Lightweight IoT Intrusion Detection Systems: History
Please note this is an old version of this entry, which may differ significantly from the current revision.

Cyber security has become increasingly challenging with the proliferation of the Internet of Things (IoT), where a massive number of tiny, smart devices push trillions of bytes of data to the Internet; the total is expected to reach 73.1 ZB (zettabytes) by 2025. IoT devices have limited computational capabilities, so researchers have shifted their focus to designing lightweight intrusion-detection systems (IDS) that deliver the required security guarantees while running on such constrained devices.

  • internet of things
  • intrusion detection systems

1. Introduction

Intrusion detection is a critical component of Internet of Things (IoT) security. The proliferation of connected devices and the increasing volume of transmitted data create opportunities for malicious actors to exploit vulnerabilities [1]. An essential challenge in developing effective intrusion-detection systems for IoT applications is handling large volumes of data while preserving data privacy and minimizing energy consumption [2]. Network nodes see different traffic patterns, so a standalone IDS node can learn only from the traffic it can observe. This delays attack detection, and if collaborative IDS are used instead, sensitive information may be shared across nodes and privacy may be breached.

2. Lightweight IoT Intrusion Detection Systems

2.1. Lightweight IDS for IoT

Cyber security has become increasingly challenging with the proliferation of the Internet of Things (IoT), where a massive number of tiny, smart devices push trillions of bytes of data to the Internet; the total is expected to reach 73.1 ZB (zettabytes) by 2025 [8]. IoT devices have limited computational capabilities, so researchers have shifted their focus to designing lightweight IDS that deliver the required security guarantees while running on such constrained devices.
Zarpelão et al. [9] surveyed IDS developments for IoT and found a growing interest in lightweight IDS. They identified two tracks that claim to be lightweight:
  • Signature-based lightweight IDS (such as [10]): this track is beyond the scope of this entry.
  • Anomaly-based lightweight IDS: the track this entry focuses on.
Lee et al. [11] detected 6LoWPAN attacks by observing the energy consumption reported by IoT nodes. To counter energy-consumption attacks, Le et al. [12] built a lightweight IDS that confines sensing operations to cluster heads, so the remaining nodes operate normally; Reza et al. [13] take a similar approach. Jan et al. [14] concentrated on computationally lightweight IDS built on support vector machines, a supervised machine-learning (ML) method, which neither limits the IDS to a single attack type (as in [11]) nor restricts the number of nodes running the IDS (as in [12,13]).
By limiting the number of investigated features, Soe et al. [15] developed a lightweight anomaly-based IDS strategy that keeps only the features with the highest gain ratio and discards all others, reducing the amount of computation required. It is worth noting that this strategy runs the risk of missing rare attacks that can only be detected using the discarded features. The method is consistent with that of Davahli et al. [16], where feature selection is driven by a hybrid of a genetic algorithm (GA) and the Grey Wolf Optimizer (GWO).
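The following is an added example, not code from [15] or from the paper this entry is adapted from. It implements gain-ratio feature ranking (information gain divided by split information, the C4.5 definition) over a constructed toy dataset of flow records, keeps the top-k features, and then shows the risk mentioned above: once the low-ranked feature is dropped, the single rare-attack row becomes indistinguishable from benign rows. The feature names, labels and rows are all made up for the illustration.

```python
import math
from collections import Counter


def entropy(labels):
    """Shannon entropy (bits) of a label multiset."""
    n = len(labels)
    return -sum(c / n * math.log2(c / n) for c in Counter(labels).values())


def gain_ratio(rows, feature):
    """Gain ratio of a categorical feature: information gain / split information."""
    labels = [y for _, y in rows]
    n = len(labels)
    groups = {}
    for x, y in rows:
        groups.setdefault(x[feature], []).append(y)
    info_gain = entropy(labels) - sum(len(g) / n * entropy(g) for g in groups.values())
    split_info = -sum(len(g) / n * math.log2(len(g) / n) for g in groups.values())
    return 0.0 if split_info == 0 else info_gain / split_info


def select_features(rows, k):
    """Rank features by gain ratio and keep the top k; returns (kept, discarded)."""
    feats = list(rows[0][0])
    ranked = sorted(feats, key=lambda f: gain_ratio(rows, f), reverse=True)
    return ranked[:k], ranked[k:]


def labels_colliding_with(rows, kept, target_label):
    """Labels of every row that looks identical to the first `target_label` row
    once only the `kept` features remain (i.e. what a classifier can no longer separate)."""
    target = next(x for x, y in rows if y == target_label)
    key = tuple(target[f] for f in kept)
    return {y for x, y in rows if tuple(x[f] for f in kept) == key}


def build_rows():
    """Constructed toy flow records (not real data): 10 benign, 9 DoS, 1 rare attack."""
    rows = []
    for _ in range(10):
        rows.append(({"pkt_rate": "low", "proto": "tcp", "ttl_anomaly": 0}, "benign"))
    for i in range(9):
        # DoS floods are high-rate; two of them also show a TTL anomaly (noise)
        rows.append(({"pkt_rate": "high", "proto": "udp" if i < 7 else "tcp",
                      "ttl_anomaly": 1 if i < 2 else 0}, "dos"))
    # the rare attack is low-rate TCP and is only distinguishable by ttl_anomaly
    rows.append(({"pkt_rate": "low", "proto": "tcp", "ttl_anomaly": 1}, "rare"))
    return rows


if __name__ == "__main__":
    rows = build_rows()
    for f in rows[0][0]:
        print(f"{f:12s} gain ratio = {gain_ratio(rows, f):.3f}")
    kept, dropped = select_features(rows, k=2)
    print("kept:", kept, "dropped:", dropped)
    print("rare row now collides with labels:", labels_colliding_with(rows, kept, "rare"))
```

With all three features the rare row is unique; after keeping the two highest-ranked features it projects onto the same values as every benign row, so no downstream model can recover it. Gain ratio is a per-feature, per-class-frequency score, which is exactly why features that only matter for a 1-in-20 class rank low.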
Khater et al. [17] combined the last two strategies (feature reduction and supervised deep learning) to enhance the communication security of lightweight IoT devices in a Fog computing environment. To stay lightweight, a combination of Modified Vector Space Representation (MVSR) and N-grams (1-gram and 2-gram) was used to encode system calls in the feature-extraction phase, with a sparse matrix for space reduction. The extracted features were then fed into a Multilayer Perceptron (MLP) with a single hidden layer that classifies the nature of the traffic.
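As an added example (not code from [17]; their MVSR weighting is not reproduced, plain counts are used instead), the block below shows the feature-extraction step: building a 1-gram/2-gram vocabulary from system-call traces and encoding each trace as a sparse {column: count} vector, which is what makes the matrix cheap to store on a constrained device. The traces are constructed for illustration.

```python
from collections import Counter


def ngram_counts(trace, n):
    """Counts of the sliding n-grams in one system-call trace."""
    return Counter(tuple(trace[i:i + n]) for i in range(len(trace) - n + 1))


def build_vocab(traces, ns=(1, 2)):
    """Assign a column index to every 1-gram and 2-gram seen in the training traces."""
    vocab = {}
    for t in traces:
        for n in ns:
            for g in ngram_counts(t, n):
                vocab.setdefault(g, len(vocab))
    return vocab


def encode_sparse(trace, vocab, ns=(1, 2)):
    """Sparse feature vector {column: count}; n-grams unseen at training time are dropped,
    so the same vocabulary must be shipped with the model."""
    vec = {}
    for n in ns:
        for g, c in ngram_counts(trace, n).items():
            if g in vocab:
                vec[vocab[g]] = c
    return vec


def to_dense(vec, size):
    """Expand a sparse vector into the dense row an MLP input layer would consume."""
    row = [0] * size
    for col, c in vec.items():
        row[col] = c
    return row


def nonzero_fraction(vecs, size):
    """Share of cells the sparse form stores compared with the dense matrix."""
    return sum(len(v) for v in vecs) / (len(vecs) * size)


# Constructed training traces (not real captures): two benign file reads and one
# socket-then-exec sequence of the kind a reverse shell would produce.
TRAIN_TRACES = [
    ["open", "read", "write", "close"],
    ["open", "read", "read", "close"],
    ["socket", "connect", "execve", "open", "read", "write", "close"],
]

if __name__ == "__main__":
    vocab = build_vocab(TRAIN_TRACES)
    vecs = [encode_sparse(t, vocab) for t in TRAIN_TRACES]
    print("vocabulary size:", len(vocab))
    for t, v in zip(TRAIN_TRACES, vecs):
        print(" ".join(t), "->", to_dense(v, len(vocab)))
    print("nonzero fraction:", nonzero_fraction(vecs, len(vocab)))
    print("trace with an unseen syscall:", encode_sparse(["mmap", "open", "read"], vocab))
```

Note the failure mode on the last line: a system call that never appeared in training, and every 2-gram containing it, vanishes from the vector. A trace of entirely novel calls encodes to an empty vector, so a deployed IDS should treat an unusually high dropped-n-gram count as a signal in its own right rather than silently feeding zeros to the MLP.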
Instead of being selective about features (as in [15]) or nodes (as in [12,13]), Sedjelmaci et al. [18] proposed a strategy that is selective about time. They use a game-theoretic approach to identify the periods in which attacks are most likely to occur, and only then enable the IDS functionality.
Deep Neural Networks (DNN) have been applied in the hope of improving the detection accuracy of lightweight IDS. One of the most recent applications is "Realguard" by Nguyen et al. [19], a DNN-based IDS built on a simple MLP with five hidden layers. Realguard runs on low-end IoT devices while achieving high attack-detection accuracy.

2.2. Sampling Algorithms for IDS

IoT devices cannot analyze every packet they see: network volume keeps rising while battery capacity does not. Researchers have therefore turned to sampling before analysis to reduce the data volume. Sampling must avoid losing the information the detector needs, or threat-detection accuracy suffers. Sampling techniques are thus designed to balance IDS efficiency against attack-detection accuracy: IoT nodes sample packets, producing a subset of the network traffic for subsequent analysis and detection. How well a sampling method works depends heavily on the sampling rate and the chosen strategy.
A network-based IDS (NIDS) treats network packets as its data samples. The population is therefore every packet in the traffic, and the sample is a selection from it. Since only a limited number of packets are taken for analysis, the essential parameter is the sampling rate, or sampling ratio, which sets the size of the subset relative to the original population. Some sampling algorithms, for instance those that keep each packet independently with a fixed probability, only reach the requested sample size on average rather than exactly. Sampling algorithms are either static or dynamic. A static sampling process is conducted periodically or randomly according to a fixed rule or data interval. These rules fall into three main categories of sampling decision: count-based, time-based, and content-based. A static algorithm that selects packets by their position in the packet stream is count-based. A time-based algorithm selects by the arrival time of the packet (its timestamp). Finally, content-based methods inspect the packet content before deciding whether to select it. Because this last approach increases overhead and computation time, content-based algorithms, also known as filtering algorithms, are beyond the scope of this research. The main advantage of a static sampling algorithm is the reduction in bandwidth and storage requirements, as only a subset is retained for anomaly-detection analysis. Dynamic, or adaptive, sampling algorithms instead vary the sampling interval and/or the selection rule as the traffic changes.
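To make the categories above concrete, here is an added example (not from the paper this entry is adapted from, nor from any of the cited works) that implements a count-based, a time-based, a probabilistic and a simple budget-driven adaptive sampler over a constructed packet stream, then runs a minimal port-scan detector (distinct destination ports per source) on each sample. The stream, hosts, timings and the 25-packets-per-window budget are all made up for the illustration; the two scans are placed so that one falls inside the time-based sampler's "on" interval and the other does not.

```python
import math
import random
from dataclasses import dataclass


@dataclass
class Packet:
    ts: float        # arrival time in seconds
    src: str
    dst_port: int


def count_based(packets, stride):
    """Static, count-based: keep every `stride`-th packet by position in the stream."""
    return packets[::stride]


def time_based(packets, period_s, on_s):
    """Static, time-based: keep packets arriving in the first `on_s` seconds of each `period_s` window."""
    return [p for p in packets if (p.ts % period_s) < on_s]


def random_based(packets, prob, seed=1):
    """Static, probabilistic: keep each packet independently with probability `prob`.
    The sample size is prob * len(packets) only on average, never exactly."""
    rng = random.Random(seed)
    return [p for p in packets if rng.random() < prob]


def adaptive_budget(packets, period_s, budget):
    """Adaptive: per window, pick the stride that fits the node's analysis budget,
    so each window contributes at most `budget` packets whatever the traffic rate."""
    windows = {}
    for p in packets:
        windows.setdefault(int(p.ts // period_s), []).append(p)
    out = []
    for w in sorted(windows):
        batch = windows[w]
        stride = math.ceil(len(batch) / budget)   # >= 1 because batch is non-empty
        out.extend(batch[::stride])
    return out


def per_window_counts(packets, period_s):
    counts = {}
    for p in packets:
        w = int(p.ts // period_s)
        counts[w] = counts.get(w, 0) + 1
    return counts


def distinct_dst_ports(packets):
    """Detector input: number of distinct destination ports contacted per source."""
    seen = {}
    for p in packets:
        seen.setdefault(p.src, set()).add(p.dst_port)
    return {src: len(ports) for src, ports in seen.items()}


def port_scan_alerts(packets, threshold):
    return {src for src, n in distinct_dst_ports(packets).items() if n >= threshold}


def build_stream(seed=7):
    """Constructed traffic (not a real capture): 20 benign hosts plus two fast port scans."""
    rng = random.Random(seed)
    pkts = []
    for h in range(20):
        src = f"10.0.0.{h + 1}"
        for _ in range(100):
            pkts.append(Packet(rng.uniform(0, 100), src, rng.choice([53, 80, 443])))
    # each scan probes ports 1-60 within 0.6 s; one starts at t=40.0, the other at t=45.0
    for src, t0 in (("10.0.0.98", 40.0), ("10.0.0.99", 45.0)):
        for port in range(1, 61):
            pkts.append(Packet(t0 + (port - 1) * 0.01, src, port))
    pkts.sort(key=lambda p: p.ts)
    return pkts


if __name__ == "__main__":
    stream = build_stream()
    samplers = {
        "full traffic": stream,
        "count-based 1-in-10": count_based(stream, 10),
        "time-based 1 s of every 10 s": time_based(stream, 10.0, 1.0),
        "random p=0.1": random_based(stream, 0.1),
        "adaptive, 25 pkts/window": adaptive_budget(stream, 10.0, 25),
    }
    for name, sample in samplers.items():
        print(f"{name:30s} size={len(sample):5d} scan alerts={sorted(port_scan_alerts(sample, 10))}")
```

The time-based sampler keeps every packet of the scan that starts at t=40.0 and none of the one at t=45.0, so whether a burst attack is detected depends on where it lands relative to the "on" interval; count-based and random sampling thin both scans evenly instead, and the adaptive sampler thins the busy windows harder precisely when the burst arrives. This is why the sampling rate alone does not predict detection accuracy; the strategy and the attack's temporal shape matter as much.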
In this context, several studies have looked at the effects of data sampling. Mai et al. [20] investigated, using various sampling algorithms, how sampling high-speed IP-backbone traffic affects intrusion-detection outcomes, specifically port-scan and volume-anomaly detection. Roudiere et al. [21] tested the accuracy of the "Autonomous Algorithm for Traffic Anomaly Characterization" detector in detecting DDoS attacks over traffic sampled under various policies. The authors of [22,23] investigated how packet sampling influences anomaly-detection results. Silva et al. [24] proposed a framework for evaluating the effects of packet sampling: they examined the effectiveness of each sampling algorithm and proposed a set of metrics for assessing how representative a sample is of the original traffic. Bartos et al. [25] investigated the impact of traffic sampling on anomaly identification and presented a new adaptive flow-level sampling algorithm to improve sampling accuracy. Using traces containing the Blaster worm, Brauckhoff et al. [26] assessed the accuracy of existing anomaly-detection and data-sampling algorithms. Liu et al. [27] implemented a Difficult Set Sampling Technique (DSSTE) to tackle the class-imbalance problem, which helped in detecting rare attacks: they used Edited Nearest Neighbor (ENN) to identify the difficult set, applied K-means to compress the majority class within that set, and finally augmented the data of the clusters to obtain the final sample. A more thorough discussion can be found in the previous survey [28] and benchmarking [4] works, where the authors investigated all data-sampling strategies, their impact on detecting various attacks, and the behavior and robustness of features under each strategy.
Those works also examined how estimates of network features vary with the sampling method, sample size and other factors, and how this affects statistical inference from the sampled data.

This entry is adapted from the peer-reviewed paper 10.3390/s23167038
