A Bibliometric Review of Intrusion Detection Research in IoT: Evolution, Collaboration, and Emerging Trends

Abstract

As the IoT market continues to rapidly expand, ensuring the security of IoT systems becomes increasingly critical. This paper aims to identify emerging trends and technologies in IoT intrusion detection. A bibliometric analysis of research trends in IoT intrusion detection, leveraging data from the Web of Science (WoS) repository, is conducted to understand the landscape of publications in this field. The analysis reveals a significant increase in publications on intrusion detection in IoT, indicating growing research interest. Research articles are the leading category of publications, and the analysis also highlights the collaborative linkages among authors, institutions, and nations. Co-occurrence analysis and citation analysis provide insights into the relationships among keywords and the impact of publications. The study also identifies keyword and publication citation burst detection, with recommendations for future research focusing on advanced machine learning techniques to enhance intrusion/anomaly detection. This comprehensive analysis offers valuable guidance for diverse and extensive applications in IoT intrusion detection.

1. Introduction

The Internet of Things (IoT) has experienced substantial expansion in healthcare, transportation, agriculture, and many industries. This growth has improved socio-economic progress by connecting sensors, actuators, and network-enabled devices that share data over both public and private networks [1]. The entire installed base of IoT-linked devices globally is predicted to reach 30.9 billion units by 2025 [2]. However, the development of smart devices and systems has created new security issues, emphasizing the need to detect and prevent such threats. Intrusion detection systems (IDSs) are vital for safeguarding IoT systems from illegal access and maintaining their security posture [3].

An IDS is a critical protection mechanism for typical IP networks that analyzes network activity and alerts to intrusions. However, implementing IDS for IoT networks is difficult owing to the restricted processing and storage capabilities of the IDS agent nodes, making the task more complex [4].

The objective of this review paper is to conduct a bibliometric analysis of research trends in IoT intrusion detection, leveraging data from the Web of Science (WoS) repository. The study covers publications from 2017 to 2023, examining various bibliometric indicators such as publication counts, research areas, authorship patterns, country-wise contributions, and many more.

The bibliometric review also incorporates the collaborative analysis among authors, institutions, and organizations that published their research on IoT intrusion detection. Additionally, the co-occurrence of keywords is also discussed in this study. By critically examining these aspects, we aim to highlight areas for improvement and future research directions. The findings of this study will contribute to the advancement of intrusion detection in IoT and provide guidance for future research efforts. The contributions of this study are as follows:

• Comprehensive Overview of Research Trends: By analyzing publication trends from 2017 to 2023, our study provides a detailed overview of the growth and evolution of research in IoT intrusion detection. This helps in understanding how interest in this field has developed over time.
• Visualization of Collaborative Networks: To analyze collaboration networks, examine the patterns of collaboration among researchers, institutions, and nations, and identify the research groups that have contributed the most in this field.
• Keyword Analysis: To find out the most frequently used keywords in the field of IoT intrusion detection.
• Emerging Trends and Future Directions: To identify emerging trends and technologies in the field of IoT intrusion detection, particularly focusing on the latest developments as of 2024. This provides valuable insights into future research directions and potential areas of innovation.

2. Methodology

This study utilized a bibliometric analysis to systematically evaluate and visualize the research trends, influential publications, and key contributors in the field of IoT intrusion detection. The methodological framework followed in this study is primarily based on the techniques outlined in [5], who conducted a comprehensive bibliometric analysis of cybersecurity. This study is conducted using the following steps described in detail in the following subsections.

2.1. Data Gathering

The current study utilized the WoS repository as the principal source for conducting bibliometric analysis. WoS is widely recognized for its vast compilation of top-notch research papers that have been published in renowned journals across the globe. The database archives publications dating back to 1990, providing a rich source of scholarly literature. Within WoS, the core collection includes the Science Citation Index Expanded (SCI-EXPANDED), Arts and Humanities Citation Index (AHCI), Social Sciences Citation Index (SSCI), Conference Proceedings Citation Index—Social Science and Humanities (CPCI-SSH), Conference Proceedings Citation Index—Science (CPCI-S), Book Citation Index—Social Sciences and Humanities (BKCI-SSH), Book Citation Index—Science (BKCI-S), and Emerging Science Citation Index (ESCI).

2.2. Search Strategy

For this study, the search string in WoS was formulated as follows: ((intrusion AND detection) AND ((IoT OR Internet of Things) AND (IoT Datasets) OR openWRT)), covering the period from 2017 to 2023. The search criteria were configured to include ‘full record and cited references’ to ensure comprehensive retrieval of relevant documents. In terms of inclusion criteria, we focused on three main types of publications: review articles, conference proceedings papers, and articles categorized as review articles in WoS. Other types, such as early access papers, retracted publications, and book chapters, were excluded from our analysis to maintain the focus on comprehensive reviews and original research contributions relevant to our study. The search, conducted in May 2022, resulted in the extraction of 1197 research publications from the database in plain text format. This search strategy was specifically designed to capture documents highly relevant to keywords associated with intrusion detection in the IoT, thereby ensuring both precision and relevance in the retrieved entries.

2.3. Analytical Approach

The study employed both evaluative and relational bibliometric techniques:

(a) Evaluative Techniques: These techniques were used to assess the research outputs of individual authors, their affiliated organizations, and the overall impact of their work.

(b) Relational Techniques: These techniques focused on mapping the relationships between authors, institutions, and research topics. Network analysis was conducted to identify collaboration patterns and influential clusters within the IoT intrusion detection research community.

2.4. Data Visualization

Data visualization was a critical component of this study, allowing for the quick presentation of results and actionable insights. VoS viewer 1.6.20 was particularly effective in creating detailed visualizations of bibliometric networks, while CiteSpace provided research trends of keywords and citations of publications.

3. Publication Structure Analysis

The distribution of the searched publications by year, categories, source title, and trends in intrusion detection in IoT is described in this section. Additionally, prominent nations, organizations, authors, and nationalities in intrusion detection in IoT research are also included, along with their publication counts. All the results in this section were acquired via the WoS-filtered analysis feature applied to the complete document collection gathered employing the search strategy mentioned in the bibliometric analysis section of this paper.

3.1. Analysis of Publications Year over Year

The annual evolution of scholarly articles on IoT intrusion detection, as documented in the WoS, is depicted in Figure 1. The quantity of publications indexed in WoS is presented on the vertical axis, while the years of publication from 2017 to 2023 are indicated on the horizontal axis. The publication counts for each year are indicated on top of the corresponding bar. It is obvious from Figure 1 that there has been a significant increase in the number of publications on intrusion detection in IoT since 2018, indicating a notable increase in research interest in this specific field.

According to [2], a significant and impressive growth in the number of IoT connections is projected in the future. Nevertheless, the extensive acceptance of any technological advancement is heavily reliant on security protocols, hence emphasizing the urgent need for expedited research in IoT intrusion detection. The rapid increase in citations, as shown in Figure 2, highlights the growing importance of intrusion detection in the IoT environment. Following that, a thorough examination of the various categories of publications in this field in the WoS database is provided.

3.2. Publications Category

The categories of publication with their respective count are presented in Figure 3. These categories include research articles, review papers, and conference papers. Research articles are the leading category of publication, accounting for approximately 72% of the total corpus. Conference papers are the second most popular category of publication, making approximately 24% of the total 1197 records. Review articles, albeit in a decreasing proportion, nonetheless make up a considerable 3.8% of the whole corpus. The next section explores the key sources that drive research in intrusion detection within the IoT sector, as reported in WoS.

