Journal Pre-proof

Performance evaluation of mobile RPL-based IoT networks under version

number attack

Girish Sharma, Jyoti Grover, Abhishek Verma

PII: S0140-3664(22)00402-9
DOI: https://doi.org/10.1016/j.comcom.2022.10.014
Reference: COMCOM 7312

To appear in: Computer Communications

Received date : 25 July 2022

Revised date : 25 September 2022
Accepted date : 21 October 2022

Please cite this article as: G. Sharma, J. Grover and A. Verma, Performance evaluation of mobile
RPL-based IoT networks under version number attack, Computer Communications (2022), doi:
https://doi.org/10.1016/j.comcom.2022.10.014.

This is a PDF file of an article that has undergone enhancements after acceptance, such as the
addition of a cover page and metadata, and formatting for readability, but it is not yet the definitive
version of record. This version will undergo additional copyediting, typesetting and review before it
is published in its final form, but we are providing this version to give early visibility of the article.
Please note that, during the production process, errors may be discovered which could affect the
content, and all legal disclaimers that apply to the journal pertain.

© 2022 Elsevier B.V. All rights reserved.

 Journal Pre-proof

Revised Manuscript Click here to view linked References

Highlights
Performance Evaluation of Mobile RPL-based IoT networks under Version Number Attack
Girish Sharma,Jyoti Grover,Abhishek Verma

of
• Attacks in RPL based IoT. Why version attack?
• Analysis of version attack in mobile IoT.

• Performance evaluation using different metrics like Packet Delivery Ratio, Average End-to-End Delay, Power

pro
Consumption.
• Keywords: IoT, RPL, Version Attack, Security, 6LoWPAN, IPv6, PDR

re-
lP
rna
Jou
 Journal Pre-proof

Performance Evaluation of Mobile RPL-based IoT networks under

Version Number Attack
Girish Sharmaa,∗,1 , Jyoti Groverb,2 and Abhishek Vermac,3

of
a Malaviya National Institute of Technology, Jaipur JLN Marg, 302017, Rajasthan, India
a Manipal University Jaipur, Jaipur Dehmi Kalan, 303007, Rajasthan, India
b Malaviya National Institute of Technology, JLN Marg, Jaipur 302017, Rajasthan, India
c Indian Institute of Information Technology, Design and Manufacturing, Jabalpur, Airport Road, 482005, Madhya Pradesh, India

pro
ARTICLE INFO Abstract
Keywords: The Internet of Things (IoT) has a vital role in communication and has many cross-platform applica-
IoT tions which generate a massive volume of data. IoT interconnects various devices from small to big
RPL without the direct intervention of humans. The resource-constrained environment poses a significant
Version Attack problem in IoT applications, and it is challenging to develop secure applications. The Internet
Security community endeavours to cope with such challenges by developing different internet protocols. IETF
6LoWPAN ROLL working group standardised a mechanism called IPv6 over Low-Power Wireless Personal Area
IPv6 Networks (6LoWPAN) to carry IPv6 packets over IEEE 802.15.4. 6LoWPAN which supports the
PDR constrained environment uses the Routing Protocol for Low Power and Lossy Networks (RPL) as a
routing protocol. It is essential to secure such applications since the malicious attacker can breach

re-
the privacy and security of humans through a small device. Traditional security mechanisms are not
prominent in a resource-constrained context. Version attack is one of the most common attacks in RPL
based 6LoWPAN. The network becomes unstable due to the version attack, which results in a Denial
of Service attack. The integrity of the version number is not provided by RPL specifications, leading
to threats for IoT applications. The impact of a version number attack on an RPL-based network is
demonstrated in this study. The implications on the constrained network when the nodes are mobile
is the main objective of this paper. In many IoT applications nodes move and it is vital to address the
impact of mobility in a constrained environment. This paper investigates the network’s performance
in terms of packet delivery, delay, and power consumption in RPL based IoT when there is version
attack. Version attacks must be prevented as quickly as possible since they have the potential to
lP
significantly disrupt mobile networks. The main contribution of this research is a performance metric-
based analysis of mobile RPL-based IoT networks under attack.

1. Introduction adaption layer in the IoT architecture is an example that

run over resource-constrained nodes or devices [10, 35].
IoT has enabled ubiquitous computing in small de- IoT demands to develop lightweight applications where the
vices and connected these devices to the internet. Nowa-
constrained nodes could communicate in the constrained
days, developers are developing applications that could
networks. 6LoWPAN works between network and data link
rna

sustain in low power and lossy networks [32]. The resource-
constrained in terms of power, energy and memory is a big
challenge for the developer to make efficient and secure
IoT applications. Devices could communicate in multiple
ways, and there should be a secure way for transferring
the data [10] to the high end machines or the sinks. This
proliferation of data demands fast perspective analysis and
decisions for real-world applications.
There are many resource-constrained devices deployed
in the in IoT applications which demands lightweight, se-
Jou
layer to optimize IPv6 packets in resource-constrained net-
works. Because of the overhead involved, traditional rout-
ing techniques such as Adhoc On-Demand Distance Vector
(AODV), Open Shortest Path First (OSPF), and Dynamic
Source Routing (DSR) are not recommended in constrained
networks [60].
RPL, which was proposed by Internet Engineering Task
Force (IETF) ROLL group, provided a lightweight routing
solution for smart IP devices in 6LoWPAN [63]. Many IoT
resource-constrained applications like agriculture, remote

cure and mobile solutions. 6LoWPAN which serves as an

⋆
G. Sharma is with the Department of Computer Science & Engineer-
ing, Malaviya National Institute of Technology Jaipur, Rajasthan, India.
J. Grover is with the Department of Computer Science & Engineering,
Malaviya National Institute of Technology Jaipur, Rajasthan, India. A.
Verma is with the Computer Science & Engineering Discipline, PDPM
Indian Institute of Information Technology, Design and Manufacturing,
Jabalpur, Madhya Pradesh, India
∗ Corresponding author
2020rcp9012@mnit.ac.in (G. Sharma); jgrover.cse@mnit.ac.in (J.
Grover); abhiverma@iiitdmj.ac.in (A. Verma)
ORCID (s): 0000-0001-6093-6052 (G. Sharma); 0000-0001-9717-0441 (J.
Grover); 0000-0001-6687-4809 (A. Verma)
areas monitoring, military applications and the health care
industry use RPL protocol [3]. RPL has become a de-facto
protocol for the network layer and has become one of the
prominent protocols for routing in low power and lossy
networks (LLNs) [37, 61]
As IoT connects billions of devices [14] and it is in-
creasing every year, so it has become vital to address dif-
ferent attacks in IoT. The significant number of resource-
constrained devices and lossy networks makes the expanded
threat surface in the IoT. In recent years attackers have been
targeting IoT networks. The attackers are exploiting the IoT

G. Sharma, J. Grover, A. Verma: Preprint submitted to Elsevier Page 1 of 13

 Journal Pre-proof

Version Number Attack in RPL based Mobile 6LoWPANs

Table 1 2. This approach shows attack’s impact on different met-

List of Abbreviations rics like Packet Delivery Ratio (PDR), Power Con-
sumption and Average End to End Delay (AE2ED).
Abbreviations Definition 3. Intensive analysis is shown by varying the percentage
6LoWPAN IPv6 over Low-powered Wireless Personal of attacker nodes in mobile IoT at different hops.

