A Systematic Literature Review on Machine and Deep Learning Approaches for Detecting Attacks in RPL-Based 6LoWPAN of Internet of Things
Figure 1. Taxonomy of RPL attacks.
Figure 2. Flowchart of the SLR methodology stages.
Figure 3. Taxonomy of existing research literature in RPL.
Figure 4. The steps and tools for conducting the SLR study.
Figure 5. Distribution of selected studies according to (a) Year of Publication, (b) Digital Libraries.
Figure 6. Distribution of selected studies according to (a) Publication Per Type, (b) Publication Per Topic.
Figure 7. Distribution of studies according to country of origin.
Figure 8. Distribution of the attacks in the existing studies.
Figure 9. Distribution percentages of the used tools and network simulators in the existing studies.
Figure 10. Distribution of the used metrics and parameters in the existing studies.
Figure 11. Occurrence of the datasets in the existing studies.
Figure 12. Issues and challenges.
Abstract
1. Introduction
1.1. Routing Protocol for Low Power and Lossy Network (RPL)
- DODAG Information Solicitation (DIS). Nodes that intend to join a network but have yet to receive a DODAG Information Object (DIO) message advertise a DIS message to inquire about an available DODAG with which to create a connection.
- DODAG Information Object (DIO). Nodes use the DIO message for locating RPL instances, learning about DODAG configurations, choosing a preferred parent, keeping DODAG structure in place, and knowing the current rank of the node and the IPv6 address of the root [13].
- A Destination Advertisement Object (DAO) message is used for advertising backward route information by building upward and downward routes between nodes and then creating routing tables on receiving nodes [14].
- A Destination Advertisement Object Acknowledgement (DAO-ACK) message is a response message to a DAO message.
- Consistency Check (CC). The RPL protocol employs CC to ensure the synchronization of the “security counter or timestamp between each pair of nodes” [15].
1.2. Security Issues and Threats in the RPL Protocol
1.3. Machine Learning (ML) and Deep Learning (DL) Technique for RPL Security
1.4. Contributions and Structure of Study
- Provide a Systematic Literature Review (SLR) for the state-of-the-art approaches concerning ML, DL, and combined ML-DL approaches to detect attacks in RPL-based 6LoWPAN.
- Introduce theoretical and practical steps for conducting SLR studies that pave the way for other researchers to conduct their SLRs in any field of academic research.
- Provide a taxonomy on contemporary research directions in RPL-based 6LoWPAN.
- Demonstrate demographic, statistical, and critical analysis on the existing studies with the implemented attacks and used tools.
- Clear description and analysis of the benchmark datasets created and used by existing studies in the RPL-based research field.
- Derive various security issues and challenges of previous studies and provide future research directions.
2. Relevant Works
3. Research Questions and Method
- RQ1: What is the distribution of the selected studies according to the year of publication, digital library, publication type and topic, and country of origin?
- RQ2: What are the existing ML-based approaches to detect attacks in RPL-based 6LoWPAN?
- RQ3: What are the prevailing DL approaches contributed by existing studies to detect RPL-based 6LoWPAN attacks?
- RQ4: What state-of-the-art combined ML and DL approaches have been used to detect attacks in RPL-based 6LoWPAN?
- RQ5: What are the recent applications based on ML and DL approaches proposed for detecting attacks in RPL-based 6LoWPAN?
- RQ6: What are the existing threats in RPL-based 6LoWPAN that the existing studies had addressed?
- RQ7: What tools and network simulators are used in the existing studies, and what evaluation metrics and parameters are employed in the reviewed studies?
- RQ8: What are the datasets utilized to evaluate the existing studies, and are there any available datasets designed specifically for RPL-based 6LoWPAN?
4. Research Methodology
4.1. Stage 1—Identification of Information Sources and Research Keywords
- Springer Link (http://link.springer.com; accessed on: 1 April 2022).
- IEEE Xplore® Digital Library (http://ieeexplore.ieee.org; accessed on: 1 April 2022).
- Science Direct (http://www.sciencedirect.com; accessed on: 1 April 2022).
- Scopus Database (http://www.scopus.com; accessed on: 27 April 2022).
- Google Scholar (http://scholar.google.com; accessed on: 1 April 2022).
- The first group of keywords includes ((rpl OR “routing protocol” OR “Routing Protocol” OR 6lowpan OR RPL) AND (iot OR “internet of thing” OR “Internet of Things” OR IoT)) for retrieving the studies from (Springer Link, IEEE Xplore® digital library, Science Direct, and Scopus).
- The second group of keywords comprises ((rpl or “routing protocol”) AND (iot OR “Internet of Things”)) for extracting studies from the Google Scholar website, since we observed that Google Scholar returned too many results when using the first group of keywords. Therefore, to solve this issue, we eliminated some of the keywords not directly related to our study scope, resulting in a more manageable number of gathered documents.
4.2. Stage 2—Screening and Refine Criteria
4.3. Stage 3—Inclusion Criteria
5. Distribution Results of SLR Stages
6. Theoretical and Practical Steps for the SLR Study
- Google Scholar: First, we inserted the second group of keywords (G.2) into the search box; then, we selected the range of publication years, after which the required documents were displayed and available to us. However, we had to exclude several duplicate documents that were also found in other databases when using the first group of keywords throughout the search process. Then, we imported the remaining documents into the My Library feature in Google Scholar before exporting them to Mendeley Software using the Mendeley Web Importer Tool extension [43].
- Scopus Database: The first group of keywords (G.1) is inserted into the search box. Then, the search results are refined using year and document type filters. Afterward, we exported the selected studies using the Research Information System (RIS) before importing them into Mendeley software for further analysis.
- Springer Link: We began by entering the first group of keywords (G.1) into the search engine, then refined the returned results based on document type and year of publication. Then, we downloaded the links to the selected articles as separate CSV-formatted files. Next, we downloaded the articles from the available links and imported them into Mendeley software using Mendeley’s Web Importer Tool extension [43].
- IEEE Xplore® digital library: We began by inserting the research keywords (G.1) into the search box, then applied the filter and selection criteria. Then, we exported the selected documents in (.bib) format, which were then imported into Mendeley Software.
- Science Direct: The search process in Science Direct is similar to that for the Scopus database. We selected the displayed documents according to the pre-defined criteria. Then, we exported the documents in RIS format, which can be imported into Mendeley Software later. Figure 4 shows the whole process of conducting the SLR stages.
7. Result and Discussion
7.1. RQ1: What Is the Distribution of the Selected Studies According to the Year of Publication, Digital Library, Publication Type and Topic, and Country of Origin?
7.2. RQ2: What Are the Existing ML-Based Approaches to Detect Attacks in RPL-Based 6LoWPAN?
7.3. RQ3: What Are the Prevailing DL Approaches Contributed by Existing Studies to Detect RPL-Based 6LoWPAN Attacks?
7.4. RQ4: What State-of-the-Art Combined ML and DL Approaches Have Been Used to Detect Attacks in RPL-Based 6LoWPAN?
7.5. RQ5: What Are the Recent Applications Based on ML and DL Approaches Proposed for Detecting Attacks in RPL-Based 6LoWPAN?
7.6. RQ6: What Are the Existing Threats in RPL-Based 6LoWPAN That the Existing Studies Had Addressed?
7.6.1. Resource-Based Attacks
- Hello Flooding (HF) Attack: This attack aims to make the network services or resources unavailable. The HF attack is carried out by malicious nodes that constantly flood the network with many "Hello" packets to notify their one-hop neighbors of their presence. The high transmission power of the malicious nodes will persuade all other nodes in the network that they are their neighbors [49,54]. Meanwhile, the adjacent nodes will respond to those messages. As a result, massive network traffic will be generated, resulting in control overhead, service unavailability, instability, and node resource depletion [56].
- Increased Rank (IR) Attack: In the IR Attack scenario, a malicious node increases its rank illegitimately. Meanwhile, the malicious node announces itself near the root node, but with a higher rank and worse path. Therefore, nodes in the malicious node’s subtree and those in its proximity must choose other nodes as parents, leading to more delay and disruption of the routing topology [14,65].
- Rank Attack: In a Rank attack, the attacker distributes the minimum rank value, intending to become a parent node. In the RPL network, the parent node is chosen based on the rank metric. Normally, the nodes closest to the root node have the lowest rank. Therefore, by using a low rank value, the rank attacker is chosen as a parent, and the other nodes forward routing messages along the network’s attacking path. Thus, it adds extra overhead and excessive energy dissipation at the nodes, resulting in lower routing performance [59,75].
- Version Number (VN) Attack: In a VN attack scenario, the attackers target the global repair feature of RPL by modifying the version number of the existing DODAG. The root node is responsible for changing the version number in normal operation. However, suppose the malicious node transmits a DIO message with a higher version number. In that case, it forces the global repair mechanism to start and reconstruct the DODAG, which will result in additional overhead and drain the nodes’ power resources [14,51].
- Local Repair Attack: The rogue node increases its rank to infinity during the execution process. It transmits this message to the entire network, compelling other legitimate nodes to look for a new parent to reach the root (gateway) node. When this occurs frequently, network performance suffers, as the topology must be modified every time the node changes [63].
- Increased Version (IV) Attack: In this attack, the fraudulent nodes purposefully change the version number of the DIO control packet and send the altered DIO message to their neighbors. When the neighbors receive the altered DIO message, they demonstrate their exclusion from the new DODAG, resulting in the unnecessary reconstruction of already-available DODAG. Consequently, the frequent reconstruction increases network traffic and causes an impact on critical network factors, such as lifetime, availability, and energy efficiency [56,76].
- DIS Flooding Attack: This attack occurs when one or more malicious nodes periodically send DIS messages to neighboring nodes within their transmission range. Upon receiving a DIS message, the trickle timers of the victim node(s) reset, and this process continues until the power resources of the victim node(s) are depleted, crashing the network [62].
- DDoS Flooding Attack: In a DDoS flooding attack, various malicious nodes target the network nodes with vast amounts of traffic to interrupt the normal operation of the network services. This attack also increases communication overhead and overwhelms the power resources of the sensor nodes [63,76,77].
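A rule-based check for two of the resource-based attacks listed above (VN/IV and DIS flooding), run over a constructed trace of RPL control messages. This is an added example, not code from the review or the studies it covers; the `Ctrl` record, the node names, and the limit of five DIS messages per 10 s are assumptions, and the monitor is assumed to hear the root's own DIOs.

```python
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Ctrl:
    """One captured RPL control message (hypothetical record layout)."""
    t: float          # capture time in seconds
    src: str          # sender node id
    kind: str         # "DIO", "DIS" or "DAO"
    version: int = 0  # DODAG version carried in a DIO, unused otherwise


def detect(trace, root, dis_limit=5, window=10.0):
    """Return (time, node, alert) tuples for VN and DIS-flooding behaviour.

    VN rule: only the root may raise the DODAG version, so a DIO from any
    other node carrying a version above the last one heard from the root
    is flagged. Plain integer comparison is used; the wraparound of the
    real RPL sequence counter is not handled here.

    DIS rule: a sender is flagged once when it exceeds `dis_limit` DIS
    messages inside a sliding window of `window` seconds.
    """
    alerts = []
    root_version = None               # last version announced by the root
    recent_dis = defaultdict(deque)   # sender -> DIS timestamps in window
    flooders = set()                  # senders already reported

    for m in sorted(trace, key=lambda m: m.t):
        if m.kind == "DIO":
            if m.src == root:
                root_version = m.version
            elif root_version is not None and m.version > root_version:
                alerts.append((m.t, m.src, "version-number"))
        elif m.kind == "DIS":
            q = recent_dis[m.src]
            q.append(m.t)
            while q and m.t - q[0] > window:
                q.popleft()           # drop timestamps outside the window
            if len(q) > dis_limit and m.src not in flooders:
                flooders.add(m.src)
                alerts.append((m.t, m.src, "dis-flood"))
    return alerts


# Constructed trace: n1 is the root, n9 forges a version bump, n8 floods DIS.
TRACE = (
    [
        Ctrl(0.0, "n1", "DIO", 1),
        Ctrl(1.0, "n7", "DIS"),        # single DIS from a joining node
        Ctrl(2.0, "n2", "DIO", 1),
        Ctrl(3.0, "n3", "DIO", 1),
        Ctrl(12.0, "n9", "DIO", 2),    # non-root node announces version 2
    ]
    + [Ctrl(20.0 + i, "n8", "DIS") for i in range(8)]  # one DIS per second
    + [
        Ctrl(40.0, "n1", "DIO", 2),    # legitimate global repair by the root
        Ctrl(41.0, "n2", "DIO", 2),    # n2 relays the root's new version
    ]
)

if __name__ == "__main__":
    for alert in detect(TRACE, root="n1"):
        print(alert)
```

The relayed version from n2 at t=41 is not flagged because the root announced it first; the same DIO sent before the root's own would be.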
7.6.2. Topology-Based Attacks
- Selective Forwarding (SF) Attack: This attack happens when the malicious node dislocates the network routing path by selectively forwarding some of the packets in the network while leaving the rest forwarded to the original destination [21]. In addition, this attack can involve one or more malicious nodes and could either be consecutive or non-consecutive [23].
- DIO Suppression Attack: The purpose of the DIO suppression attack is to disrupt or slow down the network’s transmission of DIO messages. For this purpose, Trickle’s DIO suppression method is used. During this attack, the adversary continuously sends a DIO message that the receiving nodes regard as consistent. Suppose the nodes get a sufficient number of consistent DIOs. In that case, they disable their own DIO transmission, resulting in a general decrease in the quality of the routes or, in the worst-case scenario, a network breakdown [62,78].
- Worst Parent (WP) Attack: In the WP attack scenario, the attacker fabricates routing information and broadcasts DIO messages to neighboring nodes with different rank values than genuine ones. Later, the child nodes assign the malicious node (with the highest rank value) as their parent instead of the best one specified in the usual RPL scenario. As a result of this attack, the network nodes suffer from non-optimal routing paths, degrading their performance and leading to high consumption of power resources [3,24].
- Opportunistic Service Attack: In this attack, the malicious node gains its trust value by initially offering highly dependable services and then later resorts to providing inferior services for its own sake [63].
- Temperature Level Attack: The attacker manipulates the reading of the temperature and humidity level sensors in patients’ rooms. Consequently, the air-conditioning system stabilizes the temperature level based on erroneous data, which could cause deterioration of the patient’s health [7].
- Heart Attack: This is an e-health related data attack that manipulates the patient’s heartbeat level information. Such modifications might cause bad decisions being made or ignored by emergency personnel, such as when a patient’s heart rate is extremely low/high and quick medical attention is required [7].
- WormHole (WH) Attack: In a WH attack, two or more attackers collaborate to establish a virtual tunnel between them and pass the traffic, entirely or selectively, through it instead of its original route. Therefore, such an attack disrupts the network topology, exhausts network resources, and provides the attackers with access to sensitive information [69,79].
- SinkHole (SH) Attack: A malicious node broadcasts itself as the most convenient route (optimal path) to be a preferred parent for the surrounding nodes. Then, the network traffic of the child nodes will be forwarded to the SH node. Therefore, this attack disrupts the communication and leads to other kinds of attacks [32,49,80].
- BlackHole (BH) Attack: In a BH attack, the pernicious node announces itself as the shortest route to the destination. All the packets arriving at this node will be dropped and, thus, prevented from reaching their destinations. Therefore, this attack will create a ‘hole’ in the network without the senders being aware of their packets’ delivery status [49,63].
7.6.3. Traffic-Based Attacks
- Decreased Rank (DRA) Attack: In this attack, a rogue node broadcasts its fabricated rank to its neighbors, resulting in neighboring nodes choosing the fraudulent node as their parent. Consequently, this causes other nodes to route their messages through a fake node. In addition, the fraudulent node broadcasts its predecessor’s rank as its own to deceive other nodes. The main effect of this attack is to increase the network’s traffic, and it can also be used to eavesdrop on DODAG’s downward nodes [56,81].
- Sybil Attack: In the Sybil attack scenario, the attacker masquerades under the identities of multiple legitimate nodes to access network data. This attack deteriorates the network’s performance and increases the control communication overhead, resulting in depleted power resources. In addition, this attack could serve as a jumping-off point for other types of RPL attacks [49,82].
- Clone ID (CID) Attack: In this attack, the attacker takes the ID of one existing legitimate node and transfers it to the malicious node, resulting in the data being routed to the malicious node instead of legitimate nodes. Therefore, the attacker will sniff a large amount of the network information [49,83].
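A rank-consistency audit for the rank-manipulation attacks described in Sections 7.6.1 and 7.6.3 (Rank, Decreased Rank, Local Repair), run over constructed observations. This is an added example, not code from the review or the studies it covers; the `Obs` record, the node names, and the `max_poison` threshold are assumptions, and the monitor is assumed to learn each node's preferred parent from its DAO messages. The two constants are the RFC 6550 values.

```python
from dataclasses import dataclass
from typing import Optional

INFINITE_RANK = 0xFFFF        # RFC 6550: rank advertised to poison a route
MIN_HOP_RANK_INCREASE = 256   # RFC 6550 default minimum rank step per hop


@dataclass(frozen=True)
class Obs:
    """A node's advertised rank plus its preferred parent (hypothetical)."""
    t: float                  # observation time in seconds
    node: str                 # advertising node id
    rank: int                 # rank carried in the node's DIO
    parent: Optional[str]     # parent learned from the node's DAO, None for root


def audit_ranks(observations, root, max_poison=3):
    """Return (time, node, alert) tuples for inconsistent rank behaviour.

    rank-below-parent: rank must grow by at least MIN_HOP_RANK_INCREASE
    from parent to child, so a node advertising less than that (including
    a copy of its parent's rank) is flagged.

    repeated-local-repair: a node that advertises INFINITE_RANK more than
    `max_poison` times keeps forcing its neighbours to reselect parents.
    """
    last_rank = {}      # node -> most recent finite rank
    poison_count = {}   # node -> number of INFINITE_RANK advertisements
    alerts = []

    for o in sorted(observations, key=lambda o: o.t):
        if o.rank == INFINITE_RANK:
            count = poison_count.get(o.node, 0) + 1
            poison_count[o.node] = count
            if count == max_poison + 1:          # report once per node
                alerts.append((o.t, o.node, "repeated-local-repair"))
            last_rank.pop(o.node, None)          # node is detached for now
            continue
        if o.node != root and o.parent in last_rank:
            floor = last_rank[o.parent] + MIN_HOP_RANK_INCREASE
            if o.rank < floor:
                alerts.append((o.t, o.node, "rank-below-parent"))
        last_rank[o.node] = o.rank
    return alerts


# Constructed observations: n1 is the root with rank 256.
OBSERVATIONS = [
    Obs(0.0, "n1", 256, None),
    Obs(1.0, "n2", 512, "n1"),
    Obs(2.0, "n3", 768, "n2"),
    Obs(3.0, "n4", 1024, "n3"),
    Obs(4.0, "n6", 768, "n2"),
    Obs(10.0, "n4", 300, "n3"),             # far below parent n3 (768)
    Obs(11.0, "n5", 512, "n2"),             # copies the rank of parent n2
    Obs(20.0, "n6", INFINITE_RANK, "n2"),
    Obs(25.0, "n6", INFINITE_RANK, "n2"),
    Obs(30.0, "n6", INFINITE_RANK, "n2"),
    Obs(35.0, "n6", INFINITE_RANK, "n2"),   # fourth poisoning in a row
]

if __name__ == "__main__":
    for alert in audit_ranks(OBSERVATIONS, root="n1"):
        print(alert)
```

An Increased Rank attack passes this audit, because a rank that is too high still satisfies the parent-to-child ordering.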
7.7. RQ7: What Tools and Network Simulators Are Used in the Existing Studies, and What Evaluation Metrics and Parameters Are Employed in the Reviewed Studies?
7.8. RQ8: What Are the Datasets Utilized to Evaluate the Existing Studies, and Are There Any Available Datasets Designed Specifically for RPL-Based 6LoWPAN?
- RPL-NIDDS2017 Dataset is a synthetic dataset created by Ranga and Verma [46] in 2018 using the NetSim program to simulate various network scenarios. They simulated an IoT network scenario comprising sensor nodes, a gateway, routers, and wired nodes to generate the dataset, containing 20 attributes and two additional attributes for labeling. In addition, the dataset included seven attack traces: Local Repair attacks, CID, BH, SF, Sybil, HF, and SH attacks. Moreover, the dataset’s features were divided into three types: flow, basic, and time. They also proposed an approach to detect the attacks, as mentioned in Section 7.2.
- IoT DDoS Dataset: Yahya Al-Hadhrami and Hussain [72] proposed a real-time dataset explicitly designed for the 6LoWPAN/RPL network. The dataset contained three DoS-based RPL attacks: DIS flooding, SF, and BH attacks. Twelve features were extracted from the physical, network, and application layers. In addition, the authors devised queueing methods for collecting network traffic from a set of sniffing nodes. The dataset simulation was executed for 24 h, resulting in more than 4,195,537 packets of RPL-based 6LoWPAN network traffic. The simulation process involved 29 nodes, where the Zolertia (z1) nodes are mimicked in the Cooja environment. Moreover, to reflect the environment of real-world networks, the authors included two distributor nodes that generate a noisy signal at predetermined intervals. Furthermore, the proposed system that generates the IoT DDoS dataset consists of four components: the capturing medium, data aggregation, queuing unit, and the feature extraction unit. The authors conducted four scenarios. The first scenario represents the normal network behavior without any attack, while the rest represent the three DoS-based RPL attacks.
- IDC and EDC Dataset: The researchers [7] at the SERCOM Lab of the University of Carthage have created two datasets, IDC and EDC, reflecting a smart hospital infrastructure. The generated IDC dataset comprises the normal and malicious behavior of network traffic. The malicious behavior includes the traces of three attacks: Rank, Flooding, and VN Modification attacks. Meanwhile, the dataset is split into training and testing sets, with 1000 instances utilized for the training set and 200 for the testing set. The EDC dataset generation used two types of data, environmental and body sensor data, where the environmental data include environmental information, such as temperature, light, and humidity. The training and testing set of environmental data contained 100 and 200 instances, respectively. The body sensor data comprise body temperature information and heart rate information. Similar to the environmental data, 1000 instances were utilized as a training set, and 200 for the testing set.
- IRAD Dataset: Osman et al. [31] developed a VN attack-based dataset. The authors developed a Python model to extract the dataset features. The total number of extracted features was 113. They proposed a dataset comprising 1,050,861 records, out of which 884,861 were assigned as benign and the rest as malicious traffic. In addition, the authors developed a lightweight mechanism to identify the attack, as stated in Section 7.2.
8. Open Issues, Challenges, and Future Research Directions
- Challenge 1—Datasets Availability: This study discovered that most researchers use self-generated datasets from various simulation programs, either synthetic or real-time, to evaluate their approaches [7,47,48]. However, some researchers do use existing publicly available datasets [31,49], even though many of those datasets were based on traditional networks’ traffic, which is different from the traffic of RPL-based 6LoWPAN networks [49]. Unfortunately, only a handful of researchers constructed datasets for RPL networks and made them available publicly [46,58,72]. Consequently, it is difficult for researchers to compare their work with others due to the variations in the datasets used.
- Challenge 2—Evaluation Metrics: We found that most studies used well-known evaluation metrics and parameters to validate the effectiveness of their work. Unfortunately, those parameters are commonly used in devising mechanisms for detecting attacks in traditional networks. In addition, due to the constrained environment of IoT networks, there is a need to also evaluate the proposed mechanism in terms of network and nodes metrics, such as PRC, PDR, and E2E delay. However, only a few researchers utilized these metrics in their studies [35,66,67]. Consequently, that might lead to bias in the results.
- Challenge 3—Implementation of Security Mechanisms: We can infer from our observation that the majority of researchers applied traditional security solutions to detect attacks in RPL-based 6LoWPAN networks [30,32,66]. Due to limited device capabilities in RPL-based 6LoWPAN networks (e.g., processing, memory, and power), there is a need for lightweight security and robust mechanisms with low complexity to avoid depletion of network resources and minimize the response time to defend against possible attacks.
- Challenge 4—Network Configuration: We noted many variations in the network configuration parameters used by researchers, such as the number of normal and malicious nodes, network topology, and network size. Without a standard configuration, researchers will face challenges when comparing their work to others. Furthermore, the evaluation scenarios used by the majority of existing approaches were using a small network [47,52,53]. However, in reality, IoT deployment is typically a vast network comprising various resource-limited nodes. Consequently, in such a network, the actual performance of the existing solutions may degrade and decline, making it less effective and vulnerable to attacks.
- Challenge 5—Diversity of Devices: This study discovered that the majority of approaches were designed and tested with only one or two types of sensor nodes (see Section 7.2, Section 7.3 and Section 7.4), even though the interoperability of non-homogeneous devices is one of the first assumptions of IoT applications. Different hardware configurations can impact the performance of routing protocols and message processing rates. Therefore, researchers creating IoT routing solutions must consider the heterogeneity of hardware components.
- Challenge 6—Contemporary Attacks: We inferred that new attacks are technically and behaviorally different from the earlier ones. ML and DL models are usually trained with features from more outdated datasets. However, new attacks might require a different set of features to identify. Consequently, the new attacks may either evade classifiers, generate false alarms, or reduce detection rates.
- There is an urgent need for a standard comprehensive benchmark dataset that is publicly available to enable researchers to test the performance of their proposed works and compare them with others fairly. The proposed solution will address Challenge 1.
- Since RPL networks comprise low-powered nodes, there is a need to evaluate the performance and impact of the existing solution using additional network parameters, such as PRC, computational cost, deployment strategy, and coverage area of the defense mechanism. Furthermore, there is a need to develop lightweight ML and DL approaches that operate in a constrained environment and are adaptable for deployment in tiny devices. The proposed solutions will tackle Challenge 2.
- Researchers need to develop efficient mechanisms in dynamic network topology and support mobility options. In addition, the deployment of the detection mechanism in the network plays a crucial role in detecting the attacks successfully. Hence, there is a need to identify the optimum location in the network that contributes to a high detection rate with less energy and result in the lowest computational overhead for network nodes. The suggested solution will address Challenge 3.
- Researchers need to develop highly scalable and fast response solutions that provide a minimal delay in information transmission, especially for crucial IoT applications. This suggested solution will address Challenge 4.
- There is a lack of solutions that work with heterogeneous network devices. The expected future of IoT networks is towards technological convergence with different technologies, such as cloud computing, software-defined networking, blockchain, and 5G. The offered solution will solve Challenge 5.
- There is a need for multiple defense approaches for guarding against newly discovered RPL attacks. Furthermore, there is also a need to incubate combined/hybrid ML and DL approaches to exploit their powerful features to identify known and zero-day threats. The proposed approaches must be highly robust, scalable, and support Quality of Service (QoS). The offered solutions will address Challenge 6.
9. Conclusions and Limitations
Author Contributions
Funding
Institutional Review Board Statement
Informed Consent Statement
Data Availability Statement
Conflicts of Interest
References
- [1] Kamel, S.O.M.; Elhamayed, S.A. Mitigating the impact of iot routing attacks on power consumption in iot healthcare environment using convolutional neural network. Int. J. Comput. Netw. Inf. Secur. 2020, 12, 11–29.
- [2] Alamiedy, T.A.; Anbar, M.; Alqattan, Z.N.; Alzubi, Q.M. Anomaly-based intrusion detection system using multi-objective grey wolf optimisation algorithm. J. Ambient. Intell. Humaniz. Comput. 2020, 11, 3735–3756.
- [3] Canbalaban, E.; Sen, S. A Cross-Layer Intrusion Detection System for RPL-Based Internet of Things. In International Conference on Ad-Hoc Networks and Wireless; Springer: Bari, Italy, 2020; Volume 12338, pp. 214–227.
- [4] Al-mashhadi, S.; Anbar, M.; Hasbullah, I.; Alamiedy, T.A. Hybrid rule-based botnet detection approach using machine learning for analysing DNS traffic. PeerJ Comput. Sci. 2021, 7, e640.
- [5] Morales-Molina, C.D.; Hernandez-Suarez, A.; Sanchez-Perez, G.; Toscano-Medina, L.K.; Perez-Meana, H.; Olivares-Mercado, J.; Portillo-Portillo, J.; Sanchez, V.; Garcia-Villalba, L.J. A dense neural network approach for detecting clone id attacks on the rpl protocol of the iot. Sensors 2021, 21, 3173.
- [6] Samaila, M.G.; Sequeiros, J.B.; Freire, M.M.; Inácio, P.R. Security threats and possible countermeasures in IoT applications covering different industry domains. In Proceedings of the 13th International Conference on Availability, Reliability and Security, Hamburg, Germany, 27–30 August 2018.
- [7] Said, A.M.; Yahyaoui, A.; Abdellatif, T. Efficient anomaly detection for smart hospital iot systems. Sensors 2021, 21, 1026.
- [8] Shukla, P. ML-IDS: A machine learning approach to detect wormhole attacks in Internet of Things. In Proceedings of the 2017 Intelligent Systems Conference (IntelliSys), London, UK, 7–8 September 2017; pp. 234–240.
- [9] Vinet, L.; Zhedanov, A. A ‘missing’ family of classical orthogonal polynomials. J. Phys. A Math. Theor. 2011, 44, 085201.
- [10] Sahay, R.; Geethakumari, G.; Mitra, B.; Sahoo, I. Efficient Framework for Detection of Version Number Attack in Internet of Things. In Advances in Intelligent Systems and Computing; Springer International Publishing: Berlin/Heidelberg, Germany, 2020; Volume 941, pp. 480–492.
- [11] Alamiedy, T.A.; Anbar, M.F.; Belaton, B.; Kabla, A.H.; Khudayer, B.H. Ensemble Feature Selection Approach for Detecting Denial of Service Attacks in RPL Networks. In Communications in Computer and Information Science; Springer Science and Business Media Deutschland GmbH: Berlin/Heidelberg, Germany, 2021; Volume 1487, pp. 340–360.
- [12] Agiollo, A.; Conti, M.; Kaliyar, P.; Lin, T.N.; Pajola, L. DETONAR: Detection of Routing Attacks in RPL-Based IoT. IEEE Trans. Netw. Serv. Manag. 2021, 18, 1178–1190.
- [13] AlSawafi, Y.; Touzene, A.; Day, K.; Alzeidi, N. Hybrid RPL-based sensing and routing protocol for smart city. Int. J. Pervasive Comput. Commun. 2020, 16, 279–306.
- [14] Raoof, A.; Matrawy, A.; Lung, C.H. Routing Attacks and Mitigation Methods for RPL-Based Internet of Things. IEEE Commun. Surv. Tutor. 2019, 21, 1582–1606.
- [15] Faraj, O.; Megías, D.; Ahmad, A.M.; Garcia-Alfaro, J. Taxonomy and challenges in machine learning-based approaches to detect attacks in the internet of things. In Proceedings of the 15th International Conference on Availability, Reliability and Security, Virtual Event, Ireland, 25–28 August 2020; pp. 1–10.
- [16] Kim, H.S.; Ko, J.; Culler, D.E.; Paek, J. Challenging the IPv6 Routing Protocol for Low-Power and Lossy Networks (RPL): A Survey. IEEE Commun. Surv. Tutor. 2017, 19, 2502–2525.
- [17] Nokia. Nokia: Threat Intelligence Report 2020. 2020. Available online: https://doi.org/10.1016/s1361-3723(20)30115-9 (accessed on 1 April 2022).
- [18] Pu, C.; Carpenter, L. Digital Signature Based Countermeasure Against Puppet Attack in the Internet of Things. In Proceedings of the 2019 IEEE 18th International Symposium on Network Computing and Applications (NCA), Cambridge, MA, USA, 26–28 September 2019; pp. 1–4.
- [19] Sahay, R.; Geethakumari, G.; Mitra, B. A novel blockchain based framework to secure IoT-LLNs against routing attacks. Computing 2020, 102, 2445–2470.
- [20] Almusaylim, Z.A.; Jhanjhi, N.Z.; Alhumam, A. Detection and mitigation of RPL rank and version number attacks in the internet of things: SRPL-RP. Sensors 2020, 20, 5997.
- [21] Neerugatti, V.; Rama Mohan Reddy, A. Artificial Intelligence-Based Technique for Detection of Selective Forwarding Attack in RPL-Based Internet of Things Networks. In Advances in Intelligent Systems and Computing; Springer: Singapore, 2020; Volume 1054, pp. 67–77.
- [22] Alzubaidi, M.; Anbar, M.; Chong, Y.W.; Al-Sarawi, S. Hybrid monitoring technique for detecting abnormal behaviour in rpl-based network. J. Commun. 2018, 13, 198–208.
- [23] Mayzaud, A.; Badonnel, R.; Chrisment, I. A taxonomy of attacks in RPL-based internet of things. Int. J. Netw. Secur. 2016, 18, 459–473.
- [24] Sahay, R.; Geethakumari, G.; Mitra, B. A Feedforward Neural Network based Model to Predict Sub-optimal Path Attack in IoT-LLNs. In Proceedings of the 20th IEEE/ACM International Symposium on Cluster, Cloud and Internet Computing, Melbourne, VIC, Australia, 11–14 May 2020; pp. 400–409.
- [25] Tahsien, S.M.; Karimipour, H.; Spachos, P. Machine learning based solutions for security of Internet of Things (IoT): A survey. J. Netw. Comput. Appl. 2020, 161, 102630.
- [26] Jamalipour, A.; Murali, S. A Taxonomy of Machine Learning based Intrusion Detection Systems for the Internet of Things: A Survey. IEEE Internet Things J. 2021, 111, 2287–2310.
- [27] da Costa, K.A.; Papa, J.P.; Lisboa, C.O.; Munoz, R.; de Albuquerque, V.H.C. Internet of Things: A survey on machine learning-based intrusion detection approaches. Comput. Netw. 2019, 151, 147–157.
- [28] Zarpelão, B.B.; Miani, R.S.; Kawakani, C.T.; de Alvarenga, S.C. A Survey of Intrusion Detection in Internet of Things; Elsevier: Amsterdam, The Netherlands, 2017.
- [29] Mohammadi, M.; Al-Fuqaha, A.; Sorour, S.; Guizani, M. Deep learning for IoT big data and streaming analytics: A survey. IEEE Commun. Surv. Tutor. 2018, 20, 2923–2960.
- [30] Cakir, S.; Toklu, S.; Yalcin, N. Rpl attack detection and prevention in the internet of things networks using a gru based deep learning. IEEE Access 2020, 8, 183678–183689.
- [31] Osman, M.; He, J.; Mokbal, F.M.M.; Zhu, N.; Qureshi, S. ML-LGBM: A Machine Learning Model Based on Light Gradient Boosting Machine for the Detection of Version Number Attacks in RPL-Based Networks. IEEE Access 2021, 9, 83654–83665.
- [32] Bokka, R.; Sadasivam, D.T. Machine Learning Techniques To Detect Routing Attacks in Rpl Based Internet of Things. Int. J. Electr. Eng. Technol. (IJEET) 2021, 12, 346–356.
- [33] Alamiedy, T.A.; Anbar, M.; Al-Ani, A.K.; Al-Tamimi, B.N.; Faleh, N. Review on feature selection algorithms for anomaly-based intrusion detection system. Adv. Intell. Syst. Comput. 2019, 843, 605–619.
- [34] Aversano, L.; Bernardi, M.L.; Cimitile, M.; Pecori, R. A systematic review on Deep Learning approaches for IoT security. Comput. Sci. Rev. 2021, 40, 100389.
- [35] Medjek, F.; Tandjaoui, D.; Djedjig, N.; Romdhani, I. Fault-tolerant AI-driven Intrusion Detection System for the Internet of Things. Int. J. Crit. Infrastruct. Prot. 2021, 34, 100436.
- [36] Verma, A.; Ranga, V. Security of RPL Based 6LoWPAN Networks in the Internet of Things: A Review. IEEE Sen. J. 2020, 20, 5666–5690.
- [37] Avila, K.; Jabba, D.; Gomez, J. Security Aspects for Rpl-Based Protocols: A Systematic Review in IoT. Appl. Sci. 2020, 10, 6472.
- Khraisat, A.; Alazab, A. A critical review of intrusion detection systems in the internet of things: Techniques, deployment strategy, validation strategy, attacks, public datasets and challenges. Cybersecurity 2021, 4, 18. [Google Scholar] [CrossRef]
- Pasikhani, A.M.; Clark, J.A.; Gope, P.; Alshahrani, A. Intrusion Detection Systems in RPL-Based 6LoWPAN: A Systematic Literature Review. IEEE Sens. J. 2021, 21, 12940–12968. [Google Scholar] [CrossRef]
- Ahmad, R.; Alsmadi, I. Machine learning approaches to IoT security: A systematic literature review. Internet Things 2021, 14, 100365. [Google Scholar] [CrossRef]
- Moher, D.; Liberati, A.; Tetzlaff, J.; Altman, D.G.; Altman, D.; Antes, G.; Atkins, D.; Barbour, V.; Barrowman, N.; Berlin, J.A.; et al. Preferred reporting items for systematic reviews and meta-analyses: The PRISMA statement. PLoS Med. 2009, 6, e1000097. [Google Scholar] [CrossRef] [Green Version]
- Bollbach, P. Adding Documents|Mendeley. Available online: https://www.mendeley.com/guides/desktop/02-adding-documents (accessed on 1 April 2022).
- Team, T.M.S. Mendeley Web Importer. 2013. Available online: https://www.mendeley.com/reference-management/web-importer (accessed on 1 April 2022).
- Kfoury, E.; Saab, J.; Younes, P.; Achkar, R. A Self Organizing Map Intrusion Detection System for RPL Protocol Attacks. Int. J. Interdiscip. Telecommun. Netw. 2019, 11, 30–43. [Google Scholar] [CrossRef] [Green Version]
- Arul Anitha, A.; Arockiam, L. ANNIDS: Artificial Neural Network based Intrusion Detection System for Internet of Things. Int. J. Innov. Technol. Explor. Eng. 2019, 8, 2583–2588. [Google Scholar] [CrossRef]
- Verma, A.; Ranga, V. ELNIDS: Ensemble Learning based Network Intrusion Detection System for RPL based Internet of Things. In Proceedings of the 2019 4th International Conference on Internet of Things: Smart Innovation and Usages (IoT-SIU), Ghaziabad, India, 18–19 April 2019; pp. 1–6. [Google Scholar] [CrossRef]
- Sharma, M.; Elmiligi, H.; Gebali, F.; Verma, A. Simulating Attacks for RPL and Generating Multi-class Dataset for Supervised Machine Learning. In Proceedings of the 2019 IEEE 10th Annual Information Technology, Electronics and Mobile Communication Conference (IEMCON), Vancouver, BC, Canada, 17–19 October 2019; pp. 20–26. [Google Scholar] [CrossRef]
- Aydogan, E.; Yilmaz, S.; Sen, S.; Butun, I.; Forsstrom, S.; Gidlund, M. A Central Intrusion Detection System for RPL-Based Industrial Internet of Things. In Proceedings of the 2019 15th IEEE International Workshop on Factory Communication Systems (WFCS), Sundsvall, Sweden, 27–29 May 2019; pp. 1–5. [Google Scholar] [CrossRef]
- Verma, A.; Ranga, V. Evaluation of Network Intrusion Detection Systems for RPL Based 6LoWPAN Networks in IoT. Wirel. Pers. Commun. 2019, 108, 1571–1594. [Google Scholar] [CrossRef]
- Neerugatti, V.; Reddy, A.R.M. Machine Learning Based Technique for Detection of Rank Attack in RPL based Internet of Things Networks. Int. J. Innov. Technol. Explor. Eng. 2019, 8, 244–248. [Google Scholar] [CrossRef]
- Müller, N.; Debus, P.; Kowatsch, D.; Böttinger, K. Distributed Anomaly Detection of Single Mote Attacks in RPL Networks. In Proceedings of the 16th International Joint Conference on e-Business and Telecommunications, Prague, Czech Republic, 26–28 July 2019; Volume 2, pp. 378–385. [Google Scholar] [CrossRef]
- Qureshi, K.N.; Rana, S.S.; Ahmed, A.; Jeon, G. A novel and secure attacks detection framework for smart cities industrial internet of things. Sustain. Cities Soc. 2020, 61, 102343. [Google Scholar] [CrossRef]
- Said, A.M.; Yahyaoui, A.; Yaakoubi, F.; Abdellatif, T. Machine Learning Based Rank Attack Detection for Smart Hospital Infrastructure. Lect. Notes Comput. Sci. 2020, 12157, 28–40. [Google Scholar] [CrossRef]
- Kumar, V.; Kumar, V.; Sinha, D.; Das, A.K. Simulation Analysis of DDoS Attack in IoT Environment. In Advances in Intelligent Systems and Computing; Springer: Cham, Switzerland, 2020; Volume 1122, pp. 77–87. [Google Scholar] [CrossRef]
- Tabari, M.Y.; Mataji, Z. Detecting Sinkhole Attack in RPL-based Internet of Things Routing Protocol. J. AI Data 2020, 9, 73–85. [Google Scholar]
- Sharma, S.; Verma, V.K. AIEMLA: Artificial intelligence enabled machine learning approach for routing attacks on internet of things. J. Supercomput. 2021, 77, 13757–13787. [Google Scholar] [CrossRef]
- Osman, M.; He, J.; Mahiuob, F.; Mokbal, M.; Zhu, N. Artificial Neural Network Model for Decreased Rank Attack Detection in RPL Based on IoT Networks. Int. J. Netw. Secur. 2021, 23, 496–503. [Google Scholar] [CrossRef]
- Yavuz, F.Y.; Ünal, D.; Gül, E. Deep Learning for Detection of Routing Attacks in the Internet of Things. Int. J. Comput. Intell. Syst. 2018, 12, 39. [Google Scholar] [CrossRef] [Green Version]
- Momand, M.D.; Khan Mohsin, M. Machine Learning-based Multiple Attack Detection in RPL over IoT. In Proceedings of the 2021 International Conference on Computer Communication and Informatics (ICCCI), Coimbatore, India, 27–29 January 2021; pp. 1–8. [Google Scholar] [CrossRef]
- Abapour, N.; Shafiesabet, A.; Mahboub, R. A Novel Security Based Routing Method Using Ant Colony Optimization Algorithms and RPL Protocol in the IoT Networks. Mapta J. Electr. Comput. Eng. (MJECE) J. 2021, 3, 1–9. [Google Scholar]
- Airehrour, D.; Gutierrez, J.A.; Ray, S.K. SecTrust-RPL: A secure trust-aware RPL routing protocol for Internet of Things. Future Gener. Comput. Syst. 2019, 93, 860–876. [Google Scholar] [CrossRef]
- Choukri, W.; Lamaazi, H.; Benamar, N. RPL rank attack detection using Deep Learning. In Proceedings of the 2020 International Conference on Innovation and Intelligence for Informatics, Computing and Technologies, Sakheer, Bahrain, 20–21 December 2020. [Google Scholar] [CrossRef]
- Thamilarasu, G.; Chawla, S. Towards deep-learning-driven intrusion detection for the internet of things. Sensors 2019, 19, 1977. [Google Scholar] [CrossRef] [PubMed] [Green Version]
- Alghuried, A. A Model for Anomalies Detection in Internet of Things (IoT) Using Inverse Weight Clustering and Decision Tree. Masters’s Thesis, Dublin Institute of Technology, Dublin, Ireland, 2017; p. 64. [Google Scholar] [CrossRef]
- Sahay, R.; Geethakumari, G.; Mitra, B. A holistic framework for prediction of routing attacks in IoT-LLNs. J. Supercomput. 2021. [Google Scholar] [CrossRef]
- Foley, J.; Moradpoor, N.; Ochenyi, H. Employing a Machine Learning Approach to Detect Combined Internet of Things Attacks against Two Objective Functions Using a Novel Dataset. Secur. Commun. Netw. 2020, 2020, 2804291. [Google Scholar] [CrossRef]
- Kamel, S.O.M.; Abou Elhamayed, S. Optimal Feature Subset Selection Using Cuckoo Search On IoT Network. Int. J. Adv. Netw. Appl. 2020, 11, 4478–4488. [Google Scholar] [CrossRef]
- Maleh, Y.; Sahid, A.; Belaissaoui, M. Optimized Machine Learning Techniques for IoT 6LoWPAN Cyber Attacks Detection. In Advances in Intelligent Systems and Computing; Springer: Cham, Switzerland, 2021; Volume 1383, pp. 669–677. [Google Scholar] [CrossRef]
- tuz Zahra, F.; Jhanjhi, N.; Brohi, S.N.; Malik, N.A. Proposing a Rank and Wormhole Attack Detection Framework using Machine Learning. In Proceedings of the 2019 13th International Conference on Mathematics, Actuarial Science, Computer Science and Statistics (MACS), Karachi, Pakistan, 14–15 December 2019; pp. 1–9. [Google Scholar] [CrossRef]
- tuz Zahra, F.; Jhanjhi, N.; Brohi, S.N.; Malik, N.A.; Humayun, M. Proposing a Hybrid RPL Protocol for Rank and Wormhole Attack Mitigation using Machine Learning. In Proceedings of the 2020 2nd International Conference on Computer and Information Sciences (ICCIS), Sakaka, Saudi Arabia, 13–15 October 2020; pp. 1–6. [Google Scholar] [CrossRef]
- Al-Hadhrami, Y.; Hussain, F.K. A Machine Learning Architecture Towards Detecting Denial of Service Attack in IoT. In Advances in Intelligent Systems and Computing; Springer International Publishing: Berlin/Heidelberg, Germany, 2020; Volume 993, pp. 417–429. [Google Scholar] [CrossRef]
- Al-Hadhrami, Y.; Hussain, F.K. Real time dataset generation framework for intrusion detection systems in IoT. Future Gener. Comput. Syst. 2020, 108, 414–423. [Google Scholar] [CrossRef]
- Al-Hadhrami, Y.; Al-Hadhrami, N.; Hussain, F.K. Data Exportation Framework for IoT Simulation Based Devices. In Advances in Intelligent Systems and Computing; Springer: Cham, Switzerland, 2020; Volume 1036, pp. 212–222. [Google Scholar] [CrossRef]
- Essop, I.; Ribeiro, J.C.; Papaioannou, M.; Zachos, G.; Mantas, G.; Rodriguez, J. Generating Datasets for Anomaly-Based Intrusion Detection Systems in IoT and Industrial IoT Networks. Sensors 2021, 21, 1528. [Google Scholar] [CrossRef]
- Boudouaia, M.A.; Ali-Pacha, A.; Abouaissa, A.; Lorenz, P. Security against rank attack in RPL protocol. IEEE Netw. 2020, 34, 133–139. [Google Scholar] [CrossRef]
- Lohachab, A.; Karambir, B. Critical Analysis of DDoS—An Emerging Security Threat over IoT Networks. J. Commun. Inf. Netw. 2018, 3, 57–78. [Google Scholar] [CrossRef]
- Alabsi, B.A.; Anbar, M.; Manickam, S.; Elejla, O.E. DDoS attack aware environment with secure clustering and routing based on RPL protocol operation. IET Circuits Devices Syst. 2019, 13, 748–755. [Google Scholar] [CrossRef]
- Perazzo, P.; Vallati, C.; Anastasi, G.; Dini, G. DIO suppression attack against routing in the internet of things. IEEE Commun. Lett. 2017, 21, 2524–2527. [Google Scholar] [CrossRef]
- Ahsan, M.S.; Bhutta, M.N.M.; Maqsood, M. Wormhole attack detection in routing protocol for low power lossy networks. In Proceedings of the 2017 International Conference on Information and Communication Technologies (ICICT), Karachi, Pakistan, 30–31 December 2017; pp. 58–67. [Google Scholar] [CrossRef]
- Alzubaidi, M.; Anbar, M.; Hanshi, S.M. Neighbor-Passive Monitoring Technique for Detecting Sinkhole Attacks in RPL Networks. In Proceedings of the 2017 International Conference on Computer Science and Artificial Intelligence, Jakarta, Indonesia, 5–7 December 2017; pp. 173–182. [Google Scholar] [CrossRef]
- Aris, A.; Oktug, S.F. Analysis of the RPL Version Number Attack with Multiple Attackers. In Proceedings of the 2020 International Conference on Cyber Situational Awareness, Data Analytics and Assessment, Dublin, Ireland, 15–19 June 2020. [Google Scholar] [CrossRef]
- Murali, S.; Jamalipour, A. A Lightweight Intrusion Detection for Sybil Attack under Mobile RPL in the Internet of Things. IEEE Internet Things J. 2020, 7, 379–388. [Google Scholar] [CrossRef]
- Mirshahjafari, S.M.H.; Ghahfarokhi, B.S. Sinkhole+CloneID: A hybrid attack on RPL performance and detection method. Inf. Secur. J. 2019, 28, 107–119. [Google Scholar] [CrossRef]

Ref. No. & Year | Type of Study | RPL Architecture | RPL Security and Threats | RPL-ML Technique | RPL-DL Technique | RPL Datasets |
---|---|---|---|---|---|---|
[16], 2017 | Survey | ✓ | ✗ | ✗ | ✗ | ✗ |
[36], 2019 | Review | ✓ | ✓ | ✗ | ✗ | ✗ |
[25], 2020 | Survey | ✗ | ✗ | ✗ | ✗ | ✗ |
[37], 2020 | Systematic Review | ✓ | ✗ | ✗ | ✗ | ✗ |
[15], 2020 | Survey | ✗ | ✗ | ✗ | ✗ | ✗ |
[38], 2021 | Critical Review | ✗ | ✗ | ✗ | ✗ | ✗ |
[39], 2021 | SLR | ✓ | ✓ | ✗ | ✗ | ✗ |
[40], 2021 | SLR | ✗ | ✗ | ✗ | ✗ | ✗ |
This study, 2022 | SLR | ✓ | ✓ | ✓ | ✓ | ✓ |

Ref./Year | A1 | A2 | A3 | A4 | A5 | A6 | A7 | Advantages and Limitations |
---|---|---|---|---|---|---|---|---|
[8], (2017) | NA | K-Mean Clustering, DT, Hybrid (K-Mean Clustering and DT) | NA | Real-time Simulation Dataset | WH | C++ | DR | The proposed K-Mean Clustering and DT models obtain the best result in DR, while the hybrid (K-Mean Clustering and DT) approach gains the lowest FPR compared to the K-Mean Clustering and DT models. However, the proposed approach targeted only one attack, and the result of the other evaluation metrics was missing. Furthermore, no further information about the features linked to the detected attacks is available. |
[44], (2019) | All features used | Self-Organizing Map (SOM) | 6 | Synthetic Dataset | HF, SH, VN | Contiki (Cooja simulator), Python, Wireshark | Number of Broadcast Messages, PRC, U-Matrix | The proposed SOM model classified the datasets’ samples effectively. However, the authors did not provide information about the collected dataset. Furthermore, the critical performance metrics, such as AC, Precision, TPR, and others, are not analyzed. Moreover, the proposed mechanism is not suitable for constrained devices. |
[45], (2019) | NA | MLP-based ANN | NA | Real-time Simulation Dataset | DIS Flooding, VN | Contiki (Cooja simulator), Wireshark, Weka | AC, TPR, FPR, Precision, Recall, F-Measure, MCC, ROC Area, PRC Area | The proposed ANNIDS approach achieved the highest TPR, Precision, Recall, and F-Measure results and detected the DIS and VN attacks accurately. However, the authors did not mention the dataset and selected features used. Furthermore, no explanation of the produced outcomes and deployment strategy is available. Lastly, the proposed model is not suitable for constrained devices. |
[46], (2019) | All features used | Ensemble classifiers (Boosted Trees, Bagged Trees, Subspace Discriminant, RUSBoosted Trees) | 20 | RPL-NIDDS2017 Dataset | SH, BH, Sybil, CID, SF, HF, Local Repair | MATLAB (2017), Python | AC, AUC | The proposed ensemble model (Boosted Tree) achieves the best result for AC in the case of hold-out and cross-validation. In addition, the ensemble (RUS Boosted) model gains the highest result of AUC. However, there is no evaluation result for the other metrics and no comparison with the other traditional classifiers. The authors also do not provide information about the deployment strategy. |
[47], (2019) | Pairwise Correlation | RF, NB, J48 Classifier | 21 | Synthetic Dataset | HF, DIS Flooding, IV, DRA | Python, Contiki (Cooja Simulator) | AC, Recall, Precision | The proposed framework reported that the RF classifier achieves the highest processing time, AC, Recall, and Precision results. In addition, the author clarified that the dimensional reduction technique significantly reduced energy consumption and processing time. However, the other evaluation metrics, such as packet loss and energy consumption, are not covered. Furthermore, the authors used a small number of network nodes and provided no further information about the availability of the generated multi-class dataset. |
[48], (2019) | All features used | GP | 50 | Synthetic Dataset | HF, VN | Contiki (Cooja simulator) | TPR, FPR, AC | The proposed central architecture obtained the best AC result during 500 ms and 5000 ms. Moreover, the authors reported that the distributed architecture achieves high AC results with the help of network nodes. However, the proposed approach suffered from a single point of failure and used the network nodes for monitoring, adding more computational overhead and consuming the power resources. Furthermore, the proposed work does not provide information about the collected dataset. |
[49], (2019) | All features used | NB, DT, LR, ANNs, EM Clustering | 20, 23, 49, 41 | NIDDS2017, WSN-DS, UNSW NB15, KDD99 | SH, BH, HF, CID, Local Repair, Sybil, SF | MATLAB (R2017a), Weka Software (version 3.9) | AC, FPR | The proposed DT model achieved the best result of AC and FPR. In addition, EM Clustering registered the lowest result of AC. However, the authors did not use feature selection techniques and did not consider other vital analysis parameters like PDR, PRC, E2E Delay, etc. Furthermore, the deployment strategy for the proposed work was missing. |
[50], (2019) | NA | K-NN | NA | NA | Rank | Contiki (Cooja simulator) | E2E Delay, PDR, TPR, FPR | The reported results show that PDR and TPR improved after deploying the proposed mechanism compared to regular networks under Rank attack. Meanwhile, the results of the E2E delay and FPR declined after the proposed mechanism was spread throughout the network. However, the authors considered only one type of attack and ignored others. Furthermore, the proposed mechanism uses one metric (i.e., rank) to calculate the distance between static nodes and does not consider the mobility of other nodes. Meanwhile, the nodes participate in the detection process, creating additional overhead in the network. |
[51], (2019) | NA | Kernel Density Estimation | NA | Real-time Simulation Dataset | HF, VN, BH | Contiki O.S. (Cooja simulator), Python | TPP, FPR, UDP Flow | The proposed approach achieved a significant average TPR result of detecting all types of attacks with different topologies. However, the result of the critical parameters, such as accuracy, precision, PDR, and E2E Delay, is not analyzed. Furthermore, the authors did not give details about the availability of the collected dataset, and the extracted features are not sufficient to detect other types of attacks. |
[24], (2020) | All features used | FFNN | 14 | Synthetic Dataset | WP | Contiki (Cooja simulator) | AC, Precision, Recall, F-Measure, PRC | The devised FNN model achieved a significant result in terms of Accuracy, Precision, Recall, and F-Score. Furthermore, the presented work identified the zone that launches the attack. However, the authors used few nodes, and their approach is limited to detecting one type of attack. Furthermore, no details were available about the availability of the dataset and the type of deployment strategy. |
[3], (2020) | NA | Neural Network | 27 | Synthetic Dataset | WP, HF, VN | Contiki (Cooja simulator) | AC, DR, FPR | The proposed approach reported high results for detecting invoking attacks for binary and multi-class classification. In addition, the produced link-layer features decreased the FPR and slightly increased the DR of the VN attack. However, the authors used few nodes during the simulation and gave no details about the availability of the dataset. Moreover, other critical parameters, such as PDR, E2E delay, and PRC, are not available. Additionally, the deployment strategy for this work has not been provided. |
[52], (2020) | GP | Threshold Statements | 53 | Synthetic Dataset | HF, VN, SH, BH | Contiki (Cooja simulator) | AC, TPR, FPR, PDR | The presented framework revealed the best results from HF and VN attacks during the 2000 s. Meanwhile, the highest AC result for detecting SH and BH attacks was obtained at 1000 s. Furthermore, the results of PDR and TPR have improved. However, when the number of network nodes increased, the PDR declined, which led to inaccurate detection of the attack. Moreover, the authors evaluated their work with small numbers of network nodes. Additionally, no details were available on the deployment strategy of the presented work. |
[10], (2020) | NA | DT, SVM, Bernoulli and LR | 5 | Synthetic Dataset | VN | Contiki (Cooja simulator) | AC, Precision, Recall, Specificity | The introduced framework reported significant AC, Precision, Recall, and Specificity outcomes. However, there is no evaluation of the other critical metrics, such as PDR, PRC, and E2E delay. Furthermore, this work is limited to only one attack. |
[21], (2020) | NA | Artificial Intelligence-based Packet Drop Ratio | NA | Real-time Simulation Dataset | SF | Contiki (Cooja simulator) | PDR, E2E Delay, DR | The proposed technique obtained significant results in terms of TPR and FPR. After implementing the proposed approach in the network, the result of the E2E delay improved. However, the proposed mechanism failed to improve the PDR. Furthermore, the proposed approach addressed one type of attack with a small number of network nodes. |
[53], (2020) | NA | One-Class SVM | NA | Real-time Simulation Dataset | Rank | Contiki (Cooja simulator) | PRC, Anomaly DR | The proposed ML approach reported good results in terms of anomaly detection rate. However, this work deals with one type of attack, and the presented work employs a small number of nodes. Furthermore, the outcomes of the other metrics, such as PDR, E2E delay, and PLR, are not computed. |
[54], (2020) | NA | DT | 11 | Synthetic Dataset | HF, VN | Contiki (Cooja simulator), Python, Wireshark | PRC, Precision, Recall, AC, FPR | The presented work obtained promising results for AC and FAR. However, this work targeted only one type of attack, with no details about the other critical evaluation parameters, such as packet loss and E2E delay. Furthermore, the presented analysis factors cannot detect other types of attacks. Moreover, the proposed work suffers from high PRC. |
[55], (2020) | GP | DT, SVM, Bayesian Classifiers | 5 | Synthetic Dataset | SH | Contiki (Cooja simulator), RapidMiner | DR, FPR | The proposed Bayesian model achieved the highest DR after applying the alarm verification method. Meanwhile, the DT classifier reported the highest level of Precision compared to the others. However, the proposed approach suffers from high FPR, and no further information about the deployment strategy is available. Moreover, the proposed work is limited to detecting only one type of attack. |
[56], (2021) | NA | ANN | 23, 22, 32, 28 | Synthetic Dataset | HF, DRA, IV | Contiki (Cooja simulator), Python, Wireshark | PRC, Number of Packets, AC, Recall, Precision, F-Score, MCC | The introduced AIEMLA approach reached the maximum result of AC using the hold-out validation technique. The authors reported good outcomes for the other performance measures such as PRC, Number of Packets, etc. However, no information about the collected features is available. Furthermore, the author used a small network size for the dataset collection. |
[57], (2021) | Information Gain Algorithm | ANN | 8 | IRAD Dataset | VN, DRA, HF | NA | AC, Loss, Precision, Recall, F1-Score, Support | The proposed MLRPL model attained high AC and other evaluation metrics in binary and multi-class results. In addition, the performance of the proposed approach exceeds other existing approaches. However, the proposed model takes a long training time to achieve the best result. Furthermore, the authors did not provide details about the deployment strategy for the network and the software specifications. |
[31], (2021) | Step Forward Feature Selection | Gradient Boosting ML | 11 | Synthetic Dataset | VN | Contiki (Cooja simulator), Python, Wireshark | AC, FPR, TNR, Precision, Recall, F1-Score, ROC | The devised ML-LGBM model achieved high AC, Precision, F-Score, TNR, and FNR. In addition, the presented work exceeded the approaches in terms of training time, testing time, model size, and other metrics. However, only one type of attack is detectable in this work, and no details are available on the generated dataset’s availability. Additionally, the authors used a small number of network nodes during the dataset’s generation process. |
[59], (2021) | Principal Component Analysis | SVM | NA | Real-time Simulation Dataset | VN, Rank, DoS | Contiki (Cooja simulator), Python | AC, Recall, Precision, F-Measure, PDR, Control Overhead, Energy Consumption | The proposed MLRP model achieved significant results and improved the PDR of the base-RPL. The result also reported a high detection of targeted attacks when implementing the PCA technique. However, despite the significance of PDR, the proposed approach suffers from low PDR, which requires more improvement. Furthermore, there is no information about the dataset’s availability and the number of selected features regarding the generated dataset. Moreover, the authors used few nodes during the data generation stage. |
[60], (2021) | NA | Ant Colony Optimisation | NA | NA | RPL Attacks | NA | Throughput, Number of Packets, Response Time | The proposed security mechanism improved the quality of service and routing process. Furthermore, the presented work proves its efficiency in enhancing the throughput and number of packets compared to the SecTrust-RPL approach. However, the authors did not specify the type of targeted attacks and the programs used. Furthermore, there are no details about the deployment strategy. |
[7], (2021) | NA | SVM | NA | IDC and EDC Datasets | Heart, Temperature Level, Flooding, VN, Rank | Contiki (Cooja simulator), Python | Detection AC, PRC | The introduced anomaly detection approach obtained high detection of e-health related data and network attacks. In addition, the proposed approach provided low-cost management and accurate decisions by utilizing a standard management program with reliable features. However, the proposed approach identifies other attacks, such as Flooding and event attacks, with a low DR. Furthermore, the authors did not present details about the feature selection technique and availability of the used dataset. |

Ref./Year | A1 | A2 | A3 | A4 | A5 | A6 | A7 | Advantages and Limitations |
---|---|---|---|---|---|---|---|---|
[58], (2018) | DT, Pearson Coefficient, Histogram | MLP-based ANN | 17 | IRAD Dataset | HF, VN, DRA | Contiki (Cooja simulator), Python, Wireshark | Precision, Recall, F1 Score, AUC, Loss, AC | The proposed DL model obtained the highest results in identifying HF attacks. The presented approach detects the other attacks significantly. In addition, this work provides a comprehensive analysis of the proposed dataset and different scenarios for each type of attack with diverse sizes of networks. However, the analysis of other critical parameters, such as PDR, E2E delay, and PRC, has not been provided. Furthermore, no information about the deployment strategy is available. Additionally, the proposed approach is not suitable for dynamic network traffic. |
[63], (2017) | Perceptual Learning Model | DNN, DBN | 8 | NA | BH, Opportunistic Service, DDoS, SH, WH | Contiki (Cooja simulator), Python | Precision, TPR, F1-Score, P-R Curves | The presented mechanism achieved a significant attack detection result and a good Precision outcome. However, they did not cover other critical parameters, such as PDR, E2E delay, and PRC. Furthermore, the authors did not provide details about the used dataset and selected features. |
[1], (2020) | One-R, Chi-Square, Weighted RF | CNN | 15 | IoT Routing Dataset | HF, SF, SH, WH, VN | Contiki (Cooja simulator), RapidMiner | Model Accuracy, Loss Function, AC, Error, Precision, Recall, F-measure, Correlation, Logistic Loss | The proposed model achieved a significant result for detecting attacks with low error and loss rates. Furthermore, the proposed CNN model reduced the PRC and maintained the stability of the IoT network. However, it required an extended processing time to reach its best result and failed to explain the deployment strategy. Furthermore, the authors did not disclose the dataset and selected features used. Moreover, no details on critical parameters, such as PDR, PRC, and E2E delay, are provided. |
[62], (2020) | All features used | MLP | NA | Synthetic Dataset | Rank | Contiki (Cooja simulator), Wireshark | TPR, FPR, macro AVG, Weighted Avg, AC, Precision, Recall, F-scores | The presented MLP algorithm achieved a high AC result for different scenarios of attacks. Furthermore, the result reported that this approach is capable of sorting and distinguishing various kinds of attacks. However, despite all these benefits, no details about the used features or availability of the generated dataset are available. |
[65], (2021) | NA | LSTM, Graph CNN | 7 | Synthetic Dataset | DRA, IR, WP | Contiki (Cooja simulator), Ethereum Client (Geth) | Time of Arrival, AC, Precision, Recall, F1-Score, Model Probabilities | The designed DL framework achieved a high result of accuracy for different scenarios. Furthermore, the result reported that this approach is capable of sorting and distinguishing between various kinds of attacks. However, the proposed framework is not suitable for low-power devices and creates additional overhead on the network. Additionally, the authors did not provide details about the deployment strategy, and no information is available on other critical parameters, such as PDR, E2E delay, and PRC. |
[5], (2021) | All features used | Auto Encoder and DNN | 19 | Synthetic Dataset | CID | Contiki (Cooja simulator), Wireshark | AC, F-Score, Total time | The introduced (SAE + DNN) framework provided high detection accuracy in detecting CID attacks. In addition, the authors compared their work with other existing approaches and exceeded them in terms of effectiveness. However, the proposed work is limited to detecting only one type of attack, and there was no information about the availability of the dataset. Moreover, the author used a small number of nodes during the data collection step. Finally, no analysis of the other critical parameters, such as PDR, E2E delay, and PRC, is available. |

Ref./Year | A1 | A2 | A3 | A4 | A5 | A6 | A7 | Advantages and Limitations |
---|---|---|---|---|---|---|---|---|
[30], (2020) | NA | RNN, SVM, LR | 5 | Synthetic Dataset | HF | Contiki (Cooja simulator), Python | PDR, ERC, Average Delay, AC, MSE, MAE, RMSE | The proposed hybrid model achieved significant PDR and average delay for attack identification with a different set of features. In addition, the best result for RMSE, MSE, MAE, and AC is obtained in the third scenario. Furthermore, the GRU attains the best result for AC compared to SVM and LR in most cases. However, the presented work targeted only one type of attack. Furthermore, the presented work was tested with a few nodes during data collection steps and suffered from scalability issues when the number of nodes was increased. Moreover, this work lacked information about the availability of the used dataset and the used feature selection technique. |
[66], (2020) | NA | NB, SVM, MLP, RF, ZeroR | 24 | Synthetic Dataset | Rank, VN, Rank + Sybil, Rank + BH, Decreased Path Metric | Contiki (Cooja simulator), Weka | RMSE, MAPE, ROC Average, Correctly Classified Instances, Balancing Technique Average | The presented approach significantly detected the invoked attacks in both objective functions (OF0 and MRHOF). In addition, the overall performance of the presented approach reported that the voting (MLP and RF) achieved excellent results compared to other approaches. Furthermore, the SMOTE-MLP model achieved good results in some experiments. However, the devised work could not analyze other critical parameters, such as AC, Precision, Recall, PDR, E2E delay, and PRC. Furthermore, there was no information about the deployment strategy of the presented work and the availability of the generated dataset. |
[67], (2020) | CS + Dagging + base learner BLR | SVM, DL, Fuzzy Unordered Rule Induction Algorithm | 12, 15 | IoT Routing Dataset | IoT Routing | Contiki (Cooja simulator), Weka | AC, Error, F-Measure | This study reported that the AC, Error, and F-Measure of the (CS algorithm using Dagging with BLR) model are better than those of the CS algorithm with BLR model. In addition, the CNN model achieved better results in all metrics measured than other classification algorithms. However, the presented approach did not provide information about the availability of the dataset and the deployment strategy. Furthermore, the study did not analyze other critical metrics, such as PDR and E2E delay. Finally, the authors did not identify the type of targeted attack in this work. |
[32], (2021) | RF | MLP, KNN, AdaBoost, RF, GNB, LR, DT | 21 | Synthetic Dataset | SH, DIO Suppression, BH, SF, Sybil, DIS Flooding | NetSim, Python | AC, Precision, Recall, AUC, ROC, F1-Score | The proposed DT achieved the best AC, Precision, and F-Score results. In addition, the LR, GNB, and MLP achieved the highest results in Recall value, and the RF model achieved the best result in AUC. However, the authors did not introduce analysis in terms of PDR, E2E delay, and PRC. Furthermore, there was no information about the availability of the dataset nor details about the deployment strategy. Moreover, the proposed ML algorithms create additional overhead and are therefore not suitable for constrained devices. |
[35], (2021) | RF, PC | DT, RF, K-NN, NB, MLP, LR, Sequential DL model | 7, 10, 7, 10, 6, 7, 13 | Synthetic Dataset | DRA, BH, SH, HF, SF, VN | Contiki (Cooja simulator), Python, Wireshark | AC, Precision, Recall, F1-Score, Fitting Time | The proposed model achieved significant results in all the used metrics for detecting the attack in both two-class and multi-class classifications. In addition, the RF classifier achieved the lowest fitting time. Furthermore, the presented work introduced the RF-IDSR approach, which provides fault tolerance and intrusion tolerance in Industry 4.0 networks. However, no information about the availability of the dataset and the deployment strategy is available. Furthermore, there was no analysis of the other critical metrics, such as PDR, PRC, and E2E delay. |
[68], (2021) | PSO | NB, SVM, RF, K-NN, False MLP | 15 | Synthetic Dataset | HF, WH, SH | Contiki (Cooja simulator), Python, Wireshark | AC, Precision, Recall, TPR, FPR | The RF algorithm achieved the best result in detecting the invoked attacks. However, the proposed approach did not provide information about the deployment strategy or details about the generated dataset’s availability. Moreover, the proposed technique added more computational overhead to the network, consuming power resources. Furthermore, there was no analysis of the other crucial parameters, such as PDR, E2E delay, and PRC. |

Publisher’s Note: MDPI stays neutral with regard to jurisdictional claims in published maps and institutional affiliations.
© 2022 by the authors. Licensee MDPI, Basel, Switzerland. This article is an open access article distributed under the terms and conditions of the Creative Commons Attribution (CC BY) license (https://creativecommons.org/licenses/by/4.0/).
Al-Amiedy, T.A.; Anbar, M.; Belaton, B.; Kabla, A.H.H.; Hasbullah, I.H.; Alashhab, Z.R. A Systematic Literature Review on Machine and Deep Learning Approaches for Detecting Attacks in RPL-Based 6LoWPAN of Internet of Things. Sensors 2022, 22, 3400. https://doi.org/10.3390/s22093400