3.3. Source of Publication

The top 10 sources of publications and the associated number of publications are depicted in Figure 4. The leading source of publication in the field is the ‘IEEE Access’ journal, featuring 97 publications that make up 8% of the total database extracted from WoS. ‘Sensors’ is the second most popular source, with a total of 82 publications, making up 6.8% of the overall record count. ‘Electronics’ secured the third position, with 50 publications. It is followed by ‘Cmc Computers Materials Continua’ in fourth place with 35 publications, ‘Applied Sciences Basel’ in fifth place with 34 publications, and ‘Computers Security’ in sixth place with 27 publications. The rest of the top ten publishers are the ‘Internet of Things’ at seventh place with 23 publications; both the ‘IEEE Global Communications Conference’ and ‘Lecture Notes in Computer Science’ have 20 publications each; and in tenth position is ‘Cluster Computing the Journal of Networks Software Tools and Applications International journal of Advanced Computer Science and Application’ with 17 publications. In the next subsection, the prominent global organizations whose members have made significant contributions to WoS databases are discussed.

3.4. Productive Organizations and Researchers

The ten leading organizations with their respective count of publications are presented in Figure 5. The Egyptian Knowledge Bank EKB (Egypt) bagged the first position with 50 publications. The National Institute of Technology (NIT) System (India) made the second-highest contribution of 43 publications to the WoS. Third and fourth positions are achieved by Prince Sattam Bin Abdulaziz University from Saudi Arabia and Vellore Institute of Technology VIT (India) with 28 publications each. These are followed by King Abdulaziz University (Saudi Arabia) and SRM Institute of Science and Technology, Chennai (India), contributing 27 publications each to the WoS. Princess Nourah Bint Abdulrahman University (Saudi Arabia) holds the seventh position with 26 publications. University of New South Wales, Sydney (Australia), VIT Vellore (India), and National Institute of Technology Raipur (India) are in the top 10 organizations with 23, 22, and 20 WoS articles on IoT intrusion detection, respectively.

Table 1. The top nine most prolific researchers in the field of intrusion detection in IoT.

Author	Published Name	Published Organization	Country	Record
Moustafa N	Moustafa, Nour	Australian Defense Force Academy University of New South Wales Sydney, Melbourne Genomics Health Alliance Univ New South Wales Canberra, ADFA Campbell Univ New South Wales UNSW Canberra Canberra Cyber Secur Cooperat Res Ctr CSCRC Univ New South Wales UNSW Canberra Univ New South Wales UNSWs UNSW Canberra Fayoum University	Australia	19
Kumar P	Kumar, Prabhat Kumar, P.	Lappeenranta-Lahti University of Technology LUT National Institute of Technology Raipur National Institute of Technology Manipur Indian Institute of Technology (IIT)—Hyderabad Indian Institute of Technology (IIT)—Guwahati National Institute of Technology (NIT System) National Institute of Technology Patna Netaji Subhas University of Technology (East Campus) Texas A&M University System	India	16
Gupta GP	Gupta, Govind P. Gupta, Govind	National Institute of Technology Raipur, National Institute of Technology (NIT System), Jaypee Institute of Information Technology (JIIT), Indian Institute of Technology (IIT)—Roorkee	India	14
Khan MA	Khan, Muazzam A.	Quaid I Azam University City Univ Sci and IT Agricultural University Peshawar	Pakistan	14
Tripathi R	Tripathi, Rakesh	National Institute of Technology Raipur National Institute of Technology (NIT System)	India	14
Kumar R	Kumar, Randhir	National Institute of Technology (NIT System) National Institute of Technology Raipur	India	13
Azrour M	Azrour, Mourade Azrour, Mourad Mourade, Azrour	Cadi Ayyad University of Marrakech Moulay Ismail University of Meknes	Morocco	12
Guezzaz A	Guezzaz, Azidine	Cadi Ayyad University of Marrakech Univ Cadi Ayyad Zohr Essaouira Cadi Ayyad Univ Ibn Zohr University of Agadir SCCAM Team	Morocco	12
Ahmad J	Ahmad, Jawad Ahmed, Jamil Ahmad, Jamil Ahmad, J. Ahmad , Jeffrey Ahmed, Jawad	Sch Comp Engn and Built Environm Edinburgh Napier University Coventry University Sylhet Agricultural University University of Engineering and Technology Taxila Hazara University Isra Univ Isra Univ Hyderabad University of Peshawar Glasgow Caledonian University Avanture Bytes Chenab Coll Engn and Technol DATEV eG Hazara Univ Mansehra Quaid e Azam Univ Islamabad Kohat University of Science and Technology Balochistan University of Information Technology, Engineering and Management Sciences BUITEMS Rehman Med Coll University of Malakand Aga Khan University National University of Sciences and Technology—Pakistan Bennett Univ Poole Hosp NHS Trust University of Aberdeen Pakistan Atom Energy Commiss Salisbury District Hospital Bahauddin Zakariya University HITEC Univ Taxila NITEC University Tehsil Head Quarter Hosp Sichuan University Abasyn Univ PMC Guy’s and St Thomas’ NHS Foundation Trust University of Engineering and Technology Peshawar Western University (University of Western Ontario) Pakistan Institute of Engineering and Applied Science Dow University of Health Sciences Univ Coll Agr Univ Informat Technol Engn and Management Sci Iqra University Caboolture Hosp Centre National de la Recherche Scientifique (CNRS) Jinnah Hosp Quaid I Azam University Bolan Med Coll Isra Univ Hosp Bolan Med Coll Quetta PMRC Res Ctr BMCH	People R China	11

shows the list of top nine researchers with maximum WoS publications in IoT intrusion detection. Of these top nine authors, four authors are from India and two from Morocco. There is one author each from Australia, Pakistan and China.

3.5. Trends in Countries

Figure 6 illustrates the publication output trends of the top ten countries from the year 2017 onwards, which contributed to the publications on intrusion detection in IoT in the WoS database. India published the greatest number of publications in 2017, followed by Australia. The United States took the lead from 2018 to 2020. In the year 2021, India was the top source for publication output. The nations in descending order of contribution in terms of total number of published articles from 2017 to 2023 are India (257), Saudi Arabia (200), People’s Republic of China (174), the USA (134), Pakistan (86), Australia (83), England (78), Canada (69), Malaysia (55), and Egypt (54). In the next subsection, popular research areas in IoT intrusion detection are presented.

3.6. Popular Research Areas

Figure 7 presents the popular research areas with their record count from 2017 to 2023 in IoT intrusion detection. ‘Computer Science’, with 893 records, is the leading active research area in the WoS, whereas ‘Engineering’ holds the second position with 543 records. ‘Telecommunication’ ranks third with a total of 368 records, emphasizing the need for effective security approaches in communication networks that are integrated with the IoT. The incorporation of IoT technology into the field of ‘Chemistry’ is gaining popularity, as indicated by 111 publications in the WoS database, especially in the context of intelligent industrial applications. ‘Instruments and Instrumentation’ and ‘Physics’, with 85 and 83 WoS publications, respectively, provide a multidisciplinary approach to analyzing incursion hazards in IoT ecosystems. The 68 articles indexed in ‘Materials Science’ show a rising interest in investigating the interaction of new materials and technologies with IoT security. ‘Science Technology Other Topics’ holds the eighth position with 48 publications. ‘Automation Control Systems’ ranks ninth with 41 records, while ‘Mathematics’ ranks tenth with 21 WoS papers in the popular research areas of intrusion detection in IoT.

The trends in WoS publications across the mentioned research areas are delineated in Figure 8. Computer Science has been the top research area since 2017, followed by Engineering. A notable increase in research publications from 2019 has been observed in Computer Science. The trend data in the figure indicate higher publication numbers and consistent growth in research areas, namely Computer Science, Engineering, Telecommunication, and Material Science research areas and a steady growth in areas: Chemistry, Instruments and Instrumentation, Physics, Science Technology Other Topics, Automation Control System, and Mathematics show. In 2023, Computer Science reported a count of 313 publications, followed by Engineering with 199 records. The field of Telecommunications reported 122 records. In the field of Chemistry, 48 records were published. The field of Instruments and Instrumentation comprises a total of 32 records, 4 records in the field of Physics, and 32 records in the field of Material Sciences. There were a total of 20 records in the field of Science, Technology, and Other Topics, 18 records in Automation Control, and 7 records published in Mathematics.

