LiDL: Localization with early detection of sybil and wormhole attacks in IoT Networks

Journal Pre-proof

LiDL: Localization with early detection of sybil and wormhole attacks

in IoT Networks

Pallavi Kaliyar, Wafa Ben Jaballah, Mauro Conti, Chhagan Lal

PII: S0167-4048(20)30122-X
DOI: https://doi.org/10.1016/j.cose.2020.101849
Reference: COSE 101849

To appear in: Computers & Security

Received date: 5 September 2019

Revised date: 17 April 2020
Accepted date: 20 April 2020

Please cite this article as: Pallavi Kaliyar, Wafa Ben Jaballah, Mauro Conti, Chhagan Lal, LiDL: Lo-
calization with early detection of sybil and wormhole attacks in IoT Networks, Computers & Security
(2020), doi: https://doi.org/10.1016/j.cose.2020.101849

This is a PDF file of an article that has undergone enhancements after acceptance, such as the addition
of a cover page and metadata, and formatting for readability, but it is not yet the definitive version of
record. This version will undergo additional copyediting, typesetting and review before it is published
in its final form, but we are providing this version to give early visibility of the article. Please note that,
during the production process, errors may be discovered which could affect the content, and all legal
disclaimers that apply to the journal pertain.

© 2020 Published by Elsevier Ltd.

Manuscript
lick here to view linked References

1
2
3
4
5 LiDL: Localization with early detection of sybil and wormhole attacks in
6
7 IoT Networks
8
9 Pallavi Kaliyara , Wafa Ben Jaballahb , Mauro Contia , Chhagan Lalc
10
11 a University of Padova, Padova, Italy
b Thales,France
12
c Simula Research Laboratory, Norway
13
14
15
16
17
18 Abstract
19 The Internet of Things (IoT) is recognized as a disruptive innovation that has been led by industry leaders
20 and researchers. IoT promises to improve our daily life based on smart objects interacting with each other,
21
and that can be connected to the Internet. Building a security framework into this new paradigm is a
22
significant technical challenge today. It is mainly due to the low-cost and resource-constrained nature of
23
24 IoT devices. In most of the IoT application scenarios, the routing is done by the de-facto standard protocol
25 called routing protocol for low power and lossy networks (RPL). The use of RPL is suitable due to its
26 energy-efficient schemes, availability of secure and multiple communication modes, and adaptivity to work
27 in various IoT network scenarios. Hence, many researchers are now focusing on RPL related security issues.
28 To this end, our work provides a concise description of two major threats to RPL called sybil and wormhole
29 attacks. Moreover, we propose two solutions to detect these attacks in RPL-based IoT networks. Specifically,
30 our proposed techniques exploit the concept of Highest Rank Common Ancestor (HRCA) to find a common
31 ancestor with the highest rank among all the ancestors that a pair of nodes have in the target network
32 tree. Our two detection algorithms not only detect an ongoing attack but also localizes the position of the
33 adversary in the network. Thus, it makes the mitigation process lightweight and fast. We implement the two
34 approaches in Cooja, the Contiki network emulator. The results obtained from our experiments demonstrate
35 the feasibility of the proposals concerning true positive rate, detection time, packet loss ratio, memory
36 consumption, and network overhead. Our techniques show promising to cover more complex scenarios in the
37 future.
38
39 Keywords: RPL, Internet of Things, Security, sybil attack, wormhole attack, IPv6, 6LoWPAN.
40
41
42 1. Introduction a broad scope of real-world application areas such as
43 smart home, health care, urban sensor networks, wa-
44 The proliferation of the IoT is a new wave of in- ter management, smart cities, and industrial smart
45 novation with recent forecasts suggesting massive de- grid systems [2]. However, the use of IoT devices im-
46 ployment of several IoT devices to reach 24 billion poses strict resource constraints regarding energy and
47 in 2020 [1]. In general, an IoT framework could memory as well as considering the high loss rate of
48 be defined as the use of heterogeneous technolo- the communication links in these networks [3].
49 gies, systems, and TCP/IP protocols, with the grow-
50 ing paradigm of device-to-device communications and Routing in IoT network facilitates the connection
51 the contextual environment. IoT networks are con- of network elements in different applications. So far,
52 sidered as an example of Low-Power and Lossy Net- the only standardized protocol available for IoT is
53 work (LLN), which consist of tiny, heterogeneous de- the RPL [4] protocol. However, RPL provides lit-
54 vices with limited power, memory, and processing re- tle security against different routing attacks [5, 6, 7].
55 sources. These specific networks have been used in In particular, the design flaws of secure network for-
56 mation processes of the standard RPL exposes the
57
network to various attacks [8] [9] such as sybil, black-
58 Email addresses: pallavi@math.unipd.it (Pallavi
Kaliyar), wafa.benjaballah@thalesgroup.com (Wafa Ben
hole [10], rank [11], and wormhole [12]. These attacks
59
60 Jaballah), conti@math.unipd.it (Mauro Conti), hinder the enforcement of basic security services such
61 chhagan@simula.no (Chhagan Lal) as confidentiality, data integrity, authenticity, and ac-
62
63 Preprint submitted to Computers & Security April 16, 2020
64
65
 1
2
3
4 cess control [13], and could be exploited by an adver- tination Oriented Directed Acyclic Graph (DODAG)
5 sary to run more powerful attacks. Therefore, data tree [4] is to discover anomalies, which provides an
6 routing in such networks is considered as one of the indication of ongoing sybil and wormhole in the net-
7
weakest links in the adoption of these networks in work. Once an anomaly is detected, the root node
8
real-world applications [7]. takes adequate actions to remove the identified mali-
9
10 cious node(s) from the network. To this end, the key
11 1.1. Motivation and Contribution contributions of this paper are as follows.
12 An adversary could easily capture, tamper, or even • We propose two new techniques to detect sybil
13 destroy devices in an IoT network. It is due to the and wormhole attacks in RPL based IoT net-
14 lack of physical protection and tamper resistance in works. Both solutions make efficient use of the
15 LLNs. Although RPL provides confidentiality by us-
16 HRCA scheme for attack detection and local-
ing simple cryptographic mechanisms that ensure au- ization. The localization process provides rapid
17 thenticity and integrity of its control messages, a
18 mitigation of an ongoing attack with low over-
legitimate node captured by an adversary can still head.
19
eavesdrop, duplicate, or alter packets, leading to sig-
20
nificant problems such as power outages in smart • We formulate a novel mathematical model to
21
grid networks or widespread system failures. Even perform a simple yet effective detection of the
22
23 though many papers have extensively addressed the wormhole attack in the IoT network. The pro-
24 impact of attacks in traditional networks such as ve- posed model uses minimum additional informa-
25 hicular networks, wireless sensor networks [14], and tion for the detection process. It dramatically
26 mobile ad hoc networks [15], they could not be ap- reduces the attack detection overhead when ex-
27 plied directly to the IoT. It is because of IoT net- ecuted in the non-storing routing mode of RPL,
28 works’ specific characteristics such as device hetero- which is one of the most used routing modes in
29 geneity, resource constraints, few standard protocols, the real-world applications of IoT.
30 context-dependence, and cross-device dependencies.
31 Therefore, researchers have started working on the • We fully implement our proposed techniques in
32 design and development of novel solutions that can Cooja, the Contiki network emulator, which also
33 be efficiently used in the IoT networks to improve works as an emulator. The correctness of our
34 their communication reliability [16, 17], and secu- techniques has been shown through result eval-
35 rity [5, 18]. Although sybil and wormhole attacks uations concerning the relevant metrics such as
36 have been well investigated in the literature for tra- true positive rate, packet loss ratio, memory con-
37 ditional networks, there are still no suitable solutions sumption, and attack detection overhead in vari-
38
that could fully address these attacks by considering ous IoT scenarios with different network load and
39 size. Finally, we make available the open-source
the unique characteristics of IoT and RPL protocol.
40 implementation of both the approaches on Git
41 In this paper, we propose novel techniques to de-
tect two of the most destructive attacks known as repository1 .
42
43 sybil and wormhole in RPL based IoT networks. Our
proposed techniques exploit the concept of Highest 1.2. Organization
44
45 Rank Common Ancestor (HRCA), which aims to find The organization of the rest of this paper is as fol-
46 a common ancestor with the highest rank among all lows. Section 2 provides a brief overview of the RPL
47 the ancestors that a pair of nodes have in the target protocol, with a description of the sybil and wormhole
48 network tree. As HRCA being a tree-based approach attacks followed by the related work concerning the
49 and the RPL routing protocol also logically creates state-of-the-art attacks and solutions in RPL-based
50 a tree topology for routing, we show that the HRCA IoT networks. In Section 3, we discuss the system and
51 approach becomes a perfect match for securing large- adversary models. In Section 4, we present the de-
52 scale RPL based IoT scenarios from the sybil and tails of our proposed solutions. The simulation setup
53 wormhole attacks. Our proposals not only detect an details and performance evaluation are presented in
54 ongoing attack but also localizes the position of the Section 5. Finally, Section 6 concludes our work.
55 attacker in the network. Thus, it makes the mitiga-
56 tion process lightweight and fast. In particular, sev-
57
eral network nodes periodically execute our detection
58
algorithms on their specified cached entries. The aim
59
60 of these periodic executions on the root and specifi-
61 cally identified intermediate nodes in the RPL’s Des- 1 https://github.com/pallavikaliyar/LiDL

