Deep Learning-Based Intrusion Detection Systems: A Systematic Review

Nowadays, the ever-increasing complication and severity of security attacks on computer networks have inspired security researchers to incorporate different machine learning methods to protect the organizations’ data and reputation. Deep learning is one of the exciting techniques which recently are vastly employed by the IDS or intrusion detection systems to increase their performance in securing the computer networks and hosts. This survey article focuses on the deep learning-based intrusion detection schemes and puts forward an in-depth survey and classification of these schemes. It first presents the primary background concepts about IDS architecture and various deep learning techniques. It then classifies these schemes according to the type of deep learning methods utilized in each of them. It describes how deep learning networks are utilized in the intrusion detection process to recognize intrusions accurately. Finally, a complete analysis of the investigated IDS frameworks is provided, and concluding remarks and future directions are highlighted.


I. INTRODUCTION
The widespread expansion of the computer networks and their new emerging applications have enabled the attackers to launch various security attacks against them by various means. In this context, Figure 1 depicts the percentage of the security attacks collected from McAfee Labs in 2017, in which most of them are browser attacks, brute force attacks, and Distributed Denial of Service (DDoS) attacks [1], [2]. Also, several security attacks for the new computing environments such as WBANs [3]- [5], e-healthcare systems [6]- [8], fog computing [9], Mobile Edge Computing (MEC), Cloud Computing [10], [11], wireless sensor networks [12], [13], mobile ad hoc networks [14]- [16], and The associate editor coordinating the review of this manuscript and approving it for publication was Yongqiang Cheng .
SDNs [17]- [19] are conducted. Intrusion detection systems are crucial security components used in combination with firewalls to make the computer networks safer places for owning IT organizations and their customers [20], [21].
IDS solutions are one of the key security components that in combination with firewalls can effectively handle various types of security attacks. IDS schemes can be mainly classified as misuse detection schemes and anomaly detection schemes, which can be realized by using various machine learning techniques. Misuse detection or signature-based systems heavily depend on the signature of the security attacks and malicious behaviors and support multi-class classification. However, they cannot detect the new attacks in which their signature is not available for the IDS [22], [23]. However, as an advantage, these schemes benefit from more accuracy in recognizing known malicious behaviors and their variants. On the other hand, the anomaly detection-based IDS approaches can detect new attacks by relying on the users' normal behavior profiles [24], [25] and only support binary classifications. Nonetheless, in dynamic organizations in which users' roles change occasionally, their profiles should be updated correspondingly [26]. Also, anomaly detection schemes may suffer from the false positive problem [27]- [30]. A large number of recent researches are conducted in both anomaly detection and misuse detection contexts using various machine learning techniques [31]- [35]. Conventional machine learning techniques suffer from the lack of labeled training datasets and heavily rely on the extracted features by a human, which makes it difficult for deployment on large platforms [36]. Deep learning is a novel paradigm in the machine learning field mainly established using ANNs or artificial neural networks and has a higher performance than the other conventional machine learning techniques.
Deep learning consists of various networks such as Convolutional Neural Networks (CNNs), Deep Belief Networks (DBNs), Restricted Boltzmann Machines (RBMs), and Recurrent Neural Networks (RNNs), each of which has different capabilities and properties. These networks can carry out the learning process in unsupervised, semisupervised, or supervised manners [38]. Besides, they benefit from the hierarchical layers aimed to find proper high-level features from the raw input data instead of using manual features [36], [39]- [42]. Recently, deep learning techniques are successfully applied in various domains such as text, audio, and visual processing [43] as well as contexts such as sentiment analysis [44], social network analysis, recommender systems [45], natural language processing, wireless networking [46], and so on. Besides, deep learning has achieved a great deal of attention in the IDS context, and numerous deep learning-based misuse detection and anomaly detection models are provided in the literature to deal with various types of intrusions and security attacks. Although deep anomaly detection schemes and deep intrusion detection (both categories) schemes are studied by previously published review articles [47]- [54], no survey paper is specially presented in the literature to put forward a thorough investigation of the deep misuse detection-based intrusion detection approaches. Moreover, our work studies more intrusion detection schemes and presents a more in-depth comparison of the studied research.
For this purpose, this article focuses on deep learningbased intrusion detection and provides a thorough survey of the different frameworks published in this context from 2010 up to 2020. However, to be more useful before presenting the survey, it first introduces the key terms and background knowledge about the IDS schemes and briefly describes the leading deep learning techniques used in different steps of the intrusion detection process, such as feature selection/extraction and classification. To be more specific, this work classifies the deep intrusion detection approaches based on the type of deep learning network applied in their various intrusion detection steps. It also illuminates their significant contributions and security services, which each scheme provides. Furthermore, it describes their main steps carried out using deep learning methods. Besides, each section of the survey puts forward a comparison of the datasets, evaluation metrics, simulators, environments, and different feature extractions that have been applied in the analysis and verification of the proposed deep intrusion detection schemes. Such comparisons of the studied solutions can be beneficial in highlighting plans for future works and illuminating the areas which have been less investigated. According to our studies, this is the first paper aimed to explore intrusion detection schemes that use deep learning networks. The contribution of this survey article can be listed as follows: VOLUME 9, 2021 • Discussing the key concepts in the intrusion detection process and illustrating the main categories of deep learning techniques.
• Categorizing the investigated deep IDS schemes regarding their utilized deep learning network.
• Demonstrating the key contributions, findings, and advantages of recent research conducted in the deep IDS context and comparing their evaluated metrics, simulators/environments, feature extraction methods, and datasets.
• Identifying critical challenges for the deep learningbased intrusion detection approaches, which should be handled in future researches.
• Providing useful information for researchers who investigate in deep IDS context and seek technical directions and knowledge for the development of their research work. The remaining of this survey article is provided as follows: Section 2 articulates the key issues and background knowledge about the various IDS features and briefly describes the well-known deep learning models. Section 3 provides the classification of the studied schemes and reviews them. The comparison results are given in Section 4, and finally, concluding remarks and open research issues are outlined in Section 5.

II. RESEARCH METHODOLOGY
This section introduces the systematic literature review methodology [55] conducted for the deep learning-based misuse detection schemes proposed in the security literature. It describes the process of paper selection and highlights the research questions which will be addressed in the next sections. In this process, we selected the articles as follows: • Regarding the deep learning and misuse detection context.
