Intrusion Detection Systems Using Blockchain Technology: A Review, Issues and Challenges

Intrusion detection systems that have emerged in recent decades can identify a variety of malicious attacks that target networks by employing several detection approaches. However, the current approaches have challenges in detecting intrusions, which may affect the performance of the overall detection system as well as network performance. For the time being, one of the most important creative technological advancements that plays a significant role in the professional world today is blockchain technology. Blockchain technology moves in the direction of persistent revolution and change. It is a chain of blocks that covers information and maintains trust between individuals no matter how far apart they are. Recently, blockchain was integrated into intrusion detection systems to enhance their overall performance. Blockchain has also been adopted in healthcare, supply chain management, and the Internet of Things. Blockchain uses robust cryptography with private and public keys, and it has numerous properties that have leveraged security’s performance over peer-to-peer networks without the need for a third party. To explore and highlight the importance of integrating blockchain with intrusion detection systems, this paper provides a comprehensive background of intrusion detection systems and blockchain technology. Furthermore, a comprehensive review of emerging intrusion detection systems based on blockchain technology is presented. Finally, this paper suggests important future research directions and trending topics in intrusion detection systems based on blockchain technology.


Introduction
Blockchain is an emerging technology that underlies the infrastructure of Bitcoin. In 2008, Nakamoto discovered blockchain's potential to be used in other domains, thus making Bitcoin the first of blockchain's many implementations. Blockchain technology has been increasingly used in different fields, especially in the security field, which has an important presence in different network environments, such as traditional networks, the Internet of Things (IoT), and cloud computing. Blockchain technology has many features the IoT and Industrial Internet of Things. Ultimately, the majority of existing reviews focus on the challenges or advantages of using blockchain technology in the security field [9].
To summarize and illustrate how the present review is different from the existing reviews, Tab. 1 presents a comparison of discussed topics. At the time of writing this review and according to the comparative analysis conducted in Tab. 1, there is no comprehensive review highlighting a taxonomy of blockchain-based IDS, challenges, results, applications, and research trends. We can also find that the present review is more universal than former related reviews conducted in the same area.

Overview of Blockchain
As aforementioned, blockchain technology was introduced by Nakamoto in 2008 as an underlying technology for Bitcoin to record all transactions of Bitcoin and to create security against potential attacks [10]. Fig. 1 presents blockchain's roadmap from 2008 to 2019. Bitcoin's initial infrastructure based on blockchain technology appeared in 2009 over a peer-to-peer (P2P) network, which is called the Bitcoin network. Since then, cryptocurrencies have gained worldwide attention, and researchers have harnessed and applied blockchain technology to domains, such as smart contracts and supply chain management. This evolution has occurred because blockchain is autonomous, distributed, immutable, and contractual [11,12]. Comparison with prior reviews

Blockchain Structure
A blockchain is a linked-data structure wherein each block has two main sections: a header and body. The header section consists of a nonce, a previous hash, a Merkle root hash, a timestamp, and a difficulty target. The body section contains a list of transactions. Fig. 2 presents the structure of a blockchain. The first block is always called a genesis, all blocks are linked together via cryptography, and blocks are distributed between nodes over a network [12].
Furthermore, to adhere to the rules of blockchain technology, all nodes in the blockchain network must have the same block list, which is presented in Fig. 3. When a new block is added, it broadcasts to all nodes in the network. Each node verifies the new block through a consensus mechanism that confirms a transaction in the block. There are various consensus algorithms to ensure that all nodes have the same blockchain list, such as proof of work and proof of stake [13,14].

Basic Principles of Blockchain Technology
There are many principles of blockchain technology that are applied to three main layers: the network, data, and application layers. First, the network layer is compatible with the P2P network architecture, which supports decentralized connections and distributed network mechanisms. The network layer is responsible for forwarding and verifying data between nodes. In addition, blockchain technology stores the same chain in all nodes over a network; thus, all nodes are synchronized. Therefore, when a new block is generated, it is then verified by a consensus algorithm. If the new block is valid, then it broadcasts to all other nodes. Otherwise, it is discarded. In addition, there are several types of consensus algorithms that all operate on two principles: (i) the freshness principle achieves fair competition through fresh resources for each new block that is added, and (ii) the unpredictability principle prevents any participant from predicting which node will create a new block. Tab. 2 illustrates some of the consensus algorithms that are used in blockchain networks [15,16]. Second, the data layer presents the data structure of the block. Blocks contain data or transactions that do not exceed several megabytes in size. Each block is linked together by a previous hash field through a miner. When a block solves a cryptographic puzzle and obtains the previous hash, a new block is appended to the end of the chain. Furthermore, each block has several fields, which are described in Tab. 3. The data layer also concerns user authentication and transaction encryption. Each user has a public key to validate authentications, and this key is visible to anyone in the blockchain network. Digital signatures are used to verify miners' transactions, and all validated transactions are kept in a public ledger [12,17]. If value of unique node list is less than 20%, then it maintains the network from invalid nodes. It has no miner; therefore, it reduces energy consumption efficiently.
It does not deal with transactional anonymity.

