Towards achieving lightweight intrusion detection systems in Internet of Things, the role of incremental machine learning: A systematic literature review

Promise Ricardo Agbedanu; Richard Musabe; James Rwigema; Ignace Gatare; Theofrida Julius Maginga; Destiny Kwabla Amenyedzi

doi:10.12688/f1000research.127732.1

Home Browse Towards achieving lightweight intrusion detection systems in Internet...

ALL Metrics

-

Views

-

Downloads

Get PDF

Get XML

Export

▬

✚

Systematic Review

Towards achieving lightweight intrusion detection systems in Internet of Things, the role of incremental machine learning: A systematic literature review

[version 1; peer review: 1 not approved]

Promise Ricardo Agbedanu ¹, Richard Musabe², James Rwigema¹, Ignace Gatare³, Theofrida Julius Maginga¹, Destiny Kwabla Amenyedzi¹

Promise Ricardo Agbedanu ¹, Richard Musabe², [...] James Rwigema¹, Ignace Gatare³, Theofrida Julius Maginga¹, Destiny Kwabla Amenyedzi¹

PUBLISHED 24 Nov 2022

Author details Author details

¹ African Centre of Excellence in Internet of Things, University of Rwanda, Kigali, Rwanda
² Rwanda Polytechnic, Kigali, Rwanda
³ College of Science and Technology, University of Rwanda, Kigali, Rwanda

Promise Ricardo Agbedanu
Roles: Conceptualization, Formal Analysis, Funding Acquisition, Resources, Software, Writing – Original Draft Preparation

Richard Musabe
Roles: Investigation, Supervision, Validation, Writing – Review & Editing

James Rwigema
Roles: Investigation, Supervision, Writing – Review & Editing

Ignace Gatare
Roles: Methodology, Supervision, Writing – Review & Editing

Theofrida Julius Maginga
Roles: Formal Analysis, Methodology, Writing – Review & Editing

Destiny Kwabla Amenyedzi
Roles: Investigation, Methodology, Software, Writing – Review & Editing

OPEN PEER REVIEW

REVIEWER STATUS

This article is included in the Artificial Intelligence and Machine Learning gateway.

Abstract

While the benefits of IoT cannot be overstated, its computational constraints make it challenging to deploy security methodologies that have been deployed in traditional computing systems. The benefits and computational constraints have made IoT systems attractive to cyber-attacks. One way to mitigate these attacks is to detect them. In this study, a Systematic Literature Review (SLR) has been conducted to analyze
the role of incremental machine learning in achieving lightweight intrusion detection for IoT systems. The study analyzed existing incremental machine learning approaches used in designing intrusion detection systems for IoT ecosystems, emphasizing the incremental methods used in detecting intrusions, the datasets used to evaluate these methods, and how the method achieves lightweight status. The SLR outlined the contributions of each study, focusing on their strengths and gaps, the datasets used, and the incremental machine learning model used. This study revealed that incremental learning approaches in detecting intrusion in IoT systems are in their infant stage. Over 12 years, from 2010 to 2022, a total of twenty-one (21) studies were carried out in IDSs using incremental machine learning, with eight (8) studies carried out in IoT systems. In addition to reviewing the literature, we offer suggestions for improving existing solutions and achieving lightweight IDS for IoT systems. We also discussed some problems with making lightweight IDS for IoT systems and areas where
more research could be done in the future.

Keywords

Internet of Things, Incremental Machine Learning, Online Machine Learning, Intrusion Detection System, Anomaly Detection, Network Security

Corresponding author: Promise Ricardo Agbedanu

Competing interests: No competing interests were disclosed.

Grant information: This work was supported by the PASET Regional Scholarship and Innovation Fund and Google PhD Fellowship Program.
The funders had no role in study design, data collection and analysis, decision to publish, or preparation of the manuscript.

Copyright: © 2022 Agbedanu PR et al. This is an open access article distributed under the terms of the Creative Commons Attribution License, which permits unrestricted use, distribution, and reproduction in any medium, provided the original work is properly cited.

How to cite: Agbedanu PR, Musabe R, Rwigema J et al. Towards achieving lightweight intrusion detection systems in Internet of Things, the role of incremental machine learning: A systematic literature review [version 1; peer review: 1 not approved]. F1000Research 2022, 11:1377 (https://doi.org/10.12688/f1000research.127732.1) First published: 24 Nov 2022, 11:1377 (https://doi.org/10.12688/f1000research.127732.1) Latest published: 24 Nov 2022, 11:1377 (https://doi.org/10.12688/f1000research.127732.1)

Introduction

The past three decades have seen a massive paradigm shift in computing technology. This shift is mainly due to increased computing power and communication speed. The latter has enabled us to develop intelligent devices that can communicate with each other. These intelligent devices make up the Internet of Things (IoT) ecosystem. The IoT ecosystem is deployed in cities, healthcare, energy, agriculture, transportation, and industries. Moreover, the internet of things has become a household name because of its numerous benefits to the various domains it has been applied to. However, these benefits have made the IoT ecosystem attractive to cyber attackers. Over the years, security methodologies like encryption, authentication, data confidentiality, access control, and privacy have been proposed by several researchers to ensure security in IoT environments. Despite these security solutions, IoT systems are still vulnerable and highly susceptible to cyber-attacks. An alternative approach to fighting these attacks is to detect them using Intrusion Detection Systems (IDS). In traditional computer networks, IDS monitors the network’s activities. Although the concept of intrusion detection has been well explored in traditional computing and network systems as far back as the 1980s, the idea is in its infant stage in IoT security¹. The computational constraints of IoT systems make it practically impossible to implement traditional IDS in IoT environments. Although many IDS solutions have been proposed, most use offline or batch machine learning models. This situation makes these models computationally expensive and difficult to deploy on IoT devices. An alternative to the above-mentioned the approach is to build IDS that learn from data streams, which can produce IDS with minimal computational usage. In this paper, the authors seek to present a systematic review of incremental ML-based IDS in IoT systems. Several surveys and review articles have been done in IDS for IoT. But to the best of our knowledge, none of these surveys or SLRs focuses on the role of incremental machine learning and how they can lead to lightweight IDS that are suitable for the IoT ecosystem. This study covers work done using incremental ML to develop IDS for IoT systems from 2010 to 2022. The period from 2010 to 2022 was adopted for this study because we wanted to analyze the research trend of incremental ML-based IDS in IoT systems since 2010. We used the methods identified by 2,3 to conduct our studies. This work differs from other existing studies by exploring how incremental machine learning methods achieve lightweight IDS that fit into the computational constraint nature of IoT systems. The study further considers some of the general potential problems facing the implementation of IDS in IoT environments. A total of 168 studies were returned based on our search criteria, but eight (8) studies were found to be IoT-based after applying our formulated inclusion and exclusion criteria. However, because the number was small, we decided to include studies that satisfied the inclusion criteria but were not IoT-based, which yielded 13 studies. This brought the total number of studies considered in this SLR to 21. However, most of our analyses were primarily focused on IoT-based studies since this study’s objective. The primary contributions of our study are as follows:

Conducting a comprehensive systematic literature review of incremental ML methods in designing IDS for IoT systems.
This work also provides a detailed analysis and discussion of how incremental ML models could effectively fit into real-time IDSs for IoT systems.
Furthermore, the study analyzes the strengths and weaknesses of the IoT-based articles considered in this systematic literature review.
This work also identifies the most critical problems with IDS research in IoT systems and suggests future research.

The following is how the paper is structured. Sections 2 and 3 discuss related works and the research methodology employed. Sections 4 and 5 discuss the findings, challenges, and future research directions. Section 6 discusses validity threats, while Section 7 discusses the study’s conclusion.

Related works

This section presents some survey and review papers that are closely related to our study. We considered existing survey and review studies focusing on intrusion detection in IoT systems for the past five years, 2017–2022. We considered the past five years because most surveys and SLRs for IoT-based intrusion detection systems that are of interest to our study were done during this period.

During their investigation, 4 conducted a comprehensive survey of the latest intrusion detection systems designed specifically for IoT systems. The study focused on the methods, features, and methods implemented in each study while providing insights into the various architectures used in IoT and some emerging vulnerabilities. The authors also looked at factors that affect the performance of IDS in intelligent environments. Some factors identified were detection accuracy, false positive rate, energy consumption, processing time, and the overall performance overhead.