• Using the research context some search strings are selected and searched to find the required articles. At first, for finding review articles in the intrusion detection context, we searched these strings:  The results achieved from these searches are screened to find credible and original articles. For example, documents such as thesis, patents, and papers from the journals which are not provided by the publishers listed in Table 1 are excluded. The remaining articles are used in conducting this review which will be reviewed in the next section. Figure 2 depicts the number of deep learning-based misuse detection schemes published from 2010 up to 2020. As shown in this figure, the number of these schemes is increasing and this context can be considered as an active research area. Furthermore, Table 2 describes the main research questions which have been addressed in this paper and the reasons which they are pursued. These questions can be useful for finding open issues in the deep learning-based misuse detection context and directing future researches in the proper directions. Figure 3 exhibits the percentage of the articles applied from different publications. As shown in this figure, most of the studied articles in this survey are achieved from the IEEE, Elsevier, and Springer publications.

III. PROPOSED DEEP LEARNING-BASED IDS SCHEMES
This section presents a review of the intrusion detection schemes [56]- [65], [67]- [69], which have benefited deep learning techniques in the security literature. It intends to answer some of the research questions specified in  Section 2. Figure 4 indicates the classification of the deep learning-based IDS schemes according to the type of deep learning network utilized in them. Generally, the studied intrusion detection schemes employ deep learning techniques in the feature extraction step, the classification step, or both.

A. AUTO-ENCODER BASED SCHEMES
This subsection investigates the recently proposed autoencoder-based intrusion detection schemes such as [69]- [83]. For instance, a deep learning-based scheme to handle intrusions is presented in [84] by Al-Qatf et al., denoted as STL-IDS. This scheme uses the self-taught learning framework for the learning of features and reduction of dimension. This IDS model benefits from a sparse auto-encoder for unsupervised reconstructing a new feature representation. After the pretraining stage, the new features are used in the support vector machines (SVM) classifier to improve its detection accuracy. The efficiency of this approach in binary and multiclass classifications is evaluated against the naive Bayes, J48, SVM, and random forest classifiers, which are shallow. The authors indicated that their approach could reduce the SVM's training and testing times in both binary and multiclass classifications and improves the prediction accuracy of the SVM. However, this can be further evaluated using GPU acceleration and parallel platforms. Also, in [85], the authors introduced an IDS approach that uses SVM and deep learning to improve intrusion detection performance. They utilized a stacked autoencoder to decrease features and applied the SVM classifier for events classification into normal or attacks. They used ISCX 2012 dataset and achieved ten features from it by using an auto-encoder and fed it to the SVM for its training. The authors indicated the benefits of their method regarding metrics like Kappa statistic, detection rate, accuracy, and FPR. This scheme achieves a low FPR while keeping accuracy and precision higher. Although their method's performance is higher than the PCA-Gaussian mixture modeling method, it is only able to conduct the binary classification and cannot handle the multiclass attack traffics.   Auto-encoder is one of the methods applied to find appropriate features in the investigated schemes. As an example, in [86], Farahnakian et al. put forward DAE-IDS, which is a deep learning-based IDS method that employs a deep autoencoder, trained by a greedy layer-wise method to prevent problems such as local optimum and over-fitting. It consists of four layers of auto-encoders in which the output of each layer is fed to the input of another layer. Also, a greedy unsupervised layer-wise training method is utilized for training DAE-IDS, enhancing the performance of a deep model. An auto-encoder at the current layer is trained before the autoencoder at the next layer. After training four auto-encoders, they used a softmax classifier to categorize the inputs into the normal and attack classes. The authors conducted their experiments on the KDDCup99 dataset and demonstrated that it could improve accuracy, detection rate, and FPR. However, the sparsity constraints are not explored on the auto-encoders, and how sparse deep auto-encoders can be used to improve the IDS performance is not discussed.
Yu et al. [87] provided a session-based network IDS using a deep learning-based scheme and achieved excellent performance in recognizing botnet traffics. They implemented a deep architecture to learn features of the botnet traffics and introduced a method to create a dataset from raw network traffics. The authors indicated that deep learning approaches are useful in the session-based network IDS. However, the deep architecture's parameters, such as the number of hidden layers, should be tuned further.
In [88], Niyaz et al. presented a multi-vector DDoS attack detection system based on deep learning for the SDN and implemented it on the SDN controllers as an application. It applies deep learning for the reduction of features achieved directly from the traces of various network traffic. A sparse auto-encoder is a neural network that consists of three layers. They evaluated their system based on traffic traces collected from different scenarios. But, they did not address issues such as bottleneck problems at the controller and also did not considered different types of DDoS attacks. However, this scheme cannot work with raw traffic and depends on the derived features. Besides, the proposed approach in [89] provided a distributed deep learning-based attack detection scheme for the fog computing environment by applying the NSL-KDD. In this scheme, a pre-trained stacked auto-encoder is employed to reduce features, and the softmax classifier is applied for classification purposes. They compared their model with shallow learning methods and analyzed its results using metrics such as DR, accuracy, training time, testing time, and ROC curve. As outlined by the authors, this scheme must be further evaluated on other datasets and should be compared with other types of neural networks.
Shone et al. [90] presented an IDS scheme, in which unsupervised feature learning applies a non-symmetric deep auto-encoder. They provided a classification method by incorporating the stacked non-symmetric deep autoencoders and the random forest classifier. They analyzed their model with the Tensor Flow software tool and applied the NSL-KDD and KDDCup99 datasets. The authors compared their approach against the DBN and indicated that their approach provides higher accuracy, precision, and recall while reducing training time.
The intrusion detection approach in [91] provided a de-noising approach combined with the deep learning methods to deal with the imbalanced datasets applied in the network IDSs. The authors applied the NSL-KDD dataset and carried out their experiments using TensorFlow and used their denoising method to improve results achieved by the SAE and DBN. The authors showed that their method could improve recall, precision, and accuracy while balancing accuracy for the U2R and R2L attacks. However, further evaluations of real traffics are needed to verify the capabilities of this IDS approach.
In [92], the authors established a network IDS using deep learning, which applies power-efficient Neuromorphic processors. They encoded the data to train the auto-encoder, and its achieved weights are involved in the supervised training step. At last, the weights are converted to discrete values by applying discrete vector factorization to produce synaptic weights and crossbar weights, as well as neurons' thresholds. This IDS model is analyzed with the Neurosynaptic core simulator, and the results indicated that it benefits from high accuracy with low power usage.
In [93], Kim et al. introduced DAEQ-N, which utilizes a reinforcement learning-based method that uses a deep autoencoder in the Q-network to achieve high prediction accuracy in online learning systems while detecting intrusions by verifying whether the data is classified as normal or anomalous. In their model, the rewards are calculated as the sums of the differences between encoding and decoding. They developed the average reward during the training and achieved steady progress using the auto-encoder. The relevant feature patterns are fed back into the DAEQ-N.
