Deep Learning Approaches for Network Traffic Classification in the Internet of Things

(IoT): A Survey

Jawad Hussain Kalwar Sania Bhatti

dept. of Software Engineering dept. of Software Engineering
Mehran University of Engineering and Technology Mehran University of Engineering and Technology
Jamshoro, Sindh, Pakistan Jamshoro, Sindh, Pakistan
[email protected] [email protected]

ABSTRACT for network traffic classification in the context of the IoT. By

accumulating existing literature and identifying emerging
The Internet of Things (IoT) has witnessed unprecedented
trends, this survey contributes to the understanding and
growth, resulting in a massive influx of diverse network
advancement of the field. Furthermore, it serves as a
traffic from interconnected devices. Effectively classifying
valuable resource for researchers, practitioners, and
this network traffic is crucial for optimizing resource
network administrators seeking to navigate the complex
allocation, enhancing security measures, and ensuring
landscape of network traffic classification in IoT
efficient network management in IoT systems. Deep
environments.
learning has emerged as a powerful technique for network
traffic classification due to its ability to automatically learn The primary objective of this survey paper is to provide a
complex patterns and representations from raw data. This review and analysis of the deep learning approaches
survey paper aims to provide a comprehensive overview of utilized for network traffic classification in the IoT.
the existing deep learning approaches employed in network Specifically, we aim to:
traffic classification specifically tailored for IoT
environments. By systematically analyzing and categorizing - Identify and tabulate the various deep learning models
the latest research contributions in this domain, we explore and architectures employed in network traffic classification
the strengths and limitations of various deep learning for IoT environments.
models in handling the unique challenges posed by IoT
- Investigate the methodologies and techniques used for
network traffic. Through this survey, we aim to offer
feature extraction, representation, and selection in deep
researchers and practitioners valuable insights, identify
learning-based traffic classification.
research gaps, and provide directions for future research to
further enhance the effectiveness and efficiency of deep - Analyze the strengths, limitations, and performance of
learning-based network traffic classification in IoT. existing deep learning methods in this domain.