Hash
Hashing transaction occurs by Merkel tree, where each node is related with its parent node; therefore, if the transaction is modified, then it will affect all hash tree from the leaf node to the Merkle root, respectively.
Finally, the application layer is responsible for interacting with users, whether they are programmers or end-users. The application layer can be classified into two different layers. The first layer is meant for developers to build and test the application's code and is called the fabric layer. The second layer is the application layer, which allows end-users who use applications as a black box to perform specific tasks without knowing the details of the code [18].

Blockchain's Applications
As shown in Fig. 4, numerous industry sectors have used blockchain technology: the financial, healthcare, and cybersecurity sectors, and more [19,20]. Blockchain's features are what make blockchain a charming technology for industries and researchers. Initially, blockchain was applied in the financial field to manage transactions directly between financial institutions without any intermediaries. Therefore, blockchain can enhance business interactions and operational procedures.
Financial Applications: The initial use for blockchain was in cryptocurrency to provide cheaper, faster, more flexible, and more secure payment services than existing international payment methods [21]. In 2016, Bitcoin's capital market reached 10 billion dollars without the need for third parties, and all of its transactions were stored in a secure manner [15]. Therefore, there are several applications for blockchain to develop financial services and support digital currency investments.
Healthcare Applications: Blockchain technology offers the healthcare management system a way to store and process medical records over a network without disclosing patients' privacy or being modified by cyberattacks. Furthermore, it ensures data integrity and medical record accountability [22]. Blockchain technology provides several other potential benefits for healthcare systems, such as decentralization, health data ownership, and robustness. However, a blockchain-based healthcare management system would need to be developed. For instance, developing blockchain-based electronic medical records means that health or personal records would need to be shared over a network. Smart contracts have been found to be suitable for storing and managing medical records as they ensure security and privacy features. Other challenges include the fact that electronic medical records have no standards, and that the healthcare system has an enormous volume of data [23]. Business and Industry Applications: Blockchain technology has been applied to the business and industry sectors, which has led to the term "smart manufacturing." This means that industries can share goods over a network in a secure, decentralized, and self-regulating way [19]. Moreover, IoT ecosystembased blockchain technology has been applied to IoT devices (smartphones, vehicular networks, smart cities, and so forth), and has led users to solve issues such as managing data and keeping it private [24].
Cybersecurity Applications: Cybersecurity encompasses various aspects of online security, such as applications, networks, and information. In addition, cybersecurity deals with different architectures, such as the IoT and cloud. The main goal of cybersecurity is to detect and protect systems from cyber-attacks. Blockchain's characteristics allow the implementation of cybersecurity systems, thus solving key issues such as decentralized distributed domain name services, keyless signature infrastructure, and secure data storage. Recently, numerous applications have begun to adopt and rely on blockchain-based cybersecurity [20].
Education Applications: Blockchain technology has been applied to online education, which has several advantages for teachers, students, and institutions. A teacher can add a block of student information to the chain, or institutions can manage certification in a secure way through digital infrastructures. Furthermore, blockchain technology offers features that can collect and analyze data and generate reports about all entities in a given institution. Blockchain technology provides security in education because it achieves confidentiality, integrity, and availability, and it enables controlled access to students' information. In addition, it has enhanced accountability, authentication, performance, trust, and interoperability. However, it suffers from several limitations, such as scalability, type of security, and privacy issues [25,26].
Other Fields: Several additional fields have integrated blockchain technology into their systems. For instance, e-governments allow governments and citizens to interact, and smart contracts implemented on blockchain infrastructure can increase level of Quality-of-Services (QoS). Moreover, these fields established a decentralization-based blockchain database to ensure transparency, accessibility, and other important QoS features. Blockchain technology has also been applied to the energy field. There are many applications for blockchain technology that support energy management, such as increasing the security of the energy grid and supporting the energy trade [27].
In summary, blockchain is useful for decentralized applications in P2P networks. Furthermore, the trust and security that blockchain technology solves some main problems of cybersecurity. However, blockchain technology is not an optimal solution for all industries because it still has some challenges. For instance, traditional databases are at the core of some industries and provide fast and robust tools for many applications [28]. Therefore, the next section discusses the benefits of blockchain as well as the main challenges and threats it faces.