Table 2. Distribution of publications by research area and paper category.

Research Area	Article	Proceeding Paper	Review Article
Computer Science	609	225	29
Engineering	405	113	35
Telecommunication	218	136	14
Chemistry	104		7
Instruments and Instrumentation	78	1	6
Physics	80		3
Material Science	66	1	1
Science Technology Other Topics	41	3	4
Automation Control System	35	5	1
Mathematics	14	7

presents statistics on publications, categorized by research area and category of paper. Based on the data detailed in the Table, it can be observed that research articles are the most prevalent type of publication. Currently, there are no proceeding papers in the research areas of Chemistry and Physics, as well as no review articles in the field of Mathematics. The distribution of research articles on IoT intrusion detection in WoS-indexed categories and indexed publications is discussed in the next subsection.

3.7. Web of Science Categories and Indexed Publications

The publications with their respective count on IoT intrusion detection categorized by WoS are presented in Figure 9. The maximum number of publications (553) fall under ‘Computer Science Information Systems’ followed by ‘Engineering Electrical Electronic’ with (465) publications. Five out of the top ten WoS categories are related to computer science, indicating a significant focus on intrusion detection in IoT within computer science domains. These categories, namely ‘Computer Science Theory Methods’, ‘Computer Science Artificial Intelligence’, ‘Computer Science Hardware Architecture’, ‘Computer Science Interdisciplinary Applications’, and ‘Computer Science Software Engineering’, ranked fourth (286 publications), fifth (177 publications), sixth (109 publications), seventh (109 publications), and eighth (97 publications), respectively. ‘Telecommunication’ with 368 articles holds the third position. The bottom two positions in the top 10 are held by ‘Instruments Instrumentation’ with 85 papers and ‘Physics Applied’ with 81 papers.

Figure 10 depicts the trends in publications across several categories of the WoS from 2017 to 2023. The highest number of documents were published in Computer Science theory in 2017, followed by Engineering Electrical Electronic. Conversely, in 2018, Engineering Electrical Electronic published the most articles, with Computer Science Theory Methods coming in second. In 2019, Computer Science Theory Methods, Engineering Electrical Electronics, and Computer Science Information Systems were the top publishing categories. From 2020 onwards, the highest number of documents was published in the Computer Science Information System category, culminating in 183 publications in 2023. In the same year, Engineering Electrical and Electronic published 168 documents, while Telecommunications and Computer Science Theory and Methods published 122 and 81 documents, respectively. The WoS categories Computer Science Hardware Architecture and Computer Science Software Engineering both published the same number of documents, i.e., 30. Instruments Instrumentation and Physics Applied published 32 documents each. Computer Science Artificial Intelligence published 65 articles, while Computer Science Interdisciplinary Applications published 47 articles.

Figure 11 presents a detailed analysis of the various document types published in IoT intrusion detection across specific WoS categories. A consistent growth in the number of publications is observed in research articles and proceeding papers, while a fluctuation of counts is observed in review articles.

The publications with their respective count of IoT intrusion detection in WoS-indexed publications are depicted in Figure 12. The Science Citation Index Expanded (SCI-EXPANDED) indexed most of the papers in the WoS database, totaling 791 publications. The next in line was the Conference Proceedings Citation Index—Science (CPCI-S), with 289 articles published. The Emerging Sources Citation Index (ESCI) indexed the third-highest publications. The Social Sciences Citation Index (SSCI) includes 20 intrusion detection in IoT-related articles. Moreover, two articles are indexed in the Conference Proceedings Citation Index—Social Science and Humanities. Lastly, the Book Citation Index—Social Science and Humanities and Book Citation Index—Science each have one intrusion detection in IoT-related articles. In this subsection, a thorough analysis of the leading funding agencies in the field of research intrusion detection in IoT is presented.

3.8. Funding Agencies

The contributions made by different funding agencies in this particular field with their respective publication count are illustrated in Figure 13. The top funding agency in IoT intrusion detection research is the National Natural Science Foundation of China NSFC, accounting for about 5.68% of the total 1197 records in WoS. The European Union (EU) closely follows, making a contribution of approximately 2.92% to the overall count. A small yet significant contribution of 1.83% of the total was made by Princess Nourah Bint Abdulrahman University. The National Science Foundation (NSF) and the Natural Sciences and Engineering Research Council of Canada (NSERC) had a significant combined contribution of 2.74%. Additional funding agencies that contribute to IoT intrusion detection research include the National Research Foundation of Korea, the National Key Research and Development Program of China, and the Ministry of Science ICT MSIT Republic of Korea. An analysis of access types for articles pertaining to intrusion detection in IoT is presented in the next subsection.

3.9. Access Type

The access type of publications with their respective counts is depicted in Figure 14. All Open Access records make up 50% of total records. These articles are free and open to everybody. Around 37% of records are released under the “Gold” open-access model. This means that readers get free access to the content of these articles as soon as they are published. Access type Gold–Hybrid accounts for around 6% of total articles. These papers are published in standard subscription-based journals, but authors can pay an additional price to make their works publicly available. Articles labeled as Free to Read, which account for only 1% of the total, are available to readers for a short period following publication. Green Published, Green Accepted, and Green Submitted are conventional subscription-based journals that contribute approximately 14%, 4%, and 8% of the total, respectively.

4. Co-Authorship Analysis

Collaboration among authors, institutions, and nations is vital for innovation and research progress. The subsections below provide an analysis of co-authorship among authors, organizations, and nations that have contributed to intrusion detection in IoT from 2017 to 2023. The fractional counting method, which includes both highly and low-cited sources in an article, was used in this analysis. The analysis employed an inclusive criterion of at least three published papers and five citations per author, organization, or country and excluded the publications co-authored by more than 25 authors, organizations, and nations. The subsections describe the co-authorship analysis based on author, organization, and countries, where ‘Np’ represents the number of published articles by each author/institution/country, indicating their productivity in the field of IoT intrusion detection. Links represent the count of collaborative efforts between a specific author/institution/country and other authors/institutions/countries. If ‘n’ authors/organizations/countries co-authored a publication, the strength of the relationship between each pair of co-authors/organizations/countries was calculated using 1/n. Total Link Strength (TLS) measures the overall strength of an author’s, organization’s, or country’s collaborative relationships. An in-depth co-authorship study among authors is presented in this subsection.

4.1. Author-Based Co-Authorship Analysis

In this subsection, a co-authorship study among authors is presented. The VoS search revealed a total of 3727 such authors who have contributed to this field. A total of 219 documents met the criteria mentioned earlier. Among these, 64 documents were identified as part of the most connected co-author network.

Table 3. The top fifteen authors have the highest TLS values.

