=Paper=
{{Paper
|id=Vol-3283/Paper16
|storemode=property
|title=Detection of Rank, Sybil and Wormhole Attacks on RPL Based Network Using Trust Mechanism
|pdfUrl=https://ceur-ws.org/Vol-3283/Paper82.pdf
|volume=Vol-3283
|authors=Anup W. Burange,V. M. Deshmukh
|dblpUrl=https://dblp.org/rec/conf/isic2/BurangeD22
}}
==Detection of Rank, Sybil and Wormhole Attacks on RPL Based Network Using Trust Mechanism==
https://ceur-ws.org/Vol-3283/Paper82.pdf
Detection of Rank, Sybil and Wormhole Attacks on RPL Based
Network Using Trust Mechanism
Anup W. Burange 1, Dr. Ms. V. M. Deshmukh 2
1,2
Department of Computer Science & Engineering, PRMIT&R, Badnera-444701, Maharashtra, India
Abstract
The amount of constrained devices which exhibit the ability of getting connected to internet
are increasing day by day, which makes the routing process challenging and vulnerable to
different security threats. The resource constrained nature of low power and lossy network
(LLNs) does not make it suitable for traditional security measures. Due to which there is high
possibility of different routing and topology attacks. This paper consists of the attack
detection of some topological & identity attacks like rank attack, wormhole attack and Sybil
attack and also its effect on network parameters like throughput, overhead, delay etc. The
attack scenarios are in static as well as in dynamic mode.
Keywords 1
RPL, Rank Attack, Wormhole attack, Sybil Attack
1. Introduction
One of the major security requirements in the field of low power and lossy networks LLNs is
secured routing strategy. IoT devices and its applications have reported much vulnerability and are in
danger of extinction to be attacked by some intruder nodes. Rapid growing use of connected devices
enables new ways to carry out different vulnerabilities. Ubiquitous use of IoT systems may lead to
more serious attacks.[1] Studies have shown that current RPL protocol is susceptible to many routing
attacks like Rank attack, Sybil attack, Sinkhole attack, Blackhole attack, Version number attack etc.
Moreover there is need of investigation to ensure that trust solutions for constrained devices like IoT,
should be scalable across billions of devices. Though quite a few techniques have been developed to
counter security concerns in RPL, these techniques also consist of some weaknesses which make
them insufficient for constrained devices. To counter the attacks in network, Intrusion Detection
Systems are also used, they analyses the activity in network and identifies malicious behavior of node
in network. [2] It is also difficult to use well known and traditional security techniques like encryption
as it is processing intensive and require high computational resources. An IDS based on the concept
of Trust Management, [3] Machine Learning,[4] Fuzzy logic [5]can be useful for mitigating these
kind of attacks. This paper shows the implementation of Rank, Wormhole & Sybil attack in RPL
involved network and its effects on different parameters related to the network. The order of the paper
is as follows: Section 2 consists of RPL protocol working and RPL security issues, which includes
Rank, Wormhole and Sybil attack and its related literature. Section 3 consists of implementation
details about these attacks. Section 4 includes the results of implementation.
ACI’22: Workshop on Advances in Computation Intelligence, its Concepts & Applications at ISIC 2022, May 17-19, Savannah, United
States
EMAIL: awburange@mitra.ac.in (A. 1)
©️ 2020 Copyright for this paper by its authors.
Use permitted under Creative Commons License Attribution 4.0 International (CC BY 4.0).
CEUR Workshop Proceedings (CEUR-WS.org)
152
�2. RPL and Its Related Work
IoT typically exhibits the IEEE standard while using Routing Protocol for Low Power and Lossy
Networks at the network layer, 802.15.4 is used at the physical and data levels (RPL). It is most
suitable protocol for IoT and other constrained devices.[6] It creates Destination Oriented Directed
Acyclic Graph (DODAG) structure to route data packets. Each DODAG is connected to Border
Router (BR) and backbone line connects BR to local internet. The task of selecting and optimizing the
routes as per the different metrics is carried out by Objective Function (OF) within DODAG.