In their research, 5 also presented a review of IDS for IoT environments, focusing on the techniques and deployment strategies used by each of the studies included in their work. The authors also considered the validation strategies and the datasets used in the respective works covered in their studies. Moreover, the study discussed some challenges facing intrusion detection in IoT systems.

In their work, 6 presented a survey that captures the practices and challenges facing intrusion detection systems in the internet of things. Benkhelifa et al.⁶ considered various IDS solutions used in IoT environments in their work. Each solution identified in the study was considered an improvement strategy to improve the detection methods.

Mishra et al.⁷ presented a study that compares models that detect and prevent distributed denial of service attacks. The study also discussed the different classifications of methods, models, and datasets used to build IDS. The study also looked at research challenges in IDS and proposed some solutions to mitigate these challenges. The authors presented some areas that can be considered studies for the future.

In their study, 8 provided an overview of the current security challenges of the IoT and how these challenges can be solved using IDS. The study also explored future challenges in IoT and how they can be addressed using intrusion detection.

In a similar study, 9 presented a review of machine learning-based intrusion detection systems in IoT environments, discussing various Machine Learning (ML) approaches used in designing IDS with emphasis on their advantages and disadvantages. The authors concluded their study by looking at some of the research challenges and possible future direction for work around IDS in IoT.

Arshad et al.¹⁰ conducted a comprehensive study on existing intrusion detection systems for IoT systems using three parameters, namely, computational overhead, energy consumption, and privacy implications. The study also identified some open challenges that exist in the area of their study.

In another study, 11 conducted a systematic review of the literature to examine existing works in anomaly-based intrusion detection that use deep learning techniques. The study also discussed the challenges faced by DL-based anomaly detection in the IoT domain and some areas that can be considered for future work.

Similarly, 1 conducted a survey of intrusion detection in IoT environments with a focus on the detection methods, placement strategy, security threats, and validation strategy.

Seyfollahi et al.¹² reviewed machine learning techniques used in designing intrusion detection systems for the Low-Power and Lossy Networks (RPL) protocol. The study also identified open issues and challenges related to their study’s domain.

In their study, 13 showed an overview of intrusion detection systems for IoT networks and presented some suggestions for future work that could help make IoT networks more secure.

Chaabouni et al.¹⁴ also conducted a survey that sought to classify IoT security threats and challenges. The study analyzed and compared the state-of-the-art NIDS in the context of IoT networks. The study considered the architecture, detection methodologies, validation strategies, and deployed algorithms.

Saranya et al.¹⁵ evaluated the performance analysis of machine learning models used in the design of IDS for IoT systems. Besides the fact that none of the surveys or SLRs considered incremental ML-based IDSs in their studies, these studies had other gaps which have been considered in our study.

A summary of the related literature is shown in Table 1 below.

Table 1. Summary of Related Literature.

SN	Studies	Type of Study	Year of Publication	Research Gap
1	1	Survey	2017	The study did not report on the strengths and weaknesses of the papers considered in the study.
2	14	Survey	2019	The study did not report on the strengths and weaknesses of the papers considered in the study. The study also did not report on how these IDSs methodologies impact IoT resources.
3	15	Review	2020	The primary objective of the study is not focused on IoT environment. The study did not report on the strengths and weaknesses of the papers considered in the study.
4	12	Survey	2021	The study is focused on IDSs for RPL routing protocol.
5	11	Survey	2021	The study only considered anomaly-based IDSs in IoT that uses deep learning approaches.
6	10	Review	2020	The study did not report on the strengths and weaknesses of the papers considered in the study. The study also did not report the impact these IDSs methodologies have on IoT devices.
7	9	Review	2020	The study did not report on the strengths and weaknesses of the papers considered in the study. The study also did not report the impact these IDSs methodologies have on IoT devices.
8	8	Review	2019	The study did not analyse the strengths and weaknesses of the papers selected for the study. The study also did not report the impact these IDSs methodologies have on IoT devices.
9	7	Review	2021	The study did not report the impact these IDSs methodologies have on IoT devices.
10	6	Review	2018	The study focuses only on the architectural design and detection approaches used in Intrusion Detection Systems.
11	5	Review	2021	The study did not analyse the strengths and weaknesses of the papers selected for the study. The study also did not report the impact these IDSs methodologies have on IoT devices.
12	4	Review	2018	The study primary focuses on the general overview of IDS without considering the specific challenges IoT based IDS faces. The study did not analyse the strengths and weaknesses of the papers selected for the study. The study also did not report the impact these IDSs methodologies have on IoT devices.
13	13	Review	2019	The study did not analyse the strengths and weaknesses of the papers selected for the study. The study also did not report the impact these IDSs methodologies have on IoT devices.

Research method

In this section, we outlined this study’s method deployed by 2,3. We used general principles in conducting systematic reviews. The methodology proposed by 2 and 3 has five steps as follows:

The formulation of crucial research questions.
The formulation of the search process
The formulation of the general criteria for the selection of articles.
The data extraction process, and
The execution of analysis and classification

Research questions

The following four research questions were considered in selecting the various papers used in this study.

RQ1: What is the primary contribution of the paper?
RQ2: What incremental or online machine learning algorithm was used in this study?
RQ3: How does the proposed method handle data, feature, or concept drift?
RQ4: How do the proposed IDS handle the computational constraints of IoT systems?

RQ1 focuses on the primary contribution of each of the papers considered in our study. We looked at studies that used incremental or online machine-learning approaches to deploy intrusion detection in IoT environments. The goal is to provide readers and researchers with an overview of the problem and how it is addressed.

RQ2 examines which incremental or online machine-learning algorithm was used in each study.

RQ3 focuses on how the method proposed in RQ2 handles data, feature, or concept drift. Static models are generated by machine learning using historical data. However, once in production, ML models become unreliable, obsolete, and degrade over time. Changes in data distribution may occur during production, resulting in biased predictions. User behavior may have changed compared to the baseline data used to train the model, or there may have been additional factors in real-world interactions that influenced the predictions. Data drift is a significant cause of model accuracy deterioration over time.

The fourth research question (RQ4) aims to answer how the methods or models proposed in each of the studies handle the computation constraints of IoT devices. One limitation of IoT devices is their limited computational resources, which is one reason why traditional IDS cannot be deployed in IoT environments. It is in this regard that we looked at how each study handled the resource constraints of IoT systems while building an IDS for the same environment.

Protocol and phases of the study

This work was conducted using the guidelines stipulated in the Preferred Reporting Items for SLRs and Meta-Analyses (PRISMA)¹⁶. To suite the guidelines proposed by PRISMA to Computer Science, we incorporated the PRISMA guidelines with the guidelines proposed by Kitchenham¹⁷. Figure 1 below shows the flow diagram of inclusion and exclusion process.

Figure 1. PRISMA flow diagram¹⁸.

Inclusion and exclusion criteria

In this study, we considered articles published in peer-reviewed journals. In order for an article to be included in our study, it must fulfill seven criteria, which are elaborated on in Table 2.

Table 2. Inclusion and exclusion criteria.

SN	Criteria	Justification
1	The study must not be a review or survey paper but an original research paper	Review and surveys papers will not fully answer our research questions.
2	The proposed IDS must use incremental or online machine learning methods and must either be deployed in IoT environments or non IoT based environment.	The study seeks to analyse incremental ML based IDS in IoT. Therefore, papers included in the study must use incremental ML approach to solve IDS problems in IoT systems.
3	The article must be written in English	The English language was the common medium of communication for all authors involved in this study.
4	The IDS model proposed must be evaluated using a real world dataset or network traffic	The study intends to inform readers about the applicability of the proposed solutions, which can be accomplished when these solutions are properly evaluated.
5	The study must be a full-length paper	Short papers like abstracts may not cover all the important aspects of a study. Some details of proposed solutions could be left out as well evaluation details.
6	The study should have been published from 2010 to 2022	The period considered for this SLR was from 2010 to 2022.
7	The study has to be published in a peer reviewed journal and must not be a conference proceeding	Journal articles are rigorously peer reviewed.