Furthermore, the network IDS proposed in [94] utilized the self-taught learning method for training the deep neural network. They indicated that the concatenation of the features extracted by self-taught learning with the NSL-KDD's features increases the performance of the sparse auto-encoder. The IDS scheme's performance is compared regarding the accuracy, detection rate, FPR, precision-recall curve, and ROC.
Also, in [95], Louati and Ktata introduced DL-MAFID, for solving multi-class intrusion detection problems using multiagent systems and auto-encoder. This scheme uses an autoencoder for dimension reduction and evaluates its dimension reduction capability using the KDDCup'99 dataset. Besides, shallow classifiers such as MLP and KNN are used to recognize five classes of the studied dataset. The conducted experiments showed that DL-MAFID can achieve an accuracy of 99.95% and decreases the detection time.
Abusitta et al. [70], proposed a deep learning-driven IDS scheme for multi-cloud environments that can handle incomplete IDS feedbacks. More specifically, it learns to reconstruct IDS feedbacks regarding incomplete feedbacks using the denoising auto-encoder. Besides, this scheme learns extracting features that can handle incomplete feedback, allowing deciding about probable intrusions regarding the incomplete IDS feedback. The authors evaluated their scheme using the KDDCup'99 dataset in the GPU-enabled Tensor-Flow against MLP and stacked auto-encoder. Uneven distribution of data can happen in training, to deal with this issue, in [96], Chuang and Wu presented a NIDS scheme in which applies a data generation model by training a variational auto-encoder to deal with data shortage and imbalanced data in datasets. For training the NID model, this scheme applies a data generation model to provide a dataset with a balanced set of records for each category of attacks. By having a balanced dataset, the over-fitting problem in the training of the proposed IDS model can be handled. The authors have evaluated their scheme using the Keras and apply the NSL-KDD dataset. Table 3 compares the evaluation metrics, simulators, feature extractions, and datasets applied in the auto-encoder-based intrusion detection schemes investigated in this part of the paper.

B. RESTRICTED BOLTZMANN MACHINE-BASED SCHEMES
Many schemes have used RBM in the detection of intrusions [97]- [99]. For example, in [100], the authors provided an IDS framework for smart cities by using RBMs for unsupervised learning of the features from data generated by sensors. By using achieved features, various classifiers are trained. They used the RBM models with various layers and indicated the ability of the automated feed-forward ANN in outperforming the feed-forward ANNs, random forest, and SVM learned models. The authors indicated the efficiency of their method in detecting attacks with higher accuracy. However, they also demonstrated that the performance of attack detection decreases as the number of classes ascends. Also, the security scheme in [98] provided RBC-IDS, an RBM-based, and clustering-based IDS for WSNs. They studied its performance and compared it to another IDS scheme called ASCH-IDS. The authors indicated that ASCH-IDS and RBC-IDS could reach the same accuracy and detection rate, but the RBCIDS's detection time is longer. They also used the various number of hidden layers in the RBC-IDS compared it against the ASCH-IDS. They exhibited that when their scheme is used with three hidden layers, it can achieve a higher detection rate and accuracy. Besides, they showed that the machine learning IDS solutions perform the same as the deep learning IDS schemes, but with less detection time.
Also, Zhang et al. [101] introduced an IDS framework by combining RBM, SVM, and DBN and the combination of the ANNs at the bottom, aiming to improve the accuracy and speed of the RBM. Unsupervised learning can enhance the ANNs to extract features more efficiently. To evaluate their scheme, the authors applied metrics such as accuracy, FPR, FNR, testing time, and training time with the KDDCup99 dataset and indicated some improvements in these metrics. Besides, the network IDS introduced in [102] applied RBMs to learn various complex datasets. They analyzed the learning procedures of RBMs and trained their RBMs on the IDS datasets. Besides, Alom et al. [103] presented a network IDS using unsupervised deep learning and rules-based approaches to identify new types of attacks. In this scheme, the autoencoder and RBM are applied for the unsupervised extraction of features. Then k-means clustering is applied to these three features, and an unsupervised extreme learning machine is used in network IDS. The authors carried out the KDD-Cup99 dataset and achieved high detection accuracy. Another network IDS approach is proposed in [104], which benefits from deep confidence neural networks to find features of monitored network data and used BP neural network classifier to detect intrusions. The authors analyzed the influence of the DBN network model's parameters on the IDS performance. They also validated their scheme using the KDDCup99 dataset and indicated that it improves accuracy over the shallow learning methods. For recognizing DDoS attacks, in [ Table 4 compares the evaluation metrics, simulators, feature extractions, and datasets applied in the RBM-based intrusion detection schemes investigated in this part of the paper.

C. DEEP BELIEF NETWORK-BASED SCHEMES
This subsection discusses the IDS schemes [106]- [113], which have utilized the DBN in handling intrusions and security vulnerabilities. For instance, Zhang et al. [114] presented an IDS approach based on the DBN and an improved GA, which intends to find an optimal network structure for DBN to classify security attacks. It reduces the network structure complexity and enhances the accuracy of classification.
Also, for attacks such as U2R, which have fewer training data, their approach provides higher accuracy than other methods. They optimized the deep network parameters, reduced the training time, and improved the IDS accuracy.
In [115], Gao et al. introduced an IDS model based on the DBN, which combines a back-propagation network and RBM. The deep learning model proposed in this scheme can learn high-dimensional representations and performs the classification task. Besides, this scheme uses the unsupervised greedy learning algorithm for pre-training and also tuning the DBN to learn high-dimensional data and facilitate the classification.
The intrusion detection approach proposed in [116] investigated the abilities of the DBN in conducting intrusion detection on the NSL-KDD after its training. The authors evaluated the training time and testing time of their system and indicated that it could recognize the security attacks and classifies them into five classes in the presence of incomplete and nonlinear data.
Tian et al. [117] tried to improve the IDS accuracy by using recursive DBNs and random forest classifiers. They introduced the forgetting coefficient and the tracking time-varying factor to make the trained parameters reasonable. They also classified the extracted features using the random forest classifier and indicated that it could increase the detection rate and reduce the FPR. Besides, David et al. [118] provided a hybrid IDS scheme by using deep learning techniques for the generation of the security attacks' signatures and classifying them. This scheme employs a deep stack of denoising AEs for implementing DBN, which can process raw input data for training the DNN and generate malware signatures. Their approach achieves a high level of accuracy by using the DBN-generated signatures and uses a dataset containing primary malware attacks.  In [119], Salama et al. provided an IDS scheme that benefits from the DBN and SVM and can conduct network traffic classification into normal traffic class, U2R, DoS, R2L, and Probing attacks. They used DBN to mitigate the dimension of feature sets and used SVM to classify the intrusion. They presented tests on the NSL-KDD dataset and indicated that their approach accuracy is high.