- Highlight the challenges and open research directions in

1 INTRODUCTION deep learning-based network traffic classification for IoT.
The Internet of Things (IoT) has the prospect to
The scope of this survey encompasses recent literature
revolutionize the way we interact with the digital world,
published in academic journals, conferences, and reputable
connecting billions of devices and enabling numerous
online repositories since January 2020 up until April 2023.
applications across various domains such as healthcare,
We focus on the application of deep learning techniques to
smart cities, transportation, and industry. However, the
network traffic classification in IoT environments,
rapid growth of IoT devices has also brought about
considering both supervised and unsupervised learning
significant challenges, particularly in managing and
approaches. However, we exclude studies that solely focus
securing the vast amount of network traffic generated by
on traditional machine learning methods or other specific
these devices[62]. Network traffic classification plays a
non-deep learning techniques. We have also excluded the
crucial role in understanding the communication patterns,
studies that are not specifically aimed at IoT and the unique
identifying potential security threats, and optimizing
challenges that come with that.
network performance in IoT environments[22]. Traditional
approaches to traffic classification, such as port-based or The remainder of this survey paper is organized as follows.
payload-based methods, have limitations in effectively Section 2 provides an overview and the Background
handling the diverse and dynamic nature of IoT traffic[1]. concepts of the fundamentals of network traffic
Consequently, researchers have turned to deep learning classification in the IoT, including the characteristics of IoT
techniques, which have demonstrated remarkable success traffic and the challenges faced in its classification. Section
in various domains, including computer vision, natural 3 presents a brief look at related surveys. Section 4
language processing, and speech recognition[49]. describes our methodology. Section 5 presents a
comprehensive survey of deep learning models and
This survey paper aims to present a comprehensive analysis
architectures used in IoT network traffic classification,
of the state-of-the-art deep learning approaches employed
highlighting their advantages and drawbacks. It discusses
the methodologies employed for feature extraction, These devices, ranging from everyday objects like smart
representation, and selection in deep learning-based traffic appliances and wearables to industrial machinery and
classification. the challenges and open research directions. infrastructure, collect and transmit data to the cloud or
followed by a summary and conclusion. By addressing these other networked systems[40]. Network traffic classification
key aspects, this survey paper aims to shed light on the in the IoT context involves the categorization of data flows
current landscape, achievements, and challenges in the generated by IoT devices based on their specific
application of deep learning for network traffic characteristics and purposes. The unique nature of IoT
classification in the IoT domain. network traffic presents several challenges compared to
traditional network traffic classification[42]. First, the
sheer scale and diversity of IoT devices result in a
2 BACKGROUD significantly larger volume of network traffic with distinct
Deep learning has emerged as a powerful technique for patterns and behaviors. This necessitates the development
network traffic classification in the Internet of Things (IoT) of classification techniques capable of handling the
domain[1]. With the exponential growth of connected increased complexity and variability in IoT data[29].
devices, the need for efficient and accurate identification of Second, IoT devices often operate under resource
network traffic becomes crucial for managing and securing constraints, such as limited processing power, memory, and
IoT systems. Deep learning models, particularly energy. As a result, network traffic classification algorithms
convolutional neural networks (CNNs)[2,17,28,41] and for IoT must be optimized to minimize computational
recurrent neural networks (RNNs)[6,27,37,39,50], have overhead and energy consumption[44]. Moreover, IoT
demonstrated remarkable capabilities in extracting traffic may exhibit time-varying patterns, intermittent
relevant features from raw network data and effectively connectivity, and mobility, requiring adaptive classification
classifying different types of traffic. By leveraging the methods that can handle dynamic and evolving network
inherent ability of deep learning models to learn environments[31]. Additionally, IoT network traffic
hierarchical representations, IoT network traffic can be classification may involve the identification of specific IoT
effectively classified based on its distinctive patterns and applications, protocols, or device types to enable targeted
characteristics. monitoring, resource allocation, and security measures.
Therefore, network traffic classification in the IoT domain
Furthermore, the availability of large-scale IoT traffic requires tailored algorithms and techniques that can handle
datasets[3,33,36], enables the training of deep learning the unique characteristics and challenges posed by the vast
models with enhanced accuracy and generalizability. and diverse IoT ecosystem[9]. Researchers are actively
However, challenges persist in developing deep learning exploring novel approaches, including deep learning,
models that are computationally efficient and resource- machine learning, and data mining techniques, to tackle
constrained for IoT devices[2]. Despite these challenges, these challenges and advance the state-of-the-art in IoT
deep learning remains a promising approach for network network traffic classification.
traffic classification in IoT, offering significant potential for
improving network management, security, and resource Machine learning refers to the field of study and practice
allocation in IoT environments[22]. that focuses on the development of algorithms and models
capable of automatically learning patterns and making
Network traffic classification, an essential task in network predictions or decisions based on data. It encompasses
management and security, involves categorizing network various techniques such as statistical models, decision
traffic into different types or classes based on various trees, and neural networks[23]. Deep learning, a subset of
attributes and characteristics[8]. The primary motivation machine learning, specifically refers to the use of artificial
behind network traffic classification is to gain insights into neural networks with multiple layers to extract high-level
network behavior, monitor performance, allocate resources representations from raw data[46]. Deep learning excels in
effectively, and ensure network security. By understanding capturing intricate patterns and dependencies in complex
the composition and patterns of network traffic, datasets, enabling more accurate and robust predictions
administrators can identify and prioritize critical compared to traditional machine learning methods. The
applications, detect anomalies, mitigate network hierarchical nature of deep neural networks allows them to
congestion, and enforce security policies[24]. Furthermore, automatically learn abstract features and representations,
network traffic classification enables the development of making them highly effective for tasks like image
specialized services, such as Quality of Service (QoS) recognition, natural language processing, and speech
mechanisms and intrusion detection systems, tailored to recognition[12]. Consequently, deep learning has gained
different traffic types[32]. Effective network traffic prominence due to its superior performance on large-scale
classification is crucial for managing and optimizing datasets, ability to handle unstructured data, and the
network resources, enhancing user experience, and potential for end-to-end learning without explicit feature
safeguarding network infrastructure from potential threats engineering. In summary, deep learning's capacity to
and vulnerabilities. capture complex relationships and learn hierarchical
representations makes it a powerful and superior approach
The Internet of Things (IoT) refers to the interconnected
compared to vanilla machine learning for many data-driven
network of physical devices embedded with sensors,
tasks.
actuators, and communication capabilities that enable
them to exchange data and interact with the environment.
Deep learning has emerged as a promising approach for traffic management, and quality of service (QoS)
network traffic classification in the Internet of Things (IoT) mechanisms in IoT systems. It facilitates the identification
domain, offering the potential to effectively manage and and prioritization of critical applications and services,
secure IoT systems[22]. The application of deep learning to leading to improved user experience and overall system
network traffic classification involves a multi-step process. performance. Additionally, deep learning-based traffic
First, a large-scale dataset of labeled network traffic is classification plays a vital role in IoT security, enabling the
collected, representing various IoT applications, protocols, detection and mitigation of network anomalies, intrusion
and device types. This dataset serves as the training data for attempts, and malicious activities. It empowers network
the deep learning model. Next, the dataset is preprocessed administrators and security professionals to enforce
to extract relevant features, such as packet headers, payload appropriate security policies and protect IoT infrastructure
information, flow statistics, and timing characteristics. from potential threats and vulnerabilities.
These features capture the distinctive patterns and
behaviors of different network traffic classes[59]. Then, a Deep learning offers a promising approach for network
deep learning model, typically a convolutional neural traffic classification in the IoT domain. Its ability to
network (CNN)[2,17,28,41] or recurrent neural network automatically learn complex patterns, handle large-scale
(RNN)[6,27,37,39,50] is constructed. The model datasets, and adapt to dynamic IoT environments makes it
architecture consists of multiple layers, allowing it to learn a valuable tool for managing and securing IoT systems.
hierarchical representations and abstract features from the However, challenges related to computational
raw network traffic data. The model is trained using the requirements, data availability, and interpretability need to
labeled dataset, employing techniques like be addressed. As research progresses, deep learning
backpropagation and stochastic gradient descent to techniques in network traffic classification are expected to
optimize the model's parameters. Once trained, the deep evolve, leading to further advancements in IoT network
learning model can classify incoming network traffic into management, security, and resource optimization. Future
predefined classes or detect anomalies based on learned research efforts should focus on addressing the limitations
patterns[7]. of deep learning models in IoT contexts and exploring
techniques to optimize their performance for real-time and
Compared to traditional methods of network traffic resource-constrained IoT applications.
classification, deep learning offers several advantages. First,
deep learning models can automatically learn and extract
complex and hierarchical features from raw data, 3 RELATED WORK
eliminating the need for manual feature engineering. This In several surveys published in recent years researchers
ability is particularly valuable in the IoT context, where the have addressed various challenges and proposed solutions
characteristics of network traffic can be diverse, dynamic, in the field of network traffic analysis. One survey [8]
and constantly evolving. Second, deep learning models are provides a comprehensive review of network traffic
highly flexible and adaptable, capable of capturing both classification techniques, discussing their implementations,
spatial and temporal dependencies in network traffic data. advantages, and limitations. The authors emphasize the
This flexibility enables the classification of time-varying importance of network traffic classification for purposes
and intermittent IoT traffic patterns. Third, deep learning like quality of service, lawful interception, preventing choke
models have shown superior performance in handling points, and identifying malicious behavior. They suggest
large-scale datasets, which is crucial in IoT environments integrating multilayer classification models to improve
with a vast number of connected devices generating accuracy and overcome limitations, while also proposing
massive amounts of data. Furthermore, the availability of the exploration of supervised learning, evaluation of
pre-trained models and transfer learning techniques allows models in real environments with high-scale traffic, multi-
for efficient utilization of resources and accelerated training source traffic classification, and combining statistical
processes in network traffic classification tasks. feature analysis with deep learning.
However, deep learning for network traffic classification in Another survey [38] focuses on the challenges posed by the
IoT also presents some challenges and limitations. Deep increasing adoption of network traffic encryption. It
learning models often require substantial computational reviews existing literature on solutions for analyzing
resources and training time, which can be a concern in encrypted network traffic and highlights the constraints
resource-constrained IoT devices with limited processing faced by traditional deep packet inspection systems.
power and energy. Additionally, the need for extensive Ongoing efforts within the research community to
labeled datasets for training deep learning models may be overcome these limitations are acknowledged, and future
challenging to obtain in some IoT contexts. Furthermore, research directions in encrypted traffic analysis and
deep learning models are often regarded as black boxes, processing are identified. Additionally, a survey [22]
making it difficult to interpret and explain their decision- highlights the use of image processing techniques in
making processes, which can be problematic in scenarios network traffic analysis, particularly in the context of
where explainability and accountability are crucial. The efficient and automated analysis. The authors discuss the
implications of deep learning in network traffic application of artificial intelligence and deep neural
classification for IoT are significant. Accurate classification networks in analyzing network traffic image data and note
of network traffic can enable efficient resource allocation,
the existing challenges in determining suitable image and techniques used in traffic classification and emphasizes
representations for specific environments and conditions. the need for near-real-time fine-grained classification in
community networks. It suggests exploring packet-based or
Furthermore, a paper [16] addresses the lack of flow-based methods and utilizing deep learning models
standardization in network traffic analysis, proposing the such as CNNs and LSTMs, while considering computational
use of pcapML, an open-source system, for standardized resource usage and training time.
dataset curation and usage. The authors also introduce
pcapML benchmarks to track the progress of network Another survey [1] provides a comprehensive overview of
traffic analysis methods and demonstrate the impact of deep learning techniques in Network Traffic Monitoring
standardization on reproducibility and innovation in the and Analysis (NTMA) for systems like IoT and cellular
field. Collectively, these publications provide valuable networks. It covers a wide range of applications including
insights into network traffic analysis, covering topics such traffic classification, prediction, fault management, and
as classification techniques, the impact of encryption, image network security. The paper discusses the advantages,
processing applications, and the importance of disadvantages, challenges, and future research directions in
standardization. the field of deep learning for NTMA. In the context of IoT
intrusion detection, a research study [21] explores the
Several publications have explored different aspects of implementation of top artificial intelligence deep learning
Internet of Things (IoT) security and classification techniques using the IoT-23 dataset. The study develops
techniques. One survey [42] focuses on identifying and various neural network models and identifies CNN, GANs,
profiling IoT devices, discussing various profiling methods and multilayer perceptron as achieving the highest
and their categorization based on security perspectives. accuracy scores with minimal loss function and execution
The survey emphasizes the need for specialized tools to time. The research highlights the effectiveness of deep
monitor IoT devices and highlights the importance of learning models, particularly CNN, in detecting IoT
accurate device identification for security. anomalies and reducing attacks. Collectively, these
publications contribute valuable insights into the
Another article [45] delves into the use of machine and deep
applications of deep learning for network traffic
learning techniques for IoT security intelligence. It provides
classification, monitoring, and intrusion detection in
an overview of IoT security challenges, traditional security
various contexts, offering guidance for future research in
limitations, and the extraction of insights from raw data to
the field.
protect IoT devices against cyber-attacks. The article
highlights the significance of selecting appropriate models
for IoT security and identifies future research directions. 4 METHODOLOGY
In the context of IoT platform support, a survey [43] To conduct this survey, we performed a literature search
explores FPGA-based implementations of classification using relevant search queries. The search queries included
techniques to process large datasets efficiently. It discusses terms such as "Internet of Things," "IoT," "network traffic
different classification techniques, existing FPGA classification," "deep learning," and "deep neural networks."
implementations, challenges, and optimization strategies. We utilized multiple search queries to ensure a thorough
The relevance to IoT lies in the need for high-speed exploration of the literature. The queries used were
classification in IoT applications, and FPGA-based ["Internet of Things," "IoT," "network traffic classification,"
implementations can enhance performance. "deep learning," "deep neural networks"], ["IoT," "network
traffic classification," "deep learning," "deep neural
Additionally, a review paper [51] presents a comprehensive networks," "Internet of Things"], and ["Internet of Things,"
survey on machine learning and deep learning perspectives "IoT," "network traffic classification," "deep learning," "deep
of Intrusion Detection Systems (IDS) for IoT. It discusses IDS neural networks"].
placement, analysis strategies, intrusion categories, and the
application of machine learning and deep learning for We searched various academic databases, including but not
attack detection. The paper emphasizes the importance of limited to IEEE Xplore, ACM Digital Library, and Google
robust IDS solutions for IoT security and suggests future Scholar. The search results were filtered based on relevance
research directions. Together, these publications contribute to the topic and inclusion criteria. After obtaining the
valuable insights into IoT device profiling, security relevant papers, we reviewed them to extract information
intelligence, FPGA-based implementations, and IDS on the deep learning approaches employed for network
perspectives, addressing security challenges and traffic classification in the context of IoT. We focused on
identifying avenues for further exploration. techniques, algorithms, architectures, and datasets utilized
in the studies. By analyzing the collected information, we
Publications have also explored the applications of deep categorized and summarized the different deep learning
learning techniques in network traffic classification, approaches used for network traffic classification in the IoT.
monitoring, and intrusion detection in the context of We identified common trends, challenges, and
community networks and modern communication systems. advancements in the field. The methodology employed in
One review [32] focuses on traffic classification in this survey aimed to provide a comprehensive overview of
community networks and highlights the effectiveness of the current state of research on deep learning approaches
deep learning in addressing the challenges posed by for network traffic classification in the IoT.
encrypted traffic. The paper discusses various approaches
 would improve the reliability, applicability, and overall
progress in the field.