62
63 2
64
65
 1
2
3
4 2. Background and Related Work root to announce itself as a possible destination to
5 the root. During their way towards the root, these
6 In this section, first, we present a brief overview of packets pass through their ancestors, thus establish-
7 the RPL protocol and working methodology of sybil ing “downwards” routes along the way. The full im-
8 and wormhole attacks. Then, we will discuss state-of- plementation details of RPL and its design goals are
9
the-art attacks and solutions on data communication out of the scope of this paper. Hence, we direct the
10
in RPL-based IoT networks along with their limita- interested readers to more comprehensive literature
11
tions to show how our proposed work improves the on RPL protocol, which is given in [4, 20].
12
13 state-of-the-art.
14 2.2. Sybil and wormhole attacks in IoT
15 2.1. Routing Protocol for Low Power and Lossy Net- In this section, we present an overview of sybil and
16 works (RPL) wormhole attacks concerning the IoT networks.
17 RPL [4] is based on a virtual routing topology
18 • Sybil Attack - sybil attack consists of manipu-
called Destination-Oriented Directed Acyclic Graph lating network devices to harm the data com-
19
(DODAG) on top of the underlying physical topology. munication process [21]. In particular, a sybil
20
The DODAG is a directed graph-oriented towards a node illegitimately claims multiple identities and
21
22 root node without loops. In DODAG, each node has executes this attack to achieve various advan-
23 multiple parents towards the root. However, a node tages, such as usage of unauthorized resources,
24 selects only a preferred parent based on the rout- harming the confidentiality of users, dissemi-
25 ing metric and objective function. The parent node nating false control information, and publish-
26 will be used for forwarding data packets. The struc- ing private information of network users. Since
27 ture of DODAG supports multipoint-to-point com- a sybil node has legitimate information (code
28 munication in RPL, which provides communication and cryptographic material), it may participate
29 from the nodes to the root. Each node receives a in the network operations in the same way as
30 rank ID that depends on its distance from the root. a non-compromised node. Hence, sybil nodes
31 The creation and the maintenance of the DODAG can launch a variety of attacks and become even
32 are done through ICMPv6 control packets known as more critical.
33 DODAG Information Objects (DIO). Each node in
34 RPL disseminates DIO messages containing the link, • Wormhole attack - In wormhole attack [22], an
35 node metrics, and an objective function that is used attacker first tunnels the packets that it receives
36 by each node to select the preferred parent among at one point in the network to another point in
37 its neighbors. The node metrics contain values such the network. Later, it replays these packets into
38 the network from that point. This attack aims
as the expected transmission count (ETX) and the
39
residual energy. To maintain the DODAG, the DIO to give the attacker advantages relative to other
40
packets are rebroadcast by each node based on the nodes, and the attacker could exploit it in a va-
41
42 Trickle algorithm [19]. Another control packet known riety of ways, such as to misdirect traffic of other
43 as DODAG information solicitation (DIS) packet is nodes or privilege its own traffic. The success of
44 triggered when a new node wants to join an existing the wormhole attack is independent of the fact
45 DODAG. The DODAG node receiving the DIS will that the network communication is confidential
46 send a DIO packet. and authentic, and it uses cryptographic keys to
47 RPL supports different types of communica- perform secure communications.
48 tions such as point-to-multipoint, point-to-point,
49 and multipoint-to-point, and it provides two modes 2.3. State-of-the-art on security in RPL-based IoT
50 known as storing and non-storing. In storing mode, networks
51 which is based on table-driven routing, the non-root There are very few efforts in the past that addresses
52 nodes create and maintain a routing table for all the security issues in RPL protocol against various
53 their descendant nodes. While in the non-storing routing attacks, such as rank, sybil, and wormhole
54 mode, which is based on source routing, only the attacks. The authors in [23] propose an Intrusion De-
55 root node creates and maintains the routing infor- tection System (IDS) called SVELTE. In SVELTE,
56 mation about all the network nodes. The creation the IDS is installed at the root and a set of net-
57
and maintenance of routing tables in both the RPL work nodes to analyze the traffic to identify anoma-
58
modes are done with the help of RPL’s control pack- lies, which helps in detecting various routing attacks.
59
60 ets called Destination Advertisement Object (DAO). However, the network scalability and routing over-
61 Each non-root node sent these packets towards the head remains the biggest drawback of the SVELTE
62
63 3
64
65
 1
2
3
4 scheme. Additionally, unlike LiDL, it does not pro- able as it is only evaluated in small networks (i.e.,
5 vide attack localization, and it does not evaluate 24 nodes). In particular, the work concerning the
6 SVELTE against sybil and wormhole attacks. impact and countermeasures of a wormhole in RPL-
7
In [24], sybil attacks are categorized into three dif- based IoT networks is still in its early stages. There-
8
ferent forms. Based upon the geographical and so- fore, it requires significant attention from the research
9
10 cial scope of the attacking nodes, the countermea- community.
11 sures proposed are social graph-based sybil Detec- In [30], the authors propose a technique to de-
12 tion (SGSD), behavioral classifies-based sybil Detec- tect and mitigate wormhole attack in LLNs. The
13 tion (BCSD), and mobile sybil detection. These tech- technique uses two special types of motes, namely,
14 niques are quite relevant in mitigating most of the Area Border Router (ABS) and Sensing Aware Nodes
15 sybil attacks but faces specific challenges such as the (SAN), to detect wormhole attacks. The proposed
16 lack of global social and historical graphs, location in- approach mainly monitors the signal strength of
17 formation of mobile devices, the unauthorized study nodes, and if the distance between two nodes is found
18 of users patterns, and the difference in security ca- greater than the default distance, than an attack is
19 pability of different devices. Additionally, the au- detected. Both types of special motes act as a backup
20 thors do not implement and evaluate their proposed for each other, such that if one type of mote fails, oth-
21 scheme, which questions its correctness and deploy- ers will detect the attack. The results are good, and it
22 ment feasibility. SecTrust-RPL, a secure RPL proto- does not require excessive power, which is quite useful
23 in a resource-constrained environment. However, the
col proposed in [25], is based on a trust-based mech-
24 main disadvantage is that the detection of approach
anism that stands out from all the earlier works. It
25 is directly proportional to the special types of motes
26 mainly relies on cryptographic techniques for securing
IoT networks. It is effective against both the rank at- used in the network, which makes it less effective in
27
tack and the sybil attack by the adoption of a trustee- small IoT networks.
28
29 trust or relationships for all its nodes. However, the
30 proper integration of recouped nodes back in the net- 3. Problem Formulation
31 work remains a problem in this approach. Recently,
32 authors in [17] propose a trust-based security archi- In this section, we present the problem formula-
33 tecture for RPL in which parameters such as nonce tion which includes system and adversary modelling.
34 value, network white-list, and timestamp are used to Later, we use these models to describe and evaluate
35 ensure the integrity of the control messages in tran- our proposed security solutions.
36 sit. Authors in [26] exploit the use of a lightweight
37 remote attestation scheme to improve the security of 3.1. System Model Formulation
38 the data communication process in RPL-based IoT
39 In our work, the system model has the following
networks. properties.
40
41 Wormhole attacks, as described in [27], are one of
42 the sophisticated attacks to detect. The attack be- • The target IoT network consists of a set N =
43 comes more critical when it is launched in combi- {N1 , N2 , ...Nm } of size m resource-constrained
44 nation with other attacks like eavesdropping, selec- devices (i.e., sensors and actuators) called nodes,
45 tive forwarding, and blackhole. In literature, there and R = {R1 , R2 , ...Rn } resourceful nodes called
46 are effective proposals to tackle wormhole attack in LLN border routers (LBR). The nodes in set
47 Wireless Sensor Networks (WSNs) [28, 29]. Worm- N exhibit the same amount of resources. How-
48 hole attack on short-path length routing protocol is ever, the functionalities of these nodes could dif-
49 considered in [28] for wireless ad hoc networks, where fer from each other depending upon the type of
50 they propose a timing-based detection. The approach sensors (e.g., light, pressure, and temperature)
51 considers packet transmission time (PTT) to detect that are installed in them. Based on the type of
52 wormhole attacks, and it is an improvement to its pre- IoT application running on top of the network-
53 decessors. In [29], the authors make use of neighbor ing infrastructure, the nodes with similar func-
54 information stored by nodes in an RPL based network tionalities could be grouped to create a multicast
55 to detect wormhole tunnels, and the root provides the group in the network. For routing, the RPL pro-
56 validation. The monitoring algorithm based on RSSI tocol supporting storing and non-storing modes
57
eventually discovers the wormhole. The main draw- has been configured at the network layer of all
58
backs of the mechanism consist of the cost overhead the nodes. The other layers (e.g., application,
59
60 and memory allocation for neighbors. Also, the scal- link layer, and physical) have been configured
61 ability of the proposed approach remains question- using the standard protocol stack of IoT [31].
62
63 4
64
65
 1
2
3
4 work configuration and requirements of IoT ap-
5 Table 1: Symbol Table
plications running on the top, a network could
6 Symbol Definition
have more than one virtual DODAG instances
7 N Set of nodes in network over the same physical network, each represented
8 m Number of IoT nodes in N by a DODAG ID (DIDi ). To ensure that our
9 det
Stab sybil Detection table system model covers a broad range of IoT do-
10 det
11 Wtab wormhole Detection table mains, it provides support for all types of com-
12 < ith Source-Destination pair munications (i.e., multipoint-to-point, point-to-
13 Si , Di > multipoint, and point-to-point) in both the RPL
14 modes.
I Identity of a benign node
15
SID Sybil identity • Our proposed security solutions define the fol-
16
17 G Communication Graph lowing additional or enhanced data structures at
18 (DODAG) nodes (i.e., root or non-leaf) in the target net-
19 wh Wormhole attack work.
20 Γ Attack intensity det
21 i – Sybil Detection Table (Stab ): Irrespective
Sid ith Source node ID to RPL routing mode (i.e., storing or non-
22 i
23 Did ith Destination node ID storing), each non-leaf node in the net-
hop det
24 P revid Previous hop Node ID work stores Stab , which consists of 2-tuple
25 hop i hop i
Fid Forwarding next hop Node ID < Sid , P revid >. Here, Sid is the ID of
26 th
i
Srank ith Source node Rank the i network node, which is also acting
27 hop
i
Drank ith Destination node Rank as a source node, and P revid is the ID of
28 the previous forwarding node of a received
i
29 Thops Total path-length (in hops) of ith data packet. For each received packet at a
30 Source-Destination pair non-leaf node, the receiving node will check
31 Rnode Root Node det
the Stab entries based on our proposed sybil
32
Dpkt Data Packet attack detection technique. At any point
33 new det
34 Dpkt First Data Packet from a new of time, the number of entries in Stab will
35 Data session not exceed the total number of data sessions
36 N Random node in DODAG in the network, otherwise the first-in-first-
37 out (FIFO) replacement algorithm is used
N Lnode Non leaf Node
38 to store a new entry in the table.
ti time at ith instance
39 – Wormhole Detection Table (Wtab det
): De-
40 Ptimer Network level periodic timer
pending upon the RPL routing mode, our
41 Nchild Child of random node N
wormhole detection algorithm operates dif-
42 Lnode Leaf Node ferently on the Wtab det
. The selected network
43 Nrank Rank of random node N nodes execute our wormhole detection al-
44 count
Vhop Verified hop count of particular det
gorithm on the Wtab , which consists of the
45 i i i i i
46 Source-Destination pair 5-tuple < Sid , Did , Srank , Drank , Thops >,
pkt th
here i is the i node in the network, Sid i
47 Wdet wormhole detection packet
i
48 and Did are the source and destination IDs,
i i
49 Srank and Drank are the rank of source
i
50 • At the initialization phase, all nodes are deployed and destination nodes, and Thops is the hop
51 i i
randomly in the given network area, and the count between the < Sid , Did > source-
52 RPL protocol creates a virtual DODAG over the destination pair. In non-storing mode, each
53 physical topology. As mentioned before that, data packet passes through root node, due
54 along with the m network nodes, the IoT net- to which the root node has the global topol-
55 work also contains n LBR nodes, which are con- ogy view. Thus, it can easily gather the
56 sidered as resourceful nodes and act as a root information required to fill all the entries
57 det
for a DODAG. We assume the rank value of in Wtab . In case of storing mode, we use
58
the LBR nodes is set to one, and the rank of a different approach to perform the worm-
59
60 the other nodes is calculated based on their dis- hole detection, which we describe in detail
61 tance from the LBR. Depending upon the net- in Section 4.3.
62
63 5
64
65
 1
2
3
4 3.2. Adversary Model Formulation Lwh (Si , Di ) are the lengths of the shortest paths
5 between a random source-destination pair Si , Di
6 The rapid increase in the use of IoT networks for
a vast array of user-centric applications makes these ∈V(G) ∩ V (Gwh ) on G and Gwh , respectively. If
7
networks a high-profit target for attackers. In our Lwh (Si , Di ) < L(Si , Di ), it indicates that there
8
target IoT scenarios, the attackers are assumed to exists a wormhole attack on Gwh . If, ΓSi Di =
9
10 have the following characteristics. L(Si , Di ) - Lwh (Si , Di ) quantifies the shortened
11 path length of wh between Si and Di , then the
• We are concerned about malware infection, i.e., intensity of wh can be defined as ΓSi Di = max
12
13 predominantly Software Adversary (SA). In our {ΓSi Di |Si , Di ∈ V (G) ∩ V (Gwh )}. The intensity
14 adversary model, we assume that a SA is pow- of the attack depends on the number of attackers
15 erful enough to capture and manipulate one or in the network and their positions with respect
16 more legitimate nodes remotely. Once those to the source-destination pair that they target.
17 nodes are infected with malicious code, then the In particular, when the attack intensity is high,
18 SA can disrupt data communication functional- the topological distortion in the target IoT net-
19 ity by launching sybil or wormhole attacks. work will be important.
20
21 • The primary goal of the SA is to disrupt network
• Sybil Attack Formulation: Let m be the
22 routing protocol and interfere with ongoing com-
number of nodes in network, and I =
23 munications. In the case of the sybil attack, the
{ID1 , ID2 , ID3 , ...IDm } be the set of identities
24 malicious node acquires the identity of a legiti-
of these nodes. An attacker needs to possess
25 mate node and try to disrupt the whole routing
one or more valid identities (called sybil iden-
26 process. While in the case of the wormhole at-
tities) to perform the attack. Assume SI =
27 tack, the malicious nodes can create a tunnel be-
{SID1 , SID2 , SID3 ...SIDn } be the identities
28 tween any two nodes to mislead network traffic
an attacker possess, where n < m, and SID is
29 by causing more delay or loops or perform selec-
30 a sybil identity. The possession of identity could
tive packet drop in the network. This situation
31 be done by compromising a benign node or by
can lead the sender node to transmit a single
32 fabricating the identity of a benign node. The
packet multiple times. This scenario causes en-
33 fabrication process can be executed by acquiring
ergy loss since previously sent packets to roam
34 a set of identities (i.e., SID) in a way that all the
in the network from one node to another node
35 SIDs fall in the category of valid identities, i.e.,
until they reach its destination or outlives.
36 SIDi ∈ SI, and SIDi ∈ {SIDmin , SIDmax},
37 • In this paper, we primarily focus on the miti- where SIDmin and SIDmax are minimum and
38 gation of adversarial scenarios when single, or maximum valid range of IDs. The ID fabrication
39 multiple malicious nodes try to make multiple might not be possible if there exists a secure com-
40 fake IDs of the legitimate nodes or create tun- munication channel between the communicating
41 nels. The aim is to cause communication de- nodes, in such cases, the node compromise could
42 lay and disrupt network topology view in rout- be used to launch the sybil attack.
43
ing/forwarding tables. We assume that the ad-
44
versary will not interfere with the proper func-
45
46 tioning of a network, such as altering data pack- 4. LiDL: Sybil and wormhole attack detection
ets, destroying network devices, and tampering approaches
47
48 with the cryptographic key management opera-
49 tions. An IDS can detect such activities. Hence In this section, we first present the working
50 it puts the attacker at risk of being detected [20]. methodology of our proposed security solutions for
51 sybil and wormhole detection. To better understand
Next, we mathematically formulate the two attacks the functioning of our proposed solutions, later, we
52
53 that our proposed approaches identify and mitigate use an example of an IoT scenario which consists of
54 in a target IoT network scenario. benign and malicious nodes.
55 • Wormhole Attack Formulation: We assume that
56 G be a communication graph of target IoT 4.1. Overview
57
network that consists after the DODAG for-
58
mation, and wh be a wormhole attack on the The finite state machine (FSM) model of both the
59
60 G. Thus, Gwh will be the resultant DODAG proposed approaches is shown in Figure 1. Here, we
61 after the attack. Assume that L(Si , Di ) and perform the following essential functions.
62
63 6
64
65
 1
2
3
4 • Initial Joining: Wait for RPL DODAG forma- Algorithm 1 Sybil attack detection process
5 tion. Once done, all nodes will become part of 1: for each Dpkt received at N do
6 the network. 2: if N ≡ N Lnode ∨ N ≡ Rnode then
7 i hop
8 3: Extract < Sid , P revid > from Dpkt
• Verify Periodic timer: After network formation,
9 4: if detection process is based on Ptimer then
a network-level periodic timer is being set. det
10 5: Add a new entry in the Stab
11 • Apply detection algorithm: Upon each expiry of 6: else
i det
12 the periodic timer, one or more nodes are se- 7: if Sid ∈ Stab then
i hop det
13 lected to execute our wormhole and sybil de- 8: Check FD: Sid → P revid in Stab
14 tection algorithms. Based on the result of the 9: if FD ≡ TRUE then
15 algorithm’s execution, the node(s) that identify 10: Process the Dpkt normally
16 misbehavior will trigger an alarm message to the 11: else
17 root node. 12: Notify Rnode for sybil detection
18 13: end if
19 • Result: Based on the alarm message content, the 14: else
20 root node will take further actions to mitigate 15: Add < Sid i hop
, P revid det
> entry in Stab
21 the attack(s) in the provided locality. 16: end if
22
17: end if
23
18: else
24
25 Start RPL Check for
19: Process the packet normally, i.e., the node is
Start
26
DODAG
Formation
Periodic
Timer
the leaf node
27 20: end if
28 21: end for
29 If attack 22: for each expiry of Ptimer do
found i hop det
30 inform Root 23: Check FD: Sid → P revid in Stab
Node
31 24: if FD ≡ TRUE then
32 25: Process the Dpkt normally
33 FSM for Sybil & Wormhole Apply Algo. 1 26:
If Sybil
else
{ apply Algo. 1}
or Algo. 2 If Wormhole
34 Detection 27: Notify Rnode for sybil attack detection
{apply Algo. 2 }

