Abstract
With the continuous increase in cyberattacks over the past few decades, the quest to develop a comprehensive, robust, and effective intrusion detection system (IDS) in the research community has gained traction. Many of the recently proposed solutions lack a holistic IDS approach due to explicitly relying on attack signature repositories, outdated datasets or the lack of considering zero-day (unknown) attacks while developing, training, or testing the machine learning (ML) or deep learning (DL)-based models. Overlooking these factors makes the proposed IDS less robust or practical in real-time environments. On the other hand, detecting zero-day attacks is a challenging subject, despite the many solutions proposed over the past many years. One of the goals of this systematic literature review (SLR) is to provide a research asset to future researchers on various methodologies, techniques, ML and DL algorithms that researchers used for the detection of zero-day attacks. The extensive literature review on the recent publications reveals exciting future research trends and challenges in this particular field. With all the advances in technology, the availability of large datasets, and the strong processing capabilities of DL algorithms, detecting a completely new or unknown attack remains an open research area. This SLR is an effort towards completing the gap in providing a single repository of finding ML and DL-based tools and techniques used by researchers for the detection of zero-day attacks.
This is a preview of subscription content, log in via an institution to check access.
Similar content being viewed by others
References
Abdalgawad N, Sajun A, Kaddoura Y, Zualkernan IA, Aloul F (2022) Generative deep learning to detect cyberattacks for the IoT-23 dataset. IEEE Access 10:6430–6441. https://doi.org/10.1109/ACCESS.2021.3140015
Agrawal S, Sarkar S, Aouedi O, Yenduri G, Piamrat K, Bhattacharya S, Maddikunta PKR, Gadekallu TR (2021) Federated learning for intrusion detection system: concepts, challenges and future directions. https://arxiv.org/abs/2106.09527v1
Ahmad R, Alsmadi I (2021) Machine learning approaches to IoT security: a systematic literature review. Internet Things 14:100365. https://doi.org/10.1016/j.iot.2021.100365
Alam MS, Yakopcic C, Subramanyam G, Taha TM (2020) Memristor based neuromorphic adaptive resonance theory for one-shot online learning and network intrusion detection. In: International conference on neuromorphic systems 2020, pp 1–8
Aljawarneh S, Aldwairi M, Yassein MB (2018) Anomaly-based intrusion detection system through feature selection analysis and building hybrid efficient model. J Comput Sci 25:152–160. https://doi.org/10.1016/j.jocs.2017.03.006
Al-Zewairi M, Almajali S, Ayyash M (2020) Unknown security attack detection using shallow and deep ANN classifiers. Electronics 9(12):2006. https://doi.org/10.3390/electronics9122006
Andresini G, Appice A, Mauro ND, Loglisci C, Malerba D (2020) Multi-channel deep feature learning for intrusion detection. IEEE Access 8:53346–53359. https://doi.org/10.1109/ACCESS.2020.2980937
Andropov S, Guirik A, Budko M, Budko M (2017) Network anomaly detection using artificial neural networks. In: 2017 20th conference of open innovations association (FRUCT), pp 26–31. https://doi.org/10.23919/FRUCT.2017.8071288
Anindya IC, Kantarcioglu M (2018) Adversarial anomaly detection using centroid-based clustering. In: 2018 IEEE international conference on information reuse and integration (IRI). IEEE, pp 1–8
Anthi E, Williams L, Słowińska M, Theodorakopoulos G, Burnap P (2019) A supervised intrusion detection system for smart home IoT devices. IEEE Internet Things J 6(5):9042–9053. https://doi.org/10.1109/JIOT.2019.2926365
Asam M, Khan SH, Akbar A, Bibi S, Jamal T, Khan A, Ghafoor U, Bhutta MR (2022) IoT malware detection architecture using a novel channel boosted and squeezed CNN. Sci Rep 12(1):15498. https://doi.org/10.1038/s41598-022-18936-9
Ashfaq Khan M, Karim M, Kim Y (2019) A scalable and hybrid intrusion detection system based on the convolutional-LSTM network. Symmetry 11:583. https://doi.org/10.3390/sym11040583
Ashi Z, Al-Fawa’reh M, Al-Fayoumi M (2020) Fog computing: security challenges and countermeasures. Int J Comput Appl 175(15):30–36. https://doi.org/10.5120/ijca2020920648
Ashiku L, Dagli C (2021) Network intrusion detection system using deep learning. Procedia Comput Sci 185:239–247. https://doi.org/10.1016/j.procs.2021.05.025
Attenberg J, Ipeirotis P, Provost F (2015) Beat the machine: challenging humans to find a predictive model’s “unknown unknowns.” J Data Inf Qual 6(1):11–117. https://doi.org/10.1145/2700832
Attia TM (2019) Challenges and opportunities in the future applications of IoT technology. https://www.econstor.eu/handle/10419/201752
Aygun RC, Yavuz AG (2017) Network anomaly detection with stochastically improved autoencoder based models. In: 2017 IEEE 4th international conference on cyber security and cloud computing (CSCloud), pp 193–198. https://doi.org/10.1109/CSCloud.2017.39
Bayoğlu B, Soğukpınar İ (2012) Graph based signature classes for detecting polymorphic worms via content analysis. Comput Netw 56:832–844
