Adaptive Hybrid Heterogeneous IDS for 6LoWPAN
Aryan Mohammadi Pasikhani, John A Clark, Prosanta Gope, Senior Member, IEEE
Abstract—IPv6 over Low-powered Wireless Personal Area Networks (6LoWPAN) have grown in importance in recent years, with the Routing Protocol for Low Power and Lossy Networks (RPL) emerging as a major enabler. However, RPL can be subject to attack, with severe consequences. Most proposed IDSs have been limited to specific RPL attacks and typically assume a stationary environment. In this article, we propose the first adaptive hybrid IDS to efficiently detect and identify a wide range of RPL attacks (including DIO Suppression, Increase Rank, and Worst Parent attacks, which have been overlooked in the literature) in evolving data environments. We apply our framework to networks under various levels of node mobility and maliciousness. We experiment with several incremental machine learning (ML) approaches and various ‘concept-drift detection’ mechanisms (e.g. ADWIN, DDM, and EDDM) to determine the best underlying settings for the proposed scheme.
Index Terms—6LoWPAN, RPL, Intrusion Detection System (IDS), Concept-drift Detection, Increase Rank Attack, DIO Suppression Attack
I. INTRODUCTION
Internet of things (IoT) networks are generally Low-Power and Lossy Networks (LLNs) consisting of heterogeneous devices with limited power, memory, and processing resources. LLNs have been deployed in various sectors such as agriculture, control, the built environment and rural environment monitoring [18]. For efficient routing in LLNs, the Internet Engineering Task Force (IETF) introduced the Routing Protocol for Low-Power and Lossy Networks (RPL) [19]. Global connectivity, resource constraints and RPL vulnerabilities expose 6LoWPAN to various routing threats, internally (within the 6LoWPAN) and externally (through the Internet). Existing routing attacks (e.g. Blackhole, Grayhole, Wormhole, and DODAG Information Solicitation (DIS) flooding attacks) [18] cause RPL to generate suboptimal routing topologies, isolate legitimate nodes, and impose significant overheads on the target network and nodes.
To deal with the security threats in RPL, a variety of Intrusion Detection System (IDS) proposals have been introduced in the literature. A network-based IDS can identify threats by analysing sniffed packets. IDSs can be signature-based, anomaly-based, specification-based, or hybrid [18]. Signature-based IDSs use known signatures of attacks to identify intrusions. They can classify known intrusions accurately, but they require substantial storage space to maintain the database of reference signatures, which must be updated continually, and they cannot reliably detect hitherto unseen intrusions. Anomaly detectors build a profile of normal behaviour and detect significant deviations from that profile. Although an anomaly-based IDS requires less storage space to identify abnormal instances [1], it is prone to generate many false-positive (FP) classifications (i.e., identifying legitimate activity as anomalous). Specification-based approaches typically detect deviations from a formalised specification, e.g. one derived from a protocol description. The hybrid detection strategy combines existing detection strategies to incorporate their strengths and minimise their downsides. Various approaches to intrusion detection are found in the literature, e.g. statistical, rule-based and machine learning-based. There are three major categories of ML-based IDS (ML-IDS): supervised (having access to labelled normal and malicious data instances), unsupervised (without access to any labelled data), and semi-supervised (where not all data is labelled, or else access is restricted to normal instances [20]).

Aryan Mohammadi Pasikhani, John A Clark and Prosanta Gope are with the Department of Computer Science, University of Sheffield, Regent Court, Sheffield S1 4DP, United Kingdom (E-mail: amohammadipasikhani1@sheffield.ac.uk). Corresponding author: Dr. Aryan Mohammadi Pasikhani.
6LoWPAN is a streaming data environment. An IDS does not have access to the entire data stream and cannot afford to store all incoming data instances. Existing IDSs proposed for 6LoWPAN work only in stationary environments where the number of nodes in each scenario does not change. However, 6LoWPAN is an evolving data environment, where node movement, inaccessibility, changes in running applications, and unforeseen attacks alter the data stream distribution. 6LoWPAN nodes cannot store a large volume of data. Moreover, in non-stationary evolving environments the data distribution evolves unpredictably, so the system needs to update its model incrementally or retrain it using recently observed batches of data. To address these issues, “concept drift” detection approaches have been introduced in different network paradigms to enable adaptivity of the IDS [21]. A “concept” can be defined as the joint distribution P(X, Y), where X denotes a vector of attribute values (features) and Y is the target value (label) [22]. Concept drift is a change in that distribution over time, i.e. P_t(X, Y) ≠ P_{t+1}(X, Y); it may show up as a change in the feature distribution P(X), in the class-conditional P(Y|X), or in both. Thus, over time, the likelihood that observed data indicates normal system operation may change, e.g. if new malware has been crafted, or has otherwise adapted, to ‘look like’ benign software. The rate of concept drift is unknown to the system, and drift can be abrupt, incremental, gradual or recurring [21]. Concept-drift Detection (CD) methods can enable an IDS to adapt to unforeseen intrusions and identify shifts in the network data stream [20]. Additionally, CD approaches use storage and memory resources efficiently and facilitate fast classification.
Developing an adaptive IDS capable of accurately classifying the evolving 6LoWPAN data stream is a challenging task. The classifier needs to update itself with each change (shift) in the environment to continue to detect novel attacks. Re-training a classifier using the entire training data is computationally expensive and generally infeasible.
arXiv:2205.09170v1 [cs.CR] 18 May 2022
TABLE I: Related Works
Scheme | Method | Attacks Considered | DP1 | DP2 | DP3 | DP4 | DP5
[1] | Active decentralised IDS | SH and GH (using Cooja simulator) | × | × | × | × | ✓
[2] | Specification-based IDS | WH and Sybil (using Cooja simulator) | × | × | × | × | ×
[3] | Specification-based active centralised IDS | SH (using Cooja simulator) | × | × | × | × | ×
[4] | Hybrid specification-based IDS | SH, BH, GH, DA, WH, Clone Id, Replay, Sybil, Rank, VN and WP (Netsim) | × | × | × | ✓ | ×
[5] | Hybrid ML-based IDS | WH | × | ✓ | × | ✓ | ×
[6] | Ensemble Voting (MLP and RF) | SA, VN, SH, and BH | × | × | × | × | ×
[7] | Unsupervised Optimum-Path Forest Clustering | SH, WH, and SF | × | × | × | × | ×
[8] | Hybrid ML-IDS using passive monitoring technique | SH, WH, and DA (using Cooja simulator) | × | × | × | × | ×
[9] | Active decentralised hybrid IDS | SH (using Cooja simulator) | × | × | × | × | ×
[10] | Active decentralised anomaly-based IDS | DA and NA | × | × | × | × | ✓
[11] | Passive decentralised signature-based IDS | DA (using Cooja simulator) | × | × | × | × | ×
[12] | Active decentralised specification-based | WP, DA, SH, and DF | × | × | × | ✓ | ×
[13] | Online adaptive RF + concept drift | KDDCup99 (application layer attacks) | × | × | × | × | ×
[14] | Online RF (Hoeffding Trees) | KDDCup99 (application layer attacks) | × | × | × | × | ×
[15] | Ensemble Weighted Voting, RF | KDDCup99 (application layer attacks) | × | D/N | D/N | D/N | D/N
[16] | Concept drift (HDDM) based ensemble incremental learning approach in IDS | KDDCup99 (application layer attacks) | ✓ | D/N | D/N | D/N | D/N
[17] | Online Sequential-Extreme Learning Machine (OS-ELM) | NSL-KDD 2009 (application layer attacks) | ✓ | D/N | D/N | D/N | D/N
Our Scheme | One-Class SVM, incremental OzaBaggingADWIN using KNN, and HalfSpace-Trees | SH, BH, GH, DA, DS, IR, WH, and WP (Netsim v13) | ✓ | ✓ | ✓ | ✓ | ✓
D/N: different network technology. In the “Attacks Considered” column, the later entries refer to available datasets that contain a variety of attacks (but these exclude RPL attacks). ✓: satisfies (the source table also marks partial satisfaction with a distinct variant of this symbol); ×: not addressed. SH: Sinkhole; BH: Blackhole; GH: Grayhole; DA: DIS Flooding; IR: Increase Rank; WH: Wormhole; DS: DIO Suppression; WP: Worst Parent. DP1: adaptive intrusion detector; DP2: lightweight; DP3: accurate in an evolving data environment; DP4: detects a wide range of RPL attacks; DP5: detects known and unknown (a.k.a. unseen) intrusions.
This article proposes the use of streaming data mining techniques and drift detection to provide a novel adaptive form of hybrid ensemble capable of enhancing system performance. The proposed scheme can identify various routing attacks. Internal attacks (sourced inside the 6LoWPAN) include sinkhole, blackhole, and grayhole attacks. External attacks (sourced over the Internet) include wormhole and DIS flooding attacks.
Different ensembling techniques have been adopted and
compared in this article. A passive decentralised monitoring
technique (where anomaly-based IDS agents passively mon-
itor network communications and send abnormal/suspicious
observations to the central IDS for further analysis) is used
to collect and monitor LLN traffic from different locations
and avoid additional computational overheads over legitimate
nodes for intrusion detection purposes.
A. Desirable Properties
Our proposed IDS approach aims to achieve the following
Desirable Properties (DPs).
DP1: the IDS should be able to identify routing attacks
in an evolving data stream environment by updating its
detection model when drift is detected.
DP2: the IDS should not need excessive memory and
computational resources whilst being able to identify
routing attacks precisely.
DP3: the IDS should work over 6LoWPAN networks
incorporating mobile nodes.
DP4: the IDS should be able to detect a wide range of
RPL attacks.
DP5: the IDS should be able to detect both known and
previously unseen intrusions.
B. Related Work
A broad range of routing vulnerabilities in 6LoWPAN and the lack of effective built-in security mechanisms in RPL [18] have encouraged researchers to develop IDSs for detecting RPL attacks. Various monitoring and detection strategies [18] have been considered. These [2], [23], [24], [3] typically use a specification-based IDS to detect Sinkhole (SH), Wormhole (WH) and DIS flooding (DA) attacks. 54% of existing IDSs employed a specification-based detection strategy for detecting routing attacks in 6LoWPAN [18]. Specification-based IDSs employ a set of static rules for identifying intrusions; they cannot update their rules automatically. Only 21% of reported works have considered a hybrid detection strategy [18], and none of them considers mobility of nodes.
The shortcomings of the statistical and rule-based detection approaches [18] have encouraged researchers to apply machine learning (ML) algorithms to enhance the performance of IDS in 6LoWPAN. Among existing hybrid IDSs, only a few [5], [6], [7] are ML-based. Moreover, they [6], [5], [8], [7] use offline ML approaches, where the intrusion detection model is constructed using a stationary batch of training data. A batch-trained ML-IDS degrades as the data stream environment evolves [20]. Furthermore, legitimate 6LoWPAN nodes often have limited memory and cannot store extensive records of malicious activities, which inevitably means that less critical records must be replaced with vital ones over time. To the best of our knowledge, no existing IDS for 6LoWPAN does this.
Various proposed monitoring techniques observe inter-node communication in the 6LoWPAN [18] (e.g. centralised and decentralised active or passive monitoring approaches). The schemes in [2], [23], [3], [9], [1], [10], [6], [5], [7] employ an active monitoring technique to detect RPL attacks. According to [18], 77% of existing IDSs used an active monitoring technique, where legitimate nodes were required to participate in intrusion detection tasks with centralised or decentralised intrusion detectors. Active monitoring can provide more information about node configuration (e.g. geographical location, energy consumption, and CPU, RAM, ROM usage) and result in more accurate detection of RPL attacks. However, it also causes additional computational overhead on the legitimate nodes. Consequently, some 6LoWPAN IDS papers employ passive centralised [8], [25] and passive decentralised [11], [24], [26], [27] approaches. Passive monitoring does not cause any additional computational overhead for legitimate nodes [26]. Nevertheless, it can provide the IDS only with the control packets that are multicasted or unicasted by the monitoring nodes’ neighbours.
According to [18], existing IDSs mainly focus on detecting sinkhole (21%), grayhole (14%), blackhole (10%) and DIS flooding (10%) attacks, while other RPL attacks are overlooked. No research in the literature examines the performance of IDS against external routing attacks (external DA and WH), and there is no research detecting DS (DIO Suppression) and IR (Increase Rank) attacks [18]. Furthermore, only 13% of RPL IDS research has considered mobility [18]. Table I shows the related works in the literature and the contributions that this article makes.
C. Motivation and Contribution
RPL is vulnerable to various routing threats (e.g. Sinkhole, Blackhole, and Wormhole). Furthermore, the 6LoWPAN data environment evolves unpredictably. Different IDSs have been proposed in the literature to detect existing RPL attacks in 6LoWPAN (as discussed in Section I-B). However, none of the existing IDSs satisfies all the desirable properties (listed in Section I-A). In 6LoWPAN, an IDS observes a considerable (unbounded) volume of data as a continuous flow; hence, it cannot explicitly store all observations to identify anomalous activities. To maintain detection performance, the IDS is expected to modify its detection model on a regular basis and to adapt incrementally to unforeseen data distributions. This article proposes and evaluates an adaptive heterogeneous ensemble hybrid IDS framework to detect various types of RPL attacks in 6LoWPAN. The hybrid detection strategy helps the proposed framework to balance the computational cost of anomaly-based intrusion detection against the storage cost of signature-based intrusion detection on legitimate nodes. Besides, various incremental ML algorithms and ensemble techniques are evaluated to determine the most suitable combinations for the proposed system. The major contributions of this article are:
- A new adaptive hybrid IDS to detect internal and external RPL attacks.
- An efficient concept-drift-based ML-IDS, maintaining effectiveness in the face of environmental change.
- An effective approach to identifying a wide range of RPL attacks, including less researched ones.
- An IDS which is resilient against known and previously unseen RPL intrusions.
- A comprehensive and publicly available dataset for ML-based IDSs containing an extensive range of RPL attacks.
D. Organisation
The rest of the article is organised as follows. In Section II, we present our proposed scheme. In Section III, we describe our implementation and evaluation details. Section IV concludes the paper.
II. PROPOSED SCHEME
Our proposed scheme employs a passive decentralised monitoring approach (readers may refer to [26] for more details) using a cluster-based placement strategy [28] to analyse the data stream in 6LoWPAN. Anomaly-based detectors are spread over the 6LoWPAN to analyse their neighbours’ control packets and report abnormalities to the Centralised IDS (CIDS) on the 6LoWPAN Border Router (6BR). The CIDS is an adaptive heterogeneous hybrid IDS that protects 6LoWPAN against internal and external intrusions. Fig. 1 illustrates the system architecture. The proposed scheme has three components: an anomaly-based network IDS (ANIDS) (Section II-A), an incremental ensemble of signature-based IDSs (Section II-B1), and an incremental ensemble of anomaly-based IDSs (Section II-B2), each described below. Algorithm 1 shows the proposed scheme.
A. Anomaly-based network IDS
Since the CIDS on the 6BR cannot observe the network communications of distant nodes (the 6BR has limited radio range and RPL may operate in storing mode [18]), the proposed scheme distributes Anomaly-based Network IDS (ANIDS) agents to passively monitor the multicasted and unicasted control packets of their neighbouring nodes without requiring significant storage space. As shown in Experiment 1 (Section III-B), a One-Class SVM (OCSVM) can provide excellent performance in detecting intrusions, with negligible false alarms and excellent recall. The OCSVM is a novelty detection algorithm that develops a model of safe activities and classifies an instance as an outlier (anomalous) if it deviates from that profile. The outcome of the OCSVM is bipolar: $y_t = -1$ for outliers $x_t$ and $y_t = +1$ for inliers $x_t$. The classifier assumes that the given training set $X = \{x_1, x_2, \dots, x_N\}$, $x_i \in \text{Normal}$, contains only normal (safe) instances, and treats the origin of the kernel-transformed feature space as the sole outlier. The OCSVM seeks a separating hyperplane $w \cdot \phi(x_i) - \rho = 0$ that maximises the distance between the normal instances and the origin, where $w$ and $\phi(\cdot)$ denote the weight vector and the SVM kernel feature map (a function that projects data into a high-dimensional space to increase the discriminatory capability of the classifier) respectively, and $\rho$ is the margin offset (threshold); Eq. 1 states the constraints over the $N$ instances $x_i$, $i \in \{1, \dots, N\}$. According to [29], the OCSVM can be solved efficiently via the quadratic programme in Eq. 2. The parameter $\nu$ is an upper bound on the fraction of training outliers and a lower bound on the fraction of support vectors; it tunes the trade-off between over-fitting and generalisation. Used together with the slack variables $\xi_i \ge 0$, $\nu$ lets the model tolerate a training set that contains a small fraction of outliers; in other words, $\nu$ bounds the probability of finding an outlier in $X$. The kernel parameter $\gamma$ determines how much influence a single training example has: the larger $\gamma$ is, the closer other examples must be to be affected. Since the ANIDS is expected to generate some degree of false-positive alarms (wrongly classifying safe instances as intrusions), the instances it classifies as anomalies are further analysed by the CIDS.

Fig. 1: System Model.

$$ w \cdot \phi(x_i) \ge \rho - \xi_i, \quad \forall x_i \in X,\ \xi_i \ge 0,\ i \in \{1, \dots, N\} \tag{1} $$

$$ \min_{w,\,\xi,\,\rho} \ \frac{1}{2}\|w\|^2 + \frac{1}{\nu N}\sum_{i=1}^{N}\xi_i - \rho \tag{2} $$

$$ y_i = \operatorname{sign}\big(w \cdot \phi(x_i) - \rho\big) \tag{3} $$

where $y_i$ in Eq. 3 is an inlier (+1) if $w \cdot \phi(x_i) - \rho \ge 0$ and an outlier (−1) otherwise.
B. Central IDS
The CIDS contains an incremental heterogeneous hybrid IDS and is responsible for analysing the internal and external data streams. It analyses the external network traffic coming into the 6LoWPAN and the internal network communications among LLN nodes. Moreover, an observation that is classified as anomalous by any ANIDS is reported to the CIDS for more in-depth analysis. The CIDS analyses the anomalous observations through its incremental ensemble of signature-based IDSs and an incremental ensemble of anomaly-based IDSs to make more accurate classifications. Experiments 2 and 3 (in Section III-B) show that the incremental OzaBagging ensemble with KNNADWIN learners and HalfSpace-Trees (HS-Trees) [30] together form a hybrid IDS that provides excellent performance in detecting intrusions. The adaptivity provided by Concept-drift Detection (CD) enables the framework to enhance its intrusion detection performance over time by adapting to unforeseen intrusions and changes in data distributions. The outcomes of Experiments 4 and 5 show that the adaptive sliding window (ADWIN) CD algorithm [21] enhances the performance of the proposed scheme while using limited processing and memory at any point in time.
1) Incremental ensemble of signature-based IDSs: Incremental ensemble classifiers provide better detection performance at the cost of more computation and memory usage [31]. An ensemble classifier $f(c_1(x_t), c_2(x_t), \dots, c_n(x_t))$ is a set of classifiers $c_i$ that make predictions over a given instance of the feature set $x_t$. The OzaBagging classifier [32] builds an ensemble of classifiers such that each $c_i \in C$ is trained over different bootstrap instances. Since it is challenging to draw samples with replacement in an online streaming environment, the OzaBagging classifier weights each observed instance using a Poisson-distributed count in place of the bootstrap replica [33]. OzaBaggingADWIN [32], [34] is the OzaBagging algorithm with ADWIN concept-drift detection. It implements several ADWIN drift detectors to monitor the classifiers’ error rates. On the detection of concept drift, OzaBaggingADWIN replaces the worst classifier $c_i \in C$ with a new classifier, a procedure described as “replace the loser” [33].
2) Incremental ensemble of anomaly-based IDSs: Although adopting adaptivity (concept-drift detection) enables a signature-based IDS to learn unforeseen intrusions (discussed in Section II-B3), a signature-based IDS is prone to some degree of false-negative alarms for unknown intrusions. To enable the proposed framework to identify unknown intrusions, the HalfSpace-Trees (HS-Trees) algorithm [30] analyses the observations that have been classified as normal so far. In HS-Trees, each tree contains nodes that capture the number of data items (known as mass) within a subspace of the streaming data. In this context, the mass is used to profile the degree of anomaly: an instance that falls into a subspace which held little mass during the reference window receives a low score and is ranked as anomalous. OzaBaggingADWIN and HS-Trees together form an incremental hybrid IDS on the 6BR.

Algorithm 1: Proposed Algorithm
Initialisation:
  A stream of pairs (x, y), as (x_0, y_0), (x_1, y_1), ..., (x_T, y_T), arriving one by one over time.
  X is an evolving data stream (|X| → ∞), where x_t is the set of features observed at time t (now).
  y is the true class label and ŷ is the classifier prediction; Y = {−1, 1}.
  C_A = C_OCSVM ∪ C_HST: the anomaly classifiers.
  C_OCSVM ⊂ C_A: the One-Class SVM classifiers.
  iTree: a HalfSpace-Tree.
  ω: window size.
  AScore: anomaly score.
  C_HST ⊂ C_A: the HalfSpace-Trees ensemble classifier.
  M: the number of models in the ensemble.
  h_m: an adaptive OzaBagging ensemble model induced by learners m ∈ {m_1, ..., m_n}.
  Count ← 0.
  r: mass profile of a node in the reference window (mass is used as the measure to rank anomalies).
  l: mass of a node in the latest window.
  k: drawn from Poisson(λ = 1).
  ψ: the generalised Kronecker function, ψ(a, b) = 1 if a == b, and 0 otherwise.
for each x_t in X do                                   // upon receiving an input x_t
    δ ← c(x_t) using Eq. 3, where c ∈ C_OCSVM
    if δ == −1 then                                    // c has classified x_t as malicious
        predict ŷ = argmax_{y ∈ Y} Σ_{m=1}^{M} ψ(h_m(x_t), y)
        for all m ∈ h_m do
            ŵ ← exp(−1) / k!                             // Poisson(1) weight
            update m with (x_t, y_t) and weight ŵ
        if ŷ == −1 then                                // h_m has classified x_t as normal
            AScore ← 0
            for all iTree in C_HST do
                AScore ← AScore + Score(x_t, iTree)    // accumulate scores
                UpdateMass(x_t, iTree.root, false)     // update mass l in iTree
            report AScore as the anomaly score for x_t
            Count ← Count + 1
            if Count == ω then
                update model: Node.r ← Node.l for every node with non-zero mass r or l
                reset Node.l ← 0 for every node with non-zero mass l
                Count ← 0
    if ADWIN detects a change in the error of one of the models h_m then
        replace the model with the highest error with a new model
Output: notify the administrator if x_t is anomalous
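The mass profile described above and the window roll-over used in Algorithm 1, as an added worked example (illustrative code written for this edit, not the authors' implementation): a streaming HS-Trees scorer that keeps a reference mass r and a latest mass l per node and swaps them every window. Assumptions not taken from the paper: features are already scaled to [0, 1], the tree depth, window size and the "size limit" of 10% of the window are picked here, and the points fed in are constructed.

```python
import random


class HSNode:
    """One half-space; r and l are the mass counts of the reference and latest window."""
    __slots__ = ("depth", "dim", "split", "left", "right", "r", "l")

    def __init__(self, depth):
        self.depth, self.dim, self.split = depth, None, None
        self.left = self.right = None
        self.r = self.l = 0


def build_tree(mins, maxs, depth, max_depth, rng):
    """Bisect a randomly chosen dimension of the current work range at each level."""
    node = HSNode(depth)
    if depth == max_depth:
        return node
    q = rng.randrange(len(mins))
    node.dim, node.split = q, (mins[q] + maxs[q]) / 2.0
    left_maxs, right_mins = list(maxs), list(mins)
    left_maxs[q] = right_mins[q] = node.split
    node.left = build_tree(mins, left_maxs, depth + 1, max_depth, rng)
    node.right = build_tree(right_mins, maxs, depth + 1, max_depth, rng)
    return node


class HSTrees:
    """Streaming HS-Trees (Tan, Ting and Liu, 2011) over features scaled to [0, 1].

    Every `window` instances the latest mass l becomes the reference mass r and l is
    reset, which is the roll-over step of Algorithm 1."""

    def __init__(self, n_dims, n_trees=25, max_depth=8, window=250, seed=3):
        rng = random.Random(seed)
        self.window, self.count, self.trees = window, 0, []
        self.size_limit = 0.1 * window      # assumed: stop descending once mass is this small
        for _ in range(n_trees):
            mins, maxs = [], []
            for _ in range(n_dims):          # random work range per dimension
                s = rng.random()
                half = 2.0 * max(s, 1.0 - s)
                mins.append(s - half)
                maxs.append(s + half)
            self.trees.append(build_tree(mins, maxs, 0, max_depth, rng))

    @staticmethod
    def _path(node, x):
        while True:
            yield node
            if node.left is None:
                return
            node = node.left if x[node.dim] < node.split else node.right

    def score(self, x):
        """Anomaly score: low reference mass in the instance's subspace means anomalous."""
        total = 0
        for tree in self.trees:
            for node in self._path(tree, x):
                if node.r <= self.size_limit or node.left is None:
                    total += node.r * 2 ** node.depth
                    break
        return total

    def update_mass(self, x):
        """Count x in the latest window; roll the windows every `window` instances."""
        for tree in self.trees:
            for node in self._path(tree, x):
                node.l += 1
        self.count += 1
        if self.count == self.window:
            for tree in self.trees:
                self._roll(tree)
            self.count = 0

    def _roll(self, node):
        node.r, node.l = node.l, 0
        if node.left is not None:
            self._roll(node.left)
            self._roll(node.right)


def demo(seed=11):
    """Constructed data: one reference window of 'normal' points near (0.4, 0.4), then a
    normal probe and an outlying probe. Returns both scores (higher = more normal)."""
    rng = random.Random(seed)
    hst = HSTrees(n_dims=2)
    for _ in range(hst.window):             # the first roll-over fills r
        hst.update_mass((rng.uniform(0.3, 0.5), rng.uniform(0.3, 0.5)))
    return {"normal": hst.score((0.4, 0.4)), "outlier": hst.score((0.95, 0.05))}


if __name__ == "__main__":
    print(demo())
```

Until the first window has rolled over every node has r = 0 and every score is 0, so in a deployment the detector must be primed with one window of traffic that the OCSVM has already passed as normal before its scores are acted on.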
3) Adaptivity: Adaptive learning updates the prediction model in response to concept drift as part of the predictor’s normal operation. 6LoWPAN traffic routing evolves as nodes move or become unavailable (e.g. their energy resource may deplete), which results in reconstruction of the DODAG routing graph. Data form a stream into the IDS with a distribution that varies over time. To reduce memory use, a concept-drift-based IDS trains over a small number of training instances at any point in time and does not load the entire dataset into memory [20]. The fundamental function of any concept-drift detection approach is the mechanism that detects the timestamp at which drift occurs; accurate identification of the time at which drift happens plays a vital role in the system’s adaptivity performance. Since the model never has full access to the entire data in a continuous environment, this article employs the adaptive sliding window (ADWIN) algorithm [35] to perform concept-drift detection. A window is a snapshot of data; it gives more importance to the recently observed data and periodically discards the older data. ADWIN maintains a variable-length window of recent values (here, the classifier’s error indicators) and compares the means of every pair of adjacent sub-windows $W_0$ (older) and $W_1$ (newer). When the difference between the sample means $\hat{\mu}_{W_0}$ and $\hat{\mu}_{W_1}$ exceeds a cut threshold $\epsilon_{cut}$ derived from the confidence parameter $\delta$ and the two sub-window sizes, ADWIN concludes that a drift is taking place, drops the oldest bucket and shrinks the window; otherwise no data are dropped and the window grows by one [35].
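The OzaBaggingADWIN procedure of Section II-B1 and the ADWIN window cut described above, as one added worked example (illustrative code written for this edit, not the authors' implementation nor the MOA/scikit-multiflow code they build on), run in the interleaved test-then-train fashion used for evaluation in Section III. Assumptions not taken from the paper: ADWIN is simplified to a bounded list that is checked at every split instead of the exponential histogram; the base learner is an incremental nearest-centroid classifier standing in for the KNN learners; each learner's vote is weighted by its recent ADWIN error (a design choice of this example, so the freshly replaced learner is not out-voted by stale ones); the stream of (snd_dio_count, rnk_alt_count) pairs is constructed, with a drift at instance 800 where legitimate nodes begin advertising many DIOs.

```python
import math
import random


class ADWIN:
    """Simplified ADWIN over 0/1 error flags: cut the window when two adjacent sub-windows'
    means differ by more than eps_cut (a bounded list stands in for ADWIN's buckets)."""

    def __init__(self, delta=0.002, min_sub=10, max_len=400):
        self.delta, self.min_sub, self.max_len, self.window = delta, min_sub, max_len, []

    def add(self, err):
        """Record one error flag; return True when a drift cut happened."""
        self.window = (self.window + [err])[-self.max_len:]
        n, total, s0 = len(self.window), sum(self.window), sum(self.window[:self.min_sub - 1])
        for n0 in range(self.min_sub, n - self.min_sub + 1):    # n0 oldest vs n - n0 newest
            s0 += self.window[n0 - 1]
            m = 1.0 / (1.0 / n0 + 1.0 / (n - n0))
            eps_cut = math.sqrt(math.log(4.0 * n / self.delta) / (2.0 * m))
            if abs(s0 / n0 - (total - s0) / (n - n0)) > eps_cut:
                self.window = self.window[n0:]                   # drop the stale sub-window
                return True
        return False

    def error(self):
        return sum(self.window) / len(self.window) if self.window else 0.0


class NearestCentroid:
    def __init__(self):
        self.centroids = {}    # label -> [weight_sum, running mean]; a one-prototype KNN stand-in

    def learn(self, x, y, weight=1.0):
        c = self.centroids.setdefault(y, [0.0, [0.0] * len(x)])
        c[0] += weight
        for j, v in enumerate(x):
            c[1][j] += weight * (v - c[1][j]) / c[0]

    def predict(self, x):
        if not self.centroids:
            return 1           # nothing learned yet: say normal
        return min(self.centroids,
                   key=lambda y: sum((a - b) ** 2 for a, b in zip(x, self.centroids[y][1])))


def poisson1(rng):             # Knuth sampler for Poisson(1): the OzaBagging weight k
    k, p, limit = -1, 1.0, math.exp(-1.0)
    while p >= limit:
        k, p = k + 1, p * rng.random()
    return k


class OzaBaggingADWIN:
    def __init__(self, n_models=5, seed=1):
        self.rng = random.Random(seed)
        self.models = [NearestCentroid() for _ in range(n_models)]
        self.detectors = [ADWIN() for _ in range(n_models)]     # one drift detector per learner
        self.replacements = 0

    def predict(self, x):
        # Assumption of this example, not the paper's rule: a vote is weighted by how far the
        # learner's recent error sits below chance, so stale learners are muted right after drift.
        preds = [m.predict(x) for m in self.models]
        weights = [max(0.0, 1.0 - 2.0 * d.error()) for d in self.detectors]
        score = sum(w * p for w, p in zip(weights, preds)) if any(weights) else sum(preds)
        return 1 if score >= 0 else -1

    def learn(self, x, y):
        drift = False
        for m, det in zip(self.models, self.detectors):
            drift |= det.add(0 if m.predict(x) == y else 1)
            k = poisson1(self.rng)
            if k > 0:
                m.learn(x, y, weight=k)
        if drift:                                               # "replace the loser"
            worst = max(range(len(self.models)), key=lambda i: self.detectors[i].error())
            self.models[worst], self.detectors[worst] = NearestCentroid(), ADWIN()
            self.replacements += 1
        return drift


def make_stream(n_per_concept=800, seed=7):
    """Constructed (snd_dio_count, rnk_alt_count) stream, +1 normal / -1 attack; in the second
    concept legitimate nodes also send many DIOs (DODAG rebuilt after movement)."""
    rng, stream = random.Random(seed), []
    for concept in (0, 1):
        for _ in range(n_per_concept):
            attack = rng.random() < 0.3
            dio = rng.gauss(20, 3) if attack or concept else rng.gauss(5, 1)
            stream.append(((dio, rng.gauss(4, 1) if attack else rng.gauss(0, 0.5)), -1 if attack else 1))
    return stream


def run_prequential(stream, ens):
    """Interleaved test-then-train: predict first, then learn from the true label."""
    hits, drifts = [], []
    for t, (x, y) in enumerate(stream):
        hits.append(1 if ens.predict(x) == y else 0)
        if ens.learn(x, y):
            drifts.append(t)
    return hits, drifts
```

Calling run_prequential(make_stream(), OzaBaggingADWIN()) gives the per-instance hit list and the instance indices at which a cut fired: the first cut lands a few dozen instances after the drift at 800, the worst learner is replaced, and accuracy on the remainder of the stream recovers while the stale learners, whose rule "many DIOs means attack" is now wrong, contribute no votes.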
TABLE II: Simulation Parameters.
Parameter | Value
Simulator | Tetcos Netsim v13
Number of nodes | 16, 32, 64, 128
Malicious nodes | 10%, 20%, 30%
Number of workstations | 4, 8
Transmission range | 50 m
ML detectors | 10% of nodes
Mobile nodes | 20% of nodes
Scenario dimension (terrain) | (250 × 250) to (850 × 850) m
Traffic rate | 250 kbps
Simulation time | 21,600 s
Application protocols | CoAP, CBR
RPL mode | Storing mode
Mobility models | Random Walk, Group Walk
Path loss model | Log-distance, exponent n = 2
Distance between nodes | 25–45 m
Objective function (OF) | OF0, LQ
Receiver sensitivity | −85 dBm
III. IMPLEMENTATION AND EVALUATION
In this article, we use the Netsim simulator to evaluate the performance of the proposed scheme against different RPL attacks. In this context we consider different network configurations (e.g. number of malicious and legitimate nodes, and objective function), as described in Table II. The simulated 6LoWPAN scenarios include 16 to 128 LLN nodes (excluding the 6BR and external computers), with 10% to 30% of nodes assigned as malicious. In all scenarios, 20% of the nodes, including half of the malicious nodes, are mobile and move randomly around the terrain with a velocity of 5 m/s. Nodes are distributed over a terrain of 250 m × 250 m up to 800 m × 800 m and are 25–45 m apart, with a 50 m transmission range. Each scenario is simulated for 360 minutes for performance benchmarking.

Fig. 2: Feature Importance.

This article uses the interleaved test-then-train approach to evaluate the proposed scheme [34]. It is assumed that the packets in the streaming data $D$ appear sequentially in the target network, where $x_t$ is an unlabelled instance vector observed at time $t$, containing different attributes about the node configurations and the DODAG. The actual label $y_t$ of instance $x_t$ becomes available to the system at different points in time. In a continuous data environment like 6LoWPAN, the ground truth $y_t$ may not be available before $x_{t+1}$ is observed; it may only become available at some point in the future [20]. Additionally, the observations of the data stream in the 6LoWPAN are independent, i.e. there is no relation between $(x_{t+1}, y_{t+1})$ and $(x_t, y_t)$.
A. Data-set and Feature Construction
The simulations generate a dataset $D$ representing malicious and normal (safe) network communications. Each observation $x \in D$ denotes a set of $n$ features $x = \{f_1, f_2, \dots, f_n\}$, where $f_i$ contains specific information about the sender and receiver. The header of each RPL control packet (e.g. DIO, DIS, DAO) contains information about the sender of the packet [19], [36] that can facilitate the identification of anomalous network activities. Engineering a set of informative features is essential to develop an IDS that accurately classifies all types of RPL attacks in the streaming data environment. Therefore, we perform feature engineering to facilitate the classification of data streams for IDS. The extracted features enable the anomaly-based classifiers to identify anomalies correctly through training over normal instances only, and enable the signature-based classifiers to classify each type of RPL attack accurately. The raw instances of the 6LoWPAN simulations contain a set of features that are not applicable to intrusion detection tasks. For instance, features that represent node identities (e.g. IP address, MAC address, and node id) can inhibit generalisation of the scheme. Since this article employs a passive decentralised monitoring approach [26], any feature that requires the internal configuration of legitimate nodes (e.g. power consumption, geographical location, CPU/RAM/ROM usage) is excluded. We simulated several pairs of networks $(A, B)$ where $A$ contains only normal nodes and $B$ contains both normal and malicious nodes. Observing the statistical difference between the control and application packets in $A$ and $B$ enables us to identify the adverse impact that each RPL attack has on the networks in $B$. A simulated 6LoWPAN includes legitimate (safe) network communications (control and application packets) and malicious traffic. In each RPL attack scenario, malicious nodes cause adverse impacts inside the network either by generating malicious network traffic (e.g. DIS flooding, DIO suppression, and sinkhole attacks) or by modifying the legitimate network communication of their neighbouring nodes (blackhole and grayhole attacks). The abnormalities that each RPL attack causes inside the 6LoWPAN constitute the malicious observations.

TABLE III: Engineered Features.
Feature | Description
Basic
pkt_type | Type of packet (DIO, DAO, DIS, App, etc.)
pkt_status | Packet status (Collided, Successful)
src_rank | Sender rank in DODAG
adv_vn | Advertised version number
History-based
snd_dis_count | No. of DIS unicasted/multicasted by sender
snd_dio_count | No. of DIO advertised by sender
snd_dao_count | No. of DAO unicasted by sender
snd_daoack_count | No. of DAO-ACK unicasted by sender
snd_cpkt_count | No. of control packets issued by sender
rcvd_dis_count | No. of DIS received by current node in the past
rcvd_dio_count | No. of DIO received by current node
rcvd_dao_count | No. of DAO received by current node
rcvd_daoack_count | No. of DAO-ACK received by receiver
rcvd_cpkt_count | No. of control packets received by receiver
avg_intpkt_time | Average delay between packets issued by sender
rnk_alt_count | No. of rank alterations by sender
vn_alt_count | No. of version number alterations by sender
trans_app_count | No. of application transmissions by sender
pkt_e2e_delay | Packet end-to-end delay
Connection-based
cpkt_loss | Control packet loss ratio
pkt_loss | Application packet loss ratio
avg_hopcount | Average hop count (global view)
neighbour_count | No. of neighbouring nodes
child_count | No. of children
same_parent | Sender and the detector have the same parent
rx_sen | Average receiver sensitivity
tx_pwr | Average transmission power
rssi | Received signal strength indicator of sender
cmp_snd_prt_lq | LQ of sender > LQ of parent
prt_bst_lq | Current parent provides the best link quality
We extract three types of features: basic, history-based (time-based), and
connection-based features. Basic features contain general node
information derived from ICMPv6 control packet headers
(node rank, source and destination addresses, flags, etc.).
The history-based features record how many times the current
node sends or receives a specific type of application or control
packet. Connection-based features carry salient information about
the sender's routing configuration (RSSI, link quality, etc.) and the
number of collided control and application packets perceived by an
IDS detector. Table III depicts the set of features engineered
in this article. We apply the Mean Decrease in Impurity
(MDI) importance metric to illustrate the importance of the
engineered features in identifying RPL attacks, as shown in Fig.
2. The connection- and history-based features play vital roles
in detecting routing attacks in 6LoWPAN.
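To make the history-based features concrete, the following is an added Python example (not code from the paper or its authors) that replays a constructed log of overheard RPL control and application packets and builds per-sender counters for several Table III features: DIS/DIO/DAO/DAO-Ack counts, rank and version number alteration counts, average inter-packet time, and a control packet loss ratio. The Observation record layout, the snake_case feature names, the sample addresses and the packet timings are assumptions of this example; the paper does not define its packet record format, and cpkt loss is taken here as the collided share of a sender's control packets.

```python
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# RPL control packet types a detector node overhears from its neighbours.
CONTROL_TYPES = {"DIS", "DIO", "DAO", "DAO-ACK"}


@dataclass
class Observation:
    """One packet overheard by the detector node (constructed record format)."""
    t: float                      # observation time in seconds
    src: str                      # sender address
    ptype: str                    # "DIS", "DIO", "DAO", "DAO-ACK" or "APP"
    rank: Optional[int] = None    # advertised rank (DIO only)
    vn: Optional[int] = None      # advertised DODAG version number (DIO only)
    status: str = "Successful"    # "Successful" or "Collided"


@dataclass
class SenderHistory:
    """Running per-sender counters behind the history-based features of Table III."""
    snd_dis_count: int = 0
    snd_dio_count: int = 0
    snd_dao_count: int = 0
    snd_daoack_count: int = 0
    snd_cpkt_count: int = 0
    trans_app_count: int = 0
    rnk_alt_count: int = 0
    vn_alt_count: int = 0
    collided_cpkt: int = 0
    last_rank: Optional[int] = None
    last_vn: Optional[int] = None
    last_t: Optional[float] = None
    gaps: List[float] = field(default_factory=list)

    def update(self, obs: Observation) -> None:
        if obs.ptype == "DIS":
            self.snd_dis_count += 1
        elif obs.ptype == "DIO":
            self.snd_dio_count += 1
            # A rank or version number that differs from the sender's previous
            # advertisement counts as one alteration.
            if obs.rank is not None:
                if self.last_rank is not None and obs.rank != self.last_rank:
                    self.rnk_alt_count += 1
                self.last_rank = obs.rank
            if obs.vn is not None:
                if self.last_vn is not None and obs.vn != self.last_vn:
                    self.vn_alt_count += 1
                self.last_vn = obs.vn
        elif obs.ptype == "DAO":
            self.snd_dao_count += 1
        elif obs.ptype == "DAO-ACK":
            self.snd_daoack_count += 1
        elif obs.ptype == "APP":
            self.trans_app_count += 1
        if obs.ptype in CONTROL_TYPES:
            self.snd_cpkt_count += 1
            if obs.status == "Collided":
                self.collided_cpkt += 1
        # Inter-packet gap over every packet from this sender, control or application.
        if self.last_t is not None:
            self.gaps.append(obs.t - self.last_t)
        self.last_t = obs.t

    def features(self) -> Dict[str, float]:
        return {
            "snd_dis_count": self.snd_dis_count,
            "snd_dio_count": self.snd_dio_count,
            "snd_dao_count": self.snd_dao_count,
            "snd_daoack_count": self.snd_daoack_count,
            "snd_cpkt_count": self.snd_cpkt_count,
            "trans_app_count": self.trans_app_count,
            "rnk_alt_count": self.rnk_alt_count,
            "vn_alt_count": self.vn_alt_count,
            "avg_intpkt_time": sum(self.gaps) / len(self.gaps) if self.gaps else 0.0,
            # Control packet loss ratio, taken here as collided / all control packets.
            "cpkt_loss": self.collided_cpkt / self.snd_cpkt_count if self.snd_cpkt_count else 0.0,
        }


def extract_features(observations: List[Observation]) -> Dict[str, Dict[str, float]]:
    """Replay the observations in time order and return one feature vector per sender."""
    history: Dict[str, SenderHistory] = defaultdict(SenderHistory)
    for obs in sorted(observations, key=lambda o: o.t):
        history[obs.src].update(obs)
    return {src: h.features() for src, h in history.items()}


# Constructed sample: a steady neighbour (fd00::2) and a neighbour whose advertised
# rank changes on every DIO and that sends a run of DIS messages (fd00::9).
SAMPLE = [
    Observation(0.0, "fd00::2", "DIO", rank=256, vn=1),
    Observation(1.0, "fd00::9", "DIO", rank=512, vn=1),
    Observation(2.0, "fd00::9", "DIO", rank=256, vn=1),
    Observation(3.0, "fd00::9", "DIO", rank=768, vn=1, status="Collided"),
    Observation(4.0, "fd00::9", "DIS"),
    Observation(5.0, "fd00::9", "DIS"),
    Observation(6.0, "fd00::9", "DIS"),
    Observation(10.0, "fd00::2", "DIO", rank=256, vn=1),
    Observation(12.0, "fd00::2", "APP"),
    Observation(20.0, "fd00::2", "DIO", rank=256, vn=1),
]

if __name__ == "__main__":
    for src, vec in extract_features(SAMPLE).items():
        print(src, vec)
```

The per-sender vectors are what an anomaly detector on the detector node would score; the rcvd and connection-based rows of Table III (hop count, RSSI, link quality) need radio and topology state that a packet log alone does not carry, so they are left out here.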
B. Performance Evaluation and Discussion
As discussed in Section II-A, the novelty or anomaly
detectors of the proposed scheme work by observing the
control packets of their neighbours; if the current observation
is identified as anomalous, it is further analysed by the
heterogeneous hybrid ensemble IDS on the 6BR. Below,
different outlier detection, incremental ensembling, and concept
drift detection algorithms are evaluated. We seek the
combination that gives the best F1, accuracy, recall, precision
[18] and kappa [31], [21] with the least False Negative Rate (FNR)
and False Positive Rate (FPR) [18]. We conduct six
experiments, utilising the underlying features of the Netsim
emulator to execute the proposed framework over several
Raspberry Pi 4 (model B, 4GB RAM) micro-controllers, and
measure the execution time and the model power consumption
using a UM25C digital multimeter. Table II depicts the
network configurations that we implemented to conduct our
experiments. In all of our experiments, 20% of nodes are
mobile and randomly move around the terrain with a velocity
of 5 m/s.
Experiment 1. The anomaly-based detector (also known
as a novelty detector) plays a crucial role in identifying outliers
in the proposed scheme. Here we measure the performance
of OCSVM in detecting RPL attacks. We have evaluated
OCSVMs with different parameter values for Nu, ν ∈ (0,1],
and Gamma, γ ∈ (0,1], to find the optimal configuration;
Fig. 3(a) shows that the OCSVM with ν ∈ (0.01,0.25) and
γ ∈ (0.6,1] can maximise recall. However, since the aim of
the ANIDS is to identify all the intrusions and maximise TPR,
here we assign the OCSVM ν = 0.2 and γ = 0.9 to
achieve 99.74% TPR with 89.39% recall (weighted average).
Our experiments suggest that an OCSVM outperforms other
existing anomaly detection algorithms, namely a majority-voting
ensemble of Local Outlier Factor and Isolation Forest, as shown in
Fig. 4.
Experiment 2. Experiment 1 showed that although the
OCSVM algorithm can accurately identify outliers, it also
incurs 20.25% FPR. To address this issue, we conduct our
second experiment to measure the performance of different
incremental ensemble algorithms in rectifying ANIDS
misclassifications. Here, we have compared the performance of
OzaBagging [32], LearnPPNSE [37], Online Boosting [38],
Online AdaC2 [38], Accuracy Weighted Ensemble [39], and
Online SMOTE Bagging [38] algorithms in detecting RPL
attacks. The outcome of our experiment (as shown in Fig. 5
and Fig. 6) shows that the combination of OzaBagging with
KNNADWIN provides the best possible outcome in identifying
known intrusions. OzaBagging using KNNADWIN with
n estimators (number of estimators) set to 4 and n neighbours
(number of neighbours) set to 6 achieves 91.5% F1 and 7.8% FPR,
and with n estimators set to 8 and n neighbours set to 6 achieves
92.2% F1 and 7.3% FPR, as depicted in Fig. 5.
Experiment 3. Above, we showed how an incremental
ensemble approach can identify known intrusions efficiently.
Our proposed hybrid IDS targets both known and unknown
intrusions. Accordingly, we now investigate an incremental
ensemble of anomaly-based classifiers which can rectify false-
negative alarms of the signature-based IDS. False-negative
alarms are very costly and indicate the IDS failing in its
primary task. In this experiment, we show how the inclusion
of an incremental HalfSpace-Trees (HS-Trees) classifier can
enhance the overall performance of the system. Fig. 6 shows
that the HS-Trees algorithm forms a better hybrid IDS when
combined with OzaBaggingADWIN than the other incremental
algorithms do, by around 6 to 10%. Fig. 6 gives
the current and moving mean (also referred to as moving
average) F1, recall, kappa, and accuracy of the incremental
ML algorithms.
Experiment 4. Here, we investigate to what extent concept-
drift detection can provide system adaptivity. We evaluate
different drift detection algorithms to select one that can ensure
adaptivity in the system and also enhance the framework
performance over time. We consider the following seven
concept drift detection methods: Adaptive Windowing (ADWIN),
Drift Detection Method (DDM), Early Drift Detection Method
(EDDM), Kolmogorov-Smirnov Windowing (KSWIN), Page-Hinkley,
and the Drift Detection Method based on Hoeffding's bounds (HDDM)
with a moving weighted average test (HDDM-W) or a moving
average test (HDDM-A) [16], [21]. Results are presented in Fig.
7(a) and Fig. 7(b). From Fig. 7, we can see that ADWIN gives
the best accuracy of the concept-drift detection methods
in the shortest time interval. Outcomes of Experiments 1, 2,
3, and 4 show that our proposed scheme so far addresses DP1
(adaptive and robust intrusion detection, as discussed
in Section I-A).

Fig. 3: One-Class SVM (OCSVM). (a) One-Class SVM Recall. (b) One-Class SVM Time Complexity.
Fig. 4: Performance of different outlier detection algorithms. (a) Local Outlier Factor Recall. (b) Isolation-Forest Recall.
Fig. 5: OzaBagging ADWIN (KNN) F1.
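Since ADWIN comes out best above, the following added Python example (written for this page, not the authors' code) shows the mechanism behind it: the basic ADWIN test of Bifet and Gavaldà [35], which keeps a window of recent classifier error indicators, compares the means of every older/newer split of that window against a Hoeffding-type bound, and drops the older part, reporting a drift, when the bound is exceeded. The confidence parameter delta, the minimum sub-window size, and the two-phase error stream (10% errors for 100 steps, then 60%) are constructed assumptions of this example; the exponential-histogram compression of the full algorithm is omitted, so the check is linear in the window length per step.

```python
import math
from typing import List, Optional


class AdaptiveWindow:
    """ADWIN-style change detector over a stream of 0/1 classifier errors or scores.

    Compact re-implementation of the basic ADWIN test from Bifet and Gavalda [35],
    written for illustration: whenever two adjacent sub-windows have means that
    differ by more than a Hoeffding-type bound, the older sub-window is discarded.
    """

    def __init__(self, delta: float = 0.002, min_sub_window: int = 5):
        self.delta = delta                  # confidence parameter (assumed value)
        self.min_sub_window = min_sub_window
        self.window: List[float] = []

    def _find_cut(self) -> bool:
        n = len(self.window)
        if n < 2 * self.min_sub_window:
            return False
        total = sum(self.window)
        # delta is shared across the n candidate cut points (ADWIN's union bound).
        log_term = math.log(4.0 * n / self.delta)
        left_sum = 0.0
        for n0 in range(1, n):
            left_sum += self.window[n0 - 1]
            n1 = n - n0
            if n0 < self.min_sub_window or n1 < self.min_sub_window:
                continue
            mu0 = left_sum / n0                 # mean of the older sub-window
            mu1 = (total - left_sum) / n1       # mean of the newer sub-window
            m = 1.0 / (1.0 / n0 + 1.0 / n1)     # harmonic mean of the two sizes
            eps_cut = math.sqrt(log_term / (2.0 * m))
            if abs(mu0 - mu1) >= eps_cut:
                return True
        return False

    def update(self, x: float) -> bool:
        """Add one value; return True if a drift was detected at this step."""
        self.window.append(float(x))
        drift = False
        # Shrink from the old end until no split shows a significant change,
        # so the window only keeps data consistent with the current concept.
        while self._find_cut():
            self.window.pop(0)
            drift = True
        return drift

    def mean(self) -> float:
        return sum(self.window) / len(self.window) if self.window else 0.0


def make_stream() -> List[int]:
    """Constructed error stream: 100 steps at 10% error, then 100 steps at 60% error."""
    stable = [0, 0, 0, 0, 0, 0, 0, 0, 0, 1] * 10
    drifted = [1, 1, 1, 0, 1, 0, 1, 1, 0, 0] * 10
    return stable + drifted


def first_drift_index(stream: List[int], delta: float = 0.002) -> Optional[int]:
    """Index of the first detected drift, or None if the detector never fires."""
    det = AdaptiveWindow(delta=delta)
    for i, x in enumerate(stream):
        if det.update(x):
            return i
    return None


if __name__ == "__main__":
    det = AdaptiveWindow()
    for i, x in enumerate(make_stream()):
        if det.update(x):
            print(f"drift at step {i}: window now {len(det.window)} long, "
                  f"error mean {det.mean():.2f}")
```

Fed the error indicators of the ensemble in Experiment 2, a detector of this kind fires only after the shift in error rate begins and stays silent on the stable first segment, which is the behaviour that lets the framework reset or retrain its learners on recent data rather than on a mixture of old and new concepts.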
Experiment 5. Here, we measure the time complexity of
each component in the proposed framework. We consider
64 LLN nodes in 6LoWPAN, with 20% assumed malicious.
Fig. 3(b) shows the results over 1500 network packets, where
50% of instances are assumed normal and the remaining 50%
include each RPL attack type equally. We measure the time
complexity for each ANIDS and CIDS separately. Fig. 3(b)
shows that the OCSVM with ν = 0.2 and γ = 0.8 causes the
least time complexity in the system. On the other hand, the
adaptive heterogeneous hybrid IDS developed in our Experiments
2 and 3, using 4 learners and 8 neighbours (KNN), causes O(log(n))
time complexity in the system. Table VII shows that ANIDS has
linear and logarithmic time complexity in training and testing,
while CIDS has polynomial time complexity in the proposed scheme.
To measure the power consumption of each component, we use
the Netsim Emulator feature to connect the physical micro-
controllers with the simulation environment and connect digital
ammeters to the micro-controllers. We run our experiment
for 10 minutes, disabling all unnecessary background tasks
and applications. The power consumption of an ANIDS and
the CIDS in an LLN with 64 nodes was 3.505 J/s and 3.754 J/s,
respectively, whilst a legitimate node without any ANIDS or
CIDS consumed 3.17 J/s. In this way, we have satisfied DP2
(lightweight IDS).

Fig. 6: Performance of the proposed scheme in detecting RPL attacks, moving mean and current.
Fig. 7: Comparison of Concept-drift Detection methods, panels (a) and (b).

TABLE IV: Performance Bench-marking.

N    M     Accuracy (%)                                       FNR (%)
           SH    BH    GH    DA    IR    WH    DS    WP       SH    BH    GH    DA   IR    WH    DS    WP
16   10%   91.5  91.8  96.2  99.8  95.8  98.3  97.4  98.6     14.1  13.8  3.4   0    7.3   2.4   2.6   2.7
     20%   98.7  95.4  98.4  100   97.9  96.5  98.7  97.5     1.8   5.4   3.0   0    4.0   4.4   2.3   2.9
     30%   97.6  97.0  96.6  100   94.1  99.6  98.2  99.5     3.4   5.4   5.8   0    11.3  0.1   2.9   0.2
32   10%   93.3  96.3  98.5  99.8  97.8  99.7  98.5  99.6     10.0  5.4   2.0   0.3  3.8   0.2   2.2   0.5
     20%   98.7  98.2  98.2  100   97.8  94.8  98.4  95.2     2.4   3.1   2.0   0    3.6   9.5   2.0   8.7
     30%   98.6  98.3  98.7  100   97.0  90.1  98.7  91.9     2.3   3.2   2.4   0    5.3   16.0  2.4   13.2
64   10%   92.5  93.1  90.6  99.9  94.9  91.6  89.5  92.7     13.8  13.2  16.8  0.1  9.1   12.0  18.9  10.6
     20%   93.0  93.4  96.2  100   94.9  91.0  97.0  96.3     11.0  11.4  6.7   0    8.4   10.7  4.9   6.7
     30%   93.7  93.8  96.2  100   96.4  94.5  98.7  96.6     11.5  9.4   7.1   0    5.0   10.1  2.4   5.9
128  10%   97.2  93.0  91.2  99.8  95.5  93.5  94.0  92.3     5.4   13.4  16.0  0.4  8.1   9.2   8.2   11.3
     20%   93.6  93.9  94.1  100   95.9  94.4  96.0  93.1     11.7  11.0  10.0  0    6.1   10.5  6.7   13.3
     30%   94.3  94.9  96.9  100   96.9  95.2  96.7  95.4     10.0  8.4   5.8   0    4.7   8.5   5.8   7.8

SH: Sinkhole; BH: Blackhole; GH: Grayhole; DA: DIS Flooding; IR: Increase Rank;
WH: Wormhole; DS: DIO Suppression; WP: Worst Parent;
N: Total number of nodes; M: No. of malicious nodes; No. of mobile nodes: 20%.

TABLE V: Performance Bench-marking with offline IDS in 6LoWPAN.

Paper                  No.     No.         Duration   Mobility   RPL Attacks
                       Nodes   Malicious   (minutes)             SH       BH       GH       IR       DA       DS       WH       WP
[7]                    550     15          20         No         100%     -        85.36%   -        -        -        96%      -
                                                                 92.68%   97.53%
[10]                   2040    130%        30         No         -        -        -        -        100%     -        -        -
[6]                    11      1           30         No         93.14%   93.14%   -        -        -        -        -        -
[11]                   10      1           -          No         -        -        -        -        -        -        -        -
[24]                   210     1           480        No         -        -        -        -        -        -        -        -
[8]                    8       1330                   No         100%     -        -        -        100%     -        100%     -
[23]                   824     12          30         No         -        -        -        -        -        -        94%      -
[1]                    864     1430                   No         79%      -        81%      -        -        -        -        -
[9]                    48      2           -          No         90%      -        -        -        -        -        -        -
                                                                 100%
[5]                    10200   2           -          No         -        -        -        -        -        -        71%      -
                                                                 75%
Proposed Scheme (20%)  16128   1030%       360        Yes        91.5%    91.8%    90.6%    94.1%    99.8%    94.0%    90.1%    91.9%
                                                                 98.7%    98.3%    98.7%    97.9%    100%     98.7%    99.7%    99.6%

Results indicate the accuracy of the proposed IDS in detecting each type of RPL attack;
details are shown in Table IV.

TABLE VI: Unknown Attack Detection.

Unknown    Performance Metrics (%)
Attack     Accuracy   Precision   F1      TPR     FPR
SH         90.85      91.16       90.79   86.52   5.17
BH         89.75      90.30       89.74   83.62   3.55
GH         93.9       94.07       93.88   90.97   3.31
IR         91.75      92.20       91.71   86.61   3.25
DA         98.30      98.36       98.29   96.57   0
WH         98.35      98.36       98.34   97.04   0.30
DS         93.95      94.05       93.94   91.62   3.76
WP         95.10      95.18       95.09   92.93   2.71

TABLE VII: Time Complexity.

Comp    Training (sec)                 Testing (sec)
ANIDS   O(N): 0.36 + -2.4E-08*n        O(log(n)): 0.22 + -0.0021*log(n)
CIDS    -                              O((log n)^k): -2.3 * x^0.94
Experiment 6. Here, we first evaluate how well the proposed
scheme detects each RPL attack in LLNs with different
proportions of legitimate and adversarial nodes, while 20% of
nodes, including 50% of the malicious nodes, were mobile,
as shown in Table IV.
From Table IV, we can see that the performance of the
proposed scheme is plausible in terms of accuracy and
false-negative rate (FNR) for detecting various RPL attacks.
The proposed scheme can detect the IR attack with high accuracy
(up to 97.9%); the SH, BH, DS, and GH attacks with up
to 98.7%; WH with up to 99.7%; WP with up to 99.6%;
and DA with up to 100% accuracy. Our outcomes show that
our proposed scheme satisfies DP3 (accurate in an evolving data
environment) and DP4 (detects a wide range of RPL attacks).
We then consider the detection of unforeseen intrusions: each
RPL attack in turn was excluded from the pre-training data and
then made up all the adversarial activity of the evaluation data
stream, as shown in Table VI. Outcomes of this experiment show
that our proposed scheme can address DP5 (detect unseen/unknown
intrusions).
IV. CONCLUSION
Routing threats in 6LoWPAN and threats against RPL are
highly significant. In this article, we have introduced an adaptive
hybrid heterogeneous IDS scheme that is effective and
efficient, can readily cope with changes to the environment,
and detects known and unknown routing intrusions in
6LoWPAN. Table V gives an indicative comparison between
our scheme and the results obtained by other authors. However,
we stress that our results are obtained in a much more challenging
environment. We provide our results here as a benchmark for
the research community.
REFERENCES
[1] S. Raza, L. Wallgren, and T. Voigt, “Svelte: Real-time intrusion detection in the internet of things,” Ad hoc networks, vol. 11, no. 8, pp. 2661–2674, 2013.
[2] P. Kaliyar, W. B. Jaballah, M. Conti, and C. Lal, “Lidl: Localization with early detection of sybil and wormhole attacks in iot networks,” Computers & Security, vol. 94, p. 101849, 2020.
[3] U. Shafique, A. Khan, A. Rehman, F. Bashir, and M. Alam, “Detection of rank attack in routing protocol for low power and lossy networks,” Annals of Telecommunications, vol. 73, no. 7, pp. 429–438, 2018.
[4] A. Agiollo, M. Conti, P. Kaliyar, T.-N. Lin, and L. Pajola, “Detonar: Detection of routing attacks in rpl-based iot,” IEEE Transactions on Network and Service Management, 2021.
[5] P. Shukla, “Ml-ids: A machine learning approach to detect wormhole attacks in internet of things,” in 2017 Intelligent Systems Conference (IntelliSys). IEEE, 2017, pp. 234–240.
[6] J. Foley, N. Moradpoor, and H. Ochen, “Employing a machine learning approach to detect combined internet of things attacks against two objective functions using a novel dataset,” Security and Communication Networks, vol. 2020, 2020.
[7] H. Bostani and M. Sheikhan, “Hybrid of anomaly-based and specification-based ids for internet of things using unsupervised opf based on mapreduce approach,” Computer Communications, vol. 98, pp. 52–71, 2017.
[8] M. N. Napiah, M. Y. I. B. Idris, R. Ramli, and I. Ahmedy, “Compression header analyzer intrusion detection system (cha-ids) for 6lowpan communication protocol,” IEEE Access, vol. 6, pp. 16623–16638, 2018.
[9] D. Shreenivas, S. Raza, and T. Voigt, “Intrusion detection in the rpl-connected 6lowpan networks,” in Proceedings of the 3rd ACM international workshop on IoT privacy, trust, and security, 2017, pp. 31–38.
[10] B. Farzaneh, M. A. Montazeri, and S. Jamali, “An anomaly-based ids for detecting attacks in rpl-based internet of things,” in 2019 5th International Conference on Web Research (ICWR). IEEE, 2019, pp. 61–66.
[11] P. Kasinathan, G. Costamagna, H. Khaleel, C. Pastrone, and M. A. Spirito, “An ids framework for internet of things empowered by 6lowpan,” in Proceedings of the 2013 ACM SIGSAC conference on Computer & communications security, 2013, pp. 1337–1340.
[12] A. Le, J. Loo, K. K. Chai, and M. Aiash, “A specification-based ids for detecting attacks on rpl-based network topology,” Information, vol. 7, no. 2, p. 25, 2016.
[13] M. A. Kareem and S. Tayeb, “Ml-based nids to secure rpl from routing attacks,” in 2021 IEEE 11th Annual Computing and Communication Workshop and Conference (CCWC). IEEE, 2021, pp. 1000–1006.
[14] N. Martindale, M. Ismail, and D. A. Talbert, “Ensemble-based online machine learning algorithms for network intrusion detection systems using streaming data,” Information, vol. 11, no. 6, p. 315, 2020.
[15] J. Li, Z. Zhao, R. Li, and H. Zhang, “Ai-based two-stage intrusion detection for software defined iot networks,” IEEE Internet of Things Journal, vol. 6, no. 2, pp. 2093–2102, 2018.
[16] X. Yuan, R. Wang, Y. Zhuang, K. Zhu, and J. Hao, “A concept drift based ensemble incremental learning approach for intrusion detection,” in 2018 IEEE International Conference on Internet of Things (iThings) and IEEE Green Computing and Communications (GreenCom) and IEEE Cyber, Physical and Social Computing (CPSCom) and IEEE Smart Data (SmartData). IEEE, 2018, pp. 350–357.
[17] R. Singh, H. Kumar, and R. Singla, “An intrusion detection system using network traffic profiling and online sequential extreme learning machine,” Expert Systems with Applications, vol. 42, no. 22, pp. 8609–8624, 2015.
[18] A. M. Pasikhani, J. A. Clark, P. Gope, and A. Alshahrani, “Intrusion detection systems in rpl-based 6lowpan: A systematic literature review,” IEEE Sensors Journal, 2021.
[19] R. Alexander, A. Brandt, J. Vasseur, J. Hui, K. Pister, P. Thubert, P. Levis, R. Struik, R. Kelsey, and T. Winter, “RPL: IPv6 Routing Protocol for Low-Power and Lossy Networks,” RFC 6550, Mar. 2012.
[20] M. H. Bhuyan, D. K. Bhattacharyya, and J. K. Kalita, “Survey on incremental approaches for network anomaly detection,” arXiv preprint arXiv:1211.4493, 2012.
[21] J. Gama, I. Žliobaitė, A. Bifet, M. Pechenizkiy, and A. Bouchachia, “A survey on concept drift adaptation,” ACM computing surveys (CSUR), vol. 46, no. 4, pp. 1–37, 2014.
[22] G. I. Webb, R. Hyde, H. Cao, H. L. Nguyen, and F. Petitjean, “Characterizing concept drift,” Data Mining and Knowledge Discovery, vol. 30, no. 4, pp. 964–994, 2016.
[23] P. Pongle and G. Chavan, “Real time intrusion and wormhole attack detection in internet of things,” International Journal of Computer Applications, vol. 121, no. 9, 2015.
[24] A. Mayzaud, A. Sehgal, R. Badonnel, I. Chrisment, and J. Schönwälder, “Using the rpl protocol for supporting passive monitoring in the internet of things,” in NOMS 2016-2016 IEEE/IFIP Network Operations and Management Symposium. IEEE, 2016, pp. 366–374.
[25] E. Viegas, A. Santin, L. Oliveira, A. Franca, R. Jasinski, and V. Pedroni, “A reliable and energy-efficient classifier combination scheme for intrusion detection in embedded systems,” Computers & Security, vol. 78, pp. 16–32, 2018.
[26] A. Mayzaud, R. Badonnel, and I. Chrisment, “A distributed monitoring strategy for detecting version number attacks in rpl-based networks,” IEEE Transactions on Network and Service Management, vol. 14, no. 2, pp. 472–486, 2017.
[27] A. M. Pasikhani, J. A. Clark, and P. Gope, “Reinforcement-learning-based ids for 6lowpan,” 20th IEEE International Conference on Trust, Security and Privacy in Computing and Communication (TrustCom), 2021.
[28] A. Mitrokotsa and A. Karygiannis, “Intrusion detection techniques in sensor networks,” Wireless Sensor Network Security, vol. 1, no. 1, pp. 251–272, 2008.
[29] L. A. Maglaras and J. Jiang, “A real time ocsvm intrusion detection module with low overhead for scada systems,” International Journal of Advanced Research in Artificial Intelligence (IJARAI), vol. 3, no. 10, 2014.
[30] S. C. Tan, K. M. Ting, and T. F. Liu, “Fast anomaly detection for streaming data,” in Twenty-Second International Joint Conference on Artificial Intelligence, 2011.
[31] H. M. Gomes, J. P. Barddal, F. Enembreck, and A. Bifet, “A survey on ensemble learning for data stream classification,” ACM Computing Surveys (CSUR), vol. 50, no. 2, pp. 1–36, 2017.
[32] N. C. Oza and S. J. Russell, “Online bagging and boosting,” in International Workshop on Artificial Intelligence and Statistics. PMLR, 2001, pp. 229–236.
[33] A. Bifet and R. Gavalda, “Adaptive learning from evolving data streams,” in International Symposium on Intelligent Data Analysis. Springer, 2009, pp. 249–260.
[34] A. Bifet, G. Holmes, B. Pfahringer, R. Kirkby, and R. Gavalda, “New ensemble methods for evolving data streams,” in Proceedings of the 15th ACM SIGKDD international conference on Knowledge discovery and data mining, 2009, pp. 139–148.
[35] A. Bifet and R. Gavalda, “Learning from time-changing data with adaptive windowing,” in Proceedings of the 2007 SIAM international conference on data mining. SIAM, 2007, pp. 443–448.
[36] D. Barthel, J. Vasseur, K. Pister, M. Kim, and N. Dejean, “Routing Metrics Used for Path Calculation in Low-Power and Lossy Networks,” RFC 6551, Mar. 2012.
[37] R. Elwell and R. Polikar, “Incremental learning of concept drift in nonstationary environments,” IEEE Transactions on Neural Networks, vol. 22, no. 10, pp. 1517–1531, 2011.
[38] B. Wang and J. Pineau, “Online bagging and boosting for imbalanced data streams,” IEEE Transactions on Knowledge and Data Engineering, vol. 28, no. 12, pp. 3353–3366, 2016.
[39] H. Wang, W. Fan, P. S. Yu, and J. Han, “Mining concept-drifting data streams using ensemble classifiers,” in Proceedings of the ninth ACM SIGKDD international conference on Knowledge discovery and data mining, 2003, pp. 226–235.
Article
Software Defined Internet of Things (SD-IoT) Networks profit from centralized management and interactive resource sharing, which enhances the efficiency and scalability of IoT applications. But with the rapid growth in services and applications, they are vulnerable to possible attacks and face severe security challenges. Intrusion detection has been widely used to ensure network security, but classical detection methods are usually signature-based or explicit-behavior-based and fail to detect unknown attacks intelligently, which makes it hard to satisfy the requirements of SD-IoT Networks. In this paper, we propose an AI-based two-stage intrusion detection empowered by software defined technology. It flexibly captures network flows with a global view and detects attacks intelligently. We firstly leverage Bat Algorithm with Swarm Division and Binary Differential Mutation to select typical features. Then, we exploit Random Forest through adaptively altering the weights of samples using the weighted voting mechanism to classify flows. Evaluation results prove that the modified intelligent algorithms select more important features and achieve superior performance in flow classification. It is also verified that our solution shows better accuracy with lower overhead compared with existing solutions.