of
Area Network. 4. The authors found that despite devices mobility being
IoT Internet of Things an important feature of the IoT, it has received remark-
RPL Routing Protocol for Low Power and
ably little attention in the research on RPL networks.
The study considers the mobility of the nodes in the
Lossy Networks
network.
AODV Adhoc On-Demand Distance Vector

pro
OSPF Open Shortest Path First
DSR Dynamic Source Routing 5. To examine the effect of attacks on devices and net-
IETF Internet Engineering Task Force works, most researchers have adopted a small network
DODAG Destination Oriented Direction Acyclic scenario. We increased the number of experimental
Graph nodes to 50 and examined various performance met-
DIO Destination information object rics using Contiki Cooja.
Analyzing IoT efficiency in a resource-constrained context
DIS DODAG Information Solicitation
DAO Destination Advertisement Object
MRHOF Minimum Rank with Hysteresis Objective
is the aim of this study. This research helps in figuring
Function out how the system reacts in dynamic network scenarios.
OF0 Objective Function Zero This will be useful for developing a network of endangered
animal species and for military applications. Security is a
VA
VAM re-
Version Attack with static sensor node
Version Attack with mobile sensor node top concern for these kinds of applications because they are
so crucial. IoT 4.0 is a growing industry, and it is a new
revolution, this increases the scope of our contribution. We
need to address attacks on IoT and their consequences on the
not only through communication medium but also through network.
small devices [15, 60]. In a research by Eyal Itkin et al. The remaining paper is organized as follows: Section 2
infected a network using a Fax Machine [18]. 6LoWPAN presents the details of RPL protocol and version number
is also not secure, and attackers try to exploit it too which
lP
attack. The related work and the security methods devised
could have drastic implication in lossy networks. This paper by different researchers specifically for RPL based attacks
focuses on the routing attacks specifically version number is summarized in section 3. Further, Section 4 shows the
attack in RPL based 6LoWPAN. RPL has its own set of metrics used for the performance analysis. Section 5 depicts
attacks based on network topology, traffic and resource the impact of the version attack with static and mobile nodes.
based. Due to the ad-hoc nature of IoT, detecting routing Section 6 discusses the impact of the version attack and why
attacks in RPL-based 6LoWPAN is extremely difficult. In it is important to detect and Section 7 concludes the paper
RPL based 6LoWPAN attacker tries to flood the network with some insights of implementation and future research
rna

with the unnecessary packets which impacts a lot in terms directions.

of performance, energy consumption and delay [13]. Ahmed
et. al [43] have presented a review of different attacks in
RPL based IoT networks and also discussed different IDS
systems for the attacks like signature-based, anomaly-based
and specification-based systems to detect attacks.
Many researchers around the world have proposed light-
weight security solutions for RPL [30, 38, 58, 59]. However,
attackers can attack constrained networks and devices due
to expanded vulnerabilities. This research aims to intensive
Jou
2. Background
This section discusses about the RPL protocol which
is one of the de-facto protocol for low power and lossy
networks. This part also provides the overview of version
number attack in RPL based 6LoWPAN.
2.1. Overview of RPL protocol

impact analysis of version number attacks on the RPL based
6LoWPAN where the nodes are static and mobile. This
attack is implemented by modifying the control message
packet and muticasting the modified packet in the network
which is explained in the section 2.2. Table 1 shows the
abbreviations used in this paper.
1.1. Contributions
This research contributes the following:
1. The analysis of version attack in RPL based 6LoW-
PAN while considering the mobility of the sensor
nodes.
Routing protocol for Low Power and Lossy Networks
in short RPL was designed to deal with lossy networks
which suffers from communication delay and constrained
resources. RPL has become very useful protocol in re-
source constrained environments like agriculture, remote
areas monitoring, military applications and many more [3].
RPL was designed to perform energy-efficient routing
in 6LoWPAN, which suffers from the lossy link, delay and
varying convergence of the networks. Fig. 1 shows embed-
ding of RPL which is the distance vector routing algorithm
with adaptation layer 6LoWPAN.

G. Sharma, J. Grover, A. Verma: Preprint submitted to Elsevier Page 2 of 13

 Journal Pre-proof
Version Number Attack in RPL based Mobile 6LoWPANs
of
pro
Figure 1: IoT Network Architecture with Adaptation Layer
RPL forms a loop-free topology based on Destination
Oriented Directed Acyclic Graph (DODAG) and specifies
routes between the nodes as shown in Fig. 2. The destination
node of the DODAG is known as border router or sink.
RPLInstanceID, DODAGID, and DODAGVersion are used
to identify a DODAG. RPL characteristics include auto-
configuration, self-healing, loop avoidance and detection,
sinks.
re-
link quality, establishing node rank and support for multiple
lP
rna
Figure 2: RPL Network
RPL ICMPv6 control messages are four types which
creates and maintains loop free topology and DODAG: (i)
Destination information object (DIO), (ii) DODAG Infor-
mation Solicitation (DIS), (iii) Destination Advertisement
Object (DAO), and (iv) Destination Advertisement Object
Acknowledgment (DAO-ACK). In RPL, an objective func-
Jou
tion (OF) defines how to establish node’s rank and to se-
lect the path. Various OFs in RPL include ETX Objective
function (ETXOF) [22], Minimum Rank with Hysteresis
Objective Function (MRHOF) [21], and Objective Function
Zero (OF0) [55]. The DIS message is used for finding of the
DODAG nodes. The DIO and DAO control messages which
run above the IPv6 advertise the downward and upward
routing information between the nodes and sink. The DAO
message is used for bi-directional communication in order
to keep track of the nodes visited on the way up. Except
for the root node, every node unicasts the DAO message
to send their descendants’ routing tables and advertise their
G. Sharma, J. Grover, A. Verma: Preprint submitted to Elsevier
addresses and prefixes to their parents. In response to a
unicast DAO message, a DAO recipient sends a unicast
DAO-ACK message [19]. The DIO message is used to create
a DAG and the message multicast through the DODAG.
In RPL, rank of a node helps in loop free routing and
resolves count to infinity problem. When nodes receive DIO
messages with a higher version number, they can raise their
rank. The “Trickle timer" is used for limiting the control
message and the timer is increased or decreased depending
on whether the DODAG is stable or inconsistent [56].
2.2. Version Attack
RPL which was primarily suggested for the low power
and lossy networks maintains the DODAG which comprises
of the RPLInstanceD, DODAGID. DODAGID is a unqiue
identifier for the DODAG root. When the network is formed
each DODAG has a unique Version which shows the current
iteration of the DODAG and this number increments over
the time when the root forms a new version of the DODAG
to reconfigure the network when there are lots of incon-
sistencies occur. This global repairs happens when there is
no parent for the node, links broken or the timer triggers
for the repair to maintain the integrity of the network. To
maintain the network topology, RPL uses different control
messages DIO (DODAG Information Object, DIS(DODAG
Information Solicitation) , DAO (Destination Advertisement
Object), DAO-ACK(DAO Acknowledgement) and depend-
ing on the objective function sensors select the parent node
and this forms the optimal path to the root node[1].
The root node is responsible to increment the version
number but if there is an attacker in the network then it could
increment the version number when it receives the DIO
message and the attacker sends the modified DIO message in
the network which enforces the DODAG reconfiguration and
re-computation. This makes inconsistency in the network
since most of the time root generates the control messages to
maintain the network with no throughput. Apart from this,
the packets generated by different nodes do not reach the sink
since the nodes do not have the current parent list because of
inconsistency.
The attacker node joins the network by transmitting
DIS and receiving DIO from the DODAG node. DODAG
may become inconsistent when an attacker joins a network,
depending on the type of attack, as in the case of a version
attack. This scenario is depicted in the Fig. 3. The attacker
changes the version number in the DIO message which
forces the re-formation of DODAG. The Fig. 3 depicts that
most of the time network tries to stabilizes itself but because
attacker changes the version number every time, the nodes
recomputes the DAG and the server node does not receive
the packet which decreases the packet delivery ratio. Further
it increases the power consumption and end to end delay
since the packets received by the attacker forwards them with
some delay or may not forward at all.
This routing attack has lot of impact on the network
which significantly drops the PDR, increases power con-
sumption. The impact can be increased by increasing the
Page 3 of 13
 Journal Pre-proof