Blockchain's Benefits, Challenges, and Threats
Blockchain technology provides several benefits to its users. Some of these benefits are summarized below in Tab. 4. The main advantage of blockchain is its decentralization feature. Decentralization means that there is no need for third parties and that all participants make decisions about the information contained in a network [29].
Despite the benefits gained from using blockchain technology, it still suffers from several challenges. Some of these challenges are presented below in Tab. 5 [30].
Although blockchain technology provides reliable and comfortable services for transactions executed over a network, the blockchain list itself faces different security issues. Therefore, it is important to take these issues into consideration. Tab. 6 outlines the main threats that blockchains may face [31][32][33].
This comprehensive overview of blockchain technology shows that it will revolutionize numerous fields in the future. Although it has some challenges, blockchain has various advantages, such as enhancing IDS performance. The nodes might share transactions between themselves without the need for central point. Empowered Users Users have a full privilege and permission to manage their transactions before adding them into a blockchain list, while those users can only read their transactions after adding them into a blockchain list. High-quality data Data in a blockchain is available over different nodes consistently. It is characterized by its accurateness and freshness.

Reliability and Robustness
Blockchain's nodes resist against any malicious attack since it is a decentralized network.

Trust
No need for a third-party in blockchain to allow users to share their transactions in a trusted manner. Immutable No one can modify transactions in a blockchain once they were added into a blockchain list. Simple Ecosystem Only one ledger is required for each blockchain network. Availability The user can create transactions anytime.

Few Fees
Blockchain reduces the cost of transactions by avoiding third parties. Efficiency Transactions occur quickly and automatically. Auditability Authorized participants can audit transactions in a blockchain. Traceability Authorized participants can track any transaction easily. Transparency Blockchain provides transparent transactions to ensure a consistent relationship between parties instead of doing a negotiation. Security Blockchain uses a complex cryptographic for each transaction and block.

Intrusion Detection System
The IDS is a device or software that, through the use of different detection approaches, can detect an attack on a system and then send a notification or report to the system's administrator when it detects such an attack. The IDS may be a single device that observes a stand-alone system or a network system that performs local analysis to detect attacks. Furthermore, IDSs provide the three most important security services: (i) data confidentiality, which checks if the data is stored in a secure place in the system; (ii) data availability, which checks if data are available for an authorized user; and (iii) data integrity, which checks if data are correct and consistent with other data in the system [34].

IDS Types
Network-based intrusion detection system (NIDS) and the host-based intrusion detection system (HIDS) are stand-alone IDSs. To enhance the performance of IDSs in large IT ecosystems, multiple detectors have been used to correlate alerts and exchange knowledge; these detectors are called collaborative intrusion detection systems (CIDSs). CIDSs come in three different network architectures: centralized, hierarchical, and distributed [35]. Fig. 4 presents the IDS classifications. A centralized CIDS uses several IDSs to monitor the network, wherein each IDS connects and shares data with a single analysis unit. Hierarchical The miner is responsible for adding any new block in a blockchain; thus, it consumes power to validate the expanding volume of transactions. Signature Verification Signature transaction requires a complex cryptographic calculation in a blockchain.

Slow
Any Blockchain's block must be encrypted and verified, then it should be broadcasted over networks.

High Cost
While the cost of initial capital in Blockchain is extremely high, holding a huge volume of transactions also consumes energy; therefore, the overall cost of maintaining each transaction will be increased. Scalability Because of the Blockchain has an immutable nature, nodes cannot delete any block from the chain; therefore, the blockchain size is increased over time incrementally. and decentralized CIDSs also use several IDSs, but analysis units connect in a heretical structure to monitor multiple points in the network. A decentralized CIDS can overcome the single point of failure problem. Meanwhile, a distributed CIDS is a P2P network architecture in which each participant has an analysis unit and shares information with others in a distributed manner [36,37].