35 28: end if
36 29: end for
37 Figure 1: FSM for sybil and wormhole Attack Detection
38
39 then it is mandatory to have the same values of Y to
40 4.2. Sybil Attack Detection hold the FD to T RU E.
41 Our sybil attack detection and localization tech- i
In the case where no entry matching with Sid is
42 nique use Stabdet
, which resides at each non-leaf node in det
43 found in Stab , a new entry is created with the infor-
the RPL DODAG. The proposed detection approach mation extracted from the received data packet (Al-
44 det
works implicitly during the Stab ’s creation and main- gorithm 1, lines 7 and 15). While, if the Sid i
extracted
45
46 tenance processes, which are as follows. Initially, the from received data packet matches with some Sid i
in
det
47 Stab is empty. Whenever an ith non-leaf node re- det
Stab and it satisfies the FD, then the packet is pro-
i
48 ceives a data packet, it extracts the source ID (Sid ) cessed normally (Algorithm 1, lines 8 − 10). On the
49 from the packet and identifies the previous-hop ID other hand, if a match has been found in the table
hop det
50 (P revid ), and it checks the existing Stab entries for such that FD is not satisfied, then the node will raise
i hop
51 a match with the condition Sid → P revid (Algo- a sybil attack detection alarm by informing the root
52 rithm 1, lines 2 − 3). In particular, upon reception of node about it (Algorithm 1, line 12). The use of the 2-
53 a data packet at a non-leaf node, the following func- i hop
tuple (i.e., < Sid , P revid >) in the matching process
54 tional dependency (F D) is checked: helps the localization of the attacker. It is because
55 FD: X → Y , it means that the values of X deter- this particular 2-tuple ensures that the attacker will
56 mine the value of Y . In our network scenario, X is always be a descendant of the node at which the at-
57 the source node (Sid i
) of the received data packet, and tack is detected, i.e., the node that informed the root
58 hop
Y is P revid of a data packet at the current node. If node about the sybil attack. Additionally, this non-
59
60 any two entries (including the current entry extracted leaf node is by default the Highest Rank Common An-
61 from the received packet) shares the same values of X, cestor (HRCA) of the sybil node and its correspond-
62
63 7
64
65
 1
2
3
4 ing genuine node to which it is cloning. To reduce
5 the overhead caused due to processing (i.e., the FD
6 check) of all the received data packet at non-leaf node, Server
7
each non-leaf node extracts the 2-tuple and stores it
8 det
in the Stab (Algorithm 1, lines 4 − 5). The non-leaf
9
10 node only performs the FD check on all the current
det
11 entries in its Stab once a predefined periodic network
12 timer (Ptimer ) expires (Algorithm 1, lines 22 − 29).
13 The value of Ptimer should be carefully selected, and
14 it is a function of traffic load, memory at IoT nodes,
15 and attack detection time. Algorithm 1 provides the
16 steps of our proposed sybil attack detection approach,
17 and it includes the detection process with timer and
18 without timer.
19 The size of the Stab det
(i.e., number of entries)
20 greatly affects the detection process and communi- Figure 2: Sybil and wormhole Attacks in RPL IoT Network
21 cation overhead. Let us assume that Stab det
could store
22 x number of entries at any point in time, and once
23 i hop
the table is full, then the new entries will replace the ues are Sid = 19 and P revid = 21. While, for
24 non periodic detection process, it will check the FD
oldest entry in the table. A larger value of x results
25 i
Sid i
Sid hop
→ P revid det
in Stab and creates a new en-
in longer delays in the searching process performed
26
at each expiry of Ptimer . Thus, larger x increases the try only if FD is TRUE. Now, if at time tx , node
27
energy consumption (due to high processing power), 24 receives a packet from node 19, it will extract the
28
29 as well as memory requirements for the resource, con- 2-tuple (i.e., < 19, 30 >) and checks for the F D in
det
30 strained IoT nodes. On the other hand, a small value Stab . Due to the existence of entry < 19, 21 > in 24’s
det
31 of x could weaken the attack detection capabilities of Stab , the F D will not satisfy and node 24 suspects
32 the proposed detection approach. It is because once an ongoing sybil attack in its sub-tree and notify the
33 det
the Stab is full at a node, the entries created by the same to the root node by sending an alarm message.
34 data packets received from the sybil nodes might get Upon receiving an alarm message, the root could eas-
35 overwritten by the new entries that are caused by the ily identify the sybil node by looking into the global
36 First In First Out (FIFO) replacement algorithm at topology information that it has collected at the time
37 that node. As depicted in Algorithm 1, line 4, the of DODAG creation. Our detection technique works
38 per received packet FD check-in Stab det
can be avoided for storing and non-storing modes of RPL, moreover,
39 at the expense of the reduced attack detection prob- it supports all the communication modes including
40 ability by performing the FD check operation period- point-to-point, point-to-multipoint, and multipoint-
41 ically. In case of the periodic timer (Ptimer ) detec- to-point. However, the attack localization can only
42 tion approach, each non-leaf node (including root) be possible in storing mode with point-to-point and
43 det point-to-multipoint communications.
will check FD for each entry in the Stab upon every
44
expiry of the timer.
45
To better understand the working methodology 4.3. Wormhole Attack Detection
46
47 presented in Algorithm 1, we describe it with the In this section, we present the working method-
48 help of Figure 2, which shows a RPL DODAG con- ology of our novel wormhole detection technique
49 structed on an IoT scenario of 33 nodes. Let us as- for RPL-based IoT network scenarios. The pro-
50 sume that nodes 31 and 32 are sybil attackers and posed technique makes efficient use of HRCA nodes
51 these nodes use the ID of nodes 19 and 2 for packet in RPL-DODAG to execute the wormhole detection
52 transmissions. Table 2 depicts an instance of node technique periodically. Each non-leaf node in the
53 det
24’s Stab at time tx . Let us suppose that at time DODAG will identify and maintain a list of source-
54 t1 (where tx > t1 ) the HRCA (i.e., node with ID destination pairs for which it is HRCA. In storing
55 24) of nodes 31 (attacker) and 19 (benign) receives a mode of RPL, a node stores route for all its descen-
56 data packet from node 31, then as per Algorithm1, dants with the help of DAO messages. To keep the
57 node 24 checks if the sybil detection process is pe- network overhead low, we use a HRCA identification
58 riodic or not (line 4 in Algorithm 1). If it is pe- process which is local to a node, i.e., each node can
59 hop
60 riodic, then it extracts the < Sid , P revid > and identify whether it is HRCA for one or more commu-
det
61 creates a new entry in its Stab . The extracted val- nicating pairs in the network, by using the following
62
63 8
64
65
 1
2
3
4 Algorithm 2 Wormhole attack detection process
det at node 24
Table 2: sybil Example: Stab
5 new
hop 1: for each Dpkt that N receives from a < Si , Di >
6 i
Sid P revid Remark (this en- pair do
7 try is not stored hop
8 2: if (N 6= Di ) ∧ (N 6= Lnode ) ∧ (Fnext ≡ Nchild
at nodes) hop hop new
9 ∧ Fnext 6= P rev of Dpkt ) then
19 21 packet originated 3: N is HRCA for < Si , Di > pair
10 by node 31 at t1
11 4: end if
2 10 packet originated 5: end for
12
by node 2 at t2 6: for each Dpkt new
that N receives from Si do
13
14 23 10 packet originated 7: if N ≡ HRCA < Si , Di > ∨ N ≡ Di then
15 by node 23 at t3 8: N add an entry in Wtab det
with 5-tuple <
16 . . . i
Sid i
, Did i
, Srank i
, Drank i
, Thops >
17 . . . 9: if N ≡ HRCA < Si , Di > then
18 . . . 10: N extract values from Dpkt new
and fill 3-
19 26 21 packet originated tuple < Sid i
, Did i i
, Srank > in newly added
20 by node 26 at tx−1 det
entry Wtab
21 19 30 packet originated 11: end if
22 by node 19 at tx
23 12: if N ≡ Di then
new
24 13: N extract values from Dpkt and fill 5-
det
25 tuple in newly added entry Wtab
approach: when a node receives a data packet for- 14: end if
26
27 warded by one of its child and the forwarding next-hop 15: end if
hop
28 (Fnext ) node towards the destination of the packet is 16: end for
29 also one of its other children. The current node be- 17: for each expiry of Ptimer do
30 comes the HRCA for this communicating pair (Algo- 18: each Di creates Wdet pkt
that consists of
31 rithm 2, lines 1 − 5). i i i i
Sid , Did , Srank , Drank , Thops
32 For the sake of clarity, we refer the reader to Fig- 19: Di sends Wdet pkt
to Rnode for each Sid i i
, Did entry
33 ure 2, where a data session begins between the nodes in its Wtab det
34 3 and 19, then the data packets will follow the route pkt
35 20: for each Wdet received by a N do
3 → 21 → 24 → 30 → 19. In this route, when node i i
36 21: if N ≡ HRCA < Sid , Did > then
21 forwards the packet to node 24, the node 24 will count i
37 22: N calculates Vhop = (| (Drank −Nrank ) |
forward it to node 30. Here, node 24 satisfies the i
38 + | (Srank − Nrank ) |)
HRCA property (i.e., receiving the packet from one count i
39 23: if Vhop ≡ Thops then
child and forwarding it to another child) for a source-
40 24: No wormhole tunnel detected between
destination pair (i.e., node 3 and node 19). However, i i
41 < Sid , Did >
our wormhole detection algorithm does not consider a
42 25: else
node as HRCA if the next-hop node from the HRCA
43 26: wormhole tunnel detected between <
44 to the source node and the destination node is the i i
Sid , Did >
45 same. For example, in Figure 2 node 18 is HRCA for
27: N notifies the Rnode for mitigation of
46 < 5, 22 > source-destination pair because the next-
the attack
47 hop node to reach to nodes 5 and 22 from node 18
28: end if
48 is the same node (i.e., node 15). Thus, our worm-
29: end if
49 hole detection approach does not consider node 18 as
30: end for
50 HRCA for nodes 5 and 22. Finally, in the non-storing
31: end for
51 mode of RPL, only the root will act as HRCA because
52 all the data packets will be routed through it.
53 In order to detect the wormhole attack in the RPL
54 DODAG, the steps that are given in our proposed 1. Step 1: Whenever a destination node (say Di )
55 Algorithm 2 are executed in the network upon expiry or HRCA of < Si , Di > pair receives the first
56 of the network level timer (Ptimer ). We also present new
data packet (Dpkt ) generated by a new data
57 session, the node creates a fresh entry in its
the flowchart in Figure 3, which provides a simpli-
58 wormhole Detection Table (Wtab det
) by storing the
fied explanation of the steps taken in our proposed
59 i i i i i
wormhole detection approach. Below, we detail these 5-tuple < Sid , Did , Srank , Drank , Thops >, here
60 t
61 steps. i represents the i h source-destination pair in
62
63 9
64
65
 1
2
3
4 the network, and Thops i
is the total number of tunnel between the Sidi i
, Did pair, upon
5 i i which the DODAG root will take the
hops between Sid and Did , which are recorded
6 attacker identification and mitigation
in the received data packet header (Algorithm 2,
7
lines 7 − 8). To fill values in the fields of measures (Algorithm 2, lines 26-27).
8
9 this new entry, the destination node extracts < • If the node receiving the Wdetpkt
is not the
i i i i
10 Sid , Did , Srank , Thops > from the received packet HRCA, then it will forward the packet to-
11 header, and it already knows its own rank, i.e., wards the DODAG root. Finally, when
12 Drank (Algorithm 2, lines 12 − 14). While the the root receives a Wdet pkt
and it is the
13 HRCA node can only fill the values in the new HRCA, then it will computes the Vhop count
