
Generation of RPL Wormhole Attack in IoT Network and Detection Using RNN Deep Learning Model


Thiyagu T 1*, Arthi R 1, and Krishnaveni S 1

1 CSE Department, SRM IST, Kattangulathur, Chennai
1* tt0595@srmist.edu.in
2 CSE Department, SRM IST, Kattangulathur, Chennai
2 arthir4@srmist.edu.in

Abstract. The network of smart devices and gadgets forms the Internet of
Things (IoT). The IoT technology implemented in our day-to-day devices
has shown more advantages to the users. With this, the use of IoT devices
has also increased which increases the network traffic. An increase in
network traffic has attracted many hackers to inject more network attacks.
The more the usage, the more it is vulnerable to attacks. One such IoT
attack is the RPL protocol wormhole attack. Thus, there is a need for an
Intrusion Detection System (IDS) to protect the network data. The proposed
work concentrates on generating real-time wormhole attacks in the cooja
simulator and using a Recurrent Neural Network (RNN) deep learning
model to detect and classify the wormhole attack data from the normal data
in the IoT network traffic. The proposed work produced an accuracy of
96%. The F1 score produced is 96%.
Keywords: IoT, RPL, wormhole, RNN, cooja simulator.

1 Introduction

The increased usage of IoT devices in our day-to-day life has raised the
importance of research in the security of these devices. [1] The work records the
dataset generation of the RPL wormhole attack in the cooja simulator. The
generated dataset is detected and classified using the RNN model.

Every aspect of our lives is continuously tracked by data. Routing
events in the Internet of Things (IoT) are produced by surrounding devices,
regulators, and selectors. Several tools exist to model the IoT domain, and
Big Data is used to analyze these technologies more easily [4]. The most
common emulators are Cooja, GNS-3, Notify, and MATLAB. Unfortunately,
developing and maintaining effective IoT communication is a challenging job.

As the amount of data produced grows, data protection has become
increasingly important [5]. In particular, the safety of complex records needs to
follow the principles of data safety (Confidentiality, Integrity, and Availability) [7].
Since there is a lack of stable routing rules, there are several occurrences of IoT
attacks such as car hacking, DDoS, and other physical attacks.

1.1 Problem Statement:

The security of IoT devices has become a major concern to users with the
increase in IoT network traffic. Users are affected by novel intrusions day by
day. The devices are vulnerable to denial of service, flooding, worm, and many
other attacks. The RPL protocol attacks pose a major challenge in detection and
mitigation. Existing datasets produce a higher performance; however, they fail
to perform well when implemented practically. Thus, a new dataset is required,
generated in a real-time IoT environment for every routing attack. Also, a
suitable deep learning model is required to efficiently detect and classify
these attacks from the normal data traffic.

1.2 Contribution:

Following are the contributions shown in this work:

• Generation of network traffic with many nodes in the cooja simulator and
  establishing communication between them.
• Injection of the RPL wormhole attack into the generated network traffic.
• Recording of the network traffic containing normal and malicious data
  using Wireshark as .pcap and .csv files.
• Detection and classification of malicious data from normal data using the
  RNN deep learning model.
• Performance evaluation of the proposed model.

1.3 Paper Organization:

In this paper, Section II presents the background about the major IoT simulators
and features of the cooja simulator. Section III contains the related works about
the RPL attacks and deep learning models. Section IV shows the proposed
methodology. The result is discussed in section V and the conclusion is discussed
in section VI.

1.4 Background:

Cooja Simulator:

Although many IoT network simulators are available, such as ifogsim, cloudsim,
OMNET++ and many others, the cooja simulator suits the given problem
statement best [9]. The cooja simulator provides wide scope to create a large
number of nodes in the wireless network [8]. Fig 1 shows the cooja interface.
Generating network traffic in this simulator is easier.

Fig 1: Sink-sender Architecture with Cooja Interface

2 Related Works:

Much research on RPL attacks has been done in the IoT industry. Different
categories of RPL attacks such as wormhole attacks, blackhole attacks,
flooding attacks and sinkhole attacks have been analyzed extensively. [3] gives
a survey of the effects of RPL wormhole attacks and their detection methods.
[11] gives detailed research findings about wormhole attacks. The attack
detection is done by packet leashes. Temporal leashes and geographical leashes
are the two main categories considered. The work provides both detection and
mitigation of the attack. The work in [2] presents the method of generating a
dataset in the cooja simulator and injecting attacks into the normal traffic.
The work explains the method of capturing the generated dataset through
Wireshark. The proposed methodology in [6] shows the deep learning approach for
the generated dataset. The work uses ANN for RPL rank attack detection and
classifies it from the normal data packets in the generated network traffic.

3 Methodology:

Fig 2 explains the methodology used to generate the RPL wormhole attack dataset
injected in normal traffic through the cooja simulator. Then the generated dataset
is applied to the RNN model to classify them into malicious and normal data.

Fig 2: Proposed Methodology

3.1 Components Used:

Simulation: The Cooja simulator is used to generate and record network traffic in
WSN. In this research, the simulator is used to set up 1000s of nodes and establish
communication between them. Then the RPL wormhole attack is injected into it.

.pcap and Wireshark:

Wireshark is the most popular application that uses .pcap files for traffic
monitoring [10]. Wireshark can be used on Windows, Mac OS X, and Linux. As
long as the appropriate programs are enabled, these .pcap files can be
accessed. Wireshark, WinDump, tcpdump, Packet Square - Capedit, and Ethereal
are examples of programs that handle .pcap files.

.CSV File:

A .csv file is a simple text file that contains a set of records separated
by commas. Such files are often used to transfer data between applications [11].
In the proposed work, the network traffic generated from the cooja simulator is
captured by Wireshark and stored as .pcap and .csv files.

Feature Extraction:

The captured network traffic is sent for feature extraction. Feature extraction is the
process of analyzing the number of properties needed to represent a large amount
of data. Several deep learning professionals claim that properly optimized
feature extraction is the secret to building successful models. It is a method for
identifying essential information components. Pattern identification and
recognizing common patterns in a wide number of documents are two examples of
this approach. Spam detection is another example of this process [12]. It is an
effective data pre-processing technique that has been scientifically designed to
improve feature dimensionality and improve the efficiency of deep learning in
implementation.

Pre-processed Dataset:

Data pre-processing is a data mining method that includes translating raw data
into an understandable format. Actual data is often incomplete, unreliable, and
deficient in specific behaviours and patterns. It may also contain numerous
errors. Pre-processing the data is a proven way of addressing such problems.
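The capture, feature-extraction and pre-processing steps described above can be sketched as follows. This is an added example, not code from the paper: the CSV rows are constructed in Wireshark's default export layout, and the per-window features (packet count, mean length, DIO/DAO/DIS counts, distinct sources) and the 1-second window are assumptions, since the paper does not list its features.

```python
import csv, io
from collections import defaultdict

# Constructed sample in Wireshark's default CSV export layout (not data from the paper).
SAMPLE_CSV = '''"No.","Time","Source","Destination","Protocol","Length","Info"
"1","0.120","fe80::212:7401:1:101","ff02::1a","ICMPv6","97","RPL Control (DODAG Information Object)"
"2","0.480","fe80::212:7402:2:202","fe80::212:7401:1:101","ICMPv6","76","RPL Control (Destination Advertisement Object)"
"3","0.910","fe80::212:7403:3:303","fe80::212:7401:1:101","UDP","",""
"4","1.300","fe80::212:7402:2:202","ff02::1a","ICMPv6","64","RPL Control (DODAG Information Solicitation)"
"5","bad","fe80::212:7402:2:202","ff02::1a","ICMPv6","97","RPL Control (DODAG Information Object)"
"6","3.050","fe80::212:7403:3:303","fe80::212:7401:1:101","UDP","102","61616 > 8775 Len=40"
'''

# Assumed feature set: RPL control message kinds recognised from the Info column.
RPL_KINDS = {"DODAG Information Object": "dio",
             "Destination Advertisement Object": "dao",
             "DODAG Information Solicitation": "dis"}

def clean_rows(text):
    """Pre-processing: drop rows without a usable timestamp, impute missing lengths."""
    rows, dropped = [], 0
    for r in csv.DictReader(io.StringIO(text)):
        try:
            t = float(r["Time"])
        except ValueError:
            dropped += 1
            continue
        length = int(r["Length"]) if r["Length"].isdigit() else None
        rows.append({"t": t, "src": r["Source"], "len": length, "info": r["Info"]})
    known = [r["len"] for r in rows if r["len"] is not None]
    median = sorted(known)[len(known) // 2] if known else 0
    for r in rows:
        if r["len"] is None:
            r["len"] = median          # fill the gap with the (upper) median length
    return rows, dropped

def window_features(rows, width=1.0):
    """Feature extraction: one vector per time window; empty windows stay as zeros."""
    buckets = defaultdict(list)
    for r in rows:
        buckets[int(r["t"] // width)].append(r)
    seq = []
    for w in range(max(buckets, default=-1) + 1):
        pkts = buckets.get(w, [])
        counts = {k: sum(name in p["info"] for p in pkts) for name, k in RPL_KINDS.items()}
        mean_len = sum(p["len"] for p in pkts) / len(pkts) if pkts else 0.0
        seq.append([len(pkts), mean_len, counts["dio"], counts["dao"], counts["dis"],
                    len({p["src"] for p in pkts})])
    return seq
```

Keeping silent windows as all-zero vectors preserves the time ordering that a sequence model such as an RNN consumes.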

RNN Classifier:

The network traffic after data preprocessing is sent to the Recurrent Neural
Network (RNN). RNN is a supervised learning model which processes data in
sequence. As in Fig 3, the three stages of RNN working are:

1. First, the data is moved to the hidden layer which predicts an output.
2. Then the predicted value is compared with the actual value. The
difference is recorded as a loss function. The lower the loss function value,
the better the RNN prediction performance.
3. Finally, depending on the loss function, the unmatched packets are sent
to the input layer through back-propagation, and node values are adjusted
to match with the actual value.

Fig 3: Working of RNN Model

4 Result:

The paper mainly focuses on the performance of the deep learning RNN model in
the classification of network traffic packets as RPL wormhole attack data and
normal data. The network traffic captured from the cooja simulator forms the base
for the performance evaluation. Figures 3 and 4 show the output of traffic
generated in the cooja simulator.

Fig 3: Generated Traffic Without Wormhole Attack

Fig 4: Generated Traffic With Wormhole Attack

4.1 Confusion Matrix:

The performance of the deep learning model is evaluated using a confusion
matrix, which is shown in Figure 5. The True Positive (TP) and False Negative
(FN) say that the predicted value matches the actual value. That is, it predicts true
for actual true and false for actual false. On the other hand, True Negative (TN)
and False Positive (FP) say that the predicted value does not match the actual
value. The higher the TP and FN values, the higher the accuracy of the detection
model.

Fig 5: Confusion Matrix

Evaluation Metrics:

According to the work done, the value is true for wormhole attack data and false
for normal data.

Table 1 gives the confusion matrix of the work:

                       Actual Positive    Actual Negative
Predicted Positive          128                  8
Predicted Negative            0                 23

Accuracy:

Accuracy is given by the number of correct predictions divided by the total
number of predictions.

= 0.94

Precision:

Precision is given by the actual positive values divided by the predicted positive
values.

= 0.94

Recall:

The recall is given by total positives divided by the number of correctly predicted
values.

= 1

F1 Score:

The F1 score gives the harmonic mean of recall and precision value obtained.

= 0.96

The F1 score of the RNN model is high which proves that the proposed RNN
detection model performs well for RPL wormhole attacks in the IoT network
traffic.
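The metrics in this section can be recomputed from the counts in Table 1. The following is an added example, not code from the paper; it uses the standard cell definitions (TP = predicted positive and actually positive, and so on), and it also derives the false-alarm rate on normal traffic and the majority-class baseline, which the paper does not report. The figures given in this section (0.94, 0.94, 1, 0.96) equal the computed values truncated to two decimals.

```python
from math import floor

# Counts read from Table 1 (positive = wormhole attack, negative = normal).
TABLE_1 = {"tp": 128, "fp": 8, "fn": 0, "tn": 23}

def ratio(num, den):
    """Return num/den, or None when the denominator is zero (metric undefined)."""
    return num / den if den else None

def ids_metrics(tp, fp, fn, tn):
    """Compute detection metrics from confusion-matrix counts."""
    if min(tp, fp, fn, tn) < 0:
        raise ValueError("confusion-matrix counts must be non-negative")
    total = tp + fp + fn + tn
    return {
        "accuracy": ratio(tp + tn, total),
        "precision": ratio(tp, tp + fp),
        "recall": ratio(tp, tp + fn),
        # F1 written directly in counts: 2TP / (2TP + FP + FN)
        "f1": ratio(2 * tp, 2 * tp + fp + fn),
        # Share of normal samples flagged as attacks (not reported in the paper).
        "false_alarm_rate": ratio(fp, fp + tn),
        "specificity": ratio(tn, fp + tn),
        # Accuracy of always predicting the larger class, for comparison.
        "majority_baseline": ratio(max(tp + fn, fp + tn), total),
    }

def truncate2(x):
    """Truncate (not round) to two decimals."""
    return floor(x * 100) / 100

if __name__ == "__main__":
    for name, value in ids_metrics(**TABLE_1).items():
        print(f"{name:18s} {value:.4f}")
```

With 128 attack samples against 31 normal ones, the test set is imbalanced, so the false-alarm rate (8 of 31 normal samples) and the majority-class baseline are worth reading next to accuracy and F1.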

5 Conclusion:

The work shows the importance of research on RPL wormhole attacks and their
severity in IoT networks. First, the network traffic is generated in the cooja
simulator with normal traffic and wormhole attack which is captured through
Wireshark. This data is sent to the RNN classifier, which classifies the dataset into
normal data and malicious data. The performance of the deep learning model is
evaluated through a confusion matrix. The F1 score achieved is 0.96 which shows
that the proposed method performs well for the classification of RPL wormhole
attacks.

6 Future Work:

The work has generated output for RNN deep learning classification for RPL
wormhole attacks. Similar work can be extended to various other RPL attacks
such as blackhole attacks, sinkhole attacks, DoS attacks, flooding attacks, rank
attacks, version attacks, and other novel RPL attacks. Also, the work concentrates
on detection techniques. This can be extended by applying mitigation techniques
in the network traffic.

References

[1] Pongle, Pavan, and Gurunath Chavan. "Real time intrusion and wormhole attack
detection in internet of things." International Journal of Computer Applications 121, no. 9
(2015).
[2] Malik, Manisha, and Maitreyee Dutta. "Contiki-based mitigation of UDP flooding
attacks in the Internet of things." In 2017 International Conference on Computing,
Communication and Automation (ICCCA), pp. 1296-1300. IEEE, 2017.
[3] Dutta, Nishigandha, and Moirangthem Marjit Singh. "Wormhole attack in wireless
sensor networks: a critical review." Advanced Computing and Communication
Technologies (2019): 147-161.
[4] Tahboush, Muhannad, and Mary Agoyi. "A Hybrid Wormhole Attack Detection in
Mobile Ad-Hoc Network (MANET)." IEEE Access 9 (2021): 11872-11883.
[5] Cakir, Semih, Sinan Toklu, and Nesibe Yalcin. "RPL attack detection and prevention in
the Internet of Things networks using a GRU based deep learning." IEEE Access 8 (2020):
183678-183689.
[6] Choukri, Wijdan, Hanane Lamaazi, and Nabil Benamar. "RPL rank attack detection
using Deep Learning." In 2020 International Conference on Innovation and Intelligence for
Informatics, Computing and Technologies (3ICT), pp. 1-6. IEEE, 2020.
[7] Morales-Molina, Carlos D., Aldo Hernandez-Suarez, Gabriel Sanchez-Perez, Linda K.
Toscano-Medina, Hector Perez-Meana, Jesus Olivares-Mercado, Jose Portillo-Portillo,
Victor Sanchez, and Luis Javier Garcia-Villalba. "A dense neural network approach for
detecting clone id attacks on the rpl protocol of the iot." Sensors 21, no. 9 (2021): 3173.
[8] Rana, Arun Kumar, and Sharad Sharma. "Contiki Cooja Security Solution (CCSS) with
IPv6 Routing Protocol for Low-Power and Lossy Networks (RPL) in Internet of Things
Applications." In Mobile Radio Communications and 5G Networks, pp. 251-259. Springer,
Singapore, 2021.
[9] Mahmud, Arif, Faria Hossain, Tasnim Ara Choity, and Faija Juhin. "Simulation and
comparison of RPL, 6Lowpan, and Coap protocols using Cooja simulator." In Proceedings
of International Joint Conference on Computational Intelligence, pp. 317-326. Springer,
Singapore, 2020.
[10] Singh, Upendra, Makrand Samvatsar, Ashish Sharma, and Ashish Kumar Jain.
"Detection and avoidance of unified attacks on MANET using trusted secure AODV
routing protocol." In 2016 Symposium on Colossal Data Analysis and Networking
(CDAN), pp. 1-6. IEEE, 2016.
[11] Hu, Yih-Chun, Adrian Perrig, and David B. Johnson. "Wormhole attacks in wireless
networks." IEEE journal on selected areas in communications 24, no. 2 (2006): 370-380.
[12] Tun, Zaw, and Aung Htein Maw. "Wormhole attack detection in wireless sensor
networks." World Academy of Science, Engineering and Technology 46 (2008): 2008.
