A Critical Review of Practices and Challenges in Intrusion Detection Systems For IoT Toward Universal and Resilient Systems


3496 IEEE COMMUNICATIONS SURVEYS & TUTORIALS, VOL. 20, NO. 4, FOURTH QUARTER 2018

A Critical Review of Practices and Challenges in Intrusion Detection Systems for IoT: Toward Universal and Resilient Systems

Elhadj Benkhelifa, Member, IEEE, Thomas Welsh, Member, IEEE, and Walaa Hamouda, Senior Member, IEEE

Abstract—The Internet-of-Things (IoT) is rapidly becoming ubiquitous. However the heterogeneous nature of devices and protocols in use, the sensitivity of the data contained within, as well as the legal and privacy issues, make security for the IoT a growing research priority and industry concern. With many security practices being unsuitable due to their resource intensive nature, it is deemed important to include second line defences into IoT networks. These systems will also need to be assessed for their efficacy in a variety of different network types and protocols. To shed light on these issues, this paper is concerned with advancements in intrusion detection practices in IoT. It provides a comprehensive review of current intrusion detection systems (IDSs) for IoT technologies, focusing on architecture types. A proposal for future directions in IoT based IDS are then presented and evaluated. We show how traditional practices are unsuitable due to their inherent features providing poor coverage of the IoT domain. In order to develop a secure, robust and optimized solution for these networks, the current research for intrusion detection in IoT will need to move in a different direction. An example of which is proposed in order to illustrate how malicious nodes might be passively detected.

Index Terms—Intrusion detection systems (IDS), IoT security, wireless sensor networks, universal IDS.

Manuscript received June 20, 2017; revised December 12, 2017 and April 3, 2018; accepted May 14, 2018. Date of publication June 7, 2018; date of current version November 19, 2018. This work was supported by Staffordshire University. (Corresponding author: Elhadj Benkhelifa.)
E. Benkhelifa and T. Welsh are with the School of Computing and Digital Technologies, Staffordshire University, Stoke-on-Trent ST4 2DE, U.K. (e-mail: [email protected]).
W. Hamouda is with the Department of Electrical and Computer Engineering, Concordia University, Montreal, QC H3G 2W1, Canada (e-mail: [email protected]).
Digital Object Identifier 10.1109/COMST.2018.2844742

I. INTRODUCTION

THE INTERNET-OF-THINGS (IoT) is a novel paradigm concerned with building a pervasive environment of smart devices (or things), seeking to enhance everyday life through ubiquitous connectivity [1]. This is accomplished via the interconnectivity of sensors and actuators, in order to facilitate smart decisions made via analysis of an inherent wealth of data. The IoT technologies are expected to offer unprecedented opportunities to interconnect human-beings. Additionally, the proposed platform for the future IoT will be through Machine-to-Machine (M2M) communications, whereby sensors and networks allow all things to communicate directly with each other to share vital information. This will allow us to have a truly instrumented universe where accurate data is readily available to inform optimal decision making.

The IoT is typically considered to have partially evolved from the implementation of Radio Frequency Identification Devices (RFIDs) [1]. RFID consists of very low power, wireless tags used to electronically identify physical objects and animals. Whilst allowing the wireless intelligent tracking of objects within confined spaces, RFID tags are passive and unintelligent. Their features disallow the ability to log and understand their environment [2]. Thus preventing collaboration with other devices and generally stunting the evolution and further analysis of the inherent wealth of data. With the realization that the interconnection of these devices coupled with intelligent data analytics, may enhance services and facilities in the physical world, such devices evolved from being passive objects to interactive, cooperative, and smart devices. Although, still retaining the original mantra of low-power and wireless communication, these devices combine sensors with RFID tags to produce wireless devices capable of sensing their environment and thus producing dynamic data. However, due to the low power nature of these devices, their range is limited. Therefore, by harnessing the enabling technologies from wireless computing networks, the capabilities to produce wide-scale sensor networks were achieved [1]. Also, in order to economize on this sensor usage, it is important to implement these networks in an efficient manner which is accomplished by applying ad-hoc and distributed networking protocols.

As the need for a globalised access to networks of heterogeneous device types was realised in all facets of society, the IoT was born as a vision of global interconnectivity where embedded devices and sensors facilitate a new age of Internet connected devices to improve our lives. This is famed to be accomplished via a mass collection and analysis of data. However, with this enhanced interconnectivity comes further issues.

Security within computer networks has always been a major issue. With sensor based networks being used in a variety of critical infrastructures and applications, the need to secure them is arguably greater than ever [3]–[4]. With the introduction of data protection laws decreeing the responsible collection and storage of data, coupled with issues related to privacy of the individual, the secure handling of data contained within IoT based networks is vital to anyone. In addition, digital forensics is becoming an essential tool for the police as well as anyone wishing to protect their own legal interests.
1553-877X  c 2018 IEEE. Personal use is permitted, but republication/redistribution requires IEEE permission.
See http://www.ieee.org/publications_standards/publications/rights/index.html for more information.
Authorized licensed use limited to: SRM Institute of Science and Technology. Downloaded on June 21,2023 at 07:00:55 UTC from IEEE Xplore. Restrictions apply.
BENKHELIFA et al.: CRITICAL REVIEW OF PRACTICES AND CHALLENGES IN IDSs FOR IoT: TOWARD UNIVERSAL AND RESILIENT SYSTEMS 3497

Therefore the correct logging of computer network activity is a must. IoT is an emerging technology, famed with being able to change and improve society life, as such its security is an important issue.

This paper focuses on providing a survey of a variety of intrusion detection solutions for the IoT. Each solution attempts to improve the efficacy of detection in a number of ways and/or minimise its resource footprint through varied combinations of architectures, detection methods, and specific attacks detected. Primarily, this paper focuses on architecture types and the technologies which can be detected. This is driven by a fundamental characteristic of IoT which is related to the myriad of current and future technologies which will support it.

This paper is reviewed for its effectiveness so as to determine the state-of-the-art for IDS in IoT. From this review comes the proposal for a security system which leverages passive sensor nodes to negate the currently poor security environment presented by the open-medium and constrained devices. In turn, this enables any number or type of detection methods to be integrated into the system and thus, increasing accuracy and coverage for a wide variety of use cases.

This paper is structured as follows. In Section II, standards and technologies for the IoT are introduced. Section III situates this survey within the body of work by reviewing related surveys. In Section IV, a review of security threats to IoT devices is provided to support the state-of-the-art survey of IDS for IoT in Section V which then facilitates some proposals for future directions in Section V. Section VI provides an analysis of the survey which drives proposals presented in Section VII. Finally, Section VIII concludes the work.

II. IOT STANDARDS AND TECHNOLOGIES

Despite the growing adoption and interest in IoT systems, the term IoT merely describes the idea of global connectivity among smart devices, i.e., it does not specifically define the way in which these devices should communicate. Therefore IoT might best be considered an umbrella term encompassing a variety of technologies and standards, both hardware and software, and does not denote any particular standardisation. IoT networks typically consist of heterogeneous, intercommunicating devices or “things” and their networks.

IoT networks are (in the majority) driven by and built upon wireless networking specifications. As stated previously, RFID is one of the founding hardware types for IoT devices. Other low-power wireless technologies used include Wireless Sensor Networks (WSNs), Near Field Communication (NFC), Zigbee, 6Lowpan etc. most of which are considered personal area network technologies due to their low range and bandwidth. Networks may also be constructed upon slightly longer range such as WiFi [5]. In addition, IoT devices may utilize wide area protocols [6] such as General Packet Radio Service (GPRS), 3G, 4G, WiMax etc. or bridging with wired protocols to facilitate access to the Internet and other external networks [7]. Whilst these protocols and technologies are not specifically designed for IoT, their integration and potential use is illustrative of the array of protocols which will require consideration. An extensive survey of these technologies is given in [8].

TABLE I: A Non-Exhaustive List of Standards and Protocols Used in IoT

IoT may be thought of as a 3-layer model, consisting of the perception, transportation and application stages [7], [9]. The perception stage consists of the sensing technologies such as RFID, GPS, and short range transmission such as Bluetooth and IEEE 802.15.4. The transportation stage consists of longer range communication involving for instance IP, IEEE 802.3, 4G, etc. Whilst the final application phase consists of platforms such as cloud architectures for data management and actuators (e.g., traffic management systems).

Due to the resource constraints of the devices, some protocols have been designed specifically to support low power hardware. For example, IEEE 802.15.4 is a low power physical and media access specification for resource constrained wireless hardware. For instance, Zigbee and 6Lowpan are both built upon this specification [10]. With networking protocol packets being mostly too large for constrained resources, 6Lowpan was developed as a low resource replacement. Specifically designed to connect constrained devices to the Internet; 6Lowpan provides compression in order to accommodate IPv6 over IEEE 802.15.4 or other low power physical and media access protocols. In the literature, 6Lowpan is often discussed with the Routing Protocol for Low-Power and Lossy Networks (RPL), a multi-functional routing protocol for constrained devices where both are considered the most common IoT based networking set-ups [11].

Within security specifically, the lack of standardization creates issues when attempting to develop generalized research solutions to determine exactly what must be secured. Therefore, this section described an overview of the characteristics of IoT technologies, including the networking technologies used and the specific device features. IoT based


networking stacks may be considered as a typical layered networking stack, with each layer being dependent upon the other.

As IoT based networks may still be quite diverse, it is important to consider all types of IoT protocols. A non-exhaustive overview of protocols and standards which may be seen in current IoT systems is depicted in Figure 1. Here we focus on intrusion detection for those developed specifically for IoT networks (such as 6Lowpan) in addition to short range wireless network protocols (personal area networks). For a more comprehensive coverage of IoT enabling protocols please see [7].

III. RELATED SURVEYS

Due to the key point made in the previous section regarding the diverse array of technologies composing the IoT, likewise there is a variety of surveys to match them. What follows is a non-exhaustive list of some surveys which are relevant to IoT.

Many reviews which cover traditional (predominately wired) networks can be found. However as a consequence of the maturity of the field, in addition to the diversity of techniques available, these surveys tend to focus on a particular aspect of IDS. The array of methods used to merely detect attacks is evidenced via the variety of surveys available. For example, machine learning and data mining techniques are often leveraged due to the vast array of networking data available.

Buczak and Guven [12] provide a survey on machine-learning and data-mining techniques focused on IDS for general systems which are regularly mentioned in literature specific to IoT and WSNs (i.e., although the survey is not inclusive of these WSNs). They highlight a number of issues with these methods, in particular the variety and complexity of these methods requiring optimisation according to the specific use-case and technique. Additionally they note that one of the driving factors for the success and validation of these methods, the availability of quality data, appears to be somewhat lacking.

IDS for WSNs have received considerable attention in literature, perhaps due to their resource constrained nature ensuring their security is difficult. Abduvaliyev et al. [13] provide a very comprehensive survey of the characteristics of IDS in WSN (such as architecture, detection methods etc.) and highlight a number of interesting shortcomings in current works. These shortcomings include the low amounts of data available for validation (such as through simulation or implementation), poor energy consumption optimisation, and the lack of universal attack detection. A key point which is relevant to IoT within [13] is that these WSN IDS solutions fail to take into account Internet-enabled attacks (such as Distributed Denial of Service (DDoS) attacks) which will often be launched external to the network. Therefore, these solutions are only suited to one section of an IoT network.

A similar review to [13], which focuses on IDS for WSN, is introduced in [14]. Whilst still covering the fundamental characteristics of the IDS solutions, one of the main contributions in this paper is the applicability of Mobile Ad-hoc Network (MANET) IDS to WSN. It is to be noted that these solutions are not directly applicable to static WSNs. Additionally the authors in [14] conclude with a number of recommendations which allow the selection of the most appropriate architecture and detection method according to use-case. As with the previous studies, these use-cases fail to take into account heterogeneous technologies and use-cases which will be prevalent to IoT.

Cyber Physical Systems (CPS) are related to IoT systems in that they are composed of both physical sensors and actuators networked with computer-based control systems. Some of the key differences include: the time and critical nature of the applications in addition to not requiring connection to the Internet. A survey of IDS for CPS is given in [15]. After a classification of detection methods and the qualifying audit data, Mitchell and Chen [15] propose a summary of their findings although many are intuitive and apply to all IDS solutions (such as the relationship between false positive/negatives against detection methods.) However the authors do indicate the most effective techniques for CPS according to use-case and additionally highlight a number of gaps in literature. These include: a lack of IDS metrics (validation issues as before), lack of multitrust data, little research focusing on attacker behaviour, a lack of anomaly-based models, and a lack of research focusing on specific CPS use-cases (e.g., automotive). Whilst this survey is also not focused on the characteristics of IoT, the similarities prevalent within these areas provide some cross-over.

In contrast to the previously discussed reviews, Gendreau and Moorman [16] present a brief survey focused on IDS specific to IoT. They note that IDS cover a number of different technologies, including RFID, LANs, WANs, WLANs, Ad-Hoc networks, cloud systems, and mobile devices. The key point being that implementation and detection methods are different depending on the particular technology. This is an important point in the context of IoT due to the variety of technology types available. In [16], it is highlighted that a successful IDS for IoT will require coverage of all service layers. A less brief survey focusing on IDS in IoT is presented in [17]. In their work, the authors introduce an overview of IoT devices, suggesting that the IoT paradigm consists of 3 phases: 1) collection, 2) transmission, 3) processing, management, and utilisation. In the same work, the authors present an array of technologies available to IoT devices with a focus on novel wireless technologies. The survey concludes by highlighting a number of issues including: the lack of solutions which cover a range of technology types, attack types and as with the previous studies, poor validation of solutions.

In summary, the aforementioned surveys highlight the following points:
• Detection methods - A variety of detection methods exist with varying effectiveness. Often they only detect specific attacks and for specific technologies.
• Technologies detected - The vast majority of work appears to only cover one technology type, e.g., WSN, 6LowPan or RFID, there is a distinctive lack of works which universally covers the entire IoT domain.


• Validation of use-cases - whilst a vast array of techniques are shown, many are improperly validated via simulation. Additionally there is a lack of comparable data sets available.
• Unsuitability of traditional IDS - a highlighted point agreed amongst numerous surveys is that traditional IDS techniques are unsuitable for IoT networks. Not only due to the lack of technology coverage, as detailed above, but also due to the pervasive non-determinable nature of device traffic and location.

The diversity in the aforementioned surveys indicates that a review of security for IoT must be scoped effectively. Specifically, none of these surveys cover all technology aspects of IoT, which is deemed essential due to the heterogeneous nature of modern IoT environments. Therefore, this survey will attempt to review IDS for IoT from a broader technological scale and propose advisories to these shortcomings.

IV. IOT SECURITY: THREATS AND PRACTICES

In this section, an overview of currently known security issues within IoT are critically reviewed. Predominately, these security issues relate to the CIA model. Due to the heavy data collection and processing aspects of IoT, it is particularly prevalent to ensure data security (Availability, Integrity, Confidentiality). Types of attacks on data may be classified as being passive or active [18]. While passive attacks are concerned with the theft of data or privacy subversion, active attacks are concerned with the destruction, or subversion of data within the network. Table II lists the features at each networking layer which have been known to create security related issues within IoT networks.

TABLE II: Network Layer Insecurities

A number of inherent characteristics of IoT cause security issues to be prevalent and varied from conventional security issues. These mostly stem from the perception layer, due to the constrained nature of these devices. According to [19], all these security issues can be thought of as an extension of device power limitations, something conventional security solutions do not suffer from due to their non-mobile nature. As an unconstrained energy source is able to support large amounts of memory and processing, cryptographic principles which are the foundation of information security require considerable processing and memory for key storage and processing in order for it to be effective [19]. However, technology and implementation related issues are not the only area which causes IoT devices to be insecure. Profit-driven business and a novel, competitive market causes device manufacturers to consider security as an afterthought, if at all [9]. Due to the predominate sensing nature of the devices, theft of data is considered the largest risk. Unfortunately, the data is often seen to be too trivial for concern. However, this tends to be far from the truth, e.g., Smart Meters can betray privacy and even physical security breaches through the leaking of data [20]. A deeper concern is with smart cities, where data privacy issues may cause “an unequal society” through discrimination [21].

To manage the scope of this section, it primarily highlights threats within the perception layer of the IoT Model. This is as threats to traditional networks are covered extensively throughout literature and link with the transportation and application layers predominately.

A. Perception

Whilst the architectural features of IoT networks at the perception layer ensure that their applications are employed economically, efficiently and reliably, these networks still remain vulnerable to a variety of attacks due to inherent security issues relating to resource constrained devices, open-access network medium and the heterogeneity of the devices [9], [22]. When modelling IoT based devices upon a network protocol hierarchy (e.g., OSI), it should first be considered that many attacks may originate from the physical layer. This is where the perception layer lies on the IoT model. These issues are similar to those found in WSNs [19] and fundamentally stem from device limitations such as limited battery life, constrained computational process, and open wireless networking medium which cause the implementation of traditional security processes to be difficult [14]. Some solutions have been presented to mitigate issues at this layer, which predominately involve the inclusion of the aforementioned security features in a constrained form or physical security to the device itself. Many of these solutions have been shown to be flawed, due to the constrained nature as mentioned previously (such as with IEEE 802.15.4 [23], Bluetooth [24], RFID [25] or WiFi [26]). Additionally, these solutions do not protect against attacks from upper layers as this requires an adequate IDS [9].

Although it is essential to assess all layers within this model, a strong focus should be on the physical layer. A major attack surface is presented at this layer in which the devices are deployed in external areas ensuring they are open to attack. For example, physical access to the device provides an attacker with the ability to alter the integrity or availability of the device, whilst the open networking medium is susceptible to jamming or breach of confidentiality [27], [28]. A breakdown of known attacks on these systems is given in Table III.

B. Transportation

In upper networking layers, such as those related to the transportation layer of IoT, characteristics of the networking protocols used create further issues: multi-hop or broadcast routing, an open network medium, decentralized architecture and many more are just some examples of the widely prevalent multi-layer insecurities [27]. To mitigate these issues, inspiration may be found within traditional computer security solutions within which application layer protocols and services are often protected by firewalls or IDS at the lower


levels. Unfortunately, implementations of typical computing security practices are heavy in terms of resource usage; and resources on IoT devices are constrained so as to keep the cost of device to a minimum. In this way, security is often an afterthought of most manufacturers and not given priority over functionality [9].

TABLE III: Perception Level IoT Attack Susceptibility

Using protocols further away from the perception devices tends to be more secure, leveraging features such as IPSec for end-to-end, authentication and integration encryption in IPv4/6 which is feasible due to the larger resources available upon the devices. However as this traffic crosses from the less constrained to the highly constrained, novel solutions are needed. Additionally some technologies still suffer from fundamental issues such as DNS spoofing [29], IPv4 and IPv6 [30] man-in-the-middle, and routing attacks [31]. Although these may be more easily detected with the use of an IDS than their constrained counterparts.

C. Application

IoT Application layer technologies typically involve those involved with the service themselves, often situated around message passing [9] and may traverse all areas of the network from the perception layer sensors to the back-end support systems. The result of which creates the variety of “SMART” solutions available such as smart cities [21]. Therefore the application layer will span a multitude of devices. Hence, the security solutions will need to reflect this accordingly.

As with the transport layer, cryptography is easily deployed on the back-end or end-user devices but less supported on the perception devices with IDS are also more easily supported [17]. Therefore, protection at this layer will ideally need to span all networking layers where interoperability amongst them is cited as a key issue for the security of IoT [9], [32], [33].

V. STATE-OF-THE-ART INTRUSION DETECTION IN IOT

This section begins with an overview of IDS followed by an extensive survey of IDS characteristics for IoT.

IDS are a widely established networking security component. Although they are a form of detection (second line of defence), and not protection; their use in wireless networking is unparalleled as preventative security measures are difficult to implement [41]. The scope of this paper is on reviewing IDS built for IoT networks. This is different from works such as [42] which involve building an IDS for physical intrusions from IoT devices. IDS may also be found in different forms: host-based and network-based, where host-based systems monitor activity on the system itself (API calls, disk activity, memory usage etc.) whereas network-based systems monitor network activity and communications. In a general sense, IDS will monitor behaviour (either host activity or network traffic) for signs of attack, working under the assumption that nominal behaviour and malicious behaviour are distinct [43]. There are two prominent metrics for measuring the efficacy of an IDS; referred to as false positives and false negatives. A false positive occurs when legitimate traffic is reported as illegitimate where false negatives occur when illegitimate activity is not detected at all. It is noted that due to the sparse availability of data sets for IDS, the efficacy of measuring their performance is contentious [44].

Many different techniques have been proposed in literature for building various types of IDS. The majority of these are particularly resource intensive due to the scale of both signature-based databases and anomaly models [45]. In addition, both of the aforementioned detection methods require aperiodic updates in order to keep the database or models accurate. Due to this inherently heavy resource, both detection methods are not well suited to the constrained resources of IoT embedded devices [14]–[16]. Different attack detection methods are covered widely across literature and other surveys. The review will categorise the work upon architecture type employed but with a focus on the technology detected.

In general, detection types are typically classified as: misuse, anomaly, specification or a hybrid [14]. Misuse detection techniques employ a database of known attacks. Activities such as network traffic or system-level actions are compared to signatures within this database. If there is a match, then the activity is flagged as suspicious. Examples of suspicious network activity might be repeatedly testing for open ports, or the detection of shell code within network packets. Misuse detection is very successful on detecting attacks that are known (low false positives) but are poor at detecting attacks that are unknown (high false negatives). This is due to the lack of signature for novel attacks. Additionally, storing and


updating databases of signatures is impractical on constrained devices [13].

Anomaly detection techniques take a contrasting approach in which a model of typical activity is built which then enables current activity to be compared against this model where any discrepancies are flagged as suspicious. For example, the model might record the time and usage of all applications on a system and if an application is used outside of normal hours (e.g., at midnight instead of during working hours) then anomalous activity will be flagged. Alternatively with networking based activity models, if a server is suddenly seen to be connecting to an address or service which is not typical then malicious activity will be flagged again. Anomaly detection techniques excel at detecting new attacks where misuse detection methods would typically fail and thus, have low false positive rate. However, they tend to suffer from a high rate of false positives if the model is not periodically updated. The varying nature of wireless communications may cause false positives. Additionally, periodically updating the models may be resource intensive and thus put strain on resource-constrained devices [14].

Specification based techniques combine attributes of anomaly and misuse detection. As before, this involves the detection of anomalous activity from a pre-defined model. However, in contrast, the activity must be confirmed as malicious by a human participant [14]. This technique is advantageous due to the increased accuracy but introduces a delay in the creation of a signature due to the human interaction, which causes the process to not be timely.

Hybrid detection techniques will involve any combination of the above, whereby issues related to the efficacy of one technique is mitigated by the strengths of another [17].

As previously mentioned, IoT technologies are wide and varied. The classification of work according to technology type can be difficult for a number of reasons. Often due to the vagueness of the solution such as a lack of implementation and pure theoretical proposal. A large amount of work merely lists WSNs, which themselves may be composed of differing protocols, whilst others list a specific device type

nodes have a greater responsibility for processing than others. Decentralised architectures are grouped under hierarchical.
• Hybrid - any combinations of the above. Often found in tandem with multiple detection types.

Figure 1 illustrates some examples of the architectural differences between IDS placement strategies reviewed. The following subsections will review the surveyed work following the categories as above.

A. Centralised

Systems which monitor data from a single location and conduct processing on an external device have advantages in that they do not impose an extra overhead on the sensor nodes. Moreover these single node systems do not create additional points for subversion and allow for greater depth of processing. However, by moving the data analysis to an external agent, they create a single point of failure. In contrast, alternative methods involve monitoring at the sensor node level such as in [46]. Stelte and Rodosek [46] develop an anomaly based network intrusion detection system (NIDS) where each sensor node contains a lightweight application to monitor its own and/or other communication to detect Zigbee devices only. Nash et al. [36] present an anomaly host-based intrusion detection system (HIDS) which detects battery exhaustion attacks (a type of DoS) which targets one process, an attack particularly relevant to IoT devices due to their constrained power source but specific for mobile devices such as laptops. Whilst a similar approach is seen in [47], both of these methods use anomaly profiling as a HIDS. Although able to detect a specific attack, the validity of the results is limited due to potential subversion of the devices. On a different front, Oh et al. [48] develop methods to deploy misuse detection upon the constrained devices through optimised pattern matching algorithms. Whilst the methods were evaluated in a centralised manner upon one device, the value of this paper shows that these techniques may permit distributed or decentralised distribution of an IDS over multiple constrained
such as mobile (smart phones, laptops) multi-layers/standards devices. However, arguably the hardware used has still greater
or merely atomic standards, e.g., Bluetooth. The review as resources than more constrained nodes such as those employed
detailed in the following sections has attempted to list these in WSN. A similar approach which uses optimised matching
as accurately as possible given the available information. algorithms for constrained devices but for anomaly detection
This section has noted that there is a variety of IDS architec- is presented in [49]. The method in [49] involves deep packet
ture implementations. Therefore, it is necessary to evaluate the inspection and its accuracy and performance is shown to be
efficacy of this software under varying conditions including: rather effective. Such a centralised implementation would need
attack types, architecture, detection method and performance. to be deployed depending on particular use-case. For exam-
Here, we classify the work according to architecture type with ple, on a device which is constrained but relatively isolated
a focus on technology detected. In contrast to previous surveys from other constrained devices so as to not be able to leverage
which classify the IDS work into varying architecture types, collaborative resources.
this survey categorises them into the following: Two IDS in [50] and [51] which are concerned with
• Centralised - the entire IDS is placed in a central, either Bluetooth technologies both employ misuse detection, in a
remote or host-based location. centralised manner, as a remote NIDS. The efficacy of this
• Distributed - the IDS nodes are places among multiple or approach is considered higher than employing the system on
all nodes within the network and responsibility is divided the target nodes. This is due to the increased resources avail-
amongst them. able for storage and processing of networking data. Similarly,
• Hierarchical - may be stand-alone or in combina- Kasinathan et al. [52] deploy their misuse detection in a
tion with another architecture type in which some centralised remote server which monitors 6lowPan networks


Fig. 1. The traditional architecture types which are currently proposed for IoT based networks. The letter I represents the placement of the IDS. The top two
networks indicate a distributed and hierarchical architecture. The edges between nodes indicate available communication paths. The bottom diagrams indicate
3 possible solutions for centralised processing. The leftmost diagram indicates centralised processing upon the border router, the central on an external node
and the third on a single node.
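
The trade-off between misuse and anomaly detection described above can be made concrete. The following Python sketch is an added example, not code from any surveyed system; the node name, addresses, signature bytes and traffic records are all constructed for illustration. It shows a signature matcher missing a previously unseen attack that a profile of typical peers and hours catches, and a stale profile raising false positives until it is refreshed.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    hour: int       # hour of day the flow was seen (0-23)
    src: str        # node that opened the connection
    dst: str        # peer address
    port: int       # destination service
    payload: bytes  # leading payload bytes captured by the monitor


# Constructed signature database: byte patterns of already-known attacks.
SIGNATURES = {b"\xde\xad\xbe\xef": "known-flood-tool"}


def misuse_detect(flow):
    """Misuse detection: alert only if a stored signature matches."""
    return [name for pat, name in SIGNATURES.items() if pat in flow.payload]


class AnomalyModel:
    """Model of typical activity: usual peers/services and active hours per node."""

    def __init__(self):
        self.peers = {}  # src -> set of (dst, port)
        self.hours = {}  # src -> set of hours

    def learn(self, flows):
        """Build or refresh the model from traffic believed to be benign."""
        for f in flows:
            self.peers.setdefault(f.src, set()).add((f.dst, f.port))
            self.hours.setdefault(f.src, set()).add(f.hour)

    def check(self, flow):
        """Return the ways in which a flow deviates from the model."""
        reasons = []
        if (flow.dst, flow.port) not in self.peers.get(flow.src, set()):
            reasons.append("untypical peer/service")
        if flow.hour not in self.hours.get(flow.src, set()):
            reasons.append("outside normal hours")
        return reasons


def hybrid_detect(flow, model):
    """Hybrid detection: the union of both techniques' alerts."""
    return misuse_detect(flow) + model.check(flow)


# Constructed baseline: node-7 reports to its gateway during working hours.
BASELINE = [Flow(h, "node-7", "10.0.0.1", 5683, b"temp=21") for h in range(8, 18)]

# Constructed test traffic.
KNOWN_ATTACK = Flow(10, "node-7", "10.0.0.1", 5683, b"\xde\xad\xbe\xef" + b"A" * 8)
NOVEL_ATTACK = Flow(0, "node-7", "203.0.113.9", 23, b"login: ")
MIGRATED = [Flow(h, "node-7", "10.0.0.2", 5683, b"temp=22") for h in range(8, 18)]


def run_demo():
    model = AnomalyModel()
    model.learn(BASELINE)
    results = {
        "known/misuse": misuse_detect(KNOWN_ATTACK),
        "known/anomaly": model.check(KNOWN_ATTACK),
        "known/hybrid": hybrid_detect(KNOWN_ATTACK, model),
        "novel/misuse": misuse_detect(NOVEL_ATTACK),
        "novel/anomaly": model.check(NOVEL_ATTACK),
        "novel/hybrid": hybrid_detect(NOVEL_ATTACK, model),
    }
    # The gateway is legitimately moved to 10.0.0.2: the stale model now
    # flags every benign flow as anomalous...
    results["stale_false_positives"] = sum(bool(model.check(f)) for f in MIGRATED)
    # ...until the model is refreshed with vetted traffic.
    model.learn(MIGRATED[:3])
    results["fresh_false_positives"] = sum(bool(model.check(f)) for f in MIGRATED)
    return results


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key:24} {value}")
```

The known attack is caught only by the signature and the novel one only by the profile, which is the gap a hybrid detector closes; the refresh step is also the recurring cost that the text notes may strain constrained devices.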

through the use of probes. As is often the shortcoming with misuse detection, this technique only permits the detection of distributed denial-of-service (DDoS) attacks and for only one technology. However, the authors claim that the platform has the ability to be integrated as a hybrid detection method, which would considerably improve the performance.

An improvement on the host-based centralised detection is shown in [53] where the authors present a system to detect DoS attacks using a hybrid detection method. In that, an external host monitors the network via secure wired probes. Unlike previously discussed works, this system is designed for 6LoWPAN networks. Therefore, its solution is dedicated to IoT based networks.

Using specialised hardware and smart batteries, Buennemeyer et al. [54] employ an HIDS for anomaly detection. Despite the additional expense, a method such as this indicates how trust can be employed locally through the application of “trusted” hardware. Of course an adversary who might subvert the hardware would still be able to subvert the device at the physical layer. However an attack such as that would likely be costly.

B. Distributed

A number of anomaly detection techniques employ distributed architectures but in a watch-dog based manner. This involves a subset of the network monitoring the other nodes. Yadav and Srinivasan [55] employ a statistical trust-based method for attack detection in WSN which shows good levels of success against a variety of attacks. Song et al. [56] attempt to minimise the resource consumption of anomaly methods using weak hidden Markov models in addition to the watch-dog technique. They employ both NIDS and HIDS and show success in detecting some specific attacks although with variable accuracy. Another watch-dog based method presented in [57] detects attacks under the assumption that nodes in the local cluster will behave alike. Even though the authors claim that this method is unlike anomaly and misuse methods, the method is in fact a hybrid model. Whilst watch-dog based models may have benefits such as reducing the resource requirements of the overall IDS, the watch-dog nodes themselves may still suffer from subversion and thus monitoring the other nodes may be untrusted.

Misra et al. [58] successfully leverage learning automata (LA) on a distributed architecture to detect DDoS attacks. The method is particularly commendable as it is designed for heterogeneous devices and therefore covers a wide area of the IoT. The solution fails, however, to take into account subversion of the system or protocol itself. For example by falsifying a DDoS it may be possible to cause a DoS against the network. Along the same lines, Gupta et al. [59] propose a hybrid


detection system which leverages Computation Intelligence (CI) in an attempt to overcome numerous shortcomings of traditional WIDS. The details of the proposal are slim so evaluating its success and performance is difficult. However encompassing multiple architectures and detection types is certainly of merit, although one might argue the complexity of such an architecture increases the attack surface of the system.

Through clustering, a specification method in [60] was presented to optimise resource consumption of the overall IDS, leveraging host and network monitoring. The downside to this architecture is its difficulty in detecting other types of attacks. On the other hand, Eludiora et al. [61] present an anomaly NIDS which utilises mobile-agents for IDS of enhanced resource optimisations and fault-tolerance. In [61], it is noted that using purely distributed over hierarchical methods decreases the chance of subversion. However, although the mobile agents decrease resource consumption for the IDS, they increase energy consumption on the particular nodes they are active upon and thus skew the node’s current work.

Liu et al. [62] describe an artificial-immune system based machine-learning approach “for the IoT”. The method appears to be a hybrid/specification based due to signatures created by the technique which then must be inserted by the administrator. However, the particular technologies this system applies to and the problem of IDS placement need further investigation. Similar work has shown that such techniques may be employed in a distributed manner but the resource requirements for constrained devices are questionable. A practical implementation which is evaluated under simulation is found in [63] which is designed specifically for WSN. The authors note that false positives are often generated due to fluctuations in the RF signal quality.

C. Hierarchical

Artificial immune systems (AIS) have shown success as an anomalous detection in conventional networks. In [3], the system spans multiple network scales in a hierarchical fashion. It utilises NIDS, HIDS and wireless intrusion detection system (WIDS) showing success in interoperability across heterogeneous network types. The system takes into account the excessive false positives within anomaly based methods via cooperative information to dramatically increase accuracy. Systems of this form are likely to be highly deployable across large and heterogeneous IoT networks, although there are many issues which must be considered regarding the complexity of the system.

Coppolino et al. [64] introduce a distributed system which inherits a hierarchical approach by applying data-mining as an NIDS. The detection method is also hybrid by employing a modelling method which detects multiple attack types. It is noted that the architecture employing a centralised agent creates a single point of failure in this system. On a different front, a hierarchical watch-dog based NIDS in [65] is employed to detect a multitude of attacks using a specification-based scheme on IPv6 WSNs. In this case, a rule must first be detected but then approved by an administrator. The efficacy of the proposed latency in detection is a shortcoming of this method. The watch-dogs have attacks specific to their location which aid in resource optimisation and minimisation of false positives. A watch-dog NIDS in [66] applied to hierarchical clusters is shown to detect sink-hole attacks using a trust method for 6LoWPAN networks. Similarly, the concept for a distributed and hierarchical, watch-dog based NIDS use for anomaly detection in RPL is given in [67]. It is shown that the hierarchical component which relies on the edge router’s lack of subversion is a single point of failure within this system.

An NIDS for detecting sink-hole attacks for Routing Protocol for Low-power (RPL) devices, which deploys one component on the border router and others distributed across the remaining nodes is presented in [68]. The hierarchical nature of this system, which relies upon nodes forwarding packets for other nodes again creates an attack target for subversion. On the other hand, Raza et al. [11] present NIDS described as specifically for the IoT. The proposed IDS employs a hybrid of both anomaly and signature techniques to detect routing attacks via the RPL metric. Shreenivas et al. [69] provide an extension to this paper which utilises another metric to detect attacks using an anomaly method. Despite this, the architecture covers only 6LoWPAN technologies. Whilst 6LoWPAN is arguably the most considered IoT technology, it does not cover all types. The architecture is decentralised and hierarchical due to processing more data on higher resource edge node. Another hierarchical anomaly based NIDS is presented in [70] which uses learning automata upon resource (or energy) information of forwarded packet (routing) attacks in WSN only. A similar technique can be seen in [71] where the authors propose an NIDS which combines both misuse and anomaly detection to cover multiple attack types. In that, the work is aimed at mitigating issues relating to accuracy via the hybrid method which also results in greater complexity and resource consumption on each node. Furthermore, Yu and Tsai [72] also apply anomaly based machine-learning for detection in a hierarchical manner. However, this time the authors employ both HIDS and NIDS but the implementation was not discussed to indicate the efficacy of the solution. Another anomaly method which leverages ant-colony optimisation upon cluster heads is found in [73]. This method detects routing attacks only, although the authors discuss that their detection method is able to detect both internal and external attacks, as opposed to just one.

VI. ANALYSIS

Overall, there is considerable variety in the reviewed work. Table IV provides an overview of the key characteristics reviewed. A summary of key points is presented below.

A. Technology Coverage

Overall, network solutions are typically tailored to a specific protocol, e.g., Bluetooth, 6LoWPAN or WSNs. Few works focus entirely on all proposed technologies within the IoT domain. Therefore proposing to name these works as IoT IDS is questionable and may lead to end-users being unaware of the scope of their products, or organisations requiring multiple products to cover multiple technology types and areas. Questions of


TABLE IV
OVERVIEW OF SURVEYED IDS FOR IoT LITERATURE

interoperability and effectiveness between interactive components are left not specified, as such the future of this area is uncertain, giving rise to further issues relating to attack surface and solution complexity. Some works such as [3] and [52] attempt to mitigate these issues by encompassing a wide variety of components. However, even these solutions do not cover all three phases of the IoT layers and not in a holistic manner.

In general, WSNs are given much focus in the literature. As stated within the previous surveys, WSNs share similar protocols, technologies and resources but fail to consider Internet driven attacks, e.g., DDoS or additional protocols, e.g., IEEE 802.3. IDS in WSNs are seen in all architecture forms except a centralised manner. In contrast the IEEE 802.11 standards (within a constrained and IoT context) are seen in a variety of architecture types, although work is considerably less than the WSNs. Similarly protocols for 6LoWPAN can be seen across all architecture types. Therefore, we argue that the wide variety of technologies across the IoT is a driving force for its security due to the aforementioned issues related to detection and interoperability.

B. Detection Types, Effectiveness and Suitability

There is diversity in architecture and detection types with varying degrees of effectiveness to the variety of attack types detected. NIDS are seen more than any other, often found with anomaly detection methods. On the other hand, HIDS are seen less commonly, largely due to the excess resource consumption required on the already constrained nodes.

Anomaly-based detection methods are seen more over misuse detection methods due to their smaller memory footprint and as such are proven more effective on constrained protocols. One alternative and most promising method of network activity monitoring appears to be the monitoring of device resources (e.g., [74]), as embedded devices are typically designed around their power usage. Numerous mitigation methods for false positives have also been proposed in literature, which is a major issue due to the variable nature of RF-based communications. In addition, unconventional AI based methods such as [73] may be seen with good levels of success. However, these methods will typically cover only a few types of attacks and not all layers.

Misuse techniques are seen less in the IoT work covered within this review and others. Largely due to the constraints upon the majority of these devices preventing the storage of a database of signatures. This would explain why these techniques are mostly seen within centralised architecture types which provide greater resilience against subversion but which may maintain an incomplete picture of network activity if the area is not sufficiently covered. The fact that misuse-based methods are exemplar at detecting known attacks yet so little work is seen is likely due to these resource constraints and the ever increasing prominence of zero-day attacks negating their effectiveness.

Detection techniques cover a range of attack types and network layers but none appear to be comprehensive in terms of attack type detected, wireless technologies, and networking layers. An IDS which was developed truly for IoT would be required to detect all types of attacks. In addition, it could be argued that due to the previously discussed issues regarding the open and insecure physical layer, implementing an IDS on any sensor node itself can never be guaranteed to be reliable. However these implementations which are in software on the target device, as opposed to dedicated hardware, may be suitable for less mission critical applications. Although for networks with sensitive data which must be


vitally protected (e.g., military, health or any other under jurisdiction of data-protection and privacy legislation), this lack of guarantee is unacceptable. At the minimum, it should be known whether such intrusion software is reliable or not which may be guaranteed via a third party.

C. Architecture

In regards to architecture, the least commonly seen form is a centralised architecture. Typically data collection and/or analysis is conducted in a decentralised manner. The ad-hoc and distributed nature of the wireless networks being the most prominent reason for this. Primarily as wireless communications are difficult to comprehensively detect from a centralised location due to the nature of RF transmission. Additionally providing a more scalable and adaptable system is suited to this architecture type.

The majority of the work reviewed focuses on minimizing the footprint of the application in order to economise on resource usage within distributed applications. However, it could be argued that employing such mechanisms creates multiple additional layers of complexity within the network and system. This has many disadvantages such as an increase in resource usage, increased attack surface, and general maintainability issues. Foremost, network overhead is considerably increased, which will put more strain on the already constrained bandwidth. Finally, additional strain is put onto the sensor nodes with increased processing and memory usage.

Further issues occur during implementation of such a system, whereby each node to contain IDS software needs to have additional code developed for it. Whilst this might be justified for homogeneous network types, it proves more difficult for IoT based networks. Due to the various devices, architecture types vary considerably and thus additional development time may increase with network complexity. Also this additional complexity creates new potential security vulnerabilities. High-level programming solutions may mitigate the majority of these issues but put considerable strain on the resources of these constrained devices. An alternative to this distributed architecture is hierarchical systems which are also seen often within this paper. They attempt to mitigate the aforementioned issues of resource consumption on constrained nodes through distributing this paper more appropriately via node placement. For example, more resource intensive tasks will be undertaken by those nodes with more resources, or sometimes handled in the majority by a central node. Dependent upon the particular structure of the network, hierarchical structures may introduce multiple weak points in the architecture by having one or more points of failure/subversion (e.g., through falsifying or nullifying alerts).

VII. PROPOSED IoT-IDS ARCHITECTURE

In the previous sections, we reviewed work within the area of IDS for IoT and provided an analysis of the work. In this section, we look at ways of mitigating some of the seen issues via an architectural solution. The majority of the work presented proposes solutions which seek to minimise resource usage upon the resource constrained network whilst attempting to maximize the efficacy of the process. This is accomplished through additional software and/or networking layer. Unfortunately this ensures additional overhead and complexity within the IoT network itself, which is arguably not acceptable in heterogeneous networks of the IoT. A more effective solution would remove this complexity and excess resource consumption away from the IoT network. In addition, whilst distributing the collection or analysis of data amongst nodes appears to be an effective method of solving scalability issues, poor physical security still leaves the issue of subvertible devices open. Therefore, this does not comprehensively cover all network layers. In what follows, we summarise important issues:

1) A wide variety of technology types amongst the IoT causes poor coverage of all three IoT layers from any solution. Multiple issues such as complexity and interoperability must be solved to mitigate this issue. Whilst individual solutions may be suitable for individual use-cases, issues of expendability and interoperability still exist.
2) A considerable amount of detection techniques have been presented with variable detection accuracy and attack coverage. None appear to be able to cover all attack types with good accuracy. This is partially due to the variability of RF-based communications and the resources available for capturing and processing. The only real effective detection methods are hybrid methods which require these resources.
3) The distributed nature of these systems causes distributed or hierarchical IDS to be the most prominent. However, due to constrained resources these are difficult to implement effectively and securely.
4) Fundamentally, the open-medium and constrained nature of IoT devices leave them liable to subversion at the physical layer. As such, they cannot be trusted security services.

Taking the above into account, it is proposed that the most effective and secure IDS solution would be one in which RF monitoring is passively conducted via network probes, similar to the work in [77] which applies this technique to WIFI networks and [52] which applies this to 6LoWPAN networks. Both of these techniques show merit and through various adaptations could be extended to cover a wide number of IoT technologies and attack scenarios. Specifically, a novel proposed system would use hard-wired or secure point-to-point links to connect network probes to an external site. These would be modular in nature and thus permit a wide variety of technology types in an extensible manner. For instance, optimised antennas could provide varying levels of coverage across long distance and large areas and for differing protocol types. The probes could provide coverage of this communication to a back-end system which would permit a number of modular detection methods. In this case, a cloud-based system would be advantageous to provide scalability, with potentially unlimited processing facilitating any data analysis necessary. At the expense of greater financial investment, such a solution will have the following advantages over currently proposed solutions.


Fig. 2. This diagram illustrates the proposed IDS for IoT which covers all three layers of the IoT model. The proposed IDS placement is indicated in red.
A local IDS sits close to the perception layer and provides static probes across the sensing environments to receive network data. Simultaneously it probes
network traffic heading for the application layer. This data is collaborated with a remote IDS which sits within the application layer and monitors traffic from
the service platform.

• Ability to externally process data and thus conduct resource intensive detection methods and comprehensively detecting attack types as described throughout literature.
• The ability to detect attacks on the physical layer and above, which will provide monitoring for the entire network and mitigate issues related to the open-medium and untrustworthy nodes.
• Facilitate the monitoring of multiple node types whilst not requiring additional code through a universal monitoring solution. Modularisation would enable extensibility and negate issues related to constrained technologies.
• Remote processing would negate any additional strain on the resource constrained network or devices, in addition to no additional layer of complexity.
• Create a more secure solution by moving the system to a different layer than that to be monitored.

It is believed that such a system would be the most comprehensive (in terms of attack and device types monitored) and a secure way to develop an IDS tailored specifically to IoT. However, the following negative aspects will need to be reviewed:
• Ensuring a secure connection between sniffer nodes (point-to-point wireless links, or hard-wired lines).
• The cost of additional hardware.
• The cost incurred of potentially monitoring multiple RF frequencies.
• The security of an external monitoring platform.
• The specific detection methods to employ.
• Lack of full coverage of a site and thus getting an incomplete picture of the network traffic.

However it is believed that for many mission-critical applications costs are negligible. The technology to implement such a system is already available, with success shown in similar systems for homogeneous WIFI networks [52].

A. System Description and Comparison

Figure 2 illustrates the ideal solution and a description of its components and implementation considerations are given below.

Architecture from the perspective of an IoT network would be externally based in order to mitigate issues with the solutions reviewed within this paper. Whilst other architectures have issues relating to attack detection range and technology type, these will be negated via probes and long range antennas. Other reviewed architectures are presented in a distributed or hierarchical form within only the perception layer. However, these architectures may suffer from subversion due to placement in a hostile environment whilst hierarchical architectures


suffer from varying single points of failure. Whilst a centralised architecture might also suffer from a single point of failure, the proposed system could be supported by cloud/edge and other dynamic and scalable infrastructures which mitigate this issue.

The conceptualisation within Figure 2 illustrates that the architecture encompasses all layers of the IoT model, as opposed to just one which is covered by the majority of the reviewed work.

Detection Methods traditionally vary in effectiveness across IDS work reviewed in the IoT. Through hosting this IDS on an external and scalable hardware, pluggable modules will permit a wide variety of detection methods, as dictated within literature, which will permit a wider range of attacks detected than any other previously cited. In Figure 2, the remote IDS is placed on a cloud service which will permit the introduction of any and all detection methods required, with scalable resources able to support them. This is deemed essential to an IoT solution due to the constantly evolving attacks, technologies, and environments. However, this method will only be able to utilise network and not host-based detection which is considered more reliable and effective within this context. Although many of the reviewed works have considerable merit with their method of detection, the solutions suffer from poor architectural underpinnings.

Technology Coverage is a fundamental issue within IoT that drives security-based issues. Through external processing placement and passive probes, which may use wide spectrum and software defined radios, all technology types and protocols may be covered through minimal hardware adaptations. This enables highly adaptable, extensible and software-automated upgrades that were not provided in the reviewed solutions. In Figure 2, the proposed placement of the IDS also illustrates monitoring of other IoT layers including wired WAN protocols and those at the application layer. This provides enhanced coverage compared with those reviewed in literature. Additionally through applying an external IDS, the integration of audit logs from multiple areas (i.e., those covering the transmission and application phases of IoT) can provide a holistic intrusion detection analysis.

B. System Analysis

The ability to retrieve information passively and export it securely for remote processing offers great advantages. In the previous section’s simplified example, it was shown that analysis of the data as it is being sent by each node greatly increases this capability. Purely transporting the raw, captured data permits any processing needed through accomplishing this on a

the impact of a potential security breach. A final issue which may occur with such a passive system is, of course, subversion of the sniffer nodes themselves. This may be mitigated by multiple collection nodes which will compare data and secure links back to the remote processing site.

VIII. CONCLUSION

As interest in the IoT grows, its application will involve more data sensitive projects. As such, ensuring its security is a priority. With preventative measures difficult to be implemented due to inherent architectural constraints, solutions must turn to second line methods of defence. We examined IDS as one such defence and determined that despite the variety of existing systems available, none are able to defend against all types of attacks (from the physical layer up) due to their architectural implementation. Therefore, we discussed the case that these methods are out-dated whilst not holistically covering the whole IoT model. In order to comprehensively secure IoT based networks built of heterogeneous device types, a new approach must be taken. This involves the application of more physical hardware, using network probes to collect data and securely transport it to a remote server (likely cloud-based) so as to perform detection types as resource intensive as required.

Future works should consider full implementations through development of an IDS for IoT, where data processing will be computed upon a cloud system. The system will be tested on a variety of physical hardware to examine the effect of monitoring multiple different protocols in varied environments, upon the data collection and analysis process.

The adoption of IoT based networks is inevitable, with similar systems already seen for monitoring and control of industrial systems (energy, water etc.). It is essential that correct security solutions be found before wide-scale adoption of insecure processes which widely assist modern society. The solution presented here could be considered as a relatively simple one, although further development and research will need to take place to ensure it is optimal in a wide variety of situations.

REFERENCES

[1] L. Atzori, A. Iera, and G. Morabito, “The Internet of Things: A survey,” Comput. Netw., vol. 54, no. 15, pp. 2787–2805, 2010.
[2] G. Kortuem, F. Kawsar, D. Fitton, and V. Sundramoorthy, “Smart objects as building blocks for the Internet of Things,” IEEE Internet Comput., vol. 14, no. 1, pp. 44–51, Jan./Feb. 2010.
[3] Y. Zhang, L. Wang, W. Sun, R. C. Green, and M. Alam, “Artificial immune system based intrusion detection in a distributed hierarchical network architecture of smart grid,” in Proc. Power Energy Soc. Gen. Meeting, 2011, pp. 1–8.
[4] A. H. FathiNavid and A. B. Aghababa, “A protocol for intrusion detec-
remote server. tion based on learning automata in forwarding packets for distributed
wireless sensor networks,” in Proc. Cyber Enabled Distrib. Comput.
Many different attack types may be identified at an increased Knowl. Disc. (CyberC), 2012, pp. 373–380.
rate, whilst minimising any additional resource load or com- [5] A. Zanella, N. Bui, A. Castellani, L. Vangelista, and M. Zorzi, “Internet
plexity within the IoT network itself. Overall, this creates a of Things for smart cities,” IEEE Internet Things J., vol. 1, no. 1,
pp. 22–32, Feb. 2014.
more secure IoT based network, albeit at a greater expense [6] A. Ali, M. Elsaadany, and W. Hamouda, “Cellular LTE-A technologies
of introducing further hardware and requiring secure links for the future Internet-of-Things: Physical layer features and challenges,”
to a remote server. However, as the set of use-cases of the IEEE Commun. Surveys Tuts., vol. 19, no. 4, pp. 2544–2572, 4th Quart.,
2017.
IoT widens and societal infrastructure becomes more inter- [7] E. Borgia, “The Internet of Things vision: Key features, applications
twined with these systems, this additional cost may outweigh and open issues,” Comput. Commun., vol. 54, pp. 1–31, Dec. 2014.
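The architecture proposed above depends on passive probes exporting raw captures over secure links to a remote IDS. The following is an added example, not code from the paper: it shows one way the remote side could check that each exported frame is authentic and in sequence before any detection runs on it. The envelope layout, the use of HMAC-SHA256 with a per-probe shared secret, the probe name and the sample frames are all assumptions constructed for illustration.

```python
import hashlib
import hmac
import struct

# Assumed envelope: probe id (16 bytes), sequence, capture time, protocol tag.
HEADER = struct.Struct("!16sQdH")
TAG_LEN = hashlib.sha256().digest_size


def seal(key, probe_id, seq, ts, proto, frame):
    """Probe side: wrap one raw captured frame in an authenticated envelope."""
    header = HEADER.pack(probe_id.encode().ljust(16, b"\0"), seq, ts, proto)
    tag = hmac.new(key, header + frame, hashlib.sha256).digest()
    return header + frame + tag


class Receiver:
    """Remote IDS side: vet each envelope before detection sees the frame."""

    def __init__(self, keys):
        self.keys = keys        # probe id -> shared secret
        self.next_seq = {}      # probe id -> next expected sequence number

    def accept(self, blob):
        """Return (status, record); record is None unless status is ok/gap."""
        if len(blob) < HEADER.size + TAG_LEN:
            return "malformed", None
        header = blob[:HEADER.size]
        frame, tag = blob[HEADER.size:-TAG_LEN], blob[-TAG_LEN:]
        raw_id, seq, ts, proto = HEADER.unpack(header)
        probe_id = raw_id.rstrip(b"\0").decode(errors="replace")
        key = self.keys.get(probe_id)
        if key is None:
            return "unknown_probe", None
        expected = hmac.new(key, header + frame, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):  # constant-time compare
            return "forged", None
        want = self.next_seq.get(probe_id, 0)
        if seq < want:
            return "replay", None
        self.next_seq[probe_id] = seq + 1
        record = {"probe": probe_id, "seq": seq, "ts": ts, "proto": proto,
                  "frame": frame, "missing": seq - want}
        # A gap means envelopes were lost or suppressed between probe and IDS.
        return ("gap" if seq > want else "ok"), record


def demo():
    key = bytes(range(32))  # constructed demo secret
    rx = Receiver({"probe-a": key})
    # Constructed byte strings standing in for raw captured frames.
    frames = [b"\x41\x88\x01frame-one", b"\x41\x88\x02frame-two",
              b"\x41\x88\x03frame-three"]
    sealed = [seal(key, "probe-a", i, 1000.0 + i, 1, f)
              for i, f in enumerate(frames)]
    tampered = bytearray(sealed[2])
    tampered[HEADER.size] ^= 0xFF  # flip one byte of the frame in transit
    # Delivered stream: frame 0, a replay of it, a modified frame 2, then the
    # genuine frame 2 (frame 1 never arrives).
    stream = [sealed[0], sealed[0], bytes(tampered), sealed[2]]
    return [rx.accept(blob)[0] for blob in stream]


if __name__ == "__main__":
    print(demo())
```

The envelope covers authenticity and loss detection only; confidentiality of the captured data would come from the encrypted transport it travels over. A `gap` result is worth alerting on in its own right, since suppressed probe traffic leaves the remote IDS blind to whatever happened in the missing interval.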

Authorized licensed use limited to: SRM Institute of Science and Technology. Downloaded on June 21,2023 at 07:00:55 UTC from IEEE Xplore. Restrictions apply.
3508 IEEE COMMUNICATIONS SURVEYS & TUTORIALS, VOL. 20, NO. 4, FOURTH QUARTER 2018

[8] A. Al-Fuqaha, M. Guizani, M. Mohammadi, M. Aledhari, and [31] M. Conti, N. Dragoni, and V. Lesyk, “A survey of man in the middle
M. Ayyash, “Internet of Things: A survey on enabling technologies, pro- attacks,” IEEE Commun. Surveys Tuts., vol. 18, no. 3, pp. 2027–2051,
tocols, and applications,” IEEE Commun. Surveys Tuts., vol. 17, no. 4, 3rd Quart., 2016.
pp. 2347–2376, 4th Quart., 2015. [32] S. Soursos et al., “Towards the cross-domain interoperability of IoT
[9] M. Frustaci, P. Pace, G. Alot, and G. Fortino, “Evaluating critical secu- platforms,” in Proc. Eur. Conf. Netw. Commun. (EuCNC), Jun. 2016,
rity issues of the IoT world: Present and future challenges,” IEEE pp. 398–402.
Internet Things J., to be published. [33] G. Cerullo, G. Mazzeo, G. Papale, B. Ragucci, and L. Sgaglione,
[10] J. A. Gutierrez et al., “IEEE 802.15.4: A developing standard for low- “Chapter 4—IoT and sensor networks security,” in Security and
power low-cost wireless personal area networks,” IEEE Netw., vol. 15, Resilience in Intelligent Data-Centric Systems and Communication
no. 5, pp. 12–19, Sep. 2001. Networks (Intelligent Data-Centric Systems), M. Ficco and F. Palmieri,
[11] S. Raza, L. Wallgren, and T. Voigt, “SVELTE: Real-time intrusion Eds. London, U.K.: Academic, 2018, pp. 77–101.
detection in the Internet of Things,” Ad Hoc Netw., vol. 11, no. 8, [34] R. Dubey, V. Jain, R. S. Thakur, and S. D. Choubey, “Attacks in wireless
pp. 2661–2674, 2013. sensor networks,” Int. J. Sci. Eng. Res., vol. 3, no. 3, pp. 1–4, 2012.
[12] A. L. Buczak and E. Guven, “A survey of data mining and machine [35] D. G. Padmavathi and M. Shanmugapriya, “A survey of attacks, security
learning methods for cyber security intrusion detection,” IEEE Commun. mechanisms and challenges in wireless sensor networks,” Int. J. Comput.
Surveys Tuts., vol. 18, no. 2, pp. 1153–1176, 2nd Quart., 2016. Sci. Inf. Security, vol. 4, no. 1, pp. 117–125, 2009.
[13] A. Abduvaliyev, A.-S. K. Pathan, J. Zhou, R. Roman, and W.-C. Wong, [36] D. C. Nash, T. L. Martin, D. S. Ha, and M. S. Hsiao, “Towards an
“On the vital areas of intrusion detection systems in wireless sensor intrusion detection system for battery exhaustion attacks on mobile com-
networks,” IEEE Commun. Surveys Tuts., vol. 15, no. 3, pp. 1223–1237, puting devices,” in Proc. Pervasive Comput. Commun. Workshops, 2005,
3rd Quart., 2013. pp. 141–145.
[14] I. Butun, S. D. Morgera, and R. Sankar, “A survey of intrusion detection [37] K. Xing, F. Liu, X. Cheng, and D. H. Du, “Real-time detection of
systems in wireless sensor networks,” IEEE Commun. Surveys Tuts., clone attacks in wireless sensor networks,” in Proc. IEEE 28th Int. Conf.
vol. 16, no. 1, pp. 266–282, 1st Quart., 2014. Distrib. Comput. Syst. (ICDCS), 2008, pp. 3–10.
[15] R. Mitchell and I.-R. Chen, “A survey of intrusion detection techniques [38] K. Sharma and M. Ghose, “Wireless sensor networks: An overview on
for cyber-physical systems,” ACM Comput. Surveys, vol. 46, no. 4, p. 55, its security threats,” IJCA Special Issue Mobile Ad Hoc Netw. MANETs,
Mar. 2014. vol. 1, no. 1, pp. 42–45, 2010.
[16] A. A. Gendreau and M. Moorman, “Survey of intrusion detection sys- [39] C. Karlof and D. Wagner, “Secure routing in wireless sensor net-
tems towards an end to end secure Internet of Things,” in Proc. IEEE works: Attacks and countermeasures,” Ad Hoc Netw., vol. 1, nos. 2–3,
4th Int. Conf. Future Internet Things Cloud (FiCloud), Aug. 2016, pp. 293–315, 2003.
pp. 84–90. [40] J.-S. Cho, S.-S. Yeo, and S. K. Kim, “Securing against brute-force attack:
[17] B. B. Zarpelão, R. S. Miani, C. T. Kawakani, and S. C. de Alvarenga, A hash-based RFID mutual authentication protocol using a secret value,”
“A survey of intrusion detection in Internet of Things,” J. Netw. Comput. Comput. Commun., vol. 34, no. 3, pp. 391–397, 2011.
Appl., vol. 84, pp. 25–37, Apr. 2017. [41] B. Sun, L. Osborne, Y. Xiao, and S. Guizani, “Intrusion detection tech-
[18] H. Modares, R. Salleh, and A. Moravejosharieh, “Overview of security niques in mobile ad hoc and wireless sensor networks,” IEEE Wireless
issues in wireless sensor networks,” in Proc. 3rd Int. Conf. Comput. Commun., vol. 14, no. 5, pp. 56–63, Oct. 2007.
Intell. Model. Simulat., Sep. 2011, pp. 308–311. [42] B. Arrington, L. Barnett, R. Rufus, and A. Esterline, “Behavioral model-
[19] W. Trappe, R. Howard, and R. S. Moore, “Low-energy security: Limits ing intrusion detection system (BMIDS) using Internet of Things (IoT)
and opportunities in the Internet of Things,” IEEE Security Privacy, behavior-based anomaly detection via immunity-inspired algorithms,”
vol. 13, no. 1, pp. 14–21, Jan. 2015. in Proc. 25th Int. Conf. Comput. Commun. Netw. (ICCCN), Aug. 2016,
[20] M. R. Asghar, G. Dán, D. Miorandi, and I. Chlamtac, “Smart meter pp. 1–6.
data privacy: A survey,” IEEE Commun. Surveys Tuts., vol. 19, no. 4, [43] H. E. Poston, “A brief taxonomy of intrusion detection strategies,” in
pp. 2820–2835, 4th Quart., 2017. Proc. Aerosp. Electron. Conf. (NAECON), Dayton, OH, USA, 2012,
[21] D. Eckhoff and I. Wagner, “Privacy in the smart city— pp. 255–263.
Applications, technologies, challenges, and solutions,” IEEE [44] M. Tavallaee, E. Bagheri, W. Lu, and A. A. Ghorbani, “A detailed analy-
Commun. Surveys Tuts., vol. 20, no. 1, pp. 489–516, 1st Quart., sis of the KDD CUP 99 data set,” in Proc. 2nd IEEE Int. Conf. Comput.
2018, doi: 10.1109/COMST.2017.2748998. Intell. Security Defense Appl., Ottawa, ON, Canada, 2009, pp. 53–58.
[22] Y. Yang, L. Wu, G. Yin, L. Li, and H. Zhao, “A survey on security and [45] A. Milenkoski, M. Vieira, S. Kounev, A. Avritzer, and B. D. Payne,
privacy issues in Internet-of-Things,” IEEE Internet Things J., vol. 4, “Evaluating computer intrusion detection systems: A survey of common
no. 5, pp. 1250–1258, Oct. 2017. practices,” ACM Comput. Surv., vol. 48, no. 1, pp. 1–12, Sep. 2015.
[23] C. Hennebert and J. D. Santos, “Security protocols and privacy issues [46] B. Stelte and G. D. Rodosek, “Thwarting attacks on ZigBee—Removal
into 6LoWPAN stack: A synthesis,” IEEE Internet Things J., vol. 1, of the KillerBee stinger,” in Proc. Netw. Service Manag. (CNSM), 2013,
no. 5, pp. 384–398, Oct. 2014. pp. 219–226.
[24] Y. Qu and P. Chan, “Assessing vulnerabilities in Bluetooth low energy [47] B. R. Moyers, J. P. Dunning, R. C. Marchany, and J. G. Tront, “The
(BLE) wireless network based IoT systems,” in Proc. IEEE 2nd Int. multi-vector portable intrusion detection system (MVP-IDS): A hybrid
Conf. Big Data Security Cloud (BigDataSecurity) IEEE Int. Conf. High approach to intrusion detection for portable information devices,” in
Perform. Smart Comput. (HPSC) IEEE Int. Conf. Intell. Data Security Proc. Wireless Inf. Technol. Syst. (ICWITS), 2010, pp. 1–4.
(IDS), Apr. 2016, pp. 42–48. [48] D. Oh, D. Kim, and W. W. Ro, “A malicious pattern detection engine for
[25] N. Desai and M. L. Das, “On the security of RFID authentication pro- embedded security systems in the Internet of Things,” Sensors, vol. 14,
tocols,” in Proc. IEEE Int. Conf. Electron. Comput. Commun. Technol. no. 12, pp. 24188–24211, 2014.
(CONECCT), Jul. 2015, pp. 1–5. [49] D. H. Summerville, K. M. Zach, and Y. Chen, “Ultra-lightweight deep
[26] M. Vanhoef and F. Piessens, “Key reinstallation attacks: Forcing nonce packet anomaly detection for Internet of Things devices,” in Proc.
reuse in WPA2,” in Proc. ACM Comput. Commun. Security, Nov. 2017, IEEE 34th Int. Perform. Comput. Commun. Conf. (IPCCC), Dec. 2015,
pp. 1313–1328. pp. 1–8.
[27] N. A. Alrajeh, S. Khan, and B. Shams, “Intrusion detection systems in [50] T. OConnor and D. Reeves, “Bluetooth network-based misuse detec-
wireless sensor networks: A review,” Int. J. Distrib. Sensor Netw., vol. 9, tion,” in Proc. Comput. Security Appl. Conf., Anaheim, CA, USA, 2008,
no. 5, pp. 1–7, 2013. pp. 377–391.
[28] Y. Zou, J. Zhu, X. Wang, and L. Hanzo, “A survey on wire- [51] K. M. J. Haataja, “New efficient intrusion detection and prevention sys-
less security: Technical challenges, recent advances, and future tem for Bluetooth networks,” in Proc. 1st Int. Conf. MOBILe Wireless
trends,” Proc. IEEE, vol. 104, no. 9, pp. 1727–1765, Sep. 2016, MiddleWARE Oper. Syst. Appl., 2008, p. 16.
doi: 10.1109/JPROC.2016.2558521. [52] P. Kasinathan, G. Costamagna, H. Khaleel, C. Pastrone, and
[29] M. A. Hussain et al., “DNS protection against spoofing and poison- M. A. Spirito, “DEMO: An IDS framework for Internet of Things
ing attacks,” in Proc. 3rd Int. Conf. Inf. Sci. Control Eng. (ICISCE), empowered by 6LoWPAN,” in Proc. ACM SIGSAC Conf. Comput.
Jul. 2016, pp. 1308–1312. Commun. Security (CCS), Berlin, Germany, 2013, pp. 1337–1340.
[30] C. Ouseph and B. R. Chandavarkar, “Prevention of MITM attack caused [Online]. Available: http://doi.acm.org/10.1145/2508859.2512494
by rogue router advertisements in IPv6,” in Proc. IEEE Int. Conf. [53] P. Kasinathan, C. Pastrone, M. A. Spirito, and M. Vinkovits, “Denial-
Recent Trends Electron. Inf. Commun. Technol. (RTEICT), May 2016, of-service detection in 6LoWPAN based Internet of Things,” in Proc.
pp. 952–956. Wireless Mobile Comput. Netw. Commun. (WiMob), 2013, pp. 600–607.

Authorized licensed use limited to: SRM Institute of Science and Technology. Downloaded on June 21,2023 at 07:00:55 UTC from IEEE Xplore. Restrictions apply.
BENKHELIFA et al.: CRITICAL REVIEW OF PRACTICES AND CHALLENGES IN IDSs FOR IoT: TOWARD UNIVERSAL AND RESILIENT SYSTEMS 3509

[54] T. K. Buennemeyer et al., “Mobile device profiling and intrusion detec- [77] C. I. Ezeife, M. Ejelike, and A. K. Aggarwal, “WIDS: A sensor-based
tion using smart batteries,” in Proc. 41st Annu. Hawaii Int. Conf. Syst. online mining wireless intrusion detection system,” in Proc. Int. Symp.
Sci., 2008, p. 296. Database Eng. Appl. (IDEAS), 2008, pp. 255–261.
[55] K. Yadav and A. Srinivasan, “iTrust: An integrated trust framework for
wireless sensor networks,” in Proc. ACM Symp. Appl. Comput., 2010,
pp. 1466–1471.
[56] X. Song, G. Chen, and X. Li, “A weak hidden Markov model based
intrusion detection method for wireless sensor networks,” in Proc. Intell.
Comput. Integr. Syst. (ICISS), 2010, pp. 887–889.
Elhadj Benkhelifa is a Full Professor of computer science with Staffordshire University, where he is the Founding Director of the Cloud Computing and Applications Research Laboratory and the Cybersecurity Research Laboratory. He was the Faculty Director of the Mobile Fusion Applied Research Centre from 2014 to 2016. He has co-authored over 100 publications in journals, conferences and as book chapters and has delivered a number of keynotes at international venues. His research interests include Cloud/Edge computing, IoT, cybersecurity, software engineering, and applied soft computing. He is a member of several international research committees. He has co-founded and chaired a number of international conferences and workshops and edited a number of conference proceedings and journal special issues.

Thomas Welsh is currently pursuing the Ph.D. degree in bio-inspired computing with a focus on self-healing cloud services. He has delivered on a number of research projects, externally funded as an RA. He is also a member of the teaching team with the School of Computing and Digital Technologies, Staffordshire University.

Walaa Hamouda (SM’06) received the M.A.Sc. and Ph.D. degrees in electrical and computer engineering from Queen’s University, Kingston, ON, Canada, in 1998 and 2002, respectively. Since 2002, he has been with the Department of Electrical and Computer Engineering, Concordia University, Montreal, QC, Canada, where he is currently a Professor. Since 2006, he has been the Concordia University Research Chair in communications and networking. His current research interests include single/multiuser multiple-input multiple-output communications, space-time processing, cooperative communications, wireless networks, multiuser communications, cross-layer design, and source and channel coding. He was a recipient of numerous awards, including the Best Paper Awards of the IEEE WCNC’16, the ICC 2009 and the IEEE Canada Certificate of Appreciation in 2007 and 2008. He served(ing) as the Co-Chair of the Wireless Communications Symposium of the IEEE ICC’2018, the Ad-hoc, Sensor, and Mesh Networking Symposium of the IEEE Globecom Conference in 2017, and the ACM Performance Evaluation of Wireless Ad Hoc, Sensor, and Ubiquitous Networks in 2014, the Technical Co-Chair of the Fifth International Conference on Selected Topics in Mobile and Wireless Networking in 2016, the Wireless Networks Symposium, 2012 Global Communications Conference, the Ad hoc, Sensor, and Mesh Networking Symposium of the 2010 ICC, and the 25th Queen’s Biennial Symposium on Communications, the Track Co-Chair of Multiple Antenna and Cooperative Communications, IEEE Vehicular Technology Conference (VTC-Fall’16) and the Radio Access Techniques of the 2006 IEEE VTC Fall 2006, and the Transmission Techniques of the IEEE VTC-Fall 2012. From 2005 to 2008, he was the Chair of the IEEE Montreal Chapter in Communications and Information Theory. He served as an Associate Editor for the IEEE Communications Letters, IET Wireless Sensor Systems, and the IEEE Transactions on Signal Processing and currently serves as an Associate Editor for the IEEE Transactions on Vehicular Technology, the IEEE Wireless Communications Letters, and the IEEE Communications Surveys and Tutorials.