Version Number Attack in RPL based Mobile 6LoWPANs

the procedure due to this network cannot become stable. In

constant time the attacker changes the version number. So,
this algorithm takes O(1) time to perform version attack.

of
3. Related Work
This section 3 discusses recent research that has shown
the impact and analysis in terms of packet delivery ratio,
end to end delay, power consumption specifically for version
attack. The latest study by Ahmet Arış et al. showed in their
paper [8] impact of multiple attackers on the performance

pro
Figure 3: Version Attack by multicasting DIO
number of attackers and adequately positioning the attack-
ers [34]. It is vital to address this attack as it is very easy to
implement and adversely affects the network.
This research takes internal node as an adversary node
re-
that participates in the creation of the network topology.
After the topology has been established, the node will begin
attacking once the network has stabilised. We analysed the
attack in different scenarios taking the attacker node at
different hops i.e. at one hop, two hop or hop from the sink
node which provides extensive results that we have shown
through different graphs.
The attack model shown in Fig. 3 is implemented as
lP
shown in Algorithm 1.
Algorithm 1 Version Attack
1: 𝑁𝑜𝑑𝑒𝑁 , 𝑁𝑜𝑑𝑒𝐴 , 𝑉 𝑒𝑟𝑁𝑢𝑚 ⊳ Legitimate, Attacker
Node, Version Number
2: procedure Version Attack
3: Time 𝑡 the 𝑁𝑜𝑑𝑒𝐴 joins network ⊳ Attacker Node
rna
of the network by taking into account different metrics
like PDR, attacker position, average delay, average power
consumption. Their paper showed that multiple attackers
only affect the packet delivery ratio and the attack adversely
affects the network if the malicious node is closer to the root
node.
We start our discussion with the paper by Congu Pu et.
al [42] who used the Gini Index model to mitigate the Sybil
attack. This technique uses Gini impurity to detect the DIS
attacker nodes, and the control message impurity increase
when there is a Sybil attack. The defence mechanism dis-
cards the DAO messages if it exceeds the threshold limit.
Although this solution is capable of identifying Sybil Attack
but not able to identify the attacker node.
par Sharma et. al [51] have proposed a technique for
simulating attacks for generating the dataset for multiple
attacks. They generated a dataset for Version attack, Hello
Flood attack, and decreased rank attack and identified 58
features to apply the machine learning algorithm to classify
attacks. Sarumathi et. al [36] have proposed an IDS system
for Sybil attack using the Artificial Bee Colony (ABC) in-
spired algorithm when the nodes are mobile. The IDS system
counts the number of control messages in the stipulated
period and calculates the timestamp between the message;
if it exceeds, the flag is set to check whether the event is

joins IoT malicious or legitimate. Wadhaj et. al [62] have proposed

4: 𝑁𝑜𝑑𝑒𝐴 ← 𝐷𝐼𝑂𝑀 mitigation of the DAO attack in RPL based IoT networks
5: 𝑉 𝑒𝑟𝑁𝑢𝑚 ← 𝐷𝐼𝑂𝑀 which restrict the number of DAO messages received from
⊳ Attacker extract version number from DIO Message the child node. If the limit crosses the threshold, no DAO
6: 𝑉 𝑒𝑟𝑁𝑢𝑚 ← 𝑉 𝑒𝑟𝑁𝑢𝑚 + + ⊳ Attacker changes the will be forwarded until the next time slot. This mitigation
version number of DAG technique can increase the PDR and reduce the effect of
7: 𝑁𝑜𝑑𝑒𝐴 𝑚𝑢𝑙𝑡𝑖𝑐𝑎𝑠𝑡 𝐷𝐼𝑂 the attack. The paper by Zahrah A. Almusaylim et al. [5]
8: 𝑁𝑒𝑖𝑔ℎ𝑏𝑜𝑟𝑖 ← 𝐷𝐼𝑂𝑀 ⊳ Neighbors receive DIO proposed a new RPL protocol named SRPL-RP and ana-
with changed version number lyzed the network by taking parameters like control packets,
9: ⊳ Whole network PDR, time, energy consumption. They also proposed the
Jou

𝑁𝑒𝑖𝑔ℎ𝑏𝑜𝑟𝑖 𝑚𝑢𝑙𝑡𝑖𝑐𝑎𝑠𝑡 𝐷𝐼𝑂

becomes unstale
10: 𝑅𝑒𝑝𝑒𝑎𝑡 𝑡ℎ𝑒 𝑝𝑟𝑜𝑐𝑒𝑑𝑢𝑟𝑒 𝑎𝑓 𝑡𝑒𝑟 𝑡𝑖𝑚𝑒 𝑡′ ⊳ The
attacker does not allow to network to become stable
11: end procedure
Algorith 1 shows how we implemented the version by
changing Contiki Operating Systems file. Every time the
attacker receives the DIO message, it changes the version
number and multicast it. The neighbour nodes do the same.
The root thinks that network has become unstable and resets
the trickle timer to reform the network. The attack repeats
mitigation of the version and rank attack. Their proposed
approach provides the 98.48% high PDR as compared to
other techniques like SRPL [20], VeRA [17] and it also
provides 1231.778 joules of average power consumption,
which is less as compared to other techniques. The approach
takes the rank of nodes and neighbours list of the nodes to
check the behaviour and depicts whether there is an attack.
A paper by Ahmet Aris et al. [8] provided some study
related to version attack with only four mobile nodes and
showed that PDR and control packet overhead depends on

G. Sharma, J. Grover, A. Verma: Preprint submitted to Elsevier Page 4 of 13

 Journal Pre-proof

Version Number Attack in RPL based Mobile 6LoWPANs

Table 2: Defense Mechanisms: IDS for RPL based IoT networks

S.No Reference Mechanism Description Limitations
1. Amin et al. Hybrid IDS Detects DoS attack in WSN. Signature part detects Energy consumption is
[6] 2009 (RIDES) using distributed pattern matching utilizing bloom fil- not studied.
(Signature and ters. Anomaly part utilizes CUSUM(Cumulative Sum

of
Anomaly) Control charts) to detect the network anomalies.
2. Kasinathan Signature Based To detect DoS attacks using Suricata open source IDS. No performance study
et al. [24] (DEMO) Uses Frequency Agility Manager to operate in different of the IDS. No mobility
2013 channels. considered.
3. Raza et al. Anomaly Based Detects Spoofed Informatio, Sinkhole and Selective Do not consider mobility
[45] 2013 (SVELTE) forwarding attacks. Based on Mapper, Analyzer and of nodes.

pro
Detector. Nodes sends the RPL information to Gateway.
Involves network graph inconsistency in IDS. Provides
less computational overhead
4. Zhang et al. Specification Detects routing choice intrusion. Uses FSM for moni- Only homogeneous
[64] 2015 Based toring nodes to implement normal and malicious states. nodes are considered.
Detects attack if any node sends DIO message with
lower ETX value.
5. Pongle and Anomaly Based Detects Wormhole attacks. Uses node’s and neighbor’s Lot of computation
Chavan [41] information to detect attack. Uses RSSI to detect at- and communication
2015 tacker nodes. overhead
6. Surendar Specification To detect Sinkhole attack in RPL. Cluster head acts Considers only homoge-

7.
and Uma-
makeswari
[54] 2016

Le et al. [29]
Based (InDReS)

Specification
re-
as monitoring node and counts the packet drops of the
adjacent nodes. Compare the ranks of the neighboring
nodes with the threshold value and detects the malicious
node.
Lacks in implementation and performance analysis.
neous nodes

