A Comprehensive Survey on Intrusion Detection based Machine Learning for IoT Networks

The Internet of Things (IoT) is a new ubiquitous technology that relies on heterogeneous devices and protocols. IoT technologies are expected to offer a new level of connectivity thanks to smart devices able to enhance everyday tasks and facilitate smart decisions based on sensed data. The IoT could collect sensitive data and should be able to face attacks and privacy issues. The IoT security issue is a hot topic of research and industrial concern. Indeed, threats against IoT devices and services could cause security breaches and data leakage. Aiming to identify attempts to abuse IoT systems and mitigate malicious events, this paper studied Intrusion Detection Systems (IDS) based on Machine Learning (ML) techniques. The ML approach could provide good tools to detect novel intrusion activities in a timely manner. This paper, therefore, highlighted the issues related to developing secure and efficient IoT services. It tried to allow a comprehensive review of IoT features and design. It mainly focused on intrusion detection based on the machine learning schema and built a taxonomy of different IoT attacks and threats. This paper also compared the different intrusion detection techniques and established a taxonomy of machine learning methods for intrusion detection solutions.


Introduction
The Internet of Things (IoT) is a technology trend able to provide new features and services. Indeed, estimates show that the number of connected devices in use will reach 75 billion by 2025 [1]. The fast development of IoT applications is due to new technological developments, mainly in the fields of Radio Frequency Identification (RFID) and Wireless Sensor Networks (WSN). IoT generates a large amount of data that needs to be managed appropriately for further processing and analysis. Thanks to its ubiquitous and pervasive fashion, cloud computing is an efficient solution for IoT data management and monitoring. It provides shared resources such as storage, computing and applications via a cloud services platform connected to the Internet. Both of the IoT Nevertheless, there are various security risks that pose a threat to cloud and fog computing. As the IoT system's sensitive information would be submitted to a third-party cloud service provider, users should make sure that they choose a reliable service provider that guarantees data security. While cloud computing is deployed in protected facilities managed and monitored by the cloud operators, fog is deployed in a rather vulnerable environment. Its systems are significantly smaller than clouds. Consequently, it has fewer resources to support security and threat detection operations [4,5].
The device objects on the IoT network involve some new techniques such as self-optimization, self-configuration, and self-management, which allow objects to set up and control themselves without any user interference in order to adapt to the platform they are operating in. Thus, IoT could maintain interoperable communication between different kinds of infrastructure and software protocols, such as human-to-human communication, human-to-thing communication, or thing-to-thing communication. It can cover many fields such as healthcare, automobiles, entertainment, industrial appliances, sports, and homes.
Unlike traditional networks, IoT networks rely on protocols such as IPv6 over Low-power Wireless Personal Area Networks (6LoWPAN), IEEE 802.15.4, the Constrained Application Protocol (CoAP) and the IPv6 Routing Protocol for Low-Power and Lossy Networks (RPL) [6]. Nevertheless, IoT applications face serious challenges caused by the heterogeneity and complexity of the data sources. Indeed, the different protocols used in IoT networks have been designed without any security background. Thus, an attacker could leverage vulnerabilities and limitations in these protocols through a range of exploitation techniques for malicious activities. Accordingly, detecting anomalies in IoT traffic could be vital for the protection of networks and information systems. Therefore, an Intrusion Detection System (IDS) is a necessary line of defense for detecting attacks. IDS developed for IoT could face the challenge of determining the attack or the malicious parties. They are classified mainly into three categories depending on the detection method used: anomaly detection, misuse detection, and hybrid detection. Since machine learning provides a good technological tool for anomaly detection, IDS could consider machine learning as a solution to be applied to solve security issues [7,8].
The contribution of this paper, relative to the recent literature in the field, can be summarized as follows: i) The scope of this survey is different from other survey papers published in the field, i.e., this paper aimed to put emphasis on the intrusion detection techniques based on machine learning used for IoT networks. ii) This paper provided an overview of the related research work. iii) This paper studied the IoT network security issues and pointed out the necessity of an intrusion detection system as a solution for detecting anomalies in IoT network traffic. iv) This review paper compared the intrusion detection techniques and machine learning approaches. v) This paper provided taxonomies for attacks and anomaly detection schemas.
The rest of this paper is organized as follows: Section 2 surveys the IoT components, architectures, protocols, and challenges. Next, section 3 provides an overview of the different security challenges and attacks in the IoT system. Then, section 5 studies the intrusion detection system and compares the different intrusion detection approaches. Thereafter, section 6 is devoted to studying and classifying the machine learning methods. Before concluding our survey, section 7 recapitulates the different related IoT survey works in the literature.

Background
The aim of this paper was to build an effective study and taxonomy of IoT threats and intrusion detection solutions based on machine learning methods. To this end, as a first step, we need to understand the IoT system design and components.
The IoT system extends the currently available Internet services to allow connections between different device objects. This is achieved thanks to sensing equipment and various communication protocols. The main process of an IoT system can be summarized as follows: i) Data generation: it represents the device objects that generate data. Figure 1 illustrates the main IoT system components at the different process phases.
WSN is an IoT subset that addresses the use of wireless-connected sensors. It allows real-time control of physical sensing domains such as healthcare and transportation. The IoT facilitates the interconnection of many heterogeneous devices over the Internet, which brought about the need for a multi-layer architecture. However, so far, the number of proposed architectures has not converged to one model because of the different views of the authors. Nevertheless, a basic model has three layers: the perception layer, the network layer, and the application layer [9,10]. They are defined as follows: i) The perception layer, which aims to collect data (e.g., humidity, temperature, pH level, and pressure) from the physical system under control, sensed thanks to sensors. This layer can be divided into two sublayers: perception nodes such as sensors and controllers; and a perception network that is connected to the network layer.
ii) The network layer, which ensures data transmission over the network and provides a pervasive access environment to the next layer (i.e., the application layer). This layer defines routing, network management and data transmission to different devices through a heterogeneous network.
iii) The application layer, which checks data and sends them to the end users to provide access to their smart resources such as intelligent computation and business services. It thus represents an interface for the end users to communicate with their IoT devices. Table 1 illustrates some of the main supported standard protocols for each layer.
EAI Endorsed Transactions on Security and Safety Online First
Still, the IoT has several challenges compared to the traditional network. Indeed, the IoT system can maintain complex and heterogeneous data, and each layer of its architecture has its own communication protocol. In addition, IoT devices are set up on Low-power and Lossy Networks (LLNs). However, LLNs are stressed by dynamism, reduced memory, and limited power handling. These features are not considered in the standard Internet. Thus, examining security threats on the IoT should be done in parallel with LLNs, which face energy and connectivity constraints [11]. A new generation of IoT systems, known as Cognitive IoT (CIoT), enables autonomous interaction, context awareness and perception action between physical or virtual objects. The authors in [12] investigate potential threats and attacks on CIoT.

IoT Attacks
The IoT can be affected by different threats and malicious attacks. These could cause serious damage to the system in any of the IoT architecture layers and harm its reputation. This section presents some possible attacks targeting security at each layer (i.e., perception layer, network layer and application layer).

Perception Layer Attacks
The perception layer can be exposed to many physical and hardware attacks. Indeed, due to the diversity of the deployment environment and the dynamic change in the network topology, the sensor nodes in the perception layer usually use ad-hoc network technology and wireless communication. In such an environment, attackers can easily eavesdrop on communication between nodes. Furthermore, the nodes usually use a sleep mode to prolong the life of the power resource; however, attackers can keep the node in a working state to accelerate the energy consumption [51-54]. Some of the common attacks on the perception layer are as follows: i) Node capture attacks, which can be achieved by physically replacing the entire node, or by tampering with the node hardware to capture and control a device. Indeed, when a node is compromised, confidential information like the group communication key, cryptographic keys or access keys will be exposed to the attacker. In addition, the attacker can inject a fake malicious node into the network to act as an authorized node in the network connection; after that, they are likely to copy the associated information transmitted over the network and use it for further attacks to compromise the security of the entire IoT network.
ii) Malicious code injection attacks, which allow the attacker to inject malicious code into the memory and control a device in an IoT network. In order to inject malicious code into the system, the attacker can leverage an attack on the system from the end-user side, use a debug module or use other hacking techniques. This kind of attack can execute specific control functions and grant access to the IoT system.
iii) False data injection attacks, which occur when the attacker is able to inject false or malicious data in place of the real data. The attack stops the real measurement data transmitted by the captured node and replaces the real information with false data transmitted through the tampered node to the ultimate user. Thus, the entire network could fall under the attacker's control and a Denial of Service (DoS) attack can be performed.
iv) Side Channel Attacks (SCA), which aim to leak the secret key used in encryption to protect sensitive data. This kind of attack uses different techniques to eavesdrop on the transmitting device and determine when an encryption key is used to access a device.
v) Replay attacks, which target the authentication and key agreement schemes and aim to transmit legitimate information to the target node in order to earn the IoT system's trust. The attacker can easily capture, record and then replay legitimate traffic on a wireless channel to cause, for example, energy drain at the sensor nodes.

Table 1. Main supported standard protocols for each IoT layer.

Layer | Protocol | Description | Refs
Perception layer | IEEE 802.15.4 | WSN is one of the target applications of this standard. The Internet Engineering Task Force (IETF) has proposed standards within IEEE 802.15.4 to simplify the integration between the Internet and LLNs (low-power and lossy networks). | [13,14]
Perception layer | RFID | It automatically identifies and controls objects through radio waves. The principal object of RFID is to rapidly exchange information and improve the efficiency of manufacturing and of the whole supply chain life cycle in terms of delivery and dispatch speeds. | [15-17]
Perception layer | Bluetooth Low Energy (BLE) | It is a low-power wireless technology. It is used by many commercial IoT applications such as smart watches, fitness trackers, and smart appliances. | [18-21]
Perception layer | WBAN (802.15.6) | It is a standard for short-range, low-power, and reliable wireless communication for human body area networks. It can be deployed in several applications such as health monitoring and ambient living environments. | [22,23]
Network layer | Z-Wave | It is a low-power wireless communication protocol. It is specified for applications that need very small data transmissions such as household appliance control, access control and wearable health-care control. | [24,25]
Network layer | LoRaWAN | It is a media access control protocol for Low Power Wide Area Networks (LPWAN). It was developed to allow low-powered devices to communicate with Internet-connected applications over long-range wireless connections. | [26-30]
Network layer | Sigfox | It allows the transmission of small data packets over a wireless network to connect low-power devices. It is a competitor of LoRaWAN in the LPWAN domain. | [31-34]
Network layer | 6LoWPAN | IPv6 over Low power Wireless Personal Area Networks has an adapted header format to connect the endpoint devices, and addresses IPv6 packets in the network layer infrastructure. The IETF 6LoWPAN working group proposes an adaptation of new-generation communication technologies that can be supported by IEEE 802.15.4. | [35-37]
Network layer | RPL | It is a routing protocol for Low Power and Lossy Networks. It supports optimal routing requirements by creating a robust topology over lossy links. | [38,39]
Network layer | Wi-Fi | It is a widely used communication protocol among IoT devices. It is based on the IEEE 802.11 standards family, and IEEE 802.11n is the commonly used Wi-Fi standard. It is an excessive power consumer for some IoT applications. | [40,41]
Network layer | Cellular | GSM/3G/4G/5G are cellular communication protocols for IoT applications that require operation over long distances. They can send and transfer a high amount of data. They are costly and cause high power consumption for many IoT applications. | [41-43]
Application layer | Constrained Application Protocol (CoAP) | It was released by the Internet Engineering Task Force (IETF) as an application-layer request-response protocol. It allows physical objects to deliver services to users on the Internet. It was designed using a subset of the HTTP methods. | [44-46]
Application layer | Message Queue Telemetry Transport (MQTT) | It was created by IBM and targets lightweight machine-to-machine (M2M) communications. It is a messaging protocol for the IoT and M2M that follows a publish/subscribe pattern. It is arranged to be a lightweight protocol suitable for networks with unreliable or low-frequency links. | [46-48]
Application layer | Data Distribution Service (DDS) | It is a standard for expandable, high-performance, and real-time M2M communication. It includes two main layers: Data-Centric Publish-Subscribe (DCPS), which defines information delivery to the subscribers; and Data-Local Reconstruction Layer (DLRL), which provides an interface to the DCPS functionalities. | [49,50]

Network Layer Attacks
The network layer is a hardware and software infrastructure for routing and transmitting the data received from the perception layer. Hence, the network layer often hosts the perception layer attacks as well as other types of attacks [55,56]. The most common attacks can be identified as follows: i) Man-in-the-Middle attacks, where the attacker injects a malicious device that can be virtually located between two communicating victim nodes. The attacker steals the identity information of these two victim nodes using eavesdropping and spoofing attacks. This allows the malicious node to behave as a legitimate one and to store and forward the victim nodes' data. The victim nodes cannot detect the malicious node and assume that they communicate directly with each other.
ii) Denial-of-Service attacks (DoS), which are performed when the attacker floods normal nodes with requests. This kind of attack can bombard the IoT network by generating a large amount of traffic to consume resources or bandwidth of the legitimate nodes. There is a wide range of DoS attacks launched against the IoT such as Ping of Death, Tear Drop, UDP flood, SYN flood, and Land Attack.
iii) Sinkhole attacks, which are the most destructive attacks since they prevent communication among network devices and are used to launch further attacks. Indeed, a compromised node aims to attract all the traffic from adjacent nodes using the routing metrics of the routing protocols. This attack prevents the destination node from obtaining valid and complete sensed information. In addition, it can be the basis of other attacks such as selective forwarding and wormhole attacks.
iv) Sybil attacks, which denote an attempt to control a peer network by forging multiple fake identities. The attacker broadcasts messages with multiple fake identities in a WSN to compromise the effectiveness of the system. Such an attack could cause the system to generate wrong reports and lose privacy. To outside observers, these multiple fake identities give the impression of being real, unique identities [57].

Application Layer Attacks
Attackers could exploit vulnerabilities in the software application, and then launch phishing attacks, viruses, worms, Trojan horses, spyware and malicious scripts [58-60]. Several possible attacks in the IoT application layer can be categorized as follows: i) Phishing attacks, which use infected emails or phishing Web applications to gain access to confidential data by spoofing the user's authentication credentials.
ii) Viruses, worms, Trojan horses and spyware, which are malicious programs that can infect the software applications. They aim to cause tampered data, denial of service and missing or stolen information.
iii) Malicious scripts, which are embedded in Web pages or served by an advertisement. They scan the network for IoT devices and then take control of them.

Security Challenges and Open Issues in the IoT
Security is the main challenge in IoT network design. Indeed, IoT devices are designed to be lightweight, with low computational power, low battery life and low memory. As incorporating security features is resource expensive, IoT devices are often found to be less protected, and in recent times more IoT devices have been attacked due to high-profile security flaws. In addition, the IoT is a heterogeneous system that interconnects diverse peripheral devices differing in terms of capacity, complexity, size, data quantity and data type. This heterogeneity has an important influence over the protocol and network security services that must be implemented in the IoT.
Hence, it is important to implement policies that define data management, protection and transmission in an efficient way. A mechanism is needed to enforce such policies and identify the service level agreements of each involved service. Besides, access and privilege management mechanisms are required to prevent unauthorized access to IoT resources. Without an efficient cryptographic algorithm with adequate key management and security protocols, the users' privacy and security can be threatened, and any IoT node discovered by a malicious user could be exploited to collect information for a successful attack.
However, since IoT is based on the Internet, it inherits and even extends its security problems due to the different new protocols implemented for IoT without taking into account the notion of security background. Indeed, once a device is connected to the Internet, it becomes vulnerable to potential security breaches caused by hacking and phishing techniques. Therefore, as IoT is becoming a reality, serious efforts should be made to design and implement security schema able to be integrated within the IoT system processes.
The IoT security services require providing confidentiality, integrity, and availability [61-64]. These security requirements are defined as follows: i) Confidentiality: the IoT can interconnect, store and transfer sensitive information from a large number of sources such as humans, machines, sensors, and protocols (e.g., RFID, ZigBee) in real time. Nevertheless, since it is easy for a malicious user to intercept personal information, it has become urgent to secure messages and stored data against unauthorized individuals. It is important to guarantee that only authorized users can access the information securely, and to prevent eavesdropping and attacks. A cryptographic mechanism is also needed to ensure that anonymous or pirate users cannot access or process the data. Besides, each object in the IoT has to be able to identify and authenticate other objects. However, authentication could be a challenge in the IoT network because of the huge number of entities (i.e., millions of smart objects, service providers, processing units, users), and the emerging standards and self-configuring protocols, which make authentication a more complex process than in traditional networks.
ii) Integrity: the IoT needs a security process that provides a reliable service and ensures effective control actions to pick up any modification in the network and to detect system threats. Therefore, it is necessary to define a mechanism that prevents injection attacks. However, integrity cannot be made reliable easily because of the low computational power of IoT devices.
iii) Availability: it is necessary to provide accessible data to IoT users whenever necessary, despite the huge number of users in real time. Indeed, it is important to offer services that are always available and continuous whenever the data and devices are requested. Availability is an important need for the successful deployment of IoT systems. However, IoT systems and devices could become unavailable because of attack events such as DoS and eavesdropping attacks.
Security issues in IoT systems are increasingly imperative with the expanding number of attacks. IoT systems are subject to more threats than conventional systems because of the characteristics of IoT devices and their communication protocols. As a matter of fact, IoT devices are usually outfitted with small batteries and micro-controllers, which makes them easy to overwhelm. In addition, the communication protocols used, such as Bluetooth, ZigBee, Wi-Fi or GSM, are prone to attacks. On the other hand, during the communication process, some of the data could be lost and thus affect the network's efficiency in data management. Designing the communication nodes and managing the huge exchange of data among a huge number of objects is an additional challenge.

IoT security Challenges in Different Layers
The basic IoT architecture has three layers, each of which should deploy mechanisms to handle security challenges. Nevertheless, each layer suffers from some security issues [51,65], which should be solved to meet the confidentiality, availability and integrity service requirements [66]. Hence, this section discusses the various security challenges and protective measures for each IoT layer.
Security at the Perception Layer. Security at the perception layer should provide mechanisms against hardware attacks. This layer includes different sensor types that could detect physical attacks. As the perception layer is designed to collect or forward information between the sensors, data confidentiality needs to be ensured. Indeed, the system should be able to prevent any unauthorized user from accessing the data, exclude any unauthorized device and reject prohibited flows from accessing the network. Confidentiality solutions at the perception layer could include digital signatures to withstand unauthorized access. In addition, symmetric and asymmetric encryption algorithms are needed to encrypt data for data privacy protection, by converting it into a code so that it would not be understood by undesired parties [67,68]. To enforce user privacy in RFID systems, there are privacy-friendly authentication protocols implemented for RFID. These are based on well-established symmetric-key cryptographic building blocks. In addition, they require a reader complexity lower than O(N), where N is the number of tags in the database. The literature shows that designing a privacy-friendly protocol is still a challenging task [69,70]. A node injected by the attacker into the network can hide sensitive information like its identity and location. Consequently, this node is perceived as anonymous by the IoT network. As a solution, a k-anonymity approach is recommended for low-processing devices. k-anonymity is a privacy protection approach used to protect against identity disclosure. This approach is required when there is a need to share users' records in such a way that the identities of the individuals who are the subject of the data cannot be re-identified [71]. On the other hand, it is necessary to provide an integrity service process to mitigate data tampering. Each device in the perception layer should be supplied with an error detection mechanism such as a parity bit or a checksum.
Cryptographic hash functions could also be deployed to guarantee data integrity at the perception layer [72,73]. Most of the attacks at this layer can be resolved by designing physically secured devices. This involves components like the data acquisition unit design, radio frequency circuits and chip selection. Such components should not be [74].
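As an added illustration (not code from the survey) of the integrity mechanisms listed above, the following Python compares a parity bit, a 16-bit one's complement checksum and a keyed hash (HMAC-SHA256) on a constructed sensor reading: a channel bit error is noticed by all three, whereas a tampered node substituting a false reading (the false data injection attack from the perception layer attacks section) can recompute the unkeyed checks and is caught only by the keyed hash. The frame layout, the demo key and the readings are constructed for this example.

```python
import hashlib
import hmac
import struct

# Constructed demo key; in a deployment each node would hold a provisioned secret.
DEMO_KEY = b"constructed-demo-key-not-for-real-use"


def encode_reading(node_id: int, seq: int, temp_centi: int) -> bytes:
    """Pack a sensor reading: node id, sequence number, temperature in 0.01 C."""
    return struct.pack(">HIh", node_id, seq, temp_centi)


def parity_bit(data: bytes) -> int:
    """Even parity over all bits: catches any odd number of flipped bits."""
    return bin(int.from_bytes(data, "big")).count("1") & 1


def checksum16(data: bytes) -> int:
    """16-bit one's complement checksum of the style used by IP/UDP headers."""
    if len(data) % 2:
        data += b"\x00"
    total = 0
    for i in range(0, len(data), 2):
        total += (data[i] << 8) | data[i + 1]
    while total >> 16:  # fold carries back in (end-around carry)
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def mac_tag(key: bytes, data: bytes) -> bytes:
    """Keyed hash (HMAC-SHA256): only a holder of the key can produce a valid tag."""
    return hmac.new(key, data, hashlib.sha256).digest()


def build_frame(key: bytes, node_id: int, seq: int, temp_centi: int) -> dict:
    """Frame as sent by the sensor: payload plus its three integrity fields."""
    payload = encode_reading(node_id, seq, temp_centi)
    return {
        "payload": payload,
        "parity": parity_bit(payload),
        "checksum": checksum16(payload),
        "tag": mac_tag(key, payload),
    }


def verify_frame(key: bytes, frame: dict) -> dict:
    """Receiver-side checks: which integrity fields still agree with the payload."""
    payload = frame["payload"]
    return {
        "parity_ok": parity_bit(payload) == frame["parity"],
        "checksum_ok": checksum16(payload) == frame["checksum"],
        "mac_ok": hmac.compare_digest(mac_tag(key, payload), frame["tag"]),
    }


def flip_bit(data: bytes, bit_index: int) -> bytes:
    """Simulate a lossy-link error by flipping a single bit of the payload."""
    buf = bytearray(data)
    buf[bit_index // 8] ^= 1 << (bit_index % 8)
    return bytes(buf)


def channel_error_scenario() -> dict:
    """A lossy link flips one bit in transit: every mechanism notices the mismatch."""
    frame = build_frame(DEMO_KEY, node_id=7, seq=42, temp_centi=2315)
    frame["payload"] = flip_bit(frame["payload"], 13)
    return verify_frame(DEMO_KEY, frame)


def false_data_injection_scenario() -> dict:
    """A tampered node substitutes a false reading. Parity and checksum need no
    secret, so the tampered node simply recomputes them; the MAC cannot be
    recomputed without the key, so only the keyed check still fails."""
    frame = build_frame(DEMO_KEY, node_id=7, seq=42, temp_centi=2315)
    false_payload = encode_reading(7, 42, -4000)
    frame["payload"] = false_payload
    frame["parity"] = parity_bit(false_payload)
    frame["checksum"] = checksum16(false_payload)
    # "tag" is left unchanged: the tampered node holds no key.
    return verify_frame(DEMO_KEY, frame)


if __name__ == "__main__":
    print("channel error        :", channel_error_scenario())
    print("false data injection :", false_data_injection_scenario())
```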
Security at the Network Layer. Security mechanisms implemented at the network layer, along with those of the perception layer, build an additional defense layer for the IoT system. It could implement the following security schemes: i) Routing security: several routing mechanisms suffer from stability and reliability problems. Therefore, secure routing is one of the main features for the safe use of sensor systems. Secure routing is ensured by routing the data through multiple paths, which increases the network's error detection. It reduces energy consumption, increases the network lifetime and prevents black hole attacks [75,76]. Simultaneously, an IPSec security channel is a good solution to decide whether the sender IP is genuine or not. Indeed, IPSec supplies two types of security features: authentication and encryption. This solution may help avoid eavesdropping and data tampering attacks [77].
ii) Sinkhole attack detection: a sinkhole attack is a compromised node inside the network that launches attacks. Based on the routing metric used in the routing protocol, the compromised node advertises an attractive route to draw all the traffic from adjacent nodes and uses these nodes to route the traffic. The sinkhole attack is an extensive threat, since it is a fundamental phase for launching additional attacks. Challenges exist in detecting, and providing resistance to, a sinkhole attack in the WSN [78-81].
iii) Secure management: the IoT involves billions of connected devices that need to be managed; therefore, IoT operators require an effective device management platform to address IoT security challenges. Such a platform allows operators to manage these billions of devices that communicate with the base station, to scale quickly and cost-effectively, and to provide visibility into data traffic. It needs several key distribution management techniques for encryption and for maintaining routing information [82-84].
iv) Secure localization: IoT services may rely on location information in order to report geographically meaningful data. Localization algorithms and techniques have to implement countermeasures to mitigate fake location information provided by an attacker using spoofing techniques [85-87]. v) Self-organization: it is a countermeasure technique to preserve communication among devices in a network after a failure caused by disasters or attacks, and thus sustain network availability. A key distribution mechanism could be a challenge for software based on public-key cryptographic systems [88,89].
Security at the Application Layer. Security mechanisms implemented at the application layer complement the other layers of defense deployed at the network and perception layers of the IoT system. Data confidentiality, integrity and availability should be guaranteed in the application layer. Various applications are provided to a large number of users. Therefore, a proper authentication mechanism should be provided in order to prevent illegitimate users from accessing the system. For data recovery purposes, the storage systems transfer data through different channels to different locations. Such a process involves data integrity and user privacy. Consequently, a proper mechanism for the data recovery and storage process should be implemented [90]. This layer could face buffer overflow vulnerabilities if the programmer's software implementation does not respect the standard recommendations. Such vulnerabilities could then be leveraged by attackers to achieve their aims. To correct security failures, risk assessment is a fundamental technique to define the potential threats and risks associated with an IoT system. It is used to identify new threats to the system, and helps to better identify continuous controls for reducing risks during the risk mitigation process [91,92]. Some of the security measures required in this layer can be listed as follows: i) Intrusion detection: it generates alarms on the occurrence of any suspicious activity in the system. It keeps track of the intruders' activities in log files. Misuse and anomaly detection are among the existing intrusion detection techniques [73].
ii) Firewalls: they monitor and filter the incoming and outgoing traffic based on defined security rules [93,94].
iii) Anti-virus, anti-adware and anti-spyware: these software solutions are essential to ensure security consistency, confidentiality, and reliability in the IoT environment.

Intrusion Detection
Despite the growing and advanced research in the domain of computer networks, security is still threatened. Therefore, many security solutions are developed to tackle attacks. Intrusion Detection (ID) is a security solution that aims to identify malicious activities and attempts to abuse a network system. Typically, an Intrusion Detection System (IDS) detects vulnerabilities, notifies malicious activities, and enables preventive measures. It monitors the network traffic and can address illegitimate access, malicious activities, or policy violations. Due to the IoT characteristics in terms of diversity of components such as protocols, connected devices, and network architecture, the IoT network is considered a vulnerable environment open to multiple attacks. Therefore, it is important to implement an IDS as a line of defense in the IoT network. The main purpose of an IDS is to dynamically monitor network traffic and classify it as normal or anomalous. It analyzes the traffic and triggers alarms when an anomaly is detected [95,96]. The IDS alarms can be classified into four categories as follows: i) The true positive represents the detected normal traffic types that are correctly identified as normal by the system.
ii) The true negative represents the detected anomalous traffic that is correctly identified as an anomaly or attack by the system.
iii) The false positive represents the detected normal traffic types that are identified as anomalous traffic.
iv) The false negative represents the detected anomalous traffic types that are identified as normal traffic.
A perfect system should have reduced false alarms (i.e., false negatives and false positives) [97].
Intrusion detection techniques used in IDS could be classified into three categories: misuse-based IDS, anomaly-based IDS, and hybrid IDS. They are defined as follows: iii) The hybrid IDS combines the benefits of both misuse-based and anomaly-based detection techniques. Thus, it has two detection modules, one for detecting new attacks and the other for detecting known attacks. Nevertheless, this technique is not recommended for an IoT system as it consumes resources and energy [102,103].
IDS could be sorted into three types based on their deployment location as follows:
i) Network-based intrusion detection system (NIDS), which is placed along a network segment or boundary and monitors the traffic on that segment. It can detect attacks launched by outside attackers who want to gain unauthorized access to the network to steal data or disrupt the network system [104,105,106].
ii) Host-based intrusion detection system (HIDS), which is software installed on the individual systems to be monitored. A HIDS can only monitor its individual host and not the entire network. It can detect internal activity, identify the user who accessed the system and the resources used, and prevent illegitimate access [107,108,109].
iii) Hybrid system, which integrates both NIDS and HIDS. Thus, it is perfect in terms of security and attack detection [110].
IDS could perform online or offline detection. Online detection processes the network packets in real time, whereas offline detection processes stored data, for example log files. In IoT networks, the IDS could be deployed in the border router or in every physical object. Placing the IDS in the border router allows detecting intrusion attacks from the Internet against the objects of a network segment. However, deploying the IDS in every physical object requires more resources (i.e., energy, processing and storage). This could be an issue due to the resource limitations of Low power and Lossy Network (LLN) nodes. Another solution consists in distributing IDS agents across some dedicated nodes to gain more processing capacity. Nevertheless, such a solution faces the challenge of how to organize the network into different regions for an optimal performance [111].
EAI Endorsed Transactions on Security and Safety Online First
Based on the IDS architectures, it is possible to classify IDS into the following categories:
i) Centralized IDS: the entire IDS is placed in the network center, either in a remote or a host-based location [112,113].
ii) Distributed IDS: the IDS is spread over multiple nodes in the network and the detection responsibility is shared amongst them [114,115].
iii) Hierarchical IDS: it may be stand-alone or combined with another architecture type, in which some nodes have a higher detection control than others. Decentralized architectures could be grouped under the hierarchical category [116,117].
iv) Hybrid IDS: it represents any combination of the architectures cited above. This category is often exploited in tandem with multiple detection methods [118,119].
Figure 2 illustrates the different IDS categories according to detection time, architecture, location and detection method features. Table 2 reviews the IDS proposals for IoT based on detection methods.

Machine Learning
Machine learning (ML) is a sub-domain of artificial intelligence. It learns from training data and supports diverse application domains such as computer science, signal processing, and telecommunications. It can solve complex mathematical problems and has proven accurate in detecting attacks and misbehavior in different security solutions. ML algorithms can also be used in IDS for classifying behaviors as normal or anomalous by building models able to detect patterns and predict intrusions. The challenge with an ML-based IDS implementation consists in how to build a model with a reduced number of false alarms and a good recognition accuracy. Considering the heterogeneous IoT environment and its dynamic behavior, anomaly-based ML techniques could be a key solution to boost the detection of current, new and subtle attacks and improve the detection performance. After the features have been extracted from the data source, different ML methods could be implemented to classify the data. The obtained results can be leveraged by the IDS to make decisions. The ML classification involves two phases: a training phase and a testing one. The training phase learns the feature distribution and generates a model able to detect patterns. Then, in the testing phase, the model is applied to detect any abnormality [135,136,137]. Figure 3 shows the process to achieve the ML classification. In this figure, the test and training data are preprocessed to remove noise. In the training data set, feature selection methods are used to extract relevant feature sets, which are used to train the classifier. The normalization step standardizes the range of the different feature values. Finally, in the classification phase, a classifier algorithm is deployed. The ML techniques consist of three categories: supervised, unsupervised, and semi-supervised approaches.
This section builds a taxonomy of the different ML techniques that can be used in the IDS context.

Feature Selection Methods
Feature selection simplifies the model interpretation, removes information redundancy, decreases the training time, and increases the classifier's efficiency. Feature selection is based on the following three techniques for feature reduction [138,139,140]:
i) The wrapper technique, which generates relevant feature subsets from a feature vector based on the learning algorithm performance.
ii) The filter technique, which generates relevant feature subsets from a feature vector regardless of the learning algorithm performance. It evaluates feature relevance according to heuristics based on general data characteristics.
iii) The hybrid technique, which exploits the important features of both the wrapper and filter methods.
Principal Component Analysis. Principal Component Analysis (PCA) is a filter method used to extract relevant data and present it as a set of variables called principal components. When a large amount of data needs to be approximated by a complex model structure, PCA is the adequate tool for data reduction by simplifying the data matrix. PCA estimates the correlation structure of the variables, and the importance of a variable is defined by the size of its residual variance. Indeed, PCA projects the matrix X onto the vectors T and P to reveal the dominating characteristics of a multivariate data set. A projection matrix P is used to project X down onto an A-dimensional subspace, leading to T, the object coordinates in this plane. The score vectors t_a are the columns of T, whereas the loading vectors P_a are the rows of P and hold the direction coefficients of the PC (hyper)plane. The vectors t_a and P_a are orthogonal. The deviations between the projections and the original coordinates define the residuals, which are collected in the matrix E. In matrix form, PCA represents a least squares fit [141,142].
Hence, X could be defined as follows: Here, x is the mean vector that is explicitly included in the model formulation.

Table 2 (continued). IDS proposals for IoT based on detection methods.

-This research work proposes a signature-based intrusion detection system using a fast pattern-matching algorithm, which outperforms existing signature-based IDS in detecting known attacks.

-This research work proposes an AdaBoost ensemble method that combines three techniques, Decision Tree, Naive Bayes and Artificial Neural Network, to enhance the overall performance in terms of processing time, detection rate and accuracy.
-It aims to propose a solution to defend against botnet attacks in an IoT network.
-It uses the UNSW-NB15 [127] and NIMS botnet [128] datasets to extract the protocol data sources.
-Simulation is used to evaluate the performance of the proposed scheme.

S. Prabavathy et al., 2018 [129]
-This research work proposes a distributed detection mechanism for IoT applications using fog computing.
-The proposed mechanism is implemented using the Extreme Learning Machine (ELM) algorithm at distributed fog nodes. The ELM algorithm is exploited to identify attacks in the incoming traffic from IoT virtual clusters.
-The NSL-KDD dataset was used for training and testing the mechanism.
-To evaluate the performance of the proposed mechanism, the accuracy, detection rate, false alarm rate and response time were measured and studied.

Correlation-based feature selection. Correlation-based feature selection (CFS) is a filter feature selection method. This method does not depend on any particular data transformation. It measures the correlation between nominal features; thus, numeric features need to be converted into discrete counterparts. CFS assumes that features are conditionally independent given the class they belong to. It can identify relevant features when moderate feature dependencies exist. However, when features strongly depend on others because of the class they belong to, CFS may fail to select all the relevant features. The interesting feature subsets contain features that are uncorrelated with each other and highly correlated with the class [143,144,145]. The correlation between a composite test consisting of the summed components and the outside variable can be predicted from the following equation: Here, r_zc is the correlation between the summed components and the outside variable, k is the number of feature components, r_zi is the average of the correlations between the components and the outside variable, and r_ii is the average inter-correlation between the components.
Figure 3. ML classification process.
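The CFS merit r_zc computed from k, r_zi and r_ii, driven by a greedy forward search over a small constructed flow table, as an added example that is not the paper's code. It assumes Pearson correlation on numeric columns as the correlation measure (Hall's original CFS discretises features and uses symmetrical uncertainty); the feature names and records are constructed.

```python
"""CFS merit with a greedy forward search (added example, not the paper's code).
Assumptions: Pearson correlation on numeric features stands in for the
correlation measure; the flow records below are constructed."""
import math
from itertools import combinations

FEATURES = ["pkts", "duration", "ttl"]
# Constructed flows (pkts, duration, ttl, label; 1 = attack). pkts and duration
# separate the classes; ttl alternates 64/128 independently of the label (noise).
ROWS = [
    (10, 2.0, 64, 0), (12, 2.5, 128, 0), (9, 1.8, 64, 0), (11, 2.2, 128, 0),
    (300, 0.5, 64, 1), (280, 0.4, 128, 1), (320, 0.6, 64, 1), (290, 0.5, 128, 1),
]
LABELS = [r[-1] for r in ROWS]


def pearson(xs, ys):
    """Pearson correlation coefficient of two equally long sequences."""
    n = len(xs)
    mx, my = sum(xs) / n, sum(ys) / n
    cov = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    vx = sum((x - mx) ** 2 for x in xs)
    vy = sum((y - my) ** 2 for y in ys)
    return 0.0 if vx == 0 or vy == 0 else cov / math.sqrt(vx * vy)


def column(name):
    return [r[FEATURES.index(name)] for r in ROWS]


def merit(k, r_zi, r_ii):
    """r_zc = k * r_zi / sqrt(k + k(k-1) r_ii): merit of a k-feature subset."""
    return k * r_zi / math.sqrt(k + k * (k - 1) * r_ii)


def cfs_merit(subset):
    """Merit of a named feature subset against the class column (the 'outside variable')."""
    k = len(subset)
    if k == 0:
        return 0.0
    # r_zi: mean feature-class correlation; r_ii: mean feature-feature correlation
    r_zi = sum(abs(pearson(column(f), LABELS)) for f in subset) / k
    pairs = list(combinations(subset, 2))
    r_ii = (sum(abs(pearson(column(a), column(b))) for a, b in pairs) / len(pairs)
            if pairs else 0.0)
    return merit(k, r_zi, r_ii)


def forward_search(features=FEATURES):
    """Greedy forward selection: add the feature that raises the merit most; stop when none does."""
    selected, best, remaining = [], 0.0, list(features)
    while remaining:
        cand = max(remaining, key=lambda f: cfs_merit(selected + [f]))
        score = cfs_merit(selected + [cand])
        if score <= best:
            break
        selected.append(cand)
        remaining.remove(cand)
        best = score
    return selected, best


if __name__ == "__main__":
    print(forward_search())
```

On this table the search keeps pkts alone: duration is strongly class-correlated but also strongly correlated with pkts, so the r_ii term lowers the two-feature merit, and the noise column ttl never enters.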
Information Gain. Information Gain (IG) is a filter method for feature selection. It measures how useful an attribute is in a given set of feature vectors. IG measures the reduction in entropy, which is a way to measure the level of impurity in a data sample. It calculates the IG for each attribute and ranks them in decreasing order. Each attribute receives a score between 0 and 1. Attributes with a higher IG are the relevant ones and are considered as the input subset of features for the next dimensionality reduction step [146,147]. The estimated information required to classify a given instance is as follows: Here, m is the number of classes, D is the total number of instances in the training set, and d_i is the number of instances of class i in the training set.
Attribute Ratio. The Attribute Ratio (AR) method is a filter technique for feature selection. It is calculated from the feature frequency or average (Avg). Before calculating AR, we need to calculate the class ratio (CR). CR defines the ratio of each class for attribute i. CR is calculated through two methods according to the type of the attributes [148,149]. The AR feature selection formula is as follows: Here, CR represents the class ratio. For numeric attributes, the CR is calculated as follows: For binary attributes, the CR is calculated as follows:
Genetic Algorithm. The Genetic Algorithm (GA) is a heuristic algorithm inspired by natural selection, where fitter individuals survive and pass on their genes. The GA starts with a random population of individuals and improves the population using three operators: selection, crossover, and mutation. The best solution in the last population is returned as the best approximation of the global optimum for a given problem. This algorithm evaluates the fitness of each individual in the population using a fitness function. It associates probabilities with individuals and selects them with a selection mechanism for creating the next generation, in proportion to their fitness values. The selection operator is able to choose the best solutions since the probability is proportional to the fitness. There are many selection techniques used to choose the best solution, such as fuzzy selection, fitness uniform selection [150], proportional selection [147], linear rank selection [147], and steady-state reproduction [151]. The GA uses the crossover and mutation operators, which simulate the biological process, to introduce diversity into the population. With the crossover operator, two randomly selected solutions are combined to produce two new solutions. There are different techniques for this operator, notably the single-point and double-point techniques [152]. The mutation operator prevents solutions from becoming similar and increases the probability of escaping local optima. There are many mutation techniques in the literature, such as power mutation, uniform [153], Gaussian [154], shrink [155], supervised mutation [156], uniqueness mutation [157], and varying-probability mutation [158,159,160].
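The entropy and information-gain ranking described under Information Gain above, as an added example that is not the paper's code: it assumes the standard form Info(D) = -sum over the m classes of (d_i/|D|) log2(d_i/|D|), with IG(A) = Info(D) - Info_A(D), since the paper names m, D and d_i but its equation is not on the page; the nominal flow records and attribute names are constructed.

```python
"""Information-gain feature ranking (added example, not the paper's code).
Assumes Info(D) = -sum_i (d_i/|D|) log2(d_i/|D|) over the m classes and
IG(A) = Info(D) - Info_A(D); the nominal flow records below are constructed."""
import math
from collections import Counter, defaultdict

ATTRIBUTES = ["proto", "syn_flag", "ttl_class"]
# Constructed records: (proto, syn_flag, ttl_class, label). syn_flag separates
# the classes perfectly, proto only partially, ttl_class not at all.
RECORDS = [
    ("tcp", "set", "high", "attack"),
    ("tcp", "set", "high", "attack"),
    ("tcp", "set", "low", "attack"),
    ("tcp", "set", "low", "attack"),
    ("tcp", "clear", "high", "normal"),
    ("tcp", "clear", "low", "normal"),
    ("udp", "clear", "high", "normal"),
    ("udp", "clear", "low", "normal"),
]


def info(labels):
    """Entropy Info(D) of a label multiset: m classes, d_i instances of class i, |D| = total."""
    total = len(labels)
    return -sum((d_i / total) * math.log2(d_i / total) for d_i in Counter(labels).values())


def info_given(records, attr_index):
    """Expected information Info_A(D): entropy of each partition weighted by its share of D."""
    partitions = defaultdict(list)
    for rec in records:
        partitions[rec[attr_index]].append(rec[-1])
    total = len(records)
    return sum(len(part) / total * info(part) for part in partitions.values())


def information_gain(records, attr_index):
    """IG(A) = Info(D) - Info_A(D): entropy reduction obtained by splitting on A."""
    return info([rec[-1] for rec in records]) - info_given(records, attr_index)


def rank_attributes(records, attributes):
    """(name, IG) pairs in decreasing order of IG, i.e. the paper's ranking step."""
    scores = [(name, information_gain(records, i)) for i, name in enumerate(attributes)]
    return sorted(scores, key=lambda s: s[1], reverse=True)


if __name__ == "__main__":
    for name, gain in rank_attributes(RECORDS, ATTRIBUTES):
        print(f"{name:10s} IG = {gain:.4f}")
```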
Binary Particle Swarm Optimization. Binary Particle Swarm Optimization (BPSO) is a wrapper method. The PSO technique is a population-based algorithm, where each individual in the population corresponds to a particle. Each particle represents a candidate solution to the problem at hand. Particles change their positions by flying around a multidimensional search space until a relatively unchanged position has been found, or until the computational limits are exceeded. Each particle has its fitness evaluated by a fitness function. The best fitness value a particle has achieved so far is called its personal best (pbest) solution. The particle which has the best solution among all pbest values is called the global best particle (gbest) [161,162]. The particle velocity and position updates can be described as follows: Here, d is the particle dimension, t is the iteration, r1 and r2 are random numbers in the interval (0, 1), and c1 and c2 are positive acceleration constants.
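BPSO used as a wrapper feature selector, as an added example that is not the paper's code. The velocity update uses the paper's d, t, r1, r2, c1 and c2 plus an inertia weight w (a standard BPSO parameter the paper does not list), the position update maps the velocity through a sigmoid, and the fitness is the leave-one-out accuracy of a 1-nearest-neighbour classifier minus a small per-feature penalty (an assumed wrapper objective); the flow records are constructed.

```python
"""BPSO wrapper feature selection (added example, not the paper's code).
Assumptions: inertia weight w, a 1-NN leave-one-out accuracy minus 0.01 per
selected feature as the wrapper objective, and constructed flow records."""
import math
import random

# Constructed flows: (pkts, duration, ttl, label; 1 = attack). pkts and duration
# separate the classes; ttl alternates 64/128 independently of the label (noise).
ROWS = [
    (10, 2.0, 64, 0), (12, 2.5, 128, 0), (9, 1.8, 64, 0), (11, 2.2, 128, 0),
    (300, 0.5, 64, 1), (280, 0.4, 128, 1), (320, 0.6, 64, 1), (290, 0.5, 128, 1),
]
N_FEATURES = 3


def loo_1nn_accuracy(mask):
    """Leave-one-out accuracy of 1-NN using only the columns where mask[d] == 1."""
    feats = [d for d in range(N_FEATURES) if mask[d]]
    if not feats:
        return 0.0
    # Min-max scale the chosen columns so that pkts does not swamp duration.
    lo = [min(r[d] for r in ROWS) for d in feats]
    hi = [max(r[d] for r in ROWS) for d in feats]

    def vec(r):
        return [(r[d] - l) / (h - l) if h > l else 0.0 for d, l, h in zip(feats, lo, hi)]

    correct = 0
    for i, r in enumerate(ROWS):
        vi = vec(r)
        nearest = min((j for j in range(len(ROWS)) if j != i),
                      key=lambda j: sum((a - b) ** 2 for a, b in zip(vi, vec(ROWS[j]))))
        correct += ROWS[nearest][-1] == r[-1]
    return correct / len(ROWS)


def fitness(mask):
    """Wrapper objective (assumed): accuracy minus 0.01 per selected feature."""
    return loo_1nn_accuracy(mask) - 0.01 * sum(mask)


def sigmoid(v):
    return 1.0 / (1.0 + math.exp(-v))


def update_velocity(v, x, pbest, gbest, r1, r2, w=0.9, c1=2.0, c2=2.0):
    """v_id(t+1) = w*v_id(t) + c1*r1*(pbest_id - x_id) + c2*r2*(gbest_id - x_id)."""
    return w * v + c1 * r1 * (pbest - x) + c2 * r2 * (gbest - x)


def bpso(objective, n_dims, swarm=8, iters=40, seed=1, vmax=4.0):
    """Run BPSO over bit vectors; returns (gbest position, gbest fitness)."""
    rng = random.Random(seed)
    # Particle 0 starts with every feature on, so gbest is never worse than
    # the all-features baseline; the other particles start at random positions.
    xs = [[1] * n_dims] + [[rng.randint(0, 1) for _ in range(n_dims)]
                           for _ in range(swarm - 1)]
    vs = [[0.0] * n_dims for _ in range(swarm)]
    pbest = [list(x) for x in xs]
    pfit = [objective(x) for x in xs]
    g = max(range(swarm), key=lambda i: pfit[i])
    gbest, gfit = list(xs[g]), pfit[g]
    for _ in range(iters):
        for i in range(swarm):
            for d in range(n_dims):
                r1, r2 = rng.random(), rng.random()
                v = update_velocity(vs[i][d], xs[i][d], pbest[i][d], gbest[d], r1, r2)
                vs[i][d] = max(-vmax, min(vmax, v))  # clamp so the sigmoid never saturates
                # Position update: bit d becomes 1 with probability sigmoid(v).
                xs[i][d] = 1 if rng.random() < sigmoid(vs[i][d]) else 0
            f = objective(xs[i])
            if f > pfit[i]:
                pfit[i], pbest[i] = f, list(xs[i])
                if f > gfit:
                    gfit, gbest = f, list(xs[i])
    return gbest, gfit


if __name__ == "__main__":
    best, score = bpso(fitness, N_FEATURES)
    print("selected mask:", best, "fitness: %.3f" % score)
```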
An improved Binary Particle Swarm Optimization. The Improved Binary Particle Swarm Optimization technique (IBPSO) is a solution proposed to improve the BPSO technique. It aims to prevent particles from getting trapped in a local optimum by introducing a Boolean algebra operation. In fact, it assumes that the particles have fallen into a local optimum when the gbest value is unchanged after three generations. The particles are then induced to leave the local optimum by applying the logical AND operation to the pbest of all particles [163,164].

IBPSO+IG. The Improved Binary Particle Swarm Optimization and Information Gain technique (IBPSO+IG) is a hybrid solution to enhance the IBPSO technique. This hybrid solution combines filter and wrapper feature selection methods. First, IG is used to calculate the importance of each feature with respect to the class. Then, to effectively remove useless features, the traditional BPSO and the improved BPSO wrapper methods are used to select the features again [163].

Supervised ML Approaches
The supervised approaches are predictive models developed from a labeled training dataset that contains normal and anomalous data instances. New data instances are compared with the model to determine which class they belong to. There are several supervised machine learning algorithms, such as linear classifiers, K-Nearest Neighbor (KNN), Decision Tree, and Artificial Neural Network [165,166].
Linear classifier.
Logistic regression. Logistic regression is a predictive analysis technique. It is used to conduct the analysis when the dependent variable is binary. It is a statistical way of modeling a binomial outcome. The outcome can be 0 or 1, which performs a binary classification of the positive class against the negative one. It uses a sigmoid curve to output a probability value and thus performs a classification [167]. Its hypothesis function is as follows: S(w) is the sigmoid curve, whose output is an estimated classification likelihood.

Support Vector Machines. The Support Vector Machines (SVM) technique divides the space into planes and finds separating hyperplanes between them to classify data. A new unseen data point is then classified according to the side of the hyperplane on which it falls. The SVM technique is suitable for medium-sized datasets of features with similar meaning. The advantages of the SVM technique are its scalability and its capabilities to perform real-time intrusion detection and update the training patterns dynamically [168,169,170].
Naive Bayes. It is a probabilistic machine learning model. This classifier is based on the Bayes theorem. It learns parameters by assuming that the value of each feature is independent of the other features given the class variable. It then collects simple per-class statistics from each feature. This classification technique is faster in training compared to the other linear classifiers and it is good for very large datasets and high-dimensional data. However, it often provides the worst generalization and accuracy performance of the linear classifier techniques [171,172].
K-Nearest Neighbor. It builds the model by storing the training dataset. To make a prediction for a new unseen data point, it finds the closest data points in the training dataset, which are considered its nearest neighbors. This technique is generally used with small datasets [173,174].
Decision Tree. Learning a decision tree means learning the sequence of questions that gets us to the answer most quickly. These questions are called tests. A decision tree is a flowchart-like structure in which each internal node represents a test on an attribute. Each branch represents the test outcome, and each leaf node (i.e., terminal node) represents a class label. The paths from the root (i.e., the entire sample) to a leaf (i.e., terminal node) represent the classification rules. This technique is simple to interpret. However, it requires high computation, it is often relatively inaccurate, and it is unstable (i.e., a small change in the data can lead to a large change in the structure of the optimal decision tree) [175].
Artificial Neural Network. This technique is a brain-inspired system, which mimics the way humans learn. Neural networks consist of artificial neurons called perceptrons. Neural networks have input and output layers, as well as hidden layers consisting of units that transform the input into results the output layer can use. This technique can be viewed as a generalization of linear models that performs multiple stages of processing to come to a decision [176].

Unsupervised ML Approaches
Unsupervised approaches associate no explicit labels with the training dataset. They aim to learn about the data by modeling its structure and distribution. There are several unsupervised machine learning algorithms, such as K-means clustering, Hidden Markov Model, and Fuzzy Logic [177].
K-means Clustering. The k-means clustering method was leveraged in WSN for intrusion detection to enhance security in IoT systems [178,179]. This method aims to generate k clusters from a given dataset by iteratively allocating each data point, according to its features, to one of the k clusters. As a result, each cluster holds samples with similar features. Indeed, the k centroids, which define the cluster centers, are estimated. Then, each data point is assigned to its nearest cluster centroid using the squared Euclidean distance. After that, the cluster centroids are recalculated by computing the mean of all the samples assigned to each cluster. These steps are iterated until no sample changes cluster. It is clear that this method depends on specifying the parameter k, which defines the number of clusters, before executing the algorithm [180].

Semi-Supervised ML Approaches
With semi-supervised approaches, the training data instances contain labels only for the normal class. Data instances are not labeled for the anomalous class. Semi-supervised approaches attract great interest in machine learning because they can exploit available unlabeled data to improve supervised learning tasks when labeled data are expensive or scarce. The most common semi-supervised algorithms are Expectation-Maximization [185] with generative mixture models [186], and the transductive SVM algorithm [187,188,189].

Related Surveys
This section introduces the related works that survey and overview intrusion detection techniques using machine learning algorithms in the IoT network, by highlighting their main contributions. There are many surveys that discuss intrusion detection, privacy and security issues for IoT. Despite the various research works dealing with intrusion detection systems, the field is still in its infancy for IoT applications. As far as we know, there are few investigations focused on overviewing intrusion detection using machine learning mechanisms for the IoT network. We focused on intrusion detection for the IoT network using machine learning algorithms in this paper. In order to compare our survey with the existing IoT network overviews and surveys, Table 3 sets side by side our survey work and other recent works that study security issues and intrusion detection in the IoT network.

Conclusion
IoT is a technology trend that enables new protocols, applications and services. It is able to connect a large number of physical objects to the Internet, and produces extensive data traffic in the network. However, the IoT traffic could be leveraged to conceive malicious activities. Indeed, IoT systems have some security flaws and vulnerabilities, the commonest of which is that attackers may misuse this emerging technology to threaten users' privacy. Therefore, security issues cannot be neglected and IoT security solutions should be developed. This paper elaborated a taxonomy of the IoT security challenges and attacks, and highlighted the open issues in IoT security. It surveyed and provided a taxonomy of the various intrusion detection methods that can mitigate different attacks. The intrusion detection techniques are classified into three types based on the detection mechanism: signature-based IDS, anomaly-based IDS, and specification-based IDS. Signature-based IDS can detect all known attacks based on their signatures. With anomaly-based IDS, however, the IDS builds a normal activity profile, which represents the normal behaviors that are accepted in the network system. It then becomes able to trigger alerts on anomalies that mismatch the normal behavior. The specification-based IDS technique exploits the benefits of both signature-based and anomaly-based detection techniques. It then attempts to detect known as well as unknown attacks. Machine learning is a field of artificial intelligence (AI) that has already been applied in multiple disciplines and can bring a potential benefit to IoT security systems. Accordingly, this paper presented a comprehensive study of the different machine learning methods used for intrusion detection in the IoT network context. These methods could be classified into three categories based on the availability of labeled data traffic: supervised, unsupervised, and semi-supervised methods.
Table 3. Comparison between our survey and related surveys.

[190]
-It provides an updated overview of intrusion detection systems.
-It discusses the use of IDS to detect and identify vulnerabilities.
-It studies the prevention mechanisms applied to avoid intrusions.

A. Ahmim et al., 2020 [191]
-It studies some supervised machine learning schemes for IDS.
-It surveys intrusion detection systems and their mechanisms.
-It reviews common public data sets used in experiments.

K. A. P. da Costa et al., 2019 [192]
-It overviews research progress in security-related issues in IoT environments.
-It discusses methods based on machine learning and evolutionary computation.

D. Kumar et al., 2019 [193]
-It presents a comprehensive investigation of security for IoT systems.
-It proposes a taxonomy for the IoT ecosystem.
-It provides state-of-the-art attacks on IoT systems and their defenses.

C. Patel et al., 2019 [194]
-It discusses security challenges for IoT.
-It examines cyber threats, attacks and security solutions for IoT.

N. Chaabouni et al., 2019 [195]
-It identifies and classifies IoT threats.
-It studies and compares intrusion detection systems based on machine learning techniques.

A. Mudassar et al., 2019 [196]
-It discusses the generic architecture of IoT and its protocols.
-It surveys IoT security challenges and issues.

S. Deep et al., 2019 [197]
-It examines security and privacy issues at each layer of the IoT system.
-It overviews the existing security solutions for IoT.

L. Deng et al., 2018 [198]
-It overviews the IoT network security issues.
-It discusses some intrusion detection technologies and compares them.

E. Benkhelifa et al., 2018 [199]
-It discusses protocols and technologies of the IoT system.
-It studies Intrusion Detection System (IDS) architectures.
-It identifies security issues in IoT architectures and examines some proposed solutions.

N. Zhang et al., 2017 [200]
-It provides a large-scale empirical analysis of 83M IoT devices in 16M real-world homes.
-It analyzes the security profile of different IoT devices and networks.
-It describes the current landscape of IoT devices and their security posture.

Z. A. Khan et al., 2017 [114]
-It examines the trust-based intrusion detection mechanism for IoT, used to let nodes build trust relations with their adjacent nodes, which guide message routing through the network.
-It proposes a design and evaluation of intrusion detection mechanisms for IoT that use a trust management technique to detect intruder nodes.

B. B. Zarpelão et al., 2017 [201]
-It surveys the IDS research work for IoT.
-It proposes a classification of intrusion detection systems based on their placement strategy, detection technique and security threat.

Our contribution: H. Mliki et al., 2020
-This paper studies network technologies and services at each layer in the basic IoT model.
-It elaborates a taxonomy of the IoT security challenges and attacks.
-It surveys the existing intrusion detection mechanisms for the IoT network and elaborates a taxonomy to classify these mechanisms.
-It develops a comprehensive study of the different machine learning methods used for intrusion detection in the IoT network context.