Bendale A, Boult TE (2016) Towards open set deep networks. In: 2016 IEEE conference on computer vision and pattern recognition (CVPR), pp 1563–1572. https://doi.org/10.1109/CVPR.2016.173
Bhargavi M, Kumar MN, Meenakshi NV, Lasya N (2019) Intrusion detection techniques used for internet of things. Internal J Applied Eng Res 14(24):5 pp. 4462–4466
Bhatia R, Benno S, Esteban J, Lakshman TV, Grogan J (2019) Unsupervised machine learning for network-centric anomaly detection in IoT. In: Proceedings of the 3rd ACM CoNEXT workshop on Big DAta, machine learning and artificial intelligence for data communication networks, pp 42–48. https://doi.org/10.1145/3359992.3366641
Bîrlog I, Borcan D, Covrig G (2020) Internet of things hardware and software. Informatica Economica 24(2):54–62. https://doi.org/10.24818/issn14531305/24.2.2020.05
Boutaba R, Salahuddin MA, Limam N, Ayoubi S, Shahriar N, Estrada-Solano F, Caicedo OM (2018) A comprehensive survey on machine learning for networking: evolution, applications and research opportunities. J Internet Serv Appl 9(1):16. https://doi.org/10.1186/s13174-018-0087-2
Brindha S, Abirami P, Arjun V, Logesh B, Mohammed S (2020) Heuristic approach to intrusion detection system. Int Res J Eng Technol 07(03):3
Campos GO, Zimek A, Sander J, Campello RJGB, Micenková B, Schubert E, Assent I, Houle ME (2016) On the evaluation of unsupervised outlier detection: measures, datasets, and an empirical study. Data Min Knowl Disc 30(4):891–927. https://doi.org/10.1007/s10618-015-0444-8
Chaabouni N, Mosbah M, Zemmari A, Sauvignac C, Faruki P (2019) Network intrusion detection for IoT security based on learning techniques. IEEE Commun Surv Tutor 21(3):2671–2701. https://doi.org/10.1109/COMST.2019.2896380
Chandola V, Banerjee A, Kumar V (2009) Anomaly detection: a survey. ACM Comput Surv 41(3):1–58
Charyyev B, Gunes MH (2020) Detecting anomalous IoT traffic flow with locality sensitive hashes. In: GLOBECOM 2020–2020 IEEE global communications conference, pp 1–6. https://doi.org/10.1109/GLOBECOM42002.2020.9322559
Chatterjee S, Hanawal MK (2021) Federated learning for intrusion detection in IoT security: a hybrid ensemble approach. https://arxiv.org/abs/2106.15349v1
Chaudhary P, Gupta BB (2019) DDoS detection framework in resource constrained internet of things domain. In: 2019 IEEE 8th global conference on consumer electronics (GCCE), pp 675–678. https://doi.org/10.1109/GCCE46687.2019.9015465
Chiba Z, Abghour N, Moussaid K, Omri AE, Rida M (2019) Newest collaborative and hybrid network intrusion detection framework based on suricata and isolation forest algorithm. In: Proceedings of the 4th international conference on smart city applications, pp 1–11. https://doi.org/10.1145/3368756.3369061
Chouhan N et al (2019) Network anomaly detection using channel boosted and residual learning based deep convolutional neural network. Appl Soft Comput 83:105612. https://doi.org/10.1016/j.asoc.2019.105612
Chung Y, Haas PJ, Upfal E, Kraska T (2019a) Learning unknown examples for ML model generalization. [Cs, Stat]. http://arxiv.org/abs/1808.08294
Chung Y, Haas PJ, Upfal E, Kraska T (2019b) Unknown examples & machine learning model generalization. [Cs, Stat]. http://arxiv.org/abs/1808.08294
Cisco (2020) Cisco annual internet report (2018–2023) white paper. Cisco. https://www.cisco.com/c/en/us/solutions/collateral/executive-perspectives/annual-internet-report/white-paper-c11-741490.html
Cook DJ, Greengold NL, Ellrodt AG, Weingarten SR (1997) The relation between systematic reviews and practice guidelines. Ann Intern Med 127(3):210–216. https://doi.org/10.7326/0003-4819-127-3-199708010-00006
Cui Z, Ke R, Pu Z, Wang Y (2019) Deep bidirectional and unidirectional LSTM recurrent neural network for network-wide traffic speed prediction. [Cs]. http://arxiv.org/abs/1801.02143
Das S, Venugopal D, Shiva S, Sheldon FT (2020) Empirical evaluation of the ensemble framework for feature selection in DDoS attack, pp 56–61. https://doi.org/10.1109/CSCloud-EdgeCom49738.2020.00019
Dau HA, Ciesielski V, Song A (2014) Anomaly detection using replicator neural networks trained on examples of one class. In: Dick G, Browne WN, Whigham P, Zhang M, Bui LT, Ishibuchi H, Jin Y, Li X, Shi Y, Singh P, Tan KC, Tang K (eds) Simulated evolution and learning. Springer International Publishing, Cham, pp 311–322. https://doi.org/10.1007/978-3-319-13563-2_27
De Michele R, Furini M (2019) IoT healthcare: benefits, issues, and challenges. In: Proceedings of the 5th EAI international conference on smart objects and technologies for social good, pp 160–164. https://doi.org/10.1145/3342428.3342693
Dietterich TG (2017) Steps toward robust artificial intelligence. AI Mag 38(3):3–24. https://doi.org/10.1609/aimag.v38i3.2756
Duessel P, Gehl C, Flegel U, Dietrich S, Meier M (2017) Detecting zero-day attacks using context-aware anomaly detection at the application-layer. Int J Inf Secur 16(5):475–490
Engelbrecht ER, du Preez JA (2020) Learning with an augmented (unknown) class using neural networks. Sci Afr 10:e00600. https://doi.org/10.1016/j.sciaf.2020.e00600
Fei G, Liu B (2016) Breaking the closed world assumption in text classification. In: Proceedings of the 2016 conference of the North American chapter of the association for computational linguistics: human language technologies, pp 506–514. https://doi.org/10.18653/v1/N16-1061