The intrusion detection scheme proposed in [120] provided MDPCA-DBN, a fuzzy aggregation method that uses DBN, and a density peak clustering method. This scheme divides the training set to reduce dataset size and mitigate the imbalance of the data samples in the primary dataset. Each of the subsets is applied for training sub-DBNs and reducing data dimensions. They calculated the weights of the fuzzy membership function of the test samples in the sub-DBNs and aggregated their output according to their weights. The authors conducted experiments on the NSL-KDD and UNSW-NB15 IDS datasets to indicate that their scheme can improve metrics like recall, accuracy, precision, detection rate, F1-score, and FPR. The security solution in [121] developed an IDS for the IoT environment, which employs a deep learning method to recognize malicious traffics by providing security as a service and enabling interoperability in the IoT. They evaluated their scheme using raw traffic data achieved from the network traffic traces. Table 5 compares the evaluation metrics, simulators, feature extractions, and datasets applied in the DBN-based intrusion detection schemes, outlined in this subsection.

D. RECURRENT NEURAL NETWORK-BASED SCHEMES
This subsection studies the IDS schemes [110], [122]- [129], which apply RNN in the detection of intrusions. For instance, for detecting attacks within the IoT network, Roy et al. [130] incorporated an LSTM RNN. This scheme deals with the IoT traffic to recognize the attack and normal patterns. The authors trained the RNN with the UNSWNB15 dataset and indicated that their model's efficiency regarding metrics like recall, precision, FAR, and F-1 score. They noted that BLSTM RNN-based IDS is efficient and can have high accuracy. However, further experiments on the more massive datasets of IoT traffics should be conducted to verify the achieved results.
They studied their scheme in the multiclass and binary classification problems and analyzed the neurons and various learning rates' impact on their model. This scheme is evaluated on the NSL-KDD against shallow classifiers like naive Bayesian, J48, and random forest, and it is indicated that it could achieve a high detection rate and accuracy with a low FPR in multiclass classification.
The IDS scheme in [132] applied real-time data as input to a neural network. They used a deep multilayer perceptron and also an RNN model, which benefits from an LSTM hidden layer for learning the temporal context of several attacks such as command injection and DDoS. Based on the detection latency, they introduced a mathematical model to determine the proper time for computation offloading of their model.
The DDoS attack detection approach presented in [133] uses deep learning to find the most useful features from the low-level features and achieves reasonable inference. In this scheme, the DDoS attack detection is formulated as a sequence classification, and the packet-based DDoS attack detection is transformed into window-based attack detection. In this scheme, the deep defense consists of RNN, CNN, and fully connected layers. They designed an RNN to learn traffic patterns, which improve the performance of DDoS detection and decrease the error rate. RNN can also learn long historical features and outperforms the random forest classifier. Nonetheless, to further verify the results of this RRN-based scheme, it should be tested on the datasets with several DoS attacks and compared with other shallow models.
In [134], Jiang et al. applied an LSTM RNN to conduct a multi-channel attack detection. To enhance the detection rate, it preprocesses data and performs feature abstraction and training, and detection steps. Preprocessing of data provides high-quality data, and then various features can be achieved from it. They trained the neural networks with multiple features and classified the attacks. They also introduced a voting algorithm that outperforms shallow classifiers such as Bayesian and SVM while classifying input data as normal or attack.
In [135], Kasongo et al. presented DLSTM, an IDS scheme that utilizes a deep LSTM-based classifier and benefits from the multiple LSTM layers coupled to a DFFL to find intrusions. Furthermore, this scheme applies the information gain method for selecting appropriate features. They used the NSL-KDD dataset and compared their approach against Naïve Bayes, SVM, random forests, KNN, and deep feed-forward neural networks. The authors improved the accuracy and F1-Score; nonetheless, as specified by them, more evaluations on other datasets and attacks are needed to verify the achieved results and improvements.
In [136], Kaur et al. provided D-Sign, a deep learningbased hybrid IDS scheme for intrusion detection, which can generate the signature of new web attacks. The evaluations of D-Sign are conducted using the ROC area, detection rate, precision, TPR, recall, F-measure, and FPR. The authors indicated that their scheme could improve sensitivity, accuracy, and specificity while reducing the FPR and FNR. However, to increase the performance of this scheme, a better pattern matching algorithm should be used for a signature generation while testing it with an updated dataset. Also, to prevent the vanishing gradient problem, the proposed RNN must be further improved.
In [137], Xu et al. proposed an IDS that consists of a softmax module, multilayer perceptron (MLP), and an RNN with gated recurrent units (GRU). This IDS approach is tested using the NSL-KDD and KDDCup'99 datasets. The experimental results showed that GRU provides better results than the LSTM in the RNNs and the bidirectional GRU achieves the best results. However, their system relies on theoretical verification, and to further verify it, this method must be applied to real network environments.
Almiani et al. [138], introduced an automated IDS for securing fog computing, which applies multi-layered RNN. This IDS model incorporates an improved backpropagation algorithm to train the RNN. This scheme has two engines denoted as classification and traffic analysis engines.
At first, the traffic connection records are pre-processed in the traffic processing unit to provide usable traffic data for the classification engine where the connections are classified into normal and attack. Furthermore, this IDS is analyzed using the NSL-KDD dataset and metrics such as accuracy, precision, detection rate, F1-measure, false-positive rate, falsenegative rate, Kappa coefficients, and Mathew correlation. But, to verify the achieved results, further evaluations using real network traffic are necessary. Table 6 indicates the applied evaluation metrics, tools, feature extractions, and IDS datasets in the RNN-based intrusion detection schemes.

E. DEEP NEURAL NETWORK-BASED SCHEMES
This subsection studies the IDS schemes such as [139]- [149], which utilize the DNN in handling intrusions and security attacks. For instance, in [150], Amarasinghe et al. presented a supervised learning IDS scheme using DNN, which for increasing the trust of the users generates feedbacks on the decision-making of the IDS. This scheme generates offline feedback after the training process and creates online feedback in the deployment process. This scheme is evaluated using the NSL-KDD for detecting two DDoS and Probe attacks using different depths. The authors exhibited that their created feedback can add another evaluation layer by the user. However, the authors have not considered the speed of events into account in creating online feedback, and the feedback should be generated in human-understandable methods.