No mobility considered.
2011, Based Extends works in their next paper by proposing EFSM
Le et al. [30] which detects Rank, Local Repair, DIS, Sinkhole at-
2016 tacks. EFSM created using Integer Linear Program-
lP
ming. By generating RPL trace files shows the legiti-
mate states with transitions
8. Lai [28] 2016 Specification Detects Wormhole attacks. Uses hop count to find rank PDR, E2ED, Power con-
Based metric and sees any node having unacceptable rank. sumption not analyzed.
Make DIO message is considered malicious if rank
increases the threshold.
9. Mayzaud Anomaly Based Detects DODAG inconsistency attacks. Two types of Considers only single at-
et al. [33] node: monitoring and monitored. Monitoring nodes tacker. Uses high order
2016 collect data and detects attacks in distributes manner. devices which adds cost
rna

overhead.
10. Mayzaud Anomaly Based Extends previous work by detecting Version attack. Col- Only one attacker is as-
et al. [31] laboration of monitoring nodes to transfer information sumed
2016 using multi instance network.
11. Mayzaud Anomaly Based Extends previous work by allowing monitoring nodes to No mobility considered.
et al. [34] send information to the root about who changed the Ver-
2017 sion number called Local Assessment. The Localization
algorithm deployed on the sink detects the attacker.
12. Mayzaud Anomaly Based To detect Selective Forwarding attack. Uses two Implementation
et al. [34] types of nodes: Gateway (Centralized node), overhead. No mobility
Jou

2017 Node(Distributed Module). Identifies probability considered.

of number of dropped packets. Decision step identifies
the malicious node and minimize FPR by utilizing
Sequential Probability Ratio Test.
13. Shreenivas Anomaly Based Extension to SVELTE. ETX metric for detecting ETX No mobility considered.
et al. [52] manipulation attacks by using node’s location and trans-
2017 mission limits.

G. Sharma, J. Grover, A. Verma: Preprint submitted to Elsevier Page 5 of 13

 Journal Pre-proof

Version Number Attack in RPL based Mobile 6LoWPANs

14. Bostani and Hybrid IDS Detects Sinkhole, Selective forwarding and Wormhole Not suitable for the en-
Sheikhan attacks. Specification module deployed on the router ergy constrained envi-
[12] 2017 nodes analyze their child nodes and sends the informa- ronment.
tion to the Gateway. Gateway uses anomaly approach
uses the Optimum path Forest Clustering on the incom-

of
ing packets from the router nodes.
15. Napiah et al. Signature Based Detects HELLO flood, Sinkhole and Wormhole attacks. Technique require high
[38] 2018 (CHA-IDS) Extracts the header data to detect attacks. Apply ML end machine. No mobil-
algorithms. ity considered.
16. Ioulianou Signature Based Detects DIS and Version Number attacks. Uses IDS Framework is not vali-
et al. [23] routers and IDS detectors(Sends malicious info to dated. No mobility con-

pro
2018 routers). sidered.
17. Shafique Specification Detects rank attack. Uses the node current rank, parent Accuracy decreases with
et al. [49] Based (SBIDS) rank, previous rank for detecting the malicious node by mobile nodes. Considers
2018 using the DAO message. mobile nodes.
18. Verma and Anomaly based Uses the dataset CIDDS-001 and apply K-Means and No real time solution.
Ranga [57] KNN ML techniques.
2018
19. Kfoury et al. Signature Based Detects Sinkhole, Version Number and HELLO flood- Lot of implementation
[25] 2019 (SOMIDS) ing attacks. Perform clustering of traffic classes using overhead. No mobility
Pcap files. Data aggregation on DIS, DAO, DIO, rank, considered.

20. Verma
Ranga
2019
and
[58]
Anomaly based
re-
version number change and mote power.
DetectsSinkhole, Blackhole, Sybil, Clone ID, Selective
Forwarding, Hello Flooding and Local Repair attacks
on RPL using NIDDS17 dataset. It uses ensemble clas-
sifiers.
Approach does not con-
sider mobility of nodes

21. Abhishek and Anomaly based Uses the datasets CIDDS-001, UNSW-NB15, and NSL- No real time solution. No
Virender [2] KDD to detect the attack DoS attack. Implements sev- mobility considered
2020 eral ML algorithms and measures the performance in
terms of accuracy, FPR, AUC etc.
lP
22 Pu [42] 2020 Gini Index Model EThis technique uses Gini impurity to detect the DIS at- Unable to identify the at-
tacker nodes, and the control message impurity increase tacker node
when there is a Sybil attack.
23. Agiollo et al. Hybrid IDS Uses dataset RADAR to detect around 14 routing at- No real time solution.
[3] 2021 tacks using NetSim. Anomaly part detects the malicious
node since it knows how node behaves when there is no
attacker. It uses AutoRegressive Integrated Moving Av-
erage (ARIMA) model. Signature part sees the specific
rna

patterns in the data. It uses Clone Identity, Change in

DODAG, Change in Version or Rank etc.
24 Stenhuis [53] Cryptography Stores encrypted keys of the members. This mechanism No proper performance
2021 based uses trusted third parties and the nodes responsible for analysis is depicted.
accessing the IEEE 802.15.4 network. Lightweight hash
generation without
using trusted third
parties makes the system
vulnerable.
25 Savva et al. Behaviour Based Identifies Jamming attack using PDR, ETX, Packets Analyses whether there
Jou

[48] 2022 Drop per terminal (PDPT) metrics as input to the fuzzy is Jamming attack. Does
system. Defuzzified output provides the percentage of not find the attacker
jamming of a node. node. Mobility is not
addressed
26 Kiran [26] Anomaly based Extension to SVELTE. DWA-IDS uses the Nmapper Mobility is not addressed
2022 and IDS module.
27 Sharma et al. Behaviour Based Analysis and mitigation of blackhole attack using sus- Do not consider mobile
[50] 2022 pect identification and verification. nodes. Only accuracy
metrics.
28 This Paper Analysis of Ver- Analysis of version attack in mobile and static environ- Considers mobile nodes.
sion Attack ment. Very useful in healthcare, military and species- Intensive analysis
tracking applications through metrics PDR,
AE2ED, Energy.

G. Sharma, J. Grover, A. Verma: Preprint submitted to Elsevier Page 6 of 13

 Journal Pre-proof

Version Number Attack in RPL based Mobile 6LoWPANs

how far the attacker node is and similar results when the Table 3
nodes are moving. Simulation Parameters
In this continuation Anthéa Mayzaud et al. [34] proposed
a distributed mechanism based on RPL to detect the version Parameters Value
attack and found that the average FPR rate decreases with the

of
Simulator Cooja (Contiki 3.0)
increase in monitoring node [34]. In the paper Ahmet Arıs et Simulation Time 1800 Seconds
al. [9]a lightweight mitigation technique for identifying the DODAG Root Rank 1
Version attack. In this mitigation technique, they proposed Scenario Dimension 200 * 200 𝑚2
that version number change could not be reflected by the Number of Sensor Nodes 10, 20,30,40,50
nodes which have a lower rank. Another more generalized Gateway Nodes 1
mitigation technique proposed irrespective of the attacker’s

pro
Mote Type Z1
position is based on the neighbours with better rank claiming Transport Layer Protocol UDP
the version number change. There proposed approach does RaDIO Medium Unit Disk Graph Medium
not consider the mobility of nodes where topology dynami- PHY and MAC Layer IEEE 802.15.4
cally changes. Transmission Range 50 m
A distributed approach is proposed by Ahmed et al. [4] Number of Attacker nodes 10% , 20%, 30%
to mitigate the version attack for the dense networks in RPL. Number of Mobile nodes 50%
The node that receives the changed version number sends
Speed of Node 1 to 2 m/sec
verification procedures to nodes 2-hop far away from it.
Data Packet Size 30 bytes
Cooperatively, all the nodes involved in the detection process
Data packet sending interval 60secs

