoning behind this is that when sending and receiving
large messages, it may utilize other object resources that
cause rapid battery drainage of the sensors. The IDSs must
123

therefore be designed in such a way that, without sacri-
ficing the technique itself, the suggested method should
have lower communication and storage costs. As another
challengeable future work, to evaluate the behavior of the
IDS in IoT, new tests will be conducted using a larger
number of virtual machines that perform DoS attacks.
Attacks using a real machine are also carried out because it
is evaluated if some variations in detections occur.
10.3 Multi-stage attacks
Over multiple stages, a common intrusion is accomplished,
each trying to exploit a special vulnerability. These
advanced attacks are known as multi-stage attacks, and
common techniques such as IoT are common and emerging
computing systems. Authors assume that IoT systems’
dynamic essence is non-trivial, requiring specific efforts to
address the challenge of multi-stage attack detection. It is
an interesting area for further work to address protection
and detection within the IoT systems against multi-stage
attacks.
10.4 IDS Cross-platform
The heterogeneity of the IoT ecosystem creates problems
when the authors plan to deploy IDS and it allows for the
interconnection of different fields of operation, but it cre-
ates challenges for the efficient design of the IDS method.
For example, to access the data, a smart home application
requires a health care sensing device, the IDS must be
compatible and powerful, so that the data from the target
network can be recovered without any issues. It should be
noted, however, that data is most of the time saved on a
cloud for which various IDS methods are needed. For such
applications, authors need successful and powerful IDSs to
present smooth communication over the different IoTs.
10.5 IDS security
The IoT IDS techniques are typically not secure because
they do not have full evidence of protection against dif-
ferent kinds of attacks. Any of the approaches in the lit-
erature are particular attacks and do not achieve several
attacks simultaneously. It is therefore important for authors
to create such an IDS approach that should be both secure
and resilient against multiple attacks at the same time.
Outlining such a technique may be a challenge owing to the
resource restrictions of IoT objects.
10.6 Scalability
WSN combined IoT is a variety of different large-scale
networks with numerous communication models and
123
Cluster Computing
applications with their abilities and conditions. By and
large, for this form of communication environment, the
IDS will be a challenging challenge. Authors may have
electronic health records of those users saved for further
analysis on an IoT-enabled cloud server. Different objects
generate information and send it to the cloud inside the
Body Area Network (BANs). Consequently, multiple
communicative instruments creates a heterogeneous net-
work. Therefore, researchers require a special form of IDS
that can preserve all kinds of objects in a communication
environment of this nature. In the future in this direction, a
further deep investigation is needed.
10.7 Cloud server data privacy
Data privacy outlines how the details of the various
resources should be maintained. Also, IoT-based system is
utilized for information-sensitive purposes such as smart
healthcare. Smart health objects are placed around the
patient’s body in such a privacy-demanding environment to
identify her or his health data and send data for processing
and storage to the cloud servers. As we know, such a form
of communication environment will be targeted by various
kinds of intrusions. Besides, this creates a disturbance in
data processing and loss of stored data as well. Maintaining
the privacy of data, i.e. data stored and data in transit, then
becomes essential. Researchers also need modern, effective
schemes to protect the privacy of stored data and data in
transit. Furthermore, the privacy-aware IDS should be
configured to protect the privacy of the system and user in
the IoT environment.
10.8 IoT environment heterogeneity
As we have various kinds of things ranging from full-edge
desktops, notebooks, and personal digital assistants to low-
powered sensing objects and low-end RFID tags, IoT-based
communication circumstances vary in nature. Besides,
these objects operate under the guidelines of various forms
of protocols for communication. It is also necessary to bear
in mind that these devices vary in terms of their operating
system, range of communication, processing power, and
storage. Researchers need to develop an efficient IDS in
such a way that all various kinds of objects and associated
technologies are covered.