The intrusion detection scheme in [151] addressed the ability of DNN as a classifier for handling a diverse set of intrusions. The training and validation models have a high R2 value that indicates the introduced model can be accurate. With the loss being set as cross-entropy, they got a classification model to detect the next intrusions.
In [152], Kim et al. provided an IDS using a DNN, in which preprocess data using transformation and normalization. After refining the data by preprocessing, the DNN is used to create a learning model, and for conducting the required evaluations, the KDDCup99 is employed to analyze the accuracy, detection rate, and FPR of this model. The work in [153] proposed an IDS scheme using a DNN and trained it by using packet traces exchanged among electronic control units in the vehicular network. They tried to find proper features generated from network data for detecting normal and attack packets. For providing a fast response to the security attacks with a high detection ratio, this IDS scheme monitors packet exchange in vehicular networks and trains the features offline. Also, they evaluated the required time for training and testing steps.
Potluri et al. [154] presented a DNN-based IDS scheme, which at first converts the non-numeric values to the numeric ones and then normalizes them. Afterward, the training is conducted on various multi-core systems, and the required time for training is analyzed. This IDS scheme utilizes the DNN to extract the relations between the given input data. Also, the tuning of the DNN is conducted after various training stages. Then, DNN classifies the input data into the normal and attack classes, and it also should be tested with the test part of the dataset. But, because there are a few training data for attacks such as U2R and R2L, these attacks are not detected, and this problem decreases the detection accuracy of this scheme. Also, they exhibited that the training step can be conducted faster by using the multicore CPU, but the GPU did not achieve high performance because of the applied data type. The security solution in [155] proposed an ensemble-based IDS which applies deep techniques like auto-encoder, DNN, DBNN, and an extreme learning machine. It uses the NSL-KDD to study the performance of the implemented neural network ensemble based on metrics such as accuracy, detection rate, FPR, and AUC. To further improve the results, other machine learning approaches should be analyzed in the proposed ensemble. The IDS scheme in [156] tried to apply two kinds of DNNs, which are auto-encoder and RNN, to recognize payload-based web attacks. Their model utilizes two DNNs to find useful features and classify the URLs as benign or malicious.
In [157], the authors used recurrent and convolutional network layers to construct an ANN model for finding appropriate features. They provided a hierarchical extraction of features by integrating the convolution of n-grams with sequential modeling. By using one recurrent layer and two convolutional layers, they detect various malware.
The IDS approach in [158] utilized DNN for the classification of the security attacks on the internet of things and evaluated the performance of their scheme using datasets such as CIDDS-001, GPRS, and UNSW-NB15. Furthermore, the DNN is integrated with a grid search method to tune parameters for each dataset. They analyzed their approach's performance regarding metrics such as accuracy, recall, precision, and FPR.
Peng et al. [159] proposed ENIDS, a deep learning-based network IDS framework for improving IDS performance. It uses the NSL-KDD to train classifiers such as DNN, SVM, logistic regression models, and random forest. Nonetheless, the authors showed that their approach is vulnerable to some security attacks.
The IDS scheme in [160] is aimed to classify network traffic datasets by using classifiers such as random forest, gradient boosting tree, and deep feed-forward ANN. They used a homogeneity metric for finding the most appropriate features from a dataset. Besides, they utilized 5-fold crossvalidation to assess their models. The authors demonstrated that their approach provides high accuracy for multiclass and binary classification with DNN on the CICIDS2017 and UNSW NB15 datasets.
The work in [161] provided TSDL, an IDS scheme based on a deep-stacked auto-encoder neural network that applies two hidden layers and the softmax classifier. This deep model is trained by a semi-supervised method, and each of the hidden layers is pre-trained unsupervised using the unlabeled traffic features. The initial decision step of this model classifies the network traffic into normal and abnormal classes using the deep learning model by the user. To recognize the attack types, where the probability of the initial step's output is utilized as a feature to complement the main features, and this further enables the decision-making step to classify various types of attacks. They evaluated their scheme on the datasets such as KDDCup99 and UNSWNB15, which have more types of attacks.
This model achieves good accuracy for multiclass intrusion detection with both datasets. Also, FAR and the execution time of this scheme are low. Table 7 indicates the evaluation metrics, tools, feature extractions, and datasets applied in the DNN-based schemes.

F. CNN-BASED SCHEMES
This subsection discusses the intrusion detection schemes such as [162]- [189], which apply CNN in intrusion detection. For example, in [190]  network traffic features by using CNN, and then, the required data for detecting intrusions is achieved by supervised learning.
For decreasing the execution cost, in this scheme, the traffic vector is converted into an image. The authors used KDD-Cup99 for performance evaluation and showed that based on various metrics such as FAR, accuracy, and timeliness, the CNN-IDS model is good. However, the low detection rate of attacks such as R2L and U2R is not addressed in this scheme.
The security solution in [191] proposed a character-based IDS scheme using CNNs. It considers the network traffic as a set of characters and encodes them into a vector, aggregated into a matrix as the input of the CNNs. It uses the NSL-KDD for conducting the required experiments and shows that it has good accuracy, detection rate, and low FPR in binary and multiclass classification. However, the authors failed to investigate the impact of various structures of CNN on their model. Also, Wang et al. [192] provided an encrypted traffic classification approach using one-dimensional CNNs, which integrates the extraction and selection of features with a classifier. The authors have verified their scheme using ISCX VPN-nonVPN dataset. They demonstrated that the 1D-CNN can classifies encrypted traffic better than the 2D-CNN.
In [193], Saxe et al. presented the eXpose neural network, which employs a deep learning approach to receive short strings, learn useful features, and classify the input using character-level embedding and CNN. They developed a CNN for the automatic finding of features from a string. Using embedding with convolutions as top layers with the supervised training allows finding useful features optimized for classification. This scheme demonstrates how a deep-learning method is adapted to security problems, where strings are obfuscated to prevent the extraction of the features. However, in this scheme, the computational cost of training on the long strings is high.
The IDS approach in [194] presented a network traffic classification scheme using a CNN model, which considers the data traffic as images. In this approach, the classifier can handle raw network traffic data and does not need any features designed by a human. The scheme is evaluated using two different scenarios with three classifiers. In these experiments, the authors showed that their approach could obtain the required accuracy.