=
i i i
14 entry for < Sid , Did , Srank > fields because the i i
i (| (Drank − Srank ) |. After that, it com-
15 packet header does not contain Drank , and the count i
i pares the value of Vhop with Thops that is
16 Thops is not the total path length yet (Algo- pkt
17 rithm 2, lines 9 − 11). given in the received Wdet to identify the
18 2. Step 2: After each expiry of the predefined peri- presence of a wormhole as depicted in (Al-
19 odic timer (Ptimer ) with time interval say τ (Al- gorithm 2, lines 21 − 23).
20 gorithm 2, line 17), the following events occur. The process mentioned above will be used when
21
• At any non-root node say N , for each en- RPL is working in the storing mode. In the non-
22
23
det
try in its Wtab where the Di is equal to N , storing mode, where the intermediate nodes have no
24 it will create a custom wormhole detection memory, and all the packets need to be forwarded
pkt through the root, our wormhole detection process is
25 packet (Wdet ) and send it to root (Algo-
26 rithm 2, lines 18 − 19). The total number of simple. At each expiry of Ptimer , if the root is the
27 det
entries in Wtab at N is always less than or destination node for a source-destination pair then it
count count
28 equal to the number of source-destination will compute the value of Vhop as follows: Vhop
i i
29 pairs in which it is acting as a destination = (| (Drank − Srank ) |. Else, the root will compute
pkt count
30 node. The Wdet sent by N is lightweight as Vhop using the following equation:
31 it only include Sidi i
, Did i
, Srank i
, Drank , Thops
count i i
32 information. Vhop = (| (Drank − 1) | + | (Srank − 1) |), (2)
33 pkt
34 • Each intermediate node that receives Wdet
where 1 is the root rank. Later, in both the above
35 during its way towards the root, checks count i
cases, the Vhop is compared with the actual Thops .
36 whether it is the HRCA for the pair of nodes i
i i pkt The root stores Thops for each source-destination pair
37 Sid , Did specified in the Wdet or not (Algo- i
rithm 2, lines 20 − 21). The check is done in the network. It can simply calculate Thops by using
38
39 by searching the Wtab det
for the pair of nodes its global topology view.
i i
40 Sid , Did . If the node is HRCA node, then
41 it will run the following wormhole detec- det table at time t
Table 3: Example: Node 24 Wtab 1
42 tion steps before discarding the packet (Al- i i i i i
43 gorithm 2, line 22):
Sid Did Srank Drank Thops
44 It will compute the verified hop count 30 29 3 - -
45 count
(Vhop ) value using the following equation:
46
19 2 4 - -
47 15 24 4 2 4
48 count i
Vhop = (| (Drank − HRCArank ) | . . . . .
49 i
(1)
50 + | (Srank − HRCArank ) |). . . . . .
51
– If the value of Vhop count
for the pair of . . . . .
52
53
i i
nodes Sid , Did is same as the value of 26 28 5 - -
i
54 Thops that is extracted from the re- 3 30 4 - -
pkt
55 ceived Wdet , then it indicates the ab-
56 sence of a wormhole tunnel between the To better understand the working methodology of
57 i i
Sid , Did (Algorithm 2, lines 23-24). our wormhole detection technique, we consider the
58 – If the calculated Vhop count
differs from DODAG depicted in Figure 2 as an example, which
59 i
60 the Thops , then the HRCA notifies the has the following pairs < Si , Di > in the network:
61 root about the existence of a wormhole < 30, 29 >, < 19, 2 >, < 15, 24 >, < 26, 28 >, and
62
63 10
64
65
 1
2
3
4 of Thops is equal to 6.
5 In order to clearly explain our detection algorithm,
6 det
we make use of Figure 2 and Wtab (i.e., Table 3)
7
at node 24. Table 3 shows an instance of node 24’s
8 det
9 Wtab . The first entry in Table 3 is created when node
10 24 receives a data packet, which is initiated by source
11 node 30, and node 29 is acting as the destination for
12 the packet. The node 24 only creates a new entry for
13 the first data packet of a new data session between
i i i i
14 a Sid , Did pair, if node 24 is HRCA of Sid , Did pair.
15 As it can be seen from Figure 2 that 24 is HRCA
16 for < 30, 29 > pair, so it will create a new entry
det
17 for source node (i.e., 29) in its Wtab , only if such an
18 entry is not already available in the table. In par-
19 i i i
ticular, node 24 extracts the values of Sid , Did , Srank
20 from the packet and stores them in the newly cre-
21 ated entry. The columns Drank , and Thops i
will re-
22 main empty as the packet does not have these values.
23 Similarly, when node 24 receives new packets from
24 other source-destination pairs for which it is HRCA
25
(e.g., < 19, 2 >, < 26, 28 >, and < 3, 30 >), it will
26 det
create new entries in its Wtab . For < 15, 24 > entry
27
28 in Table 3, it is seen that all the columns are filled. It
29 is because when node 24 receives the first packet for
30 a new flow between 15 and 24, then the destination
31 address in the received packet will match with 24 it-
32 self. Thus, it knows the value of Drank (i.e., its own
i
33 rank), it can calculate the Thops by using the ranks
34 of 15 and itself.
35 By taking into account the network scenario given
36 in Figure 2 where, if < 19, 2 > is a benign source-
37 destination pair, and < 10, 16 > acts as a wormhole
38 tunnel in the network, then our wormhole detection
39 technique works in the following steps:
40
41 1. Source node 19 will initiate a new data session
42 by sending the first data packet (say P1 ) to the
43 destination node 2.
44
45 2. Upon reception of P1 , each node in the path be-
46 Figure 3: Flowchart for wormhole attack detection tween 19 to 2 will execute lines 1 to 16 of Al-
47 gorithm 2, to check if the node is HRCA for
48 the < 19, 2 > pair, and then process the packet
49 < 3, 30 >. Let us assume that the wormhole attacker accordingly. In our example, only node 24 will
50 pair of nodes is < 10, 16 >. We illustrate how the satisfy the IF condition given in line 2 of Algo-
51 wormhole attack impacts the communication between rithm 2 because it is HRCA for < 19, 2 > pair.
52 det
a genuine pair < Si , Di > (say < 19, 2 >). Also, 3. Nodes 24 and 2 create an entry in the Wtab as
53 we show that how our proposed approach identifies per line 7. The entry created at node 24 is shown
54 the presence of this wormhole attack. When node 19 in Table 3 (2nd entry). Table 3 also shows the en-
55 sends a data packet to node 2, due to the wormhole tries for other source-destination pairs for which
56 attack, the packet follows the path: 19 → 30 → 24 → node 24 is either acting as HRCA or destination.
57
10 → 16 → 14 → 13 → 23 → 12 → 20 → 2, which It is seen in Table 3 that when node 24 is HRCA,
58 i i i
has the total path length (Thops ) of 10. However, then it can only store < Sid , Did , Srank > infor-
59 det
60 without wormhole attack, the path is: 19 → 30 → mation (e.g., 1st and 2nd entries in Wtab ) for a
61 24 → 10 → 12 → 20 → 2. Without attack, the value < Si , Di > pair. However, when node 24 is a
62
63 11
64
65
 1
2
3
4 destination node (e.g., 3rd entry in Wtab det
), then
5 i i i i i Table 4: Simulation parameters
it can store < Sid , Did , Srank , Drank , Thops >. Parameters Values
6
4. Let us assume that the periodic network timer Simulator Cooja on Contiki v2.7
7
8 (Ptimer ) expires at time t1 . Node 2 sends Simulation time 5 to 30 Minutes (for time varying
pkt scenario)
9 the Wdet towards root (line 19), which goes
through the path 2 → 20 → 12 → 10 → Simulation time 10 Minutes
10
24 → root. The Wdet pkt
carries the 5- DODAG root rank 1
11 Scenario Dimension 200 x 200 to 800 x 800 sq.meter
i i i i i
12 tuple < Sid , Did , Srank , Drank , Thops > (i.e., <
Number of nodes 61 sky motes (including 1 root
13 pkt
19, 2, 4, 6, 10 >) that was stored in 2’s Wdet upon for fixed scenario)
14 the reception of the first data packet from node Number of nodes 21 to 101 sky Motes (for node
15 19. During its way to the root, when node 24 varying scenario)
16 receives the Wdet pkt
, it extracts the < Sid i
, Didi
> Transport layer UDP
17 (i.e., < 19, 2 >) and verifies whether this pair is protocol
18 det Routing Protocols RPL and LiDL
in its Wtab .
19 det
Ptimer 1 Minute
20 5. If the pair < 19, 2 > exists in the Wtab of node Radio Medium Unit Disk Graph Medium
21 24, then it performs the checks (we refer the (DGRM)
22 reader to lines 22 and 23 in Algorithm 2). The PHY and MAC IEEE 802.15.4 with CSMA and
count
23 output of the Equation 1 in line 22 will be Vhop Layer ContikiMAC
24 = (| (6 − 2) | + | (4 − 2) |), which is 6. When RNG Seed 25 iterations each with new seed
25 it is matched with the Thops i
(i.e., 10) that is ex- Application proto- CBR
26 pkt col
tracted by node 24 from the received Wdet (line Transmission 25m
27 20), then the given condition will not satisfy, and Range
28 the lines 26 and 27 will get executed, which in- Number of attacker 2% to 10%
29 dicates the presence of a wormhole, and a noti- nodes
30 Traffic rate 0.50 pkt/sec - 500 packets
fication about it will be sent to the root node.
31
32
33 5. Implementation and Evaluation with the traditional RPL protocol and the state-of-
34 art work in [30], in different scenarios. The existing
35 In this section, we present first the simulation setup results of the approach in [30] have been taken on very
36 details that we used for implementing and evaluating small network (i.e., 6 to 10 nodes, including one root
37 our proposed countermeasures. Then, we provide an node and one attacker node), which is not feasible for
38 analysis of the simulation results that we have ob- a scalable approach, so we take and compare results
39 tained from multiple IoT network scenarios. The re- by increasing the same ratio of attacker nodes with
40 sults of our proposed solutions have been compared respect to node density in the network used in [30] in
41 with the traditional RPL protocol only since there is
42 different network scenarios. In order to show that our
no existing research that specifically addresses any of detection approaches are effective and scalable, we
43 these two attacks in RPL-based IoT network scenar-
44 consider the different target scenarios with high node
ios. Although, few trust-based [32] [33] and Intru- density. Additionally, for all IoT scenarios that we
45
sion Detection System (IDS) [34] security solutions consider in our evaluation, we use the storing mode
46
47 for RPL exists, however, these works are not suitable of RPL. The main reason is that in the non-storing
48 for comparison purposes since they do not address mode, all the additional processing and storage con-
49 any specific routing attack. sumption due to periodic execution of the detection
50 algorithms will be performed by a resource-full node
51 5.1. Simulation Setup (i.e., root/LLN router). All the simulation results are
52 We have fully implemented both sybil and worm- generated by taking the average of 25 random simu-
53 hole attack detection approaches on top of the avail- lations on each scenario. Table 4 provides the details
54 able open-source code of RPL. The implementation of various parameters along with the values that we
55 is performed in Cooja, the Contiki network emula- have used to configure different target IoT network
56 tor [35, 36], which is being widely used for deploy- scenarios in Cooja emulator [37].
57
ing resource-constrained devices in LLNs (e.g., IoT
58
networks), and we make available open-source im- 5.2. Performance Evaluation and Discussion
59
60 plementation of both the detection techniques. We We present the result analysis of our proposed
61 compare the performance of our detection techniques detection approaches with considering two metrics
62
63 12
64
65
 1
2
3
4 namely the Average Packet Delivery Ratio (APDR) Proposed Sybil_det ABR_SAN Sybil_det
Proposed Wormhole_det
5 and the True Positive Rate (TPR). We create and
6 randomly deploy sybil and wormhole attacker nodes 100
95
7
in the target scenario. The attacker nodes adversely 90
8 85

