Security for the Metaverse: Blockchain and Machine Learning Techniques for Intrusion Detection

Considered to be the next-generation (NextG) Internet, the Metaverse faces various security risks inherited from its predecessor and new specialized threats. It is even more challenging to mitigate these issues in a large-scale setting with numerous wearable devices such as augmented, virtual reality (AR/VR) headsets. In this article, we aim to analyze the security aspect of the Metaverse thoroughly, focusing on blockchain and machine learning (ML) solutions. Firstly, we present a 4-layer architecture of the Metaverse and discuss potential solutions for Metaverse security based on blockchain and ML. Next, we develop a decentralized collaborative intrusion detection system (CIDS) based on blockchain and federated learning (FL) that allows such the Metaverse users to collaboratively protect this digital world. This helps solving the scalability and single-point-of-failure (SPoF) issues of traditional security approaches. Finally, we outline some key challenges and discuss future research directions for Metaverse security.


IntroductIon
The Metaverse is being realized thanks to the rapid development of various advanced technologies such digital twin (DT), Internet of things (IoT), Blockchain, artificial intelligence (AI), edge/ cloud computing, and 5G/6G wireless networks.It is a virtual world where users represent themselves as personalized avatars and immerse in a digital environment with a wide range of virtual activities such as working, playing, and socializing [1].The Metaverse is even envisioned to possess its own financial and economic system, in which people can use digital currencies and tokens to trade for virtual items, user-generated contents (UGC), and artificial intelligence-generated contents (AIGC).Once reaching the highest phase of development, the Metaverse is expected to be persistent, self-sustaining, and synchronized with the real world [2].In other words, any events occurred in the real world would be updated into the virtual world seamlessly, while any changes in the Metaverse are also reflected into its physical counterpart.With the mentioned properties, the Metaverse could have the potential to revolutionize a wide variety of sectors including entertainment, business, healthcare, education, finance, marketing, logistics, and industrial production.
To participate in the Metaverse, users often wear interactive wearable devices such as augmented, virtual reality (AR/VR) headsets and haptic gloves.As a result, far more sensitive user information is collected by these devices to construct the digital avatars, including appearance, voice, facial expression, behaviors, and digital footprint [1].Therefore, security guarantee is needed more urgently than ever to protect user privacy and maintain the platform's operation.On the other hand, numerous IoT devices (e.g., sensors, cameras) and autonomous vehicles such as unmanned aerial vehicles (UAVs) are required to collect real-world data for the physical-virtual synchronization process.This means that security mechanisms for the Metaverse should be designed to support a large-scale system of millions or even billions of devices, while such these devices are of different categories, architectures, and capacities.This poses significant challenges and existing security techniques such as intrusion detection system (IDS) and access control mechanisms may not perform efficiently anymore in the Metaverse.In addition, the Metaverse is envisioned to be decentralized instead of being under control of a particular organization, making third-party and centralized security approaches inefficient and prone to single-point-of-failure (SPoF).Consequently, there is an urgent and inevitable need for security solutions that not only achieve enormous scalability, but also fit to the decentralized and heterogeneous nature of the Metaverse.
The above challenges motivate us to conduct this study to thoroughly investigate the security aspect of the Metaverse, thereby seeking for novel security solutions with desirable properties that are efficient and suitable for the decentralized Metaverse.Prior to our work, some existing works have investigated the application of blockchain and federated learning (FL) for IDS, including the two main purposes: (i) blockchain for IDS management, and (ii) blockchain-based FL for distributed learning of IDS models.Regarding IDS management, Heidari et al. [3] proposed to use blockchain to enable smart decision-making for IDS within the context of the Internet of drones.
Blockchain is also combined with zero-knowledge proof to offer privacy-enhanced registration and verification of drones.However, the framework lacks incentive mechanisms encouraging the contribution of users, while it cannot manage alert submission and verification.To enable a higher level of IDS management, Alexopoulos et al. [4] proposed to use blockchain for storing the detection results.Although the authors stated to filter out fake alerts during the blockchain consensus process, the framework is still limited to a conceptual architecture without practical solutions for malicious alert filtering.
In terms of IDS model training, He et al. [5] proposed a FL-based training scheme for IDS model, in which blockchain is utilized to store and share the trained models.However, the IDS model is aggregated in a centralized server, making it prone to SPoF and can be manipulated by the central server.The FL training process is also vulnerable to poisoning and inference attacks.In addition, none of the existing frameworks offers both distributed training and secure IDS management.
To mitigate these challenges, this article proposes a collaborative intrusion detection system (CIDS) with the following main contributions:

MetAverse securIty LeverAgIng bLockchAIn And dIstrIbuted LeArnIng MetAverse ArchItecture
The Metaverse architecture is illustrated in Fig. 1, which consists of four layers which are device, edge, cloud, and application layers as follows.
Device Layer.This layer consists of numerous heterogeneous devices enabling different functions.For instance, UAVs, vehicular network, and IoT sensors, cameras collect real-world data to construct the digital world based on DT technology.On the other hand, wearable AR/VR devices allow users to take part in the Metaverse, interact with each other and with the virtual environment.For better user experience, operations that require low latency and real-time interaction should be processed directly within the device layer, such as rendering graphics to AR/VR headsets (e.g., avatars, virtual objects), and processing user inputs (e.g., hand movements, voice commands) to translate them into avatar's actions in the Metaverse.
Edge Layer.This layer consists of multiple edge nodes that provide nearly real-time data processing, data caching optimization, and machine-to-machine (M2M) communication.As a result, edge layer can take responsibility for operations that require more computing resources than what can be provided by the device layer, with a relatively low latency due to its proximity to user devices compared to the cloud.For instance, this may include simulating collisions, gravity, and other physical interactions between virtual objects in the Metaverse.Besides, data caching optimization could help reducing latency of virtual scene rendering by caching frequently accessed scenes, while M2M communication can facilitate communication between Metaverse devices, servers, and applications.
Cloud Layer.The cloud layer includes largescale data centers and multiple cloud servers with powerful computational capacity.The cloud servers are responsible for processing operations that require intensive computation such as training complex ML models for Metaverse intelligent services.The data centers can be used to store massive volume of digital content generated within the virtual world, such as digital avatars, digital assets, streaming content, and ML training data.Accordingly, it offers software as a service (SaaS) to Metaverse users, and infrastructure as a service (IaaS), platform as a service (PaaS) to Metaverse service providers.
Application Layer.The application layer provides user interface and functionality for different applications within the Metaverse.It enables Metaverse users to access the virtual environment, interact with each other and generate digital content.The applications can range from user-oriented software (e.g., social networking, gaming, education, healthcare, and e-commerce) to system-based software such as blockchain applications (i.e., blockchain wallets and mining tools).

MetAverse securIty MechAnIsMs
Unlike traditional platforms, the interaction between users in the Metaverse is improved further thanks to AR/VR technology.Therefore, besides conventional technical attacks like malware, eavesdropping, and DoS/DDoS, there would be various social engineering attacks aiming to Metaverse users.For instance, attackers might create fake avatars to impersonate some users, thereby tricking their Metaverse friends into giving personal credentials or accessing malicious The Metaverse is even envisioned to possess its own financial and economic system, in which people can use digital currencies and tokens to trade for virtual items, user-generated contents (UGC), and artificial intelligence-generated contents (AIGC).
sources (i.e., phishing scams).Another potential attack is digital footprint tracking, in which the attackers follow the footprint of the targeted avatars to overhear their conversations and explore their behaviors in the real world.On the other hand, the virtual economy in the Metaverse can be manipulated if attackers successfully hack the Metaverse's digital currency system and trading platforms for digital products.As digital currency and assets contain real value which is comparable with real-world assets, these threats may impact enormously the legality and social acceptance of the Metaverse.While these emerging attacks are especially dangerous to the Metaverse, there are certain mechanisms that can be deployed to mitigate these threats: Access Control.In the Metaverse, access control can be used to restrict the access of avatars to digital assets, control who can enter certain areas of the Metaverse in case of virtual events, or limit the actions that can be performed by specific users and service providers who have bad reputation profile.Besides, it can also manage the access of IoT and wearable devices to Metaverse resource and data (e.g., edge and cloud resources) to prevent resource exhaustion and denial of service (DoS) attacks [6].
Intrusion Detection System.IDS often includes network intrusion detection system (NIDS) and host-based intrusion detection system (HIDS).A NIDS monitors and analyzes network traffic coming to a local Metaverse network to detect suspicious activity, while a HIDS is installed in each Metaverse device to detect unusual behavior targeting on that individual device.
Identity Authentication.With a robust identity authentication system, sybil attack can be mitigated efficiently as fake identities cannot impact on the system, while it can also prevent fraud, phishing scam, impersonation, and social engineering attacks in the virtual world.
Malware Detection System.A malware detection scheme could analyze unusual files, API call, bytes sequences, and abnormal communications between Metaverse users and service providers, thereby recognizing malicious software (e.g., viruses, trojans) that can be injected into Metaverse devices through applications.