In [195], the authors introduced a few-shot deep learning scheme for improving IDS performance. They trained a deep CNN for IDS. They tried to extract various layers in the CNN model and applied a 1-nearest neighbor and linear SVM classifiers. It can deal with the imbalanced training samples problem in which a specific class has limited data. They used NSL-KDD and KDDCup99 datasets. But, this scheme should be further evaluated on the other imbalanced datasets, in which some of their attack classes have much fewer data records than others, to verify the detection rate of the minority class security attacks.
Yang et al. [196] are aimed to secure the SCADA networks against malicious attacks by proposing a deep-learningbased IDS. This approach employs a CNN-based model to find traffic patterns and time windows of network attacks. They designed a re-training scheme to deal with unseen attack instances, to update SCADA systems their neural networks with attack traces. Their experiments showed that this approach achieves good accuracy in handling network intrusions in the SCADA systems. However, this scheme does not support mixed attacks and should be enhanced to deal with other security attacks on the SCADA protocols.
In [197], Zeng et al. presented an IDS approach by using a deep learning-based model to recognize malware traffic for OBUs. This scheme does not need the extracted features by a human and, as an advantage, can handle raw traffic data. The performance of this scheme is compared against other IDS methods on a public dataset and on a simulated VANET dataset. The results indicated that this scheme could achieve excellent performance with a lower resource requirement.
Bassey et al. [198] applied deep learning in an IDS model to find unauthorized devices in IoT, by using radiofrequency fingerprinting(RF), which are hard to impersonate and are collected from six identical ZigBee devices. A CNN is used to find appropriate features from the RF traces, and de-correlation is performed on these features. The reduced features are clustered to identify IoT devices. The experimental results exhibited that the deep learning-based extraction of feature can recognize new machines which were not observed in the training step.
The security approach proposed in [199] introduced an IDS based on a deep CNN to protect CAN or controller area network bus, located inside a vehicle in vehicular networks. The deep CNN learns the pattern of the network traffic and recognizes attack traffic with no need for features designed by humans and recognizes message injection attacks according to the traffic changes. This IDS scheme is designed utilizing the Inception-ResNet model designed for image classification while reducing its size and layers. To use the CAN messages as input to the deep CNN classifier, they generated a 2-D data frame like an image with sequential bitwise identifiers of CAN messages. They indicated that their IDS could recognize attack traffics such as DoS, fuzzy attacks, and spoofing attacks. They considered four message injection attacks in their experiments that exploited the CAN bus. This scheme is evaluated against the LSTM, SVM, ANN, k-NN, NB, and decision tree classifiers and the authors indicated that the LSTM and ANN provide better performance but incur more FNR and ER.
Also, in [200], Song et al. proposed an IDS solution using CNN to protect the vehicle's controller area network bus. This scheme applies the CNN, provided using the Inception-ResNet model structure presented for image classification, to learn the traffic patterns of the network and detect attack traffic with a high detection rate. However, since the Inception-ResNet architecture is complicated, they restructured the CNN by mitigating its size and layers. They provided a frame builder, a module that produces a 2-D data frame similar to an image with sequential bitwise identifiers of CAN messages and enables the CNN to learn input data temporal patterns. They constructed fully labeled datasets for the attacks of the in-vehicle network by injecting the CAN messages. By performing the required experiments they demonstrated that their IDS can have low false-negative rates and error rates, comparing to other machine learning methods. Nonetheless, the proposed CNN model cannot handle new attacks.
Also, Bu et al. [201], proposed CN-LCS, an IDS approach for a relational database management system that uses CNN and LCS or Learning Classifier System. This scheme can classify sparse and high-dimensional feature vectors of database queries with convolution-pooling operations and GA-based feature selection. Furthermore, in this scheme, CNN is used to classify the queries by modeling normal behaviors of the database, and the GA-based LCS is used to find new rules for detecting anomalies. The authors performed the necessary experiments on the TPC-E dataset and showed that their scheme presents better accuracy than other machine learning methods. However, further evaluation of the proposed scheme seems to be necessary, and also the authors failed to further tune the genetic operators applied in the CN-LCS for ensuring stable performance.
In [202], Li et al. proposed DeepFed, a federated deep learning-based IDS scheme for detecting security threats by using the CNN and gated recurrent unit. They introduced a federated learning framework for creating IDS using data from multiple systems. Also, they used a Paillier public key-based cryptography system for securing the proposed model in the training process. The authors run the experiments using a real dataset for industrial cyber-physical systems and demonstrated the effectiveness of their approach. However, DeepFed does not address the cyber-security problems from different-domain cyber-physical systems.
The IDS scheme proposed in [203], applies the CNN to detect DoS attacks in a hybrid network-based IDS and it consists of four convolutional layers, two pool layers, three dropout layers, two dense layers, one flatten layer, and one softmax layer. For evaluation of this IDS approach, Wireshark and Weka tools are employed and datasets such as ISCXIDS 2012 and NSL-KDD are used. The authors indicated that by using the CNN their scheme can achieve higher accuracy than other machine learning algorithms.
Riyaz et al. [204], provided an IDS scheme for wireless networks, which uses CRF-LCFS, a feature selection method that applies linear correlation coefficient and conditional random field. This feature selection method applies the conditional random field for choosing variables used in the feature selection using correlation coefficient variance. The proposed feature selection approach provides important features for the CNN that is used for the classification step. At last, the author exhibited that their model achieves less false alarm rate, training, and testing time while getting high detection accuracy compared with the other CNN-based IDS schemes. Also, in [205], Wu et al. presented a NIDS model utilizing CNNs, in which the CNN is incorporated for automatically selecting features from raw network traffic. To process data with CNN, this scheme converts the raw network traffic vector into the two-dimensional image format. They set the cost function weight coefficient of each class based on its numbers to solve the imbalanced data set problem. They used the NSL-KDD dataset for evaluating their CNN model's performance and showed that it has lower computational complexity while achieving better results in terms of accuracy and FAR. Table 8 indicates the evaluation metrics, tools, feature extractions, and datasets applied in the CNN-based intrusion detection schemes.

G. HYBRID IDS SCHEMES
In [206], Xu et al. introduced LCVAE, a deep learning-based IDS method using a log-cosh conditional variational autoencoder, which can capture the observed data distribution and can provide new data in the specific classes. In this scheme, the authors the log hyperbolic cosine function to introduce a loss term, which can balance the generation procedures and generates different data for classes that are imbalanced. Besides, they utilized the CNN-based classification based on the observed and generated intrusion. Finally, they conducted the required experiments using NSL-KDD and demonstrated their scheme capabilities in generating new diverse intrusion data.
