The rapid expansion of Internet of Things (IoT) deployments has increased the exposure of interconnected devices to cyber threats, particularly in heterogeneous and resource-constrained environments. Although recent research increasingly emphasizes learning-based detection, classical intrusion detection system (IDS) paradigms remain widely deployed in practical IoT settings due to their interpretability, deterministic behavior, and low computational overhead. This study presents a systematic literature review focused exclusively on classical IDS for IoT environments, including signature-based, anomaly-based, specification-based, and hybrid classical approaches. Following PRISMA-aligned procedures, peer-reviewed studies published between 2021 and 2026 were identified, screened, and synthesized using qualitative comparative analysis. The review examines detection principles, deployment contexts, datasets, evaluation practices, and reported limitations across the classical paradigms. The findings indicate that classical IDS continues to function as a baseline defensive mechanism, particularly at gateway and edge levels. However, persistent challenges remain, including limited capability against zero-day attacks, high false-positive behavior in dynamic environments, scalability constraints, rule maintenance overhead, and restricted adaptability to evolving IoT behavior. This study contributes a consolidated taxonomy and evidence-based analysis of classical IDS deployment characteristics in IoT environments, providing a validated baseline for future intrusion detection research and evaluation.
Mohamad et al. (Thu,) studied this question.