Quality assessment criteria

To eliminate bias and to make our study easily reproducible, we used a quality assessment criteria procedure based on 17. Quality assessment criteria play a vital role in conducting systematic literature reviews. The concept of quality assessment criteria (QAC) is to use a process that improves the criteria for selecting research papers. The QAC was deployed using a set of quality assessment questions (QAQs). The QAQs were used to create a checklist against which we compared each paper to ensure that it met the QAC and answered our RQs. If a study answers a question from the QAC checklist, we mark it as "Yes," and if it doesn’t, it is marked "No." However, some papers partially answer some of the questions in the QAC. Such criteria are "P" to represent a partial response. Scores were assigned to each of the questions considered in the QAC. A "Yes" answer is worth one point, a "No" answer is worth zero points, and a "P" answer is worth 0.5 points. Each paper is evaluated against the QA, and the marks are summed. After awarding the mark to each QA, we decided to select papers whose summation was above 2.5. The value of 3.0 was chosen because we did not want to include papers that partially (50%) answered the quality assessment questions formulated for this study. Table 3 and Table 4 below show the quality assessment questions and the quality evaluation results we used in this study.

Table 3. Quality assessment questions.

Number	Quality Assessment Questions (QAQ)
QA 1	Are the research’s goals or objectives clearly stated?
QA 2	Is there any response to the posed RQs in the paper?
QA 3	Is there any connection between the objectives, methodology, experimentation, and conclusion?
QA 4	Is there an experimental validation in the study to answer the research question?
QA 5	Are the study’s findings compared to other works?

Table 4. Quality evaluation of the selected studies.

SN	Study	QA1	QA2	QA3	QA4	QA5	Total Score
1	19	Yes	Yes	Yes	Yes	Yes	5.0
2	20	Yes	Yes	Yes	Yes	Yes	5.0
3	21	Yes	Yes	Yes	Yes	Yes	5.0
4	22	Yes	P	Yes	Yes	Yes	4.5
5	23	Yes	Yes	Yes	Yes	Yes	5.0
6	24	Yes	P	Yes	Yes	Yes	4.5
7	25	Yes	Yes	Yes	Yes	Yes	5.0
8	26	Yes	Yes	Yes	Yes	Yes	5.0
9	27	Yes	Yes	Yes	Yes	Yes	5.0
10	28	Yes	Yes	Yes	Yes	Yes	5.0
11	29	Yes	P	Yes	Yes	Yes	4.5
12	30	Yes	Yes	Yes	Yes	Yes	5.0
13	31	Yes	Yes	Yes	Yes	Yes	5.0
14	32	Yes	Yes	Yes	Yes	Yes	5.0
15	33	Yes	Yes	Yes	Yes	Yes	4.5
16	34	Yes	Yes	Yes	Yes	Yes	5.0
17	35	Yes	P	Yes	Yes	Yes	4.5
18	36	Yes	P	P	Yes	Yes	4.0
19	37	Yes	Yes	Yes	Yes	Yes	4.5
20	38	Yes	P	Yes	Yes	Yes	4.5
21	39	Yes	P	Yes	Yes	Yes	4.5

Information sources and selection process

We manually searched for the articles included in this study in research six databases. The databases considered in this study are as follows;

IEEE Xplore
ScienceDirect
Wiley
ACM Digital Library
MDPI
Springer

The search process involved five keywords: incremental learning, online machine learning, internet of things, intrusion detection, and anomaly detection. The keywords were connected using the words "AND" and "OR." Generally, the search terms were framed as "Internet of Things AND Incremental Learning AND Intrusion Detection OR Anomaly Detection OR Online Machine Learning. The search terms were targeted at the author’s keywords provided in the paper.

Results

In this section, we present the results of the systematic literature review carried out.

Publications by journal

In Table 5, we looked at the research databases considered in our studies and the number of articles published in each journal during the period considered in our study before applying the inclusion and exclusion criteria. The search results returned a total of 159 articles. IEEE Xplore returned 68 results, Science Direct, returned 21 results, and Wiley returned 8 results. MDPI, Springer, and ACM returned 8, 44, and 10 results, respectively. Table 6 shows the number of articles considered in this study after applying our quality assessment criteria. A total of twenty-two (22) articles were selected from the six databases after applying the inclusion and exclusion criteria. IEEE Xplore had nine (9) publications, ScienceDirect had seven (7) publications meeting the QA criteria, MDPI had three (3) papers, Wiley had three (3) papers, and Springer and ACM Digital Library had 0 papers each.

Table 5. Publications by journal before applying inclusion and exclusion criteria.

SN	Journal	Number of Publications
1	IEEE	68
2	Science Direct	21
3	Wiley	8
4	MDP1	8
5	Springer	44
6	ACM	10

Table 6. Publications by Journal after applying inclusion and exclusion criteria.

SN	Journal	Number of Publications
1	IEEE	9
2	Science Direct	6
3	MDPI	3
4	Wiley	3
5	Springer	0
6	ACM	0

Contributions of each study

The parameters considered in determining the contribution of a study are how these studies handle drift adaption, the lightweight status of models, the running time of models, and the memory consumption of models. The parameters considered for the contribution of the studies are shown in Figure 1 below.

In Table 7, we presented the contributions of each study based on the area of drift adaption, the lightweight status of models, the running time of models, and the memory consumption of models. Only the 8 IoT-based studies were considered in this analysis. Two of the eight (8) studies deployed solutions that could handle drifts in either data or concepts. Eight out of the nine studies focused on designing lightweight models. We also looked at how each of the studies handled computational complexity. Four (4) out of the eight (8) studies reported time complexity, while only two out of the eight (8) studies reported the space complexity of their proposed model. None of the eight IoT-based studies reports on the energy consumption of their proposed model.

Table 7. Contributions of each IoT based study.

SN	Study	Drift adaption	Lightweight model	Model running time	Memory consumption	Computational complexity
1	26		✓	✓
2	30		✓			✓
3	29	✓
4	28	✓	✓	✓	✓
5	39		✓
6	27		✓	✓
7	31		✓
8	21		✓

Strength and weakness of each study

In Table 8 and Table 9, we presented a summary of the strengths and weaknesses of the IoT-based intrusion detection studies are considered in our study. We chose to report on the strengths and weaknesses of the IoT-based IDSs because that is the core of our studies.

Table 8. Strength and weakness of each study.

SN	Study	Models used	Strengths	Weakness
1	26	Incremental Support Vector Machine	This article is unique in that it employs classifier selection to determine whether the one-class SVM classification is reasonably reliable.	The study did not report on how the proposed method would impact on the computational resource of cyber- physical systems.
2	30	Online sequential Extreme learning machine Recursive least squares based classifiers Ensemble learning	The research presents a general-purpose, online learning, decentralized anomaly detection framework with a diverse set of local anomaly detection algorithms and computational resources that are compatible with the stringent limitations of embedded platforms commonly used in WSNs.	Although the study used a simulator to calculate the computational complexity of the various methods, it did not report the actual CPU and memory consumption of their proposed model.
3	29	Online Deep Learning Principal Component Analysis	Using a deep neural network that adjusts neural network sizes dynamically based on the Hedge weighting mechanism. As new data becomes available, the goal is to encourage continuous learning and model adaptation.	Even though the study’s primary focus is detection intrusion under data and concept drifts, it is important to report how the method used to detect drifts affects the model’s memory and training time.
4	27	Convolutional Neural Network	To reduce the overhead on the centralized edge classifier, a distributed IDS concept is proposed, resulting in the shortest possible latency between the pre-processing and decision-making phases.	The study reported on the time complexity of the method used. The space complexity wasn’t reported. The dataset used for the experimental validation is a non IoT- based dataset.
5	31	Adaptive Random Forest Hoeffding Adaptive Tree	Using an incremental learning approach to detect botnet attacks in IoT environments.	The study did not report on time and memory consumption of the proposed method. The study did not report the framework and libraries used to build the proposed model.
6	28	Light Gradient Boosting Machine Optimized Adaptive and Sliding Windowing Particle Swarm Optimization	The study proposed Optimized Adaptive Sliding Windowing (OASW), a novel drift adaptation method, to address the problem of concept drifting.	The study only focused on binary classification.
7	39	Online incremental Support Vector Data Description Adaptive Sequential Extreme Learning Machine	On IIoT devices, a lightweight NIDS based on an online incremental Support Vector Data Description anomaly detection system and an Adaptive Sequential Extreme Learning Machine on a multi-access edge computing server is proposed.	The proposed method’s time and memory consumption were not reported in the study.

Table 9. Strength and weakness of each study.

SN	Study	Models used	Strengths	Weakness
8	21	Online Growing Random Trees	The study proposes an iterative anomaly detection method for data streams based on tree ensembles. This unsupervised technique adds a tree growth procedure that can incorporate new data information into the existing model on a continuous basis.	The proposed method’s time and memory consumption were not reported in the study.