Rank	Country	Author	Np	Links	TLS
1	India	Kumar, Prabhat	16	12	16
2	India	Tripathi, Rakesh	14	10	14
3	Australia	Moustafa, Nour	18	13	13
4	India	Gupta, Govind P.	14	10	13
5	Morocco	Azrour, Mourade	12	4	12
6	Morocco	Benkirane, Said	12	4	12
7	Morocco	Guezzaz, Azidine	12	4	12
8	UK	Ahmad, Jawad	11	9	11
9	India	Kumar, Randhir	11	12	11
10	Algeria	Ferrag, Mohammed Amine	10	6	10
11	USA	Alsmadi, Izzat	8	5	8
12	Pakistan	Khan, Muazzam A.	6	8	6
13	England	Maglaras, Leandros	6	4	6
14	Canada	Mahmoud, Qusay H.	6	4	6
15	Canada	Ullah, Imtiaz	7	1	6

displays the top fifteen authors from the collection of non-connected sets that have the maximum co-authorship values based on TLS. The co-authorship-based TLS is always an integer value since the total sum of fractional link strengths for a single author in any published article will always equal one. Therefore, the strength of an author’s co-authorship relationship, which is determined by the number of publications, is directly proportional to the number of published articles, i.e., Np. Nevertheless, Table 3 does not demonstrate this. As an illustration, Moustafa Nour, the author with the third highest rating in TLS, has 18 publications, although TLS itself has 13 publications. This means that there are five articles written by Moustafa, Nour that were either sole-authored or co-authored with individuals who have less than three publications and/or five citations each. Similar patterns can be observed for the authors Gupta, Govind P. from India, and Ullah, Imtiaz from Canada. It can be observed from Table 3 that India has five researchers with the highest TLS value. Three researchers are from Morocco and Australia; the United Kingdom and Algeria each have one representative. The United States has one researcher on the list, while Canada is represented by two researchers. England also has one researcher included in this group.

Figure 15 shows the co-authorship network diagram in different colored nodes, and the connections between them reflect their respective collaborative linkages. The figure displays leading TLS authors, namely Kumar, Prabhat in green color nodes, Moustafa, Nour in yellow color nodes, and Ferrag, Mohammed Amine in purple color nodes.

4.2. Organization-Based Co-Authorship Analysis

An analysis of co-authorship among organizations publishing research in intrusion detection within IoT is presented in this subsection. A total of 1461 organizations involved in this field were identified by VoS Viewer, and only 256 organizations met the criteria specified above. Among them, 204 were identified as part of the largest interconnected network of organizations.

Table 4. The top ten organizations with the highest TLS values.

Rank	Organization	Country	Np	Links	TLS
1	Princess Nourah Bint Abdul Rahman University	Saudi Arabia	26	43	26
2	Prince Sattam Bin Abdulaziz University	Saudi Arabia	26	32	23
3	King Khalid University	Saudi Arabia	18	24	16
4	Prince sultan University	Saudi Arabia	15	22	15
5	Vellore Institute of Technology	India	21	21	13
6	Edinburgh Napier University	UK	18	18	12
7	Ummul Al Qura University	Saudi Arabia	13	20	11
8	Cadi Ayyad University	Morocco	12	3	11
9	King Abdulaziz University	Saudi Arabia	24	15	11
10	Moulay Ismail University Meknes	Morocco	11	3	11

displays the leading ten organizations that have the highest co-authorship, as determined by TLS values, within this set of 256. The cumulative strength of fractional linkages inside a single organization in each published paper will always amount to one; hence, the co-authorship-based TLS of organizations is always an integer. Thus, an organization’s overall co-authorship link strength across all published papers equals its article count (Np). However, this trend is not applicable in Table 4, as the TLS is an integer value that is less than the total number of publications (Np). For example, Prince Sattam Bin Abdulaziz University, the second highest-ranking TLS organization, has 26 publications, but TLS has 23 publications. This implies that there are three articles authored by researchers from Prince Sattam Bin Abdulaziz University that either do not have a co-author from any other organization or have co-authors from organizations with less than three publications and/or five citations individually. Identical patterns can be observed for TLS or other organizations. Organizations from Saudi Arabia dominate Table 4, holding the first, fourth, seventh, and ninth rankings. Furthermore, the list features two universities from Morocco and one institutional representation from the UK.

Figure 16 depicts the co-authorship network diagram among different organizations. This network uses different colors to represent different research network groups. The relative thickness of connecting links illustrates the strength of the links between organizations. The figure displays organizations, namely Vellore Institute of Technology in cyan, Edinburgh Napier University in green, and King Khalid University in orange.

4.3. Country-Based Co-Authorship Analysis

A co-authorship analysis of the countries publishing research on intrusion detection in IoT is shown in this subsection. The VoS search identifies 89 nations, out of which only 65 countries met specified criteria. The top fifteen cited nations from a total of 65 countries with the highest TLS values are shown in

Table 5. The top fifteen countries with the highest TLS values.

Rank	Country	Np	Links	TLS
1	Saudi Arabia	200	44	139
2	India	256	46	94
3	People r China	174	41	87
4	Pakistan	86	37	81
5	England	78	35	64
6	Australia	83	28	60
7	USA	134	34	59
8	Malaysia	55	33	46
9	Egypt	54	25	41
10	Canada	69	22	31
11	United Arab Emirates	37	22	30
12	South Korea	51	24	29
13	Jordan	38	22	28
14	Algeria	24	19	20
15	Taiwan	28	17	20

. The cumulative strength of fractional linkages inside a single country in each published paper will always amount to one; hence, the co-authorship-based TLS of the country is always an integer. Thus, a country’s overall co-authorship link strength across all published papers equals its article count (Np). However, this trend is not applicable in Table 5, as the TLS is an integer value that is less than the total number of publications (Np). This finding implies that certain published publications do not have co-authors from other countries. It is also possible that several published research included co-authors from only countries with less than three intrusion detection in IoT articles and/or five WoS citations and hence were excluded from our study. For example, Saudi Arabia, the leading TLS country, has 200 publications, but TLS has only 139 publications. This means that there are 61 articles written by Saudi Arabian researchers that either did not have a co-author from another nationality or had co-authors from countries with less than a total of three publications and/or five citations each. Table 5 details the leading fifteen nations with the highest TLS metrics on IoT intrusion detection in WoS publications. With 200 publications, Saudi Arabia has a TLS value of 139, followed by India, which has the highest number of publications, securing the second position in TLS with a value of 94. China has a publication count of 174 and a TLS of 87, and it claimed the third position. The United States published 134 articles and holds the seventh spot in terms of TLS ranking. This finding demonstrates considerably smaller international co-author links between authors from the United States and other nations. Similarly, Australia has a greater number of publications than England but ranks lower in terms of TLS ranking. Algeria claimed the fourteenth rank in terms of TLS ranking, having 24 publications indicating strong international co-author linkages with authors from other countries.

Figure 17 depicts the co-authorship network diagram among different countries. This network uses different colors to represent different research network groups. The relative thickness of connecting links illustrates the varying strengths of links between different countries. The figure displays countries such as India, Turkey, Bangladesh, and the USA in brown color nodes. Similarly, Saudi Arabia, Jordan, and the United Arab Emirates are in teal color nodes. Finland, Spain, Brazil, and Switzerland form a red-colored network.

5. Analysis of Co-Occurrence

In this section, an analysis of the co-occurrences of keywords addressed in the WoS from 2017 to 2023 on IoT intrusion detection is presented. The fractional counting method is used to analyze the co-occurrences of these keywords, with a minimum threshold of five occurrences per keyword. The co-occurrences of these keywords were analyzed using the fractional counting approach, with a minimum threshold of five occurrences per keyword.

5.1. All Keyword-Based Co-Occurrence Analysis

The co-occurrence analysis of all WoS-identified keywords on publication in intrusion detection in IoT is presented in this section. VoS search revealed a total of 2479 keywords. However, only 247 keywords meet the threshold value. The top thirteen co-occurring terms with the highest TLS values are listed in

Table 6. The top 13 keywords with the maximum co-occurrence TLS values for all keywords.

