Internet of Things 22 (2023) 100750

Review article

A comprehensive survey on detection of sinkhole attack in routing over low power and Lossy network for internet of things
Aya Abdul Rahman Al-chikh Omar, Bassel Soudan *, Ala’ Altaweel
Department of Computer Engineering, College of Computing and Informatics University of Sharjah, United Arab Emirates

Keywords: Sinkhole attack; RPL; IoT; Security; Attack detection; LLNs

Abstract

The Internet of things (IoT) is a developing technology that has produced remarkable advancements and contributions in numerous applications. IoT refers to a system of wirelessly interconnected heterogeneous nodes or sensors over Low-power and Lossy Networks (LLNs). The main routing protocol of the LLNs is the Routing Protocol over Low power and Lossy network (RPL). RPL is a lightweight routing protocol designed to meet the memory, energy, and bandwidth constraints of LLNs and IoT devices. Because of their constraints, IoT systems are subject to challenges such as reliable data transmission and network security. This work will review several security mechanisms that have been proposed in the literature to secure RPL-based IoT systems against sinkhole attack. The proposed mechanisms will be discussed, classified, and analyzed in terms of their performance, datasets, implementation details, and limitations. This work will also present some research gap analysis and suggestions for future research topics in this general area.

1. Introduction

The internet of things (IoT) is a large-scale system of connected heterogeneous low power nodes [1]. IoT systems have application
in various fields such as transportation, home automation, healthcare, or industrial systems. IoT systems are characterized by devices
that are distributed over a significant area and connected wirelessly. Real-life IoT applications usually utilize low-power wireless sensor
networks to ensure smart and ubiquitous services.
Low-power and Lossy Network (LLN) is a class of networks where routers and devices operate under significant constraints on
energy consumption, memory, and storage capacities. LLNs are known to have high loss rates, low data rates, and instability. Most
devices in low-power and wireless sensor networks (WSN) are normally battery-powered. Therefore, power consumption is a major
concern. Specific protocols have been designed to satisfy the constraints in LLNs and to support the traffic flow efficiently. An example
of these protocols is Internet Protocol Version 6 (IPv6) over Low Power Wireless Personal Area Network (6LoWPAN), which is used
extensively in WSN [1].
Most of the security issues and challenges affecting WSNs are targeted at the network layer and its RPL routing protocol. IoT
systems and WSNs are comprised of nodes that have significant resource constraints. These constraints expose the network to different
attacks that may affect network topology, resources, performance, and throughput [2]. Moreover, these systems are expected to be
accessible from anywhere and anytime. Therefore, they exhibit exposure to many types of malicious attacks. Of particular concern is
the sinkhole attack, which targets a network’s topology with the aim of attracting network traffic to the attacking node. This is done by advertising falsified information, which tricks victim nodes in the network into adopting the attacking node as the parent with the best route to the network root. Developing a proper security mechanism for online detection and protection against such an attack is a challenge, especially given the constraints under which RPL operates [3].

* Corresponding author.
E-mail address: bsoudan@sharjah.ac.ae (B. Soudan).

https://doi.org/10.1016/j.iot.2023.100750

Available online 11 March 2023

2542-6605/© 2023 Elsevier B.V. All rights reserved.

Fig. 1. Temporal and categorical distribution of published works on sinkhole attack under RPL.
The main motivation of this work is to compare and contrast security mechanisms that have been proposed in the current literature
for protecting LLNs against sinkhole attack. To achieve that, this survey starts by discussing the vulnerabilities of RPL, and in
particular the behavior of the sinkhole attack under RPL. Then, the work proceeds with a review of proposed security mechanisms
that satisfy the constraints of LLNs and secure network data transmission against the sinkhole attack.
A literature search for intrusion detection mechanisms against the sinkhole attack under RPL has resulted in a very limited number
of publications. As can be seen from Fig. 1, the returned results were produced between 2012 and 2021. The figure also shows that the
proposed mechanisms can be grouped into four main categories based on the proposed mechanism for detecting the intrusion:

• Anomaly, signature, and specification-based detection methods
• Ranking-based detection methods
• Trust-based detection methods
• Machine learning-based detection methods

Based on the results of the literature search, a structured analysis of existing proposed techniques needs to be conducted to identify
research gaps and shortcomings. This work aims to address the issues related to the detection of sinkhole attack under RPL with the
following research questions:

1. What are the existing proposed techniques for detection of sinkhole attack under RPL?
2. How are researchers generating the datasets used in the proposed detection methods?
3. How are the proposed methods evaluated?
4. What are the performance metrics used for evaluating the proposed methods?
5. What are the research gaps in the existing literature?

Accordingly, the primary contributions of this review paper can be listed as follows:

• Identifying the state-of-the-art methods and intrusion detection systems (IDS) proposed by researchers to detect sinkhole attack
under RPL.
• Identifying the performance metrics and the datasets used by researchers to evaluate the effectiveness of the proposed detection
methods.
• Identifying research gaps and suggestions for future research related to detection methods and IDS of sinkhole attack under RPL.

Looking ahead: Section 2 of this paper discusses background details about the RPL protocol, the Sinkhole attack, performance metrics used in research, and the common simulators. Section 3 reviews the proposed security mechanisms based on the detection method. This section will also compare previous surveys about this topic with the one at hand. The results of the review and identification of research gaps are presented in Section 4. Finally, Section 5 presents concluding remarks. Additionally, the appendix at the end of the paper presents a comparison of the reviewed works in tabular format.


Fig. 2. RPL DODAG Construction.

2. Technical background

This section presents some necessary background information as well as definitions needed for clarifying concepts before discussing
the detection methods or IDS presented in the literature.

2.1. Routing protocol over low power and Lossy networks (RPL)

RPL is a standardized distance vector routing protocol for IoT systems and WSNs. It was introduced in 2012 by the Internet Engineering Task Force (IETF) [4]. RPL is based on the construction of a Destination Oriented Directed Acyclic Graph (DODAG), which is built as a tree consisting of one root node, numerous levels of intermediary nodes (known as parent nodes), and leaf nodes (child nodes). A DODAG is an RPL instance, and an LLN may consist of many RPL instances (i.e., DODAGs).
In an RPL DODAG, only the root node is connected to the internet, and child nodes send data packets to the root node through their parent nodes. The main principle of an RPL network is to construct a routing topology that auto-optimizes and avoids loops in the network. RPL works as an IP-based distance vector and hop-by-hop routing protocol. Each node in the RPL network computes its own rank based on its distance (number of hops) from the root node, where the ranks increase the further the node is from the DODAG root. The transmission path is then determined by discovering the optimal path to the root based on the node ranks.
The routing topology in an RPL network is constructed based on an objective function that is used with some constraints to select
the preferred parent for each child node [5]. There are two main objective functions [4]:

a) Objective function zero (OF0): considers a hop count metric only.
b) Minimum rank with hysteresis objective function (MRHOF): considers the expected transmission count (ETX) metric.

The RPL protocol uses four types of messages when constructing a DODAG [4]:

• DODAG information object (DIO) - A control message that is used to share information about the DODAG. This message is sent by
the root node to its neighbor nodes to construct the DODAG, and it is also sent to a node that is requesting to join an existing
DODAG. It is also sent through the network to refresh the network topology information.
• DODAG information solicitation (DIS) - A control message sent from a new node that is requesting to join a neighboring DODAG.
DIS is used to discover an existing network.

• Destination advertisement object (DAO) - A control message sent from child and parent nodes towards the root node to update the
information of the parent nodes through the network.
• Destination advertisement object acknowledgment (DAO-ACK) - A control message sent from the parent node to the child node,
downward the DODAG during the construction of the DODAG or after acknowledging a new node joining request.

Fig. 3. RPL instance network topology and the node ranks.

To construct a new DODAG, the root node broadcasts a DIO message in the first phase to its neighbors so that they join the RPL instance (as illustrated in Fig. 2a). The participant or child nodes respond with DAO messages (Fig. 2b). The root node replies with a DAO-ACK message, and the DODAG is constructed (Fig. 2c). If a node wants to join an existing RPL instance, it sends a DIS message towards the DODAG root node (Fig. 2d). The closest nodes reply with a DIO message (Fig. 2e), and the new node joins the network (Fig. 2f). The aforementioned process guarantees that there is only one root node in the network [3]. Fig. 3 shows the network topology in an RPL network, where the root node (connected to the internet) has the lowest rank and the leaf nodes have the highest rank values [4].
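The construction just described can be modelled in a few lines. The following Python model is an added example, not code from the paper or from any RPL implementation. It assumes a constructed radio-neighbour graph, the RFC 6550 default MinHopRankIncrease of 256 (which is also the rank the root advertises), and, for simplicity, that OF0 adds exactly one MinHopRankIncrease per hop (real OF0 scales the per-hop increase by a configurable step). The DIO/DAO exchange is abstracted to parent selection: every node keeps the lowest-rank DIO it has heard as its preferred parent, which produces the hop-count ranks the text describes.

```python
"""Simplified model of RPL DODAG construction (Section 2.1).

Added example, not the paper's code. Assumptions: OF0 hop-count metric with a
rank increase of exactly MinHopRankIncrease per hop, a symmetric radio graph,
and DIO/DAO exchanges abstracted to parent selection.
"""
from collections import deque

MIN_HOP_RANK_INCREASE = 256         # RFC 6550 default value
ROOT_RANK = MIN_HOP_RANK_INCREASE   # RFC 6550: the DODAG root advertises this rank

# Constructed radio neighbourhood: node -> set of nodes within radio range.
SAMPLE_LINKS = {
    "R": {"A", "B"},          # R is the DODAG root (the only node with Internet access)
    "A": {"R", "C", "D"},
    "B": {"R", "D", "E"},
    "C": {"A"},
    "D": {"A", "B", "F"},
    "E": {"B"},
    "F": {"D"},
}


def build_dodag(links, root):
    """Flood DIOs outward from the root and let every node pick its preferred parent.

    Returns (rank, parent): rank[node] is the rank the node ends up advertising,
    parent[node] is its preferred parent (None for the root).
    """
    rank = {root: ROOT_RANK}
    parent = {root: None}
    pending = deque([root])          # nodes that have a rank and still have to send a DIO
    while pending:
        sender = pending.popleft()
        offered = rank[sender] + MIN_HOP_RANK_INCREASE   # rank a child of `sender` would get
        for nbr in sorted(links[sender]):                 # sorted only for deterministic output
            # OF0: a DIO is adopted only if it offers a strictly lower rank than the
            # rank the node already holds (i.e. a shorter hop count to the root).
            if nbr not in rank or offered < rank[nbr]:
                rank[nbr] = offered
                parent[nbr] = sender   # the node answers with a DAO and re-broadcasts its own DIO
                pending.append(nbr)
    return rank, parent


def hops_to_root(rank, node):
    """Number of hops implied by a node's rank under the one-increment-per-hop assumption."""
    return (rank[node] - ROOT_RANK) // MIN_HOP_RANK_INCREASE


def upward_path(parent, node):
    """Follow preferred parents from `node` to the root: the route data packets take."""
    path = [node]
    while parent[path[-1]] is not None:
        path.append(parent[path[-1]])
    return path


if __name__ == "__main__":
    ranks, parents = build_dodag(SAMPLE_LINKS, "R")
    for node in sorted(ranks):
        print(f"{node}: rank={ranks[node]:4d} hops={hops_to_root(ranks, node)} parent={parents[node]}")
    print("route from F:", " -> ".join(upward_path(parents, "F")))
```

In the constructed graph node D can hear both A and B, which offer the same rank; it keeps the first DIO it adopted, as a real node would until a strictly better rank is advertised. That invariant (a child's rank is always strictly greater than its parent's) is exactly what a forged low-rank DIO breaks, and what the rank-based checks surveyed in Section 3 look for.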
After the network topology has been constructed in the manner described above, the routing process and data transmission can
start. Should a malicious node intrude into the network, it can cause numerous security issues targeting the network performance,
throughput, or topology. One specific class of these intruder-induced security attacks is routing attacks.
The RPL protocol provides three security modes for message transmission:

1. Unsecured mode: The control messages are exchanged without any security mechanisms.
2. Preinstalled mode: A preinstalled key is required for each node when it requests to join the network as a host.
3. Authenticated mode: A preinstalled key is required from an authentication authority if a node requests to join the network as a router.

The preinstalled and authenticated protocol-level security modes require a node to meet certain security requirements before joining
the network. However, the sinkhole attack is classified as an insider attack, where the attacker leverages a node that is already part of
the network (has already met the requirements for joining the network). Therefore, these security modes cannot protect against such
an attack. Even if the preinstalled mode is employed, the hijacked node will already have the proper keys to access the network and
participate in the construction of the RPL topology [6]. Additionally, the attacker may launch a key-stealing attack to obtain a key from
one of the nodes and use it to join the network and launch the attack [7].
Routing attacks modify the network topology and affect the routing process causing the misdirection of messages, such as in the
case of the sinkhole attack. The intruder in a sinkhole attack alters the routing process and attracts all the network traffic through itself.
A sinkhole attack can be a precursor to other more destructive attacks such as selective forwarding, blackhole, and wormhole attacks
[8,9]. The details on the behavior of the sinkhole attack and its impact on RPL will be discussed in the next sub-section.

2.2. The sinkhole attack

The main target of a sinkhole attack is to alter the topology of the network so that all the traffic in the network is redirected through the malicious node. The sinkhole attack is launched when a compromised node is used to forge the unencrypted DIO packets advertising a very low network topology rank. When the forged messages reach surrounding nodes, they consider that the compromised node is very close to the root node in the topology. Therefore, they direct their transmissions to it as it represents a shorter path to the root as shown in Fig. 4.
A sinkhole attack is considered as one of the most severe network topology attacks, as it may serve as the initial step for launching
more damaging attacks [10]. If it is combined with a selective forwarding attack, then the malicious node can selectively drop specific
packets, altering the communication stream. On the other hand, if it is combined with a blackhole attack, then the malicious node may
completely block delivery of all packets [11]. Additionally, the sinkhole attack may be followed by a packet-modification attack that alters the traffic in the network [12].

Fig. 4. The network of Fig. 3 under a sinkhole attack.

Fig. 5. Simulation environments used in the literature for the sinkhole attack.

IoT and WSN networks running RPL are particularly susceptible to sinkhole attack because of the communication pattern. An RPL
network is constructed as a tree topology, where packets from the sensor nodes are sent to a single root node, which is the only node
that is connected to the internet. A sinkhole attack, which compromises this tree structure, allows a malicious node to have access to
the full traffic of the network. Once that is accomplished, more malicious attacks can be launched.
Other IoT communication protocols are also susceptible to sinkhole attack. A recent work studied real-world scenarios of launching hijacking attacks on several IoT devices [13]. The authors simulated several attacks in WSN such as eavesdropping, replay attacks and denial of service attacks. The results of the experiments showed that wireless communication protocols such as Wi-Fi and Near Field Communication (NFC) are also vulnerable to such attacks.
Regardless of the topology, these networks are constrained by having a single root node that connects to the base station and the Internet (as demonstrated in Fig. 4). Therefore, sensor nodes must determine the optimal path to reach the root node with the minimum number of hops. This optimal path is determined by examining the rank of each node (its distance from the root) and following the path where lowest ranked nodes exist. If one of the nodes advertises a rank lower than reality, surrounding nodes will be deceived into directing their traffic to it [10].


2.3. Simulators and datasets

Researchers have determined that there is no readily available real-world dataset that can be used for evaluating detection methods
for intrusion in RPL networks. Therefore, they have opted to simulate the behavior of their systems using standard network simulators.
The distribution in Fig. 5 shows the prevalence of the different simulators in the papers in the review pool.
The figure shows that the following network simulators were the most commonly used in the literature:

• COOJA simulator [14]
• Network simulator NS-2 [15]
• Network simulator NS-3 [16]
• OpenWSN [17]

These simulators allow simulating large IoT networks under different configurations and protocols without the need to build physical hardware. Overall, the available network simulators are integrated with significant features that provide flexible LLN design.
The literature review has shown that COOJA was the most commonly used simulator when designing intrusion detection systems for sinkhole attacks in RPL networks (as illustrated in Figure ). The COOJA simulator simulates IoT nodes running the Contiki operating system [18], which is designed specifically for memory-constrained nodes communicating over LLNs. It supports standard protocols such as IPv6 (Internet Protocol version 6), RPL, 6LoWPAN, and CoAP (Constrained Application Protocol) [7,19].
COOJA is a memory-efficient, event-driven, multithreaded simulator based on protothreads. It allows extracting numerous characteristics about the simulated network that are essential in the evaluation of the network’s performance [20]. It allows extracting features such as energy consumption, Number of Hops, Routing Metrics, ETX, Churn, Beacon Interval, Listen Duty Cycle, Transmit Duty Cycle, Average Inter-Packet Interval, Minimum Inter-Packet Interval, and Maximum Inter-Packet Interval.
While there are no available datasets for sinkhole attack in RPL specifically, there are a number of datasets covering a group of routing attacks together, such as the UNSW NB-15 and RPL-NIDDS17 datasets [21,22]. These datasets are limited in their scope and do not cover the most common attack scenarios for the sinkhole attack. The datasets do not reflect situations such as different numbers of malicious nodes, different network sizes (small, medium, and large), and different topological locations of the attack. These scenarios are necessary to analyze the effectiveness of the detection methods (in terms of detection accuracy and latency) under different attacks. Accordingly, researchers tend to use different network simulators to evaluate their proposed detection methods/IDS.

2.4. Performance evaluation metrics

Researchers use different metrics for evaluating the performance of proposed systems [23]. The following are the most common
metrics used in the literature for evaluating the quality of the proposed sinkhole attack detection methods:

2.4.1. Detection rate (DR)

The rate at which true attacks are identified correctly. This is also known as the Sensitivity or True Positive Rate (TPR) of the method. It is determined according to the expression in Eq. (1) [24].

$$\mathrm{DR} = \mathrm{TPR} = \frac{\text{No. of real attacks detected correctly}}{\text{No. of real attacks}} \qquad (1)$$

2.4.2. False positive rate (FPR)

The rate at which normal behavior is incorrectly identified as an attack. This is also known as the fall-out of the method. It is determined according to the expression in Eq. (2) [25].

$$\mathrm{FPR} = \frac{\text{No. of normal cases falsely categorized as attacks}}{\text{No. of real negative cases}} \qquad (2)$$

2.4.3. False negative rate (FNR)

The rate at which true attacks are incorrectly identified as normal behavior. This is also known as the miss rate of the method. FNR is the most important metric as it measures the failure of the method to detect the attack. It is determined according to the expression in Eq. (3) [25].

$$\mathrm{FNR} = \frac{\text{No. of real attacks falsely categorized as normal behavior}}{\text{No. of real attacks}} \qquad (3)$$


2.4.4. Detection Accuracy

The rate at which the network behavior is correctly categorized as being normal or under attack. It is determined according to the expression in Eq. (4) [24].

$$\text{Detection accuracy} = \frac{\text{No. of detected real attacks} + \text{No. of detected cases of true normal behavior}}{\text{All samples}} \times 100 \qquad (4)$$

2.4.5. Average delay

The average time required to transmit a packet from a node to the destination node. This figure of merit indicates the incurred
communication overhead caused by the proposed detection method and whether it negatively affects the network’s performance [25].

2.4.6. Average throughput

The number of packets transmitted successfully per second. It can also be used to determine if the proposed detection method negatively affects the performance of the network. It is measured in bits/second and calculated using the expression in Eq. (5) [25].

$$\text{Average throughput} = \frac{\text{No. of packets transmitted successfully}}{\text{Time}} \qquad (5)$$

2.4.7. Energy consumption

Energy is a significant factor in the context of IoT and WSNs where devices are characterized by severely limited energy capacity [26]. Any increase in the network’s energy consumption due to the implementation of a particular IDS becomes an important figure of merit for evaluating the proposed method. The energy consumption is calculated as the sum of the total energy consumed by each node in the network (as shown in Eq. (6)). A node’s energy consumption comprises the energy consumed by its CPU and the energy consumed in transmitting and listening, as shown in Eq. (7) [25].

$$\text{System Energy Consumption} = \sum_{\text{all nodes}} \text{Energy}_i \qquad (6)$$

$$\text{Energy}_i = \left( t_{Tx} \cdot I_{Tx} + t_{Rx} \cdot I_{Rx} + t_{CPU} \cdot I_{CPU} + t_{LPM} \cdot I_{LPM} \right) \times V_{CC} \qquad (7)$$

Where:

• $\text{Energy}_i$ is the energy consumed by node $i$
• $t_{Tx}$: The time the radio of node $i$ is in transmit mode.
• $t_{Rx}$: The time the radio of node $i$ is in receive mode.
• $t_{CPU}$: The time the CPU of node $i$ is in active mode.
• $t_{LPM}$: The time node $i$ is in low power mode.
• $I_{Tx}$: Typical transmission current consumption of node $i$.
• $I_{Rx}$: Typical current consumption for the receiver of node $i$.
• $I_{CPU}$: Typical CPU current consumption for node $i$.
• $I_{LPM}$: Typical current consumption of node $i$ while in the low power mode.
• $V_{CC}$: The supply voltage of node $i$.

2.4.8. Overhead

Overhead is defined as the ratio of control packets to received packets (dimensionless). It is possible that the overhead in the network may increase as a result of implementing a specific IDS. Therefore, it is an important metric for evaluating the performance of a specific method [25].

2.4.9. Packet drop / delivery ratio (PDR)

PDR refers to the difference between the number of data packets transmitted from the source node and the total number of packets received at the ultimate destination node. This metric is important to ensure the integrity of the network after the implementation of the proposed IDS [25].
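The metrics of this section are easy to get subtly wrong (DR and FNR share a denominator, FPR is normalized by the negatives, accuracy by all samples), so here they are computed over one constructed detection run. This Python code is an added example, not the paper's or any surveyed system's code. Eq. (1) to (7) are transcribed from the text; the per-node currents and supply voltage are assumed sample values of the order used for Tmote Sky-class motes, not measurements; the per-node radio and CPU state times and the 20-node truth/verdict tables are constructed.

```python
"""Metrics of Section 2.4 computed from a constructed detection run (added example).

Not the paper's code. Eq. (1)-(7) are transcribed from the section; the current
and voltage figures are assumed sample values, not measurements, and the per-node
radio/CPU times and the detection verdicts are constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Confusion:
    tp: int   # real attacks detected correctly
    fp: int   # normal nodes falsely flagged as attackers
    fn: int   # real attacks missed
    tn: int   # normal nodes correctly left alone


def confusion(truth, verdict):
    """truth[node] is True for a real attacker; verdict[node] is True when the IDS flags it."""
    counts = {"tp": 0, "fp": 0, "fn": 0, "tn": 0}
    for node, is_attacker in truth.items():
        flagged = verdict.get(node, False)
        key = ("t" if flagged == is_attacker else "f") + ("p" if flagged else "n")
        counts[key] += 1
    return Confusion(**counts)


def _ratio(num, den):
    return num / den if den else 0.0   # an empty class has no rate to report


def detection_rate(c):           # Eq. (1): DR = TPR = sensitivity
    return _ratio(c.tp, c.tp + c.fn)


def false_positive_rate(c):      # Eq. (2): fall-out, normalized by the real negatives
    return _ratio(c.fp, c.fp + c.tn)


def false_negative_rate(c):      # Eq. (3): miss rate, the complement of DR
    return _ratio(c.fn, c.tp + c.fn)


def detection_accuracy(c):       # Eq. (4), in percent, normalized by all samples
    return 100.0 * _ratio(c.tp + c.tn, c.tp + c.fp + c.fn + c.tn)


def average_throughput(packets_ok, seconds):        # Eq. (5)
    return _ratio(packets_ok, seconds)


def overhead(control_packets, received_packets):     # Section 2.4.8, dimensionless
    return _ratio(control_packets, received_packets)


def packet_delivery_ratio(sent, received):           # Section 2.4.9
    return _ratio(received, sent)


# Assumed per-mote electrical parameters (mA and V): sample values, not measurements.
ASSUMED_CURRENTS = {"i_tx": 17.4, "i_rx": 18.8, "i_cpu": 1.8, "i_lpm": 0.0545, "vcc": 3.0}


def node_energy_mj(t_tx, t_rx, t_cpu, t_lpm, i_tx, i_rx, i_cpu, i_lpm, vcc):
    """Eq. (7): times in seconds, currents in mA, vcc in volts -> energy in millijoules."""
    return (t_tx * i_tx + t_rx * i_rx + t_cpu * i_cpu + t_lpm * i_lpm) * vcc


def system_energy_mj(node_times, currents=ASSUMED_CURRENTS):
    """Eq. (6): Eq. (7) summed over all nodes; node_times[node] holds t_tx, t_rx, t_cpu, t_lpm."""
    return sum(node_energy_mj(**times, **currents) for times in node_times.values())


# Constructed 20-node run: nodes 7 and 13 are sinkholes; the IDS flags 4, 7 and 13.
SAMPLE_TRUTH = {n: n in (7, 13) for n in range(1, 21)}
SAMPLE_VERDICT = {n: n in (4, 7, 13) for n in range(1, 21)}

# Constructed radio/CPU state times in seconds for two nodes over one window.
SAMPLE_NODE_TIMES = {
    "n1": {"t_tx": 0.5, "t_rx": 2.0, "t_cpu": 10.0, "t_lpm": 50.0},
    "n2": {"t_tx": 1.5, "t_rx": 4.0, "t_cpu": 12.0, "t_lpm": 42.5},
}

if __name__ == "__main__":
    c = confusion(SAMPLE_TRUTH, SAMPLE_VERDICT)
    print(c)
    print(f"DR={detection_rate(c):.3f} FPR={false_positive_rate(c):.3f} "
          f"FNR={false_negative_rate(c):.3f} accuracy={detection_accuracy(c):.1f}%")
    print(f"system energy = {system_energy_mj(SAMPLE_NODE_TIMES):.2f} mJ")
```

The constructed run illustrates why the section singles out FNR: a single false positive among 18 normal nodes costs 5.6 points of FPR and 5 points of accuracy, while both sinkholes are still caught (DR 1.0, FNR 0). Reporting only accuracy would hide the same trade-off in the other direction when attackers are rare.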

3. Literature review

This section discusses published literature related to detection methods and intrusion detection systems for sinkhole attacks in RPL
networks. The discussion also covers implementation details of the proposed methods and an evaluation of their performance.
Additionally, a summary of previous literature surveys will also be presented, highlighting the additional contribution of this review.

Fig. 6. Distribution of the literature across different detection method categories.

Different methods have been proposed for the detection of sinkhole attacks in RPL. This survey categorizes these detection methods
into the following types:

• Anomaly, signature and specification detection methods
• Ranking-based detection methods
• Trust-based detection methods
• Machine learning-based detection methods

The distribution of the literature based on these categories is illustrated in Fig. 6. The published literature under each category will
be discussed separately in the following sub-sections.

3.1. Anomaly, signature, and specification-based detection methods

Anomaly-based detection depends on identifying deviations in a network’s behavior compared to an established baseline standard.
Signature-based detection on the other hand searches the network’s traffic for a known pattern from the attack under consideration.
Finally, specification-based detection looks for violations to policies that describe correct operation of the network. These detection
methods have been used in numerous research studies for the detection of sinkhole attacks in RPL networks. This section presents a
survey of these studies and Table in the appendix provides a comparison summary.
Researchers proposed a hybrid anomaly and signature IDS named SVELTE [27]. The goal is to secure RPL networks against sinkhole and selective forwarding attacks. SVELTE is designed as a distributed mini firewall in the root node. The proposed IDS implements three detection methods: network graph inconsistency, node availability, and routing graph validity. In the network graph inconsistency check, the network is checked for node rank inconsistencies. Node availability is checked using a time threshold to measure the packet loss rate in the network. Finally, routing graph validity ensures consistency of the network topology with the routing graph. SVELTE was evaluated on networks containing 8, 16, and 32 nodes with different numbers of malicious nodes. SVELTE achieved a 90% detection rate.
A specification-based IDS was developed for detecting network topology attacks like rank, sinkhole and neighbor attacks [28]. The proposed IDS passes through two phases. In the first phase, all possible states and transitions are defined while the network topology is stable. Then, in the second phase, the collected knowledge is translated into detection algorithms that are implemented in the IDS agents. The network is then organized into a hybrid clustering architecture. The nodes are grouped into clusters and the IDS agent is installed in the cluster head to monitor the nodes in that cluster. The cluster head collects the following information from each node: node ID, rank, preferred parent ID, and the sequence numbers of DIO, DIS and DAO messages. This detail facilitates the cross-check process and increases the reliability of the information. The detection algorithm checks for an inordinate number of transmitted DIS and DIO messages as an indication of the existence of malicious nodes. The algorithm also checks rank consistency between nodes and their parents. The proposed IDS was tested using the COOJA simulator on a 100-node network organized into 11 clusters, with one malicious node. The results showed 100% TPR and 3.28% FPR in detecting a sinkhole attack after 10 minutes.
A hybrid intrusion detection system to detect sinkhole and selective forwarding attacks either individually or collaboratively has been proposed [29]. The system combines specification-based agents (installed in the router nodes) with an anomaly-based agent (installed in the root node). The specification-based agents monitor the traffic and identify malicious nodes based on pre-defined threshold values for packet receiving rate and time delay. Their results are then sent to the root node. The root node in turn extracts packet receiving rate, packet dropping rate, average latency, and maximum hop count for each time slot from the received traffic. These features are fed to an anomaly-detection agent based on the unsupervised Optimum-Path Forest (OPF) algorithm to classify the results as normal or anomalous. Thus, the final decision is taken based on the results of local specification-based detection and global anomaly-based detection. The proposed system was tested on small and medium networks, and it achieved better FPR than an anomaly-based IDS, but worse TPR. However, it is important to note that the experiments were conducted on networks consisting of nodes with infinite energy (not LLNs).
Researchers proposed adding passive intermediate nodes to the network to monitor other nodes, or integrating the IDS into the root node, in order to detect malicious behavior [30]. The passive nodes are distributed throughout the network and are characterized by high radio range. Each of these nodes monitors the rank information advertised by its neighbors to detect nodes maliciously advertising improper rank information. An evaluation was conducted using COOJA on a 20-node network with 2 malicious nodes. The results showed 100% TPR, 0.53% FPR and 99.50% detection accuracy. However, the energy consumption of the network increased due to the additional monitoring nodes.
An Intrusion Detection and Response System (InDReS) has been proposed based on improving the shortcomings of the previously discussed SVELTE system [31]. The authors noted that SVELTE produced high FPR values and subsequent works added improvements on the detection method, but did not consider its effect on Quality of Service (QoS) [27]. InDReS uses a constraint-based specification model to detect the attack. The proposed method uses a combination of four algorithms. First, the logical topology of the network is initialized using leader node selection, where leader nodes are determined based on the received signal strength. Leader nodes are assumed to be protected and impossible for the attacker to compromise. The efficiency of the network’s handling of packets is then determined by calculating the packet drop count. Nodes are classified as malevolent based on whether their probability beta distributions exceed a predefined threshold. Finally, the relative rank value of the nodes is used to determine whether such nodes should be isolated from the network. InDReS was able to achieve a lower packet drop ratio, lower normalized overhead, lower energy consumption, and higher throughput.
An IDS has been proposed for the detection of the sinkhole and clone ID attacks individually or as a combination [32]. The proposed
IDS combines the algorithm used in SVELTE for the detection of the sinkhole attack with another algorithm for the detection of the
clone ID attack [33]. The authors used 8-node, 16-node, and 24-node networks simulated using COOJA to evaluate their IDS in terms of
power consumption, memory consumption and TPR. The proposed IDS was able to achieve 100% TPR after 50 minutes when the
network was subjected to sinkhole and clone-ID attacks at the same time.
A knowledge-based specification rule IDS has been developed to detect sinkhole attack in IoT [34]. The system defines a threshold for normal network traffic and some rules for the detection of the attack. The IDS is comprised of three components: a knowledge-based system, an inference engine, and a working memory. The IDS clusters the network and then selects a leader node to monitor the other nodes within each cluster. The leader monitors the number of transmissions (input and output) of each node to define its reputation and confidence. During the detection stage, the data collected by the leaders is used along with the predefined thresholds to determine the attacker. The IDS was implemented in the Netsim simulator and was evaluated in terms of detection rate. The IDS achieved an average detection rate of 72.5% for the member nodes, and 100% for the associated nodes and the leader nodes. That is, all the sinkhole attack nodes were detected efficiently.

3.2. Ranking-based detection methods

Ranking-based detection for sinkhole attack in RPL networks is based on identifying the rank inconsistency behavior of the attack.
This section surveys the methods that have proposed using rank-based detection methods. Additionally, Table in the Appendix presents
a contrasting comparison of these works.
Researchers have investigated a hybrid rating-based method for the detection of sinkhole attack in RPL networks [35]. The proposed method passes through a number of stages to detect the attack. The process starts by constructing a trustworthy and reliable network. First, a Trustworthy Platform Module (TPM) is used to calculate the energy consumption, trust and integrity of each node in the network. The TPM is a small low-cost security device integrated into each node of the network to ensure the reliable creation of the DODAG through encryption of the control messages. The TPM holds the encryption keys and passwords. It is also used as a processor to secure the transmission of trust computations and storage operations. Moreover, the TPM includes tables that store the values of integrity, trust and energy measurements. Then, route costs are calculated based on the reliability values, and parents are selected based on specific reliability thresholds. Once the reliable network is constructed, an attack can be detected using two methods. The first method is based on comparing rank differences (from the routing table) for the nodes along the path that DIO messages traverse; while the second method depends on calculating PDR and determining if ACK messages are returned for all transmitted messages. The combination of these two methods allows detection of the attack and determination of the attacker node. Once the attacker is identified, it is quarantined and isolated by broadcasting warning messages from the root to all nodes in the network. The performance of the proposed method was evaluated using the NS-2 simulator for a 500-node network with various malicious node rates (10%, 20%, and 30%). The method was able to achieve 98% detection rate, 10.98% FNR, 13.6% FPR and 98% PDR for a network with 30% malicious nodes.
A distance-based ranking and rating mechanism for the detection and isolation of sinkhole attacks in RPL networks has been
proposed [36]. According to the proposed method, a node is considered malicious if it doesn’t send its real rank and when it sends
many DIO messages to its non-child neighbors. This is determined by comparing the rank of the node and that of its parent, as well as
the nodes to which it is sending DIO messages. Additionally, a node is considered malicious when its average packet transmission rate
exceeds a predefined threshold. The proposed method was evaluated using the NS-3 simulator for a 600-node network with 30%
sinkhole rate. The method achieved 98% detection and PDR rates, 9.2% FNR, and 12.4% FPR.


A system named DEEM (Decentralized and Energy Efficient Method) was proposed for detecting sinkhole attacks in RPL networks [37]. The proposed system places particular focus on energy consumption. DEEM attempts to detect the attack through two phases. First, data is collected for each node in the network, such as node ID, neighbor set and preferred parent node. For each neighbor, the algorithm collects the ID, rank, and path Expected Transmission Count (ETX). During this first phase, the algorithm also obtains knowledge about the RPL Instance ID, DODAG ID and DODAG Version Number through DIO messages. During the detection phase, the algorithm compares differences in the ranks of the nodes, their parents, and neighbors against a predefined threshold. If a node is detected as malicious, it is first added to a suspects list. If a node is detected as malicious a second time, it is added to the blacklist. The proposed method was evaluated on networks with 8, 16 and 32 nodes. The results show TPRs of 92%, 89% and 85% for the three network sizes, respectively. Additionally, DEEM exhibited lower energy consumption compared to the SVELTE IDS [27].
A hybrid IDS model to detect sinkhole and selective forwarding attacks was developed by clustering the network and assigning a head node for each cluster [38]. The head node builds a neighbor node table that includes node ID and rank for nodes within its transmission range. The constructed table is updated periodically by interrogating the neighboring nodes. Should there be changes to the information in the table, rank inconsistencies can be detected immediately. In order to prevent the attack, the IDS runs an algorithm that produces random values, which are used as authentication keys for all nodes in the same path. The root node checks the keys of different paths and indicates an attack in case there are variations. The performance of the IDS was evaluated on a 100-node network with 1 malicious node using COOJA. The IDS achieved 96.3% TPR and 5.7% FPR.
Researchers have proposed a finite state machine (FSM) to detect selective forwarding, hello flood and sinkhole attacks [39]. The
transitions in the FSM implement the operations and behavioral flow of the RPL protocol. The proposed FSM operates as an
anomaly-based IDS that detects the sinkhole attack through rank inconsistencies in the network. The proposed FSM reported 91%
detection rate in an 8-node network with 1 malicious node.
A cluster-based detection and prevention method against sinkhole and selective forwarding attacks has been proposed [40]. The
proposed method was developed in Matlab and employed the key match algorithm. According to the proposed method, each node uses
a key match algorithm to discover the optimal path to the root node. This prevents attackers from being part of the network. For attack
detection, a cluster-based IDS is used to calculate the transmission limits for each node and maintain a neighbor table that includes the
node IDs and their ranks. If an attacker is detected, it is isolated through an alert message and reconstruction of the network topology.
The proposed method was evaluated on a 15-node network in terms of packet drop ratio, throughput, packet delivery ratio, overhead
and average energy consumption. Overall, the method achieved a TPR between 50% and 80%, while SVELTE had achieved a TPR of 80% on a similar case [27].
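To make the rank-consistency checks surveyed above concrete, here is an added example in Python (not code from any of the surveyed papers) that models a DEEM-style detector [37]: each node's report carries its advertised rank, its preferred parent and the ranks heard from neighbours' DIO messages; a node is flagged when its rank is below its parent's rank plus MinHopRankIncrease, or when neighbours heard different ranks from it (the selective advertisement checked in [36]); a flagged node goes to a suspects list on first detection and to the blacklist on the second. The NodeReport record, the threshold value and the five-node snapshot are assumptions constructed for this example.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

# RFC 6550 DEFAULT_MIN_HOP_RANK_INCREASE: a child's rank must exceed the
# rank of its preferred parent by at least this amount.
MIN_HOP_RANK_INCREASE = 256


@dataclass
class NodeReport:
    """Hypothetical per-node record, as collected in DEEM's first phase."""
    node_id: str
    rank: int                  # rank this node advertises in its own DIO
    parent: Optional[str]      # preferred parent, None for the DODAG root
    # neighbour id -> rank heard in that neighbour's DIO
    neighbors: Dict[str, int] = field(default_factory=dict)


@dataclass
class RankConsistencyDetector:
    """Second phase: rank comparisons, then suspects list and blacklist."""
    threshold: int = MIN_HOP_RANK_INCREASE
    suspects: Set[str] = field(default_factory=set)
    blacklist: Set[str] = field(default_factory=set)

    def inconsistencies(self, snapshot: Dict[str, NodeReport]) -> Dict[str, List[str]]:
        """Return node id -> reasons for every node with a rank inconsistency."""
        findings: Dict[str, List[str]] = {}
        for node in snapshot.values():
            reasons: List[str] = []
            parent = snapshot.get(node.parent) if node.parent else None
            if parent is not None and node.rank < parent.rank + self.threshold:
                # A rank lower than the parent permits is the sinkhole signature:
                # the node makes itself an attractive parent for its neighbours.
                reasons.append(
                    f"rank {node.rank} below parent rank {parent.rank} + {self.threshold}")
            for nb_id in node.neighbors:
                nb = snapshot.get(nb_id)
                if nb is None or node.node_id not in nb.neighbors:
                    continue   # nothing heard from that side, cannot cross-check
                heard = nb.neighbors[node.node_id]
                if heard != node.rank:
                    reasons.append(f"neighbour {nb_id} heard rank {heard}")
            if reasons:
                findings[node.node_id] = reasons
        return findings

    def detect(self, snapshot: Dict[str, NodeReport]) -> Dict[str, List[str]]:
        """Run one detection round and update the suspects list and blacklist."""
        findings = self.inconsistencies(snapshot)
        for node_id in findings:
            if node_id in self.suspects:
                self.blacklist.add(node_id)     # second detection -> blacklist
            else:
                self.suspects.add(node_id)      # first detection -> suspects
        return findings


def constructed_snapshot() -> Dict[str, NodeReport]:
    """Constructed five-node DODAG: R is the root; M advertises rank 300 although
    its preferred parent B has rank 768, so C has chosen M as its parent."""
    return {
        "R": NodeReport("R", 256, None, {"A": 512}),
        "A": NodeReport("A", 512, "R", {"R": 256, "B": 768}),
        "B": NodeReport("B", 768, "A", {"A": 512, "M": 300}),
        "M": NodeReport("M", 300, "B", {"B": 768, "C": 556}),
        "C": NodeReport("C", 556, "M", {"M": 300}),
    }


if __name__ == "__main__":
    detector = RankConsistencyDetector()
    snapshot = constructed_snapshot()
    for round_no in (1, 2):
        found = detector.detect(snapshot)
        print(f"round {round_no}: flagged={found} suspects={detector.suspects} "
              f"blacklist={detector.blacklist}")
```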

3.3. Trust-based detection methods

Trust-based methods operate on the premise that a trustworthy intermediate node will dutifully retransmit all the packets it receives. On the other hand, an intermediate node that does not retransmit everything it receives would be suspected of being malicious.
This section surveys proposed research works that use various trust-based methods for the detection of sinkhole attacks. A summary of
these proposed methods is also presented in Table in the Appendix.
The authors of [41] proposed an IDS named INIT (Intrusion detection of Sinkhole attacks on 6LoWPAN for Internet of Things) for the detection of sinkhole attacks in RPL networks. The proposed IDS uses a combination of watchdog, reputation, and trust mechanisms. INIT is
comprised of four modules. The cluster configuration module classifies free nodes as cluster members or leaders depending on their
function in the network. The route monitoring module assigns a reputation value to each router node based on the number of
transmitted and received messages. The attack detection module attempts to detect malicious nodes based on the reputation and trust
of each node. A Beta probability function is used to calculate a belief and disbelief value for each node based on the probability of
future behavior taking into account its previous results. These belief values are updated constantly to monitor the health of the
network. Finally, the isolation process is performed by the cluster leader or the root node. The proposed IDS was evaluated on a 50-
node network with 20% and 30% attack rate. The system achieved 90% attack DR for fixed devices and 70% for mobile devices.
Researchers have developed an IDS for sinkhole attack by monitoring the number of transmitted and received packets in the network [42]. The proposed system classifies the network's nodes into leaf, router (intermediate) and root nodes. The IDS agent (implemented in the root node only) calculates an Intrusion Ratio (IR) for each router node as the ratio of received vs. transmitted packets. If the IR ≠ 1, then there is a malicious node in the network.
A sinkhole attack IDS has been developed based on direct neighbor sink reputed trust [43]. The proposed model records positive
and negative reputation for each node. The initial trust values are calculated using a subjective logic algorithm and are afterwards updated based on positive and negative observations. When a node changes its rank or drops data packets, it is considered malicious
and its negative reputation is incremented. The model was evaluated on a network with different node counts ranging from 50 to 250
nodes, with 10% and 30% attack rate. The results showed that for a 10% attack rate, the FNR was 6.5%, FPR was 5.75% and PDR was
86%. On the other hand, the model achieved 9% FNR, 10.5% FPR and 82% PDR on a 100-node network with 30% attack rate.
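The following is an added example in Python (not code from [41], [42] or [43]) that works through the trust-based checks surveyed in this section on constructed watchdog observations: for each router node it computes the Intrusion Ratio of [42] (packets received for forwarding vs. packets actually retransmitted, with IR ≠ 1 as the alarm condition) and a Beta-reputation opinion in the style of INIT [41] and the reputed-trust model [43], with rank changes counted as negative observations. The observation format, the trust threshold and the routers B and M are assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, Optional, Set, Tuple

# Constructed watchdog observations (not from any surveyed paper). Each tuple is
# (router_id, packet_id, event): "recv" when a neighbour sees the router accept a
# packet for forwarding, "fwd" when it overhears the retransmission (passive ACK).
CONSTRUCTED_OBSERVATIONS = [
    ("B", 1, "recv"), ("B", 1, "fwd"),
    ("B", 2, "recv"), ("B", 2, "fwd"),
    ("B", 3, "recv"), ("B", 3, "fwd"),
    ("M", 4, "recv"), ("M", 4, "fwd"),
    ("M", 5, "recv"),                 # never forwarded
    ("M", 6, "recv"),                 # never forwarded
    ("M", 7, "recv"), ("M", 7, "fwd"),
    ("M", 8, "recv"),                 # never forwarded
]


@dataclass
class Opinion:
    """Subjective-logic opinion (belief, disbelief, uncertainty) from Beta counts."""
    belief: float
    disbelief: float
    uncertainty: float

    @property
    def expected_trust(self) -> float:
        # Expected value of Beta(r+1, s+1) = (r+1)/(r+s+2): belief plus half the
        # uncertainty, so a node with no history starts at 0.5.
        return self.belief + self.uncertainty / 2


def beta_opinion(positive: int, negative: int) -> Opinion:
    """Map r positive and s negative observations to a subjective-logic opinion."""
    denom = positive + negative + 2
    return Opinion(positive / denom, negative / denom, 2 / denom)


@dataclass
class RouterVerdict:
    router: str
    received: int
    forwarded: int
    intrusion_ratio: float      # received / forwarded; 1.0 for an honest router
    opinion: Opinion
    suspicious: bool


def evaluate_routers(observations: Iterable[Tuple[str, int, str]],
                     rank_changes: Optional[Dict[str, int]] = None,
                     trust_threshold: float = 0.6,
                     ir_tolerance: float = 0.0) -> Dict[str, RouterVerdict]:
    """Per-router Intrusion Ratio [42] and Beta-reputation trust [41, 43].

    [42] alarms on IR != 1 exactly; ir_tolerance lets a deployment allow for
    ordinary link loss on a lossy network before a router is called suspicious.
    """
    received: Dict[str, Set[int]] = defaultdict(set)
    forwarded: Dict[str, Set[int]] = defaultdict(set)
    for router, pkt, event in observations:
        (received if event == "recv" else forwarded)[router].add(pkt)
    verdicts: Dict[str, RouterVerdict] = {}
    for router, pkts in received.items():
        r = len(forwarded[router] & pkts)          # positive: packet retransmitted
        s = len(pkts) - r                          # negative: packet dropped
        s += (rank_changes or {}).get(router, 0)   # [43]: a rank change counts against the node
        ir = len(pkts) / r if r else float("inf")  # nothing forwarded -> IR unbounded
        opinion = beta_opinion(r, s)
        suspicious = abs(ir - 1.0) > ir_tolerance or opinion.expected_trust < trust_threshold
        verdicts[router] = RouterVerdict(router, len(pkts), r, ir, opinion, suspicious)
    return verdicts


if __name__ == "__main__":
    for v in evaluate_routers(CONSTRUCTED_OBSERVATIONS).values():
        print(f"{v.router}: IR={v.intrusion_ratio:.2f} "
              f"trust={v.opinion.expected_trust:.2f} suspicious={v.suspicious}")
```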

3.4. Machine learning-based detection methods

Data-driven machine learning methods have shown significant performance in analyzing massive network flow data. A number of
research articles have proposed to use ML techniques for the detection of sinkhole attacks in RPL networks. The following is a survey of
these articles, and Table 4 in the Appendix presents a comparative summary.


A network IDS based on ensemble learning method has been proposed for the detection of routing attacks in RPL networks [22].
The proposed method implemented four classifiers: Boosted Trees, Bagged Trees, Subspace Discriminant and RUSBoosted Trees. The
performance evaluation of the IDS was conducted using the RPL-NIDDS17 dataset, which consists of 20 features and includes sinkhole,
blackhole, selective forwarding, hello flooding, local repair, sybil and clone ID attacks. The proposed IDS architecture was comprised
of a number of elements. The sniffer collects all the transmitted packets and stores them into the sensor events and traffic repository. A
feature extraction module analyzes the collected data. Afterwards, the analysis engine classifies the traffic as attack or normal. The analysis results are then sent to a voting module, which is responsible for raising an alarm when an attack is detected. The performance
evaluation of the proposed IDS shows that Boosted Tree achieved the highest accuracy (94.5%), while Subspace Discriminant reported
the lowest accuracy (77.8%).
A trust-aware mechanism has been proposed for the detection and isolation of sinkhole attacks using the Random Forest (RF) ML algorithm [25]. The mechanism assumes that every node is able to monitor its neighbors' forwarding behavior using passive acknowledgement. The proposed system calculates a direct trust value for each node based on direct experience and an indirect trust value based on the recommendation of other nodes in the network. Direct trust is computed by calculating Quality of Service (QoS) metrics like packet delivery ratio, average delay, and energy consumption. These values are compared to predefined threshold values in order to detect malicious behavior. The RF algorithm is used to determine a social trust metric, which measures the honesty among the node owners. Indirect trust is calculated using subjective logic by analyzing the abnormal behavior of the neighbor, where abnormal behavior is measured by counting the positive and negative communications of the node and comparing the counts with a fixed threshold value. The proposed algorithm achieved 85% accuracy in a 100-node network with 50% malicious nodes.
A machine learning-based distributed intrusion detection system for sinkhole attacks has been proposed [44]. The system is an
anomaly-based IDS that works by creating a profile of normal network behavior using machine learning classifiers. An IDS module
located in the host nodes collects information about the network and forwards it to another IDS module in the root node. The collected
information is analyzed in the root node to detect anomalous behavior. The researchers used Genetic Algorithm and a confidence
degree threshold to select training features for the ML models based on network traffic. The selected features to train the ML model are:
Hop count, routing metrics, ETX, CPU power, and transmit power. The IDS was evaluated on a 60-node network simulated in COOJA
with 24 malicious nodes. The researchers investigated using Support Vector Machine (SVM), Decision Tree (DT), and Bayesian
classifiers. The results showed that DT outperformed SVM and Bayesian classifiers with a 99.02% DR, 0.16% FPR, and 99.35% rate of
accuracy.
Researchers have proposed a deep learning-based IDS for detecting sinkhole, distributed denial of service (DDoS), blackhole,
wormhole and opportunistic service attacks [11]. The system first passes through an anomaly detection phase where header tags are
extracted from the packets and used as features for the machine learning model. The extracted features are: transmission rate,
reception rate, transmissions to reception ratio, activity duration, transmission mode, source IP address, destination IP address, and
data value information. The collected datasets are used to train a binary-classification supervised perceptual learning model. The
model consists of 5 layers, and uses the Rectified Linear Unit (ReLU) activation function. The proposed IDS achieved 96.4% TPR
against blackhole attack and 99% TPR against sinkhole attack.
A mechanism based on convolutional neural networks (CNN) has been proposed to mitigate the impact of routing attacks on power consumption in healthcare IoT systems [45]. The system was designed to handle selective forwarding, sinkhole, wormhole, hello flooding and version attacks. The framework of the mechanism has two main phases. During the feature selection phase, RF and over-fitting are used to select features by weight by rule, Chi-squared, and weight by tree importance. The CNN model for the detection phase was trained on a dataset generated from the Contiki simulator. The dataset consisted of 21 features and 5621 instances including 1156 malicious nodes. The model achieved 98.57% detection accuracy.
Researchers proposed a hybrid IDS to detect sinkhole, blackhole, sybil, and DoS attacks based on machine learning [46]. Initially,
the IDS monitors the network traffic and analyzes overall behavior. Then, the system extracts the features and performs traffic pattern
identification. The detection is carried out using anomaly detection by employing a long short-term memory (LSTM) recurrent neural network (RNN) model. This model is used to learn the content across the network to get the essential features from the nodes. The researchers used the UNSW NB-15 dataset, which consists of 240 classes of normal nodes and 3890 classes of attack nodes, for evaluating the model. The proposed model achieved a 98.6% DR.

3.5. Previous research surveys related to sinkhole attack in RPL networks

The conducted search has identified only a small number of previously published survey papers that review literature related to detection methods for routing attacks in RPL networks [1,8,9,47–50]. The main contributions of this review compared to the earlier surveys are its concentration specifically on sinkhole attack, and its discussion and comparison of the proposed detection methods in terms of performance, evaluation metrics, dataset, and implementation. The details in Table 5 show that this review has the widest and most up-to-date coverage (2013 through 2021). Even though this review may not cover the largest number of papers compared to earlier surveys, it has the advantage that the works reviewed here are all targeted specifically at the sinkhole attack.

4. Discussions and answers to the research questions

This section discusses the results of the publication review. Answers to the research questions will be presented, and research gaps and possible future research directions will also be identified.


Table 1
Contrasting detection methods / IDS in terms of implementation flexibility and limitations.

Detection Method Category | Implementation | Limitations
Trust-based detection | Trust calculations are either calculated in the border router or assigned to TPM device | Need to add a TPM device to the network; frequent monitoring and updating the trust calculations
Ranking-based detection | Clustering the network or adding passive nodes | Adding overhead to the network; if the cluster head fails, IDS fails
Signature and specification based detection | Clustering the network or adding passive nodes | Adding overhead to the network; if the cluster head fails, IDS fails
Anomaly-based detection | IDS is placed in the root node | If root node fails, IDS fails (also the network fails)
ML-based detection | IDS is placed in the root node | If root node fails, IDS fails (also the network fails)

Fig. 7. Distribution of the proposed methods in terms of detection, isolation, and prevention of the sinkhole attack.

4.1. Discussion of the review results

This survey has shown that the sinkhole attack targets vulnerability points in the RPL protocol and exploits its dependence on node
rank values to establish a significant alteration in the network’s operation. It was also shown that the sinkhole attack can be used as a
precursor to more damaging attacks. Accordingly, numerous methods have been proposed for detecting this attack as soon as it
develops.
The survey highlighted the differences between the proposed methods, the metrics used for evaluating their performance, and the
datasets and simulators used to verify their operation. It is clear from the survey that most of the published research addresses different
network routing attacks without delving into the methods proposed to handle each attack individually. To avoid the vague scope, this
review has concentrated on studying the security methods used to detect sinkhole attack specifically.
This literature review has attempted to analyze the methods reported in the literature for the detection of a sinkhole attack on RPL-
based networks, with the target of identifying the most promising methods. Overall, all of the discussed methods have been reasonably
successful, achieving an accuracy exceeding 80% under the different evaluation scenarios. However, Table 1 below shows that these
methods vary in terms of implementation flexibility and limitations. The survey has shown that trust-based detection methods/IDS require frequent monitoring and updates of the trust calculations for the nodes. This adds a significant overhead to the operation of the network. Similarly, ranking-based detection methods, and signature and specification IDS, also require a set of calculations related to the rank values between the nodes. This requires definition of rules and thresholds for identifying signatures of
normal network behavior versus network under attack scenarios. These calculations and threshold checks need to be performed
frequently, therefore adding significant overhead to the network. Additionally, implementing these detection methods is usually done
by adding passive nodes, modifying the network topology through clustering, or modifying the RPL protocol to allow nodes to monitor
each other. All of these involve significant restrictions to the operation of the network.
Based on this analysis, it can be concluded that anomaly-based and ML-based intrusion detection permit the most flexible implementation. These methodologies use an IDS in the root node to collect the network traffic. Then, they utilize an ML or DL model to detect anomalous network behavior and classify the traffic as normal or malicious. Researchers have been able to achieve 99% detection accuracy of the sinkhole attack in a simulation model and 97% using real sensors [11].

Fig. 8. Common performance metrics appearing in the review pool.

Table 2
Frequency of different performance metrics appearing in the review pool.

Performance metric | Frequency | Reference
True Positive Rate (TPR) | 9 | [27,28,29,30,32,37,38,40,11]
False Positive Rate (FPR) | 8 | [28,29,30,35,36,38,43,44]
Detection Accuracy (DA) | 7 | [22,25,29,30,31,32,44]
Packet Drop / Delivery Ratio | 6 | [23,32,35,28,43]
Energy Consumption | 6 | [25,27,28,29,30,31,32,37,38]
Detection Rate (DR) | 4 | [7,30,35,39,41]
False Negative Rate (FNR) | 3 | [23,35,43]
Overhead | 2 | [32]
Throughput | 2 | [25,32]
Average Delay | 2 | [25,32]

4.2. Identifying the research gaps

This review has identified a number of improvements that should be considered in future research related to this topic. These can be
summarized in the following research gaps:

1 Performance evaluations for the methods proposed in most of the reviewed publications were based on a single network topology.
Very few have considered the effect of different network topologies on the performance of the proposed method. Thus, a research
gap has been identified related to evaluating the performance of proposed methods in network topologies containing one RPL
instance versus multiple instances.
2 None of the reviewed papers have evaluated the performance of the proposed detection methods in terms of the location of the malicious node within the network, or the number of hops between the malicious node and the root node. Future research should include evaluation of the proposed method by varying the number of hops between the root node and the attack node.
3 RPL is a routing protocol designed for LLN networks, which are a main component in IoT systems in general. However, IoT systems
do not all behave in a similar manner. One of the surveyed papers has identified that the proposed detection mechanism was
targeted at a healthcare IoT system specifically [45]. It is important to investigate whether a proposed detection method is specific
to a certain IoT application, or whether it would be applicable to IoT systems in general.


Table 3
Tools used to evaluate the proposed detection methods.

Reference | Reported Evaluation Method
[8,10,27,28,24,29,30,34,36] | COOJA Simulator
[29] | .Net Framework, C#, and MATLAB
[31,27,28] | NS-2, NS-3 Simulators
[34] | Netsim Simulator
[31] | OpenWSN Simulator
[32,38] | MATLAB
[23,33,37] | NA
[35] | Python and COOJA Simulator

4 None of the ML-based detection methods attempted hyperparameter tuning of the ML model, except for one. In that singular article, the researchers reported using a genetic optimization algorithm for feature selection and hyperparameter tuning [44]. This highlights a research gap where it would be recommended to investigate the use of optimization methods for tuning the hyperparameters of machine learning based detection methods.

5 The literature survey has highlighted that previous works focused only on detecting the attack, or detecting the attack and isolating
the malicious node. Only two of the works proposed preventing the attack from occurring in the first place. One method proposed
using encryption and the other proposed using a shared key concept [38,40]. The diagram in Fig. 7 shows the distribution of the
articles in the review pool in terms of focus on detection, isolation, and prevention. A research gap can be identified in terms of
proposing a security method that can detect, isolate and prevent sinkhole attacks in RPL networks.

6 The works in the review pool utilized numerous performance metrics for the evaluation of the proposed methods. The statistics in
Fig. 8 and Table 2 show the frequency of the different metrics in the review pool, and which references utilized each metric. These
statistics highlight the inadequate attention afforded to very important metrics for IoT systems, such as energy consumption,
overhead, complexity, average delay, and average throughput. Future work targeted at IoT systems must consider these metrics.
Future research that aims to detect the sinkhole attack should consider measuring the detection latency to demonstrate the
effectiveness of the proposed method. Detection latency represents the amount of time the proposed method requires to detect the
attack. It is a critical metric as it represents the time window for the attacker to launch the attack before it is detected. Figure and
Table 2 show that none of the articles in the review pool reported the detection latency of their proposed methods, which highlights
a significant research gap.
7 Proposals for attack prediction based on ML and DL usually yield very high success rates. However, in practice these prediction methods might not produce the same results. One of the possible reasons is that the attacker's knowledge changes from point to point. Therefore, when the attacker acquires new skills, which is what happens in the real world, the conditions change drastically and the proposed models produce weaker results than expected. It is recommended that researchers should not depend on synthetic datasets, but should strive to generate datasets extracted from real-world operating conditions for training and testing their proposed models.

4.3. Answers to research questions

A number of research questions were posed in Section 1 to guide this survey. This section will develop answers to these questions
based on the learnings from the reviewed literature.

1 What are the existing proposed techniques for detection of sinkhole attack under RPL?

A number of techniques have already been proposed for the detection of the sinkhole attack. These techniques can be classified based on the detection methods used, such as systems based on specification, signature and anomaly detection, systems based on ranking and rating, systems based on trust and reputation, and systems utilizing data driven machine learning models. Each of these methods was explicitly examined in the literature review section.

2 How are researchers generating the datasets used in the proposed detection methods?

It can be summarized from the literature survey that no dataset exists that specifically addresses sinkhole attack in RPL. There are
datasets available that target a collection of routing attacks, such as RPL-NIDDS17 and UNSW NB-15. Most of the researchers opted to
generate synthetic datasets using common network simulators like COOJA, NS-2 and NS-3.

3 How are the proposed methods evaluated?

It is very difficult to build real-life IoT platforms for evaluating proposed attack detection methods. Most researchers simulate the operation of the IDS using network simulators, Python, or MATLAB. Table 3 lists the tools used to evaluate the proposed detection methods as reported in the literature.

4 What are the performance metrics used for evaluating the proposed methods?

Researchers used a number of metrics to evaluate the performance of their proposed methods. As highlighted in Table VI, the
evaluation metrics used in the literature were: true positive rate, false negative rate, false positive rate, detection rate, detection
accuracy, packet drop ratio, energy consumption, overhead, average delay and throughput. The most common evaluation metric was
the true positive rate which indicates the detection of the malicious attack. However, it was noticed that important metrics such as
energy consumption, overhead, throughput and average delay were not common.

5 What are the research gaps in the existing literature?

A number of research gaps have been identified and discussed in detail in Section 4.2.

4.4. Future research suggestions

This survey has highlighted a number of important areas that have not received adequate consideration in research on sinkhole
attack in LLNs and RPL specifically. These points can be summarized in the following:

• Investigating the impact of the sinkhole attack on RPL networks under different considerations: location of the attacker within the
network, the number of hops between the attacker and the root node, and single versus multiple malicious nodes.
• Investigating the impact of the sinkhole attack when it is combined with other routing attacks.
• Comparing proposed detection methods in terms of applicability and flexibility, as well as integration complexity into a running
network.
• Comparing and evaluating the efficacy of classical machine learning and deep learning models in detecting a sinkhole attack.
• Proposing techniques for detecting, isolating, and preventing the attack at the same time.
• Investigating the most important features in a network’s traffic flow to be used in applying ML and DL models for detecting the
attack and identifying the malicious node.

5. Conclusion

Given the pervasive spread of Wireless Sensor Networks and Internet of Things systems, they have become the target of numerous
attack scenarios. These systems suffer a significant limitation in terms of energy and processing capacity. This makes it very difficult to
detect and mitigate attacks given their limited resources. A particularly interesting attack on these systems is the sinkhole attack. This
attack targets a node in the network and uses it to collect all of the traffic traveling through the network. While this attack may not be
destructive in and of itself, it is typically used as a precursor to more damaging attacks, such as the blackhole attack.
This work has surveyed current proposals in the literature for detecting and isolating sinkhole attacks on LLNs controlled by the RPL routing protocol. This survey has identified both strong and weak points in the detection methods proposed in the research.
However, significant research gaps have also been identified allowing for future contributions in this area. It was determined that most
of the research has not considered the effectiveness of the proposed methods on networks with multiple RPL instances. Also, none of
the published research has considered the effect of the malicious node’s location within the network on the effectiveness of the
proposed method. While there were numerous proposals for using ML-based techniques, none of these proposals considered optimization of the hyperparameters of the ML model. There have been a good number of proposals for the detection of the attack and a few proposals for the isolation of the malicious nodes. However, very little attention was given to the prevention of the attack in the first place. Most of the works concentrated on evaluating the efficacy of the proposed method using detection evaluation metrics. Very few of the publications gave consideration to metrics important to IoT systems such as energy consumption, complexity, overhead, delay, and throughput. The general summary is that there is still room for significant contributions in this area of research.

Declaration of Competing Interest

The authors declare that they have no known competing financial interests or personal relationships that could have appeared to
influence the work reported in this paper.

Data availability

No data was used for the research described in the article.

Appendix

Table 4
Overview of anomaly, signature, and specification-based detection methods in the literature

Ref. | Detection Method | Simulator and Dataset | Simulated Network Size | Malicious node count | Performance metrics | Required Features | Targeted Attacks | Detecting vs. Isolating the malicious node | Research Gap(s)
[27] | Hybrid anomaly and signature IDS | COOJA | 8, 16 and 32 | — | TPR and Energy Consumption | Packet loss rate and rank inconsistency | Sinkhole and selective forwarding attacks | Detection | High FPR; TPR decreases in large networks
[28] | Specification-based IDS based on a hybrid clustering architecture | COOJA | 100 | 1 | TPR and FPR | Node id, rank, preferred parent ID, DIO, DIS and DAO sequence number | Rank attack, sinkhole attack and Neighbor attack | Detection | If the cluster head fails, the detection method will fail
[29] | Hybrid of anomaly-based and specification-based IDS using unsupervised OPF based on MapReduce approach | .Net Framework, C# and Matlab | 10 and 16 | 1 and 3 | TPR, FPR, and Detection Accuracy | Packet receiving rate, PDR, average latency, and maximum hop count | Sinkhole and selective-forwarding attacks | Detection | Not tested on an LLN; resulting TPR is lower than the anomaly-based IDS
[30] | Hybrid monitoring technique based on passive intermediate nodes that monitor surrounding nodes | COOJA | 20 | 2 | Energy Consumption, TPR, FPR, and Detection Accuracy | Rank value | Sinkhole attack | Detection | Network overhead and energy consumption are increased
[31] | Improved version of IDS proposed in [27] | NS-2 | 150 | — | PDR, Throughput, Overhead, and Energy Consumption | Rank value | Sinkhole attack | Detection | Clustering-based IDS, thus if the cluster head fails, the IDS will fail
[32] | IDS combines two existing algorithms for detection of sinkhole and clone ID attacks | COOJA | 8, 16 and 24 | — | TPR and number of detected malicious nodes | Rank value | Sinkhole and selective forwarding attacks | Detection | Suffers the same high FPR as in [27]
[34] | Knowledge-Based specification rule IDS | Netsim | NA | — | DR | Number of input and output transmissions | Sinkhole attack | Detection | New rules might need to be defined if the environment changes

Table 5
Overview of ranking-based detection methods in the literature.

| Ref. | Detection Method | Simulator and Dataset | Simulated Network Size | Malicious node count | Performance metrics | Required Features | Targeted Attacks | Detecting vs. Isolating the malicious node | Research Gap(s) |
|---|---|---|---|---|---|---|---|---|---|
| [35] | Hybrid IDS based on node rating | NS2 | 500 | 10%, 20% and 30% | DR, FNR, FPR and PDR | Energy, trust, integrity, rank inconsistency, and PDR | Sinkhole | Detection and isolation | Adding communication overhead to the network |
| [36] | Distance-based rating and ranking | NS3 | 600 | 10%, 20% and 30% | PDR, FNR and FPR | Rank values and average packet transmission | Sinkhole | Detection and isolation | Malicious node can only be detected by a child node. If the malicious node is a child, it can't be detected. |
| [37] | Comparing differences in rank between a node, its parent, and its neighbors to a predefined threshold | COOJA | 8, 16 and 32 | 1, 2 and 4 | Energy consumption and TPR | Node ID, preferred parent node rank, and path ETX | Sinkhole | Detection and isolation | TPR decreases for large networks. Lower energy consumption compared to [27] |
| [38] | Cluster-based IDS that uses rank inconsistency along with random hash authentication keys | COOJA | 100 | 1 | Energy consumption, TPR and FPR | Rank value | Sinkhole, selective forwarding attacks | Detection and prevention | If the cluster head fails, the IDS will fail. |
| [39] | A finite state machine (FSM) that defines the operations and behavior flow of the RPL protocol | OpenWSN | 8 | 1 | DR | Rank value | Selective forwarding, hello flood, and sinkhole attacks | Detection | Evaluation metrics were only FPR and energy consumption |
| [40] | Clustering-based method based on the key match algorithm | Matlab | 10, 20, 30, 40, 50, 60 | — | TPR | Rank value | Sinkhole and selective forwarding | Detection and prevention | Evaluation metrics were only FPR and energy consumption |
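The "rank inconsistency" feature used by most entries of Tables 4 and 5, and the node/parent/neighbor rank comparison against a threshold summarised for [37], can be made concrete with a small root-side check over collected DIO advertisements. The following is an added illustration written for this survey page, not code from [37] or any other surveyed paper; the DIO field names, the detector function, the neighbour table and the sample topology (root R, sinkhole S advertising a forged low Rank, victim D) are all constructed here, and the only protocol facts assumed are the RFC 6550 defaults that the root advertises Rank = MinHopRankIncrease = 256 and that each hop must increase Rank by at least MinHopRankIncrease.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# RFC 6550 default MinHopRankIncrease; the DODAG root advertises Rank equal to it.
MIN_HOP_RANK_INCREASE = 256
ROOT_RANK = MIN_HOP_RANK_INCREASE


@dataclass(frozen=True)
class Dio:
    """The DIO fields this check needs: sender, advertised Rank, claimed parent."""
    node: str
    rank: int
    parent: Optional[str]  # None only for the DODAG root


def check_rank_consistency(dios: List[Dio], neighbors: Dict[str, Set[str]],
                           threshold: int = MIN_HOP_RANK_INCREASE) -> Dict[str, List[str]]:
    """Return {node: [reasons]} for every node whose advertised Rank is inconsistent.

    Parent rule: RPL requires a node's Rank to exceed its preferred parent's Rank by
    at least MinHopRankIncrease, so a smaller value is a forged advertisement.
    Neighbour rule (the threshold comparison of [37]-style detectors): a non-root node
    whose Rank undercuts every neighbour's Rank by more than `threshold` claims a path
    to the root that none of its neighbours can see. Neighbours that chose the suspect
    as their parent are excluded, since they merely echo its Rank.
    """
    rank = {d.node: d.rank for d in dios}
    parent = {d.node: d.parent for d in dios}
    findings: Dict[str, List[str]] = {}
    for d in dios:
        reasons: List[str] = []
        if d.parent is None:
            if d.rank != ROOT_RANK:
                reasons.append(f"root advertises Rank {d.rank}, expected {ROOT_RANK}")
        elif d.parent not in rank:
            reasons.append(f"claims unknown parent {d.parent}")
        else:
            bound = rank[d.parent] + MIN_HOP_RANK_INCREASE
            if d.rank < bound:
                reasons.append(f"Rank {d.rank} below parent {d.parent} Rank + "
                               f"MinHopRankIncrease ({bound})")
            independent = [rank[n] for n in neighbors.get(d.node, set())
                           if n in rank and parent.get(n) != d.node]
            if independent and min(independent) - d.rank > threshold:
                reasons.append(f"Rank {d.rank} undercuts all independent neighbours "
                               f"(lowest {min(independent)}) by more than {threshold}")
        if reasons:
            findings[d.node] = reasons
    return findings


# Constructed topology: R is the root; S is a sinkhole advertising Rank 300 although
# its real parent B sits at Rank 768; D has chosen S as parent and echoes the lie.
SAMPLE_DIOS = [Dio("R", ROOT_RANK, None), Dio("A", 512, "R"), Dio("B", 768, "A"),
               Dio("C", 1024, "B"), Dio("S", 300, "B"), Dio("D", 556, "S")]
SAMPLE_NEIGHBORS = {"R": {"A"}, "A": {"R", "B"}, "B": {"A", "C", "S"},
                    "C": {"B", "S", "D"}, "S": {"B", "C", "D"}, "D": {"S", "C"}}

if __name__ == "__main__":
    for node, why in check_rank_consistency(SAMPLE_DIOS, SAMPLE_NEIGHBORS).items():
        print(node, "->", "; ".join(why))  # only S is reported, with both reasons
```

Note that D, whose Rank is consistent with the parent it chose, is not flagged: like the child-only visibility gap noted for [36], a node that has already adopted the sinkhole looks legitimate from its own advertisements, which is why the check excludes such children from the neighbour comparison.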

Table 6
Overview of Trust-based detection methods in the literature.

| Ref. | Detection Method | Simulator and Dataset | Simulated Network Size | Malicious node count | Performance metrics | Required Features | Targeted Attacks | Detecting vs. Isolating the malicious node | Research Gap(s) |
|---|---|---|---|---|---|---|---|---|---|
| [41] | Cluster-based IDS combining watchdog, reputation and trust mechanisms | NA | 50 nodes | 20% and 30% | DR | Number of transmitted packets, ranks of all nodes | Sinkhole | Detection and isolation | Energy, TPR, FPR, FNR, PDR metrics not considered. If the cluster head fails, the IDS will fail |
| [42] | Detecting inconsistencies in number of transmitted and received packets | NA | NA | NA | PDR | Received and transmitted packet counts | Sinkhole | Detection and isolation | No simulation or evaluation results, and the attack may not affect network traffic |
| [43] | Direct neighbor sink reputed trust calculated using subjective logic algorithm | COOJA | From 50 to 250 | 10% and 30% malicious | FNR, FPR and PDR | Parent rank, node rank, transmission ratio | Sinkhole | Detection | Energy consumption metric is not considered in the evaluation |

Table 7
Overview of machine learning detection methods in the literature.

| Ref. | Detection Method | Simulator and Dataset | Simulated Network Size | Malicious node count | Performance metrics | Required Features | Targeted Attacks | Detecting vs. Isolating the malicious node | Research Gap(s) |
|---|---|---|---|---|---|---|---|---|---|
| [22] | Ensemble learning based IDS using: Boosted Trees, Bagged Trees, Subspace Discriminant and RUSBoosted Trees | RPL-NIDDS17 datasets | NA | NA | Detection accuracy | NA | Sinkhole, blackhole, selective forwarding, hello flooding, local repair, sybil and clone ID | Detection | The proposed method only classifies the network traffic. It does not identify the malicious node |
| [25] | Trust-aware mechanism using random forest (RF) algorithm | COOJA | 100 nodes | Up to 50% malicious nodes | Detection accuracy, PDR, throughput, ave. delay, energy cons. | Packet delivery ratio, average delay, energy consumption, and positive and negative comm. | Sinkhole | Detection and isolation | The mechanism assumes that nodes can monitor the forwarding behavior of their neighbors |
| [44] | ML-based distributed IDS using SVM, DT and Bayesian classifiers | COOJA | 60 nodes | 24 | DR, FPR and accuracy rate | Hops, Routing metrics, ETX, CPU power and transmit power | Sinkhole attack | Detection | Data collection process consumes a lot of energy |
| [11] | Deep learning-based IDS, using a binary-classification supervised perceptual learning model | Scapy and Raspberry pi | NA | NA | TPR | Transmission rate, reception rate, trans. to reception ratio, activity duration, trans. mode, source IP, destination IP | Sinkhole, DDoS, blackhole, wormhole and opportunistic service | Detection | Energy metric, PDR, FPR are not considered in the evaluation |
| [45] | Convolutional neural network (CNN) based security mechanism | COOJA | 5621 | 1156 malicious nodes | Detection accuracy | Reception time, lost packets, Hops, Rtmetrics, ETX, churn, Beacon interval, power, class, node, on time, duty cycles, Dups | Selective forwarding, sinkhole, wormhole, hello flooding and version attack | Detection | The proposed method is not evaluated in terms of PDR, FPR, FNR and energy |
| [46] | LSTM-based IDS | UNSW NB-15 dataset | NA | NA | Detection accuracy | NA | Sinkhole, black hole, sybil, DoS | Detection | FPR, FNR and energy not considered |


Table 8
Overview of existing research survey papers related to sinkhole attack in RPL networks.

| Ref. | Date of Publication | Number of surveyed papers | Discussions | Date Range | Additional contribution of this work |
|---|---|---|---|---|---|
| [1] | 2020 | 24 papers | Compares the attacks in terms of their behaviors and consequences, then highlights the proposed detection methods. | 2011 – 2020 | This work focuses on sinkhole attack only, in terms of its behavior and the performance of the proposed methods. |
| [8] | 2013 | - | Concentrates on the location of the IDS (root nodes, and cluster nodes) and highlights whether the IDS is detecting only or detecting and isolating. | 2003 – 2013 | Expanded from covering the placement of the IDS to how it is developed, the performance, the used datasets and the selected features used for each IDS. |
| [9] | 2019 | 6 papers | Compares the attacks in terms of their effects on the network, countermeasures, complexity, and limitations. | 2011 – 2013 | This work focuses only on the impact and behavior of sinkhole attack on RPL networks. |
| [47] | 2019 | 21 papers | Type of IDS (anomaly, signature, specification, or hybrid), location of IDS (Centralized, Distributed or theory), types of attacks detected, IDS performance metrics (Detection accuracy, FPR, Resource consumption, Real time, scalability, flexibility, robustness), for different routing attacks. | 2009 – 2018 | This work compares the proposed sinkhole IDS systems and the different detection methods in terms of the used datasets, types of detected attacks, performance metrics (TPR, FPR, FNR, energy consumption, PDR, detection rate and accuracy, throughput, overhead and average delay). |
| [48] | 2017 | 7 papers | Comparing the proposed methods and the drawbacks. | 2011 – 2016 | This work discusses the proposed methods for 7 papers and compares them in terms of their implementation, performance, datasets, and research gaps. |
| [49] | 2016 | 10 papers | Comparing different RPL attacks and the proposed detection methods along with the overhead of the method. | 2012 – 2015 | This work compares the proposed methods in terms of their research gaps, where the overhead is part of the research gap comparison. |
| [50] | 2021 | 18 papers | Discusses machine learning-based IDSs for routing attacks without comparing them. | 2013 – 2020 | This work compares machine learning detection methods along with other detection methods for sinkhole attack only. |

References

[1] K. Avila, D. Jabba, J. Gomez, Security aspects for rpl-based protocols: a systematic review in IoT, Appl Sci 10 (2020) 18, https://doi.org/10.3390/APP10186472.
[2] A. Hassanzadeh, A. Altaweel, R. Stoleru, Traffic-and-resource-aware intrusion detection in wireless mesh networks, Ad Hoc Netw 21 (2014) 18–41, https://doi.org/10.1016/j.adhoc.2014.04.009.
[3] P. Thubert, M. Richardson, Routing for RPL (routing protocol for low-power and Lossy networks) leaves, Internet Eng Task Force (2021).
[4] T. Winter, P. Thubert, A. Brandt, J. Hui, R. Kelsey, P. Levis, K. Pister, R. Struik, J.P. Vasseur, R. Alexander, RPL: IPv6 Routing Protocol for Low-Power and Lossy Networks, Internet Engineering Task Force (IETF), Fremont, CA, USA, 2012.
[5] A. Musaddiq, Y. Bin Zikria, Zulqarnain, S.W. Kim, Routing protocol for Low-Power and Lossy Networks for heterogeneous traffic network, Eurasip J Wirel Commun Netw 2020 (2020) 1, https://doi.org/10.1186/s13638-020-1645-4.
[6] A. Raoof, C.-H. Lung, A. Matrawy, Introducing network coding to RPL: the chained secure mode (CSM), 2020 IEEE 19th Int Symp Netw Comput Appl (2020) 1–4, https://doi.org/10.1109/NCA51143.2020.9306744.
[7] A. Arena, P. Perazzo, C. Vallati, G. Dini, G. Anastasi, Evaluating and improving the scalability of RPL security in the Internet of Things, Comput Commun 151 (2020) 119–132, https://doi.org/10.1016/j.comcom.2019.12.062.
[8] L. Wallgren, S. Raza, T. Voigt, Routing attacks and countermeasures in the RPL-based internet of things, Int J Distrib Sens Networks 2013 (2013), https://doi.org/10.1155/2013/794326.
[9] A. Jain, S. Jain, A survey on miscellaneous attacks and countermeasures for RPL routing protocol in IoT, Springer, Singapore, 2019, https://doi.org/10.1007/978-981-13-1501-5_54.
[10] B.H. Patel, P. Shah, RPL routing protocol performance under sinkhole and selective forwarding attack: Experimental and simulated evaluation, Telkomnika (Telecommunication Comput Electron Control) 18 (2020) 1849–1856, https://doi.org/10.12928/TELKOMNIKA.V18I4.15768.
[11] G. Thamilarasu, S. Chawla, Towards deep-learning-driven intrusion detection for the internet of things, Sensors (Switzerland) 19 (2019) 9, https://doi.org/10.3390/s19091977.
[12] H.A. Khattak, M.A. Shah, S. Khan, I. Ali, M. Imran, Perception layer security in Internet of Things, Futur Gener Comput Syst 100 (2019) 144–164, https://doi.org/10.1016/j.future.2019.04.038.
[13] A. Muñoz, C. Fernández-Gago, R. López-Villa, A test environment for wireless hacking in domestic IoT scenarios, Mob Netw Appl (2022), https://doi.org/10.1007/s11036-022-02046-x.
[14] F. Österlind, A. Dunkels, J. Eriksson, N. Finne, T. Voigt, Cross-level sensor network simulation with COOJA, in: Proc. Conf. Local Comput. Networks, LCN, 2006, pp. 641–648, https://doi.org/10.1109/LCN.2006.322172.
[15] ns-users@isi.edu, The network simulator - ns-2 (2011).
[16] University of Washington NS-3 Consortium, ns-3 Network Simulator, What Is ns-3? (2022), https://www.nsnam.org/.
[17] T. Watteyne, X. Vilajosana, B. Kerkez, F. Chraim, K. Weekly, Q. Wang, S. Glaser, K. Pister, OpenWSN: A standards-based low-power wireless development environment, Eur Trans Telecommun (2013) 1–13.
[18] A. Dunkels, B. Grönvall, T. Voigt, Contiki - A lightweight and flexible operating system for tiny networked sensors, in: Proc. Conf. Local Comput. Networks, LCN, 2004, pp. 455–462, https://doi.org/10.1109/LCN.2004.38.
[19] Z. Shelby, K. Hartke, C. Bormann, The Constrained Application Protocol (CoAP), RFC 7252 (2014), https://www.rfc-editor.org/rfc/pdfrfc/rfc7252.txt.pdf.
[20] ANRG, Cooja Simulator, ANRG (2016).
[21] N. Moustafa, J. Slay, UNSW-NB15: A comprehensive data set for network intrusion detection systems (UNSW-NB15 network data set), Intell Secur Group UNSW Canberra, Aust. (2015), https://doi.org/10.1109/MilCIS.2015.7348942.
[22] A. Verma, V. Ranga, ELNIDS: ensemble learning based network intrusion detection system for RPL based Internet of Things, in: Conf. Internet Things Smart Innov. Usages, IoT-SIU, 2019, https://doi.org/10.1109/IoT-SIU.2019.8777504.
[23] A.B. Nassif, B. Soudan, M. Azzeh, I. Attilli, O. Almulla, Artificial intelligence and statistical techniques in short-term load forecasting: a review, Int Rev Model Simulations 14 (2021) 408–430, https://doi.org/10.15866/iremos.v14i6.21328.
[24] J. Brown, M. Anwar, G. Dozier, An evolutionary general regression neural network classifier for intrusion detection, in: 2016 25th Int. Conf. Comput. Commun. Networks, ICCCN 2016, 2016, pp. 1–5, https://doi.org/10.1109/ICCCN.2016.7568493.
[25] K. Prathapchandran, T. Janani, A trust aware security mechanism to detect sinkhole attack in RPL-based IoT environment using random forest – RFTRUST, Comput Networks 198 (2021), https://doi.org/10.1016/j.comnet.2021.108413.
[26] B. Soudan, F.F. Dandachi, A.B. Nassif, Attempting cardiac arrest prediction using artificial intelligence on vital signs from Electronic Health Records, Smart Heal. 25 (2022), https://doi.org/10.1016/j.smhl.2022.100294.
[27] S. Raza, L. Wallgren, T. Voigt, SVELTE: Real-time intrusion detection in the Internet of Things, Ad Hoc Netw 11 (2013) 2661–2674, https://doi.org/10.1016/j.adhoc.2013.04.014.
[28] A. Le, J. Loo, K.K. Chai, M. Aiash, A specification-based IDS for detecting attacks on RPL-based network topology, Inf 7 (2016) 2, https://doi.org/10.3390/info7020025.
[29] H. Bostani, M. Sheikhan, Hybrid of anomaly-based and specification-based IDS for Internet of Things using unsupervised OPF based on MapReduce approach, Comput Commun 98 (2017) 52–71, https://doi.org/10.1016/j.comcom.2016.12.001.
[30] M. Alzubaidi, M. Anbar, Y.W. Chong, S. Al-Sarawi, Hybrid monitoring technique for detecting abnormal behaviour in rpl-based network, J Commun 13 (2018) 198–208, https://doi.org/10.12720/jcm.13.5.198-208.
[31] M. Surendar, A. Umamakeswari, InDReS: An Intrusion Detection and response system for Internet of Things with 6LoWPAN, in: Proc. 2016 IEEE Int. Conf. Wirel. Commun. Signal Process. Networking, WiSPNET 2016, 2016, pp. 1903–1908, https://doi.org/10.1109/WiSPNET.2016.7566473.
[32] S.M.H. Mirshahjafari, B.S. Ghahfarokhi, Sinkhole+CloneID: a hybrid attack on RPL performance and detection method, Inf Secur J 28 (2019) 107–119, https://doi.org/10.1080/19393555.2019.1658829.
[33] S. Sharmila, G. Umamaheswari, Detection of sinkhole attack in wireless sensor networks using message digest algorithms, in: Proc. 2011 Int. Conf. Process Autom. Control Comput., PACC 2011, 2011, pp. 1–6, https://doi.org/10.1109/PACC.2011.5978973.
[34] G.H. An, T.H. Cho, Improving Sinkhole Attack Detection Rate through Knowledge-Based Specification Rule for a Sinkhole Attack Intrusion Detection Technique of IoT, Int J Comput Networks Appl 9 (2022) 169–178, https://doi.org/10.22247/ijcna/2022/212333.
[35] M. Zaminkar, F. Sarkohaki, R. Fotohi, A method based on encryption and node rating for securing the RPL protocol communications in the IoT ecosystem, Int J Commun Syst 34 (2021) 1–18, https://doi.org/10.1002/dac.4693.
[36] M. Zaminkar, R. Fotohi, SoS-RPL: Securing internet of things against sinkhole attack using RPL protocol-based node rating and ranking mechanism, Wirel Pers Commun 114 (2020) 1287–1312, https://doi.org/10.1007/s11277-020-07421-z.
[37] S.R. Taghanaki, K. Jamshidi, A. Bohlooli, DEEM: A decentralized and energy efficient method for detecting sinkhole attacks on the internet of things, in: 2019 9th Int. Conf. Comput. Knowl. Eng., ICCKE 2019, 2019, pp. 325–330, https://doi.org/10.1109/ICCKE48569.2019.8965177.
[38] S. Choudhary, N. Kesswani, Cluster-based intrusion detection method for internet of things, in: Proc. IEEE/ACS Int. Conf. Comput. Syst. Appl., AICCSA, 2019, pp. 1–8, https://doi.org/10.1109/AICCSA47632.2019.9035319.
[39] W. Yang, Y. Wang, Z. Lai, Y. Wan, Z. Cheng, Security vulnerabilities and countermeasures in the RPL-based Internet of Things, in: Proc. 2018 Int. Conf. Cyber-Enabled Distrib. Comput. Knowl. Discov., CyberC 2018, 2019, pp. 49–54, https://doi.org/10.1109/CyberC.2018.00020.
[40] S. Choudhary, N. Kesswani, Detection and prevention of routing attacks in Internet of Things, in: Proc. 17th IEEE Int. Conf. Trust. Secur. Priv. Comput. Commun. / 12th IEEE Int. Conf. Big Data Sci. Eng., TrustCom/BigDataSE 2018, 2018, pp. 1537–1540, https://doi.org/10.1109/TrustCom/BigDataSE.2018.00219.
[41] C. Cervantes, D. Poplade, M. Nogueira, A. Santos, Detection of sinkhole attacks for supporting secure routing on 6LoWPAN for Internet of Things, in: Proc. 2015 IFIP/IEEE Int. Symp. Integr. Netw. Manag., IM 2015, 2015, pp. 606–611, https://doi.org/10.1109/INM.2015.7140344.
[42] R. Stephen, L. Arockiam, Intrusion detection system to detect sinkhole attack on RPL protocol in Internet of Things, Int J Electr Electron Comput Sci Eng 4 (2017) 16–20, www.ijeecse.com.
[43] B. Patel, P. Shah, Direct neighbour sink reputed trust based intrusion detection system to mitigate sinkhole attack in RPL for IoT networks, J Eng Sci Technol Rev 14 (2021) 38–45, https://doi.org/10.25103/jestr.141.03.
[44] M. Yadollahzadeh-Tabari, Z. Mataji, Detecting sinkhole attack in RPL-based Internet of Things routing protocol, J AI Data Min 9 (2021) 73–85.
[45] S.O.M. Kamel, S.A. Elhamayed, Mitigating the impact of iot routing attacks on power consumption in iot healthcare environment using convolutional neural network, Int J Comput Netw Inf Secur 12 (2020) 11–29, https://doi.org/10.5815/ijcnis.2020.04.02.
[46] S. Smys, A. Basar, H. Wang, Hybrid intrusion detection system for internet of things (IoT), J ISMAC (2020), https://irojournals.com/iroismac/V2/I4/02.pdf.
[47] S. Hajiheidari, K. Wakil, M. Badri, N.J. Navimipour, Intrusion detection systems in the Internet of things: a comprehensive investigation, Comput Netw 160 (2019) 165–191, https://doi.org/10.1016/j.comnet.2019.05.014.
[48] M. Alzubaidi, M. Anbar, S. Al-Saleem, S. Al-Sarawi, K. Alieyan, Review on mechanisms for detecting sinkhole attacks on RPLs, in: ICIT 2017 - 8th Int. Conf. Inf. Technol. Proc., 2017, pp. 369–374, https://doi.org/10.1109/ICITECH.2017.8080028.
[49] A. Mayzaud, R. Badonnel, I. Chrisment, A taxonomy of attacks in RPL-based internet of things, Int J Netw Secur 18 (2016) 459–473.
[50] M.A. Kareem, S. Tayeb, ML-based NIDS to secure RPL from routing attacks, in: 2021 IEEE 11th Annu. Comput. Commun. Work. Conf., CCWC 2021, 2021, pp. 1000–1006, https://doi.org/10.1109/CCWC51732.2021.9375844.
