TABLE 1. Summary of the findings of the related studies.

Ref. Model Used Contribution Challenges/Gaps

The main
contribution of
this study is
the The study's
development limitation is
that it was
of an evaluated
innovative
intrusion using a single
detection dataset; further
[20] DRNN system for Fog study is
required
security, that
uses a multi- to evaluate its
layered performance
recurrent on other
neural datasets.

network-based
approach.
 This study
contributes to
the field of
DDoS attack This study is
limited to the
detection by use of two
introducing a
scalable and recent security
adaptable datasets;
SDN- additional

based investigation is
[21] DL framework required to
using DL to evaluate the
achieve a high
level of proposed
architecture's
accuracy in performance in
categorizing a wider
binary and
multiclass data range of attack
scenarios.
across
unknown
network traffic.

This study
contribution
proposes a
novel approach
for This limitation
is that it only
detects FDIA
identifying
false data
injection using PMU
attacks (FDIA) measurements
in smart and does not
[22] CNN-LSTM
grid (SG) consider other
systems. In types of data
addition, the that could be
model has been used

optimized by to improve
applying detection
particle swarm accuracy.
optimization

(PSO).
 This study
presents a
This study is
novel IDS that
limited by its
uses various
use of both the
ML
KDD99 and
and DL
NSL-KDD
models. The
datasets, which
proposed IDS
do not
[23] ML, DL demonstrates
adequately
high accuracy,
represent
a minimal rate
recent attacks
of false alarms,
and suffer
and a low
from network
cost for
biases.
training on the
CIDDS dataset.

The study's
contributions
The study's
encompass a
limitations
model for
include the
assumption
conducting
false data
of unrestricted
injection
attack
attacks, a
resources,
detection
complete
method based
topology
[29] DRL on deep
information,
reinforcement
and the
learning, and
potential for
an
future
approach to
advancements
enhance
in the detection
efficiency in
method's
addressing
sparse
perception
capabilities.
reward
problems.
 The main
contribution of
this study is
the
development

of an
innovative The study's
technique testing on
called 2DR- IEEE 14- and
CNN, which 39-bus
[30] 2DR-CNN
can accurately systems is its
detect and main
identify drawback.
dynamic load-
altering

attacks (D-
LAAs) with
high
resolution.

The focus of
this research is
limited to a

The framework specific EASH

developed in system;
this study uses therefore, it's
machine findings

learning to may not apply

distinguish to other CPSs.
between The analysis
network
[33] ML attacks and also indicates
that the
component classification
failures in results can
Energy Aware
Smart Home be enhanced by
including or
(EASH) excluding
systems. features

from the
descriptive
datasets.
 This study
compares and
investigates AI
methods that

use XGBoost
and LSTM for
cyberattack
detection in a

CPS
environment.
This study is
In addition, we
limited to the
investigate and
use of one ICS
gas
analyze the
proposed
pipeline
approach using
security
other available
dataset. Future
research could
benchmark
datasets, such
involve
This work ML, DL as NetML-
exploring other
2020 and IoT-
ensemble
23,
methods or
which contain
optimizing
various
hyperparamete
cyberattacks.
rs to improve
However, this
the
work
model's
has some
performance.
similarities to
prior studies.
For example,

, [21], and [23]

use various ML
techniques for

IDS in Fog
systems and
SDN-based
framework.

considers detection-related factors such as the algorithm and performance metrics.

Finally, a comprehensive review was conducted, which involved categorization,
classification, and examination of the existing literature on artificial intelligence (AI)
techniques used to identify cyberattacks in the Internet of Things (IoT) settings [36].
This study compares and investigates existing DL and ML algorithms for cyberattack
detection in CPSs. Based on our knowledge, this study is different from other studies
because we focused on critical industrial control systems, i.e., gas pipeline cyberattack
detection using LSTM and XGBoost models. However, our work added value by
understanding the various A I models from empirical studies to overcome current trends
in cybersecurity attacks in CPSs and IoT environments. We also analyzed and validated
the models using the available benchmark datasets that containing cyberattacks. Table 1
summarizes the findings based on the related studies.

In addition, our comparable contribution attempts to address key limitations of existing

approaches. For example, [20] evaluated there DRNN model for intrusion detection
systems using a single dataset. The authors in [23] use both the KDD99 and NSL-KDD
datasets, which appear to have network biases. In addition, [21] limits the capabilities of
their proposed DL model to a single DDoS attack in the SDNbased domain. To overcome
these limitations, our study uses a variety of datasets from various domains, including
gas pipelines, NetML-2020, and IoT-23, which contain a variety of cyberattack
scenarios. We also investigate the capability of combining LSTM and XGBoost to detect
cyberattack scenarios in industrial control systems.

III. MATERIALS AND METHODS

This section provides details of the study methodology, implementation, and design of
the proposed methods for intrusion detection systems in CPS. The proposed framework
combines several independent processes and comprises data collection and observation.
During this process, datasets were collected and observed in detail based on the type of
data. The entire dataset was processed, consisting of cleaning the data, visualizing the
data using vectorization steps, and feature engineering. The training of the dataset used
ML. An optimization method was used to create the final model. The study will use the
XGBoost classification, which is based on