A Deep Study of Novel Intrusion Detection Systems and Intrusion Prevention Systems for Internet of Things Networks

Abstract

Nowadays, Internet of Things (IoT) environments are evolving and becoming popular. The number of devices connected to the Internet continues to rise. IoT is an interrelated network of numerous devices in which data is automatically gathered from the environment by sensors and transferred over the Internet without human support or intervention. The IoT makes it easier for individuals to interact with real-world applications over the Internet. Modern innovations in IoT have extended the notion of smartness to computers, sensors, streets, buildings, and even communities. IoT appliances function in distinct environments to fulfill several purposes, resulting in a variety of computational devices and communication technologies employed in healthcare, education, military, agriculture, and commerce. Thus, IoT holds a lot of promise for enhancing social and corporate life. Nevertheless, IoT equipment is a soft target and prone to attacks, largely due to its resource limitations and the nature of its networks. Many approaches and technologies are used to protect IoT from varied attacks; Intrusion Detection Systems (IDS) and Intrusion Prevention Systems (IPS) are some of them, which can ensure the security, privacy, and reliability of the IoT. In this paper, we provide a deep study of many recent and pertinent IDS/IPS proposed between 2019 and 2022 for IoT networks, giving their key specifics, strengths, shortcomings, and challenges in order to spot the issues that still need to be handled. The paper also outlines the mainstream research direction and opens the way for new avenues of research for forthcoming researchers.
Procedia Computer Science 210 (2022) 94–103
1877-0509 © 2022 The Authors. Published by Elsevier B.V.
This is an open access article under the CC BY-NC-ND license (https://creativecommons.org/licenses/by-nc-nd/4.0)
Peer-review under responsibility of the Conference Program Chairs
10.1016/j.procs.2022.10.124
The 13th International Conference on Emerging Ubiquitous Systems and Pervasive Networks
(EUSPN 2022)
October 26-28, 2022, Leuven, Belgium
Z. Chiba*, N. Abghour, K. Moussaid, O. Lifandali, R. Kinta
LIS Labs, Faculty of Sciences Ain Chock, Hassan II University of Casablanca, 20100, Casablanca, Morocco
Keywords: Intrusion Detection System (IDS), Intrusion Prevention System (IPS), IoT Networks.
* Zouhair Chiba. Tel.: +212-671-657-123.
E-mail address: ZOUHAIR.CHIBA@univh2c.ma
1. Introduction
Currently, many electronic appliances can be connected to the Internet and offer data and services to users. The
Internet of Things (IoT) environments are evolving and becoming popular. The number of devices connected to the
Internet continues to increase. IoT is seen in most fields: home, culture, school, energy distribution, healthcare, finance,
tourism, smart cities, and transport. The objects of IoT are getting cleverer, interactions are becoming
instructive, and diagnosis is smarter [1]. The development of various technology fields, like automatic identification,
sensors, tracking, wireless communications, embedded computing, distributed services, and 5G networks, has raised
the possibility of utilizing advanced objects in our daily activities via the Internet [2]. IoT is a joint network of
interconnected devices; these devices can process information captured from miscellaneous types of sensors while
receiving and sending data using the Internet platform, and they can make decisions without any human intervention. In
the IoT, a thing can be anything on the planet: a person with a blood pressure monitor implant, a car endowed with
sensors that alert the driver when the tire pressure is low, a farm animal with a transponder, or any object that can
be assigned an IP address and has the ability to transfer data over a network. IoT devices could also be healthcare
devices, wearables, industrial robots, smart televisions, or smart city infrastructures that can be monitored and controlled
remotely. The IoT is defined by the intersection of the Internet and intelligent objects capable of communication and
interaction. This new paradigm has been identified as a key player in the Information and Communications Technology
(ICT) business in the coming years. Cisco Systems forecasted that the Internet of Things would generate $14.4 trillion
in income and cost savings for businesses between 2013 and 2022 [3].
With the huge growth of smart IoT devices, users are attentive to privacy and security. Networks
incessantly face diversified cyber-attacks from a large number of IoT devices. These IoT nodes are extremely prone
to various threats and attacks. The progress of many IoT-based applications, such as healthcare, smart city, smart home,
industry, agriculture, and transportation, indirectly invites attackers to acquire valuable sensitive
information. Constrained resources, non-standard implementations, and the lack of suitable techniques to provide
security in software and hardware create major loopholes in IoT-based networks. The heterogeneity and the large scale
of devices in these complex networks are the primary features that distinguish the security problem of IoT from that of
conventional networks, and these features make securing IoT devices more challenging. As a result, smart
IoT infrastructures are exposed to malicious behaviors, and the main security threats are intrusion,
malware propagation, distributed denial-of-service (DDoS) attack, routing attack, jamming attack, sinkhole attack,
sensor attack, replay attack, and mischievous sequence attack [4].
Two major solutions are found in the literature for detecting or preventing attacks, namely the Intrusion Detection
System (IDS) and the Intrusion Prevention System (IPS), respectively. IDS is a precautionary measure where the system
itself takes no action in case of intrusion/attack; instead, an alarm is raised. IPS is the punitive measure where an
action is taken by the system in case of intrusion. In IPS, an issue arises in the case of false positives, as legitimate
users can also get blocked. Table 1 presents a detailed comparative analysis of IDS and IPS systems [5].
Table 1. Comparative analysis of IDS and IPS systems.

| Intrusion Detection System (IDS) | Intrusion Prevention System (IPS) |
|---|---|
| IDS recognizes the threat and monitors the system | IPS is a regulatory system as it monitors and defends the system |
| Human intervention is required for action | IPS takes action based on the rule set, and no human intervention is required |
| IDS does not impact system performance | IPS may slow down the system |
| False alarm rate does not impact performance to the same extent as that for IPS | False alarm rate is a high concern |
| Legitimate users are not blocked as the system does not take action | Legitimate traffic might be blocked due to false alarms |

The rest of this paper is organized as follows: Section 2 gives the main security challenges and issues in IoT networks.
Sections 3 and 4 present a study of several novel and relevant IDS and IPS systems conceived for IoT networks,
respectively, while Section 5 provides a discussion of the IPS/IDS studied in the two previous sections and offers researchers
new guidelines and avenues of research. Finally, Section 6 ends with conclusions.
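The IDS/IPS trade-off summarized in Table 1 (alarm-only versus automatic action, and the cost of false alarms) can be made concrete by replaying the same traffic through one detection rule in both modes. This is an added example, not code from the paper; the traffic records, device names, threshold and the perfect-triage analyst are constructed assumptions.

```python
from dataclasses import dataclass, field

# Constructed sample traffic, ordered by time:
# (window start in seconds, source device, packets in window, ground truth).
# "sensor-7" sends one legitimate burst; "cam-3" floods from t=10 onward.
EVENTS = [
    (0, "sensor-1", 12, "benign"),
    (0, "sensor-7", 15, "benign"),
    (0, "cam-3", 14, "benign"),
    (10, "sensor-1", 11, "benign"),
    (10, "sensor-7", 240, "benign"),   # legitimate burst: a false alarm
    (10, "cam-3", 900, "attack"),
    (20, "sensor-1", 13, "benign"),
    (20, "sensor-7", 14, "benign"),
    (20, "cam-3", 950, "attack"),
    (30, "sensor-7", 16, "benign"),
    (30, "cam-3", 980, "attack"),
]
RATE_THRESHOLD = 200  # hypothetical rule: packets per window that raises an alarm


@dataclass
class Outcome:
    alerts: list = field(default_factory=list)
    delivered_benign: int = 0
    dropped_benign: int = 0
    delivered_attack: int = 0
    dropped_attack: int = 0


def run(events, mode, review_delay_s=None):
    """Replay events through one detector in 'ids' or 'ips' mode.

    ids: alarms only. With review_delay_s set, an analyst (assumed to triage
         perfectly) blocks a confirmed attacker that many seconds after its
         first alarm and dismisses false alarms.
    ips: the rule itself blocks a flagged source at once, right or wrong.
    """
    if mode not in ("ids", "ips"):
        raise ValueError("mode must be 'ids' or 'ips'")
    auto_blocked = set()      # sources blocked by the IPS rule
    analyst_block_at = {}     # source -> time the analyst's block takes effect
    out = Outcome()
    for t, src, pkts, truth in events:
        if pkts > RATE_THRESHOLD:
            out.alerts.append((t, src))
            if mode == "ips":
                auto_blocked.add(src)
            elif review_delay_s is not None and truth == "attack":
                analyst_block_at.setdefault(src, t + review_delay_s)
        dropped = (src in auto_blocked
                   or t >= analyst_block_at.get(src, float("inf")))
        key = ("dropped_" if dropped else "delivered_") + truth
        setattr(out, key, getattr(out, key) + pkts)
    return out


if __name__ == "__main__":
    for label, result in [
        ("IDS, nobody acts on alarms", run(EVENTS, "ids")),
        ("IDS, analyst acts after 15 s", run(EVENTS, "ids", review_delay_s=15)),
        ("IPS, automatic blocking", run(EVENTS, "ips")),
    ]:
        print(f"{label}: alarms={len(result.alerts)} "
              f"attack delivered={result.delivered_attack} "
              f"benign dropped={result.dropped_benign}")
```

With this data the IPS stops every attack packet but also cuts off the legitimate device after its single burst, while the IDS blocks no legitimate traffic and lets attack traffic through until a human acts.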
2. Security Challenges and Issues In IoT Networks
IoT devices are a soft target for unauthorized users or hackers, as they are easier to compromise than regular PCs for the
following reasons [6,7,8]:
- Countless IoT devices are connected to the Internet without any security updates. Moreover, IoT software
  manufacturers don't regularly upgrade their apps unless the user initiates firmware updates.
- IoT devices do not incorporate powerful security features because their computing and power
  resources are restricted. These systems cannot run full-fledged protection protocols; accordingly, IoT devices are prone
  to attacks.
- Security is given a low priority in the design and development of IoT appliances.
- Login credentials, whether provided by the user or by the manufacturer, are weak in IoT devices.
- Sometimes a few backdoors are left by vendors of IoT equipment to provide remote support for the device.
- IoT devices are commonly connected to the Internet without passing through a firewall.
- IoT devices mostly operate in unattended and unsupervised environments, hence there is a real risk that an
  attacker can deliberately gain physical access to them.
- Attackers can obtain valuable information from the communication channel by covertly eavesdropping on the conversation,
  since most IoT devices use wireless links.
- Low integrity verification.
- Improper authentication or authorization.
- Insecure web interfaces: weak password protection mechanisms, SQL injection attacks, insufficient account
  lockout, and cross-site scripting.
Besides the challenges listed above, there are important security issues [4] that characterize the
security demands of various IoT-based applications:
- Authentication
- Confidentiality
- Self-Healing
- Fault-Tolerance
- Resilience
- Data Freshness
- Anonymity
- Liability
- Trust
3. Intrusion Detection Systems For IoT
This section presents a critical study of five recent and pertinent research works providing novel IDSs for IoT networks.
As shown in Table 2, for each one we give the category of the proposed methodology, the mechanisms employed to
build the IDS and thereby enable the detection of attacks targeting IoT networks, and the IDS datasets used.
Furthermore, we highlight the characteristics/strengths and the limitations/challenges of these works.
Kasongo [9] conceived an advanced IDS for Industrial IoT (IIoT), which was assessed using the UNSW-NB15
dataset. This IDS was built in two stages. The first stage involved implementing the Genetic Algorithm
(GA) in conjunction with the Random Forest (RF) model to pick the most prominent features to be used by tree-based
classifiers such as RF, Decision Tree (DT), Extra-Trees (ET), and Extreme Gradient Boosting (XGB). This
stage produced two sets of feature vectors. The first feature set, Vb, included 10 feature vectors destined for the binary
classification procedure. The second feature set, Vm, contained 7 feature vectors that were utilized for the multiclass
modeling process. The second stage consisted of implementing the aforementioned intrusion detection classifiers
(RF, DT, ET, and XGB) in two classification processes, namely binary classification and multiclass classification.
The Logistic Regression (LR) and Naïve Bayes (NB) algorithms were used as baseline models in the binary classification
and multiclass classification experiments, respectively. The experimental findings demonstrated that for the binary
modeling process, the GA-RF achieved a Test Accuracy (TAC) of 87.61% and an Area Under the Curve (AUC) of
0.98, using a feature vector that contained 16 features. For multiclass classification, the outcomes
showed that the GA-ET obtained a TAC of 77.64% using a feature vector that included 17 attributes.
The Internet of Things (IoT) is burgeoning as a fresh technology for the development of various critical
applications. Nonetheless, these applications still rely on centralized storage architectures and face numerous
pivotal challenges such as privacy, security, and single point of failure. In recent times, blockchain technology has
emerged as a backbone for IoT-based application development. The blockchain can be leveraged to address the
privacy, security, and single point of failure (third-party dependency) issues of IoT applications [10]. The integration
of blockchain with IoT can benefit both individuals and society. Although blockchain is verifiable and immutable, it
is still vulnerable to various attacks. The integration of IoT and blockchain has experienced massive growth in
revolutionizing stand-alone IoT applications. However, the number of attacks has also risen as a consequence. DDoS
attacks, often caused by flooding the mempool (memory pool) of the blockchain network, have harsh consequences for legitimate
users. Kumar et al. [10] developed a novel distributed Intrusion Detection System (IDS) using fog computing to
identify DDoS attacks against the mining pool in a blockchain-enabled IoT network. The suggested distributed
detection system works on three primary engines. The first, the traffic processing engine, comprises fog nodes that
preprocess network traffic by normalizing features with StandardScaler, which brings features to a common scale.
The second, the intrusion detection engine, follows the data preprocessing step and analyzes incoming IoT traffic
with two Machine Learning (ML) techniques, Random Forest and XGBoost, to detect
normal and abnormal transactions. The third, the transaction handling engine, classifies transactions
into normal and malicious instances based on the detection outcomes. Normal transactions are executed by miners in the mining pool and
then inserted into the blockchain network. The efficiency of the proposed model is evaluated using an actual IoT-based dataset,
BoT-IoT, which includes the most up-to-date attacks found in blockchain-enabled IoT networks. The results indicate that
XGBoost performs better for binary attack detection, whilst Random Forest performs better for multi-attack detection. On
the whole, on distributed fog nodes RF takes less time for training and testing than XGBoost.
Due to the limited resources (energy, memory, and processing capabilities) of IoT devices, fast and accurate intrusion
detection requires a high-accuracy neural network with a lightweight and efficient architecture and a
small number of parameters. To this end, Basani and Faghih [11] suggested a novel deep neural network-based NIDS
for IoT networks, which is characterized by a new and lightweight architecture based on the Parallel Deep Auto-Encoder
(PDAE). The PDAE deep learning model uses both local information and the information surrounding individual values in the
feature vector. This type of separation of features allows the model's accuracy to increase while greatly
reducing the number of parameters, the memory footprint, and the need for processing power. The efficiency of the
proposed model is assessed using the KDDCup99, CICIDS2017, and UNSW-NB15 datasets, and the outcomes
demonstrate the superiority of the suggested model over the state-of-the-art algorithms, namely the MemAE (Memory-
Augmented Auto-Encoder) and NDAE (Non-symmetric Deep Auto-Encoder) algorithms, in terms of both accuracy
and performance.
Saheed et al. [2] proposed a machine learning-based intrusion detection system (ML-IDS) for identification of IoT
network attacks. In the first phase of this research methodology, feature scaling was carried out by means of the
Minimum-Maximum (minmax) concept of normalization on the UNSW-NB15 dataset to limit information leakage
on the test data. This dataset is an amalgamation of recent attacks and regular or normal activities of network traffic
clustered into nine disparate attack types. In the next phase, dimensionality reduction was fulfilled with Principal
Component Analysis (PCA). Finally, six proposed machine learning models namely XGBoost, CatBoost, KNN, SVM,
QDA, and NB were trained and subsequently their prediction capabilities was evaluated on the basis of the benchmark
dataset UNSW-NB15. The experimental results of authors findings were assessed in terms of validation data-set,
accuracy, the area under the curve, recall, F1, precision, kappa, and Mathew correlation coefficient (MCC). The
findings were also benchmarked with the existing works, and their outcomes were competitive with an accuracy of
99.9% and MCC of 99.97%.
Z. Chiba et al. / Procedia Computer Science 210 (2022) 94–103 97
Author name / Procedia Computer Science 00 (2018) 000000 3
respectively. Section 5 then provides a discussion of the IPS/IDS studied in the two previous sections and offers researchers new guidelines and avenues of research. Finally, section 6 ends with conclusions.
2. Security Challenges and Issues In IoT Networks
IoT devices are a soft target for unauthorized users or hackers, as they are easier to compromise than regular PCs for the following reasons [6,7,8]:
- Countless IoT devices are connected to the Internet without any security updates. Moreover, IoT software manufacturers don't regularly upgrade their apps unless the user initiates firmware updates.
- IoT devices do not incorporate powerful security features because their computing and power resources are restricted. These systems cannot run full-fledged protection protocols and are accordingly prone to attacks.
- Security is given a low priority in the design and development of IoT appliances.
- Login credentials, whether provided by the user or by the manufacturer, are weak in IoT devices.
- Vendors of IoT equipment sometimes leave a few backdoors to give remote support for the device.
- IoT devices are commonly connected to the Internet without passing through a firewall.
- IoT devices mostly function in unattended and unsupervised environments, hence there is a real risk that an attacker can deliberately gain physical access to them.
- Attackers can obtain valuable information via the communication channel by covertly eavesdropping on the conversation, since most IoT devices use wireless links.
- Low integrity verification.
- Improper authentication or authorization.
- Insecure web interfaces: weak password protection mechanisms, SQL injection attacks, insufficient account lockout, and cross-site scripting.
Besides the aforementioned challenges, there are important security issues [4] that characterize the security demands of various IoT-based applications:
- Authentication
- Confidentiality
- Self-Healing
- Fault-Tolerance
- Resilience
- Data Freshness
- Anonymity
- Liability
- Trust
3. Intrusion Detection Systems For IoT
This section presents a critical study of five recent and pertinent research works that propose novel IDSs for IoT networks. As shown in Table 2, for each one we give the category of the proposed methodology, the mechanisms employed to build the IDS and thereby detect attacks targeting IoT networks, and the IDS datasets used. Furthermore, we highlight the characteristics/strengths and the limitations/challenges of these works.
Kasongo [9] conceived an advanced IDS for Industrial IoT (IIoT), which was assessed using the UNSW-NB15 dataset. This IDS was built in two stages. The first stage implemented the Genetic Algorithm (GA) in conjunction with the Random Forest (RF) model to pick the most prominent features to be used by tree-based classifiers such as RF, Decision Tree (DT), Extra-Trees (ET), and Extreme Gradient Boosting (XGB). This stage produced two sets of feature vectors. The first feature set, Vb, included 10 feature vectors destined for the binary classification procedure. The second feature set, Vm, contained 7 feature vectors that were utilized for the multiclass modeling process. The second stage consists of implementing the aforementioned intrusion detection classifiers (RF, DT, ET and XGB) in two classification processes, namely binary classification and multiclass classification. The Logistic Regression (LR) and Naïve Bayes (NB) algorithms were used as baseline models in the binary classification and multiclass classification experiments respectively. The experimental findings demonstrated that for the binary modeling process, the GA-RF achieved a Test Accuracy (TAC) of 87.61% and an Area Under the Curve (AUC) of 0.98, using a feature vector that contained 16 features. For the multiclass classification, the outcomes showed that the GA-ET reached a TAC of 77.64% using a feature vector that included 17 attributes.
The Internet of Things (IoT) is burgeoning as a new technology for the development of various critical applications. Nonetheless, these applications still rely on a centralized storage architecture and face numerous pivotal challenges such as privacy, security, and single point of failure. In recent times, blockchain technology has emerged as a backbone for IoT-based application development. The blockchain can be leveraged to address the privacy, security, and single point of failure (third-party dependency) issues of IoT applications [10]. The integration of blockchain with IoT can benefit both individuals and society. Although blockchain is verifiable and immutable, it is still vulnerable to various attacks. The integration of IoT and blockchain has grown massively and is revolutionizing stand-alone IoT applications. However, the number of attacks has risen as a consequence. DDoS attacks, often caused by flooding of the mempool (memory pool) in the blockchain network, have harsh consequences for legitimate users. Kumar et al. [10] developed a novel distributed Intrusion Detection System (IDS) using fog computing to identify DDoS attacks against the mining pool in a blockchain-enabled IoT network. The suggested distributed detection system works on three primary engines. The first, the traffic processing engine, includes fog nodes that preprocess network traffic by normalizing features with StandardScaler, which scales the features to a specific scale. The second, the intrusion detection engine, follows the data preprocessing step and analyzes incoming IoT traffic with two Machine Learning (ML) techniques, random forest and XGBoost, to detect normal and abnormal transactions. The third, the transaction handling engine, classifies transactions into normal and malicious instances based on the detection outcomes. Normal transactions are executed by miners in the mining pool and then inserted into the blockchain network. The efficiency of the proposed model is evaluated using an actual IoT-based dataset, BoT-IoT, which includes the most up-to-date attacks found in blockchain-enabled IoT networks. The results show that XGBoost performs better for binary attack detection, whilst Random Forest performs better for multi-attack detection. Overall, on distributed fog nodes RF takes less time for training and testing than XGBoost.
Due to the limited resources (energy, memory, and processing capabilities) of IoT devices, fast and accurate intrusion detection requires a high-accuracy neural network with a lightweight and efficient architecture and a small number of parameters. To this end, Basani and Faghih [11] suggested a novel deep neural network-based NIDS for IoT networks, which is characterized by a new and lightweight architecture based on a Parallel Deep Auto-Encoder (PDAE). The PDAE deep learning model uses both local and surrounding information around individual values in the feature vector. This type of separation of features allows them to increase the accuracy of the model while greatly reducing the number of parameters, the memory footprint, and the need for processing power. The efficiency of the proposed model is assessed using the KDDCup99, CICIDS2017, and UNSW-NB15 datasets, and the outcomes demonstrate the superiority of the suggested model over the state-of-the-art algorithms, namely MemAE (Memory-Augmented Auto-Encoder) and NDAE (Non-symmetric Deep Auto-Encoder), in terms of both accuracy and performance.
Saheed et al. [2] proposed a machine learning-based intrusion detection system (ML-IDS) for the identification of IoT network attacks. In the first phase of this research methodology, feature scaling was carried out by means of Minimum-Maximum (min-max) normalization on the UNSW-NB15 dataset to limit information leakage on the test data. This dataset is an amalgamation of recent attacks and regular or normal network traffic activities, clustered into nine disparate attack types. In the next phase, dimensionality reduction was performed with Principal Component Analysis (PCA). Finally, six proposed machine learning models, namely XGBoost, CatBoost, KNN, SVM, QDA, and NB, were trained and their prediction capabilities were subsequently evaluated on the benchmark dataset UNSW-NB15. The authors' experimental results were assessed in terms of validation dataset, accuracy, the area under the curve, recall, F1, precision, kappa, and Matthews correlation coefficient (MCC). The findings were also benchmarked against existing works, and their outcomes were competitive with an accuracy of 99.9% and MCC of 99.97%.
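The metrics named above, computed from a binary confusion matrix, as an added example (not code from this survey or from Saheed et al.). The two detectors and their counts are constructed to show why accuracy alone says little on imbalanced IDS traffic, while detection rate, false alarm rate, kappa and MCC separate the two.

```python
import math


def _div(num, den):
    """Division that returns 0.0 when a metric is undefined (zero denominator)."""
    return num / den if den else 0.0


def ids_metrics(tp, fp, tn, fn):
    """Binary IDS metrics with 'attack' as the positive class."""
    total = tp + fp + tn + fn
    accuracy = _div(tp + tn, total)
    detection_rate = _div(tp, tp + fn)        # recall / true positive rate
    false_alarm_rate = _div(fp, fp + tn)      # benign flows flagged as attacks
    precision = _div(tp, tp + fp)
    f1 = _div(2 * precision * detection_rate, precision + detection_rate)

    # Cohen's kappa: observed agreement corrected for chance agreement.
    p_chance = _div((tp + fp) * (tp + fn) + (tn + fn) * (tn + fp), total ** 2)
    kappa = _div(accuracy - p_chance, 1 - p_chance)

    # Matthews correlation coefficient uses all four cells of the matrix.
    mcc = _div(tp * tn - fp * fn,
               math.sqrt((tp + fp) * (tp + fn) * (tn + fp) * (tn + fn)))

    return {"accuracy": accuracy, "dr": detection_rate, "far": false_alarm_rate,
            "precision": precision, "f1": f1, "kappa": kappa, "mcc": mcc}


# Constructed test set: 10,000 flows, of which 100 are attacks.
# SILENT never raises an alert; ACTIVE catches 90 attacks at a 1% false alarm rate.
SILENT = ids_metrics(tp=0, fp=0, tn=9900, fn=100)
ACTIVE = ids_metrics(tp=90, fp=99, tn=9801, fn=10)


def compare():
    """Return both metric sets so they can be inspected side by side."""
    return SILENT, ACTIVE


if __name__ == "__main__":
    for name, m in (("silent", SILENT), ("active", ACTIVE)):
        print(name, {k: round(v, 4) for k, v in m.items()})
```

The detector that never alerts has the higher accuracy of the two, yet its detection rate, kappa and MCC are all zero.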
Souza et al. [12] proposed a two-step ensemble approach for intrusion detection and identification in IoT and fog computing environments. The IDS goes through two steps, namely the detection step followed by the identification step, aiming to classify events into specific types of attacks or non-attacks. The first step (detection phase) carries out data analysis with a binary Extra Tree (ET) classifier in order to categorize the traffic flow captured by the device as intrusive or non-intrusive. Traffic classed as non-intrusive is immediately released. In contrast, intrusive traffic is submitted to the second step (identification phase). This last step uses a more vigorous and solid method, consisting of an ensemble of ET, Random Forest (RF), and Deep Neural Network (DNN). This second method analyzes the traffic another time and recognizes the class of intrusion. The ensemble approach combines the classifiers (ET, RF, and DNN) by averaging their probabilistic predictions rather than allowing each classifier to vote for a single class. The appraisal of the proposed approach, performed with the Bot-IoT, IoTID20, NSL-KDD, and CICIDS2018 datasets, proved the feasibility and robustness of the intrusion detection method in the most various scenarios. The suggested model was able to achieve similar or superior performance in all databases, demonstrating its effectiveness and strength.
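The two-step flow and the probability-averaging rule described above, as an added example (not code from Souza et al. or from this survey). The detector and the three identification models are hypothetical stand-ins with constructed outputs, as are the class labels and flow features; only the gating and the soft-voting logic are the point.

```python
from collections import Counter

CLASSES = ("DDoS", "Scan", "Theft")   # constructed attack labels


def soft_vote(prob_rows):
    """Average each class probability over all models, then take the arg-max."""
    n = len(prob_rows)
    avg = {c: sum(row[c] for row in prob_rows) / n for c in CLASSES}
    return max(CLASSES, key=lambda c: avg[c]), avg


def hard_vote(prob_rows):
    """Majority voting: every model casts one vote for its own top class."""
    votes = Counter(max(CLASSES, key=lambda c: row[c]) for row in prob_rows)
    return votes.most_common(1)[0][0]


class TwoStepIDS:
    """Step 1: binary detector. Step 2: ensemble identification (soft voting)."""

    def __init__(self, detector, identifiers, threshold=0.5):
        self.detector = detector          # callable: flow -> P(intrusive)
        self.identifiers = identifiers    # callables: flow -> {class: probability}
        self.threshold = threshold
        self.stage2_calls = 0             # how often the costly ensemble ran

    def classify(self, flow):
        if self.detector(flow) < self.threshold:
            return {"verdict": "released", "label": None}
        self.stage2_calls += 1
        rows = [model(flow) for model in self.identifiers]
        label, avg = soft_vote(rows)
        return {"verdict": "intrusive", "label": label,
                "hard_vote_label": hard_vote(rows), "avg": avg}


# --- Hypothetical stand-ins for the trained models (constructed outputs) ---
def detector(flow):                       # stands in for the binary ET
    return 0.9 if flow["pkts_per_s"] > 200 or flow["dst_ports"] > 20 else 0.1


def et_model(flow):
    if flow["pkts_per_s"] > 200:
        return {"DDoS": 0.55, "Scan": 0.45, "Theft": 0.0}
    return {"DDoS": 0.10, "Scan": 0.80, "Theft": 0.10}


def rf_model(flow):
    if flow["pkts_per_s"] > 200:
        return {"DDoS": 0.52, "Scan": 0.48, "Theft": 0.0}
    return {"DDoS": 0.20, "Scan": 0.70, "Theft": 0.10}


def dnn_model(flow):
    if flow["dst_ports"] > 20:
        return {"DDoS": 0.05, "Scan": 0.95, "Theft": 0.0}
    return {"DDoS": 0.90, "Scan": 0.05, "Theft": 0.05}


# Constructed flows: benign, an obvious flood, and one the models disagree on.
FLOWS = [
    {"id": "benign", "pkts_per_s": 12, "dst_ports": 1},
    {"id": "flood", "pkts_per_s": 5000, "dst_ports": 1},
    {"id": "ambiguous", "pkts_per_s": 400, "dst_ports": 300},
]


def run_demo():
    ids = TwoStepIDS(detector, [et_model, rf_model, dnn_model])
    results = [ids.classify(flow) for flow in FLOWS]
    return results, ids.stage2_calls


if __name__ == "__main__":
    results, calls = run_demo()
    for flow, res in zip(FLOWS, results):
        print(flow["id"], res)
    print("stage-2 invocations:", calls)
```

On the ambiguous flow two weakly confident models outvote one strongly confident model under majority voting, while averaging the probabilities lets the confident model decide.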
4. Intrusion Prevention Systems for IoT
This section presents a critical review of six novel and relevant IPSs conceived for IoT networks. As displayed in Table 3, for each one we provide the class of the methodology adopted, the mechanisms employed to prevent and mitigate attacks and malicious activities, and the datasets employed to assess the proposed IPS. We also underline the strong points and the shortcomings of these IPSs.
Constantinides et al. [13] presented a novel online incremental learning intrusion prevention system, intended to mitigate known and unknown attacks in real time with high accuracy for IoT networks. The proposed solution is based on a modified version of the Self Organizing Incremental Neural Network, named “n-SOINN”, to carry out on-line clustering, coupled with multiple SVMs to perform classification. As SVM is a binary classification algorithm, the Winner Takes All (WTA) strategy is employed to reduce the single multiclass problem to a set of multiple binary classification problems that SVMs can solve. Thus, the combination “n-SOINN & WTA-SVM” constitutes the core of the detection engine of the suggested framework. This framework comprises the detection engine “n-SOINN-WTA-SVM”, a preprocessing module for the incoming traffic that feeds the detection engine, a validation module to assess the outcomes of the detection engine, and an update module that feeds the failed results back to the detection engine. Based on the experimental results obtained by the authors with the NSL-KDD dataset, the developed IPS can achieve on-line updated incremental learning, making it appropriate for proficient and scalable industrial applications.
Jiang et al. [14] designed a network intrusion prevention strategy using edge computing in the IoT environment. An edge intelligent gateway is conceived as a lightweight network gateway, which provides the running environment for the detection model and security policy, and also serves as a WiFi access point for home IoT devices. First, the authors use an edge smart gateway, which is deployed on a Raspberry Pi, implements the Adhoc Network Architecture (AON), and runs Open vSwitch (OVS) for virtual switch functionality; the Floodlight-based SDN controller is employed to run custom modules for security policy, traffic filtering, and cache management. Then, with the limited resources available on that edge gateway, a lightweight machine-learning algorithm is utilized to classify device-to-device traffic and identify whether there is a network intrusion. The classification model extracts features of the network traffic, is trained with the classic supervised learning method Decision Tree J48, and then distinguishes between benign and malicious traffic patterns observed in the network. Simulation outcomes show that the classification model has high intrusion detection accuracy on the edge intelligent gateway and can effectively guarantee the security of home IoT interactions. At the same time, the entire detection system does not have a great impact on network performance: it does not significantly increase the network latency, and it is characterized by a lower memory footprint and CPU utilization.
Gonçalves et al. [15] proposed an IPS architecture for IoT networks overlapped in SDN. The suggested architecture aims to structure a distributed security measure incorporating Snort IDS, firewalls on final hosts and IoT gateways, SDN switches and the Controller entity to support Internet of Things (IoT) instances. It enables the IPS to identify anomalous behavior of IoT devices, thereby leading the SDN to block attacks as near as possible to their sources, lessening the volume of malicious traffic and isolating the infected device from the rest of the network. Detecting malicious traffic is the responsibility of Snort IDS. When an attack is detected based on its signature database, Snort sends a syslog alert to the Controller with information about the attacker (source IP, destination IP, destination port). With this information, the Controller saves the event in its database, creates blocking rules to prevent the spread of the attack and mitigate security events, and transmits these security settings to registered devices, namely hosts/IoT gateways, which add the blocking policies to their iptables. Furthermore, the security administrator can add attack signatures to the Snort IDS to block types of traffic that he does not want to allow in his network. Validation tests show that if an attack is detectable by Snort, it can be mitigated by the proposed architecture.
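The alert-to-rule path described above, as an added example (not the code of Gonçalves et al. or of this survey): a controller parses a Snort syslog alert, records the event, and emits an iptables DROP rule for the reported source, destination and port. The alert layout, the sample lines, all addresses, the FORWARD chain and the protected-address list are assumptions made for illustration.

```python
import ipaddress
import re

# Layout commonly seen in Snort syslog alerts (assumed here):
# [gid:sid:rev] message [Classification: ...] [Priority: n] {PROTO} src:port -> dst:port
ALERT_RE = re.compile(
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+"
    r"(?:\[Classification:\s*(?P<cls>[^\]]*)\]\s+)?"
    r"\[Priority:\s*(?P<prio>\d+)\]:?\s+"
    r"\{(?P<proto>\w+)\}\s+"
    r"(?P<src>[\d.]+)(?::(?P<sport>\d+))?\s+->\s+"
    r"(?P<dst>[\d.]+)(?::(?P<dport>\d+))?\s*$"
)


def parse_alert(line):
    """Return the fields the controller needs, or None if the line is unusable."""
    m = ALERT_RE.search(line)
    if not m:
        return None
    try:  # never pass unvalidated text on to a firewall command
        src = ipaddress.ip_address(m["src"])
        dst = ipaddress.ip_address(m["dst"])
    except ValueError:
        return None
    proto = m["proto"].lower()
    if proto not in ("tcp", "udp", "icmp"):
        return None
    dport = int(m["dport"]) if m["dport"] else None
    if proto in ("tcp", "udp") and not (dport and 0 < dport <= 65535):
        return None
    return {"sid": int(m["sid"]), "msg": m["msg"], "proto": proto,
            "src": str(src), "dst": str(dst), "dport": dport}


def build_rule(alert, chain="FORWARD"):
    """Build the rule as an argv list so nothing is interpreted by a shell."""
    argv = ["iptables", "-I", chain, "-s", alert["src"], "-d", alert["dst"],
            "-p", alert["proto"]]
    if alert["proto"] in ("tcp", "udp"):
        argv += ["--dport", str(alert["dport"])]
    return argv + ["-j", "DROP"]


class Controller:
    def __init__(self, protected):
        # Sources that must never be blocked (controller, gateway), so that a
        # spoofed or false-positive alert cannot cut off the management plane.
        self.protected = {ipaddress.ip_address(p) for p in protected}
        self.events = []       # event store, as the controller keeps a database
        self.blocked = set()   # flows that already have a rule

    def handle(self, line):
        """Return the rule to push to gateways, or None when no rule is needed."""
        alert = parse_alert(line)
        if alert is None:
            return None
        self.events.append(alert)
        if ipaddress.ip_address(alert["src"]) in self.protected:
            return None
        key = (alert["src"], alert["dst"], alert["proto"], alert["dport"])
        if key in self.blocked:
            return None
        self.blocked.add(key)
        return build_rule(alert)


# Constructed syslog lines (private addresses, local-range SIDs).
SAMPLE_ALERTS = [
    "Mar  3 10:15:42 gw snort[1234]: [1:1000001:1] Telnet login attempts [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 192.168.10.23:51514 -> 192.168.10.40:23",
    "Mar  3 10:15:43 gw snort[1234]: [1:1000001:1] Telnet login attempts [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 192.168.10.23:51520 -> 192.168.10.40:23",
    "Mar  3 10:16:02 gw snort[1234]: [1:1000002:1] Policy check [Priority: 3] {TCP} 192.168.10.2:40000 -> 192.168.10.40:8080",
    "Mar  3 10:16:05 gw snort[1234]: [1:1000003:1] Garbled source [Priority: 2] {UDP} 999.1.1.1:53 -> 192.168.10.40:53",
    "Mar  3 10:16:09 gw snort[1234]: [1:1000004:1] ICMP sweep [Priority: 2] {ICMP} 192.168.10.23 -> 192.168.10.40",
]


def run_demo():
    ctl = Controller(protected=["192.168.10.1", "192.168.10.2"])
    return [ctl.handle(line) for line in SAMPLE_ALERTS], ctl


if __name__ == "__main__":
    rules, ctl = run_demo()
    for rule in rules:
        print(" ".join(rule) if rule else "(no rule)")
    print("events stored:", len(ctl.events))
```

The second alert repeats an already blocked flow, the third comes from a protected address, and the fourth fails address validation, so only the first and last lines yield rules.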
Due to the lack of cybersecurity mechanisms in IoT end devices, many smart home devices become soft targets for adversaries, and this happens without the victims properly knowing that they are infected. James [16] presented a new intrusion prevention system methodology based on three cyber security aspects, namely confidentiality, authentication, and access control. The proposed IPS is a risk analysis model that helps to pick out an appropriate mitigation strategy for each cyber-attack related to confidentiality, authentication, or access control. The steps followed for creating that risk analysis model in a smart home environment are: identify the attacks/risks, prioritize the attacks/risks, choose suitable mitigation strategies, and build mitigation solutions based on the mitigation strategies and techniques. The experiments conducted by the author prove that the suggested IPS efficiently protects IoT smart home devices from critical cyber-attacks.
Sharma et al. [4] proposed a decentralized security system using blockchain for IoT-based networks as an intrusion prevention approach, with a view to protecting the network against intrusion and attack, because centralized security methods have many limitations. Blockchain technology has many security advantages over conventional defense systems, such as no involvement of third-party security, high integrity, secure peer-to-peer authentication and communications, and more. In the suggested blockchain-based Internet of Things network, each IoT device is associated with a block that encloses data, hash and timestamp values. The data generated by IoT devices comprises network flow data, sensor data, log information and transactional data, which can be validated by cryptographic hash algorithms. The experiments carried out by the authors demonstrate that blockchain integrity validation using Degree Centrality (DC) or Betweenness Centrality (BC) measurements performs better than MD5 and SHA-1.
Haghighi and Fariva [17] presented a Machine Learning-based approach to build zero False-Positive Intrusion Prevention Systems (IPS) for Industrial IoT and Cyber Physical Systems (CPS), with a case study on Power Grids Security. IPS have long been the first layer of defense against malicious attacks. Most sensitive systems utilize instances of them (e.g. firewalls) to secure the network perimeter and filter out attacks or unwanted traffic. A firewall, similar to a classifier, has a boundary to decide which traffic sample is normal and which one is an attack. This boundary is defined by configuration and is managed by a set of rules, which occasionally might also filter normal traffic by mistake. For some applications, however, any interruption of normal operation is not tolerable, e.g. in water distribution systems, power plants, gas or oil pipelines, etc. To overcome these issues, the authors proposed a novel algorithm (z-Classifier) that can turn any generic classifier into a zero false positive one. The algorithm output can then be directly translated into firewall rules if a tree-based classifier is used. Hence, z-Classifier can help in building self-organizing learning firewalls. The suggested classifier was used with CART at its heart to construct a firewall for a Power Grid Monitoring System. To further assess the algorithm, a further test was carried out on the KDD CUP'99 dataset. The outcomes confirm the effectiveness of that approach.
Table 2. Analysis of intrusion detection systems for IoT networks
Ref.
Method
Detection
Mechanism
Dataset
Characteristics / Strengths
Limitations / Challenges
[9]
Machine
Learning
Random
Forest (RF),
Decision Tree
(DT), Extra-
Trees (ET),
and Extreme
Gradient
Boosting
UNSW-NB15
dataset
- For the binary modeling
process, the GA-RF
outperformed the baseline
model LR and others Tree-
based algorithms with a
Test Ac-curacy (TAC) of
87.61%.
- For the multiclass
modeling process, the GA-
- The proposed IDS under-performed for some
minority classes such as Worms, Backdoor, and
Analysis. Hence, TAC of 77.64% attained by
GA-ET needs improvement.
- Both GA-RF and GA-ET yielded bad
prediction time of 2.2s and 3.8s respectively.
They were surpassed by DT and BN with
18.3ms and 7.96ms respectively.
Z. Chiba et al. / Procedia Computer Science 210 (2022) 94–103 99
Author name / Procedia Computer Science 00 (2018) 000000 5
Souza et al. [12] proposed a two-step ensemble approach for intrusion detection and identification in IoT and fog
computing environments. The IDS conceived goes through two steps; namely, the detection step followed by the
identification step, aiming to classify events in specific types of attacks or non-attacks. The first step (detection phase)
carries out data analysis with a binary Extra Tree (ET) classifier, in order to categorize traffic flow captured by the
device into intrusive or non-intrusive. Traffic classed as non-intrusive is immediately released. In contrast, intrusive
traffic is submitted to the second step (identification phase). This last step has a more vigorous and solid method, and
it consists of an ensemble approach of ET, Random Forest (RF), and Dee p Neural Network (DNN). This second
method then analyzes the traffic another time and recognizes the class of intrusion. The aforementioned ensemble
approach combines classifiers (ET, RF, and DNN) by averaging their probabilistic prediction rather than all owing
each classifier to vote for a single class. The appraisal of the proposed approach was performed with the Bot-IoT,
IoTID20, NSL-KDD, and CICIDS2018 datasets proved the feasibility and robustness of the intrusion detection
method in the most various scenarios. The suggested model was able to achieve similar or superior performance in all
databases, demonstrating its effectiveness and strength.
4. Intrusion Prevention Systems for IoT
This section presents an inquiring review of six novel and relevant IPSs conceived for IoT networks. As displayed
by Table 3, for each one, we provide the class of the methodology adopted, the mechanisms employed to prevent and
mitigate attacks and malevolent activities, and the datasets employed to assess the IPS proposed. Besides, we underline
the strong points and the shortcomings of these IPSs.
Constantinides et al. [13] presented a novel online incremental learning intrusion prevention system, targeted to
mitigate known and unknown attacks in real-time with high accuracy for IoT networks. The solution proposed is based
on a modified version of Self Organizing Incremental Neural Network named “n-SOINN” to carry out on-line
clustering, coupled with multiple SVMs to perform classification. As SVM acts as a binary classification algorithm
that solves binary problems, and with the aim to fix a multi-class problem with SVMs, the Winner Takes All (WTA)
strategy is employed to reduce the single multiclass problem to a set of multiple binary classification problems. Thus,
the mixture “n-SOINN & WTA-SVM” consists the core of detection engine of the suggested framework. This
framework compromises a detection engine “n-SOINN-WTA-SVM” that represents the core of the framework, a
preprocessing module for the incoming traffic that feeds the detection engine, a validation module to assess the
outcomes of the detection engine and an update module that feeds back the failed results to the detection engine. Based
on experimental results obtained by authors with the NSL KDD dataset, the developed IPS can achieve on-line updated
incremental learning, making it appropriate for proficient and scalable industrial applications.
Jiang et al. [14] designed a network intrusion prevention strategy using edge computing in the IoT environment. In
fact, an edge intelligent gateway is conceived as a lightweight network gateway, which provides the running
environment for the detection model and security policy, and also serves as WiFi access point for home IoT devices .
Firstly, authors use an edge smart gateway, which is deployed on a Raspberry-Pi, implements the Adhoc Network
Architecture (AON), runs Open vSwitch (OVS) for virtual switch functionality, and the Floodlight based SDN
controller is employed to perform custom modules for security policy, traffic filtering, and cache management. Then,
with limited resources available on that edge gateway, a lightweight machine-learning algorithm is utilized to classify
device to device traffic and identify if there is a network intrusion. The classification model extracts features of
network traffic, trained by classic supervised learning method-Decision Tree J48, then distinguish between benign
and malicious traffic patterns observed in the network. Simulation outcomes show that the classification model has
high accuracy of intrusion detection on edge intelligent gateway and can effectively guarantee security of home IoT
interactions. At the same time, it ensures that the entire detection system will not have a great impact on network
performance; it does not do not significantly increase the network latency, further it is characterized by less the
memory footprint and CPU utilization.
Gonçalves et al. [15] proposed an IPS architecture for IoT networks overlapped in SDN. The suggested architecture
aims to structure a distributed security measure incorporating Snort IDS, firewalls on final hosts and IoT gateways,
SDN switches and the Controller entity to support Internet of Things (IoT) instances, enabling the identification of
anomalous behavior of IoT devices by the IPS, thereby leading the SDN to block the attacks as near as possible to the
sources, lessening the volume of malicious traffic and isolating the infected device from the rest of the network.
6 Author name / Procedia Computer Science 00 (2018) 000000
Detecting malevolent traffic is the responsibility of Snort IDS. While an attack is uncovered based on its signature
database, Snort sends a syslog alert to the Controller with information about the attacker (source IP, destination IP,
destination port). With this information, the Controller saves the event in its database, creates blocking rules to prevent
the spread of the attack and mitigate of security events, and transmits these security settings to registered devices,
namely hosts/IoT gateways for adding blocking policies in their iptables. Furthermore, the security administrator car
add attack signatures in the Snort IDS to avoid some types of traffic that he does not want to allow in his network.
Validation tests show that if an attack is detectable by Snort, it can be mitigated by the proposed architecture.
Due to lack of cybersecurity mechanism in IoT end devices, many smart home devices become soft targets for
adversaries, and it is occurring without victims proper knowledge of being infected. James [16] presented a new
intrusion prevention system methodology based on three cyber security aspects, namely confidentiality,
authentication, and access control. In fact, the IPS proposed is a risk analysis model that aids to pick out an opportune
mitigation strategy for each cyber-attack related either to confidentiality, authentication, or access control. The steps
followed for creating that risk analysis model in a smart home environment are; identify the attacks/risks, prioritize
the attacks/risks, choose suitable mitigation strategies, and build mitigation solutions based on the mitigation strategies
and techniques. The experiments conducted by the author prove that the suggested IPS protects efficiently the IoT
smart home devices from critical cyber-attacks.
Sharma et al. [4] proposed a decentralized security system using blockchain for the IoT based network as intrusion
prevention approach, with the view to protect this network against intrusion and attack, because there are many
limitations in centralized security methods. The blockchain technology has many security advantages over
conventional defense system such as no involvement of third party security, high integrity, secure pee r-to-peer
authentication and communications, and more. In the suggested blockchain based Internet of Things network, each
IoT device is associated with a block that encloses data, hash and timestamp value. The data generated from IoT
devices comprises network flow data, sensor data, log information and transactional data, that can be validated by
cryptographic hash algorithms. The experiences carried out by the authors demonstrate that the blockchain integrity
validation using Degree Centrality (DC) or Betweenness Centrality (DC) measurements performs better as compared
to MD5 and SHA-1.
Haghighi and Fariva [17] exhibited a Machine Learning-based approach to build zero False-Positive Intrusion
Prevention Systems (IPS) for Industrial IoT and Cyber Physical Systems (CPS) with a case study on Power Grids
Security. In fact, IPS have long been the first layer of defense against malicious attacks. Most sensitive systems utilize
instances of them (e.g. Firewalls) to secure the network perimeter and filter out attacks or unwanted traffic. A firewall,
similar to classifiers, has a boundary to decide which traffic sample is normal and which one is an attack. This
boundary is defined by configuration and is managed by a set of rules which occasionally might also filter normal
traffic by mistake. Nevertheless, for some applications, any interruption of the normal operation is not tolerable e.g.
in water distribution systems, power plants, gas or oil pipelines, etc. To overcome these issues, authors have proposed
a novel algorithm (z-Classifier) that can turn any generic classifier into a zero false positive one. Thereafter, the
algorithm output could be directly translated into firewall rules if a tree-based classifier was taken. Hence, z-Classifier
can help in building self-organizing learning firewalls. The suggested classifier was used with CART at its heart to
construct a firewall for a Power Grid Monitoring System. To further assess the algorithm, further test was carried out
based on KDD CUP’99 dataset. The outcomes confirm the effectiveness of that approach.
Table 2. Analysis of intrusion detection systems for IoT networks

| Ref. | Method | Detection Mechanism | Dataset | Characteristics / Strengths | Limitations / Challenges |
|---|---|---|---|---|---|
| [9] | Machine Learning | Random Forest (RF), Decision Tree (DT), Extra-Trees (ET), and Extreme Gradient Boosting (XGB) algorithms | UNSW-NB15 dataset | For the binary modeling process, the GA-RF outperformed the baseline model LR and other tree-based algorithms with a Test Accuracy (TAC) of 87.61%. For the multiclass modeling process, the GA-ET outperformed the baseline model NB and other tree-based algorithms with a TAC of 77.64%. | The proposed IDS under-performed for some minority classes such as Worms, Backdoor, and Analysis. Hence, the TAC of 77.64% attained by GA-ET needs improvement. Both GA-RF and GA-ET yielded bad prediction times of 2.2s and 3.8s respectively. They were surpassed by DT and BN with 18.3ms and 7.96ms respectively. |
| [10] | Machine Learning | Random Forest (RF) and Extreme Gradient Boosting (XGBoost) | BoT-IoT (IoT-based dataset) [4] | Distributed anomaly IDS using fog computing to detect DDoS attacks against a blockchain-enabled IoT network. Effective in detecting IoT-based attacks with 99.99% Accuracy, 99.8% DR and 99.99% F1-score. The detection system takes less processing time for training and testing. | There is no cooperation between the IDSs deployed in fog nodes. The proposed IDS is an anomaly IDS, so detecting a previous attack that occurs again requires the same computational cost in the IDS. If signature-based detection is applied prior to anomaly detection, that will reduce computational cost. The anomaly IDS then has to detect only unknown attacks, because known attacks are already detected by the signature IDS and denied. The manual management of abnormal transactions can lead to the loss of certain transactions, which can go unnoticed by the admin, especially in the event of an enormous flow of these transactions. |
| [11] | Deep learning | Parallel Deep Auto-Encoder (PDAE) | KDDCup99, CICIDS2017, and UNSW-NB15 datasets | Lightweight and efficient NN architecture. Few parameters. High Accuracy of 99.37%. | The false alarm rate was not used to evaluate the performance of the proposed IDS. A better NIDS should attain a high Detection Rate (DR) and a low False Alarm Rate (FAR). The detection time metric was not used to assess the low computational complexity of the proposed model. The number of parameters is not a meaningful metric for measuring time complexity. |
| [2] | Machine Learning | XGBoost, CatBoost, KNN, SVM, QDA, and NB algorithms | UNSW-NB15 dataset | The proposed machine learning model achieves high performance compared to state-of-the-art works, with an accuracy of 99.9% and MCC of 99.97%. | Computation cost, energy consumption and required memory for the ML model in the IoT context were not studied. Assessment of the effectiveness of that ML model by means of a specialized dataset containing contemporary attacks targeting IoT devices, namely BoT-IoT, is needed. |
| [12] | Machine Learning + Deep Learning | Extra Tree (ET), Random Forest (RF), and Deep Neural Network (DNN) | BoT-IoT, IoTID20, NSL-KDD, and CICIDS2018 datasets | Experimental outcomes obtained on the Bot-IoT, IoTID20, NSL-KDD, and CICIDS2018 datasets show that the IDS developed achieves high rates (between 99% and 100%) of DR, Recall, Precision, and Balanced Accuracy. | The prediction time is high compared to KNN, RF, and NB techniques. It should be reduced. U2R and infiltration attacks were hard to detect by this model; the DR attained for these classes is 68.75% and 13.50%, respectively, although those attacks are perilous. Conception and implementation of a countermeasure module are missing. Robustness of that IDS against network routing attacks such as sinkhole, wormhole and selective forwarding was not assessed. |

Table 3. Analysis of intrusion prevention systems for IoT networks

| Ref. | Method | Detection Mechanism | Dataset | Characteristics / Strengths | Limitations / Challenges |
|---|---|---|---|---|---|
| [13] | Online Incremental learning | Self Organizing Incremental Neural Network + Multiple SVMs with the Winner-Takes-All (WTA) strategy | NSL-KDD dataset | The incremental learning based IPS achieves an Accuracy of 89.67%, higher than the offline method (Accuracy of 82.59%). | The NSL-KDD dataset used is quite aged, outdated, and does not include recent types of network attacks. Thereby, it can only be used for a baseline evaluation. 2-3 more recent datasets are required to validate the performance of this work. The time cost of the proposed framework is higher than the offline method. Evaluation of memory footprint and CPU utilization was not done. |
| [14] | Edge computing | Edge Smart Gateway implementing the Adhoc Network Architecture (AON) and a lightweight machine-learning classifier, Decision Tree J48 | NSL-KDD dataset | It proposes an edge computing model for data computing for home IoT devices (advantages of Edge computing). The classification model has a high Accuracy of 97.1%. | The NSL-KDD dataset used is quite old and does not include new types of network attacks; the traffic patterns included are likely to be outdated and unable to shed much light on the performance of novel approaches. Assessment of that model based on recent datasets such as BoT-IoT [2] (2019) and IoT-23 [18] (2020) is requisite. |
| [15] | Security policy management | Based on Snort IDS alerts, the Controller creates firewall rules for final hosts/IoT gateways | Custom and Real dataset | Scanning and DoS attacks were detected by the proposed IPS thanks to the appropriate blocking rules created by the Controller for final hosts/IoT gateways. | Since the blocking rules are based on attacks detected by Snort IDS, which is a signature-based IDS, the IPS cannot detect and prevent new or zero-day attacks. Automatic deletion of rules 2 hours after their creation involves a supplementary computational cost for their regeneration. |
| [16] | Risk analysis model | Cryptography: 3DES algorithm. Password Policy: Progress delay. Controller policies: Avoiding false requests | Custom and Real dataset | The proposed IDS has demonstrated its effectiveness in defending the IoT smart home against eavesdropping, brute force and DoS attacks. | The proficiency of the proposed model was not evaluated with U2R (User to Root) attacks such as Buffer overflow, Load Module, Rootkit, Perl, Sqlattack, Xterm, Ps… and so on. |
| [4] | Blockchain | Blockchain Degree Centrality (DC) or Between-ness Centrality (DC) measurements | Custom and Real dataset | The blockchain technology-based integrity methods perform better as compared to MD5 and SHA-1 algorithms. | The Blockchain integrity methods need to be compared to SHA-2, since it is more resistant to attacks and gives a longer digest than SHA-1 and MD5. SHA-2 is based on the cryptographic "Merkle-Damgard" construction and is considered highly secure. |
| [17] | Machine Learning | The output of the Machine Learning based zero False Positive Classifier (Z-Classifier) is directly translated into firewall rules to allow normal traffic and reject attacks. | KDD CUP 99 dataset | Z-Classifier achieves zero false positives. The firewall can configure itself automatically by writing preventive rules in a conservative way that avoids false alarms. | z-Classifier is prone to over-fitting after the 100th iteration with the KDD CUP’99 dataset. Traditional best practices need to be adopted to avoid this phenomenon. KDD CUP 99 is an old dataset that does not contain contemporary attacks. Assessment of the proposed model via recent datasets is requisite. |

5. Discussion
In the current work, we study exhaustively and deeply several state-of-the-art research works published between 2019
and 2022 that provide novel and pertinent IDS/IPS for IoT networks. We give their key characteristics, such as
the category of the methodology proposed, the mechanisms employed to build an IDS/IPS and hence enable the
detection/prevention of attacks targeting IoT networks, and the datasets used for assessment of the model suggested.
Furthermore, the strong points and limitations (pros and cons) of these works are identified and exhibited. This helps
to pinpoint the problems that still need to be solved, to define the mainstream research direction well, and to pave the
way for new paths of research for forthcoming researchers.
By way of example and without limitation, based on our review, some researchers can focus on optimization of a
few of the works analyzed with a view to fixing the shortcomings outlined, or on a combination of two approaches in order to
take advantage of each technique and eliminate or mitigate their flaws. Consequently, both aforementioned
methodologies will certainly enhance the performance of IDS/IPS developed for IoT networks. Below, we give
relevant guidelines and the main conclusions drawn from the current study:
- The UNSW-NB15 dataset [2,9,11] is an advanced dataset for IDS research that is widely used in the literature.
Besides, it would be good to consider other recent IoT-specific datasets, namely BoT-IoT [2] (2019) and
IoT-23 [18] (2020).
- Evaluation of IDS/IPS using only the KDD CUP99 or NSL-KDD datasets is not convincing. These datasets do not
include new types of network attacks; the traffic patterns included are likely to be outdated and unable to shed
much light on the performance of novel approaches. In fact, these datasets are quite old, they suffer from
several problems discussed by McHugh [19], and they may not be a perfect representative of existing real networks.
Thereby, they can only be used for a baseline evaluation. 2-3 more recent datasets are required to validate the
effectiveness of a given model.
- IoT objects are constrained in terms of memory capacity, energy consumption, and processing capability.
Because of these limitations, traditional IDS/IPS approaches are not suitable for direct implementation in IoT
devices. Lightweight solutions are needed. In point of fact, Basati & Faghih [11] proposed a lightweight
architecture.
- In IoT networks, there are inherent limitations in energy, memory, and processing resources. Unfortunately,
in addition to the IDS/IPS for IoT exhibited in this work, other works analyzed in the survey [20] also have the
drawback of not taking both performance and security issues into consideration during the conception of
IoT-specific IDS/IPS. Owing to these constraints, we recommend overcoming these concerns during the design
of IoT-specific IDS/IPS.
- Efficient intrusion detection or prevention in IoT networks requires embracing new intelligent approaches
such as Machine Learning (ML) techniques. ML is a branch of Artificial Intelligence (AI) that empowers
numerous systems with the potential and the capacity to learn from experience and to enhance their
decision-making process without any explicit programming. One of the paramount ML techniques that have been
successfully used in addressing complex practical challenges is the DNN. DNNs have the capacity to surmount
numerous problems confronted by the other current techniques used in intrusion detection/prevention [17].
- It is favored that attacks are filtered at intrusion prevention systems such as firewalls as much as possible
[17]. But blocking legitimate traffic by mistake is not tolerable in real-time industrial systems, e.g. power plants,
water distribution systems, gas or oil pipelines, etc. To address this concern, the authors of the paper [17] have
suggested a new algorithm, the “zero False Positive Classifier”, that can turn any generic classifier into a zero false
positive one. This classifier can be leveraged to construct self-organizing and learning firewalls.
- The hybrid detection approach for building IDS is the best approach for raising detection accuracy.
Combining signature-based detection (SD) and anomaly detection (AD) methods makes it possible to leverage the strong
points of each technique and alleviate their drawbacks. We recommend conceiving IDS for IoT based on the
hybrid method [21].
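The signature-before-anomaly ordering recommended here, and raised in Table 2 as a limitation of the anomaly-only IDS in [10], shown as an added example that is not taken from any of the surveyed systems. It assumes exact payload hashes as signatures and a z-score on packet rate as the anomaly stage; the class name, fields and all traffic are constructed.

```python
import hashlib
import statistics


class HybridIDS:
    """Signature stage first; the anomaly stage only sees flows no signature matched."""

    def __init__(self, baseline_rates, z_threshold=3.0, learn_signatures=True):
        self.mean = statistics.mean(baseline_rates)
        self.stdev = statistics.pstdev(baseline_rates)
        self.z_threshold = z_threshold
        self.learn_signatures = learn_signatures
        self.signatures = set()   # SHA-256 digests of payloads already flagged
        self.anomaly_calls = 0    # how often the costly stage had to run

    @staticmethod
    def digest(payload):
        return hashlib.sha256(payload).hexdigest()

    def inspect(self, flow):
        if self.digest(flow["payload"]) in self.signatures:
            return "signature"
        self.anomaly_calls += 1
        z = (flow["rate"] - self.mean) / self.stdev
        if z > self.z_threshold:
            # Assumption: a flagged payload is promoted to a signature at once;
            # a deployment would promote it only after confirmation.
            if self.learn_signatures:
                self.signatures.add(self.digest(flow["payload"]))
            return "anomaly"
        return "clean"


def run(ids, flows):
    return [ids.inspect(f) for f in flows]


# Constructed data: packets per second seen from one sensor during normal operation.
BASELINE = [10, 12, 11, 9, 13, 10, 12, 11]
ATTACK = b"constructed-replayed-attack-payload"
TRAFFIC = [
    {"rate": 11, "payload": b"temp=21.5"},
    {"rate": 900, "payload": ATTACK},   # first occurrence, unknown to the signature stage
    {"rate": 12, "payload": b"temp=21.7"},
    {"rate": 950, "payload": ATTACK},   # same attack again
    {"rate": 14, "payload": ATTACK},    # same payload at a rate inside the normal band
]

if __name__ == "__main__":
    hybrid = HybridIDS(BASELINE)
    print(run(hybrid, TRAFFIC), hybrid.anomaly_calls)
    anomaly_only = HybridIDS(BASELINE, learn_signatures=False)
    print(run(anomaly_only, TRAFFIC), anomaly_only.anomaly_calls)
```

With signatures in front, the repeated attack no longer reaches the anomaly stage, and the low-rate replay that the rate-based detector alone would pass is still caught.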
6. Conclusions
Internet of Things (IoT) has emerged as a recent paradigm that has merged with our daily lives as the Internet has
evolved. As IoT is shifting, manufacturers have not adopted judicious security measures. Unfortunately, the
striking challenge of IoT is the privacy and security issues resulting from the energy limitations and scalability of IoT
devices. Nowadays, how to address the security and privacy challenges of IoT remains an important concern in the
computer security field. In fact, the need for security in the context of IoT networks has become a prerequisite. To this
end, the use of IDS and IPS becomes a judicious choice.
In this paper, we provide a deep study of eleven novel and pertinent IDS/IPS proposed between 2019 and 2022 for
IoT networks, giving their key specifics, strengths, shortcomings, and challenges in order to spot the issues that still
need to be handled, to outline the mainstream research direction well, and to open the way for new avenues of research
for forthcoming researchers. In summary, three main conclusions are drawn. Firstly, there is a noticeable growth in the use of the
advanced dataset UNSW-NB15 for assessment of the IDSs developed. We recommend employing this dataset as it
contains a hybrid of real modern normal activities and synthetic contemporary attack behaviors. Secondly, effective
intrusion detection/prevention in IoT networks requires adoption of new clever methods such as Machine Learning
and Deep Learning algorithms. Thirdly, as in IoT networks there are inherent limitations in energy, memory, and
processing resources, researchers should consider both performance and security concerns in the course of the
conception and evaluation of IoT-specific IDS/IPS.
References
[1] Atzori, Luigi, Antonio Iera, and Giacomo Morabito. (2010) “The internet of things: A survey.” Computer Networks 54 (15): 2787–2805.
[2] Saheed, Yakub Kayode, et al. (2022) “A machine learning-based intrusion detection for detecting internet of things network attacks.” Alexandria Engineering Journal 61 (12): 9395–9409.
[3] Perera, Charith, et al. (2014) “A survey on internet of things from industrial market perspective.” IEEE Access 2: 1660–1679.
[4] Sharma, Rajesh Kumar, and Ravi Singh Pippal. (2020) “Malicious Attack and Intrusion Prevention in IoT Network Using Blockchain Based Security Analysis.” 2020 12th International Conference on Computational Intelligence and Communication Networks (CICN), 380–385.
[5] Mishra, Nivedita, and Sharnil Pandya. (2021) “Internet of things applications, security challenges, attacks, intrusion detection, and future visions: A systematic review.” IEEE Access 9: 59353–59377.
[6] Liu, Ya-Shu, Lai Yu-Kun, Wang Zhi-Hai, and Yan And Han-Bing. (2019) “A new learning approach to malware classification using discriminative feature extraction.” IEEE Access 7: 13015–13023.
[7] Alkhalil, Adel, and Rabie A. Ramadan. (2017) “IoT data provenance implementation challenges.” Procedia Computer Science 109: 1134–1139.
[8] Roman, Rodrigo, Jianying Zhou, and Javier Lopez. (2013) “On the features and challenges of security and privacy in distributed internet of things.” Computer Networks 57 (10): 2266–2279.
[9] Kasongo, Sydney Mambwe. (2021) “An advanced intrusion detection system for IIoT based on GA and tree based algorithms.” IEEE Access 9: 113199–113212.
[10] Kumar, Randhir, et al. (2022) “A distributed intrusion detection system to detect DDoS attacks in blockchain-enabled IoT network.” Journal of Parallel and Distributed Computing 164: 55–68.
[11] Basati, Amir, and Mohammad Mehdi Faghih. (2022) “PDAE: Efficient network intrusion detection in IoT using parallel deep auto-encoders.” Information Sciences 598: 57–74.
[12] De Souza, Cristiano Antonio, Carlos Becker Westphall, and Renato Bobsin Machado. (2022) “Two-step ensemble approach for intrusion detection and identification in IoT and fog computing environments.” Computers & Electrical Engineering 98: 107694.
[13] Constantinides, Christos, Shiaeles Stavros, Ghita Bogdan, and Kolokotronis Nicholas. (2019) “A novel online incremental learning intrusion prevention system.” 2019 10th IFIP International Conference on New Technologies, Mobility and Security (NTMS), 1–6.
[14] Jiang, Chao, Jian Kuang, and Shirui Wang. (2019) “Home iot intrusion prevention strategy based on edge computing.” 2019 IEEE 2nd International Conference on Electronics and Communication Engineering (ICECE), 94–98.
[15] Gonçalves, Daniel GV, et al. (2019) “IPS architecture for IoT networks overlapped in SDN.” 2019 Workshop on Communication Networks and Power Systems (WCNPS), 1–6.
[16] James, Fathima. (2019) “IoT cybersecurity based smart home intrusion prevention system.” 2019 3rd Cyber Security in Networking Conference (CSNet), 107–113.
[17] Haghighi, Mohammad Sayad, Faezeh Farivar, and Alireza Jolfaei. (2020) “A machine learning-based approach to build zero false-positive IPSs for industrial IoT and CPS with a case study on power grids security.” IEEE Transactions on Industry Applications, 1–9.
[18] “IoT-23” (2020). https://mcfp.felk.cvut.cz/publicDatasets/IoT-23-Dataset/.
[19] McHugh, John. (2000) “Testing intrusion detection systems: a critique of the 1998 and 1999 darpa intrusion detection system evaluations as performed by lincoln laboratory.” ACM Transactions on Information and System Security (TISSEC) 3 (4): 262–294.
[20] Al-Taleb, Najla, and Nazar Abbas Saqib. (2020) “Attacks Detection and Prevention Systems for IoT Networks: A Survey.” 2020 International Conference on Computing and Information Technology (ICCIT-1441). IEEE, 1–5.
[21] Chiba, Zouhair, Abghour Noreddine, Moussaid Khalid, El Omri Amina, and Rida Mohamed. (2016) “A survey of intrusion detection systems for cloud computing environment.” 2016 international conference on engineering & MIS (ICEMIS), 1–13.
... In article [7], the authors study in detail many recent and relevant IDS/IPS proposed between 2019 and 2022 for Internet of Things networks, presenting their key features, strengths, shortcomings, and challenges in order to identify the issues that still need to be resolved. The article also outlines the main research direction and opens the way to new research directions for future researchers. ...
... Сучасний захист інформації, 1(57), 6-14. https://doi.org/10.31673/2409-7292.2024.010001. The third-level pairwise comparison matrices have the form (Tables 7, 8). ...
Article
The article is devoted to the analysis of the optimal choice of network security systems for enterprises based on the method of pairwise comparison of criteria. The reaction speed, level of protection, integration and reliability of the systems were studied. Considered general requirements for quality and cost. The conclusion is made about the need for a comprehensive approach to system selection and careful consideration of all aspects to ensure effective information protection. The article analyzes the importance of a balanced approach between efficiency and cost when choosing a network security system. The importance of integration with existing systems and taking into account requirements for compliance with security standards is emphasized. The results of the study indicate the need for careful analysis before deciding on the choice of a network security system for the enterprise. Additionally, the article examines the influence of each of the considered criteria on the overall level of enterprise network security and the reliability of information protection. The proposed recommendations on the optimal choice of network security systems can be useful for enterprise management and information security specialists, contributing to the improvement of the overall level of cyber protection. In conclusion, the article offers a comprehensive approach to the selection of network security systems based on an objective comparison of various criteria. Taking into account the speed of response, the level of protection, integration and cost helps enterprises to ensure effective and economical protection of their information resources. The study can be useful both for management deciding on investment in security, and for information security specialists looking for optimal solutions for the specific needs of the enterprise.
... Chiba et al. [25] have elaborated on the IDS study by the principle of deep networks. The objective is to offer security for IoT users. ...
... In some cases, the false alarm also produced Chiba et al. [25] deep networks It has afforded the best IDS prediction outcome in the static environment ...
Article
Nowadays, the intrusion prevention model in network applications is essential in protecting data from malicious users. The intrusion prevention model involves detecting and removing malicious events in the network. Although different prevention models have been developed in the past, there are still some issues with preventing malicious events and providing continuous monitoring. Hence, a novel hybrid prevention model named the Buffalo-based Elman neural model was proposed in this paper. Here, the input dataset, such as NSL-KDD and CICIDS, is trained and pre-processed to remove the noise features from the dataset. Also, feature extraction and attack classification are done to extract features from the dataset and neglect the malicious features. Moreover, continuous monitoring is provided in the network with the help of a login strategy. The designed model is implemented in a python environment, and the model's outcomes are validated. Finally, a comparative analysis is made by comparing the outcomes of the proposed model with other existing prevention models in terms of Accuracy, F-measure, error rate, execution time, recall, and precision. Comparative analysis shows that the designed intrusion prevention model achieved better outcomes than existing models. For NSL-KDD and CICIDS data, the proposed model achieved 98.4% and 99.7% accuracy.
... In an effort to achieve decentralized IPSs, the authors of [232] suggested the use of the multi-feature extraction (MFE) process in cloud computing and the MFE-extreme learning machine (ELM) algorithm to detect and discover network intrusions to cloud nodes. Which, ELM directly learns to use the least squares method instead of iterating to adjust the neural network weights and biases of the nodes in the hidden layer, thus gaining a faster learning speed and reducing the risk of overfitting. ...
Preprint
The rapid advances in the Internet of Things (IoT) have promoted a revolution in communication technology and offered various customer services. Artificial intelligence (AI) techniques have been exploited to facilitate IoT operations and maximize their potential in modern application scenarios. In particular, the convergence of IoT and AI has led to a new networking paradigm called Intelligent IoT (IIoT), which has the potential to significantly transform businesses and industrial domains. This paper presents a comprehensive survey of IIoT by investigating its significant applications in mobile networks, as well as its associated security and privacy issues. Specifically, we explore and discuss the roles of IIoT in a wide range of key application domains, from smart healthcare and smart cities to smart transportation and smart industries. Through such extensive discussions, we investigate important security issues in IIoT networks, where network attacks, confidentiality, integrity, and intrusion are analyzed, along with a discussion of potential countermeasures. Privacy issues in IIoT networks were also surveyed and discussed, including data, location, and model privacy leakage. Finally, we outline several key challenges and highlight potential research directions in this important area.
... Other particularity of our work, we afford in section Discussion relevant guidelines and recommendations for new scientists in domain of IoT. As it is done in the articles [8,9]. The rest of this paper is organized as follows: Section 2 gives a brief overview of the IoT architecture and its application areas. ...
Article
The Internet of Things (IoT) is one of the most emerging and revolutionary technologies of this century. The IoT is a network of dedicated devices called things deployed and used to collect, handle and exchange real-world data over the Internet or other networks. Combined with automation systems, IoT devices can help manage, monitor, and alert users to the changes in their environment, assist them to make smarter decisions, facilitate daily life, and contribute to the development of the economy and industry. Nevertheless, the exponential growth of IoT equipment as well as the absence of common international standards leads to huge challenges, among which are security and performance. Indeed, with an increasing number of devices, the old methods of managing connected devices become inappropriate, which creates security breaches. Furthermore, the limited resources of IoT devices besides the nature of their network prevent the implementation of strong and sophisticated security measures on them. As a result, IoT appliances are vulnerable and prone to many security threats and intrusions. This paper presents an overview of IoT issues and challenges. Also, it exhibits a deep analysis of the solutions proposed in the literature for these issues. This assists to mark the concerns that still require to be handled, well outlines the mainstream of research direction, and clears the way for new avenues of research for forthcoming researchers. Finally, we deliver a guide or support for scientists interested in the Internet of Things.
Article
The Internet of Things (IoT) has radically reformed various sectors and industries, enabling unprecedented levels of connectivity and automation. However, the surge in the number of IoT devices has also widened the attack surface, rendering IoT networks potentially susceptible to a plethora of security risks. Addressing the critical challenge of enhancing security in IoT networks is of utmost importance. Moreover, there is a considerable lack of datasets designed exclusively for IoT applications. To bridge this gap, a customized dataset that accurately mimics real-world IoT scenarios impacted by four different types of attacks—blackhole, sinkhole, flooding, and version number attacks was generated using the Contiki-OS Cooja Simulator in this study. The resulting dataset is then consequently employed to evaluate the efficacy of several metaheuristic algorithms, in conjunction with Convolutional Neural Network (CNN) for IoT networks.
• The proposed study's goal is to identify optimal hyperparameters for CNNs, ensuring their peak performance in intrusion detection tasks.
• This study not only intensifies our comprehension of IoT network security but also provides practical guidance for implementation of the robust security measures in real-world IoT applications.
Article
The Internet of Things (IoT) refers to the collection of all those devices that could connect to the Internet to collect and share data. The introduction of varied devices continues to grow tremendously, posing new privacy and security risks—the proliferation of Internet connections and the advent of new technologies such as the IoT. Various and sophisticated intrusions are driving the IoT paradigm into computer networks. Companies are increasing their investment in research to improve the detection of these attacks. By comparing the highest rates of accuracy, institutions are picking intelligent procedures for testing and verification. The adoption of IoT in the different sectors, including health, has also continued to increase in recent times. Where the IoT applications became well known for technology researchers and developers. Unfortunately, the striking challenge of IoT is the privacy and security issues resulting from the energy limitations and scalability of IoT devices. Therefore, how to improve the security and privacy challenges of IoT remains an important problem in the computer security field. This paper proposes a machine learning-based intrusion detection system (ML-IDS) for detecting IoT network attacks. The primary objective of this research focuses on applying ML-supervised algorithm-based IDS for IoT. In the first stage of this research methodology, feature scaling was done using the Minimum-maximum (min–max) concept of normalization on the UNSW-NB15 dataset to limit information leakage on the test data. This dataset is a mixture of contemporary attacks and normal activities of network traffic grouped into nine different attack types. In the next stage, dimensionality reduction was performed with Principal Component Analysis (PCA). Lastly, six proposed machine learning models were used for the analysis. 
The experimental results of our findings were evaluated in terms of validation dataset, accuracy, the area under the curve, recall, F1, precision, kappa, and Matthews correlation coefficient (MCC). The findings were also benchmarked with the existing works, and our results were competitive with an accuracy of 99.9% and MCC of 99.97%.
Article
Due to Internet of Things devices resource limitations, security often does not receive enough attention. Intrusion detection approaches are important for identifying attacks and taking appropriate countermeasures for each specific threat. This work presents a two-step approach for intrusion detection and identification. The first step performs a traffic analysis with an Extra Tree binary classifier. Events detected as intrusive are analyzed in the second stage by an ensemble approach consisting of Extra Tree, Random Forest, and Deep Neural Network. An extensive evaluation was performed with the Bot-IoT, IoTID20, NSL-KDD, and CICIDS2018 intrusion datasets. The experiments demonstrated that the proposed approach could achieve similar or superior performance to other machine learning techniques and state-of-the-art approaches in all databases, demonstrating the robustness of the proposed approach.
Article
The evolution of the Internet and cloud-based technologies have empowered several organizations with the capacity to implement large-scale Internet of Things (IoT)-based ecosystems, such as Industrial IoT (IIoT). The IoT and, by virtue, the IIoT, are vulnerable to new types of threats and intrusions because of the nature of their networks. So it is crucial to develop Intrusion Detection Systems (IDSs) that can provide the security, privacy, and integrity of IIoT networks. In this research, we propose an IDS for IIoT that was implemented using the Genetic Algorithm (GA) for feature selection, and the Random Forest (RF) model was employed in the GA fitness function. The models used for the intrusion detection processes include classifiers such as the RF, Linear Regression (LR), Naïve Bayes (NB), Decision Tree (DT), Extra-Trees (ET), and Extreme Gradient Boosting (XGB). The GA-RF generated 10 feature vectors for the binary classification scheme and seven feature vectors for the multiclass classification procedure. The UNSW-NB15 is used to assess the effectiveness and the robustness of our proposed approach. The experimental outcomes demonstrated that for the binary modeling process, the GA-RF achieved a test accuracy (TAC) of 87.61% and an Area Under the Curve (AUC) of 0.98, using a feature vector that contained 16 features. These results were superior to existing IDS frameworks.
Article
Internet of Things (IoT) technology is prospering and entering every part of our lives, be it education, home, vehicles, or healthcare. With the increase in the number of connected devices, several challenges are also coming up with IoT technology: heterogeneity, scalability, quality of service, security requirements, and many more. Security management takes a back seat in IoT because of cost, size, and power. It poses a significant risk as lack of security makes users skeptical towards using IoT devices. This, in turn, makes IoT vulnerable to security attacks, ultimately causing enormous financial and reputational losses. It makes up for an urgent need to assess present security risks and discuss the upcoming challenges to be ready to face the same. The undertaken study is a multi-fold survey of different security issues present in IoT layers: perception layer, network layer, support layer, application layer, with further focus on Distributed Denial of Service (DDoS) attacks. DDoS attacks are significant threats for the cyber world because of their potential to bring down the victims. Different types of DDoS attacks, DDoS attacks in IoT devices, impacts of DDoS attacks, and solutions for mitigation are discussed in detail. The presented review work compares Intrusion Detection and Prevention models for mitigating DDoS attacks and focuses on Intrusion Detection models. Furthermore, the classification of Intrusion Detection Systems, different anomaly detection techniques, different Intrusion Detection System models based on datasets, various machine learning and deep learning techniques for data pre-processing and malware detection has been discussed. In the end, a broader perspective has been envisioned while discussing research challenges, its proposed solutions, and future visions.
Article
Intrusion Prevention Systems (IPS), have long been the first layer of defense against malicious attacks. Most sensitive systems employ instances of them (e.g. Firewalls) to secure the network perimeter and filter out attacks or unwanted traffic. A firewall, similar to classifiers, has a boundary to decide which traffic sample is normal and which one is not. This boundary is defined by configuration and is managed by a set of rules which occasionally might also filter normal traffic by mistake. However, for some applications, any interruption of the normal operation is not tolerable e.g. in power plants, water distribution systems, gas or oil pipelines, etc. In this paper, we design a learning firewall that receives labelled samples and configures itself automatically by writing preventive rules in a conservative way that avoids false alarms. We design a new family of classifiers, called -classifiers, that unlike the traditional ones which merely target accuracy, rely on zero false-positive as the metric for decision making. First, we analytically show why naive modification of current classifiers like SVM does not yield acceptable results and then, propose a generic iterative algorithm to accomplish this goal. We use the proposed classifier with CART at its heart to build a firewall for a Power Grid Monitoring System. To further evaluate the algorithm, we additionally test it on KDD CUP'99 dataset. The results confirm the effectiveness of our approach.
Article
The Internet of Things (IoT) is emerging as a new technology for the development of various critical applications. However, these applications are still working on centralized storage architecture and have various key challenges like privacy, security, and single point of failure. Recently, the blockchain technology has emerged as a backbone for the IoT-based application development. The blockchain can be leveraged to solve privacy, security, and single point of failure (third-party dependency) issues of IoT applications. The integration of blockchain with IoT can benefit both individual and society. However, 2017 Distributed Denial of Service (DDoS) attack on mining pool exposed the critical fault-lines among blockchain-enabled IoT network. Moreover, this application generates huge amount of data. Machine Learning (ML) gives complete autonomy in big data analysis, capabilities of decision making and therefore is used as an analytical tool. Thus, in order to address above challenges, this paper proposes a novel distributed Intrusion Detection System (IDS) using fog computing to detect DDoS attacks against mining pool in blockchain-enabled IoT Network. The performance is evaluated by training Random Forest (RF) and an optimized gradient tree boosting system (XGBoost) on distributed fog nodes. The proposed model effectiveness is assessed using an actual IoT-based dataset i.e., BoT-IoT, which includes most recent attacks found in blockchain-enabled IoT network. The results indicate, for binary attack-detection XGBoost outperforms whereas for multi-attack detection Random Forest outperforms. Overall on distributed fog nodes RF takes less time for training and testing compared to XGBoost.
Conference Paper
Internet of Things (IoT) is used in critical fields that need to secure its network from intrusion and attacks. Therefore, many methods have been proposed to detect and prevent attacks on IoT networks. In this paper, we studied different methods that were proposed to detect and prevent IoT network attacks, where we highlighted the proposed mechanisms and their limitations.