In addition, exploring the formal verification and
behavioral modeling of the examined strategies are
promising research directions for the future. Eventually,
combining some meta-heuristic techniques like world cup
optimization algorithm, differential evolution, harmony
search, Particle Swarm Optimization (PSO), bee colony,
mixed-integer genetic algorithm, imperialist competitive
algorithm, and imperialist competitive method with neural
Cluster Computing
networks and fuzzy logic for designing efficient IDSs is an
exciting line of research for the future.
10.9 Low power networks (LP-WPANs)
The presented IDSs primarily assume a network scenario
with a set amount of nodes in a static environment. A low
power network, on the other hand, is a lossy and unsta-
ble dynamic network. Devices may shift in and out of the
system constantly. Therefore, the number of nodes fluctu-
ates over time. Moreover, while building IDS for RPL, it is
critical to address such a dynamic, unpredictable, and
scalable network since such factors have a direct impact on
the detection of attacks including selective-forwarding
attacks, sinkholes, flooding, and so on. In addition, one of
the primary constraints that make IDS adoption in IoT
contexts difficult is the resource-constrained nature of IoT
systems. Because of the computational cost, traditional
IDSs cannot be applied in an IoT context. These method-
ologies need a large number of resources, including
memory/storage for data categorization, which is not nor-
mally accessible in such situations. As a result, lightweight
IDSs with fewer resources are required. Also, maintaining
all security criteria is a big challenge for low-cost IoT
devices. Because of these limits, DL methods’ capabilities
could not be used. DL approaches combined with sophis-
ticated hyperparameter adjustment methods might be used
to solve this problem. However, DL does not always
necessitate feature engineering, doing so makes the design
lighter. The models may then be employed at the node
level, providing for speedier action in the event of an
attack. So, effectively employing DL methods will help
alleviate the effect of resource constraints while also uti-
lizing newly accessible methodologies.
10.9.1 Industrial IoT
To ensure the safety of linked systems and supplied ser-
vices in the new era of Industry 4.0 and IIoT, a unique
IDS must be designed. Prevention techniques for particular
threats to the IIoT ecosystem, such as smart grid, trans-
portation, smart industrial, and so on, require further
investigation. Creating a lightweight security strategy for
smart grid applications based on a low-computation
method appropriate for restricted devices.
10.9.2 IoT devices with federated learning
In terms of memory, processing power, and energy con-
sumption, the computational needs of well-known ML
techniques may not be met by restricted IoT devices. This
problem could be exacerbated when using DL approaches,
which need far more processing resources than ML. A
contemporary trend is to employ intermediary nodes at the
network edge to solve these restrictions, with end devices
sending their data to these nodes functioning as federated
learning clients. In a federated learning scenario, some
authors utilize intermediary entities in charge of executing
local training. Nevertheless, exchanging network traffic
with these intermediary nodes to identify possible threats
might still cause privacy problems. Other options include
segmenting and displaying data to reduce the amount of
data that has to be provided, as well as studying feature
selection. As a result, further research is needed to better
understand the practical constraints of federated learning
methodologies in IoT contexts, as well as the privacy and
security implications of edge computing systems. A
promising study topic in this regard is the use of TinyML
frameworks, such as TensorFlow Lite, in federated learning
settings.
11 Conclusion and limitation
To the remarkable growth experienced by IoT, the amount
and range of security threats for such methods have risen in
number, demonstrating the value of an effective IDS.
While common security solutions are used in software
systems like firewalls and access control mechanisms, IDS
is also very important. Also, IDS is a flow that detects
malicious actions against the victims using a range of
mechanisms. Many techniques have already been presented
to detect possible intrusions into software systems. There is
also a need for the making of more robust IoT security
solutions. One of the principal approaches for IoT security
is ML-based IDS which is capable of the IDS method
acting intelligently. In this paper, a review of IDS inves-
tigation works for IoT was provided by the authors. In the
literature, the authors picked 24 papers that suggested
particular IoT IDS methods or developed IoT attack
detection techniques that could be elements of an IDS. The
papers considered for review have been published since
2018 based on the investigation of the state-of-the-art IDS
methods. The authors used a classification, which is based
on the detection process, to classify these articles. How-
ever, the main contribution of the authors in this paper is
divided into three parts: (1) An in-depth review of modern
IDS methods; (2) a detailed comparison of methods; and
(3), finally, suggestions for a wide range of challenges and
opportunities for future direction. The retrieved results
revealed that detection accuracy is at its peak of 35.9%. We
can see that 8.3% of the studies are centralized, while 54%
are distributed. Simulation approaches are used in 94% of
the publications, whereas theoretical or implementation
techniques are used in 6% of the studies. Furthermore,
Contiki/Cooja is used in 43.8% of simulation-based
123

articles. IoT environments are the most often used for
IDSs. Furthermore, KD-99 is the most commonly utilized
dataset. According to distinct attacks, 29% of papers detect
DoS attacks. Finally, we hope that the research findings
will be useful in the development of IDS-IoT methods in
real-world scenarios.
