IEEE TRANSACTIONS ON INFORMATION FORENSICS AND SECURITY, VOL.

16, 2021 4405

A Transfer Learning Approach for Securing

Resource-Constrained IoT Devices
Selim Yılmaz , Emre Aydogan , and Sevil Sen

Abstract— In recent years, Internet of Things (IoT) security 2025, which shows a five-fold increase in ten years. Cisco
has attracted significant interest by researchers due to new projects that Machine-to-Machine (M2M) connections will
characteristics of IoT such as heterogeneity of devices, resource constitute half of the global connected devices and connections
constraints, and new types of attacks targeting IoT. Intrusion
detection, which is an indispensable part of a security system, by 2023 [2]. While nearly half of these connections result
is also included in these studies. In order to explore the complex from home applications, the number of connections resulting
characteristics of IoT, machine learning methods, which rely on from connected work and connected city applications has been
long training time to generate intrusion detection models, are showing an increasing trend in recent years [2].
proposed in the literature. Furthermore, these systems need to The Low Power and Lossy Networks (LLN) are a special
learn a new/fresh model from scratch when the environment
changes. This study explores the use of transfer learning in order type of IoT, which have different application areas from smart
to generate intrusion detection algorithms for such dynamically homes to industry. In these networks, devices have generally
changing IoT. Transfer learning is an approach that stores resource constraints such as energy, memory, and process-
knowledge learned from a problem domain/task and applies that ing power. Moreover, such resource-constrained devices are
knowledge to another problem domain/task. Here, it is employed connected over lossy links. These special characteristics of
in the following two settings: transferring knowledge for gener-
ating suitable intrusion algorithms for new devices, transferring LLNs have resulted in the emergence of new communica-
knowledge for detecting new types of attacks. In this study, Rout- tion protocols. One of the standardized protocols for these
ing Protocol for Low-Power and Lossy Network (RPL), a routing resource-constrained networks is Routing Protocol for Low
protocol for resource-constrained wireless networks, is used as Power and Lossy Networks (RPL) [3]. RPL builds Destina-
an exemplar protocol and specific attacks against RPL are tion Oriented Directed Acyclic Graphs (DODAG) in order
targeted. The experimental results show that the transfer learning
approach gives better performance than the traditional approach. to represent network topology. However this topology could
Moreover, the proposed approach significantly reduces learning be susceptible to attacks. Although RPL has some security
time, which is an important factor for putting devices/networks mechanisms for external attackers, it is still open to insider
in operation in a timely manner. Even though transfer learning attacks such as version number and rank attacks. There-
has been considered a potential candidate for improving IoT fore, developing suitable intrusion detection systems for such
security, to the best of our knowledge, this is the first application
of transfer learning under these two settings in RPL-based IoT resource-constrained networks is vital, which is the main aim
networks. of this study.
This study investigates the use of transfer learning (TL)
Index Terms— IoT, security, transfer learning, intrusion detec-
tion, genetic programming, RPL. for automatically generating suitable intrusion detection algo-
rithms for a variety of devices in RPL-based IoT networks.
I. I NTRODUCTION Transfer learning simply helps move the knowledge learned
in a task/domain to a new task/domain. It helps reduce the
I oT is one of the most popular research topics in com-
munication due to significantly increasing numbers of
heterogeneous devices connecting to each other and to the
learning time needed in the new task/domain. Moreover, it is
expected to produce higher initial and final performances
Internet. According to Statista [1], the total installed base of for the learned model in the new task/domain compared to
IoT devices is expected to be around 75 billion globally by learning without transfer. This study investigates the use of TL
in IoT security in two different ways: transferring knowledge
Manuscript received January 14, 2021; revised April 2, 2021 and May 28, for generating suitable intrusion algorithms for new devices,
2021; accepted June 22, 2021. Date of publication July 9, 2021; date of current transferring knowledge for detecting new types of attacks.
version September 3, 2021. The associate editor coordinating the review of
this manuscript and approving it for publication was Dr. Mika Ylianttila. In the literature, TL is proposed as a promising approach for
(Corresponding author: Sevil Sen.) securing IoT systems, since they consist of different compo-
Selim Yılmaz is with the Department of Computer Engineering, nents such as devices, wireless sensor networks (WSNs), and
Muğla Sıtkı Koçman University, 48000 Muğla, Turkey, and also with the
WISE Laboratory, Department of Computer Engineering, Hacettepe Univer- cloud computing [4]. However, to the best of our knowledge,
sity, 06800 Ankara, Turkey (e-mail: [email protected]). there is no study that covers both settings in the research area
Emre Aydogan is with the Department of Computer Engineering, Akdeniz yet.
University, 07070 Antalya, Turkey, and also with the WISE Laboratory,
Department of Computer Engineering, Hacettepe University, 06800 Ankara, One of the main characteristics of LLNs is that it inter-
Turkey (e-mail: [email protected]). connects a number of heterogeneous, resource-constrained
Sevil Sen is with the WISE Laboratory, Department of Com- devices. Therefore, the main hypothesis in transferring knowl-
puter Engineering, Hacettepe University, 06800 Ankara, Turkey (e-mail:
[email protected]). edge for new devices is that an intrusion detection algorithm
Digital Object Identifier 10.1109/TIFS.2021.3096029 developed for a particular type of device might not be suitable
1556-6021 © 2021 IEEE. Personal use is permitted, but republication/redistribution requires IEEE permission.
See https://www.ieee.org/publications/rights/index.html for more information.

Authorized licensed use limited to: EASWARI COLLEGE OF ENGINEERING. Downloaded on January 10,2023 at 04:10:05 UTC from IEEE Xplore. Restrictions apply.
4406 IEEE TRANSACTIONS ON INFORMATION FORENSICS AND SECURITY, VOL. 16, 2021