Feng F, Liu X, Yong B, Zhou R, Zhou Q (2019a) Anomaly detection in ad-hoc networks based on deep learning model: a plug and play device. Ad Hoc Netw. https://doi.org/10.1016/j.adhoc.2018.09.014
Feng Z, Xu C, Tao D (2019b) Self-supervised representation learning from multi-domain data. In: 2019b IEEE/CVF international conference on computer vision (ICCV). https://doi.org/10.1109/ICCV.2019.00334
Fernandes Silveira FA, Lima-Filho F, Dantas Silva FS, de Medeiros Brito Junior A, Silveira LF (2020) Smart detection-IoT: a DDoS sensor system for internet of things. In: 2020 international conference on systems, signals and image processing (IWSSIP), pp 343–348. https://doi.org/10.1109/IWSSIP48289.2020.9145265
Ferrag MA, Maglaras L, Ahmim A, Derdour M, Janicke H (2020) RDTIDS: rules and decision tree-based intrusion detection system for internet-of-things networks. Futur Internet 12(3):44. https://doi.org/10.3390/fi12030044
Fotiadou K, Velivassaki T-H, Voulkidis A, Skias D, Tsekeridou S, Zahariadis T (2021) Network traffic anomaly detection via deep learning. Information 12(5):215. https://doi.org/10.3390/info12050215
Garcia S, Parmisano A, Erquiaga MJ (2020) IoT-23: a labeled dataset with malicious and benign IoT network traffic. Zenodo. https://doi.org/10.5281/zenodo.4743746
García-Teodoro P, Díaz-Verdejo J, Maciá-Fernández G, Vázquez E (2009) Anomaly-based network intrusion detection: Techniques, systems and challenges. Comp Sec 28(1):18–28. https://doi.org/10.1016/j.cose.2008.08.003
Garitano I, Uribeetxeberria R, Zurutuza U (2011) A review of SCADA anomaly detection systems. In: Soft computing models in industrial and environmental applications, 6th international conference SOCO 2011. Springer, Berlin, Heidelberg, pp 357–366
Godala S, Vaddella RPV (2020) A study on intrusion detection system in wireless sensor networks. Int J Commun Netw Inf Secur 12(1):127–41
Global new malware volume (2020) Statista. http://www.statista.com/statistics/680953/global-malware-volume/. Accessed 29 July 2021
Gogoi P, Bhattacharyya DK, Borah B, Kalita JK (2011) A survey of outlier detection methods in network anomaly identification. Comput J 54(4):570–588. https://doi.org/10.1093/comjnl/bxr026
Goldstein M, Uchida S (2016) A comparative evaluation of unsupervised anomaly detection algorithms for multivariate data. PLoS ONE 11(4):e0152173
Hagan Memorial Library (2020) University of the Cumberlands. https://www.ucumberlands.edu/library
Hamija AR, Günther M, Boult TE (2018) Reducing network agnostophobia. [Cs]. http://arxiv.org/abs/1811.04110
Hammad M, Hewahi N, Elmedany W (2021) T-SNERF: a novel high accuracy machine learning approach for Intrusion detection systems. IET Inf Secur 15(2):178–190. https://doi.org/10.1049/ise2.12020
Hassen M, Chan PK (2020a) Learning a neural-network-based representation for open set recognition. In: Proceedings of the 2020a SIAM international conference on data mining (SDM). Society for Industrial and Applied Mathematics, pp 154–162. https://doi.org/10.1137/1.9781611976236.18
Hassen M, Chan PK (2020b) Unsupervised open set recognition using adversarial autoencoders. In: 2020b 19th IEEE international conference on machine learning and applications (ICMLA), pp 360–365. https://doi.org/10.1109/ICMLA51294.2020.00064
He S, Zhu J, He P, Lyu MR (2016) Experience report: system log analysis for anomaly detection. In 2016 IEEE 27th international symposium on software reliability engineering (ISSRE). IEEE, pp 207–218
He Z, Rezaei A, Homayoun H, Sayadi H (2022) Deep neural network and transfer learning for accurate hardware-based zero-day malware detection. In Proceedings of the Great Lakes Symposium on VLSI 2022, pp 27–32
Hindy H, Atkinson R, Tachtatzis C, Colin J-N, Bayne E, Bellekens X (2020) Utilising deep learning techniques for effective zero-day attack detection. Electronics 9(10):1684. https://doi.org/10.3390/electronics9101684
Hinnefeld JH, Cooman P, Mammo N, Deese R (2018) Evaluating fairness metrics in the presence of dataset bias. [Cs, LG]. http://arxiv.org/abs/1809.09245
Hong Z, Chen W, Huang H, Guo S, Zheng Z (2019) Multi-hop cooperative computation offloading for industrial IoT–edge–cloud computing environments. IEEE Trans Parallel Distrib Syst 30(12):2759–2774. https://doi.org/10.1109/TPDS.2019.2926979
Hwang R-H, Peng M-C, Nguyen V-L, Chang Y-L (2019) An LSTM-based deep learning approach for classifying malicious traffic at the packet level. Appl Sci 9(16):3414. https://doi.org/10.3390/app9163414
Hwang R-H, Peng M-C, Huang C-W, Lin P-C, Nguyen V-L (2020) An unsupervised deep learning model for early network traffic anomaly detection. IEEE Access 8:30387–30399. https://doi.org/10.1109/ACCESS.2020.2973023
InfoSec (2021) The cost of zero-day attack protection. https://2020infosec.com/the-cost-of-zero-day-attackprotection. Accessed 23 May 2021
Ioulianou P, Vasilakis V, Moscholios I, Logothetis M (2018) A signature-based intrusion detection system for the internet of things. Information and Communication Technology Form, AUT. https://eprints.whiterose.ac.uk/133312/