re-
send their version number to the source. Collectively, it
decides to change or not to change the version number.
Osman et al. [39] proposed a machine learning based
version attack in RPL using Gradient Boosted Machines.
The approach generates the data-sets by simulating the sce-
There are many critical applications of IoT that run
over resource-constrained networks and need lightweight,
secure, scalable, and mobility supported solutions to main-
narios with and without attackers in Contiki cooja and tain user’s security and privacy [27, 46, 47]. 6LoWPAN is
generating the .pcap files. After pre-processing the data, one such example that run over resource-constrained devices
the Gradient Boosted Machines (GBM) is applied to know or nodes [10, 35]. In most of the proposed solutions, we
lP
whether the data is malicious or benign. could see that there is a lack of analysis where the nodes are
In his dissertation by Raoof [44] discusses mitigation mobile. But in today’s world, IoT consists of mobile nodes.
of different attacks in RPL based networks. The proposed These mobile nodes may drastically impact the network’s
approach is based on trust-based solutions using Chained performance in a constrained environment. This paper takes
Secure Mode (CSM) without mobility in the network. In a set of mobile nodes and multiple attackers and evaluates
the paper [7] by A. Arul Anitha discusses mitigation of performance using parameters like Packet delivery ratio,
version attack by comparing the version number with the Delay and power consumption.
root node’s version. If there is a mismatch, it invokes the
rna

validation phase where the node’s version is compared with

neighbours. The attacker node is identified by comparing the
version number and causes initiation of global repair. Again
it does not consider mobility in the network. The paper [53]
by Ruben et al. discusses a cryptography-based solution for
the Sybil attack. This mechanism uses trusted third parties
and the nodes responsible for accessing the IEEE 802.15.4
network. But The lightweight hash generation without using
trusted third parties makes the system vulnerable.
Researchers have come up with a lot of solutions to
Jou
4. Performance Metrics
This study primarily focuses on the behaviour of the
network with mobility and version attack for RPL in 6LoW-
PAN. This analysis was performed using Contiki [16] Cooja
[40] which is one of the open source tool to emulate the
network and primarily built for IoT based networks i.e. for
constrained environments. Contiki has gained lot of attention
in the research community since it is lightweight and gives
lots of possibilities to make changes in the existing code and

detect and mitigate version number attacks and other RPL
specific attacks using behaviour based and anomaly-based
approaches. Some researchers also proposed cryptography
based, trust-based solutions but these solutions are not
prominent in the resource limited networks. Some of the IDS
proposed by the researchers is summarized in the Tab. 2. But
most of the solutions do not include the mobility of nodes in
the network. This paper focuses on version number attack
by considering nodes’ mobility and shows the efficiency
metrics by varying the number of attacker nodes.
rebuild the operating system with better algorithms.
Table 3 depicts the simulation parameters on which
the network behaviour analysis is carried out. Experimental
results show that there is significant impact of mobility in
6LoWPAN networks. This study which aims to analyze the
network behaviour when there are attackers in the network
have the following objectives
1. Performance analysis using parameters such as Packet
Delivery Ratio, End to End Delay, Power Consump-
tion etc. in non attacking mode

G. Sharma, J. Grover, A. Verma: Preprint submitted to Elsevier Page 7 of 13

 Journal Pre-proof
Version Number Attack in RPL based Mobile 6LoWPANs
2. Impact of Version Attack on the PDR, Delay and
Power Consumption
3. Analysis of network with mobility and Version attack
which is the main objective of this paper.
of
All the simulations were carried out for 15 minutes so
that real impact on the network could be traced. We assume
that 50% of the nodes are mobile and rest are static. We
therefore thoroughly examined a hybrid network. We also
assume that attacker node is static which compromises the
nodes sitting around it.
pro
4.1. Performance Evaluation Parameters
This simulation uses the metrics such as Packet Delivery
Ratio, Power Consumption and End to End delay to see the
impact of mobility with version attack on the performance.
Formulae for these metrics is explained as below.
• Packet Delivery Ratio is calculated as:
𝑁𝑢𝑚𝑏𝑒𝑟 𝑜𝑓 𝑃 𝑎𝑐𝑘𝑒𝑡𝑠 𝑅𝑒𝑐𝑒𝑖𝑣𝑒𝑑 𝑎𝑡 𝑆𝑖𝑛𝑘
𝑃 𝐷𝑅 =
𝑁
∑
𝑖=1
re-
𝑃 𝑎𝑐𝑘𝑒𝑡𝑠_𝑆𝑒𝑛𝑡_𝐵𝑦_𝑁𝑜𝑑𝑒𝑖
This is the fraction of packets received by the Gateway
and the total number of packets sent by sensor nodes.
• Average end to end delay is calculated as:
lP
𝑁
∑ PDR.
𝑃 𝑎𝑐𝑘𝑒𝑡𝐷𝑒𝑙𝑎𝑦𝑖
𝑖=1
𝐸2𝐸𝐷 =
𝑇 𝑜𝑡𝑎𝑙_𝑃 𝑎𝑐𝑘𝑒𝑡𝑠𝑅𝑒𝑐𝑒𝑖𝑣𝑒𝑑 𝑆𝑢𝑐𝑐𝑒𝑠𝑠𝑓 𝑢𝑙𝑙𝑦
This depicts the ratio of the time taken by each
successfully delivered packet to the Gateway to the
number of packets without considering the unsuccess-
rna
ful packets.
• Power Consumption
𝐸𝑛𝑒𝑟𝑔𝑦𝑐 = (𝐶𝐶𝑃 𝑈 + 𝐶𝐿𝑃 𝑀 + 𝐶𝑇 𝑋 + 𝐶𝑅𝑋 ) 𝑚𝐽 (1)
𝐸𝑛𝑒𝑟𝑔𝑦𝑐
𝑃 𝑜𝑤𝑒𝑟 = 𝑚𝑊 (2)
Jou
𝑇 𝑜𝑡𝑎𝑙𝑡𝑖𝑚𝑒
The power consumption is calculated for different
states of the node i.e. radio is on/off, micro-controller
is receiving or transmitting signals or micro-controller
is in low power mode
5. Results Analysis
This section describes the performance evaluation and
analysis with and without version attack and also describes
how much impact on the performance of the network when
the nodes are mobile. The Contiki Operating System’s files
G. Sharma, J. Grover, A. Verma: Preprint submitted to Elsevier
were modified to implement the version attack primarily the
rpl-icmp6.c file. The experiments were done using different
number of nodes.
The Zoletia Z1 mote, which we used to build the IoT,
contains 92KB of ROM and 8KB of RAM [65]. The version
attack we have implemented fits comfortably inside the
capabilities of the Z1 mote. In order to function, this im-
plementation makes changes to the files used by the Contiki
OS. We build a network with both good legitimate and
malicious nodes. Increasing the percentage of malicious
nodes illustrates the implications. The findings are described
in greater detail in Sections 5.1 5.2 5.3. These findings
demonstrate a significant effect on Packet delivery Ratio,
Average End-to-End Delay, and Power Consumption as the
number of attacker nodes increases.
5.1. Result Analysis: Packet Delivery Ratio
Figure 4 shows the average PDR when all nodes are
static w.r.t varying the number of nodes. The impact of the
attack can be seen clearly when the percentage of attacker
node increases, the PDR goes down drastically. This also
proves that the attacker position and number of legitimate
nodes in its proximity impacts the PDR. When an attacker
node compromise the legitimate nodes, there is a significant
change in PDR. Most of the time network tries to reconfigure
itself since attacker node changes the version number. The
root node has to rebuild the network by resetting the trickle
timer. As a result, the packets transmitted by the sensor
nodes to the root node are not received, which lowers the
Figure 4 also shows that as the number of nodes increases
in the network, the PDR drops significantly since the net-
work becomes more congested and if the attacker node is
closer to the root node, it will change the version number and
forcefully lets the root node to reconfigure the network. The
mobility of the nodes itself could reduce the PDR. Figure 5
shows that mobility with the attacker node reduces the PDR
significantly and the graph also reflects the increase in the
PDR in certain cases for e.g. when N=40 there is increase
in PDR which is due to random moves of the nodes and
sometimes it is quite possible that while moving if the nodes
are closer to the root then they will be surely able to deliver
packets to the root node. Apart from this, it also depends on
the random scattering of the nodes and distance from the root
node.
The above result analysis is satisfied by the Fig. 6. This
histogram depicts the PDR by combining the results of the
static and mobile scenarios. There is a significant drop in the
PDR when the nodes are moving. In the figure the abbrevia-
tions VA and VAM are for Version Attack with Static Nodes
and Version Attack with Mobile Nodes respectively.
5.2. Result Analysis: Average End to End Delay
Another important parameter to analyse the impact of
attackers is end to end delay. Figure 7 shows the change in
the delay w.r.t increase in number of nodes. When there is
no attack, the delay is very low but when the % of attacker
node increases at the different hops, the latency increases and
Page 8 of 13
 Journal Pre-proof