for other types of devices. Moreover, developing suitable important for putting devices/networks in operation in a
intrusion detection algorithms for each type of device is a timely manner.
costly approach. Hence, by using TL, the knowledge of an • The use of transfer learning on IoT security is firstly
intrusion detection algorithm could be transferred for gener- explored for the following two settings: transferring
ating new algorithms for devices with different constraints. knowledge for new types of attacks and transferring
For example, an effective algorithm on a device could be knowledge for new devices.
transferred to a more resource-constrained device. With this The paper is organized as follows. The overview of RPL
approach, it is expected to find a good balance between and internal attacks against RPL is given in Section II.
accuracy and resource consumption in a shorter time than The background information about genetic programming and
learning an intrusion detection algorithm from scratch for a transfer learning is also given in this section. Section III
new device. discusses related studies in the field of intrusion detection
In transferring knowledge for new types of attacks, the on RPL and in the area of transfer learning in IoT security.
knowledge is transferred from one domain to a new domain. The proposed approach is given in detail in Section IV.
With the increasing popularity of IoT networks, we expect Experimental settings and results are evaluated and discussed
new attacks to emerge. So, the developed intrusion detection in Section V. Section VI discusses the limitations of the
algorithms might not be effective enough on such new attacks. proposed approach and the possible future studies. Finally,
Therefore, in this study, the knowledge obtained during the Section VII concludes the findings of this study.
automatic generation of an intrusion detection algorithm by
using machine learning techniques is proposed to be trans- II. BACKGROUND
ferred for detecting new types of attacks. With this approach,
it is expected to obtain effective intrusion detection algorithms A. RPL and Target Attacks
for new attacks in a shorter time than traditional learning. RPL is one of the most popular routing protocols for
Here, genetic programming (GP) is employed for evolving LLNs [3]. It is a distance-vector and source routing pro-
intrusion detection algorithms due to their capability of explor- tocol based on building DODAG in order to represent the
ing search space efficiently for complex environments such as network topology. RPL is mainly proposed for supporting
LLNs. Moreover, it allows us to manually analyze evolved multipoint-to-point communication (MP2P), however, it also
detection programs to some degree. Last but not least, it eases supports point-to-multipoint (P2MP) and point-to-point (P2P)
performing validation and testing automatically by producing communication. Each DODAG has a single root node. Hence,
detection programs written in C, hence they could be run in a typical scenario, sensor nodes periodically send their
directly on simulated devices running on Contiki operating information to the root node. The route from these sensor
system. GP is a population-based optimization algorithm. nodes to the root node is determined based on objective
Hence, it outputs a group of candidate solutions for the functions such as expected transmission count (ETX), hop
problem at hand, and the best one is usually selected for count, and energy.
testing. This characteristic of GP allows us to transfer a group RPL has four types of routing control messages. The root
of individuals in the last population in evolution to a new node initially broadcasts DODAG Information Object (DIO)
task/domain. messages in order to create routes in an upward direction.
The contribution of this current study could be summarized By using DIO messages, a node determines a set of candidate
as follows: parents, selects one of them, and determines its rank. Rank
• The use of genetic programming is explored in detecting represents the position of a node with respect to the root
specific attacks against RPL-based IoT networks. The node. The objective function specifies how a node computes
results show that GP could evolve effective algorithms for its rank value for the selection of its parent. Destination
detecting rank, DODAG Information Solicitation (DIS) Advertisement Object (DAO) messages are used for reversal
flooding, version, and worst parent attacks in a given time. route construction. DAO Acknowledgement (DAO-ACK) is
• Transfer learning is explored for detecting new types used to acknowledge the receipt of a DAO message. DIS
of attacks on three scenarios: single-to-single, single-to- messages are sent when a new node wants to join the DODAG
multi, multi-to-multi. In single-to-multi scenario, single and asks for DIO messages from its neighbors.
corresponds to an environment with a single attack, where Although RPL has some countermeasures against external
learning takes place, and multi corresponds to a net- attackers, it is still vulnerable to attacks from inside. Attacks
work with multiple attacks, where the learned detection against RPL are covered in three classes in the literature [5]:
algorithm is transferred to. In all scenarios, the positive attacks against resources, attacks on topology, and attacks on
effect of transfer learning is clearly shown. TL reduces traffic. In this study, the following four attacks are targeted.
the learning time and produces more effective detection The detection of these attacks is investigated by using transfer
algorithms. learning. Even though transfer learning could be applied for
• Finally, the application of transfer learning is investigated detecting variations of existing attacks, here, the main aim is
on generating separate algorithms for the different types to detect new types of attacks by using transfer learning due
of devices with different constraints. The results show to being a more complex problem.
that the proposed approach produces better results and • Decreased Rank (DR): In this attack, attacker nodes
converges faster than the traditional approach, which is illegitimately advertise a lower rank value to other nodes

Authorized licensed use limited to: EASWARI COLLEGE OF ENGINEERING. Downloaded on January 10,2023 at 04:10:05 UTC from IEEE Xplore. Restrictions apply.
YILMAZ et al.: TL APPROACH FOR SECURING RESOURCE-CONSTRAINED IoT DEVICES 4407

