This article has been accepted for publication in a future issue of this journal, but has not been fully edited. Content may change prior to final publication. Citation information: DOI 10.1109/JIOT.2019.2948149, IEEE Internet of Things Journal
Abstract—The Routing Protocol for Low power and lossy networks (RPL) is a standard routing protocol for resource-constrained devices in the Internet of Things (IoT) networks. Primarily, RPL can support a dynamic range of mobility among the nodes in the network, which becomes a great demand now for real-time applications. At the same time, RPL is much vulnerable to various security attacks because of its resource-constrained nature. Such security attacks might cause severe threats and destructive behavior inside the network. In this paper, we primarily focus on the Sybil attack, where an attacker claims multiple illegitimate identities, either by fabricating or compromising the nodes. Also, in this type of attack, a single adversary is required to control multiple legitimate nodes in the network, and thereby, the adversary node saves the physical resources. In this paper, we proposed a novel Artificial Bee Colony (ABC) inspired mobile Sybil attack modeling and Lightweight intrusion detection algorithm for Sybil attack in mobile RPL. Moreover, we considered three different categories of Sybil attack based on its behavior, and we analyzed the performance of the RPL under Sybil attack in terms of packet delivery ratio, control traffic overhead, and energy consumption. Also, we examined the performance of the proposed algorithm in terms of accuracy, sensitivity, and specificity.

Index Terms—Internet of Things (IoT), RPL, Sybil attack, Intrusion Detection, Lightweight security, mobility, and accuracy.

Sarumathi Murali and Abbas Jamalipour are with the School of Electrical and Information engineering, The University of Sydney, Australia. e-mail: smur0999@uni.sydney.edu.au and a.jamalipour@ieee.org. "Copyright (c) 20xx IEEE. Personal use of this material is permitted. However, permission to use this material for any other purposes must be obtained from the IEEE by sending a request to pubs-permissions@ieee.org."

I. INTRODUCTION

The Internet of Things (IoT) is an emerging technology that has brought a lot of attention in research and industrial revolution in recent years. IoT can support and manage a system for the monitoring and control of the physical world through the gathering, processing, and interpretation of generated data by IoT sensor devices. IPv6 over Low-power Wireless Personal Area Network (6LoWPAN) is a small IoT network which supports IPv6 connectivity among the low power devices [1]-[2].

Routing Protocol for Low-Power and Lossy network (RPL) is a standard routing protocol for resource-constrained and lossy IoT networks. RPL is an IPv6 enabled distance vector proactive routing protocol and its topology is much flexible to build the network with large numbers of IoT nodes under static and mobile conditions [1].

However, due to the limited battery life and mobility, RPL is prominently vulnerable to various security attacks, namely selective forwarding, grey hole attack, version number attacks, sinkhole attack, blackhole attack, Sybil attack, replay attack and Denial of Service (DoS) attack. Hence, there is a critical need to investigate the security aspects of RPL under mobility for mitigation and intrusion detection.

In this paper, we focus on a security routing attack, namely the Sybil attack and its mitigation techniques. Sybil attack is the critical routing attack which can degrade the performance and lifetime of the network drastically. In the Sybil attack, the attacker claims multiple illegitimate identities, either by fabricating the identities or compromising the legitimate nodes in the network. The Sybil attack is even dangerous in the mobile RPL, which can weaken the network performance by exponentially increasing the control overhead transmission, and in turn, reduces the overall lifetime of the network. Sybil attack can also direct to the origin of other consecutive attacks such as selective forwarding, denial of service, rank attack, and version number attack [3].

The main contribution of this research work is the proposal of a lightweight intrusion detection algorithm for mobile RPL against the Sybil attack, which needs less computation and provides high accuracy, which are quintessential in the case of a resource-constrained network. We also proposed a bio-inspired mathematical model for the Sybil attack in mobile RPL based on the Artificial Bee Colony (ABC) model. Also, we had examined all the three types of Sybil attacks in both Static RPL and mobile RPL and proposed the lightweight intrusion detection approach. Then, we examine the effectiveness of the proposed lightweight intrusion detection algorithm under all the three categories of Sybil attack in terms of accuracy, sensitivity, and F-score values.

The rest of this paper is organized as follows. Section II reviews the related previous research work on an overview of RPL and Mobility-aware RPL. And, Section III illustrates the Sybil attack and proposed Artificial Bee Colony inspired Sybil Attack Model. Section IV explains the classification of the Sybil attack. Section V enumerates the proposed lightweight intrusion detection algorithm against Sybil attack in mobile RPL. Section VI provides simulation metrics and performance analysis.

II. RELATED WORK

Security in RPL has been identified to be critical because of the resource-constrained nature of the nodes in the network. According to Zhang et al. [3], a Sybil attack has become a severe threat to social networks when the Sybil node can gain unauthorized access to private contents. Also, they have distinguished the Sybil attack into three types based on the nature of behavior.
2327-4662 (c) 2019 IEEE. Personal use is permitted, but republication/redistribution requires IEEE permission. See http://www.ieee.org/publications_standards/publications/rights/index.html for more information.
Faiza Medjek et al. [4] proposed the evaluation of the impacts of the Sybil attack in RPL and analyzed the results in terms of control overheads.

Our previous research paper [5] on mobility-aware parent selection algorithm for low power and lossy networks suggested a novel parent selection algorithm for mobility in RPL and proposed a dynamic Trickle to optimize the number of control overhead.

A.K.Mishra et al. [6] proposed the general analytical model for Sybil attack in IoT, but not particularly for the RPL network. It seems to be a significantly good research work on Sybil attack modeling. However, it is quite challenging to adapt it for low power RPL nodes while designing the Sybil attack.

D. Airehrour et al. [7] proposed the SecTrust-RPL for the Internet of Things, and they used a trust-based mechanism for detecting and isolating the security attacks, namely rank and Sybil attack. Here, they considered static RPL instead of mobile RPL.

Shreenivas et al. [8] proposed SVELTE, an intrusion detection system for the Internet of Things, that uses the ETX (Expected Transmissions Count) metric to improve the security within 6LoWPAN networks.

Karaboga et al. [9] proposed the comprehensive survey on artificial bee colony (ABC) algorithm and its applications, and it suggested how the bee colony is characterized into different phases. This modeled has been adapted in our work while designing the Sybil attack in RPL.

A. Brief Overview of RPL

RPL is a distance-vector, and source routing protocol which is working under a tree-based topology, namely Destination Oriented Direct Acyclic Graph (DODAG) in the 6LoWPAN. A DODAG comprises of many nodes, and there is a sink node called border router (BR), which gathers all sensed information from the residual nodes in the same DAG. Every DODAG is distinguished by its RPL instance ID, DODAG ID, DODAG version number and Rank.

There are three types of control messages have been exchanged in RPL, namely DIO, DAO and DIS [1]-[2].
• DIO - DODAG Information Object
• DAO - DODAG Advertisement Object
• DIS - DODAG Information Solicitation

The border router starts the DODAG construction process by broadcasting DIO messages to the nearby neighboring nodes in the DODAG for building and renewing the topology. The nodes which receive the DIO message, in turn, return DAO acknowledgment message to the border router. Rank is the relative position of the node from the border router. In this work, we follow Minimum Rank with Hysteresis Objective Function (MRHOF) to support mobility in RPL. Rank in MRHOF is computed using the Equation 1 [8]-[10].

$$R(N) = R(P) + 128 \cdot ETX(N) \tag{1}$$

where, $R(N)$ is the rank value of each node, and $R(P)$ is the rank of its parent node [8].

ETX is the Expected Transmission Count and denotes the number of expected transmissions that a node required for the successful delivery of a packet [8]. This metric is used to estimate the link quality. $ETX(N)$ is the ETX of links to its parent node.

$$ETX(N) = ETX_{old} \cdot \beta + ETX_{new} \cdot (1 - \beta) \tag{2}$$

where $ETX_{old}$ is the old ETX value for a node, and each node maintains the old ETX in its routing table, $\beta$ is the learning ratio which has been set default to be 0.9 in contiki RPL. $ETX_{new}$ can be calculated by using the Equation 3.

$$ETX_{new} = \frac{1}{P_{s \to d} \cdot P_{d \to s}} \tag{3}$$

Here, $P_{s \to d}$ is the probability that a data successfully reached the recipient, and $P_{d \to s}$ is the probability that the transmitted node successfully has received the ACK. Here, ETX and Rank play a major role in efficient parent selection process during RPL under mobility.

B. Mobility-Aware RPL

Generally, RPL can support mobility among the nodes. However, RPL has not been optimized fundamentally in terms of energy consumption and control traffic overhead transfer while introducing the mobility of the nodes inside the network. Mobile RPL or Mobility-aware RPL is an enhanced RPL protocol which supports random mobility of the nodes in the network [3]-[11]. In this paper, we considered and simulated RPL under mobility (mobile RPL). For introducing mobility and efficient parent selection, we had employed our previous research work [8] on mobility-aware parent selection process which supports random mobility of the nodes in RPL, and it determines the best parent from the preferred parent list under mobility by considering the metrics, namely, ETX, Expected Life Time (ELT) and RSSI (Received Signal Strength Indicator). Also, Dynamic Trickle Timer (D-Trickle) has been used to optimize the number of control message transfer under mobility. While examining the Sybil attack under mobility, mobility-aware parent selection process assists actively in reducing the number of control overhead transmission, and average energy consumption of each node in RPL. If it has been run under conventional RPL with mobility without any optimization, the overall lifetime of the network has been largely reduced, and the performance is too poor in terms of control traffic overhead and average end-to-end delay [12].

III. SYBIL ATTACK IN RPL

Sybil attacker claims multiple illegitimate identities either by fabricating the identities or compromising the legitimate nodes in the network. The Sybil attack is the most serious threat to the mobile RPL which can degrade the performance by exponentially increasing the control overhead transmission, and in turn, reduces the overall lifetime of the network. The attacker can easily masquerade as another node by claiming their identities, and it can disrupt the routing protocol, overload the DODAG with fake control messages and try to capture the
• Onlooker Bee (Main attacker) is the one which attempts to perform the Sybil attack in the community to intrude the network.
• Scout bees are those who have been already compromised by the attacker (Onlooker bee), and these scout bees try to compromise the nearby neighboring nodes for bypassing the detection techniques in the DODAG structure.

Similar like ABC foraging behavior, the attacking scenario is divided into five phases, namely initialization phase, fitness factor computation, compromising or fabricating phase, contagious phase, and hive selection and launching phase.

Fig. 2. Artificial Bee Colony inspired Sybil Attack

1) Initialization Phase: Initialize the Sybil nodes (Central attacker) to start foraging the identities (either by compromising or by fabricating). A fabricated new identity can be easily detected inside the RPL using the upper bound on the number of nodes ($N$) in the DODAG. So, node compromise is the best possible way to perform the Sybil attack in the Internet of Things network. Here, consider $N$ be the number of nodes in the DODAG, $I = \{I_1, I_2, \ldots, I_N\}$ be the set of legitimate identities in the DODAG, $S_c = \{S_1, S_2, \ldots, S_k\}$, $S_c \in I$, be the set of compromised identities which have been used by the sybil attacker for malicious attempts, and $S_f = \{S_{f1}, S_{f2}, \ldots, S_{fp}\}$, $S_f \notin I$, be the set of new fabricated identities introduced by the Sybil attacker. $Ng_i = \{Ng_{i1}, Ng_{i2}, Ng_{i3}, \ldots, Ng_{ij}\}$ is the set of nearby neighbor nodes for the node 'i' in the DODAG. $d_{i,j}$ is the distance between the node 'i' to the nearby node 'j', $d_{i,j} = \sqrt{(x_i - x_j)^2 + (y_i - y_j)^2}$, $d_{i,j} \le r_i$, and $r_i$ is the transmission radius (coverage region) of the node 'i'.

2) Fitness Factor Computation Phase: Sybil node attempts to select any arbitrary node based on the following five fitness evaluation criteria to compromise and add those compromised identities in the Sybil group to perform the attack. Here, the value $k$ represents the criteria number, and we define a binary variable for each criteria except criteria 3 as follows. $C_k$ is '1' when the kth criteria has been met, else the value is '0'.

Criteria 1: Node 'i' with the highest number of neighbor pair has been chosen to improve the possibility of compromising the nearby nodes easily inside the DODAG. $n[Ng_i] \ge Ng_{th}$, where $n[Ng_i]$ is the number of neighbor elements for the node 'i', and $Ng_{th}$ is the threshold value for the number of neighbors.

Criteria 2: The attacker should choose an arbitrary node for compromise if and only if the node should possess residual energy at least half of its initial energy value, $E_{res} \ge E_{init}/2$. As all these RPL nodes are already resource-constrained low power devices, it cannot support the malicious act for a long period if the compromising node doesn't have enough residual energy. If a compromised node drains out of energy and dies earlier, that node's DODAG ID will be removed from the DODAG structure. Then after, those compromised identities are never helpful for the Sybil attempt. Hence, those low residual energy nodes cannot be suitable for compromise in Sybil attack.

Criteria 3: The status of the node 'i' might be static or mobile. $C_k[k = 3]$ takes the value '1' for static nodes and '0.4' for mobile nodes. The reason for this allocation is when the main Sybil attacker attempts to compromise an arbitrary node, it gives the highest priority to the static node first. But when the node is mobile, the priority is considerably low, as it consumes excess energy while moving and finding new parent node to establish in the DODAG. Subsequently, its rank will also be changed, and RSSI value will also vary; these dynamic changes lead to a slow attempt in the progress of the attack. So, we give the least priority with weight 0.4. If all the nodes are under mobility, it never goes for preference, the attacker chooses any arbitrary node for compromise based on the other four criteria and defines $C_k[k = 3] = 0.4$ always.

Criteria 4: If node 'i' is the parent node for two to three nodes, then high priority has been given to that node for selection.

Criteria 5: Rank of the node 'i' under selection should be less to reach the attacking strategy very much close in proximity to the border router. Therefore, it tries to capture the identity of the border router to devastate the network completely. Always, first priority has been given to the parent node more than the rank of the node.

Fitness Factor: For each arbitrary selected node 'i', Fitness Factor ($F_f$) can be calculated based on the number of passing criteria ($k$) from the above mentioned points by using the equation 4.

$$F_f = \sum_{k=1}^{5} C_k \tag{4}$$

The node with the highest fitness factor can be chosen for compromising and include those into the set of Sybil identity. The probability that any arbitrary node can be selected as Sybil identity is $P_r(S_c) = \frac{1}{N}$.

3) Compromising Phase: Node compromising phase is the process of compromising the legitimate nodes in the network. After calculating the fitness factor, the node with the highest
employs one Sybil node and three Sybil identities. The number inside the circle in the Fig. 3 represents the node number. Node S acts as the main attacker (Sybil node) and the compromised nodes are Node nos. 2, 6, 14 and 15. Moreover, after fitness selection and hive location fixing, Node no. 2 is selected as the launching node to perform the attack inside the network. After claiming many Sybil identities, the main attacker tries to intrude the network and perform subsequent attacks such as Denial of service (DoS), Selective Forwarding, Blackhole, Rank attack and Replay attack. Algorithm 1 explains about the brief description of the complete modeling of artificial bee colony inspired Sybil attack in mobile RPL.

Algorithm 1 ABC Inspired Sybil Attack Modeling
Begin: Initialize the population of Sybil Nodes (Main attackers)
Input: Select any arbitrary node for compromising its identity within the Sybil node's transmission range
Step 1: Check Five Fitness Evaluation Criteria
    Criteria 1: $n[Ng_i] > Ng_{th}$
    Criteria 2: $E_{res} > E_{init}/2$
    Criteria 3: $C_3 = 1$, Static
                $C_3 = 0.4$, Mobile
    Criteria 4: Parent or not
    Criteria 5: low rank
Step 2: Fitness Factor Computation
    $F_f = \sum C_k$, $k = 1, \ldots, 5$
Step 3: Compromising Phase
    $F_f > 3$, Choose the node with highest fitness factor.
    Repeat the cycle for all selection
Step 4: Contagious Phase
    compromised nodes spreading the sparm
Step 5: Hive Selection
    Fixing the node and attack launching starts
Repeat all five steps until border router has been attacked
End
Algorithm 2 Lightweight Intrusion Detection Algorithm for Sybil Attack
Begin: Sybil Attack Detection
Input: DIO Message
Input: NONCE, DODAG ID, $Ct_N[n]$, $t_n[N]$
    $\Delta c_{threshold} = 5$
    $\Delta\tau_{threshold} = 3$
Step 1: Check [NONCE & DODAG ID - Match]
        Set $\alpha = 1$
    Else
        Set $\alpha = 0$
    End
Step 2: Check [Control Message Counter]
    Calculate $\Delta c_N = Ct_N[n] - Ct_N[n-10]$
    If [$\Delta c_N > \Delta c_{threshold}$]
        Set $\gamma = 0$
    Else
        Set $\gamma = 1$
    End
Step 3: Check [Time Stamp]
    Calculate $\Delta\tau = t_n[N] - t_{n-1}[N]$
    If [$\Delta\tau < \Delta\tau_{threshold}$]
        Set $\beta = 1$
    Else
        Set $\beta = 0$
    End
Step 4: Pheromone Computation
    Cumulative Trust Factor (CTF)
    $\rho_N[n] = \alpha \cdot [\omega \cdot \beta + (1-\omega) \cdot \gamma]$
    If $\rho_N[n] \neq 0$
        $\Gamma = \eta \cdot \rho_N[n-1] + (1-\eta) \cdot \rho_N[n]$ - Trusted Event
    Else
        $\Gamma = \rho_N[n-1] \cdot \rho_N[n]$ - Untrusted Event
    Add High Pheromone nodes into White List
    Add Low Pheromone nodes into Sybil Node List
End

in a life). This Nonce ID has been created and allocated to each node when it is joining the DODAG structure after receiving the DIO message for the first time. The NONCE number and unique DODAG ID (IPv6 address) have been broadcasted to the neighbor nodes with the DODAG DIO messages. Trust factor 1 has been denoted as '$\alpha$' and it can be calculated after verifying the NONCE ID and its correspondent IP address (DODAG ID). If both the NONCE ID and DODAG ID match with the previous record, then $\alpha$ will be '1'. If there is any mismatch between them, $\alpha$ will be '0'. Therefore, the event of $\alpha = 0$ indicates that there is a potential possibility of malicious action and an untrusted event.

B. Control Message Counter

Every RPL node manages a counter value for each neighbor based on the number of control messages and the type of control message. Moreover, there is a threshold value has been fixed for the counter with respect to the rank of each node and its parentship. When the rank is high, the counter threshold will increase proportionally. And, when the rank decreases, it will reduce the counter threshold correspondingly. Because the nodes nearby the border router are required to transfer more data and control messages rather than the leaf nodes at the end. $ct_N[n]$ is the counter value (number of control messages received) at time 'n' and $ct_N[n-10]$ is the counter value before 10 sec. $\Delta c_N$ is the difference of the counter value within 10 seconds to track the changes in the number of control messages. $\Delta c_N$ can be calculated using equation 6 as follows.

$$\Delta c_N = ct_N[n] - ct_N[n-10] \tag{6}$$

$\Delta c_{threshold}$ is the threshold value for the control message counter difference within 10 seconds. In an ideal case, when a node attempts to establish a connection with a nearby node in a DODAG structure, it can exchange a maximum of 5 control messages within 10 seconds of interval. If it exceeds the threshold value, there is a potential sign of a malicious attempt by flooding of control messages on a target node to drain out the resources. To combat this type of malicious action, Trust Factor 2 has been used to estimate the trust value on a node based on the control message counter values.

$$\gamma = \begin{cases} 0, & \text{if } \Delta c > \Delta c_{threshold} \\ 1, & \text{if } \Delta c < \Delta c_{threshold} \end{cases} \tag{7}$$

Here, $\gamma$ represents the Trust Factor 2, and $N$ denotes the node ID. Each node will check the counter status every 10 seconds. If it exceeds the threshold, it will set the $\gamma$ to 0 and if not, it will be set to 1.

C. Time Stamp for Control Messages

In this proposed lightweight approach towards Sybil attack detection, we have included a new variable called timestamp, which will track the time of arrival of the control messages exchanged from the neighbors. This approach will help to keep track of the attacker who is trying to send a pool of control messages frequently to destroy the resources of the RPL nodes. Consider $t_n[N]$ is the time of arrival of a control message at the current instant from a neighbor node 'N' and $t_{n-1}[N]$ is the time of arrival of the previous control message from the same neighbor 'N'. $\Delta\tau$ is the time difference between the consecutive control messages and it can be calculated using equation 8 as follows.

$$\Delta\tau = t_n[N] - t_{n-1}[N] \tag{8}$$

$\Delta\tau_{threshold}$ is the threshold value for the time difference between the timestamps of the control messages within 10 seconds from any neighbor node. $\Delta\tau_{threshold}$ is considerably dynamic under mobility as the mobility among the nodes demands more control message transmission; however, RPL node requires some resting period of at least 3 seconds between two consecutive control messages to stabilize it. If a node doesn't lie in the resting period for some time during transmission, it is again a plausible likelihood of malicious action. To combat this type of malicious action, Trust Factor 3 has been used to estimate the trust value on a node based
on the time stamp values.

$$\beta = \begin{cases} 1, & \text{if } \Delta\tau < \Delta\tau_{threshold} \\ 0, & \text{if } \Delta\tau > \Delta\tau_{threshold} \end{cases} \tag{9}$$

Here, $\beta$ represents the Trust Factor 2. If $\Delta\tau$ value is less than the $\Delta\tau_{threshold}$ value, then the frequency of transmission of control messages within a speculative period is more. Therefore, it might be a sign of malicious action, and it will set the $\beta$ to 0. If $\Delta\tau$ is more than $\Delta\tau_{threshold}$ value, then the frequency of transmission of control messages stays consistent. So, in this case, it will assign the value of $\beta$ to 1. In this proposed work, we have set the $\Delta\tau_{threshold}$ to 3 for every 10 seconds from each neighbor.

The sign of malicious attempts can early be identified using the crucial role of $\Delta c_{threshold}$ and $\Delta\tau_{threshold}$, and we can take counter action before any significant impact on the system.

Based on the confusion matrix in Table I, the performance of the proposed algorithm has been analyzed. True Positive (TP) is an event when the IDS recognizes an activity as an attack, and the event is actually an attack, and True Negative (TN) is the event when IDS identifies an attack trial when there is no attack. False Negative (FN) is an event when IDS fails to detect an attack when there is an actual malicious trial, and True Negative (TN) is an event when no attack has taken place, and no detection has been made. Accuracy is used to estimate the probability of Sybil attack detection by the proposed intrusion detection algorithm. The Sensitivity indicates the percentage of actual positive events correctly predicted by the proposed detection algorithm, whereas Specificity shows the rate of actual adverse events identified by the detection algorithm. The F-score should lie in the interval [0,1], and high the F-score rate represents higher detection performance. Precision is positive predictive value (PPV) and NPV (Negative Predictive Value) [15].
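The per-neighbor trust scoring of Algorithm 2, written out as an added C example (not the authors' code and not a Contiki API), using the page's thresholds of 5 control messages per 10 seconds and a 3 second resting period. It assumes values for ω, η, the white-list cut-off and the initial trust (the page gives none), uses hypothetical function names, and takes β = 0 for a gap shorter than the threshold as the prose describes, where Equation 9 and Step 3 of Algorithm 2 print the opposite orientation.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Thresholds stated on the page. */
#define DC_THRESHOLD   5u    /* max control messages per 10 s window  */
#define DTAU_THRESHOLD 3.0   /* resting period between messages, in s */
#define WINDOW_S       10.0

/* ASSUMED: the page gives no values for omega, eta or the list cut-off. */
#define OMEGA   0.5
#define ETA     0.5
#define CUTOFF  0.5
#define RING    16u          /* arrival times remembered per neighbor */

typedef struct {
    uint8_t  dodag_id[16];   /* IPv6 address recorded at join          */
    uint32_t nonce;          /* nonce recorded with the first DIO      */
    double   arrivals[RING]; /* ring buffer of control-message times   */
    uint32_t n_arrivals;     /* total messages seen from this identity */
    double   rho_prev;       /* rho_N[n-1]                             */
    double   trust;          /* latest cumulative trust factor (Gamma) */
} neighbor_t;

/* Record the identity pair when the neighbor first joins the DODAG. */
void ids_join(neighbor_t *nb, const uint8_t id[16], uint32_t nonce)
{
    memset(nb, 0, sizeof *nb);
    memcpy(nb->dodag_id, id, 16);
    nb->nonce = nonce;
    nb->rho_prev = 1.0;      /* ASSUMED initial trust for a fresh neighbor */
    nb->trust = 1.0;
}

/* Delta-c: messages that arrived in the last WINDOW_S seconds. */
static unsigned count_in_window(const neighbor_t *nb, double now)
{
    unsigned stored = nb->n_arrivals < RING ? nb->n_arrivals : RING;
    unsigned c = 0;
    for (unsigned i = 0; i < stored; i++)
        if (nb->arrivals[i] > now - WINDOW_S)
            c++;
    return c;
}

/* Score one control message claiming to come from nb; returns Gamma. */
double ids_on_control_msg(neighbor_t *nb, const uint8_t id[16],
                          uint32_t nonce, double now)
{
    /* Trust factor 1: nonce and DODAG ID must match the joined record. */
    double alpha = (nonce == nb->nonce &&
                    memcmp(id, nb->dodag_id, 16) == 0) ? 1.0 : 0.0;

    /* Trust factor 3: resting period since the previous message. */
    double beta = 1.0;
    if (nb->n_arrivals > 0) {
        double prev = nb->arrivals[(nb->n_arrivals - 1) % RING];
        if (now - prev < DTAU_THRESHOLD)
            beta = 0.0;
    }

    nb->arrivals[nb->n_arrivals % RING] = now;
    nb->n_arrivals++;

    /* Trust factor 2: control-message counter over the window. */
    double gamma = count_in_window(nb, now) > DC_THRESHOLD ? 0.0 : 1.0;

    double rho = alpha * (OMEGA * beta + (1.0 - OMEGA) * gamma);
    if (rho != 0.0)
        nb->trust = ETA * nb->rho_prev + (1.0 - ETA) * rho; /* trusted event */
    else
        nb->trust = nb->rho_prev * rho;                     /* untrusted: 0  */
    nb->rho_prev = rho;
    return nb->trust;
}

/* White list while the trust stays above the assumed cut-off. */
bool ids_is_trusted(const neighbor_t *nb) { return nb->trust > CUTOFF; }

int main(void)
{
    /* Constructed sample: address 2001:db8::1 with a made-up nonce. */
    const uint8_t id[16] = {0x20, 0x01, 0x0d, 0xb8, 0, 0, 0, 0,
                            0, 0, 0, 0, 0, 0, 0, 0x01};
    neighbor_t nb;
    ids_join(&nb, id, 0xC0FFEEu);
    for (int t = 0; t <= 5; t++)   /* one control message per second */
        printf("t=%d trust=%.2f\n", t,
               ids_on_control_msg(&nb, id, 0xC0FFEEu, (double)t));
    return 0;
}
```

With these assumed weights a neighbor that only violates the resting period settles at a trust of 0.5, and the trust drops to 0 once the sixth message lands inside the same 10 second window or the nonce and DODAG ID stop matching.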
TABLE II
SIMULATION PARAMETERS
Parameters: Definition
Simulator: Cooja under contiki OS

[Plot: Average Control Traffic Overhead; legend: Type-1, Type-2 and Type-3 Sybil attack - Without ID; Type-1 Sybil attack - With ID]

Figure 4 illustrates the number of control traffic overhead exchanges under the three different types of Sybil attack in RPL. Control traffic overhead is the cumulative sum of DIO, DAO, and DIS control messages transfer in the DODAG.

[Plot: Average Packet Delivery Ratio]
the assistance of the proposed lightweight security procedures, the packet delivery ratio has been improved extensively in malicious scenarios. The reason has been because of choosing

Fig. 8. Performance Evaluation under Type-2 Sybil Attack (y-axis: Average Ratio for Accuracy, Sensitivity and Specificity; x-axis: Ratio of the Sybil identities)

C. Energy Cost

Figure 6 indicates that the average energy consumption under type 1, type 2, and type 3 Sybil attack without intrusion detection is 0.074, 0.092, and 0.13 J, respectively. It has been observed from Fig. 6 that the expansion of Sybil identities forces the network to consume more energy. Meanwhile,

TABLE III

constrained network.

D. Accuracy, Sensitivity and Specificity

The average accuracy rate of the detection algorithm for type 1, type 2, type 3 attack was computed to be 96.8%, 95.2%, and 94.8%, as shown in Table III and Figs. 7, 8, and 9. The accuracy rate seems to be considerably less in the event of a type-3 attack, as the type-3 attack is under mobility, and the adversary can spread the attack randomly throughout the DODAG under motion. Furthermore, because of such random movement of the adversary, legitimate nodes can sometimes be misinterpreted as an adversary and vice-versa. Under the mobile scenario, the control message counter value has been increasing, and it will direct to reduce the pheromone concentration. So, this will hit the F-score value to reach 0.894. However, our proposed algorithm worked very effectively in the event of type-1 and type-2 attack in all the scenarios which earned F-score values of 0.972 and 0.943, respectively.
VI. CONCLUSION

In this paper, we have proposed a bio-inspired analytical model for Sybil attack and lightweight intrusion detection algorithm for mobile RPL in the Internet of Things network. Also, we considered three different types of Sybil attacks and analyzed the performance of the mobile RPL in terms of packet delivery ratio, control traffic overhead, energy cost, and accuracy while increasing the density of Sybil identities in the DODAG. The results showed that the proposed lightweight intrusion detection algorithm achieves superior performance in terms of accuracy, sensitivity, and specificity. Furthermore, as it is a lightweight security approach, it reduces the overall computational complexity and latency while establishing the DODAG. In the event of a Type-3 Sybil attack, though the severity of the attack is too high, our proposed algorithm gains an average accuracy of 95% under mobile RPL. To conclude, the proposed lightweight intrusion detection algorithm proved to be an efficient lightweight security approach towards Sybil attack, and while administering the profoundly right mitigation approach, it demands less power and computation complexity, which are quintessential for a resource-constrained network.

Sarumathi Murali is a Postgraduate Research Scholar in the Wireless Networking Group (WiNG) under the supervision of Prof. Abbas Jamalipour with the School of Electrical and Information Engineering at The University of Sydney, Australia, working towards her PhD. She received the Bachelor degree with the specialization on Electronics and Communication Engineering from Anna University, India and she received the honors and gold medal in the postgraduation with the specialization on communication systems from Anna University, India. Her research interest includes Routing under Low Power and Lossy networks, Internet of Things routing protocol modeling, Security and Privacy issues in IoT, Signal Processing, and Mobile Adhoc Networks. She had published more than 20 scholarly journals and 35 technical papers in National and International conferences.

Abbas Jamalipour (S’86–M’91–SM’00–F’07) is the Professor of Ubiquitous Mobile Networking at the University of Sydney, Australia, and holds a PhD in Electrical Engineering from Nagoya University, Japan. He is a Fellow of the Institute of Electrical, Information, and Communication Engineers (IEICE) and the Institution of Engineers Australia, an ACM Professional Member, and an IEEE Distinguished Lecturer. He has authored seven technical books, eleven book chapters, over 450 technical papers, and five patents, all in the area of wireless communications. Dr. Jamalipour is an elected member of the Board of Governors, Executive Vice-President, Chair of Fellow Evaluation Committee, and the Editor-in-Chief of the Mobile World, IEEE Vehicular Technology Society. He was the Editor-in-Chief IEEE Wireless Communications, Vice President-Conferences and a member of Board of Governors of the IEEE Communications Society, and has been an editor for several journals. He has been a General Chair or Technical Program Chair for a number of conferences, including IEEE ICC, GLOBECOM, WCNC and PIMRC. He is the recipient of a number of prestigious awards such as the 2016 IEEE ComSoc Distinguished Technical Achievement Award in Communications Switching and Routing, 2010 IEEE ComSoc Harold Sobol Award, the 2006 IEEE ComSoc Best Tutorial Paper Award, as well as 15 Best Paper Awards.