Rank	Keyword	Np	Links	TLS
1	Intrusion Detection	241	489	482
2	Internet	233	360	355
3	Machine Learning	227	306	305
4	Internet of Things	211	303	303
5	IoT	211	297	295
6	Deep Learning	216	254	254
7	Security	222	250	250
8	Intrusion Detection System	215	240	236
9	Anomaly Detection	194	188	187
10	Things	196	182	182
11	Internet of Things (IoT)	144	118	117
12	Ids	130	86	86
13	Cybersecurity	137	83	83

. The data in Table 6 show that the keyword ‘Intrusion Detection’ was included in 241 published articles (Np). Furthermore, it co-occurred with 489 other IoT intrusion detection WoS-indexed keywords within these articles. ‘Intrusion Detection’ has a TLS of 482, which is the total number of times this keyword co-occurred with each of the 489 other keywords (all of which had at least five occurrences). Herein, if “n” WoS-indexed terms co-occurred in an article, the link strength between each pair was calculated as 1/n (due to the citing article). TLS is the total of the link strengths between a keyword and all other co-occurring keywords across all published articles. Since a keyword’s fractional link strength adds up to one in every published article, the co-occurrence-based TLS of keywords is always a whole number rather than a fraction. Table 6 does not show this pattern, as the TLS is always a whole number but always smaller than the Np (actual number of publications). This finding suggests that the authors of certain published articles have not referenced any other IoT intrusion detection keywords. It may also show that in certain published studies, only IoT intrusion detection keywords with fewer than five occurrences co-occurred; thus, they were excluded from the present study and were not considered co-occurring keywords. For example, when considering the second-highest TLS keyword, ‘Internet’, published papers were 233 while TLS was 355. Therefore, there are 122 articles that addressed this keyword and either did not contain any other intrusion detection in IoT WoS keyword or cited keywords that had fewer than five occurrences separately. For the keyword ‘Machine Learning’, 78 publications did not contain any other IoT intrusion detection keyword/included keywords that were considered relevant based on the chosen threshold. The top thirteen keywords show that most research papers emphasize intrusion and anomaly detection utilizing machine/deep learning-based categorization in IoT security.

The co-occurrence network map, as depicted in Figure 18, illustrates the relationships among all keywords. Notably, the figure showcases keywords like intrusion detection and machine learning, which are represented by brown-colored nodes. On the other hand, green-colored nodes represent keywords, such as internet, security, and internet of things (IoT), among others. Additionally, keywords like Mirai, NSL-KDD, Mqtt, bot-iot, iot, and datasets are denoted by pink-colored nodes.

5.2. Author’s Keyword-Based Co-Occurrence Analysis

The co-occurrence analysis of the keywords used by authors in intrusion detection in IoT research publications is presented in this subsection. The VoS search revealed 2196 such keywords. A total of 183 keywords were identified that meet the specific requirement. Of these, the 15 co-occurring keywords with the highest TLS values are detailed in

Table 7. The top 15 keywords with the maximum co-occurrence TLS values for author keywords.

Rank	Keyword	Np	Links	TLS
1	Intrusion Detection	169	346	324
2	Machine Learning	166	306	305
3	Internet of Things	153	303	300
4	Deep Learning	156	254	251
5	IoT	125	197	195
6	Intrusion Detection System	131	177	170
7	Anomaly Detection	116	131	128
8	Security	126	129	128
9	Internet of Things (IoT)	99	118	113
10	Cybersecurity	95	80	78
11	Feature Selection	72	80	78
12	Ids	85	78	76
13	Network Security	74	66	66
14	Intrusion Detection System (IDs)	72	63	61
15	IoT security	62	64	51

. The data in the Table indicate that the keyword ‘Intrusion Detection’ occurred in 169 published articles (Np). ‘Intrusion Detection’ co-occurred with 346 other IoT Intrusion detection author keywords in these articles. The keyword ‘intrusion detection’ has a TLS of 324, which is the total number of times ‘intrusion detection’ co-occurred with each of the 346 other keywords (all of which had at least five occurrences). In this case, the strength of the connection between each pair of co-occurring keywords was calculated as 1/n (because of the citing article) if an article had ‘n’ author keywords. For example, the link strengths between each of the ten co-occurring terms in an article would be 1/10. TLS shows the total strength of a keyword’s link with all other keywords that appear together across all published articles. As the total of a keyword’s fractional link strengths in any published article will always equal one, the co-occurrence-based TLS of keywords is always a whole number and never a fraction. As a result, the number of such published articles (Np) will equal the total co-occurrence link strength of a term over all published articles. This pattern, however, is not visible in Table 7, where the TLS is consistently fewer than the actual number of publications (Np) despite always being a whole number.

The co-occurrence network map generated by the VoS viewer, as depicted in Figure 19, illustrates the relationships among the author’s keywords. Notably, the figure showcases keywords like intrusion detection, iot, iot network, bot-iot, and nsl-kdd in green-colored nodes. On the other hand, blue-colored nodes represent the keywords machine learning, artificial intelligence, information security, and cybersecurity. Additionally, the keywords edge computing, support vector machine, malware, botnet, and security form a red-colored node network.

6. Citation Analysis

The citation-based networks between documents, sources, authors, organizations, and nations related to IoT intrusion detection are displayed in this section.

6.1. Documents-Based Citation Analysis

The citation analysis of documents published in intrusion detection in IoT research is presented in this subsection. The citations of these documents were analyzed using the criteria of five citations per document. A total of 1197 publications were identified through the VoS search. Only 601 documents met the specified criteria, and 539 were found to form the biggest set of connected documents. The top ten cited documents from the non-connected group are listed in

Table 8. The top 10 WoS articles with maximum citation links.

Rank	Title of Article	Source	Authors	Year	Citation	Link
1	Towards the development of realistic botnet dataset in the Internet of Things for network forensic analytics: Bot-IoT dataset [6]	Future Generation Computer Systems	Nickolaos Koroniotis, Nour Moustafa, Elena Sitnikova, and Benjamin Turnbull	2019	605	142
2	Network Intrusion Detection for IoT Security Based on Learning Techniques dataset [7]	IEEE Communications Surveys and Tutorials	N. Chaabouni, M. Mosbah, A. Zemmari, C. Sauvignac, and P. Faruki	2019	373	71
3	TON_IoT Telemetry Dataset: A New Generation Dataset of IoT and IIoT for Data-Driven Intrusion Detection Systems dataset [8]	IEEE Access	A. Alsaedi, N. Moustafa, Z. Tari, A. Mahmood, and A. Anwar	2020	202	61
4	Deep learning for cyber security intrusion detection: Approaches, datasets, and comparative study dataset [9]	Journal of Information Security and Applications	Mohamed Amine Ferrag, Leandros Maglaras, Sotiris Moschoyiannis, and Helge Janicke	2020	393	60
5	An Ensemble Intrusion Detection Technique Based on Proposed Statistical Flow Features for Protecting Network Traffic of Internet of Things dataset [10]	IEEE Internet of Things Journal	N. Moustafa, B. Turnbull, and K. -K. R. Choo	2019	238	45
6	A Two-Layer Dimension Reduction and Two-Tier Classification Model for Anomaly-Based Intrusion Detection in IoT Backbone Networks [11]	IEEE Transactions on Emerging Topics in Computing	H. H. Pajouh, R. Javidan, R. Khayami, A. Dehghantanha, and K. -K. R. Choo	2019	232	42
7	Design and Development of a Deep Learning-Based Model for Anomaly Detection in IoT Networks [12]	IEEE Access	Ullah and Q. H. Mahmoud	2021	108	21
8	Deep recurrent neural network for IoT intrusion detection system [13]	Simulation Modelling Practice and Theory	Muder Almiani, Alia AbuGhazleh, Amer Al-Rahayfeh, Saleh Atiewi, and Abdul Razaqu	2020	163	33
9	An effective feature engineering for DNN using hybrid PCA-GWO for intrusion detection in IoMT architecture [14]	Computer Communications	Swarna Priya R.M., Praveen Kumar Reddy Maddikunta, Parimala M., Srinivas Koppu, Thippa Reddy Gadekallu, Chiranji Lal Chowdhary, and Mamoun Alazab	2020	231	31
10	Machine Learning Based Intrusion Detection Systems for IoT Applications [15]	Wireless Personal Communications	Verma, A., Ranga, V.	2020	139	31

. It is evident from Table 8 that most of the impactful articles were published between 2019 and 2020. Prominent authors like N. Moustafa and K.-K.R. Choo co-authored multiple highly cited papers. The number of citation-based linkages to these papers, i.e., the number of publications published in the WoS that cite these articles and discuss intrusion detection in IoT, is also listed in Table 8. For example, the paper titled ‘Towards the development of realistic botnet dataset in the Internet of Things for network forensic analytics: Bot-IoT dataset’ obtained 605 citations in total, of which only 142 belonged to the intrusion detection in IoT articles having a minimum of five citations each and are published in the WoS. Meanwhile, the paper titled ‘Design and Development of a Deep Learning-Based Model for Anomaly Detection in IoT Networks’, published in 2021, received a total of 108 citations, 21 of which were from intrusion detection in IoT WoS literature, each with at least five citations.