in the network. This results in many legitimate nodes Algorithm 1 General Steps of GP
in the network connecting to the DODAG graph over 1 Initialize population;
attacker nodes. Hence, a great portion of the network 2 repeat
traffic might pass through attackers, which can be the 3 Evaluate the fitness of each individual;
initial step for future harmful attacks. 4 Rank the population according to fitness values;
• DIS Flood (DF): This attack aims at exhausting nodes’ 5 Apply genetic operators (crossover, mutation, etc.) and
resources. The attacker nodes generate a large number of reproduce new population;
DIS messages to nodes in their neighborhood to consume 6 until a termination criterion is satisfied;
their resources (e.g., energy) and to cause congestion 7 return best-of-run individual
in the network. In this attack scenario, the attacker
sends 20 DIS packets consecutively.
• Increased Version (IV): While version number in DIO
messages is increased by only the root node and propa- we can directly derive detection programs written in C, which
gated throughout the network for global repair in RPL, eases to run them directly on Contiki. Last but least, since
it is illegitimately increased and broadcast by attackers, it is a population-based approach, it allows us to transfer a
which results in an unnecessary effort for rebuilding the group of individuals to a new domain/task at the end of one
graph. In this attack scenario, the attacker increases the run. These characteristics are among the main motivations
value of the version field by one every time he sends a behind using GP in this research. Furthermore, by using
DIO packet. a multi-objective evolutionary algorithm, evolving detection
• Worst Parent (WP): In order to forward incoming packets, programs that are both effective and also efficient (i.e., energy-
a node chooses a parent node with respect to the objective aware) is explored.
function. However, it is not the case in this attack sce- The general steps of GP algorithm are given below. The
nario. Attacker node contrarily prefers the worst parent to algorithm starts with generating the first population. The indi-
send or forward packets, which degrades the performance viduals, which represent candidate solutions for the problem
of the network (e.g., end-to-end delay, delivery ratio). at hand, are usually generated randomly in the first population.
Then, these individuals are transformed into a new, hopefully
B. Genetic Programming for the better, population of individuals by using genetic
GP [6] is an evolutionary computation technique inspired operators. The better the fitness value of an individual is, the
by biological evolution. In its simplest form, it is based on more likely it is to be selected for the application of genetic
the Darwinian survival of the fittest theory where individuals operators. Fitness function represents how good or how close
compete with each other for survival and reproduction in an to the optimal the candidate solution is. In practice, since
environment that can only host a limited number of individuals the optimal solution cannot be achieved in a timely manner,
[7]. It is a population-based search algorithm in order to the algorithm is generally run up to the maximum number of
evolve better individuals that correspond to candidate solutions generations or up to the attainment of a solution with sufficient
for a targeted problem at each generation. It applies genetic quality.
operators such as crossover, mutation, and selection on the In GP, individuals are represented as trees. At each iteration,
individuals in order to provide better solutions in the new the individuals are evaluated by using the fitness function
population and to find the optimum (or close to the optimum) and selected for genetic operators. The selection mechanism
solution for the problem at hand. Since GP is capable of provides a great opportunity for fitter individuals to survive
representing different types of complex problems, we see a by picking out individuals from the current population. One
wide variety of successful GP applications in the literature. or two individuals, depending on the type of operator, are
LLNs are complex environments due to their special char- selected as the parent. Two main genetic operators applied
acteristics such as having low power nodes and lossy links. upon parent individuals are crossover and mutation. In the
Moreover, different trade-offs should be considered while crossover operator, two offspring are created by replacing
designing a security solution for this complex environment the sub-trees of parent individuals. In the mutation operator,
such as accuracy, being lightweight and so stability. Humans a mutation point in a parent tree is randomly selected and
are not particularly adept at selecting good choices when the sub-tree already rooted there is substituted by a new,
complex trade-offs have to be made. Mobility makes this randomly generated sub-tree. Mutation introduces diversity
environment more difficult to perceive. While RPL was not into the population. As the final step of each generation,
designed with mobility in mind, real-life applications could individuals who will survive in the next generation are selected
include mobile nodes. Evolutionary computation (EC) based based on their fitness values. Please see the tutorial in [8] for
approaches could be suitable for such complex and/or dynamic further information on genetic programming.
environments. Among various artificial intelligence techniques
that have been proposed for intrusion detection, EC is consid- C. Transfer Learning
ered one of the most promising approaches. It makes fewer The volume of training data is one of the most important
assumptions about the solution space as other heuristic compu- factors that affect the learning capability of a machine learning
tation techniques. Intrusion detection programs derived using algorithm. In that sense, while supervised learning is generally
GP are open to manual analysis to some degree. Moreover, preferred over unsupervised learning, labeling a high volume

Authorized licensed use limited to: EASWARI COLLEGE OF ENGINEERING. Downloaded on January 10,2023 at 04:10:05 UTC from IEEE Xplore. Restrictions apply.
4408 IEEE TRANSACTIONS ON INFORMATION FORENSICS AND SECURITY, VOL. 16, 2021

of data is tiring, time-consuming, and even prone to errors in mitigating this attack type [17], the version number update
the case of manual labeling. A semi-supervised algorithm can messages coming from nodes other than the root node and
address this issue as it needs a large amount of unlabeled data nodes in its neighborhood are dropped. In order to validate
instead. However, since gathering unlabeled data can be also other update messages, the majority of nodes with better
unrealistic for some problems, traditional machine learning rank values are expected to have the same version number.
may not be effective to solve them. Transfer learning is a way In [18], a separate network consisting of the monitoring
to handle this problem by transferring the information from a nodes is constructed by taking advantage of the multiple
source domain to a target domain [9] that has limited data. instance feature of RPL. Hence, each monitoring node shares
A domain D is defined by a feature space X and a marginal its information in order to detect version number attacks. The
distribution P(X) (i.e., D = {X , P(X)}). Here, X denotes an effects of the rank attack are analyzed in [19]. It is shown
object (instance) set (i.e., X = {x | x i ∈ X , i = 1, 2, . . . , m}). that implementing attacks in an area with a high forwarding
A task, however, T is composed of a label space Y and an load such as where nodes have a limited choice of parents
objective predictive function f (i.e., T = {Y, f }). Given a has a higher impact on the network. An analytical model
source domain (D S ), a source task (T S ), a target domain (DT ), of Sybil attackers is proposed to increase the evasiveness of
and a target task (TT ); transfer learning is defined as learning Sybil attack by using artificial bee colony algorithm [20].
an efficient objective predictive function ( f ) for DT by using Then, a lightweight threshold-based Sybil attack detection
information from D S and T S , where D S = DT or T S = TT . system is proposed for the bounded region, scattered, and
Traditional machine learning tasks deal with the same task and mobile attacker scenarios by introducing new fields into DIO
domain in training and testing data (i.e., D S = DT and T S = messages such as control message counter and timestamps.
TT ). The model is obtained by using training data and then is While most of the proposed IDS for RPL is anomaly-
applied to testing data in order to evaluate the model. However, based, there are few specification-based IDS [21], [22] in the
transfer learning is quite different from the traditional ML in literature. In the last few years, few machine learning-based
a way that task and domain in training and testing data can IDS have been proposed for RPL. Compression Header Ana-
be different. lyzer Intrusion Detection System (CHA-IDS) [23] employs
Based on the definitions above, D S = DT implies features collected from IPv6 over Low-Power Wireless Per-
that either feature space or marginal distribution between sonal Area Network (6LoWPAN) compression header, then
source and target must be different from each other applies six classification algorithms after the feature selection
(i.e., X S = XT ∨ P(X S ) = P(X T )). In homogeneous trans- phase. Even though the proposed approach performs better
fer learning, the feature space of source and target domains than SVELTE [12] and [24], it has high power and memory
must be the same (i.e., X S = XT ); otherwise, (i.e., X S = XT ), consumption. Moreover, it is proposed for only WSN-based
it is called heterogeneous transfer learning [10]. Another type attacks. In [25], a neural network-based approach is applied for
of TL is the one where conditional probability distributions detecting hello flood, version, and rank attacks, and it is shown
are different (i.e., P(Y S |X S ) = P(YT |X T )). The output label to be very effective in detecting hello flood attacks. In a recent
space can also be different, Y S = YT . If one of these two study [26], intrusion detection algorithms are automatically
conditions is satisfied, then we can say that source and target generated by using evolutionary computation. Both central
tasks are different (i.e., T S = TT .) and distributed intrusion detection architectures are explored.
Recently, a neural network-based intrusion detection system
III. R ELATED W ORK is proposed for RPL [27]. The effects of link-layer features
There is a good amount of works in the literature in order on detecting RPL attacks were firstly explored and shown to
to prevent and detect external and internal attacks against reduce false positives.
RPL. Besides intrusion detection systems, there are security Modeling the normal behavior of IoT devices has also been
protocols which are grouped into cryptography-, trust-, and exploited to develop intrusion detection systems targeting gen-
threshold-based solutions in the literature for enhancing the eral attacks. In [28], the operations of devices are monitored,
RPL security [11]. However, here, we mainly focus on studies and a model that determines the ‘normal’ behavior of a device
proposed for detecting and mitigating RPL specific attacks. is extracted by using system statistics like central processing
SVELTE [12] is the first intrusion detection system (IDS) unit (CPU) usage, memory consumption of the monitored
for IoT, which employs the combination of signature and devices. They employ methods based on neural networks,
anomaly-based systems. Since then, researchers mainly focus linear regression, and recurrent neural networks. In another
on mitigating or detecting particular types of attacks against anomaly-based security model [29], changes in the energy
RPL. While, rank and version number attacks are among pattern of IoT devices are monitored to detect cyber and
the most analyzed attacks against RPL, RPL-specific flooding physical attacks in the network. Here, a convolutional neural
attacks such as DIS flooding [13], newly developed attacks network, one of the popular deep learning (DL) algorithms,
such as DIO suppression [14] need more attention [11]. is employed to identify deviations from the normal behavior
Version number attacks have been analyzed in [15], [16]. of the system.
Both analyses show that the attack increases the network In the literature, transfer learning has been applied in various
overhead considerably. Moreover, it is shown that the more problems such as text classification, sentiment classification,
the attacker is away from the root node, the more damage it image classification, WiFi localization, anomaly detection,
could give to the network [15]. Therefore, in a technique for spam filtering up to date [9]. However, there are only a

