ML-based NIDS to secure RPL from Routing
Attacks
Mohammed Aman Kareem
Department of Electrical and Computer Engineering
California State University, Fresno
2021 IEEE 11th Annual Computing and Communication Workshop and Conference (CCWC) | 978-1-6654-1490-6/21/$31.00 ©2021 IEEE | DOI: 10.1109/CCWC51732.2021.9375844
Fresno, USA
amankareem@mail.fresnostate.edu
Abstract—Low power and lossy networks (LLNs) devices
resource-constrained nature make it difficult to implement se-
curity mechanisms to defend against RPL routing attacks. RPLs
inbuilt security functions are not efficient in preventing a wide
majority of routing attacks. RPLs optional security schemes can
defend against external attacks, but cannot mitigate internal
attacks. Moreover, RPL does not have any mechanism to verify
the integrity of control messages used to keep topology updated
and route the traffic. All these factors play a major role in
increasing the RPLs threat level against routing attacks. In this
paper, a comparative literature review of various researchers
suggesting security mechanisms to mitigate security attacks
aimed at RPL has been performed and methods have been
contrasted.
Index Terms—IoT, 6LoWPAN, LLNs, RPL, NIDS for RPL
I. I NTRODUCTION
Low power and lossy networks consist of many devices with
scarce resources. These devices are resource-constrained in
terms of memory, power consumption, computational power,
etc. Because of their resource constraint nature, traditional
routing algorithms are not suitable for LLNs. 6LoWPAN
provides IPV6 based end-to-end connectivity to the resource
constraint devices in LLNs. However, to address the routing
protocol requirements of the LLNs Internet Engineering Task
Force (IETF) created a working group called Routing Over
Low Power and Lossy networks (RoLL). RoLL designed and
developed the routing protocol called Routing Protocol for
Low Power and Lossy Networks (RPL) to suffice the routing
needs of LLNs. RPL still faces many challenges with respect
to power consumption, latency, Mobility, QoS, Security, etc.
Of all these challenges, the security aspects of the RPL is
one of the major concerns for its wide adoption in real-time
implementations. IoT devices are known to sense, monitor, and
collect very sensitive and crucial information from the users
and that is why security plays a vital role in its successful
deployment. RPL provides optional security mechanisms but
these de-facto mechanisms cannot mitigate most of the routing
attacks faced by RPL.
The focus of this paper is to perform a comparative lit-
erature review of various research fraternities, compare their
proposed mitigation strategies to defend against RPL rout-
ing attacks, and identify the research gap. Two prevention
978-0-7381-4394-1/21/$31.00 ©2021 IEEE
Authorized licensed use limited to: Tsinghua University. Downloaded on June 16,2021 at 16:01:38 UTC from IEEE Xplore. Restrictions apply.
Shahab Tayeb
Department of Electrical and Computer Engineering
California State University, Fresno
Fresno, USA
tayeb@csufresno.edu
methods are possible to defend against routing attacks on
RPL i.e. Mitigation-based methods and Intrusion Detection
System (IDS). Mitigation-based schemes require some sort
of modifications to the RPL protocol or nodes participating
in the RPL topology. These modifications can increase the
load on already resource-constrained devices and may not be
scalable as the network grows. Furthermore, the Mitigation-
based scheme cannot tackle a wide variety of attacks with
minimum modifications. However, in the IDS approach, the
operations of IDS can be offloaded to different servers or
cloud services and can be performed majorly in parallel thus
reducing the computational load on IoT devices. Therefore,
in this paper, we will explore the Machine Learning based
Network Intrusion Detection System to overcome the routing
attacks on RPL.
The remainder of the paper is organized as follows: Section
II provides the background on RPL by discussing the technical
aspects, operations, and security threats aimed at RPL. In
Section III a comparative analysis of various schemes pro-
posed by different researchers to tackle RPL routing attacks is
performed, their work and methods are contrasted and results
have been highlighted. Section IV presents the method used
in this study and Section V summarizes this paper.
II. BACKGROUND
RPL is an acronym for Routing Protocol for Low Power
and Lossy Networks (LLNs). IETF’s working group called
RoLL created RPL tailoring it to match the requirements of
the LLNs. RPL operates at the network layer and uses the
distance-vector algorithm to perform routing functionalities.
In RPL, the network topology is organized as the Destination
Oriented Directed Acyclic Graph (DODAG) as shown in fig.1
below.
