Spoofing Attack Detection in RPL over IoT Environment

Abstract
The Internet of Things (IoT) becomes an emerging technology in wireless communication. A widely
applied routing protocol in the IoT is the Routing Protocol for Low-Power and Lossy Networks (RPL). The RPL
routing protocol is vulnerable to the routing attacks. The spoofing attack targets the IP address and credentials of
legitimate nodes and paves the way for other routing attacks. Several trust and cryptography based security
techniques have been designed for providing RPL security. However, most of them detect the malicious
activities using the specific characteristics of routing attacks. The proposed methodology plans to exploit the
machine learning schemes for differentiating the normal routing activities from the malicious activities to detect
such attacks. The proposed methodology uses Principal Component Analysis (PCA) and Support Vector
Machines (SVM) for feature reduction and attack classification respectively. The PCA ranks the features using
information gain and biasing factor, and selects the optimal set of features. By utilizing the optimal set of
features, the proposed methodology utilizes a rapid and straightforward learning that classifies the attacks under
the appropriate classes.

Keywords: RPL, Routing Attacks, Information gain (NG), Spoofing attack Detection, Support vector
machine (SVM), Principal component analysis (PCA).

I. Introduction
Recently the Internet of Things (IoT) has received significant attention from the research community due
to the potential applications [1]. Due to the significant developments in modern communication technologies,
the wireless devices connected to the internet are used in a wide range of prospective applications, such as
military sensing, environmental monitoring, object tracking, healthcare monitoring, and so on. The IoT
environment inherently consists of a large number of small sensor devices with limited resources with one or
more gateway nodes. The IoT devices depend on the gateway to route the messages to the server, as the
processing unit and the computational power of the sensors are limited. It is assumed that, after retrieving the
data from the sensors, other clients can read it only by requesting the server. However, it is difficult to ensure
that the authorized client is either a human or machine that sends and receives the produced data by the tiny
sensors [2]. It is because, the IoT sensor devices enable the clients to read the sensed information anywhere in
the world.
Every year, billions of sensing devices with microcontrollers are sold in the market. These devices are
connected through the Internet Protocol (IP) to support various applications and clients. The IoT supports
diverse applications from healthcare to transportation. In other words, IoT is used in several applications such as
environmental monitoring, home, and industrial automation, security management, object tracking, military,
healthcare systems, intelligent transportation, and Network Control Technologies.
Intelligent Transportation System: The intelligent transportation system enables the following services in
vehicles, such as receiving, sending, sorting transportation as well as other associated subsystems.
Smart Home Industry: Under the IoT, the smart home industry has broad prospects and receives a better
position in the potential market around the world. Instead of a complex arrangement of wired connections, the
smart home industry applies wireless communication among devices and eases the building maintenance.
 Structural Monitoring: The Structural monitoring is considered as one of the possible illustrations to
indicate the potential breakages in the building and solve such issues using the sensing modes of vibration, and
acoustic emissions.
According to the Cisco report, more than 50 billion devices become smarter by making internet connection
in 2020. Due to the growth of IoT network deployment, recent research on wireless communication turns its
focus on IoT communication. The wireless IoT devices are limited with radio range, processing capability, and
battery life. The immediate replacement of dead sensors is not possible in the IoT environment. Thus, a
significant concern of tiny sensors is energy conservation while ensuring the service level in the routing.
The rest of the work has been organized as follows. In this article, II section discusses the updated related work.
The III section gives the RPL Routing and Security issues & section IV gives the significance of RPL Security.
Next section will discuss the proposed method, designed for Spoofing Attack Detection in RPL over IoT
Environment. Finally the paper concluded.
II. Related Works
The routing protocol should be designed to satisfy the critical features of the routing layer. The routing
layer attacks on IoT significantly impact the performance of network layer activities. A considerable number of
attacks target the routing layer processes. In order to disrupt the normal networking procedures, the nodes with
the attack configuration attempt to spoof or alter the data. With this intention, the attackers create packet loss,
unnecessary packet flooding, route discovery interruption, false alarm generation, and intentionally increase the
delay of delivering messages [3] [4]. Several defense mechanisms exploit the message authentication code to
detect the spoofing and data integrity attacks. In such cases, the nodes have to verify the received message
integrity as well as the authenticity of the sender. The implementation of packet count and timestamps prevent
the unauthorized repetition of control messages in the network.
