
A systematic literature review of intrusion detection systems in the cloud-based IoT environments

Article in Concurrency and Computation Practice and Experience · February 2022


DOI: 10.1002/cpe.6822



Received: 6 September 2019 Revised: 5 December 2021 Accepted: 9 December 2021

RESEARCH ARTICLE

A systematic literature review of intrusion detection systems in the cloud-based IoT environments

Gang Luo1, Zhiyuan Chen2, Bayan Omar Mohammed3

1 Department of Architecture, Henan Technical College of Construction, Zhengzhou, China
2 Educational Information Technology Center, Henan Technical College of Construction, Zhengzhou, China
3 Development Center for Research and Training, College of Science and Technology, University of Human Development, Kurdistan Region, Iraq

Correspondence
Gang Luo, Department of Architecture, Henan Technical College of Construction, Zhengzhou 450064, China.
Email: luogang96@sina.com

Abstract

As the number of Internet of Things (IoT) subscribers, services, and applications grows, there is a pressing need for a reliable and lightweight security solution that can be used in IoT contexts. Also, due to the open nature of cloud computing, safety concerns are always challenging. One potential solution for this problem is an intrusion detection system (IDS). An IDS that utilizes a machine learning method is gaining popularity since it has the benefit of automatically updating to fight against any new form of attack. Due to the importance of IDS in cloud-based IoT, the main articles and essential techniques in this domain are examined systematically. In cloud-based IoT, IDSs are categorized into three major categories, including learning-based, pattern-based, and rule-based mechanisms. The findings illustrate that the biggest challenge in IDS is precision and detection, which many researchers are trying to improve. Also, with the rise of connected objects, the most frequently utilized centralized (cloud-based) IDS struggles with excessive latency and network overhead, leading to delayed detection of unauthorized users and unresponsiveness to assaults. The results will be valuable for academicians, and they can offer visions for future research.

KEYWORDS
cloud computing, internet of things, intrusion detection systems, security, systematic literature
review

1 INTRODUCTION

The Internet of Things (IoT) is at the heart of next-generation infrastructure, allowing for the creation of intrinsically sustainable future cities.1,2
Sensors and devices in the IoT frequently gather and analyze geographical and temporal data for specific events and environments, addressing
various issues.3,4 IoT items or things have evolved, treatment has gotten more intelligent, and communication has become more instructional.5,6
As a result, IoT is utilized nearly everywhere: at home, in education, in entertainment, in finance, in tourism, in energy distribution, in smart cities,
in healthcare, in smart monitoring, and even in transportation.7,8 By 2022, it is expected that a trillion physical items will be connected to the
Internet.9,10 Real-time analysis of sensor data streams is carried out via IoT data-based cloud services.11,12
Cloud computing is a fast expanding subject in the world of Information Technology (IT).13 Cloud computing is described as internet-based
computing in which policies, software, infrastructure, platform, and a variety of resources are provided by virtual shared servers, which are data
centers.14,15 Nevertheless, due to its distributed and open design, which is vulnerable to attackers, security and privacy are key concerns in its
realization.16,17 For instance, Sybil attacks, Denial of Service (DoS), black hole, and other cryptographic attacks cannot be avoided using
cryptographic techniques.18,19 IDS has become the most widely utilized component of computer system security and compliance procedures for
protecting cloud environments against different threats and assaults.20,21 It uses multiple response approaches to identify vulnerabilities, report
malicious actions, and implement preventative measures to keep up with the progression of computer-related crimes.22,23

Concurrency Computat Pract Exper. 2022;e6822. wileyonlinelibrary.com/journal/cpe © 2022 John Wiley & Sons, Ltd. 1 of 17
https://doi.org/10.1002/cpe.6822

In this article, we summarize studies relevant to IDS for IoT security problems, concentrating on future suggestions and assistance
for IoT cybersecurity issues. Creating an IDS for the IoT context poses major security issues. The paper is structured as follows:
Section 2 summarizes the literature and related work. Section 3 states the motivation for the research. Section 4 describes the
research methodology. Section 5 describes research performed in recent years. Existing IDS and presentation challenges are presented in Section 6.
Future research directions are given in Section 7. Finally, Section 8 concludes the paper.

2 BACKGROUND

Because of its dispersed and open character, cloud computing is a new technology in the IT industry. Because of its encouraging characteristics, such
as wide availability of resources in the form of services, cost efficiency, dynamicity, and so forth, most business and IT organizations are adopting
the cloud paradigm by moving their systems onto cloud networks.24,25 Network access to a shared pool of customizable computer resources like
servers, networks, applications, storage, and services is provided on demand in a cloud computing environment. These flaws in the cloud computing
environment attract attackers, making cloud security a critical problem to consider.26 IDSs built for IoT settings are critical for mitigating IoT-related
security threats that make use of some of these security flaws.27 Conventional IDSs may not be a solution for IoT settings because of the restricted
computation and storage potentials of IoT devices and the unique protocols employed.28,29 Organizations must use firewalls, ID and prevention
measures, encryption, authentication, and other sophisticated software and hardware security to safeguard the stored data. Attackers are looking
for security flaws to exploit. In order to provide privacy and security in the cloud environment, enterprises use ID and prevention systems (IDPS).30,31
The following is a list of systematic review articles on network ID (NID) published in recent years. This work aims to find gaps and shortcomings,
recognizing which existing gaps can be filled. The articles found, their motivation, and their final findings are summarized in Table 1.
Previous research endeavors provided first reviews on IDS, which are summarized in Table 1. Although all of these articles are written systematically
and provide useful information, none of them has examined and analyzed IDS with a view to “learning based”, “rule based”, and “pattern based”.
Therefore, this study aims to perform such a classification in IDS by providing a comprehensive review. Additionally, none of the literature evaluations
include a database, unlike our study, which includes papers dating from the beginning of the literature until July 2021. The questions that will
be answered in this study are as follows:
Q1: What is the year-by-year distribution of the experiments?
Section 4 will answer this question.
Q2: Which data collection is the most popular among investigators?
Section 5 has the explanation.
Q3: What problems and difficulties do you face while creating IDS?
Section 7 addresses these issues.

3 RESEARCH MOTIVATION

Anomaly detection systems are studied or investigated in many issue domains. However, they have not been extensively examined in the cloud
environment. Since it poses problems, the anomaly detection approach in cloud-based computing is currently under consideration and evolving. This
tendency will keep developing, and ongoing review of IDS execution at each service tier and benchmarking between systems will be critical to the
machines’ and owners’ safety. This article aims to draw the attention of well-known academics to potential solutions for creating IDSs by bringing
together the most current diverse research efforts to shed light on protecting the recently ubiquitous cloud services and resources. It also defines
ideal IDS demands for cloud computing and discusses practical consequences. This study also aims to emphasize the contributions and limits of the
current state-of-the-art in ID for IoT and assist the investigators in moving forward by suggesting important research paths. These goals aid IoT
security professionals by bringing disparate research efforts together, comparing them, and consolidating them.

4 DATA STATISTICS AND RESEARCH METHODOLOGY

Literature reviews aim to provide a systematic assessment of the literature environment in order to detect research gaps and knowledge
limitations.43 The main benefit of the current investigation is the use of a systematic research method44 for collecting research papers and
analyzing and reviewing existing research. The aim of using a systematic research method to conduct review research is to provide a comprehensive,
complete, and fair review that can: (1) gather and review all existing research in a field; (2) examine all available sources that contain information
about the issue under study; (3) avoid studying a research project, intentionally or unintentionally, in a way that directs the research findings
towards a specific goal. Several valid systematic research methods have been introduced, which researchers have widely used in various fields.44

TABLE 1 Features of review articles

Article: Ahmadian Ramaki, et al.32
Publisher: WILEY
Motivation: A thorough examination of ID approaches based on hidden Markov models and a discussion of the domain’s major issues and unsolved issues
Findings: The findings revealed that hidden Markov models-based ID methods had six major benefits:
1. Detection of new and unexpected incursions
2. Precise ID
3. Predicting the intruder’s possible next moves
4. Utilization of heterogeneous data sources as input
5. Utilization in real-time applications by processing data streams on-the-fly, and
6. Visual representation of gained information in comparison to other machine learning (ML) approaches
Limitations: Has no suggestions for future work

Article: Öney and Peker33
Publisher: IEEE
Motivation: Investigating research on the use of artificial neural network (ANN) methods in NID to find out what the main trends are
Findings:
1. Based on the increasing publication rates lately and the promising findings of ANN methods in NID, research in this subject will grow considerably in the future
2. Deep NN and variations were the most current and widely utilized ANNs in the NID System (NIDS) area
3. The findings revealed that the KDD’99 dataset is the most widely utilized in investigations of NID employing ANNs. This dataset and the NSL-KDD datasets are becoming more popular
Limitations: Does not have a separate section for future work

Article: Gonçalves et al.18
Publisher: IEEE
Motivation: Presenting an extensive systematic literature review (SLR) on the usage of intelligent IDS in vehicular ad hoc network (VANET)
Findings: The research was evaluated, and it was discovered that most of them did not properly disclose how their datasets and assaults were produced. None made their datasets accessible for peer assessment on the Internet. Some make utilization of well-known, publicly available datasets, like the Kyoto dataset and the NSL-KDD. These, on the other hand, are not collected through VANETs and may distort the ultimate findings
Limitations: Does not have a separate section for future work

Article: Ganeshan and Daniya34
Publisher: IOP
Motivation: Examining diverse anomaly-based IDSs utilized to provide cyber security by classifying them based on a variety of variables and assessing them in terms of datasets employed, accuracy attained, assessment metrics, and deployment tools
Findings: It is possible that several experiments used MATLAB and the KDD CUP99 dataset to construct the intrusion detection method
Limitations:
1. The method is not clearly stated
2. Does not have a separate section for future work

Article: Mishra and Pandya35
Publisher: IEEE
Motivation: Reviewing a multi-layered assessment of several security concerns existing in IoT layers: support layer, network layer, perception layer, and application layer, with a special emphasis on Distributed Denial of Service (DDoS) threats
Findings:
1. Addressing various forms of DDoS assaults, DDoS attack effects, DDoS attacks in IoT devices, and mitigation methods
2. Comparing and contrasting ID and prevention models for preventing DDoS assaults, with an emphasis on ID models
3. Addressing IDS categorization, numerous IDS models based on datasets, diverse anomaly detection approaches, multiple ML and DL approaches for data pre-processing and malware detection
4. Talking about research issues, suggested solutions, and future aspirations
Limitations: No categories suggested for studies
Article: Salo et al.36
Publisher: IEEE
Motivation: In the realm of IDS, doing an SLR to examine Data Mining (DM) methods. Their inspiration stemmed from pertinent experimental research published in journals and conferences during the period in question
Findings:
1. BN, DT, support vector machines (SVM), and ANN are the most widely utilized DM methods in IDSs
2. Counting the several sorts of attacks that IDSs are meant to protect against, such as DoS, User to Root (U2R), Remote to Local (R2L), and Probe
3. There is a scarcity of study on real-time IDS
4. Finding 25 public and private datasets that are utilized in IDS
5. Summarizing the strengths and weaknesses of the utilized DM techniques
Limitations: Does not have a separate section for future work

Article: Sangher and Singh37
Publisher: IEEE
Motivation: A comprehensive literature review is conducted to compare the most recent IDS, and a system is suggested based on the findings that include a peer-to-peer layout system and the utilization of web robots to detect the attack and log it in a format that will be beneficial for forensic exploration and analysis work
Findings: In cyber-attacks and forensics, DL-based techniques decrease the constraints of massive data processing while simultaneously providing findings with sophisticated analytical skills
Limitations: The method is not clearly stated

Article: Salo et al.38
Publisher: ARXIV
Motivation: From 2013 to 2018, performing an SLR of DM methods utilized in IDS-based solutions
Findings:
1. The most commonly used DM techniques with big data in IDS are: DT, BN, k-Means, ANN, and SVM
2. Hadoop was the most popular DSF with a frequency of 12 experiments
3. Enumerating the evaluation metrics in terms of efficiency and performance
4. Most of the experiments have classified attacks as either normal or malicious
Limitations: Has not raised open issues for future researchers

Article: Kaur and Pateriya39
Publisher: ACADEMIA
Motivation: Surveying the different existing mobile IDS and their advantages and limitations
Findings: Currently available IDS are not able to provide detection over a wide range. They need devices that can detect patterns over a larger area and control malware or data-related attacks
Limitations: The method is not clearly stated

Article: Idrissi et al.40
Publisher: IEEE
Motivation: The research concentrates on the current status of IoT security risks and vulnerabilities by classifying some well-known security concerns using Cisco’s IoT reference model framework
Findings: IoT security has received a lot of attention lately. Deep Learning (DL) has been used in a variety of academic disciplines, like cybersecurity and IDS, where cybersecurity has yielded some promising outcomes, opening the way for more robust security in IoT contexts. However, most of these studies are either theoretical or merely dataset benchmarking utilizing DL methods at this time. Developing a genuine IDS for IoT is a long process; to that purpose, investigators must integrate their models into actual IDS systems and test them with real network traffic
Limitations: Does not have a separate section for future work

Article: Aludhilu and Puente41
Publisher: UCI
Motivation: A review of the benefits and drawbacks of several ID methods, including statistical anomaly, pattern matching, DM, and ML
Findings: ML is the best option for developing IDS solutions due to its capacity to function as an automated procedure that requires little human interaction. Recurrent neural networks are the ideal approach for implementing this type of system
Limitations: Does not have a separate section for future work

Article: Ferdiana42
Publisher: IEEE
Motivation: Analysis and identification of research trends in methodologies, datasets, and approaches utilized on IDS subjects from January 2016 to May 2020
Findings: Clustering, estimate, categorization, prediction, association, statistic, and dataset analysis are the seven approaches that research in the IDS area presently focuses on, according to a study of chosen main papers
Limitations: Has not raised open issues for future researchers

In the current research, we have systematically reviewed the ongoing research in the relevant field with keywords such as: “Intrusion Detection
System in the Cloud,” “Intrusion Detection Methods,” “Evaluation Criteria of Intrusion Detection Systems”, “Intrusion Detection AND IoT” AND
“Intrusion Detection in cloud” OR “Intrusion Detection AND learning based” OR “Intrusion Detection AND pattern based” OR “Intrusion Detection
AND rule based” in sources such as: Scopus, Google Scholar, Science Direct, and so forth.
In the research process, the resources in English are reviewed. However, most of the researched sources are valid articles. To determine whether
the articles obtained contain relevant information, their titles and abstracts are studied. Finally, our findings based on existing research in this field
are shown in Table 1. We applied the criterion “IoT AND Intrusion Detection” and received about 25,000 document results, indicating a significant
amount of interest among scientists in the subject of IoT security. Figure 1 shows all of this research by year of publication. As can be seen from the
chart, the number of studies conducted on IoT intrusion detection systems has increased nearly a thousand fold in the last 10 years.
The studies have been published in many articles. The number of these articles in the most prestigious journals during the last 10 years is
shown separately by journal in the following diagram. According to the chart in Figure 1, 7500 articles related to the subject
were published in various publications in 2020. The reason for the curvature of the bottom of the chart is that we are still in early 2021, and we will
definitely see a reversal by the end of the year.
Figure 2 clearly illustrates the frequency of research conducted in recent years in terms of article publication. The diagram in Figure 2 shows
that IEEE publications had the largest number of articles related to the topic under discussion last year, 2020, followed by Springer in second
place and Elsevier in third. The following diagram illustrates this fact more clearly.
Much information can be deduced from Figure 3. Citeseer publishing has not published an article on this subject in the last 5 years. Of the
total of 7500 articles found in 2020 (seen in the figure above), IEEE publications account for approximately
21.46% of the articles published in that year. These calculations can also be performed for other publications in different years. At a glance, the
diagram in Figure 4 illustrates the articles published so far in a more general and non-year-by-year manner.
FIGURE 1 Distribution of IDS architectures based on years

FIGURE 2 Distribution of publications per year

FIGURE 3 Distribution of publications per year

FIGURE 4 Distribution of publication

Therefore, half of the existing articles belong to the mentioned publications, and the other half belong to other publications. The IEEE has
the largest number of articles, with 25% of all articles published. This study intends to focus on the latest work done and includes newer and more
up-to-date studies in our review. The articles in reputable magazines are critical if the aim is to review 25 articles. If a particular topic has not been
studied recently, articles with high citations will be acceptable for review. According to Figure 4, for example, if 15% of all articles belong to Springer,
Springer should account for 15% of the selected articles. For instance, if the selected articles are 25, 3.75 of the selected articles are included. This number is
calculated for other publications as follows: Since we do not want to select articles from other publications, we multiply the answers by 2. Results
are rounded so that the number of articles from each journal is a whole number.
IEEE → 5.5 * 2 = 11.
SPRINGER → 3.75 * 2 = 7.5 ≅ 7.
ELSEVIER → 2 * 2 = 4.
ACM → 0.25 * 2 = 0.5 ≅ 0.
WILEY → 0.5 * 2 = 1.
IGI → 0.25 * 2 = 0.5 ≅ 0.
SAGE → 0.25 * 2 = 0.5 ≅ 0.
EMERALD → 0.
CITESEER → 0.

Finally, 11 articles from IEEE Publications, seven from Springer Publications, four from Elsevier Publications, and one from Wiley’s recent
publications will be selected for review. Table 2 illustrates these articles. As a result, we created a one-of-a-kind IoT IDS taxonomy that explains IoT IDS
approaches, their benefits and drawbacks, IoT attacks that target IoT communication systems, and the associated sophisticated IDS and detection
capabilities to identify IoT assaults. Finally, 27 articles are obtained and analyzed, which are divided into three sections:

1. Learning-based mechanisms;
2. Pattern-based mechanisms;
3. Rule-based mechanisms.

5 INTRUSION DETECTION SYSTEMS

The ultimate aim of the designed schemes is still to consume less while having broad coverage and broader applicability, to ensure effective safety
control and IDS. The classification of the IDS approaches has mainly been considered in three subcategories: computation-based approach, artificial
intelligence, and biological concepts. However, it is hard to see all the properties of detection approaches through this classification.45 This
section aims to understand the trend of IDS on the cloud by examining all 23 selected articles. These articles have been divided into three categories:
rule-based, learning-based, and pattern-based mechanisms. Furthermore, the differences, pros, and cons of these methods have been discussed and
described.

TABLE 2 Features of selected articles

Categories      Studies  Year  Publisher
Learning-based  45       2018  ELSEVIER
                46       2019  IEEE
                47       2020  IEEE
                48       2017  IEEE
                49       2019  WILEY
                50       2020  SPRINGER
                51       2019  IEEE
                52       2019  IEEE
                53       2017  IEEE
Pattern-based   54       2017  IEEE
                55       2017  IEEE
                56       2020  ELSEVIER
                57       2020  SPRINGER
                58       2019  SPRINGER
                59       2016  IEEE
                60       2019  SPRINGER
Rule-based      61       2020  SPRINGER
                62       2018  ELSEVIER
                63       2021  ELSEVIER
                64       2021  SPRINGER
                65       2018  IEEE
                66       2019  IEEE
                67       2021  SPRINGER

5.1 Learning-based mechanisms

Artificial learning methods combine learning models with learning capabilities in the IDS procedure.46 Recently, learning methods
have been widely applied in anomaly ID, since self-learning methods can automatically build a model of the subjects’ normal behavior, in
either a supervised or an unsupervised manner.47 Also, an ML algorithm is useful for building the ID model automatically from training
data, which saves the human labor of marking the signatures of intrusions or determining the normal behavior of a sensor node.48 Supervised
anomaly ID creates the standard profiles of networks by training on labeled data sets. Unsupervised IDS, however, helps to spot attacks
without any previous information about them or normal examples.45 Confirmed values or the normal behavior of the data are retained; in case an
anomaly is spotted, the ML method learns its behavior and keeps the new order/rule.49 This method provides a mechanism for improving performance by
learning from prior outcomes.50
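The supervised/unsupervised distinction drawn above can be seen on a small constructed data set. This is an added example, not code from the article or from any of the surveyed papers; the flow features (packets per second, mean packet size), the sample values, and the class names `SupervisedProfiles` and `UnsupervisedBaseline` are assumptions made for illustration.

```python
"""Supervised vs. unsupervised anomaly detection on constructed IoT flow features.

Each record is (packets_per_second, mean_packet_bytes). All values are
constructed for illustration and are not taken from any surveyed dataset.
"""
import math
import statistics

# Constructed capture of ordinary sensor traffic (no labels needed).
UNLABELED_BASELINE = [(4, 96), (5, 100), (6, 104), (5, 98),
                      (4, 102), (6, 100), (5, 108), (5, 92)]

# Constructed labeled set: the same flows marked normal, plus flood examples.
LABELED = [(f, "normal") for f in UNLABELED_BASELINE] + [
    ((900, 80), "flood"), ((950, 78), "flood"), ((870, 82), "flood"),
]


class SupervisedProfiles:
    """Learns one profile (centroid) per label and predicts the nearest one."""

    def fit(self, labeled):
        groups = {}
        for features, label in labeled:
            groups.setdefault(label, []).append(features)
        self.centroids = {
            label: tuple(statistics.fmean(col) for col in zip(*rows))
            for label, rows in groups.items()
        }
        return self

    def predict(self, features):
        return min(self.centroids,
                   key=lambda label: math.dist(features, self.centroids[label]))


class UnsupervisedBaseline:
    """Learns a robust baseline (median, MAD) from unlabeled traffic only."""

    def __init__(self, threshold=3.5):
        self.threshold = threshold  # common cut-off for the modified z-score

    def fit(self, unlabeled):
        self.profile = []
        for col in zip(*unlabeled):
            med = statistics.median(col)
            mad = statistics.median(abs(x - med) for x in col)
            # 1.4826 * MAD estimates the standard deviation of normal data;
            # the floor avoids division by zero on constant features.
            self.profile.append((med, max(1.4826 * mad, 1e-9)))
        return self

    def score(self, features):
        return max(abs(x - med) / scale
                   for x, (med, scale) in zip(features, self.profile))

    def is_anomalous(self, features):
        return self.score(features) > self.threshold


# Constructed test flows: the last one is an attack type absent from LABELED.
TEST_FLOWS = {
    "regular telemetry": (5, 101),
    "flood seen in training": (920, 79),
    "unseen bulk transfer": (6, 1400),
}


def evaluate():
    """Return {flow name: (supervised label, unsupervised anomaly flag)}."""
    supervised = SupervisedProfiles().fit(LABELED)
    unsupervised = UnsupervisedBaseline().fit(UNLABELED_BASELINE)
    return {name: (supervised.predict(f), unsupervised.is_anomalous(f))
            for name, f in TEST_FLOWS.items()}


if __name__ == "__main__":
    for name, (label, anomalous) in evaluate().items():
        print(f"{name:24} supervised={label:7} unsupervised_anomaly={anomalous}")
```

The supervised detector assigns the unseen bulk transfer to its nearest known profile, which is the normal one, while the unsupervised baseline flags it because it deviates from the learned normal behavior.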
Ma et al.47 presented a novel architecture for privacy-preserving multi-party DL in cloud computing, in which a huge amount of training
data is transferred among several parties. Based on ElGamal encryption, the Diffie-Hellman key exchange protocol, and aggregate
signature, Ma et al.47 presented a novel privacy-preserving collaborative deep training paradigm. Their solution allowed several parties to learn
the same NN model based on the aggregate dataset, while the local dataset and learning model were kept private from the cloud server. According
to a thorough examination, their systems meet the security criteria of verifiability and privacy. Their method also has a reasonable
computing efficiency and may be used in a variety of privacy-sensitive DL applications. Besides, to enhance the accuracy of the anomaly
detection system, Aljamal et al.51 suggested a network-based anomaly detection system at the cloud hypervisor level that uses a hybrid approach
combining the K-means clustering method with the SVM classification algorithm. The suggested technique and outcomes were
evaluated using data from the UNSW-NB15 research, which was compared to earlier investigations. Their suggested K-means clustering model has
somewhat better accuracy than others. Nevertheless, the accuracy that Aljamal et al.51 attained from the SVM model was less for supervised
methods.
Ravindranath et al.52 developed a new feature selection wrapper for NID in cloud computing scenarios that combines the whale swarm
optimizer with Pearson’s correlation approach. A wrapper-based feature selection technique was developed to prepare the model with relevant
characteristics. According to the findings, feature selection wrappers boosted the dataset’s relevance levels and enhanced model prediction
accuracy. Besides, in 100 iterations, the whale Pearson feature selection wrapper gave good outcomes comparable to the current binary whale simulated
annealing with a significantly shorter CPU time. The suggested swarm intelligence technique used a random initialization approach with mutation
for the correlation bias function. Additionally, Salman et al.53 looked at both identifying and classifying abnormalities, rather than only detecting
them, as was the case in most recent studies. Salman et al.53 built and tested learning models for detecting and classifying various assaults using a widely
available dataset. Salman et al.53 utilized linear regression and random forest as supervised ML approaches. Salman et al.53 demonstrated that the
classification might be less accurate even if detection is flawless due to attack similarity. The findings showed a detection accuracy of over 99% and
classification accuracy of 93.6%, with the inability to identify some assaults. In addition, Salman et al.53 claimed that the same ML approaches might
be used to categorize multicloud setups.
Otoum, Liu, and Nayak54 suggested a unique DL-based IDS for detecting serious abnormalities in ever-growing IoT-based networks. Their
suggested module combines the Spider Monkey Optimization method (SMO) with the stacked-deep polynomial network to gain maximum detection
accuracy. SMO chooses the best characteristics from the datasets, and a stacked-deep polynomial network categorizes the data as normal or
abnormal. U2R attack, DoS, probing attack, and R2L attack are examples of abnormalities identified by DL-IDS. According to the results, the suggested
DL-IDS performs better in terms of recall, precision, accuracy, and F-score. Besides, in Reference 55, research was conducted on anomaly-based IDS,
which is ideal for safeguarding IoT against DoS assaults. Random forests, gradient boosted machine, AdaBoost, classification and regression trees,
highly randomized trees, and multilayer perceptron were used to evaluate the performance of 7 ML categorization methods. Classifier performance
is evaluated using well-known metrics and validation techniques. Verma and Ranga55 also presented a way of determining the optimal classifier for
a given application. Based on the outcomes of the performance tests and statistical tests, it was determined that classification and regression trees
and the extreme gradient boosting classifier offer the best trade-off between prominent metrics and response time, making them both suitable for
developing IoT-specific anomaly-based IDS. The article’s major objectives were to encourage IoT security experts to build IDSs based on ensemble
learning and offer acceptable techniques for statistically evaluating classifier performance.
Ge et al.56 proposed a unique IDS for IoT networks that uses DL principles to classify traffic flow. Ge et al.56 used a recently released IoT dataset
to create generic characteristics from field data at the packet level. Ge et al.56 created a feed-forward neural network model for binary and multiclass
classification of DoS, reconnaissance, DDoS, and information theft attacks against IoT devices. The suggested layout’s assessment findings using
the processed dataset demonstrated that it has a high classification accuracy. In addition, Zhang, Li, and Wang57 introduced an intrusion detection
model based on the deep belief network (DBN) and improved genetic algorithm (GA). Faced with various forms of assaults, the ideal number of
hidden layers and neurons in each layer were adaptively produced by repeated iterations of the GA, resulting in an ID model based on the DBN with a
high detection rate and compact structure. Eventually, the NSL-KDD dataset was utilized to test the model and methods by simulating and evaluating
them. The empirical findings indicated that combining an enhanced intrusion detection model with DBN may successfully promote intrusion attack
identification rates while reducing the complexity of the neural network topology.

Loukas et al.58 proved the feasibility and advantages of offloading the persistent task of intrusion detection based on DL, utilizing a tiny
four-wheel robotic land vehicle as a case study. It employed real-time data from both cyber and physical processes as input, which it fed into a
neural network layout as time-series data. Loukas et al.58 utilized a recurrent neural network architecture and a deep multilayer perceptron. The
latter benefited from a hidden layer with a long short-term memory, which was particularly beneficial for understanding the temporal context of
various attacks. As instances of cyberattacks relevant to a robotic vehicle, Loukas et al.58 used denial of service, command injection, and malware.
Loukas et al.58 created a mathematical model to assess whether compute offloading was advantageous given characteristics linked to the network’s
operation and the DL model’s processing requirements, utilizing detection latency as the criterion. The more dependable the network and the larger
the processing needs, the higher the decrease in detection latency accomplished by offloading.
In this section, nine articles were reviewed. The advantages and disadvantages of each were examined. Some of these studies have used a
specific framework, method, or algorithm extracted from the articles, as illustrated in Table 3.

5.2 Pattern-based mechanism

Pattern-based IDSs are commonly used when the intrusion patterns are modeled, matched, and detected according to the packet header,
content, or both. The intrusion patterns could also be recognized in host-oriented IDSs through concatenating the words indicating the system calls in a
system audit trail. For example, this group uses more fuzzy systems.59 With the constant development of novel kinds and various types of intrusions,
the number of signatures continuously rises, making pattern matching more costly in terms of computational expense.45 The traffic flow in a network is tracked
separately (from the payload data in the flow). The traffic flow pattern is compared with a group of predetermined malicious traffic pattern
descriptions. An event is raised when a subgroup of the traffic patterns matches the predetermined malicious traffic descriptions.60
Huang et al.61 presented a visual sensor NID method. They offered an active learning strategy to cope with the challenge of large and unbalanced
training data and a traffic model for deriving useful characteristics that are fed into a hierarchical self-organizing map neural network to learn traffic
patterns and identify intrusions. Their learning approach effectively addresses the issue of class imbalance while also increasing the training pace

TA B L E 3 Some details of the reviewed in learning-based articles


Methodology/framework/
Article Advantages/disadvantages algorithm/dataset used

Ma et al.47 + Preserving data privacy + Ensuring Noise-adding, fully


privacy without compromising accuracy privacy-preserving multiparty
DL

Aljamal et al.51 + High accuracy - Not real time UNSW-NB15, K-means, SVM
52
Ravindranath et al. + Improving prediction accuracy - Model Pearson’s correlation, Whale
needs further performance improvement Pearson

Salman et al.53 + Accuracy in anomaly detection - Three of UNSW


the attacks were not categorized -
Categorization accuracy is comparatively
lower

Otoum, Liu, and Nayak54 + High accuracy + Better performance in KDD’99, NSL-KDD, DL-IDS
recall and F1-score - Limitation of
detection efficiency

Verma and Ranga55 + The best trade-off between prominent CIDDS 001, UNSWNB15,
metrics and response time - Only NSL-KDD
supervised learning-based ML classifiers
are used

Ge et al.56 + High classification accuracy - The BoT-IoT


classifier has a relatively low precision for
data exfiltration and keylogging attacks

Zhang, Li, and Wang57 + Reducing the complexity of the neural NSL-KDD
network structure + Improve the
recognition rate of intrusion attacks -
Training time is long

Loukas et al.58 + High accuracy ML, SVM


10 of 17 LUO ET AL.

of the self-organizing map. The suggested technique has a high detection accuracy and good real-time performance, according to empirical records.
Besides, when deciding if an attack exists in network traffic, Aparicio-Navarro et al.62 advised integrating high-level information about the monitored
network, such as the pattern-of-life and the network administrator's prior knowledge. Aparicio-Navarro et al.62 offered two new methods in addition to
the one already given in Reference 63, which combined a fuzzy cognitive map (FCM) with an IDS to incorporate contextual information into the detection
procedure. The data was collected over 9 days from a real local area network at a research office, including regular traffic and traces of port scanning
attacks. The findings show that incorporating the FCM into the IDS improves its efficacy. In addition, the outcomes demonstrate that changing the basic
probability assignments (BPA) prior to data fusion allows for the most effective utilization of pattern-of-life in the detection procedure. Their goal
was to figure out how to utilize an FCM in combination with an IDS in the most efficient way possible.
Liu et al.64 introduced an ANID (adaptive NID) technique that combines fuzzy rough set feature selection with greedy algorithm-based global
optimum GMM-based pattern learning (GA-GOGM). Based on the fuzzy rough set theory, fuzzy rough set feature selection finds the best feature subset by
assessing the information gain rate of each potentially sensitive characteristic. GA-GOGM can calculate the clusters automatically using an
incremental learning technique, avoiding the detrimental impact of the initial cluster centers. Both are applied in order to achieve the automated
extraction of the best pattern features from both normal and attack network connection instances for pattern-matching-based NID. Concurrently,
with the online NID findings, an online pattern updating approach was proposed to update the learned normal and attack pattern libraries
by mining the frequent patterns and rejecting outdated patterns. With low false alarm and missed reporting rates, the suggested NID model
can respond to the dynamic changes in the network architecture and attain high NID accuracies on both known and unknown threats. The
usefulness and uniqueness of the suggested ANID technique were demonstrated by extensive validation and comparison analysis outcomes on the
benchmark dataset NSL-KDD and a self-built nidsbench-based network simulation system. In terms of physical simulation, tests can
accomplish high detection accuracy on actual network environments with few false alarms, which can be used extensively for real-world cybersecurity
monitoring.
In Reference 65, the researchers investigated intrusion detection and performance simulation based on an enhanced sequential pattern mining
technique. Wang et al.65 used DM methods to create the IDS; the simulation findings demonstrate the method's efficacy. Whenever the minimum
support was extremely small, the simulation revealed that PrefixSpan took a lot less time to execute than the other approach, and the difference
between the two was clear. Because the IDS mining method is relatively independent of specific data and systems, the DM-based IDS places very
low requirements on the data source. Rao and Raju66 also attempted to match the pattern by parallelizing a matching algorithm utilizing MapReduce on
a graphics processing unit. Rao and Raju66 used the MapReduce platform to parallelize a pattern-matching approach. The early result of the
suggested approach was a decrease in searching time due to the use of the GPU. To look for signatures in the content file, the well-known two-way
two-window pattern matching was used. While testing the enormous quantity of data, a massive difference between CPU and GPU timings was
noted. The GPU was used in the MapReduce process to reach the next degree of parallelism.
The goal of Reference 67 was to look at the accuracy and speed of a payload-based network IDS that used a pattern-recognition processor
and a unigram feature extraction method. The findings of Reference 67 revealed that employing pattern recognition processors for NIDS offered
performance benefits in terms of speed. Irrespective of the size of the training data set, the pattern recognition engine demonstrated that detection
could be completed in a short amount of time. Furthermore, the findings revealed that payload-based IDS utilizing parallel-based pattern recognition
processors performs better than sequential-based CPU processors in terms of processing performance.
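
The unigram payload features described above can be sketched in software as follows. This is an added example, not code from Reference 67 or from this review: the nearest-prototype matching with Manhattan distance, the reject threshold, the class names and the sample payloads are all assumptions chosen for illustration.

```python
from collections import Counter


def unigram_features(payload: bytes) -> list:
    """Return the 256-bin relative byte-frequency vector (1-gram histogram)."""
    if not payload:
        return [0.0] * 256
    counts = Counter(payload)
    total = len(payload)
    return [counts.get(value, 0) / total for value in range(256)]


def l1_distance(a, b) -> float:
    """Manhattan distance: 0.0 for identical histograms, 2.0 for disjoint ones."""
    return sum(abs(x - y) for x, y in zip(a, b))


class UnigramMatcher:
    """Nearest-prototype classifier over unigram vectors with a reject option.

    Hypothetical software stand-in for a pattern-matching engine; the
    distance metric and the threshold are assumptions.
    """

    def __init__(self, reject_distance: float = 1.0):
        self.reject_distance = reject_distance
        self.prototypes = []  # list of (label, feature_vector)

    def train(self, label: str, payload: bytes) -> None:
        self.prototypes.append((label, unigram_features(payload)))

    def classify(self, payload: bytes):
        """Return (label, distance); 'unknown' when nothing stored is close."""
        if not self.prototypes:
            raise ValueError("no prototypes stored")
        if not payload:
            # An empty payload has no byte distribution to compare.
            return "unknown", float("inf")
        vector = unigram_features(payload)
        label, distance = min(
            ((lab, l1_distance(vector, proto)) for lab, proto in self.prototypes),
            key=lambda pair: pair[1],
        )
        if distance > self.reject_distance:
            return "unknown", distance
        return label, distance


# Constructed training payloads (not taken from any dataset).
BENIGN_PAYLOADS = [
    b"GET /index.html HTTP/1.1\r\nHost: example.test\r\nAccept: text/html\r\n\r\n",
    b"POST /login HTTP/1.1\r\nHost: example.test\r\nContent-Length: 27\r\n\r\n"
    b"user=alice&lang=en&page=home",
]
# Binary-heavy content where a text protocol is expected (constructed).
SUSPICIOUS_PAYLOADS = [bytes(range(128, 256)) * 2]


def build_matcher() -> UnigramMatcher:
    matcher = UnigramMatcher(reject_distance=1.0)
    for payload in BENIGN_PAYLOADS:
        matcher.train("benign", payload)
    for payload in SUSPICIOUS_PAYLOADS:
        matcher.train("suspicious", payload)
    return matcher


if __name__ == "__main__":
    matcher = build_matcher()
    samples = [
        b"GET /about.html HTTP/1.1\r\nHost: example.test\r\nAccept: text/html\r\n\r\n",
        bytes(range(128, 256)) + b"\x00" * 16,
        b"0123456789" * 8,
    ]
    for sample in samples:
        label, distance = matcher.classify(sample)
        print(f"{label:10s} distance={distance:.3f} length={len(sample)}")
    # Unigram features ignore byte order: a reversed payload has the same
    # histogram, so the detector cannot tell the two apart.
    original = BENIGN_PAYLOADS[0]
    print(l1_distance(unigram_features(original), unigram_features(original[::-1])))
```

Classification cost here grows with the number of stored prototypes, which is the sequential behaviour that the parallel pattern-recognition hardware discussed above is meant to avoid.
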
The IDS system now in operation has one rule set with numerous attack patterns recorded in multiple databases. The entire network traffic is
promptly compared against this in order to avoid any additional unlawful or unauthorized actions. So, in Reference 68, an IDS based on a
structure-optimized multilayer ANN was proposed for the cloud. The GSO-TS, a hybrid glow swarm optimization-tabu search, was utilized
for structure optimization, reducing convergence time, and overcoming traditional issues, such as entrapment in local optima and premature
convergence. The results showed that the ANN with one hidden layer had a lower average detection rate by about 0.39% compared with the ANN with
two hidden layers and further by about 0.73% compared with the ANN with three hidden layers. The GSO-Tabu-ANN with one hidden layer had a lower
average detection rate by about 0.65% compared with the GSO-Tabu-ANN with two hidden layers and then by 0.22% compared with the GSO-Tabu-ANN with
three hidden layers.
The articles reviewed provided methods based on the model. These papers use algorithms, frameworks, and methods for an efficient IDS. These
factors are listed in Table 4, along with some advantages and disadvantages.

TABLE 4 Some details of the reviewed pattern-based articles

| Article | Advantages/disadvantages | Methodology/framework/algorithm used |
|---|---|---|
| Huang et al.61 | + High detection accuracy; + Good real-time performance; + This learning method can fairly well address the class imbalance problem; - Learning speed is low | N-gram, active subset selection (ASS) |
| Aparicio-Navarro et al.62 | + Reducing the total number of false alarms; - Multistage attack detection capabilities are low; - Not very efficient in practice | Basic probability assignment (BPA) |
| Liu et al.64 | + Improvement in detection accuracies; + Low false alarms; - Its function in the actual distributed physical network is unclear | ANID |
| Wang et al.65 | + Result reflects the effectiveness of the methodology; + Runtime is much shorter than other algorithms | C-average |
| Rao and Raju66 | + High speed; + Reduction of searching time; + Conducting the experiments on real-world data set | MapReduce |
| Iqbal and Calix67 | - Only evaluated up to 4096 training samples in the hardware | CogniBlox modules |
| Manickam and Rajagopalan68 | + Structure optimization; + Better performance | GSO-ANN, GSO, NN, hybrid GSO-TS |

5.3 Rule-based mechanisms

This kind of anomaly detection has also been proposed to detect deviations in application usage recorded in audit trails. It uses sets of rules,
rather than statistical formulas, to represent and store the usage patterns in audit data.69 Rule-based IDS is one of
the primary techniques for misuse detection. These mechanisms encode intrusive scenarios as a set of rules that are matched against the audit
or network traffic data.45
Kumar et al.70 suggested a unique misuse-based IDS to identify five traffic classes in a network (DoS, Exploit, Generic, Probe, and Normal) and
tested its effectiveness on both conventional offline data and online real-time data. In contrast to other current techniques, the suggested model's
performance using UNSW-NB15 (benchmark data set) and real-time data set (RTNITP18) revealed better accuracy, mean F-measure, attack
detection rate, attack accuracy, average accuracy, and false alarm rate. The suggested IDS model operates as a watchdog in the network, detecting
various sorts of threats. Besides, Papamartzivanos, Mármol, and Kambourakis71 introduced Dendron, a unique approach for developing decision
tree classifiers utilizing GA in the context of misuse detection systems, intending to produce detection rules. Their approach included
linguistically interpretable rules in an attempt to improve security managers' productivity and make their tasks easier. Furthermore, their technique
addresses a number of problems posed by the nature of network traffic and counteracts the propensity of ML algorithms to mainly ignore minority
attack types. The suggested technique was tested on three ID datasets: NSL-KDD, KDDCup'99, and UNSW-NB15; it outperformed the competition
in terms of average metrics AvgAcc, MFM, and AttAcc.
Haugerud, Tran, Aitsaadi, and Yazidi72 developed a novel architecture for a parallel NIDS based on network rule distribution and function
virtualization. The IDS functionalities were virtualized utilizing Open vSwitch and Docker containers running Snort, resulting in elasticity and flexibility
in the face of changing network traffic. In order to accomplish intelligent rule ordering, Haugerud et al.72 presented two adaptive algorithms that
dynamically alter and distribute the signature rules equitably among NIDS nodes utilizing a node-level parallelism approach. Their ideas were put to
the test in real-world scenarios by building a working prototype that used a variety of current networking technologies. The prototype demonstrated
a network function virtualization of IDS that used Open vSwitch and Docker containers running Snort to offer an elastic system. The threshold was
established to be at a total CPU load of roughly 50% in the prototype trials.
In Reference 73, the security log rule base is important for security managers to perform vulnerability detection and intrusion detection. A
technique based on an adaptive-miner algorithm is provided to create a rule base for cyber intrusion detection. Analysis of multisource heterogeneous
logs yielded effective security rules. Their technique was built on an Apache Spark cluster and provided a distributed association rule mining
model based on MapReduce computation to speed up the algorithm. A series of simulated attack tests was used to assess the
suggested technique. According to the findings, the technique calculates quicker than the conventional Apriori algorithm and two additional parallel
association rule mining algorithms. In addition, real-time intrusion detection was conducted. The studies revealed that the suggested technique
outperformed other techniques in terms of recall, accuracy, and f-measure.
Riyaz and Ganapathy74 suggested a novel fuzzy rule and information gain ratio-based feature selection technique for choosing the highest
number of characteristics that were utilized to categorize the records as attacks and normal, as opposed to unsupervised and supervised
learning models. Furthermore, established classifiers such as SVM and least square support vector machine were employed for successful classification.
The NSLKDD dataset was utilized to perform various experiments in order to evaluate the suggested method. The results of their study demonstrated
that the suggested approach outperforms current feature selection algorithms for classification. In addition,
Kshirsagar and Shaikh75 proposed an intrusion detection method combining data preparation, feature selection, and rule-based classifiers. The
feature selection was made utilizing a ranker and information gain. The technique was developed and tested using rule-based classifiers
on the dataset of the GoldenEye tool in CICIDS2018. The study of rule-based classifiers was completed, and their performance was compared.
In Reference 76, 12 rule-based classifiers were evaluated in a high-class imbalance scenario to determine the best classifier that could be used
as the IDS's base learner. Three class imbalance intrusion datasets were evaluated to generate a class imbalance scenario. Classification
accuracy, receiver operating characteristic value, and false alarm rate were utilized to evaluate the classifier's performance. The top classifier for the
ISCXIDS2012 and NSL-KDD datasets was the projective adaptive resonance theory classifier. In the CICIDS2017 dataset, a decision table with
naïve Bayes hybrid outperformed other classifiers. The research findings were utilized to create an ID architecture for the CICIDS2017 dataset using
a naïve Bayes and decision table hybrid.
In this section, seven articles were selected and reviewed from recent studies. The datasets in which these studies tested their methods are
extracted. Also, some of the advantages and disadvantages of these methods are stated; the results are illustrated in Table 5.

TABLE 5 Some details of the reviewed rule-based articles

| Article | Advantages/disadvantages | Datasets used |
|---|---|---|
| Kumar et al.70 | + Higher accuracy; + Higher attack detection rate; - Not able to detect any zero-day attacks; - Not able to categorize new unknown attacks; - Not able to detection rate on real-time data set | UNSW-NB15, RTNITP18 |
| Papamartzivanos et al.71 | + Attack detection accuracy; + Able to significantly detect rare intrusive incidents; + Able to outperform other modern and older approaches under various classification measures; - Some solutions cannot identify the problem of detecting rare intrusive events | NSL-KDD, UNSW-NB15, KDDCup'99 |
| Haugerud et al.72 | + Increasing the amount of virtual components that analyze network traffic to allow the system to scale; + Deploying virtual machines, software-defined networks, and containers in a variety of infrastructures; - Not yet efficient | Real-life |
| Lou et al.73 | + The suggested technique outperforms existing algorithms in terms of speed; + In terms of recall, accuracy, and f-measure, it outperforms the competition; - There is a latency in real-time ID | KDD'99 |
| Riyaz and Ganapathy74 | + The suggested technique outperforms other techniques in terms of decision-making; - Attack detection accuracy is not good for all attacks | NSLKDD |
| Kshirsagar and Shaikh75 | + The decision table performs better than other rule-based algorithms; - This method is only defined for DoS attacks | DoS-GoldenEye |
| Panigrahi, Borah, and Mishra76 | + The PART classifier emerged as the best classifier for NSL-KDD and ISCXIDS2012 datasets; - The proposed architecture has not been developed | NSL-KDD, ISCXIDS2012, CICIDS2017 |
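
Several of the reviewed works select features by information gain or information gain ratio (Liu et al.64, Riyaz and Ganapathy74, Kshirsagar and Shaikh75). The following added example, which is not code from any of those papers, computes both scores on a few constructed connection records that borrow NSL-KDD field names; the fuzzy and rough-set parts of the reviewed methods are not reproduced, and the function names are assumptions.

```python
import math
from collections import Counter, defaultdict


def entropy(values) -> float:
    """Shannon entropy in bits of a list of categorical values."""
    counts = Counter(values)
    total = len(values)
    return -sum((c / total) * math.log2(c / total) for c in counts.values())


def information_gain(records, feature, label="label") -> float:
    """H(label) - H(label | feature): how much the feature reduces uncertainty."""
    partitions = defaultdict(list)
    for record in records:
        partitions[record[feature]].append(record[label])
    conditional = sum(
        len(part) / len(records) * entropy(part) for part in partitions.values()
    )
    return entropy([r[label] for r in records]) - conditional


def gain_ratio(records, feature, label="label") -> float:
    """Information gain normalised by the entropy of the feature itself.

    The normalisation penalises features that split the data into many
    small groups. A constant feature has zero split information and
    carries no signal, so it scores 0.0 instead of dividing by zero.
    """
    split_info = entropy([r[feature] for r in records])
    if split_info == 0.0:
        return 0.0
    return information_gain(records, feature, label) / split_info


def rank_features(records, features, score=gain_ratio):
    """Order features from most to least useful under the given score."""
    return sorted(features, key=lambda f: score(records, f), reverse=True)


def select_top_k(records, features, k, score=gain_ratio):
    return rank_features(records, features, score)[:k]


# Constructed records; field names follow NSL-KDD, values are illustrative.
FIELDS = ("protocol_type", "service", "flag", "land", "label")
ROWS = [
    ("tcp", "http", "SF", 0, "normal"),
    ("tcp", "http", "SF", 0, "normal"),
    ("tcp", "smtp", "SF", 0, "normal"),
    ("udp", "dns", "SF", 0, "normal"),
    ("tcp", "http", "S0", 0, "attack"),
    ("tcp", "private", "S0", 0, "attack"),
    ("tcp", "private", "REJ", 0, "attack"),
    ("icmp", "ecr_i", "SF", 0, "attack"),
]
RECORDS = [dict(zip(FIELDS, row)) for row in ROWS]
FEATURES = ["protocol_type", "service", "flag", "land"]


if __name__ == "__main__":
    for name in FEATURES:
        print(
            f"{name:14s} gain={information_gain(RECORDS, name):.4f} "
            f"ratio={gain_ratio(RECORDS, name):.4f}"
        )
    print("by gain ratio:", rank_features(RECORDS, FEATURES))
    print("by raw gain:  ", rank_features(RECORDS, FEATURES, information_gain))
```

On these records `service` has the highest raw information gain because it takes five distinct values, while `flag` ranks first once the gain is divided by the split information.
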

6 DISCUSSION AND RESULTS

Twenty-three studies were examined and analyzed in three groups in this article. In the “learning-based” group, nine articles were reviewed, and
their methods were extracted. The same thing was done in each of the “pattern-based” and “rule-based” groups. The analysis of these studies
produced the following results:
The effectiveness of an IDS depends on the speed with which it can identify threats and the precision with which it detects them, and IDSs are
plagued by a high incidence of false alarms. So, our study focuses on integrating the extreme learning machine and GA to function as IDS with a high
rate of detection and accuracy. We propose dividing the training mode into virtual training and virtual testing to guarantee that the best classifier is
selected for the second challenge. Various techniques are used to create IDS. The IDS should, in theory, be able to identify various kinds of intrusion
(U2R, DoS, R2L, Probing, Web Attack, Heartbleed, and PortScan). Various ID methods have their own set of pros and cons. ML is a fully automated
procedure that requires little human interaction.

6.1 Challenges

Despite the fact that the cyber security research community has created numerous ID algorithms and distributed frameworks capable of defending
large-scale networks, cloud-specific issues remain.
The following are some of these issues:

1. There are no universally acknowledged criteria or measures for evaluating an IDPS, despite the various suggested methodologies, models,
and deployed systems. Although receiver operating characteristic (ROC) is extensively employed for accuracy evaluation, it is not a suitable
evaluation tool since the results are frequently inadequate and misleading.77,78
2. It is a big task to develop a self-adaptation capacity to optimize and drastically decrease operator involvement.79
3. Computational complexity rises with several stages of the design and execution of NIDS, such as model training and deployment, data
preparation and feature reduction, and especially, DL and ML-based NIDS.80,81 Designing an efficient NIDS and neural P systems with low computing
needs is thus another problem and future study topic.19,82
4. Intrusion detection for such paradigms is a difficult problem that has grown in importance as the number and variety of security threats to such
systems has increased dramatically. ID for IoT is a problem due to such systems’ specific features, such as battery life, bandwidth and processing
overheads, and network dynamics, which necessitates considering the trade-off between performance overhead and detection accuracy.83
5. Resource restrictions, experimental rigor, attack complexity, and the lack of relevant security data are among them.
6. The accuracy of DL modules is limited when dealing with unclear data. Nevertheless, in real-time situations, there are massive amounts of
unknown data.54
7. One of the most significant impediments to the widespread use of IDPS is the alarmingly high percentage of generated false alarms.78
8. IDSs must be more precise, capable of detecting a wide variety of intrusions with fewer false alarms.84 Most intrusion detection models have a
longer training period, which impacts the model’s performance to the point where total system performance needs to be sacrificed to minimize
training time. Due to the number of layers associated with DL models, it becomes a more important problem.35
9. The bulk of IDSs were trained and developed utilizing virtualized/benchmark datasets to identify attacks in an off-line state. Few people
have thought about IDSs in terms of online (real-time) detection. Given the exponential growth of network data each year, real-time network
monitoring remains a computational problem for researchers.36
10. Any IDS in this area has three key challenges: detecting novel attack patterns with high accuracy, improving the human-readability of detection
rules, and correctly classifying these attacks into the appropriate category.71
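
Challenges 1 and 7 can be made concrete with one well-known effect, the dependence of precision on the attack base rate. The following is an added example, not taken from References 77 or 78: the detector scores are constructed, and the function names are assumptions. It evaluates the same detector on balanced traffic and on traffic where attacks are about 1% of flows.

```python
def roc_auc(attack_scores, benign_scores) -> float:
    """Probability that a random attack outscores a random benign flow.

    Equivalent to the area under the ROC curve; ties count as half a win.
    """
    wins = 0.0
    for a in attack_scores:
        for b in benign_scores:
            if a > b:
                wins += 1.0
            elif a == b:
                wins += 0.5
    return wins / (len(attack_scores) * len(benign_scores))


def confusion_at(attack_scores, benign_scores, threshold):
    """Return (tp, fp, fn, tn) when every score >= threshold raises an alert."""
    tp = sum(score >= threshold for score in attack_scores)
    fp = sum(score >= threshold for score in benign_scores)
    return tp, fp, len(attack_scores) - tp, len(benign_scores) - fp


def evaluate(attack_scores, benign_scores, threshold) -> dict:
    """Summarise one operating point together with the threshold-free AUC."""
    tp, fp, fn, tn = confusion_at(attack_scores, benign_scores, threshold)
    alerts = tp + fp
    return {
        "auc": roc_auc(attack_scores, benign_scores),
        "tpr": tp / (tp + fn),                      # detection rate
        "fpr": fp / (fp + tn),                      # false alarm rate
        "precision": tp / alerts if alerts else 0.0,
        "false_alarms_per_detection": fp / tp if tp else float("inf"),
    }


# Constructed detector scores: higher means "more likely an attack".
ATTACK_SCORES = [0.95, 0.90, 0.85, 0.80, 0.70, 0.60, 0.55, 0.40, 0.35, 0.20]
BENIGN_SCORES = [0.65, 0.50, 0.45, 0.30, 0.25, 0.15, 0.10, 0.10, 0.05, 0.05]
THRESHOLD = 0.5


if __name__ == "__main__":
    scenarios = {
        "balanced (10 attack / 10 benign)": BENIGN_SCORES,
        # Same benign score distribution, 100 times more benign flows.
        "skewed (10 attack / 1000 benign)": BENIGN_SCORES * 100,
    }
    for name, benign in scenarios.items():
        result = evaluate(ATTACK_SCORES, benign, THRESHOLD)
        print(name)
        for key, value in result.items():
            print(f"  {key:28s} {value:.4f}")
```

The AUC, detection rate and false alarm rate are identical in both scenarios, yet in the skewed one only 7 of 207 alerts are real attacks, which is the workload an analyst actually sees.
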

7 FUTURE DIRECTIONS

Because IoT security solutions are still in their infancy, there is much room for further study in this field.

1. Future study should focus on reaching an agreement on the most appropriate placement technique and detecting mechanism. In future studies,
increasing threat detection diversity and addressing new IoT technologies should be priorities.9,85
2. Greater attempts should be made in the future to identify unknown and zero-day attacks in IoT networks and create IDSs that can automatically
update the list of potential threats as new ones emerge.86 To update their training model in real-time, in a streaming detection environment, IoT
NIDS must be familiar with ML and DL methods and big data methodologies.87,88
3. Some recent articles have advocated combining IDS with blockchain to improve the performance of anomaly detection in the IoT or wireless
sensor networks; however, there has yet to be any technical or theoretical study of blockchain's integration.89,90 As a result, further investigation is
required to solve this problem. Investigators can use the blockchain paradigm to build a new dynamic consensus protocol based on a collaborative
intrusion detection technique as a vision.91,92
4. The IDS design should take into account the security risks of IoT and edge computing supporting protocols and technologies.80,93
5. Highlighting theoretical and technical elements of performance evaluation and certain existing ML and DL approaches.94,95
6. The major objective is to develop an infrastructure for detecting intelligent attacks with intelligent systems.96 One of the main goals of this
project should be to create datasets large enough to allow for the effective training of ML algorithms. In addition, a detailed description of
how the dataset was generated, and of its attacks and standard messages, should be provided. It must also be made publicly accessible for peer
assessment.18

8 CONCLUSION

As the IoT becomes more popular, more data-sensitive initiatives will be implemented. As a result, its cloud security is a top focus. Many security
techniques are inappropriate owing to their resource-intensive nature. Therefore, second-line defenses in IoT networks are regarded as necessary.
This study lays forth a roadmap for future research in order to develop effective IoT intrusion detection. In this article, the latest work on
preventing intrusion in a cloud environment is systematically reviewed. In this study, the analyzed articles were classified into three groups. The
analysis results indicate that:

1. We believe that IoT IDS research is currently in its infancy and incipient stages. The works examined do not cover a wide range of IoT technologies
and are unable to identify a wide range of threats.
2. Since IDPS employs numerous ID and prevention methods, combining different IDPS technologies into a single protection solution significantly
decreases management costs; hence, when constructing a security strategy, it must be thorough to remain ahead of the next danger.
3. According to several recent papers, combining IDS with blockchain might improve the effectiveness of anomaly detection in an IoT environment
or wireless sensor network. This article provided an overview of the most recent related literature in the field of anomaly detection.
4. According to the report, many investigators use an anomaly-based detection technique to identify both known and undiscovered threats by
monitoring network traffic.

As a result, we think the study has outlined future research areas for efficient IoT intrusion detection. Non-English articles were also omitted
from this research.

CONFLICT OF INTEREST
The authors declare no conflict of interest.

DATA AVAILABILITY STATEMENT


All data are reported in the paper.

ORCID
Bayan Omar Mohammed https://orcid.org/0000-0001-7043-9287

REFERENCES
1. Arshad J, Azad MA, Amad R, Salah K, Alazab M, Iqbal R. A review of performance, energy and privacy of intrusion detection systems for IoT. Electronics.
2020;9(4):629.
2. Lv Z, Chen D, Lou R, Song H. Industrial security solution for virtual reality. IEEE Internet Things J. 2020;8(8):6273-6281.
3. Gubbi J, Buyya R, Marusic S, Palaniswami M. Internet of things (IoT): a vision, architectural elements, and future directions. Future Gener Comput Syst.
2013;29(7):1645-1660.
4. Singh D, Tripathi G, Jara AJ. A survey of Internet-of-Things: future vision, architecture, challenges and services. Proceedings of the 2014 IEEE world forum
on Internet of Things (WF-IoT); 2014:287-292; IEEE.
5. Lv Z, Lou R, Li J, Singh AK, Song H. Big data analytics for 6G-enabled massive Internet of Things. IEEE Internet Things J. 2021;8(7):5350-5359.
6. Lv Z, Qiao L, Song H. ACM transactions on multimedia computing. Commun Appl (TOMM). 2020;16(3s):1-16.
7. Ahadi A, Ghadimi N, Mirabbasi D. An analytical methodology for assessment of smart monitoring impact on future electric power distribution system
reliability. Complexity. 2015;21(1):99-113.
8. Chaabouni N, Mosbah M, Zemmari A, Sauvignac C, Faruki P. Network intrusion detection for IoT security based on learning techniques. IEEE Commun
Surv Tutor. 2019;21(3):2671-2701.
9. Santos L, Rabadao C, Gonçalves R. Intrusion detection systems in Internet of Things: a literature review. Proceedings of the 2018 13th Iberian Conference
on Information Systems and Technologies (CISTI); 2018:1-7; IEEE.
10. Lv Z, Qiao L, You I. 6G-enabled network in box for internet of connected vehicles. IEEE Trans Intell Transp Syst. 2020;22(8):5275–5282.
11. Gendreau AA, Moorman M. Survey of intrusion detection systems towards an end to end secure internet of things. Proceedings of the 2016 IEEE 4th
International Conference on Future Internet of Things and Cloud (FiCloud); 2016:84-90; IEEE.
12. Zanbouri K, Jafari Navimipour N. A cloud service composition method using a trust-based clustering algorithm and honeybee mating optimization
algorithm. Int J Commun Syst. 2020;33(5):e4259.
13. Singh S, Saxena K, Khan Z. Intrusion detection based on artificial intelligence techniques. Proceedings of the International Conference of Advance
Research and Innovation (Icari-2014); 2014.
14. Kene SG, Theng DP. A review on intrusion detection techniques for cloud computing and security challenges. Proceedings of the 2015 2nd International
Conference on Electronics and Communication Systems (ICECS); 2015:227-232; IEEE.
15. Souri A, Rahmani AM, Navimipour NJ, Rezaei R. A hybrid formal verification approach for QoS-aware multi-cloud service composition. Clust Comput.
2020;23(4):2453-2470.
16. Heidari A, Jabraeil Jamali MA, Jafari Navimipour N, Akbarpour S. Internet of things offloading: ongoing issues, opportunities, and future challenges. Int
J Commun Syst. 2020;33(14):e4474.
17. Chen X, Wang T, Ying R, Cao Z. A fault diagnosis method considering meteorological factors for transmission networks based on P systems. Entropy.
2021;23(8):1008.
18. Gonçalves F, Ribeiro B, Gama O, et al. A systematic review on intelligent intrusion detection systems for VANETs. Proceedings of the 2019 11th
International Congress on Ultra Modern Telecommunications and Control Systems and Workshops (ICUMT); 2019:1-10; IEEE.
19. Wang T, Wei X, Wang J, et al. A weighted corrective fuzzy reasoning spiking neural P system for fault diagnosis in power systems with variable topologies.
Eng Appl Artif Intel. 2020;92:103680.
20. Zouhair C, Abghour N, Moussaid K, El Omri A, Rida M. A review of intrusion detection systems in cloud computing. Secur Priv Smart Sens Netw.
2018;253-283.
21. Zhao C, Liu X, Zhong S, Shi K, Liao D, Zhong Q. Secure consensus of multi-agent systems with redundant signal and communication interference via
distributed dynamic event-triggered control. ISA Trans. 2021;112:89-98.
22. Azeez NA, Bada TM, Misra S, Adewumi A, Van der Vyver C, Ahuja R. Intrusion detection and prevention systems: an updated review. Data Manag
Anal Innovat. 2020;685-696.
23. Wang T, Liu W, Zhao J, Guo X, Terzija V. A rough set-based bio-inspired fault diagnosis method for electrical substations. Int J Electr Power Energy Syst.
2020;119:105961.
24. Rani M. A review of intrusion detection system in cloud computing. Proceedings of International Conference on Sustainable Computing in Science,
Technology and Management (SUSCOM); 2019; Amity University Rajasthan, Jaipur-India.
25. Krishnaraj N, Elhoseny M, Lydia EL, Shankar K, ALDabbas O. An efficient radix trie-based semantic visual indexing model for large-scale image retrieval
in cloud environment. Softw Pract Exper. 2021;51(3):489-502.
26. Tayyebi Y, Bhilare D. Cloud security through intrusion detection system (IDS): review of existing solutions. Int J Emerg Trends Technol Comput Sci.
2015;4(6):213-215.
27. Cai K, Chen H, Ai W, Miao X, Lin Q, Feng Q. Feedback convolutional network for intelligent data fusion based on near-infrared collaborative IoT
technology. IEEE Trans Ind Inform. 2021;18(2):1200–1209.
28. Elrawy MF, Awad AI, Hamed HF. Intrusion detection systems for IoT-based smart environments: a survey. J Cloud Comput. 2018;7(1):1-20.
29. Iwendi C, Maddikunta PKR, Gadekallu TR, Lakshmanna K, Bashir AK, Piran M. A metaheuristic optimization approach for energy efficiency in the IoT
networks. J Softw Pract Exper. 2020;51(12):2558–2571.
30. Raghav I, Chhikara S, Hasteer N. Intrusion detection and prevention in cloud environment: a systematic review. Int J Comput Appl. 2013;68:24-11.
31. Shen H, Zhang M, Wang H, Guo F, Susilo W. A cloud-aided privacy-preserving multi-dimensional data comparison protocol. Inf Sci. 2021;545:739-752.
32. Ahmadian Ramaki A, Rasoolzadegan A, Javan Jafari A. Statistical analysis and data mining: the ASA. Data Sci J. 2018;11(3):111-134.
33. Öney MU, Peker S. The use of artificial neural networks in network intrusion detection: a systematic review. Proceedings of the 2018 International
Conference on Artificial Intelligence and Data Processing (IDAP); 2018:1-6; IEEE.
34. Ganeshan R, Daniya T. A systematic review on anomaly based intrusion detection system. Proceedings of the IOP Conference Series: Materials Science
and Engineering, 2020:022010; IOP Publishing.
35. Mishra N, Pandya S. Internet of Things applications, security challenges, attacks, intrusion detection, and future visions: a systematic review. IEEE Access.
2021;9:59353–59377.
36. Salo F, Injadat M, Nassif AB, Shami A, Essex A. Data mining techniques in intrusion detection systems: a systematic literature review. IEEE Access.
2018;6:56046-56058.
37. Sangher KS, Singh A. A systematic review–intrusion detection algorithms optimisation for network forensic analysis and investigation. Proceedings of
the 2019 International Conference on Automation, Computational and Technology Management (ICACTM); 2019:132-136; IEEE.
38. Salo F, Injadat M, Nassif AB, Essex A. Data mining with big data in intrusion detection systems: a systematic literature review; 2020. arXiv preprint
arXiv:2005.12267.
39. Kaur B, Pateriya PK. A survey on security concerns in Internet of Things. Proceedings of the 2018 2nd International Conference on Intelligent Computing
and Control Systems (ICICCS 2018); June 14, 2018:27-34; IEEE.
40. Idrissi I, Azizi M, Moussaoui O. IoT security with deep learning-based intrusion detection systems: a systematic literature review. Proceedings of the
2020 4th International Conference On Intelligent Computing in Data Sciences (ICDS); 2020:1-10; IEEE.
41. Aludhilu H, Puente RR. A systematic literature review on intrusion detection approaches. Revista Cubana de Ciencias Inform. 2020;14(1):58-78.
42. Ferdiana R. A systematic literature review of intrusion detection system for network security: research trends, datasets and methods. Proceedings of
the 2020 4th International Conference on Informatics and Computational Sciences (ICICoS); 2020:1-6; IEEE.
43. Tranfield D, Denyer D, Smart P. Towards a methodology for developing evidence-informed management knowledge by means of systematic review. British
J Manag. 2003;14(3):207-222.
44. Brereton P, Kitchenham BA, Budgen D, Turner M, Khalil M. Lessons from applying the systematic literature review process within the software
engineering domain. J Syst Softw. 2007;80(4):571-583.
45. Ghorbani AA, Lu W, Tavallaee M. Network Intrusion Detection and Prevention: Concepts and Techniques. Vol 47. Springer Science & Business Media; 2009.
46. He Y, Dai L, Zhang H. Multi-branch deep residual learning for clustering and Beamforming in user-centric network. IEEE Commun Lett.
2020;24(10):2221-2225.
47. Ma X, Zhang F, Chen X, Shen J. Privacy preserving multi-party computation delegation for deep learning in cloud computing. Inform Sci.
2018;459:103-116.
48. Zhang Y, Liu F, Fang Z, Yuan B, Zhang G, Lu J. Learning from a complementary-label source domain: theory and algorithms. IEEE Trans Neural Netw Learn
Syst. 2021;1–15.
49. Sun G, Cong Y, Dong J, Liu Y, Ding Z, Yu H. What and how: generalized lifelong spectral clustering via dual memory. IEEE Trans Pattern Anal Mach Intell.
2021;1.
50. Sari A. A review of anomaly detection systems in cloud networks and survey of cloud security measures in cloud storage applications. J Inf Secur.
2015;6(02):142-154.
51. Aljamal I, Tekeoğlu A, Bekiroglu K, Sengupta S. Hybrid intrusion detection system using machine learning techniques in cloud computing environments,
2019 IEEE 17th international conference on software engineering research, management and applications (SERA); 2019:84-89; IEEE.
52. Ravindranath V, Ramasamy S, Somula R, Sahoo KS, Gandomi AH. Swarm intelligence based feature selection for intrusion and detection system in cloud
infrastructure. Proceedings of the 2020 IEEE Congress on Evolutionary Computation (CEC); 2020:1-6; IEEE.
53. Salman T, Bhamare D, Erbad A, Jain R, Samaka M. Machine learning for anomaly detection and categorization in multi-cloud environments. Proceedings
of the 2017 IEEE 4th International Conference on Cyber Security and Cloud Computing (CSCloud); 2017:97-103; IEEE.
54. Otoum Y, Liu D, Nayak A. DL-IDS: a deep learning–based intrusion detection framework for securing IoT. Trans Emerg Telecommun Technol. 2019;30:e3803.
55. Verma A, Ranga V. Machine learning based intrusion detection systems for IoT applications. Wirel Personal Commun. 2020;111(4):2287-2310.
56. Ge M, Fu X, Syed N, Baig Z, Teo G, Robles-Kelly A. Deep learning-based intrusion detection for IoT networks. Proceedings of the 2019 IEEE 24th Pacific
Rim International Symposium on Dependable Computing (PRDC); 2019:256; IEEE.
57. Zhang Y, Li P, Wang X. Intrusion detection for IoT based on improved genetic algorithm and deep belief network. IEEE Access. 2019;7:31711-31722.
58. Loukas G, Vuong T, Heartfield R, Sakellari G, Yoon Y, Gan D. Cloud-based cyber-physical intrusion detection for vehicles using deep learning. IEEE Access.
2017;6:3491-3508.
59. Luo J, Li M, Liu X, Tian W, Zhong S, Shi K. Stabilization analysis for fuzzy systems with a switched sampled-data control. J Franklin Inst. 2020;357(1):39-58.
60. Tsvetanov TI. Pattern-based network defense mechanism. Google Patents; 2008.
61. Huang K, Zhang Q, Zhou C, Xiong N, Qin Y. An efficient intrusion detection approach for visual sensor networks based on traffic pattern learning. IEEE
Trans Syst Man Cybern Syst. 2017;47(10):2704-2713.
62. Aparicio-Navarro FJ, Kyriakopoulos KG, Gong Y, Parish DJ, Chambers JA. Using pattern-of-life as contextual information for anomaly-based intrusion
detection systems. IEEE Access. 2017;5:22177-22193.
63. Aparicio-Navarro FJ, Chambers JA, Kyriakopoulos K, Gong Y, Parish D. Using the pattern-of-life in networks to improve the effectiveness of intrusion
detection systems. Proceedings of the 2017 IEEE International Conference on Communications (ICC); 2017:1-7; IEEE.
64. Liu J, Zhang W, Tang Z, et al. Adaptive intrusion detection via GA-GOGMM-based pattern learning with fuzzy rough set-based attribute selection. Expert
Syst Appl. 2020;139:112845.
65. Wang Y, Liang Y, Sun H, Ma Y. Intrusion detection and performance simulation based on improved sequential pattern mining algorithm. Clust Comput.
2020;23:1927-1936.
66. Rao CS, Raju KB. MapReduce accelerated signature-based intrusion detection mechanism (IDM) with pattern matching mechanism. Soft Computing in
Data Analytics. Springer; 2019:157-164.
67. Iqbal IM, Calix RA. Analysis of a payload-based network intrusion detection system using pattern recognition processors. Proceedings of the 2016
International Conference on Collaboration Technologies and Systems (CTS); 2016:398-403; IEEE.
68. Manickam M, Rajagopalan S. A hybrid multi-layer intrusion detection system in cloud. Clust Comput. 2019;22(2):3961-3969.
69. Wu Z, Li C, Cao J, Ge Y. On scalability of association-rule-based recommendation. ACM Trans Web (TWEB). 2020;14(3):1-21.
70. Kumar V, Sinha D, Das AK, Pandey SC, Goswami RT. An integrated rule based intrusion detection system: analysis on UNSW-NB15 data set and the real
time online dataset. Clust Comput. 2020;23(2):1397-1418.
71. Papamartzivanos D, Mármol FG, Kambourakis G. Dendron: genetic trees driven rule induction for network intrusion detection systems. Future Gener
Comput Syst. 2018;79:558-574.
72. Haugerud H, Tran HN, Aitsaadi N, Yazidi A. A dynamic and scalable parallel network intrusion detection system using intelligent rule ordering and network
function virtualization. Future Gener Comput Syst. 2021;124:254–267.
73. Lou P, Lu G, Jiang X, Xiao Z, Hu J, Yan J. Cyber intrusion detection through association rule mining on multi-source logs. Appl Intell. 2021;51(6):4043-4057.
74. Riyaz B, Ganapathy S. An intelligent fuzzy rule based feature selection for effective intrusion detection. Proceedings of the 2018 International Confer-
ence on Recent Trends in Advance Computing (ICRTAC); 2018:206-211; IEEE.
75. Kshirsagar D, Shaikh JM. Intrusion detection using rule-based machine learning algorithms. Proceedings of the 2019 5th International Conference on
Computing, Communication, Control And Automation (ICCUBEA); 2019:1-4; IEEE.
76. Panigrahi R, Borah S, Mishra D. A proposal of rule-based hybrid intrusion detection system through analysis of rule-based supervised classifiers. Intelligent
and Cloud Computing. Springer; 2021:623-633.
77. Gaffney JE, Ulvila JW. Evaluation of intrusion detectors: a decision theory approach. Proceedings 2001 IEEE Symposium on Security and Privacy. S&P
2001, 2000:50-61; IEEE.
78. Patel A, Taghavi M, Bakhtiyari K, Júnior JC. An intrusion detection and prevention system in cloud computing: a systematic review. J Netw Comput Appl.
2013;36(1):25-41.
79. Alkadi O, Moustafa N, Turnbull B. A review of intrusion detection and Blockchain applications in the cloud: approaches, challenges and solutions. IEEE
Access. 2020;8:104893-104917.
80. Lv Z, Qiao L, Li J, Song H. Deep-learning-enabled security issues in the internet of things. IEEE Internet Things J. 2020;8(12):9531-9538.
81. Asharf J, Moustafa N, Khurshid H, Debie E, Haider W, Wahab A. A review of intrusion detection systems using machine and deep learning in internet of
things: challenges, solutions and future directions. Electronics. 2020;9(7):1177.
82. Huang Z, Wang T, Liu W, Valencia-Cabrera L, Pérez-Jiménez MJ, Li P. A fault analysis method for three-phase induction motors based on spiking neural
P systems. Complexity. 2021;2021:1-19.
83. Vermesan O, Friess P. Internet of Things-from Research and Innovation to Market Deployment. Vol 29. River Publishers Aalborg; 2014.
84. Khraisat A, Alazab A. A critical review of intrusion detection systems in the internet of things: techniques, deployment strategy, validation strategy,
attacks, public datasets and challenges. Cybersecurity. 2021;4(1):1-27.
85. Yi H. Secure social internet of things based on post-quantum blockchain. IEEE Trans Netw Sci Eng. 2021;1.
86. Li B, Xiao G, Lu R, Deng R, Bao H. On feasibility and limitations of detecting false data injection attacks on power grid state estimation using D-FACTS
devices. IEEE Trans Ind Inform. 2019;16(2):854-864.
87. Hromic H, Le Phuoc D, Serrano M, et al. Real time analysis of sensor data for the Internet of Things by means of clustering and event processing.
Proceedings of the 2015 IEEE International Conference on Communications (ICC); 2015:685-691; IEEE.
88. Ahmed E, Yaqoob I, Hashem IAT, et al. The role of big data analytics in internet of things. Comput Netw. 2017;129:459-471.
89. Lv Z, Qiao L, Hossain MS, Choi BJ. Analysis of using blockchain to protect the privacy of drone big data. IEEE Netw. 2021;35(1):44-49.
90. Dehghani M, Ghiasi M, Niknam T, et al. Blockchain-based securing of data exchange in a power transmission system considering congestion management
and social welfare. Sustainability. 2020;13(1):1-1.
91. Dehghani M, Ghiasi M, Niknam T, et al. Blockchain-based securing of data exchange in a power transmission system considering congestion management
and social welfare. Sustainability. 2021;13(1):90.
92. Gong J, Navimipour NJ. An in-depth and systematic literature review on the blockchain-based approaches for cloud computing. Clust Comput.
2021;24(4):1-18.
93. Lv Z, Chen D, Wang Q. Diversified technologies in internet of vehicles under intelligent edge computing. IEEE Trans Intell Transp Syst.
2020;22(4):2048-2059.
94. Benaddi H, Ibrahimi K. A review: collaborative intrusion detection for IoT integrating the blockchain technologies. Proceedings of the 2020 8th
International Conference on Wireless Networks and Mobile Communications (WINCOM); 2020:1-6; IEEE.
95. Lv Z, Singh AK, Li J. Deep learning for security problems in 5G heterogeneous networks. IEEE Netw. 2021;35(2):67-73.
96. Lv Z, Lou R, Singh AK. AI empowered communication systems for intelligent transportation systems. IEEE Trans Intell Transp Syst. 2020;22(7):4579–4587.

How to cite this article: Luo G, Chen Z, Mohammed BO. A systematic literature review of intrusion detection systems in the cloud-based
IoT environments. Concurrency Computat Pract Exper. 2022;e6822. doi: 10.1002/cpe.6822