Despite claims of being tailored for the Internet of Things

(IoT), certain publications in the literature often fall short
in fulfilling this assertion. While the authors purport to
address IoT-specific challenges, their work frequently lacks
a comprehensive understanding of the distinctive
characteristics, requirements, and limitations of IoT
networks. In order to bridge this gap, future research must
diligently adhere to the unique demands and complexities
of the IoT landscape, ensuring that proposed solutions can
Figure 1 Methodology for this Survey be effectively deployed in real-world IoT environments.

However, despite the challenges present in the literature,

5 DISCUSSION we have successfully tabulated and consolidated the
The literature on deep learning approaches for network existing research in this field. Through meticulous analysis,
traffic classification in the Internet of Things (IoT) faces we have derived noteworthy insights and findings.
several challenges. These include limited benchmarking
The table below presents a summary of the literature,
and comparative analysis, inconsistent experimental
organizing the publications based on their reference, year
setups, insufficient analysis of real-world challenges,
of publication, proposed solution or approach, dataset(s)
inadequate focus on interpretability and explainability, and
utilized in their studies, and the specific purpose of network
imbalanced representation of research contributions.
traffic classification. This tabulated information provides a
These issues hinder the assessment, comparison, and
concise overview of the publications, allowing researchers
practical implementation of deep learning models in IoT
and practitioners to gain insights into the proposed
network traffic classification. Addressing these concerns
solutions, datasets employed, and the specific objectives of
network traffic classification addressed in each study.

Table 1: A Selection of Recent Deep Learning Models for IoT Network Traffic Classification

Ref Year Proposed Solution Dataset(s) Classification Purpose

Application based
[17] 2020 Deep CNN Moore dataset
Classification
Binary & Multiclass Malicious
[2] 2020 Deep CNN NSL-KDD
Traffic Classification
D-PACK: CNN + Autoencoder for USTC-TFC2016, Mirai-RGU,
[20] 2020 Malicious Traffic Classification
auto-profiling Mirai-CCU
Custom (converted to
[10] 2020 ResNet-50 Malicious Traffic Classification
binvis)
Mini-Batch Gradient Descent with an
[57] 2020 Custom Anomaly Detection
Adaptive Learning Rate and Momentum
Application based
[47] 2021 Cost sensitive CNN ISCX VPN-nonVPN
Classification
ByteSGAN: A Semi-Supervised Generative Application based
[54] 2021 ISCX VPN-nonVPN + Custom
Adversarial Network Classification

[55] 2021 Logarithmic Neural Network (LOGNN) NSL-KDD and UNSW-NB15. Intrusion Detection

5G Network Traffic
[15] 2021 Based on Deep Transfer Learning USTC-TFC2016
Classification

[5] 2021 Deep Autoencoder Bot-IoT Botnet Detection

[39] 2021 Stacked RNN (SRNN) Bot-IoT Botnet Detection

[27] 2021 TSCRNN ISCXTor2016 Encrypted Traffic Classification

Ref Year Proposed Solution Dataset(s) Classification Purpose

Multiclass Feed Forward Neural Network

[14] 2021 Bot-IoT Intrusion Detection
mFNN
Multi-task lEarning Model with hyBrid
Bot-IoT, UNSW-NB15,
[25] 2022 dEep featuRes (MEMBER): CNN with Intrusion Detection
CICIDS2017, ISCX2012
attention
Stack Ensembled Meta-Learning-Based
[48] 2022 UNSW-NB15 Multiclass Traffic Classification
Optimized Classification Framework

[58] 2022 Deep Neural Network Custom + Ton-IoT Intrusion Detection

LSTM Autoencoder in an unsupervised

[26] 2022 NEU-SNS-intl-IoT Zero-Day Attack Detection
manner
Custom IoMT-blockchain
[53] 2022 Multimodal Autoencoder + BiLSTM Anomaly Detection
dataset
Packet Graph-Vector Transformer + CNN +
[28] 2022 UNSW-NB15 + Custom Encrypted Traffic Identification
Multi-Dimensional CNN
Multiclass Device
[52] 2022 LSTM, 1D-CNN, Deep Forest, RF Custom
Identification.

[35] 2022 Deep CNN IoT-23 dataset Malicious Traffic Classification

UNSW-NB15, CICIDS2017,
[9] 2022 CNN With Deep Feature Extraction Real-Time Intrusion Detection
and KDDCup99
3 Models: VGG-DALNet Model, Res-DALNet
[19] 2022 USTC-TFC2016 Malicious Traffic Classification
Model, Alex-DALNet Model
Recurrent Kernel CNN-Modified Monarch
[37] 2022 N-BaIoT and CICIDS-2017 Intrusion Detection
Butterfly Optimization
2 Stage Distillation Aware Compressed Application based
[30] 2022 ISCX VPN-nonVPN
Deep CNN Models Classification
Knowledge-Transfer-ConvLaddernet and
[34] 2022 USTC-TFC2016 + Custom Malicious Traffic Classification
KT-Domain-Adaptive-ConvLaddernet
UNSW-NB15 and
[60] 2022 LSTM DNN Intrusion Detection
Bot-IoT
Simplified Time Convolutional Network Multi-Class Malicious Traffic
[56] 2022 CSE-CICIDS2018 + Custom
(S-TCN) Classification
Confidence Measure-Based Ensemble Deep Realtime Multiclass Traffic
[44] 2022 ISCX VPN-nonVPN
Learning Model Classification

[41] 2022 Transfer Learning with CNNs BoT-IoT and UNSW-NB15 Zero-Day Attack Detection

Deep Subdomain Adaptation Network with

[18] 2023 MCFP Malicious Traffic Classification
Attention Mechanism (DSAN-AT)
Cost Matrix Time-Space Neural Network ToN-IoT, BoT-IoT and ISCX
[61] 2023 Anomaly Detection
(CMTSNN) VPN-nonVPN
Deep learning Multiclass classification Anomaly-Based Intrusion
[13] 2023 CICIDS2017
model (EIDM) Detection
Deep Learning-Based Convolutional Neural Binary And Multi-Class
[31] 2023 CICDDoS2019
Network Classification