bLockchAIn-eMpowered securIty soLutIons
When it comes to Metaverse security, traditional centralized security services are often vulnerable to SPoF and manipulation.To this end, blockchain can enable a decentralized system in which all decision-making processes are made by multiple consensus nodes with fault tolerance.For instance, the blockchain committee members can decide whether to accept any intrusion alert in an IDS via the consensus process, thus enabling a large-scale CIDS scheme.Besides, blockchain can support decentralized data storage for identity authentication system so that credential and identity data can be stored on-chain to ensure integrity, transparency, and auditability [7].Regarding access control systems, smart contracts can replace the role of the centralized authority in management and enforcement of access control policies [8], making it automatic and resistant to SPoF and third-party-related issues.In malware detection, while off-chain data storage is an efficient method to store suspicious files or API call sequences, on-chain storage can enable data sharing for malware features and detection results.Authorized licensed use limited to the terms of the applicable license agreement with IEEE.Restrictions apply.

AI-eMpowered securIty soLutIons
Traditional security solutions often require heavy computation and communication, while they are now more vulnerable to increasingly sophisticated attacks that aim to bypass specific security mechanisms [9].Therefore, traditional security approaches are no more suitable for a large-scale Metaverse with numerous resource-constrained devices in both performance and computation efficiency.
Accordingly, ML techniques, including supervised, unsupervised, and reinforcement learning (RL) can be applied to offer higher accuracy, real-time detection, and adaptability to new attack patterns.For instance, ML-based biometric authentication (e.g., fingerprints, facial recognition, and voice recognition) [10] can be used to authenticate users in the Metaverse via their wearable devices, while ML models can recognize counterfeited identities and impersonation attacks in the virtual world.In terms of detection systems, supervised ML models can detect intrusion [11] and malware attacks after being trained on labelled network traffic data (e.g., network flows) or data of executable files.Unsupervised learning can offer anomaly detection to detect attack patterns without requiring labelled data, whereas RL techniques can be utilized to improve detection accuracy by providing adaptability to network conditions and attacker's behavior [9].In access control systems, ML offers risk-based access control in which the ML models assess the risk associated with each access request based on the requester's information (e.g., location and profile in the virtual world), thereby dynamically adjust access control policies to provide appropriate levels of security.

coMbInAtIon of bLockchAIn And AI for securIty
Besides the mentioned roles of blockchain and ML in the Metaverse security layer, the combination of these two technologies can result in a decentralized distributed learning (DDL) system for Metaverse security that allows the participants to collaborate in the training process without the need for a central entity to control the process.Specifically, the ML security model (e.g., intrusion detection model) is distributed across multiple Metaverse devices who joined the blockchain network, and individual devices trains the model on their own local data without revealing the data for privacy-preserving purpose.Then, their local gradients can be sent to the blockchain committee for aggregation.The committee often consists of multiple validators to perform the decision-making process.Through a specific consensus algorithm, the committee can reach an agreement of which local gradients should be accepted for aggregation, and which should be filtered out as poisoning updates.By doing so, the ML security model can be trained on data across numerous Metaverse devices, making it more generalized and robust in the large-scale Metaverse environment.User privacy, a vital factor in the Metaverse, is ensured as sensitive data are not exposing to other parties, whereas SPoF and third-party issues are eliminated thanks to the decentralized aggregation process.