Version Number Attack in RPL based Mobile 6LoWPANs

of
pro
Figure 4: Packet Delivery Ratio: Static Nodes

re-
lP
Figure 5: Packet Delivery Ratio: 50% of the Mobile Nodes

This explanation is further extended as shown in the

Figure 8 when the nodes are mobile. For the same random
seed of the network, there is a notable increase in the delay
which is more than 50%.
rna

5.3. Result Analysis: Power Consumption

In the constraint environment like IoT, the network
resources including power consumption should be man-
aged efficiently and effectively. Power consumption analysis
shown in the graphs 9 shows that when the nodes are static
and the % of the attacker node is increased, the power
consumption also increases and it is very significant when
the attackers are close to the sink node i.e at 1-hop. Another
important conclusion from the graph is that as the density of
the network increases, power consumption reduces which is
Jou

Figure 6: Impact on PDR with and without Mobility

it is more prominent at the 1-Hop distance. If the attacker
is close to the root, most of the packets are not delivered
successfully since the attacker changes the Version Number
of the DODAG and root becomes busy in re-configuring
the network. As illustrated in the figure, at 2-Hop and 3-
Hop distances from the attacker node, the latency decreases
because more packets reach the Gateway, hence reducing the
end-to-end delay.
obvious since there are many neighbors which could forward
the packets with the shortest path, thereby reducing the
power consumption.
We can also observe the impact on the power consump-
tion when the nodes are mobile as shown in Figure 10. In
general for the same scenarios, power consumption increases
for the mobile network as compared to the static ones. It is
maximum when the attacker is at 1-hop distance

G. Sharma, J. Grover, A. Verma: Preprint submitted to Elsevier Page 9 of 13

 Journal Pre-proof

Version Number Attack in RPL based Mobile 6LoWPANs

of
pro
Figure 7: Average End to End Delay: Static Nodes

re-
Figure 8: Average End to End Delay: Mobile Nodes
lP
6. Discussions drops significantly when nodes are mobile and its impact
will depend on the attacker position of the attacker as well.
The results that we achieved experimentally in these
End to end delay is very high when the nodes are mobile
scenarios shows that mobility results in lot of consumption
and the figures shows that at it is quite large at 1-hop with
of resources in terms of power, number of hops to reach the the increase in number of attackers. Similarly we can also
destination for the packets (delay). The nodes were moved conclude for power consumption which increase with the
using the random waypoint model [11]. The purpose of this mobility of nodes. This paper tries to show the intensive
rna

paper was to analyse version attacks using various attack

analysis for different metrics in the RPL based mobile net-
scenarios. Version attack is simple to carry out but challeng-
works and provide suggestions that any IDS should include
ing to identify in RPL-based IoT. Therefore, it is crucial to
mobility in their solutions, since in the real world practical
comprehend how this attack behaves, which mostly results applications include mobile devices. As a future work we
in an increase in the network’s control message. would work upon implementing an IDS which addresses and
The impact of version attacks with varying proportions mitigates multiple RPL specific attacks. The RPL specific
of attacker nodes that are mobile and static is also demon-
attacks are shown in the Fig. 11. We also intend to implement
strated in this research, illustrating the hybrid network. PDR
Jou

