Future Generation Computer Systems 125 (2021) 698–714
Contents lists available at ScienceDirect. Journal homepage: www.elsevier.com/locate/fgcs

A Softwarized Intrusion Detection System for the RPL-based Internet of Things networks

George Violettas*, George Simoglou, Sophia Petridou, Lefteris Mamatas
Department of Applied Informatics, University of Macedonia, Egnatia 156, Thessaloniki, Greece

Article history: Received 11 February 2021; Received in revised form 3 June 2021; Accepted 10 July 2021; Available online 17 July 2021.

Keywords: Internet of Things; RPL protocol; RPL attacks; IoT security; Intrusion Detection System.

Abstract

The Internet of Things (IoT) constitutes a pivotal contributor to the Industry 4.0 (I 4.0) vision, technologically transforming production and societies. It enables novel services through the seamless integration of devices, such as motes carrying sensors, with the Internet. However, the broad adoption of IoT technologies is facing security issues due to the direct access to the devices from the Internet, the broadcasting nature of the wireless media, and the potential unattended operation of relevant deployments. In particular, the IPv6 Routing Protocol for Low-Power and Lossy Networks (RPL), a prominent IoT solution, is vulnerable to a large number of attacks, both of general-purpose and RPL-specific nature, while the resource constraints of the corresponding devices make attack mitigation even more challenging, e.g., in terms of the involved control overhead and detection accuracy. In this paper, we introduce ASSET, a novel Intrusion Detection System (IDS) for RPL with diverse profiles to tackle the above issues, which mitigates at least 13 attacks, whereas other solutions go up to eight. ASSET, inspired by the network softwarization paradigm, supports a novel, extendable workflow, bringing together three anomaly-detection and four RPL specification-based mechanisms, a novel attacker identification process, as well as multiple attack mitigation strategies. Our IDS also supports an adaptable control & monitoring protocol, trading overhead for accuracy depending on the network conditions. The proof-of-concept experiments show that ASSET entails a low overhead for the different modes of operation it supports (i.e., 6.28 percent on average) compared to other solutions reaching up to 30 percent. At the same time, it also keeps the power consumption at acceptable levels (from 0.18 up to 1.54 percent more). Moreover, it provides 100 percent accuracy for specific attacks and can identify the attacker in far more attacks than any other similar solution.

© 2021 Elsevier B.V. All rights reserved.

1. Introduction

The Internet of Things (IoT) is developing rapidly and, among others, is the technological enabler for smart-x ecosystems and the next-generation advanced manufacturing, referred to as I 4.0 (Industry 4.0), that includes smart products, smart production, and smart services. Indeed, recent advances in communication technology, e.g., 5G networks, along with the Industrial IoT (IIoT), evolve the request for mass production and automation from the principal idea to connect everything in the production chain to the more sophisticated context of broader and more fine-grained interconnections [1]. For example, a network of geographically distributed factory branches requires sharing resources and assets to improve orders' fulfillment. Data transfer among different entities is an essential but also a critical issue in such an automation ecosystem. The facility of exploiting everyday Internet-enabled devices as endpoints for accessing resources is an asset. Still, it entails hundreds of smart devices, sensors, and actuators communicating throughout large-scale IoT deployments, where, among others, security is an essential requirement.

1.1. Motivation

A prominent, standardized routing solution for IoT is the IPv6 Routing Protocol for Low-Power and Lossy Networks (RPL) [2,3], characterized by significant benefits. These include IPv6 support, moderate control overhead, and efficient low-power operation under challenging conditions, e.g., lossy links and heterogeneous, constrained devices with respect to their power, storage, memory and processing capabilities [4,5]. Despite its advantages, RPL still has open issues, the most important of which are related to attacks, since it is based on the open IP(v6) stack and primarily uses wireless media for the nodes' communication.

According to the literature [6], RPL-related attacks include malicious actions aiming at: (i) exhausting nodes' resources as a means of significantly reducing the network's lifespan and availability, and (ii) disrupting the structure of the Destination-Oriented Directed Acyclic Graph (DODAG), upon which nodes' communication is based, affecting the network's performance with respect to packet losses and end-to-end (E2E) delays. Passive attacks that monitor and intercept network traffic, e.g., sniffing and traffic analysis, are not part of the paper's scope since they do not exclusively concern RPL.

In fact, some attacks have no significant impact as standalone events, but they can be critically detrimental to the network in conjunction with others. Indicatively, impersonation attacks leave space for malicious activities to originate inside the network, against which encryption is not a suitable solution [7] because, for example, an insider attacker that gets access to the symmetric keys bypasses the applied RPL security mechanisms. Authenticated security could be a solution, but the RPL RFC [2] does not specify any mechanisms for public key cryptography [8], which possibly cannot be supported by constrained nodes [9]. Hash schemes have been used for topology authentication without being able to mitigate rank-replay attacks [10].

On the protocol bulletproofing front, the RPL standard [2] specifies three modes of operation, i.e., unsecured mode, preinstalled mode, and authenticated mode. At the same time, it also defines mechanisms for data confidentiality and authenticity, and replay protection [11,12]. Nevertheless, up to this time, RPL implementations on the most commonly used operating systems (e.g., Contiki OS and TinyOS) assume the unsecured mode of operation, putting aside RPL's security features, which are essentially characterized as optional. The authors in [11,13] elaborate on a partial implementation of such features, while according to [8], future versions of RPL will address such issues as authenticated security.

Until then, a suitable approach to counter malicious activities is Intrusion Detection Systems (IDSs) [6,7,12]. IDSs refer to a set of methods designed toward: (i) detecting an attack, (ii) identifying the attacker, and (iii) mitigating the event. They aim to detect several attacks concurrently, and ideally, they can be extended to deal with attacks that are not originally included in their design goals. Compared to standalone mechanisms, they require some degree of collaboration among the network's nodes [12].

Regarding RPL security, the design, development, and evaluation of an IDS should satisfy a set of requirements that reflect the solution's width and depth. We define the metrics of robustness and extendability for quantitative evaluation (width), referring to the range over which the impact of an IDS can be spread with respect to the number of attacks detected. Furthermore, given that new attacks and security issues emerge as IoT research progresses, IDSs should be developed as a set of software components (mechanisms) that can be quickly modified on-the-fly to counter attacks beyond their initial scope.

Moreover, we define the metrics of accuracy and mitigation time for qualitative evaluation (depth). In fact, an IDS should exhibit a high accuracy rate regarding both the event and the adversary; this means that the system does not misinterpret normal events or nodes' behavior as attacks or attackers, respectively, while minimizing the cases in which attacks or intruders go undetected. Once an attack/attacker has been detected, a mitigation strategy should be employed to rapidly handle the malicious nodes and restore the network's operation.

The research field of IDSs in the IoT domain is generally vast. Still, only a restricted subset of them is appropriate for Low-power and Lossy Networks (LLNs) [14,15], i.e., they take into consideration limitations regarding their lossy links and heterogeneous, resource-constrained devices. In fact, most of them have been proposed in the recent bibliography, i.e., from 2013 to 2020 [6,12,14]. An overview of these works makes clear that there is no one-for-all solution that succeeds in all three axes, i.e., to detect several attacks at once, to identify the intruder, and to mitigate the event, and at the same time meets the aforementioned requirements of robustness, extendability, high accuracy and rapid mitigation.

1.2. Contribution

Along these lines, we introduce ASSET, a softwarized Intrusion Detection System that offers a holistic approach to shield an RPL-based IoT network against different types of attacks. Our system is inspired by the Software-Defined Networking (SDN) paradigm, i.e., it transfers functionality from the constrained end-nodes to central premises, i.e., the Controller, offloading both computational and communication overhead. At the same time, it follows a modular architecture that allows adaptations.

In particular, ASSET offers a novel workflow hosting well-known mechanisms for data analysis, e.g., the K-Means algorithm, that can efficiently collaborate in data exchange toward detecting several attacks and multiple intruders in the network. The challenging point is that we managed to appropriately synthesize a framework of independent components that are not merely put one next to the other, but work as an integrated whole. Moreover, ASSET's workflow provides the background for further enhancements and extensions regarding detection or mitigation of attacks.

Next, we experiment with a minimum set of mechanisms for anomaly and RPL specification-based detection, able to address as many as 13 different types of RPL-related attacks with high accuracy and moderate cost. We exploit our literature review findings showing that combining detection methods as well as placement strategies brings advantages to the system [14]. In particular, ASSET hosts three anomaly detection methods at the node and/or the Controller level, to provide the alternatives of a lightweight and a computationally intensive solution, and four specification-based ones.

Most importantly, we develop an adaptable control & monitoring protocol enabling centralized network supervision. In practice, the protocol offers: (i) monitoring of RPL-related data, like UDP packets or ICMP statistics, in an adaptable fashion, i.e., trading the amount of communicated information for control overhead with respect to the network's conditions; (ii) configuring RPL parameters on-the-fly as a means of enforcing centralized decisions on the network nodes once a mitigation action should be taken; and (iii) communicating node-level anomaly detection events that should trigger further investigation centrally, e.g., detailed monitoring by the Controller. To achieve adaptability, we define three modes of the protocol's operation, i.e., slim-mode, which offers "baseline" monitoring at regular periods; essential-mode, which indicates the first level of surveillance due to detected anomalies in more than three nodes; and full-function-mode, which denotes the need for intensive surveillance due to detected anomalies that require detailed data from IoT nodes.

The novelties of ASSET can be summarized as follows: (i) detection and mitigation have been automated since all the mechanisms are incorporated under the umbrella of one workflow, orchestrated by the central controller; (ii) existing node-level features became centralized to offer a better balance and response capabilities; (iii) node-level features are programmable, with some addressing several attacks, providing a holistic view; (iv) the modular architecture makes it easy to add new features or alter existing ones; (v) it can be easily deployed over any kind of RPL network, anywhere in the central infrastructure, by only materializing the connection with the sink node; (vi) the bespoke, fully parameterizable GUI provided makes it a powerful tool in the hands of network administrators.

The rest of the paper is outlined as follows. We briefly present the RPL protocol and the attacks associated with it in Section 2. In Section 3 we elaborate on the proposed system, including details of its architecture, interfaces, and mechanisms. Our evaluation results are illustrated and discussed in Section 4. Related IDSs along with a comparative overview are presented in Section 5, while conclusions along with further-step ideas are summarized in the final section.

* Corresponding author. E-mail address: [email protected] (G. Violettas).
https://doi.org/10.1016/j.future.2021.07.013
0167-739X/© 2021 Elsevier B.V. All rights reserved.
2. Background

2.1. RPL protocol

Our work elaborates on the RPL protocol [2] since it is the state-of-the-art routing protocol for LLNs. RPL is a distance-vector IPv6 protocol operating over the 6LoWPAN (IPv6 over Low-Power Wireless Personal Area Networks) protocol stack, where each node builds the so-called DODAG to maintain an updated network topology [4,5]. RPL primarily supports multipoint-to-point communication, i.e., from the leaf nodes upwards to the sink node(s), which operates as a border router connecting the LLN with the fixed infrastructure, e.g., via a serial connection.

RPL constructs the DODAG by utilizing an Objective Function (OF), which evaluates the different possible pathways from every node to the sink by solving a multi-variable, multi-objective optimization problem for route discovery. The default Minimum Rank with Hysteresis Objective Function (MRHOF) [16] considers the number of hops to the sink node and/or the quality of each link between participating nodes on the above pathway(s) by utilizing the Expected Transmission Count (ETX) metric. Other, more sophisticated OFs are also described in the bibliography [17].

To avoid DODAG loops, RPL assigns each node a rank value related to the rank of the attached parent node and the distance from the sink. A node can be (re-)attached to the graph with a lower rank than its current one upon discovering a new preferred parent. The opposite case (an updated greater rank) triggers a Global Repair self-healing mechanism, i.e., recalculating ranks for all network nodes [18], to avoid count-to-infinity problems. Moreover, a node resets its rank and re-solicits neighbors (i.e., Local Repair) once it loses its parent, i.e., without waiting for the whole network to reset [19]. To avoid exploitation of the above mechanisms, which cause overhead and delays, the RPL RFC [2] suggests a maximum threshold per hour for the repairs.

RPL's RFC [2] also defines four ICMPv6 (Internet Control Message Protocol) messages for information exchange and for facilitating the DODAG construction. The DIO (DODAG Information Object) message is first fired by the sink, multicast and propagated downwards until all reachable nodes receive it. Among others, it includes timer settings, the DODAG version, and the mode of operation (storing/non-storing). DAO (Destination Advertisement Object) messages travel upward, advertising each node's ancestor until reaching the sink. The same information (node–ancestor pair) is also stored by each node the DAO went through. This way, each node maintains a version of the DODAG. DIS (DODAG Information Solicitation) is a message (multicast, or unicast to a specific neighbor) beaconed periodically by a parentless node to solicit potential parents in its radio-coverage vicinity. DAO-ACK is an optional message for DAO acknowledgment that is usually omitted since it causes heavy overhead.

As the fundamental pillar of RPL, the DODAG needs to be updated and maintained frequently. A dedicated algorithm, the Trickle Timer, handles the frequency of DIO messages, upon which the graph's convergence time is based. The algorithm balances preserving the node's power consumption against keeping the network information up-to-date and trustworthy. To achieve this trade-off, the DIO dispatching frequency varies from a few seconds up to 17.5 min, since the Trickle Timer's interval is doubled each time it expires [5]. Any change in the DODAG, e.g., an unreachable parent, a DIO or DAO mismatch, or a new parent selection, causes a Trickle Timer reset for the particular node. As a result, DIO messages are dispatched at a higher rate when the network is unstable and at a slower rate otherwise, preserving energy and reducing network traffic.

The DODAG, as well as the RPL messages and mechanisms, are the origin of the so-called RPL-related attacks described in the next section.

2.2. RPL-related attacks

Routing in RPL networks is challenging due to the resource constraints of the connected devices. Moreover, such networks support dynamic topologies and are based on the wireless medium's passive nature. Consequently, they attract malicious actions, including but not limited to denial of service (DoS) attacks, physical damage, and/or extraction of sensitive information, e.g., the DODAG version, nodes' rank values, and nodes' IDs. In fact, legitimate nodes can be compromised by exploiting the RPL mechanisms themselves. Suppose a compromised node is located near the sink. In that case, a combination of attacks can be launched with severe effects, spanning from resource depletion of nodes, due to a sharp increase in the control overhead, to delays in data delivery, owing to graph repairs.

A. Raoof et al. [12] provide an interesting classification of the attacks into those that are due to features inherited from WSNs (Wireless Sensor Networks) and those designed to explicitly exploit the protocol's mechanisms or vulnerabilities. Along these lines, we briefly present a comprehensive list of the most common and disrupting attacks on the RPL protocol in the light of their origin rather than their impact, e.g., a Sinkhole attack can degrade the quality of service in the network and eventually result in DoS for some parts of it [12].

In RPL networks, similarly to WSNs, topology exploitation is an obvious starting point of malicious actions since packet routing depends on the DODAG. Typical routing disruption attacks, such as Wormhole [15,20,21], Blackhole [15,22], and Selective Forwarding [15,23] (also known as Grayhole), cause network traffic loss, topology inconsistencies, and significant delays since parts of the network can get disconnected. A malicious node may either drop packets (completely or partially) or alter its standard routes once it gains an important position in the graph, e.g., a parent node with many other nodes attached.

Other typical network attacks, like Flooding [24], Replay [25] or Neighbor [24] attacks, execute repetitive or falsified message sending in order to deceive their victims and introduce inconsistencies. This subtle manipulation can yield severe topology issues and excessive energy consumption, especially in dynamic networks with mobile nodes [26]. Unlike Replay attacks in WSNs, which are performed with data packets, in RPL the idea is to record legitimate control messages and forward them later.

Impersonation attacks, such as Clone-ID [6], or the more sophisticated Sybil [23] attack, originate from a malicious node embezzling the identity(ies) of one or several legitimate node(s). The goals vary from disrupting the routing topology to submitting forged data in the network or deceiving/manipulating a reputation-based/voting-based system. These types of attacks need a centralized authority to be tackled successfully [27].

Besides the above, several attacks exploit specific RPL features, such as the rank and version fields of control messages, the protocol's self-healing mechanisms, or the operation modes. Rank attacks include: (i) the Decreased Rank [28] or Sinkhole [23] attack, where the malicious node advertises a low rank value to force all neighboring nodes to select it as a parent; (ii) the Increased Rank [29,30] attack, where an adversary near the sink advertises a high rank value to compel all neighboring nodes to avoid it and eventually make a sub-optimal parent choice; and (iii) the Worst Parent [30] attack, where the adversary intentionally makes the worst parent selection for itself to forward the received packets via non-optimal paths. Eventually, an attacker can powerfully reshape the topology to diverge from the optimal one [31], with consequences regarding increased traffic, high energy consumption, packet delay, and even routing loops.

DODAG inconsistencies are an ordinary situation that is normally addressed by the protocol's self-healing mechanisms as a means of conserving the nodes' energy. Unfortunately, in several cases, an adversary can take advantage of them. Well-known examples include the DODAG Version or DODAG Inconsistency [32], Global Repair [33,34], Local Repair [15], DIS message [24,35], and DAO inconsistency [6] attacks. Indicatively, Local Repair messages from a malicious node cause all neighboring nodes to unnecessarily re-calculate their paths, causing control overhead and resource exhaustion. Even worse is the case of exploiting the Global Repair feature (by advertising a higher version number than the current one) to reconstruct the whole DODAG from scratch. A malicious node at the network edge may thus cause severe topology inconsistencies, routing loops, and delays.
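The Trickle Timer behaviour described in Section 2.1 (DIO interval doubling from a few seconds up to about 17.5 min, and the reset on any DODAG inconsistency) is easiest to see in a short simulation. The following is an added example written for this page; it is not code from the paper or from the ASSET repository. The parameter values are assumptions taken from Contiki's defaults (minimum interval 2^12 ms, 8 doublings, redundancy constant k = 10); the timer logic itself follows RFC 6206.

```python
"""Trickle timer (RFC 6206) as RPL uses it to pace DIO transmissions.

Added example, not from the paper or from ASSET. Shows why a quiet node ends
up sending a DIO roughly every 17.5 min, and why a node that keeps detecting
inconsistencies (parent changes, DIO/DAO mismatches) floods DIOs instead.
"""
import random

IMIN_MS = 2 ** 12                  # 4.096 s: Contiki default minimum DIO interval (assumption)
DOUBLINGS = 8                      # Contiki default; Imax = Imin * 2**8 = 1048.576 s (~17.5 min)
IMAX_MS = IMIN_MS << DOUBLINGS
K = 10                             # redundancy constant: suppress the DIO if >= K consistent DIOs heard


class Trickle:
    """One node's Trickle state for DIO scheduling (RFC 6206 semantics)."""

    def __init__(self, rng):
        self.rng = rng
        self.interval = IMIN_MS
        self._start_interval()

    def _start_interval(self):
        self.c = 0                                                        # consistent DIOs heard
        self.t = self.rng.randint(self.interval // 2, self.interval - 1)  # send time t in [I/2, I)

    def hear_consistent(self, n=1):
        self.c += n

    def suppressed(self):
        return self.c >= K

    def expire(self):
        """Interval ended without trouble: I = min(2I, Imax), then start a new interval."""
        self.interval = min(self.interval * 2, IMAX_MS)
        self._start_interval()

    def inconsistency(self):
        """Inconsistency detected: reset to Imin, unless the timer is already there."""
        if self.interval > IMIN_MS:
            self.interval = IMIN_MS
            self._start_interval()
            return True
        return False


def interval_growth(n_intervals, seed=0):
    """Interval lengths a quiet node walks through, starting from Imin."""
    tr = Trickle(random.Random(seed))
    out = []
    for _ in range(n_intervals):
        out.append(tr.interval)
        tr.expire()
    return out


def simulate_dios(window_ms, inconsistency_times_ms=(), heard_per_interval=0, seed=1):
    """Count the DIOs one node sends within window_ms.

    inconsistency_times_ms: absolute times at which the node detects an inconsistency.
    heard_per_interval: consistent DIOs heard from neighbours in every interval
                        (>= K means the node's own DIO is suppressed).
    """
    tr = Trickle(random.Random(seed))
    pending = sorted(inconsistency_times_ms)
    now, dios = 0, 0
    while now < window_ms:
        end = now + tr.interval
        fire_at = now + tr.t
        tr.hear_consistent(heard_per_interval)
        # Inconsistencies seen while I == Imin are no-ops (RFC 6206, step 6): drop them.
        while pending and pending[0] < end and tr.interval == IMIN_MS:
            pending.pop(0)
        cut = pending.pop(0) if (pending and pending[0] < end) else None
        if cut is None:
            if fire_at < window_ms and not tr.suppressed():
                dios += 1
            now = end
            tr.expire()
        else:
            # The interval is truncated at the inconsistency; the DIO only went out
            # if its random transmission time t had already passed.
            if fire_at <= cut and fire_at < window_ms and not tr.suppressed():
                dios += 1
            now = cut
            tr.inconsistency()
    return dios


if __name__ == "__main__":
    print("intervals:", interval_growth(10))
    print("stable hour:", simulate_dios(3_600_000))
    print("inconsistency every 60 s:", simulate_dios(3_600_000, range(60_000, 3_600_000, 60_000)))
```

A node that never sees an inconsistency reaches Imax after eight doublings and then sends one DIO per 17.5-minute interval, so about ten DIOs in the first hour; a node that is forced back to Imin every minute (as a Local Repair or DIS attack would do) sends well over a hundred. That difference in ICMP control-message rate is exactly the kind of per-node statistic a node-level anomaly detector can watch.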
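The rank attacks listed above (Decreased Rank / Sinkhole in particular) and the RPL rank rule they violate can be made concrete with a small DODAG simulation. This is an added example for this page, not code from the paper or from ASSET, and the specification check it ends with is this example's own illustration of a rank-consistency rule (RFC 6550: a node's rank must be at least its parent's rank plus MinHopRankIncrease), not a description of ASSET's four specification-based mechanisms. The topology, the link ETX values, and the simplified MRHOF-like rule rank = parent_rank + ETX * MinHopRankIncrease are constructed for the example.

```python
"""Decreased-rank (sinkhole) attack on a toy RPL DODAG, plus a rank-consistency check.

Added example, not from the paper or from ASSET. A compromised node three hops
from the root advertises rank 512 (i.e. "I am a child of the root"); the nodes
around it re-parent under it, so their upward traffic now flows through the
attacker. A controller that knows every node's advertised rank and neighbour
list (as ASSET learns them from [NN] messages) can flag the liar: no neighbour
of the attacker has a rank low enough to justify the advertised value.
"""

MIN_HOP_RANK_INCREASE = 256          # RFC 6550 DEFAULT_MIN_HOP_RANK_INCREASE
ROOT_RANK = MIN_HOP_RANK_INCREASE    # RFC 6550: the DODAG root advertises ROOT_RANK
INFINITE_RANK = 0xFFFF

# Constructed topology (not from the paper): undirected links with an integer ETX each.
LINKS = {
    ("root", "n1"): 1, ("root", "n2"): 1,
    ("n1", "n3"): 1, ("n2", "n3"): 2, ("n2", "n4"): 1,
    ("n3", "n5"): 1, ("n4", "n5"): 1, ("n3", "n6"): 1,
    ("n5", "n6"): 1, ("n5", "n7"): 1, ("n6", "n7"): 1,
}


def adjacency(links):
    adj = {}
    for (a, b), etx in links.items():
        adj.setdefault(a, {})[b] = etx
        adj.setdefault(b, {})[a] = etx
    return adj


def build_dodag(links, lies=None):
    """Run distributed parent selection to convergence.

    Each node picks the neighbour minimising advertised_rank + ETX * MinHopRankIncrease
    (an MRHOF-like rule, simplified for the example). Nodes listed in `lies`
    advertise the given rank instead of the one they computed, which is what a
    decreased-rank attacker does. Returns (true_rank, parent, advertised_rank).
    """
    lies = lies or {}
    adj = adjacency(links)
    rank = {n: INFINITE_RANK for n in adj}
    rank["root"] = ROOT_RANK
    parent = {n: None for n in adj}

    def advertised(n):
        return lies.get(n, rank[n])

    changed = True
    while changed:
        changed = False
        for n in adj:
            if n == "root":
                continue
            candidates = [(advertised(m) + etx * MIN_HOP_RANK_INCREASE, m)
                          for m, etx in adj[n].items() if advertised(m) != INFINITE_RANK]
            if not candidates:
                continue
            best_rank, best_parent = min(candidates)      # ties broken by name, deterministic
            if best_rank < rank[n] or (best_rank == rank[n] and best_parent != parent[n]):
                rank[n], parent[n] = best_rank, best_parent
                changed = True
    return rank, parent, {n: advertised(n) for n in adj}


def victims(parent, attacker):
    """Nodes whose preferred parent is the attacker, i.e. whose upward traffic it now sees."""
    return {n for n, p in parent.items() if p == attacker}


def rank_consistency_violations(adj, advertised):
    """Controller-side check: a non-root node advertising rank r must have at least one
    neighbour advertising rank <= r - MinHopRankIncrease, otherwise r cannot be genuine."""
    bad = []
    for n in adj:
        r = advertised[n]
        if n == "root" or r == INFINITE_RANK:
            continue
        if not any(advertised[m] <= r - MIN_HOP_RANK_INCREASE for m in adj[n]):
            bad.append(n)
    return bad


if __name__ == "__main__":
    adj = adjacency(LINKS)
    _, parent, adv = build_dodag(LINKS)
    print("honest parents:", parent, "violations:", rank_consistency_violations(adj, adv))
    _, parent, adv = build_dodag(LINKS, lies={"n6": 512})
    print("n6 lies: victims", victims(parent, "n6"),
          "violations:", rank_consistency_violations(adj, adv))
```

Note that the victims (n5 and n7) pass the check: their ranks are legitimate given what their neighbour advertised. Only the attacker fails it, which is why a specification-based check that uses the Controller's global view of neighbour ranks can point at the attacker rather than at the nodes that merely reacted to it.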
The Routing Table Overload [24] and Routing Table Falsification [30] attacks resemble Flooding and Replay attacks, in the sense that an adversary sends plenty of bogus routes. The goal is either to disorient compromised nodes, or to saturate their routing tables directly so that they cannot accept the legitimate DAO messages upon which correct routes can be built. Memory depletion, packet loss, and delays are among their effects.

In the aftermath, elaborating on the security issues stemming from the attacks is very challenging due to the diversity of attacks, the particularity of the malicious nodes' placement in the network, and the detrimental effects of combining simple attacks, among others. Since many of the attacks share common features regarding either their origin, e.g., exploitation of the Local Repair self-healing mechanism, or their impact, e.g., irregularities in the data and/or control packet rates of the affected nodes, our proposal invests in this observation. Thus, ASSET accommodates a minimum set of mechanisms for anomaly and RPL specification-based detection, able to address as many as 13 different types of RPL-related attacks with high accuracy and moderate cost. Next, we present and discuss ASSET's details.

3. Proposed system

Here, we provide the design artifacts of ASSET, including its high-level architecture and details of the control channel interface. Furthermore, we describe the basic workflows for attack detection, intruder identification, and attack mitigation, along with the relevant incorporated mechanisms.

ASSET can mitigate a large number of attacks with high accuracy since it exploits the softwarization paradigm in computer networks, which allows: (i) centralized monitoring and control of the network; (ii) co-existence of multiple mechanisms while being extendable to support new algorithms; and (iii) consideration of both global and local viewpoints of the IoT network. For example, anomaly detection at the node (or a central) level may trigger other, specification-based detection mechanisms. At a functional level, ASSET mainly consists of a network Controller with attack detection, attacker identification and mitigation algorithms; a control channel interface with adaptable control overhead; and node-level features for anomaly detection, network control and monitoring.

The Controller can collect information, both passively and actively, from different layers, i.e., we currently utilize network-layer and application-layer data. Such a cross-layer approach helps to maintain a detailed network view towards accurate decision-making. Attack mitigation is possible by mandating RPL parameter changes in real time, e.g., as in [36,37]. In practice, it provides a front-end to the administrator, supporting several mechanisms for detecting both the attacks and the attackers, along with threat mitigation.

The Controller communicates with the nodes through the Southbound Interface, utilizing a lightweight protocol to look up or configure particular RPL parameters on-the-fly, monitoring the network in an adaptable fashion, i.e., trading information accuracy for control overhead, and communicating anomaly detection events from the data communication to the application plane. Such information is derived by lightweight monitoring and fast anomaly detection at the node level, to reduce the communication overhead with the Controller.

The proposed IDS has been implemented in Contiki OS [38] and Java, also utilizing the Weka [39] and Graphstream [40] libraries, featuring a unified workflow that embodies several mechanisms addressing multiple attacks. In practical terms, the code is under refactoring, targeting goals such as full modularity and extendability, e.g., the ability to add or replace an anomaly detection mechanism. We released the IDS as open source,1 under GPLv3.0.

1 https://github.com/SWNRG/ASSET.

Regarding node heterogeneity, although we used Zolertia Z1 firmware, we noticed that other node types are also compatible (e.g., Sky motes). More experiments with heterogeneous hardware and software can benefit ASSET.

We now detail the IDS architecture and its primary interfaces.

3.1. Architecture & interfaces

Fig. 1. The architecture of ASSET IDS.

The ASSET IDS adopts a three-tier architecture, aligned with the SDN paradigm [41]. In Fig. 1, we depict the Data Communication, Control, and Application Planes as well as their main components, detailed below.

The Data Communication Plane concerns the IoT infrastructure, including the RPL-based protocol stack of the corresponding nodes. We enable cross-layer configuration hooks into the protocol stack [36,37], allowing the Controller to read or apply configuration settings, e.g., to instantly enforce changes in RPL operation to mitigate attacks. Furthermore, the nodes support control packet statistics that are either processed locally, i.e., by providing per-node anomaly detection capabilities, or communicated to the Controller. The Data Communication Plane interacts with the Control Plane through the Southbound Interface, carrying either packet statistics from the nodes to the Controller or configuration actions in the opposite direction.

The other two layers, i.e., the Control and Application Planes, reside at the Controller and interact with each other through the Northbound Interface, which is REST-based. The Control Plane is responsible for the network control aspects, while the Application Plane is responsible for the IDS data analysis and GUI features.

The Control Plane is attached to the sink node, employing passive and active data communication monitoring of the nodes,
i.e., retrieving data communication statistics from the sink or the nodes, respectively. The RPL control engine is responsible for enforcing particular RPL configuration processes and for receiving node-level anomaly detection events from the nodes. The data communication statistics and the anomaly detection events are communicated to the Application Plane through the Northbound Interface for further actions. Furthermore, the Control Plane maintains a real-time network representation based on the Graphstream library [40,42].

The Application Plane provides the GUI and configuration aspects of the IDS. It supports a real-time visualization of the IoT topology, which also designates potential IoT nodes acting as attackers. Furthermore, it provides handles to the administrator for management and configuration aspects of the IoT network and the intrusion detection process. Finally, it is responsible for the data analysis tasks of the Controller, including controller-level anomaly detection algorithms, specification-based detection mechanisms, classification algorithms for attacker identification, as well as a counter-measures engine, which is responsible for triggering attack mitigation processes as a result of the data analysis.

We now move on to discussing ASSET's interfaces. Since the Northbound Interface is an internal interface of the Controller, we mainly focus on the Southbound Interface, which is essential for the performance of ASSET, especially towards reducing the involved control overhead.

3.1.1. The Southbound Interface

The Southbound Interface utilizes a lightweight application-level protocol that allows the Controller to communicate with the nodes via the sink. The protocol maintains compatibility with the RPL standard while being flexible enough to incorporate new features, such as a novel mechanism for mitigating a newly discovered attack. It supports either pulling of information, i.e., the Controller retrieving monitoring information or configuration parameters

can configure and enable this mode when certain criteria are met (a given number of nodes detect an anomaly).

We now describe in detail the messages exchanged between the Controller and the nodes. In Table 1, we list all messages, and their design primitives, supported by the Southbound Interface and its corresponding network control and monitoring protocol. The last column depicts the specific mode they are utilized in (i.e., slim, essential, full-function).

In RPL, nodes collect information about their neighbors (i.e., nodes within wireless radio coverage) and nominate a preferred parent at time instances specified by the Trickle Timer algorithm. This way, a network graph, i.e., the DODAG, is constructed in a distributed manner. Since this information is local, we implemented a notification feature in every node, triggered by any parent-change event. In such a case, the node transmits a message to the Controller indicating the latest chosen parent with its rank, i.e., an [NP] message. Consequently, the Controller is aware of all nodes' current parents and can form the topology graph. Alternatively, the Controller may proactively request a node's parent information, if such information is missing, through an [SP] message. Slim-mode uses these two messages only.

Other messages from the nodes to the Controller include [IS], [NR], and [NN], communicating ICMP statistics (e.g., total sent and received messages), the node's current rank, and the available neighbors with their ranks, respectively. Whenever a node detects an outlier in its ICMP statistics, it dispatches an [AD] message. Furthermore, the [VN] and [RN] messages inform the Controller of a DODAG Inconsistency or a Local Repair attack, respectively, detected by a node.

The Controller uses designated messages to: (i) solicit a node's missing parent or neighbor information with [SP] and [SN] messages, respectively; (ii) enable or disable ICMP statistics and neighbor information notifications with [EI] and [NL] messages, respectively; and (iii) implement actions to mitigate attacks, in-
from nodes, or pushing information, i.e., the nodes notify the cluding disabling Trickle Timer resets with [TT], blacklisting a
Controller regarding their monitored data periodically. The im- node from becoming a parent with [BL], and disable Local and
plemented protocol configuration hooks [4,5,37], based on the Global Repair features with [LR] and [GR] messages, respectively.
relevant interfaces implemented in the context of the WiSHFUL Consequently, the Southbound Interface enables novel ASSET
project (i.e., called UPIs), enable the Controller to act as a cen- capabilities, i.e., balancing control overhead to given network
tralized network control facility, especially for enforcing attack conditions and the support of multiple intrusion detection fea-
mitigation measures. tures.
The Southbound Interface is responsible for the following as- In the following subsections, we elaborate on the intrusion
pects: (i) monitoring nodes on the statistics of packets exchanged detection workflow of ASSET and its corresponding mechanisms
and RPL behavior, with different levels of accuracy and com- for attack detection, attacker identification, and attack mitigation.
munication overhead, depending on the criticality of network
conditions; (ii) enforcing changes in RPL protocol behavior of 3.2. Intrusion detection workflow
nodes to mitigate an attack; and (iii) communicating node-level
anomaly (or specification-based) detection events—from nodes to ASSET operates over the Controller and the IoT nodes inter-
the Controller—for triggering further actions. In practical terms, changeably, as depicted in Fig. 2, offloading processes tradition-
the interface operates in three different modes, i.e., slim-mode, ally handled by the nodes to a centralized Controller, for a better
essential-mode, and full-function-mode, described as follows: intrusion detection accuracy and resource efficiency.
(1) In slim-mode, ASSET operates with the minimum number of When the network runs stably, in terms of ICMP and data
monitoring messages, being essential to construct the complete traffic behavior, the Controller collects only the active topolog-
graph of the network centrally. Either the Controller requests ical structure (i.e., slim-mode). In parallel, the nodes perform
the parent of a node, or the nodes are periodically reporting all anomaly detection based on their own measured ICMP statistics.
parent changes. This mode is in place in networks without attack In case they detect one or more outliers, they enable the essential-
indications. mode of the Southbound Interface, i.e., start communicating the
(2) In essential-mode, the nodes transmit to the Controller— ICMP statistics to the Controller. Both nodes and Controller com-
besides the slim-mode notifications—periodic ICMP statistics, plementarily support RPL specification-based attack detection,
which enable controller-level anomaly detection. This mode is like monitoring the number of recent local topology repairs and
enabled when a node detects an attack through its node-level DODAG inconsistencies.
anomaly detection process. The Controller performs anomaly detection on data statistics to
(3) In full-function-mode, the nodes complement the previ- detect Blackhole and Grayhole attacks. Furthermore, it may utilize
ous modes with additional information, i.e., the node’s rank and the full-function-mode to request additional information, such
neighbors information for ASSET to detect—among others—Rank as the node’s rank and its neighbors with their corresponding
and Sybil attacks with higher precision. The ASSET administrator ranks to detect a Decreased Rank attack by comparing the rank
G. Violettas, G. Simoglou, S. Petridou et al. Future Generation Computer Systems 125 (2021) 698–714

Table 1
Messages exchanged between the Controller and the nodes.

ID | MESSAGE FORMAT | DESCRIPTION | M
Nodes initiated
NP | [IPv6][IPv6][int] | Node's current parent | S
IS | [IPv6][int] | ICMP statistics | E
AD | [IPv6][boolean] | Anomaly detection notification | E
VN | [IPv6][boolean] | Version attack notification | E
RN | [IPv6][boolean] | Local Repair attack notification | E
NR | [IPv6][int] | Nodes' current rank | F
NN | [IPv6][IPv6 neighbors][list] | Available neighbors and their ranks | F
Controller initiated
SP | [IPv6][int] | Requests the node's parent | S
EI | [IPv6 or multicast][boolean] | Enable/Disable ICMP notifications | E
TT | [IPv6 or multicast][boolean] | Enable/Disable Trickle Timer reset | E
BL | [IPv6][boolean] | Node blacklisted (Y/N) | E
LR | [IPv6 or multicast][boolean] | Enable/Disable Local Repair | E
GR | [IPv6 or multicast][boolean] | Enable/Disable Global Repair | E
SN | [IPv6][list] | Solicits node's neighbors information | F
NL | [IPv6 or multicast][boolean] | Enable/Disable neighbors information | F

(M)ode: S: Slim, E: Essential, F: Full-function.

declared by each node with those reported by its neighboring nodes. The current version of the workflow also supports the detection of Flooding and Replay/Neighbor attacks from the ICMP anomalies created, and of Clone-ID attacks by continuously comparing all nodes' reported IDs. Depending on the type of attack detected, the workflow implements an attacker identification process and several attack-mitigation processes concerning the identified malicious nodes, including node blacklisting, suspension of Local Repairs, or suspension of Trickle Timer Resets.

We now elaborate on the particular attack detection, attacker identification, and attack mitigation mechanisms implemented by the ASSET IDS workflow.

Fig. 2. An abstract view of ASSET's workflow, both on the Controller and node-level.

3.3. Attack detection mechanisms

ASSET exploits the distributed capabilities of RPL to enable a relatively lightweight anomaly detection on a node level, as the first line of defense. By residing on the central infrastructure, it embraces a centralized approach to provide a resource-consuming but more accurate controller-level anomaly detection process, along with several attack-specific detection mechanisms. Moreover, it utilizes RPL specification-based mechanisms to improve its capability to tackle more attacks.

The following subsections detail both anomaly detection processes and the attack-specific detection mechanisms supported by ASSET.

3.3.1. Anomaly detection

ASSET utilizes anomaly detection mechanisms without the need of training data, both at node- and Controller-level.

The node-level anomaly detection operates on every individual node autonomously by monitoring the ICMP messages (DIO, DAO, DIS) produced by the node. Any irregularity found is communicated to the Controller for further action(s). Anomaly detection at node-level is considered rapid and efficient [43,44], because of the locality of detected attacks. Furthermore, relevant mechanisms should be lightweight, i.e., consider the resource-constrained nature of IoT devices. We currently use a low-complexity and memory-efficient mechanism that detects irregularities, i.e., Dixon's or Dixon-Q Test. The same method was successfully used for detecting malicious users in a cognitive radio networks setting, outperforming Grubb's and boxplot tests [45], with the limitation of considering one malicious user only. Since the Dixon-Q test runs on every node and communicates the possible outlier to the Controller, ASSET can employ Dixon-Q to detect multiple concurrent intruders. Dixon-Q is also widely used in other scientific disciplines, for example, as a method for rejecting grossly deviant (outlying) values of data sets [46]. The test assumes a normal (Gaussian) distribution of data, a typical assumption of significance tests, which was found to be true for the ICMP data produced by the nodes in random tests we conducted. The behavior of the particular anomaly detection mechanism in our results implicitly validated this assumption.

In detail, the Dixon-Q test is based on calculating a Q-value, defined as the distance of the value to be tested from its nearest neighbor, divided by the range of values. If it exceeds the tabulated critical Q-test value (i.e., called Qcrit) for a given Confidence Level (CL) and a number of samples N, then this value can be rejected with a probability of erroneous rejection

(type I error) that is a function of the selected confidence level. For example, probabilities p = 0.01, 0.05, and 0.10 correspond to CLs of 99, 95 and 90 percent, since CL = (1 − p) ∗ 100, named as confidence values q99, q95, q90, respectively. The test's sensitivity can be adjusted by altering the size N of the data (i.e., w size), along with the probability p of a Type I error (or confidence level, CL). The Dixon-Q test is lightweight and easy to implement for resource-constrained devices since it only needs a couple of subtractions and one division for every two newly arrived samples. For example, if the samples are 3-digit, the total added complexity is Θ(3) + O(M(3)) log 3, which associates with negligible overhead for resource-constrained devices. Each time an outlier is detected, it is communicated to the Controller through the Southbound Interface as an ''orange'' alert to trigger further intrusion detection actions, such as a Controller-level anomaly detection process.

The Controller can implement more resource-consuming attack detection approaches than the nodes, however with additional control overhead, i.e., the IDS switches to essential-mode, allowing for a global view of the network, to investigate anomalies both in the control and the data traffic. Regarding the control traffic, the relevant process is enabled whenever Dixon-Q detects an anomaly in the neighborhood of one or more nodes. ASSET currently employs Chebyshev's inequality [47], a more accurate but also more complex method compared to Dixon-Q.

When the data distribution is unknown, Chebyshev's inequality theorem guarantees that at least 1 − 1/K² of the data in a sample fall within K standard deviations from the mean. This can be the basis of an outlier detection method [47] by calculating the relevant lower or upper outlier detection value (ODV) limits. Any data value outside these limits is considered to be an outlier. For calculating the ODV limits, there is a need to define a p1 threshold, trimming a small percentage of extreme values at the beginning of the outlier detection process, so that outliers do not bias the standard deviation calculation. Indicative p1 values are 0.01, 0.05, or 0.10. Additionally, a second p2 threshold represents the expected probability of an outlier appearance. The p2 threshold is used to determine outliers, and is usually lower than p1, taking values like 10⁻², 10⁻³, 10⁻⁴. Both p1 and p2 control the sensitivity of the outlier detection process and determine the k values for the outlier pre-filtering (first phase) and the actual outlier detection (second phase) processes, respectively.

Regarding the detection of anomalies in data traffic (Blackhole or Grayhole attacks), ASSET monitors data packet reception based on the K-means algorithm [48] implemented in the Weka library [39]. Given n measurements of nodes to be clustered, a distance measure d to capture their dissimilarity, and the number of clusters to be created (i.e., k = 2 in our case), the algorithm initially selects k random points as the clusters' centers. It assigns the rest of the n − k points to the closest cluster center (according to d). Then, within each of these k clusters, the cluster representative (also known as centroid or mean) is computed. The process continues iteratively with these representatives as the new clusters' centers until convergence. Although this is an NP-hard problem, it is simplified by heuristic algorithms that converge to a local optimum [49].

Next, we describe the specification-based mechanisms of the Controller.

3.3.2. Specification-based detection

To highlight the extendability benefits of ASSET, we introduce basic building blocks that can form alternative RPL specification-based detection methods, including: (i) RPL subsystem or parameter monitoring, which relates to ASSET following the behavior of RPL, reflected in particular parameters, through the Southbound Interface, e.g., the number of Trickle Timer Resets, the nodes' rank values, etc.; and (ii) a number of fixed or adaptable thresholds, indicating an abnormal RPL status in case they are crossed. At this point, ASSET supports four specification-based mechanisms (i.e., Rank Validation, Node ID Validation, Fixed Threshold F and Adaptable Threshold λ based detection), which are briefly described below.

A Decreased Rank attack is detected upon discrepancies between the advertised rank of a node and that of its parent, as reported via [NR] messages. More specifically, according to an algorithm introduced in [35], if a node's rank plus the RPL stabilizing parameter MinHopRankIncrease [2] is lower than its parent's rank, then the latter is considered as an attacker. We also monitor that all advertised ranks are higher than the sink's rank plus the MinHopRankIncrease. Furthermore, the Controller detects a Clone-ID attack via a mechanism named Node ID Validation (∆), which detects two nodes with the same ID.

At this point of the investigation, ASSET uses configurable fixed thresholds F to monitor crucial parameters at the Controller or node level, including the number of triggered Local and Global Repairs, and Trickle Timer Resets; whenever they exceed the particular thresholds, the Controller is notified for further attack detection actions.

Furthermore, we apply an adaptable threshold λ, which we elaborate on here. Several attacks relate to fabricated control messages causing RPL performance issues. For example, the sink node avoids routing loops and topology inconsistencies by increasing the DODAG version whenever a global topology repair occurs. Intruders can inject continuously increasing DODAG versions into the DIO messages they dispatch, causing the receiving nodes to reset their Trickle Timer, implement local topology repairs, and consequently face increased communication overhead. The protocol reduces the effects of such attacks by limiting the number of Trickle Timer Resets based on a fixed RPL threshold with the value 20. Once this threshold is reached, any malformed packets, i.e., with the 'R' flag of the IPv6 header option set, are dropped by the receiving node without triggering Trickle Timer Resets.

Here, we utilize the adaptable λ(r) threshold function introduced in [32], which is more effective than RPL's fixed threshold in terms of reacting to varying attack patterns. We use a fixed threshold F at the node-level in practice, while we introduced a centralized variation of the above algorithm at the controller-level, as

λ(r) = [α + β · e^(1 − γ·r)],  where  r = (Σ_{i=1}^{n} E_pkts^i) / (Σ_{i=1}^{n} D_pkts^i),

α = 5, n is the number of nodes communicating packets, E_pkts is the number of received packets with the 'R' flag set true, and D_pkts is the total number of packets received. β is chosen to lead to a default λ(r) value of 20 (i.e., as suggested by the RPL RFC [2]) and α ensures that λ(r) cannot be zero. The value of γ, according to the authors, should be 20 < γ < 25, i.e., we set it to the value 22 in our case. Such a centralized variation brings the advantage of having a λ value characterizing the whole topology, so a local attack incident leads to the corresponding protection of all nodes in the network.

In our case, the adaptable threshold λ appears more conservative compared to the one introduced in [32], since the r value reduces with the topology size. However, it produces excellent results in the particular experiments we carried out. A possible improvement could be a normalization of the equation with respect to the number of nodes.

In a similar way, other mechanisms monitoring particular RPL subsystems or parameters and applying thresholds could be implemented to detect additional attacks. Right below, we proceed with the description of the attacker identification mechanism introduced here.
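As an added example (not the authors' code), the centralized λ(r) of the equation above with α = 5, γ = 22 and β derived from the stated default λ = 20, which is assumed here to be λ(0), i.e., the value with no 'R'-flagged packets observed; the node counters are constructed, and the comparison of a 25-node and a 50-node topology receiving the same 'R'-flagged traffic illustrates the remark that r, and hence the strictness of λ, depends on the topology size.

```python
"""Adaptable Trickle Timer reset threshold lambda(r) computed centrally, as
the text states it (added example, not the authors' code). Counters are
constructed."""
import math

ALPHA = 5.0       # alpha: keeps lambda(r) above zero for any r
GAMMA = 22.0      # gamma: the text sets 22 within the 20 < gamma < 25 range
RPL_FIXED = 20    # RPL's fixed limit on 'R'-flagged packets before dropping

# beta such that the default lambda equals RPL's 20. Assumption: "default"
# means no 'R'-flagged packets seen yet (r = 0), i.e. alpha + beta * e = 20.
BETA = (RPL_FIXED - ALPHA) / math.e


def lam(r):
    """lambda(r) = alpha + beta * exp(1 - gamma * r); the brackets in the text
    are read as plain grouping, so the value is returned unrounded."""
    return ALPHA + BETA * math.exp(1.0 - GAMMA * r)


def r_ratio(node_stats):
    """r = (sum of packets received with the 'R' flag set) / (sum of all
    packets received), over all nodes. node_stats: id -> (E_pkts, D_pkts)."""
    e_total = sum(e for e, _ in node_stats.values())
    d_total = sum(d for _, d in node_stats.values())
    return 0.0 if d_total == 0 else e_total / d_total


def controller_threshold(node_stats):
    """One lambda characterising the whole topology, pushed to every node."""
    return lam(r_ratio(node_stats))


def drop_without_reset(rflag_seen, threshold):
    """Node-side rule from the text: once the 'R'-flag packet count reaches
    the threshold, further such packets are dropped without a Trickle reset."""
    return rflag_seen >= threshold


def constructed_topology(n_nodes, attacked, rflag_each=10, pkts_each=10):
    """n_nodes nodes, each with pkts_each ordinary packets; the `attacked`
    node indexes additionally received rflag_each 'R'-flagged packets."""
    stats = {}
    for i in range(n_nodes):
        e = rflag_each if i in attacked else 0
        stats[f"n{i}"] = (e, pkts_each + e)
    return stats


def compare_sizes(attacked=frozenset({3})):
    """Same attack traffic in a 25-node and a 50-node topology: the larger
    topology yields a smaller r and therefore a looser (higher) lambda."""
    small = controller_threshold(constructed_topology(25, attacked))
    large = controller_threshold(constructed_topology(50, attacked))
    return small, large
```

With twelve 'R'-flagged packets seen at a node, the 25-node topology's λ (about 11.4) already makes the node drop them without a reset, while the 50-node topology's λ (about 14.7) does not yet, which is the conservativeness the text attributes to the centralized variant.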

Fig. 3. ASSET identifies two concurrent intruders.

3.4. Attacker identification

Several attacks require identifying the intruder(s) before their mitigation, e.g., blacklisting a node causing a Sinkhole attack. In specific cases, intruder detection may be straightforward. For example, a duplicated ID could signify a Clone-ID attack, especially if the IDs are pre-assigned. In such cases, the recommended action could be to engage a human administrator for further steps, or to mark the node that appeared second as a suspect while considering possible network delays as indications of an attack.

For the other cases, we propose a novel intruder identification process that can handle multiple co-existing attacks with high accuracy. Example usage of the ASSET platform and its GUI locating two intruders (marked with red X's) as well as the affected nodes (marked as red diamonds) is shown in Fig. 3.

In Algorithm 1 we detail the proposed attacker identification process. In particular, such a process is triggered by the detection of an anomaly at the Controller-level, i.e., by Chebyshev's inequality approach (line 3). This is based on information related to the implemented monitoring mode, e.g., ICMP statistics in the case of essential-mode. Moreover, Algorithm 1 depicts in line 8 how the Controller continuously monitors each node's data packets for irregularities.

If the K-Means algorithm succeeds in clustering the network nodes into two groups with high confidence, the smallest group will be considered under attack (line 15). It will be further processed for subgraph(s) division, representing multiple co-existing attacks, i.e., defined as a clique. Here, we apply Kosaraju's algorithm [50], which locates the strongly connected components of a directed graph G = (V, E) in linear time (i.e., Θ(V + E) time) [51]. In particular, we utilize the recursive Depth First Search (DFS) algorithm from [51]. Our main assumption is the following. In the case of multiple intruders, the network faces several neighborhoods with disrupted regular operations. Hence, all affected nodes along with the equivalent intruders form strongly connected sub-graphs. The final step applies root node identification for each of the detected sub-graphs, i.e., representing the attacker(s) (line 17). The roots are defined as mother-vertices and located by applying the mother-vertex algorithm. The mother-vertex of a (strongly connected) graph G = (V, E) is a vertex v such that a path from v can reach all other vertices in G. The algorithm has to check whether v is a mother-vertex by executing DFS one more time. Consequently, the complexity of the algorithm is Θ(V + E) + Θ(V + E) = Θ(V + E).

As soon as one or more intruders are identified, a blacklisting process may be initiated, disallowing the attacker(s) from being part of the RPL DODAG. In the following subsection, we discuss the mitigation features supported by ASSET.

Algorithm 1: Intrusion Detection Process
Input : Data / ICMP packets
Output: Intruder node(s) to be blacklisted
 1  /* Continuously monitoring for anomalies */
 2  while ICMP_Statistics do
 3      if Chebyshev(ICMP packets) then
 4          /* Essential mode */
 5          intruder_detection(ICMP packets);
 6      end
 7  end
 8  foreach node do
 9      while new data_packets do
10          intruder_detection(data_packets);
11      end
12  end
13  Function intruder_detection(data_in):
14      /* k-means creates 2 groups of nodes */
15      if (affected_group = k_means(data_in)) then
16          affected_graphs = kosaraju(affected_group);
17          foreach (affected_graphs g) do
18              intruder = graph_mother(g);
19          end
20      end
21  End Function

3.5. Attack mitigation

The final step of the ASSET intrusion detection workflow concerns the attack mitigation. The selection of the appropriate mitigation method to enforce depends on the detection algorithm that precedes, i.e., corresponding to particular types of attacks. In this context, ASSET supports the following mitigation methods:

Algorithm 2: Parent selection considering blacklisted nodes.
Input : Candidate parents p1 and p2
Output: Selected parent
begin
    if (p1 && p2) in blacklist then
        return null;
    else if p1 in blacklist then
        return p2;
    else if p2 in blacklist then
        return p1;
    else
        // Standard RPL-MRHOF objective function
        return p1.ETX < p2.ETX ? p1 : p2;
    end
end

(i) Blacklist Intruder: A large number of attacks can be mitigated by excluding the intruder(s) from being considered as a parent by all nodes in the network. To preserve full compatibility with the RPL standard, we implemented a node blacklisting mechanism (described in Algorithm 2) as an extension of the default OF [16]. In detail, each node maintains a local blacklisting array, which is updated by [BL] messages received from the Controller. Blacklisted nodes are excluded from the parent selection process, even if they appear as more suitable options, as shown in Algorithm 2.

(ii) Ignore Global Repairs and Stop Local Repairs: Since both these mandates may consume significant resources if they are the result of an attack (e.g., a DODAG Inconsistency attack), the ASSET IDS may decide to suspend one or both of them, i.e., the former at the sink and the latter at the concerned nodes, resulting in the suspension of exchanging the corresponding DIO packets. The Ignore Global Repair mitigation method is triggered by the [GR] message transmitted from the Controller to the sink. The Stop Local Repair mitigation method is triggered either locally or through the [LR] message sent from the Controller to the corresponding node(s).

Table 2
Attacks and designated actions supported by the IDS.

Categories | Description and effects of the attack(s) | DM | PS | DI | IA | AM
Topology exploitation: Cause traffic loss, topology inconsistencies or significant delays
Blackhole | Messages to be forwarded are dropped | K | C | U | Y | B
Grayhole | Messages to be forwarded are selectively dropped | K | C | U | Y | B
Network attacks: Capture control messages and forward or replay them maliciously
Flooding | All legitimate messages are replicated | Di,Ch | H | I,U,R | N | G,L,P
Replay | Specific control messages (i.e., DIO) are replicated | Di,Ch | H | I,R | N | G,L,P
Neighbor | Replicates control messages originated from a neighboring node | Di,Ch | H | I,R | N | G,L,P
Impersonation attacks: Steal the identity(ies) of one or more node(s)
Clone-ID / Sybil | Pretends to be a ''legitimate'' node by confiscating its ID | ∆ | C | I,R | Y | B
RPL specific attacks: Exploit specific RPL features
Decreased Rank/Sinkhole | Advertises a closer to the sink position than the real one | Di,Ch,RV | H | I,R | Y | B
DODAG Inconsistency | Applies an inconsistent DODAG which forces nodes to probe neighbors | λ(C,n) | H | T,R | N | G,L,P
DODAG Version | Increases DODAG version periodically, triggering resets of network probing timers | λ(C,n) | C | T,R | N | G,L,P
Global Repair | Resets routing tables and probes all nodes, i.e., to repair topology | λ(C) | C | R | N | G
Local Repair | Nodes reset their local routing tables, i.e., triggering neighbors' probing | λ(C),F(n) | H | T,R | N | L,P

DM: Detection Method - Anomaly Detection [(Di)xon, (Ch)ebyshev, (K)-Means], Specification Based [Adaptable Threshold (λ(C:Controller, n:node)), Fixed Threshold (F), Rank Validation (RV), Node ID Validation (∆)].
PS: Placement Strategy - (C)ontroller, (H)ybrid.
DI: Data Input - (I)CMP Statistics, (U)DP Statistics, (T)rickle Timer Resets Counter, (R)PL Control Messages.
IA: Identification of Attacker - Y/N.
AM: Attack Mitigation - (B)lacklist Node, I(G)nore Global Repairs, Stop (L)ocal Repairs, Sto(P) Trickle Timer Resets.
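As an added example (not the authors' code), the Controller side of Algorithm 1 as described in Sections 3.3.1 and 3.4: the two-phase Chebyshev outlier detection with k = 1/√p per phase [47] standing in for line 3, and the sub-graph split plus mother-vertex check for lines 16-18. The k-means step is not reproduced (the outlier set is taken as the affected group), the sub-graphs are split on connectivity because parent-to-child links alone never form a strongly connected set, and all node ids, counters and parent choices are constructed.

```python
"""Controller side of Algorithm 1 (added example, not the authors' code):
Chebyshev two-phase outlier detection over per-node ICMP counts (line 3), then
sub-graph splitting and mother-vertex identification (lines 16-18). The
k-means step is not reproduced; all ids and counters are constructed."""
import math
from statistics import mean, stdev


def odv_limits(values, p):
    """Chebyshev ODV limits: at most a fraction p of any distribution lies more
    than k standard deviations from the mean when k = 1/sqrt(p) [47]."""
    k = 1.0 / math.sqrt(p)
    mu, sigma = mean(values), (stdev(values) if len(values) > 1 else 0.0)
    return mu - k * sigma, mu + k * sigma


def chebyshev_outliers(counts, p1=0.10, p2=0.01):
    """Phase 1 trims extremes with the loose p1 so they do not inflate sigma;
    phase 2 recomputes the limits with the strict p2 on the trimmed sample."""
    lo1, hi1 = odv_limits(list(counts.values()), p1)
    trimmed = [v for v in counts.values() if lo1 <= v <= hi1]
    if len(trimmed) < 2:
        return set()
    lo2, hi2 = odv_limits(trimmed, p2)
    return {n for n, v in counts.items() if v < lo2 or v > hi2}


def affected_subgraph(affected, parent_of):
    """Directed graph over the affected group with an edge parent -> child for
    every parent choice the Controller learned from [NP] messages."""
    adj = {n: set() for n in affected}
    for child in affected:
        if parent_of.get(child) in adj:
            adj[parent_of[child]].add(child)
    return adj


def dfs(adj, start, seen, order):
    """Recursive DFS; vertices are appended in finishing order."""
    seen.add(start)
    for v in sorted(adj.get(start, ())):
        if v not in seen:
            dfs(adj, v, seen, order)
    order.append(start)


def components(adj):
    """One sub-graph per disrupted neighbourhood: edges are followed both ways
    to find the members, each component keeps its directed edges."""
    und = {u: set(vs) for u, vs in adj.items()}
    for u, vs in adj.items():
        for v in vs:
            und.setdefault(v, set()).add(u)
    seen, comps = set(), []
    for u in sorted(und):
        if u not in seen:
            members = []
            dfs(und, u, seen, members)
            comps.append({v: adj.get(v, set()) & set(members) for v in members})
    return comps


def mother_vertex(adj):
    """Kosaraju's first pass: the last vertex to finish is the only candidate;
    a second DFS from it verifies it reaches every vertex, else None."""
    seen, order = set(), []
    for u in sorted(adj):
        if u not in seen:
            dfs(adj, u, seen, order)
    candidate, reached = order[-1], set()
    dfs(adj, candidate, reached, [])
    return candidate if reached == set(adj) else None


def identify_intruders(adj):
    """(sorted intruder ids, sub-graphs left for the administrator to review)."""
    found, unresolved = [], []
    for comp in components(adj):
        m = mother_vertex(comp)
        if m is None:
            unresolved.append(sorted(comp))
        else:
            found.append(m)
    return sorted(found), unresolved


# Constructed reporting period of a 50-node network: 46 quiet nodes with 4-6
# ICMP messages, one legitimately busier node (n147) and the neighbourhood of
# a Decreased Rank attacker (i54) whose victims n27 and n33 chose it as parent.
ICMP = {f"n{i}": 4 + i % 3 for i in range(100, 146)}
ICMP.update({"n147": 11, "i54": 70, "n27": 82, "n33": 91})
PARENT = {"i54": "sink", "n27": "i54", "n33": "i54", "n147": "n100"}


def run_algorithm1(counts=ICMP, parent_of=PARENT):
    """Outliers (essential-mode trigger) -> affected sub-graph -> intruders."""
    affected = chebyshev_outliers(counts)
    return identify_intruders(affected_subgraph(affected, parent_of))
```

`run_algorithm1()` returns `(['i54'], [])`: the busier legitimate node stays inside the phase-2 limits, and a sub-graph with two independent roots (no mother vertex) is reported as unresolved rather than guessed.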
(iii) Stop Trickle Timer Resets: Equivalently, Trickle Timer Resets cause significant control overhead since RPL control messages are exchanged more frequently. A Stop Trickle Timer Resets mitigation method can either be triggered locally or from the Controller ([TT] message), allowing the node(s) to ignore all Trickle Timer Resets for a particular period.

3.6. Summary

In Table 2, we summarize how all the above IDS features are associated with all handled attacks, including their brief descriptions. More specifically, we list for all attacks: (i) the detection method applied (i.e., whether it is anomaly detection or specification based) as well as the specific detection features utilized; (ii) the placement of the detection method, i.e., at the Controller only or also at the nodes (hybrid); (iii) the required data input for the particular detection method; (iv) whether the identification of an attacker is needed for its mitigation; and (v) the mitigation method which is appropriate for this type of attack.

The table highlights that ASSET handles diverse types of attacks through different combinations of the supported IDS features. We note that anomaly detection can even detect unknown attacks causing communication disruptions. Furthermore, new specification-based building blocks can be integrated to further increase the number of supported attacks. Although the IDS could be implemented with different relevant algorithms performing even better, our selection performed decently in our experimentation exercise and was enough to validate the main ASSET novelties.

Moreover, in Fig. 4, we illustrate the threat model [52,53] we consider in this work, i.e., a visualized analysis of network security breach strategies, along with our IDS's matching mitigation techniques. To establish this risk assessment, we begin by pinpointing the assets upon which the RPL network's mission is based. Next, we explore the potential threats, in high and low risk, originating either from malicious actions or known RPL weaknesses, i.e., due to RPL's constrained nature. Finally, we complete the model by introducing the IDS's defenses serving as a shield from threats and vulnerabilities.

Fig. 4. Threat model.

4. Evaluation results

We evaluate ASSET in line with robustness and extendability, which reflect the width of our solution, as well as accuracy and mitigation-time, which express its depth. More specifically, we begin with discussing our evaluation methodology and, then, we present: (i) proof-of-concept simulation results that demonstrate attack incidents, along with ASSET's response in terms of detection and mitigation, as well as attacker identification; and (ii) ASSET's robustness with an evaluation of its operation under a range of attacks triggering all discussed mechanisms.

4.1. Evaluation methodology

For ASSET's performance evaluation, we utilize the Cooja emulator in Contiki OS [38]. The simulations carried out consider one sink node, a set of legitimate nodes, and one attacker

Table 3
Network setup parameters.
Parameter Value Notes
Network layer RPL Storing mode
MAC layer 802.15.4
Implementation Contiki 3.0 - Cooja
Sink node(s) 1 Serial Port Connection
Mote type Zolertia Z1
Nodes placement Random
Number of nodes 25 or 50
Area 800 m × 800 m
Simulated time 3 h 10,800,000 ms
Data (UDP) transmission period (P) 5 min Unless otherwise stated
ICMP probing frequency 5 min Avoiding zero probings
Packet size 70 B Average size
TX range 50 m
Interference range 50 m
TX/RX success ratio 100%
Trickle timer duration 4 ms–17.5 min Contiki RPL defaults

node. Although ASSET can potentially mitigate attacks caused by multiple malicious nodes, we leave the relevant experimentation as future work. The network setup parameters are described in detail in Table 3.

We only consider attacks where the intruder is part of the active RPL topology, i.e., responds promptly to the Controller's solicitation messages, since it would be rather trivial for an IDS with centralized components to detect and, consequently, blacklist as a possible intruder a node that does not respond to such messages. Once blacklisted, the intruder cannot be chosen as a parent node and hence it cannot successfully launch most of the RPL attacks described in Section 2.2. In practice, we consider that the attacker node(s) are running multiple modified Contiki OS versions² (also available under GPLv3.0) to execute one or more attacks in conjunction. Right afterward, we present proof-of-concept results demonstrating ASSET's operation under various attacks.

² https://github.com/SWNRG/contiki-malicious

4.2. Proof-of-concept results

To evaluate the different aspects of ASSET and reveal the potential of its mechanisms, we conducted several experiments, as presented below. Those proof-of-concept experiments focus on demonstrating ASSET's functionalities along with the required width and depth. Comparing ASSET with other similar solutions is considered future work since (i) we have to identify common use-cases in terms of required security level and affordable control overhead or processing cost; and (ii) we have to determine the type of involved mitigation action and its impact, since this determines the communication or performance issues that a false positive can cause.

4.2.1. Detection mechanisms evaluation

The first proof-of-concept simulation is associated with the anomaly detection mechanisms of ASSET. As illustrated in Fig. 5, we consider a network with 50 nodes (marked with yellow) randomly placed around the sink node (the green one), while an intruder (ID = 54, purple color) compromises the network by unleashing a Decreased Rank attack, advertising a lower rank value than all other legitimate nodes in its wireless coverage (i.e., the green range). As a result, most of the nodes within range, i.e., nodes with ID 27, 32, 33, 42, and some others around it, i.e., nodes with ID 4, 17, 44, increase the number of ICMP packets exchanged in their effort to recalculate paths to the sink.

Fig. 5. An RPL network under Decreased Rank attack.

Table 4
Node-level anomaly detection: Dixon-Q test, w size = 7.

ICMP | NODE | t6 | t5 | t4 | t3 | t2 | t1 | t0
SEND | 4 | 4 | 4 | 4 | 5 | 4 | 4 | 18
SEND | 17 | 5 | 2 | 5 | 3 | 3 | 4 | 15
SEND | 27 | 5 | 3 | 6 | 4 | 4 | 5 | 19
SEND | 32 | 4 | 4 | 4 | 3 | 6 | 4 | 19
SEND | 33 | 7 | 4 | 6 | 5 | 7 | 7 | 17
SEND | 42 | 8 | 7 | 6 | 6 | 9 | 8 | 13
SEND | 44 | 3 | 5 | 3 | 3 | 4 | 5 | 8
RECV | 4 | 3 | 4 | 3 | 1 | 5 | 4 | 39
RECV | 17 | 12 | 5 | 4 | 5 | 5 | 4 | 42
RECV | 27 | 10 | 6 | 5 | 4 | 4 | 6 | 82
RECV | 32 | 9 | 4 | 2 | 3 | 3 | 3 | 64
RECV | 33 | 11 | 6 | 5 | 5 | 7 | 6 | 91
RECV | 42 | 6 | 6 | 5 | 5 | 9 | 8 | 58
RECV | 44 | 4 | 3 | 3 | 7 | 3 | 3 | 20

The Dixon-Q test mechanism in every node detects the anomaly in the number of ICMP messages sent and received, as shown by the PANIC entries in the log file illustrated in the right-hand window of Fig. 5. In our simulation, we configure the Dixon-Q window size as w size = 7. Table 4 shows for each of the above nodes that the latest of seven values, regarding both the incoming (RECV) and outgoing (SEND) ICMP packets, is an outlier, causing seven nodes to dispatch the [AD] message at t0 (nodes within the attacker's range are shown with a gray background in Table 4). Since the number of nodes sending an [AD] message exceeds the threshold of three, ASSET activates controller-level anomaly detection by Chebyshev's inequality mechanism for further investigation of the attack instance, i.e., attacker detection and mitigation.

4.2.2. Control overhead & power consumption

The holistic approach provided by ASSET is illustrated in Fig. 6, which is the outcome of our second proof-of-concept simulation. In practice, we simulated for three hours (x-axis) a multi-hop network with 25 nodes randomly placed around one sink, considering a combination of Decreased Rank and Blackhole attacks, and we observe the network's control overhead to validate our intuition regarding the impact of attacks over it. Fig. 6 shows that attacks are launched at 01:20 hour (vertical red line), detected
G. Violettas, G. Simoglou, S. Petridou et al. Future Generation Computer Systems 125 (2021) 698–714

at 01:32 hour (vertical yellow line), and mitigated at 01:47 hour (vertical green line).

We chose a typical combination of attacks. The intruder node discards data packets, e.g., UDP, once it successfully deceives several nodes into choosing it as a routing node (i.e., parent) for their packets. Fig. 6 does capture the impact of the Decreased Rank attack, which precedes the Blackhole one. Once the attack has taken place, the Dixon-Q test detects outliers in control packets on six nodes at 01:25 hour and on three more nodes at 01:30. These nodes notify the Controller with [AD] messages, activating the Chebyshev's inequality mechanism for a more fine-grained detection. For this purpose, apart from a [NP] message, nodes also dispatch their latest chosen parent node, i.e., ICMP statistics ([IS] messages), the node's current rank ([NR] messages), and available neighbors ([NN] messages), assisting the Controller in identifying the intruder. Once the intruder is identified, the Controller at 01:32 dispatches a [BL] message to all nodes as a mitigation action. Fig. 6 provides evidence that, at 01:47 hour, the network graph is consistent again, i.e., network nodes have selected legitimate parents after excluding the attacker as a candidate parent.

Fig. 6. Control overhead over time for a combined Decreased Rank and Blackhole attack on a network of 25 nodes.

Regarding power consumption, we conducted the same experiment under four different modes of operation, i.e., standard RPL compared with the three operation modes of ASSET (i.e., slim-, essential-, and full-function modes). The results are presented in Fig. 7, where, after the anticipated initial power "spikes" until the network settles down, the power consumption is minimal, with only the full-function mode consuming slightly more energy. In total, compared with RPL, the slim mode consumes 0.18 percent more power per node, the essential mode consumes 0.71 percent more, while the full-function mode consumes 1.54 percent more energy. For comparison with other similar solutions, SVELTE [43] has a 30 percent overhead compared to RPL.

Fig. 7. Average power consumption of nodes under ASSET's different modes of operation.

Fig. 8. An RPL network under Blackhole attack.

4.2.3. ASSET's modes of operation

Moreover, Fig. 6 confirms that the slim-mode operation of ASSET does not overload the network. In the period from the beginning of the simulation until the attacks (vertical red line), ASSET operates with the minimum number of monitoring messages, i.e., [NP] messages from nodes to report parent changes and/or [SP] messages from the Controller to the nodes, requesting missing information regarding their parents. The purple curve, corresponding to the RPL network with the IDS functionality, is only slightly higher, i.e., 6.28 percent on average in our simulation, compared to the blue line, representing standard RPL operation.

The full-mode operation of ASSET succeeds in the attacker's identification and mitigation at the cost of increased control overhead. However, this overhead remains lower, by 49.87 percent on average, than when the RPL protocol is left unshielded. Indeed, within the time frame between the red and green verticals, node- and controller-level anomaly detection are taking place, additional messages ([IS], [NR], and [NN]) are sent to the Controller, which then activates the three steps described in Section 3.4 to identify the attacker. However, despite these demanding processes, ASSET controls network topology disruptions and updates, moderating Local and Global Repair ([LR] and [GR] messages) and, thus, holding down the peak in the purple curve.

Finally, mitigating the attack brings as much as 95.96 percent benefit to the network in control overhead. In the period from the attacks' mitigation (vertical green line) until the end of the simulation, ASSET manages to establish a new DODAG consisting of legitimate nodes while allowing the network to continue its mission, i.e., data gathering.
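The node-level test of Sections 4.2.1 and 4.2.2 and its escalation to the Controller, as an added Python example written for this page (it is not ASSET's code nor code from the paper's authors). It runs Dixon's Q test over the fourteen SEND/RECV windows of Table 4 (w_size = 7), lists the nodes that would dispatch an [AD] message, applies the three-node rule, and then applies the controller-level Chebyshev check. Three things are assumptions: the paper does not state the Dixon confidence level of the Fig. 5 experiment, so 95 percent is used here; the Chebyshev rule is implemented as the textbook bound, flagging a sample farther than k·σ from the window mean with k = 1/√(1 − p1), which is the editor's reading of how a p1 setting such as the paper's 0.95 turns into a threshold, not a description of ASSET's internals; and the controller-side ICMP history (w_size = 8) is constructed.

```python
"""Node-level Dixon-Q test and controller-level Chebyshev check.

Added illustration written for this page; it is not ASSET's code. The
window data are the fourteen SEND/RECV rows of Table 4 (w_size = 7).
Assumptions: a 95 percent Dixon confidence level for the Table 4
experiment (the paper does not state it), the textbook Chebyshev bound
as the controller-side rule, and a constructed aggregate ICMP history.
"""
import math
from statistics import mean, pstdev

# Dixon's Q (r10) critical values for n = 3..10 at the 90, 95 and 99
# percent levels, as commonly tabulated.
Q_CRIT = {
    0.90: {3: 0.941, 4: 0.765, 5: 0.642, 6: 0.560, 7: 0.507, 8: 0.468, 9: 0.437, 10: 0.412},
    0.95: {3: 0.970, 4: 0.829, 5: 0.710, 6: 0.625, 7: 0.568, 8: 0.526, 9: 0.493, 10: 0.466},
    0.99: {3: 0.994, 4: 0.926, 5: 0.821, 6: 0.740, 7: 0.680, 8: 0.634, 9: 0.598, 10: 0.568},
}

# Table 4 rows: node -> (SEND window, RECV window), oldest sample t6 first,
# newest sample t0 last. Values copied from Table 4.
TABLE_4 = {
    4:  ([4, 4, 4, 5, 4, 4, 18], [3, 4, 3, 1, 5, 4, 39]),
    17: ([5, 2, 5, 3, 3, 4, 15], [12, 5, 4, 5, 5, 4, 42]),
    27: ([5, 3, 6, 4, 4, 5, 19], [10, 6, 5, 4, 4, 6, 82]),
    32: ([4, 4, 4, 3, 6, 4, 19], [9, 4, 2, 3, 3, 3, 64]),
    33: ([7, 4, 6, 5, 7, 7, 17], [11, 6, 5, 5, 7, 6, 91]),
    42: ([8, 7, 6, 6, 9, 8, 13], [6, 6, 5, 5, 9, 8, 58]),
    44: ([3, 5, 3, 3, 4, 5, 8], [4, 3, 3, 7, 3, 3, 20]),
}

AD_THRESHOLD = 3  # minimum number of [AD] messages before the Controller acts


def dixon_q(window):
    """Dixon's Q for the newest sample: its gap to the nearest neighbour over the range.

    Returns 0.0 when the newest sample is not an extreme of the window or when
    the window is flat, so such a sample can never be declared an outlier.
    """
    newest = window[-1]
    ordered = sorted(window)
    rng = ordered[-1] - ordered[0]
    if rng == 0:
        return 0.0
    if newest == ordered[-1]:
        gap = ordered[-1] - ordered[-2]
    elif newest == ordered[0]:
        gap = ordered[1] - ordered[0]
    else:
        return 0.0
    return gap / rng


def newest_is_outlier(window, confidence=0.95):
    """Node-side decision: is the latest ICMP count an outlier at this confidence level?"""
    return dixon_q(window) > Q_CRIT[confidence][len(window)]


def nodes_raising_ad(table, confidence=0.95):
    """Nodes that dispatch an [AD] message: newest SEND or RECV count is an outlier."""
    return sorted(node for node, (send, recv) in table.items()
                  if newest_is_outlier(send, confidence) or newest_is_outlier(recv, confidence))


def controller_should_escalate(table, confidence=0.95):
    """Escalation rule: at least AD_THRESHOLD nodes signalled an anomaly."""
    return len(nodes_raising_ad(table, confidence)) >= AD_THRESHOLD


def chebyshev_k(p1):
    """Multiplier k with P(|X - mu| >= k*sigma) <= 1 - p1 (Chebyshev's inequality)."""
    return 1.0 / math.sqrt(1.0 - p1)


def chebyshev_outlier(history, sample, p1=0.95):
    """Controller-side check: does `sample` lie more than k*sigma from the window mean?"""
    mu = mean(history)
    sigma = pstdev(history)
    if sigma == 0:
        return sample != mu
    return abs(sample - mu) > chebyshev_k(p1) * sigma


# Constructed controller-side history: network-wide ICMP count per slot, w_size = 8.
CONTROLLER_HISTORY = [40, 42, 39, 41, 43, 40, 42, 41]

if __name__ == "__main__":
    for conf in (0.95, 0.99):
        print(f"[AD] at {conf:.2f}: nodes {nodes_raising_ad(TABLE_4, conf)}, "
              f"escalate={controller_should_escalate(TABLE_4, conf)}")
    for sample in (46, 95):
        print(f"sample {sample}: p1=0.95 -> {chebyshev_outlier(CONTROLLER_HISTORY, sample)}, "
              f"p1=0.90 -> {chebyshev_outlier(CONTROLLER_HISTORY, sample, p1=0.90)}")
```

At 95 percent all seven Table 4 nodes raise [AD], so the Controller escalates. At q99 the SEND windows of nodes 42 and 44 stay below the critical value (Q = 0.571 and 0.600 against 0.680) while their RECV windows still exceed it, so testing both directions keeps the decision stable. The Chebyshev part illustrates the effect the paper reports for relaxed confidence levels: the constructed sample 46 is flagged at p1 = 0.90 but not at p1 = 0.95, while 95 is flagged at both.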

4.2.4. Attacker's identification

Our last proof-of-concept outcome elaborates on the attacker identification mechanism. In Fig. 8, in a three-hour run, we operate another random, multi-hop topology (illustrated in the upper-left part), where 25 nodes (the yellow ones) are under Blackhole attack by the purple node (ID = 27), while they route their data packets to the sink (green node). The intruder is placed within the direct reach of six nodes (ID 2, 6, 7, 10, 15, 18) and presents a legitimate behavior until 01:20 hour, when it starts dropping all received data packets on their route towards the sink (including the attacker's own ones, to make the scenario more challenging).

In a network with scheduled UDP transmissions and a pre-defined dispatching period, the impact of a Blackhole attack is to differentiate affected from non-affected nodes in terms of the number of UDP packets arriving at the sink. Indeed, the K-Means algorithm running in the Controller has successfully divided the network into two distinct groups, i.e., clusters 0 and 1 (bottom-left window), also illustrated in the right part of Fig. 8: cluster 0 contains the yellow nodes along with the sink (non-affected, as indicated by the high number of UDP packets), while cluster 1, shown in red, consists of the affected nodes (due to the low number of UDP packets).

A closer look at the affected sub-graph reveals that only nodes 6, 7, and 18 within the intruder's coverage are affected by the attack. In contrast, the other three, i.e., 2, 10, and 15, are not affected because they do not select the intruder as a parent (indeed, the parent of nodes 2 and 15 is node 26, while the parent of node 10 is node 23). Simultaneously, nodes 3, 13 and 5, 9, 17 select as a parent the affected nodes 18 and 6, respectively, and consequently are also influenced by the Blackhole attack, although they are not within the intruder's coverage.

At this step, it is crucial to distinguish among cluster members to identify the malicious one. K-Means feeds Kosaraju's algorithm with the red sub-graph. Kosaraju then defines one sub-graph (or more, in case of multiple attacks) and passes the graph to the mother node algorithm. The algorithm recognizes node 27 as the "root" of this sub-graph, identifying this ID as the malicious node. In our simulation, the attack begins at 01:20 hour, and our system recognizes the attacker at 01:47 hour. Right afterward, the Controller blacklists this node so that it is not selected as a parent node. In this scenario, we noticed that leaving such an attack unmitigated reduces the packets that the sink successfully receives by as much as 17.3 percent. Our system helps the network lose only 5.7 percent of the packets that would eventually arrive at the sink in a non-attack case.

Next, we carry on discussing the results on the robustness of ASSET.

4.3. Robustness results

Our results regarding ASSET's robustness are summarized in Table 5 and show that our proposed system can handle 13 attacks. We excluded from our analysis Sinkhole, Neighbor, and Sybil attacks due to their high similarity with Decreased Rank, Replay, and Clone-ID attacks, respectively. Moreover, Decreased Rank and DODAG Inconsistency attacks appear twice in the table to highlight how alternative mechanisms can handle them.

Each row of Table 5 represents a three-hour simulation, divided into 5 min time-slots, regarding the same 25-node network. The first two rows refer to Chebyshev's and Dixon's operation in the non-attack case. In contrast, each of the remaining rows represents a type of attack (1st column), occurring at the 80th min, along with the detection mechanism (2nd column) in place.

Regarding basic implementation details and configurations, in the Blackhole attack the malicious node suspends forwarding of all UDP data packets traveling towards the sink. In contrast, for Grayhole the attacker decides whether or not to forward each received data packet based on a fair coin toss. In the Decreased Rank attack, a malicious node advertises a fake rank calculated by subtracting four times RPL's parent switching threshold (MinHopRankIncrease) from the attacker's actual rank (i.e., fake_rank = actual_rank - 4*MinHopRankIncrease). For the DODAG Version attack, an adversary keeps sending DIO messages with increasing version numbers, triggering continuous Trickle Timer Resets in addition to Global and Local Repairs. The DODAG Inconsistency attack applies erroneous headers in RPL messages [32], also triggering Trickle Timer Resets and Global and Local Repairs. Global or Local Repair attacks are replicated with a DODAG Inconsistency attack. The Flooding attack was implemented with the attacker continuously dispatching forged RPL and data packets, limited by Cooja's processing capabilities, since a high communication load crashes the (emulated) serial port. We implemented the Replay attack in a similar way to the Flooding attack, by assuming an adversary continuously re-sending the RPL messages it receives. Finally, the Clone-ID attacker duplicates existing RIME, MAC, and/or IPv6 addresses, i.e., leading to duplicated node IDs.

The specific attack detection mechanism employed for each attack is also indicated in Table 5. Chebyshev's inequality's and Dixon's settings are w_size = 8, p1 = 0.95 and w_size = 5, confidence = q99, respectively. The threshold F was set to 10 (half of the one proposed by RPL, assuming a hostile environment), and the adaptable λ is implemented as defined in Section 3.3.2. These mechanisms operate both on the node and the Controller side, depending on the attack type. K-Means confidence was set to 0.1.

The central cells in Table 5 indicate the number of nodes signaling an attack at the given time-slot, based on the mechanism referenced in the particular row. We indicate in bold the time-slot at which attacks start, e.g., we selected slot 16 (80th min) for all cases. We color differently the cells where the attacks are detected (gray) and mitigated (dark gray, white fonts), as well as those reflecting false positives (light gray). Single nodes cause a few false positives. As previously discussed, an event is considered an attack when at least three nodes declare its detection, except for Clone-ID and Global Repair attacks, because the corresponding mechanisms do not cause false positives, e.g., the Global Repair attack is handled at the sink only. Moreover, regarding Decreased Rank detection, although four rank inconsistencies are reported in time-slot 18, the dedicated RV mechanism needs to mandate the nodes to enable full-function mode to send all neighbors' data (i.e., the [SN] message) and compare all declared ranks for discrepancies before identifying the attacker.

We consider an attack as mitigated when the proper mitigation action is enforced, independently of the time it takes. An indication of the latter appears in Table 5 through the declining number of nodes signaling the attack immediately after the mitigation time-slots. Having described our notation, we proceed with our observations based on each row's results.

The first two rows consider simulations without attacks to highlight the overhead of ASSET during regular system operation. On the one hand, Chebyshev's inequality did not produce any false positives. However, we had some rare false positives with more relaxed confidence levels (e.g., p1 = 0.90), without triggering attack detection. On the other hand, the Dixon-Q test faces 5 cases of a single node detecting outliers, e.g., node 22 on time-slots 23, 24, and 25. We also note that Dixon-Q detects some infrequent outliers even after an attack is mitigated, since the network settles down progressively. This causes a minor communication overhead increase in the particular nodes, i.e., enabling the transmission of ICMP statistics to the Controller, and highlights that ASSET's control overhead adaptability aspects require further investigation, which we consider future work.
Table 5
ASSET's robustness evaluation. Rows (attack, detection mechanism): No Attack (Ch), No Attack (Di), Blackhole (K), Grayhole (K), Decreased Rank (RV), Decreased Rank (Ch), DODAG Version (λ(C,n)), DODAG Inconsistency (λ(C,n)), DODAG Inconsistency (Ch), Global Repair (λ(C)), Local Repair (λ(C), F(n)), Flooding (Ch), Replay (Ch), Clone-ID (∆). Columns: time-slots 1–36 of 5 min over the 180 min run. Cells give the number of nodes signaling an attack in each time-slot and are shaded for attack initiation, attack detection, attack mitigation, and false positives (cell values omitted).
λ: Adaptable Threshold, F: Fixed Threshold, RV: Rank Validation, ∆: Node ID Validation. Ch: Chebyshev's Inequality, Di: Dixon-Q Test, K: K-Means. C: Controller, n: node.

Blackhole and Grayhole attacks impact data rather than control packets. We employ the K-Means algorithm, which continuously clusters the nodes into two groups based on the number of their UDP packets that arrived at the sink. We consider a true positive whenever a small cluster of nodes presents a low number of UDP packets, i.e., assuming that the attack does not impact most nodes. Consequently, the sporadic false positives do not cause any issue. We noticed that topology size and attack severity impact false positives and attack mitigation time. For example, it takes three more time-slots for ASSET to mitigate the less severe Grayhole attack, compared to Blackhole. Such issues deserve a dedicated analysis.

Regarding the Decreased Rank attack, we provide results for both the Rank Validation and Chebyshev mechanisms. The former needs four time-slots until its mitigation time, while the latter can detect the attack in just two time-slots. However, Chebyshev is not equipped to mitigate this particular attack. In this execution, RV is characterized by two false positives, before and after the attack, without impacting the attack detection process. These results highlight the need for dedicated specification-based mechanisms.

The DODAG Version attack is mitigated within two time-slots because of the frequent DIO packets with increasing DODAG versions. In the first and second time-slots, the adaptable λ thresholds are crossed at the node and controller levels, respectively, i.e., the latter confirming the attack detection. We have an equivalent result for the DODAG Inconsistency attack, since their outcome is similar, given the attacker's same spatial position. Here, we mitigate the attack's outcome, i.e., suspend resetting the Trickle Timer and Global and Local Repairs, since identifying the attacker requires additional software or equipment [25], considered out of the paper's scope. We also provide the outcome of Chebyshev's mechanism in the case of the DODAG Inconsistency attack, highlighting its inability to detect the latter and the advantages of ASSET's specification-based mechanisms. We note that Chebyshev with a lower sensitivity (e.g., p1 = 0.90 and the same w_size) can detect the attack at time-slot 20 and mitigate it at 21, i.e., later than the adaptable λ. Such aspects highlight that anomaly detection and specification-based mechanisms can operate in parallel, complementing each other.

In the case of the Global Repair attack, ASSET needs three time-slots to mitigate it (i.e., the sink ignores further Global Repair mandates). This process involves the communication of nodes with the sink and the follow-up involvement of the Controller. The mitigation time is shorter by one time-slot for Local Repair attacks, where nodes signal an attack as soon as their fixed threshold F is reached, which is confirmed by the Controller with its adaptable threshold λ.

It takes four time-slots for ASSET to mitigate both Flooding and Replay attacks because of the gradual control traffic increase among the nodes. One node detects an outlier for the Replay attack at the 28th time-slot, which is ignored by the Controller. Mitigation for both attacks involves disabling Global and Local Repairs, as well as Trickle Timer Resets. Since Cooja faces stability issues with these two attacks, conducting these experiments in a test-bed environment and studying the network's behavior under real network conditions is another open issue.

Clone-ID attackers are rapidly identified by the Controller with 100 percent accuracy, due to the centralized nature of ASSET, i.e., nodes with duplicated IDs are immediately detected and blacklisted. Sybil attacks will also be equivalently mitigated.

The above results demonstrate that ASSET, under the given scenario, configuration settings, and network conditions: (i) can detect 13 attacks (i.e., including Sinkhole, Neighbor, and Sybil attacks that exhibit a very similar behavior with Decreased Rank,

Replay, and Clone-ID, respectively) without false positives in attack detection, i.e., we noticed only some rare false alarms from nodes to the Controller; (ii) handles effectively the infrequent false alarms due to the requirement that at least three nodes should signal an attack before a mitigation action is triggered; (iii) employs multiple attack detection mechanisms, including three anomaly detection and four specification-based ones, contributing to both width and depth of attack detection; (iv) its mitigation time depends on the attack type, severity, and behavior; and (v) manages to identify and exclude the attackers for Blackhole, Grayhole, Decreased Rank, and Clone-ID attacks, while for the rest of them it mitigates the outcome of the attack, i.e., the attack may still be present.

Due to our experiments' high complexity, we consider a more thorough investigation of ASSET's performance, including its statistical evaluation and comparison with other similar solutions, as future work. However, we argue that the current results suffice to confirm ASSET's novelties, as defined in the paper.

4.3.1. Open ASSET vulnerabilities

Here, we discuss several of ASSET's security vulnerabilities that are outside the scope of this paper and deserve further investigation. These open challenges can be summarized as follows.

For simplicity, we currently assume that the ASSET Controller and the corresponding communication (e.g., packets carrying measurements from nodes to the Controller) are safe and not tampered with. For example, attacks oriented to Software-Defined IoT solutions could be relevant to ASSET, e.g., targeting a centralized Controller.3 Consequently, there is a need for hardening the related security. Several techniques could potentially be applied, including Byzantine Fault Tolerance [54], n-versioning, or secure tokens and enclaves. Moreover, a sophisticated attack could possibly tamper with the measurements traveling to the sink to "hide" an ongoing attack or to work around an ASSET mechanism. This may be challenging for ASSET since it operates many attack detection mechanisms in parallel, i.e., another one may detect the attack. We consider such aspects complementary to our solution but complicated enough to deserve an independent study.

Furthermore, our proposal may be vulnerable to more sophisticated attacks than the ones considered. For example, neighboring nodes may collude to exclude nodes from the graph or apply a Clone-ID attack after collapsing the node to be duplicated. In the latter case, reputation-based mechanisms can be implemented as a scheme with multi-path duplication of messages, i.e., to verify a node's compliance. Although this is always the case with IDSs, we consider ASSET a decent solution to many different attacks, in contrast to the related works.

3 Although ASSET adopts ideas originating from the SDN world, the scope of this paper covers RPL-related attacks only, rather than the security of SDN IoT systems.

5. Related works

In the context of RPL, the associated IDSs gain popularity following the protocol's evolution [7,12,14,55]. The literature classifies these RPL-related IDSs according to two main criteria [56]: (i) the detection method they employ, and (ii) their placement strategy. Based on the detection method, the IDSs are distinguished into signature detection, anomaly detection, and RPL specification-based systems, while hybrid detection IDSs combine at least two of the aforementioned categories. Regarding their placement strategy, RPL-related IDSs are classified into centralized, distributed, and hybrid placement systems; the latter blend the rationale of centralized and distributed by keeping the "heavy" tasks for the root or central node(s) and delegating the more lightweight ones to the rest.

In our survey paper published in 2021 [14], we investigated the 22 most recently introduced RPL-related IDSs in the literature (2013–2020) and concluded that combining detection methods as well as placement strategies brings positive results. The competitive advantage was found to be the number of attacks the system detects; this ranges from three to five (3 to 5) for the hybrid detection systems [44,58] and goes up to eight (8) for the full hybrid ones [43,59]. Table 6 provides a brief comparative overview of hybrid systems, which are found to be the most advanced of the recent literature [14] and relevant to our proposed one.

Table 6
Comparative overview of existing hybrid IDSs related to our work.
IDS    DM          EE  NA  E  IA  AM
[43]   AD, SB, SD  S    7  Y  Y   WE
[57]   AD, SB      S    3  Y  Y   N
[58]   AD, SD      S    5  –  N   N
[44]   AD, SD      S    3  Y  N   N
[59]   AD, SD      C    8  Y  Y   MF
ASSET  AD, SB      S   13  Y  Y   MM
DM: Detection Method - Anomaly Detection (AD), Specification-Based Detection (SB), Signature Detection (SD). EE: Evaluation Environment - (S)imulation, (C)onceptual. NA: Number of Attacks. E: Extendability - Y/N. IA: Identification of Attacker. AM: Attack Mitigation - White List Exclusion (WE), Mini Firewall (MF), Multiple Methods (MM).

Further benefits include the ability of some systems to identify the attacker [57,59] and/or mitigate the attack [43,59], extendability as a feature that enables the IDS to evolve towards detecting new attacks, as well as the detection accuracy rate in conjunction with low resource overhead, especially when the developed mechanisms are appropriately located in both central and distributed nodes.

In particular, appropriately tuning the parameters of SVELTE [43] can offer as much as 100 percent detection accuracy and zero false positives. However, the system trades its advantages for resource requirements regarding storage, the signatures' repository, and computational power for anomaly detection algorithms. In comparison, Bostani et al. [57] show an average of 93.3 percent accuracy with less than 3.3 false positives for multiple runs.

Game Theory IDS [58] reports an average of 98.6 percent accuracy and less than 2.5 percent false positives for a variety of setups. In comparison, CHA–IDS [44] shows an accuracy within 85.2–100 percent and up to 0.058 percent false positives in the worst case. Although they keep a good balance between accuracy, false positives, and overhead, they neither deal with the attacker's identification nor with mitigation actions. These limitations probably stem from the fact that Game Theory IDS employs a distributed placement strategy, not taking advantage of the results of a central analysis, and vice versa, CHA–IDS is a centralized system, not exploiting distributed mechanisms. Indeed, in the case of [59], signature and anomaly detection are used in combination, further exploiting the rationale of a hybrid placement strategy. The system brings a high score of as many as 8 attacks detected.

Comparing the above hybrid systems is a challenging and not straightforward task, since it is associated with the considered use-case in terms of required security level and reasonable control overhead or processing cost, depending on how an IDS covers the addressed attack(s). Our literature study reveals that different approaches span from simulating all or some of the attacks to conceptually supporting coverage for all or a subset of the attacks under investigation. Indicatively, the authors in [59] introduce a fully conceptual framework, where they discuss but do not evaluate their IDS. Also, in the case of simulation approaches, differences concern the simulation environments and the metrics used to assess the IDSs' performance. Among different approaches, Contiki Cooja [38] is a common choice; it is also adopted in our work.

Another challenging issue concerning comparison is the lack of a common framework for IDS evaluation in real environments, i.e., test-beds. This challenge is reflected in the 3rd column of Table 6, which shows that all approaches with evaluation results use simulation. Our previous experience with test-beds participating in the FED4FIRE [60] and GENI [61] federations, in the context of 5G network slicing research [62–64], shows that it would be interesting, but also very challenging, to deploy complete IDSs in test-beds for evaluation purposes and address the possible issues that arise. Currently, the Sharing Artifacts in a Cybersecurity Community Hub (SEARCCH) project [65] offers a facility that provides validation, repeatable sharing, and reuse of security-related research results. A relevant initiative for IoT security could establish a common framework where open-source IDS code could be released and comparatively evaluated, e.g., in a common environment with the same methodology and evaluation scenarios.

In this work, we exploit observations derived from the recent bibliography to develop a novel softwarized IDS by design, in the sense that it assigns lightweight tasks, such as monitoring and first-place detection, to the constrained end-nodes and transfers the demanding tasks to central premises. Besides, ASSET follows a modular architecture that allows adaptations and/or extendability. It combines anomaly and specification-based detection and, to the best of our knowledge, is the most robust system compared to its peers. It detects 13 RPL-related attacks, supports attacker identification, and offers several mitigation actions depending on the attack detected.

Conclusion

ASSET's evaluation has shown that handling attacks against the RPL protocol is challenging and highly dependent on the implemented mechanisms targeting one or more specific attack(s). Moreover, transferring node-level functions to the centralized infrastructure is more stable and accurate and provides new capabilities to network administrators. Some attacks can be handled with high accuracy, while some can be mitigated, leaving the identification of the intruder as an open issue. In addition, inspired by the softwarization paradigm, by offering centralized intelligence and extendability, ASSET is an ideal platform for new mechanisms and tools to be tested in the areas of anomaly detection and SDN-like solutions for RPL and the IoT in general.

ASSET exhibits the following advantages: (i) a holistic workflow handling 13 well-known RPL-related attacks; (ii) 3 anomaly and 4 specification-based attack detection mechanisms, operating both at node and controller level and exhibiting a low number of false positives; (iii) a set of alternative mitigation actions and an original attacker identification process; and (iv) an adaptable control and monitoring protocol, trading communication overhead for attacker detection accuracy.

Our next steps include the following aspects: (i) to further improve (i.e., in width and depth) the attack detection and mitigation, the attacker identification mechanisms, as well as the control channel adaptability, including employing change-point analysis for anomaly detection [66,67], (ii) to conduct extensive

CRediT authorship contribution statement

George Violettas: Conceptualization, Software, Original draft preparation, Investigation, Writing. George Simoglou: Visualization, Data curation, Writing. Sophia Petridou: Writing, Validation. Lefteris Mamatas: Methodology, Writing, Supervision.

Declaration of competing interest

The authors declare that they have no known competing financial interests or personal relationships that could have appeared to influence the work reported in this paper.

Acknowledgments

Kyriakos Vougioukas provided the testing framework4 for Dixon-Q and Chebyshev's Inequality tests.

References

[1] M. Wollschlaeger, T. Sauter, J. Jasperneite, The future of industrial communication: Automation networks in the era of the internet of things & industry 4.0, IEEE Ind. Electron. Mag. 11 (1) (2017) 17–27.
[2] T. Winter, et al., RPL: IPv6 routing protocol for low-power and lossy networks, RFC 6550 (2012) 1–157.
[3] O. Gaddour, A. Koubâa, RPL in a nutshell: A survey, Comput. Netw. 56 (14) (2012) 3163–3178.
[4] G. Violettas, S. Petridou, L. Mamatas, Evolutionary software defined networking-inspired routing control strategies for the internet of things, IEEE Access 7 (2019) 132173–132192.
[5] G. Violettas, S. Petridou, L. Mamatas, Routing under heterogeneity & mobility for the Internet of Things: a centralized control approach, in: IEEE Global Commun. Conf. (GLOBECOM), 2018, pp. 1–7.
[6] A. Mayzaud, R. Badonnel, I. Chrisment, A taxonomy of attacks in RPL-based internet of things, Int. J. Netw. Secur. (2016).
[7] A. Verma, V. Ranga, Security of RPL based 6LoWPAN networks in the internet of things: A review, IEEE Sens. J. 20 (11) (2020) 5666–5690.
[8] P. Kamgueu, E. Nataf, T. Ndie, Survey on RPL enhancements: a focus on topology, security and mobility, Comput. Commun. 120 (2018) 10–21.
[9] J. Granjal, E. Monteiro, J. Silva, Security for the internet of things: a survey of existing protocols and open research issues, IEEE Commun. Surv. Tutor. 17 (3) (2015) 1294–1312.
[10] M. Landsmann, M. Wahlisch, T. Schmidt, Topology authentication in RPL, in: 2013 IEEE Conf. on Comput. Comm. Workshop (INFOCOM WKSHPS), 2013, pp. 73–74.
[11] A. Arena, et al., Evaluating and improving the scalability of RPL security in the internet of things, Comput. Commun. (2020).
[12] A. Raoof, A. Matrawy, C.-H. Lung, Routing attacks and mitigation methods for RPL-based internet of things, IEEE Commun. Surv. Tutor. 21 (2) (2018) 1582–1606.
[13] P. Perazzo, et al., An implementation and evaluation of the security features of RPL, in: Int. Conf. on Ad-Hoc Netw. and Wireless, Springer, 2017, pp. 63–76.
[14] G. Simoglou, et al., Intrusion detection systems for RPL security: A comparative analysis, Comput. Secur. (ISSN: 0167-4048) 104 (2021) 102219.
[15] P. Pongle, G. Chavan, A survey: Attacks on RPL & 6LoWPAN in IoT, in: 2015 IEEE Int. Conf. on Pervasive Computing (ICPC), 2015, pp. 1–6.
[16] O. Gnawali, P. Levis, The minimum rank with hysteresis objective function,
experimentation with multiple attacks (also co-existing), attack- RFC 6719 (2012).
ers, topology structures and sizes, experiment configurations, [17] O. Gaddour, et al., OF-FL: QoS-aware fuzzy logic objective function for
including based on real IoT test-beds, to accurately measure the the RPL routing protocol, in: 2014 IEEE 12th Int. Symp. on Modeling and
implications of ASSET to network latency among others, (iii) to Optimization in Mobile, Ad Hoc, and Wireless Netw. (WiOpt), 0000, pp.
incorporate a separate control channel with a long-range inter- 365–372.
face, inspired by [68,69], which can significantly improve ASSET’s [18] T. Clausen, U. Herberg, M. Philipp, A critical evaluation of the IPv6 routing
operation, in terms of communication overhead and attack miti- protocol for low power and lossy networks (RPL), in: 2011 IEEE 7th
Int. Conf. on Wireless and Mobile Computing, Networking and Commun.
gation capability, (iv) to assess the node’s mobility and wireless
(WiMob), 0000, pp. 365–372.
interference impact and how they can affect attack detection
since it can also increase control overhead, e.g., they may cause
false positives in anomaly detection. 4 https://github.com/boygioykaskyriakos/outliers_platform.

712
G. Violettas, G. Simoglou, S. Petridou et al. Future Generation Computer Systems 125 (2021) 698–714

[19] J. Tripathi, J.C. de Oliveira, J.P. Vasseur, A performance evaluation study of RPL: Routing protocol for low power & lossy networks, in: 2010 44th Annual Conf. on Inf. Sciences and Syst. (CISS), pp. 1–6.
[20] P. Pongle, G. Chavan, Real time intrusion and wormhole attack detection in internet of things, Int. J. Comput. Appl. 121 (9) (2015).
[21] D. Airehrour, S. Ray, Secure routing for internet of things: A survey, J. Netw. Comput. Appl. 66 (2016) 198–213.
[22] K. Chugh, L. Aboubaker, J. Loo, Case study of a black hole attack on LoWPAN-RPL, in: Proc. of the Sixth Int. Conf. on Emerging Secur. Inf., Syst. and Technol. (SECURWARE), 2012, pp. 157–162.
[23] L. Wallgren, S. Raza, T. Voigt, Routing attacks and countermeasures in the RPL-based internet of things, Int. J. Distrib. Sens. Netw. 9 (8) (2013) 794326.
[24] A. Le, et al., The impacts of internal threats towards routing protocol for low power and lossy network performance, in: 2013 IEEE Symp. on Comput. and Commun. (ISCC), pp. 789–794.
[25] P. Perazzo, et al., DIO suppression attack against routing in the internet of things, IEEE Commun. Lett. 21 (11) (2017) 2524–2527.
[26] T. Umer, et al., Information and resource management systems for internet of things: Energy management, communication protocols & future applications, Future Gener. Comput. Syst. 92 (2019) 1021–1027.
[27] J.R. Douceur, The sybil attack, in: Int. Workshop on Peer-to-Peer Systems, Springer, 2002, pp. 251–260.
[28] A. Le, et al., The impact of rank attack on network topology of routing protocol for low-power and lossy networks, IEEE Sens. J. 13 (10) (2013) 3685–3692.
[29] W. Xie, et al., Routing loops in DAG-based low power and lossy networks, in: 24th IEEE Int. Conf. on Adv. Inf. Networking and Appl., 2010, pp. 888–895.
[30] A. Kamble, V. Malemath, D. Patil, Security attacks and secure routing protocols in RPL-based internet of things: Survey, in: Int. Conf. on Emerging Trends Innovation in ICT (ICEI), 2017, pp. 33–39.
[31] D. Airehrour, J.A. Gutierrez, S.K. Ray, SecTrust-RPL: A secure trust-aware RPL routing protocol for internet of things, Future Gener. Comput. Syst. 93 (2019) 860–876.
[32] A. Sehgal, et al., Addressing DODAG inconsistency attacks in RPL networks, in: 2014 IEEE Global Inf. Infrastructure and Netw. Symp. (GIIS), pp. 1–8.
[33] A. Aris, S.F. Oktug, S. Berna Ors Yalcin, RPL version number attacks: In-depth study, in: NOMS 2016 - 2016 IEEE/IFIP Network Operations and Manage. Symp., pp. 776–779.
[34] A. Mayzaud, et al., A study of RPL DODAG version attacks, in: IFIP Int. Conf. on Auton. Infrastructure, Manage. and Secur., Springer, 2014, pp. 92–104.
[35] A. Le, et al., A specification-based IDS for detecting attacks on RPL-based network topology, Information 7 (2) (2016) 25.
[36] T. Theodorou, et al., A multi-protocol software-defined networking solution for the internet of things, IEEE Commun. Mag. 57 (10) (2019) 42–48.
[37] G. Violettas, et al., An experimentation facility enabling flexible network control for the Internet of Things, in: IEEE 2019 Conf. on Comput. Commun. Workshops, pp. 992–993.
[38] A. Dunkels, B. Gronvall, T. Voigt, Contiki - a lightweight and flexible operating system for tiny networked sensors, in: 29th Annual IEEE Int. Conf. on Local Comput. Netw., 2004, pp. 455–462.
[39] I.H. Witten, et al. (Eds.), The WEKA workbench, in: Data Mining, Morgan Kaufmann, 2017, pp. 553–571.
[40] Graphstream, 2018, https://github.com/graphstream.
[41] S. Schaller, D. Hood, Software defined networking architecture standardization, Comput. Stand. Interfaces 54 (2017) 197–202.
[42] A. Dutot, et al., GraphStream: A tool for bridging the gap between complex systems and dynamic graphs, in: EPNACS'2007, pp. 63.
[43] S. Raza, L. Wallgren, T. Voigt, SVELTE: Real-time intrusion detection in the internet of things, Ad Hoc Netw. 11 (8) (2013) 2661–2674.
[44] M.N. Napiah, et al., Compression header analyzer intrusion detection system (CHA-IDS) for 6LoWPAN communication protocol, IEEE Access 6 (2018) 16623–16638.
[45] S. Kalamkar, A. Banerjee, A. Roychowdhury, Malicious user suppression for cooperative spectrum sensing in cognitive radio networks using Dixon's outlier detection method, in: 2012 National Conf. on Commun. (NCC), IEEE, pp. 1–5.
[46] C. Efstathiou, Estimation of type I error probability from experimental Dixon's "Q" parameter on testing for outliers within small size data sets, Talanta 69 (5) (2006) 1068–1071.
[47] B. Amidan, T. Ferryman, S. Cooley, Data outlier detection using the Chebyshev theorem, in: 2005 IEEE Aerospace Conf., pp. 3814–3819.
[48] D. Fogel, An introduction to simulated evolutionary optimization, IEEE Trans. Neural Netw. 5 (1) (1994) 3–14.
[49] A. Likas, N. Vlassis, J. Verbeek, The global k-means clustering algorithm, Pattern Recognit. 36 (2) (2003) 451–461.
[50] M. Sharir, A strong-connectivity algorithm and its applications in data flow analysis, Comput. Math. with Appl. 7 (1) (1981) 67–72.
[51] T. Cormen, et al., Introduction to Algorithms, The MIT Press, 2009.
[52] A. Marback, et al., A threat model-based approach to security testing, Softw. Pract. Exper. J. 43 (2) (2013) 241–258.
[53] R. Gupta, et al., Machine learning models for secure data analytics: A taxonomy and threat model, Comput. Commun. 153 (2020).
[54] S. Marano, V. Matta, L. Tong, Distributed detection in the presence of Byzantine attacks, IEEE Trans. Signal Process. 57 (1) (2008) 16–29.
[55] P. Nandhini, B. Mehtre, Directed acyclic graph inherited attacks and mitigation methods in RPL: a review, in: Int. Conf. on Sustain. Commun. Netw. and Appl., Springer, 2019, pp. 242–252.
[56] B. Zarpelão, et al., A survey of intrusion detection in Internet of Things, J. Netw. Comput. Appl. 84 (2017) 25–37.
[57] H. Bostani, M. Sheikhan, Hybrid of anomaly-based and specification-based IDS for internet of things using unsupervised OPF based on MapReduce approach, Comput. Commun. (2016) 52–71.
[58] H. Sedjelmaci, S. Senouci, T. Taleb, An accurate security game for low-resource IoT devices, IEEE Trans. Veh. Technol. 66 (10) (2017) 9381–9393.
[59] J. Kaur, An ultimate approach of mitigating attacks in RPL based low power lossy networks, in: Proc. of 17th Int. Conf. on Secur. and Manage. (SAM), 2019.
[60] T. Wauters, et al., Federation of internet experimentation facilities: architecture and implementation, in: European Conf. on Netw. and Commun. (EuCNC) 2014, IEEE, pp. 1–5.
[61] M. Berman, et al., GENI: A federated testbed for innovative network experiments, Comput. Netw. 61 (2014) 5–23.
[62] P. Valsamas, et al., Multi-PoP network slice deployment: A feasibility study, in: 2019 IEEE 8th Int. Conf. on Cloud Netw. (CloudNet), pp. 1–6.
[63] P.D. Maciel, et al., A marketplace-based approach to cloud network slice composition across multiple domains, in: 2019 IEEE Conf. on Netw. Softw. (NetSoft), pp. 480–488.
[64] P. Valsamas, et al., A multi-domain experimentation environment for 5G media verticals, in: IEEE 2019 Conf. on Comput. Commun. Workshops, pp. 461–466.
[65] Flux Research Group, The University of Utah, 2020, https://www.flux.utah.edu/index.
[66] S. Skaperas, L. Mamatas, A. Chorti, Real-time video content popularity detection based on mean change point analysis, IEEE Access 7 (2019) 142246–142260.
[67] S. Skaperas, L. Mamatas, A. Chorti, Real-time algorithms for the detection of changes in the variance of video content popularity, IEEE Access 8 (2020) 30445–30457.
[68] T. Theodorou, L. Mamatas, A versatile out-of-band software-defined networking solution for the internet of things, IEEE Access 8 (2020) 103710–103733.
[69] T. Theodorou, L. Mamatas, SD-MIoT: A software-defined networking solution for mobile internet of things, IEEE Internet Things J. (2020) 1.

George Violettas earned his Ph.D. in Network Control and Security for the Internet of Things from the University of Macedonia, Thessaloniki, Greece. He holds an M.Sc. degree in Applied Informatics from the same University, and a 4-year Bachelor's degree in Computer Science from the Hellenic Open University. He has worked as a senior researcher in EU-funded projects (Horizon 2020): NECOS H2020 (Novel Enablers for Cloud Slicing), UNIC (Unikernel-based CDNs for 5G Networks, FED4FIRE+ Open Call 4, H2020), MEC (Multi-homing with Ephemeral Clouds on the Move in MONROE Open Call 2, H2020) and CORAL (Cross-Layer Control of Data Flows, WiSHFUL Open Call 2, H2020). He has hands-on experience with experimentation facilities and test-beds (Fed4fire, Emulab, Monroe).


George Simoglou received his B.Sc. degree in Applied Informatics from the University of Macedonia, Thessaloniki, Greece. His B.Sc. thesis was on the security issues of the RPL routing protocol, presented in Feb. 2020. He is currently working as a web and software developer. His research interests include Internet of Things, network protocols and security.

Sophia Petridou is an Assistant Professor in the Department of Applied Informatics, University of Macedonia. She received her Ph.D. from the Department of Informatics, Aristotle University of Thessaloniki, Greece in 2008. Her main research interests are in the areas of Internet of Things, wireless and optical network protocols, formal verification and probabilistic model checking of protocols, and protocol security. She has been involved in the international research projects NECOS H2020 (Novel Enablers for Cloud Slicing), UNIC (Unikernel-based CDNs for 5G Networks, FED4FIRE+ Open Call 4, H2020), MEC (Multi-homing with Ephemeral Clouds on the Move, MONROE Open Call 2, H2020) and CORAL (Cross-Layer Control of Data Flows, WiSHFUL Open Call 2, H2020). She has more than 40 publications in journals and conferences. She is a Member of the IEEE Computer Society and serves as an Associate Editor of the International Journal of Communication Systems.

Lefteris Mamatas is an Associate Professor in the Department of Applied Informatics, University of Macedonia, Greece. He leads the Softwarized & Wireless Networks Research Group (http://swn.uom.gr) in the same University. He worked as a researcher at University College London (UK), the Space Internetworking Center/Democritus University of Thrace (Greece), and DoCoMo Eurolabs (Germany). His research interests lie in the areas of Software-Defined Networks, Internet of Things, 5G Networks, and Multi-Access Edge Computing. He participated in many international research projects, such as NECOS (H2020), FED4FIRE+ OC4 (H2020), WiSHFUL OC2 (H2020), MONROE OC2 (H2020), Dolfin (FP7), UniverSELF (FP7), and Extending Internet into Space (ESA). He has published more than 60 papers in international journals and conferences. He served as a General Chair for the WWIC 2016 conference and the INFOCOM SWFAN 2016 workshop, as a TPC Chair for the INFOCOM SWFAN 2017, E-DTN 2009 and IFIP WWIC 2012 conferences/workshops, and as a Guest Editor for the Elsevier Ad Hoc Networks Journal.