Datasets used for validation

This study also considered the datasets used for experimental validation in the 8 IoT-based papers considered in this work. The datasets used in the IoT-based studies include N-BaIoT, NSL-KDD, KDD CUP 99, UNSW-NB15, IoTID20 and DS2OS traffic trace datasets. The rest are Intel Lab, sensorscope, and the secure water treatment dataset. Among the datasets used, N-BaIoT, Intel Lab, UNSW-NB15, and IoTID20 are datasets based on IoT traffic. Table 10 shows the summary of the datasets used in each study.

Table 10. Dataset Used for validation.

Dataset	Papers	Count
N-BaIoT	31	1
NSL-KDD	28, 27	2
KDD CUP 99	27	1
UNSW-NB15	39	1
IoTID20	28	1
DS2OS traffic traces	29	1
Intel Lab	30	1
Sensorscope	30	1
Secure Water Treatment	21, 26	2

Number of publications per year

In this subsection, we analyzed the number of publications per year using our established quality assessment criteria. The number of publications per year is shown in Table 11. From Table 11 below, no publication met the criteria of our studies in the years 2010, 2012, 2016, and 2018. The years 2011, 2014, 2017, and 2019 recorded one publication each. The highest number of publications was recorded in 2020, when nine (9) publications were recorded. There were 2 publications in 2013 and 2021, and 3 publications in 2022. Drawing our attention to the IoT-based studies, there was one (1) publication in 2015, two (2) publications in 2020, 3 publications in 2021, and 2 publications in 2022.

Table 11. Publication by Year.

SN	Year of Publication	Number of Publications
1	2010	0
2	2011	1
3	2012	0
4	2013	2
5	2014	1
6	2015	1
7	2016	0
8	2017	1
9	2018	0
10	2019	1
11	2020	9
12	2021	2
13	2022	3

Challenges and directions for future work

In this section, we present some challenges we identified based on the analysis of our study. To begin with, we found out that 2 of the IoT-based studies used datasets (NSL-KDD and KDD CUP 99) that are no longer relevant when designing modern-day IDS.

Additionally, these datasets are non-IoT-based. Therefore, we recommend that future work use datasets from IoT environments to build and evaluate IDS for IoT systems. Secondly, from our studies, we discovered that seven (7) studies out of the 8 IoT-based studies designed lightweight IDS for IoT systems. However, only one reported on the proposed system’s memory consumption, and three (3) reported on the running time of the proposed methods. Only one study reported the computational complexity of the model used in designing their proposed IDS.

Additionally, in designing lightweight IDSs for IoT systems, parameters such as time and space complexity and power consumption of the proposed IDS should be evaluated. The portability of an IoT-based IDS is as important as its accuracy, precision, or recall. Therefore, we propose that future work include a performance matrix that measures the time and space complexity and power consumption of the proposed methods. Additionally, none of the IoT-based studies considered in this work deployed the proposed IDS on an IoT device. It is crucial not only to model IDSs for IoT ecosystems but these IDS models should be deployed on IoT devices. Deploying these models on real devices will help to evaluate parameters such as space complexity and energy consumption. Deployment models on real devices help to evaluate the model’s performance on drift adaptation and determine the model’s accuracy in production environments. We recommend that future studies on IDS for IoT systems incorporate model deployment on physical devices to evaluate how these models will perform in production environments.

Concept Drift in Machine Learning refers to a situation in which the statistical properties of the target variable change over time. In other words, the meaning of the input data used to train the model has changed significantly over time, but the model in production is unaware of the change and thus cannot make accurate predictions. Although incremental machine learning has the advantage of detecting concept drifts, only 2 out of 8 IoT-based studies considered in this work considered concept drift adaption in their studies. Network traffic is usually dynamic, and attackers try to circumvent IDSs by changing the attack signatures of knowns, which leads to a change in the target variable. Future IDSs for the IoT ecosystem must focus on how to build IDSs that can detect drifts and learn from those drifts with minimal human intervention.

Furthermore, the datasets used in the IoT-based studies and most datasets used in modeling IDSs are imbalanced, which gives these models higher accuracy but lower precision. To solve this challenge, more studies can be conducted on creating balanced datasets from IoT systems. Moreover, unlike traditional computing IDSs, which primarily focus on detection speed, precision, and accuracy, IDSs for the IoT ecosystem need a balance between accuracy, speed, precision, lightweight, and low energy consumption. Therefore, researchers must look at these parameters holistically to ensure that proposed IDSs for IoT systems can be deployed in such environments. It is recommended that future work in this domain should focus on using models that are not computationally intensive in designing IDSs for IoT systems.

Finally, the results from the various experimental validations done in IoT-based studies considered in this SLR show that incremental learning is capable of achieving the lightweight IDS status that most IDS problems in IoT systems seek to attain. However, more studies need to be done using the approach mentioned above in the IoT ecosystem to determine the viability of incremental learning to solve the problem of high speed, high accuracy, low energy, and minimal space complexity IDS for IoT systems.

Threats to validity of the study

Validity threats hampered the data extraction process and the quality assessment of the papers chosen for this SLR protocol. Using the threats identified by 40, we divided the threats into validity. Internal, external, construct, and conclusion validity are the threats identified by 40. Each of the threats is briefly described in the preceding paragraphs.

Internal validity: This threat focuses on implementing the SLR protocol, which includes search terms, the data extraction process, the method used for the research, and quality assessment criteria.
Construct validity: Construct validity is related to how search strings are constructed, the formulation of research questions, the online databases selected, and the inclusion and exclusion criteria. The search string used in this study was comprehensively formulated to answer the formulated research questions.
External validity: External validity focuses on the degree that the SLR results reflect the topic under review. We mitigated this threat by repeating the procedure used in our study.
Conclusion validity: The nature of SLR makes it not possible to capture all relevant studies that answer the formulated research questions. There is a probability that some papers were missed. Using inclusion and exclusion criteria lessens the gravity of personal bias and subjectivity.

Limitations of our study

We will discuss some of the study’s limitations in this section. The research focused on a few carefully selected but highly referenced databases in the field of study. We admit that, like most SLRs, we had difficulty locating all of the papers associated with this study. We also admit that some papers were left out due to the difficulty in identifying all papers related to this study. The method used in this study is meant to help us with our research on incremental machine learning-based intrusion detection in IoT systems.

This study’s analysis is limited to incremental machine learning-based intrusion detection systems on the internet of things and does not represent the complete analysis of the individual papers. We made every effort in this regard to analyzing the papers presented in this work in order to provide answers to the research questions posed in this study.

Conclusion

This study comprehensively analyzed incremental machine learning-based intrusion detection systems in the internet of things. The aim of the study was to help us understand existing work in the domain of our study and provide suggestions on how future work in IDS for IoT systems can be enhanced. The Internet of Things (IoT) has not only become a household name through its application in smart homes but has also been used in domains like agriculture, healthcare, transportation, and cities and grid systems. Whereas the advantages of IoT cannot be downplayed; its computational constraints make it difficult to deploy security methodologies that have been deployed in traditional computing systems. The study examined the existing state-of-the-art incremental machine learning approaches used to design lightweight intrusion detection systems for IoT environments, as well as the datasets used and how these studies are designing IDS without overburdening IoT device computational resources. As the number of things connected to the internet increases, researchers must use various methods to ensure the security of these things. The application of ML and DL in intrusion detection has proven to be an effective mitigation strategy on traditional computers, and the trend of current research shows that it will become an effective mitigation strategy in detecting intrusions in IoT environments.

Data availability

Underlying data

All data underlying the results are available as part of the article and no additional source data are required.

Reporting guidelines

The completed PRISMA checklist of this study is found on a public repository with details as below: Figshare: PRISMA checklist for ’Towards achieving lightweight intrusion detection systems in Internet of Things, the role of incremental machine learning: A systematic literature review’, https://doi.org/10.6084/m9.figshare.21436152.v1⁴¹.

Data are available under the terms of the Creative Commons Zero "No rights reserved" data waiver (CC0 1.0 Public domain dedication).