Figure 9: Average Power Consumption: Static Nodes

G. Sharma, J. Grover, A. Verma: Preprint submitted to Elsevier Page 10 of 13

 Journal Pre-proof
Version Number Attack in RPL based Mobile 6LoWPANs
of
pro
Figure 10: Average Power Consumption: Mobile Nodes
re-
lP
Figure 11: RPL Specific Attacks in 6LoWPAN
rna
Jou
Figure 12: Memory Requirement: Version Attack
various attacks to create a dataset. This dataset will be useful
in determining the network’s behaviour and detecting the
particular attack.
6.1. Implementation Overhead
Zolertia Z1 mote has 8KB of RAM and 92KB of
ROM [65]. We incorporated an attack on ContikiRPL and
performed analysis of the attack. It can be observed in
Figure 12 that we are able to attack the network within
G. Sharma, J. Grover, A. Verma: Preprint submitted to Elsevier
the constrained of gateway and client Z1 mote. With this
significantly less overhead, we can implement the version
number attack easily in both static and mobile networks.
7. Conclusion and Future Work
In this study, we showed the impact on different metrics
when there is version attack. The results show that there is a
drastic drop in PDR. When the mobile nodes are introduced,
some scenarios show high PDR, and it is quite intuitive
because of mobility of nodes. Similarly, the average end to
end delay increases with mobility of nodes. Similarly, as
we increased the number of nodes in the network, power
consumption decreases because the network becomes dense
and the nodes are near to each other. This makes nodes to
have multiple neighbours to route a packet. This work can
be extended for other different types of attacks like Rank
Attack, Hello Flood attack, Hatchetman attack with mobility.
As a future work, different attack with mobility will be
implemented and data will be used for implementing the
Intrusion Detection System. In the 6LoWPAN based IoT, the
defense mechanism should be lightweight to be incorporated
within the Contiki-RPL which is lossy in nature. The future
work also aims for mitigating the attacks keeping the mobil-
ity scenario in the RPL based networks.
References
[1] Zahrah A Almusaylim, NZ Jhanjhi, and Abdulaziz Alhumam. De-
tection and mitigation of rpl rank and version number attacks in the
internet of things: Srpl-rp. Sensors, 20(21):5997, 2020.
[2] Verma Abhishek and Ranga Virender. Machine learning based
intrusion detection systems for IoT applications. Wireless Personal
Communications, 111(4):2287–2310, 2020.
[3] Andrea Agiollo, Mauro Conti, Pallavi Kaliyar, TsungNan Lin, and
Luca Pajola. Detonar: Detection of routing attacks in rpl-based iot.
IEEE Transactions on Network and Service Management, 2021.
[4] Firoz Ahmed and Young-Bae Ko. A distributed and cooperative veri-
fication mechanism to defend against dodag version number attack in
rpl. In PECCS, pages 55–62, 2016.
[5] Zahrah A Almusaylim, Abdulaziz Alhumam, Wathiq Mansoor, Push-
pita Chatterjee, and Noor Zaman Jhanjhi. Detection and mitigation of
rpl rank and version number attacks in smart internet of things. 2020.
[6] Syed Obaid Amin, Muhammad Shoaib Siddiqui, Choong Seon Hong,
and Sungwon Lee. Rides: Robust intrusion detection system for ip-
based ubiquitous sensor networks. Sensors, 9(5):3447–3468, 2009.
Page 11 of 13
 Journal Pre-proof
Version Number Attack in RPL based Mobile 6LoWPANs
[7] A Arul Anitha and L Arockiam. Venadet: Version number attack
detection for rpl based internet of things. Solid State Technology, 64
(2):2225–2237, 2021.
[8] Ahmet Arış and Sema F Oktuğ. Analysis of the rpl version number
attack with multiple attackers. In 2020 International Conference
of
on Cyber Situational Awareness, Data Analytics and Assessment
(CyberSA), pages 1–8. IEEE, 2020.
[9] Ahmet Arış, Sıddıka Berna Örs Yalçın, and Sema F Oktuğ. New
lightweight mitigation techniques for rpl version number attacks. Ad
Hoc Networks, 85:81–91, 2019.
[10] Ankur O Bang, Udai Pratap Rao, Pallavi Kaliyar, and Mauro Conti.
Assessment of Routing Attacks and Mitigation Techniques with RPL
pro
Control Messages: A Survey. ACM Computing Surveys (CSUR), 55
(2):1–36, 2022.
[11] Christian Bettstetter, Hannes Hartenstein, and Xavier Pérez-Costa.
Stochastic properties of the random waypoint mobility model. Wire-
less networks, 10(5):555–567, 2004.
[12] Hamid Bostani and Mansour Sheikhan. Hybrid of anomaly-based
and specification-based ids for internet of things using unsupervised
opf based on mapreduce approach. Computer Communications, 98:
52–71, 2017.
[13] Ismail Butun, Patrik Österberg, and Houbing Song. Security of
the internet of things: Vulnerabilities, attacks, and countermeasures.
IEEE Communications Surveys & Tutorials, 22(1):616–644, 2019.
[15] CISOMAG.
you feel less secure.
re-
[14] Erdem Canbalaban and Sevil Sen. A cross-layer intrusion detection
system for RPL-based Internet of Things. In International Conference
on Ad-Hoc Networks and Wireless, pages 214–227. Springer, 2020.
10 iot security incidents that make
https://cisomag.eccouncil.org/
10-iot-security-incidents-that-make-you-feel-less-secure/.
Accessed: 2020-01-10.
[16] Adam Dunkels, Bjorn Gronvall, and Thiemo Voigt. Contiki-a
lightweight and flexible operating system for tiny networked sensors.
In 29th annual IEEE international conference on local computer
lP
networks, pages 455–462. IEEE, 2004.
[17] Amit Dvir, Levente Buttyan, et al. Vera-version number and rank
authentication in rpl. In 2011 IEEE Eighth International Conference
on Mobile Ad-Hoc and Sensor Systems, pages 709–714. IEEE, 2011.
[18] Yannay Livneh Eyal Itkin and Yaniv Balmas. Faxploit: Sending
fax back to the dark ages. https://research.checkpoint.com/2018/
sending-fax-back-to-the-dark-ages/. Accessed: 2018-08-12.
[19] Olfa Gaddour and Anis Koubâa. RPL in a nutshell: A survey.
Computer Networks, 56(14):3163 – 3178, 2012. ISSN 1389-1286.
rna
[20] Ghada Glissa, Abderrezak Rachedi, and Aref Meddeb. A secure rout-
ing protocol based on rpl for internet of things. In 2016 IEEE Global
Communications Conference (GLOBECOM), pages 1–7. IEEE, 2016.
[21] Gnawali and Levis. The minimum rank with hysteresis objective
function (MRHOF). IETF, CA, USA, RFC, 6719, 2012.
[22] O Gnawali and P Levis. The ETX Objective Function for RPL,” draft-
gnawali-roll-etxof-01. URL https://tools. ietf. org/html/draft-gnawali-
roll-etxof-00, 2010.
[23] Philokypros Ioulianou, Vasileios Vasilakis, Ioannis Moscholios, and
Michael Logothetis. A signature-based intrusion detection system for
the internet of things. Information and Communication Technology
Jou
Form, 2018.
[24] Prabhakaran Kasinathan, Gianfranco Costamagna, Hussein Khaleel,
Claudio Pastrone, and Maurizio A Spirito. An ids framework for
internet of things empowered by 6lowpan. In Proceedings of the 2013
ACM SIGSAC conference on Computer & communications security,
pages 1337–1340, 2013.
[25] Elie Kfoury, Julien Saab, Paul Younes, and Roger Achkar. A self
organizing map intrusion detection system for rpl protocol attacks.
International Journal of Interdisciplinary Telecommunications and
Networking (IJITN), 11(1):30–43, 2019.
[26] Usha Kiran. IDS To Detect Worst Parent Selection Attack In RPL-
Based IoT Network. In 2022 14th International Conference on
COMmunication Systems & NETworkS (COMSNETS), pages 769–
773. IEEE, 2022.
G. Sharma, J. Grover, A. Verma: Preprint submitted to Elsevier
[27] Aparna Kumari, Sudeep Tanwar, Sudhanshu Tyagi, Neeraj Kumar,
Reza M Parizi, and Kim-Kwang Raymond Choo. Fog data analytics:
A taxonomy and process model. Journal of Network and Computer
Applications, 128:90–104, 2019.
[28] Gu-Hsin Lai. Detection of wormhole attacks on ipv6 mobility-based
wireless sensor network. EURASIP Journal on Wireless Communi-
cations and Networking, 2016(1):1–11, 2016.
[29] Anhtuan Le, Jonathan Loo, Yuan Luo, and Aboubaker Lasebae.
Specification-based ids for securing rpl from topology attacks. In
2011 IFIP Wireless Days (WD), pages 1–3. IEEE, 2011.
[30] Anhtuan Le, Jonathan Loo, Kok Keong Chai, and Mahdi Aiash. A
specification-based ids for detecting attacks on rpl-based network
topology. Information, 7(2):25, 2016.
[31] Anthéa Mayzaud, Rémi Badonnel, and Isabelle Chrisment. Detecting
version number attacks in rpl-based networks using a distributed
monitoring architecture. In 2016 12th International Conference on
Network and Service Management (CNSM), pages 127–135. IEEE,
2016.
[32] Anthea Mayzaud, Remi Badonnel, and Isabelle Chrisment. A Taxon-
omy of Attacks in RPL-based Internet of Thing. International Journal
of Network Security, 18(3):459–473, 2016.
[33] Anthéa Mayzaud, Anuj Sehgal, Rémi Badonnel, Isabelle Chrisment,
and Jürgen Schönwälder. Using the rpl protocol for supporting passive
monitoring in the internet of things. In NOMS 2016-2016 IEEE/IFIP
Network Operations and Management Symposium, pages 366–374.
IEEE, 2016.
[34] Anthéa Mayzaud, Rémi Badonnel, and Isabelle Chrisment. A dis-
tributed monitoring strategy for detecting version number attacks in
rpl-based networks. IEEE Transactions on Network and Service
Management, 14(2):472–486, 2017.
[35] Geoff Mulligan. The 6lowpan architecture. In Proceedings of the 4th
workshop on Embedded networked sensors, pages 78–82, 2007.
[36] Sarumathi Murali and Abbas Jamalipour. A lightweight intrusion
detection for sybil attack under mobile rpl in the internet of things.
IEEE Internet of Things Journal, 7(1):379–388, 2019.
[37] Syeda M Muzammal, Raja Kumar Murugesan, and NZ Jhanjhi. A
comprehensive review on secure routing in internet of things: Miti-
gation methods and trust-based approaches. IEEE Internet of Things
Journal, 2020.
[38] Mohamad Nazrin Napiah, Mohd Yamani Idna Bin Idris, Roziana
Ramli, and Ismail Ahmedy. Compression header analyzer intru-
sion detection system (cha-ids) for 6lowpan communication protocol.
IEEE Access, 6:16623–16638, 2018.
[39] Musa Osman, Jingsha He, Fawaz Mahiuob Mohammed Mokbal,
Nafei Zhu, and Sirajuddin Qureshi. Ml-lgbm: A machine learning
model based on light gradient boosting machine for the detection of
version number attacks in rpl-based networks. IEEE Access, 2021.
[40] Fredrik Österlind. A sensor network simulator for the Contiki OS.
Swedish Institute of Computer Science, 2006.
[41] Pavan Pongle and Gurunath Chavan. Real time intrusion and worm-
hole attack detection in internet of things. International Journal of
Computer Applications, 121(9), 2015.
[42] Cong Pu. Sybil attack in RPL-based internet of things: analysis and
defenses. IEEE Internet of Things Journal, 7(6):4937–4949, 2020.
[43] Ahmed Raoof, Ashraf Matrawy, and Chung-Horng Lung. Routing
attacks and mitigation methods for rpl-based internet of things. IEEE
Communications Surveys & Tutorials, 21(2):1582–1606, 2018.
[44] Ahmed Mohammed Raoof. Secure Routing and Forwarding in RPL-
based Internet of Things: Challenges and Solutions. PhD thesis,
Carleton University, 2021.
[45] Shahid Raza, Linus Wallgren, and Thiemo Voigt. Svelte: Real-time
intrusion detection in the internet of things. Ad hoc networks, 11(8):
2661–2674, 2013.
[46] Sandip Roy, Santanu Chatterjee, Ashok Kumar Das, Samiran Chat-
topadhyay, Neeraj Kumar, and Athanasios V Vasilakos. On the design
of provably secure lightweight remote user authentication scheme for
mobile cloud computing services. IEEE Access, 5:25808–25825,
2017.
Page 12 of 13
 Journal Pre-proof

