An Intrusion Detection System for the Internet of Things Based on Machine Learning: Review and Challenges
Figure 1. Taxonomy of intrusion detection system (IDS) systems.
Figure 2. Class distribution in terms of sample sizes for the KDD99 dataset.
Figure 3. Class distribution in terms of sample sizes for the NSL dataset.
Figure 4. Class distribution in terms of sample sizes for the Kyoto dataset.
1. Introduction
2. Contributions
- It is the first review article that tackles the problem of IDS from three perspectives, namely, concept drift, high dimensionality, and computational efficiency.
- It discusses the evolving aspect of IDS attacks. It argues about the impact of the changes in the statistical distribution of the data and their corresponding classes, which requires developing concept drift-aware intrusion detection systems.
- It focuses on reviewing the computational load of the approaches and their impact on the feasibility of applying them in real-world systems.
- It provides a thorough discussion of the future challenges in IDS and the solutions that must be developed.
3. Intrusion Detection Systems
3.1. Definition
3.2. Intrusion Detection System Taxonomy
1. Anomaly-Based Technique
- Statistical-based anomaly IDS: the statistical features periodically captured from the traffic are matched against a stochastic model generated from normal operation or normal traffic [26]. An attack is reported when the two statistical patterns, the memorized normal one and the currently captured one, deviate from each other.
- Knowledge-based anomaly IDS: experts provide numerous rules, in the form of an expert system or a fuzzy system, that define the behavior of normal connections and of attacks. In fuzzy-based anomaly detection the rule base is connected to the inputs, and a subset of the rules is activated depending on the input values [27]; sometimes heuristics or a UML-based description of the attack’s behavior is provided instead [25].
- Machine learning-based anomaly IDS: an explicit or implicit model of the analyzed patterns is learned. The model is revised regularly, using past results, to improve detection performance. Section 4 and Section 5 give more information and an analysis of machine learning models for IDS.
2. Signature-Based Technique
3. Specification-Based Technique
4. Concept Drift
Concept Drift Aware Machine Learning Models
5. High Dimensional Aware Machine Learning
6. Computational Efficient Machine Learning
7. Dataset
7.1. KDD99 Dataset
- A denial of service (DoS) attack occurs when an attacker makes a computing or memory resource too busy or too full to handle legitimate requests, or otherwise denies legitimate users access to a computer.
- A user-to-root attack (U2R) is a type of exploit in which the attacker first gains access to a regular user account on the system (possibly through password sniffing, a dictionary attack, or social engineering) and then exploits a vulnerability to gain root access.
- A remote-to-local attack (R2L) occurs when an attacker who can send packets to a machine over a network, but who has no account on that machine, exploits a vulnerability to gain local access as a user of that machine.
- A probing attack is an effort to collect information about a network of computers with the apparent purpose of circumventing its security controls.
7.2. NSL Database
7.3. Kyoto Dataset
8. Challenges and Discussion
- (1) Concept drift: attacks are not always carried out in the same way, so their evolving nature has to be handled. Evolving attacks imply changes in the statistical distribution of the data and of their corresponding classes; such a change is called concept drift. The approaches proposed for concept drift have the following weaknesses: (a) they rely on prior knowledge of the concept, an assumption that does not hold in a practical setting; (b) they assume that concepts can be captured by data reduction alone, which is not always true; (c) some of them do not handle sequential classification, which is an essential part of IDS theory.
- (2) High dimensionality: IoT-based systems are categorized as high-dimensional systems, so high dimensionality must be handled by IDSs for the IoT. The approaches developed in the literature suffer from the following: (a) they can lead to a complicated architecture for storing the data; (b) they consider only the computational cost of analyzing high-dimensional data and pay little attention to memory consumption; (c) they assume a normal distribution of the data, which is not a valid assumption for all real-world problems.
- (3) Computational cost: one significant issue for IoT IDSs is the computational load. Studies in the literature have taken numerous approaches to this concern, but they still lack focus on modifying the algorithm itself to make it computationally lighter, and they pay little attention to iterative training procedures such as backpropagation.
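The statistical-based anomaly IDS of Section 3.2 and the concept-drift challenge above, as an added example that is not code from the paper: a per-feature Gaussian baseline of normal traffic reports any window whose largest z-score exceeds a threshold; when the legitimate load drifts, the static baseline's false positives climb, while a baseline refitted on recently confirmed-benign windows (analyst labels are assumed available) keeps them low and still reports the flood windows. The window features, traffic rates, threshold and drift scenario are all constructed for the illustration.

```python
"""Statistical-baseline anomaly IDS and the effect of concept drift.

Added example, not code from the reviewed paper. The per-window traffic
features (packets/s, mean payload bytes, distinct destination ports) and the
drift/attack scenario are constructed here for illustration.
"""
import math
import random
from collections import deque

THRESHOLD = 4.0   # largest |z-score| tolerated before a window is reported
HISTORY = 100     # confirmed-benign windows kept for the drift-aware baseline


def fit_baseline(windows):
    """Stochastic model of normal traffic: per-feature mean and std."""
    n, d = len(windows), len(windows[0])
    mean = [sum(w[i] for w in windows) / n for i in range(d)]
    std = [math.sqrt(sum((w[i] - mean[i]) ** 2 for w in windows) / n) or 1.0
           for i in range(d)]
    return mean, std


def deviation(baseline, window):
    """Largest per-feature |z-score| between the window and the baseline."""
    mean, std = baseline
    return max(abs(x - m) / s for x, m, s in zip(window, mean, std))


def benign_window(rng, pps):
    """Constructed normal window: volume scales with the site's load `pps`."""
    return (rng.gauss(pps, 0.1 * pps), rng.gauss(600, 80), rng.gauss(20, 4))


def flood_window(rng):
    """Constructed DoS-like window: very high rate of small packets."""
    return (rng.gauss(20000, 1000), rng.gauss(64, 8), rng.gauss(3, 1))


def simulate(n_train=200, n_drift=300, attack_every=50, seed=7):
    """Compare a static baseline with one refitted on recently confirmed
    benign windows while legitimate load drifts from 1000 to 2500 pps.
    Returns (static_fp, adaptive_fp, attacks, static_tp, adaptive_tp)."""
    rng = random.Random(seed)
    train = [benign_window(rng, 1000.0) for _ in range(n_train)]
    static = fit_baseline(train)
    recent = deque(train[-HISTORY:], maxlen=HISTORY)
    static_fp = adaptive_fp = attacks = static_tp = adaptive_tp = 0
    for t in range(n_drift):
        adaptive = fit_baseline(list(recent))
        if (t + 1) % attack_every == 0:
            w = flood_window(rng)
            attacks += 1
            static_tp += int(deviation(static, w) > THRESHOLD)
            adaptive_tp += int(deviation(adaptive, w) > THRESHOLD)
        else:
            w = benign_window(rng, 1000.0 + 1500.0 * t / n_drift)
            static_fp += int(deviation(static, w) > THRESHOLD)
            adaptive_fp += int(deviation(adaptive, w) > THRESHOLD)
            # Only windows confirmed benign (label assumed known) refresh the model
            recent.append(w)
    return static_fp, adaptive_fp, attacks, static_tp, adaptive_tp


if __name__ == "__main__":
    print(simulate())
```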
9. Summary and Conclusions
Author Contributions
Institutional Review Board Statement
Informed Consent Statement
Data Availability Statement
Conflicts of Interest
- Ogudo, K.A.; Nestor, D.M.J.; Khalaf, O.I.; Kasmaei, H.D. A device performance and data analytics concept for smartphones’ IoT services and machine-type communication in cellular networks. Symmetry 2019, 11, 593.
- Darwish, A.; Hassanien, A.E.; Elhoseny, M.; Sangaiah, A.K.; Muhammad, K. The impact of the hybrid platform of internet of things and cloud computing on healthcare systems: Opportunities, challenges, and open problems. J. Ambient Intell. Humaniz. Comput. 2019, 10, 4151–4166.
- Rehman, M.H.u.; Yaqoob, I.; Salah, K.; Imran, M.; Jayaraman, P.P.; Perera, C. The role of big data analytics in industrial Internet of Things. Future Gener. Comput. Syst. 2019, 99, 247–259.
- Zolanvari, M.; Teixeira, M.A.; Gupta, L.; Khan, K.M.; Jain, R. Machine Learning-Based Network Vulnerability Analysis of Industrial Internet of Things. IEEE Internet Things J. 2019, 6, 6822–6834.
- Teng, H.; Liu, Y.; Liu, A.; Xiong, N.N.; Cai, Z.; Wang, T. A novel code data dissemination scheme for Internet of Things through mobile vehicle of smart cities. Future Gener. Comput. Syst. 2019, 94, 351–367.
- Muthuramalingam, S.; Bharathi, A.; Kumar, S.R.; Gayathri, N.; Sathiyaraj, R.; Balamurugan, B. IoT based intelligent transportation system (IoT-ITS) for global perspective: A case study. Intell. Syst. Ref. Libr. 2019, 154, 279–300.
- Kraemer, F.A.; Ammar, D.; Braten, A.E.; Tamkittikhun, N.; Palma, D. Solar energy prediction for constrained IoT nodes based on public weather forecasts. In Proceedings of the Seventh International Conference on the Internet of Things, Linz, Austria, 22–25 October 2017.
- Helbing, D. Societal, Economic, Ethical and Legal Challenges of the Digital Revolution: From Big Data to Deep Learning, Artificial Intelligence, and Manipulative Technologies. In Towards Digital Enlightenment; Springer: Cham, Switzerland, 2015.
- Nabi, R.M.; Saeed, S.A.M.; Haron, H. Artificial intelligence techniques and external factors used in crime forecasting in violence and property: A review. J. Comput. Sci. 2020, 16, 167–182.
- Al-Naeem, M.; Rahman, M.A.; Ibrahim, A.A.B.; Rahman, M.M.H. AI-based techniques for DDoS attack detection in WSN: A systematic literature review. J. Comput. Sci. 2020, 16, 848–855.
- Mahdavinejad, M.S.; Rezvan, M.; Barekatain, M.; Adibi, P.; Barnaghi, P.; Sheth, A.P. Machine Learning for Internet of Things Data Analysis. Digit. Commun. Netw. 2017, 4, 161–175.
- Xiao, L.; Wan, X.; Lu, X.; Zhang, Y.; Wu, D. IoT Security Techniques Based on Machine Learning. IEEE Signal Process. Mag. 2018, 35, 41–49.
- Diro, A.A.; Chilamkurti, N. Distributed Attack Detection Scheme using Deep Learning Approach for Internet of Things. Future Gener. Comput. Syst. 2017, 82, 761–768.
- Zhao, Q.; Chen, S.; Liu, Z.; Baker, T.; Zhang, Y. Blockchain-based privacy-preserving remote data integrity checking scheme for IoT information systems. Inf. Process. Manag. 2020, 57, 102355.
- Hu, Y.; Ren, P.; Luo, W.; Zhan, P.; Li, X. Multi-resolution representation with recurrent neural networks application for streaming time series in IoT. Comput. Netw. 2019, 152, 114–132.
- Leech, C.; Raykov, Y.P.; Ozer, E.; Merrett, G.V. Real-time room occupancy estimation with Bayesian machine learning using a single PIR sensor and microcontroller. In 2017 IEEE Sensors Applications Symposium (SAS); IEEE: Hoboken, NJ, USA, 2017.
- Iwashita, A.S. An Overview on Concept Drift Learning. IEEE Access 2019, 7, 1532–1547.
- Ghaddar, B.; Naoum-Sawaya, J. High dimensional data classification and feature selection using support vector machines. Eur. J. Oper. Res. 2018, 265, 993–1004.
- Al-yaseen, W.L.; Ali, Z.; Zakree, M.; Nazri, A. Real-time multi-agent system for an adaptive intrusion detection system. Pattern Recognit. Lett. 2017, 85, 56–64.
- Anderson, J.P. Computer security threat monitoring and surveillance. Technical Report; James P. Anderson Company: Fort Washington, PA, USA, 1980; p. 56.
- Javed, A.R.; Beg, M.O.; Asim, M.; Baker, T.; Al-Bayatti, A.H. AlphaLogger: Detecting motion-based side-channel attack using smartphone keystrokes. J. Ambient Intell. Humaniz. Comput. 2020.
- Newsome, J.; Shi, E.; Song, D.; Perrig, A. The Sybil attack in sensor networks: Analysis & defenses. In Proceedings of the Third International Symposium on Information Processing in Sensor Networks (IPSN), Berkeley, CA, USA, 27 April 2004; pp. 259–268.
- Liao, H.; Lin, C.R.; Lin, Y.; Tung, K. Intrusion detection system: A comprehensive review. J. Netw. Comput. Appl. 2013, 36, 16–24.
- Fernandes, G.; Rodrigues, J.J.; Carvalho, L.F.; Al-Muhtadi, J.F.; Proença, M.L. A comprehensive survey on network anomaly detection. Telecommun. Syst. 2018, 70, 447–489.
- Hamamoto, A.H.; Carvalho, L.F.; Sampaio, L.D.H.; Abrão, T.; Proença, M.L., Jr. Network anomaly detection system using genetic algorithm and fuzzy logic. Expert Syst. Appl. 2018, 92, 390–402.
- Kabir, E.; Hu, J.; Wang, H.; Zhuo, G. A novel statistical technique for intrusion detection systems. Future Gener. Comput. Syst. 2017, 79, 303–318.
- Petkovic, M.; Basicevic, I.; Kukolj, D.; Popovic, M. Evaluation of Takagi-Sugeno-Kang fuzzy method in entropy-based detection of DDoS attacks. Comput. Sci. Inf. Syst. 2018, 15, 139–162.
- Dupont, G.; den Hartog, J.; Etalle, S.; Lekidis, A. Network intrusion detection systems for in-vehicle network: Technical report. arXiv 2019, arXiv:1905.11587.
- Schlimmer, J.C.; Granger, R.H. Incremental learning from noisy data. Mach. Learn. 1986, 1, 317–354.
- Priya, S.; Uthra, R.A. Comprehensive analysis for class imbalance data with concept drift using ensemble based classification. J. Ambient Intell. Humaniz. Comput. 2020.
- Webb, G.I.; Hyde, R. Characterizing Concept Drift. Data Min. Knowl. Discov. 2016, 30, 964–994.
- Ahmadi, Z.; Kramer, S. Modeling recurring concepts in data streams: A graph-based framework. Knowl. Inf. Syst. 2017, 55, 15–44.
- Stolpe, M. The Internet of Things: Opportunities and Challenges for Distributed Data Analysis. ACM SIGKDD Explor. Newsl. 2016, 18, 15–34.
- De Andrade, J.; Raul, E.; Gama, J. An evolutionary algorithm for clustering data streams with a variable number of clusters. Expert Syst. Appl. 2017, 67, 228–238.
- Almeida, P.R.L.; Oliveira, L.S.; Britto, A.S.; Sabourin, R. Adapting dynamic classifier selection for concept drift. Expert Syst. Appl. 2018, 104, 67–85.
- Din, S.U.; Shao, J. Exploiting evolving micro-clusters for data stream classification with emerging class detection. Inf. Sci. 2020, 507, 404–420.
- Park, S.; Kim, J. Network Intrusion Detection through Online Transformation of Eigenvector Reflecting Concept Drift. In Proceedings of the International Conference on Data Science, E-Learning and Information Systems, Madrid, Spain, 1–2 October 2018; pp. 2–5.
- Hammoodi, M.S.; Stahl, F.; Badii, A. Real-time feature selection technique with concept drift detection using adaptive micro-clusters for data stream mining. Knowl. Based Syst. 2018, 161, 205–239.
- Wahab, O.A. Sustaining the Effectiveness of IoT-Driven Intrusion Detection over Time: Defeating Concept and Data Drifts. pp. 1–10. Available online: (accessed on 26 February 2021).
- Braverman, V. Clustering High Dimensional Dynamic Data Streams. In Proceedings of the 34th International Conference on Machine Learning, Sydney, Australia, 6–11 August 2017.
- Yin, C.; Xia, L.; Zhang, S.; Sun, R.; Wang, J. Improved clustering algorithm based on high-speed network data stream. Soft Comput. 2017, 22, 4185–4195.
- Amini, A.; Saboohi, H.; Herawan, T.; Wah, T.Y. MuDi-Stream: A multi density clustering algorithm for evolving data stream. J. Netw. Comput. Appl. 2016, 59, 370–385.
- Gao, X.; Shan, C.; Hu, C.; Niu, Z.; Liu, Z. An Adaptive Ensemble Machine Learning Model for Intrusion Detection. IEEE Access 2019, 7, 82512–82521.
- Jaber, A.N.; Zolkipli, M.F.; Shakir, H.A.; Mohammed, R. Host Based Intrusion Detection and Prevention Model Against DDoS Attack in Cloud Computing. In International Conference on P2P, Parallel, Grid, Cloud and Internet Computing; Springer: Cham, Switzerland, 2018.
- Gao, J.; Li, J.; Zhang, Z.; Tan, P.N. An incremental data stream clustering algorithm based on dense units detection. In Pacific-Asia Conference on Knowledge Discovery and Data Mining; Springer: Berlin/Heidelberg, Germany, 2005; pp. 420–425.
- Chen, Y.; Tu, L. Density-based clustering for real-time stream data. In Proceedings of the 13th ACM SIGKDD International Conference on Knowledge Discovery and Data Mining, San Jose, CA, USA, 13–17 August 2007; pp. 133–142.
- Aggarwal, C.C.; Han, J.; Wang, J.; Yu, P.S. A Framework for Clustering Evolving Data Streams. In Proceedings of the 2003 VLDB Conference, Berlin, Germany, 9–12 September 2003.
- Shao, J.; Tan, Y.; Gao, L.; Yang, Q.; Plant, C.; Assent, I. Synchronization-based clustering on evolving data stream. Inf. Sci. 2019, 501, 573–587.
- Fahy, C.; Yang, S.; Gongora, M. Ant Colony Stream Clustering: A Fast Density Clustering Algorithm for Dynamic Data Streams. IEEE Trans. Cybern. 2019, 49, 2215–2228.
- Islam, M.K.; Ahmed, M.M.; Zamli, K.Z. A buffer-based online clustering for evolving data stream. Inf. Sci. 2019, 489, 113–135.
- Kranen, P.; Assent, I.; Baldauf, C.; Seidl, T. The ClusTree: Indexing micro-clusters for anytime stream mining. Knowl. Inf. Syst. 2011, 29, 249–272.
- Hesabi, Z.R.; Sellis, T.; Liao, K. DistClusTree: A Framework for Distributed Stream Clustering; Springer: Berlin/Heidelberg, Germany, 2018; Volume 1.
- Sharma, J.; Giri, C.; Granmo, O.C.; Goodwin, M. Multi-layer intrusion detection system with ExtraTrees feature selection, extreme learning machine ensemble, and softmax aggregation. EURASIP J. Inf. Secur. 2019, 2019, 1–16.
- Abusitta, A.; Bellaiche, M.; Dagenais, M.; Halabi, T. A deep learning approach for proactive multi-cloud cooperative intrusion detection system. Future Gener. Comput. Syst. 2019, 98, 308–318.
- Khater, B.S.; Wahab, A.W.B.A.; Idris, M.Y.I.B.; Hussain, M.A.; Ibrahim, A.A. A lightweight perceptron-based intrusion detection system for fog computing. Appl. Sci. 2019, 9, 178.
- Jan, S.U.; Ahmed, S.; Shakhov, V.; Koo, I. Toward a Lightweight Intrusion Detection System for the Internet of Things. IEEE Access 2019, 7, 42450–42471.
- Murali, S.; Jamalipour, A. A Lightweight Intrusion Detection for Sybil Attack under Mobile RPL in the Internet of Things. IEEE Internet Things J. 2020, 7, 379–388.
- Rummel, M. Der Social Entrepreneurship-Diskurs. Eine Einführung in die Thematik. In Wer Sind Soc. Entrep. Deutschland?; Springer: Berlin/Heidelberg, Germany, 2011; pp. 21–38.
- Song, J.; Takakura, H.; Okabe, Y.; Eto, M.; Inoue, D.; Nakao, K. Statistical analysis of honeypot data and building of Kyoto 2006+ dataset for NIDS evaluation. In Proceedings of the First Workshop on Building Analysis Datasets and Gathering Experience Returns for Security, Salzburg, Austria, 10 April 2011; pp. 29–36.
| Reference | Description | Limitation |
| --- | --- | --- |
| [35] | A pool of classifiers is trained on certain concepts, and a dynamic or time-based selection picks a subset of them according to the test sample to counter concept drift. | It relies on prior knowledge of the concept, which is not a valid assumption in the practical world. |
| [36] | An algorithm that maintains and updates online micro-clusters to distinguish evolution and concept drift from noisy data. | It handles only clustering. |
| [37] | Concept drift is reflected in an online way when obtaining the eigenvalues of principal component analysis. | It assumes the concept can be captured by data reduction only, which is not always true. |
| [38] | Concept drift detection based on real-time feature selection, tracking adaptive statistical summaries of the data and of the class label distributions. | It is limited to one type of concept drift, i.e., concept drift caused by feature changes. |
| [39] | An online deep neural network model that relies on an ensemble of neural networks of varying depth, which cooperate and compete so that the model steadily learns and adapts as new data arrive, allowing for stable and long-lasting learning. | Concern about the computational complexity. |

| Reference | Description | Limitation |
| --- | --- | --- |
| [42] | The concepts of core mini-clusters and grid are used to summarize the data, giving a smaller version of the data that makes the storage and computation for clustering feasible. | It is still limited in the case of high dimensional data. |
| [48] | Extended the concept of micro-clusters from a single level to multiple (hierarchical) levels. | It causes a complicated architecture for storing the data. |
| [49] | Ant colony stream clustering (ACSC) is based on identifying a group of micro-clusters. The algorithm uses a tumbling window model and a stochastic method to find rough clusters, which are then refined using ant colony optimization. | It has a computational concern because the optimization runs inside the clustering. |
| [50] | Uses the micro-cluster concept and updates the micro-cluster radius recursively, with a buffer for storing and filtering out irrelevant micro-clusters. Furthermore, the algorithm uses an energy updating function based on the spatial information of the data stream. | It is more useful for reducing computation than memory consumption. |
| [51] | A framework for stream data clustering, named ClusTree, was proposed to handle different stream speeds. It also uses the concept of micro-clusters based on statistical modeling (mean and variance). | It assumes a normal distribution of data, which is not a valid assumption in all real-world problems. |

| Reference | Scope | Contribution | Limitation |
| --- | --- | --- | --- |
| [54] | General IDS | Enabling parallel execution | Lacking focus on modifying the inside algorithm to make it computationally lighter |
| [55] | IDS | Ensemble learning based | Partial IDS feedback is not adequate in ensemble learning |
| [56] | Fog IDS | A multi-layer perceptron model was used and executed on a Raspberry Pi | Back-propagation training is iterative and requires time |
| [57] | IoT IDS | Support vector machine (SVM) assisted by two or three incomplete features | SVM is the most efficient classifier |
| [58] | Low power and lossy network (RPL) IDS | Tracking of the arrival time of control messages | Protocol dependent |
© 2021 by the authors. Licensee MDPI, Basel, Switzerland. This article is an open access article distributed under the terms and conditions of the Creative Commons Attribution (CC BY) license.
Share and Cite
Adnan, A.; Muhammed, A.; Abd Ghani, A.A.; Abdullah, A.; Hakim, F. An Intrusion Detection System for the Internet of Things Based on Machine Learning: Review and Challenges. Symmetry 2021, 13(6), 1011.