True Positive Rate (%)

affect the APDR by altering different network pa- 80
9 75
10 rameters (e.g., routing table information, and global 70
11 topology view at the root node) that lead to the dis- 65
60
12 ruption of the data communication process. We also 55
50
13 evaluate how the execution of detection schemes af- 45
14 fect the energy and memory consumption of nodes in 40
35
15 the network. 30
25
16 When a wormhole attack is executed in the net- 20
17 work, the attacker aims to maliciously take part on 40 60 80 100
Number of nodes in network
18 a route, so it could degrade the network performance
19 by using one or more of the following ways: (i) selec-
Figure 5: Effect on true positive rate with increase in network
20 tively drop the packets (i.e., selective packet discard- size
21 ing), (ii) delay the packets by changing their shortest
22 path or creating loops, and (iii) drop all the packets
23 (i.e., blackhole attack). As performing the blackhole The attacker nodes are randomly selected in the net-
24 attack increases the risk of being detected, therefore, work. The simulation time (i.e., 10 minutes) and
25 in our scenarios, the wormhole attack aims to accom-
26 the value of Ptimer (i.e., 1 minute) are kept constant.
plish selective packet dropping and unceasing packet As seen in Figure 4, the APDR of our detection ap-
27
end-to-end delay. On the other hand, the sybil at- proaches remains higher than without any detection
28
29 tacker intends to send and receive packets by cloning approach scenarios. However, there is a slight de-
30 other nodes in the network. In our target scenar- crease in APDR with an increase in network density.
31 ios, the aim of a sybil attack is to increase the net- When there are no detection algorithms deployed, the
32 work traffic by sending unwanted packets or to receive APDR is low since the packets are dropped by the
33 packets that are designated to other nodes. wormhole attackers or due to their loops that induce
34 expiry in the time-to-live value of a packet. Addition-
Sybil with DT Without DT
35 Wormhole with DT ally, the presence of sybil attacks increases the net-
36 work congestion, and there are cases where a packet
100
37 is only received by the cloned node, thus further de-
Average packet delivery ratio (%)