The goal of this research was to be comprehensive,
although there were certain limits. Some limitations
include a lack of research on local articles, a lack of
research on non-English publications, and a lack of
research on conference papers.
Funding Not applicable.
Data availability The paper contains all of the data.
Declarations
Conflict of interest The authors declare that they have no known
competing financial interests or personal relationships that could have
appeared to influence the work reported in this paper.
Ethical approval Not Applicable.
References
1. Andoni, M., et al.: Blockchain technology in the energy sector: A
systematic review of challenges and opportunities. Renew. Sus-
tain. Energy Rev. 100, 143–174 (2019)
2. Heidari, A., et al.: Internet of Things offloading: ongoing issues,
opportunities, and future challenges. Int. J. Commun Syst 33(14),
e4474 (2020)
3. Rahman, S.A., et al.: Internet of things intrusion detection: cen-
tralized, on-device, or federated learning? IEEE Network 34(6),
310–317 (2020)
4. Jamali, J. et al.: Towards the internet of things. Springer (2020)
5. Jamali, M.A.J., et al.: The IoT landscape. In: Towards the Internet
of Things, pp. 1–8. Springer, New York (2020)
6. Heidari, A. and N.J. Navimipour.: Service Discovery Mecha-
nisms in the Cloud Computing: A Comprehensive and Systematic
Literature Review. Kybernetes, (2021)
7. Venkatraman, S., Surendiran, B.: Adaptive hybrid intrusion
detection system for crowd sourced multimedia internet of things
systems. Multimedia Tools Appl. 79(5), 3993–4010 (2020)
8. Jamali, M.A.J. et al.: Towards the internet of things architectures,
security, and applications.
9. Dutta, M., Granjal, J.: Towards a secure internet of things: a
comprehensive study of second line defense mechanisms. IEEE
Access 8, 127272–127312 (2020)
10. Simoglou, G., et al.: Intrusion Detection Systems for RPL
Security: A Comparative Analysis. Computers & Security,
p. 102219 (2021)
11. Boyanapalli, A., Shanthini, A.: A Comparative study of tech-
niques, datasets and performances for intrusion detection systems
in IoT. In: Artificial Intelligence Techniques for Advanced
Computing Applications. Springer. pp. 225–236
12. Ramaiah, M., et al.: An intrusion detection system using opti-
mized deep neural network architecture. Transactions on
Emerging Telecommunications Technologies: pp. e4221
123
Cluster Computing
13. Ghobaei-Arani, M., Souri, A., Rahmanian, A.A.: Resource
management approaches in fog computing: a comprehensive
review. J. Grid Comput. 18(1), 1–42 (2020)
14. Souri, A., Ghobaei-Arani, M.: Cloud manufacturing service
composition in IoT applications: a formal verification-based
approach. Multimedia Tools Appl. pp. 1–20 (2021)
15. Jabraeil Jamali, M.A., et al.: IoT security. In: Towards the
Internet of Things: Architectures, Security, and Applications,
pp. 33–83. Springer International Publishing, Cham (2020)
16. Stojmenovic, I., et al.: An overview of fog computing and its
security issues. Concurr. Comput. 28(10), 2991–3005 (2016)
17. Balasundaram, J., A novel optimized Bat Extreme Learning
intrusion detection system for smart Internet of Things networks.