Jiang F, Fu Y, Gupta BB, Liang Y, Rho S, Lou F, Meng F, Tian Z (2020) Deep learning based multi-channel intelligent attack detection for data security. IEEE Trans Sustain Comput 5(2):204–212. https://doi.org/10.1109/TSUSC.2018.2793284
Jin Y (2019) Towards hardware-assisted security for IoT systems. In: 2019 IEEE computer society annual symposium on VLSI (ISVLSI), pp 632–637. https://doi.org/10.1109/ISVLSI.2019.00118
Jin D, Lu Y, Qin J, Cheng Z, Mao Z (2020) SwiftIDS: real-time intrusion detection system based on LightGBM and parallel intrusion detection mechanism. Comput Secur 97:101984. https://doi.org/10.1016/j.cose.2020.101984
Jo I, Kim J, Kang H, Kim Y-D, Choi S (2018) Open set recognition by regularising classifier with fake data generated by generative adversarial networks. In: 2018 IEEE international conference on acoustics, speech and signal processing (ICASSP), pp 2686–2690. https://doi.org/10.1109/ICASSP.2018.8461700
Kelly C, Pitropakis N, McKeown S, Lambrinoudakis C (2020) Testing and hardening IoT devices against the Mirai botnet. In: 2020 international conference on cyber security and protection of digital services (cyber security), pp 1–8. https://doi.org/10.1109/CyberSecurity49315.2020.9138887
Khan AY, Latif R, Latif S, Tahir S, Batool G, Saba T (2020) Malicious insider attack detection in IoTs using data analytics. IEEE Access 8:11743–11753. https://doi.org/10.1109/ACCESS.2019.2959047
Khan AS, Ahmad Z, Abdullah J, Ahmad F (2021) A spectrogram image-based network anomaly detection system using deep convolutional neural network. IEEE Access 9:87079–87093. https://doi.org/10.1109/ACCESS.2021.3088149
Khare S, Totaro M (2020) Ensemble learning for detecting attacks and anomalies in IoT smart home. In: 2020 3rd international conference on data intelligence and security (ICDIS), pp 56–63. https://doi.org/10.1109/ICDIS50059.2020.00014
Khare N, Devan P, Chowdhary CL, Bhattacharya S, Singh G, Singh S, Yoon B (2020) SMO-DNN: spider monkey optimization and deep neural network hybrid classifier model for intrusion detection. Electronics 9(4):692. https://doi.org/10.3390/electronics9040692
Khraisat A, Gondal I, Vamplew P, Kamruzzaman J (2019) Survey of intrusion detection systems: techniques, datasets and challenges. Cybersecurity 2(1):20. https://doi.org/10.1186/s42400-019-0038-7
Khraisat A, Gondal I, Vamplew P, Kamruzzaman J, Alazab A (2020) Hybrid intrusion detection system based on the stacking ensemble of C5 decision tree classifier and one class support vector machine. Electronics 9(1):173. https://doi.org/10.3390/electronics9010173
Kim JY, Bu SJ, Cho SB (2018a) Zero-day malware detection using transferred generative adversarial networks based on deep autoencoders. Inf Sci 460:83–102
Kim T, Suh SC, Kim H, Kim J, Kim J (2018b) An encoding technique for CNN-based network anomaly detection. In: 2018b IEEE international conference on Big Data (Big Data), pp 2960–2965. https://doi.org/10.1109/BigData.2018.8622568
Kim S, Hwang C, Lee T (2020) Anomaly based unknown intrusion detection in endpoint environments. Electronics 9(6):1022. https://doi.org/10.3390/electronics9061022
Ko C (2000) Logic induction of valid behavior specifications for intrusion detection. In: Proceeding 2000 IEEE symposium on security and privacy. S P 2000, pp 142–153. https://doi.org/10.1109/SECPRI.2000.848452
Koroniotis N, Moustafa N, Sitnikova E, Turnbull B (2018) Towards the development of realistic botnet dataset in the internet of things for network forensic analytics: Bot-IoT dataset. [Cs]. http://arxiv.org/abs/1811.00701
Koroniotis N, Moustafa N, Sitnikova E, Turnbull B (2019) Towards the development of realistic botnet dataset in the internet of things for network forensic analytics: Bot-IoT dataset. Futur Gener Comput Syst 100:779–796. https://doi.org/10.1016/j.future.2019.05.041
Kosek AM (2016) Contextual anomaly detection for cyber-physical security in smart grids based on an artificial neural network model. In 2016 joint workshop on cyber-physical security and resilience in smart grids (CPSR-SG). IEEE, pp 1–6
Kotani G, Sekiya Y (2018) Unsupervised scanning behavior detection based on distribution of network traffic features using robust autoencoders. In: 2018 IEEE international conference on data mining workshops (ICDMW), pp 35–38. https://doi.org/10.1109/ICDMW.2018.00013
Kumar A, Lim TJ (2019) EDIMA: early detection of IoT malware network activity using machine learning techniques. [Cs]. http://arxiv.org/abs/1906.09715
Kumar S, Spafford EH (1994) An application of pattern matching in intrusion detection. Purdue University. https://docs.lib.purdue.edu/cgi/viewcontent.cgi?article=2115&context=cstech
Lai Y, Zhou K, Lin S, Lo N (2019) Flow-based anomaly detection using multilayer perceptron in software defined networks. In: 2019 42nd international convention on information and communication technology, electronics and microelectronics (MIPRO), pp 1154–1158. https://doi.org/10.23919/MIPRO.2019.8757199
Lakkaraju H, Kamar E, Caruana R, Horvitz E (2016) Discovering unknown unknowns of predictive models, p 5. http://web.stanford.edu/~himalv/unknownunknownsws.pdf
Liang X, Znati T (2019) A long short-term memory enabled framework for DDoS detection. In: 2019 IEEE global communications conference (GLOBECOM), pp 1–6. https://doi.org/10.1109/GLOBECOM38437.2019.9013450