99
38 98 creases the APDR. When we deploy our detection
39 97 approaches in RPL, the slight drop in PDR shown in
40 96 Figure 4 is due to the time taken by the detection
41 95 approaches to detect the attacks; and the possible
42 94
increase in route length is due to increased node den-
43 93
sity.
44 92
45 91 The simulation results for both the attacks in a
46 90 lossless network configuration presents approximately
47 89 100% true positive rate (TPR). Particularly, the
40 60 80 100
48 Number of nodes in network availability of the required network information that
49 is needed by the nodes executing the algorithms 1
50 Figure 4: APDR with increase in network size and 2 resulted in nearly zero false positives. How-
51 ever, as the network configuration becomes lossy, due
52 To demonstrate the scalability of the detection to the loss of some packets that are needed for accu-
53 techniques, Figures 4 and 5 present the percentage of rate functioning of our algorithms 1 and 2, the TPR
54 APDR and TPR with increasing the network size. In starts to decrease. For instance, with the increase
55 this network scenario, the number of network nodes in the size of the network, the TPR decreases, as it
56 is increased from 21 to 101 nodes with an interval of is shown in Figure 5. This behavior is due to the
57
20 nodes, and the network size is also increased from fact that the global topology at the root node, as
58
200 x 200 to 800 x 800 sq.meter with an increase of well as the full information about descendent nodes
59
60 150 sq.meter each time. Moreover, the number of at- at a non-leaf node takes a little time to become stable
61 tacker nodes is kept 10% of the total network nodes. in larger network configurations. Another reason for
62
63 13
64
65
 1
2
3
4 having lower values of TPR in large networks is due Sybil with DT Without DT
Wormhole with DT
5 to the generation of high traffic at certain detection
6 nodes (i.e., HRCA) during some detection periods, 100
99.6

Average packet delivery ratio (%)

7 99.2
and the attacker entries in wormhole and sybil de- 98.8
8 98.4
tection tables got over-written. Similarly, when the 98
9 97.6
10 number of attackers are increased in the target net- 97.2
96.8
11 work, the TPR decreases due to the same aforemen- 96.4
96
12 tioned reasons. Figure 5 also shows the TPR results 95.6
95.2
13 for [30] approach, and it can be seen that the TPR is 94.8
94.4
14 low in networks with a lower number of nodes. It is 94
93.6
15 because [30] uses two special types of motes (called 93.2
92.8
16 SAN and ABR) that helps it to detect wormhole pres- 92.4
92
17 ence in the network. Thus, the detection rate of [30] 5 10 15 20 25 30
Simulation Time (minutes)
18 is directly dependent on the number of these special
19 types of nodes present in the network. The number
Figure 6: APDR with increasing simulation time
20 of these nodes depends on the total number of nodes
21 in the network, and therefore, as the network size in- Proposed Sybil_det ABR_SAN Sybil_det
22 creases, these special types of nodes also increases, Proposed Wormhole_det
23 which increases the TPR as shown in Figure 5. 100
24 99
Figure 6 and 7 illustrate the impact of increasing
25 98
the simulation run time on the two metrics APDR
True Positive Rate (%)

26 97

27 and TPR. We fixed the following parameters: (i) the 96

95
28 number of nodes is 60 (including root nodes), (ii)
94
29 the number of attacker nodes is 10% of total network 93
30 nodes, and (iii) Ptimer is 1 minute. Figure 6 shows 92
91
31 that the APDR remains high when our detection ap- 90
32 proaches are active in the network, and the APDR 89
33 increases with the time due to the increased TPR in 88
87
34 the network, as shown in Figure 7. The TPR has 5 10 15 20 25 30
35 lower values in the case of low simulation time (i.e., Simulation Time (minutes)
36 5 min) as it can be shown in Figure 7. This behavior
37 is because the nodes that execute the Algorithms 1 Figure 7: Impact on true positive rate with increasing the
38 simulation time
and 2 do not have enough network information within
39 such a short simulation time to raise the alarm if the
40 same node is misbehaving. Without our detection ing with the increase in the number of attacker nodes.
41 technique, the APDR remains almost constant (i.e.,
42 The APDR of RPL drops from 97 to 89% when the
approximately 94%). For [30], the TPR values vary network has 10% of total network nodes as attacker
43
between 89% to 95%, and it is the average detection nodes, and it continues to decline as the percentage
44
45 rate when it uses both special types of nodes (i.e., of attacker nodes increases further.
46 ABR and SNR) in the network. As shown in Fig- As shown in Figure 9, the TPR value for sybil at-
47 ure 7 our approach outperforms [30] concerning the tack is between 97% to 99%. This minor decrease
48 TPR. The main reason is that unlike [30], our ap- in TPR of sybil detection algorithm is due to follow-
49 proaches do not depend on the presence of special ing reasons: (i) during the sybil detection execution
50 nodes to detect a wormhole. period in the network if a sybil or its correspond-
51 Figure 8 and 9 show the percentage of APDR and ing benign node (whose identify the sybil node is us-
52 TPR with varying the number of attackers. For these ing) leaves the network, and then quickly rejoin from
53 scenarios, the percentage of the attacker nodes is in- a different position, and (ii) if a HRCA node does
54 creased from 2% to 10% in the network, while the not receive data or control packet from the benign
55 other parameters are kept constant such as the simu- node which is being attacked (i.e., forging identity) by
56 lation time (10 minutes), Ptimer (1 minute), and the the sybil node during the detection period, then the
57
number of nodes (61 including the root node). As sybil node will not be detected in that detection cy-
58
shown in Figure 8, the APDR of our sybil detection cle. However, the above two scenarios are rare in the
59
60 approach remains higher than 95%, however, for the network. Therefore, the overall TPR for sybil detec-
61 wormhole detection approach, it is slightly decreas- tion does not go lower than 97%. Figure 9 shows that
62
63 14
64
65
 1
2
3
4 Sybil with DT Without DT Proposed Sybil_det ABR_SAN Sybil_det
Wormhole with DT Proposed Wormhole_det
5
6 100 100
Average packet delivery ratio (%)

7 99 99
8 98 98

True Positive Rate (%)

97 97
9 96 96
10 95 95
11 94 94
12 93 93
13 92 92
91 91
14
90 90
15 89 89
16 88 88
17 2 4 6 8 10 2 4 6 8 10

18 Number of attacker nodes (%) Number of attacker nodes (%)

19
Figure 8: APDR with increase in percentage of attacker nodes Figure 9: Effect on true positive rate with increasing the num-
20 ber of attacker nodes
21
22 Sybil Attack Wormhole Attack
the performance of the wormhole detection technique
23
24 decreases more than sybil as the number of attacker
99.9
25 nodes increases. The reason for this behavior is two-
99.6
26 folded: (i) a small number of attacker nodes might
True Positive Rate (%)

99.3
27 never get a chance to re-route data (i.e., become part
99
28 of an active root) because the traffic is limited in the
98.7
29 network. Thus, these attackers are not investigated
30 by our detection algorithms, and (ii) due to the static 98.4