Authorized licensed use limited to: EASWARI COLLEGE OF ENGINEERING. Downloaded on January 10,2023 at 04:10:05 UTC from IEEE Xplore. Restrictions apply.
YILMAZ et al.: TL APPROACH FOR SECURING RESOURCE-CONSTRAINED IoT DEVICES 4409

Fig. 1. The conceptual scheme of the proposed approach.

few studies that explore the application of transfer learning although the energy consumption of the proposed algorithms is
on IoT security. Very recently, a DL-based attack detection given in some studies [12], [23], their applicability to different
system is proposed [30]. Due to the difficulty of having labeled devices is not taken into account as done in this study. Last
data, they propose a transfer learning approach in which the but not least, although there are a few recent studies [30], [32]
latent representation of an autoencoder trained on a labeled that employ transfer learning for IoT security in the literature,
dataset is transferred to another autoencoder trained on an these studies do not target RPL attacks. They do not use
unlabeled dataset. It aims to detect general attacks such as transfer learning both for new attacks and for new devices as
scanning, Transmission Control Protocol (TCP) flooding, and in the current study. Moreover, the deep TL approach [30] only
User Datagram Protocol (UDP) flooding, hence no specific focuses on attacks belonging to the same class (i.e. DDoS).
IoT protocol is targeted. Nine datasets from N-BaIoT are
employed [31]. 115 statistical features are extracted from the IV. E VOLVING I NTRUSION D ETECTION A LGORITHMS
packet stream. Area Under Curve (AUC) score is used for In this study, the use of transfer learning for intrusion
performance comparison. Furthermore, the effectiveness of detection in resource-constrained IoT networks is investigated.
transferring information and processing time is analyzed. The The conceptual scheme of the proposed approach is depicted
results show that the proposed TL-based approach performs in Fig. 1. Firstly, intrusion detection algorithms are evolved
better than the baseline DL technique. Although the target by using GP for the source domain. The features used in
datasets include attacks that do not exist in the source datasets, individuals are extracted from networks simulated by Cooja,
the effect of the proposed approach on only the new attacks a Java-based network simulator of sensor nodes running the
is not shown explicitly in the results. Contiki operating system [33]. Please note that the first popu-
In another recent study [32], transfer learning is employed lation in the source domain is initialized randomly. However,
in order to encode high-dimensional features applied for the first population in the target domain is constructed by
multi-class classification for building a binary classifier. transferring knowledge from the source domain. The fittest
A detection model is trained in order to detect four attacks individuals learned in the source domain are transferred
(i.e., denial-of-service (DoS), distributed DoS (DDoS), recon- into the target domain. In this regard, we adopted FullTree
naissance, and information theft) in IoT networks. In the approach proposed in [34], which selects a given percentage
study, no specific IoT protocol is targeted, but features of best individuals of the last generation for transferring to
related to internet protocol (IP), TCP, UDP, hypertext trans- the target domain. With transfer learning, it is expected to
fer protocol (HTTP) are extracted. It is shown that high evolve better individuals in a shorter time than the traditional
accuracy is obtained for binary classification by using TL. approach. Moreover, it generally performs better initial and
In N-BaIoT [31], a network-based botnet detection for IoT, final performance compared to learning without transfer.
transferring knowledge of the detection model to other iden- In the source task/domain, the initial population is randomly
tical devices is left as future work. constructed. The individuals in the population are candidate
In this study, the aim is not only to detect attacks against algorithms for detecting RPL-specific attacks. Each individual
RPL, but also to develop suitable solutions for this environ- is represented by a GP tree. An exemplar GP tree is shown
ment: developing effective detection algorithms in a timely in Fig. 2. Terminal (or leaf) nodes represent the features
manner for new attacks and developing efficient algorithms for collected from RPL control and data packets. The feature set
new devices. To the best of our knowledge, there is no such proposed in our previous study [35], which covers most of
study in the literature. While anomaly-based systems [12], the features related to RPL control messages and data packets,
[18] could be effective against new attacks, their performance together with randomly generated numbers has been employed
on unknown attacks has not been evaluated. Furthermore, as leaf nodes. The features are listed in Table I. While

Authorized licensed use limited to: EASWARI COLLEGE OF ENGINEERING. Downloaded on January 10,2023 at 04:10:05 UTC from IEEE Xplore. Restrictions apply.
4410 IEEE TRANSACTIONS ON INFORMATION FORENSICS AND SECURITY, VOL. 16, 2021

TABLE I TABLE II
T HE F EATURE S ET GP PARAMETERS AND THEIR VALUES

The intrusion detection algorithm corresponding to the tree

in Fig. 2 is given below:

1 if ((COUNT_DIS + MAX_RANK) < COUNT_DIO) &&

(COUNT_DATA
 == MAX_RPL_INS)