Liu Y, Zhou Y, Wen S, Tang C (2014) A strategy on selecting performance metrics for classifier evaluation. Int J Mob Comput Multimed Commun 6:20–35. https://doi.org/10.4018/IJMCMC.2014100102
Liu J, Liu S, Zhang S (2019) Detection of IoT botnet based on deep learning. In: 2019 Chinese control conference (CCC), pp 8381–8385. https://doi.org/10.23919/ChiCC.2019.8866088
Liu Z, Li S, Zhang Y, Yun X, Cheng Z (2020) Efficient malware originated traffic classification by using generative adversarial networks. In: 2020 IEEE symposium on computers and communications (ISCC), pp 1–7. https://doi.org/10.1109/ISCC50000.2020.9219561
Liu F, Li X, Xiong W, Jiang H, Xie G (2021a) An accuracy network anomaly detection method based on ensemble model. In: ICASSP 2021a—2021a IEEE international conference on acoustics, speech and signal processing (ICASSP), pp 8548–8552. https://doi.org/10.1109/ICASSP39728.2021.9414675
Liu Q, Hagenmeyer V, Keller HB (2021b) A review of rule learning-based intrusion detection systems and their prospects in smart grids. IEEE Access 9:57542–57564. https://doi.org/10.1109/ACCESS.2021.3071263
Lobato AGP, Lopez MA, Sanz IJ, Cardenas AA, Duarte OCMB, Pujolle G (2018) An adaptive real-time architecture for zero-day threat detection. In: 2018 IEEE international conference on communications (ICC), pp 1–6. https://doi.org/10.1109/ICC.2018.8422622
Lu X, Liu P, Lin J (2019) Network traffic anomaly detection based on information gain and deep learning. In: Proceedings of the 2019 3rd international conference on information system and data mining—ICISDM 2019, pp 11–15. https://doi.org/10.1145/3325917.3325946
Luo Y, Xiao Y, Cheng L, Peng G, Yao D (2021) Deep learning-based anomaly detection in cyber-physical systems: progress and opportunities. ACM Comput Surv 54(5):106:1-106:36. https://doi.org/10.1145/3453155
Ma L, Chai Y, Cui L, Ma D, Fu Y, Xiao A (2020) A deep learning-based DDoS detection framework for internet of things, pp 1–6. https://doi.org/10.1109/ICC40277.2020.9148944
Maurya S, Ahmad RB (2020) Cloud of things (CoT) based smart cities. In: 2020 7th international conference on computing for sustainable global development (INDIACom), pp 94–97. https://doi.org/10.23919/INDIACom49435.2020.9083697
Meidan Y, Bohadana M, Mathov Y, Mirsky Y, Breitenbacher D, Shabtai A, Elovici Y (2018) N-BaIoT: network-based detection of IoT botnet attacks using deep autoencoders. IEEE Pervasive Comput 17(3):12–22. https://doi.org/10.1109/MPRV.2018.03367731
Meira J (2018) Comparative results with unsupervised techniques in cyber attack novelty detection. Proceeedings 2(18):1191. https://doi.org/10.3390/proceedings2181191
Mergendahl S, Li J (2020) Rapid: robust and adaptive detection of distributed denial-of-service traffic from the internet of things. In: 2020 IEEE conference on communications and network security (CNS), pp 1–9. https://doi.org/10.1109/CNS48642.2020.9162278
Mohammadi M, Al-Fuqaha A, Sorour S, Guizani M (2018) Deep learning for IoT big data and streaming analytics: a survey. IEEE Commun Surv Tutor 20(4):2923–2960. https://doi.org/10.1109/COMST.2018.2844341
Mokhtari S, Abbaspour A, Yen KK, Sargolzaei A (2021) A machine learning approach for anomaly detection in industrial control systems based on measurement data. Electronics 10(4):407. https://doi.org/10.3390/electronics10040407
Mou L, Jin Z (2018) Tree-based convolutional neural networks: principles and applications. Springer, Singapore
Moussa MM, Alazzawi L (2020) Cyber attacks detection based on deep learning for cloud-dew computing in automotive IoT applications. In: 2020 IEEE international conference on smart cloud (SmartCloud), pp 55–61. https://doi.org/10.1109/SmartCloud49737.2020.00019
Moustafa N, Slay J (2015) UNSW-NB15: a comprehensive data set for network intrusion detection systems (UNSW-NB15 network data set). In: 2015 military communications and information systems conference (MilCIS). https://doi.org/10.1109/MilCIS.2015.7348942
Mu X, Ting KM, Zhou Z-H (2017) Classification under streaming emerging new classes: a solution using completely-random trees. IEEE Trans Knowl Data Eng 29(8):1605–1618. https://doi.org/10.1109/TKDE.2017.2691702
Mutombo VK, Lee Y, Kim H, Kim Y, Debska NW, Hong J (2020) Smart transportation platform for private transportation. In: Proceedings of the 35th annual ACM symposium on applied computing, pp 1920–1927. https://doi.org/10.1145/3341105.3374043
Nagisetty A, Gupta GP (2019) Framework for detection of malicious activities in IoT networks using keras deep learning library. In: 2019 3rd international conference on computing methodologies and communication (ICCMC), pp 633–637. https://doi.org/10.1109/ICCMC.2019.8819688
Narla SRK, Stowell HG (2019) Connected and automated vehicles. Inst Transport Eng ITE J 89(3):28–33
Narudin FA, Feizollah A, Anuar NB, Gani A (2016) Evaluation of machine learning classifiers for mobile malware detection. Soft Comput 20(1):343–357. https://doi.org/10.1007/s00500-014-1511-6
Naveed K, Wu H (2020) Poster: a semi-supervised framework to detect botnets in IoT devices. In: 2020 IFIP networking conference (networking), pp 649–651
Nawaratne R, Alahakoon D, De Silva D, Yu X (2020) Spatiotemporal anomaly detection using deep learning for real-time video surveillance. IEEE Trans Ind Inf 16(1):393–402. https://doi.org/10.1109/TII.2019.2938527