Placement of a node is getting decided by its Rank in relation to the sink node. For proper functioning
of RPL different control messages are being used by the protocol these are DIO (DODAG
Information Object), which is used for maintaining and updating the topology; DAO (DODAG
Destination Advertisement Object), which is responsible for transmitting destination information
upwards for route updating progress; and lastly, DIS (DODAG Information Solicitation), which
works for a new node. i.e Before entering the network, a new node might request information on the
topology. The primary task of initializing the topology setup is carried out by the DAO and DIS
messages.[7] RPL has “Rank” value for every node which determines particular location of every
node relative to BR and rest of the nodes in DODAG. Node which has lowest rank will be selected as
parent, rank is nothing but the “coordinates” of a node in graph hierarchy. Rank helps to detect and
avoid loops during routing process.[8] It works in two ways Storing mode and Non-storing mode. In
pre-mode all nodes save the router tables themselves, while in the latest mode only edge-router saves
the route table. By default the RPL comes with three security options, these are unsafe, pre-installed
and authenticated. [9] These security modes are primary security measures and does not solve all
security concerns. In the RPL protocol, routes are stored in two different ways. While messages are
sent to the root node in the centralized mode, each node in the dispersed mode has a routing table and
shows routing decisions for its subtree.[10]
2.1. RPL Security Issues
IoT includes the threats to existing infrastructure as Routing specific attacks and Resource specific
attacks. These are further can be divided into network resources, traffic and topology related
attacks.[11]
2.1.1. Wormhole Attack
In wormhole attack, attacker nodes forms a channel amongst them and packets are transmitted
through it.[12] Malicious nodes try to make believe that they are close to other nodes in the network
so that other node should transmit their packet through these malicious nodes.[13]
Pavan pongale et al. a proposed novel system for detecting wormhole attacks, IDS detects threats
by using node location and neighbor information. Their system uses acquired signal strength to detect
malicious location / attacker on the network. They proposed a hybrid system in which the central
modules of 6BR and the other modules are distributed to the sensor nodes. Location information can
be helpful for detection of Sybil attack and clone-ID attack. This system considers only static nodes
and they claimed to be energy efficient having less energy overhead with high true positives.[14]
Snehal deshmukh bhosale et al. to detect wormhole attacks and attackers, they used an intrusion
detection system (IDS). They used only received signal strength as parameter for detection of
malicious nodes. The IDS used is hybrid IDS having centralized and distributed module. Centralized
module detects attack and distributed module detects attacker node. This system is implemented it in
cooja simulator of contiki operating system, success rate of system is claimed to be 90%. [15]
Rupinder singh et al. proposed WRHT, which is a hybrid technique for wormhole detection. This
technique is the combination of two techniques called watchdog and Delphi. They calculated
153
�determining the likelihood of packet loss and time delays on each path to determine the probability of
a wormhole. [16]
Ruchi Mehta et al. proposed lightweight trust based mechanism consisting of direct and indirect
trust. They claimed that their technique is energy efficient and they termed it as lightweight but they
tested it on only two parameters namely throughput and packet loss rate. [17]
Prachi shukla, implemented a machine learning approach for wormhole detection. They developed
ML based IDS consisting of unsupervised K-means IDS, Supervised tree based IDS and hybrid IDS
which combine these two IDS. Claimed detection rate is between 70 to 80%. [18]
2.1.2. Sybil Attack
In this attack type, attacker or malicious node exhibit different illegitimate identities and it can
execute a variety of malicious activities such as unfair voting, fake route broadcast.[19] Sybil attack
can turn out to be the origin of other attacks and it can be more dangerous in dynamic environment
thereby degrading the network performance by increasing network traffic overhead.[20]
S. Murali et al, they proposed a lightweight intrusion detection system and a mobile Sybil attack
detection system inspired by an artificial bee colony (ABC) were developed for RPL's mobile
environment. They examined the effectiveness of RPL and concentrated on three sorts of Sybil
attacks based on its behavior. They focused on three categories of the Sybil attack based on its actions
and examined RPL's performance, They used bio-inspired analytical model which seems to be
