Article Open Access

Enhancing IoT network security: a literature review of intrusion detection systems and their adaptability to emerging threats

  • Bara Fteiha, Huma Zia, Mai Zeyadeh, Raneem Abu Hazeem, Heba Obaidat and Rawan Ghannam
Published/Copyright: December 4, 2025

Abstract

With the continuous evolution of smart environments powered by Internet of Things (IoT) networks and smart devices, there becomes a crucial need to address and ensure privacy and security. Intrusion Detection Systems (IDSs) that are specially designed for use in IoT networks play a vital role in strengthening the security posture of an IoT network and system by safeguarding and preventing attacks against smart environments. This research paper presents a comparative study of IDSs for IoT networks, with a focus on signature-based, anomaly-based, and specification-based IDS detection methods while highlighting the significance of IDSs in protecting IoT networks and smart environments, which have become recent targets for attackers due to their integration with modern and advanced technologies and their involvement with large volumes of data. The study investigates the mentioned IDS methods covering the strengths and weaknesses of each method in safeguarding smart environments and networks. This paper dives into the characteristics that make IDS decision-making more effective primarily in terms of security, considering privacy and performance. The findings of this study contribute to the hardening of IoT network security by offering recommendations for IDS selection for enhancing IoT overall security, specifically through the adoption of adaptive-based IDSs.

1 Introduction

In recent years, the widespread integration of IoT devices has assisted in substantial changes across various domains of our daily lives, encompassing domains as diverse as smart residences and industrial automation. However, the escalating intercommunication among IoT devices has amplified their vulnerability to cyber threats, underscoring the criticality of intrusion detection as a means to ensure the security and dependability of IoT networks [1]. This research paper aims to present a comprehensive examination of IDS meticulously tailored for IoT networks, emphasizing three distinct categories of IDS methodologies: signature-based, anomaly-based, and specification-based detection methods. Through an evaluation of the strengths and limitations inherent in each method, this study aims to provide valuable insights regarding their practical implementation and their potential to significantly enhance the security of IoT devices. This research carries significant importance in the domain of IoT security as it directly addresses a pressing need in the field.

This literature review’s primary objective is to investigate the effectiveness and limitations of the mentioned IDS methods in detecting and mitigating various types of attacks on IoT networks. With the exponential growth of IoT devices, the demand for robust intrusion detection systems becomes increasingly crucial [2]. By conducting a comprehensive analysis of signature-based, anomaly-based, and specification-based IDS specifically designed for IoT networks, as summarized in Tables 1 to 5, this study aims to provide valuable guidance to researchers, practitioners, and organizations. This comprehensive review will allow decision-makers to take proper action regarding selecting, implementing, and developing intrusion detection mechanisms that are specifically customized for IoT networks. In the realm of IoT networks, IDS assumes a pivotal role as the primary line of defense against security breaches and unauthorized access attempts [3]. However, IDS for IoT networks face unique challenges distinct from those encountered by traditional network IDS due to the heterogeneous nature of IoT devices, resource constraints within IoT environments, and the extensive scale of IoT deployments [4]. IDSs are purposefully engineered to monitor real-time network traffic, device behavior, and communication patterns, to swiftly identify any anomalous or malicious activities that may endanger the integrity of IoT networks. By promptly detecting and issuing alerts for potential intrusions, IDS for IoT networks fulfill a critical role in preventing data breaches, unauthorized device control, and potential disruptions to IoT infrastructure, as shown in Figure 1. Additionally, these systems yield invaluable insights into emerging attack patterns and vulnerabilities, empowering organizations to continuously enhance their security measures and adopt proactive defense strategies to keep pace with the ever-evolving landscape of IoT security.
This paper offers valuable contributions by classifying IDSs into five types, using consistent evaluation criteria, and presenting detailed comparative tables. It also highlights system-specific limitations through gap analysis and includes recent literature up to 2025, making it a timely and practical resource for IoT security research.

Figure 1: IDS contribution to the IoT industry.

2 Literature review

2.1 IoT devices

Nowadays, with all the technological advancements, there is widespread use of IoT devices all over the world. At the outset, the term IoT describes machines and devices that use the Internet to operate, gather, and share data. Without human-to-human or human-to-computer interaction, objects in the IoT can exchange data. Besides, IoT devices can interact with their surroundings, relaying data to other devices or centralized servers, and enabling remote monitoring and control [5]. IoT applications range from day-to-day activities to industrial machines. Moreover, industries may achieve greater efficiency, automation, and better decision-making by utilizing IoT capabilities. Enabling smarter functioning and greater user control improves the intelligence of our life tasks while also making them easier and simpler [6].

IoT facilitates real-time data extraction and allows users to review and retrieve how their systems are currently operating and help enterprises undergo a digital transformation [7]. The IoT is an expansion of SCADA (Supervisory Control and Data Acquisition) systems [8]. IoT systems are made up of sensors, processors, and communication hardware that enable the sharing of system data. The sensor gathers data, then either analyzes it locally or sends it to a cloud over the internet for sharing and analysis. Depending on the system’s goals, these devices can also control other devices in addition to providing data. The majority of IoT systems do not need human involvement in any of their activities, although users may still access data, modify programs, and change instructions. The three stages of the process that take place in IoT systems are data collection, data transfer, and data analysis. Sensors, antennae, or microcontrollers are just a few examples of IoT devices that are employed in the first step of this process.

The second stage resides in the IoT hub (internet cloud) where data transfer occurs, while the user interface or analytics application stage represents the last stage [7]. An example of an IoT ecosystem is RFID (Radio-Frequency Identification) tags and smart home systems [9]. The third and final stage entails analyzing the collected data and formulating reports, with the possibility of taking action if prompt interference through actuators was one of the IoT system’s features [10].

Businesses are utilizing IoT technology more frequently to enhance productivity, efficiency, and decision-making. IoT offers real-time business insights by providing information on the operation and performance levels of the company. Adopting IoT in businesses also helps them provide better customer service, save time and money, make wiser decisions, and increase profitability. Manufacturing, transportation, agriculture, and home automation are areas in which IoT is widely employed [7]. Similar to all newly adopted technologies, the IoT has advantages and disadvantages. Looking at the benefits, IoT offers real-time data accessibility at any time or location, making systems more convenient and simple to use. This technology also offers improved communication among the system’s connected devices. Additionally, IoT system automation makes it possible to obtain services and goods of a higher caliber, which increases client satisfaction.

However, there are significant drawbacks to adopting IoT, including the fact that the likelihood of a system hack increases with the number of devices in the system. This even makes the system more complex, making it difficult to analyze data and operate additional equipment. Moreover, another concern IoT introduces is that defects and intrusions with one of the connected devices will affect the network as a whole. Additionally, using devices made by different manufacturers may make it difficult for the devices to couple and communicate with one another [7]. Furthermore, due to the potential gathering and transmission of sensitive data, security and privacy considerations are crucial and necessitate strong protections to reduce risks of intrusion.

2.2 IoT network and communication

Network and communication technologies are crucial elements of IoT systems for devices to connect and share data. The development of dependable, secure, and scalable IoT systems that can successfully gather, transmit, and analyze data for numerous applications requires a solid understanding of the IoT network and communication components. To begin with, different network technologies, such as Wi-Fi, cellular networks (3G, 4G, and 5G), Bluetooth, Zigbee, Z-Wave, LoRaWAN, and NB-IoT, can be used to link IoT devices to the internet. The choice of network technology is influenced by several variables, including deployment needs, data transmission rate, range, and power consumption. Moreover, depending on the IoT deployment, multiple communication protocols could be deployed by IoT devices to share data and fulfill the system requirements [11].

The protocols MQTT (Message Queuing Telemetry Transport), CoAP (Constrained Application Protocol), HTTP (Hypertext Transfer Protocol), and WebSocket are among the popular IoT communication protocols discussed in [12]. By defining the guidelines and formats for data transfer, these protocols guarantee interoperability and effective communication between devices and IoT systems. Adding to that, IoT gateways serve as mediators between devices and the cloud, offering protocol translation and data management. IoT data can be processed, stored, and analyzed via cloud services. Furthermore, IoT network security is a major concern due to the numerous linked devices and their potential weaknesses: data and equipment need to be protected from unwanted access and cyberattacks through security mechanisms like authentication, encryption, access control, and firmware updates. These security countermeasures work together to provide a network system that allows safe connectivity and communication throughout the IoT ecosystem. IoT devices can be remotely upgraded via OTA updates without manual assistance, keeping the systems secure and functional [13].

As for the commonly known network architecture, mesh networks are frequently used in IoT applications where devices connect with one another to establish a network without depending on a centralized infrastructure. Devices in a mesh network can send and receive data, relaying it to other devices nearby. This decentralized strategy broadens the coverage area and increases reliability, yet causes the whole system to be more vulnerable [14].

Furthermore, edge computing is essential in IoT networks for boosting productivity and cutting latency. In contrast to delivering data to the cloud, edge computing includes processing and analyzing data closer to the source (at the network’s edge). Edge computing makes real-time decision-making possible while reducing the volume of data carried across the network. IoT networks must support a very large number of devices, ranging from a few to millions. Effectively managing the growing number of devices and data traffic requires scalability, this can be achieved through cloud computing where data management, processing, and analysis occur on an online platform. Regardless of the underlying technologies or protocols, interoperability makes sure that devices from different manufacturers and platforms may interact and cooperate in an effortless manner [15].

2.3 IoT architecture

In the IoT dimension, networks usually follow a three-layer architecture consisting of the perception layer, the network layer, and the application layer. While each layer serves its purpose by utilizing various technologies and features and generating a large scale of data continuously, new challenges and unique security issues are posed and introduced. In this section, we provide an overview of the three-layer IoT architecture and the associated threats in each layer [16]. Figure 2 shows the three-layer architecture.

  1. Perception Layer: The perception layer, also called the physical layer, serves as the lowest layer in the IoT architecture model and is considered the main working part of IoT. In this layer, data and information are collected through sensing devices. This includes the use of physical devices such as sensors, actuators, RFID tags, and embedded devices that collect data from the surroundings. Edge devices such as actuators, which communicate with their surroundings, are also utilized in this layer. These sensing devices may also use triggers, such as the detection of special patterns and the identification of other smart devices in the environment [16]. Threats in this layer include:

    1. Eavesdropping: is the unauthorized real-time interception and monitoring of private communications between sensing devices or smart devices. Attackers may eavesdrop on wireless transmissions as well, where RF signals and Wi-Fi communications will be captured so the attacker can extract sensitive data to obtain insights on the IoT device functionality. Captured data by the attacker may include sensor readings, special patterns, credentials, user activities, and many other valuable data that may be of use to an attacker for more sophisticated exploits [17].

    2. Node Capture: refers to when an attacker obtains physical access and control of an IoT device which is one of the most damaging threats at the perception layer. For instance, an attacker may gain complete control of a gateway node where all communication may be leaked. When an attacker obtains control over a node, the attacker will be able to modify its functionality or configurations and tamper with data or simply disclose data that is meant to be private [17].

    3. Fake and Malicious Nodes: involves a scenario where an attacker inserts a node into the system which then generates and transmits fake data disrupting the transmission of genuine data in the network. This happens due to the consumption of valuable energy resources belonging to real nodes by the fraudulent node potentially causing network destruction [18].

  2. Network Layer: Due to the wide network infrastructure of IoT devices, there becomes a necessity for the distribution of the data collected at the perception layer which is the responsibility of the network layer. This layer binds and connects smart IoT devices enabling sensor data and facilitating communication processing between network devices, servers, and IoT devices. In this layer, network components are utilized as per requirements such as protocols, gateways, and access points [16]. The threats at this layer include:

    1. Denial of Service (DoS): this attack aims to prevent legitimate users from accessing devices or other resources and disrupting the operation of IoT networks by flooding targeted IoT devices, overwhelming network resources, and rendering them unavailable. Attackers flood resources with traffic exhausting the bandwidth and capacity of the network. In return, IoT devices become unresponsive and fail to serve real users [19].

    2. Man in the Middle (MiTM): involves attackers intercepting and altering the communication in an IoT network. The attackers work on positioning themselves between the communicating parties, allowing the attacker to obtain unauthorized disclosure of data in transit and enabling them to modify the data for malicious purposes [19].

    3. Storage Attacks: data collected from the perception layer along with user-related information may be stored either on storage devices or the cloud, which may be targeted by an attacker. The attacker is then able to tamper with the user’s data. This attack compromises the confidentiality and integrity of data being stored as an attacker can access, manipulate, and extract valuable information [18].

  3. Application Layer: is the level at which the user communicates with application-specific services. This layer enables the analysis of collected data and the decision-making process to deliver IoT functionality. Users in this layer interact with provided software resources such as a mobile application user interface where the user can obtain control of IoT devices. It is easier to understand this layer in the context of smart houses [16]. This layer has several threats. Some are mentioned below:

    1. Cross-Site Scripting (XSS): involves the attacker injecting malicious code into a trusted site which may be accessed by users or even IoT devices. When a user interacts with the infected site, the injected scripts will execute, allowing attackers to access sensitive and private data or perform malicious actions [20].

    2. Data Loss Due to Mass Data: The application layer in IoT networks deals with a large number of devices and thus deals with the storage and processing of a large volume of data from IoT devices which can cause data loss leading to severe consequences [21].

    3. Malicious Code Attacks: This refers to the presence of malicious code within the software which aims at causing harm to the system. These attacks are unfortunately not always detected by anti-virus tools. The malicious code may be inactive waiting for a trigger event or can be self-activated [18].

Figure 2: Three-layer IoT architecture.

2.4 IDS

Exploring IoT architecture layers and their associated threats highlights the need to emphasize IDSs and their importance. IDSs are a very important element of network security infrastructure: they distinguish normal from suspicious behavior and detect unauthorized access, thereby exposing potential security breaches. However, an IDS is there to complement other security measures such as firewalls, antivirus, and encryption. On its own, the IDS will not be enough to protect the network security infrastructure; it acts as an extra layer of protection against cyber attacks on the network [22]. Additionally, IDS serves a crucial purpose in swiftly detecting and notifying network administrators or security personnel about potentially detrimental or questionable activities that may pose a threat to the confidentiality, integrity, or availability of network resources. By continuously analyzing network traffic and system logs, IDS possesses the ability to identify irregularities, patterns, or deviations that could indicate unauthorized endeavors to breach security, malware encroachments, or various forms of security breaches [23]. Furthermore, IDS fulfills critical roles within network security, encompassing various essential functions [24]:

  1. Detection of Threats: to quickly identify possible security risks, IDS attentively and continuously monitor network traffic, system logs, and other relevant data sources.

  2. Enabling Forensic Analysis: IDS plays a key role in producing numerous logs and records of security events, which are essential for assisting post-incident investigations. These detailed records are incredibly valuable because they provide precious information that may be used to determine the root causes, extent, and effects of security breaches.

  3. Supporting Compliance and Auditing: by methodically tracking and recording security-related occurrences, IDS actively assists corporate compliance activities. IDS assists in meeting legal duties and abiding by industry-specific rules by offering thorough audit logs and reporting on security occurrences.

  4. Conducting Vulnerability Assessments: Some IDS can incorporate vulnerability scanning functions, enabling them to find flaws like gaps, improper configurations, or out-of-date software versions that may be vulnerable to exploitation by intruders [25].

IDS plays an important role in protecting IoT networks. IDS monitors and safeguards the devices, protocols, and communications inside the ecosystem since they were created expressly for IoT configurations. Lightweight and effective IDS solutions are crucial for overcoming obstacles like resource limitations and complexity imposed by various devices and protocols. IDS goes beyond threat detection in IoT networks. They swiftly notify network administrators or security teams, allowing for quick investigation and security problem remediation. By doing this, harm done to IoT devices and the network infrastructure is reduced. IDS also enforces security regulations and access controls to guarantee that only authorized parties may access the network. IDS interfaces with other security tools like firewalls, encrypting software, and device management platforms seamlessly, creating a robust and effective security architecture [26]. There are various conventional types of IDS designed for IoT devices, each employing unique methods to detect attacks. Some of these types include [26]:

  1. Signature-based IDS: In this type of IDS, a database of signatures and patterns for well-known attacks is maintained. The IDS then compares the network traffic with this database and raises an alarm when a match is found, alerting the security administrators.

  2. Anomaly-based IDS: In this type, the network traffic is compared against a model of the device’s normal behavior, which can be built in several ways, and an alarm is raised when something abnormal is observed.

  3. Specification-based IDS: also known as Rule-based IDS depends on predefined specifications, rules, and thresholds. The IDS will compare the traffic to the predefined rules and raise an alarm when it finds something that does not match the rules.

  4. Network-based IDS: examines network traffic and observes communication patterns to identify potentially malicious activities. This IDS can detect unauthorized access efforts, unusual data flows, and abnormal network behavior.

  5. Host-based IDS: operates on the system level, constantly observing and evaluating single IoT devices for activity and events occurring related to the devices. For HIDS, the user behavior, system logs, and changes in file integrity data are monitored for signs of any malicious activities.
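To make the difference between the first three detection types concrete, the following added example (not code from the paper or from any of the surveyed systems) runs a signature check, a specification check, and an anomaly check over the same constructed stream of IoT packet records. The device names, protocol rules, signature strings, rate ceiling and the three-sigma anomaly threshold are all assumptions chosen for illustration; the point is that each method alerts on a different subset of the same traffic, which is the gap that hybrid and adaptive IDSs discussed later try to close.

```python
"""Signature-, specification- and anomaly-based detection over one packet stream.

Constructed example; all device names, rules, signatures and thresholds are
assumptions for illustration only.
"""
from statistics import mean, pstdev

# Constructed benign training traffic used only to learn the anomaly baseline.
# Record layout: (device, protocol, dst_port, bytes_per_sec, payload)
TRAINING = [
    ("thermo-01", "MQTT", 1883, 120, "temp=21.5"),
    ("thermo-01", "MQTT", 1883, 130, "temp=21.7"),
    ("thermo-01", "MQTT", 1883, 125, "temp=21.6"),
    ("thermo-01", "MQTT", 1883, 135, "temp=21.8"),
    ("cam-07",    "HTTP", 80,   900, "GET /stream"),
    ("cam-07",    "HTTP", 80,   950, "GET /stream"),
    ("cam-07",    "HTTP", 80,   920, "GET /stream"),
    ("cam-07",    "HTTP", 80,   880, "GET /stream"),
]

# Constructed live traffic to classify; the comments mark what each method sees.
PACKETS = [
    ("thermo-01", "MQTT", 1883, 120,  "temp=21.5"),
    ("thermo-01", "MQTT", 1883, 130,  "temp=21.6"),
    ("cam-07",    "HTTP", 80,   900,  "GET /stream"),
    ("thermo-01", "MQTT", 1883, 125,  "temp=21.4"),
    ("thermo-01", "HTTP", 80,   140,  "GET /admin"),               # violates the device spec
    ("cam-07",    "HTTP", 80,   950,  "<script>x</script>"),       # matches a known signature
    ("thermo-01", "MQTT", 1883, 9000, "temp=21.5"),                # rate far above baseline
]

# Signature-based: a small constructed database of known malicious patterns.
SIGNATURES = {"<script>", "../../", "cmd.exe"}

def signature_detect(packets):
    """Alert on any packet whose payload contains a stored attack pattern."""
    return [i for i, p in enumerate(packets) if any(sig in p[4] for sig in SIGNATURES)]

# Specification-based: per-device allowed protocol/port plus a hard rate ceiling.
SPEC = {
    "thermo-01": {"protocols": {"MQTT"}, "ports": {1883}, "max_bps": 5000},
    "cam-07":    {"protocols": {"HTTP"}, "ports": {80},   "max_bps": 5000},
}

def specification_detect(packets):
    """Alert on any packet that violates the predefined rules for its device."""
    alerts = []
    for i, (dev, proto, port, bps, _) in enumerate(packets):
        rule = SPEC.get(dev)
        if (rule is None or proto not in rule["protocols"]
                or port not in rule["ports"] or bps > rule["max_bps"]):
            alerts.append(i)
    return alerts

# Anomaly-based: learn a per-device baseline of bytes/sec, flag large deviations.
def build_baseline(training):
    """Return {device: (mean_bps, stddev_bps)} learned from benign traffic."""
    baseline = {}
    for dev in {p[0] for p in training}:
        rates = [p[3] for p in training if p[0] == dev]
        baseline[dev] = (mean(rates), pstdev(rates) or 1.0)  # avoid a zero stddev
    return baseline

def anomaly_detect(packets, baseline, k=3.0):
    """Alert when a packet's rate is more than k standard deviations from its
    device's baseline; k is the tuning knob that trades false positives for
    sensitivity, and unknown devices are treated as having no baseline."""
    alerts = []
    for i, (dev, _, _, bps, _) in enumerate(packets):
        mu, sd = baseline.get(dev, (0.0, 1.0))
        if abs(bps - mu) / sd > k:
            alerts.append(i)
    return alerts

def run_all(packets, training):
    """Run the three methods and return the alert indices each produced."""
    return {
        "signature": signature_detect(packets),
        "specification": specification_detect(packets),
        "anomaly": anomaly_detect(packets, build_baseline(training)),
    }

if __name__ == "__main__":
    for method, hits in run_all(PACKETS, TRAINING).items():
        print(f"{method:14s} alerts on packets {hits}")
```

On this stream the signature check catches only the packet carrying a stored pattern, the specification check catches the protocol violation and the rate-ceiling breach, and the anomaly check catches only the statistical outlier; a packet that carried a pattern not in the database would reach the device unnoticed by the signature method, which is exactly the zero-day limitation the review describes.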

Five types of IDS systems are going to be examined in this work: Signature, Anomaly, Specification, Hybrid, and Adaptive. The investigation will tackle devices from each classification, contrast them using concrete factors, and analyze their performance. The reason for investigating these different IDS types is to understand the strengths and vulnerabilities in protecting the IoT network.

3 Relevant systems literature

3.1 Signature-based intrusion detection method

This approach relies on the identification of malicious patterns in network activity by comparing them with attack signatures that are stored within an internal database. The way the approach works is by triggering an alert when an attack signature matches a signature in the database. This technique provides the ability to rapidly identify known attacks and provide effective detection and prevention of attack exploitation. While this approach effectively functions in identifying known attacks, it may pose many challenges in IoT networks due to the constant discoveries and new exploits in IoT where it becomes hardly feasible to detect new attacks whose signatures are not yet stored in the internal database used for intrusion detection. In addition, different variants of attacks stored in the database may also remain undetected using this approach [27]. Moreover, this method is deemed to be inefficient when it comes to zero-day vulnerabilities, considering that a zero-day threat will not be part of the predefined signatures in the system database. Additionally, signature-based IDSs in IoT networks demand high costs due to limited resources such as memory required to store attack signatures in the internal database, computational resources and processing ability required for the algorithms that are utilized for checking signatures and detecting intrusions, and energy constraints [27], [28]. Thus, to develop a robust signature-based IDS for IoT networks, careful consideration of the device resource limitations must be present.

  1. Approaches utilizing Signature-based IDS

    1. Dynamic coding mechanism for signature-based IDS in IP-USN

Research conducted by Amin et al. [29] showcased a dynamic coding mechanism for distributed signature-based IDS in IP-based Ubiquitous Sensor Networks (IP-USN). The proposed approach involves sending signatures of varying lengths to the corresponding Bloom filters, where the output of a Bloom filter consists of a bit array containing signature codes. As incoming packets are received and processed, the patterns stored in the Bloom filters, shown in Figure 3, are used to check whether the packets are malicious. When a match is found, the sensor node halts the packet being processed, triggers an alarm, and sends the corresponding signature code to the sink for verification.

Figure 3: Generation of signature code for the signatures with the same length.

The proposed approach was then assessed using a widely recognized IDS signature set for IP networks, the Snort signature set. With 13,339 signature strings available in Snort version 2.8 and the limited program memory available in IP-USN, the collection of signatures provided by Snort can be considered the upper limit for the number of signatures in IP-USN. With a false positive rate of 0.024, this method uses only 13 KB of storage for the Snort signature set, whereas traditional methods usually require 252 KB. The method accommodated all 13,339 signatures with no collisions, low false alarms, high detection accuracy, low memory and energy consumption rates, and a lightweight design. Nonetheless, this IDS implementation does not regulate unnecessary real-time network transactions, and it shares the usual limitations of signature-based detection: memory consumption for attack signature storage and difficulty in detecting a diverse range of attacks, since predefined attack signatures are a prerequisite [30].
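The trade-off above (13 KB instead of 252 KB, at the price of a 0.024 false positive rate) is inherent to Bloom filters, and the following added example shows why. It is illustration code written for this review, not Amin et al.’s implementation: signatures are grouped by length, each group gets its own Bloom filter, and a packet is scanned with a sliding window of each length, mirroring the per-length grouping in Figure 3. The signature strings, the bits-per-signature budget and the hash count are constructed assumptions; the false positive estimate is the standard Bloom filter formula (1 − e^(−kn/m))^k.

```python
"""Bloom-filter signature matching grouped by signature length.

Added illustration; signature strings, filter sizing and helper names are
assumptions and not the reviewed system's code.
"""
import hashlib
import math

class BloomFilter:
    """Fixed-size bit array with k positions per item derived by double hashing."""

    def __init__(self, m_bits: int, k_hashes: int):
        self.m = m_bits
        self.k = k_hashes
        self.bits = bytearray((m_bits + 7) // 8)
        self.count = 0  # number of inserted signatures, needed for the FP estimate

    def _positions(self, item: bytes):
        digest = hashlib.sha256(item).digest()
        h1 = int.from_bytes(digest[:8], "big")
        h2 = int.from_bytes(digest[8:16], "big") | 1  # odd, so the stride never collapses
        return [(h1 + i * h2) % self.m for i in range(self.k)]

    def add(self, item: bytes) -> None:
        for pos in self._positions(item):
            self.bits[pos >> 3] |= 1 << (pos & 7)
        self.count += 1

    def __contains__(self, item: bytes) -> bool:
        return all(self.bits[pos >> 3] & (1 << (pos & 7)) for pos in self._positions(item))

    def false_positive_rate(self) -> float:
        """Expected FP probability (1 - e^{-kn/m})^k for the n items inserted so far."""
        return (1 - math.exp(-self.k * self.count / self.m)) ** self.k

class SignatureMatcher:
    """One Bloom filter per signature length; packets are scanned window by window."""

    def __init__(self, signatures, bits_per_sig: int = 32, k_hashes: int = 16):
        by_len = {}
        for sig in signatures:
            by_len.setdefault(len(sig), []).append(sig)
        self.filters = {}
        for length, sigs in by_len.items():
            f = BloomFilter(bits_per_sig * len(sigs), k_hashes)
            for s in sigs:
                f.add(s)
            self.filters[length] = f

    def scan(self, packet: bytes):
        """Return (offset, window) pairs that hit a filter; a hit is a *probable*
        match and would be confirmed against the full signature at the sink."""
        hits = []
        for length, f in self.filters.items():
            for i in range(len(packet) - length + 1):
                window = packet[i:i + length]
                if window in f:
                    hits.append((i, window))
        return hits

    def memory_bytes(self) -> int:
        """Bytes spent on bit arrays, the figure that replaces raw signature storage."""
        return sum(len(f.bits) for f in self.filters.values())

# Constructed signature set (generic IDS-style tokens, not real Snort rules).
SIGNATURES = [b"<script>", b"../../", b"cmd.exe", b"%00", b"UNION SELECT"]

if __name__ == "__main__":
    matcher = SignatureMatcher(SIGNATURES)
    print("filter bytes:", matcher.memory_bytes(), "raw bytes:", sum(map(len, SIGNATURES)))
    for packet in (b"GET /index.html HTTP/1.1", b"GET /?q=<script>x"):
        print(packet, "->", matcher.scan(packet))
```

With only five constructed signatures the bit arrays are barely smaller than the raw strings; the saving appears when thousands of signatures of the same length share one array, since the array size grows with the bits-per-signature budget rather than with signature length. Lowering that budget shrinks memory further and raises `false_positive_rate()`, which is the knob behind the 13 KB versus 0.024 figures quoted above, and is why a matched code is sent to the sink for verification instead of being trusted on the node.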

    2. DEMO IDS framework

This study evaluates the DEMO IDS framework designed for use in IoT networks that utilize 6LoWPAN technology. The goal of this framework is to detect Denial-of-Service (DoS) attacks which, when launched, disrupt communication in 6LoWPAN networks. The experimental setup for this study included IDS probes, a PenTest system, and various software components. The general architecture is presented in Figure 4. The probes are used to capture network packets and forward them to the IDS for analysis; to capture and send packets, the probes utilize a virtual interface and the Scapy packet manipulation program. The PenTest system in this approach is used to simulate attacks and test the proposed framework’s effectiveness, employing Scapy probes to initiate flooding against 6LoWPAN nodes as a DoS attack. For the detection of attacks, the framework makes use of Suricata, an IDS engine crafted for traditional networks. Because Suricata is not adapted to the 6LoWPAN protocol, it was necessary to implement additional decoders to allow incoming packet inspection, and specific rules were added for the detection of attacks, including flooding-based DoS attacks [31].

Figure 4: DoS protection architecture.

The IDS was also integrated with Prelude which is an event monitoring system that enhanced the IDS’s capabilities by minimizing false positives. The experiment included forwarding alerts to Prelude from attacks detected by Suricata. The alerts were presented to the end-user using the web interface for Prelude named Prewikka demonstrated in Figure 5. The results of the experiment validate the effectiveness and stability of the proposed IDS framework by demonstrating the correct detection of flooding attacks and triggering alerts accordingly [31].

Figure 5: Alerts displayed in Prewikka [31].

    3. Lightweight Signature-Based IDS

Sheikh et al. propose a lightweight signature-based IDS for IoT environments using a sequence inspired by DNA patterns. The system was designed to convert labeled data into signatures that mimic nucleotides and match them to traffic patterns based on relative frequency. The IDS was tested on 10,000 samples and produced only 9 false positives, demonstrating high accuracy and efficiency. Its four-layer architecture currently only supports offline detection on resource-constrained devices, and is yet to be deployed in real-time [32].

    4. Signature-Based IDS in Wireless 6G IoT Networks

Farooq et al. presented a signature-based intrusion detection method for 6G IoT networks that relies on a structured database of known harmful patterns, with hash-based, string-matching, and AI-enhanced approaches. The system aims at reliable and efficient threat identification by including detection methods such as hybrid models, trie-based structures, and Bloom filters. For low-power, resource-constrained situations, it facilitates safe, incremental signature updates and real-time alarm production. On benchmark datasets, the system achieves 98.9 % accuracy, showing that it is highly successful at identifying known threats with minimal false positives. It provides a scalable and reliable solution for safeguarding next-generation wireless networks, and its lightweight design allows for real-time deployment in 6G-enabled IoT scenarios [33]. A summary of the reviewed signature-based intrusion detection systems is given in Table 1.

Table 1: Summarized comparison of signature-based IDS approaches.

Signature-based IDS (dynamic coding, IP-USN)
  Main idea: Pattern matching using Bloom filters and signature codes.
  Advantages: Accurate, low false positives, lightweight, low resource use.
  Disadvantages: Not real-time, limited to known attacks, possible congestion.

DEMO IDS
  Main idea: Detects flooding attacks using Suricata and GUI monitoring.
  Advantages: Real-time GUI, reduced false positives, flexible rule-based detection.
  Disadvantages: Limited against unknown attacks, privacy not addressed.

Lightweight signature-based IDS
  Main idea: Uses DNA-inspired signatures for real-time detection.
  Advantages: High accuracy (9 false positives in 10,000), scalable, efficient.
  Disadvantages: No zero-day detection, depends on labeled data.

Signature-based IDS in 6G IoT networks
  Main idea: Combines hash, string, and AI-based methods with trie and Bloom filters for 6G IoT.
  Advantages: 98.9 % accuracy, real-time alarms, scalable, lightweight.
  Disadvantages: Cannot detect unknown threats, needs updated signatures, privacy not discussed.

3.2 Anomaly-based intrusion detection method

The anomaly-based intrusion detection method is used to recognize any doubtful or untrusted activities that may occur in the system or in the network. This security technique takes normal behavior as a reference point and then constantly observes for any behavior that deviates from that reference point. If abnormal actions are detected, an alert is sent to the administrators informing them that something abnormal, such as unfamiliar network traffic or illegal access, has occurred, so that the required corrective actions can be performed. This detection technique is unique in its effectiveness in identifying new, previously unseen attacks. Furthermore, the technique investigates a variety of parameters to recognize anomalies; these metrics include network traffic, user behavior, and resource usage. Careful tuning is necessary to decrease false positives by precisely setting the reference point (normal behavior). This gives the method the advantage of being potentially able to detect zero-day vulnerabilities. However, this potential security advantage is highly affected by false positives [34]. To resolve the weaknesses of this method, hybrid methods are proposed in which anomaly-based intrusion detection is combined with signature-based detection.

  1. Sagacious IDS in Sensor Network

Ahmed et al. developed an ML-based IDS for wireless sensor networks (WSNs) aimed at detecting four DoS attack types: TDMA (scheduling), Flooding, Blackhole, and Grayhole. The study assessed five classification algorithms (KNN, Naïve Bayes, Logistic Regression, SVM, and ANN) on a large dataset generated from LEACH protocol simulations. In both binary and multiclass classification, ANN and KNN performed best, with accuracies of 98 % and 97 %, respectively. The study shows that ANN and KNN remain robust as the dataset size varies, and it uses SMOTE to address class imbalance [35].

  2. Anomaly-based IDS for IoT Application

To detect abnormalities in IoT settings, Bhavsar et al. introduced PCC-CNN, a lightweight and effective intrusion detection system that combines convolutional neural networks (CNN) with feature selection based on the Pearson Correlation Coefficient. The authors evaluated the model's binary and multiclass classification capabilities on the NSL-KDD, CICIDS2017, and IoTID20 benchmark datasets and compared its performance with conventional ML models such as SVM, LDA, KNN, CART, and logistic regression. PCC-CNN outperformed most of the conventional models, especially in binary classification, with a consistently high accuracy of 99.89 % and minimal false alarm rates. The study also addresses class imbalance, feature redundancy, and overfitting to argue that PCC-CNN is reliable and suitable for real-time IoT security applications. The authors note, however, that multiclass classification remains harder because of imbalanced datasets and higher computational demands [36].

  3. Anomaly-based DL IDS

Sharma et al. addressed class imbalance with a deep learning-based IDS for IoT networks. The system uses a Deep Neural Network (DNN) together with a filter-based feature selection strategy to identify various attack types in the UNSW-NB15 dataset. By generating synthetic examples for the minority classes with Generative Adversarial Networks (GANs), the authors raised accuracy from 84 % to 91 %. Removing strongly correlated features reduces complexity and training time while maintaining performance, which makes the system suitable for real-time detection in resource-constrained IoT settings [37]. A summary of the reviewed anomaly-based intrusion detection systems is given in Table 2.

Table 2:

Summarized comparison of anomaly-based IDS approaches.

| IDS technique | Sagacious IDS | PCC-CNN IDS | Anomaly-based DL IDS |
|---|---|---|---|
| Main idea | ML-based detection of DoS attacks using classifiers (ANN, KNN). | CNN with PCC-based feature selection for lightweight anomaly detection. | DNN with GAN-enhanced training for IoT intrusion detection. |
| Advantages | 98 % accuracy, handles class imbalance, resilient to dataset size, detects zero-day attacks. | 99.89 % accuracy, low false alarms, outperforms traditional models, detects zero-day attacks. | 91 % with GANs, reduced complexity, real-time capable, detects zero-day attacks. |
| Disadvantages | Needs large labeled data, tuning-dependent, computationally intensive. | Multiclass complexity, higher training cost. | Possible noise from GANs, resource-intensive training. |

3.3 Specification-based IDS

Specification-based IDSs operate as follows. The security team first states the rules (the specification) that the IDS uses to recognise possible intrusions; these rules cover, among other things, the permitted protocols, encryption types, packet types, and number of packet fragments. The specification defines the boundary of legitimate behaviour: the IDS does not learn it from traffic, and any activity that falls outside it is treated as suspicious. When the IDS observes activity that does not conform to the specification, it raises an indicator that something unusual has occurred and forwards it to the system administrator for further action.

The rules may also bound the expected system load, which is how specification-based IDSs capture DoS attacks alongside other attacks: the IDS tracks the load on the monitored side against the expected range, and a load that exceeds that range signals that a DoS attack is under way. In response, the IDS alerts the administrator and takes steps to thwart or prevent the attack [26]. A specification-based IDS is also customisable: the organisation defines its own rules for its own systems, and the IDS uses those rules to identify possible attacks on the network. Nevertheless, writing precise and effective specifications depends entirely on the knowledge of the network administrator. Getting the specification right is essential; otherwise security is compromised by over- or under-detection, which leads to false positives or false negatives, respectively [30]. Specification-based IDSs can detect zero-day attacks, but the extent of that ability depends heavily on the administrator's experience and on the sophistication of the zero-day threat.
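The two kinds of rule described above (per-packet constraints on protocols, ports and fragments, and a per-window load envelope for DoS) as an added example written for this review, not code from the cited systems. The specification, the packet records and the window size are constructed assumptions; nothing is learned from the traffic, which is the defining property of the method.

```python
from collections import Counter

# Operator-written specification (constructed for this example): the envelope of
# behaviour a sensor gateway is permitted to show. Nothing here is learned from traffic.
SPEC = {
    "allowed_protocols": {"coap", "mqtt", "dns"},
    "allowed_ports": {"coap": {5683}, "mqtt": {8883}, "dns": {53}},
    "max_fragments": 4,            # fragment budget per datagram (6LoWPAN-style)
    "expected_load": (5, 60),      # packets per window considered normal
}

# Constructed packet records: (window, protocol, destination port, fragment count).
TRAFFIC = [
    (1, "mqtt", 8883, 1), (1, "mqtt", 8883, 1), (1, "coap", 5683, 2),
    (1, "dns", 53, 1), (1, "coap", 5683, 1), (1, "mqtt", 8883, 1),
    (2, "mqtt", 8883, 1),
    (2, "telnet", 23, 1),          # protocol the specification does not permit
    (2, "coap", 5683, 9),          # fragment budget exceeded
    (2, "mqtt", 1883, 1),          # MQTT on a port the specification forbids
    (2, "coap", 5683, 1), (2, "dns", 53, 1),
] + [(3, "coap", 5683, 1)] * 400  # window 3: CoAP flood, every packet well-formed


def check_packet(spec, pkt):
    """Per-packet rule checks; returns the list of violated rules (empty = conforming)."""
    _, proto, port, frags = pkt
    violations = []
    if proto not in spec["allowed_protocols"]:
        violations.append(f"protocol {proto} not permitted")
    elif port not in spec["allowed_ports"][proto]:
        violations.append(f"{proto} on port {port} not permitted")
    if frags > spec["max_fragments"]:
        violations.append(f"{frags} fragments exceeds budget of {spec['max_fragments']}")
    return violations


def check_load(spec, traffic):
    """Per-window load check: a window outside the expected range signals DoS."""
    low, high = spec["expected_load"]
    per_window = Counter(pkt[0] for pkt in traffic)
    return {w: n for w, n in per_window.items() if not low <= n <= high}


def run_spec_ids(spec, traffic):
    """Emit (window, kind, detail) alerts: rule violations first, then load anomalies."""
    alerts = [(pkt[0], "VIOLATION", v) for pkt in traffic for v in check_packet(spec, pkt)]
    for w, n in sorted(check_load(spec, traffic).items()):
        alerts.append((w, "DOS", f"{n} packets in window, expected {spec['expected_load']}"))
    return alerts


if __name__ == "__main__":
    for window, kind, detail in run_spec_ids(SPEC, TRAFFIC):
        print(f"window {window}: {kind}: {detail}")
```

The telnet attempt in window 2 is reported although no signature for it exists, which is the sense in which a specification can catch an attack it has never seen. The flood in window 3 is caught only by the load rule, because every packet in it is individually well-formed; a flood held just inside the expected range would pass, and an expected range set too tight would flag legitimate bursts. Both failure modes come from the specification, not the engine, which is why the paragraph stresses getting it right.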

  1. Specification-Based IDS for RPL Network

Le et al. [38] introduced a specification-based IDS for identifying topology attacks in RPL-based networks. It builds an Extended Finite State Machine (EFSM) that represents valid RPL behaviour, derived from simulation traces through a semi-automated profiling approach. The resulting specification is used by a cluster-based IDS that monitors node activity and flags violations of the protocol rules. Simulation results show high detection accuracy, low false positives, and an overhead of about 6.3 %, which supports the system's scalability to large IoT deployments. The approach has notable drawbacks: detecting some attacks, such as Local Repair and DIS attacks, requires longer monitoring periods to gather enough evidence, and the false-positive rate rises over time as compromised nodes affect their neighbours. The system currently detects only topology attacks, not performance-related threats, and suffers from data-reporting synchronisation problems that can cause misclassification.

  2. Specification-based Automotive IDS using CAN

Olufowobi et al. presented a specification-based IDS tailored for modern automotive in-vehicle networks. SAIDuCANT utilizes real-time schedulability analysis to model expected Controller Area Network (CAN) message timings and detect anomalies that indicate intrusions, such as message injection or spoofing attacks. The system infers message timing parameters, including periods, jitters, and response times from normal CAN traffic without prior knowledge, forming a behavioral specification against which runtime activity is compared. Experimental evaluation was conducted using both real CAN logs from passenger vehicles and an open-source dataset comprising various attack scenarios. The results demonstrate that SAIDuCANT achieves a high accuracy of approximately 99 % on normal and synthetic data, low Time To Detection (TTD) often between 0 and 10 ms, and minimal False Positives Before Attack (FPBA), typically 0–1, which underscores its suitability for real-time applications. Additionally, F1 scores consistently exceeded 0.88 in attack scenarios, outperforming traditional interval and frequency-based IDS methods. These results highlight SAIDuCANT’s strong balance of detection performance and efficiency, suggesting it could be employed in a service-oriented architecture as shown in Figure 6. However, the system currently struggles with handling aperiodic messages and multiple-period messages under a single ID [39].
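The core idea of the CAN system above, a timing specification inferred from benign traffic and then enforced at runtime, as an added example written for this review. It is not SAIDuCANT's schedulability analysis: the specification here is simply the median inter-arrival gap and the largest observed deviation per CAN ID, and a frame arriving earlier than that allows is reported. The CAN logs, IDs, periods and the injected frame are all constructed for the example.

```python
from statistics import median


# Constructed benign CAN log: (timestamp in ms, CAN ID). ID 0x100 is sent every
# 10 ms with a little jitter, ID 0x200 every 20 ms.
def constructed_benign_log():
    frames = [(i * 10.0 + (0.2 if i % 3 == 0 else -0.1), 0x100) for i in range(50)]
    frames += [(i * 20.0 + 0.3, 0x200) for i in range(25)]
    return sorted(frames)


# Constructed attack log: the benign traffic plus one injected 0x100 frame at
# 102.0 ms and one frame with an ID never seen during profiling.
def constructed_attack_log():
    return sorted(constructed_benign_log() + [(102.0, 0x100), (50.0, 0x7DF)])


def learn_timing_spec(log):
    """Infer the timing specification from benign traffic alone: for each CAN ID,
    the period (median inter-arrival gap) and the jitter (largest deviation from it)."""
    last, gaps = {}, {}
    for ts, cid in log:
        if cid in last:
            gaps.setdefault(cid, []).append(ts - last[cid])
        last[cid] = ts
    spec = {}
    for cid, g in gaps.items():
        period = median(g)
        spec[cid] = (period, max(abs(x - period) for x in g))
    return spec


def monitor(spec, log, tolerance=0.5):
    """Runtime check: a frame that arrives earlier than period - jitter - tolerance
    cannot be the scheduled transmission, so it is reported; unknown IDs are too.
    The tolerance (ms) absorbs timestamp resolution and float rounding."""
    last, alerts = {}, []
    for ts, cid in log:
        if cid not in spec:
            alerts.append((ts, cid, "ID not in specification"))
        elif cid in last:
            period, jitter = spec[cid]
            gap = ts - last[cid]
            earliest = period - jitter - tolerance
            if gap < earliest:
                alerts.append((ts, cid, f"gap {gap:.1f} ms, earliest allowed {earliest:.1f} ms"))
        last[cid] = ts
    return alerts


if __name__ == "__main__":
    spec = learn_timing_spec(constructed_benign_log())
    for cid, (period, jitter) in spec.items():
        print(f"ID 0x{cid:03X}: period {period:.1f} ms, jitter {jitter:.1f} ms")
    for ts, cid, why in monitor(spec, constructed_attack_log()):
        print(f"{ts:7.1f} ms  0x{cid:03X}  {why}")
```

The injected frame produces two alerts, one for itself and one for the legitimate frame that follows it (now too close to the injection), which is why detection latency and false positives before the attack are measured separately in evaluations of this kind of system. The limitation noted in the paper shows up directly: an aperiodic ID has no meaningful period, so this check cannot be applied to it, and the learned specification must be rebuilt whenever an ECU update changes the schedule.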

Figure 6: Service oriented architecture for IoT.

  3. SH-IDS

Babu et al. introduced a Specification Heuristics-Based IDS, SH-IDS, designed to operate in constrained IoT environments. Compared with conventional IDSs, its novelty lies in a lightweight, distributed approach: specification heuristics are obtained from n-gram patterns in the network's transaction records, which allows local detection at the device level. Evaluated on the UNSW-NB15 dataset, SH-IDS outperformed TLA-IDS with an accuracy of 91.77 %. Despite its innovative approach, the system has not yet fully exploited the potential of n-gram attributes, which the authors leave for future work [40]. A summary of the reviewed specification-based intrusion detection systems is given in Table 3.

Table 3:

Summarized comparison of specification-based IDS techniques.

| IDS technique | Spec.-based IDS for RPL | Spec.-based IDS for CAN | SH-IDS |
|---|---|---|---|
| Main idea | Detects RPL attacks using an EFSM derived from normal behaviour traces. | Detects CAN anomalies by modeling message timing without prior specs. | Uses n-gram heuristics for local anomaly detection. |
| Advantages | High accuracy, low false positives, about 6.3 % overhead, scalable. | 99 % accuracy, fast detection (0–10 ms), minimal false alerts. | Lightweight, localized, 91.77 % detection rate. |
| Disadvantages | Slower for some attacks, rising false positives, limited to topology threats. | Struggles with aperiodic/multi-period messages. | Limited scalability data, depends on heuristics. |

3.4 Hybrid IDS

Recent research has attempted to remove some of the limitations of the conventional IDS methods by proposing hybrid IDSs. Depending on the context and application, a hybrid combines two or more neural network models, or combines two or more detection methods as layers: for instance, a signature-based layer followed by an anomaly-based layer. Such a design is better equipped for zero-day attack detection than a signature-only IDS, because the anomaly-based layer can flag traffic that matches no known signature.
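The layered design just described, as an added example written for this review (not the architecture of any system reviewed below): a signature layer that names known attacks, then an anomaly layer that scores flows that matched nothing against a profile of normal flows, so the verdict distinguishes known from unknown attacks. The signature strings, the normal-flow profile, the three features and the distance radius are constructed assumptions; the anomaly layer uses nearest-neighbour distance rather than a neural network.

```python
import math
from collections import Counter

# Layer 1: signature set (constructed indicators, not a real rule set). A match
# identifies the attack by name.
SIGNATURES = {
    b"USER admin\r\nPASS admin": "telnet-default-credentials",
    b"/bin/busybox wget": "bot-download-stage",
}

# Layer 2: profile of normal flows, (packets/s, distinct destination ports,
# payload entropy in bits/byte), constructed from a benign period.
NORMAL_PROFILE = [(1.0, 1, 3.4), (1.5, 2, 3.6), (0.8, 1, 3.2), (2.0, 2, 3.8), (1.2, 1, 3.5)]
SCALE = [max(col) for col in zip(*NORMAL_PROFILE)]   # per-feature scale for the distance
RADIUS = 0.5                                          # distance beyond which a flow is anomalous


def entropy(data):
    """Shannon entropy of a byte string in bits per byte (0 for an empty payload)."""
    if not data:
        return 0.0
    counts, n = Counter(data), len(data)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def features(payload, pkts_per_s, distinct_ports):
    return (pkts_per_s, distinct_ports, entropy(payload))


def match_signature(payload):
    """Signature layer: exact substring match against the known-attack set."""
    for pattern, name in SIGNATURES.items():
        if pattern in payload:
            return name
    return None


def anomaly_distance(feats):
    """Anomaly layer: scaled distance to the nearest normal flow (1-NN)."""
    scaled = [f / s for f, s in zip(feats, SCALE)]
    return min(
        math.dist(scaled, [f / s for f, s in zip(ref, SCALE)]) for ref in NORMAL_PROFILE
    )


def classify(payload, pkts_per_s, distinct_ports):
    """Layered verdict: known attack (signature), unknown attack (anomaly) or benign."""
    name = match_signature(payload)
    if name:
        return ("known", name)
    dist = anomaly_distance(features(payload, pkts_per_s, distinct_ports))
    if dist > RADIUS:
        return ("unknown", f"anomaly distance {dist:.2f}")
    return ("benign", None)


# Constructed flows: (payload, packets/s, distinct destination ports).
FLOWS = [
    (b'{"temp":21.5}', 1.0, 1),                     # ordinary sensor publish
    (b"USER admin\r\nPASS admin\r\n", 1.5, 1),       # known credential-guessing pattern
    (b"", 40.0, 120),                                # port sweep: no signature, abnormal shape
    (bytes(range(256)), 2.0, 1),                     # unseen high-entropy payload at normal rate
    (b"cd /tmp; /bin/busybox wget", 50.0, 3),        # known pattern; also anomalous, signature wins
]


if __name__ == "__main__":
    for payload, rate, ports in FLOWS:
        print(classify(payload, rate, ports))
```

The signature layer runs first because its verdict is cheaper and carries a name an analyst can act on; the anomaly layer only sees what it did not recognise, which is where the port sweep and the unfamiliar high-entropy payload are caught. The anomaly layer inherits the tuning problem of Section 3.2: the radius decides how far a benign flow may wander before it is reported as unknown.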

  1. Anomaly/Signature-Based IDS

To enhance network security, Shaikh and Gupta proposed an improved IDS that blends anomaly-based and signature-based detection. The system employs DL with ResNet50 for anomaly detection, which reaches 97.25 % accuracy, and Decision Tree methods for signature detection, which reach 96.96 % accuracy. By combining the outcomes of the two approaches, the hybrid model identified both known and unknown attacks with a final detection accuracy of 98.98 %. The integrated technique therefore detects real-world network breaches with more precision and efficiency than either method alone [41].

  2. Hybrid IDS for IoT

Smys et al. presented a hybrid IDS for IoT networks that combines CNN and Long Short-Term Memory (LSTM) models. The approach improves detection accuracy by extracting features efficiently and learning temporal patterns in network data. Experimental validation on the UNSW-NB15 dataset showed higher accuracy (98.6 %), faster detection, and a lower misclassification rate than conventional RNN models [42]. Altunay et al. employed a similar approach with more extensive testing, reaching 92.9 % accuracy for multiclass classification on UNSW-NB15 and 99.8 % on the more complex X-IIoTID dataset [43]. Both systems are limited by their reliance on benchmark datasets whose synthetic traffic may not reflect real-world deployments, so their employability in production remains unverified.

  3. Hybrid IDS for IoT Layers

In contrast to many models that concentrate on a single layer, increasing attention is being paid to methods that identify attacks on all three layers of the IoT architecture. Khan et al. proposed a hybrid DL-based IDS for IoT networks that blends Gated Recurrent Units (GRU) with Recurrent Neural Networks (RNN). The system was trained and evaluated on the ToN-IoT dataset, which contains detailed data for every layer of the IoT architecture. The experiments showed high performance, with 98 % accuracy on the application-layer datasets and 99 % on the network-traffic datasets, demonstrating how well the hybrid RNN-GRU model recognises a variety of attacks in multilayer IoT systems. Despite this success, the system remains highly dependent on the ToN-IoT dataset, which does not cover the full landscape of real-world attacks [44]. A summary of the reviewed hybrid intrusion detection systems is shown in Table 4.

Table 4:

Summarized comparison of hybrid IDS approaches.

| IDS technique | Anomaly/signature-based IDS | Hybrid IDS for IoT | Hybrid IDS for IoT layers |
|---|---|---|---|
| Main idea | Combines ResNet50 and Decision Tree for anomaly and signature detection. | Uses CNN and LSTM to extract spatial and temporal features. | Uses GRU-RNN to detect attacks across IoT layers. |
| Advantages | Detects known and unknown attacks; 98.98 % accuracy. | 98.6 % accuracy on UNSW-NB15; 99.8 % on X-IIoTID. | 98 % accuracy (application layer); 99 % (network layer). |
| Disadvantages | High complexity; potential overhead. | Requires high-quality data; resource-intensive. | Integration challenges; limited by resources. |

3.5 Adaptive IDS

The most recent research concentrates on a more dynamic method, usually referred to as Adaptive IDS. Adaptive IDSs are built around DL components that let the system learn and adjust its parameters to the threats the IoT network actually faces, whether or not those threats are already familiar. This makes them a strong candidate for IoT networks, given their dynamic and heterogeneous nature. Real-time learning and reaction to emerging threats make adaptive IDSs well suited to identifying zero-day attacks. Hybrid IDSs improve on static systems; adaptive IDSs go one step further by altering their parameters to track the changing threat environment.
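What "altering its parameters" buys and costs, as an added example written for this review (not the design of any adaptive system reviewed below): a detector whose reference point is fixed at deployment is run side by side with one that re-estimates its mean and variance from windows it judged normal, over two constructed streams of packets-per-window counts. The baseline, the smoothing factor, the drift limit and both streams are assumptions made for the example.

```python
import math


class StaticDetector:
    """Reference point fixed at deployment and never updated."""

    def __init__(self, mu, sigma, threshold=3.0):
        self.mu, self.sigma, self.threshold = mu, sigma, threshold

    def observe(self, x):
        return abs(x - self.mu) / self.sigma > self.threshold


class AdaptiveDetector:
    """Reference point tracked with an exponentially weighted moving average.

    It is updated only from windows the detector itself judged normal, so a
    single burst cannot overwrite the baseline. A drift guard reports when the
    learned mean has moved too far from the value set at deployment, because a
    patient attacker can otherwise walk the baseline upward a little at a time.
    """

    def __init__(self, mu, sigma, alpha=0.2, threshold=3.0, drift_limit=0.2):
        self.mu0 = mu
        self.mu, self.var = mu, sigma ** 2
        self.alpha, self.threshold, self.drift_limit = alpha, threshold, drift_limit

    def observe(self, x):
        sigma = max(math.sqrt(self.var), 1e-9)
        anomaly = abs(x - self.mu) / sigma > self.threshold
        if not anomaly:
            a = self.alpha
            self.mu = (1 - a) * self.mu + a * x
            self.var = (1 - a) * self.var + a * (x - self.mu) ** 2
        drift = abs(self.mu - self.mu0) / self.mu0 > self.drift_limit
        return anomaly, drift


def evaluate(stream, mu=100.0, sigma=5.0):
    """Run both detectors over a stream of packets-per-window values.
    Returns (static alerts, adaptive anomaly alerts, index of first drift alert)."""
    static, adaptive = StaticDetector(mu, sigma), AdaptiveDetector(mu, sigma)
    static_alerts = sum(static.observe(x) for x in stream)
    anomaly_alerts, first_drift = 0, None
    for i, x in enumerate(stream):
        anomaly, drift = adaptive.observe(x)
        anomaly_alerts += anomaly
        if drift and first_drift is None:
            first_drift = i
    return static_alerts, anomaly_alerts, first_drift


# Constructed streams. Deployment baseline: 100 packets/window, std 5.
BENIGN_STEP = [114, 116, 115, 118, 117, 116, 119, 115, 117, 116]   # a firmware update raised the normal rate
SLOW_RAMP = [100 * 1.04 ** t for t in range(1, 31)]                 # attacker adds 4 % per window


if __name__ == "__main__":
    for name, stream in (("benign step", BENIGN_STEP), ("slow ramp", SLOW_RAMP)):
        s, a, d = evaluate(stream)
        print(f"{name}: static alerts={s} adaptive anomaly alerts={a} first drift alert={d}")
```

On the benign step the static detector raises seven false alarms and keeps raising them until someone re-baselines it, while the adaptive one absorbs the change silently. On the slow ramp the picture inverts: the static detector alerts from the fourth window on, but the adaptive detector never does, because each step is small relative to the variance it has already learned and the traffic ends up at more than three times the original rate without a single anomaly alert. The drift guard is what catches that case, at the eighth window; an adaptive IDS that can re-learn normal behaviour needs some such anchor, or a human approval step, before the new normal is trusted.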

  1. Adaptive IDS for IoT Networks

Aravamudhan et al. combined Fast R–CNN with Gradient Boost Regression (GBR) in an adaptive intrusion detection model designed for IoT scenarios, using Principal Component Analysis (PCA) and Singular Value Decomposition (SVD) to reduce data dimensionality and improve detection accuracy. The combination targets adaptability to changing network conditions, slow detection speed, and false positives. The model is trained and assessed on the NIDS V.10 2017 dataset, achieving an accuracy of 99.5 % with precision, recall, and F1-score all reported at 98.75 %. These results show that the technique reliably handles both binary classification (normal/abnormal) and multiclass intrusions such as DoS, DDoS, R2L, U2R, and Probe in IoT networks, outperforming various existing IDS models by a wide margin. Although the system performs as desired on imbalanced datasets, it still lacks rigorous real-time testing [45].

  2. Adaptive IDS for IoT Smart Home

Sallay presented a novel device-aware IDS architecture that uses edge computing and software-defined networking (SDN) to achieve low-latency detection. Based on the traffic characteristics of classified IoT devices, the system dynamically assigns the most suitable machine learning (ML) model, including several Extreme Learning Machine (ELM) variants. This tailored model selection improves both detection accuracy and responsiveness. Regularized ELM distinguished itself from the other benchmarked models, with the lowest latency (1.44 s) and accuracy, precision, recall, and F1 scores of 99 %, supporting its applicability in real-time, resource-constrained settings. Benchmarking on the extensive CICIoT2023 dataset validated the architecture's efficacy, but the system has yet to be demonstrated in real homes at scale while keeping processing cost minimal [46].

  3. Adaptive IDS Autoencoder-FNN for IoT

Shirley implemented a novel adaptive IDS model that combines a Feedforward Neural Network (FNN) for classification with an Autoencoder (AE) for unsupervised feature extraction. This dual-stage architecture, known as AE-FNN, combines DL’s ability to recognize intricate patterns with effective classification to overcome the shortcomings of conventional signature-based and standalone anomaly-based systems. The authors point out that earlier methods, such as ensemble models and CNN-LSTM hybrids, sometimes lacked scalability or real-time application, particularly on edge devices. Their methodology is notable for addressing class imbalance, a common problem in IDS datasets, by employing a two-stage data balancing technique that uses SMOTE and random under-sampling. The CICIoT2023 dataset shows exceptional results in empirical evaluation, with 99.55 % binary classification accuracy and 90.91 % multiclass classification accuracy. In terms of accuracy, recall, and ROC-AUC metrics, these findings far outperform many current methods, but the system is limited by overfitting on imbalanced datasets and the lack of interpretability typical of complex neural networks [47]. A summary of the reviewed adaptive-based intrusion detection can be viewed in Table 5.

Table 5:

Summarized comparison of adaptive IDS techniques.

| IDS technique | Adaptive IDS for IoT Networks | Adaptive IDS for Smart Home | Autoencoder-FNN IDS |
|---|---|---|---|
| Main idea | Fast R–CNN + GBR with PCA/SVD for adaptive detection. | Edge/SDN-based model assignment using ELM variants. | Autoencoder for feature extraction + FNN for classification. |
| Advantages | 99.5 % accuracy; detects binary and multiclass attacks. | 99 % accuracy; low latency (1.44 s); scalable. | 99.55 % binary, 90.91 % multiclass accuracy; handles imbalance. |
| Disadvantages | Slower detection; complex architecture. | Needs accurate profiling; overhead from model management. | Higher complexity; DL resource demands. |

4 Findings and discussion

4.1 Dynamic coding mechanism for signature-based IDS in IP-USN

  1. Advantages

    1. Utilization of bloom filters and signature codes allows effective and accurate detection of attacks by pattern matching in incoming packets.

    2. Low rate of false positives, high detection accuracy, low memory and energy consumption, and lightweight design.

    3. Utilization of Snort Signature set provides a robust foundation for assessing effectiveness.

  2. Disadvantages

    1. Not implemented in real-time, limiting timely detection and triggering of alarms.

    2. May lead to increased network congestion and resource consumption due to unnecessary transmissions.

    3. Limited to detection of predefined attack signatures only.

  3. Characterization

    1. Functionality: Strengthens IP-USN security through a distributed IDS using signature-based detection; reduces the likelihood of successful intrusions.

    2. Privacy: Privacy concerns are not directly addressed.

    3. Performance: Low false alarm rate, high detection accuracy, efficient memory and energy usage. Not real-time; unnecessary transmissions may impact performance.
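The Bloom-filter pattern matching listed under advantages above, as an added example written for this review rather than the mechanism's own code: a constrained node holds only a small bit array built from fixed-length signature codes and screens every payload window against it; probable hits go to a verifier that holds the full patterns. A Bloom filter can answer "probably present" for a code that was never inserted, so verification is what keeps the false-positive rate at the level the advantages claim, and the textbook estimate shows how filter size controls how often that extra work happens. The signature strings, the code length and the filter parameters are constructed assumptions.

```python
import hashlib
import math

SIG_LEN = 8  # length of the fixed-size signature code stored in the filter


class BloomFilter:
    """Fixed-size bit array with k hash positions per item."""

    def __init__(self, size_bits=1024, n_hashes=3):
        self.size, self.k = size_bits, n_hashes
        self.bits = bytearray((size_bits + 7) // 8)

    def _positions(self, item):
        # Derive k positions from SHA-256 of a counter byte followed by the item.
        for i in range(self.k):
            digest = hashlib.sha256(bytes([i]) + item).digest()
            yield int.from_bytes(digest[:4], "big") % self.size

    def add(self, item):
        for p in self._positions(item):
            self.bits[p >> 3] |= 1 << (p & 7)

    def might_contain(self, item):
        """False means definitely absent; True means probably present."""
        return all(self.bits[p >> 3] & (1 << (p & 7)) for p in self._positions(item))


def expected_false_positive_rate(size_bits, n_hashes, n_items):
    """Textbook Bloom filter estimate: (1 - e^(-k n / m))^k."""
    return (1 - math.exp(-n_hashes * n_items / size_bits)) ** n_hashes


class SensorNodeScreen:
    """What a constrained node holds: only the filter (128 bytes for 1024 bits)."""

    def __init__(self, codes, size_bits=1024, n_hashes=3):
        self.filter = BloomFilter(size_bits, n_hashes)
        for code in codes:
            self.filter.add(code)

    def candidates(self, payload):
        """Offsets whose SIG_LEN-byte window is probably a signature code."""
        return [off for off in range(len(payload) - SIG_LEN + 1)
                if self.filter.might_contain(payload[off:off + SIG_LEN])]


class Verifier:
    """What the cluster head holds: the full patterns, to confirm candidates."""

    def __init__(self, signatures):
        self.by_code = {}
        for pattern, name in signatures.items():
            if len(pattern) < SIG_LEN:
                raise ValueError(f"signature {name!r} shorter than SIG_LEN")
            self.by_code.setdefault(pattern[:SIG_LEN], []).append((pattern, name))

    def confirm(self, payload, offsets):
        """Keep only candidates where the whole pattern really occurs: no filter
        false positive can survive this step."""
        return [(off, name) for off in offsets
                for pattern, name in self.by_code.get(payload[off:off + SIG_LEN], [])
                if payload.startswith(pattern, off)]


def detect(screen, verifier, payload):
    return verifier.confirm(payload, screen.candidates(payload))


# Constructed signature set for the example; not a real rule set.
SIGNATURES = {
    b"USER admin\r\nPASS admin": "telnet-default-creds",
    b"/bin/busybox wget": "bot-download",
    b"cd /tmp; chmod 777": "dropper-stage",
}

if __name__ == "__main__":
    screen = SensorNodeScreen([p[:SIG_LEN] for p in SIGNATURES])
    verifier = Verifier(SIGNATURES)
    for payload in (b'{"temp":21.5}', b"xxUSER admin\r\nPASS admin\r\n",
                    b"/bin/busybox wget; cd /tmp; chmod 777 x", b"USER admin\r\nPASS root"):
        print(payload[:24], "->", detect(screen, verifier, payload))
    print("expected filter false-positive rate:",
          expected_false_positive_rate(1024, 3, len(SIGNATURES)))
```

The last sample payload shares its first eight bytes with a signature, so the node reports the window as a candidate and the verifier rejects it; that is the intended division of labour. With 1024 bits and three hashes the estimated rate of spurious candidates for three signatures is below one in a million, and it rises to several percent if the filter is shrunk to 16 bits, which is the lever the "low memory" advantage trades against the "unnecessary transmissions" disadvantage. The arrangement still only finds patterns that were inserted, which is the known-attacks limitation the lists above state.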

4.2 DEMO IDS framework

  1. Advantages

    1. Effective in detecting flooding attacks and triggering alerts.

    2. Integration with Prelude enhances capabilities and reduces false positives.

    3. Use of rules and decoders allows detection of various attacks through packet inspection.

    4. Real-time monitoring and visualization via GUI.

  2. Disadvantages

    1. Suricata engine is not designed for 6LoWPAN and requires additional decoders.

    2. Signature-based detection has limitations in detecting unknown attacks or variants.

    3. Does not address zero-day attacks in IoT networks.

  3. Characterization

    1. Functionality: Detects known attacks, especially DoS flooding, but is limited against variants and unknown attacks.

    2. Privacy: Does not address privacy protection in IoT networks.

    3. Performance: Demonstrates stability and scalability; performance may vary with traffic volume and complexity.

4.3 Lightweight signature-based IDS

  1. Advantages

    1. Converts labeled data into DNA-inspired signatures for effective pattern matching.

    2. Achieved high accuracy with only 9 false positives in 10,000 samples.

    3. Four-layer architecture supports real-time detection on resource-constrained devices.

    4. Improved scalability and performance compared to traditional misuse detection systems.

  2. Disadvantages

    1. Relies on labeled data for generating signatures.

    2. Cannot accommodate zero-day or previously unseen attacks.

  3. Characterization

    1. Functionality: Detects known attack patterns efficiently using DNA-inspired signature encoding.

    2. Privacy: Privacy concerns are addressed to an extent.

    3. Performance: High accuracy, real-time capability, and minimal false positives; suitable for low-resource IoT environments.

4.4 Signature-based IDS in wireless 6G IoT networks

  1. Advantages

    1. Utilizes a structured database with hash-based, string-matching, and AI-enhanced approaches.

    2. Integrates hybrid models, trie-based structures, and Bloom filters for efficient threat detection.

    3. Enables real-time alarms and safe, incremental signature updates for low-power environments.

    4. Achieves 98.9 % accuracy with minimal false positives on benchmark datasets.

    5. Lightweight and scalable, suitable for real-time deployment in 6G-enabled IoT networks.

  2. Disadvantages

    1. Limited to known threats; unable to detect zero-day attacks.

    2. Requires frequent signature updates to maintain effectiveness.

  3. Characterization

    1. Functionality: Combines traditional and AI-enhanced methods for accurate, real-time detection of known attacks.

    2. Privacy: Not explicitly discussed.

    3. Performance: Delivers high accuracy, low false positives, and efficient operation on constrained devices.

4.5 Sagacious IDS in sensor network

  1. Advantages

    1. Detects multiple DoS attacks (TDMA, Flooding, Blackhole, Grayhole) using ML.

    2. ANN and KNN achieve high accuracy (98 % and 97 % respectively).

    3. Resilient to varying dataset sizes.

    4. Uses SMOTE to address class imbalance.

    5. Capable of detecting zero-day attacks due to anomaly-based nature.

  2. Disadvantages

    1. Requires large and labeled datasets for effective training.

    2. May involve higher computational cost.

    3. Effectiveness depends on algorithm tuning and feature selection.

  3. Characterization

    1. Functionality: ML-based anomaly detection targeting multiple DoS attacks in WSNs with high model accuracy; detects unknown threats.

    2. Privacy: Privacy concerns are addressed as part of secure anomaly monitoring.

    3. Performance: High detection rates with ANN and KNN; robust across dataset variations; computationally intensive.

4.6 Anomaly-based IDS for IoT applications

  1. Advantages

    1. Combines CNN with PCC for lightweight anomaly detection.

    2. Evaluated on NSL-KDD, CICIDS2017, and IOTID20 datasets.

    3. Achieves high accuracy (99.89 %) in binary classification with minimal false alarms.

    4. Outperforms conventional ML models.

    5. Addresses class imbalance, feature redundancy, and overfitting.

    6. Suitable for real-time IoT security applications.

    7. Capable of detecting zero-day attacks through anomaly-based design.

  2. Disadvantages

    1. Multiclass classification is more complex due to imbalanced datasets.

    2. Higher computational demands for deep learning model training.

  3. Characterization

    1. Functionality: Efficient anomaly-based detection using deep learning with high accuracy; capable of identifying unknown threats.

    2. Privacy: Not explicitly discussed, but enhanced through proactive anomaly detection.

    3. Performance: High accuracy and low false alarms in binary classification; more resource-intensive for multiclass scenarios.

4.7 Anomaly-based DL IDS

  1. Advantages

    1. Uses a DNN with filter-based feature selection for IoT intrusion detection.

    2. Employs the UNSW-NB15 dataset for evaluation.

    3. Applies GANs to generate synthetic samples, improving accuracy from 84 % to 91 %.

    4. Reduces complexity and training time by removing strongly correlated features.

    5. Suitable for real-time detection in resource-constrained IoT environments.

    6. Capable of detecting zero-day attacks due to anomaly-based architecture.

  2. Disadvantages

    1. Requires synthetic data generation, which may introduce noise or instability.

    2. Deep learning models may still demand notable computational resources.

  3. Characterization

    1. Functionality: Detects diverse attacks using deep learning, enhanced by GAN-based class balancing.

    2. Privacy: Indirectly supported through robust anomaly detection mechanisms.

    3. Performance: Improved accuracy (91 %), optimized for real-time and low-resource environments; potential overhead from training.

4.8 Specification-based IDS for RPL topology attacks

  1. Advantages

    1. Uses EFSM to model valid RPL behavior from simulation traces.

    2. Achieves high detection accuracy with only 6.3 % overhead.

    3. Works well in large IoT networks using a cluster-based design.

  2. Disadvantages

    1. Needs longer monitoring to detect some attacks like Local Repair and DIS.

    2. False positives increase over time as neighbors are affected.

    3. Cannot detect performance-related attacks.

    4. Synchronization issues may cause misclassification.

  3. Characterization

    1. Privacy: Focuses on behavior monitoring; privacy not addressed.

    2. Security: Detects rule violations using protocol-specific rules.

    3. Performance: Low overhead and high accuracy, but slower for some threats.

4.9 Specification-based IDS SAIDuCANT

  1. Advantages

    1. High detection accuracy of approximately 99 % on normal and synthetic CAN traffic.

    2. Fast response with TTD between 0 and 10 ms.

    3. Very low false positives before attacks (FPBA of 0 or 1).

    4. Strong performance with F1 scores above 0.88.

  2. Disadvantages

    1. Limited detection of aperiodic and mixed-period messages.

    2. Requires retraining after ECU or software updates.

    3. Accuracy depends on precise timing parameter estimation.

  3. Characterization

    1. Privacy: Not directly addressed.

    2. Security: Effectively detects spoofing and injection attacks.

    3. Performance: High accuracy, low latency, and minimal false positives.

4.10 SH-IDS

  1. Advantages

    1. Designed for constrained IoT environments with a lightweight distributed approach.

    2. Uses specification heuristics via n-gram patterns for local device-level detection.

    3. Outperformed TLA-IDS with an accuracy of 91.77 % on the UNSW-NB15 dataset.

  2. Disadvantages

    1. Limited information on scalability across large-scale IoT networks.

    2. Detection may depend on the accuracy of n-gram-based heuristic specification.

  3. Characterization

    1. Privacy: Not explicitly discussed.

    2. Security: Enables localized detection using specification-based heuristics; focuses on lightweight secure monitoring at the device level.

    3. Performance: Demonstrates solid accuracy with reduced overhead, evaluated using the UNSW-NB15 dataset.

4.11 Anomaly/Signature-based IDS

  1. Advantages

    1. Combines anomaly-based and signature-based detection for improved coverage.

    2. Uses ResNet50 for anomaly detection with 97.25 % accuracy.

    3. Uses Decision Tree for signature detection with 96.96 % accuracy.

    4. Combined model achieves 98.98 % detection accuracy.

    5. Capable of identifying both known and unknown attacks.

  2. Disadvantages

    1. Increased model complexity due to hybrid integration.

    2. Potential computational overhead in real-time scenarios.

  3. Characterization

    1. Functionality: Enhances detection precision by integrating anomaly and signature methods.

    2. Privacy: Not explicitly addressed.

    3. Performance: High accuracy (98.98 %); suitable for detecting real-world network breaches.

4.12 Hybrid IDS for IoT

  1. Advantages

    1. Combines CNN and LSTM to extract spatial and temporal features.

    2. Achieves 98.6 % accuracy on UNSW-NB15 dataset.

    3. Faster detection time and lower misclassification compared to conventional RNNs.

    4. Altunay et al.’s model achieves 92.9 % on UNSW-NB15 and 99.8 % on X-IIoTID dataset.

  2. Disadvantages

    1. Performance depends on the quality and volume of training data.

    2. DL models may require significant computational resources.

  3. Characterization

    1. Functionality: Learns complex patterns in IoT traffic using deep learning.

    2. Privacy: Not directly discussed.

    3. Performance: High detection accuracy and reduced misclassification; validated on multiple datasets.

4.13 Hybrid IDS for IoT layers

  1. Advantages

    1. Targets all three IoT layers (perception, network, application).

    2. Uses hybrid GRU-RNN model trained on ToN-IoT dataset.

    3. Achieves 98 % accuracy on application layer and 99 % on network traffic data.

    4. Effectively detects a variety of intrusion types in multilayer systems.

  2. Disadvantages

    1. May face integration challenges across heterogeneous IoT layers.

    2. Resource constraints can affect real-time deployment.

  3. Characterization

    1. Functionality: Detects attacks across multiple IoT layers using GRU-RNN.

    2. Privacy: Not explicitly addressed.

    3. Performance: High layer-specific accuracy; adaptable for complex IoT architectures.

4.14 Adaptive IDS for IoT Networks

  1. Advantages

    1. Uses Fast R–CNN with GBR for adaptive detection.

    2. Applies PCA and SVD for dimensionality reduction and improved accuracy.

    3. Achieves 99.5 % accuracy; precision, recall, and F1-score at 98.75 %.

    4. Effective for both binary and multiclass intrusion detection.

    5. Detects attacks such as DoS, DDoS, R2L, U2R, and Probe.

  2. Disadvantages

    1. Slow detection speed and false positives remain challenges.

    2. Complexity may limit real-time scalability in constrained environments.

  3. Characterization

    1. Functionality: Adaptive DL IDS trained on NIDS V.10 2017; detects a wide range of intrusions.

    2. Privacy: Not explicitly addressed.

    3. Performance: High detection accuracy and balanced classification performance.

4.15 Adaptive IDS for IoT smart home

  1. Advantages

    1. Device-aware architecture using edge computing and SDN.

    2. Dynamically assigns optimal ML models based on device traffic.

    3. Regularized ELM achieves 99 % accuracy, precision, recall, and F1-score.

    4. Lowest latency at 1.44 s.

    5. Validated on CICIoT2023 dataset; scalable and efficient.

  2. Disadvantages

    1. Model complexity may introduce management overhead.

    2. Reliant on accurate device profiling and traffic classification.

  3. Characterization

    1. Functionality: Dynamic model selection enables real-time detection in smart homes.

    2. Privacy: Not explicitly addressed; large-scale real-world test results are also lacking.

    3. Performance: Low latency, high accuracy, and scalability in resource-limited settings.

4.16 Adaptive IDS Autoencoder-FNN for IoT

  1. Advantages

    1. Combines Autoencoder for feature extraction and FNN for classification.

    2. Handles class imbalance with SMOTE and random under-sampling.

    3. 99.55 % binary and 90.91 % multiclass accuracy on CICIoT2023 dataset.

    4. Suitable for resource-constrained environments.

    5. Outperforms many existing models in accuracy, recall, and ROC-AUC.

  2. Disadvantages

    1. Dual-stage architecture increases system complexity.

    2. Real-time performance may be affected by deep learning resource demands.

  3. Characterization

    1. Functionality: Two-stage adaptive model for high-performance intrusion detection.

    2. Privacy: Not explicitly discussed.

    3. Performance: High classification metrics; designed for practical IoT deployment.

4.17 A comparison of IDS techniques in the IoT environment

Various IDS solutions have been presented in the area of IoT security to handle the particular problems introduced by IoT environments. Table 6 compares the relevant literature discussed in the previous sections. Main metrics such as detection accuracy, false positive rate, resource consumption, real-time capabilities, scalability, adaptability, and resilience are used to assess these systems.

Table 6: Comparison of IDS techniques.

Approach Det. Acc FP Rate Resource Real-time Scalable Flexible Robust
Dynamic coding mechanism × × × ×
DEMO IDS framework × × × ×
Lightweight signature-based IDS × × × ×
Signature-based IDS in wireless 6G × ×
Sagacious IDS in sensor network × × ×
Anomaly-based IDS for IoT application ×
Anomaly-based DL IDS × ×
Spec.-based IDS for RPL × × × ×
Spec.-based IDS for CAN × × ×
Specification heuristics-based IDS (SH-IDS) × × × × ×
Anomaly/Signature-Based IDS × × ×
Hybrid IDS for IoT × ×
Hybrid IDS for IoT layers × ×
Adaptive IDS for IoT networks × ×
Adaptive IDS for smart home ×
Adaptive IDS Autoencoder-FNN × ×

The comparison emphasizes the advantages and disadvantages of each strategy, assisting stakeholders in making informed decisions about the implementation of IDSs in IoT systems. Given the dynamic nature of IoT environments and applications, it is evident that no single IDS variant offers a universally optimal solution. The choice of IDS for a given IoT application depends on the type of application, the available resources, and the threat profile. The empirical results do not explicitly establish one approach as superior to the others: while adaptive-based IDSs do not have the highest accuracy, they possess the ability to learn and improve over time. Additionally, zero-day threats can be mitigated only through hybrid IDSs and adaptive methods, rather than through individual methods. It is also evident that the confidentiality and privacy of collected data are not addressed in most systems, which is a crucial aspect of assessing a system’s employability.

Based on this analysis, it is clear that, by striking a balance between detection accuracy and resilience to zero-day threats, hybrid and adaptive IDSs provide the most reliable security in dynamic IoT environments. Specification-based and signature-based IDSs are lightweight and efficient against known threats, but they are not flexible. Without careful calibration, anomaly-based IDSs run the risk of producing a large number of false positives. By combining techniques, hybrid approaches overcome the limitations of individual methods, while adaptive IDSs improve performance further through self-learning. However, data availability and computing limitations must be taken into account when deploying hybrid and adaptive IDSs. An effective IDS deployment must therefore be context-driven, scalable, and in line with the resource profile and threat environment of the intended IoT system.
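The trade-offs described above, as an added example that is not from the review or from any of the systems it surveys: a minimal hybrid IDS over constructed IoT flow records, in which a signature rule catches a known pattern, a per-device anomaly baseline catches an unseen burst, and the adaptive baseline avoids the false positives a fixed threshold raises on a device with an unusual but steady rate. Device ids, ports, packet rates and the signature rule are all constructed for illustration.

```python
"""Toy hybrid + adaptive IDS over constructed IoT flow records (added example)."""
from dataclasses import dataclass
import math


@dataclass
class Flow:
    device: str        # constructed device identifier
    dst_port: int
    pkts_per_s: float
    payload: bytes


# Signature component: one constructed rule, not a real indicator of compromise.
SIGNATURES = {
    "telnet-default-creds": lambda f: f.dst_port == 23 and b"admin:admin" in f.payload,
}


def signature_match(flow):
    """Names of the signature rules this flow triggers."""
    return [name for name, rule in SIGNATURES.items() if rule(flow)]


@dataclass
class Baseline:
    """Running mean/variance of one device's packet rate (Welford's algorithm)."""
    n: int = 0
    mean: float = 0.0
    m2: float = 0.0

    def update(self, x):
        self.n += 1
        delta = x - self.mean
        self.mean += delta / self.n
        self.m2 += delta * (x - self.mean)

    def zscore(self, x):
        if self.n < 2:
            return 0.0
        sd = math.sqrt(self.m2 / (self.n - 1))
        return (x - self.mean) / sd if sd > 0 else 0.0


class HybridIDS:
    def __init__(self, z_limit=3.0, warmup=5):
        self.z_limit = z_limit
        self.warmup = warmup      # observations learned before anomaly checks start
        self.baselines = {}       # per-device baselines: the adaptive part

    def inspect(self, flow):
        """Return alert labels for one flow; an empty list means benign."""
        alerts = ["signature:" + s for s in signature_match(flow)]
        base = self.baselines.setdefault(flow.device, Baseline())
        if not alerts and base.n >= self.warmup and base.zscore(flow.pkts_per_s) > self.z_limit:
            alerts.append("anomaly:rate")
        if not alerts:
            base.update(flow.pkts_per_s)   # learn only from traffic judged benign
        return alerts


def static_alerts(flows, limit=30.0):
    """Fixed global rate threshold: the non-adaptive detector compared against."""
    return sum(1 for f in flows if f.pkts_per_s > limit)


def run_demo():
    ids = HybridIDS()
    cam = [Flow("cam-1", 443, r, b"") for r in (10, 12, 11, 9, 10, 11, 10, 12)]
    thermo = [Flow("thermo-2", 8883, r, b"") for r in (40, 38, 42, 40, 39, 41, 40, 42, 38, 41)]
    known = Flow("cam-1", 23, 11, b"login: admin:admin")  # known pattern, normal rate
    burst = Flow("cam-1", 443, 400, b"")                 # unseen flood, no signature
    for f in cam:
        ids.inspect(f)
    adaptive_fp = sum(len(ids.inspect(f)) for f in thermo)  # steady 40 pps device
    return {"known": ids.inspect(known), "burst": ids.inspect(burst),
            "static_fp": static_alerts(thermo), "adaptive_fp": adaptive_fp}


if __name__ == "__main__":
    print(run_demo())
```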

5 Conclusions

The research explores different intrusion detection methods, including signature-based, anomaly-based, specification-based, hybrid-based, and adaptive-based. Signature-based detection compares network activity with predefined attack signatures but faces challenges in IoT networks due to new attacks and limited resources. Anomaly-based detection identifies abnormal behaviors but requires tuning to minimize false positives. Specification-based detection uses predefined rules, requiring expertise and proper configuration. Hybrid-based detection combines conventional IDSs to eliminate common limitations, but the approach is still not dynamic enough to accommodate IoT networks. Lastly, adaptive-based detection is suggested as the savior of IoT networks, owing to its high learning capabilities, dynamic nature, and zero-day threat detection capabilities. The research discusses specific approaches within each method. Each method has strengths and limitations, and these trade-offs shall be carefully evaluated to identify the optimal IDS for a given context. Due to their superiority and dynamic nature, future research should focus on advanced and adaptive systems to address evolving threats in IoT networks. Several real-world obstacles to the adoption of adaptive IDSs exist, including privacy, the limited processing capacity of IoT nodes, diverse environments, and a scarcity of training datasets. These challenges can be eliminated by prioritizing collaborative threat intelligence sharing frameworks, edge computing integration, and lightweight models.


Corresponding author: Huma Zia, College of Engineering, Abu Dhabi University, 59911, Abu Dhabi, 1790, United Arab Emirates, E-mail: 

Funding source: Abu Dhabi University - Office of Research and Sponsored Programs

Award Identifier / Grant number: NA

  1. Funding Information: This work was supported by Abu Dhabi University’s Office of Research and Sponsored Programs, Abu Dhabi University, Abu Dhabi, United Arab Emirates.

  2. Author contributions: Conceptualization, M.Z., R.A., H.O., and R.G.; methodology, B.F. and R.G.; formal analysis, M.Z. and H.O.; investigation, R.A. and H.O.; writing – original draft preparation, B.F.; writing – review and editing, B.F. and H.Z.; visualization, B.F.; supervision, H.Z.; project administration, H.Z.; funding acquisition, H.Z.

  3. Conflict of interest: The authors state that there is no Conflict of Interest to declare.

  4. Ethical approval: The conducted Research is not related to either human or animal use.

  5. Data availability statement: Data sharing does not apply to this article as no datasets were generated or analyzed during the current study.


Received: 2025-02-05
Accepted: 2025-07-12
Published Online: 2025-12-04

© 2025 the author(s), published by De Gruyter, Berlin/Boston

This work is licensed under the Creative Commons Attribution 4.0 International License.