[4] 2023 Federated Blending Model Edge-IIoT, InSDN Intrusion Detection

[50] 2023 RNN + BiLSTM BoT-IoT Intrusion Detection

Global-Local Attention Data Selection ISCX VPN-nonVPN, Multimodal Multitask

[11] 2023
(GLADS) ISCX-Tor, USTC-TFC, ToN-IoT Encrypted Traffic Classification
5.1 Application Awareness in IoT introduces high computation complexity, impacting
application-awareness speed. Similarly, the CCN structure
Application awareness in network traffic classification in
model has too many hidden layers, leading to increased
IoT refers to the ability to identify and understand the
computation time and slower convergence speed. Future
specific applications or services generating the network
work involves improving the t-SNE function and finding an
traffic. It involves classifying traffic based on the
optimal CCN structure model. The ByteSGAN model [54]
applications or protocols being used, such as video
addresses data imbalance issues in traffic classification but
streaming, voice over IP (VoIP), web browsing, or file
faces challenges related to GAN training, such as mode
transfer. Application awareness is important because it
collapse and instability. Prequential evaluation technology
allows for more precise and granular monitoring, analysis,
is suggested for evaluating streaming data in the context of
and control of network traffic. By accurately identifying
traffic classification. While the compressed models [30]
different applications, network administrators can
perform well, further enhancements are needed to handle
optimize network resources, prioritize critical applications,
the problem of unbalanced traffic types. Future studies aim
detect and mitigate potential security threats, and ensure a
to develop efficient models addressing this issue.
better quality of service for IoT devices and applications.
5.2 Classification of Encrypted traffic & Others
Several models have been introduced to enhance
application awareness in network traffic classification for Encrypted and other unique IoT traffic classification in IoT
IoT. One such model proposed in [17] is a CNN-based refers to the identification and analysis of network traffic
mechanism integrated with Software-Defined Networking that is encrypted or uses unique protocols specific to IoT
(SDN). The mechanism consists of three modules: traffic devices. It involves detecting and classifying traffic that
collection, data pre-processing, and application-awareness. cannot be easily inspected or understood due to encryption
Another approach presented in [47] is the Cost-Sensitive or unconventional protocols. This type of classification is
Convolutional Neural Network (CSCNN), which addresses important because it enables the monitoring and detection
the class imbalance problem in low-frequency traffic data of potential security threats or malicious activities that may
identification. The CSCNN adapts misclassification costs be hidden within encrypted or unique IoT traffic. By
during training, leading to improved traffic classification, accurately classifying and analyzing such traffic, network
particularly for low-frequency traffic data. Furthermore, a administrators can enhance the security and integrity of
GAN-based Semi-Supervised Learning Encrypted Traffic IoT networks, detect anomalies, and protect against
Classification method called ByteSGAN is proposed in [54]. potential attacks or unauthorized access.
This approach utilizes a small number of labeled traffic
samples and a large number of unlabeled ones to achieve Researchers have proposed diverse models to address the
fine-grained traffic classification. ByteSGAN outperforms unique challenges of network traffic classification in IoT
other supervised learning methods like CNN in terms of systems. One approach utilizes deep transfer learning to
traffic classification. overcome limited datasets and computing capabilities in 5G
IoT systems [15]. This method employs weight initialization
Compressed models have also been explored for traffic and neural network fine-tuning to enable transfer learning
classification in IoT networks. The paper discussed in [30] between different domains. Experimental results
introduces a two-step distillation scheme using a Network demonstrate the high accuracy achieved by models such as
in Network (NIN) model. Channel pruning is applied to LeNet-5, BiT, and EfficientNet-B0, even with limited labeled
select important filters, resulting in compressed models. data. For encrypted traffic classification in Industrial IoT
Knowledge Distillation (KD) is utilized to transfer soft (IIoT) systems, a novel approach called TSCRNN has been
target, relationship, and feature map information, achieving introduced [27]. TSCRNN considers both temporal and
higher accuracy and significantly reducing computation spatial characteristics, outperforming other classification
resources compared to state-of-the-art CNN models. methods based on machine learning and deep learning.
This approach shows promise for various IIoT applications,
The proposed models offer notable strengths in network including communication, network, information
traffic classification. The CNN-based mechanism with SDN processing, and security. In the domain of IoT device
integration [17] shows superior performance in terms of identification, an autonomous model update framework
key metrics, indicating its effectiveness in application- based on packet payloads has been proposed [28]. This
awareness. The CSCNN approach [47] addresses the class framework accurately identifies known device traffic while
imbalance problem, making it suitable for low-frequency mitigating the impact of unknown interference in an open-
traffic data identification. ByteSGAN [54] demonstrates world scenario. The 2-D CNN classifier in the framework
superior performance in encrypted traffic classification. achieves accurate classification of known IoT devices and
The compressed models [30] achieve higher accuracy with exhibits resistance against unknown interference. GLADS is
reduced computation resources, addressing the problem of a lightweight, multitask, and deep learning-based
unbalanced traffic types. The HetIoT-CNN IDS [31] shows encrypted traffic classification model designed for
high accuracy in detecting various attacks while resource-constrained IoT environments [11]. This model
maintaining efficiency. incorporates the "indicator" mechanism for simultaneous
feature extraction from multiple modalities. Experimental
However, these models also have certain limitations. The t-
results demonstrate that GLADS outperforms existing
SNE pooling function in the CNN-based mechanism [17]
baselines and provides insights into the relationship
between input lengths and model performance. To classify utilizes high-performance computing with Nvidia GPUs and
time-series signals generated by IoT device network flows, Intel CPUs for parallel processing. The proposed system
a deep learning-based approach using different consists of three subsystems: feature engineering, feature
architectures has been proposed [52]. The DF model, based learning, and detection/classification. Using a CNN-based
on the Deep Forest algorithm, shows competitive design, the system achieves high detection accuracy
performance compared to 1D-CNN and LSTM models, (99.3%) for distinguishing normal and anomaly traffic and
outperforming the Random Forrest model. Future work high classification accuracy (98.2%) for categorizing IoT
involves exploring scenarios with concept drifts caused by traffic into five classes.
events like firmware upgrades.
Another framework called D-PACK [20] incorporates traffic
The proposed models offer several strengths in network sampling, traffic auto-profiling using a CNN, and an
traffic classification for IoT. The deep transfer learning unsupervised deep learning model (autoencoder) to enable
approach [15] enables accurate classification even with early detection of malicious traffic. This system
limited labeled data, leveraging techniques proven effective demonstrates near-perfect detection accuracy and offers
in image classification domains. TSCRNN [27] the advantage of speeding up the detection process. D-PACK
demonstrates superior performance by considering both aims to examine a minimal number of packets and bytes to
temporal and spatial characteristics, enhancing encrypted reduce processing volume. D-PACK's efficiency is
traffic classification in IIoT systems. The autonomous highlighted by its ability to detect with only two packets per
model update framework [28] accurately identifies known flow and 80 bytes per packet. The framework is expected to
IoT device traffic while being resilient to unknown consume less flow pre-processing and detection time
interference, improving network management. GLADS [11] compared to prior works.
provides a lightweight and multitask model for encrypted
traffic classification in resource-constrained IoT Additionally, deep learning models like ResNet50 [10] and
environments. The DF model [52] achieves competitive VGG-DALNet [19] have been employed for identifying
performance without requiring feature engineering or malicious network traffic, achieving high accuracy rates
hyper-parameter tuning. even with limited labeled samples. The paper evaluates the
accuracy of three models (VGG-DALNet, Res-DALNet, and
However, these models also have limitations that should be Alex-DALNet) using SSL-based MTC methods for classifying
considered. The deep transfer learning approach [15] relies malicious traffic with limited labeled samples. VGG-DALNet
on the availability of labeled data, which may still be limited performs the best among the three models, followed by Res-
in certain IoT scenarios. TSCRNN [27] would benefit from DALNet and Alex-DALNet.
addressing the issue of unbalanced traffic datasets and
exploring unsupervised and semi-supervised learning [34] propose Multi-Task Classification (MTC) methods for
methods. The autonomous model update framework [28] secure IIoT applications, where ConvLaddernet-based MTC
should be further validated and optimized for diverse real- performs well with few labeled samples, and KT-
world scenarios. GLADS [11] needs further research to ConvLaddernet-based MTC excels with even fewer labeled
handle zero-day applications and address imbalanced samples. DSAN-AT [18] introduces a deep transfer learning
traffic. The DF model [52] exhibits higher inference time model that accurately identifies malware variant traffic at
compared to other models, which may impact real-time an IoT edge gateway, utilizing channel and spatial attention
classification requirements. mechanisms for enhanced performance. Lastly, Multi-class
S-TCN [56] presents an improved Temporal Convolutional
5.3 Malicious Traffic Identification Network (TCN) solution based on Deep Packet Inspection
(DPI), offering high accuracy and fast detection speed for
Malicious traffic identification through network traffic
malicious traffic in IoT environments. The [35] DEMD-IoT
classification in IoT refers to the process of detecting and
model is proposed for IoT malware detection using deep
classifying network traffic that exhibits malicious behavior
ensemble learning architectures. One-dimensional CNNs
or intent. It involves identifying patterns, signatures, or
are used instead of two-dimensional CNNs, reducing