Int. J. Commun. Syst. p. e4729.
18. Almiani, M., et al.: Deep recurrent neural network for IoT
intrusion detection system. Simul. Model. Pract. Theory 101,
102031 (2020)
19. Heidari, A., et al.: Machine learning applications for COVID-19
outbreak management. Neural Comput. Appl. (2022)
20. Khraisat, A., Alazab, A.: A critical review of intrusion detection
systems in the internet of things: techniques, deployment strategy,
validation strategy, attacks, public datasets and challenges.
Cybersecurity 4(1), 1–27 (2021)
21. Heidari, A., et al.: The COVID-19 epidemic analysis and diag-
nosis using deep learning: A systematic literature review and
future directions. Comput. Biol. Med. p. 105141 (2021)
22. Jamali, M.A.J., et al.: IoT architecture. Towards Internet Things
pp. 9–31 (2020)
23. Heidari, A., et al.: A privacy-aware method for COVID-19
detection in chest CT images using lightweight deep conventional
neural network and blockchain. Comput. Biol. Med. p. 105461
(2022)
24. Yahyaoui, A., et al.: READ-IoT: reliable event and anomaly
detection framework for the internet of things. IEEE Access 9,
24168–24186 (2021)
25. Liu, Z., et al.: Intrusion detection systems in the cloud computing:
a comprehensive and deep literature review. Concurr. Comput., p.
e6646 (2021)
26. Meng, W., Li, W., Zhou, J.: Enhancing the security of block-
chain-based software defined networking through trust-based
traffic fusion and filtration. Inform. Fusion 70, 60–71 (2021)
27. Jamali, M.A.J., et al.: Some cases of smart use of the IoT. In:
Towards the internet of things, pp. 85–129. Springer, New York
(2020)
28. Balasundaram, J.: A novel optimized Bat Extreme Learning
intrusion detection system for smart Internet of Things networks.
Int. J. Commun. Syst. 34(7), e4729 (2021)
29. Kalathiripi, R.: Regression coefficients of traffic flow metrics
(RCTFM) for DDOS defense in IoT networks. Int. J. Commun
Syst 34(6), e4330 (2021)
30. Liang, W. et al.: Data Fusion Approach for Collaborative Ano-
maly Intrusion Detection in Blockchain-based Systems. IEEE
Internet Things J. (2021)
31. Heidari, A., Navimipour, N.J.: A new SLA-aware method for
discovering the cloud services using an improved nature-inspired
optimization algorithm. PeerJ Comput. Sci. (2021)
32. Sajith, P., Nagarajan, G.: Optimized intrusion detection system
using computational intelligent algorithm. In: Advances in
Electronics, Communication and Computing, pp. 633–639.
Springer, New York (2021)
33. Kumar, R., Tripathi, R.: DBTP2SF: a deep blockchain-based
trustworthy privacy-preserving secured framework in industrial
internet of things systems. Trans. Emerging Telecommun.
Technol. p. e4222 (2021)
Cluster Computing
34. Iqbal, S., et al.: On cloud security attacks: A taxonomy and
intrusion detection and prevention as a service. J. Netw. Comput.
Appl. 74, 98–120 (2016)
35. Vieira, K., et al.: Intrusion detection for grid and cloud com-
puting. It Professional 12(4), 38–43 (2009)
36. Patel, A., et al.: An intrusion detection and prevention system in
cloud computing: a systematic review. J. Netw. Comput. Appl.
36(1), 25–41 (2013)
37. Keserwani, P.K., et al.: A smart anomaly-based intrusion detec-
tion system for the Internet of Things (IoT) network using GWO–
PSO–RF model. J. Reliable Intell. Environ., pp. 1–19 (2021)
38. Manhas, J., Kotwal, S.: Implementation of intrusion detection
system for internet of things using machine learning techniques.
In: Multimedia Security, pp. 217–237. Springer, New York
(2021)
39. Hu, N., et al.: A multiple-kernel clustering based intrusion
detection scheme for 5G and IoT networks. Int. J. Mach. Learn.