Figure 20 depicts the citation-based networks of intrusion detection in IoT based on published documents in WoS, with distinct colored nodes and linkages as per respective co-citations. The top two documents by Koroniotis et al. [6] and Chaabouni et al. [7] form the nodes of the grey-colored citation network, whereas documents by Alsaedi et al. [8] form the purple-colored network.

6.2. Source-Based Citation Analysis

The citation analysis of intrusion detection in IoT research publishing sources is discussed in this subsection. A minimum of three published publications and five citations per source were used as the criterion for analyzing the citations of these sources. VoS search revealed a total of 455 such sources. Only 69 sources met the specified criteria. The leading ten cited sources with maximum TLS values are detailed in

Table 9. The top 10 sources with the highest TLS values.

Rank	Source	Np	Links	Citation	TLS
1	IEEE Access	80	62	2606	558
2	Sensors	79	62	1460	538
3	Electronics	46	57	894	283
4	Future Generation Computer Systems—The International Journal of eScience	16	53	1094	257
5	Applied Sciences—Basel	32	42	427	199
6	Internet of Things	19	38	137	124
7	Computers and Security	26	38	365	119
8	Computer Networks	15	43	368	118
9	Cmc—Computer Materials and Continua	35	42	259	115
10	Computer Communications	14	39	475	102

. The Table also shows the citations, number of unique citing organizations (links), number of publications (Np), and the total strengths of all such links (TLS) for a source. IEEE Access is ranked first on this list, having published a total of 80 articles that exclusively address intrusion detection in IoT. These papers have garnered 2606 citations from other journals in the WoS database that also publish research on intrusion detection in IoT. Among the sources mentioned, only a small number meet the specific requirements for inclusion in the current study, which are a minimum of three published papers and at least five citations per source. Therefore, the total number of citations that IEEE Access has received from the 62 linked and selected journals is 558 (TLS). Sensors possess the second-best TLS of 538.

Figure 21 illustrates the citation-based networks of intrusion detection in IoT, which are based on sources published in WoS. The nodes and linkages are indicated by varying colors in accordance with their respective co-citations. In this case, the red-colored network emphasizes sources such as Cybersecurity, Mobile Networks and Applications, Sensors, and IEEE Access. The green color network displays sources, including the Journal of Network and Computer Applications, Sustainable Cities and Society, and Computer Communication. Future Generation Computer Systems—The International Journal of eScience, Journal of Network and System Management—are illustrated in orange color.

6.3. Author-Based Citation Analysis

This subsection presents a citation analysis of intrusion detection in IoT research publishing authors. The citations of these authors were evaluated using the criteria of a minimum of three publications and five citations per author. This analysis excluded documents that were co-authored by more than 25 writers. A total of 3727 authors were identified through the VoS search. Only 219 authors were found to satisfy the specified criteria. Of these, only 216 were found to compose the largest set of connected authors. The top ten cited authors from the non-connected set with the highest TLS values are listed in

Table 10. The top 10 authors with the highest citation TLS values.

Rank	Author	Country	Np	Citation	Links	TLS
1	Moustafa, Nour	Australia	18	1632	173	668
2	Kumar, Prabhat	India	16	881	95	442
3	Tripathi, Rakesh	India	14	894	92	432
4	Gupta, Govind P.	India	14	896	92	424
5	Ferrag, Mohammed Amine	Algeria	10	1203	117	362
6	Turnbull, Benjamin	Australia	4	932	148	362
7	Maglaras, Leandros	England	6	945	98	291
8	Koroniotis, Nickolaos	Australia	3	626	121	289
9	Kumar, Randhir	India	11	535	49	285
10	Janicke, Helge	Australia	5	695	87	232

. This Table also displays the number of citation links for each author, which is the number of unique researchers who cited a specific author’s intrusion detection in IoT articles published in WoS. For example, Moustafa, Nour published 18 intrusion detection in IoT articles from WoS from 2017 to 2023. These publications gained 1632 citations from the published documents of 173 distinct researchers, each having a minimum of three publications and five citations. In this manner, each of these researchers created a citation-based connection with Moustafa, Nour. The link strength of a particular link is determined by the number of citations it contains. The TLS of the cited author represents the combined strength of all citation-based links. Table 10 is primarily composed of researchers from Australia and India, with four authors from each country. England and Algeria are each represented by a single author. Interestingly, Ferrag, Mohammed Amine ranked fifth in terms of TLS count (362) but has a citation count of 1203. It is worth noting that the author (Koroniotis, Nickolaos) showcases notable interconnectivity with a TLS of 362 despite fewer publications.

Figure 22 shows the citation-based networks of intrusion detection in IoT based on authors published in WoS, displayed in various colored nodes and linkages as per respective co-citations. In the figure, authors such as Gupta, Govind P., Kumar, Randhir, and Tripathi, Rakesh form a green-colored network. The top leading author Moustafa, Nour is in a red-colored node. On the other hand, authors Ferrag, Mohammed Amine and Maglaras, Leandros are represented by purple-colored nodes.

6.4. Organization-Based Citation Analysis

The citation analysis of intrusion detection in IoT research publishing organizations is presented in this subsection. A criterion of a minimum of three published documents and five citations per organization was employed to analyze the citations of these organizations. The documents that are co-authored by more than 25 nations are omitted from this evaluation. A minimum of three published publications and five citations per source were used as the criterion for analyzing the citations of these organizations. The VoS search identified a total of 1461 such organizations. Only 256 sources met the specified criteria, and 255 organizations formed the interconnected network.

Table 11. The top 10 organizations with the highest citation TLS values.

Rank	Organization	Country	Np	Citation	Links	TLS
1	University New South Wales	Australia	13	1327	93	428
2	Guelma University	Algeria	9	1187	77	283
3	National Institute Technology	India	22	902	70	265
4	De Montfort University	UK	6	945	71	232
5	Princess Nourah Bint Abdul Rahman University	Saudi Arabia	26	214	73	229
6	Vellore Institute of Technology	India	21	524	70	221
7	University of Texas San Antonio	USA	11	675	71	203
8	King Saud University	Saudi Arabia	16	352	68	195
9	Prince Sattam Bin Abdulaziz University	Saudi Arabia	26	194	72	194
10	Edinburgh Napier University	UK	18	331	77	191

lists the leading ten cited organizations with the highest TLS values from the non-connected network. The Table displays the number of publications (Np), the number of unique citing organizations (links), citations, and the total strengths of all such links (TLS) for an organization. The data in Table 11 are composed of three institutions from Saudi Arabia, two institutions each from India and the UK, and one each institution from Algeria, USA, and Australia. The University of New South Wales is first on the list with 13 research publications, 1327 citations, 93 inter-institutional citation links, and TLS 428. This organization was cited 1327 times by other organizations. Out of these citations, only 93 were selected for the current study based on specific criteria, which required a minimum of three published papers and five citations per organization. The Guelma University, Algeria, earned the second-highest position, with a TLS of 283 and only nine publications. The National Institute of Technology produced more articles (Np = 22) than the University of New South Wales and Guelma University, but it still ranked third with TLS (265). Princess Nourah Bint Abdul Rahman University (PNU) in Saudi Arabia has the highest number of publications (Np = 26) among the institutions listed in Table 11, yet it ranks fifth overall because of fewer inter-institutional citation linkages. The same pattern is observed for King Saud University (ranked eighth).