Several conventional schemes have conducted a survey on the IoT authentication and data integrity for
improving the performance of IoT protocols. However, the focus on the machine learning algorithms for IoT
security is limited. The survey on IoT security presented in [5-10] review the challenges in encryption,
authentication, access control, network security and application security in IoT systems. The study of machine
learning methods in [11] for protecting data privacy and security in the IoT context discusses the challenges in
the adaptation of machine learning algorithms in IoT security. The primary challenge in IoT security is the
provision of huge amount of data. To obtain insights from these data, several works [12-15] exploit different
methods of integrating data analytical methods with IoT design. Unlike traditional methods, only the machine
learning algorithms can effectively derive unobserved insights from data with minimal human assistance.
The commonly used machine learning algorithms for providing the IoT security are decision trees, Support
Vector Machines (SVMs), Bayesian algorithms, random forest, association rule, ensemble learning, K-Means
clustering, k-nearest neighbor, and Principal Component Analysis (PCA). The decision tree based algorithms
classify the messages based on the feature values. In decision tree algorithms, the term tree and edge denote a
feature and a value that the features have in a message. The machine learning algorithms classify the samples
concerning their feature values in a message. There are several measures used in the detection of the optimal
feature set that best splits the training messages, using information gain and Gini index [16]. The decision tree
based approaches consist of two main processes, such as building or induction and classification or inference
[17]. The induction process constructs the decision tree using unoccupied nodes and branches. The inference
process selects the features using different measures. However, the decision tree algorithms are affected due to
the sampling, global optimum, and the number of features in a message.
The SVMs creates a splitting hyperplane in the data features. It is suitable for IoT as it handles a large
number of feature attributes with a small number of sample features [18]. The SVMs are established using the
statistical learning. The main advantage of SVMs is scalability, due to the updation of training patterns
dynamically [19]. However, it requires labeled data to identify the attacks in RPL. Also, the naive Bayesian
algorithm successfully handles the features independently. However, it fails in extracting the relationships and
interactions among features. The k-nearest neighbor algorithm should decide the optimal k value to improve its
performance, but it is a time-consuming process for IoT applications. An unsupervised learning approach, K-
Means clustering identifies clusters in the messages based on the feature similarities. However, it is less
effective than supervised learning methods, specifically in detecting known attacks. The PCA scheme reduces
the number of features. However, there is a necessity to use other machine learning algorithm to establish an
effective security approach [20]. Thus, an effective security scheme needs to be proposed for IoT security
against the spoofing and integrity attacks in RPL.
III. RPL Routing and Security Issues
A majorly used routing protocol in the IoT is the Routing Protocol for Low-Power and Lossy Networks
(RPL). The RPL follows the Distance Vector Internet Protocol version 6 (IPv6) routing protocol [21][22] and
this protocol is mainly applied for several IoT applications. The standard of IPv6 over Low power
Wireless Personal Area Networks (6LoWPAN) integrates the IPv6 and the low-powered sensor device. The
routing layer protocol, RPL is responsible for building routing paths and forwards the messages to the IoT
gateway successfully. RPL security is the primary concern in IoT applications and new security challenges
steadily increase when connecting the server with homogeneous or heterogeneous sensor devices [23]. The
sensor is a central part of the IoT, and it is essential to solving the security issues in the design of routing
protocols. The routing layer protocol, RPL paves the way for various attacks to enter into the IoT
communication [24]. The main security concerns in IoT communication are user authentication and data
integrity. An effective authentication scheme assists the IoT devices to distinguish the sender and unauthorized
nodes, as well as address the identity-based attacks such as spoofing and Sybil attacks successfully. Also,
providing confidentiality of the IoT messages is critical, as the attackers attempt to intercept the traffic flow and
reveal the secret information. Some of the malicious nodes store the messages that are routed through it and
replay the same message in the network after some time. Therefore, it is essential to implement the defense
mechanism to provide authentication and avoid the spoofing attacks in IoT communication.