Cybernet. pp. 1–16.
40. Jamali, M.A.J., et al.: Towards the Internet of Things: Archi-
tectures, Security, and Applications. Springer, New York (2019)
41. Wu, J.: Security and intelligent management for fog/edge com-
puting resources. In: Fog/Edge Computing For Security, Privacy,
and Applications, pp. 213–234. Springer, New York (2021)
42. Atul, D.J., et al.: A machine learning based IoT for providing an
intrusion detection system for security. Microprocess. Microsyst.
82, 103741 (2021)
43. Batiha, T., Krömer, P.: Design and analysis of efficient neural
intrusion detection for wireless sensor networks. Concurr. Com-
put. p. e6152 (2020)
44. Qiu, H., et al.: Adversarial attacks against network intrusion
detection in IoT systems. IEEE Internet Things J. (2020)
45. Yang, Z., et al.: A systematic literature review of methods and
datasets for anomaly-based network intrusion detection. Comput.
Secur. p. 102675 (2022)
46. Rani, R., et al.: Towards green computing oriented security: a
lightweight postquantum signature for IoE. Sensors 21(5), 1883
(2021)
47. Keserwani, P.K., et al.: A smart anomaly-based intrusion detec-
tion system for the Internet of Things (IoT) network using GWO–
PSO–RF model. J. Reliab. Intell. Environ. 7(1), 3–21 (2021)
48. Du, H., Zhang, Y.: Network anomaly detection based on selective
ensemble algorithm. J. Supercomput. 77(3), 2875–2896 (2021)
49. Irshad, M.: A systematic review of information security frame-
works in the internet of things (iot). in High Performance Com-
puting and Communications; IEEE 14th International Conference
on Smart City; IEEE 2nd International Conference on Data Sci-
ence and Systems (HPCC/SmartCity/DSS), 2016 IEEE 18th
International Conference on. IEEE (2016)
50. Bahram Abadi, R.M., Rahmani, A.M., Alizadeh, S.H.: Server
consolidation techniques in virtualized data centers of cloud
environments: A systematic literature review. Software 48(9),
1688–1726 (2018)
51. Al-Samarraie, H., Saeed, N.: A systematic review of cloud
computing tools for collaborative learning: opportunities and
challenges to the blended-learning environment. Comput. Educ.
124(May), 77–91 (2018)
52. Zarpelão, B.B., et al.: A survey of intrusion detection in Internet
of Things. J. Netw. Comput. Appl. 84, 25–37 (2017)
53. Almalawi, A., et al.: Add-on anomaly threshold technique for
improving unsupervised intrusion detection on SCADA data.
Electronics 9(6), 1017 (2020)
54. Eskandari, M., et al.: Passban IDS: An intelligent anomaly based
intrusion detection system for IoT edge devices. IEEE Internet
Things J. (2020)
55. Kim, S., Hwang, C., Lee, T.: Anomaly based unknown intrusion
detection in endpoint environments. Electronics 9(6), 1022
(2020)
56. Gothawal, D.B., Nagaraj, S.: Anomaly-based intrusion detection
system in RPL by applying stochastic and evolutionary game
models over IoT environment. Wireless Pers. Commun. 110(3),
1323–1344 (2020)
57. Alhakami, W., et al.: Network anomaly intrusion detection using
a nonparametric Bayesian approach and feature selection. IEEE
Access 7, 52181–52190 (2019)
58. Roy, S., et al.: A lightweight supervised intrusion detection
mechanism for IoT networks. Futur. Gener. Comput. Syst. 127,
276–285 (2022)
59. Vacca, J.R.: Computer and information security handbook.
Newnes (2012)
60. Li, W., et al.: Designing collaborative blockchained signature-
based intrusion detection in IoT environments. Futur. Gener.
