Table 5.
A comparative analysis between AI classification methods limited to IoT security.
| AI Algorithm | Description | Application/problem in IoT security systems | Advantages | Disadvantages |
|---|---|---|---|---|
| KNN | The k-NN algorithm chooses a class from the classes of the nearest neighbors; that is, it makes decisions by looking for one or more similar cases in the learning set. The trick is to determine the similarity between the data instances. k-NN captures the idea of similarity (also called distance, proximity or closeness) | Anomaly detection, malware/intrusion detection in IoT, security of IoT networks, false data injection, DDoS detection in IoT, impersonation attacks, authentication of an IoT element | Simple and easy to apply | KNN is time-consuming when identifying missing nodes, which poses a challenge in terms of accuracy; memory limitation |
| SVM | SVM is a supervised ML technique with low computational complexity, used for regression and classification. The original principle of the method is simple: it seeks a decision surface, or hyperplane, that separates two classes | Authentication of an IoT element, intrusion/malware detection, malware analysis in IoT, smart grid attacks, DDoS detection in IoT, abnormal behavior and data tampering, security of mobile networks | SVM has a high level of accuracy, which makes it well suited for security applications in IoT [52] | It is difficult to use an optimal kernel function [52] |
| DT | It is a type of ML that is mostly used for classification problems. The best-known methods for automatically building DTs are the ID3 and C4.5 algorithms | Authentication of an IoT element, intrusion detection, DDoS detection in IoT, detection of suspicious traffic sources | Easy to implement, simple construction, handles large data samples [52] | DT requires a large space to store data because of its large construction [52]; high complexity |
| NB | NB is a probabilistic model based on Bayes' theorem. The Bayesian network is a probabilistic graphical model for knowledge acquisition, enrichment and exploitation | In IoT, NB is usually used to detect intrusion in the network layer; anomaly detection; security of an IoT element [52] | Simple to understand, requires less data for classification, easy to implement [52] | Bayes classifiers are less accurate; storage of training samples |
| EL | EL combines heterogeneous/homogeneous multi-classifiers to achieve an accurate result | Anomaly/malware detection, intrusion detection, authentication | It is well suited for solving most problems | High time complexity |
| RF | It is an ensemble (a set) of DTs. The goal of this category is to group all weak classifiers to form a strong classifier | DDoS detection in IoT, malware analysis in IoT, anomaly detection, intrusion/malware detection [52], identification of unauthorized IoT devices in network surface attacks | RF classifier handles missing values and maintains accuracy for missing data | It needs more training data sets to create DTs which identify sudden unauthorized intrusions [52] |
| NN | An NN consists of neurons connected through weighted connections. NNs are an artificial method for addressing reasoning and learning problems. Different types of NNs are used to improve classification (ANN, CNN, RNN) | DDoS detection in IoT, increasing IoT system performance, intrusion attack detection | NN techniques reduce the network response time and subsequently increase the performance of the IoT system | NNs are computationally complex; black box; NNs are hard to implement in a distributed IoT system |
| ANN | It is one of the types of NN. The functioning of ANN is inspired by the neurons of the human brain. The ANN network can do the following: learning/training, classification and prediction. The ANN has been exploited as a mechanism for classification, detection, clustering, and diagnostics | Anomaly/intrusion detection; security of IoT networks; in IoT systems, ANN techniques were used to train the machines for anomaly detection [52]; DDoS attack detection; malware analysis in IoT; classification and detection of ransomware | ANN is much less complex compared to others; it gives good results | ANN requires a learning step/phase that takes time |
| CNN | CNN is a deep discriminative model. It is one of the types of NN. CNN is a DL model. It consists of multiple hidden layers such as convolutional, pooling, fully connected and normalization layers. The most important layer is the convolutional layer | Malware analysis in IoT, classification and detection of ransomware, intrusion detection | CNN requires less time for training; fast recognition of the nature of the attack | CNN requires high computational power |
| RNN | RNN is a deep discriminative model. It is one of the types of NN. RNNs are derived from FFNN with loops and memories | Malware analysis in IoT; intrusion/anomaly detection; RNN is used to train the IDS model; classification and detection of ransomware | RNN solves the limitation of lack of memory to recall previous events [21] | Vanishing gradient problem, exploding gradient, long-term dependency |
| LSTM | It is a DL method which is a variant of the RNN architecture. The LSTM consists of gates and memory cells. The LSTM method works in three stages: Forget Gate, Update Gate/Input Gate, and Output Gate | Intrusion/malware detection; classifying malicious traffic; detection of malicious activities; detection of attacks in Fog-to-Things; detecting abnormalities in the IoT; detecting SQL and XSS attacks. LSTM can be used to learn patterns and features in network data to classify them as attack or benign [21]. The LSTM can be used to recognize repeated attack patterns in a long sequence of packets [21]. The LSTM network is enormously important for detecting malware injection and phishing sites | Most powerful; higher accuracy; well suited for tasks which need long-term memory; strong against the vanishing gradient problem; able to learn patterns in long sequences [21]; effective in training on unstructured datasets such as those of the IoT [21]; it perfectly classifies normal and attack instances into their respective classes [21]; it reduces the burden of feature engineering over classical ML because LSTM operates on raw data [21]; it is resilient against adversaries [21]; the gradient vanishing or explosion problem can be solved using different gate units in LSTM. This method is also designed to solve RNN problems: LSTMs have a unique formulation/construct that allows them to prevent vanilla RNN scaling and training problems, avoiding the back-propagation (BP) error which either explodes or decays exponentially | More complicated |
| MLP | It is a type of ANN. MLPs are trained with the BP (back-propagation) algorithm. It is an FFNN (Feedforward Neural Network). FFNNs were the first NNs proposed | DoS attack detection in sensor networks, classifying network traffic, classification and detection of ransomware | MLPs solve complex problems | MLPs suffer from vanishing gradients, overfitting, and underfitting |
| DBN | DBN is a generative model. It is a type of DNN [49]. It is a multi-layer belief network [13] where each layer is an RBM | Intrusion detection [13], network abnormal behavior detection [49] | DBN achieved better performance than the RBM model | High computational cost |
| RBM | RBM is a generative model. It is a kind of ANN [49]. It comprises two types of process: the learning and testing phases. RBMs can be used within the context of IDS | Intrusion detection | The RBM can correctly distinguish between anomalous and normal behavior within a network [9] | High computational cost |
| DAE | DAE is a generative model. It was utilized by Shone et al., 2018 [13] for cyber security intrusion detection. It consists of an input layer, multiple hidden layers and an output layer | IoT botnet attack detection [49], intrusion detection | DAE is important for feature extraction | High computational time |
| GAN | It is a relatively new class of ANNs [56], the main aim of which is to generate certain objects [55]. The GAN combines two NNs, one of which generates/creates the objects, while the second estimates them | Anomaly detection, intrusion detection [55], security anomalies [55] | Generation of objects from specific classes; fast convergence [55] | Difficult to train |
| AAE | AAE (Adversarial Autoencoder) is similar to FFNN. It is a probabilistic autoencoder which uses the GAN [58]. AAE is a generative autoencoder | Anomaly detection | AAE increases the performance of the autoencoder with adversarial loss [58] | AAE imposes complicated distributions |