Neuschmied H, Winter M, Stojanović B, Hofer-Schmitz K, Božić J, Kleb U (2022) APT-attack detection based on multi-stage autoencoders. Appl Sci 12(13):6816
Ng W, Minasny B, de Sousa Mendes W, Demattê JAM (2019) Estimation of effective calibration sample size using visible near infrared spectroscopy: deep learning vs machine learning. Soil. https://doi.org/10.5194/soil-2019-48
NSL-KDD Datasets (2009) https://www.unb.ca/cic/datasets/nsl.html
Osterweil E, Stavrou A, Zhang L (2019) 20 years of DDoS: a call to action. [Cs]. http://arxiv.org/abs/1904.02739
Otoum Y, Liu D, Nayak A (2019) DL-IDS: a deep learning–based intrusion detection framework for securing IoT. Trans Emerg Telecommun Technol. https://doi.org/10.1002/ett.3803
Pan Y, An J, Fan W, Huang W (2019) Shellfier: a shellcode detection method based on dynamic binary instrumentation and convolutional neural network. In: Proceedings of the 2019 8th international conference on software and computer applications, pp 462–466. https://doi.org/10.1145/3316615.3316731
Pang G, Shen C, Cao L, Hengel AVD (2021) Deep learning for anomaly detection: a review. ACM Comput Surv 54(2):38:1-38:38. https://doi.org/10.1145/3439950
Pérez-Díaz JA, Valdovinos IA, Choo K-KR, Zhu D (2020) A flexible SDN-based architecture for identifying and mitigating low-rate DDoS attacks using machine learning. IEEE Access 8:155859–155872. https://doi.org/10.1109/ACCESS.2020.3019330
Qureshi A-U-H, Larijani H, Mtetwa N, Javed A, Ahmad J (2019) RNN-ABC: a new swarm optimization based technique for anomaly detection. Computers 8(3):59. https://doi.org/10.3390/computers8030059
Qureshi AS, Khan A, Shamim N, Durad MH (2020a) Intrusion detection using deep sparse auto-encoder and self-taught learning. Neural Comput Appl 32(8):3135–3147. https://doi.org/10.1007/s00521-019-04152-6
Qureshi A-U-H, Larijani H, Mtetwa N, Yousefi M, Javed A (2020b) An adversarial attack detection paradigm with swarm optimization. In: 2020b international joint conference on neural networks (IJCNN), pp 1–7. https://doi.org/10.1109/IJCNN48605.2020.9207627
Rafique MF, Ali M, Qureshi AS, Khan A, Mirza AM (2020) Malware classification using deep learning based feature extraction and wrapper based feature selection technique. arXiv. https://doi.org/10.48550/arXiv.1910.10958
Rahman SA, Tout H, Talhi C, Mourad A (2020) Internet of things intrusion detection: centralized, on-device, or federated learning? IEEE Netw 34(6):310–317. https://doi.org/10.1109/MNET.011.2000286
Rashid MM, Kamruzzaman J, Hassan MM, Imam T, Gordon S (2020) Cyberattacks detection in IoT-based smart city applications using machine learning techniques. Int J Environ Res Public Health 17(24):9347. https://doi.org/10.3390/ijerph17249347
Ring M, Wunderlich S, Scheuring D, Landes D, Hotho A (2019) A survey of network-based intrusion detection data sets. Comput Secur 86:147–167. https://doi.org/10.1016/j.cose.2019.06.005
Rivero J, Ribeiro B, Chen N, Leite FS (2017) A Grassmannian approach to zero-shot learning for network intrusion detection. In: Liu D, Xie S, Li Y, Zhao D, El-Alfy E-SM (eds) Neural information processing. Springer International Publishing, Cham, pp 565–575. https://doi.org/10.1007/978-3-319-70087-8_59
Rodríguez E, Valls P, Otero B, Costa JJ, Verdú J, Pajuelo MA, Canal R (2022) Transfer-learning-based intrusion detection framework in IoT networks. Sensors 22(15):5621
Roopak M, Tian GY, Chambers J (2019) Deep learning models for cyber security in IoT networks 0452–0457. https://doi.org/10.1109/CCWC.2019.8666588
Roopak M, Tian GY, Chambers J (2020) An intrusion detection system against DDoS attacks in IoT networks. In: 2020 10th annual computing and communication workshop and conference (CCWC), pp 0562–0567. https://doi.org/10.1109/CCWC47524.2020.9031206
Sabeel U, Heydari SS, Elgazzar K, El-Khatib K (2021) Building an intrusion detection system to detect atypical cyberattack flows. IEEE Access 9:94352–94370. https://doi.org/10.1109/ACCESS.2021.3093830
Said Elsayed M, Le-Khac N-A, Dev S, Jurcut AD (2020) Network anomaly detection using LSTM based autoencoder. In: Proceedings of the 16th ACM symposium on QoS and security for wireless and mobile networks, pp 37–45. https://doi.org/10.1145/3416013.3426457
Sameera N, Shashi M (2020) Deep transductive transfer learning framework for zero-day attack detection. ICT Express 6(4):361–367
Samy A, Yu H, Zhang H (2020) Fog-based attack detection framework for internet of things using deep learning. IEEE Access 8:74571–74585. https://doi.org/10.1109/ACCESS.2020.2988854
Sarhan M, Layeghy S, Gallagher M, Portmann M (2021) From zero-shot machine learning to zero-day attack detection. arXiv preprint. https://arxiv.org/abs/2109.14868
Sarker IH, Shahriar B, Watters P, Ng A (2020) Cybersecurity data science: an overview from machine learning perspective. J Big Data. https://doi.org/10.1186/s40537-020-00318-5
Scheirer WJ, de Rezende Rocha A, Sapkota A, Boult TE (2013) Toward open set recognition. IEEE Trans Pattern Anal Mach Intell 35(7):1757–1772. https://doi.org/10.1109/TPAMI.2012.256