Comput. Syst. 96, 481–489 (2019)
61. Li, J., et al.: Ai-based two-stage intrusion detection for software
defined iot networks. IEEE Internet Things J. 6(2), 2093–2102
(2018)
62. Meng, W., et al.: Towards blockchain-enabled single character
frequency-based exclusive signature matching in IoT-assisted
smart cities. J. Parall. Distribut. Comput. 144, 268–277 (2020)
63. Kumar, M., Verma, H.K., Sikka, G.: A secure lightweight sig-
nature based authentication for Cloud-IoT crowdsensing envi-
ronments. Trans. Emerging Telecommun. Technol. 30(4), e3292
(2019)
64. Otoum, Y., Nayak, A.: AS-IDS: anomaly and signature based
IDS for the Internet of Things. J. Netw. Syst. Manage. 29(3),
1–26 (2021)
65. Dı́az-Verdejo, J., et al.: On the detection capabilities of signature-
based intrusion detection systems in the context of web attacks.
Appl. Sci. 12(2), 852 (2022)
66. Mitchell, R., Chen, I.-R.: A survey of intrusion detection tech-
niques for cyber-physical systems. ACM Comput. Surveys
(CSUR) 46(4), 55 (2014)
67. Quincozes, S.E., et al.: GRASP-based Feature Selection for
Intrusion Detection in CPS Perception Layer. In: 2020 4th Con-
ference on Cloud and Internet of Things (CIoT). IEEE (2020)
68. Spathoulas, G., Katsikas, S.: Methods for post-processing of
alerts in intrusion detection: a survey. Int. J. Inform. Secur. Sci.
2(2), 64–80 (2013)
69. Cui, J.-F. et al.: Optimization scheme for intrusion detection
scheme GBDT in edge computing center. Comput. Commun.
(2020).
70. Sharma, V., et al.: BRIoT: behavior rule specification-based
misbehavior detection for IoT-embedded cyber-physical systems.
IEEE Access 7, 118556–118580 (2019)
71. Choudhary, G., et al.: Lightweight misbehavior detection man-
agement of embedded IoT devices in medical cyber physical
systems. IEEE Trans. Netw. Serv. Manage. 17(4), 2496–2510
(2020)
72. Siu, J.Y., Panda, S.K.: A Specification-Based Detection for
Attacks in the Multi-Area System. In: IECON 2020 the 46th
Annual Conference of the IEEE Industrial Electronics Society.
IEEE (2020)
73. Babu, M.J., Reddy, A.R.: SH-IDS: specification heuristics based
intrusion detection system for IoT networks. Wireless Pers.
Commun. 112(3), 2023–2045 (2020)
74. Violettas, G., et al.: A softwarized intrusion detection system for
the RPL-based Internet of Things networks. Futur. Gener.
Comput. Syst. 125, 698–714 (2021)
75. Santos, L., et al.: A flow-based intrusion detection framework for
internet of things networks. Clust. Comput. pp. 1–21 (2021)
123
 Cluster Computing

76. Davahli, A., Shamsi, M., Abaei, G.: Hybridizing genetic algo- Springer Nature or its licensor (e.g. a society or other partner) holds
rithm and grey wolf optimizer to advance an intelligent and exclusive rights to this article under a publishing agreement with the
lightweight intrusion detection system for IoT wireless networks. author(s) or other rightsholder(s); author self-archiving of the
J. Ambient Intell. Hum. Comput. (2020) accepted manuscript version of this article is solely governed by the
77. RM, S.P., et al.; An effective feature engineering for DNN using terms of such publishing agreement and applicable law.
hybrid PCA-GWO for intrusion detection in IoMT architecture. Arash Heidari received his B.Sc.