complex to implement in resource constrained environment. [21]
Faiza Medjek et al. simulated the impact of Sybil mobile attack. They proposed a new intrusion
detection system called trust based IDS (T-IDS). They proposed a new timer and made some
additions to RPL control messages. Each node employs a trusted platform module (TPM) for its
system identity management module. The TPM requires the manufacturer to create a cryptographic
co-processor chip that offers hardware support for storing security parameters and identities, this
solution is not feasible as manufacturing unit have their own limitations.[22]
C. wang et al. proposed a technique for Sybil attack detection based on Channel State Information
( CSI). Proposed algorithm is claimed for the detection of Sybil attack in static devices. They also
proposed a scheme based on channel characteristic for dynamic attackers.[23]
Alekha Kumar Mishra et al. developed analytical model which uses k-mean clustering for finding
deployment location of attacker. Identity replacement model is also presented to circumvent fake
identity detection. This algorithm achieves very less detection range of nearly 48%.[24]
Ashwini Nikam et al, implemented IDS based on opinion metric for detection and identification of
Sybil and DoS attacks. They calculated opinion values (trust) of a node based on its positive and
negative experiences. Detection of attacker node done by border router based on metric values. They
used centralized approach which may not be effective in case of IoT devices. Failure of BR will result
in system breakdown. [25]
2.1.3. Rank Attack
This form of attack involves an attacker node introducing a bogus rank value. A node's distance
from the root node is used to calculate its rank value.[26] By misusing the rank value, attacker node
attracts the neighboring node to capture the data packets and then it can drop those packets or can
send it to the non-destined nodes. Increased rank attack and lowered rank attack are two more
categories that can be applied to this attack. Increased rank attack causes the loop creation in DODAG
154
�due to which packet fails to reach its destination. In decreased rank attack, node falsely claims as
parent thereby decreasing its rank value and keeping it minimum.[27]
R. Stephen et al., simulated RIAIDRPL algorithm, they claimed that the algorithm is capable of
finding the loops in DODAG, created by attacker node. They simulated the performance of this
algorithm on cooja simulator. The claimed accuracy is 90% and they compared it with RPL, LRPL
based on different network parameters. [28]
Usman Shafique et al. implemented an IDS which is based on sink node, for detection of rank
attack. They claimed lower computational overhead and high detection rate. Future work include the
addition of more metric like energy, hop count, bandwidth, delay etc. These factors are very important
but they mentioned in future implementation.[29]
Anhtuan Le et al, investigated how rank attacks affected network metrics. They claim different
types of rank attacks and they analyzed their behavior. They studied; Rank attack may result in path
loops, packet collisions, unoptimized paths, increased overhead, and other network performance
degradations. [30]
3. Attacks Detection using Trust Mechanism
Below, we present our proposed trust-based method, which is included in the RPL protocol.
Determining an individual node's trust value for the RPL network is the mechanism's main objective
and embed such values in routing decisions. As seen below, the Direct Trust is calculated.
DT (i,j) (t) = Fji (t) / (Sij (t) + k[Sij (t) – Fji (t)])
where,
Fji(t) = Total number of packets forwarded by "j" on behalf of "i".
Sij (t)= Total number of packets sent by node "i" to node "j".
k= Penalty value (Depends on frequency of interaction, length of the interaction, Energy consumed).
For indirect trust computation, we considered the parameters like reputation, experience, etc.
between the nodes.
Indirect Trust (IT) = Reputation Trust (RT) + Experience Trust (ET)
Where RT depends on the positive and negative recommendations from neighboring nodes and ET is
calculated by node’s past behavior is routing process analyzed by the sink node. We detected three
attacks, namely, Rank, Wormhole, and Sybil, in static and dynamic scenarios, considering 15 and 30
nodes, respectively. It is very important to check the effects of these attacks in a dynamic environment
as most of the IoT nodes will be dynamic in the future. three attack types namely as Rank, Sybil and
Wormhole with 20 and 40 nodes on cooja simulator of contiki with MRHOF objective function and
z1 mote type, radio medium model used is UDGM distance loss. In these attacks we have taken two
scenarios of static nodes and dynamic nodes. In static, all the nodes are static whereas in dynamic we
implemented Random Way Point model, which is one of the standard mobility model. Following are
the screenshots of the attack types.