3.1 Role of Machine Learning Algorithms in RPL Security
Several cryptography algorithms have been suggested for IoT communication security. However, they
detect the malicious activities using the features of specified security attacks. However, the defense systems
against a specified security attack are quickly conquered by the attackers with modified features or new types of
attacks. For instance, a more severe threat to IoT communication is Distributed Denial of Service (DDoS)
attack, and the conventional defense schemes cannot trace if it utilizes the spoofed source IP addresses for
launching the malicious activities. Thus, the powerful tool to identify the attackers is machine learning methods
[25]. It explores the network data to learn the normal and abnormal behavior of nodes based on how the IoT
devices are involved in IoT communication. The machine learning based defense systems collect the input data
from each part of the IoT network and investigate them for differentiating the normal patterns of communication
from the malicious behavior. Moreover, the machine learning-based defense systems play an essential role in
identifying the new attacks. Consequently, IoT defense systems should be transitioned from merely facilitating
secure communication to intelligent, and secure communication using machine learning schemes.
IV. The significance of RPL Security
The number of interconnected devices in the IoT architecture is significantly increasing. In recent research
on IoT communication security, the RPL receives considerable attention, since the RPL meets the resource
constraints of the IoT network. The secure RPL routing has to be extraordinarily smart to deliver the messages
without leaking the private information to others. Several applications exploit the RPL for establishing the IoT
secure communication. The following features in RPL attract most of the applications in real time. 1) It
effectively deals with a high number of clients using the DODAG structure and a limited number of control
messages. 2) Another benefit is that its shortest path construction towards server using rank value. When the
RPL client configures the rank value as minimum among other neighboring clients, it connects to the server in a
minimum number of hops. 3) The RPL allows the clients to update the topology when a client experiences any
change in the network topology.
However, security is the primary challenge in the tremendous growth of IoT applications. Consequently,
new intelligent security approaches are essential in the RPL protocol by applying machine learning schemes to
improve the performance of IoT applications.

V. Proposed Method
The primary goal of the IoT system is the network availability to anyone, anywhere and anytime.
Consequently, potential threats become more probable in IoT, due to its advancement in wireless
communication. In IoT, the network layer is responsible for generating and routing the messages towards the
server. Mostly, the IoT communication protocols use RPL as a network layer protocol. Moreover, it is
responsible for providing a ubiquitous access environment to the IoT devices, i.e., data communication and
storage functionalities. IoT devices exchange messages over wireless networks, where an attacker attempts to
expose the private information from the communication channel through eavesdropping. An attacker exploits
the security weaknesses in an RPL and exerts a negative impact on routing performance. Numerous routing
layer attacks, such as passive attacks, such as eavesdropping and active attacks, such as spoofing, Sybil, man-
in-the-middle, malicious inputs and denial of service affect the RPL performance. Thus, the provision of
security for an RPL protocol should be of high priority. However, the IoT devices cannot support complex
security algorithms, due to their limited computation and battery resources. Thus, the powerful method for data
exploration to learn about normal and abnormal routing behavior is essential.
The main aim and objectives of the proposed methodology are as follows.
 To learn from existing messages and to predict future unknown attacks in RPL using SVM in IoT
 To adapt the machine learning algorithm to resource-constrained IoT devices by reducing the features
using PCA
 To identify the unknown attacks in RPL, by enabling the security system to execute the learning
module frequently.
 The proposed defense system adopts the SVM classifier as detector using a reduced feature set. The
proposed scheme includes the training and testing phase to learn standard RPL features and to identify the
attackers respectively. By observing the RPL protocol, the data packets are collected over time.

