CoSec-RPL: detection of copycat attacks in RPL based 6LoWPANs using outlier analysis
Abhishek Verma, Virender Ranga

TL;DR
This paper introduces CoSec-RPL, an outlier detection-based intrusion detection system that effectively detects and mitigates non-spoofed copycat attacks in RPL-based 6LoWPAN networks, improving network performance without significant overhead.
Contribution
It presents the first RPL-specific IDS using outlier detection to identify copycat attacks, enhancing security in low-power wireless networks.
Findings
CoSec-RPL effectively detects copycat attacks in static and mobile scenarios.
The system reduces attack impact on delay and packet delivery ratio.
No significant overhead added to network nodes.
Abstract
The IPv6 routing protocol for low-power and lossy networks (RPL) is the standard routing protocol for IPv6 based low-power wireless personal area networks (6LoWPANs). In RPL protocol, DODAG information object (DIO) messages are used to disseminate routing information to other nodes in the network. A malicious node may eavesdrop DIO messages of its neighbor nodes and later replay the captured DIO many times with fixed intervals. In this paper, we present and investigate one of the severe attacks named as a non-spoofed copycat attack, a type of replay based DoS attack against RPL protocol. It is shown that the non-spoofed copycat attack increases the average end-to-end delay (AE2ED) and packet delivery ratio of the network. Thus, to address this problem, an intrusion detection system (IDS) named CoSec-RPL is proposed in this paper. The attack detection logic of CoSec-RPL is primarily…
| Normal scenario | Attack scenario | |||||||||||
| Simulation time (minutes) | 5 | 10 | 15 | 20 | 25 | 30 | 5 | 10 | 15 | 20 | 25 | 30 |
| 9 | 10 | 10 | 12 | 13 | 13 | 7 | 7 | 9 | 10 | 12 | 12 | |
| 1 | 1 | 1 | 1 | 1 | 1 | 8 | 9 | 6 | 7 | 12 | 13 | |
| 3 | 7 | 9 | 9 | 11 | 12 | 6 | 9 | 2 | 2 | 3 | 3 | |
| 6 | 8 | 9 | 10 | 10 | 10 | 1 | 1 | 9 | 9 | 11 | 11 | |
| 5 | 7 | 7 | 8 | 9 | 9 | 4 | 4 | 7 | 8 | 9 | 9 | |
| 1 | 1 | 1 | 2 | 2 | 3 | 2 | 2 | 711 | 980 | 1246 | 1520 | |
| 2 | 3 | 3 | 4 | 5 | 166 | 398 | 3 | 4 | 4 | 5 | ||
| DIO’s received from different neighbors | 1 | 1 | 1 | 1 | 1 | 1 | 2 | 2 | ||||
| 4 | 7 | 5 | 5 | 6.5 | 7 | 6 | 7 | 6.5 | 7.5 | 10 | 10 | |
| 1 | 1 | 1 | 1.5 | 1.5 | 2 | 2 | 2 | 2.5 | 3 | 3.5 | 4 | |
| 6 | 8 | 9 | 9.5 | 10.5 | 11 | 8 | 9 | 9 | 9.5 | 12 | 12.5 | |
| IQR | 5 | 7 | 8 | 8 | 9 | 9 | 6 | 7 | 6.5 | 6.5 | 8.5 | 8.5 |
| Upper limit | 11 | 15 | 17 | 17.5 | 19.5 | 20 | 14 | 16 | 15.5 | 16 | 20.5 | 21 |
| DIO’s received >Upper limit | ||||||||||||

| Scenario | | | | Topology |
|---|---|---|---|---|
| Normal scenario (1 data packet per 60 second) | 1 | 4 | 0 | |
| | 2 | 8 | 0 | |
| | 3 | 12 | 0 | |
| | 4 | 16 | 0 | |
| | 5 | 18 | 0 | |
| Attack scenario (Non-spoofed) (1 data packet per 60 second) | 1 | 4 | 1 | |
| | 2 | 8 | 1,2 | |
| | 3 | 12 | 1,2,3 | |
| | 4 | 16 | 1,2,3,4 | |
| | 5 | 18 | 1,2,3,4 | |

| Symbol | Definition |
|---|---|
| Nodemax | Maximum number of nodes in the network. |
| | Blacklist table |
| | Neighbor table |
| | Structure of a blacklisted node entry in blacklist table. Where, represents the blacklisted node IP address, represents the total number of times node has been detected as attacker, and represents the status of blacklisted node, i.e., set as FALSE for suspected and TRUE for permanently blocked. |
| | Structure of a node entry in neighbor table. Where, from represents the DIO sender IP address, represents the time of previous DIO receiving, represents the time of most recent DIO receiving, and represents the total number of DIO’s received from that neighbor till current time. |
| Nblacklist | Number of blacklisted nodes. |
| Tnodes | Counter that represents total entries in neighbor table. |
| Tempty | Flag to check if neighbor table and blacklist table is initialized or not. |
| | Current system clock time. |
| | Flag to check if the node is present in neighbor table or not. |
| | Flag to check if the node is present in blacklist table or not. |
| srcip | Source IP address of DIO sender node. |
| | Null IP address |
| | Safe DIO interval |
| | Block threshold |
| l | Length of the node table at that time. |
| active | It indicates that IDS’s detection procedure is ready to check for attackers present in neighbor table, it is set TRUE by the legitimate node after every 30 second. |
| | Tuning parameter |
| | Median |
| | First quartile |
| | Third quartile |
| | Interquartile range |
| Upper_limit | It represents the safe threshold for the number of DIO received from a neighbor. |

| Parameter | Values |
|---|---|
| Radio model | Multipath Ray-Tracer Medium (MRM) |
| Mobility model | Random Waypoint Mobility Model |
| Simulation area | 150 m × 150 m |
| Simulation time | 1800 seconds |
| Objective function | Minimum Rank with Hysteresis Objective Function(MRHOF) |
| Number of attacker nodes | 4 |
| Number of gateway nodes | 1 |
| Number of sensor nodes | 16 |
| DIO minimum interval | 4 seconds |
| DIO maximum interval | 17.5 minutes |
| Replay interval | 1, 2, 3, 4 seconds |
| Data packet size | 30 bytes |
| Data packet sending interval | 60 seconds |
| Transmission power | 0 dBm |
| Node speed | m/s m/s |

| Parameter | Value |
|---|---|
| tx_power | 0.0 |
| tx_with_gain | false |
| captureEffect | false |
| obstacle_attenuation | -10.0 |
| system_gain_mean | -20.0 |
| system_gain | 0.0 |

| Parameter | Value | Description |
|---|---|---|
| NETSTACK_CONF_WITH_IPV6 | 1 | Configured to enable IPv6 networking. |
| NETSTACK_CONF_NETWORK | sicslowpan_driver | Enables header compression and fragmentation. |
| NETSTACK_CONF_MAC | csma_driver | Enables Media Access Control with Collision Avoidance. |
| NETSTACK_CONF_RDC | contikimac_driver | Enables energy efficiency using radio duty cycling (RDC) |
| NETSTACK_CONF_RADIO | cc_driver | Control the operation of IEEE compliant CC radio transceiver operating at Ghz. |
| NETSTACK_CONF_FRAMER | framer_ | Enables parsing and generation of formatted packets compatible with IEEE protocol. |

| Ref. | Defense Mechanism | Mobility support | Limitations | Detection of non-spoofed copycat attack |
|---|---|---|---|---|
| Ghaleb et al. (2018a) | SecRPL | No | Degrades the network performance in terms of power consumption, control packet overhead, latency, and network reliability. | No |
| Airehrour et al. (2018) | SecTrust-RPL | No | Requires promiscuous mode of operation for constant monitoring. | No |
| Raza et al. (2013) | SVELTE | | Synchronization issue, requires strategic placement of IDS modules, vulnerable to coordinated attacks. | No |
| Mayzaud et al. (2017) | Distributed Monitoring Architecture | No | Requires promiscuous mode of operation for constant monitoring, relies on high order devices for monitoring which adds cost overhead, requires strategic placement of monitoring nodes. | No |
| Gara et al. (2017) | Hybrid IDS based on Sequential Probability Ratio Test with an Adaptive Threshold | Yes | Increases network overhead due to use of HELLO messages. | No |
| Bostani and Sheikhan (2017) | Hybrid of Anomaly and Specification based IDS | No | Only suitable for applications with one way communication. | No |
| Le et al. (2016) | Specification based IDS | No | Introduces communication overhead, requires a good network trace for the creation of effective specification, and shows less accuracy when it works for a long time. | No |
| Verma and Ranga (2020) | Secure-RPL | Yes | Requires minor changes in RPL implementation, performance is dependent on proper selection of safety thresholds. | No |
| - | CoSec-RPL (proposed solution) | Yes | Requires minor changes in RPL implementation, requires to maintain a neighbor table to store neighbor information. | Yes |
CoSec-RPL: Detection of Copycat Attacks in RPL based 6LoWPANs using Outlier Analysis
Abhishek Verma, Virender Ranga
Department of Computer Engineering, National Institute of Technology Kurukshetra, India
Abstract
The IPv6 Routing Protocol for Low-Power and Lossy Networks (RPL) is the standard routing protocol for IPv6 based Low-Power Wireless Personal Area Networks (6LoWPANs). In RPL protocol, DODAG Information Object (DIO) messages are used to disseminate routing information to other nodes in the network. A malicious node may eavesdrop DIO messages of its neighbor nodes and later replay the captured DIO many times with fixed intervals. In this paper, we present and investigate one of the severe attacks named as a non-spoofed copycat attack, a type of replay based DoS attack against RPL protocol. It is shown that the non-spoofed copycat attack increases the Average End-to-End Delay (AE2ED) and Packet Delivery Ratio (PDR) of the network. Thus, to address this problem, an Intrusion Detection System (IDS) named CoSec-RPL is proposed in this paper. The attack detection logic of CoSec-RPL is primarily based on the idea of Outlier Detection (OD). CoSec-RPL significantly mitigates the effects of the non-spoofed copycat attack on the network’s performance. The effectiveness of the proposed IDS is compared with the standard RPL protocol. The experimental results indicate that CoSec-RPL detects and mitigates non-spoofed copycat attack efficiently in both static and mobile network scenarios without adding any significant overhead to the nodes. To the best of our knowledge, CoSec-RPL is the first RPL specific IDS that utilizes OD for intrusion detection in 6LoWPANs.
The final publication is available at https://link.springer.com/article/10.1007/s11235-020-00674-w
Keywords: Internet of Things, RPL, Intrusion detection, 6LoWPAN, Copycat attack, CoSec-RPL
1 Introduction
In recent years, the Internet of Things (IoT) has been a major player among various evolving networking paradigms Ashton (2009); Xu et al. (2014); Ammar et al. (2018). International Data Corporation (IDC) predicted that there will be 41.6 billion connected IoT devices worldwide by 2025 IDC (2020), while worldwide spending on IoT is expected to cross the 1 trillion mark in 2022 IDC (2019). With this much expansion of IoT, the security issues related to it are also expanding. The increase in the number of IoT devices also increases the number of risks. These risks primarily include users’ security and privacy getting exposed to cyber attacks Raoof et al. (2019); Alaba et al. (2017); Airehrour et al. (2016); Ziegeldorf et al. (2014); Yang et al. (2017). In the present scenario, many IoT applications are deployed on IPv6 over Low-Power Wireless Personal Area Networks (6LoWPANs). The 6LoWPAN concept enables Internet Protocol (IP) on tiny devices, i.e., embedded devices with limited processing power, small onboard memory, and limited energy resources. 6LoWPAN is based on Low Power and Lossy Networks (LLNs), which have high packet loss and low throughput communication links Čolaković and Hadžialić (2018); Winter et al. (2012). LLNs are realized by resource constrained devices which operate on very low power, to support longer network lifetime Musaddiq et al. (2018). The characteristics of LLNs like resource constrained nature, high packet loss, and low network throughput make traditional routing protocols unsuitable for LLNs Tripathi (2014). To solve this issue, the IPv6 Routing Protocol for Low-Power and Lossy Networks (RPL) was standardized (RFC 6550) Winter et al. (2012). The RPL protocol provides energy efficient routing in LLNs.
However, the RPL protocol remains exposed to various cyber attacks, which may jeopardize users’ security and privacy Sfar et al. (2018); Verma and Ranga (2019c, b, a). The critical applications like healthcare and smart grid, when becoming the target of such threats, may result in life-threatening incidents. This motivated us to explore and perform an in-depth analysis of one such threat (i.e., copycat attack) and design a defense mechanism to detect and mitigate it. The vulnerabilities and threats associated with the RPL protocol have been rigorously studied by cyber security researchers Verma and Ranga (2020); Adat and Gupta (2018). In this paper, the main focus is on a replay mechanism based routing attack which is known as copycat attack, that affects the Quality of Service (QoS) of real-time wireless networks.
According to the standard RPL specification (RFC 6550), the RPL protocol supports a secure mode to provide integrity and confidentiality to data and control packets. The secure mode incorporates traditional cryptography mechanisms to enable security and privacy Ghaleb et al. (2018b). However, the standard RPL specification does not specify any details of secure key management, which restricts the usage of cryptography in resource constrained devices Malik et al. (2019); Seeber et al. (2013); Perazzo et al. (2017b). Moreover, the traditional cryptography based security methods (e.g., Public-key and Symmetric-key cryptography) consume a lot of computing resources, degrade the network’s performance, and reduce the lifetime of IoT networks Shamsoshoara et al. (2019). The RPL protocol is unprotected from cyber attacks (e.g., routing attacks), where an attacker node can exploit its vulnerabilities to compromise the legitimate nodes. The attacks may degrade the network’s overall performance significantly, which consequently affects the operation of IoT applications. One such destructive attack is termed a copycat attack, a type of replay mechanism based direct attack that targets the legitimate node’s resources. It is a Denial-of-Service (DoS) attack, which has the ability to severely degrade the performance of 6LoWPANs. To launch this attack, an attacker node eavesdrops DODAG Information Object (DIO) messages of legitimate neighbor nodes, and later sends the previously eavesdropped DIO messages many times with a fixed replay interval. In this manner, the attacker introduces a high level of congestion and interference in the network, which leads to the creation of sub-optimized routes. Moreover, the attack also forces nodes to transmit DIO messages unnecessarily and perform unessential routing related operations.
The copycat attack can be achieved even without stealing cryptography keys of legitimate nodes, which gives a significant advantage to the attacker (outsider attack scenario). Moreover, an attacker does not need to have any high range radio antenna or any other specialized hardware to perform copycat attacks.
The major problem with 6LoWPANs is that the resource constrained devices lack built-in security. Moreover, the RPL protocol does not have any inbuilt Intrusion Detection System (IDS) to provide any defense against cyber attacks. Most importantly, there is no built-in security mechanism to provide defense against routing attacks, which are very common in wireless networks. Therefore, in this research paper, a new Outlier Detection (OD) Kumar and Kumar (2016); Jabez and Muthukumar (2015) based IDS named as CoSec-RPL (abbreviation of “copycat secured RPL protocol”) is proposed to detect copycat attack. CoSec-RPL detects the malicious neighbors and blocks all further communications from it. The main idea behind our proposed IDS is to use the OD mechanism to detect neighbors with abnormal behavior. CoSec-RPL has five major advantages. Firstly, it does not introduce any communication overhead. Secondly, it does not require any good network trace for model training. Thirdly, its performance improves with time. Fourthly, it does not impose any significant memory overhead on the nodes. Fifthly, it can be easily extended to detect other RPL specific routing attacks. Major contributions of the paper can be summarized as:
1. The impact of copycat attacks on RPL is analyzed through simulations.
2. An IDS, named CoSec-RPL, targeting non-spoofed copycat attacks is presented and verified through simulations.
The next section of this paper presents a brief overview of RPL protocol, copycat attack, and outlier detection. In Section 3, relevant works are discussed. The proposed solution is described in Section 4. A discussion on performance evaluation of the proposed solution is presented in Section 5. Some possible extensions of proposed solution are discussed in Section 6, and finally we conclude the paper in Section 7.
2 Background
In this Section, we describe the RPL protocol, copycat attack, and outlier detection.
2.1 Overview of RPL Protocol
In this section, building elements, control messages, and fault tolerance mechanisms of the RPL protocol are discussed.
2.1.1 Building Elements of RPL
- DODAG: RPL is founded on the idea of Directed Acyclic Graphs (DAGs) Gaddour and Koubâa (2012). In RPL, the IoT devices are logically interconnected with each other using mesh and tree topology. In Destination Oriented Directed Acyclic Graph (DODAG), the root node (gateway) acts as an interface between 6LoWPAN nodes and the Internet. A network may contain more than one DODAG, which collectively form an RPL Instance that is uniquely identified by an RPL Instance ID. In a network, more than one RPL Instance may run at a time. An RPL node may be associated with only one DODAG per RPL Instance. Each node of a DODAG is assigned a rank which represents “the node’s individual position relative to other nodes with respect to a DODAG root” Winter et al. (2012). The rank concept is implemented in RPL: (1) to detect and avoid routing loops; (2) to build parent-child relationships; (3) to provide a mechanism for nodes to differentiate between parent and siblings; (4) to enable nodes to store a list of preferred parents and siblings which can be utilized during link repair. DODAG is built during the network topology setup phase, during which each node uses RPL control messages to find the optimal set of parents towards the root and link itself with the preferred parent. The selection of preferred parents is based on an Objective Function (OF). The OF defines the procedure for rank computation from routing metrics and selection of optimal routes in DODAG. RPL may use different OFs as per the application’s requirement. Some common OFs are ETX Objective function Gnawali and Levis (2010), Minimum Rank with Hysteresis Objective Function (MRHOF) Gnawali and Levis (2012), and Objective Function Zero (OF0) Thubert (2012). RPL supports Multi-Point-to-Point, Point-to-Multipoint, and Point-to-Point Gaddour and Koubâa (2012); Medjek et al. (2018) network topologies. An example of RPL DODAG with N Nodes having IPv6 addresses range from aaaa::1 to aaaa::N is shown in Fig. 1.
- Control Messages: RPL defines a new category of ICMPv6 control messages known under Type 155 and defined in Winter et al. (2012); 155 (2018). RPL control messages include DODAG Information Object (DIO), DODAG Information Solicitation (DIS), Destination Advertisement Object (DAO), and Destination Advertisement Object Acknowledgment (DAO-ACK). DIO message carries routing information relevant to existing DODAG and allows other nodes to find an RPL instance and its configuration parameters. Also, it enables a node to select its preferred parent set and perform DODAG maintenance. DIS message is used to solicit a DIO message from an RPL node. It is used by a new or existing node to search for a nearby DODAG. DAO message is used to forward downward route information in the upward direction along the DODAG, finally reaching the root node. DAO-ACK message is a unicast packet sent as an acknowledgment by a DAO parent or DODAG root, in reply to a unicast DAO message Gaddour and Koubâa (2012).
- Trickle Timer: RPL uses an adaptive timer mechanism called the “Trickle timer” in order to limit control traffic in the network Levis et al. (2011). RPL uses a dynamic mechanism to control the number of DIO messages sent by the resource-constrained nodes for minimizing energy consumption. Trickle timer decides when a node should multicast the DIO messages, and it gets reset in case of inconsistency detection in the network, i.e., loops and link loss, change in parent set, etc. The interval of the trickle timer is increased in the case of a stable network and decreased in the case of inconsistency detection. In the case of a stable topology, the trickle timer interval is increased, and thus the number of DIOs sent is decreased. When this interval is decreased, the number of DIOs sent is increased in order to fix the inconsistency issue Vasseur et al. (2011).
2.1.2 Fault Tolerance Mechanisms
RPL defines some important network management mechanisms. It fulfills self-healing characteristics by incorporating DODAG repair mechanisms (global and local), which are triggered on inconsistency detection, together with loop detection and avoidance mechanisms to handle routing loops. Inconsistencies include node failure, link failures, change in parent set, and routing loops. A loop may occur when a node, after losing all its parents, joins another node (makes it a parent) that was earlier in its sub-DODAG. Loop avoidance and loop detection mechanisms of RPL are contrary to those applied in traditional IP networks Xie et al. (2010). In this section, various fault tolerance mechanisms are discussed.
- Loop Avoidance: RPL defines two strict rules based on a rank property for avoiding loops in the network. The first rule is termed as “max_depth rule”. It states that a node must not select a neighboring node as its parent whose rank is higher than its own rank. The second rule states that a node must not increase its rank by selecting nodes of higher rank as its preferred parent in order to increase its parent set size.
- Loop Detection: Since loops are unavoidable in LLNs, the need for loop detection mechanisms arises. RPL defines a mechanism to detect routing loops whenever they occur. A data path validation mechanism is used by RPL to resolve routing loops. It involves setting and processing some specific bits contained in the RPL routing header. RPL ensures that the packets moving in the wrong direction are detected as a part of some loop. Loop recovery mechanism further involves resetting of trickle timer for repairing network topology while discarding packets being received at that time.
- Local Repair: RPL triggers the DODAG local repair mechanism in case of a node failure, link failure, and loop detection. Local repair aims to rapidly find an alternate parent/path (may not be optimal) without putting any global implication on entire DODAG.
- Global Repair: When local repairs are found to be inefficient while performing network recovery as they start diverging DODAG to a non-optimal state due to the presence of many inconsistencies, then the whole DODAG needs to be rebuilt from scratch. Global repair is performed by incrementing DODAG version number, which leads to the reconstruction of the whole DODAG, where nodes recompute their rank to form an optimal topology Hui (2012).
2.1.3 RPL Modes
Two modes of operations are supported by the RPL protocol in order to maintain downward routes. In this section, storing and non-storing mode of the RPL protocol Winter et al. (2012); Gaddour and Koubâa (2012) are highlighted.
- Storing mode: In the storing mode, downward routes start to propagate from leaf nodes to root node through intermediate router nodes. Every child node sends DAO message to its parent who initially stores information contained in that message and later sends a new DAO message containing aggregated reachability information to its parent. Thus, each node knows the path to every other node in the RPL network.
- Non-storing mode: In the non-storing mode, leaf nodes unicast DAO message to the DODAG root node. Unlike storing mode, intermediate router nodes do not store any information from DAO message; instead, they only append their address to it and forward to the parent. It is done to form a reverse routing path. Thus, only the DODAG root knows a path to every node in the network.
2.2 Copycat Attack
The main target of the copycat attack is to degrade the routing performance of RPL based 6LoWPANs so that the QoS of real-time applications gets affected. In this attack, an attacker may compromise a legitimate internal node and reprogram it to introduce a high level of congestion and interference in the network. The attacker can also choose an outsider attack strategy to perform this attack. To launch a copycat attack, an attacker eavesdrops the DIO messages of nearby nodes, and later sends (multicast) the captured DIO message (with or without modification) many times with a fixed replay interval. The copycat attack can be of two types: 1) non-spoofed; 2) spoofed. In “non-spoofed copycat attack”, the eavesdropped DIO is sent after modifying the source IP of the ICMPv6 packet containing DIO message. The attacker sends the unmodified captured DIO with its own IP address in the ICMPv6 packet, which forces the receiving (victim neighbors) nodes to believe that the packet is from a legitimate sender and makes them perform unnecessary routing related operations. Therefore, an attacker is able to drain the victim’s resources and disrupt its normal packet forwarding behavior. The second type of copycat attack is termed as “spoofed copycat attack”. In this attack, the eavesdropped DIO is sent to neighbor nodes after replacing the source IP address of the encapsulating IPv6 packet with the IP address of the legitimate DIO sender, i.e., the sender of the eavesdropped DIO message. This makes the receiver believe that the sender of DIO is its in-range neighbor. The victim nodes may even try to add the out of range neighbor, assuming that it leads to the optimal route to the gateway. In simple words, in non-spoofed copycat attack the adversary uses its IP address as the source, and in spoofed copycat attack the adversary uses the source IP address of a legitimate node as a source.
Both types of attacks introduce heavy congestion and interference in their attack region, which consequently, decreases the Packet Delivery Ratio (PDR) and increases the Average End-to-End Delay (AE2ED) of the underlying network. The main difference between copycat attack and other replay attack variants (i.e., routing information replay and neighbor attack) lies in the frequency of replaying the packets and the packet field being modified. In other RPL specific replay attacks, the attacker primarily aims to introduce the un-optimized or non-existing paths in the network by merely replaying the previously eavesdropped DIO packet after a certain period of time. In contrast, the copycat attacker focuses on the combination of the replay and interference method. The attack also forces legitimate nodes to make unnecessary DIO transmissions, which consequently, increases the control packet overhead of the network.
Moreover, the standard RPL specification states that the link quality (e.g., Expected Transmission Count) must be computed before adding a new node in the candidate parent set when MRHOF is used. Upon receiving the replayed DODAG Information Object (DIO) messages, a probing mechanism is initiated to assess the link quality. In this case, the probing fails because the replayed source is not in the communication range of the node, hence the path is assumed to be bad and consequently discarded Wallgren et al. (2013). Thus, the neighbor attack is ineffective if the nodes use ETXOF or MRHOF. Moreover, when an eavesdropped packet is frequently replayed multiple times with a fixed interval, a heavy interference is introduced in the network region, i.e., an attacker’s communication range. Also, copycat attack with fixed time interval keeps the node busy continuously and consequently degrades the network’s performance. It is to be noted that a copycat attack can also be performed with random intervals. However, the interval needs to be short in order to perform maximum damage to the network. Also, adding a mechanism to compute random interval very frequently will impose computational overhead to the attacker node, thereby decreasing attacker node’s lifetime. Considering the fact that the attacker’s primary target is to cause maximum damage to the network, it will simply choose a shorter interval (fixed value) and perform attack for longer time. In this study, we have considered the attack with fixed intervals. Analysis and detection of copycat attack with random intervals will be considered in our future work. The copycat attacker node is programmed in such a way that it remains isolated (neither makes a parent nor becomes a parent) from the network while only performing a replay attack. In this way, an attacker is able to reduce its own energy consumption rate for performing a long-lasting attack.
In the case of a spoofed copycat attack, where an attacker uses the source IP of one or more legitimate nodes (i.e., like a Sybil attack), the attack will be ineffective if RPL is configured with MRHOF. Whereas, if RPL is configured with OF0, the attacker will succeed in persuading legitimate nodes that it is a potential parent. This is because the nodes do not check for neighbor reachability in case of OF0. In this paper, we have focused on non-spoofed copycat attack, and proposed an IDS to detect such attacks in RPL based 6LoWPANs. The non-spoofed copycat attack is illustrated in Fig. 2.
2.3 Outlier Detection
An outlier is defined as “an observation (or subset of observations) which appears to be inconsistent with the remainder of that set of data” Barnett and Lewis (1974). OD involves the detection and removal of outliers from the data. OD has been commonly used for a long time to detect anomalies present in the data. Outliers can arise in data due to intentional or unintentional software and hardware errors, e.g., data entry error. In machine learning, removing outliers is one of the primary tasks in data preprocessing to leverage the quality of a prediction or classification model. Indeed, OD is important to any quantitative discipline that needs a good quality of data. There are many OD methods available in the literature, and the most popular one is known as the Interquartile Range (IQR). The standard deviation around the mean can be used to detect outliers. However, mean and standard deviation are sensitive to outliers and may lead to incorrect results. This problem is solved by the IQR method as it uses the median instead of the mean.
The IQR is a measure of statistical dispersion based on dividing data into quartiles. The value of IQR represents the middle 50% of sorted data (ascending). IQR is calculated as in Eq. 1, where Q3 and Q1 are the third and the first quartile, respectively.
[TABLE]
To determine the IQR, firstly, the median of the data is computed. Then, the first quartile (Q1) and third quartile (Q3) are computed. Q1, Q3 are the median of the lower and upper half of the data. After the computation of Q1 and Q3, the IQR is computed using Eq. 1. In order to visualize the distribution of data for better analysis, box plots are used. Fig. 3 illustrates an example of a box plot and probability density function of a normal distribution. The illustration visualizes the minimum, Q1, median, Q3, and maximum value. Tukey et al. proposed to use 1.5×IQR (Tukey fences) as a demarcation line for outliers Hoaglin (2003). As per the 1.5×IQR rule, points below Lower limit, and points above Upper limit are considered as outliers. The Lower limit, Upper limit are calculated as in Eqs. 2 and 3, respectively. The OD problem can be mapped to the intrusion detection problem of RPL based 6LoWPANs, where an outlier can be a node with abnormal behavior (i.e., malicious node) which needs to be identified and eliminated for achieving better network performance.
[TABLE]
[TABLE]
3 Related Work
Replay and flooding attacks have been widely studied by the WSN researchers and many IDS have been suggested for detection of such attacks Mohammadi and Ghaffari (2019); Hamid et al. (2006); Raymond and Midkiff (2008); Pathan et al. (2006); Gungor and Hancke (2009). However, such solutions cannot be directly applied in RPL security because RPL protocol has different operating mechanisms and a different format of control messages. In the literature, there are a limited number of works on the detection of replay and flooding attacks against RPL protocol. Le et al. Le et al. (2016) proposed a specification based IDS for detecting Rank Le et al. (2013), Local repair, Neighbor, DIS and Sinkhole attacks. The proposed IDS is based on the Extended Finite State Machine generated from a semi-auto profiling technique. Tsao et al. Tsao et al. (2015) suggested using a counter to ensure the freshness of the data and control packets for defending against a replay attack. However, no experimental study on the behavior of suggested attacks, and no performance evaluation of the suggested solutions is done in this study. Verma et al. Verma and Ranga (2019a, 2020) proposed a lightweight defense mechanism to secure RPL against the DIS flooding attack. The authors used standard RPL parameters like DIS start delay and DIS interval to detect and mitigate the attack. There are several works that have addressed other routing attacks, particularly to RPL. Ghaleb et al. Ghaleb et al. (2018a) proposed a security mechanism which is known as SecRPL to secure RPL against the DAO falsification attack. An enhanced version of the RPL protocol is proposed by Airehrour et al. Airehrour et al. (2018) to detect rank and sybil attacks. Raza et al. Raza et al. (2013) developed SVELTE for the detection of sinkhole, selective forwarding and spoofing attacks. Mayzaud et al. Mayzaud et al. (2014) analyzed version number attacks and suggested a distributed monitoring scheme to detect such attacks Mayzaud et al. (2016b, a, 2017). Gara et al. Gara et al. (2017) addressed Selective forwarding and clone ID attacks using a hybrid IDS based on the Sequential Probability Ratio Test with an Adaptive Threshold. Bostani et al. Bostani and Sheikhan (2017) proposed a hybrid IDS based on the combination of anomaly and specification detection engines to detect sinkhole and selective forwarding attacks. The existing security solutions are not suitable for the detection of copycat attack because of different attack characteristics, i.e., the copycat attack is a combination of flooding and replay attack, where the flooding attack induces heavy congestion and interference, while the replay attack sub-optimizes the DODAG. To the best of our knowledge, there is no RPL specific IDS present in the literature that is capable of detecting such an attack.
4 Proposed Solution
To detect non-spoofed copycat attack in RPL based 6LoWPANs, an IDS named as CoSec-RPL is proposed. The initial idea is to find the nodes which show significantly different behavior. CoSec-RPL is based on the idea of OD, which is also based on the IQR classifier. As discussed in section 2.3, the statistical method like IQR can detect outliers present in the given data with less implementation complexity. In wireless networks, the node showing abnormal behavior can be assumed as an outlier node. The existing Eq. 2 introduces a longer delay in attack detection, i.e., an attack is detected after a long time. Certain modifications have been made in the IQR method to make it fit for the detection of copycat attack in RPL based 6LoWPANs. To do this modification, a number of simulations are performed to decide the suitable value of Upper limit. The choice of Upper limit is based on improving the attack detection time. Eq. 2 is modified and shown in Eq. 4. The tuning parameter () is responsible for improving the responsiveness of CoSec-RPL, and its value is set to 1. This has been done in order to tune the outlier detection mechanism for quick detection of the attack.
[TABLE]
We performed multiple experiments to analyze the behavior of the network (normal and non-spoofed attack scenarios) in terms of the number of control messages sent and received by the nodes. The network setup details of the experiments are shown in Table 2. From the experiments, we observed that the node receives an almost similar number of DIO messages from its various neighbors under the normal scenario. Whereas, in the case of an attack scenario, the victim node receives a significantly large number of DIO messages from the attacker node as compared to other neighbors. This makes it possible to utilize OD for detecting nodes that show abnormal behavior during network run-time. An example of OD using the modified IQR method is shown in Table 1. It shows a set consisting of the number of DIOs received from different neighbors at different time intervals. The values of , , , IQR, Upper limit with respect to each set are tabulated. The Upper limit acts as the safe threshold for the number of DIOs received from a neighbor. A DIO count greater than the Upper limit signifies that the respective neighbor is a copycat attacker, i.e., represented by the DIOs received > Upper limit condition. In a normal scenario, the DIOs received from each neighbor are below the Upper limit. Hence, no outlier is detected. Whereas, in the case of the attack scenario, there is one neighbor from which a significantly large number of DIOs are received. Thus, the abnormal neighbor is marked as an outlier and identified as a possible copycat attacker. This detection logic has been incorporated in CoSec-RPL for the effective detection of copycat attackers present in the network. CoSec-RPL consists of five procedures: CoSec-RPL, init_neighbor_table, init_blacklist_table, check_malicious, remove_neighbor_table_entry. Pseudo-codes of the listed procedures are shown in Algorithms 1, 2, 3, 4, and 5.
Table 3 presents different symbols (data structures, variables) and corresponding definitions used in the proposed IDS.
4.1 Description of CoSec-RPL procedure
Pseudo-code of CoSec-RPL procedure is presented in Algorithm 1. The CoSec-RPL procedure is incorporated in the DIO processing method, which is executed after the reception of the DIO message from any neighbor. The DIO processing method is responsible for the processing of incoming DIO messages, and executes corresponding routing management operations. CoSec-RPL is executed every time a DIO message is received from any neighbor. We have considered two thresholds , which correspond to safe DIO interval and block threshold, respectively. In addition, a tuning parameter is used to control the re-activeness of CoSec-RPL. Monitoring the time difference between successive DIO messages helps in the detection of copycat attacks. When the time difference between successive DIO messages is less than or equal to , the neighbor is suspected as malicious, and vice-versa. The value of (i.e., 500 milliseconds) is adopted from Thulasiraman et al. Thulasiraman and Wang (2019). Block threshold is used to avoid the permanent blocking of wrongly detected neighbors. Thus, when a neighbor is detected as an attacker, it is put in a suspected state and allowed to communicate until the block threshold is reached. Once the block threshold is reached, the neighbor is permanently blocked. The value of is set to . One important advantage of using in CoSec-RPL is that it helps to detect aggressive attackers which are transmitting with fixed or random intervals.
This procedure is responsible for performing the following functions:
- Initialization of neighbor and blacklist tables.
- Early detection of blacklisted nodes in order to minimize computational overhead.
- Maintenance of neighbor table entries, i.e., addition of new entries and updating of old entries.
- Execution of check_malicious procedure after every 30 seconds to find malicious neighbors present in neighbor table.
4.2 Description of check_malicious procedure
The check_malicious procedure is the most important part of the CoSec-RPL scheme. It is responsible for finding the malicious neighbors (i.e., outliers) present in the neighbor table. Pseudo-code of check_malicious is presented in Algorithm 2. The count of DIO messages received by different neighbors is used to filter out the malicious nodes. Also, the modified IQR method is implemented to compute the safe threshold (i.e., Upper_limit). Neighbors are checked against Upper_limit and safe DIO interval. In case any neighbor violates the safety conditions, it is marked as suspected and added to the blacklist table. A node is marked malicious and permanently blocked if it is suspected for times. Upon detection of malicious neighbor its entry is removed from neighbor table.
4.3 Description of init_neighbor_table, init_blacklist_table, remove_neighbor_table_entry procedures
The init_neighbor_table, init_blacklist_table, remove_neighbor_table_entry are supporting procedures of CoSec-RPL scheme. The init_neighbor_table procedure initializes the neighbor table when node is powered ON. Pseudo-code of init_neighbor_table is shown in Algorithm 3. The init_neighbor_table procedure is responsible for initializing the neighbor table entries with default values. Pseudo-code of init_blacklist_table is presented in Algorithm 4. The init_blacklist_table procedure initializes the blacklist table when node is powered ON. It initializes the blacklist table entries with default values. Pseudo-code of remove_neighbor_table_entry is illustrated in Algorithm 5. The remove_neighbor_table_entry procedure deletes the neighbor table entry.
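The detection logic of Sections 4 to 4.2 as an added C example; it is not the authors' ContikiRPL code. Assumptions, since the page's Eq. 4 and block threshold value are not recoverable: the modified fence is taken as Q3 + k·IQR with k = 1, the block threshold is 3, either safety violation marks a neighbor as suspected, counters are reset after each 30-second check, and all neighbor timings are constructed.

```c
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_NBR 16
#define SAFE_DIO_INTERVAL_MS 500UL /* safe DIO interval stated in the text */
#define BLOCK_THRESHOLD 3          /* assumed value; not recoverable from the text */
#define CHECK_PERIOD_MS 30000UL    /* check_malicious runs every 30 seconds */

typedef struct {
    unsigned id;
    unsigned dio_count;        /* DIOs received in the current window */
    unsigned long last_ms;     /* arrival time of the previous DIO */
    unsigned long min_gap_ms;  /* smallest gap between successive DIOs */
    unsigned strikes;          /* times this neighbor was marked suspected */
    int seen, blocked;
} nbr_t;

static int cmp_uint(const void *a, const void *b) {
    unsigned x = *(const unsigned *)a, y = *(const unsigned *)b;
    return (x > y) - (x < y);
}

/* Median of the sorted slice v[lo..hi). */
static double median(const unsigned *v, int lo, int hi) {
    int n = hi - lo, mid = lo + n / 2;
    return (n % 2) ? (double)v[mid] : (v[mid - 1] + v[mid]) / 2.0;
}

/* Assumed form of the modified fence: Q3 + k * IQR. Q1 and Q3 are medians of
 * the lower and upper halves (middle element left out when n is odd).
 * Returns -1 when there are too few neighbors for quartiles to be meaningful. */
double upper_limit(const unsigned *counts, int n, double k) {
    unsigned s[MAX_NBR];
    if (n < 4 || n > MAX_NBR) return -1.0;
    memcpy(s, counts, (size_t)n * sizeof *s);
    qsort(s, (size_t)n, sizeof *s, cmp_uint);
    double q1 = median(s, 0, n / 2), q3 = median(s, (n + 1) / 2, n);
    return q3 + k * (q3 - q1);
}

/* DIO reception hook: returns 0 if the DIO is dropped, 1 if it is counted. */
int on_dio(nbr_t *t, int n, unsigned id, unsigned long now_ms) {
    for (int i = 0; i < n; i++) {
        if (t[i].id != id) continue;
        if (t[i].blocked) return 0;            /* early exit for blacklisted nodes */
        if (t[i].seen && now_ms - t[i].last_ms < t[i].min_gap_ms)
            t[i].min_gap_ms = now_ms - t[i].last_ms;
        t[i].seen = 1;
        t[i].last_ms = now_ms;
        t[i].dio_count++;
        return 1;
    }
    return 0;                                  /* sender not in the neighbor table */
}

/* Periodic check: returns how many neighbors were marked suspected. */
int check_malicious(nbr_t *t, int n, double k) {
    unsigned counts[MAX_NBR];
    int m = 0, flagged = 0;
    if (n > MAX_NBR) return -1;
    for (int i = 0; i < n; i++)
        if (!t[i].blocked) counts[m++] = t[i].dio_count;
    double limit = upper_limit(counts, m, k);
    for (int i = 0; i < n; i++) {
        if (t[i].blocked) continue;
        int over_count = limit >= 0 && t[i].dio_count > limit;
        int too_fast = t[i].min_gap_ms <= SAFE_DIO_INTERVAL_MS;
        if (over_count || too_fast) {          /* assumed: either violation counts */
            flagged++;
            if (++t[i].strikes >= BLOCK_THRESHOLD) t[i].blocked = 1;
        }
        t[i].dio_count = 0;                    /* assumed: counters are per window */
        t[i].min_gap_ms = ULONG_MAX;
    }
    return flagged;
}

/* Constructed scenario: six legitimate neighbors with fixed DIO periods and one
 * replaying neighbor (index 6). Returns the check round in which the replayer
 * is blocked, 0 if it never is within 10 rounds, -1 on a false positive. */
int rounds_until_blocked(double k, unsigned long replay_ms) {
    unsigned long period[7] = {10000, 8000, 10000, 6000, 8000, 7500, replay_ms};
    nbr_t t[7];
    if (replay_ms == 0) return -1;
    memset(t, 0, sizeof t);
    for (int i = 0; i < 7; i++) { t[i].id = 100u + i; t[i].min_gap_ms = ULONG_MAX; }
    for (int round = 1; round <= 10; round++) {
        unsigned long start = (round - 1) * CHECK_PERIOD_MS, end = start + CHECK_PERIOD_MS;
        for (int i = 0; i < 7; i++)
            for (unsigned long ts = (start / period[i] + 1) * period[i]; ts <= end; ts += period[i])
                on_dio(t, 7, t[i].id, ts);
        check_malicious(t, 7, k);
        for (int i = 0; i < 6; i++) if (t[i].blocked) return -1;
        if (t[6].blocked) return round;
    }
    return 0;
}

int main(void) {
    printf("blocked in round: 1 s/k=1: %d, 3.75 s/k=1: %d, 3.75 s/k=1.5: %d\n",
           rounds_until_blocked(1.0, 1000), rounds_until_blocked(1.0, 3750),
           rounds_until_blocked(1.5, 3750));
    return 0;
}
```

In the constructed data, a replayer sending 8 DIOs per window against legitimate counts of 3 to 5 exceeds the k = 1 fence (7) but not the 1.5IQR fence (8), which illustrates the responsiveness trade-off the tuning parameter controls.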
5 Performance Evaluation
In this section, we first focus on studying the impact of the copycat attack on the network’s performance. Then a detailed evaluation of the proposed CoSec-RPL scheme is done. A number of experiments have been performed using the Cooja simulator, which is the most reliable and widely used network simulator provided in Contiki operating system Dunkels et al. (2011). Contiki is a well known lightweight and publicly available operating system for constrained devices.
5.1 Experimental setup
Cooja is capable of producing real results for evaluations. It has an inbuilt hardware simulator named MSPsim that emulates the exact binary code of real sensor devices in order to achieve realistic simulation. In this paper, Zolertia 1 (Z1) platform is utilized to act as a 6LoWPAN node. Table 4 presents the simulation parameters considered in the experiments. In order to simulate a realistic scenario, the Multipath Ray-Tracer Medium (MRM) radio model is used in all the experiments Perazzo et al. (2017a); Wang et al. (2017); Ancillotti et al. (2018); Kanaris et al. (2019). The MRM radio model parameters shown in Table 5 have been adopted from Perazzo et al. Perazzo et al. (2017a); Vallati (2019). A network topology of 16 sensors randomly distributed in a square grid of 150 m × 150 m resembles smart agriculture and small industry monitoring application. A small level deployment of these applications involves the placement of several monitoring nodes that cover farmland or industrial place. Thus the considered network settings are sufficient for LLN security study. All the nodes are running on Contiki with a common protocol stack, as shown in Table 6. The ContikiRPL library is modified to implement the copycat attack on attacker nodes as well as to implement the proposed IDS on legitimate sensor nodes. Specifically, an attacker node is programmed to eavesdrop and capture the DIO message from any legitimate node and then replay the captured message at a fixed replay interval. A network scenario containing 1 gateway node and 16 sensor nodes which are randomly placed on a grid of 150 m × 150 m is considered. Each sensor sends a data packet (30 bytes) to a gateway every 60 seconds. Random Waypoint Mobility Model is used to simulate the behavior of mobile nodes where the speed of nodes is set between m/s and m/s Kabilan et al. (2018). In order to perform fair experiments, the attacker node is programmed to launch an attack after 90 seconds of network initialization. In this way, the attack starts after the network is established and becomes stable. Similarly, CoSec-RPL is programmed to activate after 120 seconds of network initialization and repeatedly checks for malicious neighbors every 30 seconds.
5.2 Performance indicators
In order to analyze the impact of non-spoofed copycat attack on RPL based 6LoWPAN network, PDR and AE2ED are selected. Similarly to evaluate CoSec-RPL, Attacker Detection Accuracy (ADA) and First Response Time (FRT) are analyzed. These performance indicators are defined as,
PDR: It is the ratio between the total number of data packets received by the gateway node to the total data packets sent by the sensor nodes including re-transmitted data packets. PDR is calculated as Eq. 5.
[TABLE]
where represents the total number of data packets received at gateway node, and represents the total data packets sent from non-root node .
AE2ED: AE2ED is defined as the average amount of time taken by all the data packets sent from each sensor node, to be successfully delivered to the gateway node while neglecting all lost and dropped packets. AE2ED is calculated as Eq. 6.
[TABLE]
where , represent time delay of data packet and total number of received packets, respectively.
ADA: It represents the ratio of total number of correctly detected attackers with respect to all observations made by IDS. ADA is calculated as Eq. 7.
[TABLE]
where , represent correctly and wrongly detected attackers, respectively.
FRT: It is defined as the time interval between the attack launch by a particular attacker and its first detection by IDS. FRT is calculated as Eq. 8.
[TABLE]
where , represent time of first detection and time of launch, respectively.
5.3 Simulation results
Both static and mobile (dynamic) network scenarios are studied in this paper. First, the impact of non-spoofed copycat is analyzed on the network in terms of PDR and AE2ED. Second, the performance of the CoSec-RPL scheme is studied in terms of ADA and FRT. For each scenario, 10 independent replications with different seeds are run in order to obtain statistically valid results. The mean values of the obtained results with its errors at 95% confidence interval have been reported to avoid biased observations.
5.3.1 Impact on PDR
The performance of Static RPL (static network reference model without attack), Static RPLUnder Attack (i.e., Static RPL under non-spoofed copycat attack), Static RPLCoSec-RPL (i.e., Static RPL under attack with our proposed defense scheme), Mobile RPL (mobile network reference model without attack), Mobile RPLUnder Attack (i.e., Mobile RPL under non-spoofed copycat attack), and Mobile RPLCoSec-RPL (i.e., Mobile RPL under attack with our proposed defense scheme) is evaluated and compared. In the case of the Static RPL and Mobile RPL, it must be noted that the replay interval plays no role. Achieving good data packet delivery is one of the major requirements of critical IoT applications. Thus, PDR analysis is an essential criterion in the performance evaluation of 6LoWPANs. Fig. 4 shows PDR obtained with different replay intervals, i.e., and seconds. It can be observed that the attack severely degrades the performance of the network. This is confirmed from the comparison of PDR values of Static RPL vs. Static RPLUnder Attack, and Mobile RPL vs. Mobile RPLUnder Attack, under different attack intervals.
The PDR values achieved in Static RPL, Mobile RPL are 0.97 and 0.59, respectively. On the other hand in Static RPLUnder Attack, Mobile RPLUnder Attack the PDR is reduced to 0.57 and 0.14, respectively. The non-spoofed copycat attack induces a major impact on the network's PDR. The main reason for this is that during the attack, a victim node repeatedly receives DIO messages (with non-spoofed source IP address) from an unresponsive attacker, at very short intervals. By an unresponsive attacker, we mean a node that does not respond to the victim's DAO messages (in case downward routing is enabled). This forces the victim node to perform unnecessary routing management related operations on every illegitimate DIO reception, which limits its data packet forwarding behavior. Such a reduction in PDR is unsuitable for critical IoT applications like healthcare. Hence, non-spoofed copycat attack must be addressed for smooth operation of critical applications. CoSec-RPL is able to improve the PDR of both static and mobile networks. Average PDR values achieved in case of Static RPLCoSec-RPL and Mobile RPLCoSec-RPL are 0.88 and 0.46, respectively. It can be observed from the PDR values achieved in the case of Static RPLCoSec-RPL and Mobile RPLCoSec-RPL that the network's performance is improved. It is because CoSec-RPL detects and blocks all the incoming packets from the attacker node and consequently, reduces the effect of the attack on legitimate nodes.
5.3.2 Impact on AE2ED
There are a number of critical IoT applications that can’t tolerate network latency issues. Thus, it is also essential to make sure the network has minimal latency. In this regard, the impact of non-spoofed copycat attack on AE2ED of 6LoWPAN network is studied. Fig. 5 shows AE2ED obtained with different replay intervals. It can be observed that the attack increases network latency. This is confirmed from the comparison of AE2ED values of Static RPL vs. Static RPLUnder Attack, and Mobile RPL vs. Mobile RPLUnder Attack, under different attack intervals.
It can also be observed in Fig. 5 that with different attack intervals, the AE2ED values obtained in Static RPL, Mobile RPL are 0.28 and 0.82, respectively. Whereas, in case of Static RPLUnder Attack the AE2ED is achieved between 0.22 and 0.42. In case of Mobile RPLUnder Attack the AE2ED is achieved between 2.13 and 3.11. It can be seen that the attack does not have any significant impact on AE2ED of the static network. On the other hand, in the case of the attack on a mobile network, AE2ED significantly increases. This is because of the network dynamicity due to which the nodes frequently leave and join the DODAG. This situation consequently leads to frequent DODAG repairs and parent switching, which provides an attacker with a major benefit in increasing the attack's impact on the network. Mobile RPLUnder Attack achieves lowest and highest AE2ED with and second replay interval, respectively. AE2ED of the network under attack increases because of two major reasons. The first reason is the congestion and interference evoked by the non-spoofed copycat attacker, which affects the forwarding nodes in the attack region. The second reason is the creation of non-optimal routes due to the replay of outdated routing information, which increases the path length for routing data packets. CoSec-RPL improves the AE2ED of both static and mobile network scenarios. The average AE2ED values achieved in case of Static RPLCoSec-RPL and Mobile RPLCoSec-RPL are 0.25 and 1.27, respectively. It can be observed from the AE2ED values achieved in the case of Static RPLCoSec-RPL and Mobile RPLCoSec-RPL that the network's performance is significantly improved. CoSec-RPL effectively reduces the time required for routing data packets from node to 6BR by detecting and blocking the incoming malicious traffic from the attacker node. CoSec-RPL reduces the computational overhead induced on legitimate nodes due to reception of outdated routing information from the attacker node.
5.3.3 IDS performance in terms of ADA
Fig. 6 shows the ADA achieved by CoSec-RPL in different attack scenarios. Here, Static CoSec-RPL and Mobile CoSec-RPL represent results obtained from CoSec-RPL operation in static and mobile network scenarios, respectively. It can be observed from the results that CoSec-RPL performs better in a static network by achieving a maximum of 94% and a minimum of 81% ADA. Whereas, in the case of mobile network, CoSec-RPL achieves a maximum of 85% and a minimum of 60% ADA. CoSec-RPL performs well in the static network because of the stable network due to which the attack detection mechanism is able to correctly identify the malicious neighbors present in the node's neighbor table. On the contrary, mobile networks are dynamic where frequent leaving and joining of legitimate nodes increases the number of DIO message transmissions. The legitimate nodes which have transmitted many DIO messages in order to join the DODAG become suspected attackers because they are detected as outliers by CoSec-RPL's attack detection mechanism. However, the permanent blocking of legitimate nodes is still prevented because of the block threshold (). The performance of CoSec-RPL in terms of ADA is inversely proportional to the replay interval. This indicates that CoSec-RPL is able to detect aggressive attackers more accurately than the non-aggressive attacker. Assuming that the attacker chooses an aggressive strategy to create a major impact on the network, CoSec-RPL is the suitable choice to detect such attacks.
5.3.4 IDS performance in terms of FRT
The responsiveness of an IDS plays a major role in deciding its usefulness in real-world applications. Considering this important factor, we have analyzed the performance of CoSec-RPL in terms of FRT. Fig. 7 shows FRT of CoSec-RPL to detect attackers with different replay intervals. The results have been reported for each attacker individually, which are represented by A1, A2, A3, and A4. It can be seen that the Static CoSec-RPL performs better than Mobile CoSec-RPL. This is because of the stable network that makes it easy for the detection mechanism to quickly find the malicious neighbor present in the neighbor table. The reason for delayed attacker detection in the case of Mobile CoSec-RPL is the network dynamicity, which increases the DIO transmission of legitimate nodes. Hence, it becomes very difficult for the detection mechanism to differentiate between normal and attacker neighbors present in the neighbor table. As mentioned in section 5.3.3, an aggressive attacker is detected more quickly by CoSec-RPL than a non-aggressive attacker. A similar pattern is observed in FRT results shown in Fig. 7. In both static and mobile scenarios, CoSec-RPL achieves minimum FRT to detect most aggressive attackers, i.e., A1-A4 with 1 second replay interval. Whereas maximum FRT is achieved in the detection of least aggressive attackers, i.e., A1-A4 with 4 second replay interval. From FRT analysis, it can be concluded that the performance of CoSec-RPL depends on the replay interval of the attacker. Small replay interval corresponds to quick and accurate intrusion detection, while large replay interval corresponds to slower and less accurate intrusion detection.
5.3.5 Implementation Overhead
The resource constrained nature of 6LoWPAN nodes restricts the usage of resource-hungry security solutions. Thus, it is very important to develop a lightweight security solution that does not consume a lot of a node's resources, i.e., CPU, memory, and energy. In this section, the implementation overhead of CoSec-RPL in terms of memory requirement (i.e., static memory (RAM) and flash memory (ROM)) is analyzed and discussed. To determine the memory requirements of CoSec-RPL, the msp430-size tool is utilized. Fig. 8 shows the comparison between the memory requirements of the sensor node and the 6BR node over which the CoSec-RPL is implemented. On a sensor node, the Z1 binary with CoSec-RPL implemented on it requires 51.57 kB of ROM and 7.66 kB of RAM. On 6BR node, Z1 binary occupies 51.19 kB of ROM and 7.604 kB of RAM. The maximum ROM, RAM storage capacity of Z1 node is 92 kB and 8 kB, respectively. CoSec-RPL modules additionally require only 5.9 kB, 2.56 kB of ROM and RAM, respectively. This indicates that the proposed IDS can be used to secure resource constrained nodes from non-spoofed copycat attack.
5.3.6 Theoretical comparison with existing works
Table 7 presents the details of some RPL specific IDS proposed in the literature. Also, a theoretical comparison of recent literature is made with our proposed solution. The main motivation behind carrying out theoretical comparison is that the existing RPL specific IDS are developed to detect different (other than copycat attack) routing attacks such as DIS flooding, rank, version number, etc. These IDS are specifically designed to detect a particular type of attack and will fail to detect copycat attack. A fair comparison can only be made with those IDS which have been designed to detect the copycat attack. To the best of our knowledge, there are no IDS present in literature that has been designed to detect the copycat attack, and hence we only rely on the theoretical comparison. The same methodology for performance comparison is followed in similar existing works Raza (2013); Airehrour et al. (2018); Ghaleb et al. (2018a); Wadhaj et al. (2020); Mayzaud et al. (2015); Verma and Ranga (2020) which inspired us to carry out practical comparison with standard RPL only.
6 CoSec-RPL future extensions
One of the main advantages of CoSec-RPL is that it can be easily extended for the detection of other attacks. The detection mechanism of our proposed IDS can be adapted for the detection of attacks that involve an attacker to send a large number of control messages to legitimate nodes. OD mechanism can be improved by using Kalman filter (statistics and control theory) Wang et al. (2018) and Entropy (Information theory) Zhi et al. (2018); Domingues et al. (2018).
DIS flooding attack detection: The proposed IDS can be modified to detect the DIS flooding attack. It will only require two modifications: (1) it will require an extra field in the neighbor table that stores the number of DIS messages received from neighbors; (2) based on the threshold on a maximum allowed DIS messages from the neighbor, DIS flooding attacker can be detected.
DAO insider attack detection: In the DAO insider attack, an insider attacker node sends fake DAO messages to its parent repeatedly in a fixed interval. In this way, an attacker generates a flood of DAO messages. CoSec-RPL can be extended to maintain the count of DAO messages received from child nodes. The node having abnormal behavior can be detected by the OD mechanism of CoSec-RPL.
Wormhole attack detection: To detect wormhole attacks, CoSec-RPL needs a few modifications. First, the neighbor table needs to store the signal strength of its neighbors. Then, the neighbor with significantly strong signal strength can be classified as an attacker by CoSec-RPL.
Spoofed copycat attack detection: CoSec-RPL is designed specifically for detecting non-spoofed copycat attack. The present solution is not capable of detecting a spoofed copycat attack where an attacker may spoof its IP frequently. However, the attack detection logic of CoSec-RPL can be improved to detect such attacks. This limitation is left as an improvement to CoSec-RPL and will be considered in our future work.
7 Conclusion and Future scope
RPL is currently the most popular routing protocol for 6LoWPAN based IoT applications. The security of such applications against various cyber attacks is one of the biggest challenges in the current scenario. In this paper, we first presented and investigated a routing attack named a copycat attack. The copycat attack is a combination of flooding and replay attack, which makes it severe for RPL based 6LoWPANs. From the simulation experiments, we illustrated how a non-spoofed copycat attack (i.e., a variant of copycat attack) significantly degraded the network performance, particularly in terms of AE2ED and PDR. We further proposed and evaluated a distributed IDS named CoSec-RPL to secure 6LoWPAN against such attacks. Our proposed IDS detected non-spoofed copycat attack and showed acceptable performance in terms of ADA and FRT. Also, we have shown that CoSec-RPL can be implemented on a resource constrained node like the Zolertia Z1 mote. The major limitations of CoSec-RPL include: (1) it cannot detect spoofed copycat attack; (2) it requires minor changes in RPL implementation; (3) it requires maintaining a neighbor table to store neighbor information. In the future, we plan to improve CoSec-RPL performance and perform testbed experiments.
ACKNOWLEDGMENT
This research was supported by the Ministry of Human Resource Development, Government of India.
Conflicts of Interest
On behalf of all authors, the corresponding author states that there is no conflict of interest.
References
- (2018) Internet Control Message Protocol version 6 (ICMPv6) Parameters. https://www.iana.org/assignments/icmpv6-parameters/icmpv6-parameters.xhtml, [Online; accessed 19-April-2018]
- Adat V, Gupta B (2018) Security in internet of things: issues, challenges, taxonomy, and architecture. Telecommunication Systems 67(3):423–441
- Airehrour D, Gutierrez J, Ray SK (2016) Secure routing for internet of things: A survey. Journal of Network and Computer Applications 66:198–213
- Airehrour D, Gutierrez JA, Ray SK (2018) SecTrust-RPL: A secure trust-aware RPL routing protocol for Internet of Things. Future Generation Computer Systems
- Alaba FA, Othman M, Hashem IAT, Alotaibi F (2017) Internet of Things security: A survey. Journal of Network and Computer Applications 88:10–28
- Ammar M, Russello G, Crispo B (2018) Internet of things: A survey on the security of iot frameworks. Journal of Information Security and Applications 38:8–27
- Ancillotti E, Bolettieri S, Bruno R (2018) Rtt-based congestion control for the internet of things. In: International Conference on Wired/Wireless Internet Communication, Springer, pp 3–15
- Ashton K (2009) That ‘internet of things’ thing. RFID journal 22(7):97–114