Faculty Opinions recommended

References

1. Zarpelão BB, Miani RS, Kawakani CT, et al.: A survey of intrusion detection in internet of things. J Netw Comput Appl. 2017; 84: 25–37. Publisher Full Text
2. Staffs Keele, Guidelines for performing systematic literature reviews in software engineering. Technical report, Technical report, ver. 2.3 ebse technical report. ebse, 2007. Reference Source
3. Petersen K, Vakkalanka S, Kuzniarz L: Guidelines for conducting systematic mapping studies in software engineering: An update. Inf Softw Technol. 2015; 64: 1–18. Publisher Full Text
4. Elrawy MF, Awad AI, Hamed HFA: Intrusion detection systems for iot-based smart environments: a survey. J Cloud Comp. 2018; 7(1): 21. Publisher Full Text
5. Khraisat A, Alazab A: A critical review of intrusion detection systems in the internet of things: techniques, deployment strategy, validation strategy, attacks, public datasets and challenges. Cybersecur. 2021; 4(1): 18. Publisher Full Text
6. Benkhelifa E, Welsh T, Hamouda W: A critical review of practices and challenges in intrusion detection systems for iot: Toward universal and resilient systems. IEEE Communications Surveys & Tutorials. 2018; 20(4): 3496–3509. Publisher Full Text
7. Mishra N, Pandya S: Internet of things applications, security challenges, attacks, intrusion detection, and future visions: A systematic review. IEEE Access. 2021; 9: 59353–59377. Publisher Full Text
8. Hajiheidari S, Wakil K, Badri M, et al.: Intrusion detection systems in the internet of things: A comprehensive investigation. Computer Networks. 2019; 160: 165–191. Publisher Full Text
9. Asharf J, Moustafa N, Khurshid H, et al.: A review of intrusion detection systems using machine and deep learning in internet of things: challenges, solutions and future directions. Electronics. 2020; 9(7): 1177. Publisher Full Text
10. Arshad J, Azad MA, Amad R, et al.: A review of performance, energy and privacy of intrusion detection systems for iot. Electronics. 2020; 9(4): 629. Publisher Full Text
11. Alsoufi MA, Razak S, Md Siraj M, et al.: Anomaly-based intrusion detection systems in iot using deep learning: A systematic literature review. Appl Sci. 2021; 11(18): 8383. Publisher Full Text
12. Seyfollahi A, Ghaffari A: A review of intrusion detection systems in rpl routing protocol based on machine learning for internet of things applications. Wirel Commun Mob Comput. 2021; 2021. Publisher Full Text
13. Ali Khan Z, Herrmann P: Recent advancements in intrusion detection systems for the internet of things. Security and Communication Networks. 2019; 2019. Publisher Full Text
14. Chaabouni N, Mosbah M, Zemmari A, et al.: Network intrusion detection for iot security based on learning techniques. IEEE Communications Surveys & Tutorials. 2019; 21(3): 2671–2701. Publisher Full Text
15. Saranya T, Sridevi S, Deisy C, et al.: Performance analysis of machine learning algorithms in intrusion detection system: A review. Procedia Comput Sci. 2020; 171: 1251–1260. Publisher Full Text
16. Liberati A, Altman DG, Tetzlaff J, et al.: The prisma statement for reporting systematic reviews and meta-analyses of studies that evaluate health care interventions: explanation and elaboration. J Clin Epidemiol. 2009; 62(10): e1–e34. PubMed Abstract | Publisher Full Text
17. Kitchenham B, Charters S: Guidelines for performing systematic literature reviews in software engineering. 2007. Reference Source
18. Page MJ, McKenzie JE, Bossuyt PM, et al.: The prisma 2020 statement: an updated guideline for reporting systematic reviews. Syst Rev. 2021; 10(1): 89. PubMed Abstract | Publisher Full Text | Free Full Text
19. Gao J, Chai S, Zhang B, et al.: Research on network intrusion detection based on incremental extreme learning machine and adaptive principal component analysis. Energies. 2019; 12(7): 1223. Publisher Full Text
20. Qaiwmchi NAH, Amintoosi H, Mohajerzadeh A: Intrusion detection system based on gradient corrected online sequential extreme learning machine. IEEE Access. 2020; 9: 4983–4999. Publisher Full Text
21. Liu L, Hu M, Kang C, et al.: Unsupervised anomaly detection for network data streams in industrial control systems. Information. 2020; 11(2): 105. Publisher Full Text
22. Darem AA, Ghaleb FA, Al-Hashmi AA, et al.: An adaptive behavioral-based incremental batch learning malware variants detection model using concept drift detection and sequential deep learning. IEEE Access. 2021; 9: 97180–97196. Publisher Full Text
23. Tang Y, Li C: An online network intrusion detection model based on improved regularized extreme learning machine. IEEE Access. 2021; 9: 94826–94844. Publisher Full Text
24. Wu Z, Gao P, Cui L, et al.: An incremental learning method based on dynamic ensemble rvm for intrusion detection. IEEE Transactions on Network and Service Management. 2021; 19(1): 671–685. Publisher Full Text
25. Baldini G, Amerini I: Online distributed denial of service (ddos) intrusion detection based on adaptive sliding window and morphological fractal dimension. Computer Networks. 2022; 210: 108923. Publisher Full Text
26. Reis LHA, Piedrahita AM, Rueda S, et al.: Unsupervised and incremental learning orchestration for cyber-physical security. Transactions on emerging telecommunications technologies. 2020; 31(7): e4011. Publisher Full Text
27. Tabassum A, Erbad A, Mohamed A, et al.: Privacy-preserving distributed ids using incremental learning for iot health systems. IEEE Access. 2021; 9: 14271–14283. Publisher Full Text
28. Yang L, Shami A: A lightweight concept drift detection and adaptation framework for iot data streams. IEEE Internet of Things Magazine. 2021; 4(2): 96–101. Publisher Full Text
29. Wahab OA: Intrusion detection in the iot under data and concept drifts: Online deep learning approach. IEEE Internet Things J. 2022; 9(20): 19706–19716. Publisher Full Text
30. Bosman HHWJ, Iacca G, Tejada A, et al.: Ensembles of incremental learners to detect anomalies in ad hoc sensor networks. Ad Hoc Netw. 2015; 35: 14–36. Publisher Full Text
31. Shao Z, Yuan S, Wang Y: Adaptive online learning for iot botnet detection. Information Sciences. 2021; 574: 84–95. Publisher Full Text
32. Martindale N, Ismail M, Talbert DA: Ensemble-based online machine learning algorithms for network intrusion detection systems using streaming data. Information. 2020; 11(6): 315. Publisher Full Text
33. Yi Y, Wu JS, Xu W: Incremental svm based on reserved set for network intrusion detection. Expert Syst Appl. 2011; 38(6): 7698–7707. Publisher Full Text
34. Data M, Aritsugi M: T-dfnn: An incremental learning algorithm for intrusion detection systems. IEEE Access. 2021; 9: 154156–154171. Publisher Full Text
35. Chitrakar R, Huang C: Selection of candidate support vectors in incremental svm for network intrusion detection. Comput Secur. 2014; 45: 231–241. Publisher Full Text
36. Jiang F, Sui Y, Cao C: An incremental decision tree algorithm based on rough sets and its application in intrusion detection. Artif Intell Rev. 2013; 40(4): 517–530. Publisher Full Text
37. Tsai CW: Incremental particle swarm optimisation for intrusion detection. IET networks. 2013; 2(3): 124–130. Publisher Full Text
38. Noorbehbahani F, Fanian A, Mousavi R, et al.: An incremental intrusion detection system using a new semi-supervised stream classification method. Int J Commun Syst. 2017; 30(4): e3002. Publisher Full Text
39. Gyamfi E, Jurcut AD: Novel online network intrusion detection system for industrial iot based on oi-svdd and as-elm. IEEE Internet Things J. 2022. Publisher Full Text
40. Wohlin C: Guidelines for snowballing in systematic literature studies and a replication in software engineering. In: Proceedings of the 18th international conference on evaluation and assessment in software engineering. 2014; 1–10. Publisher Full Text
41. Agbedanu P, Musabe R, Rwigema J, et al.: Towards achievi ng lightweight intrusion detection systems in Internet of Things, the role of incremental machine learning: A systematic literature review.figshare. Online resource. 2022. http://www.doi.org/10.6084/m9.figshare.21436152.v2

Comments on this article Comments (0)

Version 1

VERSION 1 PUBLISHED 24 Nov 2022

Author details Author details

¹ African Centre of Excellence in Internet of Things, University of Rwanda, Kigali, Rwanda
² Rwanda Polytechnic, Kigali, Rwanda
³ College of Science and Technology, University of Rwanda, Kigali, Rwanda

Promise Ricardo Agbedanu
Roles: Conceptualization, Formal Analysis, Funding Acquisition, Resources, Software, Writing – Original Draft Preparation

Richard Musabe
Roles: Investigation, Supervision, Validation, Writing – Review & Editing

James Rwigema
Roles: Investigation, Supervision, Writing – Review & Editing

Ignace Gatare
Roles: Methodology, Supervision, Writing – Review & Editing

Theofrida Julius Maginga
Roles: Formal Analysis, Methodology, Writing – Review & Editing

Destiny Kwabla Amenyedzi
Roles: Investigation, Methodology, Software, Writing – Review & Editing

Competing interests

No competing interests were disclosed.

