SVM and PCA Based Security Scheme for

Spoofing Attack Detection in RPL over IoT

Environment
 Internet of Things
◆ Internet of Things (IoT) is a prevalent paradigm conceived to connect billions of
devices.
◆ Recently the IoT receives more attention from the research community in academia a
s well as an industry.
◆ The IoT environment consists of a large number of small sensor devices with limited
resources with one or more gateway nodes.
◆ The IoT devices depend on the gateway to route the messages to the server, since the
processing unit and computational power of the sensors is limited.
◆ They cannot send information directly for a long distance.
 RPL in IoT
◆ A majorly used routing protocol in the IoT is Routing Protocol for Low-Power and
Lossy Networks (RPL).
◆ The RPL follows the Distance Vector Internet Protocol version 6 (IPv6) routing
protocol and this protocol is mainly applied for several IoT applications.
◆ The standard of IPv6 over Low power Wireless Personal Area Networks
(6LoWPAN) integrates the IPv6 and the low-powered sensor device.
◆ The routing layer protocol, RPL is responsible to build routing paths and forwards
the messages to IoT gateway successfully.
 RPL Security
◆ The RPL security is a main concern in IoT applications.
◆ The sensor is an intrinsic part of the IoT, and it is essential to solve the security
issues in the design of routing protocols.
◆ The RPL paves the way for various attacks to enter into the IoT communication.
◆ The main security concerns in IoT communication are user authentication and data
integrity.
◆ An effective authentication scheme assists the IoT devices to distinguish the sender a
nd unauthorized nodes, as well as address the identity based attacks such as spoofing
and Sybil attacks.
 Significance of RPL Security
◆ There are several applications that exploit the RPL for establishing the IoT secure communication.
◆ The following features in RPL attracts most of the applications in real time.
1) It effectively deals with high number of clients using the DODAG
structure and limited number of control messages.
2) Another benefit is that its shortest path construction towards server using rank value.
3) The RPL allows the clients to update the topology, when a client experiences any change in the network topology.
Cont...
◆ However, the security is the main challenge in the tremendous growth of IoT
applications.
◆ Consequently, new intelligent security approaches in RPL protocol using machine le
arning schemes should be developed to connect the IoT devices with each other.
 Role of Machine Learning Algorithms in RPL Security