31 nature of DODAG, all nodes have their fixed routes 98.1

32 to send and receive data packets (unless there are 97.8
33 any leave or join operations in DODAG). Thus, the 97.5
34 attacked nodes will not be detected until either the 97.2
35 DODAG changes or new traffic flows pass through 1 2 3 4 5
36 these left out attackers. In both the cases mentioned Periodic Attack Detection Timer (in minutes)
37 above, the attackers will not be able to degrade the
38 network performance because they are not part of Figure 10: Effect on true positive rate with increase in Ptimer
39 any active data communication routes. In the detec- value
40
tion technique proposed in [30], the TPR value varies
41
from 90% to 94%. It has been seen that when both the Ptimer interval increases, then the performance of
42
43 techniques (i.e., SAN and ABR) work together, the both the detection approaches decreases. The main
44 TPR increases. In a few cases, if one fails, then the reason for this behavior is that larger values of Ptimer
45 other type of node can still detect the wormhole at- causes more entries in the detection tables to be over-
46 tacks, but the TPR in such cases will be lower. Our written, which causes a delay or avoid the detection
47 wormhole detection approach provides higher TPR of attacker nodes. However, for low values of Ptimer
48 than the work in [30], and the TPR of [30] decreases this will generate high energy consumption in the net-
49 with an increase in the number of attackers in the work. Hence, an optimal value of Ptimer should be
50 network. This behavior could be justified since some selected based on the specific target scenario. This
51 attackers are successfully able to avoid detection from optimal value of Ptimer should consider parameters
52 the SAN and ABR nodes, as they might reside out of such as resource availability (i.e., node energy and
53 their detection area. memory), attacker detection time, and the percent-
54 Figure 10 illustrates the attack detection rate with
55 age of detected attackers.
varying the Ptimer interval. The value of Ptimer is
56 increased from 1 to 5 minutes with 1 minute interval,
57 5.3. Energy and Memory Consumption Analysis
while the other parameters like simulation time (10
58
minutes), number of nodes (61 including root), and We compute and present the overall energy con-
59
60 number of attacker nodes (6% and 10% of the total sumption in the network in the presence of our de-
wormhole
61 nodes) are kept constant. Figure 10 shows that when tection techniques. Let Econsume be the energy con-
62
63 15
64
65
 1
2
3
4
5 Table 5: Average Power Consumption (APC) with using Sky motes
6 PC Factors Traditional RPL with RPL with sybil RPL with RPL with
7 (In mW) RPL sybil detection wormhole wormhole
8 detection
9 LPM 9.211 9.212 9.216 9.214 9.301
10 CPU 24.949 25.121 25.350 25.202 25.786
11 Listen 27.938 27.975 27.979 27.974 27.988
12 Transmit 4.88 5.01 5.12 5.06 5.22
13 Total 66.978 67.317 67.665 67.450 68.295
14
15
16 a scenario which consists of a total of 61 nodes (54
Table 6: Memory Usage
17 benign nodes, 6 attackers, and 1 root), and it has
18 Flash RAM
one minute for Ptimer . The simulation runs for 10
19 [Bytes] [Bytes]
minutes with both detection approaches and with-
20 ContikiRPL 41498 8246 out any detection approach (only traditional RPL).
21 sybil De- 192 (+0.5%) 96 (+1.2%) The values in Table 5 show minor increment in en-
22 tection ergy consumption when executing our proposed ap-
23 Technique proaches. The main reason is that only a small sub-
24 wormhole 480 (+1.2%) 232 (+2.8%) set of network nodes (i.e., HRCA) execute our sim-
25
Detection ple (yet practical) detection approaches. Therefore,
26
27 Technique there exist a set of nodes in the network that do
28 LiDL 42170 8574 not have to execute the detection approaches. Thus,
29 (+1.7%) (+4.0%) they will save their energy during the attack detec-
30 tion process. In particular, only the HRCA and root
31 nodes execute the detection algorithms periodically
32 sumed for processing the wormhole detection tech- in the network. The number of HRCA nodes that ex-
sybil
33 nique and Econsume be the energy consumed for pro- ecute the detection algorithms depends on the num-
34 cessing the sybil detection technique for all the source ber of active source-destination pairs and their posi-
35 and destination pairs, which are represented by i and tions concerning each other in the target DODAG.
36 j variables in our below energy calculation equations. Please note that in a DODAG, it is possible that
37 The detection process runs only at the HRCA nodes. two or more source-destination pairs share the same
38 Thus the energy consumption for the wormhole de- HRCA, in such cases, the number of HRCA will be
39 tection technique is depicted as follows. lower than the number of source-destination pairs in
40 the network, and it will further lead to a small en-
41 ergy consumption. For instance, as shown in Table 3,
42 j
X det
wormhole Wtab node 24 is HRCA for four different source-destination
43 Econsume ≈ (∀Ptimer ) HRCA(j) ∗ Pl
det
Wtab pairs. Hence, if we consider the Figure 2 and Table 3,
44 n=1 y=1
45 (3) then by executing the detection algorithms only on
46 node 24, we can identify, if there exists a sybil or
47 Similarly, the energy consumption for sybil detec- wormhole attack that adversely affects the nodes that
48 tion technique is as follows. include 30, 29, 19, 2, 15, 26, 28, 3, and 30. The en-
49 ergy consumption can be further reduced significantly
50 if the length of the detection tables and the source-
i
X
51 sybil S det destination pairs in the network are kept lower, and
Econsume ≈ (∀Ptimer ) HRCA(i) ∗ Pk tab
52 det the value of Ptimer is kept higher. However, this will
m=1 x=1 Stab
53 (4) also decrease the TPR in the network. The low en-
54 ergy consumption of our detection techniques makes
55 Furthermore, we consider the total energy con- them eligible for the large-scale network deployment
56 sumption based on standard Contiki measurement considering energy as one of the constraints for the
57 IoT devices.
that is described in Table 5. Table 5 shows the com-
58
parison of average energy consumption for traditional Table 6 shows ContikiRPL memory consump-
59
60 RPL with our proposed detection approaches. These tion [38], and the overall code and data memory in-
61 energy consumption values are computed based on crease when implementing our detection techniques.
62
63 16
64
65
 1
2
3
4 The cost of sybil detection technique is 192 Byte of [2] M. Miettinen, S. Marchal, I. Hafeez, N. Asokan,
5 Flash and 96 Byte of RAM. For the wormhole detec- A. Sadeghi, and S. Tarkoma, “Iot sentinel: Au-
6 tion, the memory cost is 480 Byte of Flash and 232 tomated device-type identification for security
7
Byte of RAM. As per our approach, we consider sev- enforcement in iot,” in 2017 IEEE 37th Inter-
8
eral entries in the table between 95 to 100, which is national Conference on Distributed Computing
9
10 sufficiently a large amount compared to a large IoT Systems (ICDCS), June 2017, pp. 2177–2184.
11 network. Thus the memory consumption mentioned
above is considerably low with respect to the secu- [3] M. Miettinen, T. D. Nguyen, A.-R. Sadeghi, and
12 N. Asokan, “Revisiting context-based authenti-
13 rity features that it provides when compared to the
traditional RPL protocol. cation in iot,” in Proceedings of the 55th Annual
14
Design Automation Conference, ser. DAC ’18,
15
16 2018, pp. 1–6.
6. Conclusion and Future Work
17 [4] T. Winter, P. Thubert, A. Brandt, J. Hui,
18 Data routing in IoT networks is a challenging pro- R. Kelsey, P. Levis, K. Pister, R. Struik,
19 cess in unattended and insecure environments. To al- J. Vasseur, and R. Alexander, “RPL: IPv6
20 leviate the major security threats and risks for RPL- routing protocol for low-power and lossy
21
based IoT networks, we propose two efficient detec- networks,” 2012. [Online]. Available: http:
22
tion approaches to counterfeit against two specific //www.rfc-editor.org/rfc/rfc6550.txt
23
24 networking attacks, namely, sybil and wormhole at-
tacks. Our algorithms benefit from the use of the [5] A. Raoof, A. Matrawy, and C. Lung, “Routing
25 attacks and mitigation methods for rpl-based in-
26 HRCA concept that considers a local common an-
cestor in order to perform the detection process and ternet of things,” IEEE Communications Sur-
27
localization of attackers in a specific (possibly small) veys Tutorials, pp. 1–1, 2018.
28
29 area in the network. Hence, this simplifies the iden-
[6] Y. H. Hwang, “Iot security and privacy: Threats
30 tification and removal of the attackers. We assess and challenges,” in Proceedings of the 1st ACM
31 the feasibility of our algorithms by a thorough set of Workshop on IoT Privacy, Trust, and Security,
32 simulations scenarios. We show that our proposed de-
ser. IoTPTS ’15, 2015.
33 tection techniques are lightweight (i.e., low resource
34 consumption), scalable, and effective (i.e., high PDR [7] H. Kharrufa, H. A. A. Al-Kashoash, and A. H.
35 and attack detection rate). As the networking at- Kemp, “Rpl-based routing protocols in iot ap-
36 tack detection and mitigation in resource-constrained plications: A review,” IEEE Sensors Journal,
37 LLNs are still in its early stages, in the future, we will vol. 19, no. 15, pp. 5952–5967, Aug 2019.
38 investigate possible solutions for other networking at-
39 tacks in the RPL-based IoT networks. Moreover, we [8] B. Ghaleb, A. Al-Dubai, E. Ekonomou,
40 M. Qasem, I. Romdhani, and L. Mackenzie, “Ad-
plan to build a generic intrusion detection system to
41 dressing the dao insider attack in rpls internet
identify and mitigate multiple attacks and improve
42 of things networks,” IEEE Communications Let-
43 the overall network security.
ters, vol. 23, no. 1, pp. 68–71, Jan 2019.
44
45 Acknowledgements [9] Y. Tahir, S. Yang, and J. McCann, “Brpl: Back-
46 pressure rpl for high-throughput and mobile
47 Pallavi Kaliyar is pursuing her Ph.D. with a fellow- iots,” IEEE Transactions on Mobile Computing,
48 ship for international students funded by Fondazione vol. 17, no. 1, pp. 29–43, Jan 2018.
49 Cassa di Risparmio di Padova eRovigo (CARI-
50 PARO). Wafa Ben Jaballah is partially supported [10] G. Glissa, A. Rachedi, and A. Meddeb, “A secure
51 by the H2020 COLLABS under grant H2020-ICT-08- routing protocol based on RPL for internet of
52 2019- 871518. Mauro Conti were supported in part by things,” in 2016 IEEE Global Communications
53 EU LOCARD Project under Grant H2020-SU-SEC- Conference (GLOBECOM), Dec 2016, pp. 1–7.
54 2018-832735. The work of M. Conti was supported by
55 [11] R. Sahay, G. Geethakumari, and K. Modugu,
the Marie Curie Fellowship through EC under Agree-
56 “Attack graph based vulnerability assessment
ment PCIG11-GA-2012-321980.
57 of rank property in rpl-6lowpan in iot,” in 2018
58 IEEE 4th World Forum on Internet of Things
[1] [Online]. Available: https://www.gartner.com/
59 (WF-IoT), Feb 2018, pp. 308–313.
newsroom/id/3869181
60
61
62
63 17
64
65
 1
2
3
4 [12] P. Pongle and G. Chavan, “A survey: Attacks on the wormhole attack in wireless ad hoc net-
5 rpl and 6lowpan in iot,” in 2015 International works,” IEEE Transactions on Wireless Com-
6 Conference on Pervasive Computing (ICPC), munications, vol. 8, no. 2, pp. 736–745, Feb 2009.
7
Jan 2015, pp. 1–6.
8 [23] S. Raza, L. Wallgren, and T. Voigt, “Svelte:
9 [13] A. Le, J. Loo, Y. Luo, and A. Lasebae, “The Real-time intrusion detection in the internet of
10 impacts of internal threats towards routing pro- things,” Ad Hoc Networks, vol. 11, pp. 2661–
11 tocol for low power and lossy network perfor- 2674, 2013.
12 mance,” in 2013 IEEE Symposium on Comput-
13 ers and Communications (ISCC), July 2013, pp. [24] K. Zhang, X. Liang, R. Lu, and X. Shen, “Sybil
14 attacks and their defenses in the internet of
789–794.
15 things,” IEEE Internet of Things Journal, vol. 1,
16 [14] I. Tomi and J. A. McCann, “A survey of poten- no. 5, pp. 372–383, 2014.
17 tial security issues in existing wireless sensor net-
18 work protocols,” IEEE Internet of Things Jour- [25] D. Airehrour, J. A. Gutierrez, and S. K. Ray,
19 nal, vol. 4, no. 6, pp. 1910–1923, Dec 2017. “Sectrust-rpl: A secure trust-aware rpl routing
20 protocol for internet of things,” Future Genera-
21 [15] L. Abusalah, A. Khokhar, and M. Guizani, “A tion Computer Systems, pp. 1–18, 2018.
22 survey of secure mobile ad hoc routing proto-
23 cols,” IEEE Communications Surveys Tutorials, [26] M. Conti, P. Kaliyar, M. M. Rabbani, and
24 vol. 10, no. 4, pp. 78–93, Fourth 2008. S. Ranise, “Split: A secure and scalable rpl
25 routing protocol for internet of things,” in 2018
26 [16] C. Pu and S. Hajjar, “Mitigating forwarding 14th International Conference on Wireless and
27 misbehaviors in rpl-based low power and lossy Mobile Computing, Networking and Communi-
28 networks,” in 2018 15th IEEE Annual Con- cations (WiMob), Oct 2018, pp. 1–8.
29 sumer Communications Networking Conference
30 (CCNC), Jan 2018, pp. 1–6. [27] P. Perazzo, C. Vallati, D. Varano, G. Anastasi,
31 and G. Dini, “Implementation of a wormhole at-
32 [17] P. Thulasiraman and Y. Wang, “A lightweight tack against a rpl network: Challenges and ef-
33 trust-based security architecture for rpl in mo- fects,” in 2018 14th Annual Conference on Wire-
34 bile iot networks,” in 2019 16th IEEE Annual less On-demand Network Systems and Services
35 Consumer Communications Networking Confer- (WONS), 2018, pp. 95–102.
36 ence (CCNC), Jan 2019, pp. 1–6.
37 [28] M. Khabbazian, H. Mercier, and V. K. Bhar-
38 [18] S. Raza and R. M. Magnsson, “Tinyike: gava, “Severity analysis and countermeasure for
39 Lightweight ikev2 for internet of things,” IEEE the wormhole attack in wireless ad hoc net-
40 Internet of Things Journal, vol. 6, no. 1, pp. 856– works,” IEEE Transactions on Wireless Com-
41 866, Feb 2019. munications, vol. 8, no. 2, pp. 736–745, 2009.
42
43 [19] P. Levis, T. Clausen, J. Hui, O. Gnawali, and [29] P. Pongle and G. Chavan, “Real time intrusion
44 J. Ko, “The trickle algorithm,” March 2011. and wormhole attack detection in internet of
45 [Online]. Available: https://tools.ietf.org/rfc/ things,” Inter-national Journal of Computer Ap-
46 rfc6206.txt plications, vol. 121, no. 9, 2015.
47
48 [20] H. S. Kim, J. Ko, D. E. Culler, and J. Paek, [30] M. S. Ahsan, M. N. M. Bhutta, and M. Maqsood,
49 “Challenging the ipv6 routing protocol for low- “Wormhole attack detection in routing protocol
50 power and lossy networks (rpl): A survey,” IEEE for low power lossy networks,” in 2017 Inter-
51 Communications Surveys Tutorials, vol. 19, national Conference on Information and Com-
52 no. 4, pp. 2502–2525, 2017. munication Technologies (ICICT), Dec 2017, pp.
53 58–67.
54 [21] D. Evangelista, F. Mezghani, M. Nogueira, and
55 A. Santos, “Evaluation of sybil attack detec- [31] A. Al-Fuqaha, M. Guizani, M. Mohammadi,
56 tion approaches in the internet of things content M. Aledhari, and M. Ayyash, “Internet of things:
57 dissemination,” in 2016 Wireless Days (WD), A survey on enabling technologies, protocols,
58 March 2016, pp. 1–6. and applications,” IEEE Communications Sur-
59 veys Tutorials, vol. 17, no. 4, pp. 2347–2376,
[22] M. Khabbazian, H. Mercier, and V. K. Bhar-
60 Fourthquarter 2015.
gava, “Severity analysis and countermeasure for
61
62
63 18
64
65
 1
2
3
4 [32] P. Thulasiraman and Y. Wang, “A lightweight [35] I. Romdhani, A. Al-Dubai, M. Qasem, C. Thom-
5 trust-based security architecture for rpl in mo- son, B. Ghaleb, and I. Wadhaj, “Cooja sim-
6 bile iot networks,” in 2019 16th IEEE Annual ulator manual,” Tech. Rep., 2016. [Online].
7
Consumer Communications Networking Confer- Available: http://researchrepository.napier.ac.
8
ence (CCNC), Jan 2019, pp. 1–6. uk/Output/299955
9
10 [33] R. Mehta and M. M. Parmar, “Trust based [36] “Get Started with Contiki,” http://www.
11 mechanism for securing iot routing protocol rpl contiki-os.org/start.html.
12 against wormhole grayhole attacks,” in 2018
13 3rd International Conference for Convergence in [37] A. Dunkels, “Contiki OS,” http://www.
14 Technology (I2CT), April 2018, pp. 1–6. contiki-os.org/download.html.
15
16 [34] A. Verma and V. Ranga, “Elnids: Ensemble [38] M. Corporation, “Ultra low power IEEE
17 learning based network intrusion detection sys- 802.15.4 compliant wireless sensor module,”
18 tem for rpl based internet of things,” in 2019 4th http://www.crew-project.eu/sites/default/
19 International Conference on Internet of Things: files/tmote-sky-datasheet.pdf.
20 Smart Innovation and Usages (IoT-SIU), April
21 2019, pp. 1–6.
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63 19
64
65
Declaration of Interest Statement