Grant information

This work was supported by the PASET Regional Scholarship and Innovation Fund and Google PhD Fellowship Program.
The funders had no role in study design, data collection and analysis, decision to publish, or preparation of the manuscript.

Article Versions (1)

version 1

Published: 24 Nov 2022, 11:1377

https://doi.org/10.12688/f1000research.127732.1

Copyright

© 2022 Agbedanu PR et al. This is an open access article distributed under the terms of the Creative Commons Attribution License, which permits unrestricted use, distribution, and reproduction in any medium, provided the original work is properly cited.

Download

Export To

metrics

	Views	Downloads
F1000Research	-	-
PubMed Central Data from PMC are received and updated monthly.	-	-

Citations

0

SEE MORE DETAILS

CITE

how to cite this article

Agbedanu PR, Musabe R, Rwigema J et al. Towards achieving lightweight intrusion detection systems in Internet of Things, the role of incremental machine learning: A systematic literature review [version 1; peer review: 1 not approved]. F1000Research 2022, 11:1377 (https://doi.org/10.12688/f1000research.127732.1)

NOTE: If applicable, it is important to ensure the information in square brackets after the title is included in all citations of this article.

track

receive updates on this article

Track an article to receive email alerts on any updates to this article.

Open Peer Review

Version 1

VERSION 1

PUBLISHED 24 Nov 2022

Views

7

Reviewer Report 15 May 2023

Yan Naung Soe, Department of Electrical and Information Engineering, Universitas Gadjah Mada, Yogyakarta, Special Region of Yogyakarta, Indonesia

Not Approved

https://doi.org/10.5256/f1000research.140269.r171434

The authors conducted a review for the lightweight purpose of IoT-based introduction detection systems. It is interesting, but the following concerns have to be addressed.

Many typos are found.
In the

The authors conducted a review for the lightweight purpose of IoT-based introduction detection systems. It is interesting, but the following concerns have to be addressed.

Many typos are found.
In the abstract, you mentioned that your review is based on the 21 IDS research works. It is not enough to review a specific work. There are many related works in recent years. More references are necessary.

In Table-5, the authors listed the sources/publishers of their references. Many lightweight IoT-IDS could be easily found by exploring these publishers' web sources. E.g., the authors can explore many articles in their sources, like MDPI, ACM Digital Library, and so on.

In Table-6, why can “only zero article in ACM” be considered as your quality assessment criteria?
According to the title and abstract, you focus on the lightweight purpose in the detection systems, but you mentioned only 7 lightweight models.

Also, you have to check them again, are these really lightweight systems? The authors organized some lightweight models in Table 8, even if the referenced works are not deeply checked, the question arises, how could some of them be lightweight? E.g., in Table 8, in the reference [30], how it would be lightweight with computational complexity? And also, the reference [28], is it lightweight with memory consumption?
According to your abstract, you mentioned that you analyzed the systems regarding 4 kinds of criteria. But your research questions almost did not reflect them. In addition, these are not also correct. In the abstract, the authors described "The study analyzed 1) existing incremental machine learning approaches used in designing intrusion detection systems for IoT ecosystems, 2) emphasizing the incremental methods used in detecting intrusions, 3) the datasets used to evaluate these methods, and 4) how the method achieves lightweight status.

In the "Research questions" section, the authors generated 4-questions, such as RQ1: What is the primary contribution of the paper? RQ2: What incremental or online machine learning algorithm was used in this study? RQ3: How does the proposed method handle data, feature, or concept drift? RQ4: How does the proposed IDS handle the computational constraints of IoT systems?

Is there any relation between these two parts? More importantly, even showing these facts in these parts, there is no significant explanation in this review, especially on the lightweight purpose. If so, why did the authors put the important concern in IoT-IDS, "lightweight/handling the computational constraints" in these parts, such as the title, abstract, and research questions?
According to your references list, you put many published reviews and survey works. It would be better if you study them again how to arrange the contents in the review works.
The citation styles are also different. E.g., the reference numbers 7 and 8. Other references are also facing the same issue. In addition, the reference indexing style in tables is confusing.
In the conclusion, you describe that you analyzed comprehensively ML-based intrusion detection systems. However, in the current version, the manuscript seems just a report that you have studied.

The overall comment is that you have to improve your manuscript significantly, to be following the style of review works, to be focusing on the facts in the title and abstract, and be arranged as a well-structured manuscript.

Are the rationale for, and objectives of, the Systematic Review clearly stated?

Partly
Are sufficient details of the methods and analysis provided to allow replication by others?

No
Is the statistical analysis and its interpretation appropriate?

Partly
Are the conclusions drawn adequately supported by the results presented in the review?

Partly

Competing Interests: No competing interests were disclosed.

Reviewer Expertise: IoT, Cyber-security, Machine Learning

I confirm that I have read this submission and believe that I have an appropriate level of expertise to state that I do not consider it to be of an acceptable scientific standard, for reasons outlined above.

CITE

Report a concern

Respond or Comment

Comments on this article Comments (0)

Version 1

VERSION 1 PUBLISHED 24 Nov 2022

Open Peer Review

Reviewer Status

Reviewer Reports

	Invited Reviewers
	1
Version 1 24 Nov 22	read

Yan Naung Soe, Universitas Gadjah Mada, Yogyakarta, Indonesia

Comments on this article

All Comments(0)

Add a comment

Sign up for content alerts

Browse by related subjects

Back to all reports

Reviewer Report

7 Views

15 May 2023 | for Version 1

Yan Naung Soe, Department of Electrical and Information Engineering, Universitas Gadjah Mada, Yogyakarta, Special Region of Yogyakarta, Indonesia

7 Views Cite this report Responses(0)

Not Approved

The authors conducted a review for the lightweight purpose of IoT-based introduction detection systems. It is interesting, but the following concerns have to be addressed.

Many typos are found.
In the abstract, you mentioned that your review is based on the 21 IDS research works. It is not enough to review a specific work. There are many related works in recent years. More references are necessary.

In Table-5, the authors listed the sources/publishers of their references. Many lightweight IoT-IDS could be easily found by exploring these publishers' web sources. E.g., the authors can explore many articles in their sources, like MDPI, ACM Digital Library, and so on.

In Table-6, why can “only zero article in ACM” be considered as your quality assessment criteria?
According to the title and abstract, you focus on the lightweight purpose in the detection systems, but you mentioned only 7 lightweight models.

Also, you have to check them again, are these really lightweight systems? The authors organized some lightweight models in Table 8, even if the referenced works are not deeply checked, the question arises, how could some of them be lightweight? E.g., in Table 8, in the reference [30], how it would be lightweight with computational complexity? And also, the reference [28], is it lightweight with memory consumption?
According to your abstract, you mentioned that you analyzed the systems regarding 4 kinds of criteria. But your research questions almost did not reflect them. In addition, these are not also correct. In the abstract, the authors described "The study analyzed 1) existing incremental machine learning approaches used in designing intrusion detection systems for IoT ecosystems, 2) emphasizing the incremental methods used in detecting intrusions, 3) the datasets used to evaluate these methods, and 4) how the method achieves lightweight status.

In the "Research questions" section, the authors generated 4-questions, such as RQ1: What is the primary contribution of the paper? RQ2: What incremental or online machine learning algorithm was used in this study? RQ3: How does the proposed method handle data, feature, or concept drift? RQ4: How does the proposed IDS handle the computational constraints of IoT systems?

