IoT Cybersecurity Threats and Detection Mechanisms: A Review

Abstract: Nowadays the Internet of Things (IoT) attracts the attention of many researchers and companies because of its many directions of use. The cyber security of IoT has become one of its critical challenges, and many intrusion detection systems (IDSs) have been proposed to address the different IoT cyber security threats. In this article we review the state of the art of IoT IDS, focusing on the strategy that was devised and executed, the dataset that was utilized, the findings, and the assessment that was undertaken. Additionally, the surveyed articles undergo critical analysis in order to give a thorough comparative review. Machine learning and deep learning methods, as well as new classification and feature selection methodologies, are studied. Thus far, each technique has proved capable of constructing very accurate intrusion detection models.

-Spoofing attack: The use of credentials belonging to others to access a service that would otherwise be inaccessible. Credentials can be obtained directly from a device, captured on the communication channel, or obtained through phishing. There are three types of spoofing: i) IP address spoofing; ii) ARP spoofing; and iii) DNS server spoofing [9].
-Routing attacks: The most direct attack against a routing protocol targets the routing information exchanged between nodes. By spoofing, altering, or replaying routing information, adversaries may be able to create routing loops, attract or block network traffic, extend or shorten source routes, generate false error messages, partition the network, increase end-to-end latency, etc. [10].
-Sinkhole attack: The most threatening attack at the network layer. A malicious node sends fake information claiming to be the shortest path to the base station, so that the entire network traffic is drawn towards it; it presents an imaginary path as the optimal routing path [11].
-Selective forwarding attack: A malicious node forwards only selected packets and drops the rest, which is a form of DoS attack. It is primarily aimed at disrupting routing paths; however, it can be used to filter any protocol. For example, an attacker could redirect all RPL control messages and drop the rest of the traffic. This attack has serious consequences when combined with other attacks, for example sinkhole attacks [12].
-Black hole attack: One or more malicious nodes advertise themselves as the best path and then (partially or completely) drop the data packets routed through them, disrupting normal network traffic [13].
-Wormhole attack: At least two malicious nodes communicate over a separate wired or wireless link, called a "tunnel", to forward packets faster than the normal paths [13].
-Tampering attack: Classified as i) tampering with the device and ii) tampering with data. Device tampering can be carried out easily, especially when the IoT device spends most of its time unattended: it can be stolen without being noticed and used maliciously, whether as hardware or as software. Data tampering involves malicious modification of data, for example data stored in databases or data transmitted between two devices [5].
-Repudiation attack: By bypassing the controls that properly track and record users' behaviour, an application or system becomes vulnerable to repudiation attacks. A malicious user can exploit this to change the authorship information of their actions, so that inaccurate data is recorded. Similar to email spoofing, it can be used to manipulate data on behalf of others [5].
-Information disclosure: The act of disclosing information to an entity that does not have permission to see it. This includes accidental exposure, targeted attack, and inference or association. An attacker can obtain information by eavesdropping on the network channel, by physically gaining access to the device, or by accessing the device over the network [9].
-Elevation of privilege: An unprivileged user gains privileged access to a device or service. This can be achieved by installing a rogue component in the system that pretends to be another device which has privileged access [6].
-MITM (Man-In-The-Middle): A type of attack where a malicious third party secretly controls the communication channel between two or more endpoints. A MITM attacker can intercept, alter or replace the traffic of the targeted victims (this distinguishes MITM from simple eavesdropping). Moreover, the victims are unaware of the intruder, which is why they believe the communication channel is protected. The attack can be carried out on different communication channels such as GSM, UMTS, Long Term Evolution (LTE), Bluetooth, Near Field Communication (NFC), and Wi-Fi. The targets of the attack are not only the actual data flowing between the endpoints but also the confidentiality and integrity of the data itself [14].
-Cloning nodes: These attacks are known as identity attacks. In a clone ID attack, the attacker copies a valid node identity onto multiple physical nodes; in a Sybil attack, by contrast, the attacker copies many logical identities onto a single physical node. Such an attack enables a malicious user to take control of the system, insert false information, disable functions, etc. [8].
-Denial-of-Service (DoS): The most common attack, especially in IoT and fog networks related to social IoT applications such as smart cities. It makes a resource inaccessible when requested by an authorized user. The system must be able to keep running even when malicious users perform unwanted actions. This class of attack can be carried out by stealing the device, manipulating its software, or disrupting the communication channel [9].
-Distributed Denial of Service (DDoS): This attack is performed by multiple compromised nodes together from different geographic locations. A DoS attack involves a malicious attacker attempting to consume network resources, targeting the CPU time and/or bandwidth of legitimate users by flooding the system with rogue and amplified traffic. To conduct an effective DDoS attack, bots are used: networks of compromised Internet-connected devices [15].
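Two of the threats above, ARP spoofing and DoS flooding, leave a signature that a network IDS can check without any model training. The following Python script is an added example, not code from this paper or from any of the reviewed systems; it runs on two constructed logs embedded in the script (an ARP reply log and a packet log, whose line formats are assumptions) and flags an IP whose advertised MAC changes and a source whose packet rate exceeds a threshold within a sliding window.

```python
from collections import defaultdict, deque

# Constructed sample logs (not from any real capture). ARP_LOG holds ARP replies as
# "<time_s> <claimed_ip> <claimed_mac>"; PKT_LOG holds packets as "<time_s> <src_ip> <dst_ip>".
ARP_LOG = """\
1.0 192.168.1.1 aa:aa:aa:aa:aa:01
1.5 192.168.1.20 aa:aa:aa:aa:aa:20
2.0 192.168.1.1 aa:aa:aa:aa:aa:01
2.3 192.168.1.1 de:ad:be:ef:00:01
2.4 192.168.1.1 de:ad:be:ef:00:01
3.0 192.168.1.20 aa:aa:aa:aa:aa:20
"""

# 150 packets from 10.0.0.9 within 1.5 s (a flood) plus a few packets from three normal hosts.
PKT_LOG = "\n".join(
    ["%.2f 10.0.0.9 10.0.0.1" % (5.0 + i * 0.01) for i in range(150)]
    + ["%.2f 10.0.0.%d 10.0.0.1" % (5.0 + i * 0.3, 2 + i % 3) for i in range(6)]
)


def detect_arp_spoofing(log):
    """Flag ARP replies that bind an already-known IP to a different MAC.

    Returns one alert (time, ip, known_mac, new_mac) per conflicting (ip, mac) pair,
    so a repeated poisoning attempt does not flood the operator with duplicates.
    """
    known = {}          # ip -> MAC first seen for that IP
    reported = set()    # (ip, mac) pairs already alerted on
    alerts = []
    for line in log.strip().splitlines():
        t, ip, mac = line.split()
        if ip not in known:
            known[ip] = mac
        elif mac != known[ip] and (ip, mac) not in reported:
            reported.add((ip, mac))
            alerts.append((float(t), ip, known[ip], mac))
    return alerts


def detect_floods(log, window=1.0, threshold=100):
    """Return the set of source IPs that send more than `threshold` packets
    inside any sliding window of `window` seconds (a simple DoS flood heuristic)."""
    by_src = defaultdict(list)
    for line in log.strip().splitlines():
        t, src, _dst = line.split()
        by_src[src].append(float(t))
    flooders = set()
    for src, times in by_src.items():
        recent = deque()
        for t in sorted(times):
            recent.append(t)
            while t - recent[0] > window:   # drop packets that fell out of the window
                recent.popleft()
            if len(recent) > threshold:
                flooders.add(src)
                break
    return flooders


if __name__ == "__main__":
    for t, ip, old, new in detect_arp_spoofing(ARP_LOG):
        print("ARP conflict at %.1fs: %s was %s, now claimed by %s" % (t, ip, old, new))
    print("flooding sources:", sorted(detect_floods(PKT_LOG)))
```

The ARP check is the usual IP-to-MAC conflict rule; on live traffic the first binding seen is not necessarily trustworthy, so the `known` table would normally be seeded from an inventory rather than from the first reply observed. The window and threshold values are assumptions and must be tuned to the link being monitored.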

3-IDS in IoT studies
Alaa Alhowaide et al. [16] focused on the efficiency of NIDS in IoT networks. They utilized an automatically selected classification model and built ensemble detection models based on machine learning. The model was evaluated using F-scores, ROC-AUC scores, and accuracy. It achieved F-scores of 0.99, 0.95, 1, and 0.99 and ROC-AUC scores of 1, 0.98, 1, and 1 when applied to the NSL-KDD, UNSW-NB15, BoTNeTIoT, and BoT-IoT benchmark datasets. This research is incapable of detecting the attack type. Moreover, the proposed MSM algorithm incorporates different decision combination methods and more efficient measurements; however, the proposed ENCLF models were tested only on session-based datasets. The open challenge is to build a model that detects the type of attack, not just whether an attack occurred.
Shafiq et al. [17] focused on the high dimensionality of IoT network data. The authors proposed the CorrAUC model, a wrapper feature selection technique that selects highly relevant features. It combines Correlation Attribute Evaluation (CAE) with the Area Under the ROC Curve (AUC) metric to select effective features for a specific machine learning (ML) algorithm; TOPSIS and Shannon entropy, integrated on a bijective soft set, were used as fitness functions. Accuracy, precision, and sensitivity were used as evaluation metrics on the Bot-IoT benchmark dataset, and the proposed model achieved results above 96%.
Yanping Shen et al. [18] focused on producing individual learners with strong generalization ability and large diversity, which determine the efficiency of ensemble-based IDS. The authors propose an ensemble pruning framework: the intermediate phase between constructing the sub-classifiers and the final decision, whose main job is to reduce the number of classifiers in the ensemble. The framework uses the bat algorithm (BA) to choose the learner subset for intrusion detection, and the extreme learning machine (ELM), generated on random subspaces, as the core learning algorithm. The selected models are combined by majority voting. The KDD Cup'99, NSL-KDD, and Kyoto datasets are used for evaluation; these are old datasets. Further, the model achieves lower detection accuracy for the U2R attack.
Daniele Midi et al. [19] focused on the performance and efficiency of knowledge-driven adaptable intrusion detection for the Internet of Things. The authors proposed Kalis, a self-adapting, knowledge-driven expert intrusion detection system capable of detecting attacks in real time. Kalis is an overall approach to attack detection for IoT that does not target individual protocols or applications and adjusts its strategy to the specific network characteristics. The evaluation shows that Kalis is effective and efficient in detecting attacks in IoT systems; it relies on accuracy, CPU usage, RAM usage, and detection rate. The proposed model achieved 100% accuracy, a 91% detection rate, 0.19% CPU usage and 13978.62 kB of RAM usage. This method may not be appropriate for objects with limited computing capability: Kalis proposes gathering and publishing timing information, which may not suit sensors that are even more resource-limited than WSN nodes.
Yakub Kayode Saheed [20] focused on increasing the performance of IDS in IoT by reducing data dimensionality. The authors applied the PCA algorithm to reduce the data to a few components, and the classifiers XGBoost, CatBoost, K-Nearest Neighbour (KNN), Support Vector Machine (SVM), and Quadratic Discriminant Analysis (QDA) to classify the intrusion detection data. The method was evaluated on a validation dataset using accuracy, area under the curve, recall, F1, precision, kappa, and Matthews correlation coefficient (MCC). The dataset utilized in this paper is UNSW-NB15. The best results are an accuracy of 99.9% and an MCC of 99.97%. This paper used the old UNSW-NB15 dataset and a single model rather than an ensemble model.
Amar Amouri et al. [21] focused on enhancing IDS performance given the distributed nature and the limited resources of IoT networks. The authors proposed a two-stage model: in stage one, dedicated sniffers (DSs) collect data and generate the CCI, which is sent periodically to a super node (SN); in stage two, the SN performs linear regression on the CCIs collected from the different DSs in order to differentiate benign from malicious nodes. The model was evaluated over power level, node velocity, F1 score, false positive rate (FPR), and true positive rate (TPR). It achieved results up to 98% for high power/node velocity scenarios, dropping to around 90% for low power/node velocity scenarios, with the F1 score varying between 93% and 99.36%. The false positive rate (FPR) ranged between 1.3% and 12% across the scenarios, which is a limitation of this IDS.
Ruhul Amin et al. [22] focused on the large amount of IoT network data composed from the different smart devices. The authors designed a new architecture for a distributed cloud environment in which the private cloud stores confidential information using IoT techniques. To obtain secure access to confidential information from any private cloud server of the distributed system, the article designs a standard authentication protocol that resists all kinds of security attacks and provides important features such as user anonymity. Mutual authentication is proved using BAN logic, and protocol simulation with AVISPA confirms the security and safety of the protocol. Moreover, informal cryptanalysis shows that the protocol is protected against security attacks under the hardness assumption of the hash function. The paper shows the security vulnerabilities of cloud computing (CC), but the protocol remains weak against password guessing attacks, secret guessing, and user tracking.
Prosanta Gope et al. [23] focused on improved RFID authentication schemes for IDS in IoT. The proposed model uses an RFID-based authentication structure for distributed IoT. RFID uses electromagnetic fields to automatically identify and track tags attached to objects. The model is evaluated in terms of mutual authentication, strong anonymity, saving, forward security, scalability, and security resilience. One of the main problems in this paper is that the back-end server is very powerful: it knows all communicating RFID tags, so if the server is hacked, the attacker can obtain all secret data. RFID schemes also suffer from physical and cloning attacks, which is a real concern.
Marc Barcelo et al. [24] focused on formulating the service distribution problem (SDP) in IoT-cloud networks mathematically, with energy consumption as a major driver of current cloud operating costs, and on the heterogeneous pool of resources of the IoT-cloud network. The authors present a network-flow-based linear programming solution that optimizes the distribution of cloud services with arbitrary function relationships (e.g., service chaining) over a distributed cloud network. However, the work does not take into account the added flexibility gained by bringing the access network and the device layer into the virtualized infrastructure, aspects that are important for the efficient delivery of IoT services. The evaluation considers computing, sensing, transport, capacity, and energy efficiency. The proposed model reduces energy consumption by up to 80% overall while ensuring tighter end-to-end latency constraints.
John Oche Onah et al. [25] observed that fog nodes produce massive amounts of data most of the time, because of the direct contact with end users and the lack of available computing resources, and that the use of fog machines might lead to security problems. Due to the inefficiency of traditional IDS, implementing them directly on a fog computing platform may be inappropriate; fog computing requires efficient IDSs that can deal with massive datasets. The article proposed a Genetic Algorithm Wrapper-Based Feature Selection and Naïve Bayes Anomaly Detection Model (GANBADM) for a fog environment that eliminates superfluous attributes to minimize time complexity while keeping high accuracy. GA is used as a random search technique with the Naïve Bayes classifier as the classification method. Accuracy, precision, F1 score, and execution time are the performance metrics. The result is a 98% overall true positive rate, a 0.6% false positive rate, and 99.73% accuracy on the NSL-KDD dataset.
Nour Moustafa et al. [26] focused on designing a model to improve the protection of the IoT network. The authors present a NIDS based on the AdaBoost ensemble learning algorithm that takes statistical flow features as input for recognizing malicious botnet activities. AdaBoost combines three classification techniques, DT, NB, and ANN, to improve the detection performance of the NIDS. The correlation coefficient is used to select the least correlated features that carry the characteristics of legitimate and malicious patterns. The evaluation uses accuracy, detection rate (DR), false positive rate (FPR), and ROC curves. On the UNSW-NB15 dataset, accuracy is 99.54%, DR is 99.86%, and FPR is 0.01%. This approach is robust to overfitting, performs better than a single classifier and reduces variance, but it increases time complexity because multiple classifiers are used in parallel.
Liqun Liu et al. [27] focused on optimizing the efficiency and effectiveness of intrusion detection. The authors proposed objective-prejudgment-based intrusion detection together with a frequency self-adjustment algorithm for IoT. In this algorithm the huge data flow is integrated and analysed: PCA reduces the data dimensionality and eliminates features with low discrimination, and the suppressed fuzzy clustering (SFC) algorithm clusters the reduced data into high-risk and low-risk clusters. Detection duration (T), accuracy (P), and false alarm rate (F) were employed as evaluation parameters. The work reports a detection duration of around 40 s, an accuracy of 97.1%, and a false alarm rate of 1.5%. The efficiency is promising; nevertheless, the method will become inefficient as the data volume increases.
K. V. V. N. L Sai Kirana et al. [28] set out to build machine learning models that identify attacks in IoT networks. They employ the machine learning classifiers SVM, AdaBoost, decision trees, and Naïve Bayes to classify data into normal and attack classes. They used a NodeMCU ESP8266, a DHT11 sensor, and a wireless router to simulate an IoT environment, then built an adversary setup on a computer that performs poisoning and sniffing attacks against it. The steps they followed are: develop a testbed to mimic an IoT-based environment; develop an attack system to obtain attack data; obtain the flow of data in the system and generate normal and attack scenarios; build machine learning and DL methods to identify and categorize network attacks. The evaluation uses accuracy, error rate, sensitivity (recall), specificity, precision, F1, detection rate, and false alarm rate. The data was collected through ThingSpeak.
Abhishek Verma and Virender Ranga [29] focused on utilizing ML classification algorithms to build an IDS that secures IoT against DoS attacks. The authors evaluate seven ML algorithms: random forests, AdaBoost, gradient boosted machine, extremely randomized trees, classification and regression trees, and multi-layer perceptron. The evaluation is based on accuracy, specificity, sensitivity, and false positives. The proposed RF-based IDS outperforms the ensemble of random tree + Naïve Bayes and single classifiers like NB Tree and multilayer perceptron. Statistical analysis based on Friedman's ranking showed that the ensemble of 800 trees achieves the best results on the CIDDS-001, UNSW-NB15, and NSL-KDD datasets.
Mengmeng Ge et al. [30] focused on improving both the false positives and the false negatives of IDS detection in IoT. The authors proposed multiclass and binary classification schemes using feed-forward neural networks (FNN), evaluated by accuracy, precision, recall, and F1 score. The model achieved 99.414% accuracy for binary classification and 82% accuracy for multiclass classification on the Bot-IoT dataset. The multiclass results suffer from uncertainty because the field information of individual packets cannot capture certain attack behaviours at large scale, so binary classification gives the best results here.
Yazan Otoum et al. [20] focused on implementing an efficient intrusion detection system (IDS) in the Internet of Things (IoT) by classifying data as normal or anomalous across various attacks (DoS, U2R, R2L, and probe). The authors combined the spider monkey optimization (SMO) algorithm and the stacked deep polynomial network (SDPN) into a new IDS. SMO reduces the dimensionality of the network data by selecting a highly relevant feature subset, and the SDPN detects the attack behaviour. The evaluation is based on accuracy, precision, recall, and F1-score. The model achieved an accuracy of 99.02%, precision of 99.38%, recall of 98.91%, and F1 score of 99.14% on the NSL-KDD dataset. The size of the dataset, however, caused complexity when using deep learning algorithms.

4-Analysis of IDS in IoT studies:
Table 1: previous studies (the table is not reproduced; its only legible row reads: Abhishek Verma et al. [30], random forests / AdaBoost / gradient boosted machine, low performance in a real-world environment because the dataset is old).

5-The different challenges of IoT anomaly-based intrusion detection systems
In the Internet of Things environment, researchers face many challenges due to the varied nature of IoT data, such as complexity, data imbalance and redundancy. Therefore, we review some of these challenges according to device capability and the data generation of the IoT environment:

IoT devices limitation:
Generally, IoT devices have limited capacity in terms of memory, processor, and battery lifetime. In the following sections, we discuss the IoT device challenges according to different environments and computational technologies.

Heterogeneity:
The Internet of Things is a wide environment to which many devices, protocols, and different standards are connected, so the heterogeneity between these devices is very large. Because these devices and protocols are not homogeneous, they produce a variety of data [5], which poses a real challenge for the researcher. One of the most important problems of heterogeneity is that it brings harmful or low-quality data and thus affects the functioning of the system. Data heterogeneity can be classified in terms of data quality, data quantity, etc. Heterogeneity between devices leads to gaps that make it easier for attacks to exploit them and attack the system, which affects the performance of the model and reduces its efficiency. One suggested solution for handling heterogeneity is to implement a smart central server based on reinforcement learning, which achieves better performance [37]. IoT systems are widely distributed, so they are difficult to manage, and the challenge of protecting them from penetration arises from the heterogeneity among them.

Time complexity and memory usage:
Time complexity is the computational complexity that describes the amount of time a model needs to produce results; it is directly proportional to the size of the data, so an increase in data size leads to an increase in time complexity. IoT data is streaming data and therefore large, so its time complexity is high because of the data volume [38]. Another cause of time complexity is data diversity: the heterogeneity of the devices leads to varied data that is harder to process and takes more time. To reduce time complexity, one must use methods and techniques that discard unnecessary and duplicate data, which consumes a long processing time, is useless, and may even be harmful [39].
IoT data requires a very large amount of memory, mainly because of data diversity, data size, and data velocity, which poses a challenge to researchers. Given the pressure the data volume places on the Internet infrastructure, one proposed solution is cloud computing, which addresses the storage and processing of data, reduces the memory problem for IoT, increases the efficiency and performance of the system, and also allows remote access to the data without delay [40].

Optimal Data Capture and Processing:
A major issue arises within the IoT framework as more information is transmitted through the system. Because a huge amount of the information is meaningless to the client, methods for filtering the information before storage will be needed and will rise as an important research area. Collecting data from devices, shaping the topology, forwarding packets, optimizing resources and power, optimizing coverage, efficient assignment of tasks, and security are important challenges in the IoT environment [41]. Collecting and processing data in a short time with good results is one of the problems of the IoT environment, as traditional networks take a long time to achieve a satisfactory data delivery rate [42]. Data in the IoT environment is very large and continuously flowing, and is therefore difficult to process and deal with, because of the continuous change in the shape and size of the data; collecting and processing it is thus a great challenge. And because the shape of the data is diverse and different, we need advanced technologies to link this data together; some of it is configured to be processed so that the necessary data can be extracted from it [43].

Interoperability:
Interoperability can be defined as the ability to create systems or devices that cooperate with each other efficiently. The basic idea of the proposed architecture is to divide the IoT environment into small spaces to facilitate its management [44]. The semantic information broker (SIB) provides a way for agents to share semantic information with each other, and also provides real-time monitoring and updating of the physical world. The main observation about the architecture is that its performance scales very well once the broker's interaction operations are used, and it also allows interaction with the physical world in real time; the architecture needs tools to support the development and deployment of devices and applications in future IoT systems [45]. ISO/IEC defines interoperability as "the ability to communicate, execute programs, or transfer data between different functional units in a way that requires the user to have little or no knowledge of the unique properties of those units" [46]. In a broader perspective, the IEEE defines interoperability as "the ability of two or more systems or components to exchange information and use the information that has been exchanged". According to this definition, interoperability is achieved by setting standards. Interoperability in the Internet of Things can be defined as the ability of two systems to communicate and share services with each other [47].

Different challenges in IoT-IDS datasets within machine learning:
Machine learning algorithms are widely used to solve IoT-IDS problems, and the reported results show the accuracy of these algorithms on such challenges. We review the following challenges:

Imbalanced Data:
Imbalanced classification refers to a classification predictive modelling problem where the number of examples in the training dataset for each class label is not balanced, that is, where the class distribution is not equal or close to equal but biased or skewed. The distribution can vary from a slight bias to a severe imbalance with a single example in the minority class against hundreds, thousands, or millions of examples in the majority class or classes [48]. The techniques used for this challenge are over-sampling, under-sampling, and SMOTE. They are used in data mining and data analytics to modify unequal class sizes and create balanced datasets that are more representative of real-world data. The serious limitation of sampling methods is that they involve biased selection and can thereby lead to erroneous conclusions; bias arises when the method used to select the sample is faulty. Relatively small samples properly selected may be much more reliable than large samples poorly selected [49].
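The studies in section 3 report accuracy, detection rate, FPR, precision and F1, and the passage above explains why the class distribution matters to those numbers. The Python block below is an added example, not code from this paper or from any reviewed study: on a constructed dataset of 980 benign and 20 attack flows it computes those metrics from the confusion matrix, shows that a classifier that answers "benign" for everything still reaches 98% accuracy with a detection rate of zero, and then rebalances the data with random over-sampling, random under-sampling, and a simple SMOTE-style interpolation. The feature values and the 980:20 ratio are constructed assumptions.

```python
import random
from collections import Counter

# Constructed flow records (not from any published dataset): each sample is
# ((packet_rate, mean_payload_bytes), label) with 0 = benign, 1 = attack.
# The 980:20 split mimics the heavy class imbalance of real IDS datasets.
def make_dataset(seed=7):
    rng = random.Random(seed)
    benign = [((rng.uniform(1, 20), rng.uniform(100, 800)), 0) for _ in range(980)]
    attack = [((rng.uniform(200, 900), rng.uniform(10, 60)), 1) for _ in range(20)]
    return benign + attack


def ids_metrics(y_true, y_pred):
    """Metrics the reviewed studies report, computed from the confusion matrix
    (attack = positive class): accuracy, detection rate (recall/TPR), FPR, precision, F1."""
    tp = sum(1 for t, p in zip(y_true, y_pred) if t == 1 and p == 1)
    tn = sum(1 for t, p in zip(y_true, y_pred) if t == 0 and p == 0)
    fp = sum(1 for t, p in zip(y_true, y_pred) if t == 0 and p == 1)
    fn = sum(1 for t, p in zip(y_true, y_pred) if t == 1 and p == 0)
    div = lambda a, b: a / b if b else 0.0
    precision, dr = div(tp, tp + fp), div(tp, tp + fn)
    return {
        "accuracy": div(tp + tn, tp + tn + fp + fn),
        "detection_rate": dr,
        "fpr": div(fp, fp + tn),
        "precision": precision,
        "f1": div(2 * precision * dr, precision + dr),
    }


def class_counts(samples):
    return dict(Counter(label for _, label in samples))


def _groups(samples):
    groups = {}
    for x, y in samples:
        groups.setdefault(y, []).append((x, y))
    return groups


def random_oversample(samples, seed=0):
    """Duplicate randomly chosen samples of each smaller class until it matches the largest."""
    rng = random.Random(seed)
    groups = _groups(samples)
    target = max(len(g) for g in groups.values())
    out = []
    for g in groups.values():
        out.extend(g)
        out.extend(rng.choice(g) for _ in range(target - len(g)))
    rng.shuffle(out)
    return out


def random_undersample(samples, seed=0):
    """Keep a random subset of each larger class so every class matches the smallest."""
    rng = random.Random(seed)
    groups = _groups(samples)
    target = min(len(g) for g in groups.values())
    out = []
    for g in groups.values():
        out.extend(rng.sample(g, target))
    rng.shuffle(out)
    return out


def smote(samples, minority=1, k=3, seed=0):
    """SMOTE-style oversampling for a binary problem: each synthetic minority point lies on
    the segment between a minority sample and one of its k nearest minority neighbours."""
    rng = random.Random(seed)
    minor = [x for x, y in samples if y == minority]
    need = sum(1 for _, y in samples if y != minority) - len(minor)
    synthetic = []
    for _ in range(need):
        x = rng.choice(minor)
        nbrs = sorted((p for p in minor if p is not x),
                      key=lambda p: sum((a - b) ** 2 for a, b in zip(p, x)))[:k]
        nb = rng.choice(nbrs)
        u = rng.random()
        synthetic.append((tuple(a + u * (b - a) for a, b in zip(x, nb)), minority))
    return samples + synthetic


if __name__ == "__main__":
    data = make_dataset()
    y = [label for _, label in data]
    print("always-benign classifier:", ids_metrics(y, [0] * len(y)))
    print("rate>100 classifier:    ", ids_metrics(y, [1 if x[0] > 100 else 0 for x, _ in data]))
    print("original:", class_counts(data))
    print("oversampled:", class_counts(random_oversample(data)))
    print("undersampled:", class_counts(random_undersample(data)))
    print("SMOTE:", class_counts(smote(data)))
```

Rebalancing must be applied to the training split only; the evaluation split keeps its natural distribution, otherwise the reported detection rate and FPR no longer describe what the IDS will see in operation.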

Missing values:
Missing values are a common and unavoidable challenge in the data processing and analysis phase. They arise from failure to collect the samples correctly, failure to store the data, or restrictions in the data acquisition process, and the resulting data loss has a noticeable impact [50]. Missing values lead to poor knowledge extraction and wrong conclusions, which affects the operation of the system and reduces the efficiency and accuracy of the extracted model. For numeric attributes the mean technique is used, and for nominal attributes the most frequent value. The "mean" strategy replaces missing values with the mean of the column; "most frequent" replaces them with the most common value in the column, and "constant" replaces them with a constant value. The weakness of the mean technique is that it reduces the variance; with most frequent, one must make sure the class distribution is not very skewed [51].
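To make the imputation strategies concrete, the Python block below is an added example, not code from this paper, that implements mean, median, most-frequent and constant replacement on a constructed six-row flow table with missing cells, and quantifies the two caveats stated above: mean imputation shrinks the column variance, and most-frequent imputation only amplifies an already dominant value. The column names and values are constructed.

```python
from collections import Counter
from statistics import mean, median, pvariance

# Constructed IoT flow table (not real data); None marks a missing cell.
ROWS = [
    {"pkt_rate": 12.0, "payload": 300.0, "proto": "tcp"},
    {"pkt_rate": None, "payload": 320.0, "proto": "udp"},
    {"pkt_rate": 8.0,  "payload": None,  "proto": "tcp"},
    {"pkt_rate": 20.0, "payload": 280.0, "proto": None},
    {"pkt_rate": None, "payload": 900.0, "proto": "tcp"},
    {"pkt_rate": 10.0, "payload": 310.0, "proto": "icmp"},
]


def column(rows, name):
    return [r[name] for r in rows]


def fill_value(values, strategy, constant=None):
    """Value used to replace None under one strategy: mean and median for numeric columns,
    most_frequent for nominal columns, or a caller-supplied constant."""
    present = [v for v in values if v is not None]
    if strategy == "mean":
        return mean(present)
    if strategy == "median":
        return median(present)
    if strategy == "most_frequent":
        return Counter(present).most_common(1)[0][0]
    if strategy == "constant":
        return constant
    raise ValueError("unknown strategy: %s" % strategy)


def impute(rows, strategies):
    """strategies maps column -> (strategy, constant). Columns not listed are left untouched."""
    fills = {col: fill_value(column(rows, col), s, c) for col, (s, c) in strategies.items()}
    return [{col: (fills[col] if v is None and col in fills else v) for col, v in r.items()}
            for r in rows]


def variance_change(values, strategy):
    """Population variance of the observed values versus the column after imputation;
    mean imputation never raises it, which is the 'reduces the variance' caveat."""
    present = [v for v in values if v is not None]
    fill = fill_value(values, strategy)
    filled = [fill if v is None else v for v in values]
    return pvariance(present), pvariance(filled)


def dominance(values):
    """Share of the most common observed value; close to 1.0 means most_frequent
    imputation will simply amplify an already skewed distribution."""
    present = [v for v in values if v is not None]
    return Counter(present).most_common(1)[0][1] / len(present)


if __name__ == "__main__":
    filled = impute(ROWS, {"pkt_rate": ("mean", None),
                           "payload": ("median", None),
                           "proto": ("most_frequent", None)})
    for row in filled:
        print(row)
    print("pkt_rate variance before/after mean imputation:",
          variance_change(column(ROWS, "pkt_rate"), "mean"))
    print("share of dominant proto value:", dominance(column(ROWS, "proto")))
```

Median is used for the payload column because a single outlier (the 900-byte row) pulls the mean well away from the typical value; this is the usual reason to prefer the median for skewed numeric columns.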

Data redundancy:
The term big data refers to data with increasing volume, variety, and velocity, the so-called 3V. When the data is large in terms of sampling and prediction, the algorithms face a big problem and it becomes difficult to handle [52]. This problem is addressed by selecting only effective data using pre-processing techniques, one of the most important of which is feature selection [53]. Feature selection is the process of selecting relevant and influential features from the raw dataset and removing unnecessary ones. It reduces the search space determined by the features, which makes the learning process easier and simpler and also reduces memory consumption. Feature selection can also be used in the data collection process, reducing the time needed and taking only the necessary samples in the early stages [54]. The chosen set of features is a subset of the original dataset that describes the original data adequately and thus makes it easier to understand and work with.
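As an added example (not code from this paper or from any reviewed study), the Python block below implements a simple correlation-based feature selection filter; the reviewed studies that use correlation, CorrAUC [17] and the AdaBoost NIDS [26], use their own more elaborate selectors, and this block only shows the principle on any numeric feature set. Features are ranked by their correlation with the label, irrelevant ones are dropped, and a feature that is nearly a linear copy of an already kept one is treated as redundant. The dataset, feature names and thresholds are constructed assumptions.

```python
import math
import random

# Constructed flow dataset (not from any published IDS dataset). Each row has four
# features: bytes_total is almost a linear function of pkt_rate (redundant), ttl is
# independent of the label (irrelevant), and dur is moderately informative.
FEATURES = ["pkt_rate", "bytes_total", "ttl", "dur"]


def make_dataset(n=2000, seed=1):
    rng = random.Random(seed)
    rows, labels = [], []
    for _ in range(n):
        attack = 1 if rng.random() < 0.3 else 0
        pkt_rate = rng.gauss(300.0 if attack else 20.0, 30.0)
        rows.append({
            "pkt_rate": pkt_rate,
            "bytes_total": 64.0 * pkt_rate + rng.gauss(0.0, 50.0),
            "ttl": float(rng.choice([64, 128, 255])),
            "dur": rng.gauss(10.0 if attack else 30.0, 10.0),
        })
        labels.append(attack)
    return rows, labels


def pearson(xs, ys):
    """Pearson correlation coefficient of two equal-length numeric sequences."""
    n = len(xs)
    mx, my = sum(xs) / n, sum(ys) / n
    cov = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    sx = math.sqrt(sum((x - mx) ** 2 for x in xs))
    sy = math.sqrt(sum((y - my) ** 2 for y in ys))
    return cov / (sx * sy) if sx and sy else 0.0


def select_features(rows, labels, names, min_label_corr=0.1, max_inter_corr=0.95):
    """Correlation-based filter: rank features by |corr(feature, label)|, drop those below
    min_label_corr (irrelevant), then drop any feature whose |corr| with an already kept,
    higher-ranked feature exceeds max_inter_corr (redundant).
    Returns (kept feature names, feature -> label correlation)."""
    cols = {nm: [r[nm] for r in rows] for nm in names}
    label_corr = {nm: pearson(cols[nm], labels) for nm in names}
    kept = []
    for nm in sorted(names, key=lambda k: -abs(label_corr[k])):
        if abs(label_corr[nm]) < min_label_corr:
            continue
        if any(abs(pearson(cols[nm], cols[k])) > max_inter_corr for k in kept):
            continue
        kept.append(nm)
    return kept, label_corr


def project(rows, kept):
    """Reduce each row to the selected subset (what a classifier would then be trained on)."""
    return [{k: r[k] for k in kept} for r in rows]


if __name__ == "__main__":
    rows, labels = make_dataset()
    kept, corr = select_features(rows, labels, FEATURES)
    for nm in FEATURES:
        print("%-12s corr with label = %+.3f" % (nm, corr[nm]))
    print("kept:", kept, "-> first row:", project(rows, kept)[0])
```

A linear correlation filter misses features whose relation to the label is non-linear, which is why the wrapper approaches in the reviewed studies evaluate a candidate subset with the actual classifier instead; the filter is the cheap first pass that removes the obviously redundant columns before that.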

Conclusion
In conclusion, this article reviewed 22 effective techniques leveraging various machine learning and optimization processes in intrusion detection systems. The analysis in this survey focused on accuracy as the primary criterion. We also checked for processing time and were disappointed to discover that the studies lacked any system performance data, including processing time. By and large, all of them demonstrated superior results on the accuracy measure. Additionally, we examined how machine learning methods may be used for cybersecurity and other security-related challenges. In the present research, conventional security solutions have garnered considerable attention, whereas security systems based on machine learning techniques have received less attention. We have reviewed pertinent security research for each widely used technique. This article offers an overview of the conceptualization, understanding, modelling, and reasoning processes involved in cybersecurity data science.