| IDS deployment strategy | Advantages | Disadvantages | Data source |
|---|---|---|---|
| Distributed IDS (host-based) | • HIDS can inspect the behaviour of end-to-end encrypted communications. • No extra hardware is required. • Detects intrusions by checking the host file system, system calls or network events. • Every packet is reassembled. • Examines the entire item, not only streams. | • Delays in reporting attacks. • Consumes host resources. • Must be installed on each host. • Can monitor attacks only on the machine where it is installed. | • Audit records, log files, Application Program Interface (API), rule patterns, system calls. |
| Centralized IDS | • Imposes no additional overhead on the sensor nodes. • Detects attacks by checking network packets. • Need not be installed on each host. • Can monitor various hosts in the same period. • Capable of detecting the broadest range of network protocols. | • The IoT network can be exposed if the centralized IDS is compromised. • Identifying attacks inside encrypted traffic is a challenge. • Dedicated hardware is required. • Supports only the identification of network attacks. • Difficult to analyse a high-speed network. • The most serious threat is the insider attack. • Not applicable to a large-scale IoT ecosystem. | • Simple Network Management Protocol (SNMP). • Network packets (TCP/UDP/ICMP). • Management Information Base (MIB). • Router NetFlow records. |
| Hierarchical IDS | • Combines NIDS, HIDS and wireless intrusion detection systems (WIDS), achieving interoperability across heterogeneous network types. • Likely to be highly deployable across large and heterogeneous IoT networks. | • Higher IDS complexity. | • Various. |
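The following is an added illustration, not code from the surveyed work, of what each placement in the table can and cannot observe. A toy host-based detector parses constructed audit records (the host sees syscalls and file paths in the clear, even when the triggering session was encrypted on the wire), a toy centralized detector sees only constructed NetFlow-style metadata (port choice and byte volume, never the payload of a TLS flow), and a hierarchical merge keys both kinds of finding by device address. The sample records, the sensitive-path list, the byte threshold and the host addresses are all assumptions made for the example.

```python
from typing import Dict, List, Tuple

Alert = Tuple[str, str]  # (device address, message)

# Constructed audit records from one IoT gateway (sample data, not real logs).
HOST_AUDIT_LINES = [
    "type=EXECVE uid=1000 exe=/usr/bin/curl",
    "type=SYSCALL syscall=open uid=1000 path=/var/log/app.log success=yes",
    "type=SYSCALL syscall=open uid=1000 path=/etc/shadow success=no",
    "type=SYSCALL syscall=open uid=0 path=/etc/shadow success=yes",
]

# Paths that only uid 0 should open on this device (policy assumption).
SENSITIVE_PATHS = {"/etc/shadow", "/etc/sudoers"}

# Constructed NetFlow-style records as seen by a centralized network sensor.
FLOW_RECORDS = [
    {"src": "10.0.0.5", "dst": "203.0.113.9", "dport": 443, "bytes_out": 1_200},
    {"src": "10.0.0.7", "dst": "203.0.113.9", "dport": 443, "bytes_out": 48_000_000},
    {"src": "10.0.0.8", "dst": "10.0.0.1", "dport": 23, "bytes_out": 300},
]

EXFIL_BYTES = 10_000_000      # per-flow outbound volume threshold (assumption)
CLEARTEXT_ADMIN_PORTS = {23}  # telnet: visible from headers alone, no payload needed


def parse_audit(line: str) -> Dict[str, str]:
    """Split a key=value audit record into a dict (values here contain no spaces)."""
    return dict(tok.split("=", 1) for tok in line.split() if "=" in tok)


def hids_alerts(host_ip: str, lines: List[str]) -> List[Alert]:
    """Host-based view: flag a non-root open() of a sensitive path.
    The sensor only sees this host, but it sees the decrypted syscall."""
    alerts: List[Alert] = []
    for line in lines:
        rec = parse_audit(line)
        if (rec.get("syscall") == "open"
                and rec.get("path") in SENSITIVE_PATHS
                and rec.get("uid") != "0"):
            alerts.append((host_ip,
                           f"host: uid {rec['uid']} opened {rec['path']} "
                           f"(success={rec.get('success', '?')})"))
    return alerts


def nids_alerts(flows: List[Dict]) -> List[Alert]:
    """Network view: rules key on metadata only, because the payload of a
    port-443 flow is opaque to a sensor that is not an endpoint."""
    alerts: List[Alert] = []
    for f in flows:
        if f["dport"] in CLEARTEXT_ADMIN_PORTS:
            alerts.append((f["src"],
                           f"net: {f['src']} -> {f['dst']}:{f['dport']} cleartext admin protocol"))
        if f["bytes_out"] > EXFIL_BYTES:
            alerts.append((f["src"],
                           f"net: {f['src']} sent {f['bytes_out']} bytes to "
                           f"{f['dst']}:{f['dport']} (encrypted; volume only)"))
    return alerts


def hierarchical_alerts(host_alerts: List[Alert], net_alerts: List[Alert]) -> Dict[str, List[str]]:
    """Hierarchical view: merge per-host findings with the central sensor's
    findings so each device shows both kinds of evidence side by side."""
    merged: Dict[str, List[str]] = {}
    for ip, msg in host_alerts + net_alerts:
        merged.setdefault(ip, []).append(msg)
    return merged


if __name__ == "__main__":
    host = hids_alerts("10.0.0.7", HOST_AUDIT_LINES)   # HIDS runs on 10.0.0.7 only
    net = nids_alerts(FLOW_RECORDS)
    for ip, msgs in sorted(hierarchical_alerts(host, net).items()):
        print(ip)
        for m in msgs:
            print("  ", m)
```

Running it shows the trade-off in the table: the sensitive-file open on 10.0.0.7 is invisible to the network sensor, the large encrypted upload from 10.0.0.7 and the telnet session from 10.0.0.8 are invisible to a HIDS installed on a single host, and only the merged (hierarchical) view reports all three against their devices.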