Is there any relation between these two parts? More importantly, even showing these facts in these parts, there is no significant explanation in this review, especially on the lightweight purpose. If so, why did the authors put the important concern in IoT-IDS, "lightweight/handling the computational constraints" in these parts, such as the title, abstract, and research questions?
According to your references list, you put many published reviews and survey works. It would be better if you study them again how to arrange the contents in the review works.
The citation styles are also different. E.g., the reference numbers 7 and 8. Other references are also facing the same issue. In addition, the reference indexing style in tables is confusing.
In the conclusion, you describe that you analyzed comprehensively ML-based intrusion detection systems. However, in the current version, the manuscript seems just a report that you have studied.

The overall comment is that you have to improve your manuscript significantly, to be following the style of review works, to be focusing on the facts in the title and abstract, and be arranged as a well-structured manuscript.

Are the rationale for, and objectives of, the Systematic Review clearly stated?

Partly
Are sufficient details of the methods and analysis provided to allow replication by others?

No
Is the statistical analysis and its interpretation appropriate?

Partly
Are the conclusions drawn adequately supported by the results presented in the review?

Partly

Competing Interests

No competing interests were disclosed.

Reviewer Expertise

IoT, Cyber-security, Machine Learning

I confirm that I have read this submission and believe that I have an appropriate level of expertise to state that I do not consider it to be of an acceptable scientific standard, for reasons outlined above.

Respond to this report

Responses (0)

[1] 1. Zarpelão BB, Miani RS, Kawakani CT, et al.: A survey of intrusion detection in internet of things. J Netw Comput Appl. 2017; 84: 25–37. Publisher Full Text

[2] 2. Staffs Keele, Guidelines for performing systematic literature reviews in software engineering. Technical report, Technical report, ver. 2.3 ebse technical report. ebse, 2007. Reference Source

[3] 3. Petersen K, Vakkalanka S, Kuzniarz L: Guidelines for conducting systematic mapping studies in software engineering: An update. Inf Softw Technol. 2015; 64: 1–18. Publisher Full Text

[4] 4. Elrawy MF, Awad AI, Hamed HFA: Intrusion detection systems for iot-based smart environments: a survey. J Cloud Comp. 2018; 7(1): 21. Publisher Full Text

[5] 5. Khraisat A, Alazab A: A critical review of intrusion detection systems in the internet of things: techniques, deployment strategy, validation strategy, attacks, public datasets and challenges. Cybersecur. 2021; 4(1): 18. Publisher Full Text

[6] 6. Benkhelifa E, Welsh T, Hamouda W: A critical review of practices and challenges in intrusion detection systems for iot: Toward universal and resilient systems. IEEE Communications Surveys & Tutorials. 2018; 20(4): 3496–3509. Publisher Full Text

[7] 7. Mishra N, Pandya S: Internet of things applications, security challenges, attacks, intrusion detection, and future visions: A systematic review. IEEE Access. 2021; 9: 59353–59377. Publisher Full Text

[8] 8. Hajiheidari S, Wakil K, Badri M, et al.: Intrusion detection systems in the internet of things: A comprehensive investigation. Computer Networks. 2019; 160: 165–191. Publisher Full Text

[9] 9. Asharf J, Moustafa N, Khurshid H, et al.: A review of intrusion detection systems using machine and deep learning in internet of things: challenges, solutions and future directions. Electronics. 2020; 9(7): 1177. Publisher Full Text

[10] 10. Arshad J, Azad MA, Amad R, et al.: A review of performance, energy and privacy of intrusion detection systems for iot. Electronics. 2020; 9(4): 629. Publisher Full Text

[11] 11. Alsoufi MA, Razak S, Md Siraj M, et al.: Anomaly-based intrusion detection systems in iot using deep learning: A systematic literature review. Appl Sci. 2021; 11(18): 8383. Publisher Full Text

[12] 12. Seyfollahi A, Ghaffari A: A review of intrusion detection systems in rpl routing protocol based on machine learning for internet of things applications. Wirel Commun Mob Comput. 2021; 2021. Publisher Full Text

[13] 13. Ali Khan Z, Herrmann P: Recent advancements in intrusion detection systems for the internet of things. Security and Communication Networks. 2019; 2019. Publisher Full Text

[14] 14. Chaabouni N, Mosbah M, Zemmari A, et al.: Network intrusion detection for iot security based on learning techniques. IEEE Communications Surveys & Tutorials. 2019; 21(3): 2671–2701. Publisher Full Text

[15] 15. Saranya T, Sridevi S, Deisy C, et al.: Performance analysis of machine learning algorithms in intrusion detection system: A review. Procedia Comput Sci. 2020; 171: 1251–1260. Publisher Full Text

[16] 16. Liberati A, Altman DG, Tetzlaff J, et al.: The prisma statement for reporting systematic reviews and meta-analyses of studies that evaluate health care interventions: explanation and elaboration. J Clin Epidemiol. 2009; 62(10): e1–e34. PubMed Abstract | Publisher Full Text

[17] 17. Kitchenham B, Charters S: Guidelines for performing systematic literature reviews in software engineering. 2007. Reference Source

[18] 18. Page MJ, McKenzie JE, Bossuyt PM, et al.: The prisma 2020 statement: an updated guideline for reporting systematic reviews. Syst Rev. 2021; 10(1): 89. PubMed Abstract | Publisher Full Text | Free Full Text

[19] 19. Gao J, Chai S, Zhang B, et al.: Research on network intrusion detection based on incremental extreme learning machine and adaptive principal component analysis. Energies. 2019; 12(7): 1223. Publisher Full Text

[20] 20. Qaiwmchi NAH, Amintoosi H, Mohajerzadeh A: Intrusion detection system based on gradient corrected online sequential extreme learning machine. IEEE Access. 2020; 9: 4983–4999. Publisher Full Text

[21] 21. Liu L, Hu M, Kang C, et al.: Unsupervised anomaly detection for network data streams in industrial control systems. Information. 2020; 11(2): 105. Publisher Full Text

[22] 22. Darem AA, Ghaleb FA, Al-Hashmi AA, et al.: An adaptive behavioral-based incremental batch learning malware variants detection model using concept drift detection and sequential deep learning. IEEE Access. 2021; 9: 97180–97196. Publisher Full Text

[23] 23. Tang Y, Li C: An online network intrusion detection model based on improved regularized extreme learning machine. IEEE Access. 2021; 9: 94826–94844. Publisher Full Text

[24] 24. Wu Z, Gao P, Cui L, et al.: An incremental learning method based on dynamic ensemble rvm for intrusion detection. IEEE Transactions on Network and Service Management. 2021; 19(1): 671–685. Publisher Full Text

[25] 25. Baldini G, Amerini I: Online distributed denial of service (ddos) intrusion detection based on adaptive sliding window and morphological fractal dimension. Computer Networks. 2022; 210: 108923. Publisher Full Text

[26] 26. Reis LHA, Piedrahita AM, Rueda S, et al.: Unsupervised and incremental learning orchestration for cyber-physical security. Transactions on emerging telecommunications technologies. 2020; 31(7): e4011. Publisher Full Text

[27] 27. Tabassum A, Erbad A, Mohamed A, et al.: Privacy-preserving distributed ids using incremental learning for iot health systems. IEEE Access. 2021; 9: 14271–14283. Publisher Full Text

[28] 28. Yang L, Shami A: A lightweight concept drift detection and adaptation framework for iot data streams. IEEE Internet of Things Magazine. 2021; 4(2): 96–101. Publisher Full Text

[29] 29. Wahab OA: Intrusion detection in the iot under data and concept drifts: Online deep learning approach. IEEE Internet Things J. 2022; 9(20): 19706–19716. Publisher Full Text

[30] 30. Bosman HHWJ, Iacca G, Tejada A, et al.: Ensembles of incremental learners to detect anomalies in ad hoc sensor networks. Ad Hoc Netw. 2015; 35: 14–36. Publisher Full Text

[31] 31. Shao Z, Yuan S, Wang Y: Adaptive online learning for iot botnet detection. Information Sciences. 2021; 574: 84–95. Publisher Full Text

[32] 32. Martindale N, Ismail M, Talbert DA: Ensemble-based online machine learning algorithms for network intrusion detection systems using streaming data. Information. 2020; 11(6): 315. Publisher Full Text

[33] 33. Yi Y, Wu JS, Xu W: Incremental svm based on reserved set for network intrusion detection. Expert Syst Appl. 2011; 38(6): 7698–7707. Publisher Full Text