It’s called destination-oriented because the RPL topology
only has a single destination, and it is termed as directed
because the paths are highly directional and acyclic as the
network is a spanning tree with no cycles. In fig.1, node 1
marked as yellow is the root, and the rest of the nodes marked
in green are the participating nodes. The node from where the
arrow originates is the child, and the node where the arrow
terminates is the parent node. The RPL has four factors, and
they are as follows:
1000

Fig. 1. DODAG
1. DODAG ID
2. RPL Instance ID
3. DODAG Version Number
4. Rank
DODAG ID is the IPV6 based ID assigned only to the
root node, and it does not change as long as the root remains
the same. Every RPL instance has an RPL instance ID as in
RPL multiple instances can coexist. RPL instance ID along
with the DODAG ID is used to uniquely identify the DODAG
network. In the RPL DODAG version number is bound to the
orientation of the topology. Only the root node can update the
version number, and whenever the version number changes,
the topology rebuilds itself discarding any previous routing
information stored. The Rank property indicates the level of
the node with respect to the neighbors and it is also used to
select parents. Rank increases as we move away from the root
node and it decreases as we approach the root node.
A. RPL Control messages
RPL uses control messages to keep the DODAG updated,
pass the routing information among the nodes in the DODAG,
and to route the traffic. RPL uses four types of control
messages which are as follows:
1. DIO (DODAG Information Object)
2. DIS (DODAG Information Solicitation)
3. DAO (Destination Advertisement Object)
4. DAO-ACK (DAO Acknowledgement)
The DIO control message is used by the existing RPL
instance to announce its existence so that other new nodes
that are interested to join can discover it. The DIO message
consists of the Rank property, Objective function, and other
routing metrics that could help the new node in the decision
making such as Rank calculation and parent selection. The
DIS control message is used by the new node to discover the
RPL instance that it can join. The DAO message is sent by the
child node to the parent node requesting it to join as a child.
The DAO-ACK control message is sent by the parent node to
the child node in response to the DAO control message sent
by the child node.
B. Trickle Timer
RPL regularly exchanges control messages to route the
traffic, communicate the routing metrics among the nodes,
Authorized licensed use limited to: Tsinghua University. Downloaded on June 16,2021 at 16:01:38 UTC from IEEE Xplore. Restrictions apply.
Fig. 2. Root node starting DODAG construction by multicasting DIO control
messages
Fig. 3. Nodes 2 and 3 select the root node 1 as the parent
and to keep topology updated. Trickle timer controls how
frequently these control messages are exchanged. It tries to
keep the exchange of control messages to a minimum to reduce
energy consumption. Every node in the RPL topology has a
trickle timer, and when the timer expires the node transmits
the control messages.
C. Objective Function
In RPL, every node has the objective function and the
objective function along with the rank property is used by the
nodes to select the parent. There are two types of objective
functions, and they are as follows:
1. Objective function zero (OF0)
2. Minimum Rank with Hysteresis Objective Function
(MRHOF)
OF0 uses the rank property as the metric to select parents
whereas in MRHOF the routing metrics are configurable by the
programmer or designer such as minimize energy, minimize
latency, etc.
D. RPL Operation
In this section, we will discuss how RPLs control messages
are used in the formation of the DODAG topology. Let us con-
sider three nodes as shown in fig.2 where node 1 highlighted
in yellow is the root node. The root node starts the DODAG
creation by multicasting DIO messages to the neighboring
nodes. The DIO message consists of Rank, objective function,
and other routing metrics.
The neighboring nodes 2 and 3 after receiving the DIO
message compute their rank from the root node. They both
send a DAO control message to the root node requesting to
join as shown in fig.3. The root node sends DAO-ACK to
nodes 2 and 3 and hence establishes the path as shown in
fig.4 and fig.5 respectively.
Now consider two other nodes 4 and 5, the DODAG
multicasts again DIO messages to these nodes. After receiving
the DIO messages both nodes 4 and 5 learn their ranks with
respect to nodes 2 and 3 respectively as shown in fig.6.
Both nodes 4 and 5 select their parents based on the lowest
rank by sending DAO messages to their respective parents as
shown in fig.7.
1001
 Fig. 4. Root node 1 accepts node 2 and 3 as children

Fig. 8. Parent nodes 2 and 3 accept nodes 4 and 5 as children

Fig. 5. Node 2 and 3 join the root node 1 by establishing paths

Then the parent nodes 2 and 3 send DAO-ACK messages to

their children 4 and 5 and the routes are established as shown
in fig.8 and fig.9 respectively.