Yang et al. [207], proposed ICVAE-DNN, an IDS model that combines an improved conditional variational autoencoder with a DNN. In this scheme, the auto-encoder is used to learn and explore sparse representations between network data features and classes. The trained ICVAE decoder generates new attack samples according to the specified intrusion categories to balance the training data and increase the diversity of training samples, improving the detection rate of the imbalanced attacks. The trained ICVAE encoder is not only used to automatically reduce data dimension but initialize the weight of DNN hidden layers so that DNN can easily achieve global optimization through backpropagation and fine-tuning. The authors used the NSL-KDD and UNSW-NB15 datasets are used for evaluating their scheme and indicated that their scheme can outperform other IDS approaches regarding metrics such as accuracy, detection rate, and falsepositive rate, even detecting minority attacks and unknown attacks.
In [208], Hara et al. introduced an IDS scheme that employs semi-supervised learning which uses a small number of labeled data in the training dataset to reduce costly human-labor tasks and improves the performance with the support of unlabeled data in the training dataset. This scheme uses the adversarial auto-encoder, a semi-supervised learning algorithm that incorporates the GAN into the auto-encoder. They evaluated their approach using the NSL-KDD dataset and indicated that their scheme by using only 0.1 percent of labeled data achieves comparable performance with existing IDSs that use machine learning methods.
In [209], Zhang et al. introduced Tiki-Taka, a deep learning-based NIDS approach for handling security attacks. They trained MLP, CNN, and C-LSTM models on the CSE-CIC-IDS2018 dataset and employed 5 categories of security attacks. This scheme provides query detection, ensembling adversarial training, and model voting ensembling. The authors compared their scheme against MLP, CNN, and C-LSTM-based IDS approaches with metrics such as precision, accuracy, Recall, and F1-Score. They exhibited that although their models have high detection rates, it is vulnerable to adversarial samples.

IV. DISCUSSION
This section intends to compare the various techniques and methods employed in intrusion detection schemes. The results of this section can be useful in highlighting the directions of future researches. This section provides the following information about these schemes: • Simulation metrics used in the evaluation of the studied intrusion detection solutions.
• Environments, programming languages, and simulator software appealed to verify the proposed intrusion detection schemes.
• Datasets used to evaluate and assess deep learning-based intrusion detection solutions.
• The applied feature extraction methods.
• The number of intrusion detection schemes designed using each type of deep learning technique.
• The publication year of the investigated intrusion detection frameworks.
• Accuracy of the deep IDS schemes on several open datasets such as KDDCup, NSL-KDD, ISCX, and UNSW-NB15. Figure 5 exhibits some of the evaluation metrics employed by the deep learning-based intrusion detection schemes and the number of systems that have utilized each factor in their experiments to verify their results. As shown in this figure, metrics such as accuracy, precision, and recall are widely used by the studied intrusion detection approaches. Figure 6 indicates the percentage of the different feature extraction methods in the investigated deep learning-based IDS schemes. As shown in this figure, feature extraction methods such as entropy and PCA are widely utilized by the outlined IDS schemes. Likewise, Figure 7 specifies the percentage of the simulators applied in the analyzed    and Windows. It can be applied to data flow graphs and differentiable programming. It is employed in applications such as ANNs and can operate on several GPUs and CPUs. It also introduces various levels of distributed and parallel operations.
Another environment that is applied by some of the deep IDS schemes is Snort, which is a free and open-source IDS tool that can be used on small networks. It can be run on operating systems such as BSD, Linux, Windows, and Mac. Furthermore, Snort doesn't need to recompile the kernel and does not need specific hardware or software. In addition to the before-mentioned environments, recently other software tools such as DeepLearning4j, Caffe, Torch, Theano, MXNet, Neon, and Microsoft Cognitive Toolkit can be used for designing deep learning-based solutions. Figure 8 exhibits the datasets applied in the investigated approaches and determines the number of schemes that have employed each type of dataset. It can be concluded from this figure, the primary datasets used in this context are the NSLKDD and KDD-Cup99, which are pretty old. Likewise, the other datasets shown in this figure can be described as follows: • UNSW-NB15 dataset contains 42 features, and 32% of its records are normal, and 68% of its records are malicious.
• CIDDS-001 dataset is a flow-based one that consists of 10 features and five classes: unknown, attacker, suspicious, normal, and victim. It can be applied to evaluate the IDS approaches and consists of malicious traffics such as DDoS, brute force, and port scans.
• GPRS is a dataset designed for IEEE 802.11 environments and has 15 features for two different topologies: WEP/WPA and WPA2. Figure 9 depicts the number of intrusion detection schemes designed using each type of deep learning technique. This figure indicates that more IDS schemes favor deep neural networks such as auto-encoders, DNN, and CNN.
The percentage of the intrusion detection schemes which have applied raw data or existing benchmark IDS datasets in their experiments and evaluations are shown in Figure 10. As shown in this figure, most of the schemes have assumed that the required data for training and testing are pre-stored in the datasets and only use them. Such systems often consider that no other data will be added to the dataset, and there is no need for incremental training of classifiers. Also, a few numbers of the investigated IDS schemes have focused on the processing of the raw data achieved from monitoring the streaming network traffic or host events. These schemes often use incremental learning, which uses input data for continuous training of the IDS model and extracting new security attack signatures. Another item that we illuminate about the studied schemes is their accuracy.
For this purpose, Figure 11 compares the accuracy of the several deep IDS schemes, which the authors have claimed achieved on their experiment conducted on the KDDCup   dataset. Also, Figure 12 indicates the accuracy of some other deep IDS schemes on the NSL-KDD dataset. Figure 13 depicts the accuracy of the deep IDS approaches achieved on the ISCX dataset, and Figure 14 indicates the accuracy results achieved on the UNSW-NB15 dataset by some of the deep learning-based IDS solutions. As shown in these figures, fewer schemes have evaluated the newer datasets, and in future studies, verification of the proposed schemes should be evaluated on the newer datasets that better reflect the real traffic of the target environment. Deep learning methods have been used for classification and feature learning purposes, in which the latter method reduces the complexity of the raw features of the dataset. As shown in previous sections, autoencoders are often used for feature learning, and RNNs are applied for classification purposes. Regarding the need for real-time IDS schemes, the online learning method is applied in some of the studied deep IDS approaches. Also, online learning cannot be easily parallelized, and each input data need a linear learning rate. Also, in online learning, it is assumed that data have a similar distribution and possess a specific amount of correlation. In this learning method, data with time-varying distributions can be a challenging issue.