◆ Several cryptography algorithms have been suggested for IoT communication securit
y.
◆ They detect the malicious activities using the features of specified security attacks.
◆ However, the defense systems against a specified security attack are quickly
conquered by the attackers with modified features or new types of attacks.
◆ Thus, the powerful tool to identify the attackers is machine learning methods
 Related Works
◆ The commonly used machine learning algorithms for providing the IoT security are a
s follows.
1) decision trees,
2) Support Vector Machines (SVMs),
3) Bayesian algorithms,
4) Random forest,
5) Association rule,
6) Ensemble learning,
7) K-Means clustering,
8) K-nearest neighbor, and
9) Principal Component Analysis (PCA).
Cont...
◆ The SVM creates a splitting hyperplane in the data features.
◆ The main advantage of SVMs is scalability, due to the updation of training patterns
dynamically.
◆ However, it requires labeled data to identify the attacks in RPL.
◆ In addition, naive Bayesian algorithm successfully handles the features
independently, however it fails in extracting the relationships and interactions among
features.
◆ The k-nearest neighbor algorithm should decide the optimal k value to improve its pe
rformance.
◆ However, it is a time consuming process for IoT applications.
Cont...
◆ An unsupervised learning approach, K-Means clustering identifies clusters in the
messages on the basis of feature similarities.
◆ However, it is less effective than supervised learning methods, specifically in
detecting known attacks.
◆ The PCA scheme reduce the number of features.
◆ But, there is a necessity to use other machine learning algorithm to establish an
effective security approach.
 Problem Statement
◆ The major challenge encountered by the machine learning algorithms in IoT, is how
to generate the rules with training dataset.
◆ A main characteristic of the IoT environment is dynamism.
◆ In such network, normal structures and attack patterns in RPL protocol are
considerably changed with time.
◆ Generating collaborative IoT threat training data need to be updated continuously
with new attacks.
◆ However, it is difficult due to the wide diversity of IoT devices.
◆ Since, the IoT clients share sensitive messages, that are not meant to be shared
publicly, a privacy issue prevails in the RPL protocol.
 Research Gap
◆ An attacker exploits the security weaknesses in a RPL and exerts a negative impact
on routing performance.
◆ Numerous routing layer attacks, such as passive attacks, such as eavesdropping and
active attacks, such as spoofing, Sybil, man-in-the-middle, malicious inputs and
denial of service affect the RPL performance.
◆ Thus, the provision of security for a RPL protocol should be of high priority.
◆ However, the IoT devices cannot support complex security algorithms, due to their
limited computation and battery resources.
 Aims and Objectives
◆ To learn from existing messages and to predict future unknown attacks in RPL using
SVM in IoT
◆ To adapt the machine learning algorithm to resource constrained IoT devices by
reducing the features using PCA
◆ To identify the unknown attacks in RPL, by enabling the security system to execute
the learning module frequently.
Proposed Methodology
Cont...
◆ The proposed defense system adopts the SVM classifier as detector using a reduced
feature set.
◆ The proposed scheme includes the training and testing phase to learn standard RPL
features and to identify the attackers respectively.
◆ By observing the RPL protocol, the data packets are collected over a time.
◆ The proposed scheme divides the data into training and testing RPL messages.
◆ The RPL packets include a vast number of features resulting in an extensive learning
time and computational complexity.
 Feature Reduction
◆ ll the RPL features do not contribute in improving the accuracy of attack detection.
◆ Thus, the proposed scheme system utilizes the PCA in extracting the most relevant
features that have a maximum number of attacks, and the SVM to categorize the
RPL specific attackers accurately.
◆ An information gain is a measurement of impurity level in each feature.
◆ However, considering alone the information gain is not efficient always in feature
reduction.
◆ Instead of measuring the information gain, the proposed scheme considers the bias of
information gain.
 Attack Classification
◆ The normalized gain is measured as the ratio of Information gain to the break point
information.
◆ To precisely differentiate the normal routing activities from the malicious behavior
from normal, the proposed scheme exploits the use of classifiers.
◆ It utilizes the SVM classifier to identify the attack packets, since the SVM is an effici
ent tool to learn the high dimensional data.
◆ It can update the training patterns arbitrarily, when a new attack is entered into the
network.
 Performance Evaluation
◆ For the performance evaluation of proposed methodology including SVM
classification and PCA, there is a need to collect the samples for RPL routing
activities.
◆ The dataset for training is generated using the Cooja simulator over Contiki
operating system.
◆ The dataset for malicious activities is created by modeling the spoofing and data
integrity related attacks in RPL.
◆ This dataset is generated by monitoring the RPL routing protocol for 8 min, in which
the attack-free IoT traffic is spanning for 5 min and the IoT traffic that contains
attacks lasting for 3 min.
Cont...
◆ The proposed scheme is implemented in Java using Java Machine Learning Library
for reducing the features.
◆ The reduced feature set and its values are provided as an input to Waikato
Environment for Knowledge Analysis (WEKA) for classification.
◆ Secondly, the attack classification exercise using SVM classifier is executed in the
WEKA.
 Evaluation Settings
◆ OS : Ubuntu 12.04 LTS 64bit, Instant Contiki-3.0 and Vmware Player 12.5.6,
◆ Tool: Cooja and WEKA
◆ Language : C and Java
 Performance Measures
◆ Detection Accuracy: The ratio of total number of detected malicious messages and
total number of malicious messages transmitted over wireless medium.
◆ Throughput: Total number of delivered bits to the server.
◆ Delay: Total time taken by a packet to reach the server node in the network.
◆ Overhead: Total number of control messages used for providing the security in
RPL.
 Conclusion
◆ This work surveys various existing RPL routing attack countermeasures for secure
routing in IoT.
◆ The routing and security issues associated with the RPL are discussed.
◆ The importance of machine learning algorithms in RPL security are described.
◆ This work proposes the solutions for the security issues such as SVM classification
and PCA based secure RPL in IoT.
Cont...
◆ The clustering algorithm is designed with the use of an optimal set of network layer
features, which is reduced using PCA.
◆ The performance evaluation and metrics are also discussed.