The massive growth of data that are transmitted through a variety of devices and communication protocols have raised serious security concerns, which have increased the importance of developing advanced intrusion detection systems (IDSs). Deep learning is an advanced branch of machine learning, composed of multiple layers of neurons that represent the learning process. Deep learning can cope with large-scale data and has shown success in different fields. Therefore, researchers have paid more attention to investigating deep learning for intrusion detection. This survey comprehensively reviews and compares the key previous deep learningfocused cybersecurity surveys. Through an extensive review, this survey provides a novel finegrained taxonomy that categorizes the current state-of-the-art deep learning-based IDSs with respect to different facets, including input data, detection, deployment, and evaluation strategies. Each facet is further classified according to different criteria. This survey also compares and discusses the related experimental solutions proposed as deep learning-based IDSs. By analysing the experimental studies, this survey discusses the role of deep learning in intrusion detection, the impact of intrusion detection datasets, and the efficiency and effectiveness of the proposed approaches. The findings demonstrate that further effort is required to improve the current state-of-the art. Finally, open research challenges are identified, and future research directions for deep learning-based IDSs are recommended.

Introduction

In recent years, the world has witnessed a significant evolution in the different areas of connected technologies such as smart grids, the Internet of vehicles, long-term evolution, and 5G communication. By 2022, it is expected that the number of IP-connected devices will be three times larger than the global population, producing 4.8 ZB of IP traffic annually, as reported by Cisco [1]. This accelerated growth raises overwhelming security concerns due to the exchange of huge amounts of sensitive information through resource-constrained devices and over the untrusted “Internet” using heterogeneous technologies and communication protocols. To maintain sustainable and secure cyberspace, advanced security controls and resilience analysis [2] should be applied in the earlier stages before deployment. The applied security controls are responsible for preventing, detecting, and responding to attacks. For detection purposes, an intrusion detection system (IDS) is a widely used technique for detecting internal and external intrusions that target a system, as well as anomalies that indicate potential intrusions and suspicious activities. An IDS involves a set of tools and mechanisms for monitoring the computer system and the network traffic, in addition to analysing activities with the aim of detecting possible intrusions targeting the system [3]. An IDS can be implemented as signature-based, anomaly-based, or hybrid IDS. In signature-based IDS, intrusions are detected by comparing monitored behaviours with pre-defined intrusion patterns, while anomaly-based IDS focuses on knowing normal behaviour in order to identify any deviation [4]. Different techniques are used to detect anomalies, such as statistical-based, knowledge-based, and machine learning techniques; recently, deep learning methods have been investigated [5].