Consequently, handling such challenges in the online learning and application of the proposed methods in deep IDS schemes should be investigated. As outlined before,    in some of the studied schemes, deep learning in some IDS schemes has been used for feature selection/extraction. In such schemes, improved versions of the machine learning algorithms can be further used to increase the performance of the intrusion detection process. The training of deep learning networks is another interesting issue that is aimed at finding the network parameters for minimizing the loss function. Currently, for the training of the deep networks, the SGD or Stochastic Gradient Descent algorithm is used to tune the network parameters based on the gradient for each training sample. Typically, the SGD's complexity is less than the basic gradient descent method, and in its learning phase, the learning rate hyper-parameter tunes the updating speed. Numerous methods are proposed for accelerating the convergence and determining the learning rate. In the subsequent studies, tuning the SGD's learning rate can be investigated further. Furthermore, by the conducted investigations, it can be concluded that few deep IDS schemes are proposed for environments such as VANETs, Internet of Things (IoT), mobile edge computing, software-defined network, and healthcare systems, and it has not been well-studied in these domains. Thus, introducing special-purpose deep IDS approaches for such environments should be further studied in the next IDS studies. Besides, in such schemes, using datasets that reflect the inherent traffic of the environment is of the main issues. In this context, some of the schemes, such as [150], have produced their required datasets by capturing traffic from their environments, and some others, such as [197], have used simulated traffics. Besides, in designing deep IDS approaches, high resource consumption of the deep learning techniques should be considered, especially in domains such as IoT, which consists of many resource-limited devices.
From the results of the previous section, it can be seen that most of the schemes have used the KDDCup-based datasets, which are old and cannot represent the current threats and security attacks. Thus, due to the limitations of the existing datasets, creating new datasets in the IDS context and different domains should enable proper verification of the newly proposed IDS schemes.
Based on the type of traffic which the studied IDS schemes can handle, the proposed schemes can be classified as the schemes which handle unencrypted traffic and schemes that are designed to deal with encrypted traffics. Nonetheless, only a handful of schemes have been designed to detect intrusion on encrypted traffic. Thus, further studies on encrypted traffic seem to be necessary for different domains.
Typically, the deep learning techniques have high computational needs, and their training latency and computation complexity raise according to the number of their applied neurons and layers. Furthermore, when a deep IDS scheme uses a large dataset, techniques such as cross-validation, which are used to reduce the over-fitting problem, can incur further training costs. Several approaches are proposed approach in the literature to deal with this issue; for instance, reservoir computing, hardware-assisted methods, and incremental methods are used in offline training. Furthermore, cloud computing processing capabilities can be benefited in some domains, such as the IoT, to reduce the deep learning overheads. From the studied deep IDS schemes, mostly applied GPU to increase the performance of the learning process. But, GPUs suffer from the current leakage problem, and this prevents its application on portable devices. Although FPGA or Field-Programmable Gate Arrays are used to deal with this problem, finding other solutions to increase the performance of deep network training should be studied to increase the training speed of the deep techniques.
One of the interesting solutions to deal with the training speed of the deep learning methods is distributed deep learning. In this context, model parallelism and data parallelism methods are proposed for training the deep model in a distributed system, in which for model parallelism, all data should be handled with one model, and all nodes participate in estimating the model's parameters. Also, in data parallelism methods, the deep model should be replicated on all the nodes to be trained with a part of the dataset, and nodes cooperate to update and synchronize the model weights. Using distributed deep learning techniques can further enhance the training speed of the deep learning-based intrusion detection process and should be analyzed in subsequent researches.
Another interesting method that is used for reducing the training time of deep learning networks is transfer learning that for small new datasets can be performed with the pre-trained networks as fixed feature extractors, and for large new datasets, can be conducted using fine-tuning the weights of the pre-trained model. In the forthcoming IDS approaches, transfer learning can be further investigated to enhance the intrusion detection process. Table 9 indicates the future research directions in the deep learning-based intrusion detection domain.

V. CONCLUSION
Intrusion detection systems are one of the essential security components of the current information technologybased organizations. However, providing an efficient and high-performance IDS approach to deal with a wide variety of security attacks is a challenging approach. Recently, deep learning techniques have proved to deal with intrusion detection problems, and several deep learning-based IDS schemes are introduced in the literature. Deep learning is a subset of machine learning techniques, which incorporate several layers to conduct nonlinear processing and learn several data representation levels. Deep learning networks can process raw input data and support unsupervised, semi-supervised, and supervised learning methods.
This article provides an in-depth review and classification of the intrusion detection schemes which have benefited deep neural networks to deal with intrusions and malicious behaviors. For this purpose, it first categorizes the deep IDS schemes according to their incorporated deep learning techniques and describes how each scheme is trying to apply deep learning methods for recognizing various types of intrusions. Besides, in the studied deep IDS schemes, the shallow learning methods utilized in combination with the deep learning techniques are investigated. Moreover, to provide an in-depth insight into the studied IDS frameworks, in each category of the studied approaches, their primary contributions, advantages, and limitations are specified. Besides, in each category, their utilized evaluation metrics, simulators, and datasets are compared. At last, it can be concluded that deep learning is an interesting method, which puts forward many opportunities and also challenges in the intrusion detection context. SHIMA RASHIDI was born in Iran, in 1989. She received the B.E. and M.E. degrees in computer science from the University of Tabriz, Tabriz, Iran, in 2011 and 2013, respectively. She is currently pursuing the Ph.D. degree with the University of Science and Technology, Tehran, Iran.
She is also an Assistant Lecturer with the University of Human Development, Sulaymaniyah, Iraq. Her main research interests include text mining, semi supervised learning, and social network analysis.
MEHDI HOSSEINZADEH received the B.S. degree in computer hardware engineering from Islamic Azad University, Dezfol Branch, Iran, in 2003, and the M.Sc. and Ph.D. degrees in computer system architecture from Islamic Azad University, Science and Research Branch, Tehran, Iran, in 2005 and 2008, respectively. He has authored/coauthored more than 150 publications in technical journals and conferences. His research interests include SDN, information technology, data mining, big data analytics, e-commerce, e-marketing, and social networks.
AMIR MASOUD RAHMANI received the B.S. degree in computer engineering from the Amirkabir University of Technology, Tehran, in 1996, the M.S. degree in computer engineering from the Sharif University of Technology, Tehran, in 1998, and the Ph.D. degree in computer engineering from IAU University, Tehran, in 2005. He is currently a Professor of computer engineering with the National Yunlin University of Science and Technology. He has authored/coauthored more than 350 publications in technical journals and conferences. His research interests include distributed systems, the Internet of Things, and evolutionary computing. VOLUME 9, 2021