Now let us consider another node 6 which has not received
any DIO message from the RPL instance and to speed-up the
process node 6 sends a DIS control message to discover the
DODAG as shown in fig.10. After receiving the DIS message
the DODAG sends a DIO message to the node using which Fig. 9. New nodes 4 and 5 join the DODAG
node 6 learns its rank with respect to nodes 4 and 5 as shown
in fig.11.
Then the node 6 selects node 5 as the parent and the DAO
and DAO-ACK messages are exchanged between them and
finally, the route is established as shown in fig.12

E. RPL Routing Attacks

RPL suffers from a wide range of routing attacks, but in
this section, some important routing attacks which apply to
this study are discussed as follows:

Fig. 10. A new node 6 transmits a DIS control message to discover DODAG

Fig. 6. Nodes 2 and 3 multicast DIO control message to discover new nodes

Fig. 11. Existing DODAG responds with DIO message to new node 6
Fig. 7. New nodes 4 and 5 choose parents by sending DAO control messages

1002

Authorized licensed use limited to: Tsinghua University. Downloaded on June 16,2021 at 16:01:38 UTC from IEEE Xplore. Restrictions apply.

Fig. 12. New node 6 joins the DODAG
1. Blackhole attack:
In this type of attack, an attacker node drops all the
packets instead of forwarding them. The goal of this
attack is to launch a DoS attack. This attack can be
removed by RPLs self-healing mechanism, so it is alone
not very effective but, when it’s combined with other
attacks, the damage can be more grave.
2. Selective forwarding attack:
In this attack, the adversary forwards packets from
chosen protocols and drops the remaining packets. It is
also known as the Greyhole attack.
3. Sinkhole attack:
Here the attacker node uses fake routing metrics such as
the rank to deceive neighboring nodes into choosing it as
the preferred parent and route the traffic via it allowing
it to eavesdrop on the data.
4. Wormhole attack:
In this attack, two attacker nodes get together and
coordinate to form a link such that it is longer than
the regular path. Instead of sending traffic through the
regular path they route it via the established link and
hence inducing longer delays.
5. Clone ID attack:
In a Clone ID attack, the attacker node steals the identity
of a legitimate node to modify the data.
6. Sybil attack:
This attack is similar to the clone ID attack, but here the
attacker is capable of stealing multiple identities from
the legitimate nodes.
7. Hello flooding attack:
In this attack, an adversary with better range and routing
metrics such as a better rank transmits false DIO mes-
sages. The victim node after receiving the DIO message
with better metrics attempts to join the attacker node
which is out of range. It periodically makes this attempt
and ends up exhausting its resources and increasing the
network overhead.
8. Rank attack:
In this type of attack an attacker alters the rank attribute
by either changing the objective function or by changing
the rank directly. The goal of the attacker in this type
of attack is to deceive neighboring nodes using false or
Authorized licensed use limited to: Tsinghua University. Downloaded on June 16,2021 at 16:01:38 UTC from IEEE Xplore. Restrictions apply.
forged ranks so that the attacker can introduce delays in
the network.
9. Version number attack:
Here the attacker illegally modifies the version number
unnecessarily triggering the route build process and
hence increasing the resource consumption of the net-
work without any need.
10. Local repair attack:
The attacker unnecessarily starts the local repairs in
the network by falsely setting repair flags such as
“R”. This causes the child nodes to discard any stored
routing information and remove themselves from the
parent’s sub DODAG. This attack introduces loops and
inconsistencies in the DODAG topology.
III. L ITERATURE R EVIEW
In this section, a comparative literature review of the rele-
vant work by various research fraternities is performed. Their
proposed mitigation strategies are contrasted, and the results
are highlighted below.
Several authors examined the influence of version number
attacks on the RPL topology using different approaches.
From their study, it has been observed that packet-delivery-
ratio (PDR), control packet overhead, inconsistencies, and
loops have a strong correlation with the attacker’s position
whereas power consumption and delay do not correlate with
the attacker’s locale. During the simulation grid topology with
about less than 50 nodes was considered. A. Aris et al. [2]
implemented a probabilistic model in which the attack was
performed with different probabilities (i.e. 0, 0.3, 0.5, 0.7,
and 1) and by arbitrarily varying the attacker’s position. A
total of about 44 nodes which consisted of a combination
of both static and mobile nodes (No. of mobile nodes =
4, No. of static nodes = 38) was used. It was noted that
as the probability gets higher the chances of the attacker
getting detected rises and the network performance decreases.