[34] 34. Data M, Aritsugi M: T-dfnn: An incremental learning algorithm for intrusion detection systems. IEEE Access. 2021; 9: 154156–154171. Publisher Full Text

[35] 35. Chitrakar R, Huang C: Selection of candidate support vectors in incremental svm for network intrusion detection. Comput Secur. 2014; 45: 231–241. Publisher Full Text

[36] 36. Jiang F, Sui Y, Cao C: An incremental decision tree algorithm based on rough sets and its application in intrusion detection. Artif Intell Rev. 2013; 40(4): 517–530. Publisher Full Text

[37] 37. Tsai CW: Incremental particle swarm optimisation for intrusion detection. IET networks. 2013; 2(3): 124–130. Publisher Full Text

[38] 38. Noorbehbahani F, Fanian A, Mousavi R, et al.: An incremental intrusion detection system using a new semi-supervised stream classification method. Int J Commun Syst. 2017; 30(4): e3002. Publisher Full Text

[39] 39. Gyamfi E, Jurcut AD: Novel online network intrusion detection system for industrial iot based on oi-svdd and as-elm. IEEE Internet Things J. 2022. Publisher Full Text

[40] 40. Wohlin C: Guidelines for snowballing in systematic literature studies and a replication in software engineering. In: Proceedings of the 18th international conference on evaluation and assessment in software engineering. 2014; 1–10. Publisher Full Text

[41] 41. Agbedanu P, Musabe R, Rwigema J, et al.: Towards achievi ng lightweight intrusion detection systems in Internet of Things, the role of incremental machine learning: A systematic literature review.figshare. Online resource. 2022. http://www.doi.org/10.6084/m9.figshare.21436152.v2

SN	Study	QA1	QA2	QA3	QA4	QA5	Total Score
1	19	Yes	Yes	Yes	Yes	Yes	5.0
2	20	Yes	Yes	Yes	Yes	Yes	5.0
3	21	Yes	Yes	Yes	Yes	Yes	5.0
4	22	Yes	P	Yes	Yes	Yes	4.5
5	23	Yes	Yes	Yes	Yes	Yes	5.0
6	24	Yes	P	Yes	Yes	Yes	4.5
7	25	Yes	Yes	Yes	Yes	Yes	5.0
8	26	Yes	Yes	Yes	Yes	Yes	5.0
9	27	Yes	Yes	Yes	Yes	Yes	5.0
10	28	Yes	Yes	Yes	Yes	Yes	5.0
11	29	Yes	P	Yes	Yes	Yes	4.5
12	30	Yes	Yes	Yes	Yes	Yes	5.0
13	31	Yes	Yes	Yes	Yes	Yes	5.0
14	32	Yes	Yes	Yes	Yes	Yes	5.0
15	33	Yes	Yes	Yes	Yes	Yes	4.5
16	34	Yes	Yes	Yes	Yes	Yes	5.0
17	35	Yes	P	Yes	Yes	Yes	4.5
18	36	Yes	P	P	Yes	Yes	4.0
19	37	Yes	Yes	Yes	Yes	Yes	4.5
20	38	Yes	P	Yes	Yes	Yes	4.5
21	39	Yes	P	Yes	Yes	Yes	4.5

SN	Study	Drift adaption	Lightweight model	Model running time	Memory consumption	Computational complexity
1	26		✓	✓
2	30		✓			✓
3	29	✓
4	28	✓	✓	✓	✓
5	39		✓
6	27		✓	✓
7	31		✓
8	21		✓

SN	Study	QA1	QA2	QA3	QA4	QA5	Total Score
1	19	Yes	Yes	Yes	Yes	Yes	5.0
2	20	Yes	Yes	Yes	Yes	Yes	5.0
3	21	Yes	Yes	Yes	Yes	Yes	5.0
4	22	Yes	P	Yes	Yes	Yes	4.5
5	23	Yes	Yes	Yes	Yes	Yes	5.0
6	24	Yes	P	Yes	Yes	Yes	4.5
7	25	Yes	Yes	Yes	Yes	Yes	5.0
8	26	Yes	Yes	Yes	Yes	Yes	5.0
9	27	Yes	Yes	Yes	Yes	Yes	5.0
10	28	Yes	Yes	Yes	Yes	Yes	5.0
11	29	Yes	P	Yes	Yes	Yes	4.5
12	30	Yes	Yes	Yes	Yes	Yes	5.0
13	31	Yes	Yes	Yes	Yes	Yes	5.0
14	32	Yes	Yes	Yes	Yes	Yes	5.0
15	33	Yes	Yes	Yes	Yes	Yes	4.5
16	34	Yes	Yes	Yes	Yes	Yes	5.0
17	35	Yes	P	Yes	Yes	Yes	4.5
18	36	Yes	P	P	Yes	Yes	4.0
19	37	Yes	Yes	Yes	Yes	Yes	4.5
20	38	Yes	P	Yes	Yes	Yes	4.5
21	39	Yes	P	Yes	Yes	Yes	4.5

SN	Study	Drift adaption	Lightweight model	Model running time	Memory consumption	Computational complexity
1	26		✓	✓
2	30		✓			✓
3	29	✓
4	28	✓	✓	✓	✓
5	39		✓
6	27		✓	✓
7	31		✓
8	21		✓

Towards achieving lightweight intrusion detection systems in Internet of Things, the role of incremental machine learning: A systematic literature review

Abstract

Keywords

Introduction

Related works

Table 1. Summary of Related Literature.

Research method

Research questions

Protocol and phases of the study

Figure 1. PRISMA flow diagram18.

Inclusion and exclusion criteria

Table 2. Inclusion and exclusion criteria.

Quality assessment criteria

Table 3. Quality assessment questions.

Table 4. Quality evaluation of the selected studies.

Information sources and selection process

Results

Publications by journal

Table 5. Publications by journal before applying inclusion and exclusion criteria.

Table 6. Publications by Journal after applying inclusion and exclusion criteria.

Contributions of each study

Table 7. Contributions of each IoT based study.

Strength and weakness of each study

Table 8. Strength and weakness of each study.

Table 9. Strength and weakness of each study.

Datasets used for validation

Table 10. Dataset Used for validation.

Number of publications per year

Table 11. Publication by Year.

Challenges and directions for future work

Threats to validity of the study

Limitations of our study

Conclusion

Data availability

Underlying data

Reporting guidelines

References

Comments on this article Comments (0)

Open Peer Review

Comments on this article Comments (0)

Open Peer Review

Reviewer Status

Reviewer Reports

Comments on this article

Browse by related subjects

Competing Interests Policy

Stay Updated

Figure 1. PRISMA flow diagram¹⁸.

SN	Study	QA1	QA2	QA3	QA4	QA5	Total Score
1	19	Yes	Yes	Yes	Yes	Yes	5.0
2	20	Yes	Yes	Yes	Yes	Yes	5.0
3	21	Yes	Yes	Yes	Yes	Yes	5.0
4	22	Yes	P	Yes	Yes	Yes	4.5
5	23	Yes	Yes	Yes	Yes	Yes	5.0
6	24	Yes	P	Yes	Yes	Yes	4.5
7	25	Yes	Yes	Yes	Yes	Yes	5.0
8	26	Yes	Yes	Yes	Yes	Yes	5.0
9	27	Yes	Yes	Yes	Yes	Yes	5.0
10	28	Yes	Yes	Yes	Yes	Yes	5.0
11	29	Yes	P	Yes	Yes	Yes	4.5
12	30	Yes	Yes	Yes	Yes	Yes	5.0
13	31	Yes	Yes	Yes	Yes	Yes	5.0
14	32	Yes	Yes	Yes	Yes	Yes	5.0
15	33	Yes	Yes	Yes	Yes	Yes	4.5
16	34	Yes	Yes	Yes	Yes	Yes	5.0
17	35	Yes	P	Yes	Yes	Yes	4.5
18	36	Yes	P	P	Yes	Yes	4.0
19	37	Yes	Yes	Yes	Yes	Yes	4.5
20	38	Yes	P	Yes	Yes	Yes	4.5
21	39	Yes	P	Yes	Yes	Yes	4.5

SN	Study	Drift adaption	Lightweight model	Model running time	Memory consumption	Computational complexity
1	26		✓	✓
2	30		✓			✓
3	29	✓
4	28	✓	✓	✓	✓
5	39		✓
6	27		✓	✓
7	31		✓
8	21		✓