This article has been accepted for publication in a future issue of this journal, but has not been fully edited. Content may change prior to final publication. Citation information: DOI 10.1109/JIOT.2019.2948149, IEEE Internet of Things Journal

A Lightweight Intrusion Detection for Sybil Attack under Mobile RPL in the Internet of Things

Sarumathi Murali, Member, IEEE, and Abbas Jamalipour, Fellow, IEEE

Abstract—The Routing Protocol for Low power and Lossy networks (RPL) is a standard routing protocol for resource-constrained devices in Internet of Things (IoT) networks. Primarily, RPL can support a dynamic range of mobility among the nodes in the network, which is now in great demand for real-time applications. At the same time, RPL is highly vulnerable to various security attacks because of its resource-constrained nature. Such security attacks might cause severe threats and destructive behavior inside the network. In this paper, we primarily focus on the Sybil attack, where an attacker claims multiple illegitimate identities, either by fabricating identities or by compromising nodes. Also, in this type of attack, a single adversary is required to control multiple legitimate nodes in the network, and thereby the adversary node saves physical resources. In this paper, we propose a novel Artificial Bee Colony (ABC) inspired mobile Sybil attack model and a lightweight intrusion detection algorithm for the Sybil attack in mobile RPL. Moreover, we consider three different categories of Sybil attack based on their behavior, and we analyze the performance of RPL under the Sybil attack in terms of packet delivery ratio, control traffic overhead, and energy consumption. Also, we examine the performance of the proposed algorithm in terms of accuracy, sensitivity, and specificity.

Index Terms—Internet of Things (IoT), RPL, Sybil attack, Intrusion Detection, Lightweight security, mobility, and accuracy.

I. INTRODUCTION

The Internet of Things (IoT) is an emerging technology that has attracted a lot of attention in research and in the industrial revolution in recent years. IoT can support and manage a system for the monitoring and control of the physical world through the gathering, processing, and interpretation of data generated by IoT sensor devices. IPv6 over Low-power Wireless Personal Area Network (6LoWPAN) is a small IoT network which supports IPv6 connectivity among low power devices [1]-[2].

The Routing Protocol for Low-Power and Lossy networks (RPL) is a standard routing protocol for resource-constrained and lossy IoT networks. RPL is an IPv6-enabled distance vector proactive routing protocol, and its topology is flexible enough to build a network with large numbers of IoT nodes under static and mobile conditions [1].

However, due to limited battery life and mobility, RPL is prominently vulnerable to various security attacks, namely selective forwarding, grey hole attack, version number attacks, sinkhole attack, blackhole attack, Sybil attack, replay attack and Denial of Service (DoS) attack. Hence, there is a critical need to investigate the security aspects of RPL under mobility for mitigation and intrusion detection.

In this paper, we focus on a security routing attack, namely the Sybil attack, and its mitigation techniques. The Sybil attack is a critical routing attack which can degrade the performance and lifetime of the network drastically. In the Sybil attack, the attacker claims multiple illegitimate identities, either by fabricating the identities or by compromising legitimate nodes in the network. The Sybil attack is even more dangerous in mobile RPL, where it can weaken the network performance by exponentially increasing the control overhead transmission and, in turn, reduce the overall lifetime of the network. The Sybil attack can also be the origin of other consecutive attacks such as selective forwarding, denial of service, rank attack, and version number attack [3].

The main contribution of this research work is the proposal of a lightweight intrusion detection algorithm for mobile RPL against the Sybil attack, which needs less computation and provides high accuracy, both of which are quintessential in the case of a resource-constrained network. We also propose a bio-inspired mathematical model for the Sybil attack in mobile RPL based on the Artificial Bee Colony (ABC) model. Also, we examine all three types of Sybil attacks in both static RPL and mobile RPL and propose the lightweight intrusion detection approach. Then, we examine the effectiveness of the proposed lightweight intrusion detection algorithm under all three categories of Sybil attack in terms of accuracy, sensitivity, and F-score values.

The rest of this paper is organized as follows. Section II reviews the related previous research work and gives an overview of RPL and Mobility-aware RPL. Section III illustrates the Sybil attack and the proposed Artificial Bee Colony inspired Sybil Attack Model. Section IV explains the classification of the Sybil attack. Section V enumerates the proposed lightweight intrusion detection algorithm against the Sybil attack in mobile RPL. Section VI provides simulation metrics and performance analysis.

II. RELATED WORK

Security in RPL has been identified as critical because of the resource-constrained nature of the nodes in the network. According to Zhang et al. [3], a Sybil attack has become a severe threat to social networks when the Sybil node can gain unauthorized access to private contents. Also, they have distinguished the Sybil attack into three types based on the nature of its behavior.

Sarumathi Murali and Abbas Jamalipour are with the School of Electrical and Information Engineering, The University of Sydney, Australia. E-mail: smur0999@uni.sydney.edu.au and a.jamalipour@ieee.org. "Copyright (c) 20xx IEEE. Personal use of this material is permitted. However, permission to use this material for any other purposes must be obtained from the IEEE by sending a request to pubs-permissions@ieee.org."

2327-4662 (c) 2019 IEEE. Personal use is permitted, but republication/redistribution requires IEEE permission. See http://www.ieee.org/publications_standards/publications/rights/index.html for more information.

Faiza Medjek et al. [4] evaluated the impacts of the Sybil attack in RPL and analyzed the results in terms of control overheads.

Our previous research paper [5] on a mobility-aware parent selection algorithm for low power and lossy networks suggested a novel parent selection algorithm for mobility in RPL and proposed a dynamic Trickle to optimize the number of control overhead messages.

A. K. Mishra et al. [6] proposed a general analytical model for the Sybil attack in IoT, but not particularly for the RPL network. It is a significantly good research work on Sybil attack modeling. However, it is quite challenging to adapt it for low power RPL nodes while designing the Sybil attack.

D. Airehrour et al. [7] proposed SecTrust-RPL for the Internet of Things, and they used a trust-based mechanism for detecting and isolating security attacks, namely the rank and Sybil attacks. Here, they considered static RPL instead of mobile RPL.

Shreenivas et al. [8] proposed SVELTE, an intrusion detection system for the Internet of Things, that uses the ETX (Expected Transmission Count) metric to improve the security within 6LoWPAN networks.

Karaboga et al. [9] presented a comprehensive survey on the artificial bee colony (ABC) algorithm and its applications, and it suggested how the bee colony is characterized into different phases. This model has been adapted in our work while designing the Sybil attack in RPL.

A. Brief Overview of RPL

RPL is a distance-vector and source routing protocol which works under a tree-based topology, namely the Destination Oriented Directed Acyclic Graph (DODAG), in 6LoWPAN. A DODAG comprises many nodes, and there is a sink node called the border router (BR), which gathers all sensed information from the remaining nodes in the same DAG. Every DODAG is distinguished by its RPL instance ID, DODAG ID, DODAG version number and Rank.

Three types of control messages are exchanged in RPL, namely DIO, DAO and DIS [1]-[2].
• DIO - DODAG Information Object
• DAO - DODAG Advertisement Object
• DIS - DODAG Information Solicitation

The border router starts the DODAG construction process by broadcasting DIO messages to the nearby neighboring nodes in the DODAG for building and renewing the topology. The nodes which receive the DIO message, in turn, return a DAO acknowledgment message to the border router. Rank is the relative position of the node from the border router. In this work, we follow the Minimum Rank with Hysteresis Objective Function (MRHOF) to support mobility in RPL. Rank in MRHOF is computed using Equation 1 [8]-[10].

$R(N) = R(P) + 128 \cdot \mathrm{ETX}(N)$ (1)

where $R(N)$ is the rank value of each node, and $R(P)$ is the rank of its parent node [8]. ETX is the Expected Transmission Count and denotes the number of transmissions that a node is expected to need for the successful delivery of a packet [8]. This metric is used to estimate the link quality. $\mathrm{ETX}(N)$ is the ETX of the link to its parent node.

$\mathrm{ETX}(N) = \mathrm{ETX}_{old} \cdot \beta + \mathrm{ETX}_{new} \cdot (1 - \beta)$ (2)

where $\mathrm{ETX}_{old}$ is the old ETX value for a node, and each node maintains the old ETX in its routing table, and $\beta$ is the learning ratio, which is set to 0.9 by default in Contiki RPL. $\mathrm{ETX}_{new}$ can be calculated using Equation 3.

$\mathrm{ETX}_{new} = \dfrac{1}{P_{s \to d} \cdot P_{d \to s}}$ (3)

Here, $P_{s \to d}$ is the probability that a data packet successfully reaches the recipient, and $P_{d \to s}$ is the probability that the transmitting node successfully receives the ACK. ETX and Rank play a major role in the efficient parent selection process in RPL under mobility.

B. Mobility-Aware RPL

Generally, RPL can support mobility among the nodes. However, RPL has not been fundamentally optimized in terms of energy consumption and control traffic overhead when mobility of the nodes is introduced inside the network. Mobile RPL, or Mobility-aware RPL, is an enhanced RPL protocol which supports random mobility of the nodes in the network [3]-[11]. In this paper, we considered and simulated RPL under mobility (mobile RPL). For introducing mobility and efficient parent selection, we employed our previous research work [8] on a mobility-aware parent selection process which supports random mobility of the nodes in RPL; it determines the best parent from the preferred parent list under mobility by considering the metrics ETX, Expected Life Time (ELT) and RSSI (Received Signal Strength Indicator). Also, a Dynamic Trickle Timer (D-Trickle) has been used to optimize the number of control messages transferred under mobility. While examining the Sybil attack under mobility, the mobility-aware parent selection process actively assists in reducing the number of control overhead transmissions and the average energy consumption of each node in RPL. If it is run under conventional RPL with mobility and without any optimization, the overall lifetime of the network is largely reduced, and the performance is very poor in terms of control traffic overhead and average end-to-end delay [12].

III. SYBIL ATTACK IN RPL

A Sybil attacker claims multiple illegitimate identities either by fabricating the identities or by compromising legitimate nodes in the network. The Sybil attack is the most serious threat to mobile RPL: it can degrade the performance by exponentially increasing the control overhead transmission and, in turn, reduce the overall lifetime of the network. The attacker can easily masquerade as another node by claiming its identity, and it can disrupt the routing protocol, overload the DODAG with fake control messages and try to capture the identity of the border router to obtain authority over the network. The Sybil attack can lead to the origin of other attacks such as selective forwarding, denial of service, rank attack and version number attack. There are two different types of Sybil attackers [6]: the trained attacker and the amateur attacker. A trained attacker collects prior DODAG information and topology to initiate the attack, whereas an amateur attacker does not have any prior information to launch the attack.
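As an added illustration of the RPL metrics in Section II-A (not code from the paper or from Contiki), the following Python block carries Equations (1) to (3) through on constructed link measurements: ETX_new from the forward and ACK delivery probabilities, the smoothed ETX with the learning ratio beta = 0.9 named on the page, the MRHOF rank with the multiplier 128, and a parent choice that keeps the current parent unless a candidate wins by a hysteresis margin. The margin of 64 rank units, the parent ranks and all link probabilities are assumptions made for the example; the page gives none of them.

```python
"""Worked example of the RPL metrics in Section II-A: ETX (Eqs. 2 and 3) and
MRHOF rank (Eq. 1). Added illustration, not code from the paper or from Contiki;
the hysteresis margin and the link probabilities below are constructed values."""

RANK_PER_ETX = 128   # multiplier in Eq. 1: R(N) = R(P) + 128 * ETX(N)
ETX_BETA = 0.9       # learning ratio beta in Eq. 2 (Contiki RPL default, per the paper)
HYSTERESIS = 64      # rank units a candidate must win by before switching (assumed)


def etx_new(p_s_to_d: float, p_d_to_s: float) -> float:
    """Eq. 3: ETX_new = 1 / (P_{s->d} * P_{d->s})."""
    if not (0.0 < p_s_to_d <= 1.0 and 0.0 < p_d_to_s <= 1.0):
        raise ValueError("delivery probabilities must lie in (0, 1]")
    return 1.0 / (p_s_to_d * p_d_to_s)


def etx_smoothed(etx_old: float, etx_fresh: float, beta: float = ETX_BETA) -> float:
    """Eq. 2: ETX(N) = ETX_old * beta + ETX_new * (1 - beta)."""
    return etx_old * beta + etx_fresh * (1.0 - beta)


def rank(parent_rank: float, etx_link: float) -> float:
    """Eq. 1: R(N) = R(P) + 128 * ETX(N)."""
    return parent_rank + RANK_PER_ETX * etx_link


def track_link(etx_old: float, probe_windows):
    """Feed successive (P_{s->d}, P_{d->s}) measurements through Eq. 3 and Eq. 2
    and return the sequence of smoothed ETX values, one per window."""
    history = []
    for p_fwd, p_ack in probe_windows:
        etx_old = etx_smoothed(etx_old, etx_new(p_fwd, p_ack))
        history.append(etx_old)
    return history


def choose_parent(current: str, candidates: dict, hysteresis: float = HYSTERESIS):
    """MRHOF-style choice: rank every candidate via Eq. 1 and keep the current
    parent unless another one is better by more than `hysteresis` rank units.
    `candidates` maps neighbour -> (its rank R(P), smoothed ETX of the link to it)."""
    ranks = {n: rank(pr, e) for n, (pr, e) in candidates.items()}
    best = min(ranks, key=ranks.get)
    if current in ranks and ranks[best] + hysteresis >= ranks[current]:
        return current, ranks[current]
    return best, ranks[best]


if __name__ == "__main__":
    # The link to parent A starts at ETX 1.0 and then degrades to 80% delivery in
    # both directions (ETX_new = 1.5625). With beta = 0.9 the estimate moves only
    # 10% of the remaining gap per window, so the rank rises slowly.
    hist = track_link(1.0, [(0.8, 0.8)] * 10)
    print("smoothed ETX per window:", [round(e, 3) for e in hist])
    cands = {"A": (256, hist[-1]), "B": (256, 1.2), "C": (384, 1.0)}
    print("with hysteresis:", choose_parent("A", cands))
    print("without hysteresis:", choose_parent("A", cands, hysteresis=0))
```

Running the block shows the hysteresis in MRHOF's name: after ten degraded windows A's rank (about 430.9) exceeds B's (409.6), but the difference stays under the assumed 64-unit margin, so the node keeps parent A; with the margin set to zero it would switch to B on the same numbers.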

A. Classification of Sybil attack

1) SA-1 Attack: In the SA-1 type of Sybil attack [3], malicious nodes target one fixed region, and they try to compromise the identities of the nearby nodes to perform the attack. In SA-1, all the Sybil identities and attackers are fixed, as in Fig. 1. The reason for attacking one bounded region is to pretend to be a legitimate set of nodes acting as a group and to perform the attacks together.

2) SA-2 Sybil Attack: In the SA-2 type Sybil attack [3], malicious nodes are scattered among the legitimate nodes in the DODAG and are not bound to one region, as shown in Fig. 1. As in the SA-1 type, all the nodes are fixed. Furthermore, this kind of attack is much harder to detect, as these Sybil nodes have formed a set of socially standard connections with the legal RPL nodes. Though the nodes are fixed, the attacker compromises randomly distributed nodes in the DODAG and makes the detection process complex by socializing with the legitimate nodes. The principal objective of the SA-2 Sybil attack is to disrupt the routing topology and manipulate the system in favor of the Sybil attacker.

3) SA-3 Sybil Attack: In the SA-3 type Sybil attack [3], the Sybil nodes are under mobility and are also distributed over the network. There is no stability in the attack, as it moves from one position to another dynamically, and it tries to attack the nearby nodes along the path of motion, as in Fig. 1. The primary goals of SA-2 and SA-3 are very similar, but the identification of these mobile Sybil identities is very difficult in the RPL structure. Friendship-based Sybil detection, such as trusted voting, would be one of the best ways to detect this type of mobile Sybil attack and ensure trust inside the network. This type of attack can employ fabricated identities and compromised identities either together or on their own.

Besides that, here we have considered two different types of attacks. One is the simultaneous attack, i.e., using the whole set of compromised identities at the same time, and the other is the non-simultaneous attack, i.e., using only a specific subset of identities to perform the attack.

Fig. 1. Three different types of Sybil attack

B. Proposed ABC inspired Sybil Attack Model

The ABC algorithm is a population-based algorithm and an optimization technique that simulates the foraging behavior of honey bees and has been successfully applied to various practical problems. Foraging behavior refers to the act of searching for food sources (nectar) by the honey bees. For the honey bees, their forage or food supply consists of nectar and pollen from flowering plants within their flight range. They consider the best location for their hives (nest of the bees) for maximum honey production and breeding [9]. The model consists of the following significant components, namely food sources, employed bees, onlooker bees, and scout bees [13]-[14].

Food Sources: The gain of a food source depends on various factors such as its closeness to the nest, its richness or concentration of energy, and the ease of extracting this energy.

Employed Bees: The employed foragers are those that keep visiting the food sources to obtain the nectar. They exploit the nectar sources explored before and provide information to the onlooker bees waiting in the hive about the quality of the food source.

Onlooker Bees: The onlooker bees wait in the nest and establish a food source through the information shared by the employed foragers.

Scout Bees: Scout foragers search the environment surrounding the nest for new food sources.

In this paper, we employed the ABC algorithm for analytical modeling of the Sybil attack, since this attack is a population-based attack, and the foraging behavior of Sybil identities can be closely related to the foraging behavior of honey bees. Hence, the ABC inspired Sybil attack has been modeled, as shown in Fig. 2, as follows:
• Employed bees correspond to the compromised Sybil identities in the RPL network.
• Food sources (nectar collection) correspond to the collecting of compromised or stolen identities in the DODAG structure.

• The onlooker bee (main attacker) is the one which attempts to perform the Sybil attack in the community to intrude into the network.
• Scout bees are those which have already been compromised by the attacker (onlooker bee), and these scout bees try to compromise the nearby neighboring nodes to bypass the detection techniques in the DODAG structure.

Similar to the ABC foraging behavior, the attacking scenario is divided into five phases, namely the initialization phase, fitness factor computation, the compromising or fabricating phase, the contagious phase, and the hive selection and launching phase.

Fig. 2. Artificial Bee Colony inspired Sybil Attack

1) Initialization Phase: Initialize the Sybil nodes (central attacker) to start foraging for identities, either by compromising or by fabricating. A fabricated new identity can be easily detected inside RPL using the upper bound on the number of nodes ($N$) in the DODAG. So, node compromise is the best possible way to perform the Sybil attack in the Internet of Things network. Here, let $N$ be the number of nodes in the DODAG, $I = \{I_1, I_2, \ldots, I_N\}$ be the set of legitimate identities in the DODAG, $S_c = \{S_1, S_2, \ldots, S_k\}$, $S_c \in I$, be the set of compromised identities which have been used by the Sybil attacker for malicious attempts, and $S_f = \{S_{f1}, S_{f2}, \ldots, S_{fp}\}$, $S_f \notin I$, be the set of new fabricated identities introduced by the Sybil attacker. $Ng_i = \{Ng_{i1}, Ng_{i2}, Ng_{i3}, \ldots, Ng_{ij}\}$ is the set of nearby neighbor nodes of node $i$ in the DODAG. $d_{i,j}$ is the distance between node $i$ and the nearby node $j$, $d_{i,j} = \sqrt{(x_i - x_j)^2 + (y_i - y_j)^2}$, $d_{i,j} \le r_i$, where $r_i$ is the transmission radius (coverage region) of node $i$.

2) Fitness Factor Computation Phase: The Sybil node attempts to select an arbitrary node to compromise, based on the following five fitness evaluation criteria, and adds the compromised identities to the Sybil group to perform the attack. Here, the value $k$ represents the criterion number, and we define a binary variable for each criterion except criterion 3, as follows: $C_k$ is 1 when the $k$th criterion has been met, else the value is 0.

Criterion 1: The node $i$ with the highest number of neighbor pairs is chosen to improve the possibility of compromising the nearby nodes easily inside the DODAG: $n[Ng_i] \ge Ng_{th}$, where $n[Ng_i]$ is the number of neighbor elements of node $i$, and $Ng_{th}$ is the threshold value for the number of neighbors.

Criterion 2: The attacker should choose an arbitrary node for compromise if and only if the node possesses residual energy of at least half of its initial energy value, $E_{res} \ge E_{init}/2$. As all these RPL nodes are already resource-constrained low power devices, a node cannot support the malicious act for a long period if it does not have enough residual energy. If a compromised node drains its energy and dies early, that node's DODAG ID will be removed from the DODAG structure. After that, the compromised identity is no longer helpful for the Sybil attempt. Hence, nodes with low residual energy are not suitable for compromise in the Sybil attack.

Criterion 3: The status of node $i$ might be static or mobile. $C_k[k = 3]$ takes the value 1 for static nodes and 0.4 for mobile nodes. The reason for this allocation is that when the main Sybil attacker attempts to compromise an arbitrary node, it gives the highest priority to static nodes first. When the node is mobile, the priority is considerably lower, as it consumes excess energy while moving and finding a new parent node to establish itself in the DODAG. Subsequently, its rank will also change, and its RSSI value will also vary; these dynamic changes slow the progress of the attack. So, we give it the least priority, with weight 0.4. If all the nodes are under mobility, there is no preference: the attacker chooses any arbitrary node for compromise based on the other four criteria and defines $C_k[k = 3] = 0.4$ always.

Criterion 4: If node $i$ is the parent node for two to three nodes, then high priority is given to that node for selection.

Criterion 5: The rank of the node $i$ under selection should be low, so that the attacking strategy reaches very close in proximity to the border router. Thereby, it tries to capture the identity of the border router to devastate the network completely. First priority is always given to the parent status of the node rather than the rank of the node.

Fitness Factor: For each arbitrarily selected node $i$, the Fitness Factor ($F_f$) can be calculated from the number of criteria ($k$) passed among the above-mentioned points, using Equation 4.

$F_f = \sum_{k=1}^{5} C_k$ (4)

The node with the highest fitness factor can be chosen for compromise and included in the set of Sybil identities. The probability that any arbitrary node is selected as a Sybil identity is $Pr(S_c) = 1/N$.

3) Compromising Phase: The node compromising phase is the process of compromising the legitimate nodes in the network. After calculating the fitness factor, the node with the highest


Algorithm 1 ABC Inspired Sybil Attack Modeling
  Begin: Initialize the population of Sybil Nodes (main attackers)
  Input: Select any arbitrary node for compromising its identity within the Sybil node's transmission range
  Step 1: Check Five Fitness Evaluation Criteria
    Criterion 1: n[Ng_i] > Ng_th
    Criterion 2: E_res > E_init / 2
    Criterion 3: C_3 = 1, Static
                 C_3 = 0.4, Mobile
    Criterion 4: Parent or not
    Criterion 5: Low rank
  Step 2: Fitness Factor Computation
    F_f = Σ C_k, k = 1, ..., 5
  Step 3: Compromising Phase
    F_f > 3: choose the node with the highest fitness factor.
    Repeat the cycle for all selections
  Step 4: Contagious Phase
    Compromised nodes spread the swarm
  Step 5: Hive Selection
    Fix the node and start launching the attack
  Repeat all five steps until the border router has been attacked
  End

fitness factor can be chosen for compromise. Those compromised identities are known as Sybil identities. The Sybil attacker intends to extend the Sybil identities further among the nearby neighbors to perform the malicious action efficiently. The idea is to make the compromised Sybil identities pairwise neighbors, so that the attacker can easily circumvent the detection procedures, which helps it seize the network quickly.

4) Contagious phase: The contagious phase is the action of spreading the swarm from one node to another. The nodes which are already compromised attempt to compromise the nearby pairwise neighbors by calculating $d_{i,j}$, compromise the neighbors at the least distance, and add them to the set of Sybil identities. Thereby, the attacker can spread the swarm throughout the DODAG.

5) Hive selection and Launching phase: The node with the highest remaining residual energy value and the most compromised neighbor nodes nearby is chosen as the Sybil node to perform the attack. The Sybil node is chosen from the set of Sybil identities. The remaining energy ratio is measured using Equation 5 [6].

$E_{Ratio} = \dfrac{E_{res}}{E_{init}}$ (5)

where $E_{res}$ and $E_{init}$ are the residual and initial energy of the node.

Hive selection in the Artificial Bee Colony depends on the nearest food source, maximum honey production and breeding. Similarly, hive selection in the Sybil attack aims to breed many Sybil identities, and it chooses the best location for launching the attack. Moreover, it aims to increase the potential threat to the DODAG structure.

Figure 3 shows an example scenario of a Sybil attack which employs one Sybil node and three Sybil identities. The number inside each circle in Fig. 3 represents the node number. Node S acts as the main attacker (Sybil node), and the compromised nodes are nodes 2, 6, 14 and 15. Moreover, after fitness selection and hive location fixing, node 2 is selected as the launching node to perform the attack inside the network. After claiming many Sybil identities, the main attacker tries to intrude into the network and perform subsequent attacks such as Denial of Service (DoS), selective forwarding, blackhole, rank attack and replay attack. Algorithm 1 gives a brief description of the complete modeling of the artificial bee colony inspired Sybil attack in mobile RPL.

Fig. 3. An example scenario of Sybil Attack in mobile RPL

IV. PROPOSED LIGHTWEIGHT INTRUSION DETECTION AGAINST SYBIL ATTACK IN MOBILE RPL

Since the nodes in the RPL DODAG are resource-constrained, cryptographic techniques or complex mathematical mitigation methods have proved very difficult to process, and they also increase the computational power, memory, and latency. In this paper, we introduce a lightweight intrusion detection algorithm against the Sybil attack, which needs less computation and provides high accuracy, both of which are quintessential in the case of a resource-constrained network. In the proposed algorithm, we introduce three new variables in DIO messages, namely the NONCE ID, a control message counter, and timestamps. To include them, we have used the flag, reserved, and options fields of the DIO message. In the proposed lightweight security approach, we use three trust factors, namely Trust Factor 1, Trust Factor 2, and Trust Factor 3, for early detection of a malicious attempt in RPL.

A. DODAG ID and NONCE ID

One of the best approaches to identifying legitimate and illegitimate nodes in the network is to assign a unique ID to every node that joins the DODAG architecture. In this paper, we propose a common technique followed in most security architectures, namely the NONCE ID (Number used only once


in a life). This Nonce ID has been created and allocated to each Algorithm 2 Lightweight Intrusion Detection Algorithm
node when it is joining the DODAG structure after receiving for Sybil Attack
the DIO message for the first time. The NONCE number and Begin: Sybil Attack Detection
unique DODAG ID (IPv6 address) have been broadcasted to Input: DIO Message
the neighbor nodes with the DODAG DIO messages. Trust Input: NONCE, DODAG ID, CtN[n], tn[N]
factor 1 has been denoted as ’α’ and it can be calculated after ∆cthreshold = 5
verifying the NONCE ID and its correspondent IP address ∆τ threshold = 3
(DODAG ID). If both the NONCE ID and DODAG ID match Step 1: Check [ NONCE & DODAG ID - Match]
with the previous record, then α will be ’1’. If there is any Set α = 1
mismatch between them, α will be ’0’. Therefore, the event of Else
α = 0 indicates that there is a potential possibility of malicious Set α = 0
action and an untrusted event. End
Step 2: Check [Control Message Counter]
B. Control Message Counter Calculate ∆cN = CtN [n] - CtN [n-10]
If [∆cN > ∆c threshold ]
Every RPL node manages a counter value for each neighbor
Set γ=0
based on the number of control messages and the type of
Else
control message. Moreover, there is a threshold value has been
Set γ=1
fixed for the counter with respect to the rank of each node and
End
its parentship. When the rank is high, the counter threshold
Step 3: Check [Time Stamp]
will increase proportionally. And, when the rank decreases,
Calculate ∆τ = tn [N] - tn-1 [N]
it will reduce the counter threshold correspondingly. Because
If [ ∆τ < ∆τ threshold ]
the nodes nearby the border router are required to transfer
Set β=1
more data and control messages rather than the leaf nodes
Else
at the end. $ct_N[n]$ is the counter value (number of control messages received) at time $n$ and $ct_N[n-10]$ is the counter value 10 seconds earlier. $\Delta c_N$ is the difference of the counter values within 10 seconds, used to track changes in the number of control messages. $\Delta c_N$ is calculated using equation 6 as follows.

$\Delta c_N = ct_N[n] - ct_N[n-10]$ (6)

$\Delta c_{threshold}$ is the threshold value for the control message counter difference within 10 seconds. In an ideal case, when a node attempts to establish a connection with a nearby node in a DODAG structure, it can exchange a maximum of 5 control messages within a 10 second interval. If the difference exceeds the threshold value, this is a potential sign of a malicious attempt to flood a target node with control messages in order to drain its resources. To combat this type of malicious action, Trust Factor 2 is used to estimate the trust value of a node based on the control message counter values.

$\gamma = \begin{cases} 0, & \text{if } \Delta c > \Delta c_{threshold} \\ 1, & \text{if } \Delta c < \Delta c_{threshold} \end{cases}$ (7)

Here, $\gamma$ represents Trust Factor 2, and N denotes the node ID. Each node checks the counter status every 10 seconds. If the difference exceeds the threshold, it sets $\gamma$ to 0; otherwise, $\gamma$ is set to 1.

C. Time Stamp for Control Messages

In this proposed lightweight approach towards Sybil attack detection, we have included a new variable called timestamp, which tracks the time of arrival of the control messages exchanged with the neighbors. This helps to keep track of an attacker who tries to send a pool of control messages frequently in order to exhaust the resources of the RPL nodes.

(continuation of the algorithm listing)
Set β = 0
End
Step 4: Pheromone Computation
Cumulative Trust Factor (CTF)
ρN[n] = α.[ω.β + (1-ω).γ]
If ρN[n] ≠ 0
Γ = η.ρN[n-1] + (1-η).ρN[n] - Trusted Event
Else
Γ = ρN[n-1].ρN[n] - Untrusted Event
Add High Pheromone nodes into White List
Add Low Pheromone nodes into Sybil Node List
End

Consider $t_n[N]$ is the time of arrival of a control message at the current instant from a neighbor node N and $t_{n-1}[N]$ is the time of arrival of the previous control message from the same neighbor N. $\Delta\tau$ is the time difference between consecutive control messages, calculated using equation 8 as follows.

$\Delta\tau = t_n[N] - t_{n-1}[N]$ (8)

$\Delta\tau_{threshold}$ is the threshold value for the time difference between the timestamps of the control messages within 10 seconds from any neighbor node. $\Delta\tau_{threshold}$ is considerably dynamic under mobility, as mobility among the nodes demands more control message transmissions; however, an RPL node requires a resting period of at least 3 seconds between two consecutive control messages to stabilize. If a node does not observe the resting period for some time during transmission, this is again a plausible sign of malicious action. To combat this type of malicious action, Trust Factor 3 is used to estimate the trust value of a node based
on the time stamp values.

$\beta = \begin{cases} 1, & \text{if } \Delta\tau < \Delta\tau_{threshold} \\ 0, & \text{if } \Delta\tau > \Delta\tau_{threshold} \end{cases}$ (9)

Here, $\beta$ represents Trust Factor 3. If the $\Delta\tau$ value is less than $\Delta\tau_{threshold}$, then the frequency of control message transmission within the observed period is higher. Therefore, it might be a sign of malicious action, and $\beta$ is set to 0. If $\Delta\tau$ is more than $\Delta\tau_{threshold}$, then the frequency of control message transmission stays consistent, so in this case $\beta$ is assigned the value 1. In this proposed work, we have set $\Delta\tau_{threshold}$ to 3 for every 10 seconds from each neighbor.

Signs of malicious attempts can be identified early through the crucial role of $\Delta c_{threshold}$ and $\Delta\tau_{threshold}$, and counter action can be taken before any significant impact on the system.

D. Cumulative Trust Factor and Pheromone Computation

$\rho_N[n]$ is the Cumulative Trust Factor for the node N at the instant $n$, computed by considering all three trust factors: $\alpha$, $\beta$ and $\gamma$.

$\rho_N[n] = \alpha \cdot [\omega \cdot \beta + (1 - \omega) \cdot \gamma]$ (10)

From Equation 10, it can be understood that any mismatch between the NONCE and DODAG ID causes the cumulative trust factor to become 0.

A pheromone trail (smell) is used by ants to find the shortest path from the nest to a food source. Similarly, here, $\Gamma$ is the pheromone value, which is used to identify the list of best trusted nodes. The nodes with the highest pheromone value are added to the trusted node list, and nodes with low or zero pheromone are added to the block list (i.e., the Sybil node list).

$\Gamma = \begin{cases} \eta \cdot \rho_N[n-1] + (1-\eta) \cdot \rho_N[n], & \text{for trusted event} \\ \rho_N[n-1] \cdot \rho_N[n], & \text{for untrusted event} \end{cases}$ (11)

$\rho_N[n-1]$ is the previous cumulative trust factor value, from 10 seconds earlier. If it is a trusted event ($\rho_N[n] \neq 0$), then the pheromone value is non-zero. Otherwise, the pheromone value is 0 in the case of an untrusted event ($\rho_N[n] = 0$). Here, $\omega$ and $\eta$ are the weight factors, fixed to 0.2 and 0.3 respectively.

V. PERFORMANCE EVALUATION METRICS AND SIMULATION RESULTS

TABLE I
CONFUSION MATRIX

Actual \ Predicted   Positive   Negative
Positive             TP         FN         TPR
Negative             FP         TN         TNR
                     PPV        NPV

Based on the confusion matrix in Table I, the performance of the proposed algorithm has been analyzed. True Positive (TP) is an event when the IDS recognizes an activity as an attack and the event is actually an attack, and False Positive (FP) is the event when the IDS identifies an attack trial when there is no attack. False Negative (FN) is an event when the IDS fails to detect an attack when there is an actual malicious trial, and True Negative (TN) is an event when no attack has taken place and no detection has been made. Accuracy is used to estimate the probability of Sybil attack detection by the proposed intrusion detection algorithm. Sensitivity indicates the percentage of actual positive events correctly predicted by the proposed detection algorithm, whereas Specificity shows the rate of actual negative events identified by the detection algorithm. The F-score lies in the interval [0,1], and a higher F-score represents higher detection performance. Precision is the positive predictive value (PPV), and NPV is the negative predictive value [15].

$\text{Accuracy} = \frac{TP + TN}{TP + FN + FP + TN}$ (12)

$\text{Sensitivity} = \frac{TP}{TP + FN}$ (13)

$\text{Specificity} = \frac{TN}{FP + TN}$ (14)

$\text{Precision} = PPV = \frac{TP}{TP + FP}$ (15)

$\text{F-Score} = 2 \cdot \frac{\text{Precision} \cdot \text{Sensitivity}}{\text{Precision} + \text{Sensitivity}}$ (16)

Table II lists the simulation parameters used here. In this work, we used the random waypoint model for mobility; at the beginning, all nodes are positioned arbitrarily in a 300 m by 300 m area. Every node is located at a random place within the 300 m x 300 m area when the simulation starts, and the parent selection process is made randomly based on our previous work on the mobility-aware parent selection algorithm [8]. The speed of each node varies dynamically every 10 s between a minimum speed of 1 m/s and a maximum speed of 3 m/s. Each node stays in its location for at least 5 s, and then it shifts to a new place for establishing a constant routing path towards the Border Router (sink node). All nodes, except the sink, repeat these steps until the simulation stops.

We employed a main Sybil attacker that works based on Algorithm 1 in this paper. The ratio of Sybil identities is the number of compromised identities from the set $S_c$ used by the main Sybil attacker for malicious attempts. The severity and intensity of the attack increase when the ratio of Sybil identities rises. Hence, the ratio of Sybil identities is used to measure the intensity and the impact of the Sybil attack in the IoT network with respect to the changes in packet delivery ratio, control traffic overhead, and energy consumption.
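The trust-factor, cumulative-trust and pheromone computation of Section IV (equations 6 to 11 above), run over constructed control-message arrival logs for four neighbors. This is an added example, not the authors' code; the per-window aggregation of β, the encoding of α from the NONCE and DODAG ID checks, and the white-list cut-off of 0.5 on the pheromone value are assumptions the paper does not fix.

```python
"""Trust factors, cumulative trust (Eq. 10) and pheromone (Eq. 11) of the
lightweight IDS over constructed per-neighbor control-message logs (added illustration)."""
from typing import Dict, List, Tuple

DC_THRESHOLD = 5        # control messages per 10 s window before gamma drops to 0 (paper)
DTAU_THRESHOLD = 3.0    # resting period in seconds between consecutive messages (paper)
OMEGA, ETA = 0.2, 0.3   # weight factors omega and eta (paper)
PHEROMONE_CUTOFF = 0.5  # assumption: pheromone >= cut-off -> white list, else Sybil node list


def trust_factor_alpha(nonce_ok: bool, dodag_id_ok: bool) -> int:
    """Trust Factor 1 (alpha): 1 only when NONCE and DODAG ID both match, so any
    mismatch drives the cumulative trust factor to 0 (remark on Eq. 10)."""
    return 1 if (nonce_ok and dodag_id_ok) else 0


def trust_factor_gamma(delta_c: int) -> int:
    """Trust Factor 2 (gamma), Eq. 7: 0 once the 10 s counter difference exceeds the threshold."""
    return 0 if delta_c > DC_THRESHOLD else 1


def trust_factor_beta(delta_tau: float) -> int:
    """Trust Factor 3 (beta) as described in Section IV-C: an inter-arrival gap
    shorter than the resting period is a sign of flooding -> 0, otherwise 1."""
    return 0 if delta_tau < DTAU_THRESHOLD else 1


def cumulative_trust(alpha: int, beta: int, gamma: int) -> float:
    """Eq. 10: rho_N[n] = alpha * (omega * beta + (1 - omega) * gamma)."""
    return alpha * (OMEGA * beta + (1 - OMEGA) * gamma)


def pheromone(rho_prev: float, rho_now: float) -> float:
    """Eq. 11: smoothed trust for a trusted event, product (hence 0) for an untrusted one."""
    if rho_now != 0:
        return ETA * rho_prev + (1 - ETA) * rho_now
    return rho_prev * rho_now


def evaluate_window(arrivals: List[float], ids_ok: Tuple[bool, bool],
                    rho_prev: float) -> Tuple[float, float]:
    """One 10 s check for one neighbor; returns (rho_N[n], pheromone).
    arrivals: timestamps in seconds of the control messages received in the window.
    Assumption: beta for the window is 0 if any consecutive pair breaks the resting period."""
    alpha = trust_factor_alpha(*ids_ok)
    gamma = trust_factor_gamma(len(arrivals))                # delta_c_N of Eq. 6
    gaps = [b - a for a, b in zip(arrivals, arrivals[1:])]   # delta_tau of Eq. 8
    beta = min((trust_factor_beta(g) for g in gaps), default=1)
    rho_now = cumulative_trust(alpha, beta, gamma)
    return rho_now, pheromone(rho_prev, rho_now)


def classify(windows: Dict[str, Tuple[List[float], Tuple[bool, bool], float]]
             ) -> Tuple[List[str], List[str]]:
    """Step 4 of the algorithm: high-pheromone neighbors to the white list,
    low or zero pheromone neighbors to the Sybil node list."""
    white, sybil = [], []
    for node, (arrivals, ids_ok, rho_prev) in windows.items():
        _, phero = evaluate_window(arrivals, ids_ok, rho_prev)
        (white if phero >= PHEROMONE_CUTOFF else sybil).append(node)
    return sorted(white), sorted(sybil)


# Constructed sample: one 10 s window per neighbor: arrival times, (nonce_ok, dodag_id_ok), previous rho.
SAMPLE_WINDOWS = {
    "N1": ([1.0, 5.0, 9.0], (True, True), 1.0),                      # well behaved
    "N2": ([0.5, 1.0, 1.5, 2.0, 2.5, 3.0, 3.5], (True, True), 1.0),  # 7 messages 0.5 s apart: flooding
    "N3": ([2.0, 6.0], (True, False), 1.0),                          # DODAG ID mismatch -> alpha = 0
    "N4": ([1.0, 2.0, 3.0, 4.0], (True, True), 1.0),                 # counter fine, resting period broken
}

if __name__ == "__main__":
    print(classify(SAMPLE_WINDOWS))   # (['N1', 'N4'], ['N2', 'N3'])
```

Neighbor N4 shows the weighting at work: the broken resting period sets β to 0 but the counter stays under the threshold, so ρ drops only to 0.8 and the node keeps a non-zero pheromone.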

TABLE II
SIMULATION PARAMETERS

Parameters           Definition
Simulator            Cooja under Contiki OS
Radio medium model   UDGM-distance loss
Mote type            Tmote Sky
Range of nodes       Rx and Tx: 50 m
Number of nodes      80
Area                 300 m x 300 m
Simulation time      3000 s
ω                    0.2
Ng_th                3
Sybil nodes ratio    0.1 to 0.6
Transmission rate    1 pkt/sec
Mobility model       Random waypoint model
Mobile node speed    1 m/s to 3 m/s

[Figure: Average Control Traffic Overhead (x10^4, 0 to 4) versus Ratio of Sybil Identities (0 to 0.6); curves for Type-1, Type-2 and Type-3 Sybil attack (SA-1, SA-2, SA-3), each with ID and without ID]
Fig. 4. Control Traffic Overhead under three types of Sybil attack

[Figure: Average Packet Delivery Ratio (70 to 100) versus Ratio of Sybil Identities (0 to 0.6); curves for Type-1, Type-2 and Type-3 Sybil attack (SA-1, SA-2, SA-3), each with ID and without ID]
Fig. 5. Packet Delivery ratio under three types of Sybil attack

[Figure: Average Energy Consumption (J, 0.04 to 0.16) versus Ratio of Sybil Identities (0 to 0.6); curves for Type-1, Type-2 and Type-3 Sybil attack (SA-1, SA-2, SA-3), each with ID and without ID]
Fig. 6. Energy Consumption under three types of Sybil attack (without Intrusion Detection)

A. Control Traffic Overhead

Figure 4 illustrates the number of control traffic overhead exchanges under the three different types of Sybil attack in RPL. Control traffic overhead is the cumulative sum of DIO, DAO, and DIS control messages transferred in the DODAG. When the Sybil attacker joins a DODAG or when the launching phase starts, the complete DODAG or a segment of it needs to be rebuilt, which leads to an enormous number of control traffic exchanges among the nodes in the DODAG. Also, while attackers attempt to compromise the legitimate nodes, control traffic rises exponentially, which then leads to increased energy consumption.

In the case of the Type 1 (SA-1) attack, as it is bounded to one region and static, only a partial section of the DODAG is impacted, which causes fewer control message transfers when compared to the type-2 and type-3 Sybil attacks. On the other hand, the type-2 attack causes topology variation in a distributed way inside the DODAG; therefore, the number of control messages also increases significantly. Lastly, the type-3 (SA-3) attackers can execute the attack under mobility, which is extremely severe and can cause severe damage to the DODAG structure, which in turn increases the control traffic overhead. However, the number of control message transfers is suppressed to a great extent with the presence of the proposed intrusion detection approach in all three types of Sybil attacks. Here, Trust Factor 2 [γ] plays a significant role in contending the malicious action by considering the control message counter [∆cN] value in the lightweight intrusion detection algorithm.

B. Packet Delivery Ratio

The average packet delivery ratio is the average ratio of the total number of packets received successfully by the border router to the total number of packets transmitted by the source nodes. From Fig. 5, it can be observed that the average packet delivery ratio under type 1, type 2, and type 3 Sybil attack with intrusion detection is 97.5%, 96.2%, and 94.1%, respectively.
Figure 5 illustrates the packet delivery ratio under different

types of Sybil attacks in mobile RPL. When the density of Sybil identities increases, it causes a progressive drop in the packet delivery ratio in all three cases. But for the type 3 attack (SA-3), Sybil identities are scattered all over the DODAG, which provokes extreme malicious action while delivering packets to the border router. However, with the assistance of the proposed lightweight security procedures, the packet delivery ratio is improved extensively in malicious scenarios. The reason is the choice of a trusted node at all instants while forwarding packets to the border router. The Cumulative Trust Factor and pheromone values play an active role here in selecting the best-trusted node based on its actions and trials.

[Figure: Average Ratio (0.75 to 1) of Accuracy, Sensitivity and Specificity versus Ratio of the Sybil Identities (0.1 to 0.7)]
Fig. 7. Performance Evaluation under Type-1 Sybil Attack

[Figure: Average Ratio (0.75 to 1) of Accuracy, Sensitivity and Specificity versus Ratio of the Sybil Identities (0.1 to 0.7)]
Fig. 8. Performance Evaluation under Type-2 Sybil Attack

[Figure: Average Ratio (0.75 to 1) of Accuracy, Sensitivity and Specificity versus Ratio of the Sybil Identities (0.1 to 0.7)]
Fig. 9. Performance Evaluation under Type-3 Sybil Attack

TABLE III
PERFORMANCE EVALUATION OF LIGHTWEIGHT INTRUSION DETECTION ALGORITHM

             Average Detection Value
Type   Accuracy   Sensitivity   Specificity   F-Score
SA-1   0.968      0.974         0.952         0.972
SA-2   0.952      0.935         0.904         0.943
SA-3   0.948      0.955         0.852         0.894

C. Energy Cost

Figure 6 indicates that the average energy consumption under type 1, type 2, and type 3 Sybil attack without intrusion detection is 0.074, 0.092, and 0.13 J, respectively. It is observed from Fig. 6 that the expansion of Sybil identities forces the network to consume more energy. The compelling reasons for this are extensive computation, the upsurge in the exchange of control traffic overhead, mobility, and continuous transmission and reception. Gradually, these events drive a rapid reduction in the network lifetime. However, Fig. 6 implies that there is a significant reduction in overall energy consumption while using the proposed intrusion detection system. Indeed, the lightweight security approach demands simple computation and minimal resources for its prediction and counteraction, which is quintessential in the case of a resource-constrained network.

D. Accuracy, Sensitivity and Specificity

The average accuracy rate of the detection algorithm for type 1, type 2, and type 3 attack was computed to be 96.8%, 95.2%, and 94.8%, as shown in Table III and Figs. 7, 8, and 9. The accuracy rate is considerably lower in the event of a type-3 attack, as the type-3 attack is under mobility, and the adversary can spread the attack randomly throughout the DODAG while in motion. Furthermore, because of such random movement of the adversary, legitimate nodes can sometimes be misinterpreted as an adversary and vice versa. Under the mobile scenario, the control message counter value increases, which reduces the pheromone concentration. So, this pushes the F-score value down to 0.894. However, our proposed algorithm worked very effectively in the event of type-1 and type-2 attacks in all the scenarios, earning F-score values of 0.972 and 0.943, respectively.

VI. CONCLUSION

In this paper, we have proposed a bio-inspired analytical model for the Sybil attack and a lightweight intrusion detection algorithm for mobile RPL in the Internet of Things network. We considered three different types of Sybil attacks and analyzed the performance of mobile RPL in terms of packet delivery ratio, control traffic overhead, energy cost, and accuracy while increasing the density of Sybil identities in the DODAG. The results showed that the proposed lightweight intrusion detection algorithm achieves superior performance in terms of accuracy, sensitivity, and specificity. Furthermore, as it is a lightweight security approach, it reduces the overall computational complexity and latency while establishing the DODAG. In the event of a Type-3 Sybil attack, though the severity of the attack is very high, our proposed algorithm gains an average accuracy of 95% under mobile RPL. To conclude, the proposed lightweight intrusion detection algorithm proved to be an efficient lightweight security approach towards the Sybil attack, and while administering the right mitigation approach, it demands less power and computational complexity, which are quintessential for a resource-constrained network.

REFERENCES

[1] T. Winter and P. Thubert, "RPL: IPv6 Routing Protocol for Low Power and Lossy Networks," IETF, CA, USA, RFC 6550, vol. 3, Mar. 2010. [Online]. Available: https://rfc-editor.org/rfc/rfc6550.txt.
[2] G. Montenegro, C. Schumacher, and N. Kushalnagar, "IPv6 over low-power wireless personal area networks (6LoWPANs): Overview, assumptions, problem statement, and goals," IETF, CA, USA, RFC 4919, accessed: Sep. 2017. [Online]. Available: https://rfc-editor.org/rfc/rfc4919.txt
[3] K. Zhang, X. Liang, R. Lu and X. Shen, "Sybil Attacks and Their Defenses in the Internet of Things," in IEEE Internet of Things Journal, vol. 1, no. 5, Oct. 2014, pp. 372-383.
[4] F. Medjek and D. Tandjaoui, "Analytical evaluation of the impacts of Sybil attacks against RPL under mobility," in International Symposium on Programming and Systems (ISPS), 28-30 April 2015, pp. 1-6.
[5] S. Murali and A. Jamalipour, "Mobility-Aware Energy-Efficient Parent Selection Algorithm for Low Power and Lossy Networks," in IEEE Internet of Things Journal, vol. 6, no. 2, April 2019, pp. 2593-2601.
[6] A. K. Mishra, A. Kumar, D. Puthal, and Laurence T. Yang, "Analytical Model for Sybil Attack Phases in Internet of Things," DOI 10.1109/JIOT.2018.2843769, IEEE Internet of Things Journal, accepted for publication, pp. 1-9.
[7] D. Airehrour, J. A. Gutierrez, S. Kumar Ray, "SecTrust-RPL: A secure trust-aware RPL routing protocol for Internet of Things," Future Generation Computer Systems, Volume 93, 2019, pp. 860-876.
[8] D. Shreenivas, S. Raza, and T. Voigt, "Intrusion Detection in the RPL-connected 6LoWPAN Networks," in Proceedings of the 3rd ACM International Workshop on IoT Privacy, Trust, and Security (IoTPTS '17), USA, 2017, pp. 31-38.
[9] D. Karaboga and B. Gorkemli, "A comprehensive survey: artificial bee colony (ABC) algorithm and applications," in Springer Artificial Intelligence Review, Volume 42, Issue 1, June 2014, pp. 21-57.
[10] O. Gnawali and P. Levis, "The Minimum Rank with Hysteresis Objective Function-MRHOF," IETF, CA, USA, RFC 6719, vol. 11, Sept. 2012. [Online]. Available: https://rfc-editor.org/rfc/rfc6552.txt.
[11] C. Cobarzan, J. Montavont, T. Noel, "Analysis and performance evaluation of RPL under mobility," in Proc. of the 2014 IEEE Symposium on Computers and Communication (ISCC), Funchal, Portugal, 23-26 June 2014, pp. 1-6.
[12] H. Fotouhi, D. Moreira, and M. Alves, "mRPL: Boosting mobility in the Internet of Things," Ad Hoc Netw., vol. 26, pp. 17-35, Mar. 2015.
[13] M. Tareq, R. Alsaquor et al., "Mobile Adhoc Network Energy cost algorithm based on Artificial Bee colony," Hindawi Wireless Communications and Mobile Computing, volume 2017, Article ID 4519357, 2017, pp. 1-14.
[14] R. Kalucha and D. Goyal, "A review on Artificial bee colony in MANET," in Int. Journal of Computer Science and Mobile Computing, Vol. 3, Issue 7, July 2014, pp. 34-40.
[15] N. Salari, S. Shohaimi et al., "A Novel Hybrid Classification Model of Genetic Algorithms, Modified k-Nearest Neighbor and Developed Backpropagation Neural Network," PLOS ONE 9(11): e112987, 2014. [Online]. Available: https://doi.org/10.1371/journal.pone.0112987.

Sarumathi Murali is a Postgraduate Research Scholar in the Wireless Networking Group (WiNG) under the supervision of Prof. Abbas Jamalipour with the School of Electrical and Information Engineering at The University of Sydney, Australia, working towards her PhD. She received the Bachelor degree with the specialization in Electronics and Communication Engineering from Anna University, India, and she received honors and a gold medal in the postgraduate degree with the specialization in Communication Systems from Anna University, India. Her research interests include Routing under Low Power and Lossy Networks, Internet of Things routing protocol modeling, Security and Privacy issues in IoT, Signal Processing, and Mobile Ad hoc Networks. She has published more than 20 scholarly journal articles and 35 technical papers in national and international conferences.

Abbas Jamalipour (S'86–M'91–SM'00–F'07) is the Professor of Ubiquitous Mobile Networking at the University of Sydney, Australia, and holds a PhD in Electrical Engineering from Nagoya University, Japan. He is a Fellow of the Institute of Electrical, Information, and Communication Engineers (IEICE) and the Institution of Engineers Australia, an ACM Professional Member, and an IEEE Distinguished Lecturer. He has authored seven technical books, eleven book chapters, over 450 technical papers, and five patents, all in the area of wireless communications. Dr. Jamalipour is an elected member of the Board of Governors, Executive Vice-President, Chair of the Fellow Evaluation Committee, and the Editor-in-Chief of the Mobile World, IEEE Vehicular Technology Society. He was the Editor-in-Chief of IEEE Wireless Communications, Vice President-Conferences and a member of the Board of Governors of the IEEE Communications Society, and has been an editor for several journals. He has been a General Chair or Technical Program Chair for a number of conferences, including IEEE ICC, GLOBECOM, WCNC and PIMRC. He is the recipient of a number of prestigious awards such as the 2016 IEEE ComSoc Distinguished Technical Achievement Award in Communications Switching and Routing, the 2010 IEEE ComSoc Harold Sobol Award, the 2006 IEEE ComSoc Best Tutorial Paper Award, as well as 15 Best Paper Awards.