However, only a single attacker with multiple probabilities was
used in their analysis. A. Dvir et al. [3] introduced the VeRA
scheme (Version number and rank authentication scheme) to
deal with the version number attacks. In this approach the
DIO control messages are bound with the digital signature to
validate their integrity. The time overhead of this approach is
found to be small, but this scheme was not verified under the
real-time deployment with a larger node size. Mayzaud A et
al. [4] have observed that as the attacker gets closer to the root
more loop formations and rank inconsistencies occur.
Few other authors evaluated the performance of the RPL
through simulation. Different simulation time and a varying
number of nodes were taken into account in their study. The
performance of the RPLs objective functions (i.e. objective
function zero - OF0 and minimum rank with hysteresis objec-
tive function - MRHOF) was also tested. A. N. Abbou et al. [6]
evaluated the objective functions with 18 different scenarios
using different combinations of nodes (i,e 30,60 and 120)
and simulation times (i,e 5min, and 10min). All nodes used
were stationary and they concluded that MRHOF outperforms
1003
OF0 in the long term and MRHOF is more complex but its
performance gets better over time. On the flip side, Foley
et al. [13] proposed the use of a machine learning-based
anomaly detection approach to defending the RPLs two objec-
tive functions against the combination of attacks (for example
Rank and Version attack, Rank and Blackhole attack, etc.).
They employed 5 types of classifiers (Naive Bayes, Support
vector machines, multilayer perceptron, Random forest, and
ZeroR) to detect any deviations related to power consumption
and other network metrics. They also developed a dataset
consisting of 24 attributes and 418 instances. Feature selection
was applied to the dataset which boosted the attack detection
rate by about 30%. Further, it was identified that the ensemble
voting technique using MLP and RF models is the most
appropriate implementation for the combined attacks detection
against the two objective functions. Moreover, Q. Zhang et al.
[5] aimed to enhance the RPL’s performance by improving
the coverage and QoS of IoT devices. They proposed the use
of layered network architecture and organizing the unmanned
aerial vehicles (UAVs) in the proposed architecture to meet
their goals. Additionally, the design of a low power optimal
routing algorithm (LLRA) for their layered network architec-
ture was also proposed. It was theoretically concluded that the
LLRA outperforms traditional routing algorithms (like AODV
and GPSR) with respect to average delay and packet delivery
ratio (PDR).
Many others investigated the impact of the Rank attack
and proposed strategies to mitigate attacks aimed at the rank
property of the RPL. The various solutions proposed here
require state management or additional monitoring nodes. The
nodes are required to perform calculations and analysis to
defend against the discussed attack. A. Le et al. [7] have
identified that in the presence of multiple attackers and areas
where the forwarding of control messages is high the impact
of the attack is more grave. On the other hand, Neerugatti
et al. [12] introduced the MLTKNN based on the K-nearest
neighbor technique to mitigate the above attack. This method
calculates the distance among nodes and further computes
the rank based on the distance metric. The computed rank
based on the distance metric and original rank is compared
to determine the malicious nodes. For the simulation, a total
of 30 nodes were used which consisted of 28 normal nodes,
1 attacker node, and 1 border router. This approach is found
to have high detection and a high delivery rate. Whereas A.
Le et al. [14] suggested the use of specification-based IDS to
prevent the attack. This approach employs statistical analysis,
finite state machines, and ML-based pattern recognition with
the help of additional monitoring nodes sniffing the com-
munication among neighbors. The simulation was performed
with a small number of nodes (node size = 12). In contrast,
David Airehrour et al. [18] contemplated a secure trust-aware
RPL protocol to deal with the issue. The proposed scheme
computes the trustworthiness of the neighboring nodes where
lower trust values indicate the malicious nodes. This scheme
also mitigates the Sybil attack and is scalable. The authors
compare the SecTrust-RPL and standard RPL by performing
Authorized licensed use limited to: Tsinghua University. Downloaded on June 16,2021 at 16:01:38 UTC from IEEE Xplore. Restrictions apply.
simulation with 30 nodes of which 3 were the attacker nodes.
With 60 minutes of simulation time, the packet loss rate in
the case of standard-RPL was 60-73% whereas in the case of
SecTrust-RPL it was found to be much lower i.e. 15-28%.