Scheirer WJ, Jain LP, Boult TE (2014) Probability models for open set recognition. IEEE Trans Pattern Anal Mach Intell 36(11):2317–2324. https://doi.org/10.1109/TPAMI.2014.2321392
Schlachter P, Liao Y, Yang B (2019) Deep one-class classification using intra-class splitting. In: 2019 IEEE data science workshop (DSW), pp 100–104. https://doi.org/10.1109/DSW.2019.8755576
Schlachter P, Liao Y, Yang B (2020) Deep open set recognition using dynamic intra-class splitting. SN Comput Sci 1(2):77. https://doi.org/10.1007/s42979-020-0086-9
Sharafaldin I, Habibi Lashkari A, Ghorbani AA (2018) Toward generating a new intrusion detection dataset and intrusion traffic characterization. In: Proceedings of the 4th international conference on information systems security and privacy, pp 108–116. https://doi.org/10.5220/0006639801080116
Sharma B, Pokharel P, Joshi B (2020) User behavior analytics for anomaly detection using LSTM autoencoder—insider threat detection. In: Proceedings of the 11th international conference on advances in information technology, pp 1–9. https://doi.org/10.1145/3406601.3406610
Singla A, Bertino E, Verma D (2019) Overcoming the lack of labeled data: training intrusion detection models using transfer learning. In: 2019 IEEE international conference on smart computing (SMARTCOMP). IEEE, pp 69–74
Smys S, Basar D, Wang D (2020) Hybrid intrusion detection system for internet of things (IoT). J ISMAC 2:190–199. https://doi.org/10.36548/jismac.2020.4.002
Soe YN, Santosa PI, Hartanto R (2019) DDoS attack detection based on simple ANN with SMOTE for IoT environment, pp 1–5. https://doi.org/10.1109/ICIC47613.2019.8985853
Stoian N-A (2020) Machine learning for anomaly detection in IoT networks: malware analysis on the IoT-23 Data set. 10. http://purl.utwente.nl/essays/81979
Strubell E, Ganesh A, McCallum A (2019) Energy and policy considerations for deep learning in NLP. [Cs]. http://arxiv.org/abs/1906.02243
Sun X, Dai J, Liu P, Singhal A, Yen J (2018) Using Bayesian networks for probabilistic identification of zero-day attack paths. IEEE Trans Inf Forensics Secur 13:2506–2521
Sung F, Yang Y, Zhang L, Xiang T, Torr PH, Hospedales TM (2018) Learning to compare: relation network for few-shot learning. In Proceedings of the IEEE conference on computer vision and pattern recognition, pp 1199–1208.
Syarif I, Prugel-Bennett A, Wills G (2012) Unsupervised clustering approach for network anomaly detection. In: International conference on networked digital technologies. Springer, Berlin, Heidelberg, pp 135–145
Takahashi Y, Shima S, Tanabe R, Yoshioka K (2020) APTGen: an approach towards generating practical dataset labelled with targeted attack sequences. In: 13th {USENIX} workshop on cyber security experimentation and test ({CSET} 20). https://www.usenix.org/conference/cset20/presentation/takahashi
Tao H, Bhuiyan MZA, Abdalla AN, Hassan MM, Zain JM, Hayajneh T (2019) Secured data collection with hardware-based ciphers for IoT-based healthcare. IEEE Internet Things J 6(1):410–420. https://doi.org/10.1109/JIOT.2018.2854714
Tavallaee M, Bagheri E, Lu W, Ghorbani AA (2009) A detailed analysis of the KDD CUP 99 data set, pp 1–6. https://doi.org/10.1109/CISDA.2009.5356528
Thamilarasu G, Chawla S (2019) Towards deep-learning-driven intrusion detection for the internet of things. Sensors 19(9):1977. https://doi.org/10.3390/s19091977
Toward developing a systematic approach to generate benchmark datasets for intrusion detection—ScienceDirect (n.d.) https://www.sciencedirect.com/science/article/pii/S0167404811001672. Accessed 26 Aug 2021
Umer MA, Junejo KN, Jilani MT, Mathur AP (2022) Machine learning for intrusion detection in industrial control systems: applications, challenges, and recommendations. Int J Crit Infrastruct Prot 38 https://doi.org/10.1016/j.ijcip.2022.100516
Van CN, Phan VA, Cao VL, Nguyen KDT (2020) IoT malware detection based on latent representation. In: 2020 12th international conference on knowledge and systems engineering (KSE), pp 177–182. https://doi.org/10.1109/KSE50997.2020.9287373
Vanerio J, Casas P (2017) Ensemble-learning approaches for network security and anomaly detection. In: Proceedings of the workshop on big data analytics and machine learning for data communication networks, pp 1–6. https://doi.org/10.1145/3098593.3098594
Viegas E, Santin A, Abreu V, Oliveira LS (2018) Enabling anomaly-based intrusion detection through model generalization. In: 2018 IEEE symposium on computers and communications (ISCC), pp 00934–00939. https://doi.org/10.1109/ISCC.2018.8538524
Wang W, Zhu M, Wang J, Zeng X, Yang Z (2017a) End-to-end encrypted traffic classification with one-dimensional convolution neural networks. In: 2017a IEEE international conference on intelligence and security informatics (ISI), pp 43–48. https://doi.org/10.1109/ISI.2017.8004872
Wang W, Zhu M, Zeng X, Ye X, Sheng Y (2017b) Malware traffic classification using convolutional neural network for representation learning. In: 2017b international conference on information networking (ICOIN), pp 712–717. https://doi.org/10.1109/ICOIN.2017.7899588
Wang H, Yang J, Lu Y (2020) A logical combination based application layer intrusion detection model. In: Proceedings of the 2020 international conference on cyberspace innovation of advanced technologies, pp 310–316. https://doi.org/10.1145/3444370.3444590