IDS Detection Techniques
The most well-known IDS approaches are signature and anomaly. The signature approach tries to detect attacks through the mapping between signatures (i.e., patterns or rules) in the database. Although it can detect known attacks easily, this approach suffers because it cannot detect a new attack with no known patterns or rules. Conversely, the anomaly approach can detect unknown attacks by monitoring the system's behavior. The anomaly approach finds abnormal activities and generates an alarm for the network administrator. Although this approach can detect unknown attacks, it may send false positive alarms. Each approach employs several techniques, as shown in Fig. 5.
Pattern Matching: Pattern matching compares new strings that enter the system with strings in the system's database to verify that there is no malicious attack occurring. If there is any matching pattern, then the system detects an attack and will generate an alarm; if there is no matching pattern, then no attack is detected. There are two kinds of pattern matching algorithms: single and multiple. Single pattern matching algorithms are simple because they search for one pattern at a time. Multiple pattern matching algorithms search for all patterns at the same time, require more time and resources [38,39]. A popular pattern matching algorithm applied to IDSs is the Boyer-Moore single pattern algorithm compares strings from the rightmost character. Although it has achieved the best performance in searching operations, the Boyer-Moore algorithm does not have feature scalability. Meanwhile, the Aho-Corasick and Wu-Manber algorithms are multiple pattern matching algorithms that search for more than one pattern simultaneously; however, the Aho-Corasick algorithm requires more memory than the Wu-Manber algorithm [40]. Pattern matching algorithms have a trade-off between their search speed and consumed memory. Some researchers have proposed ways to optimize these algorithms, while others have proposed new algorithms to enhance the performance of detection techniques in IDSs [38][39][40].
Rule-based: This technique is used in both signature and anomaly approaches. Signature detection diagnoses packets and detects malicious attacks through rules that are predefined in the system, whereas anomaly detection diagnoses the behavior of the system and detects differences between normal and abnormal behavior depending on predefined rules in the system, such as programmers' sequence of system calls. Both detection methods must update a network's rules to acquire more security. Updating the rules using the signature approach is simple, easy, and automatic; updating the rules using anomaly detection, however, is more complex because it needs time to record new training rules [41,42].
State-based: Signature detection uses the state transition analysis technique to describe attack scenarios. This technique contains two main elements, namely, state, and arc. The state represents the user or process, and the arc represents an action; if the user or process reaches the final state, then an attack occurs and the system detects it. The first tool to implement the state transition analysis technique was the Unix State Transition Analysis Tool, which executes host-based intrusion detection. The Unix State Transition Analysis Tool is a rule-based expert system that looks for known attacks in the audit traces of multi-user computer systems. However, it suffers from some limitations, such as its features being difficult to extend or adapt to different operating systems [43].
Data Mining: The signature detection approach can use data mining techniques to discover new patterns for IDSs and to overcome its main disadvantage. Although data mining is used mainly in the signature approach, much research has also applied data mining to anomaly detection. However, data mining requires data from various machine learning techniques, such as rule-based, classification, and clustering, to gather knowledge for network intrusion detection [44,45]. Some of the existing data mining algorithms are shown in Tab. 7 [46,47].
Statistical-based Intrusion Detection: This technique deals with two profiles in anomaly detection: one for observing current network traffic, and the other for statistical training. When an event occurs, the anomaly detection system evaluates it by comparing two behaviors. If the anomaly score exceeds the threshold, then the intrusion detection system generates an alarm [48]. Most model-based statistics assume multivariate statistical techniques, such as the chi-square statistic, Canberra technique, and Hotelling's T-squared distribution. Numerous anomaly detection mechanisms find outliers in the dataset by analyzing behavior, as each element in the dataset has specific features and a local outlier factor that could be used to detect the abnormal behavior [49,50].
Biological Models: Prior works have proven that the human immune system and computer network security are similar in nature. Both systems have a complex network and aim to protect its nodes from any malicious attack. In addition, both systems have security policies and security levels. The human immune system sets its policies to depend on natural selection phenomena, and its security levels should meet disposability, correction, integrity, and accountability requirements. Meanwhile, computer network systems establish a set of rules to defend against attacks and detect illegal actions that may occur in the network that break specific security levels [51][52][53]. In recent years, several algorithms inspired by biological processes, such as genetic algorithms and artificial neural network algorithms [54,55], have been widely applied to the anomaly detection approach to enhance the performance of intrusion detection.
Learning Models: Artificial learning techniques have increased the effectiveness of the anomaly detection approach. Anomaly detection can be supervised or unsupervised. Supervised anomaly detection is taught by a labelled dataset that distinguishes between normal and abnormal behavior. Supervised learning algorithms include support vector machines and the k-nearest neighbor. Unsupervised anomaly detection is taught by unlabeled training data; therefore, it uses several techniques to distinguish between normal and abnormal behavior in the system. One of these techniques is clustering, which has been used in anomaly intrusion detection to find outliers exhibiting anomalous behavior. The k-mean clustering algorithm is the most popular such algorithm, and has been applied to intrusion detection [56][57][58].