Figure 23 shows various global institutional citation-based linkages in the field of intrusion detection in IoT. Different citation networks are depicted in distinct colors. The leading University of New South Wales is highlighted in a brown color, whereas the organizations such as Guelma University and De Montfort University are shown in light red color.

6.5. Country-Based Citation Analysis

This subsection presents a citation analysis of intrusion detection in IoT research-publishing countries. A criterion of a minimum of three published documents and five citations per nation was employed to analyze the citations of these nations. The documents that are co-authored by more than 25 nations are omitted from this evaluation. The VoS search found 89 such nations. However, 65 nations were found to meet the specified requirements. The ten leading cited nations with maximum TLS values are presented in

Table 12. The top 10 countries with the maximum citation TLS values.

Rank	Country	Np	Citation	Links	TLS
1	India	256	3925	63	2651
2	Saudi Arabia	200	2598	59	2383
3	Australia	83	3990	58	2152
4	People’s Republic of China	174	3452	61	1820
5	USA	134	2813	59	1452
6	England	78	3029	57	1390
7	Pakistan	86	1089	59	1094
8	Canada	69	2007	58	930
9	Egypt	54	787	57	779
10	Algeria	24	1449	55	681

. India ranks top on the list with 256 documents, a TLS of 2651, and 63 international citation links. The WoS papers on intrusion detection in IoT by Indian-affiliated authors have received a remarkable 3925 citations. Authors from 63 different countries (citation links) referenced these publications, which were shortlisted based on the aforementioned threshold requirements (minimum three published documents and five citations per nation). China has a publication count of 174, international citing linkages (61) greater than Australia, and still, China has the fourth rank in terms of the highest TLS. A similar pattern is seen for the USA.

Figure 24 displays the citation network of intrusion detection in IoT publishing countries. This figure illustrates two prominent networks represented in red and green-colored nodes and their linkages. The red-colored network consists of nations, including India, Japan, Turkey, and others. On the other hand, the green-colored network is made up of nations such as Australia, Lithuania, Italy, Sweden, Poland, and others. Similarly, the blue-colored network is composed of countries such as Germany, Finland, Algeria, and others.

7. Burst Detection Analysis

This section presents the burst detection analysis generated from the CiteSpace tool, covering the period from 2017 to 2024. The analysis was conducted by employing the ‘Top N per slice’ selection criteria to identify and examine significant bursts in citations. The keywords and articles that experienced a dramatic increase in citations during specific timeframes were identified using burst analysis. The burst detection model of Citespace is based on Kleinberg’s algorithm. This study also highlights the burst strengths to understand the relative temporal priority assigned to various publications and keywords by the research community. Additionally, in the subsection, a comparison of the data trends from 2017–2023 with those in 2024 is provided for more recent temporal trends.

7.1. Keyword Burst Detection

The analysis of burst detection of keywords in IoT intrusion detection is discussed in this subsection.

7.1.1. Trends from 2017–2023

Table 13. Top 15 keywords with the strongest citation bursts.

Rank	Keyword	Year	Strength	Begin	End
1	deep neural network	2019	4.03	2022	2023
2	neural networks	2017	3.75	2017	2021
3	network intrusion detection system	2022	3.43	2022	2023
4	deep learning (dL)	2022	3.43	2022	2023
5	computer crime	2021	3.22	2021	2023
6	support vector machine	2019	3.21	2020	2021
7	edge computing	2020	3.12	2020	2021
8	ddos attack	2021	3.08	2021	2021
9	big data	2019	2.77	2021	2023
10	network traffic	2020	2.73	2020	2021
11	iot network	2022	2.57	2020	2023
12	machine learning (mL)	2021	2.47	2021	2023
13	fog computing	2019	2.37	2021	2021
14	smart cities	2020	2.34	2020	2021
15	genetic algorithm	2019	2.22	2019	2021

details the top 15 keywords in descending order of their corresponding burst strengths from 2017–2023. The keywords ‘deep neural network’, ‘network intrusion detection system’, ‘deep learning (dl)’ obtained the burst strengths of 4.03, 3.43 and 3.43, respectively, from 2022–2023. The keyword ‘neural networks’ witnessed the second-highest burst strength of 3.75 from 2017–2021. Meanwhile, ‘computer crime’, ‘big data’, and ‘machine learning (ml)’ keywords had burst strengths of 3.22, 2.77, and 2.47, respectively, from 2021–2023. From 2020–2021, the keywords ‘support vector machine’, ‘edge computing’, ‘network traffic’, and ‘smart cities’ obtained burst rates of 3.21, 3.12, 2.73, and 2.34, respectively.

7.1.2. Trends in 2024

Table 14. Top keywords with the strongest citation bursts in 2024.

Rank	Keyword	Strength	Begin	End
1	intrusion detection system	3	April	April
2	feature selection	2.74	March	June
3	feature extraction	2.34	February	February

displays the top three keywords for the year 2024, arranged in descending order according to their respective burst strengths. In April, the keyword ‘intrusion detection’ system had a maximum burst strength of 3, while the keyword ‘feature selection’ had a burst strength of 2.74 from March to June. The keyword ‘feature extraction’ achieved a burst strength of 2.34 in the month of February.

7.1.3. Comparative Analysis of Keyword Trends: 2017–2023 vs. 2024

A comparative analysis of keyword trends from 2017–2023 and 2024 reveals a significant shift in focus. From 2017 to 2023, the emphasis was on advanced machine learning techniques such as deep learning, neural networks, and support vector machines, reflecting the research community’s interest in leveraging sophisticated algorithms for IoT intrusion detection. Keywords like “deep neural network,” “network intrusion detection system”, and “deep learning” dominated this period, indicating a strong focus on developing and refining these technologies. In contrast, the trends in 2024 show a pivot towards practical implementation aspects of intrusion detection. The top keywords for 2024—“intrusion detection system”, “feature selection”, and “feature extraction”—suggest a growing interest in optimizing and fine-tuning the detection process. This shift indicates a maturation in the research field, moving from developing core algorithms to enhancing their effectiveness and efficiency in real-world applications.

7.2. References Burst Detection

The burst detection analysis performed for the referenced IoT intrusion detection papers is presented in this subsection.

7.2.1. Trends from 2017–2023

The top seven referenced publications in descending order of their individual burst strengths are presented in

Table 15. Top 7 references with the strongest citation bursts.

Rank	Institution	Year	Strength	Begin	End
1	Diro AA, 2018, Future Gener Comp Sy, V82, P761 [16]	2018	20.48	2020	2021
2	Chaabouni N, 2019, IEEE Commun Surv Tut, V21, P2671 [7]	2019	16.08	2021	2023
3	Zarpelao BB, 2017, J Netw Comput Appl, V84, P25 [17]	2017	16.07	2019	2021
4	Kolias C, 2017, Computer, V50, P80 [18]	2017	12.69	2019	2020
5	Nour, 2015, 2015 MIL Comm INF Sy, V0, PP1 [19]	2015	7.39	2018	2019
6	Al-Fuqaha A, 2015, IEEE Commun Surv Tut, V17, P2347 [20]	2015	3.1	2017	2019
7	Hodo E, 2016, 2016 International Symposium On Networks, P1 [21]	2016	3.1	2017	2019

. The article contributed by Diro AA et al. [16] witnessed the maximum burst strength of 20.48 within a relatively short time frame of one year, specifically from 2020 to 2021. The article contributed by Chaabouni N et al. [7] in 2019 has a citation burst of 16.08 from 2021–2023. Zarpelao BB et al. [17] obtained a citation burst of 16.07 from 2019–2021 two years after its publishing. The article published by Kolias C et al. [18] in 2017 witnessed a burst strength of 12.69 from 2019–2020 and a document published by Nour et al. [19] achieved a strength burst of 7.39 from 2015–2019. The article published by Al-Fuqaha A et al. [20] and Hodo E et al. [21] witnessed the same strength burst of 3.1 from 2017–2019.