Xie W, Xu S, Zou S, Xi J (2020) A system-call behavior language system for malware detection using a sensitivity-based LSTM Model. In: Proceedings of the 2020 3rd international conference on computer science and software engineering, pp 112–118. https://doi.org/10.1145/3403746.3403914
Xue B, Fu W, Zhang M (2014) Multi-objective feature selection in classification: a differential evolution approach. Simul Evol Learn. https://doi.org/10.1007/978-3-319-13563-2_44
Yang Y, Zheng K, Wu B, Yang Y, Wang X (2020) Network intrusion detection based on supervised adversarial variational auto-encoder with regularization. IEEE Access 8:42169–42184. https://doi.org/10.1109/ACCESS.2020.2977007
Yang J, Li H, Shao S, Zou F, Wu Y (2022) FS-IDS: a framework for intrusion detection based on few-shot learning. Comput Secur 122:102899
Yichao Z, Tianyang Z, Xiaoyue G, Qingxian W (2019) An improved attack path discovery algorithm through compact graph planning. IEEE Access 7:59346–59356
Yu Y, Long J, Cai Z (2017) Network intrusion detection through stacking dilated convolutional autoencoders. Secur Commun Netw 2017:e4184196. https://doi.org/10.1155/2017/4184196
Yu X, Lu H, Yang X, Chen Y, Song H, Li J, Shi W (2020) An adaptive method based on contextual anomaly detection in internet of things through wireless sensor networks. Int J Distrib Sens Netw 16(5):1550147720920478
Zahoora U, Khan A, Rajarajan M, Khan SH, Asam M, Jamal T (2022a) Ransomware detection using deep learning based unsupervised feature extraction and a cost sensitive Pareto Ensemble classifier. Sci Rep 12(1):15647. https://doi.org/10.1038/s41598-022-19443-7
Zahoora U, Rajarajan M, Pan Z, Khan A (2022b) Zero-day ransomware attack detection using deep contractive autoencoder and voting based ensemble classifier. Appl Intell 52(12):13941–13960. https://doi.org/10.1007/s10489-022-03244-6
Zavrak S, İskefiyeli M (2020) Anomaly-based intrusion detection from network flow features using variational autoencoder. IEEE Access 8:108346–108358. https://doi.org/10.1109/ACCESS.2020.3001350
Zhang Z, Liu Q, Qiu S, Zhou S, Zhang C (2020) Unknown attack detection based on zero-shot learning. IEEE Access 8:193981–193991. https://doi.org/10.1109/ACCESS.2020.3033494
Zhao J, Shetty S, Pan JW, Kamhoua C, Kwiat K (2019) Transfer learning for detecting unknown network attacks. EURASIP J Inf Secur 2019(1):1–13
Zong Y, Huang G (2019) A feature dimension reduction technology for predicting DDoS intrusion behavior in multimedia internet of things. Multimed Tools Appl. https://doi.org/10.1007/s11042-019-7591-7
Zoppi T, Ceccarelli A, Capecchi T, Bondavalli A (2021) Unsupervised anomaly detectors to detect intrusions in the current threat landscape. ACM/IMS Trans Data Sci 2(2):1–26
Zou M, Wang C, Li F, Song W (2018) Network phenotyping for network traffic classification and anomaly detection. In: 2018 IEEE international symposium on technologies for homeland security (HST), pp 1–6. https://doi.org/10.1109/THS.2018.8574178
Zou J, Zhang J, Jiang P (2019) Credit card fraud detection using autoencoder neural network. [Cs, Stat]. http://arxiv.org/abs/1908.11553
Funding
This research did not receive any specific grant from funding agencies in the public, commercial, or not-for-profit sectors.
Author information
Authors and Affiliations
Corresponding author
Ethics declarations
Competing interests
The authors declare that they have no known competing financial interests or personal relationships that could have appeared to influence the work reported in this paper.
Additional information
Publisher's Note
Springer Nature remains neutral with regard to jurisdictional claims in published maps and institutional affiliations.
Appendices
Appendix 1: list of included and excluded studies
Table 14 presents the list of papers included and excluded in this research review. The columns “QA1–QA6” show the quality assessment score after the quality criteria identified in Sect. 5.2.4 are applied. Results are an aggregated answer to the six QA scores. The last column reflects “I-Included” and “E-Excluded” studies from this review based on QA results. Studies with over 50% (> 3) are included in this SLR; otherwise, they were excluded. It is important to mention here that any study not answering QA1 (i.e., Does the study address zero-day attack detection?) defeats the purpose of this SLR so that it will be excluded from further analysis.
Appendix 2: data extraction form and details
Table 15 presents the details of unknown attack detection research papers included in this study.
Rights and permissions
Springer Nature or its licensor (e.g. a society or other partner) holds exclusive rights to this article under a publishing agreement with the author(s) or other rightsholder(s); author self-archiving of the accepted manuscript version of this article is solely governed by the terms of such publishing agreement and applicable law.
About this article
Cite this article
Ahmad, R., Alsmadi, I., Alhamdani, W. et al. Zero-day attack detection: a systematic literature review. Artif Intell Rev 56, 10733–10811 (2023). https://doi.org/10.1007/s10462-023-10437-z
Accepted:
Published:
Issue Date:
DOI: https://doi.org/10.1007/s10462-023-10437-z