IDS Performance Measures
To ensure that an IDS's security service works efficiently, there are several evaluation metrics that might be used to measure the performance of any IDS. Researchers often use accuracy, false positive rates, and false negative rates. The equations below are used to measure the performance of IDSs [34]. Accuracy (AC) measures the IDS's accuracy in detecting an attack [59,60]: The detection rate (DR) is the ratio between intrusions detected to total attacks on the system [61]: Precision (P) measures the ratio of attacks that were predicted correctly to the total attacks in the system, and is calculated as follows [62]: The true negative rate (or specification) (TNR) measures the ratio of normal values to the values that were successfully detected as legitimate in the system [63]: The false positive rate (FPR) measures the ratio of normal points that were detected as attacks and is calculated by Eq. (5) [64]. If the FPR is high, then the performance of the IDS is low.
The false negative rate (FNR) measures the ratio of attacks that were not detected in the system [64]: The true positive rate (or recall) (TPR) measures the ratio of predicted attacks to the actual number of attacks on the system, and is determined by the following equation [62]: In the above equations, TP denotes the number of true positives, FN denotes the number of false negatives, TN denotes the number of true negatives, and FP denotes the number of false negatives. Tab. 8 presents the related confusion matrix [65,66].

IDSs based on Blockchain Technology
Several works have used blockchain technology in IDSs to detect malicious attacks. These works can mainly be classified into two main categories: those that rely on the anomaly detection approach, and those that rely on the signature approach. Fig. 6, Fig. 7 and Fig. 8 illustrate different taxonomies of IDSs based on blockchain models for the detection approach. The following subsections discuss in detail IDSs based on blockchain models that use anomaly and signature detection techniques. Note that blockchain technology is more commonly adopted for anomaly detection than for signature detection.

Anomaly Detection Approach
The anomaly detection technique monitors a system's behavior by constructing a profile over a given period of time; this profile contains all activities of the system. However, there are different models for creating a profile file for the system, such as time series and threshold models [67]. The present review discusses three models that researchers have used to adopt blockchain technology, namely, machine learning, rule-based, and statistical models. Details about each model are presented in the following subsections.

Machine Learning Models
Machine learning can assist IDSs in detecting new and current attacks automatically and without human intervention by optimizing the system's feature selection. Recently, there have been many machine learning algorithms adopted into IDSs to enhance system security, such as support vector machines, artificial neural networks, and genetic algorithms [67]. This subsection presents the related works on IDS-based machine learning and how blockchain has been integrated into such learning.
Golomb et al. [68] introduced a blockchain protocol (called CIoTA) based on a distributed and collaborative anomaly detection framework used in the IoT. Each device contains a local model to detect malicious behavior, and new detection frameworks are shared by adding new blocks to the chain that are then propagated to all neighboring nodes. Experimental results revealed that CIoTA improves device and network security by detecting different types of attacks in the network. However, because CIoTA is designed for limited resources, it may increase overhead when many devices are available in the network. Moreover, Idé [69] introduced a novel blockchain protocol, called CollabDict, for collaborative anomaly detection in the IoT network; this protocol learns collaboratively in blockchain platforms. CollabDict addresses three issues commonly faced by statistical machine learning algorithms: consensus-building, data privacy, and validation. CollabDict accomplishes consensus building by using a proof-of-vote mechanism-based statistical generalization and realizes data privacy by only sharing the client's aggregated statistics. However, validation remains a challenge for the CollabDict protocol. Thus, validation and its consequences need to be reviewed carefully in future research. Kumari et al. [70] protected blockchain networks from attacks using a modified k-means algorithm, which detects malicious nodes by classifying the nodes in the network based on their behavior patterns. Each pattern is built based on two parameters: (i) the time consumed for one transaction and (ii) the number of transactions from one node to another.
Finally, Dey [71] introduced an intelligent software agent based on game theory algorithms and machine learning techniques. This agent runs on an application layer and has two objectives: (i) determining old