Further, some authors studied the machine learning-based
approach to design a network intrusion detection system
(NIDS) to secure RPL from routing attacks. The majority
of the authors here developed novel datasets and the various
machine learning algorithms such as deep learning, classi-
fication techniques, decision trees, supervised learning, etc
were studied in their approach to tackling a wide range
of routing attacks against RPL. For instance, A. Verma et
al. [8] proposed Ensemble learning-based NIDS to defend
against 7 types of routing attacks (i.e. Sinkhole, Blackhole,
Sybil, Clone ID, Selective forwarding, Hello flooding, and
Local repair attacks). Their approach applies four types of
classification techniques (i.e. Bagged Trees, Boosted Trees,
Subspace Discriminant, RUSBoosted Trees) with the help
of their self-developed dataset called RPL-NIDDS17. The
observations demonstrate that ensemble classifiers built on
Boosted Trees and RUSBoosted trees outshine with respect
to accuracy and area under the ROC and perform better than
AdaBoost and Random forest. On the contrary, S. Cakir et
al. [9] introduced a GRU-based deep learning algorithm to
mitigate the Hello flooding attack. Three different types of
datasets which they called SSN1, SSN2, and SSN3 were
used in the study and the deep learning operations were
performed on separate servers and hence avoiding any resource
consumption or computational loads on nodes. About 20% of
the data was used for testing and the rest was used for training
and the highest accuracy of about 99.96% was achieved. On
the other hand, M. Sharma et al. [10] applied the supervised
learning mechanism and generated a multi-class dataset by
applying feature reduction techniques to defend against four
types of routing attacks (i.e. Hello Flooding attack, DIS
attack, Increased version attack, and Reduced rank attack).
Feature reduction techniques optimized the dataset in terms
of complexity and energy consumption and a total of about
63.7% reduction was performed. To detect the attacks Naive
Bayes, Random forest, and C4.5 classifiers were employed on
the optimized dataset and the highest accuracy of 99.3% was
obtained with Random forest. Additionally, P. Shukla [19] and
Liu, J et al. [20] proposed the use of three different IDS based
on ML to mitigate against wormhole attacks and the use of the
NSL-KDD dataset to evaluate the impact of 7 different attacks
using 11 machine learning algorithms respectively. In the
former approach K-means clustering unsupervised learning,
Supervised decision tree and a 2-stage hybrid of both K-means
and the decision tree is applied to deal with wormhole attacks
by creating safe zones by learning the safe distance using
decision trees. When a router attempts to add a node outside
the safe zone, the wormhole attack is identified. During the
simulation, about 100-200 nodes were considered and were
organized in different topologies (i.e. Mesh, Ring, and Star).
Results indicate that the hybrid IDS significantly diminishes
the false positives and has a lower detection rate, but with more
1004
accuracy concerning the other two IDS. While in the latter
approach the authors used 11 machine learning algorithms
(i.e. AdaBoost, Random Forest, Decision Tree, Bagging, XG-
Boost, SVM, Naive Bayes, Bayes network, KMeans, and DB-
SCAN) to evaluate 7 attacks (i.e. SynFlood, Land, UDP flood,
Ping of Death, Smurf, IP sweeping and Port sweeping). In their
conclusion, they stated that Tree-based and ensemble methods
outperform others by attaining more than 96% accuracy.
Moreover, some researchers contemplated different cate-
gories of IDS for example anomaly-based, signature-based,
specification-based, and hybrid-based IDS to tackle various
routing attacks targeting RPL. Most of the proposed methods
here can be extended further to deal with other types of
attacks and are scalable. Some metrics considered in their
work are detection rate, accuracy, true positive rate, false-
positive rate, etc. The nature of the nodes considered in
their evaluation was static. Shahid Raza et al. [15] proposed
SVELTE IDS which implemented a combination of signature-
based and anomaly-based models to tackle sinkhole and se-
lective forwarding attacks. In this approach, two lists namely
whitelist and blacklist are maintained and nodes are added
to these lists based on their activity. A detection rate of
about 100% was observed for sinkhole attacks whereas in
the case of selective forwarding attacks this rate was in the
range of 80-100%. It was also stated that the alarming rate
might decrease as the network grows. Conversely, B. Farzaneh
[16] et al. and H. Bostani et al. [17] presented anomaly-
based and hybrid of the anomaly and specification-based IDS
respectively. In the former approach neighbor, and DIS attacks
are addressed by creating node profiles by monitoring the
node’s behavior. Any deviation from this normal profile is
termed as abnormal and indicates an attack. The IDS was
placed in a distributed manner and different network sizes
(20,30, 40 nodes) were considered during the simulation. A
true positive rate of 100% and a false positive rate of 0% was
obtained for the majority of the scenarios. Alternatively, in the
latter approach, a hybrid of anomaly-based and specification-
based methods is suggested to tackle selective forwarding,
sinkhole, and wormhole attacks. The router nodes are config-
ured with specification-based modules whereas the anomaly-
based modules are installed in root nodes. Anomaly-based
modules employ unsupervised optimum-path forest algorithm
based on the map-reduce architecture. It was simulated with
about 20 nodes and a total of 10 simulations were performed.
