Review Article: A Systematic Review on Hybrid Intrusion Detection System

As computer networks keep growing at a high rate, achieving confidentiality, integrity, and availability of information systems is essential. Intrusion detection systems (IDSs) have been widely used to monitor and secure networks. The two major limitations facing existing intrusion detection systems are high rates of false-positive alerts and low detection rates on zero-day attacks. To overcome these problems, we need intrusion detection techniques that can learn and effectively detect intrusions. Hybrid methods based on machine learning techniques have been proposed by different researchers. These methods combine the strengths of the single detection methods and offset their weaknesses. Therefore, this paper reviews 111 related studies from the period between 2012 and 2022, focusing on hybrid detection systems. The review points out the existing gaps in the development of hybrid intrusion detection systems and the need for further research in this area.


Introduction
The Internet has thrived, and with it information sharing has increased, making network security a pressing concern. Attackers around the globe have their eyes on computer systems with the aim of deploying attacks, and the security of an electronic device is breached when such an attack succeeds. Intrusion is defined as "any set of actions that attempt to compromise the integrity, confidentiality, or availability of a resource" [1]. The integrity aspect of a given infrastructure ensures that information remains unaltered by unauthorized users. Availability covers all aspects of the infrastructure that make information readily available to users of the system. Confidentiality means that the information in a given system is protected from unauthorized access and viewing by external parties. Therefore, a computer network is considered fully secured when the core objectives of these three attributes are sufficiently met. To help achieve these objectives, intrusion detection systems have been developed with the primary intent of monitoring incoming traffic in computer networks for potential malicious intrusions. An intrusion detection system (IDS) scans information system resources and reports any malicious activity in the system. More advanced IDSs can act against attacks: the action taken by such an IDS is to block the malicious users or activities from accessing computer resources. There are two major categories of intrusion detection systems: misuse based and anomaly based. Misuse-based IDSs are developed to flag known attacks using the patterns of those attacks [2]. Misuse detection systems use patterns of well-known attacks or weak spots of the system to match and identify known intrusions. The positive side of misuse IDSs is their ability to detect known attacks with great precision; the major challenge facing this type of IDS is its inability to flag new forms of attack [3].
Misuse intrusion detection systems stand out because of their ability to flag many or all known attack patterns. The main problem facing misuse-based systems is their inability to flag emerging, or zero-day, attacks. In general, they have a high detection rate and a low rate of false alarms compared to anomaly-based systems. The anomaly-based technique stores the normal behavior of a user in a database and compares it with the user's current behavior [4]. If there is a substantial difference, then something is wrong or abnormal. The major advantage of anomaly detection is that it does not require information about known attacks, so it can detect new forms of attack. Its false alarm rate, however, is high compared to misuse-based IDSs.
Hybrid intelligent systems have been developed to solve the challenges of existing intrusion detection systems, such as the high rate of false-positive alerts and the low detection rate for novel attacks. A hybrid is a technique that combines misuse-based and anomaly-based techniques [5]. The hybrid technique addresses the disadvantages of the two legacy IDS types. Research shows that hybrid detection systems perform better than single IDSs.
Despite their proven performance, hybrid intrusion detection systems remain largely unexplored, as seen from the small number of existing systematic literature reviews on the topic.
This work, therefore, attempts to perform a comprehensive systematic literature review of hybrid intrusion detection systems between 2012 and 2022, with the objective of pointing out existing gaps in the development of these systems.
This study is arranged as follows. Section 2 introduces and discusses IDSs. Section 3 provides a discussion of hybrid detection techniques. Section 4 discusses the methodology adopted in this paper. Section 5 discusses the findings. Section 6 points out the existing gaps in the reviewed literature and insights for future research. Table 1 summarizes all hybrid intrusion detection systems in the period 2012 to 2022. Finally, Table 2 lists all abbreviations used in this study.

Intrusion Detection Systems
Denning introduced the technique of detecting intrusions, and since then researchers have worked to detect intrusions in network systems automatically [6]. Intrusion detection has been defined as the technique of using artificial intelligence, machine learning, and database systems to uncover malicious patterns in large datasets [2]. IDSs can be broadly classified into two major categories, anomaly-based IDS and misuse-based IDS. Recently, other methods have emerged through the integration of anomaly and misuse IDSs, yielding further categories.

Anomaly-Based Intrusion Detection Systems.
Anomaly intrusion detection systems profile the normal behavior of a system. They monitor the normal operations of the system, and if they detect an anomaly, a flag is raised. Instead of keeping all patterns of a well-known malicious dataset and updating them as new patterns emerge, anomaly detection systems outline the "normal" operations of a system and flag anything that deviates from that outline [2]. According to [7], an anomaly IDS has three stages: parameterization, training, and detection. In the parameterization stage, the data are formatted to capture the normal behavior of the device. After parameterization, the model is trained to represent the normal behavior. The detection stage is where the model detects and flags any deviation from the normal behavior based on the parameterized data [7].
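The three anomaly stages above, chained behind a misuse (signature) stage as in the hybrid architecture described in the Introduction, as an added example that is not code from the paper or from any study it reviews; the flow records, the two signatures and the z-score threshold are constructed assumptions:

```python
"""Added example, not code from the review or the studies it cites: a minimal
hybrid IDS whose misuse (signature) stage runs first and whose anomaly stage
follows the three phases named in the text: parameterization, training,
detection. Flow records, signatures and the threshold are constructed."""
from dataclasses import dataclass
from statistics import mean, pstdev

# Constructed benign flows from which the "normal" profile is learned.
TRAIN_FLOWS = [
    {"dport": 443, "pkts": 20, "bytes": 9000, "syn_only": 0},
    {"dport": 443, "pkts": 30, "bytes": 12000, "syn_only": 0},
    {"dport": 80, "pkts": 25, "bytes": 11250, "syn_only": 0},
    {"dport": 443, "pkts": 40, "bytes": 14000, "syn_only": 0},
    {"dport": 80, "pkts": 35, "bytes": 15750, "syn_only": 0},
    {"dport": 443, "pkts": 10, "bytes": 4000, "syn_only": 0},
]

# Constructed labelled flows for evaluation: (flow, ground truth).
TEST_FLOWS = [
    ({"dport": 23, "pkts": 5, "bytes": 500, "syn_only": 0}, "attack"),      # matches a signature
    ({"dport": 443, "pkts": 200, "bytes": 8000, "syn_only": 1}, "attack"),  # matches a signature
    ({"dport": 443, "pkts": 30, "bytes": 45000, "syn_only": 0}, "attack"),  # no signature, huge packets
    ({"dport": 443, "pkts": 28, "bytes": 12000, "syn_only": 0}, "normal"),
    ({"dport": 80, "pkts": 15, "bytes": 6000, "syn_only": 0}, "normal"),
    ({"dport": 80, "pkts": 60, "bytes": 24000, "syn_only": 0}, "normal"),   # unusual but benign
    ({"dport": 8080, "pkts": 22, "bytes": 9900, "syn_only": 0}, "attack"),  # blends into the profile
]

# Misuse stage: constructed signatures standing in for a rule database.
SIGNATURES = [
    ("syn_flood", lambda f: f["syn_only"] == 1 and f["pkts"] >= 50),
    ("telnet_access", lambda f: f["dport"] == 23),
]


@dataclass
class Profile:
    mu: dict      # per-feature mean of benign traffic
    sigma: dict   # per-feature standard deviation (1.0 when the feature is constant)


def parameterize(flow):
    """Parameterization: map a raw record to the numeric features the profile tracks."""
    return {
        "pkts": float(flow["pkts"]),
        "bytes_per_pkt": flow["bytes"] / max(flow["pkts"], 1),
        "syn_only": float(flow["syn_only"]),
    }


def train(flows):
    """Training: summarize benign traffic as a per-feature mean and deviation."""
    vecs = [parameterize(f) for f in flows]
    feats = list(vecs[0])
    return Profile(
        mu={k: mean(v[k] for v in vecs) for k in feats},
        sigma={k: pstdev(v[k] for v in vecs) or 1.0 for k in feats},
    )


def anomaly_score(profile, flow):
    """Detection: largest absolute z-score over the parameterized features."""
    v = parameterize(flow)
    return max(abs(v[k] - profile.mu[k]) / profile.sigma[k] for k in v)


def match_signature(flow):
    """Return the name of the first matching signature, or None."""
    for name, pred in SIGNATURES:
        if pred(flow):
            return name
    return None


def hybrid_classify(profile, flow, threshold=3.0):
    """Misuse stage first (precise on known attacks); what it passes goes to the
    anomaly stage, which can flag deviations that have no signature yet."""
    sig = match_signature(flow)
    if sig:
        return "attack", "misuse:" + sig
    score = anomaly_score(profile, flow)
    if score > threshold:
        return "attack", "anomaly:z=%.1f" % score
    return "normal", "anomaly:within-profile"


def evaluate(profile, labelled):
    """Detection rate and false alarm rate, the two metrics the review compares."""
    tp = fp = fn = tn = 0
    for flow, truth in labelled:
        verdict, _ = hybrid_classify(profile, flow)
        if truth == "attack":
            if verdict == "attack":
                tp += 1
            else:
                fn += 1
        elif verdict == "attack":
            fp += 1
        else:
            tn += 1
    return {"detection_rate": tp / (tp + fn), "false_alarm_rate": fp / (fp + tn)}


if __name__ == "__main__":
    prof = train(TRAIN_FLOWS)
    for flow, truth in TEST_FLOWS:
        print(truth, hybrid_classify(prof, flow))
    print(evaluate(prof, TEST_FLOWS))
```

On the constructed set the anomaly stage both raises a false alarm (the unusual benign flow) and misses the attack that blends into the profile, which is the trade-off the text attributes to anomaly detection.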
Different intrusion detection mechanisms have been used in the development of anomaly IDSs. Mishra and Yadav [8] outlined the following techniques: data mining techniques, machine learning-based techniques, and statistical approaches. Some researchers have used single algorithms, while others have opted to integrate algorithms to improve the performance of the IDS [8].
Atefi et al. [9] developed anomaly detection based on profile signatures using genetic algorithm (GA) and support vector machine (SVM) algorithms. SVM outperformed GA in terms of precision. The researchers combined the two algorithms to form a hybrid IDS, and its evaluation showed better performance than the single algorithms.
Khoei et al. [10] investigated the application of three types of ensemble learning techniques to anomaly IDS: bagging, boosting, and stacking. The performance of the three techniques was compared with that of decision tree (DT), Naïve Bayes (NB), and K-nearest neighbor (KNN). The results showed that the stacking-based ensemble technique outperformed the traditional learning techniques in terms of detection rate, false alarm rate, miss detection rate, and accuracy.
Rakshe and Gonjari [11] developed an intrusion detection model based on SVM and random forest algorithms, both used for classification. The models were evaluated using NSL-KDD and recorded detection accuracy of more than 95%. When the performance of the two models was compared, the random forest algorithm performed better than SVM in the classification of traffic.
Kumar et al. [12] developed an anomaly intrusion detection system based on four algorithms, namely Naïve Bayes, ID3, MLP, and ensemble learning, with the ensemble model formed by combining NB, ID3, and MLP. The models were evaluated using the CICIDS2017 dataset with precision, recall, accuracy, and F1 score as metrics. ID3 (decision tree) performed best.
Once anomaly intrusion detection systems have been developed, they do not need regular updates unless a major user or system change has occurred. Anomaly IDSs can flag new forms of attack, unlike misuse IDSs. Because of these characteristics, anomaly intrusion detection systems are considered more effective than their misuse counterparts, whose performance depends heavily on stored patterns that require regular updates.
Profile creation is the main issue in anomaly intrusion detection because there is no fixed normal action or behavior of the user, and different users use computer systems

Table 1: Summary of hybrid intrusion detection systems, 2012 to 2022 (row ID, reference, dataset, summary).
C1 [34] (Flow-based dataset): The model demonstrated high-speed intrusion detection in large network infrastructure through data reduction and reduced processing time.
C2 [35] (KDD'99 dataset): According to the evaluation results, choosing optimal parameters, such as the size of the reduced feature set, improves the overall performance of the intrusion detection system.
C3 [36] (KDD dataset): The proposed algorithms detect intrusions simultaneously, and their outputs are combined using a rule-based method. The model was tested on the KDD dataset and recorded outstanding performance.
C4 [37] (Kyoto 2006+ dataset): The researchers proposed K-medoids instead of K-means for data clustering; K-medoids performed better than K-means. Naïve Bayes was used for classification. The researchers observed that with K-medoids clustering the processing time increases as the data grow; managing this time is an open research gap.
C5 [38] (Kyoto 2006+ dataset): This model was developed to address the problems of a previous work that combined K-medoids clustering and Naïve Bayes classification. To further improve detection performance, the researchers combined support vector machine classification with K-medoids clustering. The model recorded better performance, but time management remains an issue, as in the previous model.
C6 [39] (KDD Cup99 dataset): The model uses a double classifier based on AdaBoost with a J48 base learner and a Bayesian network classifier. It performed better than the cascaded J48 and Bayesian classifier.
C7 [40] (KDD99 dataset): The model performed better than pure SVM in terms of detection rate, training time, false negatives, and false positives. It also performed better than pure CSOACN, with less training time and comparable detection and false alarm rates. In the future, further performance analysis can be conducted using other algorithms.
C8 [41] (KDD99 dataset): GA and SOFM were used for feature extraction on the dataset, with the goal of reducing the features used to train SVM, which was deployed as the classification algorithm. The model performed better than SVM alone.
C9 [42] (NSL-KDD): In the first stage, PCA is used for feature reduction. The second stage applies genetic algorithms to the anomaly detection process, labeling the data as either normal or anomalous. The final stage uses different types of classifiers to confirm that the data are labeled properly and to give detailed information about the attacks. The model demonstrated the value of combining different machine learning algorithms for intrusion detection.
C10 [43] (CAIDA UCSD 2007 dataset): Proposed a model to detect DDoS attacks that combines GA with a multilayer perceptron (MLP) neural network. GA is used for feature selection and MLP for classification.
C11 [44] (KDD Cup 1999): The model recorded a true-positive value of 0.973 and a false-positive value of 0.017, an outstanding performance. It needs further evaluation on current datasets.
C12 [45] (KDDcup'99): The researchers report that the model achieved a high detection rate and a low false-positive rate, but acknowledge the need for further evaluation on different datasets.
C13 [46] (KDD CUP 99): Particle swarm optimization is used to select optimal parameters for multiple criteria linear programming (MCLP). The model recorded better accuracy and running time than the MCLP model. Its ability to detect different attacks simultaneously should be investigated further using KDD CUP 99.
C14 [47] (KDDCUP'99 dataset): The research demonstrated the importance of feature selection in intrusion detection. With reduced features, the model improved its accuracy and detection rate while the false alarm rate decreased. Evaluation on a single dataset is not enough; the model needs to be evaluated on another dataset in the future.
C15 [48] (KDD CUP99 data): The system provides advantages such as feature reduction on the training dataset, which improves the performance of intrusion detection systems.
Security and Communication Networks 3
C16 [reference not recovered] (NSL-KDD): Proposed K-means and a Naïve Bayes classifier for hybrid intrusion detection. K-means was used for clustering to reduce dataset features, while the Naïve Bayes classifier classified the features as normal or attack. The model recorded better performance in the detection of probe, R2L, and U2R attacks.
C17 [50] (NSL-KDD dataset): AGAAR is used for feature learning and reduction, and GPLS classifies the data as normal or attack. The researchers used only a subset of the dataset to train the model.
C18 [51] (NSL-KDD): The researchers demonstrated that combining classifiers with the sum-rule approach can give better results than single classifiers; the model outperformed a single classifier.
C19 [52] (KDD CUP 99 dataset): The K-means algorithm was used for classification while J48 was used for feature selection. SOM increased the accuracy of the system. The system registered high computation and long processing times, which affected its performance.
C20 [53] (KDDCUP 99 dataset): The data are fed simultaneously into two parallel algorithms; if both classify a record as normal, it is classified as normal. If both classify it as an attack, ACO further classifies it into an intrusion class. The model outperforms the individual SVM and ACO algorithms in intrusion detection.
C21 [54] (ISCX 2012): The model combines K-means clustering with a discretization technique (KMC-D) and a Naïve Bayes classifier (NBC) to create a hybrid intrusion detection system; KMC-D is used for clustering and NBC for classification. The model significantly reduced the false alarm rate.
C22 [55] (NSL KDD): The important characteristic of active learning SVM is the ability to build an intrusion detection system from small samples of the dataset, reducing training time and increasing the efficiency of the model.

C23 [56] (KDD'99): To reduce the number of features, the model uses a spatial correlation-based dimension reduction method. The new feature set is used to train an SVM classifier for intrusion detection. The model achieves high performance in training the classifier.
C24 [57] (KDD'99 dataset): The model consists of two levels: K-means for data dimensionality reduction in level one and RF for classification in level two. It was evaluated on an outdated dataset.
C25 [58] (NSL-KDD dataset): Proposed a combination of PCA and LSTM-RNN: PCA for feature reduction and LSTM-RNN for classification. The proposed model performs better than a single algorithm.
C26 [59] (NSL-KDD dataset): Proposed K-means for clustering the dataset and sequential minimal optimization (SMO) for feature classification in the second stage. The model outperforms the individual K-means and SMO algorithms. In the future, it can be evaluated on other datasets.
C27 [60] (NSL_KDD): The model has two classification stages, using SOM and BPNN. SOM performs the first-stage classification; records flagged as attacks are further classified into attack types by BPNN in the second stage. The model can be verified on other datasets in the future.
C28 [61] (Wormhole dataset): The combination of K-means and decision tree has a higher detection rate than either algorithm alone, and the hybrid significantly reduces the false positives suffered by the two single algorithms. Future research can look at improving the detection rate of the hybrid.
C29 [62] (NSL-KDD dataset): The model applies two feature selection algorithms in a cascaded manner and outperformed an RNN-based deep neural network in accuracy. In the future, it can be evaluated on different datasets.
C30 [63] (NSL-KDD dataset): Plant growth optimization is used for feature reduction and selection, and SVM for classification. Further investigation of the model on a different dataset is left for future work.
C31 [64] (Simulated attacks): The model runs GMM, OCSVM, isolation forest, and SOM in parallel to improve classification, with a decision module providing the final classification. It reported low CPU and RAM usage with high accuracy.
C32 [65] (NSL-KDD): K-means clustering with random forest classifiers outperformed Gaussian mixture clustering with random forest classifiers.
C33 [reference not recovered] (DARPA-KDD99): Fuzzy rules are generated and then input as particles in PSO. In the future, more compact and intelligent fuzzy logic could be generated to enhance the detection of more attacks.
C34 [67] (KDD CUP): The model proposed optimizing an ANN using MOA-PSO and performed better than other models, but it was evaluated on an old dataset.
C35 [68] (NSL-KDD): The model recorded high accuracy and a low FAR, but it was tested on only one dataset; it should be tested on other datasets to verify its performance.
C36 [69] (NSL-KDD): The model recorded high detection rates for DoS, R2L, and probe attacks but, according to the researchers, performed poorly on user-to-root (U2R) attacks.
C37 [70] (NSL-KDD): This was the first model to combine rough set theory and random forest for intrusion detection. It outperformed other models in accuracy but was tested on only one dataset.
C38 [71] (NSL-KDD and UNSW-NB15 datasets): The model outperformed other models in detection rate and false-positive rate. The researchers proposed investigating it on different datasets.
C39 [72] (A novel dataset): Proposed a hybrid detection model based on K-means clustering and support vector machine (SVM) classification, evaluated on a novel dataset retrieved from wireless network packet traffic flows. The model recorded a low false-positive rate with an improved detection rate.
C40 [73] (KDD'99 dataset): Proposed optimizing FCM with the hybrid rice optimization algorithm. Evaluated on KDD99, the model recorded better clustering performance. In the future, it can be evaluated on modern datasets.

C41 [74] (KDD 99): K-means and K-nearest neighbors were used to reduce the time complexity of the system while maintaining high accuracy.
C42 [75] (KDD 99): The training time of the K-means and random tree-based intrusion detection system is more favorable than that of a single random tree algorithm, in both 10-fold cross-validation and 66-34 percent split validation.
C43 [76] (ISCX dataset): Proposed a hybrid model based on KM and RF: KM clusters the best features in the first stage and RF classifies the clusters. The accuracy of the model can be further improved by improving the clustering operation of KM.
C44 [77] (KDD99): The model uses the hybrid rice algorithm to optimize an extreme learning machine; HRO-ELM improves the accuracy of network intrusion detection. Improving the structure of the ELM with the hybrid rice algorithm was proposed for future research.
C45 [78] (Real large-scale dataset): The model uses PCA, CCA, and ICA for dimensionality reduction, with the goal of learning and retaining the key features. The key features are then classified with a Bloom filter as either abnormal or normal, and the normal data are further classified using the KNN algorithm. In the future, the model can be evaluated on a different type of SCADA dataset.

C46 [79] (UNSW-NB15 and ISCX2012; KDD Cup 99 and NSL-KDD): The researchers used EBat to optimize MLP neural networks to increase classification accuracy; the EBat algorithm selected suitable weights and biases. Both current and classical datasets were used to evaluate the model.
C47 [80] (MSU and ORNL): The researchers used WOA to obtain the optimal weights and biases for training an ANN. The model recorded superior performance compared with other models.
C48 [81] (NSL-KDD): The main purpose of the model was to increase precision in detecting malicious activity in information systems through selection of appropriate features. The researchers used NSL-KDD, which does not capture new attacks.
C49 [82] (NSL-KDD and CICIDS2017): The researchers used a double particle swarm optimization (PSO)-based algorithm for feature selection and hyperparameter selection; PSO set the hyperparameters of a deep learning model automatically. The model was evaluated on NSL-KDD and CICIDS2017, the latter considered an up-to-date, reliable NIDS dataset.
C50 [reference not recovered] (NSL-KDD dataset): The research proposes an incremental learning model for DDoS attack detection. When the divergence test fails to detect an attack, its output becomes the input to the classifiers, which are arranged in parallel to speed up detection and reduce the cost of computation. Finally, a determiner flags the attack, if any. The advantage of using more than one classifier is that each algorithm selects a different category of features.
C51 [84] (NSL-KDD dataset): The model combines LSTM and a decision tree: at the first level, LSTM clusters data as normal or attack; at the second level, the normal data from the first level are fed into the decision tree for further inspection. The model recorded a low detection rate for some attacks such as U2R owing to small samples; future research can look at balancing the dataset.
C52 [reference and dataset not recovered]: A multimode deep autoencoder (MDAE) forms the first layer of the model, with the goal of learning and processing multi-feature groups. In the second layer, LSTM extracts temporal features automatically. In the future, the model can be tested in a real-world environment.
C53 [86] (NSL-KDD): SMOTE-ENN is used for data balancing to increase the minority classes, and CNN for feature selection. The model recorded a low accuracy of 83.31%; future research can focus on improving this accuracy.
C54 [87] (UNSW-NB15): The model uses PCA for feature reduction, selecting only the relevant features; K-means for clustering; and SVM for classification. It reports a high false alarm rate compared with other models, which makes deployment in a production environment risky.
C55 [88] (KDD Cup 99 dataset): The model integrates a genetic algorithm with improved feature selection and SVM. GA performs the initial feature selection, and SVM classifies the selected features as either normal or abnormal (DoS, probe, R2L, and U2R). The model can be further evaluated on updated datasets.
C56 [89] (CICIDS2017): DBN reduces the number of features in the dataset, keeping only the important ones, and SVM classifies the attacks. Future research can look at improving the accuracy and efficiency of intrusion detection.

C57 [90] (ISCX2012, UNSW-NB15, KDD Cup 99, and NSL-KDD): The model combines ABC and DA into an optimization algorithm called HAD, which is used to optimize the MLP neural network. The model was evaluated on two modern datasets, ISCX2012 and UNSW-NB15, and two old datasets, KDD Cup 99 and NSL-KDD. Future research can look at reducing the features in the dataset.
C58 [91] (NSL-KDD): The model applies XGBoost for feature selection and a deep neural network (DNN) for classifying network intrusions. The researchers validated the model on only one dataset.
C59 [92] (ISCX 2012, NSL-KDD, and CIC-IDS2017): ECAGOA is used to optimize SVM by selecting key SVM parameters to eliminate overfitting. Evaluated on three datasets, the model records superior performance compared with other models.
C60 [93] (NSL-KDD, AWID, and CIC-IDS 2017): MSAP-GOBA, a variant of GOA, selects relevant features in the dataset to improve the detection rate and reduce overfitting. Three datasets were used to validate the model, and the results were outstanding compared to other models.
C61 [94] (ADFA-LD dataset): The model uses VED in the first stage to reconstruct the dataset, and an RNN for capacity memorization. It recorded a low false-positive rate compared with other models.
C62 [95] (NSL-KDD, UNSW-NB15, and CIC-IDS2017): The main objective was to reduce the number of features in the dataset to improve classification performance and computation time. NSGA-II is used as the search strategy and LR as the learning algorithm. The model succeeded in reducing the number of features, increasing detection accuracy, but this reduced the detection rate for some attacks such as U2R, backdoor, analysis, exploits, DoS, and web-attack-XSS, owing to underrepresentation of these attacks or missing information.
C63 [reference not recovered] (KDD CUP99): The research showed that dealing with data redundancy and class imbalance can solve the problem of a high false-positive rate (FPR) for minority samples and improve F1.
C64 [97] (NSL-KDD and UNSW-NB15): Integrating the two algorithms enabled the learning of spatial and temporal features. The researchers recommended optimizing the model to detect U2R and worm attacks.
C65 [98] (CICIDS2017 and NSL-KDD): The researchers used both current and classical datasets to validate the model, which recorded a very low false-positive rate and high accuracy, above 99% on each dataset.
C66 [99] (KDD cup, database1, and database2): The model outperformed other state-of-the-art algorithms in accuracy, detection accuracy, precision, and recall. Its major limitation is high computational cost; studies can be done on reducing it.
C69 [102] (Bot-IoT dataset): The researchers proposed a two-stage hybrid intrusion detection system: deep autoencoders (DAEs) for anomaly detection in the first stage and machine learning-based attack classifiers in the second. The model performed better in the detection of both known and unknown attacks.
C70 [103] (CICIDS2017): The hybrid method was more effective at anomaly classification than other DNN classifiers. The model was evaluated on the up-to-date CICIDS2017 dataset, which captures current intrusions.
C71 [104] (Alibaba Tianchi dataset): The model combines CNN and LSTM into a hybrid detection model and outperformed other models in accuracy and MSE. It was evaluated on the Alibaba Tianchi dataset, which represents real-life malicious behavior; in the future, it needs to be evaluated on different datasets.
C72 [105] (CICIDS2017 datasets): The model outperformed other intrusion detection models in detection rate, accuracy, and false-positive rate, and was evaluated on an up-to-date dataset. In the future, it can be tested on other datasets.
C73 [106] (KDD Cup 99 dataset): The model has three stages: U-Net and LSTM for feature extraction in the first stage; a global attention mechanism to learn and select critical information in the features in the second; and SVM to classify the information in the third. It was evaluated on an old dataset that does not capture current intrusions.
C74 [107] (KDD CUP): The model performed well compared to single algorithms, but the researchers used an old dataset that does not capture modern attacks.
C75 [108] (KDDCUP99 and UNSW-NB15): HNGFA outperforms other techniques in exploration, detection, and evolving rules for all small forms of intrusion, with high accuracy and low FAR in different settings of the datasets.
C76 [109] (CICIDS2017): The model takes advantage of two classifiers, long short-term memory and a convolutional neural network, and has the capability of detecting evolving cyber threats.
C77 [110] (KDD 99): CSO was used for feature reduction and RNN for classification. The researchers tested the model on an old dataset and proposed using a modern dataset in future research.
C78 [111] (KDD Cup99): The research proposed a three-stage hybrid intrusion detection model. Snort detected signature-based attacks in the first stage; in the second stage, three feature reduction techniques were applied: univariate, principal component analysis, and linear discriminant analysis; finally, four supervised machine learning algorithms were deployed for classification. Evaluated on KDD CUP99, RF outperformed the other models in accuracy. Newer datasets that are up to date in terms of attacks are now available, and the model can be evaluated on them.
C79 [112] (UNSW-NB15): The researchers compared the CART algorithm with other decision tree classifiers, namely J48, fast decision tree, random tree, fine tree, medium tree, and coarse tree. CART recorded superior performance.
C80 [reference not recovered] (NSL-KDD): The model yielded better results than other models, but the researchers observed that increasing the number of neurons increased complexity and run times.
C81 [114] (NSL-KDD, UNSW NB15, and Kyoto2006): Information gain and principal component analysis are used for feature extraction and reduction, DBSCAN for clustering, and WGAN-DIV in the final stage for data generation. The researchers proposed improving the stability of the model in future work.
C82 [115] (Microsoft Windows server event logs): The research showed the importance of user profile creation for the performance of misuse intrusion detection systems.
C83 [116] (Real dataset): The model uses online incremental SVM to detect intrusions on IoT platforms. To ensure that new forms of attack are detected, MLP is deployed as a second IDS layer to catch attacks missed by the SVM module. The model evolves with new forms of attack through regular updates from the Internet.
C84 [117] (NSL-KDD and UNSW-NB15): The model combines CNN and BiLSTM for feature extraction, extracting spatial and temporal features of the dataset simultaneously. Applying the two algorithms to construct a balanced dataset improves the learning capability of the model and reduces training time.

C85 [118] NSL-KDD and CICIDS2017 The researchers observed that the performance of deep learning models is highly dependent on the amount of data used for training: the more training data, the better the model performs.
C86 [119] NSL-KDD The method aimed at feature reduction to improve classification. NSL-KDD, which does not reflect new forms of attacks, was used for evaluation.
C87 [120] NSL-KDD The model was superior to other clustering algorithms for unsupervised detection, but with high computation time.

C88 [121] CAN-intrusion-dataset and CICIDS2017 dataset Decision tree (DT), random forest (RF), extra trees (ET), and extreme gradient boosting (XGBoost) are applied in this model to develop a signature-based IDS. The second phase of the model deploys a cluster labeling K-means (CL-K-means) algorithm to develop an anomaly-based IDS that detects unknown attacks. For future work, model performance can be improved by investigating other unsupervised learning and online learning methods for the anomaly-based IDS framework.
C89 [122] CICIDS2017 and UNSW-NB15 Proposed a two-stage intrusion detection system based on DT and RF to improve detection. The first stage classifies on a subset of selected features. The second stage extracts further features for the instances that were not classified in the first stage. The model was evaluated using two modern datasets.
C90 [123] NSL-KDD and CIC-IDS2017 The model combined K-means, a deep learning algorithm, and RF. K-means and RF are deployed to classify each event as either normal or attack, while the deep learning algorithm is used to learn the hidden features of attack events. The model recorded better processing speed and less training time.
C91 [124] ICS dataset The model combines PSO and ANN to create a hybrid detection model. The PSO search method is applied to the ICS dataset to enhance the classification performance of the ANN model. In the future, other optimization techniques can be investigated to increase detection accuracy.
C92 [125] KDD CUP 99 The outcome shows that PSO + KNN outperformed PSO + DT in network anomaly detection. In the future, the model should be evaluated with current datasets.
C93 [126] NSL-KDD dataset Proposed a two-level intrusion detection model: at level one, a Naïve Bayes classifier detects DoS and probe attacks, and at level two, an SVM distinguishes R2L and U2R attacks from normal instances. In the future, the model can be tested against other forms of intrusion.
C94 [127] DARPA 1998 The model optimizes an ANN using GWO. The goal was to overcome the limitations of the backpropagation algorithm, including convergence to local minima. The model took longer to train; future research can address how to reduce the training time. In addition, the model can be evaluated using a current dataset.
C95 [128] NSL-KDD The researchers used a new algorithm, the slime mould optimization algorithm, to optimize a weighted extreme learning machine. The model reduces training time and improves the real-time performance of intrusion detection.
NSL-KDD and CICIDS2017 dataset In this model, WOA is used to optimize the kernel parameters of the RVM and the weight coefficients of the hybrid kernel. The model was evaluated using two datasets: NSL-KDD, representing an old dataset, and CICIDS2017, representing an updated dataset.
PED performs first-level classification of every packet received. Any packet that does not meet the minimum score at the first level is further classified at the second level by the HLD classifier. PED can be constructed by selecting between RF and DT, while HLD can be constructed by selecting between RF and ADT. The model has higher implementation complexity and cost than existing IDSs composed of a single classifier. Research can be done on reducing implementation complexity and cost.
C98 [131] NSL KDD Proposed a hybrid model combining the supervised algorithm LightGBM with the unsupervised algorithm K-means. The model recorded superior performance to other models but requires higher training time.
C100 [133] KDD′99 dataset Proposed a model combining a serial-based IDS (SIDS) and a parallel-based IDS (PIDS). PIDS is deployed to detect known intrusions and SIDS to detect unknown intrusions. The model can be evaluated using an updated dataset.
CICIDS2017 dataset The researchers developed a hybrid detection model based on convolutional neural network and network. The goal was to solve the issue of feature selection. To achieve this, the researchers applied the forward feature selection technique. The model was tested using the CICIDS2017 dataset, and the results showed that forward feature selection is a promising feature selection technique. The model can be tested using a different dataset in the future.

C101
C107 [140] NSL KDDCup 99 The researchers used the dragonfly algorithm to optimize a multilayer perceptron. OSVM was used to classify data as either normal or intrusive.
C108 [141] KDD′99 and UNSW-NB15 datasets In the first stage, the researchers improved feature selection. In the second stage of the model, the researchers combined signature-based and anomaly-based attack detection techniques. The model recorded a very high accuracy of 99.69%.
differently. Capturing the profiles of different users as normal has proven to be difficult, and this is the main limitation of anomaly IDSs. This limitation gives rise to high false-positive alert rates, because any abnormal action by a user is treated as an attack. Research in this area focuses on how to profile normal behaviour and how to reduce the high false-positive rate.

Misuse/Signature Intrusion Detection System.
Misuse intrusion detection systems depend on well-known attack signatures to capture attacks and flag intrusions using well-known patterns. The known signatures are captured and labeled to assist in intrusion detection. The labeled patterns are stored in a database that needs regular updates when new patterns are captured. For detection, a misuse-based IDS compares the received traffic with the signatures stored in the database; if a pattern matches, the traffic is marked as an intrusion; otherwise, it is marked as normal. Unlike anomaly-based IDSs, misuse IDSs are easy to create because the pattern of the malicious code is known: the malware is analyzed for a unique pattern, and this pattern becomes the baseline signature used for detection. This gives misuse-based IDSs a high true-positive rate on known attacks, since they depend on well-known information. Users must keep updating the corresponding databases with new signatures.
Over the years, research has been done in this area of misuse intrusion detection. Zhang et al. [13] proposed a misuse intrusion detection system for defending LAN users using the XGBoost algorithm. To develop and evaluate the model, the researchers used real-time data collected from LANs in 10 different Asian countries; the model was evaluated using data collected from 45 networks. The model recorded 97.5% overall precision and 97.5% overall recall. In addition, the researchers observed that LAN intrusion detection is affected by the ARP, mDNS, and NBNS protocols. The main advantage of this model is that it was evaluated using real-time network data, which means it could be deployed in existing LANs as is or with minor changes.
Taher et al. [14] used an artificial neural network (ANN) and a support vector machine (SVM) to develop a signature-based intrusion detection model; the two algorithms were compared to find the one with the best classification performance. The NSL-KDD dataset was used for the evaluation. In [15], the authors proposed Internet Protocol Flow Information Export (IPFIX) signature-based intrusion detection, known as FIXIDS. The model uses the newly added HTTP-related flow information elements (IEs) to detect intrusions in high-speed networks, and it outperformed Snort in general. This technique can be investigated further for standard flow records in future.
Tug et al. [16] used blockchain technology to propose a collaborative signature-based intrusion detection system referred to as CBSigIDS. The model uses a blockchain to incrementally update and distribute a trusted signature database across a collaborative network. Evaluation of the model shows that blockchain technology can be used to improve the performance of signature-based IDSs in a secure manner. In future, research can be done on the application of blockchain technology to anomaly IDSs. The main limitation of misuse intrusion detection systems is that they cannot detect zero-day attacks or new forms of attacks. By the time a new form of attack is recognized and its signature created, most computer systems have already been left vulnerable. Misuse intrusion detection systems also require large storage to hold the signature library. The focus of research on this type of intrusion detection system is on how to reduce the space consumed by the database. Another potential area of research is how to make this kind of IDS able to detect zero-day attacks.

Hybrid Intrusion Detection System
With the evolving variety of attacks, the two classical IDSs described above cannot protect information systems effectively on their own. New methods that combine different intrusion detection systems to improve their effectiveness have been proposed. Research has shown that combined algorithms perform better than single algorithms [17]. The goal of a hybrid intrusion detection system is to combine several detection models to achieve better results. A hybrid intrusion detection system consists of two components: the first processes the unclassified data, and the second takes the processed data and scans it to flag intrusion activities [18].
Hybrid intrusion detection systems are based on combining two learning algorithms. Each learning algorithm possesses unique strengths, which together improve the performance of the hybrid [19]. Hybrid IDSs can be broadly categorized into cascaded hybrid, integrated-based hybrid, and cluster + single hybrid.
In [20], the researchers combined feature extraction and classification techniques to increase the detection rate while reducing the false alarm rate. In the first stage of the hybrid, chi-square was used for feature selection; the goal of this stage was to reduce the number of features in the dataset while retaining the important features that capture the attacks. In the second stage, a multiclass support vector machine (SVM) was used for classification to improve the classification rate. The model was evaluated using the NSL-KDD dataset, and the results showed a high detection rate with a low false alarm rate.
In [21], Khraisat et al. developed a hybrid detection model based on a C5 decision tree classifier and a one-class support vector machine (OC-SVM). The model consisted of two major components. A C5.0 decision tree classifier was used to build the first component for misuse detection. The second component was built using OC-SVM for anomaly detection. The researchers tested the model using the NSL-KDD and Australian Defence Force Academy (ADFA) datasets, and the results showed that the hybrid model was superior to single-algorithm models.
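The cascaded hybrid described in this section, and the signature matching described under the misuse IDS heading, follow one pattern: a misuse stage consults a signature database first, and only traffic that matches no signature reaches an anomaly stage trained on a profile of normal traffic. The following is an added example illustrating that pipeline; it is not code from any of the reviewed studies. The flow records, the regex signatures, and the benign baseline are constructed inline, and the anomaly stage is a simple per-feature z-score profile standing in for the OC-SVM or K-means stages used by the reviewed models.

```python
"""Cascaded two-stage hybrid IDS: signature (misuse) stage first, anomaly stage second.

Added example; not code from any reviewed study.  The flow records, the signature
patterns and the benign baseline are constructed inline for illustration.
"""
import re
import statistics
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Stage 1 signature database (constructed).  Real rule sets such as Snort's
# also constrain ports, flags and byte offsets; these payload regexes are
# illustrative only.
SIGNATURES: Dict[str, re.Pattern] = {
    "php-cmd-injection": re.compile(r"(?i)\b(system|passthru|shell_exec)\s*\("),
    "sql-tautology": re.compile(r"(?i)'\s*or\s+'1'\s*=\s*'1"),
    "path-traversal": re.compile(r"\.\./\.\./"),
}


@dataclass
class Flow:
    src: str
    dst_port: int
    bytes_out: float
    pkts: float
    duration: float
    payload: str


NUMERIC_FEATURES = ("bytes_out", "pkts", "duration")


def signature_stage(flow: Flow) -> Optional[str]:
    """Misuse detection: name of the first matching signature, or None."""
    for name, pattern in SIGNATURES.items():
        if pattern.search(flow.payload):
            return name
    return None


class ZScoreProfile:
    """Anomaly detection from a profile of normal traffic.

    Learns per-feature mean and standard deviation from benign flows; a flow is
    anomalous when any feature lies more than `threshold` standard deviations
    from the baseline.  Stands in for the OC-SVM / K-means stage of the hybrids.
    """

    def __init__(self, threshold: float = 3.0) -> None:
        self.threshold = threshold
        self.stats: Dict[str, Tuple[float, float]] = {}

    def fit(self, normal: List[Flow]) -> "ZScoreProfile":
        for feat in NUMERIC_FEATURES:
            values = [getattr(f, feat) for f in normal]
            mean = statistics.fmean(values)
            stdev = statistics.pstdev(values) or 1e-9  # guard constant features
            self.stats[feat] = (mean, stdev)
        return self

    def score(self, flow: Flow) -> float:
        """Largest absolute z-score over the numeric features."""
        return max(abs(getattr(flow, feat) - m) / s for feat, (m, s) in self.stats.items())

    def is_anomalous(self, flow: Flow) -> bool:
        return self.score(flow) > self.threshold


def classify(flow: Flow, profile: ZScoreProfile) -> str:
    """Cascade: a signature hit short-circuits; only unmatched flows reach the anomaly stage."""
    sig = signature_stage(flow)
    if sig is not None:
        return f"known:{sig}"
    if profile.is_anomalous(flow):
        return "anomaly"
    return "normal"


def false_positive_rate(profile: ZScoreProfile, benign: List[Flow]) -> float:
    """Share of benign flows the cascade flags (the false alarm rate discussed in the text)."""
    flagged = sum(1 for f in benign if classify(f, profile) != "normal")
    return flagged / len(benign)


def build_benign_baseline() -> List[Flow]:
    """Constructed benign HTTPS flows with small, regular variation."""
    return [
        Flow(f"10.0.0.{i}", 443, 1500 + 10 * i, 12 + (i % 3), 0.8 + 0.01 * i, "GET /index.html")
        for i in range(1, 21)
    ]


if __name__ == "__main__":
    profile = ZScoreProfile(threshold=3.0).fit(build_benign_baseline())
    samples = [
        Flow("198.51.100.7", 80, 1600, 13, 0.9, "GET /cgi-bin/x.php?c=system('id')"),
        Flow("10.0.0.99", 443, 1600, 13, 0.9, "GET /about.html"),
        Flow("10.0.0.5", 443, 900000, 13, 0.9, "POST /upload"),  # bulk exfiltration volume
    ]
    for s in samples:
        print(f"{s.src:>14} {s.payload[:32]:<34} -> {classify(s, profile)}")
    print("FAR on baseline at threshold 3.0:", false_positive_rate(profile, build_benign_baseline()))
```

The ordering is the point of the cascade: the cheap, precise signature stage handles known attacks, so the anomaly stage sees only unlabeled traffic and its false alarms are confined to that residue. Lowering `threshold` raises the detection rate of the second stage but also its false alarm rate on the benign baseline, which is exactly the trade-off the review reports for anomaly-based components.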
Khan [22] proposed a hybrid intrusion detection model based on a convolutional neural network (CNN) and a recurrent neural network (RNN). The research aimed to improve feature extraction, which is fundamental to the performance of intrusion detection systems. The CNN was used in the first phase to extract local features from the dataset, and the RNN in the second phase to extract temporal features. This technique also addressed the data imbalance in the available dataset. To test the model, the CSE-CIC-IDS2018 dataset, an updated dataset, was used. The model outperformed other intrusion detection models, with an intrusion detection accuracy of 97.75%.
In [23], the researchers proposed a hybrid intrusion detection model for smart home security. The model consisted of two components. The first component applied machine learning algorithms to real-time intrusion detection; the algorithms used included random forest, XGBoost, decision tree, and K-nearest neighbors. The second component applied misuse intrusion detection for known attacks. To test the model, the CSE-CIC-IDS2018 and NSL-KDD datasets were used.
The model recorded outstanding performance in detecting both network intrusions and user-based anomalies in smart homes.
In [24], the authors proposed a hybrid intrusion detection system for online network intrusion detection. The researchers integrated improved particle swarm optimization with a regularized extreme learning machine (IPSO-IRELM), using IPSO to optimize the IRELM. The model was tested using the UCI balance dataset, the NSL-KDD dataset, and the UNSW-NB15 dataset. The model recorded high accuracy as well as the ability to classify minority classes.
In [25], a hybrid detection model based on Spark ML and a convolutional LSTM (Conv-LSTM) network was proposed. The model consists of two components: the first uses Spark ML to detect anomalous intrusions, while the second deploys Conv-LSTM for misuse detection. To investigate the performance of the model, the researchers used the ISCX-UNB dataset. The model recorded an outstanding detection accuracy of 97.29%. The researchers proposed evaluating the model further on a different dataset as a way of attempting to reproduce the results.
In [26], the authors developed an intrusion detection system by combining the firefly algorithm with a Hopfield neural network (HNN). The researchers used the firefly algorithm to detect denial-of-sleep attacks through node clustering and authentication.
In [27], the researchers proposed a hybrid detection system for VANETs (vehicular ad hoc networks). The model consisted of two components: a classification algorithm in the first and a clustering algorithm in the second. In the first stage, they used random forest to detect known attacks through classification. In the second stage, they deployed a weighted K-means algorithm for anomaly detection. The model was evaluated using the CICIDS2017 dataset. The researchers proposed further evaluation of the model in real-world environments. In another work [28], the researchers integrated the random forest algorithm with an unsupervised clustering algorithm based on coresets. This model was used for real-time intrusion detection in VANETs. Compared with other models, it recorded better accuracy, computational time, and detection rate.
Barani [29] proposed a hybrid detection model based on a genetic algorithm and an artificial immune system (GAAIS) for intrusion detection in ad hoc on-demand distance vector-based mobile ad hoc networks (AODV-based MANETs). The model was evaluated using different routing attacks. Compared with other models, it improved the detection rate and decreased the false alarm rate.
In [30], the researchers integrated the firefly algorithm with a genetic algorithm for feature selection in MANETs. To classify the features selected in the first stage of the model as either intrusion or normal, the researchers used a replicator neural network. The model's performance was compared with that of a fuzzy-based IDS, which it outperformed in accuracy, precision, and recall.

Methodology
The methodology consists of three primary phases, planning, conducting, and reporting, as outlined by Kitchenham and Charters [31]. The three phases can be explained as follows: (a) Planning: the main goal of this phase is to define the research goals and the review protocol. The review protocol defines how the review will be done and consists of all the elements of the review. (b) Conducting: once the protocol has been defined, the review process can start. The main stages in this phase are identifying relevant research, selecting primary studies, extracting the required data, and synthesizing the data. (c) Reporting: finally, in reporting the review, the data extraction strategies are defined and the steps used in data synthesis are outlined.

Research Questions (RQs).
The main objective of this paper was to analyze the hybrid intrusion detection system techniques developed from 2012 to 2022. The following research questions were developed in line with the main objective:

Search Strategy.
Research shows that it is important to be guided by a search strategy in a systematic review [31]. In defining our search strategy, we followed the steps outlined by Thyago et al. [32]. The two main steps in this process are defining the keywords and defining the sources of the studies. The keywords were derived from the research questions. The keywords and synonyms used are as follows:
(1) Hybrid OR Integrated OR Cascaded
(2) Intrusion detection System OR IDS
(3) Artificial Intelligence OR Machine Learning
We used the Boolean operators OR and AND to define the search string. OR was used between synonyms, while AND was used between the keyword groups. The following search strings were defined: (1) "Hybrid" OR "Integrated" OR "Cascaded"; (2) "Intrusion detection System" OR "IDS"; (3) "Artificial Intelligence" OR "Machine Learning". Finally, the search strings were combined as ((1) AND (2)) OR ((1) AND (2) AND (3)). Note that the second disjunct is subsumed by the first, so this combination is logically equivalent to (1) AND (2); the third keyword group therefore did not narrow the search.

The researchers used the following digital libraries, which are recognized for publishing research in the area of intrusion detection systems [33].

Publication Selection Criteria.
For the inclusion criteria, all primary studies on hybrid intrusion detection systems published between January 2012 and February 2022 were included. Single-algorithm studies, secondary studies, short papers, duplicated studies, non-English studies, and incomplete papers were excluded. In addition, all studies not relevant to the research questions were excluded. Table 4 summarizes the inclusion/exclusion criteria.

Study Selection Process.
In the first stage of the selection process, papers were retrieved using the established search strings and screened on title, abstract, and keywords. The papers that passed the first stage were subjected to a second selection stage based on reading the full text. The primary reviewer conducted the selection process, and the secondary reviewer conducted an inter-rater reliability test on the selected papers to ensure that the primary reviewer's selection was not biased. In the first stage, 1875 studies were excluded because they did not satisfy the inclusion criteria: 1786 were out of scope, 8 were grey literature, 27 were single-algorithm studies, 53 were short papers, and 1 was a duplicate. In the second stage, 98 studies were excluded: 78 were out of scope, 2 were single-algorithm studies, 17 were short papers, 1 was not in English, and 1 was incomplete. In total, 111 papers were selected for the review, as shown in Table 5.

Data Extraction Process.
The objective of this step is to answer the research questions for each paper in a semi-structured way. To avoid bias in the data extraction process, a data extraction form was developed; it captured the key elements needed to answer the research questions, as shown in Table 6. Figure 1 shows the number of publications per year. The year with the most publications is 2020. The graph indicates a continuous increase in research in the field of hybrid IDS, which can be attributed to the desire to improve the efficiency and effectiveness of IDSs.

Research Questions (RQs).
In this section, the outcome of the literature review will be analyzed and discussed as per the research questions. RQ1: which hybrid techniques have been used in intrusion detection systems?
In this question, the research sought to understand which techniques were used in the development of the hybrid IDS. Research shows that hybrid approaches can be broadly categorized into three: cascaded hybrid, integratedbased hybrid, and cluster + single hybrid.
As shown in Table 7, the most used hybrid technique was the cascaded hybrid technique (72 papers), followed by the integrated-based hybrid technique (36 papers) and the cluster + single technique (3 papers).
RQ2: which classical algorithms were used in the integration of the hybrid?
In this question, the researchers sought to understand the classical algorithms applied in hybrid techniques. It was established that the most used algorithms in hybrid detection systems were SVM, DT, K-means, Naïve Bayes, KNN, GA, and PSO, as shown in Table 8. The remaining algorithms appeared fewer than 5 times in the selected papers.
RQ3: which evaluation metrics are used in hybrid intrusion detection system research? A metric measures the performance of an ML algorithm on a given dataset; metrics are used mostly to compare different models and determine the most effective one. The definitions below use TP, FP, TN, and FN for the counts of true positives, false positives, true negatives, and false negatives, with attack as the positive class.
Accuracy is the most frequently applied metric. It is the fraction of all predictions that are correct, (TP + TN)/(TP + TN + FP + FN).
True-positive rate (TPR), also known as recall, sensitivity, or detection rate, is the fraction of actual attacks that are detected, TP/(TP + FN).
False-positive rate (FPR), also referred to as false alarm rate (FAR) or fall-out, is the fraction of actual normal observations wrongly flagged as attacks, FP/(FP + TN).
True-negative rate (TNR), also called specificity, is the fraction of normal observations correctly classified as normal, TN/(TN + FP). False-negative rate (FNR), also called miss rate, is the fraction of attacks that go undetected, FN/(FN + TP). The F-score (F-measure) combines precision and recall as their harmonic mean, F1 = 2 × precision × recall/(precision + recall). F1 scores range from 0 to 1, with 1 being perfect and 0 indicating poor performance.
Precision is the fraction of positive predictions that are correct, TP/(TP + FP).
Time measures the efficiency of a model, either during the training stage or during the evaluation (detection) stage.
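The metrics defined above all derive from the four confusion-matrix counts, and the reason accuracy alone is a poor yardstick for an IDS is that attack traffic is usually a small minority of the observations. The following added example (not code from the reviewed studies) computes each metric from labeled predictions and works through a constructed imbalanced case: 10 attacks among 1000 flows, where a detector that never raises an alert scores higher on accuracy than one that catches 9 of the 10.

```python
"""Confusion-matrix metrics used to evaluate IDS models, with an imbalance check.

Added example; not code from the reviewed studies.  The label vectors in
imbalance_demo() are constructed to show why accuracy alone misleads.
"""
from dataclasses import dataclass
from typing import Dict, Sequence


@dataclass(frozen=True)
class Confusion:
    tp: int  # attack predicted as attack
    fp: int  # normal predicted as attack (false alarm)
    tn: int  # normal predicted as normal
    fn: int  # attack predicted as normal (miss)


def confusion(y_true: Sequence[int], y_pred: Sequence[int]) -> Confusion:
    """Count the four outcomes; 1 = attack (positive class), 0 = normal."""
    if len(y_true) != len(y_pred):
        raise ValueError("label vectors differ in length")
    tp = fp = tn = fn = 0
    for t, p in zip(y_true, y_pred):
        if t == 1 and p == 1:
            tp += 1
        elif t == 0 and p == 1:
            fp += 1
        elif t == 0 and p == 0:
            tn += 1
        else:
            fn += 1
    return Confusion(tp, fp, tn, fn)


def _ratio(num: int, den: int) -> float:
    return num / den if den else 0.0  # define 0/0 as 0 rather than raising


def accuracy(c: Confusion) -> float:
    return _ratio(c.tp + c.tn, c.tp + c.tn + c.fp + c.fn)


def tpr(c: Confusion) -> float:
    """Detection rate / recall / sensitivity."""
    return _ratio(c.tp, c.tp + c.fn)


def fpr(c: Confusion) -> float:
    """False alarm rate / fall-out."""
    return _ratio(c.fp, c.fp + c.tn)


def tnr(c: Confusion) -> float:
    """Specificity."""
    return _ratio(c.tn, c.tn + c.fp)


def fnr(c: Confusion) -> float:
    """Miss rate."""
    return _ratio(c.fn, c.fn + c.tp)


def precision(c: Confusion) -> float:
    return _ratio(c.tp, c.tp + c.fp)


def f1(c: Confusion) -> float:
    """Harmonic mean of precision and recall, written as 2TP / (2TP + FP + FN)."""
    return _ratio(2 * c.tp, 2 * c.tp + c.fp + c.fn)


def report(c: Confusion) -> Dict[str, float]:
    return {
        "accuracy": accuracy(c), "tpr": tpr(c), "fpr": fpr(c), "tnr": tnr(c),
        "fnr": fnr(c), "precision": precision(c), "f1": f1(c),
    }


def imbalance_demo() -> Dict[str, Dict[str, float]]:
    """Constructed case: 10 attacks among 1000 flows.

    Detector A never raises an alert; detector B catches 9 of the 10 attacks at
    the cost of 20 false alarms.  A scores higher on accuracy yet detects nothing.
    """
    y_true = [1] * 10 + [0] * 990
    pred_a = [0] * 1000
    pred_b = [1] * 9 + [0] + [1] * 20 + [0] * 970
    return {"A": report(confusion(y_true, pred_a)), "B": report(confusion(y_true, pred_b))}


if __name__ == "__main__":
    for name, metrics in imbalance_demo().items():
        print(name, {k: round(v, 4) for k, v in metrics.items()})
```

Detector A reaches 99.0% accuracy with a detection rate of zero; detector B drops to 97.9% accuracy while reaching a 90% detection rate at a 2% false alarm rate. Reporting accuracy together with TPR and FPR, as the three most used metrics in the reviewed studies do, is what exposes this difference.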
This study found that three metrics were used in more than 50% of the reviewed studies, as shown in Figure 2: accuracy, detection rate, and false alarm rate. Accuracy measures the performance of a model in terms of the number of correctly predicted results; the higher the accuracy, the better the model, which explains why this metric is used in most of the studies. TPR, or detection rate, measures the ability of a model to flag attacks. This is a very important metric, as the objective of any intrusion detection system is to flag attacks. Lastly, false alarm rate (FAR) measures the false alarms produced by the model; the more false alarms, the poorer the model. Designers can use this metric to improve a model by reducing or eliminating false alarms. These three metrics form the key evaluation metrics for any detection model, and together they make it possible to determine the overall performance of a model. RQ4: which datasets were used in hybrid intrusion detection system research? Figure 3 depicts the datasets used in hybrid intrusion detection system research. The dataset used is one of the most important elements in the development of anomaly-based intrusion detection systems. Despite that, the conducted

Conclusion
This study fills a gap in the current body of knowledge by providing a systematic literature review of hybrid intrusion detection systems. The systematic analysis points out the existing gaps in the development of hybrid intrusion detection systems and the need for further research in this area. The analysis indicates that hybrid intrusion detection is an area of focus for many researchers because of its potential to address the intrusion problem: a hybrid increases the performance and efficiency of an intrusion detection system compared with a single algorithm. Investigating how best to integrate the existing algorithms is therefore essential in this field. Most hybrid intrusion detection systems fall into three major categories: the cascaded hybrid technique, the integrated-based hybrid technique, and the cluster + single technique. In this review, most of the studies used the cascaded hybrid technique (72 of the 111 papers, about 65%); this method combines the classical algorithms either in parallel or in serial form. The second most widely used technique is the integrated-based hybrid technique (36 papers, about 32%), which aims at optimizing the classical algorithms. Integrated-based hybrids are more efficient and give better results than the other forms of hybrid technique; thus, to develop an efficient and effective IDS, an integrated-based hybrid should be adopted. Lastly, the cluster + single technique was the least used (3 papers, about 3%). The literature review has shown that the existing algorithms have the potential to solve the intrusion problem but still cannot evolve with the ever-changing digital environment. Most of the models rely on human intervention to update them.
There is a need for models that can learn their environment and update themselves without human input.
According to the conducted study, researchers have deployed different types of algorithms in the development of hybrid intrusion detection. The commonly used algorithms include ANN, SVM, DT, K-means, Naïve Bayes, KNN, GA, and PSO.
For evaluation of the models, fifteen datasets were used in the analyzed studies. The datasets with the highest utilization were KDDCup99 and NSL-KDD. Despite their popularity, these datasets have been criticized by researchers. Most researchers point out that they were developed years ago and are therefore outdated and ineffective for developing modern intrusion detection systems. In addition, researchers have observed that these datasets do not capture current forms of attack, and hence models trained on them lack the capability to defend modern network infrastructure. To address this challenge, the analyzed literature has adopted emerging datasets that capture current intrusions, including CICIDS2017, UNSW-NB15, CSE-CIC-IDS2018, and Bot-IoT. The problem is that most of the studies still use the old datasets. For effective IDSs, researchers in this field need to embrace the updated datasets. The three most commonly used metrics for performance evaluation of IDSs are accuracy, TPR, and FPR. Future studies should also consider CPU utilization and detection time as performance metrics. Intrusions should be detected in real time, before any damage is caused, and hence the detection time should be as low as possible. Resource utilization should also be considered in the development of intrusion detection systems; in this review, only a few papers included CPU utilization as a performance metric.
Data Availability The secondary data supporting this systematic review are from previously reported studies and datasets, which have been cited. The processed data are available from the corresponding author upon request.

Conflicts of Interest
The authors declare that there are no conflicts of interest regarding the publication of this paper.