Figure 1: Block Diagram of Proposed Method

The proposed scheme divides the data into training and testing RPL messages. The RPL packets include a
vast number of features resulting in extended learning time and computational complexity. All the RPL features
do not contribute to improving the accuracy of attack detection. Thus, the proposed scheme system utilizes the
PCA in extracting the most relevant features that have a maximum number of attacks, and the SVM to
categorize the RPL specific attackers accurately. An information gain is a measurement of the impurity level in
each feature. However, considering the information gain alone is not efficient always in feature reduction.
Because the information gain is biased when the feature consists of distinct values. Instead of measuring the
information gain, the proposed scheme considers the bias of information gain in terms of breaking point and
reduces the mistake occurring in the feature reduction. The normalized gain is measured as the ratio of
Information gain to the breakpoint information. To precisely differentiate the normal routing activities from the
malicious behavior from normal, the proposed scheme exploits the use of classifiers. It utilizes the SVM
classifier to identify the attack packets, since the SVM is an efficient tool to learn the high dimensional data, and
it can update the training patterns arbitrarily when a new attack is entered into the network.
Thus, the proposed methodology effectively classifies the attackers, which are launched through IP address
spoofing and improves the routing efficiency in the IoT environment.
For the performance evaluation of the proposed methodology, including SVM classification and PCA,
there is a need to collect the samples for RPL routing activities. The dataset for training is generated using the
Cooja simulator over the Contiki operating system. The data set for malicious activities is created by modeling
the spoofing and data integrity related attacks in RPL. This dataset is generated by monitoring the RPL routing
protocol for 8 min, in which the attack-free IoT traffic is spanning for 5 min and the IoT traffic that contains
attacks lasting for 3 min. Initially, the proposed scheme is implemented in Java using Java Machine Learning
Library for reducing the features. The reduced feature set and its values are provided as an input to Waikato
Environment for Knowledge Analysis (WEKA) for classification. Secondly, the attack classification exercise
using SVM classifier is executed in the WEKA.
The proposed scheme is evaluated using the following metrics.
Detection Accuracy: The ratio of the total number of detected malicious messages and the total number of
malicious messages transmitted over the wireless medium.
Throughput: Total number of delivered bits to the server.
Delay: Total time taken by a packet to reach the server node in the network.
Overhead: Total number of control messages used for providing the security in RPL.

VI. Conclusion
This work surveys various existing RPL routing attack countermeasures for secure routing in IoT. The
routing and security issues associated with the RPL and the importance of machine learning algorithms in RPL
security are described. This work proposes the solutions for the security issues such as SVM classification and
PSA based secure RPL in IoT. The clustering algorithm is designed with the use of an optimal set of network
layer features, which is reduced using PCA. The performance evaluation and metrics are also discussed.

References
1. L. Atzori, A. Iera, G. Morabito, “The Internet of Things: A Survey,” Computer Networks, Vol. 54, No. 15,
pp. 2787-2805, 2010
2. Tan L, Wang N. “Future Internet: The Internet of Things”. 3rd International Conference on Advanced
Computer Theory and Engineering (ICACTE), Chengdu, China, pp.376–380, 2010
3. Mayzaud A, Sehgal A, Badonnel R, Chrisment I, Schönwälder J. “A study of RPL DODAG version
attacks”, Springer IFIP International Conference on Autonomous Infrastructure, Management and Security,
pp. 92-104, 2014
4. Anhtuan Le, “The Impact of Rank Attack on Network Topology of Routing Protocol for Low-Power”,
IEEE Journal on Sensors, Vol.13, No.10, pp. 3685 - 3692, 2013
5. A. R. Sfar, E. Natalizio, Y. Challal, and Z. Chtourou, "A roadmap for security challenges in the Internet of
Things," Digital Communications and Networks, 2017.
6. S. Sicari, A. Rizzardi, L. A. Grieco, and A. Coen-Porisini, "Security, privacy and trust in Internet of
Things: The road ahead," Computer networks, Vol. 76, pp. 146-164, 2015.
7. F. A. Alaba, M. Othman, I. A. T. Hashem, and F. Alotaibi, "Internet of Things security: A survey," Journal
of Network and Computer Applications, Vol. 88, pp. 10-28, 2017.