The sinkhole and selective forwarding attack detection showed
a TPR of 76.19% and an FPR of 5.92% whereas the wormhole
attack identification demonstrated a TRP of 96.02% and an
FPR of 2.08%.
Finally, a group of authors put forth various value-based
mechanisms for preventing RPL routing attacks. For example,
C. Thomson et al. [1] presented a threshold-based mecha-
nism for overcoming the DAO attack. The authors propose
two secure versions of RPL i.e. SecRPL1, and SecRPL2,
and compare them with standard RPL and InSecRPL (RPL
with no defense mechanism). In SecRPL1 the parent node
keeps track of the amount of DAOs sent by individual child
Authorized licensed use limited to: Tsinghua University. Downloaded on June 16,2021 at 16:01:38 UTC from IEEE Xplore. Restrictions apply.
nodes whereas in SecRPL2 the parent node tracks the total
DAOs forwarded by all child nodes combined. In a threshold-
based approach once a limit is reached further DAOs are
not forwarded for that interval. For simulation 50 nodes
of which 10 were attacker nodes distributed uniformly was
considered and the objective function used was MRHOF.
Results demonstrate that InSecRPL was adversely affected by
the attack and SecRPL2 outperforms SecRPL1. In the presence
of 10 attackers SecRPL1 when compared with the InSecRPL
decreases DAO overhead by 76.36% whereas the SecRPL2
reduces it by about 205%. Alternatively, B. Groves et al. [11]
introduced the Gini-based approach to deal with Sybil attacks.
In this approach nodes compute the dispersity and based
on this the attack is detected. The proposed approach was
compared with the fixed threshold-based scheme called CT
and it was found that the Gini-based approach performs better
than the CT method. Gini index-based mechanism detects the
Sybil attack with great accuracy and efficiency. This approach
also improves performance with respect to the detection rate,
energy consumption, and detection latency.
In conclusion, the majority of the work by various authors
reviewed here in this section employed static nodes with uni-
form distribution. Only a few authors in their work considered
nodes size greater than 100 whereas majorly the studies were
performed on about 10-50 nodes. The impact in the presence
of multiple attacker nodes was not evaluated by a large number
of authors. Moreover, no real-time implementations to verify
the proposed methods have been performed.
IV. R ESEARCH G APS
By studying the work of various research fraternities, it was
observed that only a few of them have used more than 100
nodes in their analysis, and most of the research work did
not take into account the mobility of the nodes. Moreover,
the presence of multiple attackers was also not considered in
the majority of the work. Furthermore, the majority of the
proposed schemes to prevent RPL attacks were not evaluated
in real-time. Another challenge researchers face is regarding
the availability of the dataset. Because of privacy issues,
many organizations cannot share real-time data from the IoT
networks that could help researchers in their further study.
V. M ETHOD
The approach followed in this paper is the comparative
analysis of the related work of different authors. Their pro-
posed methodology was compared and contrasted, used algo-
rithms were studied and analyzed. Further, common metrics
used to evaluate the performance of the proposed schemes
were compared and observations were made. The Pros and
cons of suggested strategies were also thoroughly discussed,
simulation trends, testbed set-up, and simulation parameters
were studied and compared. Moreover, the results of various
proposed methods were examined, compared and necessary
observations were made. It was also noted that there are two
possible approaches namely mitigation-based and IDS based
strategies to overcome the RPL routing attacks. The mitigation
1005
based schemes require some enhancement in the RPL design to
target a particular attack. They can prevent only a specific type
of attack by making some modifications in the implementation.
They cannot be extended to tackle different types of attacks.
Such a method also needs to manage and maintain the state
of the topology to function. It can be cumbersome to include
such modifications in the design to overcome a wide range
of attacks by taking into account different permutations and
combinations. This approach can increase memory consump-
tion, power consumption, computational loads, and design
complexity. On the other hand, the IDS approach can prevent
a wide variety of attacks and can also be extended to other
attacks easily. The IDS operations can be offloaded to a
different server and can majorly be run in parallel, hence
causing no overhead on the resource-constrained RPL devices.