2  alert(intrusion)
3 end

The parameter settings including the operators and functions

are given in Table II. The number of generations is set as the
termination criterion of evolution in the experiments. In order
to evaluate evolved algorithms, accuracy is employed as the
fitness function. As for the implementation of GP algorithm,
a Java-based evolutionary computation toolkit (ECJ) [36] is
used in the experiments. The other settings of GP not listed
in the table are the default parameters of ECJ.
The running time of evolving an intrusion detection algo-
rithm is proportional to the running time of genetic program-
ming, which is mainly determined by the individual/generation
size and the fitness evaluation cost. Hence, the time complexity
of the proposed approach is O(G × I × F); where G, I , and
F denote the number of generations, the number of individ-
Fig. 2. An example GP-tree.
uals evaluated in each generation, and the fitness evaluation
respectively. In the fitness evaluation of each individual, the
data-related features include information about data packets average of running the individual on five network simulations,
received by the root node in a time interval, topology-related in each which consist of 300 records collected in 60s window
features include information about routing control messages intervals, is calculated. Please note that each individual is
received by the root node, which could give useful insights extracted by tree traversal in GP. If the number of nodes in the
for detecting RPL-specific attacks. individual tree is n, the time complexity of the tree in-order
Mathematical operators such as addition, multiplication, and traversal by using traditional algorithms is O(n). Here, the
subtraction, together with the logical operators such as ‘and’, number of nodes in the tree is limited by the maximum tree
‘or’ are used as non-terminal (intermediate) nodes to form depth as given in Table II.
a GP tree, as illustrated in Fig. 2. The root node, however, Depending on the placement strategy (i.e., centralized,
is constrained to be a comparison or logical operator so that distributed, and hybrid), the evolved IDS algorithms can be
the evolved tree returns a boolean expression. Each individual deployed to any node in a network. In this study, a central
produces an if statement for detecting the attack and raising intrusion detection system is proposed, where the evolved
an alarm. algorithm is deployed on the root node. So, the features

Authorized licensed use limited to: EASWARI COLLEGE OF ENGINEERING. Downloaded on January 10,2023 at 04:10:05 UTC from IEEE Xplore. Restrictions apply.
YILMAZ et al.: TL APPROACH FOR SECURING RESOURCE-CONSTRAINED IoT DEVICES 4411

are collected from packets sent from/received by the root In this algorithm, in contrast to the fitness proportionate
node. As stated earlier, the applicability of the transfer selection in single-objective GP, Pareto ranking and crowding
learning-based approach is investigated under two different distance measurements of candidate solutions obtained from
settings: their objective values, are taken into account for selecting an
Transferring knowledge for new types of attacks: Here, individual to survive in next generations.
the effect of transfer learning on detecting new RPL attacks In this setting, the same type of RPL attacks takes part
is explored. For this purpose, RPL attacks other than those in both domains; however, energy consumed by an intrusion
used in learning in the source domain are employed at detection agent becomes more critical. In order to simulate a
the target domain. Three different scenarios are explored more constrained device, the frequency of sending data packets
in this setting. In the first scenario, called single-to-single, sent from sensor nodes is increased, which also increases the
a different single attack takes part in both source and target network traffic to be handled by the root node. While the time
domains. In the second scenario, called single-to-multi, while interval is 15 s in the source domain, it is set as 5 s in the
the source domain evolves a detection algorithm for a single target domain. Since the root node consumes more energy to
attack, it is transferred for detecting multiple attacks in the handle the increased traffic, the intrusion detection algorithm is
target domain. Finally, in the third scenario, called multi-to- expected to consume less energy in order to tolerate additional
multi, both domains include different combinations of multiple energy cost caused by the data packets without sacrificing its
attacks. detection accuracy, if possible. So, even though the same input
In this setting, the same feature space is used in both source feature space and the same attacks are used in both source
and target problems, i.e. X S = XT . However the marginal and target domains (i.e., X S = XT ), the marginal distribution
distribution is different from each other as the source and target becomes different (i.e., P(X S ) = P(X T )). Again, the same
attacks are different, i.e. P(X S ) = P(X T ), which changes data output space is employed (i.e., YS = YT ). However, unlike
distribution. The same output label is used for both tasks, the previous setting, energy consumption is added as another
i.e. YS = YT . Lastly, the predictive function used in both objective for the target problem, which makes the source and
source and target problems is the same. Based on these target task different. To sum up, from the transfer learning
definitions, source and destination tasks are the same, source perspective, both domain and tasks are different in this setting.
and target domains are different from the transfer learning
point of view. V. E XPERIMENTAL R ESULTS
Transferring knowledge for new devices: In this setting,
the detection algorithms are transferred to a new environment A. Simulation Environment
where a new type of devices takes part. Here, both detection In this study, Cooja simulator [38] is used to simulate IoT
ability and energy consumption of evolved detection algo- networks. Cooja is the most used simulator in the literature.
rithms are taken into account on transferring. Here, the main In addition, since it includes RPL implementation, it is pre-
motivation is the need to deploy intrusion detection algorithms ferred to be used in this study. It is capable of simulating
on more resource-constrained devices. Therefore, while the wireless sensor networks consisting of different mote types.
generated algorithms in the source domain are evolved by Here, Zolertia Z1 platform is adopted as a mote type in
using only the accuracy of the algorithms, in the target domain all simulations due to its bigger read-only memory (ROM)
both accuracy and energy consumption of evolved algorithms capacity than other platforms. Targeted attacks described in
are taken into consideration in the fitness function. Therefore, Section II-A are implemented by using the RPL attacks
the problem at hand becomes a multi-objective problem with framework [39]. In order to measure the power consumption
the goals of higher accuracy and lower energy consumption. of evolved algorithms, Powertrace [40] tool is integrated into
In the literature, a great deal of effort has been the Cooja simulator.
put in order to extend evolutionary-based algorithms for In the experiments, 15 different network topologies are
solving multi-objective problems. Now, evolutionary-based employed for each scenario, where five topologies are used
multi-objective algorithms (EMOAs) are known to be very for training, and the remaining 10 topologies are used for
successful in finding well-converged and –diversified solu- testing. Each topology is run twice for generating benign
tions. In contrast to single-objective problems where the best and malicious traffic. Each topology is run for five hours
individual is found for that objective; for the multi-objective and has 300 samples since features are collected every 60 s
problem, the solution is usually not unique, but a set of optimal as given in the subsequent section. In simulations involving
solutions called Pareto-dominant solutions. To define formally, attacker nodes, malicious nodes attack the network during the
a solution (say u) is a Pareto-dominant solution in comparison whole simulation time; hence, the dataset is balanced. In order
to other solution (say v) (denoted as u ≺ v) if its objective set, to see the multi-hop characteristics of RPL, at least 25 nodes
f (u), is partially less than that of v, f (v) for a minimization are suggested to be used in RPL-based networks [41]. There-
problem, i.e., ∀i : f i (u) ≤ f i (v) ∧ ∃i : f i (u) < f i (v) | i ∈ fore, 30 nodes are deployed in each simulation. There is a
{1, . . . , k}; where k is the number of objectives. Therefore, trade-off between the number of nodes and the simulation
Pareto-dominant solutions are better than non-dominant solu- time. That’s why bigger networks were not preferred in order
tions in every objective but not comparable to each other. Here, to be able to run many simulations and to get statistically
Non-dominated Sorting Genetic Algorithm II (NSGA-II) [37], significant results. While 5 nodes (≈ 15%) are set as an
one of the most popular Pareto-based EMOAs, is employed. attacker performing malicious activities, the rest are set as