anomalies in the network traffic that indicate potential
preprocessing time and computational complexity.
attacks, malware, or unauthorized activities. This type of
Techniques such as Batch Normalization, Dropout, and
identification is crucial because it enables the early
early stopping are employed to prevent overfitting and
detection and mitigation of security threats in IoT
improve outcomes. Three 1D-CNN classifiers with different
environments. By accurately identifying and classifying
settings are built to learn various patterns of IoT network
malicious traffic, network administrators can take proactive
traffic. The models' hyperparameters are optimized using
measures to protect IoT devices, networks, and data,
the GridSearchCV algorithm.
ensuring the integrity, privacy, and security of the entire IoT
ecosystem. The proposed models for malicious traffic detection in IoT
network traffic classification offer several strengths. IoT-
Researchers have proposed several models to detect and
IDCS-CNN [2] achieves high detection and classification
classify malicious traffic in IoT networks. IoT-IDCS-CNN [2]
accuracy, surpassing existing IDS systems in the same
presents an efficient deep-learning-based system that
domain. D-PACK [20] stands out for its ability to speed up
utilizes a CNN design to achieve high detection accuracy for
detection, allowing for timely identification of malicious
distinguishing normal and anomaly traffic. The system
traffic. Deep learning models such as ResNet50 [10] and
VGG-DALNet [19] demonstrate high accuracy rates, even algorithm is introduced for mining untrustworthy data
with limited labeled samples, making them effective in real- from massive traffic data in Industrial IoT (IIoT). This
world scenarios. The MTC methods proposed in algorithm outperforms others in terms of performance and
ConvLaddernet and KT-ConvLaddernet [34] cater to precision, enhancing trustworthiness in networking big
different labeled sample scenarios, showcasing their data in IIoT. Additionally, [13]presents the EIDM model,
versatility. DSAN-AT [18] exhibits high performance in which utilizes deep learning to detect and classify
accurately identifying specific malware variant traffic, even suspicious behaviors in network flow. The model achieves
with a small training dataset. Multi-class S-TCN [56] offers high accuracy in classifying various traffic behaviors,
high accuracy, fast detection speed, and support for parallel outperforming other models in terms of accuracy and time
detection, making it suitable for IoT environments. The cost.
DEMD-IoT model [35] achieves superior performance
compared to state-of-the-art models through the use of one- The proposed models for anomaly detection in network
dimensional CNNs and optimization techniques. traffic classification in IoT offer several strengths. The
feature extraction method in [53] effectively extracts and
Despite their strengths, the proposed models also have fuses features from different traffic feature subspaces,
certain limitations. IoT-IDCS-CNN [2] suggests the need for enhancing anomaly detection performance. The CMTSNN
additional data collection and customization with other model in [61] combines temporal and spatial feature
cyberattack datasets to enhance its performance. D-PACK extraction methods, leading to improved robustness and
[20] could benefit from further optimization methods to identification rates for encrypted abnormal traffic. The
reduce detection delays. The deep learning models like HCAMBGDALRM algorithm in [57] outperforms other
ResNet50 [10] and VGG-DALNet [19] require labeled algorithms, ensuring trustworthiness in networking big
samples for training, which may be challenging to obtain in data in IIoT and supporting safety improvement. The EIDM
certain scenarios. ConvLaddernet and KT-ConvLaddernet model in [13] achieves high accuracy in classifying
[34] rely on pretraining models, posing practical challenges. suspicious behaviors, surpassing other models and
DSAN-AT [18] requires refinement to consider adaptability, demonstrating efficient time cost.
federated transfer learning, and online transfer learning for
identifying specific malware variant traffic. The DEMD-IoT Despite their strengths, the proposed models also have
model [35] may experience increased execution time due to certain limitations. The feature extraction method in [53]
a large number of hyperparameters, and exploring parallel requires further research to develop more flexible
processing is recommended to reduce computational costs. algorithms and study real-time anomaly detection in
simulated network environments. The CMTSNN model in
5.4 Anomaly Detection [61] requires exploration of adaptability to real-time flow
changes and optimization to maintain identification rates
Anomaly detection in network traffic classification in IoT
while reducing model complexity. The HCAMBGDALRM
refers to the process of identifying abnormal or suspicious
algorithm in [57] provides parallel processing support but
patterns in network traffic behavior. It involves analyzing
may require additional investigation to address specific
network traffic data to detect deviations from normal
IIoT scenarios. The EIDM model in [13] would benefit from
behavior that may indicate potential security breaches,
exploring the distribution of learning processes across
intrusions, or abnormal activities. This type of detection is
different machines for high-performance computing and
important because it helps identify and mitigate unknown
enhancing the overall performance and security of the
or emerging threats in IoT networks. By accurately
intrusion detection system.
detecting anomalies in network traffic, administrators can
take prompt action to investigate and respond to potential 5.5 Botnet Detection
security incidents, ensuring the overall security and
integrity of IoT devices, data, and infrastructure. Botnet detection in network traffic classification in IoT
refers to the process of identifying and distinguishing
Researchers have proposed various models to detect network traffic associated with botnets, which are
anomalies in network traffic in the IoT environment. A networks of compromised devices controlled by a malicious
feature extraction method using multi-model autoencoders actor. It involves analyzing traffic patterns, communication
is proposed in [53] to effectively extract and fuse features behavior, and other characteristics to identify the presence
from different traffic feature subspaces. The method also of botnet-related activities. Botnet detection is crucial
introduces a multi-feature sequence anomaly detection because it helps mitigate the risks posed by botnet attacks
algorithm using residual learning, showcasing good in IoT networks. By accurately detecting and classifying
performance in anomaly detection for IoT-Blockchain botnet traffic, network administrators can take necessary
traffic. In [61], the CMTSNN model is presented for multi- actions to isolate and mitigate the compromised devices,
classification identification of encrypted abnormal traffic in prevent further spread of malware, and safeguard the
IoT. This model combines BiLSTM-1DCNN for temporal and integrity, availability, and security of IoT networks and
spatial feature extraction, and employs a cost penalty devices.
matrix and an improved cross-entropy loss function to
address unbalanced traffic data. Experimental results Researchers have proposed various models to detect and
demonstrate superior performance, with lower false alarm classify botnet attacks in network traffic in IoT. In [5], a deep
rates and higher accuracy. In [57], the HCAMBGDALRM autoencoder-based anomaly detection solution is
proposed. This method shows high accuracy, precision, and attacks. It also showcases efficiency in terms of time,
recall values, indicating its effectiveness and robustness in lightweight design, and low complexity compared to state-
detecting botnet attacks in IoT networks. In [39], the SRNN of-the-art IDSs. Additionally, the identification and feature
(Stacked Recurrent Neural Network) model is introduced extraction tool presented in [58] demonstrates
for botnet detection in highly imbalanced network traffic effectiveness in filtering and identifying various types of
data in a Smart Home Network (SHN) environment. The network traffic.
SRNN model utilizes multiple layers of RNN to learn
hierarchical representations of the imbalanced network Other advancements in intrusion detection for network
traffic data, leading to better representation learning and traffic classification in IoT include the DL-based IDS
improved generalization ability. framework proposed in [50], which utilizes a fog-cloud
architecture to address computation and latency
The proposed models for botnet detection in network challenges. This framework demonstrates efficacy, reduced
traffic classification in IoT offer several strengths. The deep network latency, and improved detection capability.
autoencoder-based anomaly detection solution in [5] Furthermore, the federated blending model-driven IDS
demonstrates high accuracy and robustness in detecting framework (F-BIDS) presented in [4] offers improved
botnet attacks. It can effectively identify new or unknown classification performance and reduced privacy risk
threats, which is crucial in IoT environments where through federated learning, addressing privacy concerns
traditional signature-based systems may fall short. The associated with centralized learning. The introduction of
SRNN model in [39] outperforms traditional RNN models, logarithmic neurons and the logarithmic neural network
exhibiting better representation learning and robustness (LOGNN) in [55] shows promising results in intrusion
against overfitting. It excels in detecting network traffic detection, outperforming traditional deep learning and
samples from minority classes with high imbalance ratios, machine learning algorithms.
making it suitable for securing Smart Home Networks
against complex botnet attacks. The customized feed-forward neural network introduced in
[14] incorporates concepts like network embedding and
Despite their strengths, the proposed models also have transfer learning to enhance its performance. The RKCNN-
certain limitations. The deep autoencoder-based anomaly MMBO model, comprising a kernel classifier and a DL-
detection solution in [5] may be vulnerable to adversarial classifier, is employed for classification in the IoT intrusion
machine learning techniques, which could potentially evade detection mechanism (IDM) showcased in [37].
the detection system. Additionally, it may not detect Additionally, the PB-DID (Packet-Based Intrusion
internal attacks that occur beyond the gateway level in IoT Detection) approach presented in [60] addresses imbalance
networks, limiting its scope. The SRNN model in [39] has and overfitting issues in public datasets by combining
longer training and response times compared to other standard flow, TCP, and other features. The Deep Feature
machine learning and deep learning models, although this Extraction (DFE) method described in focuses on
trade-off is considered insignificant given the large number extracting more information from input data using 2D
of network traffic samples. convolutions and permutations.