155
�Figure 1: Rank Attack Implementation
Above figure shows the rank attack implementation on cooja simulator.Two scenarios are taken 20
and 40 nodes, in 20 nodes Node 10 & 20 are rank attacker nodes. In 40 nodes, Node 10,20,30,40 are
attacker nodes.
Figure 2: Sybil Attack Implementation
Above figure is the screenshot of Sybil attack implementation on cooja simulator. Node 6 is
attacker node in 20 nodes simulation, while Nodes 6 and 24 are attacker nodes in 40 nodes simulation.
156
�Figure 3: Wormhole Attack Implementation
Above figure is about the Wormhole attack implementation on cooja simulator. Nodes 5 and 20
are attacker nodes in 20 nodes simulation.
4. Results
As stated earlier, we implemented two attack scenarios as static and dynamic with 20 and 40
nodes for each attack. Following are the graphs for the above mentioned attacks in two scenarios.
Also we compared it with normal RPL protocol and we named it as “Without attack” for comparison.
We considered the following performance metrics for comparing normal RPL network with attack
models.
• Packet delivery ratio (Percentage)
PDR in RPL network is the ratio between total packets sent to the total packets received.
• Overhead (Packets)
Overhead in RPL network can be defines as, amount of control packets required for network path
initialization. DIO,DAO and DIS packets are said to be a control packets in RPL network.
• Delay(ms)
Delay is the measure of time taken between total time received to the total sent time.
• Throughput(bits/sec)
Throughput is the measure of rate of successful data delivery of data Packets.
• Energy Consumption(joules)
Energy consumption is the total energy or power used to send or receive data packets by a node.
157
�4.1.1. Static Environment
Figure 4: Performance metric comparison in static environment.
158
�4.1.2. Dynamic Environment
Figure 5: Performance metric comparison in dynamic environment.
159
�4.1.3. Attacks Detection
Figure 6: Number of attacks detected in static and dynamic environment.
4.1.4. Result Discussion
Though the graphs are self explanatory, we want to highlight some of the key findings in the result.
We have taken two scenarios static and dynamic with 20 and 40 nodes respectively. As shown in
figure 4, graph “Without attack” is nothing but the RPL protocol with MRHOF objective function. In
this the negative effects by the attacks on performance metrics like throughput, packet delivery ratio,
delay, overhead, energy consumption etc are analyzed in static environment, where the nodes are
stationary. The same metrics are analyzed in dynamic environment, where all the nodes are moving in
some specific manner. We run the simulation many times to perfectly get the values and thus graphs.
In static it is found that, these metrics are highly impacted by the attacks compared to normal routing
\i.e without attack, whereas in dynamic scenario energy consumption and packet overhead are more.
Thus it is important to identify and remove such type of attacker nodes from the network, to improve
the overall efficiency of it.
160
�5. Conclusion
Due to low power and computation capabilities IoT devices are more prone to different routing and
topology attacks. In this work, we detected three attacks namely rank, wormhole and Sybil, using trust
mechanism & also by some attack characteristics. Simulations are done in static and dynamic
environment scenarios with 20 and 40 for each attack type. In static and dynamic it is identified from
the graph that all the parameters are affected by the attacks. We are also working on the lightweight
IDS based on machine learning to indentify and prevent these attacks to make routing safe in IoT
environment.
6. References
[1] J. V. V. Sobral, J. J. P. C. Rodrigues, R. A. L. Rabêlo, J. Al-Muhtadi, and V. Korotaev,
“Routing protocols for low power and lossy networks in internet of things applications,”
Sensors (Switzerland), vol. 19, no. 9, pp. 1–40, 2019, doi: 10.3390/s19092144.
[2] M. Miettinen, S. Marchal, I. Hafeez, N. Asokan, A. R. Sadeghi, and S. Tarkoma, “IoT
SENTINEL: Automated Device-Type Identification for Security Enforcement in IoT,” Proc. -
Int. Conf. Distrib. Comput. Syst., pp. 2177–2184, 2017, doi: 10.1109/ICDCS.2017.283.
