1 Introduction

In the modern era, IoT is a rapidly growing technology that connects everything to the Internet to exchange data without human intervention [1]. Billions of interconnected devices equipped with sensors and software collect and transfer information with each other over public networks, and users can easily access these devices 24/7 from anywhere. IoT devices have gained popularity in society and industry over the last decade because of their ease of use, affordability, compact size, and low power consumption. Further, as per a recent report, the market for IoT devices is expected to grow to 1.6 trillion US dollars by 2025 [2].

IoT applications are widely spread across every industry and sector, including smart homes, offices, smart cities, transportation, agriculture, healthcare, education, defense, and so on. The technology has brought significant advantages and smartness to our lives, society, and enterprises. Despite that, it is not mature enough to provide assured security in its services, so security is one of the most significant concerns. A recent report claims that there will be twenty-nine billion IoT devices connected to public networks by 2030 [3], as depicted in Fig. 1. Further, many IoT devices contain valuable user information [4, 5]. For instance, they store personal data about the customer, such as their location, contact information, health details, etc., that can be compromised.

Fig. 1 Year-wise IoT devices connected to public networks [3]

However, the day-by-day increase in non-secure IoT devices brings various security issues, owing to their limited resources (memory, processor, power, and bandwidth) and lack of security features. Cybercriminals therefore have more opportunities to gain access to these devices, compromise them, and then execute large-scale DDoS attacks with them. Several detection solutions have been proposed in the literature to defend the IoT environment against IoT traffic-based DDoS attacks. Examining machine learning and deep learning-based DDoS attack detection approaches is therefore a highly active topic among academics and researchers.

1.1 IoT platform

The extensive IoT network consists of millions of interconnected physical objects, such as sensors, computers, machines, digital devices, etc. Within it, diverse smart gadgets with distinct functionalities communicate seamlessly with each other. Their primary purpose is to collect, analyze, and process information to make decisions without human assistance. Hence, the network contributes to automation and improved decision-making based on the data it gathers and processes. This interconnected system creates an intelligent ecosystem where devices work together, enhancing efficiency and improving customer services. Eventually, it simplifies everyday processes and makes our lives more convenient.

1.1.1 Evolution of IoT

IoT technology has evolved from one or two devices to the use of IoT devices in every household; the chronological development of IoT technology is illustrated in Figure ??. It is believed that the concept of the IoT was born after 1999, when Kevin Ashton introduced the term IoT during his presentation at Procter and Gamble, MIT [6]. However, before 1999 several attempts had been made to design intelligent devices. For example, in 1982, researchers at Carnegie Mellon University connected a vending machine to the Internet to check remotely whether its soda was cold [7]. Moreover, a smart toaster, invented by John Romkey in 1990, was the first IoT device operated over the Internet [8]. In the 1990s, IoT technology witnessed many developments, ranging from Steve Mann’s wearable webcam to the US government’s long-term GPS satellite program [9].

LG brought out the world’s first Wi-Fi-enabled smart refrigerator in 2000 [10]. The first smartwatch was launched in 2004 as part of this development journey. In the same year, the US Department of Defense successfully deployed RFID systems on a large scale [7]. Apple Inc. released the iPhone and the wearable Fitbit in 2007. After that, the first international conference on IoT was held in Switzerland in 2008, attended by 250 researchers from 23 different countries [9]. It can be considered a significant event for the growth and popularity of IoT.

IoT reached a new dimension in 2009 when Google started testing self-driving cars. Further, 2011 was another landmark year for IoT, as Gartner added IoT to its Hype Cycle of emerging technologies [10]. Google smart glasses appeared in 2013, followed by Amazon Echo in 2014; both have been accepted as revolutionary steps in IoT and wearable technology. These inventions opened the way for IoT technology to enter the smart home market [9]. In 2015, Elon Musk released the Autopilot feature in smart cars, which allows drivers to focus on other things while driving [7]. Despite groundbreaking technological advancements in the IoT environment over the past few years, in 2016 the first major IoT malware attack was carried out on Dyn’s servers using the Mirai botnet [10].

In 2018, IoT technology was integrated with smart-healthcare applications to monitor patients’ health remotely [8]. However, this growth in IoT devices has also increased IoT-based cyberattacks: more than 1.5 billion attacks were executed on IoT devices in the first half of 2021 [11]. Therefore, securing IoT devices from different types of cyberattacks has become a top priority for manufacturers and customers (Fig. 2).

Fig. 2 A comprehensive timeline of major developments in IoT technology

Fig. 3 A graphical representation of IoT applications using a layered architecture

1.1.2 Applications of IoT

IoT technology offers a wide range of technical solutions for every aspect of daily life. Therefore, it has dominated every sector. In Fig. 3, we systematically present the most popular and fast-growing applications related to IoT technology.

For example, the conventional healthcare system has become automated with the integration of IoT technology. During the COVID-19 pandemic, there was a rise in the demand for IoT-based remote monitoring systems. By integrating IoT into the healthcare domain, we gain access to modernized devices, such as Internet-connected equipment, wearable fitness gadgets, tracking devices, etc., which add smartness to healthcare. IoT-based devices empower patients and physicians with affordable solutions [12, 13]. Further, in the automobile sector, IoT technology has played a vital role in connected vehicles and reshaped the public perception of cars. Smart infrastructure and fully automatic connected vehicles together will significantly change the driving experience [14]. Several IoT applications generate global interest, but smart homes and cities are the most prevalent. Home automation, smarter traffic signaling, waste management solutions, e-commerce, air quality monitoring, digital entertainment, and water and energy distribution systems are some instances of IoT applications utilized to address fundamental problems of society, like air/noise pollution, traffic jams, and inadequate energy and water supplies, among many others [15]. Further, IoT technology has contributed significantly to the development of Smart Farming and Smart Grid technologies, which have transformed conventional farming practices and energy management systems [16, 17]. For example, with the help of sensors, one can monitor a harvest field from anywhere and utilize resources (water, electricity) more efficiently.

1.2 Challenges

IoT technology is still in its infancy with respect to security and faces several research challenges, which are systematically presented in Fig. 4. In addition to their small and lightweight design, IoT devices have limited processing and storage capacities, which leads several manufacturers to ship IoT devices with multiple security loopholes. Further, the standardized protocols and technologies required to design and implement these devices may be compromised because of their limited processing capabilities. Therefore, cybercriminals exploit the vulnerabilities of numerous non-secure IoT devices and compromise them to form a bot army for executing large-scale attacks [18, 19].

Fig. 4 Research challenges in IoT technology

In addition, several renowned high-tech companies and government organizations across the globe have suffered from large-scale DDoS attacks. The numerous security and privacy breaches in current IoT systems have therefore motivated research communities to develop comprehensive solutions for enhancing the security of IoT-enabled industries and sectors.

One of the most prominent examples of the heterogeneity issue in the IoT environment is that it comprises a vast array of distributed devices, such as sensors, actuators, and other gadgets [20].

Table 1 Summary of research challenges in IoT system

Interoperability refers to the ability of different systems or devices to "speak the same language" with respect to encoding and protocols. It creates a common path to share data and perform tasks together to achieve the same goal. However, different industries employ different communication technologies, protocols, and components for designing IoT applications, which generate a wide range of data specific to their business field. Because of this heterogeneous environment, IoT-based systems encounter difficulties when interacting with each other.

Data management is an exceptionally challenging task because of the heterogeneous nature of IoT devices. Further, they generate large amounts of data that must be stored and processed. Traditional database management systems and software techniques have failed to handle Big Data [37]. In the current scenario, numerous IoT-based systems use traditional cloud architectures to send and receive the large volumes of data generated and consumed by IoT-enabled gadgets. Furthermore, performing highly computational jobs effectively and securely on cloud platforms remains a constant concern [38]. Systematically analyzing the large amounts of data generated by IoT-based networks is therefore another challenge for IoT systems. One of the emerging fields of Big Data is IoT-based systems such as virtual assistants (Amazon Alexa, Microsoft’s Cortana, and Apple’s Siri), which generate massive amounts of data regularly. According to Forbes, there were 35 times as many voice searches in 2016 as in 2008, and 33 million voice-first devices are currently in service [39].

In Table 1, we systematically present several challenges concerning IoT devices and technology, including mobility, standardization, low cost, scalability, connectivity, self-organization, maintenance, upgradation, energy efficiency, full Internet access, and quality of service. A list of the abbreviations and terminology used in this study is summarized in Table 2.

1.3 Contributions

The significant contributions of this review article are listed in the following:

  1. Comprehensively examine various security issues associated with the IoT environment and propose a comprehensive cyberattacks taxonomy for IoT platforms, characterizing each class of the taxonomy w.r.t. the layered architecture of IoT and the traffic flow rate.

  2. Systematically present IoT technology w.r.t. its evolution, applications, and various challenges.

  3. Critically analyze the existing Machine Learning (ML) and Deep Learning (DL)-based detection approaches for large-scale IoT traffic-based DDoS attacks.

  4. Characterize various publicly available IoT-traffic-specific datasets.

  5. Systematically present various research issues with possible solutions for protecting Internet-based services and networks.

Table 2 List of abbreviations

1.4 Prior reviews

Several review articles have been published in the literature in the domain of IoT security. We have systematically compared this review article with recently published review articles in Table 3, which distinctly highlights the unique contributions of this work. We compared them on several significant parameters, including IoT attack taxonomy, feature engineering, feature selection, dataset analysis, classes of attacks categorized, evaluation metrics, etc. Numerous existing reviews narrow their focus to either ML-based or DL-based detection approaches, whereas our examination encompasses both ML- and DL-based detection methods. This study delves into diverse security issues within the IoT environment and examines numerous public IoT traffic datasets that have found widespread use among researchers. Additionally, we discuss some open research issues to guide researchers in addressing significant security threats such as IoT traffic-based DDoS attacks. Apart from this, several existing review articles fail to address other parameters as well: (i) feature engineering or feature selection strategies, (ii) a comprehensive cyberattack taxonomy for IoT platforms, and (iii) the classes of attacks classified in the existing literature. This clearly illustrates that our article is distinct from the previously published ones.

Table 3 Summary of prior review articles

1.5 Organization of paper

A roadmap of this review article is presented in Fig. 5. In Sect. 2, we present security issues related to the IoT environment and a cyberattacks taxonomy with a primary focus on IoT-traffic-based DDoS attacks. Section 3 discusses the systematic review’s search strategy, research selection, and data extraction process. Section 4 examines the existing ML- and DL-based detection approaches w.r.t. large-scale IoT traffic-based DDoS attacks and characterizes the available datasets used to implement cyberattack detection mechanisms. Section 5 illustrates the open issues related to IoT security with feasible solutions. Finally, Section 6 concludes this review article with future directions.

Fig. 5 A road-map of the systematically conducted literature review

2 Security issues in the IoT environment

Protecting IoT devices and networks from different cyberattacks is a critical challenge for researchers and organizations. Most of these devices lack a foolproof security system because of limited storage and processing capacity. Therefore, they are susceptible to various security and privacy issues concerning confidentiality, integrity, authentication, access control, etc. [42]. Information theft and service interruption are the two most common cybersecurity threats to IoT devices and networks. The IoT incorporates three layers: "the perception layer, the network layer, and the application layer" [43]. Figure 3 depicts a basic three-layer architecture and the security threats that adversely impact these layers. Each layer has its own strengths and weaknesses, which must be identified so that its security can be ensured by preventing the corresponding types of attacks [44]. The functions of each layer are given in the following:

  1. The perception layer: This layer interfaces with the external world to sense and gather data from its surroundings. Several sensors in this layer measure heat, pH value, light, gas, location, etc. [45], and it also captures humidity, pressure, location, movement, etc. Additionally, actuators operate as controllers to provide mechanical responses based on the gathered data. However, this layer is vulnerable to various attacks such as jamming, radio interference, eavesdropping, node capturing, malicious code injection, side-channel attacks, etc. [46].

  2. The network layer: The primary function of this layer is to connect different smart devices, gateways, and servers. Further, it plays an active role in transferring/redirecting the collected data to other IoT network components (computational units) for further processing. For this, IoT employs several communication standards and protocols, including 4G/5G, 6LoWPAN, ZigBee, Bluetooth, WiFi, WiMAX, etc. [47]. In this layer, local clouds/servers store and process the data, acting as an intermediary between the network and the subsequent layer [48, 49]. However, this layer is highly vulnerable to several attacks such as routing attacks, DDoS attacks, ICMP floods, etc.

  3. The application layer: This is the final and outermost layer; it serves users’ requests via mobile devices and web-based software. Numerous innovative applications are available in the application layer to meet the needs of current trends. They benefit society in many ways through intelligent things, viz. smart cities, smart homes, agriculture, transportation, education, etc. [50]. For example, doctors can use IoT applications to view the health parameters of their patients remotely. However, the end-user interacts directly with this layer, so there is significant concern about privacy, data theft, etc. [51].

Table 4 Summary of the various vulnerabilities in the IoT layers

Generally, cybercriminals attempt to exploit the open vulnerabilities that exist in devices to compromise and gain control of them. This helps them build a massive army of infected devices to launch large-scale attacks. An appropriate security mechanism is required to address these vulnerabilities and prevent cyberattacks. Moreover, conventional security mechanisms are not directly adaptable to IoT technology because of the inherent limitations of its design, such as limited power and a large number of connected things, which magnify heterogeneity and scalability issues [52]. In Table 4, we summarize the various vulnerabilities [23, 30] that exist in the IoT layers/devices [53, 54].

2.1 DDoS attack

A DDoS attack is one of the most significant security threats to Internet-based applications and IoT environments. It slows down or completely stops the targeted online services (email servers, websites, or anything connected to the Internet) [55]. DDoS attacks not only interrupt services to legitimate users but also lead to considerable financial losses for the targeted industry. To perform large-scale DDoS attacks, attackers gain access to numerous non-secure devices to create an army of compromised devices. Subsequently, each compromised device (bot) sends attack traffic toward the target system. A typical setup for launching large-scale DDoS attacks is shown in Fig. 6. The distributed nature of a DDoS attack makes it challenging to identify the compromised devices and mitigate the impact of the attack immediately. There are three types of DDoS attacks [56, 57]: (i) volumetric attacks, (ii) application-layer attacks, and (iii) protocol-based attacks, which are characterized in Table 5. The most commonly used DDoS attacks are SYN flood, HTTP, UDP, and ICMP attacks.

Fig. 6 A typical setup for launching large-scale DDoS attacks using IoT devices [23]

Table 5 Classification of DDoS attacks with mapping to Target techniques

2.2 Recent statistical information of DDoS attacks

In this section, we present statistical information about recent large-scale DDoS attack incidents. During the COVID-19 pandemic, there was massive growth in the demand for online services in every sector. In addition, the rollout of 5G technologies has accelerated the adoption of IoT technologies across the globe. This generates a massive pool of less-secure devices, which helps attackers build large-scale botnets for conducting DDoS attacks [57]. Recent statistical incidents are systematically listed in the following:

Fig. 7 Large scale DDoS attacks against major organizations [57,58,59,60]

  1. Due to the COVID-19 situation, organizations moved their services, such as education, healthcare, shopping, etc., online. Attackers therefore had opportunities to compromise a large number of non-secure devices, and hence DDoS attack incidents rose [57].

  2. According to the report [61], DDoS attacks in 2021 decreased by 3% compared to 2020. However, the attack volume and the sophistication of attacks grew.

  3. As per [61], in the last two years, low-volume DDoS attacks (less than 250 GB) have decreased by approximately 5%. However, large-volume DDoS attacks increased by 1300%.

  4. The main reason to protect online services can be understood from Fig. 7. It shows that various popular and market-leading organizations have become victims of large-scale DDoS attacks [57, 58].

  5. Several record-breaking, large-scale DDoS attacks have been recorded in the past few years. They are listed as follows [57,58,59,60]:

    • In March 2018, the GitHub platform suffered the third-largest DDoS attack, with a volume of 1.35 terabits per second (Tbps).

    • In January 2019, the Imperva online service faced one of the largest network and application layer DDoS attacks, a SYN DDoS attack with 580 million packets per second (Pps).

    • In Q1 2020, the Amazon platform experienced the second-largest DDoS attack (2 Tbps of data).

    • In November 2021, an Azure client experienced the most significant DDoS attack, with 3.45 Tbps of throughput and 340 million packets per second (Pps).

    • In 2022, Google successfully handled the most substantial DDoS attack ever seen, which peaked at approximately 46 million requests per second (rps). However, the recent attack surpassed this, reporting 398 rps and sending 7.5 times more requests than the previous one [62].

  6. In 2021, the BFSI (Banking, Financial Services, and Insurance) industries encountered more than 25% of DDoS attacks. Further, the education and telecommunication sectors experienced a higher percentage of DDoS attacks than other sectors [61].

  7. As per a recent report [63], the market for solutions against different types of DDoS attacks is expected to double to $4.7 billion by 2024, representing a compound annual growth rate (CAGR) of 14 percent.

2.3 Role of botnet in IoT traffic-based DDoS attacks

A botnet is a pool of Internet-connected devices compromised by an attacker (or attackers) through the installation of malicious software or malware (specifically IoT botnet malware). The botmaster (a.k.a. the attacker) operates the botnet’s command-and-control servers to control these bots remotely [64]. The security limitations of IoT devices make them vulnerable to compromise, allowing attackers to incorporate them into extensive botnet networks [65]. Cybercriminals increasingly target smart devices because of their often inadequate protection and susceptibility to hacking, which makes them attractive instruments for executing powerful cyberattacks. Consequently, attackers frequently use these IoT botnets to carry out large-scale DDoS attacks. For example, in 2016, the Mirai malware used more than 2.5 million IoT devices as bots to execute a large-scale DDoS attack on Dyn’s DNS infrastructure [66]. This attack affected the world’s leading DNS provider and caused significant Internet service disruptions. In this type of attack, the intensity of the attack traffic is directly proportional to the number of IoT devices available in the botnet. Further, the Mirai botnet source code has been released into the public domain, resulting in an exponential increase in the number of Mirai IoT botnet DDoS attacks [67].

2.4 Cyberattacks taxonomy for IoT platforms

In the literature, several researchers [23, 25, 33, 68] have proposed IoT-based cyberattack taxonomies. However, these taxonomies fail to cover a comprehensive and wide range of cyberattacks related to IoT environments. Further, a few authors [69,70,71,72] presented various security problems but did not provide solutions to mitigate them.

Mathonsi et al. [70] proposed an IoT platform-based security taxonomy that covers several network security issues and PCI rather than addressing attack categories. Further, Ram et al. [71] primarily focused on communication layer issues associated with connected cars. Shepherd et al. [72] proposed a taxonomy for IoT security in healthcare systems that gives an overview of security considerations but does not elaborate on DDoS attack types and their impact.

In this article, we propose a comprehensive cyberattacks taxonomy for IoT platforms and characterize each class of the taxonomy w.r.t. the IoT layers. The proposed cyberattacks taxonomy for IoT platforms is shown in Figure ??. Attackers mostly breach the security of each layer of IoT technology-based applications. Therefore, in the proposed taxonomy, we categorize cyberattacks based on the basic three-layer architecture of IoT technology, namely application-, network-, and perception-layer attacks.

2.4.1 Perception-layer attacks

This layer primarily interacts with hardware, such as sensors, RFID tags, and other devices, to transmit and receive information through distinct communication protocols, including RFID, Zigbee, and Bluetooth. This layer is also known as the sensing layer [73, 74]. Generally, IoT devices are deployed at unmanaged locations anywhere in the world, where intruders can gain physical access without difficulty, making them susceptible to several security attacks [75]. In this layer, cyberattacks are broadly categorized into two types: physical and malformed attacks. Some of the most common cyberattacks in these classes are discussed in the following:

  1. Jamming attack: Among the most severe threats to IoT-enabled sectors, jamming attacks affect IoT networks by obstructing communications, degrading IoT device performance, and exhausting their energy supplies [76]. They make the perception layer of the IoT stack a victim. A jamming attack interferes with the network’s radio frequencies, which causes node frequency jamming when multiple devices share the same frequency channel [77]. Further, a small jamming source can also jam specific network nodes by sending artificial jamming signals.

  2. Collision attack: A data collision happens when two or more nodes send data simultaneously while sharing the same channel. In that case, packet collisions can corrupt the data, producing a checksum mismatch, so the data is treated as incorrect and dropped [78]. Moreover, re-transmitting data every time a packet collides imposes additional burdens on the source node and the network, causing a denial of service and exhausting the entire network’s resources [79].

  3. Sleep deprivation: Attackers take advantage of the power constraints of IoT devices by delivering fake control packets to the victim node until it is exhausted. Processing these packets depletes the device’s power supply, resulting in a sleep deprivation attack [80]. IoT devices commonly enable their security processes only after booting, which allows the attacker to launch an attack during the boot process.

  4. Side-channel attack: Side-channel attacks (SCAs) extract information from a chip or a system by measuring and analyzing physical factors, including timing information, power consumption, execution time, and radio waves [81].

  5. Node capture attack: Sensors (a.k.a. nodes) are highly vulnerable to node-capturing attacks, in which attackers capture nodes or replace them with malicious ones.

  6. Malicious input attack: An attacker has the opportunity to inject malicious code or false data into a node while its firmware or software is being updated over the wireless medium, resulting in financial loss, excessive power consumption, and deteriorating performance of devices and networks [82].

  7. Eavesdropping: A network that operates in an open environment puts its nodes at risk of eavesdropping attacks during data transfer or similar events [83].

Further, this layer is vulnerable to other attacks such as replay attacks, bluesnarfing, physical damage, etc. (Fig. 8).

Fig. 8 A comprehensive cyberattacks taxonomy for IoT platforms

2.4.2 Network-layer attacks

This layer of the IoT architecture incorporates numerous functionalities, including routing, adoption, and fragmentation. It enables physical objects to stay connected in IoT systems using network services, such as wired and wireless networks. Sensor networks play a vital role in designing IoT networks. Therefore, this layer is more likely to attract sophisticated attacks, ranging from route manipulation to fragmentation, which can impact the availability of network resources. These attacks can be split into (i) protocol-based and (ii) volume-based attacks [84]. Volume-based attacks can be sub-categorized into low-rate and high-rate attacks: in high-rate DDoS attacks, the packet frequency is excessively high, whereas low-rate attacks keep the same frequency as legitimate traffic.

Protocol-based attacks are also referred to as resource depletion attacks, as they consume the target server’s resources (CPU, memory) and communication tools (firewall, load balancer) [85]. They are quantified in packets per second (Pps). A few protocol-based attacks are presented in the following:

  1. 1.

    LAND attack: This attack aims to form an infinite loop. To launch a local area network denial (LAND) attack, an attacker sends a synthetic SYN packet to the victim system and sets the target IP as the source IP [86]. However, the target server recursively generates replies to this packet, resulting in a feedback loop. In this scenario, the target server may crash eventually due to a LAND attack [87, 88].

  2. 2.

    ACK-PUSK flood: TCP connections are established through a three-way handshake process that begins when the client transmits an SYN request to the server [89, 90]. After that, the client receives an SYN + ACK packet from the server. In the end, the client sends ACK to complete this process successfully. An attacker with malign intent can use multiple botnets to send an ACK, PUSH bit-enabled packet with a forged source address, and the target device will drop the packet due to the server not having a connection to the spoofed IP address [91,92,93]. It results in the complete exhaustion of the server’s resources due to excessive processing of every incoming packet.

  3. 3.

    Smurf attack: This attack manipulates the Internet control message protocol (ICMP) using a malware strain known as Smurf. An attacker sends multiple ICMP packets originating from a spoofed source IP address and broadcasts them to all computers on the network through a broadcast address. It causes each node of the network to respond to the ICMP request. Therefore, a significant amount of traffic receives by the victim.

  4. 4.

    SYN-ACK flood: An attacker exploits the second step of the three-way handshaking process to perform an SYN-ACK flood attack. In this step, the attacker overwhelms the target server with multiple spoofed SYN-ACK packets using a botnet or spoofed IPs. Meanwhile, the target server attempts to handle these requests, which consumes considerable resources, including RAM and CPU, during excessive processing.

  5. 5.

    SSDP flood: An attacker exploits the Simple service discovery protocol (SSDP), a network protocol used to advertise and discover network services in small networks. Further, it supports Universal Plug-and-Play (UPnP) service in devices for sharing information through UDP. This attack involves transmitting small UDP packets containing the target server’s spoofed IP address to multiple UPnP-enabled devices until the server becomes offline due to the flood of requests from these devices.

  6. 6.

    Selective forwarding: It is one of the most prevalent routing attacks. It drops specific packet data during transmission to construct a hole in the network. It is performed by forwarding only particular packets to the next node. If this attack is in tandem with a sinkhole attack, then it becomes more dangerous for the network.

  7. Teardrop attack: This attack happens when the malefactor transmits fragmented packets with overlapping fragment offsets toward the target system [94]. Due to a vulnerability in TCP/IP fragmentation reassembly, the target system cannot reassemble such overlapping fragments and crashes. It generally affects outdated operating systems [95, 96].

  8. RST/FIN flood: After a TCP session has been established through the three-way handshake, the endpoints exchange RST or FIN packets to terminate it. In an RST or FIN flood, the target server receives large numbers of RST or FIN packets from attackers that do not belong to any session with the server. Each packet must still be matched against the connection table, so the flood depletes the system resources of the victim’s firewall or servers.
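The common thread in the protocol-based attacks above (ACK-PUSH, SYN-ACK, SYN and RST/FIN floods) is that a server must consult its connection state for every packet it receives, and that a bounded half-open queue is what a SYN flood fills. The following Python simulation is an added example, not code from the surveyed paper or from any of the cited works; the backlog size, the addresses and the packet sequence are constructed for illustration.

```python
"""Toy server-side TCP connection table under protocol-based floods.

Added example: a constructed simulation, not code from the surveyed
paper. Backlog size, addresses and packet sequence are assumptions.
"""
from collections import OrderedDict


class ConnTable:
    """Minimal server-side TCP state: a bounded half-open (SYN) queue plus
    a set of established connections. Every packet costs one lookup."""

    def __init__(self, backlog_limit=4):
        self.backlog_limit = backlog_limit      # assumed SYN queue size
        self.half_open = OrderedDict()          # (src, sport) -> "SYN_RECV"
        self.established = set()                # (src, sport)
        self.lookups = 0                        # work done before any decision
        self.refused_syn = 0                    # SYNs refused: backlog full
        self.dropped_no_session = 0             # packets with no matching session

    def handle(self, pkt):
        key = (pkt["src"], pkt["sport"])
        flags = frozenset(pkt["flags"])
        self.lookups += 1                       # cost paid even for junk

        if flags == {"SYN"}:
            if key in self.half_open or key in self.established:
                return "duplicate-syn"
            if len(self.half_open) >= self.backlog_limit:
                self.refused_syn += 1           # SYN flood effect on new clients
                return "backlog-full"
            self.half_open[key] = "SYN_RECV"    # server sends SYN+ACK, waits for ACK
            return "syn-ack-sent"

        if flags == {"ACK"} and key in self.half_open:
            del self.half_open[key]             # third step of the handshake
            self.established.add(key)
            return "established"

        if key in self.established:
            if flags & {"RST", "FIN"}:
                self.established.discard(key)   # legitimate teardown
                return "closed"
            return "data"

        # ACK-PUSH, SYN-ACK, RST or FIN for a session that never existed:
        # dropped, but only after the lookup above was paid for.
        self.dropped_no_session += 1
        return "dropped-no-session"


def pkt(src, sport, *flags):
    return {"src": src, "sport": sport, "flags": flags}


# Constructed packet sequence (not captured traffic).
SAMPLE = (
    # legitimate client: full handshake, then a data segment
    [pkt("10.0.0.5", 40000, "SYN"), pkt("10.0.0.5", 40000, "ACK"),
     pkt("10.0.0.5", 40000, "ACK", "PSH")]
    # SYN flood from spoofed sources that never answer the SYN+ACK
    + [pkt(f"198.51.100.{i}", 1000 + i, "SYN") for i in range(1, 7)]
    # a second legitimate client tries to connect while the backlog is full
    + [pkt("10.0.0.6", 40001, "SYN")]
    # ACK-PUSH flood and RST flood for sessions that do not exist
    + [pkt(f"203.0.113.{i}", 2000 + i, "ACK", "PSH") for i in range(1, 6)]
    + [pkt(f"203.0.113.{i}", 3000 + i, "RST") for i in range(1, 4)]
)


def simulate(packets, backlog_limit=4):
    table = ConnTable(backlog_limit)
    outcomes = [table.handle(p) for p in packets]
    return {
        "outcomes": outcomes,
        "lookups": table.lookups,
        "half_open": len(table.half_open),
        "established": len(table.established),
        "refused_syn": table.refused_syn,
        "dropped_no_session": table.dropped_no_session,
    }


if __name__ == "__main__":
    for k, v in simulate(SAMPLE).items():
        print(f"{k}: {v}")
```

With the assumed backlog of four, the six spoofed SYNs leave the queue full, so the second legitimate client is refused, while the eight ACK-PUSH and RST packets are all dropped only after a table lookup each: the flood costs the server work in proportion to packets received, not in proportion to connections accepted.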

Volume-based attacks, a.k.a. bandwidth depletion attacks, immediately overwhelm a target server’s bandwidth by generating an enormous amount of traffic. Some of the most popular volume-based attacks are presented as follows:

  1. NTP amplified: The Network time protocol (NTP) is used to synchronize a computer’s clock with a server over the Internet. A malefactor abuses NTP to perform an NTP amplification attack. The attacker transmits small requests (typically the monlist command) to NTP servers using spoofed source IPs belonging to the target [97, 98]. Each NTP server responds to every request with a far larger reply sent to the target, and the high volume of responses overburdens the target network’s bandwidth. Therefore, it results in the denial of legitimate requests.

  2. Fraggle attack: A Fraggle attack is an amplification attack similar to Smurf, but it floods the victim’s network bandwidth using UDP echo packets instead of ICMP echo reply packets [99]. Attackers employ reflectors as a launching pad by transmitting large numbers of spoofed UDP packets to the broadcast IP of a network, and the resulting replies cause a denial of service.

  3. Ping of death: In this attack, attackers transmit ICMP echo requests that exceed the maximum IP packet size and cause the victim’s server to freeze or crash. The maximum length of an IP packet is 65,535 bytes. Large packets must be broken into smaller fragments and reassembled on the recipient’s side; the attacker sends fragments whose reassembled size exceeds 65,535 bytes [100]. Because of this inconsistency, the system allocates resources for reassembling the faulty packet and may overflow its reassembly buffer. An attacker can also consume network bandwidth and take the network offline.

  4. IP Null attack: This attack involves sending spoofed IP packets whose IPv4 header field indicating the transport protocol (the Protocol field) is set to zero. Because firewalls are typically designed to inspect TCP, UDP, and ICMP, such packets may be overlooked by the security mechanism. When the target server is overburdened with these packets and attempts to handle them, it may eventually crash.

  5. UDP flood: In a UDP flood attack, the attacker repeatedly transmits UDP packets with spoofed source IPs to random ports of the victim system. For each packet, the victim checks whether an application is listening on that port and, finding none, replies with an ICMP Destination Unreachable packet to the spoofed source address, which never answers [101]. Both the port inspection and the ICMP replies consume the victim’s resources.

  6. ICMP flood: This attack aims to cause congestion by consuming the network bandwidth, and due to this, the target system denies access to legitimate users [102]. Attackers transmit numerous ICMP echo requests, typically with spoofed source IPs, toward the victim faster than it can answer them, so that both the inbound requests and the victim’s echo replies exhaust its bandwidth [103].

  7. SNMP flood: An SNMP flood attack exploits the Simple network management protocol (SNMP), which is primarily used to manage network devices such as servers, hubs, switches, and routers. The attacker transmits numerous SNMP requests with the victim’s spoofed IP to many network devices, which then send a large number of (often much larger) response packets to the victim system.

  8. SYN flood: In a SYN flood, the attacker exploits the TCP protocol by sending SYN packets with forged source IPs toward the targeted system to initiate the connection establishment process. To confirm each connection, the victim system responds with a SYN+ACK packet and waits for the ACK. However, the attacking devices never send the ACK, so the half-open connections remain in the victim’s backlog queue, waiting for ACK packets, for a long time [104].

  9. Sybil attack: This type of attack is also called an identity fabrication attack. A single malicious node presents multiple identities to the network by stealing or falsifying the identities of other nodes [105], typically after identifying vulnerable nodes to obtain unauthorized access to the IoT network. Once attackers control enough identities, they manipulate routing protocols and disrupt overall network administration. This attack also reduces system effectiveness and network performance [106].

  10. Sinkhole attack: The attacker compromises several nodes in the IoT network to perform DDoS attacks [107]. The malicious node attracts neighboring nodes by advertising a fabricated, better route (for example, a better rank than its parent nodes). This causes the adjacent nodes to change their parent and modify their routing tables, so the sinkhole node becomes the parent and all nearby traffic is routed through it.
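Several of the volume-based attacks above (NTP, SSDP, SNMP and Fraggle) share one signature at the victim: UDP traffic arriving from well-known service source ports, from many reflectors at once, in unusually large packets. The following Python detector, an added example that is not from the surveyed paper or any cited work, flags that signature in flow records. The record layout, the reflector port list, the thresholds and the sample flows are constructed assumptions, not those of any real collector.

```python
"""Flow-level detector for UDP reflection/amplification floods.

Added example with constructed flow records; the CSV layout, the
reflector port list and the thresholds are assumptions.
"""
from collections import defaultdict

# UDP source ports from which reflected traffic typically arrives (assumed list).
REFLECTOR_PORTS = {53: "DNS", 123: "NTP", 161: "SNMP", 1900: "SSDP",
                   19: "chargen", 7: "echo"}


def parse_flow(line):
    """Parse 'src_ip,src_port,dst_ip,dst_port,proto,packets,bytes'."""
    src, sport, dst, dport, proto, packets, nbytes = line.strip().split(",")
    return {"src": src, "sport": int(sport), "dst": dst, "dport": int(dport),
            "proto": proto, "packets": int(packets), "bytes": int(nbytes)}


def detect_reflection(flows, min_reflectors=3, min_bytes_per_pkt=400):
    """Group inbound UDP flows by (victim, service port); alert when many
    distinct reflectors send large packets to the same destination."""
    groups = defaultdict(lambda: {"sources": set(), "packets": 0, "bytes": 0})
    for f in flows:
        if f["proto"] != "UDP" or f["sport"] not in REFLECTOR_PORTS:
            continue
        g = groups[(f["dst"], f["sport"])]
        g["sources"].add(f["src"])
        g["packets"] += f["packets"]
        g["bytes"] += f["bytes"]

    alerts = []
    for (dst, sport), g in groups.items():
        bytes_per_pkt = g["bytes"] / g["packets"]
        if len(g["sources"]) >= min_reflectors and bytes_per_pkt >= min_bytes_per_pkt:
            alerts.append({"victim": dst, "service": REFLECTOR_PORTS[sport],
                           "reflectors": len(g["sources"]),
                           "bytes_per_packet": round(bytes_per_pkt)})
    return sorted(alerts, key=lambda a: (a["victim"], a["service"]))


# Constructed flow records (not a real capture): NTP monlist-sized replies
# and DNS responses from several reflectors to 192.0.2.10, plus ordinary
# single-server NTP/DNS answers to 10.0.0.8 and a two-source SSDP trickle.
SAMPLE_FLOWS = """\
203.0.113.1,123,192.0.2.10,50000,UDP,100,48200
203.0.113.2,123,192.0.2.10,50000,UDP,100,48200
203.0.113.3,123,192.0.2.10,50000,UDP,100,48200
203.0.113.4,123,192.0.2.10,50000,UDP,100,48200
203.0.113.5,123,192.0.2.10,50000,UDP,100,48200
198.51.100.20,53,192.0.2.10,33000,UDP,50,150000
198.51.100.21,53,192.0.2.10,33000,UDP,50,150000
198.51.100.22,53,192.0.2.10,33000,UDP,50,150000
198.51.100.23,53,192.0.2.10,33000,UDP,50,150000
198.51.100.1,123,10.0.0.8,123,UDP,2,180
198.51.100.9,53,10.0.0.8,41000,UDP,10,1200
203.0.113.30,1900,192.0.2.11,1900,UDP,20,8000
203.0.113.31,1900,192.0.2.11,1900,UDP,20,8000
10.0.0.8,443,192.0.2.10,51000,TCP,30,9000
"""


def analyze(text, **thresholds):
    flows = [parse_flow(l) for l in text.splitlines() if l.strip()]
    return detect_reflection(flows, **thresholds)


if __name__ == "__main__":
    for alert in analyze(SAMPLE_FLOWS):
        print(alert)
```

The detector only sees the reflected half of the attack: the spoofed requests go to the reflectors, not to the victim, so the amplification factor itself is not observable here. The distinct-reflector count is what separates an attack from a single chatty NTP or DNS server, which is why the two-source SSDP group is not flagged at the default thresholds.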

2.4.3 Application-layer attacks

In the case of application-layer attacks, the application or web server is overwhelmed with false requests, leading to denial of access for legitimate requests. Attackers generally perform this type of DDoS attack by flooding the victim system or application with numerous HTTP requests (GET/POST). The magnitude of this attack is measured in requests per second (RPS) [108]. Application-layer attacks are broadly categorized into protocol-based and volume-based attacks. Further, volume-based attacks can be sub-categorized into low-rate and high-rate attacks.

The most popular volume-based application-layer attacks are presented in the following:

  1. Slowloris attack: Slowloris is a variant of HTTP traffic-based DDoS attacks. It is a low-rate attack that opens numerous HTTP connections to the target web server and then sends partial HTTP request headers at regular intervals to keep each connection open indefinitely. The resources of the target system are gradually consumed until they are completely exhausted, after which the server discards all legitimate requests. It is challenging to protect the target system from this type of attack [109].

  2. RUDY attack: The R.U.D.Y. (R-U-Dead-Yet?) attack is a well-known denial-of-service attack. Like Slowloris it is a slow-rate attack: it announces a long form submission (an HTTP POST with a large Content-Length) and then delivers the body at a very slow rate to tie up the web server. It is also known as a "low and slow" attack since it uses a small number of long-lived requests instead of overloading a server with many instantaneous requests. Attackers open a limited number of sessions to the targeted server or website and keep them open as long as possible, eventually exhausting all of its connections [110].

  3. HTTP flood: HTTP flood attacks are the most commonly used DDoS attacks at the application layer. Attackers build a massive network (i.e., a botnet) of compromised devices called bots. With this botnet, attackers overwhelm web server(s) with numerous seemingly legitimate HTTP requests and force the server to commit maximum resources to processing them [89].

  4. DNS flood: In this type of DDoS attack, the attackers exploit the functionality of the DNS. The DNS amplification variant is a volumetric DDoS attack that exploits open DNS resolvers by sending a large number of DNS lookup requests with the spoofed source IP of the victim. The resolvers process these requests and send their responses to the target system [111]. Typically, a small DNS request results in a much larger DNS response, so the attacker’s traffic is amplified.

  5. SIP flood: The goal of this attack is to bombard the SIP registrar (the SIP registration server) with spoofed requests. It exhausts all resources, including network bandwidth, processing capacity, and storage [112]. The attack potentially overwhelms the server, resulting in a service outage, so that it cannot provide uninterrupted service to legitimate users.

  6. Specially crafted packets: Attackers employing specially crafted packets exploit poorly developed websites, vulnerable web applications, or improper binding with databases to bring servers offline. They craft requests that trigger expensive or locking database queries. These attacks are particularly effective since they consume extensive resources of the target server, and a single attacker typically launches them. An instance of a specially crafted DoS attack is MS13-039.
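Slowloris and RUDY above succeed because a server keeps a connection slot open for as long as bytes keep trickling in. The following Python policy is an added example, not code from the surveyed paper or from any web server; it shows the two checks a server or reverse proxy applies against these attacks: a deadline for completing the request headers and a minimum body transfer rate once a Content-Length has been announced. The timeouts, the slot count and the connection records are constructed assumptions.

```python
"""Connection-slot policy against low-and-slow HTTP attacks.

Added example; timeouts, slot count and connection records are assumed.
"""

HEADER_TIMEOUT = 20.0   # seconds allowed to finish the request headers
MIN_BODY_RATE = 500.0   # bytes/second expected once a body is announced
MAX_SLOTS = 5           # connection slots the server can hold


def close_reason(conn, now):
    """Return why a connection should be closed, or None to keep it."""
    if not conn["header_complete"]:
        # Slowloris: headers never finish, one partial line at a time
        return "header-timeout" if now - conn["opened"] > HEADER_TIMEOUT else None
    remaining = conn["content_length"] - conn["body_received"]
    if remaining > 0:
        # RUDY: huge Content-Length, body delivered a byte at a time
        elapsed = max(now - conn["header_done_at"], 1e-9)
        if conn["body_received"] / elapsed < MIN_BODY_RATE:
            return "slow-body"
    return None


def apply_policy(conns, now):
    """Split connections into kept ids and (id, reason) pairs to close."""
    kept, closed = [], []
    for c in conns:
        reason = close_reason(c, now)
        if reason:
            closed.append((c["id"], reason))
        else:
            kept.append(c["id"])
    return kept, closed


def free_slots(conns, now, max_slots=MAX_SLOTS):
    kept, _ = apply_policy(conns, now)
    return max_slots - len(kept)


def conn(cid, opened, header_complete, header_done_at=None,
         content_length=0, body_received=0):
    return {"id": cid, "opened": opened, "header_complete": header_complete,
            "header_done_at": header_done_at, "content_length": content_length,
            "body_received": body_received}


# Constructed snapshot of the server's connection table at t = 60 s.
NOW = 60.0
SAMPLE_CONNS = [
    conn("slowloris-1", opened=0.0, header_complete=False),          # 60 s, no headers
    conn("slowloris-2", opened=50.0, header_complete=False),         # only 10 s old
    conn("rudy-1", opened=0.0, header_complete=True, header_done_at=5.0,
         content_length=1_000_000, body_received=55),                 # ~1 B/s
    conn("upload-1", opened=25.0, header_complete=True, header_done_at=30.0,
         content_length=100_000, body_received=60_000),               # 2 kB/s
    conn("done-1", opened=58.0, header_complete=True, header_done_at=59.0),
]


if __name__ == "__main__":
    kept, closed = apply_policy(SAMPLE_CONNS, NOW)
    print("kept:", kept)
    print("closed:", closed)
    print("free slots:", free_slots(SAMPLE_CONNS, NOW))
```

Without the policy all five slots are occupied and new clients are refused; with it, the stalled Slowloris connection and the one-byte-per-second RUDY upload are closed and two slots are freed, while the genuine 2 kB/s upload and the fresh connection survive. The second Slowloris connection is kept only because it is still inside the header deadline; re-evaluating the same snapshot at t = 80 s closes it too.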

Sometimes, attackers exploit vulnerabilities in application-layer protocols, exhausting the CPU and memory resources of the victim system or application. The most common protocol-based application-layer attacks are presented in the following:

  1. APDoS attack: Advanced Persistent DoS (APDoS) is a threat posed by attackers who aim to inflict maximum damage on the target system or application. It combines the most powerful features of state-of-the-art attacks with multivector approaches that target each component of the application layer. It is a threat that extends beyond simple flooding attacks.

  2. Misused application attack: Instead of using bots to overwhelm the victim server, the attacker redirects the traffic of heavily loaded applications, such as peer-to-peer (P2P) network services, from legitimate clients to the target server. The server goes down under the immense processing load of numerous requests from many legitimate users.

  3. Cross-site scripting: When a user is connected to a trusted website through a browser, a cross-site scripting attack can execute arbitrary script in their browser. This attack uses the user’s browser as the conveyance: the browser cannot tell that the injected script is malicious, because it appears to come from the trusted website, and executes it. The security zones in Internet Explorer do not protect against this. Therefore, the user’s authentication cookies stored on the local computer are usually accessible to the malicious code.

3 Review methodology

The primary objective of this study is to provide a comprehensive study of IoT traffic-based DDoS attacks, a characterization of various IoT traffic-based datasets, and a critical analysis of the existing detection approaches, their challenges, and feasible solutions. To achieve this:

  1. We adopted a systematic literature review methodology to conduct this comprehensive review. It analyzes recent research and future trends related to IoT security by examining the most significant and recent publications from 2020 to 2022.

  2. We explore various ML- and DL-based attack detection approaches used in the literature for classifying network traces into benign and malicious traffic patterns.

There have been several surveys in the domain of IoT security that have covered different aspects. However, most existing surveys were neither systematically carried out nor centered on ML- and DL-based techniques. Therefore, this systematic literature review mainly focuses on critically analyzing the existing approaches to protect Internet services from distributed and wide-scale IoT traffic-based attacks.

3.1 Search strategy

Applying an appropriate search strategy is the initial stage of the systematic review process, and finding relevant studies that match the research topic is a highly critical step. Therefore, a comprehensive group of databases has been compiled to extract the relevant literature.

We have searched the following digital libraries for this research work: ACM Digital Library, ScienceDirect, IEEE Xplore, Wiley, Springer, and Google Scholar.

Fig. 9 A research selection process for systematic literature review

Further, we performed a pilot study to iteratively refine the search string so that it retrieves articles related to IoT security or large-scale DDoS attacks from the digital databases. The following search query was used for all digital library collections, with minor modifications: "IoT traffic-based DDoS attacks" or "DDoS attacks in IoT networks". The number of results obtained from the databases was then refined by the selection process demonstrated in Fig. 9.

3.2 Research selection process

This paper presents a systematic approach to the comprehensive literature review that identifies specific criteria for filtering out research articles that do not fulfill our research goal. As a result, we obtain a smaller set of more focused and recently published research articles on IoT and ML- or DL-based techniques to detect large-scale IoT traffic-based DDoS attacks. A detailed description of the research selection process is as follows:

  • The process begins with collecting research articles based on the keywords seen in the titles or abstracts of the articles in search engines.

  • In the initial screening, articles are filtered based on the inclusion and exclusion criteria described in Sects. 3.2.1 and 3.2.2.

  • At the first filtration level, we exclude articles unrelated to IoT security by simply reading the titles.

  • The second filtration level is to filter out articles unrelated to the IoT traffic-based DDoS attacks by reading the abstract.

  • During the third stage, we read the full text of the articles and removed those that had no relevance to ML/DL-based approaches for detecting IoT traffic-based DDoS attacks.

3.2.1 Inclusion criteria

  • Articles that provide IoT security solutions: preventing IoT systems from DDoS attacks.

  • Research papers that focus on ML/DL-based approaches for analyzing IoT network traffic to recognize large-scale DDoS attacks.

  • Scholarly publications suitable for subjective analysis, i.e., those that report their methods, outcomes, or datasets.

  • Research studies that contribute to the objectives of this review article.

  • Research that extends previous related work.

  • The papers were published from 2020 to 2022.

3.2.2 Exclusion criteria

  • Document type: Unpublished, review articles, book chapters, grey literature, editorials, meta-analysis, software documentary, keynote, tutorial.

  • Language: Full text in other than English.

  • Availability: Inability to access the full article.

  • Studies whose methods or datasets are inappropriate for subjective analysis or unrelated to the research topic.

  • Studies whose results and conclusions are irrelevant or do not fit the scope of this review.

  • Duplicate research articles.

Table 6 Relevant fields for data extraction

3.3 Data extraction

After completing the stringent selection process described in the section above, a refined set of articles remained for further analysis. Data extraction from the selected research papers needs in-depth analysis, identification, and gathering of essential information. We assembled the critical and valuable data from each study into a pre-designed format consisting of the following fields: key references, attack detection methods, ML/DL algorithms, datasets, nature of the dataset (imbalanced/balanced), experimental setup, number of attack classes or features, pre-processing techniques, feature selection methods, results (accuracy), limitations, and observations. The fields are listed in Table 6.

4 Review of existing approaches to detect IoT traffic-based DDoS attacks

Several researchers have proposed IoT traffic-based DDoS attack detection approaches in the literature. However, traditional systems have failed to provide a complete solution for protecting Internet-based services and IoT networks from large-scale IoT traffic-based DDoS attacks, and the widespread integration of IoT devices with minimal security features in every sector increases the frequency of DDoS attack incidents. Several researchers have therefore proposed ML- and DL-based detection approaches, which at least provide higher-accuracy solutions against DDoS attacks than traditional ones. In this section, we systematically analyze the existing detection approaches, dividing the section into two subsections: ML- and DL-based solutions to detect IoT traffic-based DDoS attacks.

4.1 Review of ML technique-based methods to detect IoT traffic-based DDoS attacks

ML-based approaches strengthen the security of Internet-based services and IoT networks against different types of cyberattacks by embedding intelligence. Various ML algorithms are employed to design detection models for identifying different types of attacks. Several ML-based detection approaches are available in the literature, and we systematically examine them in the following:

Soe et al. [113] proposed an IoT botnet attack detection approach using a sequential attack detection framework. They employed three ML algorithms, the J48 decision tree, Naive Bayes, and an ANN classifier, and claimed 99% classification accuracy. The approach was designed using the N-BaIoT dataset. The system consists of two phases, "Model Builder" and "Attack Detector". The first phase performs data collection, data organization, model training, and feature selection; the second analyzes incoming traffic and determines whether it is normal or attack traffic. The primary purpose of this approach is to classify network traces into two classes, legitimate and attack, so it cannot distinguish different categories of DDoS attacks.

Lawal et al. [114] proposed a DDoS attack mitigation framework in fog computing for detecting attacks more accurately. They utilized three ML techniques, DT, NB, and KNN, and classified network traces into two classes: legitimate and attack. The system was designed using the CICDDoS 2019 dataset. The authors claimed that the KNN classifier delivers a higher classification accuracy (99.9%) than the others. However, the proposed system does not address IoT traffic-based DDoS attack flows against Internet-based systems.

Shafiq et al. [115] proposed a novel framework with a practical feature selection approach named CorrAUC, designed specifically to identify anomalies and malicious traffic in IoT networks. They used the AUC metric and the Pearson correlation between each feature and the class label to estimate each feature’s significance, chose the five best features by these methods, and designed ML-based models using them. The authors evaluated four ML approaches on the Bot-IoT dataset, DT, SVM, RF, and NB, and claimed that the DT-based model gives better classification accuracy (approximately 99%) than the other methods. The primary focus of this approach is to protect the victim from DoS attacks; it does not provide a better solution against large-scale DDoS attacks.

Doshi et al. [116] proposed an IoT traffic-based DDoS detection approach for identifying large-scale IoT traffic-driven DDoS attacks. First, they create the feature vector by dividing network features into stateless and stateful features. Stateless features are taken from packet header fields, such as packet size and protocol; stateful features aggregate flow information, such as bandwidth, source IP, and destination IP. Second, these features are fed to different machine learning techniques (LSVM, KNN, DT, RF, NN) to build the detection model. They claimed that this system efficiently classifies incoming traffic into legitimate and attack traffic with 99% accuracy. However, the results may be biased towards the majority class because the system was designed using an unbalanced dataset. Moreover, powerful botnets like Mirai frequently mutate, making them difficult to identify.
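The stateless/stateful split used by Doshi et al. is the feature-engineering step that most IoT DDoS detectors depend on. The following Python code is an added example, not the authors’ implementation: it derives per-packet stateless features and per-source, per-window stateful features from constructed packet records, and applies a simple threshold rule in place of a trained classifier. The window length, the rule thresholds and the packet records are assumptions.

```python
"""Stateless and stateful traffic features for IoT DDoS detection.

Added example with constructed packets; window size, thresholds and the
rule-based labeller are assumptions and stand in for a trained model.
"""
from collections import defaultdict
from statistics import mean

WINDOW = 10.0                         # seconds per aggregation window (assumed)
PROTO_ID = {"ICMP": 1, "TCP": 6, "UDP": 17}


def stateless_features(p):
    """Header-only features: need no memory of earlier packets."""
    return {"size": p["size"], "proto": PROTO_ID[p["proto"]], "dport": p["dport"]}


def stateful_features(packets, window=WINDOW):
    """Per-source aggregates over fixed windows of `window` seconds."""
    buckets = defaultdict(list)
    for p in packets:
        buckets[(p["src"], int(p["ts"] // window))].append(p)
    feats = {}
    for key, pk in buckets.items():
        sizes = [p["size"] for p in pk]
        feats[key] = {
            "pkts": len(pk),
            "bandwidth_bps": sum(sizes) * 8 / window,
            "mean_size": mean(sizes),
            "dst_cardinality": len({p["dst"] for p in pk}),
            "dport_cardinality": len({p["dport"] for p in pk}),
            "udp_ratio": sum(p["proto"] == "UDP" for p in pk) / len(pk),
        }
    return feats


def label(f, max_pkts=20, max_mean_size=100, max_dsts=5):
    """Threshold rule standing in for the classifier: many tiny packets
    sprayed at many destinations from one source looks like a flood."""
    flood = (f["pkts"] > max_pkts and f["mean_size"] < max_mean_size
             and f["dst_cardinality"] > max_dsts)
    return "attack" if flood else "legitimate"


def make_packet(ts, src, dst, proto, dport, size):
    return {"ts": ts, "src": src, "dst": dst, "proto": proto,
            "dport": dport, "size": size}


# Constructed traffic: a camera streaming to one cloud endpoint, and a
# bot spraying 60-byte UDP packets at 20 targets within the same window.
SAMPLE_PACKETS = (
    [make_packet(0.5 * i, "10.0.0.5", "198.51.100.7", "TCP", 443, 1200)
     for i in range(5)]
    + [make_packet(0.1 * i, "10.0.0.9", f"192.0.2.{i % 20}", "UDP", 1000 + i, 60)
       for i in range(40)]
)


def classify(packets, window=WINDOW):
    return {src: label(f) for (src, _), f in stateful_features(packets, window).items()}


if __name__ == "__main__":
    for key, f in stateful_features(SAMPLE_PACKETS).items():
        print(key, f)
    print(classify(SAMPLE_PACKETS))
```

Note that in this constructed sample the camera uses more bandwidth than the bot: bandwidth alone would not separate them, whereas packet count, mean size and destination cardinality together do, which is the reason the stateful features are worth the per-source state they require.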

Churcher et al. [117] employed different ML techniques, KNN, SVM, DT, NB, RF, ANN, and LR, to implement their detection approach, which was designed using the realistic Bot-IoT dataset. They used 1.5 million records to test the performance of the system; the KNN-based approach performed best, with a classification accuracy of 99%. However, the system was designed using unbalanced data and may produce inaccurate results in a real-world scenario. Further, this approach cannot distinguish between flash-event and DDoS attack traffic flows. In Tables 7 and 8, we systematically characterize and summarize the recent ML-based approaches based on various parameters: attack detection methodology, the dataset used, attack classes, experimental setup, number of features utilized, feature selection methods, and feature engineering strategies.

Table 7 Summary of recent ML-based attack detection approaches, their feature selection and feature engineering strategies
Table 8 Summary of recent ML-based attack detection approaches with their attack detection methodology, the dataset used, experimental setup, classes of attacks classified, and the number of features utilized

4.2 Review of DL technique-based methods to detect IoT traffic-based DDoS attacks

Nowadays, deep learning techniques are widely employed to solve various critical problems. Models are trained on large amounts of prepared data and predict outputs based on the patterns they have learned. In the case of DDoS attacks, the models are responsible for distinguishing legitimate traffic, different types of attacks, and flash events by analyzing incoming network flows. DL-based approaches offer high-accuracy solutions, so several researchers have proposed DL-based detection approaches for protecting the IoT environment against large-scale cyberattacks; this type of approach helps to improve the precision of the model. In this section, we characterize the existing DL-based detection approaches, presented in the following:

Larriva et al. [140] proposed a DL-based IDS approach for protecting IoT networks. They used three datasets to create their models, UNSW-NB15, UGR16, and NSL-KDD, applying z-score, min-max, and other pre-processing schemes to these datasets with predefined classes. They employed an MLPClassifier to classify network flows. The classification accuracy of this system is 99.7%+, 99.2%+, and 99.3%+ for NSL-KDD, UNSW-NB15, and UGR16, respectively. However, a comparative analysis of the proposed system’s performance w.r.t. attack types is not presented, and the approach cannot distinguish between flash-event and DDoS attack traffic flows.

Popoola et al. [141] proposed a DL-based approach for detecting botnet attacks in IoT networks. They used the highly imbalanced Bot-IoT dataset to develop this approach; therefore, the Synthetic Minority Oversampling Technique (SMOTE) is employed to balance the asymmetric network traffic data in Bot-IoT and to reduce overfitting or underfitting. After normalizing the data, they implemented a DRNN model. The proposed models efficiently classify the majority classes (DD_T, DD_U, D_T, D_U, OSF, and SS). However, no feature selection technique was employed while designing this approach, so all features must be collected for every flow, which takes more time and can itself become a bottleneck during a large-scale attack.

Table 9 Summary of recent DL-based attack detection approaches, their feature selection and feature engineering strategies

Hezam et al. [153] proposed a DDoS botnet attack detection approach that combines BiLSTM and CNN models, targeting the most destructive Mirai and BASHLITE botnet-based DDoS attacks. The approach consists of two parts: (i) a CNN for pre-processing and feature optimization, and (ii) a BiLSTM for detecting DDoS botnets in the network. It is validated using the realistic N-BaIoT dataset, which comprises attack traffic from nine infected IoT devices. Four DL-based models (CNN, RNN, LSTM-RNN, and BiLSTM-CNN) were evaluated using tenfold cross-validation, and the BiLSTM-CNN model performed best. However, the BiLSTM-CNN model uses the full feature set to detect botnet attacks, and its accuracy is not sufficient to deal with today’s highly frequent and complex cyberattacks.

Koroniotis et al. [154] proposed a DL-based attack detection technique. The authors designed three ML/DL-based detection models with LSTM, SVM, and RNN algorithms using the Bot-IoT dataset (a synthetic dataset created as part of the same research). To implement these models, the top 10 features were extracted from the dataset using two statistical techniques: correlation coefficient and joint entropy. However, they did not evaluate the adversarial robustness of these DL-based models. Further, the primary focus of this approach is to classify network traces into two classes, attack and legitimate, so it cannot distinguish between different DDoS attacks.

Kim et al. [155] proposed a deep neural network (DNN)-based approach for protecting networks from a broad range of security threats, designed using the KDD-1999 dataset. In the proposed method, two variables are employed for intrusion detection; the DNN consists of four hidden layers with 100 neurons in each hidden layer. They used the ReLU activation function combined with stochastic gradient descent (SGD) optimization. The authors claimed that the proposed model classifies network traffic with 99% accuracy. However, the proposed approach does not address large-scale DDoS attacks against the victim’s system.

Feng et al. [156] proposed a DL-based model to classify different security threats and DoS attacks. They employed both CNN and LSTM models as classifiers to identify XSS and SQL injection threats. The approach was designed using the well-known KDD-CUP 99 dataset, with the collected sample data divided into 70% for training and 30% for testing. The approach detects XSS attacks through DNN and CNN with 57% and 78% accuracy, respectively. However, it primarily focuses on protecting Internet-based services from DoS attacks and cannot identify large-scale DDoS attacks.

In Tables 9 and 10, we systematically characterize and summarize the recent DL-based approaches using various parameters: attack detection methodology, the dataset used, attack classes, experimental setup, number of features utilized, feature selection methods, and feature engineering strategies.

Table 10 Summary of recent DL-based attack detection approaches with their attack detection methodology, the dataset used, experimental setup, classes of attacks classified, and the number of features utilized

4.3 A detailed review of publicly available datasets

Solving critical problems with artificial intelligence (ML and DL techniques) depends heavily on high-quality data: the number of records, the accuracy of the data, the selection of the best features, class balance, etc. When models are designed using asymmetric or inappropriate (non-IoT-specific) datasets, they may perform well during the training/testing phase yet fail to provide good accuracy in a real-time environment. A comprehensive benchmark dataset helps to develop robust DL/ML-based classification models [167,168,169,170,171,172,173,174,175]. Therefore, we summarize various well-known and publicly available datasets in this section and systematically characterize them using different parameters in Table 11.

Table 11 Detailed analysis of various datasets used to detect DDoS attacks on IoT platforms
  • The IoTID20 [176] dataset is primarily employed to design IDS approaches. In this dataset, two smart devices are connected to a Wi-Fi router in order to simulate modern cyberattacks. It includes 83 network traffic-related features, along with three additional label features: binary, category, and subcategory. It captures four attack categories, DoS, Mirai, scan, and MITM, plus legitimate traffic, in 625,783 traces.

  • ToN IoT [177] presents an innovative set of datasets for evaluating the effectiveness and reliability of various cybersecurity applications using Artificial Intelligence (AI). These datasets are referred to as ToN IoT due to the heterogeneity of the data collected from IoT and IIoT sensors’ telemetry data, different operating systems’ data, and IoT network traffic records.

  • IoT-23 [145] is a recently published IoT network traffic dataset. It incorporates 20 malware captures and three benign captures recorded during 2018–19, and assembles a massive number of real, labeled (malicious and benign) flows captured from real IoT devices. The main objective of this dataset is to provide a basis for developing ML-based intrusion detection mechanisms.

  • MQTT-IoT-IDS2020 [178] is primarily used to develop IDS mechanisms for detecting MQTT-based attacks. Message Queuing Telemetry Transport (MQTT) is a well-known IoT machine-to-machine communication protocol. The dataset is generated from a simulated MQTT network architecture that includes 12 sensors, a broker, a simulated camera, and an attacker. Five scenarios are captured: "normal operation", "aggressive scanning", "UDP scanning", "Sparta SSH brute force", and "MQTT brute force". It helps to differentiate between legitimate and malicious MQTT traffic.

  • The MedBIoT [179] dataset is generated on a testbed: a medium-sized network with 83 IoT devices (real and emulated). It is a labeled dataset that contains both legitimate IoT traffic and malicious traffic collected from botnets. Three well-known botnets, Mirai, BashLite, and Torii, were deployed together with their C&C servers.

  • The IoTNID [180] dataset includes 42 PCAPs with raw network packets recorded at different periods. These PCAPs contain 825,000 network flows, each instance consisting of seven features. The dataset has five major categories and eleven subcategories; among the five major categories, one class is legitimate traffic, while the other four relate to cyberattacks.

  • The CICDDoS2019 [181] dataset contains legitimate traffic and different DDoS attack flows, collected in a real testbed environment over two days. On the first day, seven different types of attacks were conducted, and on the second day, twelve. The dataset is freely accessible to the research community in two formats: unlabeled PCAP and labeled CSV with 87 features.

  • The realistic Bot-IoT [154] dataset comprises legitimate and simulated IoT network traffic with several attack types. It provides complete packet captures, suitable labels, and approximately 72 million records. The source files are publicly available in two formats, PCAP (69.3 GB) and CSV (16.7 GB), and contain eleven target classes and 46 features.

  • N-BaIoT [182] comprises real IoT traffic data generated from nine commercial IoT devices. To collect the instances of this dataset, two botnets, Mirai and BASHLITE, were employed. The malicious flows are broadly categorized into two types, which are further sub-categorized into ten attack types, alongside one benign class. This dataset is highly imbalanced because the number of benign instances is minimal compared to malicious ones.

  • The DS2oS [157] dataset includes application-layer DDoS attacks collected from an IoT environment. In addition, it includes IoT middleware containing the data and services of intelligent spaces. This dataset consists of 347,935 network flows with 13 different features, categorized into eight classes: Normal, Scan, DDoS, Malicious control, Malicious operation, Scan wrong setup, Spying, and Data type probing.

  • The CICIDS2017 [183] dataset includes legitimate traffic and different cyberattacks. Each network flow is labeled as benign or as one of 14 different attack types. The CSV version of this dataset comprises 2,830,743 network flows divided into eight files. Each network flow instance consists of 79 features.

  • The UNSW-NB15 [184] dataset includes 49 features and ten target classes, including benign. Several researchers utilize this dataset to develop protection mechanisms for devices and networks against malicious attacks. This dataset was created in a synthetic environment by performing simulated attacks. It comprises roughly one hour of anonymized network flows of different DDoS attacks.

4.4 Performance evaluation metrics

In this section, we present key standard performance metrics commonly employed to validate the effectiveness of cyberattack detection mechanisms. The widely used performance metrics include Accuracy, Precision, True positive rate, False positive rate, False negative rate, True negative rate, and F-measure. Furthermore, we present some additional metrics, such as Geometric Mean (G-mean), and Matthews Correlation Coefficient (MCC), which are used in contemporary works.

4.4.1 Confusion matrix

The confusion matrix (CM) isn’t an explicit performance metric in itself. However, it serves as a tool for determining the correctness of any classification model, and its parameters are used to calculate nearly all performance measures. It is shown in Fig. 10. In the confusion matrix, false positives (Type I) and false negatives (Type II) are the two types of errors; to improve the model’s performance, we need to reduce both.

Fig. 10: A confusion matrix

4.4.2 Geometric mean (G-mean)

It offers a balanced assessment, particularly in situations with class imbalance, providing a single measure of overall classification effectiveness. The formula for G-mean is:

$$\begin{aligned} \text{G-mean} = \sqrt{\frac{True\_Pos}{(True\_Pos \; + \; False\_Neg)} * \frac{True\_Neg}{(False\_Pos \; + \; True\_Neg)} } \end{aligned}$$

4.4.3 Matthews correlation coefficient (MCC)

It is beneficial for evaluating classification models on imbalanced datasets, providing a comprehensive assessment of their overall performance. The formula for MCC considers all four outcomes of binary classification: true positives (True_Pos), true negatives (True_Neg), false positives (False_Pos), and false negatives (False_Neg).

$$\begin{aligned} MCC =\,\frac{True\_Pos \; * \;True\_Neg\; - \;False\_Pos \;* \;False\_Neg}{ \sqrt{ (True\_Pos \; + \; False\_Pos) (True\_Pos \; + \; False\_Neg) (True\_Neg \; + \; False\_Pos) (True\_Neg \; + \; False\_Neg)}} \end{aligned}$$

4.4.4 Accuracy (Acc)

$$\begin{aligned} Acc=\,\frac{True\_Pos \; + \; True\_Neg}{(True\_Pos \; + \; False\_Pos \;+ \; True\_Neg \; + \; False\_Neg)} \end{aligned}$$

4.4.5 Precision (\(P_{r}\))

$$\begin{aligned} P_{r}=\frac{True\_Pos}{(True\_Pos \; + \; False\_Pos)} \end{aligned}$$

4.4.6 True positive rate (\(TP_{r}\))

$$\begin{aligned} TP_{r}=\frac{True\_Pos}{(True\_Pos \; + \; False\_Neg)} \end{aligned}$$

4.4.7 False positive rate (\(FP_{r}\))

$$\begin{aligned} FP_{r}=\frac{False\_Pos}{(True\_Neg \; + \; False\_Pos)} \end{aligned}$$

4.4.8 False negative rate (\(FN_{r}\))

$$\begin{aligned} FN_{r}=\frac{False\_Neg}{(True\_Pos \; + \; False\_Neg)} \end{aligned}$$

4.4.9 True negative rate (\(TN_{r}\))

$$\begin{aligned} TN_{r}=\frac{True\_Neg}{(False\_Pos \; + \; True\_Neg)} \end{aligned}$$

4.4.10 F-measure (\(F_{m}\))

$$\begin{aligned} F_{m}= 2*\frac{P_{r} \; * \; TP_{r}}{P_{r} \; + \; TP_{r}} \end{aligned}$$
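The following added example (not part of the paper) computes the Fig. 10 confusion matrix and every metric of Sects. 4.4.2 to 4.4.10 from per-flow labels, then applies them to a constructed, imbalanced sample of 100 flows (5 attacks) to show why Accuracy alone misleads while G-mean and MCC expose a detector that never flags an attack. All labels and the two detector outputs are constructed for illustration.

```python
"""Confusion-matrix metrics of Sect. 4.4 on a constructed, imbalanced flow sample."""
from math import sqrt


def confusion_matrix(y_true, y_pred, positive="attack"):
    """Fig. 10 counts: 'attack' is the positive class, 'benign' the negative."""
    pairs = list(zip(y_true, y_pred))
    return {
        "True_Pos": sum(t == positive and p == positive for t, p in pairs),
        "True_Neg": sum(t != positive and p != positive for t, p in pairs),
        "False_Pos": sum(t != positive and p == positive for t, p in pairs),
        "False_Neg": sum(t == positive and p != positive for t, p in pairs),
    }


def metrics(cm):
    """Formulas of Sects. 4.4.2-4.4.10; a zero denominator yields 0.0."""
    tp, tn = cm["True_Pos"], cm["True_Neg"]
    fp, fn = cm["False_Pos"], cm["False_Neg"]
    div = lambda a, b: a / b if b else 0.0  # noqa: E731
    pr, tpr, tnr = div(tp, tp + fp), div(tp, tp + fn), div(tn, fp + tn)
    mcc_denom = sqrt((tp + fp) * (tp + fn) * (tn + fp) * (tn + fn))
    return {
        "Acc": div(tp + tn, tp + fp + tn + fn),
        "Pr": pr, "TPr": tpr, "FPr": div(fp, tn + fp),
        "FNr": div(fn, tp + fn), "TNr": tnr,
        "Fm": div(2 * pr * tpr, pr + tpr),
        "G-mean": sqrt(tpr * tnr),
        "MCC": div(tp * tn - fp * fn, mcc_denom),
    }


# Constructed ground truth: 95 benign flows followed by 5 attack flows.
Y_TRUE = ["benign"] * 95 + ["attack"] * 5
# Constructed detector A: labels every flow benign (Acc 0.95, G-mean 0, MCC 0).
PRED_ALWAYS_BENIGN = ["benign"] * 100
# Constructed detector B: 3 benign flows flagged, 4 of the 5 attacks caught.
PRED_DETECTOR = ["attack"] * 3 + ["benign"] * 92 + ["attack"] * 4 + ["benign"]


def evaluate(y_pred):
    """Return all Sect. 4.4 metrics of a prediction against Y_TRUE."""
    return metrics(confusion_matrix(Y_TRUE, y_pred))


if __name__ == "__main__":
    for name, pred in (("always-benign", PRED_ALWAYS_BENIGN), ("detector", PRED_DETECTOR)):
        print(name, {k: round(v, 3) for k, v in evaluate(pred).items()})
```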

5 Open research issues and potential solutions

For the IoT domain to continue its rapid growth, there are still some security issues that need to be resolved. As a result of the widespread usage and heterogeneous nature of IoT devices, a single solution is not viable. Therefore, in recent years, several researchers have extensively examined various security mechanisms that address multiple issues related to securing IoT devices. This section presents open issues, significant gaps, and possible solutions that ensure IoT devices’ security and prevent them from being exploited to launch large-scale attacks against online infrastructure.

  1. Robust IDS mechanism: Sometimes, the proposed IDS mechanism itself becomes the victim of an attack while examining the massive volume of network traces [40, 187]. Further, state-of-the-art attacks have grown more sophisticated, and attack magnitudes have shifted from Gbps to Tbps because millions of non-secure devices are connected across the globe. Proposed solution: Incremental learning needs to be employed while designing a robust attack detection approach. Data changes continuously in real-world scenarios, and the data used for model design differs substantially from real-world samples. Incremental learning therefore helps to constantly re-train detection models on real-world traffic, making the deployed model more robust and efficient.

  2. Inadequacy of IoT-specific/comprehensive datasets: IoT devices differ from conventional systems in that they have unique characteristics. Therefore, designing IDS/DDoS detection models for them requires additional attributes. It is essential to design ML and DL-based detection models on an IoT-specific dataset with comprehensive and contemporary attack traffic. Most of the detection mechanisms [127, 128, 130, 132,133,134, 138, 139] are designed and validated with non-IoT-specific or outdated datasets. These mechanisms fail to handle modern attacks once the model is deployed in today’s high-speed and high-volume public networks. Proposed solution: We have characterized several IoT traffic-based datasets in Table 10. Based on the use case, a suitable dataset must be selected for designing the proposed solution. Further, the dataset should contain all possible kinds of network traffic instances, such as low-rate DDoS, high-rate DDoS traffic, legitimate traffic, flash events, etc.

  3. Unavailability of balanced/preprocessed datasets: In our detailed analysis of state-of-the-art datasets, we found that most of them are unbalanced. ML and DL models [117, 135, 136, 147, 149, 153, 157,158,159,160,161,162,163,164, 166] trained with an unbalanced or inappropriate dataset may perform well during training but fail to analyze real-life traffic accurately. The performance of the detection model relies on the quality of the training samples. Proposed solution: The Synthetic Minority Over-sampling Technique (SMOTE), ensembles of datasets, and other dataset-balancing methods can be employed to address this problem. Moreover, different feature-engineering techniques can also be used to prepare a suitable dataset for ML and DL models to improve detection accuracy.

  4. Longer training time of detection model: Many defense mechanisms [188, 189] face the problem of long training times, which affects the model’s performance to the point that it sometimes becomes necessary to compromise the overall performance of the system in order to minimize the training time. The use of DL models is challenging due to the multiple hidden layers involved. Some DL models take a few weeks, or even several months, to train, increasing the burden and cost of model building and training. Proposed solution: Transfer learning is a method where a pre-trained model is reused for another problem of a similar category. Despite its extensive use in different artificial intelligence applications, this concept has not been explored much in cyberattack detection. When ML and DL methods are combined with transfer learning, they improve system performance and achieve better results with less training time.

  5. Validation in simulated environment: Researchers have designed and validated several defense mechanisms in a simulated or emulated environment, using simulated datasets for training and evaluating their detection models [125, 143, 144, 148, 150, 151, 162, 166]. However, these datasets do not reflect the actual behavior of real network traffic. As a result, the model performs well in the local environment but fails in the real-life environment. Proposed solution: The proposed model must be developed and validated in a realistic environment, and then deployed in the real network for comprehensive evaluation.

  6. Lack of detection models for zero-day attacks: ML-based detection models provide remarkable detection accuracy when the training and validation datasets share similar attributes or patterns. However, in reality, attackers typically use different techniques to launch attacks on victims’ systems. Therefore, ML-based detection models cannot recognize unseen or zero-day attacks accurately [190, 191]. Proposed solution: Models must be updated regularly to account for the latest attacks and those that are unknown at training time. Further, a dataset that contains unknown or zero-day attacks should be selected for training the detection models.

  7. Traffic analysis in real time: A large-scale attack, such as a DDoS attack, overwhelms the target system with numerous bogus requests in a very short time frame. Most detection models in the literature operate offline. They are unable to identify the patterns that separate benign traffic from malicious traffic and defend against these attacks in an automated way [188, 192]. For DDoS attack detection, the analysis of online streaming data hasn’t been explored much. Proposed solution: Simplify the analysis process and detect malicious traffic more quickly by reducing the number of network traffic features. Develop high-speed mechanisms that accelerate the traffic analysis process and defend against these attacks in an automated way.

  8. Single-point failure: Most DDoS attack detection approaches [113, 138, 141, 161, 193, 194] are deployed on a centralized architecture. In the event of extensive DDoS attacks, the centralized detection approach itself becomes a victim. Further, it fails to analyze large volumes of network traffic packets in real time. Therefore, these approaches cannot provide comprehensive protection against wide-scale DDoS attacks. Proposed solution: DDoS attack detection approaches must be deployed on a distributed architecture such as a Distributed Stream Processing Framework (DSPF). DSPFs, such as Apache Spark Streaming, Apache Kafka Streams, and Apache Storm, are adept at processing large-scale data in a distributed manner, making them valuable tools for analyzing massive network streams.

Practical implications: The reviewed DDoS attack detection approaches have significant and far-reaching implications across various IoT applications, safeguarding critical functionalities and ensuring the reliability of interconnected systems. To highlight the practical implications, we consider the following specific examples:

  • Case 1: e-Healthcare Systems: In scenarios where hospital IoT devices face a DDoS threat, the detection mechanisms quickly identify and counteract attacks, ensuring the seamless operation of life-critical medical devices. Hence, it guarantees uninterrupted patient care and averts potential life-threatening situations.

  • Case 2: Smart Industry: In Industrial IoT networks where DDoS attacks target manufacturing IoT devices, the detection methods ensure continuous production line operation by neutralizing the attacks. These methods play a crucial role in maintaining productivity and preventing potential economic losses.

  • Case 3: Smart City Infrastructure: A robust protection mechanism can effectively identify and mitigate attacks targeting the city’s IoT infrastructure. This safeguarding secures critical services like traffic management and public safety, ensuring uninterrupted city operations.

  • Case 4: Smart Home Networks: Generally, smart home systems are susceptible to DDoS attacks, and practical detection approaches effectively protect against such threats. As a result, it ensures users can continue enjoying automation and security without disruption.

6 Conclusion and future directions

IoT technology has incredible potential to shape a new modern world. It connects everything through the Internet, and we are just one click away from things across the globe. Along with these significant changes that make our day-to-day lives more convenient, it also brings several security problems. One of the most prominent security challenges is to protect Internet-based services from large-scale IoT traffic-based DDoS attacks. Therefore, several researchers have proposed IoT traffic-based DDoS attack detection approaches in the literature. Nevertheless, the frequency and magnitude of cyberattacks increase year after year.

In this article, we systematically (i) presented a comprehensive cyberattack taxonomy for IoT platforms, (ii) demonstrated IoT’s evolution, applications, and challenges, (iii) discussed various security issues associated with the IoT environment and described the review strategy, (iv) presented a comprehensive review of existing ML and DL-based detection approaches for IoT traffic-based DDoS attacks, (v) characterized publicly available IoT-traffic-specific datasets with their attributes and illustrated commonly used performance metrics, and (vi) presented open research issues, possible solutions for detecting IoT traffic-based DDoS attacks in IoT systems, and future directions. Based on the open issues and their possible solutions, this literature review aims to provide a broader perspective on future directions in the IoT security domain. Fellow researchers can thus gain a basic understanding of existing ML and DL-based defense mechanisms for IoT security. Additionally, one can develop a robust defense system that makes an IoT environment more secure by addressing the open issues raised in this study.