bLockchAIn-bAsed coLLAborAtIve IntrusIon detectIon for MetAverse
In this section, we proposed a security framework for the Metaverse based on blockchain, IDS techniques, and FL called MSecureChain, which is designed to support the large-scale and distributed nature of the Metaverse.

probLeM forMuLAtIon And systeM requIreMents
Scalability and SPoF.Both traditional NIDS and HIDS face the scalability issue.When the FIGURE 2. The integration of blockchain and machine learning to Metaverse security defense system.
Authorized licensed use limited to the terms of the applicable license agreement with IEEE.Restrictions apply.
number of nodes to be monitored scales enormously, the NIDS server must analyze a huge amount of continuous network flows, whereas the HIDS program must be installed and monitored on numerous nodes, making it challenging for management.Besides, it is prone to SPoF as the entire system would be compromised if the central authority acts maliciously or is hacked.Therefore, the foremost requirement of MSecu-reChain is to offer decentralized property, so that every Metaverse device can protect itself and collaborate with one another to protect the platform, while the decision-making process is deployed by multiple entities with SPoF resistance.Privacy Issues.Various privacy problems may arise when the central IDS server has all rights to monitor and collect the network data of every Metaverse device for training models or detecting intrusion.Thus, the second requirement is to allow Metaverse devices to collaboratively train a ML model for IDS via FL without revealing their data, and the intrusion detection process can be deployed without compromising privacy.
Unseen Attack Patterns.Attackers can dynamically adjust attack strategies to bypass traditional IDS, while an IDS ML model is not able to detect attack patterns that are previously unseen in the training dataset.Therefore, the third requirement is that MSecureChain's model must be trained continuously on newly collected data to be adaptable to new attack threats.
Fake Alert and Insider Threats.In a distributed setting, it is unavoidable that certain proportion of participants could act maliciously to harm the system or earn illegitimate benefit.Consequently, MSecureChain must be resistant to malicious insiders who deliberately disturb the system in different ways, such as training the IDS model in a wrong direction or continuously submitting dishonest intrusion alerts.
Specifically, the framework is presented below, with two main processes performing concurrently which are model training and intrusion detection process.

ModeL trAInIng
MSecureChain deploys FL in a decentralized manner in which the aggregation process is performed by multiple committee members.This helps preventing SPoF and other issues of centralized systems as mentioned above.
Local Training.The training process is implemented based on stochastic gradient descent (SGD), in which each blockchain round corresponds to a certain number of SGD epochs (illustrated in Fig. 3a).At the beginning, the Metaverse publisher initializes the blockchain network and places the IDS model into the genesis block.In the first round, some Metaverse devices called trainers join the blockchain network, download the initialized model, and start the training process.They train the model on their own collected network flows without revealing these data to any authority for privacy purpose.Once reaching a threshold of local training in a round, all trainers must send their local SGD updates to the committee for global aggregation.To further enhance privacy, trainers also perturb their SGD updates by adding a differential privacy (DP) noise [12] into it, which can help preventing inference attack (i.e., some validators inferring sensitive information of the trainers from the received gradients).This noise is sampled from a zero-mean Gaussian distribution, so its magnitude may cancel out when the number of trainers is large, minimizing the overall statistical impact on the global model's performance.
Global Aggregation.In a round, N validators are randomly selected from M trainers to form a committee.The probability that a trainer is chosen is proportional to its reputation score.A validator with highest reputation is selected to be aggregator.Firstly, the aggregator filters out potentially malicious updates by using Multi-Krum algorithm [13].This mechanism assigns to each SGD update a score, which is its total distance to the other updates, then filters out f highest-score updates.Intuitively, an update that is too different from the rest is likely to be a poisoning update.Next, the aggregator aggregates the remaining updates into a global model, which is then encapsulated into a newly created block along with all blockchain transactions of the current round.Finally, the committee executes practical Byzantine Fault Tolerance (pBFT) consensus protocol [14] to reach an agreement of adding the block into the blockchain.This protocol allows other validators validate the proposed block and vote for its correctness, while the final decision is based on the majority of votes.In then next round, the trainers download the global model from the new block and repeat the training process for that round.
Training Incentive.When a new block is accepted, the aggregator receives an aggregation reward and other validators who voted for this block share a validation reward, which result in certain Metaverse tokens.These tokens can be used as virtual currency in the Metaverse to purchase digital assets or virtual services.Besides, all trainers whose SGD updates are selected for aggregation will receive 1 reputation score as a training reward, while the remaining trainers are slashed 1.This motivates both trainers and validators to act honestly.