[3] Z. A. Khan and P. Herrmann, “A trust based distributed intrusion detection mechanism for
internet of things,” Proc. - Int. Conf. Adv. Inf. Netw. Appl. AINA, pp. 1169–1176, 2017, doi:
10.1109/AINA.2017.161.
[4] U. Jayasinghe, G. M. Lee, T. W. Um, and Q. Shi, “Machine Learning Based Trust
Computational Model for IoT Services,” IEEE Trans. Sustain. Comput., vol. 4, no. 1, pp. 39–
52, 2019, doi: 10.1109/TSUSC.2018.2839623.
[5] M. D. Alshehri, F. K. Hussain, and O. K. Hussain, “Clustering-Driven Intelligent Trust
Management Methodology for the Internet of Things (CITM-IoT),” Mob. Networks Appl., vol.
23, no. 3, pp. 419–431, 2018, doi: 10.1007/s11036-018-1017-z.
[6] L. Wallgren, S. Raza, and T. Voigt, “Routing attacks and countermeasures in the RPL-based
internet of things,” Int. J. Distrib. Sens. Networks, vol. 2013, 2013, doi: 10.1155/2013/794326.
[7] P. Suganya and C. H. Pradeep Reddy, “A survey and analysis on various objective functions
defined for RPL in 6LOWPAN,” Int. J. Recent Technol. Eng., vol. 7, no. 6, pp. 403–411,
2019.
[8] A. Verma and V. Ranga, “Evaluation of Network Intrusion Detection Systems for RPL Based
6LoWPAN Networks in IoT,” Wirel. Pers. Commun., vol. 108, no. 3, pp. 1571–1594, 2019,
doi: 10.1007/s11277-019-06485-w.
[9] S. Y. Hashemi and F. Shams Aliee, “Dynamic and comprehensive trust model for IoT and its
integration into RPL,” J. Supercomput., vol. 75, no. 7, pp. 3555–3584, 2019, doi:
10.1007/s11227-018-2700-3.
[10] A. Raoof, A. Matrawy, and C. H. Lung, “Routing Attacks and Mitigation Methods for RPL-
Based Internet of Things,” IEEE Commun. Surv. Tutorials, vol. 21, no. 2, pp. 1582–1606,
2019, doi: 10.1109/COMST.2018.2885894.
[11] W. Alnumay, U. Ghosh, and P. Chatterjee, “A trust-based predictive model for mobile Ad Hoc
network in internet of things,” Sensors (Switzerland), vol. 19, no. 6, pp. 1–14, 2019, doi:
10.3390/s19061467.
[12] M. Goyal and M. Dutta, “Intrusion Detection of Wormhole Attack in IoT: A Review,” 2018
Int. Conf. Circuits Syst. Digit. Enterp. Technol. ICCSDET 2018, pp. 1–5, 2018, doi:
10.1109/ICCSDET.2018.8821160.
[13] S. M. H. Mirshahjafari and B. S. Ghahfarokhi, “Sinkhole+CloneID: A hybrid attack on RPL
performance and detection method,” Inf. Secur. J., vol. 28, no. 4–5, pp. 107–119, 2019, doi:
10.1080/19393555.2019.1658829.
[14] P. Pongle and G. Chavan, “Real Time Intrusion and Wormhole Attack Detection in Internet of
Things,” Int. J. Comput. Appl., vol. 121, no. 9, pp. 1–9, 2015, doi: 10.5120/21565-4589.
[15] S. Deshmukh-Bhosale and S. S. Sonavane, “A Real-Time Intrusion Detection System for
Wormhole Attack in the RPL based Internet of Things,” Procedia Manuf., vol. 32, pp. 840–
161
� 847, 2019, doi: 10.1016/j.promfg.2019.02.292.
[16] R. Singh, J. Singh, and R. Singh, “WRHT: A Hybrid Technique for Detection of Wormhole
Attack in Wireless Sensor Networks,” Mob. Inf. Syst., vol. 2016, 2016, doi:
10.1155/2016/8354930.
[17] R. Mehta and M. M. Parmar, “Trust based mechanism for Securing IoT Routing Protocol RPL
against Wormhole Grayhole Attacks,” 2018 3rd Int. Conf. Converg. Technol. I2CT 2018, pp.