Rule-based Models
Rule-based models observe the events of a system that has rules stored in a database to determine if an event is normal or abnormal. The model has one drawback: its failure to detect abnormal events if there are not many rules in the database.
Signoriniet et al. [72] proposed a model called BAD, which is a blockchain anomaly detection approach for the Bitcoin network. This model saves malicious transactions in an attack log at the first injection in the network; it then uses this log to prevent the attacks from spreading throughout the network. The BAD model takes blockchain's features (i.e., distributed, decentralized, and no need for third parties) to manage sensitive information. In addition, the BAD model is trusted because data behavior is verified by all of the nodes in the network, and it has a tamperproof feature that prevents malicious software from modifying the blockchain. However, the BAD model only works efficiently if the attacker repeats the same malicious transaction every time.
Signorini et al. [73] also proposed the ADvISE anomaly detection tool for blockchain systems; it collects and analyses blockchains' meta-data (forks), and then records malicious forks at the first attack in the database. Afterward, all peers in the blockchain network share the database to prevent attacks from being executed, thus protecting the network. Despite ADvISE being a tool designed for any type of attack, it works efficiently only when the attack has replicated itself more than once. Kanth et al. [74] presented a blockchain-based CIDS to detect doorknob rattling attacks through pluggable authentication modules (PAM) based on the private Ethereum blockchain. This PAM model can detect doorknob-rattling attacks more rapidly than previous models, but it lacks scalability.
Steichen et al. [75] introduced the ChainGuard model based on software-defined networking to detect and prevent abnormal behavior. The ChainGuard model uses software-defined networking functions to filter the traffic of the network through a firewall of blockchain applications. As a result, it minimizes denial-ofservice and distributed denial-of-service attacks on the network because it prevents malicious packets from influencing the blockchain.
Moreover, Zhu et al. [76] proposed a novel model for managing storage in cloud computing based on blockchain technology. Their model reduces the risk of attacks on the blockchain and is called controllable blockchain data management. This model increases a network's security level by submitting trusted authority nodes, which have higher voting authorization compared to other nodes in the network. The model also has the authority to terminate any malicious node, and thus it has controllability. In addition, controllable blockchain data management provides a privacy-preserving feature because it grants public keys, private keys, and permissions to each user who joins a network in which users are unknown to each other. Furthermore, users' votes are signed, and users must pay fees to vote, which decreases the risk of malicious voting. This model also has openness and transparency because it publishes modifications and voting records over the network; moreover, the network is not affected if a single node crashes.

Statistical Models
A statistical model-based IDS relies on analyzing and correlating data, then applying statistical theories on such data to detect attacks. Users also define the threshold for each statistical variable. However, current statistical models suffer from insufficiency in genetic architecture because confidentiality, integrity, and availability have not been considered within the current statistical models' principles. At the time of the present review, there is no literature on adopting a blockchain technology-based statistical model [77].
Pham et al. [78] proposed an anomaly detection technique in the Bitcoin network that uses two approaches, namely, the LOF and the densification power law. Their findings showed that the proposed technique achieves high anomaly detection rates, and that the technique can be applied in different networks. However, the main challenge of this technique is that it is has difficulty measuring the accuracy of the LOF method.

Signature Detection Approach
There have been several works conducted to detect attacks using blockchain technology based on the signature detection approach. This section presents two signature models based on blockchain.

Pattern Matching Models
Although the pattern matching model is the most widely used model by the signature detection approach, limited research has been conducted on it regarding blockchain technology. Pattern or stringmatching models use single or multiple patterns matching algorithms to detect malware. The single pattern approach compares only one pattern at a time to detect malware, whereas the multiple-patterns approach compares more than one pattern at a time [39].
Hu et al. [79] presented an approach to collaborative intrusion detection based on blockchain for multimicrogrid systems. The approach has three aspects: (i) it integrates the consensus mechanisms of blockchain with multi-microgrid systems to enhance the accuracy of CIDSs; (ii) it uses periodic and time-triggered patterns to reduce false positive rates; and (iii) it enhances delegated proof of stake (DPoS) consensus algorithms to solve the single richest member problem.