Authorized licensed use limited to: EASWARI COLLEGE OF ENGINEERING. Downloaded on January 10,2023 at 04:10:05 UTC from IEEE Xplore. Restrictions apply.
4412 IEEE TRANSACTIONS ON INFORMATION FORENSICS AND SECURITY, VOL. 16, 2021

sensor nodes, except the root node where the evolved detection TABLE III
algorithms are placed on. Sensor nodes send periodic data P ERFORMANCE OF THE P ROPOSED TL-BASED A PPROACH BASED
ON THE S IGNED W ILCOXON R ANK T EST
packets (every 15 s) as in a typical sensor network application.

B. Performance Evaluation
In the evolution of intrusion detection algorithms by GP,
we adopted the window-based approach where the network
traffic is collected in a time interval and the detection algorithm
is triggered at the end of each interval. Otherwise, it would be
too costly to run a detection algorithm after every incoming
packet. Therefore, firstly, the optimal length of this time
window is explored. To do that, GP is run five times for
each attack type with five different network configurations in
various time intervals (5, 15, 30, 60, and 90 s). The effects
of various time intervals are compared by using detection
accuracy. According to the overall findings, the detection
performance proportionally increases with the time interval
until 60 s, after which it slightly degrades. Therefore, the
length of the time window is set as 60 s in the following
experiments.
1) Transferring Knowledge for New Types of Attack:
In this setting, a detection algorithm evolved for RPL
attack(s) at the source domain is transferred to the target
domain where another RPL attack(s) is implemented. Dif-
ferent attack combinations are explored under three different
scenarios: single-to-single, single-to-multi, and multi-to-multi.
Each model is trained by using five different networks and
tested by using 10 networks having varying topologies. GP is
run 10 times for every setting due to the stochastic nature of
evolutionary computation-based algorithms, then the evolved
best detection algorithm of each run is used for testing.
Fig. 3. Overall accuracy performance of the proposed transfer-based learning
Pre-trained models are obtained at the 1000th generation. approach.
Then, the individuals of the last population are transferred
to the target domain and the evolution goes on in the new
environment. Here, instead of the whole population, only In addition to the overall performance comparison,
elite individuals (10% of the population) are transferred to Wilcoxon signed-rank test has been applied with a statistical
the target domain and the remaining part of the population significance level of 95% to reveal whether there is a sta-
is randomly generated to protect diversity in the population. tistically difference between two approaches (i.e., TL-based
A detection algorithm is also evolved by using traditional and traditional) and if so, the number of simulations where
learning (without transfer) for comparison. In traditional learn- the proposed TL-based approach exhibits superior or inferior
ing, GP is initialized with a random population. Both learning performance than the traditional approach are listed. The
process continues for 500 generations and the best algorithms total number of cases for each scenario where TL-based
(with/without transfer) are obtained at the 500th generation for approach has shown superior (+), equal (=), and inferior
a fair comparison. Fig. 3 shows the average results of 10 GP (-) performance is given in Table III. The results show that
runs for each setting. The accuracy of each transfer for findings obtained by the rank test are highly correlated with the
different attack cases is represented in the figure. Each attack overall performance given in Fig. 3. It is statistically proven
case is given on the x-axis. For instance, DR→DF denotes that that the proposed approach shows much better performance
the pre-trained models are evolved in an environment where than the traditional approach. The results also support that
DR takes place and is transferred to the target domain where there is no meaningful difference observable in cases, in which
DF attack is implemented. The results show that the proposed the average performances are very similar to each other as
transfer learning-based approach yields better performance depicted in Fig. 3.
than the traditional learning approach on 8 out of 12 attack The attack cases where the proposed approach is less
cases in the single-to-single scenario, 18 out of 24 attack cases effective on average than the traditional learning are further
in the single-to-multi scenario, and 26 out of 30 attack cases analyzed through statistical box plots given in Fig. 4. In the
in the multi-to-multi scenario. The overall accuracy results single-to-single scenario (Fig. 4(a)), the proposed approach
obtained by averaging all the attack cases (given as dashed yields very similar detection accuracy on DR→WP case.
lines in the figure) also affirm the improvements yielded by It even outperforms the traditional approach on the remaining
the proposed TL-based approach. two cases (i.e., DF→DR and IV→DF) in which only two

Authorized licensed use limited to: EASWARI COLLEGE OF ENGINEERING. Downloaded on January 10,2023 at 04:10:05 UTC from IEEE Xplore. Restrictions apply.
YILMAZ et al.: TL APPROACH FOR SECURING RESOURCE-CONSTRAINED IoT DEVICES 4413

Fig. 5. Overall detection rate and FPR.

