Skip to main content

Table 6 Comparison of IDS deployment strategies based on their positioning

From: A critical review of intrusion detection systems in the internet of things: techniques, deployment strategy, validation strategy, attacks, public datasets and challenges




Data source

IDS deployment strategies

Distributed IDS

• HIDS can check end-to-end encrypted communications behaviour.

• No extra hardware is required.

• Detects intrusions by checking the host file system, system calls or network events.

• Every packet is reassembled

• Looks at the entire item, not streams only

• Delays in reporting attacks

• Consumes host resources

• It needs to be installed on each host.

• It can monitor attacks only on the machine where it is installed.

• Audits records, log files, Application Program Interface (API), rule patterns, system calls.

Centralized IDS

• Do not impose an additional overhead on the sensor nodes.

• Detects attacks by checking network packets.

• Not required to install on each host.

• Can check various hosts in the same period.

• Capable of detecting the broadest ranges of network protocols

• IoT can be exposed if the centralized IDS is compromised.

• Challenge is to identify attacks from encrypted traffic.

• Dedicated hardware is required.

• It supports only the identification of network attacks.

• Difficult to analysis a high-speed network.

• The most serious threat is the insider attack.

• Not applicable

For a large scale IoT ecosystem.

• Simple Network Management Protocol (SNMP)

• Network packets (TCP/UDP/ICMP),

• Management Information Base (MIB)

• Router NetFlow records



• It uses NIDS, HIDS and wireless intrusion detection system (WIDS) presenting success in interoperability across heterogeneous Network types.

• IDS is likely to be extremely deployable across big and heterogeneous IoT networks,

• the complexity of the IDS