IDS algorithms can easily be improved or changed with no
RPL design modifications. Therefore, by using the above
arguments we can justify the use of IDS to tackle RPL routing
attacks
VI. C ONCLUSION
In conclusion, this paper discussed and contrasted the dif-
ferent methods of various research fraternities to tackle RPL
routing attacks. The methods proposed by various researchers
should be examined using large network sizes under the
presence of multiple attackers and should also be further tested
and verified in a real-time setting. Tackling RPL’s security
issues are vital to the successful deployment of the RPL
protocol. RPL’s self-organizing nature, the absence of robust
security mechanisms in the design, and lack of methods to
verify the integrity of control messages being exchanged make
it vulnerable to a wide variety of security attacks.
R EFERENCES
[1] I. Wadhaj, B. Ghaleb, C. Thomson, A. Al-Dubai and W. J. Buchanan,
”Mitigation Mechanisms Against the DAO Attack on the Routing
Protocol for Low Power and Lossy Networks (RPL),” in IEEE Access,
vol. 8, pp. 43665-43675, 2020, doi: 10.1109/ACCESS.2020.2977476.
[2] A. Aris, S. F. Oktug and S. Berna Ors Yalcin, ”RPL version number
attacks: In-depth study,” NOMS 2016 - 2016 IEEE/IFIP Network
Operations and Management Symposium, Istanbul, 2016, pp. 776-779,
doi: 10.1109/NOMS.2016.7502897.
[3] A. Dvir, T. Holczer and L. Buttyan, ”VeRA - Version Number and Rank
Authentication in RPL,” 2011 IEEE Eighth International Conference on
Mobile Ad-Hoc and Sensor Systems, Valencia, 2011, pp. 709-714, doi:
10.1109/MASS.2011.76.
[4] Mayzaud A., Sehgal A., Badonnel R., Chrisment I., Schönwälder J.
(2014) A Study of RPL DODAG Version Attacks. In: Sperotto A.,
Doyen G., Latré S., Charalambides M., Stiller B. (eds) Monitoring and
Securing Virtualized Networks and Services. AIMS 2014. Lecture Notes
in Computer Science, vol 8508. Springer, Berlin, Heidelberg.
[5] Q. Zhang, M. Jiang, Z. Feng, W. Li, W. Zhang and M. Pan, ”IoT
Enabled UAV: Network Architecture and Routing Algorithm,” in IEEE
Internet of Things Journal, vol. 6, no. 2, pp. 3727-3742, April 2019,
doi: 10.1109/JIOT.2018.2890428.
[6] A. N. Abbou, Y. Baddi and A. Hasbi, ”Routing over Low Power
and Lossy Networks protocol: Overview and performance evaluation,”
2019 International Conference of Computer Science and Renewable
Energies (ICCSRE), Agadir, Morocco, 2019, pp. 1-6, doi: 10.1109/ICC-
SRE.2019.8807584.
[7] A. Le, J. Loo, A. Lasebae, A. Vinel, Y. Chen and M. Chai, ”The Impact
of Rank Attack on Network Topology of Routing Protocol for Low-
Power and Lossy Networks,” in IEEE Sensors Journal, vol. 13, no. 10,
pp. 3685-3692, Oct. 2013, doi: 10.1109/JSEN.2013.2266399.
Authorized licensed use limited to: Tsinghua University. Downloaded on June 16,2021 at 16:01:38 UTC from IEEE Xplore. Restrictions apply.
[8] A. Verma and V. Ranga, ”ELNIDS: Ensemble Learning based Network
Intrusion Detection System for RPL based Internet of Things,” 2019 4th
International Conference on Internet of Things: Smart Innovation and
Usages (IoT-SIU), Ghaziabad, India, 2019, pp. 1-6, doi: 10.1109/IoT-
SIU.2019.8777504.
[9] S. Cakir, S. Toklu and N. Yalcin, ”RPL Attack Detection and Prevention
in the Internet of Things Networks Using a GRU Based Deep Learning,”
in IEEE Access, vol. 8, pp. 183678-183689, 2020, doi: 10.1109/AC-
CESS.2020.3029191.
[10] M. Sharma, H. Elmiligi, F. Gebali and A. Verma, ”Simulating Attacks
for RPL and Generating Multi-class Dataset for Supervised Machine
Learning,” 2019 IEEE 10th Annual Information Technology, Electronics
and Mobile Communication Conference (IEMCON), Vancouver, BC,
Canada, 2019, pp. 0020-0026, doi: 10.1109/IEMCON.2019.8936142.