The authors declare that there is no conflict of interest of any kind for the submitted manuscript.

Regards

Wafa Ben Jaballah, Mauro Conti, Pallavi Kaliyar, and Chhagan Lal
Credit Author Statement

Pallavi Kaliyar: Writing - Original Draft, Validation, Implementation, and Software. Wafa Ben Jaballah:
Conceptualization, Methodology, Investigation. Mauro Conti: Supervision, Conceptualization. Chhagan
Lal: Problem Formulation, Reviewing and Editing.
Biographical Sketch

Wafa Ben Jaballah is a security researcher at Thales Group, France. She received her Ph.D.
degree from the University of Bordeaux. Before joining Thales, she held a research position at
Orange Labs. She was also a Post-Doc Researcher at the University of Bordeaux, France. Her
main research interest is in the area of IoT security and network security. She has been a
Visiting Researcher at the University of Padua (2012–2017).

Mauro Conti is Full Professor at the University of Padua, Italy, and Affiliate Professor at the
University of Washington, Seattle, USA. He obtained his Ph.D. from Sapienza University of
Rome, Italy, in 2009. After his Ph.D., he was a Post-Doc Researcher at Vrije Universiteit
Amsterdam, The Netherlands. In 2011 he joined as Assistant Professor the University of Padua,
where he became Associate Professor in 2015, and Full Professor in 2018. He has been
Visiting Researcher at GMU (2008, 2016), UCLA (2010), UCI (2012, 2013, 2014, 2017), TU
Darmstadt (2013), UF (2015), and FIU (2015, 2016). He has been awarded with a Marie Curie
Fellowship (2012) by the European Commission, and with a Fellowship by the German DAAD
(2013). His research is also funded by companies, including Cisco and Intel. His main research
interest is in the area of security and privacy. In this area, he published more than 200 papers in
topmost international peer-reviewed journals and conference. He is Area Editor-in-Chief for
IEEE Communications Surveys and Tutorials, and Associate Editor for several journals,
including IEEE Communications Surveys and Tutorials, IEEE Transactions on Information
Forensics and Security, and IEEE Transactions on Network and Service Management. He was
Program Chair for TRUST 2015, ICISS 2016, WiSec 2017, and General Chair for SecureComm
2012 and ACM SACMAT 2013. He is Senior Member of the IEEE.
Pallavi Kaliyar is currently a Ph.D. student in school of Brain Mind and Computer Science at the
University of Padova, Italy with a fellowship for international students funded by Fondazione
Cassa di Risparmio di Padova e Rovigo (CARIPARO). Here, she is part of the SPRITZ Security
and Privacy Research Group research group under the supervision of Prof. Mauro Conti. She
received my Masters of Technology in Computer Science and Engineering in 2012 and Bachelor
of Engineering in Computer Science and Engineering in 2008. She is conducting research on
fields including security and communication reliability related to the Internet of Things and
Software Defined Networking.

Chhagan Lal is Postdoc fellow in Department of Mathematics, University of Padua, Italy and
Affiliate Associate Professor at Manipal University Jaipur, India. He obtained his Bachelors in
Computer Science and Engineering from MBM Engineering College, Jodhpur, India in 2006. He
obtained his Masters degree in Information Technology with specialization in Wireless
communication from Indian Institute of Information Technology, Allahabad in 2009, and Ph.D. in
Computer Science and Engineering from Malaviya National Institute of Technology, Jaipur, India
in 2014. He has been awarded Canadian Commonwealth scholarship in 2012 under Canadian
Commonwealth Scholarship Program to work in University of Saskatchewan in Saskatoon,
Saskatchewan, Canada. His current research areas include Blockchain Analysis, Security in
Wireless networks, Software-defined networking, Underwater acoustic networks, and context
based security solutions for Internet of Things (IoT) networks