IntrusIon detectIon
Alert Submission.Some Metaverse devices can act as detectors, who download the latest IDS model from the blockchain network to detect intrusion within their local network.They observed network traffic and input it into the IDS model.If the model outputs a positive result, the detectors can submit the corresponding network flow data to the committee as a blockchain transaction (Fig. 3b).The committee verifies the submitted alert transactions by feeding the corresponding network flows into the latest IDS model.The accepted alerts and its network flows are also added into the new block of the current round.Since on-chain information is transparent to all blockchain nodes, all participants can be aware of every alert added into the blockchain.
Alert Verification.Although the accepted alerts are validated by the committee, there is still certain possibility in which an alert is not correct in the real environment due to misclassification of the IDS model.Besides, malicious detectors can try to generate a nonexistent network flow that makes the IDS model predicts a positive result.Therefore, there is a decentralized oracle network in MSecureChain to verify the accepted IDS alerts.The oracle network consists of multiple cybersecurity companies who want to join the system and earn tokens through verifying alerts.These professional parties can collect the on-chain IDS alerts and verify them on the real infrastructure.Similar to the blockchain committee, the oracle network performs alert verification in a decentralized manner so it can resist to SPoF and manipulation.If an IDS alert is verified to be a real attack, the verified alert will be broadcast thoroughly to all Metaverse users who joined the blockchain.
Detection Incentive.If an alert is verified to be correct by both the committee and the oracle network, the corresponding detector will receive a detection reward, while the oracle's members together share a verification reward.Both of these rewards result in Metaverse tokens.Besides, each participant must deposit a stake of certain tokens into a smart contract when registering to be a detector.This stake will be slashed if a detector submits more than k alerts that are verified to be incorrect by the oracle network, while this detector will be banned from the blockchain network due to their dishonesty.

consensus And bLock proposAL
Besides the transactions for token rewards, reputation rewards, and alert submission as mentioned above, Metaverse users can trade Metaverse tokens with each other on the blockchain via trading transactions.When the blockchain committee receives the transactions in a round, the leader packs them into a new block, and executes pBFT [14] to reach consensus on that block.
To mitigate the storage issue, both local SGD updates and the global model are uploaded to IPFS, thus the trainers and aggregators only exchange the IPFS links with each other instead of transferring the entire model.Each block in the blockchain contains the following information: all verified transactions, the IPFS links of the submitted local updates, the IPFS link of the global model, and the block header which indicates round number, timestamp, the hash of the previous block, and other basic information.

securIty AnALysIs
Security in Model Training.In the training process, MSecureChain can converge under up to 33% poisoning trainers by utilizing Multi-Krum algorithm [13].The aggregation is performed in a decentralized manner with multiple validators, making it remains stable even if certain committee members act dishonestly, since pBFT consensus protocol can resist up to 33% malicious validators [14].Privacy is ensured as the trainers do not disclosure their data, while the gradient updates are added DP noise to prevent inference attack.In addition, the proposed incentive mechanisms also take responsibility for eliminating malicious participants in the training process.
Security in Intrusion Detection.The detection process is carried out in a blockchain-based decentralized setting instead of relying on a single authority, thereby preventing SPoF and manipulation, while increasing transparency and scalability.The IDS model is continuously trained on newly collected network data, making it resist to zero-day attacks (i.e., unseen attack patterns).Additionally, there is also a decentralized blockchain oracle that verifies the IDS alerts on the real infrastructure.All intrusion alerts are stored on the blockchain with immutability, transparency, and auditability, thus ensuring the integrity of intrusion logs and data.
The detection process is carried out in a blockchain-based decentralized setting instead of relying on a single authority, thereby preventing SPoF and manipulation, while increasing transparency and scalability.