metrics, which are important indicators in order to show how

well the algorithm is able to distinguish malicious flows from
benign flows. The overall detection and false positive rates
are given for each scenario in Fig. 5. As it is shown in the
figure, the proposed approach has a higher detection rate and
lower false positive rate than the traditional approach for each
scenario. Moreover, there is a trade-off between detection
rate and false positive rate among the scenarios in general.
A case-basis plot is given in Fig. 6 for detailed detection rate
and FPR metric values of the proposed approach. It can be
seen that the proposed approach assures a higher detection
rate (or lower FPR) performance in almost all cases, but it
slightly deteriorates when DR attack is implemented on either
source or target domain overall. DR is observed to generally
degrade the performance of the proposed approach.
In addition to the final performances, the pre-trained models
Fig. 4. Detailed comparative analysis. are expected to have better initial performances. Here, the
initial accuracy values are comparatively given in Fig. 7. The
figure clearly shows that the proposed approach has better
runs bring about a degradation to the overall performance. adaptability to a new domain overall. Concretely speaking,
However, an apparent degradation is observable in IV→DR it becomes superior to the traditional approach on 7 out
case. The overall testing results show that GP shows its of 12 attack cases used in the single-to-single scenario, 22 out
best and worst performance on IV (93.4%) and DR (79.7%) of 24 attack cases used in the single-to-multi scenario, and all
attacks, respectively. It is observed that the feature set is attack cases used in the multi-to-multi scenario. A much higher
less separable on DR than IV. This might make the situation performance difference is observed when multiple attacks take
more difficult in order to find optimal solutions when we part in the source domain, since the pre-trained IDS model that
transfer solutions from IV to DR. Therefore, a randomly is evolved from multiple attacks rather than a specific attack,
initialized population could perform better in few simula- is more generic and includes more knowledge.
tions, which affects the average results as observed in the The comparative convergence behavior captured at the target
results. As shown in Fig. 7, the average accuracy at the domain is also analyzed in Fig. 8. It is unsurprising to observe
initial generation obtained by using the traditional approach is that the comparative convergence capability of the proposed
higher than that achieved with the proposed approach. In the approach is proportional to its initial performance by showing
single-to-multi scenario (Fig. 4(b)), the proposed approach early convergence behavior. Hence, these results easily suggest
is highly competitive with the traditional approach on four that the time needed to evolve an intrusion detection algorithm
cases (i.e., DR→DF_IV, DR→IV_WP, DF→DF_WP, and can dramatically be decreased when the proposed TL-based
DF→IV_WP) but becomes inferior on the remaining cases approach is used, which is highly crucial in such a dynamically
(i.e., IV→DR_WP and WP→DR_DF). Finally, the proposed changing environment.
approach shows very similar performance for all cases in the Finally, a comparison with the recently proposed cross-layer
multi-to-multi scenario (Fig. 4(c)). intrusion detection system (CL-IDS) [27] has been carried out
The performance of the proposed approach is also analyzed in order to further evaluate the effectiveness of transferring
in terms of the detection rate and false positive rate (FPR) knowledge for detecting new types of attacks. Since CL-IDS

Authorized licensed use limited to: EASWARI COLLEGE OF ENGINEERING. Downloaded on January 10,2023 at 04:10:05 UTC from IEEE Xplore. Restrictions apply.
4414 IEEE TRANSACTIONS ON INFORMATION FORENSICS AND SECURITY, VOL. 16, 2021

Fig. 7. Comparative accuracy values obtained at the initial generation.

The comparison results show that the proposed

transfer-learning approach is able to detect attacks with
varying attacker densities at high detection rates. In addition,
the detection performance increases proportionally to the
attack density in general. While the proposed approach
performs better than CL-IDS on IV and WP attacks, it is
slightly inferior to CL-IDS on detecting DF attack. CL-IDS
produces FPR between 0.16% and 0.61% depending on the
features included in the training. While the former case has
both the network layer and the link-layer features in training,
Fig. 6. Detailed detection rate (red lines) and false positive rate (blue lines)
analysis. the latter case includes the network layer feature set that
contains the same features used in our approach. The false
positive rate of our approach is given separately for each
shares its attack dataset [42], it provides a platform for attack density in Table IV. As shown in the results, our
performing a comparison with other studies. CL-IDS is a approach outperforms CL-IDS in networks, where 10% and
neural network-based intrusion detection system that explores 20% of nodes are attackers. Even though the FPR in networks
the effects of both routing and link-layer features on detecting with a lower density of attackers is comparably high in our
RPL attacks. Here, DF, IV, and WP attacks are included in approach, this mainly results from the high false positive
the evaluations as in [27]. To ensure a fair comparison, the outputs of few runs. However, in most of the individual runs,
same network traffic data used for the training and testing of high accuracy is achieved with 0% FPR.
the CL-IDS and the same length of the time window (5s) for To sum up, it is shown that the evolved intrusion detection
collecting features is employed as given in [27]. The parameter algorithms could be transferred for detecting the new type
setting shown in Table II is used for evolving intrusion of attacks by using transfer learning. It not only introduces
detection systems. The proposed approach is run 10 times more effective intrusion detection algorithms for new attacks
for each attack scenario. The performances are compared in but also achieves that in a timely manner. Both the initial
terms of detection rate as given in [27] for each attack with and final performances of the transfer learning-based approach
varying attacker densities. The comparison results are given are better than the performances of the traditional approach.
in Table IV. Please note that while CL-IDS uses all attacks By transferring knowledge from one domain to a new domain,
in one training, because of the use of transfer-learning in intrusion detection algorithms with high accuracy in a shorter
our approach, separate models are generated separately for time are obtained. With transferring more knowledge such
each attack type. For example, the test results of WP are the as in multi-to-multi scenarios, better results are obtained.
average testing results of the models trained for IV and DF, Therefore, the proposed approach is a good candidate for IoT
and transferred for detecting WP. Hence it is the average result networks that are becoming popular every day and become the
of 20 runs for each attack. target of new attacks.

Authorized licensed use limited to: EASWARI COLLEGE OF ENGINEERING. Downloaded on January 10,2023 at 04:10:05 UTC from IEEE Xplore. Restrictions apply.
YILMAZ et al.: TL APPROACH FOR SECURING RESOURCE-CONSTRAINED IoT DEVICES 4415

TABLE IV
C OMPARISON OF O UR A PPROACH W ITH CL-IDS IN [27]

Fig. 9. Accuracy and energy increase performance of Pareto dominant

algorithms.

where their objectives are better (i.e., gives high accuracy, low
energy increase) than the non-dominant algorithms. Therefore,
in this experiment, the Pareto-dominant algorithms found at
the final population at the target domain are transferred to
the testing environment. Contrary to the first setting, one
network topology is used for training, while four different
topologies are used in testing. The reason for that is to reduce
Fig. 8. Comparative convergence performance captured throughout the
evolution. the excessive computation time caused by a separate real-time
simulation in which each candidate IDS is evaluated to obtain
its energy consumption.
2) Transferring Knowledge for New Devices: In this setting, The accuracy and energy consumption performances of the
two conflicting objectives are optimized simultaneously in Pareto dominant algorithms are separately given in Fig. 9 for
order to evolve a detection algorithm that is energy-aware and every attack case. The markers in this figure indicate the per-
having high accuracy. In order to measure the energy overhead formance of these algorithms on four different networks used
of evolved algorithms, the energy consumption of the root in testing. The overall performances of the Pareto dominant
node, where the central IDS is placed upon, is measured with algorithms are also comparatively given as dashed lines in this
and without IDS. figure.
It is worth stressing that elite individuals (algorithms) in The results show that the proposed transfer learning-based
this setting are regarded as the Pareto dominant algorithms framework gives better performance on all the attack cases