8. K. Zhao and L. Ge, "A survey on the internet of things security," IEEE 9th International Conference on
Computational Intelligence and Security (CIS), pp. 663-667, 2013.
9. J. S. Kumar and D. R. Patel, "A survey on internet of things: Security and privacy issues," International
Journal of Computer Applications, Vol. 90, No. 11, 2014.
10. H. Suo, J. Wan, C. Zou, and J. Liu, "Security in the internet of things: a review," IEEE international
conference on Computer Science and Electronics Engineering (ICCSEE), Vol. 3, pp. 648-651, 2012.
11. P. Mishra, V. Varadharajan, U. Tupakula, and E. S. Pilli, "A Detailed Investigation and Analysis of using
Machine Learning Techniques for Intrusion Detection," IEEE Communications Surveys & Tutorials, 2018.
12. C.-W. Tsai, C.-F. Lai, M.-C. Chiang, and L. T. Yang, "Data mining for Internet of Things: A survey," IEEE
Communications Surveys and Tutorials, Vol. 16, No. 1, pp. 77-97, 2014.
13. D. Gil, A. Ferrández, H. Mora-Mora, and J. Peral, "Internet of things: A review of surveys based on context
aware intelligent services," Sensors, Vol. 16, No. 7, pp. 1069, 2016.
14. F. Alam, R. Mehmood, I. Katib, N. N. Albogami, and A. Albeshri, "Data fusion and IoT for smart
ubiquitous environments: A survey," IEEE Access, Vol. 5, pp. 9533- 9554, 2017.
15. O. B. Sezer, E. Dogdu, and A. M. Ozbayoglu, "Context Aware Computing, Learning, and Big Data in
Internet of Things: A Survey," IEEE Internet of Things Journal, Vol. 5, No. 1, pp. 1-27, 2018.
16. W. Du and Z. Zhan, "Building decision tree classifier on private data," in Proceedings of the IEEE
international conference on Privacy, security and data mining, Vol. 14, pp. 1-8, 2002
17. S. B. Kotsiantis, "Decision trees: a recent overview," Artificial Intelligence Review, Vol. 39, No. 4, pp.
261-283, 2013
18. A. L. Buczak and E. Guven, "A survey of data mining and machine learning methods for cyber security
intrusion detection," IEEE Communications Surveys & Tutorials, Vol. 18, No. 2, pp. 1153-1176, 2015
19. M. Ozay, I. Esnaola, F. T. Y. Vural, S. R. Kulkarni, and H. V. Poor, "Machine learning methods for attack
detection in the smart grid," IEEE Transactions on Neural Networks and Learning Systems, Vol. 27, No. 8,
pp. 1773-1786, 2016
20. H.-b. Wang, Z. Yuan, and C.-d. Wang, "Intrusion detection for wireless sensor networks based on multi-
agent and refined clustering," IEEE International Conference on Communications and Mobile Computing,
Vol. 3, pp. 450-454, 2009
21. E. Kim, D. Kaspar, C. Gomez, and C. Bormann. “Problem Statement and Requirements for IPv6 over
Low-Power Wireless Personal Area Network (6LoWPAN) Routing”, RFC 6606 (Informational), 2012.
22. Olfa Gaddoura and Anis Koubâa, “RPL in a nutshell: A Survey”, Computer Networks, Elsevier, Vol.56,
No.14, pp. 3163–3178, 2012
23. Dhumane A, Prasad R, Prasad J. “Routing Issues in Internet of Things: A Survey”. In Proceedings of the
International MultiConference of Engineers and Computer Scientists, Vol. 1, pp. 16-18, 2016.
24. Grgic K, Krizanovic Cik V, Mandrić Radivojevic, V. “Security Aspects of IPv6-based Wireless Sensor
Networks”, International Journal of Electrical and Computer Engineering Systems, Vol.7, No.1, pp.29-37,
2016
25. J. Cañedo and A. Skjellum, "Using machine learning to secure IoT systems," IEEE 14th Annual
Conference on Privacy, Security and Trust (PST), pp. 219-222, 2016.