5.6 Intrusion Detection The proposed models for intrusion detection in network
traffic classification in IoT offer several strengths. The
Intrusion detection by network traffic classification in IoT
MEMBER framework in [25] captures comprehensive and
involves utilizing deep learning techniques to identify and
robust feature representations, leading to improved
detect potential security breaches or unauthorized
generalization ability. The HetIoT-CNN IDS in [31] is
activities within IoT networks. Deep learning models are
lightweight, efficient in terms of time, and less complex,
trained on large amounts of network traffic data to learn
making it suitable for resource-constrained IoT
patterns and behaviors associated with normal and
environments. The IoT intrusion detection system in [58]
malicious network activity. This approach is crucial for IoT
shows effectiveness in detecting intrusions and can be
security as it enables real-time monitoring and proactive
further enhanced by exploring different deep learning
identification of anomalies, helping to protect IoT devices,
models with varied architectures. The customized feed-
networks, and sensitive data from cyber threats.
forward neural network in [14] leverages network
Several models have been proposed to detect and classify embedding and transfer learning techniques, which
intrusions in IoT networks based on network traffic. The enhance its ability to capture relevant features and improve
MEMBER framework proposed in [25] leverages multi-task classification accuracy. The RKCNN-MMBO model in [37]
learning for intrusion detection in imbalanced network combines kernel and DL-classifiers, enabling effective
scenarios. By combining statistical and packet content classification after preprocessing. The PB-DID approach in
features, the model captures rich representations and [60] addresses imbalance and overfitting issues in public
exhibits improved generalization ability. The inclusion of a datasets, reducing the number of features required for
memory module and attention mechanisms further identifying malicious traffic. The DFE method in [9]
enhances its performance. In the HetIoT (Heterogeneous enhances classification accuracy by extracting more
Internet of Things) environment, the HetIoT-CNN IDS, a information from input data while minimizing the
deep learning-based CNN, is proposed in [31]. This IDS computational requirements, making it suitable for real-
demonstrates high accuracy in detecting benign and DDoS time intrusion detection in IoT devices with limited
processing capabilities.
While the proposed models demonstrate strengths, they Multiple models have been proposed for zero-day attack
also have certain limitations. The MEMBER framework in detection in IoT networks through network traffic
[25] requires further research to detect multi-stage attacks classification. The intrusion detection framework
with long time spans and address the impact of highly introduced in [41] utilizes transfer learning and model
stealthy stealing attacks and adversarial attacks on model refinement techniques to improve detection accuracy in
performance and robustness. The HetIoT-CNN IDS in [31] limited and imbalanced datasets. The ADRIoT framework
focuses on a specific environment and should explore presented in [26]adopts an edge-assisted architecture and
additional models, such as Recurrent Neural Networks incorporates a multiedge collaborative mechanism to
(RNN), for detecting and predicting DDoS attacks. The IoT enable prompt detection of IoT-based attacks.
intrusion detection system in [58] would benefit from
expanding the dataset to include other IoT protocols, such The proposed models offer several strengths in the context
as the MQTT protocol, for comprehensive intrusion of zero-day attack detection in network traffic classification
detection coverage. The customized feed-forward neural in IoT. The intrusion detection framework in [41]
network in [14] demonstrates subpar performance in demonstrates excellent accuracy and low false positive
classifying specific attack subcategories, highlighting the rates, even for novel zero-day attack families. The
need for further improvement. The IDM utilizing the utilization of transfer learning and network fine-tuning
RKCNN-MMBO model in [37] requires reliability testing improves detection rates and outperforms previous deep
against severe attacks to ensure robust intrusion detection learning-based intrusion detection systems. The ADRIoT
capabilities. The PB-DID approach in [60], although framework in [26] leverages an edge-assisted architecture,
effective in addressing imbalance and overfitting, should enabling the anomaly detection module to run closer to the
explore the generalization of its methodology to diverse IoT data source for real-time detection. The incorporation of a
environments and datasets. The DFE method in [9] could multiedge collaborative mechanism enhances the resource
benefit from additional research to enhance the utilization on the edge, supporting efficient and effective
classification of minority classes by optimizing the detection of a wide range of IoT-based attacks.
permutation process.
Despite their strengths, the proposed models also face
To advance intrusion detection in IoT networks through certain limitations. The intrusion detection framework in
network traffic classification, several areas warrant further [41] primarily focuses on IoT network traffic from the
exploration. The proposed models can be enhanced by UNSW-NB15 dataset, necessitating further evaluation on
incorporating long-short term memory networks to real data from diverse IoT networks. Future research
leverage timestamp information and header fields for should extend the framework to detect other types of zero-
differentiating attack subcategories [14]. Reliability day attacks and assess its performance on lightweight IoT
measurement against severe attacks and accuracy devices with real IoT network traffic. The ADRIoT
evaluation of DL techniques can be conducted to strengthen framework in [26] relies on unsupervised anomaly
the IDM utilizing the RKCNN-MMBO model [37]. Future detection, which may limit its ability to detect novel zero-
work should also focus on extending the applicability of the day attacks with high accuracy. Additional research is
PB-DID approach to a wider range of IoT environments and needed to enhance the framework's capability to handle
expanding the dataset coverage to include additional IoT emerging and sophisticated zero-day attack patterns.
protocols [60]. For the DFE method [9], future research can
To advance zero-day attack detection in IoT networks
concentrate on optimizing the permutation process as an
through network traffic classification, several areas warrant
optimization problem, enabling improved classification of
further exploration. The intrusion detection framework
minority classes.
proposed in [41] can be extended to incorporate real data
5.7 Zero-Day Attack Detection from IoT networks, allowing for a more comprehensive
evaluation of its effectiveness and robustness. Future work
Zero-day attack detection by network traffic classification should also focus on enhancing the framework's ability to
in IoT involves identifying and mitigating previously detect diverse zero-day attack types, addressing the
unknown or undisclosed vulnerabilities and attack challenges posed by lightweight IoT devices, and exploring
techniques that exploit these vulnerabilities. Unlike techniques for handling real-time IoT network traffic. In the
traditional intrusion detection systems that rely on known case of the ADRIoT framework [26], future research should
attack patterns, zero-day attack detection employs consider incorporating supervised learning methods to
advanced machine learning algorithms to analyze network improve the accuracy of zero-day attack detection and
traffic data and identify anomalous behavior that may further refine the collaborative mechanism to optimize
indicate a new or unknown attack. This approach is crucial resource utilization on the edge.
for IoT security as it provides an additional layer of defense
against emerging threats, ensuring the timely detection and
prevention of attacks that could exploit vulnerabilities that 6 CONCLUSIONS AND FUTURE DIRECTIONS
have not yet been patched or addressed by security Advancements in network traffic classification for IoT using
updates. By proactively identifying and mitigating zero-day deep learning techniques have shown promising results in
attacks, organizations can significantly reduce the potential various areas, including application awareness, accuracy
damage caused by these advanced threats and safeguard improvement, malicious traffic detection, anomaly
their IoT infrastructure and sensitive data. detection, botnet detection, intrusion detection, and zero-
day attack detection. These advancements have brought To overcome these limitations and further enhance
several strengths to the field. For instance, models such as network traffic classification in IoT environments, future
CSCNN, ByteSGAN, deep transfer learning, TSCRNN, GLADS, research efforts should focus on exploring additional
DF model, and others demonstrate superior performance, techniques. Recurrent neural networks, reinforcement
versatility, and fast detection speed. They exhibit strengths learning, transfer learning, federated learning, parallel
like effective feature extraction, robustness in handling processing, real-time anomaly detection, high-performance
encrypted traffic, enhanced trustworthiness, and improved computing, and supervised learning for labeling anomalies
representation learning. are some of the directions that should be pursued.
Additionally, refinement of models, exploration of new
However, these models also face certain limitations that architectures and techniques, expansion of datasets,
need to be addressed. Computation complexity, addressing privacy and explainability concerns,
convergence speed, GAN training challenges, unbalanced differentiation of attack subcategories, reliability testing,
traffic types, limited labeled data, unbalanced traffic generalization to diverse environments, optimization of
datasets, real-world validation, handling zero-day classification for minority classes, and evaluation on real
applications, inference time, optimization requirements, IoT network data are key areas for future research. By
and computational complexities are some of the addressing these limitations and pursuing these avenues of
weaknesses associated with these models. Furthermore, research, advancements in network traffic classification in
vulnerabilities to adversarial machine learning techniques, IoT using deep learning techniques can lead to improved
limited detection scope, longer training and response times, security, privacy, trustworthiness, and defense against
and challenges in handling multi-stage attacks and various threats and vulnerabilities.
adversarial attacks are additional limitations.

