Adaptive Intrusion Detection for Evolving RPL IoT Attacks Using Incremental Learning

TL;DR

This paper explores the use of incremental learning techniques to enhance intrusion detection in RPL-based IoT networks, enabling adaptive, efficient, and resilient defense against evolving routing-layer attacks.

Contribution

It systematically evaluates multiple models demonstrating that incremental learning effectively detects new threats while reducing retraining time and preventing forgetting of past attacks.

Findings

Incremental learning restores detection of new attack classes.

It reduces retraining time compared to full model retraining.

It mitigates catastrophic forgetting of previous threats.

Abstract

The routing protocol for low-power and lossy networks (RPL) has become the de facto routing standard for resource-constrained IoT systems, but its lightweight design exposes critical vulnerabilities to a wide range of routing-layer attacks such as hello flood, decreased rank, and version number manipulation. Traditional countermeasures, including protocol-level modifications and machine learning classifiers, can achieve high accuracy against known threats, yet they fail when confronted with novel or zero-day attacks unless fully retrained, an approach that is impractical for dynamic IoT environments. In this paper, we investigate incremental learning as a practical and adaptive strategy for intrusion detection in RPL-based networks. We systematically evaluate five model families, including ensemble models and deep learning models. Our analysis highlights that incremental learning not only restores detection performance on new attack classes but also mitigates catastrophic forgetting of previously learned threats, all while reducing training time compared to full retraining. By combining five diverse models with attack-specific analysis, forgetting behavior, and time efficiency, this study provides systematic evidence that incremental learning offers a scalable pathway to maintain resilient intrusion detection in evolving RPL-based IoT networks.