7.2.2. Trends in 2024

The top referenced publications, in descending order, with their individual burst strength, are presented in

Table 16. Top references with the strongest citation bursts in 2024.

Rank	References	Year	Strength	Begin	End
1	Alsaedi A, 2020, IEEE Access, V8, P165130 [8]	2020	3.27	May	June
2	Ferrag MA, 2022, IEEE Access, V10, P4028 [22]	2022	3.01	May	June
3	Maseer ZK, 2021, IEEE Access, V9, P22351 [23]	2021	2.31	April	April
4	Otoum Y, 2022, T Emerg Telecommun T, V33, P0 [24]	2022	2.31	April	April
5	Anthi E, 2019, IEEE Internet Things, V6, P9042 [25]	2019	2.16	February	February

. The article contributed by Alsaedi et al. [8] observed the maximum burst strength of 3.27 from the month of May to June. The article published by Ferrag et al. [22] witnessed a burst strength of 3.01 from May to June. The article published by two different authors, namely Maseer ZK et al. [23] and Otoum Y et al. [24], obtained a burst count of 2.31 for April. The article published by Anthi E et al. [25] obtained a burst count of 2.16 in February.

7.2.3. Comparative Analysis of Reference Trends: 2017–2023 vs. 2024

From 2017 to 2023, the trend in IoT intrusion detection research focused on foundational techniques and broad applications. Researchers concentrated on leveraging deep learning and machine learning to develop general intrusion detection frameworks. During this period, there was also a significant emphasis on understanding and countering specific threats, as well as developing fundamental datasets for network intrusion detection systems. Surveys during this time reflected the broad, exploratory nature of the research, aiming to map out the landscape of IoT security.

In contrast, 2024 saw a shift towards more specialized and advanced methodologies. The focus moved to creating comprehensive, realistic datasets tailored for both centralized and federated learning, indicating a greater emphasis on real-world applications and data-driven techniques. Researchers developed sophisticated deep learning frameworks and targeted specific IoT environments, such as smart homes. This evolution marks a progression from general methodologies to highly refined, application-oriented research, reflecting the maturation and increased specificity of the field.

8. Conclusions and Future Directions

The present study provides an exhaustive bibliometric examination of several elements of intrusion detection in IoT research published between 2017 and 2023. This report analyzed yearly publications by type, organization, source, researcher, country, and area. Furthermore, the aforementioned comprehensive analysis was conducted from the viewpoints of co-authorship, co-occurrence, and citation. The fractional counting approach was employed for co-authorship, co-citation, and co-occurrence analyses. In order to determine the most popular publications and keywords over time, the findings of burst detection were finally discussed. The following is a summary of the main conclusions of the present investigation:

• From 2019 onwards, WoS published more than 200 articles pertaining to IoT intrusion detection.
• The majority of these publications consist of research articles, accounting for 72.01%.
• The majority of intrusion detection in IoT papers (80) from WoS were published in the journal IEEE Access.
• The Egyptian Knowledge Bank (EKB) of Egypt has published the greatest number of papers, with a total of 49.
• Moustafa N from Australia has authored the highest number of publications (19) on intrusion detection in IoT, serving as the first author.
• Researchers from the USA published the greatest number of publications from 2018 to 2020. Since 2021, India has been the top source for publication output.
• Computer science is the predominant field of research with the highest number of papers (893) on intrusion detection in IoT.
• The majority of the WoS IoT intrusion detection publications (791) belong to the Science Citation Index Expanded (SCI-EXPANDED).
• The majority of IoT intrusion detection publications in the WoS database are categorized under ‘Computer Science Information Systems’, with a total of 553 publications, followed closely by the category of ‘Engineering Electrical Electronic’, which has 465 publications.
• The National Natural Science Foundation of China (NSFC) is the leading funding agency in IoT intrusion detection research, with a significant contribution of approximately 5.68%.
• Approximately half of the total records consist of Open Access publications.
• Kumar, Prabhat from India holds the highest co-authorship-based TLS of 16 with 12 co-author links and 16 publications.
• The co-authorship-based TLS of Princess Nourah Bint Abdul Rahman University is the highest among all, with a score of 26. This university has established co-author linkages with 43 other organizations.
• Saudi Arabia boasts the highest co-authorship-based TLS of 482, establishing strong collaborative connections with 44 other nations.
• Intrusion Detection has the highest co-occurrence-based TLS of 482 with links to 489 other author-defined keywords indexed in WoS.
• Intrusion detection has the highest co-occurrence-based TLS of 324 with links to 346 other author-defined IoT intrusion detection keywords.
• IEEE Access has the maximum citation-based TLS of 558, with citation linkages to 2606 journals.
• Moustafa, Nour (Australia) has the highest citation-based TLS of 668, with citation links to 1632 intrusion detection in IoT researchers.
• The University of New South Wales (Australia) has the highest citation-based TLS (428), with citation links to 1327 institutions.
• India has the highest citation-based TLS of 2651, with citation links to 3925 nations.
• During 2022–2023 the keywords ‘deep neural network’, ‘network intrusion detection system’, ‘deep learning (dl)’, and ‘iot network’ obtained burst strengths of 4.03, 3.43, 3.43, and 2.57, respectively.
• The document published by Chaabouni N. et al. [7] witnessed a burst strength of 16.08 during 2021–2023.
• During 2021–2023, the National Institute of Technology (NIT System) and SRM Institute of Science and Technology Chennai witnessed burst strengths of 4.43 and 3.78, respectively.

According to the comprehensive bibliometric analysis conducted on intrusion detection in IoT research spanning from 2017 to 2023, future studies should focus on advanced machine learning techniques, such as reinforcement learning, federated learning, and transfer learning, to enhance intrusion and anomaly detection in IoT systems. Researchers can conduct comparative studies to evaluate the effectiveness of these advanced techniques in various IoT environments, ensuring a comprehensive understanding of their strengths and limitations. Additionally, researchers should investigate the application of IoT intrusion detection in underexplored fields such as Automation Control, Physics, and Mathematics. Researchers can also perform comprehensive bibliometric analyses on the utilization of machine/deep learning techniques in IoT intrusion detection. These analyses aim to uncover the underlying trends that are impacting current endeavors and shaping the future of IoT security. The insights and recommendations mentioned above offer valuable guidance for diverse and extensive applications in this field. These advancements have the potential to positively impact various disciplines and sectors worldwide, leading us toward a more secure digital future.

9. Limitations, Scope, and Future Work

While our study provides valuable insights into trends and methodologies in IoT intrusion detection based on academic publications, it is important to acknowledge several limitations. Firstly, the focus on academic publications may not fully capture practical developments and innovations from industry sectors that do not frequently publish in scientific journals. This limitation suggests a future direction for research to explore and document contributions from industry and non-academic sectors in IoT security. Secondly, the reliance on data solely from the Web of Science may exclude significant works published in other databases or non-indexed conferences, potentially limiting the comprehensiveness of our findings. Future studies could expand the scope to include a broader range of sources to ensure a more inclusive analysis. Lastly, while our analysis aims to provide a comprehensive overview, generalizing the results across all sub-fields within IoT intrusion detection may overlook specific nuances and variations. Future research should consider delving deeper into specific sub-fields to uncover these nuances and provide context-specific insights. Addressing these considerations will enhance the applicability and relevance of future research in advancing the field of IoT security.