Fog-Enabled Dense Deployed IoT Networks.

REFERENCES Journal of Electrical Engineering and Technology
(May 2022).
[1] Mahmoud Abbasi, Amin Shahraki, and Amir
DOI:https://doi.org/10.1007/s42835-022-01314-
Taherkordi. 2021. Deep Learning for Network
w
Traffic Monitoring and Analysis (NTMA): A Survey.
Computer Communications 170, 19–41. [7] Lerina Aversano, Mario Luca Bernardi, Marta
DOI:https://doi.org/10.1016/j.comcom.2021.01.0 Cimitile, and Riccardo Pecori. 2021. Anomaly
21 Detection of actual IoT traffic flows through Deep
Learning. In Proceedings - 20th IEEE International
[2] Qasem Abu Al-Haija and Saleh Zein-Sabatto. 2020.
Conference on Machine Learning and Applications,
An efficient deep-learning-based detection and
ICMLA 2021, Institute of Electrical and Electronics
classification system for cyber-attacks in iot
Engineers Inc., 1736–1741.
communication networks. Electronics
DOI:https://doi.org/10.1109/ICMLA52953.2021.
(Switzerland) 9, 12 (December 2020), 1–26.
00275
DOI:https://doi.org/10.3390/electronics9122152
[8] Ahmad Azab, Mahmoud Khasawneh, Saed
[3] Abdullah Alsaedi, Nour Moustafa, Zahir Tari,
Alrabaee, Kim-Kwang Raymond Choo, and Maysa
Abdun Mahmood, and Adna N Anwar. 2020. TON-
Sarsour. 2022. Network traffic classification:
IoT telemetry dataset: A new generation dataset
Techniques, datasets, and challenges. Digital
of IoT and IIoT for data-driven intrusion detection
Communications and Networks (September 2022).
systems. IEEE Access 8, (2020), 165130–165150.
DOI:https://doi.org/10.1016/j.dcan.2022.09.009
DOI:https://doi.org/10.1109/ACCESS.2020.3022
862 [9] Amir Basati and Mohammad Mehdi Faghih. 2022.
DFE: efficient IoT network intrusion detection
[4] Ons Aouedi and Kandaraj Piamrat. 2023. F-BIDS:
using deep feature extraction. Neural Comput Appl
Federated-Blending based Intrusion Detection
34, 18 (September 2022), 15175–15195.
System. Pervasive Mob Comput 89, (February
DOI:https://doi.org/10.1007/s00521-021-06826-
2023).
6
DOI:https://doi.org/10.1016/j.pmcj.2023.101750
[10] G Bendiab, S Shiaeles, A Alruban, and N
[5] Ioana Apostol, Marius Preda, Constantin Nila, and
Kolokotronis. 2020. IoT Malware Network Traffic
Ion Bica. 2021. Iot botnet anomaly detection using
Classification using Visual Representation and
unsupervised deep learning. Electronics
Deep Learning. In 2020 6th IEEE Conference on
(Switzerland) 10, 16 (August 2021).
Network Softwarization (NetSoft), 444–449.
DOI:https://doi.org/10.3390/electronics1016187
DOI:https://doi.org/10.1109/NetSoft48620.2020.
6
9165381
[6] Abdelhamied A. Ateya, Naglaa F. Soliman, Reem
[11] Jianbang Dai, Xiaolong Xu, and Fu Xiao. 2023.
Alkanhel, Amel A. Alhussan, Ammar Muthanna,
GLADS: A global-local attention data selection
and Andrey Koucheryavy. 2022. Lightweight Deep
model for multimodal multitask encrypted traffic
Learning-Based Model for Traffic Prediction in
 classification of IoT. Computer Networks 225, [20] Ren Hung Hwang, Min Chun Peng, Chien Wei
(April 2023), 109652. Huang, Po Ching Lin, and Van Linh Nguyen. 2020.
DOI:https://doi.org/10.1016/j.comnet.2023.1096 An Unsupervised Deep Learning Model for Early
52 Network Traffic Anomaly Detection. IEEE Access 8,
(2020), 30387–30399.
[12] Li Deng and Dong Yu. 2014. Deep Learning: DOI:https://doi.org/10.1109/ACCESS.2020.2973
Methods and Applications. Foundations and 023
Trends® in Signal Processing 7, 3–4 (2014), 197–
387. DOI:https://doi.org/10.1561/2000000039 [21] V. Kanimozhi and T. Prem Jacob. 2023. The Top
Ten Artificial Intelligence-Deep Neural Networks
[13] Omar Elnakib, Eman Shaaban, Mohamed for IoT Intrusion Detection System. Wirel Pers
Mahmoud, and Karim Emara. 2023. EIDM: deep Commun (March 2023).
learning model for IoT intrusion detection DOI:https://doi.org/10.1007/s11277-023-10198-
systems. Journal of Supercomputing (2023). 6
DOI:https://doi.org/10.1007/s11227-023-05197-
0 [22] Michal Konopa, Jan Fesl, and Jan Janecek. 2020.
Promising new Techniques for Computer Network
[14] Mengmeng Ge, Naeem Firdous Syed, Xiping Fu, Traffic Classification: A Survey. In 2020 10th
Zubair Baig, and Antonio Robles-Kelly. 2021. International Conference on Advanced Computer
Towards a deep learning-driven intrusion Information Technologies, ACIT 2020 - Proceedings,
detection approach for Internet of Things. Institute of Electrical and Electronics Engineers
Computer Networks 186, (February 2021). Inc., 418–421.
DOI:https://doi.org/10.1016/j.comnet.2020.1077 DOI:https://doi.org/10.1109/ACIT49673.2020.92
84 08995
[15] Jianfeng Guan, Junxian Cai, Haozhe Bai, and Ilsun [23] John R Koza, Forrest H Bennett, David Andre, and
You. 2021. Deep transfer learning-based network Martin A Keane. 1996. Automated Design of Both
traffic classification for scarce dataset in 5G IoT the Topology and Sizing of Analog Electrical
systems. International Journal of Machine Learning Circuits Using Genetic Programming. In Artificial
and Cybernetics 12, 11 (November 2021), 3351– Intelligence in Design ’96, John S Gero and Fay
3365. DOI:https://doi.org/10.1007/s13042-021- Sudweeks (eds.). Springer Netherlands, Dordrecht,
01415-4 151–170. DOI:https://doi.org/10.1007/978-94-
009-0279-4_9
[16] Jordan Holland, Paul Schmitt, Prateek Mittal, and
Nick Feamster. 2022. Towards Reproducible [24] Rakesh Kumar, Mayank Swarnkar, Gaurav Singal,
Network Traffic Analysis. (March 2022). Retrieved and Neeraj Kumar. 2022. IoT Network Traffic
from http://arxiv.org/abs/2203.12410 Classification Using Machine Learning Algorithms:
An Experimental Analysis. IEEE Internet Things J 9,
[17] Nan Hu, Fangjun Luan, Xiaoxi Tian, and
2 (January 2022), 989–1008.
Chengdong Wu. 2020. A Novel SDN-Based
DOI:https://doi.org/10.1109/JIOT.2021.3121517
Application-Awareness Mechanism by Using Deep
Learning. IEEE Access 8, (2020), 160921–160930. [25] Jinghong Lan, Xudong Liu, Bo Li, Jie Sun, Beibei Li,
DOI:https://doi.org/10.1109/ACCESS.2020.3021 and Jun Zhao. 2022. MEMBER: A multi-task
185 learning model with hybrid deep features for
network intrusion detection. Comput Secur 123,
[18] Xiaoyan Hu, Cheng Zhu, Guang Cheng, Ruidong Li,
(December 2022).
Hua Wu, and Jian Gong. 2023. A Deep Subdomain
DOI:https://doi.org/10.1016/j.cose.2022.102919
Adaptation Network With Attention Mechanism
for Malware Variant Traffic Identification at an IoT [26] Ruoyu Li, Qing Li, Jianer Zhou, and Yong Jiang.
Edge Gateway. IEEE Internet Things J 10, 5 (March 2022. ADRIoT: An Edge-Assisted Anomaly
2023), 3814–3826. Detection Framework Against IoT-Based Network
DOI:https://doi.org/10.1109/JIOT.2022.3160755 Attacks. IEEE Internet Things J 9, 13 (July 2022),
10576–10587.
[19] Xiaoyi Hu, Jinhui Ning, Jie Yin, Jie Yang, Bamidele
DOI:https://doi.org/10.1109/JIOT.2021.3122148
Adebisi, and Haris Gacanin. 2022. Efficient
Malicious Traffic Classification Methods based on [27] Kunda Lin, Xiaolong Xu, and Honghao Gao. 2021.
Semi-supervised Learning. In Proceedings - 2022 TSCRNN: A novel classification scheme of
9th International Conference on Dependable encrypted traffic based on flow spatiotemporal
Systems and Their Applications, DSA 2022, Institute features for efficient management of IIoT.
of Electrical and Electronics Engineers Inc., 230– Computer Networks 190, (May 2021).
235. DOI:https://doi.org/10.1016/j.comnet.2021.1079
DOI:https://doi.org/10.1109/DSA56465.2022.00 74
039
[28] Shuhe Liu, Xiaolin Xu, Yongzheng Zhang, and 2022. Intrusion Detection Model for IoT Using
Yipeng Wang. 2022. Autonomous Anti - Recurrent Kernel Convolutional Neural Network.
interference Identification of textIoT Device Wirel Pers Commun (March 2022).
Traffic based on Convolutional Neural Network. In DOI:https://doi.org/10.1007/s11277-022-10155-
Proceedings of the International Joint Conference 9
on Neural Networks, Institute of Electrical and
Electronics Engineers Inc. [38] Eva Papadogiannaki and Sotiris Ioannidis. 2021. A
DOI:https://doi.org/10.1109/IJCNN55064.2022.9 Survey on Encrypted Network Traffic Analysis
891943 Applications, Techniques, and Countermeasures.
ACM Computing Surveys 54.
[29] Min Lu, Bin Zhou, and Zhiyong Bu. 2023. Two- DOI:https://doi.org/10.1145/3457904
Stage Distillation-Aware Compressed Models for
Traffic Classification. IEEE Internet Things J [39] Segun I. Popoola, Bamidele Adebisi, Mohammad
(2023). Hammoudeh, Haris Gacanin, and Guan Gui. 2021.
DOI:https://doi.org/10.1109/JIOT.2023.3263487 Stacked recurrent neural network for botnet
detection in smart homes. Computers and
[30] Min Lu, Bin Zhou, Zhiyong Bu, and Yu Zhao. 2022. Electrical Engineering 92, (June 2021).
Lightweight Models for Traffic Classification: A DOI:https://doi.org/10.1016/j.compeleceng.2021
Two-Step Distillation Approach. In IEEE .107039
International Conference on Communications,
Institute of Electrical and Electronics Engineers [40] Mustafizur Rahman Shahid. Deep learning for
Inc., 2108–2113. Internet of Things (IoT) network security.
DOI:https://doi.org/10.1109/ICC45855.2022.983 Retrieved from https://theses.hal.science/tel-
9130 03193266