Version Number Attack in RPL based Mobile 6LoWPANs

[47] Sandip Roy, Ashok Kumar Das, Santanu Chatterjee, Neeraj Kumar,
Samiran Chattopadhyay, and Joel JPC Rodrigues. Provably secure
fine-grained data access control over multiple cloud servers in mobile
cloud computing based healthcare applications. IEEE Transactions
on Industrial Informatics, 15(1):457–468, 2018.
[48] Michael Savva, Iacovos Ioannou, and Vasos Vassiliou. Fuzzy-logic

of
based ids for detecting jamming attacks in wireless mesh iot networks.
arXiv preprint arXiv:2205.03797, 2022.
[49] Usman Shafique, Abid Khan, Abdur Rehman, Faisal Bashir, and
Masoom Alam. Detection of rank attack in routing protocol for low
power and lossy networks. Annals of Telecommunications, 73(7):
429–438, 2018.

pro
[50] Deepak Kumar Sharma, Sanjay K Dhurandher, Shubham Kumaram,
Koyel Datta Gupta, and Pradip Kumar Sharma. Mitigation of black
hole attacks in 6lowpan rpl-based wireless sensor network for cyber
physical systems. Computer Communications, 189:182–192, 2022.
[51] Mridula Sharma, Haytham Elmiligi, Fayez Gebali, and Abhishek
Verma. Simulating attacks for rpl and generating multi-class dataset
for supervised machine learning. In 2019 IEEE 10th Annual Informa-
tion Technology, Electronics and Mobile Communication Conference
(IEMCON), pages 0020–0026. IEEE, 2019.
[52] Dharmini Shreenivas, Shahid Raza, and Thiemo Voigt. Intrusion
detection in the rpl-connected 6lowpan networks. In Proceedings
of the 3rd ACM international workshop on IoT privacy, trust, and
security, pages 31–38, 2017.

based sybil defence in ieee 802.15. 4. 2021.

re-
[53] Ruben Stenhuis. Rpl attack analysis: Evaluation of a cryptography-

[54] M Surendar and A Umamakeswari. Indres: An intrusion detection and

response system for internet of things with 6lowpan. In 2016 Inter-
national Conference on Wireless Communications, Signal Processing
and Networking (WiSPNET), pages 1903–1908. IEEE, 2016.
[55] Pascal Thubert. Objective function zero for the routing protocol for
low-power and lossy networks (RPL). Technical report, 2012.
[56] J Vasseur, Navneet Agarwal, Jonathan Hui, Zach Shelby, Paul
lP
Bertrand, and Cedric Chauvenet. RPL: The IP routing protocol
designed for low power and lossy networks. Internet Protocol for
Smart Objects (IPSO) Alliance, 36:1–20, 2011.
[57] Abhishek Verma and Virender Ranga. Statistical analysis of cidds-
001 dataset for network intrusion detection systems using distance-
based machine learning. Procedia Computer Science, 125:709–716,
2018.
[58] Abhishek Verma and Virender Ranga. Elnids: Ensemble learning
based network intrusion detection system for rpl based internet of
rna

things. In 2019 4th International conference on Internet of Things:

Smart innovation and usages (IoT-SIU), pages 1–6. IEEE, 2019.
[59] Abhishek Verma and Virender Ranga. CoSec-RPL: detection of
copycat attacks in RPL based 6LoWPANs using outlier analysis.
Telecommunication Systems, 75:43–61, 2020.
[60] Abhishek Verma and Virender Ranga. The impact of copycat attack
on rpl based 6lowpan networks in internet of things. Computing,
pages 1–22, 2020.
[61] Abhishek Verma and Virender Ranga. Security of rpl based 6lowpan
networks in the internet of things: A review. IEEE Sensors Journal,
20(11):5666–5690, 2020.
Jou

[62] Isam Wadhaj, Baraq Ghaleb, Craig Thomson, Ahmed Al-Dubai, and
William J Buchanan. Mitigation mechanisms against the dao attack
on the routing protocol for low power and lossy networks (rpl). IEEE
Access, 8:43665–43675, 2020.
[63] Tim Winter, Pascal Thubert, Anders Brandt, Jonathan W Hui, Richard
Kelsey, Philip Levis, Kris Pister, Rene Struik, Jean-Philippe Vasseur,
Roger K Alexander, et al. RPL: IPv6 Routing Protocol for Low-Power
and Lossy Networks. rfc, 6550:1–157, 2012.
[64] Lan Zhang, Gang Feng, and Shuang Qin. Intrusion detection system
for rpl from routing choice intrusion. In 2015 IEEE International
Conference on Communication Workshop (ICCW), pages 2652–2658.
IEEE, 2015.
[65] Zoletria. Z1 Datasheet. URL http://zolertia.sourceforge.net/wiki/
images/e/e8/Z1_RevC_Datasheet.pdf.

G. Sharma, J. Grover, A. Verma: Preprint submitted to Elsevier Page 13 of 13

 Journal Pre-proof

Author Statement

of
Girish Sharma: Conceptualization, Methodology, Writing- Original draf
preparation, Sofware Jyoti Grover: Data curation, Writing- Reviewing and
Editing, Abhishek Verma: Visualization, Investigation, Supervision, Writing-

pro
Reviewing and Editing

re-
lP
rna
Jou
 Journal Pre-proof

Declaration of interests

☐ The authors declare that they have no known competing financial interests or personal relationships

of
that could have appeared to influence the work reported in this paper.

pro
re-
lP
rna
Jou