experIMentAL AnALysIs setup detAILs
As the Metaverse is still in its infancy, there has not been Metaverse-specific IDS datasets.Therefore, we instead evaluate the performance of MSecureChain on the well-known CIC-IDS2017 dataset [15].It includes a record of nearly 3 million network flows, while each flow consists of more than 80 network traffic features (e.g., flow duration, packet length, and number of forwarded packets).About 12 types of attacks are involved in this dataset such as Dos, port scan, and botnet attacks.Since the Metaverse is built on top of the Internet with numerous connected IoT devices, it is reasonable to utilize the CIC-IDS2017 dataset for our experiments.
In terms of ML model, we designed an attention-based multi-layer perceptron (MLP) model which consists of an attention module for feature weighting, and a MLP classification module for binary prediction.The attention module includes four fully-connected layers of size 80, using the ReLU activation function.It outputs an attention vector that assigns higher weights to important features, while putting less attention on unimportant features that only have minor impact on the detection results.This weight vector is then applied to the input network flow before being fed into the classification module.The MLP classification module consists of three fully-connected hidden layers using ReLU activation.Each hidden layer has 126 neurons, and the last layer is activated by the sigmoid function.Cross-entropy is used as the loss function for our detection task.With the aid of the attention module, the classification module can be lightweight, whereas the data processing task is simplified.As a plug-in framework, MSecure-Chain is also compatible with other IDS models, providing the flexibility to incorporate models that may offer higher performance for specific use cases.
Regarding blockchain, we use Hyperledger Fabric to implement our proposed framework.In our experiments, the number of trainers is set to 60, while there are 30 aggregators and 10 detectors.Each trainer is assigned a subset of the CIC-IDS2017 dataset.To exacerbate the effect of data heterogeneity, we intentionally make the class distribution among the trainers unbalanced.This makes the experiments represent better the Metaverse environment.In particular, each trainer is only assigned a random dataset of up to 3 out of 12 attack types.The data regarding port scan and Heartbleed attacks are reserved for later usage as unseen attacks.The data used by the trainers in each round are also different from each other.

experIMentAL resuLts
We first analyze the convergence of MSecure-Chain compared to a FL baseline under 30% poisoning attack (i.e., 30% of trainers are malicious).We deploy two types of attack, which are data poisoning and model poisoning attacks.In data poisoning attack, the poisoning trainers reverse label of the training data before training (i.e., every negative-class datapoint is assigned a positive label, and vice versa).In model poisoning attack, poisoning trainers compute the gradient update, then send to the committee another malicious update which has the opposite direction compared to the original gradient.Besides the loss metric, we also evaluate the true positive rate, which is the percentage of actual intrusion attacks which are correctly identified.As illustrated in Fig. 4, MSecureChain can converge efficiently under both types of poisoning attack, while the FL baseline fails to achieve an optimal solution.
Then, about 15,000 network flows are injected into the system in each blockchain round to observe intrusion alerts.Fig. 5a demonstrates the number of IDS alerts from the detectors, and verified alerts from the oracle network.It shows that the detectors have detected intrusion flows efficiently in each round, while some false positive alerts will be verified by the blockchain The blockchain latency is defined as the time interval from the instant a transaction is submitted until it is finalized on the blockchain.
oracle network.Besides, the overall accuracy of the CIDS is around nearly 99% in every round.When the model is stable at round 20, we randomly inject an additional of 500 to 600 unseen-attack flows each round to observe the model's false negative rate (FNR).In this experiment, we let some of the trainers collect 20% of unseen attack flows and use them to train the model.As shown in Fig. 5b, although the FNR increases from 1% to more than 30% at round 20, MSecureChain adapts quickly with the injected unseen attacks and achieves a negligible FNR after round 60.On the other hand, the pre-trained model cannot recognize the new attacks, leading to a high FNR of about 33%.This is because our model is trained continuously on the newly collected data by the trainers, while the well-trained model is fixed for a specific task and cannot be improved.
In terms of blockchain performance, we use Hyperledger Caliper to generate transactions and estimate the latency of the blockchain according to different blocksizes and workloads.The blockchain latency is defined as the time interval from the instant a transaction is submitted until it is finalized on the blockchain.Fig. 6 shows that our framework offers a negligible latency when the transaction workload is lower than 1,200 transactions per second (TPS).When the transaction arrival rate increases to more than 1,300 TPS, the chain with lowest blocksize results in the highest latency.This is because a smaller blocksize can only store a fewer number of transactions, posing a limitation to the blockchain performance.On the other hand, the blockchain with largest blocksize (i.e., 1000 transactions per block) is not the most efficient one.This is because the larger blocksize often results in higher processing and block transmission time.As a result, if the offered blocksize becomes too large, it may lead to higher latency.With a balanced blocksize of 500 transactions, the framework achieves the lowest latency, which is still negligible until the workload reaches more than 1600 TPS.It worth noting that the blockchain used in MSecureChain is only for IDS management and training instead of supporting all functions of the metaverse such as entertainment and economy.Therefore, the capacity of 1600 TPS can be considered as high and efficient for our purposes.

