A Critical Review of Artificial Intelligence Based Approaches in Intrusion Detection: A Comprehensive Analysis

Intrusion detection (ID) is critical in securing computer networks against various malicious attacks. Recent advancements in machine learning (ML), deep learning (DL), federated learning (FL), and explainable artificial intelligence (XAI) have drawn significant attention as potential approaches for ID. DL-based approaches have shown impressive performance in ID by automatically learning relevant features from data, but they require significant labelled data and computational resources to train complex models. ML-based approaches require fewer computational resources and less labelled data, but their ability to generalize to unseen data is limited. FL is a relatively new approach that enables multiple entities to train a model collectively without exchanging their data, providing privacy and security benefits that make it an attractive option for ID. However, FL-based approaches require more communication resources and additional computation to aggregate models from different entities. XAI is critical for understanding how AI models make decisions, improving interpretability and transparency. While existing literature has explored the strengths and weaknesses of DL, ML, FL, and XAI-based approaches for ID, a significant gap exists in providing a comprehensive analysis of the specific use cases and scenarios where each approach is most suitable. This paper seeks to fill this void by delivering an in-depth review that not only highlights strengths and weaknesses but also offers guidance for selecting the appropriate approach based on the unique ID context and available resources. The selection of an appropriate approach depends on the specific use case, and this work provides insights into which method is best suited for various network sizes, data availability, privacy, and security concerns, thus aiding practitioners in making informed decisions for their ID needs.


Introduction
Intrusion detection is the monitoring of a computer system or network for malicious activity, such as unauthorized access, misuse, or modification of system resources. ID aims to detect such activity in real time or near real time and to take suitable action to protect against further loss or data forfeiture.
Intrusion detection systems (IDS) are designed to analyze system and network activity to identify suspicious patterns that may indicate an attack is underway. These systems can be host- or network-based and may use approaches like signature-based identification, anomaly-based identification, or behaviour-based detection to recognize potential risks. Once an intrusion is detected, the IDS can alert security personnel or automated response mechanisms, such as firewalls or other security systems, to take appropriate action to contain or mitigate the attack. ID is an essential part of a comprehensive security method and can help organizations detect and respond to security incidents promptly and efficiently. ID is a significant aspect of cybersecurity that can be addressed with the help of technology [1,2].
Integrating technology and the Internet into all aspects of life has revolutionized how people live and work. It has created new opportunities for remote work, online learning, and seamless communication. However, with the convenience of technology comes the risk of security threats, such as hacking, cyberattacks, and data breaches. It is crucial to protect personal and sensitive information and stay safe online. This includes being cautious of phishing scams, using strong passwords, and keeping software up to date. Regular education on cyber security risks and best practices is also essential. Identifying and detecting network threats and cyber-attacks is crucial in preventing them. This involves staying informed about the latest security risks and being vigilant for signs of suspicious activity. Some common indicators of a cyber-attack include unusual pop-ups or error messages, slow performance of the computer or network, unusual network traffic, unauthorized changes to files or settings, and suspicious emails or attachments [3,4].
Regular security assessments and testing can also help identify vulnerabilities in a network before attackers exploit them. Cyber security protects sensitive information from being stolen, altered, or misused. Common threats include phishing scams, malware, ransomware, and hacking. Individuals and organizations should regularly update their software, use strong passwords, and educate themselves about the latest security risks to stay safe online. Implementing multi-factor authentication and firewalls, and regularly backing up data, can also help prevent cyber-attacks [5].
An IDS is an essential part of a comprehensive security solution, as it helps to identify security threats in real time and respond to them quickly. It can be either network-based or host-based, depending on where it is deployed in the network. A network-based IDS (NIDS) monitors network traffic for signs of intrusion and operates at the network layer. A host-based IDS (HID) is installed on individual hosts and monitors events on that specific host for signs of intrusion. An IDS can operate in two modes: signature-based detection, which uses pre-defined rules to identify known threats, and anomaly-based detection, which uses ML algorithms to identify deviations from normal network behaviour and flag potential intrusions [6].
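The two IDS modes just described, as an added example that is not part of the paper: a signature rule set matched against flow payloads next to a learned per-port baseline of bytes per flow with a 3-sigma anomaly threshold. The flows, the two byte patterns in the rule set and the port baselines are all constructed placeholders, and the "known attack", "large transfer" and "unseen port" probes illustrate that each mode catches what the other misses.

```python
import statistics
from dataclasses import dataclass


@dataclass
class Flow:
    """One network flow record (constructed for this example)."""
    src: str
    dst: str
    dport: int
    n_bytes: int
    payload: bytes


# Signature-based mode: a rule set of known-bad byte patterns.
# Hypothetical placeholder patterns, not a real rule set.
SIGNATURES = {
    "shell-probe": b"/bin/sh",
    "sqli-tautology": b"' OR 1=1--",
}


def signature_detect(flow):
    """Return the names of every known signature found in the flow payload."""
    return [name for name, pattern in SIGNATURES.items() if pattern in flow.payload]


def fit_baseline(flows):
    """Anomaly-based mode, learning step: per destination port, the mean and
    population standard deviation of bytes per flow seen during normal operation."""
    by_port = {}
    for f in flows:
        by_port.setdefault(f.dport, []).append(f.n_bytes)
    return {port: (statistics.mean(v), statistics.pstdev(v)) for port, v in by_port.items()}


def anomaly_score(flow, baseline):
    """Distance, in standard deviations, of this flow's size from the learned norm
    for its port. A port never seen during training is maximally anomalous."""
    if flow.dport not in baseline:
        return float("inf")
    mean, sd = baseline[flow.dport]
    if sd == 0.0:
        return 0.0 if flow.n_bytes == mean else float("inf")
    return abs(flow.n_bytes - mean) / sd


def anomaly_detect(flow, baseline, threshold=3.0):
    """Flag the flow when its score exceeds the threshold (3 sigma here)."""
    return anomaly_score(flow, baseline) > threshold


# Constructed training traffic: HTTPS flows of roughly 1 KB and DNS flows of ~90 bytes.
TRAINING_FLOWS = [
    Flow("10.0.0.5", "10.0.1.10", 443, size, b"GET / HTTP/1.1")
    for size in (1000, 1100, 1050, 950, 1000, 1100, 1050, 950)
] + [
    Flow("10.0.0.5", "10.0.1.53", 53, size, b"\x00\x01") for size in (90, 100, 80, 90)
]
BASELINE = fit_baseline(TRAINING_FLOWS)

# Constructed probe flows covering the cases discussed in the text.
KNOWN_ATTACK = Flow("10.0.0.9", "10.0.1.10", 443, 1000, b"GET /cgi?cmd=/bin/sh HTTP/1.1")
LARGE_TRANSFER = Flow("10.0.0.5", "10.0.1.10", 443, 50000, b"GET /dump HTTP/1.1")
UNSEEN_PORT = Flow("10.0.0.5", "10.0.1.10", 4444, 100, b"hello")


def classify(flow, baseline=BASELINE):
    """Combine both modes: report signature hits and the anomaly verdict."""
    return {"signatures": signature_detect(flow), "anomalous": anomaly_detect(flow, baseline)}


if __name__ == "__main__":
    for name, f in (("known attack", KNOWN_ATTACK), ("large transfer", LARGE_TRANSFER),
                    ("unseen port", UNSEEN_PORT)):
        print(name, classify(f))
```

The known-attack probe has a perfectly normal size, so only the signature rule fires; the oversized transfer and the never-seen port match no rule and are caught only by the baseline. That asymmetry is why the two modes are usually deployed together.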
IDS design can be modelled as a feature selection problem and addressed with traditional classifiers. Meta-heuristic (MH) optimization algorithms are also used to tackle complex optimization problems in IDSs. These MH algorithms include particle swarm optimization (PSO) [20], the crow search algorithm (CSA) [21], the genetic algorithm (GA), the random harmony search algorithm, and the grey wolf optimizer (GWO) algorithm [22][23][24]. These algorithms have been applied to enhance the privacy and efficacy of IDSs by optimizing the selection of features used to make predictions [25][26][27]. Indeed, developing an IDS is a difficult and demanding task, as it requires a deep understanding of both benign and malicious activity in a network environment. Lab-based testing of IDS models can provide valuable insights into the efficiency and accuracy of the model. Still, it can also lead to overfitting, where the model is too closely optimized to the laboratory data and may not perform well in real-world environments. Therefore, validating the IDS model in a real-world environment is critical to ensuring its effectiveness. This can be done by deploying the model in a live network and monitoring its efficiency over time. This will provide a more accurate representation of the actual network environment and help to identify any weaknesses or limitations in the model. Furthermore, ongoing testing and updating of the model is necessary to keep pace with changing security threats and evolving network behaviour. DL has found numerous applications in image classification, object detection, and segmentation and has enabled advancements in areas such as facial recognition and autonomous vehicles, and in industries and fields including the medical sector, computer vision, finance, marketing and advertising, NLP, cybersecurity, and IDS [17,19,21].
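Feature selection by a meta-heuristic, as an added example that is not from the paper or any of the cited works: a genetic algorithm searches over feature masks, and the fitness of a mask is the held-out accuracy of a nearest-centroid classifier trained on those features, minus a small cost per selected feature. The data set is constructed (two informative features, four high-variance noise features) and the seed is fixed, so the run is reproducible.

```python
import random

rng = random.Random(7)  # fixed seed: the whole run is reproducible

N_FEATURES = 6
INFORMATIVE = (0, 1)   # constructed ground truth: only these two features carry signal


def make_dataset(n=200):
    """Constructed flow-feature records. Class 1 ('attack') shifts features 0 and 1;
    features 2-5 are high-variance noise, so including them hurts a distance-based classifier."""
    rows = []
    for i in range(n):
        label = i % 2
        x = [rng.gauss(0.0, 1.0) for _ in range(N_FEATURES)]
        if label == 1:
            x[0] += 3.0
            x[1] -= 3.0
        for j in range(2, N_FEATURES):
            x[j] *= 8.0
        rows.append((x, label))
    return rows


def nearest_centroid_accuracy(train, test, mask):
    """Train a nearest-centroid classifier on the masked features and score it on test."""
    feats = [j for j in range(N_FEATURES) if mask[j]]
    if not feats:
        return 0.0
    centroids = {}
    for c in (0, 1):
        pts = [x for x, y in train if y == c]
        centroids[c] = [sum(x[j] for x in pts) / len(pts) for j in feats]
    correct = 0
    for x, y in test:
        dist = {c: sum((x[j] - centroids[c][k]) ** 2 for k, j in enumerate(feats)) for c in (0, 1)}
        correct += int(min(dist, key=dist.get) == y)
    return correct / len(test)


def fitness(mask, train, test):
    """Wrapper objective: validation accuracy minus a small cost per selected feature."""
    return nearest_centroid_accuracy(train, test, mask) - 0.01 * sum(mask)


def ga_select(train, test, pop_size=20, generations=30, p_mut=0.1):
    """Genetic algorithm over feature masks: elitist selection, one-point crossover, bit-flip mutation."""
    pop = [[rng.randint(0, 1) for _ in range(N_FEATURES)] for _ in range(pop_size)]
    for _ in range(generations):
        ranked = sorted(pop, key=lambda m: fitness(m, train, test), reverse=True)
        elite = ranked[: pop_size // 2]                                  # survivors
        children = []
        while len(elite) + len(children) < pop_size:
            a, b = rng.sample(elite, 2)
            cut = rng.randint(1, N_FEATURES - 1)
            child = a[:cut] + b[cut:]                                    # crossover
            child = [bit ^ int(rng.random() < p_mut) for bit in child]  # mutation
            children.append(child)
        pop = elite + children
    best = max(pop, key=lambda m: fitness(m, train, test))
    return best, nearest_centroid_accuracy(train, test, best)


DATA = make_dataset()
TRAIN, TEST = DATA[:140], DATA[140:]
BEST_MASK, BEST_ACC = ga_select(TRAIN, TEST)
ALL_FEATURES_ACC = nearest_centroid_accuracy(TRAIN, TEST, [1] * N_FEATURES)

if __name__ == "__main__":
    print("selected features:", [j for j, bit in enumerate(BEST_MASK) if bit], "accuracy:", BEST_ACC)
    print("accuracy with all features:", ALL_FEATURES_ACC)
```

The per-feature cost in the fitness is what makes the search prefer the compact subset when two masks score the same accuracy; without it the GA has no reason to drop harmless but useless features, and the resulting model is larger and slower for no detection gain.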
Different CNN designs for application in IDS have been proposed. The network models of these designs differ in terms of depth and breadth, kind of convolutional operation, number and size of filters, type and size of pooling, the number of fully connected layers, and the environment in which they are applied. MobileNet, ResNet, NASNet, EfficientNet, MnasNet, and AlexNet are among the models described, all of which strive to improve the accuracy and efficiency of ID. These models were created based on research findings [22,24].
This study describes a proposed novel IDS model that combines DL and meta-heuristic optimization techniques. The model starts with efficient and simple feature extraction in the CNN model. It uses quite a few convolution blocks to extract useful features and is only employed during the extraction of features. The raw data is transformed into lower-dimensional representations using relevant characteristics, which the CNN learns using simple structures and efficient training methods. The fully connected layer of the CNN extracts key features and classifies the activity as malicious or not. Integrating the strengths of DL and meta-heuristic optimization methods, the proposed research work intends to enhance the accuracy and efficiency of IDSs [11,14,15]. Recently, machine learning and federated learning have played a vital role in IDS. ML refers to a subset of AI that allows computers to learn from information and enhance their performance without being explicitly programmed. In the context of ID, ML can be used to develop algorithms that automatically identify malicious activities and detect network intrusions. Machine learning techniques work by training models on large amounts of historical data and using these models to predict the likelihood of new events being benign or malicious. For example, a machine learning algorithm may learn to identify patterns of behavior that are indicative of an attacker attempting to exploit a vulnerability in a network. Once trained, the algorithm can be used to classify new data points and identify potential intrusions in real time.
Federated learning is a machine learning technique used in scenarios where data is distributed among multiple devices or organizations. In the context of ID, federated learning refers to a method where multiple devices or entities collaboratively train a machine learning model to detect and prevent network intrusions. Instead of centralizing all the data on a single server, federated learning distributes the model training process to multiple devices. Each device contributes its local data and trains a local model based on its data. The local models are then sent to a central server and combined into a global model. The central server aggregates the global model and sends it back to the devices for further training, and this process repeats iteratively.
Federated learning can be particularly useful in ID scenarios, where data privacy and security are crucial. By training the model locally, data is not sent to a central server, which can reduce the risk of data breaches and ensure data privacy. Moreover, by leveraging the data of multiple devices and organizations, federated learning can improve the accuracy of the ID model.
Intrusion detection systems are essential tools for detecting and preventing malicious activities in computer networks. Machine learning and federated learning [18] are two popular techniques widely used in IDS to improve their accuracy and efficiency. Machine learning algorithms can analyze large amounts of data and identify patterns and anomalies in network traffic to detect potential attacks. Federated learning, on the other hand, allows multiple parties to collaborate on building a model without sharing their data, improving privacy and data security. Both techniques have their strengths and weaknesses, and their effectiveness in IDS depends on various factors such as the availability and quality of data, computational resources, and security concerns.
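The federated training loop described in the three paragraphs above, as an added example that is not code from the paper or from any FL framework: three clients hold constructed flow records that never leave them, each runs local gradient descent on a logistic-regression intrusion classifier starting from the broadcast global model, and the server aggregates the returned weights with the FedAvg rule (a mean weighted by each client's sample count). The feature names, the records and the hyperparameters are all assumptions made for the illustration.

```python
import math


def sigmoid(z):
    return 1.0 / (1.0 + math.exp(-z))


def local_train(global_weights, data, epochs=20, lr=0.5):
    """Client side: start from the global model and run full-batch gradient descent on the
    logistic loss over the client's own records. Only the resulting weights leave the client."""
    w = list(global_weights)
    n = len(data)
    for _ in range(epochs):
        grad = [0.0] * len(w)
        for x, y in data:
            err = sigmoid(w[0] + sum(wi * xi for wi, xi in zip(w[1:], x))) - y
            grad[0] += err                       # bias term
            for j, xj in enumerate(x):
                grad[j + 1] += err * xj
        w = [wi - lr * g / n for wi, g in zip(w, grad)]
    return w


def fed_avg(updates):
    """Server side (FedAvg): average client models, weighting each by its local sample count.
    updates is a list of (weights, n_samples) pairs."""
    total = sum(n for _, n in updates)
    dim = len(updates[0][0])
    return [sum(w[j] * n for w, n in updates) / total for j in range(dim)]


def predict(w, x):
    return 1 if sigmoid(w[0] + sum(wi * xi for wi, xi in zip(w[1:], x))) >= 0.5 else 0


def accuracy(w, data):
    return sum(int(predict(w, x) == y) for x, y in data) / len(data)


def federated_training(clients, rounds=10):
    """Iterate: broadcast global model -> local training on each client -> aggregate."""
    dim = len(clients[0][0][0]) + 1            # features plus bias
    w = [0.0] * dim
    for _ in range(rounds):
        updates = [(local_train(w, data), len(data)) for data in clients]
        w = fed_avg(updates)
    return w


# Constructed data held by three organisations. Each record is
# ((packet rate, distinct destination ports), label), both features scaled to [0, 1];
# label 1 marks a scan-like flow. The raw records are never pooled anywhere.
CLIENTS = [
    [((0.1, 0.2), 0), ((0.2, 0.1), 0), ((0.3, 0.2), 0), ((0.1, 0.3), 0),
     ((0.8, 0.9), 1), ((0.9, 0.7), 1), ((0.7, 0.8), 1)],
    [((0.2, 0.2), 0), ((0.3, 0.3), 0), ((0.1, 0.1), 0),
     ((0.9, 0.9), 1), ((0.8, 0.6), 1), ((0.6, 0.8), 1), ((0.7, 0.9), 1)],
    [((0.25, 0.15), 0), ((0.15, 0.25), 0),
     ((0.85, 0.85), 1), ((0.95, 0.8), 1)],
]
ALL_RECORDS = [r for c in CLIENTS for r in c]   # only used here to score the result
GLOBAL_MODEL = federated_training(CLIENTS)

if __name__ == "__main__":
    print("global model:", [round(v, 3) for v in GLOBAL_MODEL])
    print("accuracy over all clients' data:", accuracy(GLOBAL_MODEL, ALL_RECORDS))
    for i, data in enumerate(CLIENTS):
        print(f"client {i} local accuracy:", accuracy(GLOBAL_MODEL, data))
```

Each round costs one model download and one upload per client, which is the communication overhead the abstract refers to; the server's extra computation is the weighted average. Note that the weights themselves still leave each client, so FL reduces but does not eliminate what a curious aggregator can learn.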
In the realm of securing computer networks, ID plays a pivotal role in protecting against a multitude of malicious attacks. In this ever-evolving landscape of network security, recent technological advancements have propelled machine learning (ML), deep learning (DL) [28][29][30][31][32], federated learning (FL), and explainable artificial intelligence (XAI) into the limelight as promising avenues for enhancing ID. These advancements represent a significant change in the way this work approaches network security, presenting both a wealth of opportunities and a set of challenges.
To navigate this intricate and dynamic terrain effectively, a set of fundamental research questions has emerged. These questions delve into specific facets of these cutting-edge approaches, with the aim of shedding light on their strengths, limitations, and the contexts in which they are most suited. The ultimate goal is to equip network practitioners with the knowledge and insights needed to make informed and strategic decisions as they work to fortify their systems against the ever-present threat of malicious intrusions. In the ongoing pursuit of a more secure digital world, these research questions serve as guiding beacons, illuminating the path toward effective and innovative ID.
RQ1: How can ID be effectively enhanced and secured against malicious attacks using modern technological advancements, including ML, DL, FL, and XAI?
RQ2: What are the key strengths and limitations associated with DL-based approaches in ID, especially considering their need for labelled data and substantial computational resources for training complex models?
RQ3: In what ways do ML-based approaches for ID differ from DL-based methods in terms of their computational requirements and their ability to generalize to previously unseen data?
RQ4: How does Federated Learning (FL) address the need for privacy and security in ID, and what are the trade-offs in terms of communication resources and computational overhead when aggregating models from diverse entities?
RQ5: What is the role of explainable artificial intelligence (XAI) in enhancing interpretability and transparency in the context of ID?
RQ6: What are the gaps in the existing literature when it comes to a comprehensive analysis of the suitability of DL, ML, FL, and XAI-based approaches for specific use cases and scenarios in ID?
RQ7: How can practitioners determine the most appropriate approach for ID based on their network size, data availability, and privacy and security requirements?
The research questions presented in Tables 1-3 are preliminary to the field of ID. These questions explore cutting-edge technology applications, collectively advancing our understanding and capabilities in detecting and responding to network intrusions. Researchers use these questions to develop more effective and context-aware ID methods, ultimately enhancing network security.

Literature Review
Previously, multiple researchers have worked on IDS. Some of their works are highlighted in this section.

Journal of Engineering
In this study [93], the authors highlighted that cyber security has become a critical concern in recent years as information technology has become more widespread. As a result, the field of IDS and their improvement through ML have received significant attention from researchers. Many studies have been conducted in this domain to develop new IDS models and enhance their efficiency in detecting security threats. The aim is to provide a more effective and efficient means of protecting networks and systems against cyber-attacks. This study introduces Passban, an IDS for IoT devices, emphasizing its deployment on low-cost IoT gateways. However, it does not address the challenges of adapting to the rapidly evolving landscape of IoT attacks and the need for continuous updates to counter new threats. Additionally, the paper does not explore the potential scalability issues of deploying such systems across a vast network of diverse IoT devices in various application domains.
In [94], Mojtaba and associates proposed an IDS optimized for a limited hardware environment using unsupervised learning. The IDS is designed to detect anomalies in network data and uses unsupervised learning techniques to improve its efficiency. The authors aim to provide a solution that can effectively detect security threats while being optimized for deployment in a limited hardware environment. Using unsupervised learning, the IDS can learn from the data and adapt to changing network behavior without needing labelled data or manual updates. The paper introduces Kitsune as a resource-efficient NIDS, but its real-world scalability and generalization across diverse network environments and attacks remain unverified. Additionally, the extent of human intervention required for setup and maintenance is unclear. In [95], the authors presented an IDS that uses AutoEncoder algorithms for online ID. AutoEncoders are a type of deep-learning algorithm that can detect anomalies in data. The IDS described in this study applies AutoEncoder algorithms to real-time network data, providing an online ID solution. The goal of this IDS is to identify security threats accurately in a fast and efficient manner. AutoEncoder algorithms allow the IDS to learn from the data and adapt to changing network behaviour [39]. The proposed ANN-based sequential classifier aims to balance false positive and false negative rates in ID. However, it introduces potential challenges related to computational overhead, increased detection latency, and the need for fine-tuning. The study lacks an extensive evaluation of its effectiveness against evolving cyber threats.
The authors of [96] investigated the application of ANN and other classification methods for detecting network intrusions. They compared the efficiency of ANNs with other classification algorithms to determine which was the most effective for their specific problem. It was found that an ensemble approach combining multiple classifiers could provide improved efficiency compared to using a single algorithm. This ensemble approach takes advantage of different algorithms' strengths and helps mitigate their weaknesses, leading to improved accuracy and effectiveness in detecting security threats in network data. In this work, the proposed anomaly-based IDS using a Genetic Algorithm and Support Vector Machine (SVM) with a new feature selection method offers improved accuracy and reduced false positives. However, the study lacks a comprehensive evaluation of its performance in diverse network environments and against evolving attack strategies. The practical scalability of the model to handle real-world network traffic remains unaddressed.
The authors of [97] suggested a novel network security mechanism that relies on feature extraction. This model uses a GA and a least squares SVM to classify anomalies in security issues. The evaluation results showed that the model has low false-positive rates and high true-positive rates, making it effective in identifying security issues while avoiding false alarms. Using a proprietary genetic algorithm and a least squares SVM enhances the model's efficiency and accuracy compared to previous techniques. In this work, the two-stage classifier using the RepTree algorithm and protocol subsets improves ID accuracy, but it may not effectively handle novel or evolving attack patterns not present in the training data. The paper lacks an in-depth analysis of the model's robustness against adversarial attacks, and it does not explore its scalability to handle complex, real-world network environments with a wide range of protocols and attack types.
In [98], a reduced error pruning tree (REPTree) algorithm was established as a method for network security. The proposed model has four key components: a feature selection layer, a protocol grouping sub-layer, an anomaly detection layer, and an inspection layer. The feature selection layer allows users to choose the most relevant features for their security needs. The protocol grouping sub-layer groups network flows into categories based on the protocol used (TCP, UDP, or others). The anomaly detection layer uses the REPTree algorithm to identify unusual network behavior. Finally, the inspection layer examines the detected abnormalities to determine if they represent a security threat. The overall goal of the proposed model is to provide a comprehensive and efficient method for detecting security threats in network data. The authors also explain that CANID, a cascade ensemble-based artificial neural network, is effective for multiclass ID, but it may struggle with novel and rapidly evolving attack techniques. Its scalability and performance in complex, real-world network environments remain unexplored.
In [99], the researchers presented a method that involves feeding the network with feature vectors extracted from network traffic data and training the network to recognize normal and abnormal traffic patterns. During the testing phase, the network is presented with new data, predicting whether the traffic is normal or abnormal based on its training. They used the NSL-KDD and UNSW-NB 15 datasets to evaluate the efficiency of ID methods. These datasets consist of feature vectors representing network traffic data labelled as either normal or anomalous. By testing their method on these datasets, the researchers can evaluate the accuracy of their CNN-based ID method. The proposed deep learning binomial classifier shows high accuracy in network ID. Still, it is not clear how well it generalizes to novel, real-world attack scenarios, and the study lacks an assessment of its performance against adversarial attacks or potential vulnerabilities. In order to take advantage of the capability of CNNs in processing 2D data, the feature vectors were converted into images. This was done by one-hot coding the nominal features, expanding the feature dimensions, and transforming each 8-byte chunk into one pixel. These transformed feature vectors were then turned into 8 × 8 pixel images. The researchers implemented a three-layer CNN to classify network attacks. They compared the efficiency of this CNN against other DL networks such as ResNet 50 and GoogLeNet. The results showed a score of 91.14% for the NSL-KDD dataset and 94.9% for the UNSW-NB 15 dataset. The authors have proposed an IDS based on an Artificial Neural Network (ANN) that employs an optimized feature selection approach to maximize operational efficiency. The method was evaluated on two datasets (UNSW-NB15 and NSL-KDD) and found to be 95.45% accurate, outperforming existing modern approaches. In addition, the authors recommended a mixed ID model that combines Deep Belief Networks (DBN) and SVM [100][101][102].
The authors of [103] presented a novel anomaly-based IDS that leverages gradient-boosted machines (GBM) as the primary detection engine. The authors used a grid search approach to determine the optimal parameters for the GBM. They evaluated their IDS's performance using hold-out and cross-fold validation methods on three distinct datasets: UNSW-NB15, NSL-KDD, and GPRS. Their experimental results demonstrate that the proposed IDS outperforms several other classifiers, such as fuzzy classifiers, GAR forest, and tree-based ensembles, across various performance metrics, including accuracy, specificity, sensitivity, and the area under the curve (AUC). This study demonstrates GBM's superior performance in anomaly-based ID, but it does not assess the model's ability to adapt to emerging or evolving attack strategies. This study's findings could be further validated through additional real-world testing and diverse datasets to assess the model's robustness.
In their study, the authors of [104] investigated the performance of a Random Forest (RF) based IDS with regard to accuracy and false alarm rate. The authors used the NSL-KDD, UNSW-NB15, and GPRS datasets for both model training and testing. The proposed IDS was evaluated using different tree-size ensembles, and statistical analysis based on Friedman's ranking revealed that the ensemble of 800 trees achieved the best results, while an ensemble of 20 trees showed the worst performance. Furthermore, the authors demonstrated that the RF-based IDS outperforms other classifiers, such as the ensemble of Random Tree and Naive Bayes, as well as single classifiers, such as NBTree and Multilayer Perceptron. The study highlights the effectiveness of the random forest classifier in ID; however, it lacks a comprehensive analysis of the model's adaptability to new attack patterns and its robustness against adversarial attacks. The evaluation focuses on existing datasets, and the real-world applicability of the model in dynamic and evolving network environments remains unexplored.
In this work, Royet et al. [105] introduce a novel Federated Learning (FL) framework called BrainTorrent, specifically designed for highly dynamic peer-to-peer (P2P) environments. On the other hand, the authors of another research work propose a different FL framework, named BAFFLE, that is based on blockchain (BC) and does not require an aggregator. The authors demonstrate their proposed framework's high scalability and computational efficiency in a private Ethereum network. The study introduces BrainTorrent as a federated learning (FL) framework for medical applications, but it does not thoroughly address the potential challenges related to network coordination, security, and scalability in a decentralized, peer-to-peer environment. Additionally, the paper does not explore the real-world complexities and regulatory concerns related to privacy and data protection in a multicentre medical context, which can affect the practicality and adoption of FL solutions.
In this research [106], the authors present a comprehensive overview of the use of Federated Learning (FL) in information security, specifically focusing on ID as one of its applications. Their paper provides explanatory insights into the topic and covers a broader scope than just ID. Other authors also focus on Federated Intrusion Detection Systems (FIDSs), but their methodology differs from that of [106]. This study highlights the potential of federated learning (FL) for improving cybersecurity, but it lacks a comprehensive exploration of the real-world challenges and complexities of deploying FL in dynamic, real-time environments. It does not provide in-depth insights into the practical implementation hurdles, potential network coordination issues, and the need for robust security measures. Furthermore, the paper does not delve into the regulatory and ethical considerations surrounding the use of FL in handling sensitive data in real-time applications. The authors of [107] compile a list of existing FIDSs and provide a detailed overview of their approaches while also identifying open issues in the field. This study cannot recognize encrypted packets and thus leaves an opportunity for attack. Moreover, the creation of a normal model for enormous dynamic data is extremely challenging, which leads to false alarms.

Black-Box and White-Box-Based Artificial Intelligence Approaches in Intrusion Detection Systems
In IDSs, approaches based on ML, DL, and FL have shown promising results in detecting and mitigating security threats. Machine Learning (ML) is a subfield of AI [108][109][110]. Many ML techniques are increasingly being used for ID in network security. IDS are used to monitor network traffic and detect any unauthorized or malicious activities. Traditional IDS rely on pre-defined rules and signatures to identify known attacks, but they may fail to detect novel or unknown attacks. ML algorithms can be used to learn the patterns and characteristics of normal network traffic and then detect anomalies or deviations from this normal behavior, which may indicate the presence of an intrusion. Some of the ML approaches are shown in Table 1.
It is shown in Table 1 that ML has developed as a promising technique for ID, and several ML algorithms have been proposed and tested in this area. K-Nearest Neighbour (KNN) and SVMs are the most widely used ML techniques for ID. ANNs can learn patterns from input data and make predictions based on them, while SVMs effectively separate data into different classes. Decision Trees (DTs) and Random Forests (RFs) are popular ML algorithms for ID, as they can handle both categorical and continuous data. Additionally, Deep Learning (DL) methods, such as CNNs and RNNs, have shown promising results for ID due to their potential to learn hierarchical representations of information. However, selecting the best ML algorithm for ID depends on several factors, such as the dataset, the specific problem being addressed, and the resources available for training and deployment.
Deep Learning-based approaches such as CNNs and RNNs have presented high accuracy in identifying intrusions by learning patterns in raw network traffic data. ML-based approaches such as SVMs and DTs can detect intrusions by classifying network traffic data based on previously learned patterns. FL-based approaches allow multiple parties to cooperate in training a global model without exchanging their private data, offering an attractive alternative for ID in sensitive environments. The choice of approach depends on multiple aspects, such as the size and difficulty of the dataset, the level of security and privacy required, and the computational and communication resources available. Ultimately, these approaches effectively detect and mitigate security threats in today's complex and dynamic network environments.
[Table caption fragment: ... and Explainable Artificial Intelligence (XAI)-based DL Framework]
The choice of ID method depends on the task's specific needs. RNN, a type of DL model, is suitable for ID as it can process sequential data. RNNs can analyze network traffic in real time to identify anomalies and potential threats by using a memory of past inputs created by looping the output back into the network [41,42,46,47,72,73,75,76,[111][112][113][114][115][116]. The network can use previous inputs, such as past network traffic patterns, to help identify unusual behavior in the current traffic. Generally, RNNs are a powerful tool for ID, as they can learn complex dependencies in sequential data and help to identify anomalies in real time. A Deep Neural Network (DNN) is a type of ML model that uses multiple layers to learn representations of input data. DNNs can be employed in ID to learn characteristics from network traffic data to detect abnormalities and probable breaches. A feed-forward deep neural network is a form of DNN that only operates in one direction, from input to output, and does not include loops or recurrent connections. FDDNNs may be used in ID to learn complex features in data from the network.
A CNN is a DL architecture that processes grid-structured data, such as images. CNNs can be leveraged to extract meaningful features from network traffic data, which can then be used to identify patterns indicative of specific types of intrusions. An ANN is inspired by the arrangement and function of the human brain and is a type of ML model that can be used for a wide range of applications. In ID, ANNs can be trained to recognize complex patterns in network traffic data to detect anomalies that may indicate a potential intrusion.
Bayesian convolutional neural networks (BCNNs) are a variant of CNNs that incorporate Bayesian methods to account for uncertainty in the model's predictions. In ID, BCNNs can provide more reliable predictions by modelling the uncertainty associated with the ID query. A Deep Belief Network (DBN) is a DL architecture that uses unsupervised pre-training to detect anomalies in network traffic data for ID. An Autoencoder is a DL model that learns a compact representation of network flows to detect anomalies and potential intrusions in ID. Both DBNs and Autoencoders are useful for identifying unusual behavior in network traffic data.
In ID, AEs can be used to learn features from network traffic data indicative of normal behavior, which can then be used to identify anomalies and potential intrusions. An LSTM is a type of RNN that uses gating mechanisms to allow the network to selectively remember or forget information from its memory. In ID, LSTMs can be used to analyze network traffic data in real time to identify anomalies and potential intrusions, taking into account both short-term and long-term patterns. Self-taught learning (STL) is unsupervised learning that uses unlabeled data to learn representations of the data. In ID, STL can be used to learn features from network traffic data without needing labelled data, which can then be used to identify anomalies and potential intrusions. HAST-ID is a DL IDS that leverages hierarchical spatial-temporal features to detect network intrusions. It employs a CNN to extract features from raw network traffic data and an LSTM network to model temporal dependencies.
By contrast, the non-symmetric deep autoencoder (NDAE) uses a stacked autoencoder whose encoder and decoder do not mirror each other to learn the normal behaviour of a system and to flag deviations from it as potential intrusions. H2O Deep Learning is a platform for building, training, and deploying DL models that has been applied to ID; it supports binomial models (normal versus intrusion) and multinomial models (normal versus several attack classes) for classifying network traffic. TSDL employs a two-stage learning approach in its DL-based IDS [36,37,48,74,117].
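The autoencoder-based detectors described above (AE, NDAE) share one pipeline: train on traffic believed to be benign, fix a reconstruction-error threshold from that clean traffic, then score new flows and report those above the threshold. The following is an added illustration, not code from any of the surveyed papers: a tied-weight linear autoencoder with a two-unit bottleneck stands in for the deeper non-linear encoders those systems use, the flow records are constructed rather than captured, and the log-scaled feature set and the 99th-percentile threshold are assumptions made for the example.

```python
"""Autoencoder-style anomaly detection on network-flow features (added example).

A linear autoencoder with a 2-unit bottleneck is trained on features of normal
flows only; a flow whose reconstruction error exceeds a threshold learned from the
clean training traffic is reported as an anomaly. All flow records are constructed.
"""
import math
import random

FEATURE_NAMES = ("log_duration", "log_packets", "log_bytes", "log_bytes_per_packet")


def flow_features(duration_s, packets, byte_count):
    """Map a flow record to a log-scaled feature vector (logs tame heavy tails)."""
    return [math.log(max(duration_s, 1e-6)), math.log(packets),
            math.log(byte_count), math.log(byte_count / packets)]


def make_normal_flows(n, rng):
    """Constructed web-like flows: ~600-byte packets spaced ~20 ms apart."""
    flows = []
    for _ in range(n):
        packets = rng.randint(10, 60)
        mean_size = rng.gauss(600.0, 80.0)
        spacing = rng.gauss(0.020, 0.003)
        flows.append((packets * spacing, packets, packets * mean_size))
    return flows


class LinearAutoencoder:
    """z -> h = W^T z -> z_hat = W h, tied weights W (d x k), full-batch gradient descent."""

    def __init__(self, n_in, n_hidden, rng):
        self.w = [[rng.uniform(-0.1, 0.1) for _ in range(n_hidden)] for _ in range(n_in)]
        self.mean, self.std = None, None

    def _standardize(self, x):
        return [(xi - m) / s for xi, m, s in zip(x, self.mean, self.std)]

    def _encode(self, z):
        return [sum(z[i] * self.w[i][j] for i in range(len(z))) for j in range(len(self.w[0]))]

    def _decode(self, h):
        return [sum(self.w[i][j] * h[j] for j in range(len(h))) for i in range(len(self.w))]

    def reconstruction_error(self, x):
        z = self._standardize(x)
        r = [zi - ri for zi, ri in zip(z, self._decode(self._encode(z)))]
        return sum(ri * ri for ri in r)

    def fit(self, xs, epochs=300, lr=0.05):
        d, k = len(xs[0]), len(self.w[0])
        # Scaling statistics come from the training (normal) data only.
        self.mean = [sum(x[i] for x in xs) / len(xs) for i in range(d)]
        self.std = [max(math.sqrt(sum((x[i] - self.mean[i]) ** 2 for x in xs) / len(xs)), 1e-9)
                    for i in range(d)]
        zs = [self._standardize(x) for x in xs]
        for _ in range(epochs):
            grad = [[0.0] * k for _ in range(d)]
            for z in zs:
                h = self._encode(z)
                r = [zi - ri for zi, ri in zip(z, self._decode(h))]
                # For L = 1/2 ||z - W W^T z||^2 the gradient is -(r h^T + z r^T W).
                rw = [sum(r[i] * self.w[i][j] for i in range(d)) for j in range(k)]
                for i in range(d):
                    for j in range(k):
                        grad[i][j] -= r[i] * h[j] + z[i] * rw[j]
            for i in range(d):
                for j in range(k):
                    self.w[i][j] -= lr * grad[i][j] / len(zs)
        return self


def fit_detector(normal_flows, rng, percentile=0.99):
    """Train on clean traffic; threshold = 99th percentile of its own reconstruction error."""
    model = LinearAutoencoder(len(FEATURE_NAMES), 2, rng).fit([flow_features(*f) for f in normal_flows])
    errors = sorted(model.reconstruction_error(flow_features(*f)) for f in normal_flows)
    threshold = errors[min(int(percentile * len(errors)), len(errors) - 1)]
    return model, threshold


def is_anomalous(model, threshold, flow):
    return model.reconstruction_error(flow_features(*flow)) > threshold


def demo(seed=7):
    rng = random.Random(seed)
    model, threshold = fit_detector(make_normal_flows(200, rng), rng)
    held_out_normal = make_normal_flows(20, rng)
    scan_flow = (0.001, 3, 180)  # constructed SYN-scan-like flow: 3 tiny packets in 1 ms
    return {
        "threshold": threshold,
        "false_positives": sum(is_anomalous(model, threshold, f) for f in held_out_normal),
        "scan_error": model.reconstruction_error(flow_features(*scan_flow)),
        "scan_flagged": is_anomalous(model, threshold, scan_flow),
    }


if __name__ == "__main__":
    print(demo())
```

Two practical points the example makes visible: the scaling statistics and the threshold are derived from the training traffic alone, so contamination of that traffic with attack flows raises the threshold and hides similar attacks later; and an anomaly that happens to lie inside the learned subspace would be reconstructed well and missed, which is why reconstruction-error detectors are usually paired with other signals.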
Combining a DNN with an RNN, as the BAT model does, is a common design for ID. The DNN performs feature extraction, reducing dimensionality and abstracting the raw data into a more manageable form for analysis. The RNN, specifically a bidirectional LSTM (BLSTM), captures the temporal relationships and dependencies in the data, which matters for accurately identifying anomalies and intrusions. The attention mechanism in the BAT model lets the network focus on the most relevant parts of the input, allowing more accurate and fine-grained predictions. In general, such DL approaches have shown promising results in ID and remain an active area of research [34,42,72]. Recurrent architectures of this kind are commonly used in ID to analyze time-series data such as network traffic logs. A 1D-DCNN is a type of CNN designed to process data sequences. It uses a dilated causal structure that lets the network process longer sequences while preserving the causal (past-to-present) ordering of the data points. ImmuneNet is a hybrid framework for ID that combines DL with immune-system-inspired algorithms [46]. It uses a deep neural network (DNN) to extract features from network traffic data and an immune-system-inspired algorithm to detect intrusions based on those features. XAI is a field of AI that focuses on developing transparent and interpretable algorithms. In the context of ID, an XAI-based DL framework uses algorithms that provide clear explanations of why a particular instance of network traffic is classified as normal or as an intrusion.
Table 2 presents an evaluation of various DL methods for ID with respect to accuracy. The reported results show that DL approaches reach high accuracy in detecting the threats represented in the datasets used by those studies.
DL techniques [111] have become popular in ID because of their ability to capture complex relationships and to extract relevant features from raw data. HAST-ID and the non-symmetric deep autoencoder (NDAE) illustrate the capability of DL to extract both spatial and temporal features and to learn a low-dimensional representation of the data. The H2O Deep Learning framework is based on binomial and multinomial models and provides a fast and precise approach to ID. The Feed Forward Neural Network (FFNN) and Two-Stage Deep Learning (TSDL) models use feed-forward networks and a two-stage learning approach, respectively, to predict intrusions. The Bidirectional Long Short-Term Memory (BiDLSTM) model, the 1D-Dilated Causal Neural Network (1D-DCNN), the DL-based hybrid framework ImmuneNet, and the Explainable Artificial Intelligence (XAI)-based DL framework [118] all report promising results in ID, as do approaches based on ANNs [112], IoT devices [113], and ML-based frameworks [114-116].
Table 3 shows that FL has emerged as a promising approach for ID, allowing multiple parties to cooperate in training a global model without exchanging their private data. FL offers advantages over traditional centralized ML by keeping sensitive data on the participants' own systems and so reducing the exposure created by pooling it in one place, although the parameter updates exchanged in FL can still leak information about local training data, so FL alone is not a complete privacy guarantee. Various FL approaches have been suggested for ID, including federated SVM (FedSVM), federated extreme learning machine (FedELM), federated ensemble-based anomaly detection (FedEAD), and federated autoencoder (FedAE). However, selecting the best FL approach for ID depends on several factors, such as the number of participating devices, the complexity of the data, the communication and computational resources available, and the level of security and privacy required. Further research is needed to assess the effectiveness of FL in ID and to optimize its performance in real-world scenarios. DL, ML, and FL approaches have shown strong performance in IDSs, but each has strengths and weaknesses, as presented in Figure 1.
Figure 1 also shows that explainable AI-based IDSs have several advantages over deep learning, machine learning, and federated learning-based IDSs. First, an explainable AI-based IDS provides transparency by clearly explaining its decision-making process, which makes it easier to understand how a decision was reached and which factors were considered; a deep learning or machine learning-based IDS can be opaque in this respect. Second, an explainable IDS makes it possible to surface biases in the system, which improves fairness and accuracy, whereas biases in an opaque IDS may go unnoticed. Third, an explainable IDS is flexible and can be adapted to various scenarios, because the rules governing its decisions are visible and can be modified. Fourth, an explainable IDS provides insight into the underlying security threats and vulnerabilities, which helps improve the system's security posture, whereas an opaque IDS may not provide such insight, making it difficult to address security issues proactively. Lastly, an explainable IDS can help meet regulatory requirements that demand transparency in decision-making. Explainable AI-based IDSs may therefore be the better option for ID in many scenarios.
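The FL and XAI points above are easiest to see in a small working model. The following added example (not code from any of the surveyed FL or XAI papers) runs federated averaging of a logistic-regression intrusion classifier across three clients with different traffic mixes, so the server only ever receives parameters and sample counts, and then explains the global model's verdict on one flow as the exact per-feature decomposition of its logit. The flow records are constructed; the three features and the fixed log-scaling convention that lets clients agree on feature scales without sharing statistics are assumptions made for the example.

```python
"""Federated averaging (FedAvg) of a logistic-regression intrusion classifier, with a
per-flow explanation of the global model's decision (added example, constructed data)."""
import math
import random

FEATURES = ("log_pps_scaled", "log_bpp_scaled", "syn_fraction")


def features(packets_per_s, bytes_per_packet, syn_fraction):
    """Pre-agreed scaling (assumption): logs divided by 10 keep every input near [0, 1]."""
    return [math.log(packets_per_s) / 10.0, math.log(bytes_per_packet) / 10.0, syn_fraction]


def make_client_data(n, attack_share, rng):
    """Constructed labelled flows: 1 = SYN-scan-like, 0 = benign web-like."""
    data = []
    for _ in range(n):
        if rng.random() < attack_share:
            x = features(math.exp(rng.gauss(math.log(2000), 0.5)), rng.gauss(60, 8), rng.uniform(0.8, 1.0))
            data.append((x, 1))
        else:
            x = features(math.exp(rng.gauss(math.log(50), 0.5)), rng.gauss(600, 100), rng.uniform(0.0, 0.1))
            data.append((x, 0))
    return data


def logit(params, x):
    w, b = params
    return sum(wi * xi for wi, xi in zip(w, x)) + b


def predict_proba(params, x):
    return 1.0 / (1.0 + math.exp(-logit(params, x)))


def client_update(params, data, rng, epochs=5, lr=0.5):
    """Local SGD on the client's private data; only (params, sample count) leaves the client."""
    w, b = list(params[0]), params[1]
    order = list(range(len(data)))
    for _ in range(epochs):
        rng.shuffle(order)
        for idx in order:
            x, y = data[idx]
            err = predict_proba((w, b), x) - y  # gradient of the log-loss w.r.t. the logit
            for i in range(len(w)):
                w[i] -= lr * err * x[i]
            b -= lr * err
    return (w, b), len(data)


def server_aggregate(updates):
    """FedAvg: sample-count-weighted mean of the clients' parameters."""
    total = sum(n for _, n in updates)
    d = len(updates[0][0][0])
    w = [sum(p[0][i] * n for p, n in updates) / total for i in range(d)]
    b = sum(p[1] * n for p, n in updates) / total
    return (w, b)


def federated_train(clients, rng, rounds=20):
    params = ([0.0] * len(FEATURES), 0.0)
    for _ in range(rounds):
        params = server_aggregate([client_update(params, data, rng) for data in clients])
    return params


def accuracy(params, data):
    return sum((predict_proba(params, x) >= 0.5) == (y == 1) for x, y in data) / len(data)


def explain(params, x):
    """Contribution of each feature, w_i * x_i, sorted by magnitude; with the bias these sum to the logit."""
    w, b = params
    contribs = sorted(zip(FEATURES, (wi * xi for wi, xi in zip(w, x))), key=lambda kv: -abs(kv[1]))
    return contribs, b


def demo(seed=3):
    rng = random.Random(seed)
    # Non-IID clients: a quiet branch office, a busy DMZ, an IoT segment under active scanning.
    clients = [make_client_data(150, 0.05, rng), make_client_data(300, 0.30, rng),
               make_client_data(100, 0.60, rng)]
    params = federated_train(clients, rng)
    held_out = make_client_data(200, 0.5, rng)
    scan = features(1500.0, 64.0, 0.95)   # constructed flow to explain
    benign = features(40.0, 580.0, 0.02)
    contribs, bias = explain(params, scan)
    return {
        "accuracy": accuracy(params, held_out),
        "scan_proba": predict_proba(params, scan),
        "benign_proba": predict_proba(params, benign),
        "scan_logit": logit(params, scan),
        "explanation": contribs,
        "bias": bias,
    }


if __name__ == "__main__":
    print(demo())
```

The explanation is exact here because the model is linear; for the DL-based detectors discussed earlier, the same per-feature attribution has to be approximated (for example by gradient-based or perturbation-based methods), which is the gap the future-directions section identifies. Note also that the server still learns each client's parameter vector and sample count every round, which is the residual leakage the caveat above refers to.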

Conclusion
Intrusion detection is vital to cybersecurity as advanced attacks increase, and DL, ML, and FL all play important roles. DL-based approaches have demonstrated high accuracy in detecting intrusion attacks. They learn complex patterns in network traffic data and can detect both known and unknown attacks, but they need large volumes of data and substantial computing resources for training, which can be difficult for some organizations. ML-based approaches are simpler and less resource-intensive than DL-based approaches. They can detect known attacks with high accuracy but may perform poorly on unknown attacks. FL-based approaches, which learn collectively from multiple decentralized devices, offer a promising option for organizations that cannot share data because of privacy or security concerns: models are trained on distributed datasets without the data leaving its owner. This study systematically explores enhancing and securing ID systems with ML, DL, FL, and XAI. It critically assesses these approaches: DL achieves high accuracy at the cost of resources; ML, though simpler, is limited in detecting unknown attacks; FL shows promise for data-sensitive organizations, though further research is necessary. Organizations should carefully assess their needs and resources when selecting an IDS technique.

Future Research Directions and Recommendations
Future research in ID can explore the integration of Blockchain technology (BCT) and XAI with existing techniques such as ML, DL, and FL. BCT can offer a decentralized, tamper-resistant environment for storing and sharing ID data, and it can support the secure exchange of models and updates between the entities involved in an FL-based approach. XAI techniques can improve the interpretability and transparency of the models, enabling security professionals to understand and verify a model's behaviour.
One research direction is to investigate how Blockchain technology can improve the privacy and security of FL-based IDSs. FL permits several entities to train a model collectively without exchanging their data; however, the model updates that are exchanged can still raise concerns about the privacy of the data used to train the model. BCT may offer a protected and auditable platform for sharing those updates, although it does not by itself prevent information about the training data from being inferred from them.
Another research direction is to develop XAI techniques that explain the behaviour of DL-based ID models. DL models are often highly complex and difficult to interpret, which makes it hard to understand why a particular intrusion was detected. XAI techniques that explain such models would improve their transparency and interpretability and give valuable insight into their decision-making. In general, integrating Blockchain technology and XAI with existing ID approaches has the potential to enhance the privacy, security, interpretability, and transparency of these systems. Further research in this area can help develop more robust and effective IDSs that better protect computer networks from malicious attacks.
Table 1 :
Critical review of machine learning (ML) based approaches in ID.

Table 2 :
Critical review of deep learning based approaches in ID.

Table 3 :
Critical review of federated learning (FL) based approaches in ID.
complex patterns within large and detailed datasets. However, its need for significant computational resources and the difficulty of understanding how it works show the trade-offs linked to its black-box nature. On the other side, white-box methods, including Rule-Based IDS and Feature Engineering-Based IDS, emphasize interpretability and human domain knowledge. Rule-Based IDS relies on preset patterns, making it easy to understand and to identify known attacks, though it may miss new threats. Feature Engineering-Based IDS lets experts create features based on their knowledge, improving interpretability by relating features to attack types; nevertheless, the investment in domain expertise and the potential for incomplete pattern coverage are critical considerations. Meanwhile, Federated Learning (FL)-based IDS, a newer approach, preserves privacy by training models jointly on separate devices. FL addresses privacy and collaboration concerns, but communication overhead and the potential loss of detailed information during collaboration highlight the complexities of this method. To navigate IDS development effectively, grasping both black-box and white-box concepts is vital for making informed choices.