Comput. Commun. (2020) in Computer Engineering from
78. Li, W., Meng,W., Au, M.H.: Enhancing collaborative intrusion PNU, Iran, M.Sc. from IAU,
detection via disagreement-based semi-supervised learning in IoT Science and Research Branch,
environments. J. Netw. Comput. Appl. pp. 102631 (2020) Iran, in 2014 and 2017, respec-
79. Bostani, H., Sheikhan, M.: Hybrid of anomaly-based and speci- tively. Also, Ph.D. in Computer
fication-based IDS for Internet of Things using unsupervised OPF Engineering from Islamic Azad
based on MapReduce approach. Comput. Commun. 98, 52–71 University, Iran. He is the author
(2017) and co-author of several publi-
80. Moizuddin, M., Jose, M.V.: A bio-inspired hybrid deep learning cations in technical journals,
model for network intrusion detection. Knowl.-Based Syst. 238, conferences, and technical
107894 (2022) books. Besides, he is a reviewer
81. de Souza, C.A., et al.: Hybrid approach to intrusion detection in of several high-ranked journals.
fog-based IoT environments. Comput. Netw. 180, 107417 (2020) Arash is a guest editor for
82. Muhammad, G., Hossain, M.S., Garg, S.: Stacked Autoencoder- Cluster Computing (Springer),
based Intrusion Detection System to Combat Financial Fraudu- and Grid Computing journal (Springer). Moreover, Dr. Heidari is a
lent. IEEE Internet Things J. (2020) member of the IEEE ICCP conference’s technical committee. Arash is
83. Kumar, P., Gupta, G.P., Tripathi, R.: TP2SF: a trustworthy pri- also a member of IEEE, IEEE Communications Society, and IEEE
vacy-preserving secured framework for sustainable smart cities Young Professionals. In addition, Dr. Heidari is a consultant in vari-
by leveraging blockchain and machine learning. J. Syst. Archit. ous Iranian startups, including Aizheimer International Startup. His
p. 101954, (2020) current research interests are IoT and IoT Security, Resource Man-
84. Kumar, P., Gupta, G.P., Tripathi, R.: A distributed ensemble agement, Cloud Computing, Edge and Fog Computing, Image Pro-
design based intrusion detection system using fog computing to cessing, Deep Learning, and Blockchain.
protect the internet of things networks. J. Ambient Intell. Hum.
Comput. pp. 1–18 (2020) Mohammad Ali Jabraeil Jamali
85. Heartfield, R., et al.: Self-configurable cyber-physical intrusion received his B.Sc. in Electrical
detection for smart homes using reinforcement learning. IEEE Engineering from Urmia
Trans. Inf. Forensics Secur. 16, 1720–1735 (2020) University, Urmia, Iran, the
86. Satam, P. Hariri, S.: WIDS: an anomaly based intrusion detection M.Sc. in Electrical Engineering
system for Wi-Fi (IEEE 802.11) Protocol. IEEE Transactions on from Tabriz University, Tabriz,
Network and Service Management (2020) Iran, the M.Sc. in Computer
87. Gassais, R., et al.: Multi-level host-based intrusion detection Engineering from Islamic Azad
system for Internet of things. J. Cloud Comput. 9(1), 1–16 (2020) University, Science and
88. Singh, P. et al.: DaaS: dew computing as a service for intelligent Research Branch, Tehran, Iran,
intrusion detection in edge-of-things ecosystem. IEEE Internet and the Ph.D. in Computer
Things J. (2020) Engineering from Islamic Azad
89. Xu, X., et al.: Towards effective intrusion detection using log- University, Science and
cosh conditional variational autoencoder. IEEE Internet Things J. Research Branch, Tehran, Iran,
(2020) in 1994, 1997, 2003 and 2009,
90. Sadikin, F., van Deursen, T., Kumar, S.: A ZigBee intrusion respectively. He is an assistant professor of Computer Engineering at
detection system for IoT using secure and efficient data collec- Islamic Azad University, Shabestar branch. He is the author/co-author
tion. Internet Things 12, 100306 (2020) of more than 50 publications in technical journals and conferences.
91. D’Angelo, G., Castiglione, A., Palmieri, F.: A cluster-based His current research interests are processor and computer architec-
multidimensional approach for detecting attacks on connected tures, chip multiprocessors, multiprocessor systems-on-chip, networks
vehicles. IEEE Internet Things J. (2020) on chip, ad hoc and sensor networks, security, and the internet of
things.
Publisher’s Note Springer Nature remains neutral with regard to
jurisdictional claims in published maps and institutional affiliations.

123