open Issues And future reseArch dIrectIons
We would like to discuss some important open research issues and describe potential research directions on Metaverse security in the following.
Lack of Metaverse Security Data.A significant challenge of most ML-based approaches for IDS is collecting labelled network data to train the ML models.On the other hand, the Metaverse is still in its infancy, thus it lacks practical datasets for Metaverse security and IDS.As a NextG Internet, there would be a variety of new and sophisticated attacks that exploit the vulnerability of this virtual space.Therefore, further research is needed to provide concrete datasets for the Metaverse in practice.
Labelling IDS Data.In practice, labelling network flows is a non-trivial task.It requires specialized tools and expertise from the trainers to correctly label the collected data.For unseen  attack, our framework can only adapt with the new attacks given that some of the trainers can collect and label the unseen-attack flows based on their own tools and expertise.Therefore, designing a unsupervised or semi-supervised IDS model with high performance and of lightweight is also a worth-researching topic that can mitigate this problem.
Blockchain Storage.Maintaining a full node in the blockchain network might be a challenging task for Metaverse devices due to their limited storage capacity.Along with increasing the devices' capacity, developing new techniques that mitigate the storage burden of blockchain in the Metaverse context is a topic worthy of study.
Non-Technical Social Engineering Attacks.The presented security solutions mostly focus on technical attacks, while the emergence of the Metaverse with higher level of interaction can result in non-technical social engineering attacks (e.g., phishing and baiting scams).On the other hand, the necessary regulations for virtual crimes and threats in the digital space are still limited and needed further research.

concLusIon
In this article, we have investigated thoroughly the security aspect of the Metaverse.Firstly, the overall Metaverse architecture, including device, edge, cloud, and application layers, is presented with the corresponding security solutions to protect the Metaverse, consisting of IDS, access control, identity authentication, and malware detection systems.We presented their roles, and how they are empowered by blockchain, AI, and the combination of both technologies.Then, MSecureChain, a blockchain-based FL framework for Metaverse CIDS has been proposed with high efficiency under poisoning attacks.Finally, we identified several open challenges of Metaverse security and the proposed framework, thus figuring out future research directions for this vital topic.Experimental results and security analysis show that MSecureChain can resist up to 33% byzantine nodes and offer around 99% accuracy for intrusion detection on the dataset CIC-IDS2017, while resistant to SPoF, inference, and zero-day attacks.

FIGURE 1 .
FIGURE 1.The overall architecture of the Metaverse with security mechanisms protecting its layers.

FIGURE 4 .
FIGURE 4. Performance evaluation of the training process under poisoning attacks: a) Test loss; b) True Positive rate.

FIGURE 6 .
FIGURE 6.The average latency of blockchain according to different blocksizes and transaction workloads.

FIGURE 5 .
FIGURE 5. Monitoring the IDS model's performance.a) IDS model performance and alert monitoring.b) False negative rate against unseen attacks.