1–6, 2018, doi: 10.1109/I2CT.2018.8529426.
[18] P. Shukla, “ML-IDS: A machine learning approach to detect wormhole attacks in Internet of
Things,” 2017 Intell. Syst. Conf. IntelliSys 2017, vol. 2018-January, no. September, pp. 234–
240, 2018, doi: 10.1109/IntelliSys.2017.8324298.
[19] K. Phani Rama Krishna and R. Thirumuru, “Optimized energy-efficient multi-hop routing
algorithm for better coverage in mobile wireless sensor networks,” J. Integr. Sci. Technol., vol.
10, no. 2, pp. 100–109, 2022.
[20] S. Raza, L. Wallgren, and T. Voigt, “SVELTE: Real-time intrusion detection in the Internet of
Things,” Ad Hoc Networks, vol. 11, no. 8, pp. 2661–2674, 2013, doi:
10.1016/j.adhoc.2013.04.014.
[21] S. Murali and A. Jamalipour, “A Lightweight Intrusion Detection for Sybil Attack under
Mobile RPL in the Internet of Things,” IEEE Internet Things J., vol. 7, no. 1, pp. 379–388,
2020, doi: 10.1109/JIOT.2019.2948149.
[22] F. Medjek, D. Tandjaoui, I. Romdhani, and N. Djedjig, “A trust-based intrusion detection
system for mobile RPL based networks,” Proc. - 2017 IEEE Int. Conf. Internet Things, IEEE
Green Comput. Commun. IEEE Cyber, Phys. Soc. Comput. IEEE Smart Data, iThings-
GreenCom-CPSCom-SmartData 2017, vol. 2018-Janua, pp. 735–742, 2018, doi:
10.1109/iThings-GreenCom-CPSCom-SmartData.2017.113.
[23] C. Wang et al., “Accurate sybil attack detection based on fine-grained physical channel
information,” Sensors (Switzerland), vol. 18, no. 3, pp. 1–23, 2018, doi: 10.3390/s18030878.
[24] S. K. Apat, J. Mishra, K. S. Raju, and N. Padhy, “The robust and efficient Machine learning
model for smart farming decisions and allied intelligent agriculture decisions,” J. Integr. Sci.
Technol., vol. 10, no. 2, pp. 139–155, 2022.
[25] A. Nikam and D. Ambawade, “Opinion Metric Based Intrusion Detection Mechanism for RPL
Protocol in IoT,” 2018 3rd Int. Conf. Converg. Technol. I2CT 2018, pp. 1–6, 2018, doi:
10.1109/I2CT.2018.8529770.
[26] D. Airehrour, J. A. Gutierrez, and S. K. Ray, “SecTrust-RPL: A secure trust-aware RPL
routing protocol for Internet of Things,” Futur. Gener. Comput. Syst., vol. 93, pp. 860–876,
2019, doi: 10.1016/j.future.2018.03.021.
[27] W. Choukri, H. Lamaazi, and N. Benamar, “RPL rank attack detection using Deep Learning,”
2020 Int. Conf. Innov. Intell. Informatics, Comput. Technol. 3ICT 2020, pp. 5–10, 2020, doi:
10.1109/3ICT51146.2020.9311983.
[28] R. Stephen and L. Arockiam, “RIAIDRPL: Rank Increased Attack (RIA) Identification
Algorithm for Avoiding Loop in the RPL DODAG,” Int. J. Pure Appl. Math., vol. 119, no.
September, pp. 1203–1209, 2018.
[29] U. Shafique, A. Khan, A. Rehman, F. Bashir, and M. Alam, “Detection of rank attack in
routing protocol for Low Power and Lossy Networks,” Ann. des Telecommun. Telecommun.,
vol. 73, no. 7–8, pp. 429–438, 2018, doi: 10.1007/s12243-018-0645-4.
[30] A. Le, J. Loo, A. Lasebae, A. Vinel, Y. Chen, and M. Chai, “The impact of rank attack on
network topology of routing protocol for low-power and lossy networks,” IEEE Sens. J., vol.
13, no. 10, pp. 3685–3692, 2013, doi: 10.1109/JSEN.2013.2266399.
162