[31] Shalaka Mahadik, Pranav M. Pawar, and Raja [41] Eva Rodríguez, Pol Valls, Beatriz Otero, Juan Jose
Muthalagu. 2023. Efficient Intelligent Intrusion Costa, Javier Verdu, Manuel Alejandro Pajuelo, and
Detection System for Heterogeneous Internet of Ramon Canal. 2022. Transfer-Learning-Based
Things (HetIoT). Journal of Network and Systems Intrusion Detection Framework in IoT Networks.
Management 31, 1 (March 2023). Sensors 22, 15 (August 2022).
DOI:https://doi.org/10.1007/s10922-022-09697- DOI:https://doi.org/10.3390/s22155621
x
[42] Miraqa Safi, Sajjad Dadkhah, Farzaneh Shoeleh,
[32] Matthew Dicks, Jonathan Tooke, and Shane Weisz. Hassan Mahdikhani, Heather Molyneaux, and Ali
2020. Review of Deep Learning Approaches to A. Ghorbani. 2022. A Survey on IoT Profiling,
Network Traffic Classification for Community Fingerprinting, and Identification. ACM
Networks. Retrieved June 3, 2023 from Transactions on Internet of Things 3, 4 (September
https://projects.cs.uct.ac.za/honsproj/2020/ 2022). DOI:https://doi.org/10.1145/3539736

[33] Nour Moustafa and Jill Slay. UNSW-NB15: A [43] Afef Saidi, Slim Ben Othman, Meriam Dhouibi, and
Comprehensive Data set for Network Intrusion Slim Ben Saoud. 2021. FPGA-based
Detection systems (UNSW-NB15 Network Data Set). implementation of classification techniques: A
Retrieved from https://cve.mitre.org/ survey. Integration 81, 280–299.
DOI:https://doi.org/10.1016/j.vlsi.2021.08.004
[34] Jinhui Ning, Guan Gui, Yu Wang, Jie Yang, Bamidele
Adebisi, Song Ci, Haris Gacanin, and Fumiyuki [44] Ola Salman, Imad H. Elhajj, Ali Chehab, and Ayman
Adachi. 2022. Malware Traffic Classification Using Kayssi. 2022. Towards efficient real-time traffic
Domain Adaptation and Ladder Network for classifier: A confidence measure with ensemble
Secure Industrial Internet of Things. IEEE Internet Deep Learning. Computer Networks 204,
Things J 9, 18 (September 2022), 17058–17069. (February 2022).
DOI:https://doi.org/10.1109/JIOT.2021.3131981 DOI:https://doi.org/10.1016/j.comnet.2021.1086
84
[35] Mehrnoosh Nobakht, Reza Javidan, and Alireza
Pourebrahimi. 2022. DEMD-IoT: a deep ensemble [45] Iqbal H. Sarker, Asif Irshad Khan, Yoosef B.
model for IoT malware detection using CNNs and Abushark, and Fawaz Alsolami. 2022. Internet of
network traffic. Evolving Systems (June 2022). Things (IoT) Security Intelligence: A
DOI:https://doi.org/10.1007/s12530-022-09471- Comprehensive Overview, Machine Learning
z Solutions and Research Directions. Mobile
Networks and Applications (2022).
[36] Nour Moustafa. 2019. The Bot-IoT dataset. IEEE DOI:https://doi.org/10.1007/s11036-022-01937-
Dataport. 3

[37] C. U. Om Kumar, Suguna Marappan, Bhavadharini [46] Hannes Schulz and Sven Behnke. 2012. Deep
Murugeshan, and V. Mercy Rajaselvi Beaulah. Learning. KI - Künstliche Intelligenz 26, 4 (2012),
 357–363. DOI:https://doi.org/10.1007/s13218- Y) 617, (December 2022), 133–149.
012-0198-z DOI:https://doi.org/10.1016/j.ins.2022.10.060

[47] Mhd Saeed Sharif and Mina Moein. 2021. An [54] Pan Wang, Zixuan Wang, Feng Ye, and Xuejiao
Effective Cost-Sensitive Convolutional Neural Chen. 2021. ByteSGAN: A semi-supervised
Network for Network Traffic Classification. In Generative Adversarial Network for encrypted
2021 International Conference on Innovation and traffic classification in SDN Edge Gateway.
Intelligence for Informatics, Computing, and Computer Networks 200, (December 2021).
Technologies, 3ICT 2021, Institute of Electrical and DOI:https://doi.org/10.1016/j.comnet.2021.1085
Electronics Engineers Inc., 40–45. 35
DOI:https://doi.org/10.1109/3ICT53449.2021.95
81789 [55] Zhendong Wang, Zhenyu Xu, Daojing He, and
Sammy Chan. 2021. Deep logarithmic neural
[48] Manish Snehi and Abhinav Bhandari. 2022. A network for Internet intrusion detection. Soft
Novel Distributed Stack Ensembled Meta- comput 25, 15 (August 2021), 10129–10152.
Learning-Based Optimized Classification DOI:https://doi.org/10.1007/s00500-021-05987-
Framework for Real-time Prolific IoT Traffic 9
Streams. Arab J Sci Eng 47, 8 (August 2022), 9907–
9930. DOI:https://doi.org/10.1007/s13369-021- [56] Liu Xin, Liu Ziang, Zhang Yingli, Zhang Wenqiang,
06472-z Lv Dong, and Zhou Qingguo. 2022. TCN enhanced
novel malicious traffic detection for IoT devices.
[49] Fanhua Song, Donghong Qin, and Chen Xu. 2022. A Conn Sci 34, 1 (2022), 1322–1341.
Survey of Application of Artificial Intelligence DOI:https://doi.org/10.1080/09540091.2022.20
Methods in SDN. In 2022 2nd IEEE International 67124
Conference on Software Engineering and Artificial
Intelligence, SEAI 2022, Institute of Electrical and [57] Xiaodan Yan, Yang Xu, Xiaofei Xing, Baojiang Cui,
Electronics Engineers Inc., 237–242. Zihao Guo, and Taibiao Guo. 2020. Trustworthy
DOI:https://doi.org/10.1109/SEAI55746.2022.98 Network Anomaly Detection Based on an Adaptive
32340 Learning Rate and Momentum in IIoT. IEEE Trans
Industr Inform 16, 9 (September 2020), 6182–
[50] Naeem Firdous Syed, Mengmeng Ge, and Zubair 6192.
Baig. 2023. Fog-cloud based intrusion detection DOI:https://doi.org/10.1109/TII.2020.2975227
system using Recurrent Neural Networks and
feature selection for IoT networks. Computer [58] Jianbin Ye and Bo Liu. 2022. A deep learning-
Networks 225, (April 2023). based system for IoT intrusion detection. SPIE-Intl
DOI:https://doi.org/10.1016/j.comnet.2023.1096 Soc Optical Eng, 72.
62 DOI:https://doi.org/10.1117/12.2639322

[51] Ankit Thakkar and Ritika Lohiya. 2021. A Review [59] Tao Yi, Xingshu Chen, Yi Zhu, Weijing Ge, and
on Machine Learning and Deep Learning Zhenhui Han. 2023. Review on the application of
Perspectives of IDS for IoT: Recent Updates, deep learning in network attack detection. Journal
Security Issues, and Challenges. Archives of of Network and Computer Applications 212.
Computational Methods in Engineering 28, 4 (June DOI:https://doi.org/10.1016/j.jnca.2022.103580
2021), 3211–3243.
[60] Muhammad Zeeshan, Qaiser Riaz, Muhammad
DOI:https://doi.org/10.1007/s11831-020-09496-
Ahmad Bilal, Muhammad K. Shahzad, Hajira
0
Jabeen, Syed Ali Haider, and Azizur Rahim. 2022.
[52] Daravichet Tin, Maryam Shahpasand, Hassan Protocol-Based Deep Intrusion Detection for DoS
Habibi Gharakheili, and Gustavo Batista. 2022. and DDoS Attacks Using UNSW-NB15 and Bot-IoT
Classifying Time-Series of IoT Flow Activity using Data-Sets. IEEE Access 10, (2022), 2269–2283.
Deep Learning and Intransitive Features. In DOI:https://doi.org/10.1109/ACCESS.2021.3137
International Conference on Software, Knowledge 201
Information, Industrial Management and
[61] Shizhou Zhu, Xiaolong Xu, Honghao Gao, and Fu
Applications, SKIMA, Institute of Electrical and
Xiao. 2023. CMTSNN: A deep learning model for
Electronics Engineers Inc., 192–197.
multi-classification of abnormal and encrypted
DOI:https://doi.org/10.1109/SKIMA57145.2022.
traffic of Internet of Things. IEEE Internet Things J
10029420
(2023).
[53] Jun Wang, Hanlei Jin, Junxiao Chen, Jinghua Tan, DOI:https://doi.org/10.1109/JIOT.2023.3244544
and Kaiyang Zhong. 2022. Anomaly detection in
[62] 2023. OT/IoT Security Report A Deep Look Into the
Internet of medical Things with Blockchain from
ICS Threat Landscape - 2022 2H Review.
the perspective of deep neural network. Inf Sci (N