Rule-based Models
Rule-based models have a set of rules that match against network traffic or audit data. They can detect any attack if the rules match. However, since using a rule-based model alone is insufficient for malware detection, it needs to be integrated with another technique [80]. This subsection discusses how researchers have started to integrate the rule-based model with blockchain technology.
Alexopoulos et al. [81] proposed a blockchain framework based on CIDSs to enhance malicious detection. The proposed framework tries to archive accountability, integrity, resilience, consensus, scalability, and privacy, while reducing overhead requirements by exchanging alerts between nodes based on secure ledger distribution. The framework considers each alert message as a transaction produced by an IDS node, and then all collaborating nodes utilize consensus mechanisms to validate the alert. Thus, it prevents storing malicious alert. However, Alexopoulos' proposed framework has not been implemented or evaluated in a real or virtual environment.
Li et al. [82] extended a generic framework to improve the signature detection approach based on blockchain technology and thus increase the IoT network's security level. The improved framework is called CBSigIDS. It builds a trusted signature database and shares it between all nodes in the network; moreover, each record is signed by a private key. CBSigIDS is effective and robust in detection because a malicious node cannot add a signature to the database; however, this approach faces the limitations of blockchain technology, such as energy, cost, and scalability.
The database, but it faces the limitations of blockchain technology, such as energy, cost, and scalability.

Analysis of Blockchain-IDS Models
As mentioned earlier, blockchain-based IDS models are based on anomaly and signature approaches, both of which have various challenges that may be solved via blockchain technology. This subsection presents the challenges of IDS in both approaches. In addition, it provides an analysis of and comparisons between the existing blockchain-based IDS models.
The anomaly detection approach suffers from a high number of false alarms, and it is unable to detect encrypted packet that occurs by cyberattacks. Moreover, it has difficulty constructing a normal profile for dynamic systems, its alarms are not classified, and initial training is required. In contrast, the main limitation in the signature detection approach is that it is unable to detect a new cyberattack in the system. Therefore, this approach needs to be updated frequently, and it is an inappropriate choice for detecting a multi-step attack [83].
The existing blockchain-based IDS models also suffer from different issues. Tab. 9 provides a description of each model along with their strengths and weaknesses. As aforementioned, the common challenge between all models is that they have no standard design. It improves security of IoT devices and the whole network as well.
It is not efficient security protocol for many IoT devices.
[69] It proposes a protocol (CollabDict) for a collaborative anomaly detection based on blockchain and Gaussian mixture learning algorithm.
Performance of CollabDict is better than fuses multitask learning algorithm.
Collaborative learning has three main challenges, namely: (i) validation, (ii) consensus building, and (iii) data security.
[70] It relies on the use of the kmeans algorithm to distinguish between malicious nodes and normal nodes through the analysis of pattern behavior for each node in a blockchain network.
It manages nodes and transactions in the network efficiently, also, it classifies nodes correctly.
It uses mean value for each cluster; thus, inaccurate cluster head might be selected, besides, it uses a static distance measure rather than a dynamic one.
[71] It detects anomaly behaviours of participates in a blockchain network based on a game theory and a supervised machine learning algorithms.
It provides probability for each attack based on value of the transaction.
It requires improvements to strengthen its defense mechanism.
[72] It builds BAD model to detect malicious transactions and prevent spreading them over the network.
It prevents malicious software from modifying the transactions' trace. Furthermore, data behavior should be verified from all participants in the network; thus, network security is increased.
It cannot detect the malicious transactions efficiently.
[73] It provides a tool used to detect anomaly behaviours in a blockchain network.
It is a flexible tool that can detect several types of malicious transactions in a blockchain network.
It works efficiently in case of having repeating attacks in the network.  It ensures providing a sufficient storage in cloud computing, and it increases the security level in the whole network.
It is not evaluated in real environment.
[78] It utilized LOF method and densification power law to detect malicious users and transactions in a Bitcoin network.
It achieves high anomaly detection rate, and it can be adapted in different networks types.
It is difficult to measure accuracy of LOF method; so, it is not efficient in detecting anomaly behaviours.
[79] It produces a collaborative intrusion detection (CID) model-based on blockchain technology for Multimicrogrid system. It records the target of CID in a blockchain and builds a correlation model of Multi-microgrid system, by a consensus algorithm.
It reduces the false-negative rate by using multiple patterns, and it improves DPoS consensus algorithm. Also, no need for a trusted authority in MMGs.
It is limited to few types of attacks. Also, it does not provide a high level of true positive rate compared to other approaches.
[81] It uses a blockchain technology to improve CIDS. In addition, it provides a combined architecture based on blockchain and CIDs.
It reduces the overhead and volume of the blockchain construct considerably.
The approach is not assessed in the real environment, and it is not sup-porting scalability feature.
Most existing models leverage the anomaly technique instead of the signature technique due to its benefits. Besides, machine learning methods are receiving more attention from researchers because they have proven their worthiness in detection tasks.
As shown in Fig. 6, IDSs have different architectures. Among them, the CIDS architecture is appropriate for blockchain. The distributed IDS is the most compatible because the blockchain technology builds over a P2P architecture and it is a distributed model. Therefore, the existing models have been proposed for various network architectures. Lastly, we note that the distributed system has four main architectures: (i) clientserver, (ii) three-tier, (iii) n-tier, and (iv) peer-to-peer [83][84][85].
Tab. 10 compares between related works categories based on approach detection, network type, attack type detection and type of blockchain, as well as the simulation and platform that was used in each model. While most IDS models were proposed for different networks architectures, which adopted blockchain technology are assessed in a virtual environment by different simulators. However, there was one real model (CIoTA) applied in the IoT environment, but it also has its own limitations.