[11] B. Groves and C. Pu, ”A Gini Index-Based Countermeasure Against
Sybil Attack in the Internet of Things,” MILCOM 2019 - 2019 IEEE
Military Communications Conference (MILCOM), Norfolk, VA, USA,
2019, pp. 1-6, doi: 10.1109/MILCOM47813.2019.9021050.
[12] Neerugatti, Vikram and Mohan Reddy, A. Rama, Machine Learning
Based Technique for Detection of Rank Attack in RPL based Internet
of Things Networks (July 10, 2019). International Journal of Innovative
Technology and Exploring Engineering (IJITEE) ISSN: 2278-3075,
Volume-8 Issue-9S3, July 2019.
[13] Foley, J., Moradpoor, N., & Ochen, H. (2020). Employing a Machine
Learning Approach to Detect Combined Internet of Things Attacks
against Two Objective Functions Using a Novel Dataset. Security and
Communication Networks, 2020.
[14] A. Le, J. Loo, Y. Luo and A. Lasebae, ”Specification-based IDS for
securing RPL from topology attacks,” 2011 IFIP Wireless Days (WD),
Niagara Falls, ON, 2011, pp. 1-3, doi: 10.1109/WD.2011.6098218.
[15] Shahid Raza, Linus Wallgren, Thiemo Voigt, SVELTE: Real-time intru-
sion detection in the Internet of Things, Ad Hoc Networks, Volume 11,
Issue 8, 2013, Pages 2661-2674, ISSN 1570-8705.
[16] B. Farzaneh, M. A. Montazeri and S. Jamali, ”An Anomaly-Based
IDS for Detecting Attacks in RPL-Based Internet of Things,” 2019 5th
International Conference on Web Research (ICWR), Tehran, Iran, 2019,
pp. 61-66, doi: 10.1109/ICWR.2019.8765272.
[17] H. Bostani, M. Sheikhan, “Hybrid of anomaly-based and specification-
based IDS for internet of things using unsupervised OPF based on
mapreduce approach”, Computer Communications, Volume 98, 2017,
Pages 52-71, ISSN 0140-3664.
[18] David Airehrour, Jairo A. Gutierrez, Sayan Kumar Ray, SecTrust-RPL:
A secure trust-aware RPL routing protocol for Internet of Things, Future
Generation Computer Systems, Volume 93, 2019, Pages 860-876, ISSN
0167-739X.
[19] P. Shukla, ”ML-IDS: A machine learning approach to detect worm-
hole attacks in Internet of Things,” 2017 Intelligent Systems Con-
ference (IntelliSys), London, 2017, pp. 234-240, doi: 10.1109/Intel-
liSys.2017.8324298.
[20] Liu, J., Kantarci, B., & Adams, C. (2020). Machine Learning-Driven
Intrusion Detection for Contiki-NG-Based IoT Networks Exposed to
NSL-KDD Dataset. In Proceedings of the 2nd ACM Workshop on
Wireless Security and Machine Learning (pp. 25–30). Association for
Computing Machinery.
[21] A. Davis, S. Gill, R. Wong and S. Tayeb, ”Feature Selection for Deep
Neural Networks in Cyber Security Applications,” 2020 IEEE Inter-
national IOT, Electronics and Mechatronics Conference (IEMTRON-
ICS), Vancouver, BC, Canada, 2020, pp. 1-7, doi: 10.1109/IEMTRON-
ICS51293.2020.9216403.
[22] Airehrour, David, et al. “Secure Routing for Internet of Things: A
Survey.” Journal of Network and Computer Applications, vol. 66, May
2016, pp. 198–213. ScienceDirect, doi:10.1016/j.jnca.2016.03.006.
[23] H. Kharrufa, H. A. A. Al-Kashoash and A. H. Kemp, ”RPL-Based
Routing Protocols in IoT Applications: A Review,” in IEEE Sen-
sors Journal, vol. 19, no. 15, pp. 5952-5967, 1 Aug.1, 2019, doi:
10.1109/JSEN.2019.2910881.
[24] H. Kim, J. Ko, D. E. Culler and J. Paek, ”Challenging the IPv6 Routing
Protocol for Low-Power and Lossy Networks (RPL): A Survey,” in IEEE
Communications Surveys & Tutorials, vol. 19, no. 4, pp. 2502-2525,
Fourthquarter 2017, doi: 10.1109/COMST.2017.2751617.
[25] Anthéa Mayzaud, Rémi Badonnel, Isabelle Chrisment. A Taxonomy
of Attacks in RPL-based Internet of Things. International Journal of
Network Security, ACEEE a Division of Engineers Network, 2016, 18
(3), pp.459 - 473.
1006