
The Journal of Supercomputing

https://doi.org/10.1007/s11227-021-03922-1

A holistic framework for prediction of routing attacks in IoT-LLNs

Rashmi Sahay1 · G. Geethakumari1 · Barsha Mitra1

Accepted: 27 May 2021


© The Author(s), under exclusive licence to Springer Science+Business Media, LLC, part of Springer Nature
2021

Abstract
The IPv6 routing protocol for low power and lossy networks (RPL) has gained
widespread application in the Internet of Things (IoT) environment. RPL has inher-
ent security features to restrict external attacks. However, internal attacks in the
IoT environment have continued to grow due to the lack of mechanisms to manage
the secure identities and credentials of the billions of heterogeneous IoT devices.
Weak credentials aid attackers in gaining access to IoT devices and further exploit-
ing vulnerabilities stemming from the underlying routing protocols. Routing attacks
degrade the performance of IoT networks by compromising the network resources,
topology, and traffic. In this paper, we propose a holistic framework for the predic-
tion of routing attacks in RPL-based IoT. The framework leverages Graph Convolu-
tion Network-based network embedding to capture and learn the latent state of the
nodes in the IoT network. It uses a Long Short Term Memory model to predict net-
work traffic. The framework incorporates a Feedforward Neural Network that uses
network embedding and traffic prediction as input to predict routing attacks. The
accuracy of any learning model depends on the integrity of the data provided to it
as input. Therefore, the framework uses smart contract-fortified blockchain technol-
ogy to establish secure channels for IoT data access. The smart contract within the
blockchain generates warning impulses in the case of abnormal behavior of nodes.
The framework predicts normal scenarios, resource attack scenarios, traffic attack
scenarios, and topological attack scenarios with a fair accuracy of 94.5%, 82.46%,
91.88%, and 86.13%, respectively.

Keywords IoT · RPL · Routing attacks · Network embeddings · Smart contract

* Rashmi Sahay
p2016009@hyderabad.bits-pilani.ac.in
G. Geethakumari
geetha@hyderabad.bits-pilani.ac.in
1 Department of CSIS, BITS Pilani, Hyderabad Campus, Hyderabad, India


1 Introduction

The advancements in embedded technologies like sensors and RFID helped the
Internet of Things (IoT) realize its vision to connect physical devices to the Inter-
net. However, such embedded devices are constrained in characteristics in terms
of memory, processing power, and radio range. The networks of such embedded
devices, termed as Low Power and Lossy Networks (LLNs), are deployed on large
scales in IoT applications like smart cities, home automation, and industrial automa-
tion, to name a few. IoT devices’ constrained characteristics and large scale of IoT
networks present specific routing requirements that are efficiently catered by IPv6
Routing Protocol for Low Power and Lossy Networks (RPL) [1]. However, numer-
ous researchers have identified several vulnerabilities associated with the RPL pro-
tocol that may lead to several routing attacks in IoT environment [2, 3]. The RPL
routing protocol provides mechanisms for protection from external attacks by using
preinstalled keys and authentication keys. However, once a node joins the IoT-LLN
network, it may instigate several insider attacks [4]. IoT devices’ constrained char-
acteristics make the implementation of robust security measures difficult, and IoT
environments are often susceptible to intrusion. The recent series of Distributed
Denial of Service attacks clearly show attackers’ ability to break into the Internet of
Things environment [5]. A malicious node that has managed to break the first line of
security defense, i.e., authentication, becomes capable of instigating various insider
attacks by exploiting the routing protocol’s vulnerabilities in RPL-based IoT-LLNs.
Such insider attacks against routing protocols in IoT affect network performance
and utilization of the limited resources in the constrained IoT network. Therefore,
with the increasing number of IoT applications, it is very important to detect routing
attacks in a timely manner.
In order to detect routing attacks efficiently, it is important to monitor the state
and behavior of the IoT-LLN. Parameters like routing metric (cost), the power con-
sumed by the network resources, paths of the data traffic, network overhead, and
packet arrival rate reflect the state of the IoT-LLN. Routing attacks against IoT envi-
ronment affect either all or a subset of such network parameters. The authors in
[6–8] have applied various machine learning algorithms to predict routing attacks
like flooding attacks, packet dropping attacks, local repair attacks, traffic attacks, and
version number attacks in IoT. However, primary machine learning or deep learn-
ing algorithms require retraining whenever the network genuinely changes its topol-
ogy or traffic patterns. An IoT network may change its topology due to factors like
an increase in the number of IoT devices, the remaining battery power of devices,
changes in device services, etc. Therefore, capturing the features of IoT networks
that are dynamic and heterogeneous in characteristics, as well as making an assess-
ment of the state of the network for attack prediction, is challenging for primary
machine learning or deep learning algorithms. To overcome the challenge, research-
ers have explored the application of network embedding [9]. Network embeddings
are techniques that transform large scale networks that carry heterogeneous and
complex information into low dimensional real number vectors used for network
analysis by downstream machine learning algorithms.


The performance of any network embedding technique, deep learning algorithm,
or statistical tool depends on the quality of the data fed to it. In the article [10],
Geoff Huston mentioned that toxic things existed earlier in wireless sensor networks,
which were much smaller in scale than IoT or SCADA networks and were tightly
closed. In IoT, we have a network that comprises heterogeneous devices from mul-
tiple vendors across multiple platforms. Therefore, a significant challenge in the IoT
environment is establishing secure access to the IoT data without external dependen-
cies. The authors in [11] explored the application of blockchain in the secure sharing
of IoT data for routing attack detection.

1.1 Major contribution

The existing state-of-the-art mechanisms for detecting routing attacks focus on
a specific type of attack, i.e., if the attack is against network resources, traffic, or
topology. It is not feasible to have different mechanisms in place to detect differ-
ent types of attacks. Hence, we focus on building a framework capable of predict-
ing if the state of the IoT-LLN is normal or under attack and can also predict the
type of attack. In this paper, we present a holistic framework for the prediction of
routing attacks in IoT-LLNs. The framework employs Graph Convolution Networks
(GCN) to generate mask embedding that captures the spatial features of the IoT-
LLNs. The framework uses a Long Short Term Memory (LSTM) model to predict
the next packet arrivals. The framework also makes use of statistical analysis tools
for visualization of the current state of the network. The framework employs the use
of blockchain technology to ensure that the data captured from the IoT-LLNs are
untampered and secured. Blockchain also provides a platform for the implementation
of smart contracts. In the present framework, we use a smart contract to produce
warning impulses in case of any abnormal routing behavior. Thus, blockchain
through smart contracts offers the added advantage of facilitating a mechanism for
the IoT devices to collaboratively produce warnings in the event of any unusual
activity. Smart contracts can significantly benefit the routing security process by
automating security checks.
To summarize, the paper presents a comprehensive framework that takes a holis-
tic approach to security by employing the emerging technologies that can ensure
robust safeguarding of the IoT environment and enable the vision that IoT promises.
Recent literature classifies routing attacks in RPL-based IoT-LLNs into three catego-
ries: resource attacks, topological attacks, and traffic attacks [4, 12]. The framework
can predict attacks belonging to all the three categories of routing attacks using a
Feedforward Neural Network (FNN) model.
The rest of the paper is organized as follows. In Sect. 2, we briefly introduce the
preliminary terminologies related to RPL, network embedding, blockchain, and
smart contract, as well as present the related work in this field. In Sect. 3, we pre-
sent the problem statement. In Sect. 4, we present the proposed holistic framework
for the prediction of routing attacks in RPL-based IoT environments. In Sect. 5, we
compare our proposed framework with existing research on routing security in RPL-
based IoT environments. Section 6 concludes the paper.


2 Background and related work

Among the existing routing protocols for low power and lossy networks, RPL
is the most popular routing protocol in the IoT environment as it satisfies all
the requirements of IoT-LLNs [13, 14]. We first explain the preliminaries of the
RPL protocol.

2.1 RPL (IPv6 routing protocol over low power and lossy network)

RPL is a distance vector routing protocol that organizes low power and lossy
networks as Directed Acyclic Graphs (DAGs) that have one or more Destina-
tion Oriented Directed Acyclic Graphs (DODAGs) [1]. A DODAG consists of
three types of nodes, namely, the sink (root) node, sensor nodes with routing
capabilities (router), and simple sensor nodes (hosts). Nodes (routers and hosts)
in the DODAG forward their sensed information to the sink node, which acts
as a bridge between them and the rest of the IoT environment. The sink node is
also responsible for disseminating the configuration information to the nodes in
the DODAG using DODAG Information Object (DIO) messages. The DIO
messages carry important configuration parameters like rank, version number,
routing metric, etc. The rank of a node is estimated based on an objective function.
The rank reflects the proximity of a node to the sink in terms of the predefined
objective function. The objective function is a function of the routing metric
and a predefined min rank increase value. The routing metric could be a link
or a node parameter that reflects specific characteristics or properties of the sensor
node or the link between the sensor nodes [15]. The version number reflects
the current state of the DODAG. Whenever the state of the DODAG changes,
the sink node advertises an incremented version number in the DIO message
so that nodes in the DODAG know that their routing table may be obsolete.
They should seek fresh configuration information from the neighboring nodes.
In order to join a DODAG, a new node requests the DODAG configuration
information by multicasting (broadcasting within radio range) DODAG Information
Solicitation (DIS) messages to which neighboring nodes respond with DIO
messages. On receiving the DIO messages, the requesting node selects a parent
node with minimum rank and optionally responds with a Destination Advertisement
Object (DAO) message.
Rank is an important attribute of the RPL routing process. The rank property
of RPL helps in the efficient organization and maintenance of DODAG. How-
ever, it also makes it vulnerable to several attacks. The three important notions
associated with rank property in RPL are: (a) Rank of the parent node is always
less than the rank of the child node, (b) rank of nodes increases with depth in the
tree structure of the DODAG, and (c) a node should always select a parent node
with minimum rank. A malicious node in the DODAG can easily instigate sev-
eral attacks by violating the above-mentioned notions.


2.2 Network embedding

Definition 1 Given, at any instance $t$, a dynamic network $N(t)$ with nodes given by
vertex set $V(t)$ connected through edges $E(t)$, and represented as $N(t) = (V(t), E(t))$,
a network embedding function $f: V \rightarrow \mathbb{R}^d$ learns the mapping of each node $v \in V$
to a real-valued feature vector in $\mathbb{R}^d$, where $d \geq 1$ is the dimensionality of the node
embedding.

A network embedding function aims to transform the complex features of an input
network into lower-dimensional representations while preserving the higher-order
proximity information of nodes that are not explicitly defined by the input network’s
node and edge attributes. Network embedding techniques have the potential to
address the following challenges posed by large-scale IoT networks that generate
volumes of heterogeneous data [16, 17].

• Sparsity: IoT networks are continually growing with an increasing number of
IoT vendors and devices, and are becoming complex in structure and attributes.
Occasionally, some nodes or links may not be captured due to nodes intentionally
hiding their information, privacy policies, or limitations of the
collection mechanism.
• Scale and dynamism: Numerous IoT applications like smart traffic management,
home automation, etc., will cater to millions of nodes with heterogeneous
attributes. Such nodes and links representing the relationship among the nodes
will evolve continuously. Therefore, the algorithms designed to analyze such networks
must be scalable and capable of capturing the IoT network’s dynamic features.
• Heterogeneity and Context representation: Neighboring nodes in an IoT
network may be heterogeneous in characteristics. The presence of connections
among the nodes in a neighborhood is context-driven. The mapping of IoT networks
into low dimensional vector space must preserve the heterogeneity and the
context information.

In the present work, graph embedding captures the spatial features of the IoT-LLN
that the downstream Feedforward Neural Network model uses for routing attack
prediction.

2.3 Blockchain and smart contract

Blockchain is a decentralized and distributed ledger used to record digital transactions
across multiple computing nodes, and each node validates a transaction before
it is recorded or altered. The blockchain stores the recorded transactions, information
about the transaction, nodes participating in the transaction, and their unique
identities [18]. Each node in the blockchain network has a copy of the blockchain,
and each block in the blockchain has a cryptographic hash of the previous block.
The starting point of the blockchain is known as the Genesis block. Blockchain
can be of three types, namely, public blockchain, private blockchain, or consortium
blockchain. Public blockchains are open for anyone to participate, and specific
computationally powerful nodes termed miners record the transaction to the blockchain
after applying a consensus algorithm. In a private blockchain, while a central
authority has the write permissions, read permissions are public. Also, as the private
blockchains provide privacy, low latency, and low energy consumption, they are
considered apt for the IoT environment.
The true benefit of blockchain comes from the fact that it provides a platform
for the implementation of smart contracts. A smart contract is a digital execution
of a set of rules or protocols designed in the agreement of all the peer participants
without any mediation by a third-party [19]. A smart contract fortified blockchain
not only ensures secure storage of data but also provides a platform to implement
numerous security checks.
In this paper, we use smart contracts deployed in a private blockchain environ-
ment to produce real-time warnings against nodes instigating various attacks like
rank attacks, version number attacks, and flooding attacks.

2.4 Related work

As mentioned before, routing attacks in RPL-based IoT-LLNs target network
resources, network topology, and network traffic. Routing attacks against network
resources often force the network to reorganize itself again and again. As a result,
nodes in the LLNs are forced to suspend their data forwarding action while reorganizing
themselves. Examples of resource attacks are the version number attack,
the increased rank attack, the flooding attack, etc. Dvir and Buttyan [20] explain
the method of attack instigation and the impact of such resource attacks. Topological
attacks against RPL that result in the isolation of a section of the network from the
root node are often difficult to identify and result in packet loss. Examples of such
attacks are blackhole attacks, selective forwarding attacks, and greyhole attacks [21,
22]. Topological attacks may also result in the sub-optimized performance of IoT-LLN.
Examples of such attacks are the worst parent attack [23] and the DAO inconsistency
attack [24]. Malicious nodes instigating traffic attacks in RPL-based IoT-LLNs
disrupt the normal traffic path by advertising a false rank (lower rank) or false identity.
Examples of such attacks are the Decreased Rank Attack and the Identity attack.
These topological attacks force the network to reorganize itself and cause huge traffic
convergence towards the attacker node. This may also result in the resetting of nodes.
The authors in [25] have examined the energy expended while nodes reset themselves.
Further, these traffic attacks may be followed by an isolation attack resulting
in a huge loss of data packets. Examples of such attack scenarios are sinkhole
attacks and wormhole attacks. In essence, such attacks first disrupt the network traffic
and then drop (or sniff) data packets, causing sub-optimized performance of the
network [12]. Hence, the protection of IoT-LLNs against routing attacks is an important
research problem.
Khan and Herrmann [26] designed a trust management system to detect
rank inconsistencies in RPL supported IoT-LLN. Such a trust-based management
system not only puts computation overload on constrained nodes but also makes
RPL vulnerable to attacks like bad mouthing attack, self-promoting attack, and
ballot stuffing attacks [27]. Recently, researchers have proposed enhancements
of RPL to mitigate certain attacks like rank attacks and version number attacks
to improve the efficiency of the RPL-based routing mechanism. However, such
attempts have often resulted in other disadvantages like slow convergence rate,
high energy consumption, path inconsistency, etc. [28]. Detection of routing
attacks in IoT-LLNs is also a difficult task as attacks have many overlapping
properties. This often results in a false alarm rate as experienced by authors in
[29, 30] while devising mechanisms for mitigation of such attacks. The authors
in [20, 31] have applied hash chain and message authentication code in order to
restrict the nodes from changing the configuration parameters. However, such
attempts are computationally expensive and increase the complexity of the routing
process. Moreover, hash codes are vulnerable to several attacks, which make
such techniques unpopular in usage. All these factors restrict the use of security
solutions employing hashing techniques to secure RPL in real-time application
[2]. In [32], the authors proposed that nodes may work in promiscuous mode
to find abnormal traffic routes in order to guess about the neighboring nodes
involved in rank or Sybil attack. Zaminkar et al., in their paper [33], added a
detection mechanism in the RPL to identify the nodes instigating Sybil attack.
However, they consider only the case where the malicious node advertises its
rank as zero, which may not always be the case.
Recently, machine learning and deep learning algorithms have come into wide use for
IoT routing security. The authors in [8, 34] used neural networks to predict the
sub-optimal path attacks and traffic attacks, respectively. Mahdavinejad et al.
[35] presented a taxonomy of various machine learning and deep learning algorithms
used for traffic analysis, real-time fault predictions, power data analysis,
and reducing energy consumption in IoT. Their survey stated that most solutions
do not analyze the IoT data or extract the characteristics of the IoT network
data and state, which is necessary for the accuracy of machine learning
algorithms. Jagannath et al. [36], in their survey on the use of machine learning
for wireless communication in IoT, also laid stress on IoT data analysis to
ensure that the data fed to the learning algorithms are of good quality. Recently,
researchers have suggested the use of blockchain technology in IoT networks for
secure storage and sharing of IoT data, access control, authentication, etc. The
authors in [11] showcased the recent research on the use of blockchain in IoT.
They explored the use of blockchain at various layers of routing security and
suggested the use of smart contracts to enhance security.
To summarize, in the recent past, many researchers have proposed mecha-
nisms to detect attacks against RPL in the IoT-LLN. Popular techniques used to
detect routing attacks often employ machine learning models, forensic analy-
sis, overlay networks, etc. Regardless of various such models and frameworks,
a holistic model capable of capturing the state and behavior of IoT-LLNs and
capable of predicting multiple categories of attack is missing in the existing
literature.


3 Problem statement

The existing literature states the numerous undesirable consequences of routing
attacks in an RPL-based IoT environment. Hence, proactive detection of routing
attacks is essential for securing the IoT environment. In the present work, we focus
on building a framework capable of detecting all the three categories of routing
attacks mentioned in the existing literature [4, 12].
In this paper, we attempt to achieve the following objectives:

• To present how state-of-the-art technologies like blockchain and deep learning
models can be used to develop a strong mechanism to predict routing attacks
against RPL.
• To design a framework using deep learning models and blockchain to predict
routing attacks in RPL-based IoT-LLNs.
• To implement and demonstrate the efficiency of the framework in predicting
routing attacks in IoT-LLNs.

4 Proposed holistic framework for prediction of routing attacks in RPL-based IoT-LLNs

The proposed holistic framework for detecting routing attacks in IoT-LLNs is shown
in Fig. 1.
The framework comprises the IoT-LLN, the smart contract fortified blockchain
network, data visualization and analysis component, and three deep learning models.
The blockchain network provides a secure data channel between the IoT-LLNs and the
deep learning models, as well as the data visualization and the analysis component.

Fig. 1  Proposed framework for prediction of routing attacks


The smart contract within the blockchain generates warning impulses in the case of
abnormalities in rank or version number advertised by nodes and in the case of a node
continuously multicasting DIS messages. The framework employs powerful deep
learning tools like Long Short Term Memory (LSTM) and Graph Convolution Neural
Network (GCN) to capture the temporal and spatial features of the IoT-LLNs. Based on
the inputs received from the GCN, LSTM, and the warning impulses from the smart
contract, the Feedforward Neural Network predicts the probabilities of the IoT-LLN
being under normal state ($P_n$), under resource attack ($P_1$), under topological attack ($P_2$),
and under traffic attack ($P_3$), as shown in Fig. 1. The framework also makes use of statistical
analysis tools for the visualization of the current state of the network.
The rank property is specific to RPL, and malicious nodes instigating RPL specific
rank attacks can increase the vulnerability of the IoT-LLN environment to other routing
attacks [37]. Non-adherence to the notion of rank properties in RPL supported IoT-
LLNs results in attacks that target the network’s topology, traffic, or resources. Taking
motivation from this fact, we test our framework with the attack that violates the notion
of the rank property stated by RPL for the demonstration of results. The framework can
detect other RPL attacks with equal efficiency.
To emulate the IoT-LLN environment, we use the Cooja simulator available in the
Contiki Operating System (Contiki-OS). Tmote Sky, an MSP430-based sensor mote with a
radio range of 50 meters, is used for all experimental setups. The Unit Disk Graph Model
with Distance Loss is used as the radio medium. For rank estimation of various nodes
in the DODAG, an additive routing metric called Expected Transmission Count (ETX)
is used. In order to validate the framework, we emulated a DODAG comprising 20
nodes under the normal scenario, under the increased rank attack scenario (Resource
Attack), under the worst parent attack scenario (Topological Attack), and under the
decreased rank attack scenario (Traffic Attack). The Contiki-OS’s network protocol stack
(Contiki-NETSTACK) assembles the different layers of the network in the form of protocol
modules [38]. In order to emulate various attack scenarios, we make the following
modifications in the RPL module of Contiki-NETSTACK.
Decreased rank attack (DRA) and increased rank attack (IRA)
To emulate the decreased rank attack and the increased rank attack scenarios, we
alter the “rank_via_parent(rpl_parent_t *p)” function in the rpl-mrhof.c file of
the RPL module in the Contiki-NETSTACK. A fair node estimates its rank as given by
Eq. 1.
$$\mathrm{Rank}_{node} = \mathrm{Rank}_{parent} + \mathrm{Rank}_{increase} \tag{1}$$
where $\mathrm{Rank}_{node}$ is the rank of the node, and $\mathrm{Rank}_{parent}$ is the rank of the parent node.
$\mathrm{Rank}_{increase}$ is estimated as a sum of the minimum rank increase configured by the
network or the path cost between the node and the parent node. The path cost can be
estimated based on routing metric, which can be an aggregation of one or more link
or node metric [39]. In the present work, $\mathrm{Rank}_{increase}$ is estimated using the parent
node’s link metric as given by Eq. 2.
$$\mathrm{Rank}_{increase} = \mathtt{parent} \rightarrow \mathtt{link\_metric} \tag{2}$$
A malicious node instigating the decreased rank attack estimates its rank as follows.


if $\mathrm{Rank}_{parent} - K_1 > 0$
$$\mathrm{Rank}_{node} = \mathrm{Rank}_{parent} - K_1 \tag{3}$$
else
$$\mathrm{Rank}_{node} = \mathrm{Default\_Min\_Rank} \tag{4}$$
where $K_1 > \mathrm{Rank}_{increase}$. In our experimental setup, Default_Min_Rank is set
to 256. This ensures that the rank of any node is not less than the rank of the sink node.
The rank of the sink node is initialized to 256 in Contiki-NETSTACK.
A node instigating the increased rank attack estimates its rank by Eq. 5 as follows.
$$\mathrm{Rank}_{node} = \mathrm{Rank}_{parent} + \mathrm{Rank}_{increase} + K_2 \tag{5}$$
where $K_2$ is initialized to 200 and increased by 10 at every instance of neighborhood
probing. In the present work, the average increase in rank of the nodes in the various
experiments performed was less than or equal to 200. Therefore, $K_2$ is initialized to
200. However, in order to emulate the Increased Rank Attack scenario, while computing
the rank, $K_2$ may be initialized to the mean value, median value, or any constant
value that may successfully instigate the attack.
Worst parent attack (WPA)
In order to emulate the Worst Parent Attack, the attacker nodes alter the
“best_parent(rpl_parent p1, rpl_parent p2)” function in rpl-mrhof.c to
choose the worst of the two input arguments instead of the best. In other words, the
attacker node violates the third notion of rank property by always selecting a parent
with a higher rank instead of a parent with the minimum rank.
The Contiki OS, along with the simulation tool Cooja, provides tools like “Radio
Message” and “Power Trace”. These tools help in capturing the exchange of control
messages among nodes and the data packets forwarded to the sink node in the form
of PCAP (Packet Capture) files and help in keeping track of the resources consumed
by nodes. Thus, the Cooja simulator can be used to generate both benign and mali-
cious IoT datasets [40]. The datasets obtained in the form of PCAP files are stored in
the blockchain network.
In the following subsection, we present the experimental setup of the smart con-
tract fortified blockchain. We also explain how an interface is established among the
IoT-LLN, the smart contract fortified blockchain, the data visualization unit, and the
deep learning models.

4.1 The blockchain network and smart contract

The Ethereum private blockchain platform is used in the present work, which allows
only authorized user nodes to participate. A node should run an Ethereum client
in order to participate in the Ethereum private blockchain network. The client cre-
ates a local copy of the blockchain, making the computing node capable of doing
transactions within the blockchain network. In the present work, the Ethereum Cli-
ent “Geth” is used, which is popularly used to build decentralized applications [41].


In order to store the IoT sensor data in the blockchain network, an interface with
the Ethereum test platform is established through a Web.py library. The IoT sensor
data is analyzed by the smart contract housed in the local blockchain, and the smart
contract produces warning impulses in the event of a routing anomaly. The warning
impulse is provided to the Feedforward Neural Network (FNN) and the data visuali-
zation and analysis tool.

4.1.1 Role of smart contract

In the present work, the smart contract is designed to perform the following tasks:

1. Produce warning impulses in case of the following events:
• A rank change by a node exceeds a predefined threshold.
• A version number increment is initiated by a non-sink node.
• The number of DIS messages multicast by a node exceeds a given
threshold.
2. Perform the required feature extraction on the IoT-LLN data
and create the dataset for the ensemble machine learning model and the data
visualization tool.

The smart contract defined by Algorithm 1 comprises the following:

1. State Variables: The state variables are used to trigger a transaction in the block-
chain. In the present work, the state variable “PCAP” stores the packet captured
information obtained from the sink node of the IoT-LLN.
2. Modifiers: These are functions used to check the preconditions that must be
satisfied before the data are added to the blockchain.
3. Functions: The set of rules required to execute the digital contract offered by the
blockchain are defined within functions. In the present work, the functions defined
are Add, CheckRankThreshold, CheckVersionID, CheckDISfreq and CreateData.


The modifier function in the smart contract verifies that data from the PCAP
files to be added to the blockchain has no missing fields as depicted through
Lines 2 to 4 of Algorithm 1. On successful verification, the Add function adds the
data to the blockchain as shown through Lines 5 to 7. If the packet received is a
DIO message, rank and version number checks are performed. The smart contract
produces warning impulses that help in understanding the current state of the IoT-
LLNs. The function CheckRankThreshold produces a warning impulse if a node
changes its rank beyond a predefined threshold value, as represented through
Lines 9 to 19 of Algorithm 1. The function compares the absolute value of change
in rank advertised by a node with a predefined threshold value Th, as shown in
Line no. 10. If the change in rank is greater than the threshold value, the
CheckRankThreshold function further checks if the rank has decreased or increased. The
Algorithm in Line no. 12 checks if the change in rank is greater than zero. If the
conditions in Line no. 10 and Line no. 12 are both true, it means that the rank
advertised has exceeded the predefined threshold value for permitted change in rank
and is also greater than the previous rank. Thus, it is an Increased Rank Attack,
and the warning impulse produced by the CheckRankThreshold function carries
the message “rank increased” and the ID of the node. If the condition in Line no.
10 is true and the condition in Line no. 12 is false, it means that though the rank
advertised has exceeded the permitted value for change in rank, it is less than the
previous rank. Thus, it is a Decreased Rank Attack, and the warning impulse carries
the message “rank decreased” along with the node ID. The warning impulses
produced by the CheckRankThreshold function can be interpreted as the possibil-
ity of instigation of a rank attack. The function CheckVersionID produces a warn-
ing impulse when a non-sink node advertises an incremented version number as
depicted through Lines 21 to 30. The warning impulses by function CheckVer-
sionID indicate the topological reorganization of the IoT-LLN. When a non-sink
node initiates the increase in version, it either shows that nodes in the IoT-LLN
face a mismatch in configuration information or a malicious node in the IoT-LLN
has instigated a version number attack.
If the packet capture is a DIS message, the CheckDISfreq function is invoked.
The CheckDISfreq keeps a count of the number of DIS messages emitted by each
node in the IoT-LLN and produces a warning impulse if the count exceeds a pre-
defined threshold as shown in Line 32 to 39 of Algorithm 1. The “DIS Flooding”
warning impulse indicates that the node has lost its parent node and is unable to find
a new parent. Alternatively, it may be that the node is instigating a flooding attack.
If the packet captured is UDP packet, the CreateData(UDP) function extracts the
features from the data payload as depicted through Lines 41 to 46. The function
CreateData(UDP) calls a Normalize(Data) function that performs the preprocessing
of the IoT-LLN data. The data preprocessing involves the following steps:

1. Encoding Categorical Data: The dataset consists of one categorical data - the
Node ID. The encoding method used is label encoding that converts labels to
numeric values.
2. Feature Scaling: Feature scaling is necessary for the present problem to ensure
an unbiased prediction as the independent variables in the dataset vary widely
in their range, as may be observed from Table 1. The feature scaling method
applied in the proposed model is Min–Max scaling. The normalized value $x'$ of
an independent variable $x$ in the range of $[a_1, a_2]$ is given by Eq. 6.

$$x' = a_1 + \frac{(x - \min(x))(a_2 - a_1)}{\max(x) - \min(x)} \tag{6}$$

3. Creating the adjacency matrix in order to capture the topological state of the
IoT-LLN. The adjacency matrix is used by the GCN model.
4. Extracting the features depicted in Table 1, like hops, power consumption, routing
metric, ETX etc.

Table 1  Statistics of the dataset

| Feature | Metric | Normal | IRA | DRA | WPA |
|---|---|---|---|---|---|
| Hops | Min | 1 | 1 | 1 | 1 |
| Hops | Max | 9 | 7 | 8 | 7 |
| Hops | Mean | 3.6951 | 3.6526 | 3.605 | 3.655 |
| Hops | SD | 1.7809 | 1.6592 | 1.6647 | 1.6368 |
| CPU power | Min | 2136 | 1651 | 1901 | 1777 |
| CPU power | Max | 41604 | 56252 | 47052 | 44866 |
| CPU power | Mean | 7197 | 6957.9 | 7506.0 | 8307.9 |
| CPU power | SD | 4273.7 | 4175.1 | 4692.27 | 5281.717 |
| Transmit power | Min | 0 | 0 | 0 | 0 |
| Transmit power | Max | 21880 | 32071 | 27055 | 25615 |
| Transmit power | Mean | 2313.01 | 2143.2 | 2489.83 | 2973.59 |
| Transmit power | SD | 2585.03 | 2505 | 2830.13 | 3175.20 |
| Listen power | Min | 286 | 200 | 305 | 284 |
| Listen power | Max | 34436 | 12178 | 11443 | 10921 |
| Listen power | Mean | 1504.93 | 1426.45 | 1594.4 | 1813.1 |
| Listen power | SD | 1164.12 | 1029.727 | 1146.617 | 1291.89 |
| LPM power | Min | 5304 | 3806 | 3927 | 860 |
| LPM power | Max | 65527 | 65531 | 65529 | 65535 |
| LPM power | Mean | 47140 | 47263 | 47245.2 | 47154.0 |
| LPM power | SD | 9732.97 | 9698.7 | 9756.541 | 9705.767 |
| Routing metric | Min | 512 | 512 | 512 | 512 |
| Routing metric | Max | 7284 | 5796 | 5524 | 5237 |
| Routing metric | Mean | 1676.44 | 1603 | 1624.91 | 1894.93 |
| Routing metric | SD | 843.9287 | 746.9 | 838.6473 | 961.2887 |
| ETX | Min | 128 | 128 | 128 | 128 |
| ETX | Max | 3017 | 2733 | 2466 | 2194 |
| ETX | Mean | 618.3332 | 588.0811 | 602.517 | 672.04 |
| ETX | SD | 382.7174 | 339.2285 | 370.203 | 411.945 |
| Beacon interval | Min | 8 | 8 | 8 | 8 |
| Beacon interval | Max | 2097 | 2097 | 2097 | 2097 |
| Beacon interval | Mean | 1445.77 | 1500.31 | 1333.41 | 1018.131 |
| Beacon interval | SD | 755.617 | 759.169 | 794.024 | 733.52.4 |
| Warning impulse | Min | NA | 0 | 0 | 0 |
| Warning impulse | Max | NA | 340 | 237 | 266 |
| Warning impulse | Mean | NA | 171.66 | 113.7582 | 118.5874 |
| Warning impulse | SD | NA | 97.46 | 71.9267 | 64.10992 |
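
The warning-impulse checks that the text above attributes to Algorithm 1 (missing-field modifier, rank-change threshold, version increment by a non-sink node, per-node DIS count), written out as an added Python example; it is not the paper's smart contract. The class, method and field names, the thresholds, the wording of the version warning and the packet records are assumptions constructed for illustration.

```python
"""Warning-impulse checks as the text describes them for Algorithm 1 (added example)."""
from collections import defaultdict

# Fields the modifier requires per packet type (field names are assumptions).
REQUIRED = {"DIO": ("node", "rank", "version"), "DIS": ("node",),
            "UDP": ("node", "payload")}


class WarningContract:
    def __init__(self, sink_id, rank_threshold, dis_threshold):
        self.sink_id = sink_id
        self.rank_threshold = rank_threshold   # Th in the text
        self.dis_threshold = dis_threshold
        self.ledger = []                       # stands in for the blockchain
        self.last_rank = {}                    # node -> last advertised rank
        self.version = None                    # last version advertised by the sink
        self.dis_count = defaultdict(int)      # node -> DIS messages seen so far

    def complete(self, pkt):
        """Modifier: the packet type is known and none of its fields is missing."""
        fields = REQUIRED.get(pkt.get("type"))
        return fields is not None and all(pkt.get(f) is not None for f in fields)

    def add(self, pkt):
        """Add: store a verified packet, then return the warning impulses it raises."""
        if not self.complete(pkt):
            raise ValueError("missing fields: %r" % (pkt,))
        self.ledger.append(dict(pkt))
        if pkt["type"] == "DIO":
            return self.check_rank_threshold(pkt) + self.check_version_id(pkt)
        if pkt["type"] == "DIS":
            return self.check_dis_freq(pkt)
        return []                              # UDP: feature extraction not shown here

    def check_rank_threshold(self, pkt):
        node, rank = pkt["node"], pkt["rank"]
        previous = self.last_rank.get(node)
        self.last_rank[node] = rank
        if previous is None:
            return []                          # first DIO of a node: nothing to compare
        change = rank - previous
        if abs(change) <= self.rank_threshold:
            return []
        return [("rank increased" if change > 0 else "rank decreased", node)]

    def check_version_id(self, pkt):
        # Plain integer comparison; wrap-around of the version counter is not modelled.
        node, version = pkt["node"], pkt["version"]
        if node == self.sink_id:
            self.version = version             # only the sink may move the version on
            return []
        if self.version is not None and version > self.version:
            return [("version incremented by non-sink", node)]
        return []

    def check_dis_freq(self, pkt):
        node = pkt["node"]
        self.dis_count[node] += 1
        if self.dis_count[node] > self.dis_threshold:
            return [("DIS Flooding", node)]
        return []


# Constructed capture (not from the paper's dataset); node 1 is the sink.
SAMPLE = [
    {"type": "DIO", "node": 1, "rank": 256, "version": 240},
    {"type": "DIO", "node": 4, "rank": 512, "version": 240},
    {"type": "DIO", "node": 4, "rank": 1280, "version": 240},   # rank jumps by +768
    {"type": "DIO", "node": 7, "rank": 1024, "version": 240},
    {"type": "DIO", "node": 7, "rank": 512, "version": 241},    # -512 and version bump
    {"type": "DIS", "node": 9},
    {"type": "DIS", "node": 9},
    {"type": "DIS", "node": 9},                                 # third DIS from node 9
    {"type": "DIO", "node": 4, "rank": 1280},                   # version field missing
]


def replay(packets, contract):
    """Feed packets to the contract; return (warning impulses, rejected count)."""
    impulses, rejected = [], 0
    for pkt in packets:
        try:
            impulses += contract.add(pkt)
        except ValueError:
            rejected += 1
    return impulses, rejected


if __name__ == "__main__":
    contract = WarningContract(sink_id=1, rank_threshold=256, dis_threshold=2)
    impulses, rejected = replay(SAMPLE, contract)
    for message, node in impulses:
        print("warning impulse: %s (node %d)" % (message, node))
    print("rejected packets:", rejected)
```

A single DIO can raise two impulses at once, as node 7 does in the constructed capture, which is why the checks return lists that are concatenated rather than a single flag.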

4.2 Data visualization and analysis

Data visualization helps in understanding the digression in the behavior of the IoT-
LLN under different attack scenarios compared to the normal scenario. To test the
framework, we emulated four different scenarios, namely, a normal scenario, an
increased rank attack scenario, a decreased rank attack scenario, and the worst par-
ent attack scenario in a 20 node DODAG. The description of the dataset obtained
from the simulation is given in Table 1.
It may be observed from Fig. 2 that the three different rank attacks manifest
differently in the various node and link parameters of the IoT-LLN. However, it may
also be observed that the distinction is not very remarkable. Although the warning
impulse produced by the smart contract gives an early indication of an attack and
improves the overall efficiency of attack prediction, further effort is required to
drill down to the type of attack. Also, one type of attack may often lead to
other attacks. For example, a topological attack results in a change in the existing
topology of the IoT-LLN. Consequently, various traffic paths in the LLN also get
disrupted, leading to a scenario that resembles a traffic attack. This may confuse any
naive machine learning or statistical model. Therefore, it is essential to have
specialized and robust models to capture the specific temporal and spatial features of
the LLN to predict the reason behind any abnormal behavior.
In the following subsection, we explain the role of network embedding
in predicting routing attacks in RPL-based IoT-LLNs.

Fig. 2  Density distribution of the normalized features in the dataset

4.3 Role of GCN‑based network embedding in routing security

Given that we have secure access to IoT data under the shield of blockchain, what
remains is a sophisticated platform for the intelligent and automated analysis of IoT
networks for an orchestrated advance attack prediction. From the study of the exist-
ing literature on the application of various machine learning and sequential deep
learning models in the prediction of routing attacks in the IoT network, we observed
the following shortcomings:

• The ever growing IoT network may consist of a huge number of nodes, and it
may be a very complex and intractable task to process such ordered information.
• The modern deep learning models work on fixed grid sizes and can handle lim-
ited data types. For example, if the number of nodes in the network changes, the
learning algorithm needs retraining.
• The modern sequential deep learning models like Feedforward Neural Networks
do not incorporate the features of graph structures.

The use of graph embedding eliminates these shortcomings [16]. In order to develop
a robust security platform, it is imperative to extract the topological features in the
case of the IoT network. The topology of the network plays a significant role in the
network operation. Topology affects the utilization of network resources, traffic pat-
terns, reliability, and throughput. Irrespective of the type of routing attack against
the IoT networks, the topology of the LLN is invariably affected. The impact on the
topology may vary depending on the kind of attack. Hence, topological integrity
will be the most important driving force of secured IoT applications. Therefore, we
reiterate the importance of extracting topological features of IoT-LLNs for develop-
ing a robust security framework against routing attacks.
The goal is to turn the topological representation into features via network
embedding. The intuition is to learn the attributes of the nodes and the links and
learn about the topology of the LLN. The learning model should map the nodes in
the topology to a ‘d-dimensional’ embedding such that similar nodes in the topol-
ogy are close in the embedding space, where ‘d’ is the number of features used for
the latent representation. In other words, the learning model should produce the
latent representation of the nodes to capture the LLN topology’s spatial features in
the embedding space. In our work, we use Graph Convolution Network (GCN) to
capture the spatial characteristics of the LLN. A GCN works like a normal Convolutional
Neural Network (CNN) in the sense that it takes into consideration the spatial
relations of the nodes rather than just the individual node itself [42]. The difference
in them is that for GCN, the nodes are vertices of a graph, while for CNN, the nodes
are pixels of an image. Formally, a Graph Convolutional Network (GCN) is defined
as a neural network that operates on graphs. Given a graph G = (V, E), a GCN takes
as input the following:

a. An attribute matrix $X$ of size $n \times f$, where $n$ is the number of nodes and $f$ is the
number of input features for each node.
b. An $n \times n$ adjacency matrix $A$ of the graph structure G.

The features included in the attribute matrix are given in Table 2.

A hidden layer in the GCN can thus be written as $H^{i} = f(H^{i-1}, A)$, where $H^{0} = X$
and $f$ is a propagation function. Each layer builds an $N \times F^{i}$ feature matrix where
each row is a feature representation of a node. At each layer, these features are
utilized to form the next layer’s attributes using the function $f$.
The embedding is such that the latent representation of each node in the LLN
takes information from the neighboring nodes. In other words, the node’s neighbor-
hood defines a computation graph, and each node has a different computation graph.
Thus, the parameters of the nodes are shared across the network. The aggregator
function used in the GCN must be order invariant. The advantage of order invari-
ance is that the model trained on a subgraph can also apply to the whole graph as the
same aggregated parameters are shared across the network. This is particularly an
advantage for the growing IoT network as it eliminates the requirement of retraining
the learning model as additional nodes join the network.
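
The layer recursion and the order-invariance argument above, as an added pure-Python example that is not the authors' model. The paper does not state its propagation function, so the rule used here, ReLU(D^-1 (A + I) H W) with a mean aggregator, is an assumption, as are the weights, the three features taken from Table 2, and the constructed 5-node DODAG; the example also goes one step further than the text by checking which embeddings change when a node joins.

```python
"""GCN propagation H^i = f(H^(i-1), A) with an order-invariant mean aggregator."""
import math


def gcn_layer(H, A, W):
    """One step H_next = ReLU(D^-1 (A + I) H W); the rule itself is an assumption."""
    n, f_in, f_out = len(H), len(W), len(W[0])
    out = []
    for v in range(n):
        neigh = [u for u in range(n) if A[v][u] or u == v]    # neighbours + self-loop
        agg = [sum(H[u][k] for u in neigh) / len(neigh) for k in range(f_in)]
        out.append([max(0.0, sum(agg[k] * W[k][j] for k in range(f_in)))
                    for j in range(f_out)])
    return out


def embed(X, A, weights):
    """Apply every layer in turn, starting from H^0 = X."""
    H = X
    for W in weights:
        H = gcn_layer(H, A, W)
    return H


def adjacency(n, edges):
    """Symmetric n x n adjacency matrix from (child, parent) links."""
    A = [[0] * n for _ in range(n)]
    for u, v in edges:
        A[u][v] = A[v][u] = 1
    return A


def permute(X, A, order):
    """Relabel the nodes: new index i holds old node order[i]."""
    return ([X[o] for o in order],
            [[A[a][b] for b in order] for a in order])


def close(P, Q):
    """Element-wise comparison of two matrices with a small tolerance."""
    return all(math.isclose(p, q, abs_tol=1e-9)
               for rp, rq in zip(P, Q) for p, q in zip(rp, rq))


# Constructed 5-node DODAG (node 0 is the sink) with already normalized features:
# [parent routing metric, node routing metric, beacon interval].
EDGES = [(1, 0), (2, 0), (3, 1), (4, 1)]
X = [[0.00, 0.10, 0.90],
     [0.10, 0.25, 0.80],
     [0.10, 0.30, 0.85],
     [0.25, 0.55, 0.40],
     [0.25, 0.60, 0.35]]
# Untrained, constructed weights: 3 input features -> 4 hidden -> d = 2.
WEIGHTS = [
    [[0.5, -0.2, 0.1, 0.3], [0.4, 0.6, -0.3, 0.2], [-0.1, 0.3, 0.5, -0.4]],
    [[0.7, -0.5], [0.2, 0.4], [-0.3, 0.6], [0.5, 0.1]],
]

if __name__ == "__main__":
    A = adjacency(5, EDGES)
    Z = embed(X, A, WEIGHTS)
    print("embeddings:", [[round(z, 4) for z in row] for row in Z])

    # Order invariance: relabelling the nodes only reorders the rows.
    order = [3, 0, 4, 2, 1]
    Xp, Ap = permute(X, A, order)
    print("same after relabelling:",
          close(embed(Xp, Ap, WEIGHTS), [Z[o] for o in order]))

    # A sixth node joins under node 3; the same weights are reused unchanged.
    Z6 = embed(X + [[0.55, 0.80, 0.30]], adjacency(6, EDGES + [(5, 3)]), WEIGHTS)
    changed = [v for v in range(5) if not close([Z6[v]], [Z[v]])]
    print("nodes whose embedding changed:", changed)
```

With two layers, each embedding depends only on the two-hop neighbourhood, so a join or a parent change perturbs the embeddings near the affected node and leaves the rest of the DODAG untouched.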

Table 2  Features for DRA and IRA detection

| S.no. | Parameter | Description |
|---|---|---|
| 1 | Parent routing metric | ETX value of the node’s parent |
| 2 | Node current routing metric | ETX value of the node |
| 3 | Beacon interval | Time lag between subsequent beacons sent by a node |
| 4 | CPU power | CPU energy consumption of the node for a clock cycle |
| 5 | LPM power | Low power mode energy consumption of node for a clock cycle |
| 6 | Transmit power | Power consumed in packet transmission for a clock cycle |
| 7 | Listen power | Listen energy consumption of a node for a clock cycle |

4.4 The role of LSTM (long short‑term memory)

Another feature important for assessing the security of IoT-LLNs is the timely arrival
of data packets. LSTM is well suited for the live prediction of time series data [43].
An LSTM cell consists of an input gate, a forget gate, and an output gate. The input
and output gates, through an activation function (usually logistic), decide the
percentage of the new input to be received by the cell and are used to compute the
output activation. The forget gate decides the percentage of the input to be retained
by the cell. This helps in avoiding the problem of vanishing gradient. The equations
to compute the value of the three gates and the cell are as described by the authors in [43].
LSTM may suffer from overfitting, which is avoided by the Dropout regularization
technique. In the present work, the role of the LSTM model is to capture the
temporal features of the IoT-LLN network. The model takes the arrival time of a
data packet at the sink node and predicts the next packet arrival time. If the true
next packet arrival happens beyond the predicted arrival time, it may be inferred
as an attack scenario. To demonstrate the strength of LSTM, we applied LSTM to
predict the next packet arrival when the IoT-LLN is under packet dropping attack
and compared it to the exponential smoothing technique suggested by the authors in
[44]. The model used has an LSTM cell history of 2 and the LSTM layer followed by
a Dense Layer of 2 units. The plot in Fig. 3b shows the packet arrival time predicted by
the LSTM model, whereas Fig. 3a depicts the next packet arrival time predicted by
exponential smoothing. It may be observed that the LSTM model can closely predict
the correct times after the attack while the exponential smoothing method diverges
completely. By this, we can conclude that the LSTM model is better suited than the
exponential smoothing method.

4.5 Routing attack prediction by the FNN model in the framework

The FNN takes the concatenated input from the LSTM model, GCN model, and the
warning impulse from the blockchain-based smart contract and predicts the state of
the IoT-LLN. The output layer of the FNN model produces the following four out-
puts as mentioned in Section 4:

1. P1, which is the probability of the IoT-LLN being under a resource attack (Type
1 Attack).
2. P2, which is the probability of the IoT-LLN to be under topological attack (Type
2 Attack).
3. P3, which is the probability of the IoT-LLN to be under traffic attack (Type 3
Attack).
4. Pn, which is the probability of the IoT-LLN to be in a normal scenario (No attack).

Fig. 3  Prediction of next packet arrival time

4.6 Performance evaluation of the proposed holistic framework

To evaluate the performance of the framework, we simulate the no attack, IRA,
DRA, and WPA scenarios for approximately one clock hour, which resulted in 5520
timestamps, 6166 timestamps, 5777 timestamps, and 5099 timestamps of data,
respectively. The results of the prediction made by the framework are depicted in
Fig. 4. In the plots, the time period is normalized for uniformity. The results depict
the probability of the IoT-LLN being under a normal (no attack) scenario or an
attack scenario as predicted by the FNN model in the holistic framework. It may be
observed from Fig. 4 that the framework is able to identify the correct scenario. The
case-wise analysis of the prediction is as follows:

1. Normal (No Attack) Scenario: It may be observed from Fig. 4a that initially, the
probabilities of the network being under normal and under type 2 attack scenario
are almost equal. This is because, initially, when the network is organizing itself,
the topology changes as the nodes become part of the network. Thus, initially, the
probabilities of the network being under normal scenario and under topological
attack (type 2 attack) are almost the same. As the network stabilizes, we see that
the probability of the network being under a normal scenario is correctly predicted
by the FNN.
2. Type 1 (Resource Attacks) Scenario: It may be observed from Fig. 4b that the
FNN model correctly identifies the IoT-LLN being under resource attack. As
discussed before in Sect. 4.2, it is often observed that one type of attack may
lead to other types of attacks. In the present case, the resource attack, i.e.,
the increased rank attack, eventually leads to a change in topology, which in turn
changes the traffic path as predicted by the model.
3. Type 2 (Topological Attacks) Scenario: From Fig. 4c, it may be observed that
the model correctly predicts type 2 attack, i.e., topological attack. The topological
attack considered in the present case for evaluation of the framework is the Worst
Parent Attack in which a node selects an inferior parent. As a result, the LLN
changes its topology, implying that the path of data packets also changes.
Consequently, there is a decrease in the probability of the LLN being under topological
attack and an increase in the probability of the LLN being under traffic attack.
Also, to instigate the WPA, the malicious node keeps probing the neighboring
nodes, which forces them to suspend their data forwarding. Instead, neighboring
nodes engage in responding to the malicious node, which explains the reason
behind the rise in the probability of the LLN being under a type 1 attack.
4. Type 3 (Traffic Attacks) Scenario: It may be observed from Fig. 4d that the
model correctly predicts the traffic attack over the simulation time. A traffic attack
often increases the consumption of network resources, which explains the reason
behind the FNN model giving a higher probability for a resource attack, that is, a
type 1 attack, at around one third of the simulation time.

Fig. 4  Performance of the proposed framework in detecting routing attacks in IoT-LLNs

From the prediction results, we observe that the FNN model leveraging the inputs
received from GCN and LSTM models as well as the smart contract in the proposed
framework predicts the IoT-LLN’s correct state. The model predicts various types of
attacks correctly. Additionally, it also predicts how a specific attack affects the other
properties of the network. For example, in the type 1 scenario, we observed that the
model correctly predicts the resource attack and later shows how the attack affects
the topology and the traffic of the network. The performance of the FNN model in
the proposed holistic framework in predicting the different classes of routing attack
is depicted in Table 3. The overall accuracy of the model is 77.49%.
It may be observed from Table 3 that the FNN model in the proposed framework
predicts the different classes of attacks with fair accuracy. The model predicts the normal
scenario with an accuracy of 94.5% and with high precision and recall values of 89%
and 88%, respectively. This ensures that the model will not falsely predict the IoT-LLN
to be under attack during normal functioning. In constrained networks, the resources
are minimal, and hence the timely prediction of resource attack is of utmost
importance. The proposed model predicts resource attacks with an accuracy of 82.46%. Also,
for smooth operation, a well-defined network topology and undisrupted traffic are
essential requirements. The accuracy achieved by the FNN model in predicting traffic
attack cases is 91.88%, and in predicting topological attack cases is 86.13%. It may be
observed from Table 3 that the recall and precision values of the resource and the
topological attacks are low in comparison to the traffic attack. The model’s accuracy in
predicting the traffic attacks is higher than the topological and resource attacks. In the
following subsection, we analyze the predictions of the model and the rationale behind
the obtained results.

Table 3  Prediction of normal and attacks scenario by the proposed framework

| Class | Accuracy (%) | Precision | Recall | F1-score |
|---|---|---|---|---|
| Type1: Resource attack (IRA) | 82.46 | 0.66 | 0.67 | 0.66 |
| Type2: Topological attack (WPA) | 86.13 | 0.65 | 0.74 | 0.69 |
| Type3: Traffic attack (DRA) | 91.88 | 0.9 | 0.81 | 0.85 |
| Normal scenario | 94.50 | 0.89 | 0.88 | 0.88 |

4.7 Analysis of the predictions

In this work, the type 1 attack considered is an Increased Rank Attack. As observed
from Fig. 4b, the model correctly gives a higher probability of a type 1 attack for
around 70% of the simulation time. As discussed before, in an Increased Rank Attack,
a malicious node increases its rank to choose a parent node with a rank higher than its
own. Consequently, nodes in the subtree of the malicious node and occasionally in its
vicinity have to select other nodes as a parent. As a result, there is a change in topol-
ogy and traffic paths. Therefore, as the simulation progresses, the model gives a similar
probability to all three attack types. Thus, the recall value of type 1 attack is less in
comparison to type 3 attack. The phenomenon of change in topology will be prevalent
in other resource attacks as well. For example, in the case of a version number attack,
the sink node reorganizes the network at the request of the victim nodes. Consequently,
the resource consumption increases because of the increase in the number of control
messages emitted by the nodes, and also, the topology and traffic path may change.
The Worst Parent Attack is used to test the framework for type 2 attacks. The WPA
results in topological suboptimization by malicious nodes choosing inferior parents. As
a result, the topology is disrupted, and traffic paths of the malicious nodes and the vic-
tim nodes change. This phenomenon is true for any other topological attack because
disruption in topology will always disturb the traffic paths. Therefore, the model pre-
dicts type 2 attacks as type 3 for a brief period of simulation time. In both cases of
resource and topological attacks, we observed that the attack results in traffic path alter-
ation. Thus, the model recalls the type 1 and type 2 attack events as type 3 attacks occa-
sionally, as shown in Fig. 4b, c.
Consequently, the recall and accuracy of resource and topological attacks are low
compared to traffic attacks. However, as observed from Fig. 4, the FNN model cor-
rectly gives higher probabilities to specific attack types and no attack cases during
the majority of the simulation time. It also captures how symptoms of one attack type
result in the symptoms of other attack types.

5 Comparison with existing literature on routing security in RPL‑based IoT‑LLNs

Recently, researchers have proposed routing attack detection using machine learning
and deep learning models. Simoglou et al. [45] in their survey examined
22 Intrusion Detection Systems for RPL and found that a holistic approach towards
routing attack detection in RPL-based IoT is missing. In [6], the authors proposed
a Self Organized Map neural network to cluster IoT data. They tested their pro-
posed mechanism with normal data, flooding attacks data, version number attack
data, and sinkhole attacks data. However, the authors did not discuss the results of
their mechanism in detail. The authors did not mention the accuracy of the proposed
mechanism. Also, the version number and flooding attacks have some common
behavior. The authors did not explain if the common characteristics of the attacks
were considered while clustering. The authors in [7] proposed an ensemble machine
learning model to detect routing attacks on data that comprised packet dropping,
flooding, and local repair attack data. They display high accuracy in attack detec-
tion. However, the authors have not specified if their proposed mechanism is able
to distinguish among the various categories of routing attacks. In our work, since
the proposed holistic framework for routing attack detection utilizes graph embed-
ding through GCN and LSTM to capture the network’s spatial and temporal fea-
tures, it is correctly able to identify and distinguish between the different types of
routing attacks. It also displays how an attack can impact various network elements
like resources, traffic, and topology. Recently, authors have proposed trust-based
mechanisms for attack detection [26, 32]. In such mechanisms, nodes collaboratively
determine secure communication paths and are not dependent on external
feedback. However, such mechanisms are vulnerable to malicious nodes propagating
false trust values, place heavy computational overhead on the constrained nodes, and
increase network overhead. The authors in [20, 46] have used a mechanism based
on the hash chain authentication scheme that restricts nodes from advertising false
version number and rank information in order to limit routing attacks. Such mecha-
nisms are unimplementable in real scenarios, as hash computation will drain node
power and memory resources. As a result, such mechanisms become vulnerable to
packet dropping attacks as well as hash chain attacks.

5.1 Threats to validity

In our work, the proposed holistic framework for routing attack detection can be
implemented at the edge network or cloud as it requires high computing resources.
Though edge computing reduces latency compared to the cloud and provides accu-
rate information about the state of the IoT-LLN, there will be a time gap before the
nodes in the IoT-LLN receive feedback about an attack prediction. However, in the
trust-based mechanism, nodes do not depend on external feedback but suffer from
resource consumption, packet dropping as well as false trust propagation. Therefore,
a trade-off analysis between the performance of the edge-based and trust-based
mechanisms with respect to attack detection accuracy and delay in providing feedback
to the nodes may be performed in the future. The IoT environment generates a huge
volume of data. As a result, the blockchain’s growing size will be a significant chal-
lenge not addressed in the proposed framework. A probable solution is to have a
multilevel blockchain architecture that decouples data and transactions.

6 Conclusion and future work

The inherent vulnerabilities of the RPL routing process make the IoT-LLNs sus-
ceptible to several attacks. This necessitates the requirement for a robust security
mechanism to be in place. Numerous efforts to enhance the existing RPL proto-
col in order to make it secure have failed to secure the IoT-LLNs against routing
attacks. Thus, the timely prediction of abnormal behavior and thwarting any pos-
sible attack scenario are particularly important. To this end, we proposed a frame-
work to predict routing attacks in RPL-based IoT-LLNs. The framework uses smart
contract fortified blockchains and deep learning models to enhance the routing secu-
rity of IoT-LLNs. Blockchain ensures the integrity of the IoT-LLN data fed to the
ensemble deep learning model. In our work, the smart contract in the blockchain
ensures secure preprocessing of the IoT-LLN data and produces warning impulses
on encountering abnormal trends in the network data. We further observed that deep
learning models like LSTM and GCN have great potential in capturing the temporal
and spatial features of graph-based networks like RPL-based IoT-LLNs.
We found that the proposed framework could correctly predict the state of the
network being under normal functioning or under attack. The FNN model in the
framework not only predicts the type of attack correctly but also predicts how a spe-
cific type of attack can impact the other properties of the network. In the future, the
scope of the proposed framework can further be narrowed down to specific attacks.
Another major challenge in the IoT environment is the volume of data generated
and the growing size of the blockchain. As a future enhancement, we can explore
an effective mechanism to analyze and address this challenge. A potential research
direction could be designing an efficient hierarchical architecture for the blockchain
network to handle the growing size of IoT data.

References
1. Winter T, Thubert P, Brandt A, Hui J, Kelsey R, Pister K, Struik R, Vasseur JP, Alexander R (2012)
RPL: IPv6 routing protocol for low-power and lossy networks, RFC 6550, March 2012
2. Kim HS, Ko J, Culler DE, Paek J (2017) Challenging the IPv6 routing protocol for low-power and
lossy networks (RPL): a survey. IEEE Commun Surv Tutor 19(4):2502–25
3. Raoof A, Matrawy A, Chung-Horng L (2018) Routing attacks and mitigation methods for RPL-
based Internet of Things. IEEE Commun Surv Tutor 21(2):1582–1606
4. Mayzaud A, Badonnel R, Chrisment I (2016) A taxonomy of attacks in RPL-based Internet of
Things. Int J Netw Secur 18(3):459–473
5. Kambourakis G, Kolias C, Stavrou A (2017) The mirai botnet and the iot zombie armies In: Pro-
ceedings of the IEEE Military Communications Conference (MILCOM), October 2017, pp 267–272

6. Kfoury E, Saab J, Younes P, Achkar R (2019) A self organizing map intrusion detection system for
RPL protocol attacks. IGI Glob JITN 11(1):30–43
7. Verma A, Ranga V (2019) ELNIDS: ensemble learning based network intrusion detection system
for RPL based Internet of Things. In: Proceedings of the 4th IEEE International conference on Inter-
net of Things: Smart Innovation and Usages, April 2019, pp 1–6
8. Sahay R, Geethakumari G, Modugu K, Mitra B (2018) Traffic convergence detection in IoT LLNs:
a multilayer perceptron based mechanism. In: Proceedings of the 2018 IEEE Symposium Series in
Computational Intelligence, 18–21 November 2018, pp 1715–1722
9. Hou M, Ren J, Zhang D, Kong X, Zhang D, Xia F (2020) Network embedding: taxonomies, frame-
works and applications. Comput Sci Rev 38:100296
10. Huston G (2015) The internet of stupid thing, Asia-Pacific Network Information Centre (APNIC)
Blog. 30 April 2015
11. Sahay R, Geethakumari G, Mitra B (2020) A novel blockchain based framework to secure IoT-
LLNs against routing attacks. Computing 102(11):2445–70
12. Pongle P, Chavan G (2015) A survey: attacks on RPL and 6LoWPAN in IoT. In: Proceedings of the
IEEE International Conference on Pervasive Computing (ICPC), January 2015, pp 1–6
13. Dohler M, Watteyne T, Winter T, Barthel D (2009) Routing requirements for urban low-power and
lossy networks. In: RFC 5548, May 2009
14. Kharrufa H, Al-Kashoash HA, Kemp AH (2019) RPL-based routing protocols in IoT applications: a
review. IEEE Sens J 19(15):5952–67
15. Vasseur JP, Kim M, Pister K, Dejean N, Barthel D (2012) Routing metrics used for path calculation
in low-power and lossy networks. In: RFC 6551 March 2012
16. Chen H, Perozzi B, Al-Rfou R, Skiena S (2018) A tutorial on network embeddings. arXiv preprint
arXiv:1808.02590
17. Shi M, Tang Y, Zhu X, Liu J, He H (2020) Topical network embedding. Data Min Knowl Disc
34(1):75–100
18. Teslya N, Ryabchikov I (2017) Blockchain-based platform architecture for industrial IoT. In:
Proceedings of the IEEE 21st Conference of Open Innovations Association, November 2017, pp
321–329
19. Christidis K, Devetsikiotis M (2016) Blockchains and smart contracts for the internet of things.
IEEE Access 4:2292–303
20. Dvir A, Buttyan L (2011) VeRA-version number and rank authentication in RPL. In: Proceedings of
the IEEE 8th International Conference on Mobile Adhoc and Sensor Systems (MASS), 17 October
2011, pp 709–714
21. Salehi M, Darehshoorzadeh A, Boukerche A (2015) On the effect of black-hole attack on opportun-
istic routing protocols. In: Proceedings of the 12th ACM Symposium on Performance Evaluation of
Wireless Ad Hoc, Sensor, and Ubiquitous Networks, November 2015, pp 93–100
22. Cirstea C, Cernaianu M, Gontean A (2012) Packet loss analysis in wireless sensor networks routing
protocols. In: Proceedings of the 35th IEEE International Conference of Telecommunication and
Signal Processing, 3 July 2012, pp 37–41
23. Le A, Loo J, Lasebae A, Vinel A, Chen Y, Chai M (2013) The impact of rank attack on network
topology of routing protocol for low-power and lossy networks. IEEE Sens J 13(10):3685–92
24. Ghaleb B, Al-Dubai A, Ekonomou E, Qasem M, Romdhani I, Mackenzie L (2018) Addressing the
DAO insider attack in RPL’s Internet of Things networks. IEEE Commun Lett 23(1):68–71
25. Kulaua U, Muller S, Schildtb S, Busching F, Wolf L (2021) Investigation & mitigation of the energy
efficiency impact of node resets in RPL. Ad Hoc Netw 114:102417
26. Khan ZA, Herrmann P (2017) A trust based distributed intrusion detection mechanism for Internet
of Things. In: Proceedings of the 31st International Conference on In Advanced Information Net-
working and Applications (AINA), March 2017, pp 1169–1176
27. Khan ZA, Ullrich J, Voyiatzis, AG, Herrmann P (2017) A trust-based resilient routing mechanism
for the internet of things. In Proceedings of the 12th International Conference on Availability, Reli-
ability and Security, August 2017, pp 1–6
28. Kamgueu PO, Nataf E, Ndie TD (2017) Survey on RPL enhancements: a focus on topology, secu-
rity and mobility. Comput Commun 120:10–21
29. Mayzaud A, Badonnel R, Chrisment I (2017) A distributed monitoring strategy for detecting version
number attacks in RPL based networks. IEEE Trans Netw Serv Manag 14(2):472–86
30. Raza S, Wallgren L, Voigt T (2013) SVELTE: real-time intrusion detection in the Internet of
Things. J Ad Hoc Netw 11(8):2661–2674

13
A holistic framework for prediction of routing attacks in…

31. Perrey H, Landsmann M, Ugus O, Schmidt TC, Wählisch M (2013) TRAIL: topology authentica-
tion in RPL. arXiv preprint arXiv:​1312.​0984
32. Airehrour D, Gutierrez JA, Ray SK (2019) SecTrust-RPL: a secure trust-aware RPL routing proto-
col for Internet of Things. Future Gen Comput Syst 93:860–76
33. Zaminkar M, Fotohi R (2020) SoS-RPL: securing Internet of Things against sinkhole attack using
RPL protocol-based node rating and ranking mechanism. Wirel Pers Commun 114:1287–1312
34. Sahay R, Geethakumari G, Mitra B (2020) A feedforward neural network based model to predict
sub-optimal path attack in IoT-LLNs. In: Proceedings of the 20th IEEE/ACM International Sympo-
sium on Cluster, Cloud and Internet Computing (CCGRID), May 2020, pp 400–409
35. Mahdavinejad MS, Rezvan M, Barekatain M, Adibi P, Barnaghi P, Sheth AP (2018) Machine learn-
ing for Internet of Things data analysis: a survey. Digit Commun Netw 4(3):161–75
36. Jagannath J, Polosky N, Jagannath A, Restuccia F, Melodia T (2019) Machine learning for wireless
communications in the Internet of Things: a comprehensive survey. Ad Hoc Netw 93:101913
37. Sahay R, Geethakumari G, Modugu K (2018) Attack graph-based vulnerability assessment of rank
property in RPL 6LOWPAN in IoT. In: Proceedings of the 2018 IEEE World Forum on Internet of
Things, 05–08 February 2018, pp 308–313
38. Zikria YB, Afzal MK, Ishmanov F, Kim SW, Yu H (2018) A survey on routing protocols supported
by the Contiki Internet of things operating system. Future Gen Comput Syst 82:200–19
39. Vasseur JP, Kim M, Pister K, Dejean N, Barthel D (2012) Routing metrics used for path calculation
in low-power and lossy networks. In: RFC 6551, March 2012
40. Essop I, Ribeiro J, Papaioannou M, Zachos G, Mantas G, Rodriguez J (2021) Generating data-
sets for anomaly-based intrusion detection systems in IoT and industrial IoT networks. Sensors
21(4):1528
41. Rouhani S, Deters R (2017) Performance analysis of Ethereum transactions in private blockchain.
In: Proceedings of the 8th IEEE International Conference on Software Engineering and Service Sci-
ence, November 2017, pp 70–74
42. Edwards M, Xie X (2016) Graph based convolutional neural network. arXiv preprint arXiv:​1609.​
08965
43. Jiang F, Fu Y, Gupta BB, Lou F, Rho S, Meng F, Tian Z (2018) Deep learning based multi-channel
intelligent attack detection for data security. IEEE Trans Sustain Comput 5(2):204–12
44. Sahay R, Geethakumari G, Mitra B, Thejas V (2018) Exponential smoothing based approach for
detection of blackhole attacks in IoT. In: Proceedings of the 12th IEEE International Conference on
Advanced Networks and Telecommunications Systems (ANTS), December 2018, pp 1–6
45. Simoglou G, Violettas G, Petridou S, Mamatas L (2021) Intrusion detection systems for RPL secu-
rity: a comparative analysis. Comput Secur 2:102219
46. Glissa G, Rachedi A, Meddeb A (2016) A secure routing protocol based on RPL for Internet of
Things. In: the Proceedings of the 2016 IEEE Global Communications Conference (GLOBECOM),
4 December 2016, pp 1–7

Publisher’s Note Springer Nature remains neutral with regard to jurisdictional claims in published
maps and institutional affiliations.