Future Research Directions
Prior research has focused on constructing models to enhance the performance of IDSs by adopting blockchain technology over several network environments. However, most of these models suffer from issues related to the blockchain technique, IDS approach, or network environment. Therefore, the present paper notes a few issues that require consideration in future research concerning performance improvements for IDSs based on blockchain technology.
No Application in Real Environment: Most IDS models proposed for different network architectures that have adopted blockchain technology were applied in a virtual environment, but not in a real environment. In addition, each model suffers from its own limitations, such as lacking a framework of blockchain-based intrusion detection techniques (either an anomaly or signature).
Increased Accuracy in IDSs Based on Blockchain Technology: An IDS can send false alarms, which means that it can detect an attack when there is none. [81] suggested that these false alarms can be prevented by using the signature detection blockchain nodes to verify alarms, but this has not been implemented. To verify whether an alarm is true, an approach must be designed based on blockchain technology that receives and verifies an alarm before exchanging it over a network.

Ref Description
Strengths Weaknesses [82] It introduces a generic framework (CBSigIDS) to enhance signature IDS based on a blockchain technology in IoT environment, where it uses consortium blockchain to build trusted rules (signature) database and share it with other nodes in network.
It improves effectiveness and robustness of signature based IDSs.
It suffers from some of challenges such as: vulnerability to the advanced attacks' types and the need for verification and the frequent update in blockchain, which, in result causes a delay and diminishes the overall network performance.
Data Management in CIDSs Based on Blockchain Technology: The nodes in CIDSs communicate and share data between each other to detect attacks. Blockchain technology emphasizes trust and privacy for sharing data over P2P networks. A mechanism should be proposed to reduce communication overhead by storing alarms and data efficiently. Another issue in data management is accountability in tracing data between nodes over a distributed network.
Build a Hybrid Model Using Blockchain Technology and Other Models to Enhance Detection in IDSs: Anomaly and signature approaches utilize different techniques to detect attacks in a system. As aforementioned, there are a few techniques for adapting blockchain technology with IDSs. Therefore, other techniques can improve the performance of IDSs based on blockchain. For instance, researchers can design a hybrid model using blockchain and biological models to enhance detection with the anomaly approach; they can also employ a hybrid model using blockchain and data mining to enhance detection with the signature approach. Design Proof-of-Concepts for CIDS: Researchers must demonstrate the probability and effectiveness on CIDSs based on blockchain regarding different issues, such as energy, cost, complexity, speed, and scalability.

Conclusion
Recently, blockchain technology has emerged within several fields to ensure high level of security. This paper discussed the structure of blockchain, presented an overview of IDSs, and compared between existing blockchain-based IDS models. However, few research has been conducted on this topic, and no standard approaches or real applications have been demonstrated. In addition, this paper identified future directions that need to be addressed and investigated by researchers to improve the performance of IDSs based on blockchain technology. From the authors' perspectives, the CIDS architecture is the most proper architecture for building general architecture for IDSs based on blockchain technology because CIDSs can share data between nodes over a P2P network, which is considered an important feature in a blockchain structure.