Authorized licensed use limited to: EASWARI COLLEGE OF ENGINEERING. Downloaded on January 10,2023 at 04:10:05 UTC from IEEE Xplore. Restrictions apply.
4416 IEEE TRANSACTIONS ON INFORMATION FORENSICS AND SECURITY, VOL. 16, 2021

TABLE V
C OMPARATIVE HV M ETRIC VALUES

Fig. 11. Convergence characteristic on HV metric.

framework [43], a Java-based framework for multi-objective

optimization with metaheuristics, is used for implementation
and calculation of HV metric. It is worth stating that jMetal
Fig. 10. Comparative best testing performance of Pareto dominant algo- concatenates all the Pareto dominant individuals found, then
rithms. generates reference points from them when there are no known
reference points of the problem (also called as true Pareto
except DR. As also shown in the previous results, DR gen- front), which is the case in this setting. The comparative
erally degrades the performance of the evolved detection HV values are given in Table V. The results show that the
algorithms. When it is analyzed in detail, it is found out proposed TL-based approach ensures a more convergent and
that the current feature set is not able to distinguish DR diverse Pareto-dominant detection algorithm overall than
from benign traffic. For detecting DF, the traditional approach those evolved by the traditional learning-based approach.
produces slightly better algorithms in terms of energy usage A comparative analysis is also made on convergence behav-
but they sacrifice detection accuracy; whereas, the proposed ior of the proposed and traditional approaches here. Unlike the
approach ensures much better detection accuracy. As for first setting where the accuracy of the best detection algorithm
IV attack, the Pareto dominant algorithms evolved by the at each generation is shown, HV metric is evaluated to
proposed approach are overwhelmingly better than the tradi- show the convergence behavior throughout the evolution. The
tional approach according to energy usage, while they produce comparative convergence curves with respect to this metric are
very similar accuracy performance on overall. Finally, both given in Fig. 11 separately for every attack type addressed. It is
approaches give very similar results overall on WP attack. worth restating that the higher the HV value is, the better an
As it is aimed to evolve IDS algorithms that have high algorithm is able to converge to the true Pareto front of the
detection accuracy but low energy usage, those located at the problem. It can be seen from the figure that the convergence
upper-left region in the objective space (Fig. 9) are highly characteristic evaluated by HV verifies the findings shown
attractive solutions. Therefore, a close view of the upper-left in Fig. 9 and 10. HV curves reveal that the proposed transfer
region is given in Fig. 10. As it is stated above, an IDS algo- learning-based method converges better and earlier to the true
rithm evolved by the traditional approach should be preferred Pareto front of all attack types except that of DR.
for DR. However, for detecting DF efficiently, the proposed To sum up, while multi-objective evolutionary computation
approach is superior to the traditional approach. Although both allows us to discover trade-offs between accuracy and energy
approaches evolve algorithms with similar energy usage for consumption, with the use of transfer learning better trade-offs
detecting IV, the TL-based approach obtains algorithms with for a new environment could be obtained in a shorter time than
higher accuracy. Lastly, for WP attack, while the proposed the traditional multi-objective EC approach. For each attack
approach is much better in terms of accuracy (around 98%) type other than DR, better accuracy or better energy consump-
but slightly worse in terms of energy increase (less than 1% tion is achieved in Pareto fronts of the transfer learning-based
increase) than the traditional approach. approach. Hence, the proposed approach could be used for
In order to analyze convergence and diversity of developing suitable intrusion detection algorithms for new
multi-objective solutions obtained by EMOA, the devices introduced to the system with different constraints.
hyper-volume (HV) metric is usually employed. HV reveals The proposed approach complies with the heterogeneous
the diversity and convergence performance of the nature of IoT networks.
Pareto-dominant individuals together by evaluating the space
enclosed by the worst reference point and the Pareto dominant VI. L IMITATIONS AND F UTURE W ORKS
individuals. The higher HV value means a larger space in In this study, a central intrusion detection system is proposed
which the Pareto-dominant individuals occupy. Hence, higher for showing the effects of transfer learning on intrusion
HV values correspond to better convergence and diversity detection. Because of that, it could be a single point of failure.
obtained by the Pareto-dominant individuals. Here, jMetal However, in real life, such central systems are always sup-

Authorized licensed use limited to: EASWARI COLLEGE OF ENGINEERING. Downloaded on January 10,2023 at 04:10:05 UTC from IEEE Xplore. Restrictions apply.
YILMAZ et al.: TL APPROACH FOR SECURING RESOURCE-CONSTRAINED IoT DEVICES 4417

ported with backups. Moreover, other nodes could participate VII. C ONCLUSION
in intrusion detection and take place of the root node in In this study, the use of the transfer learning approach
case of a failure. For instance, one of the root’s neighbors, is explored in order to detect RPL-specific attacks. To the
which maintains local connectivity with the root node, could best of the authors’ knowledge, this is the first application
be selected randomly for the sake of security in case the root of transfer learning in IoT security in the following two
node fails. settings: transferring knowledge for new types of attacks and
The proposed system can be adapted to a distributed and/or transferring knowledge for new devices.
hybrid architecture. The main motivation of using a centralized In transferring knowledge for new types of attacks, the
intrusion detection system in this work is its practicality efficacy of transfer learning is analyzed for detecting different
rather than choosing it over a distributed and cooperative attacks, where three attack scenarios are included: single-
architecture. In [26], both central and distributed intrusion to-single, single-to-multi, and multi-to-multi. In transferring
detection architectures are explored and shown that since the knowledge for new devices, the use of transfer learning is
root node has more information, the proposed central intrusion explored for generating suitable intrusion detection algorithms
detection system presents higher accuracy than IDSs running for new types of devices with varying energy constraints.
on nodes as stand-alone. On the other hand, by collaborating While only the accuracy of the generated intrusion detection
with other IDSs, higher accuracy could be obtained. However, algorithms is considered for the first setting, the energy con-
in that case, the communication between IDS agents should be sumption of these algorithms is also included in the second
investigated, a trade-off between accuracy and communication setting. The experimental results in both settings prove that
cost should be discovered. As far as we know, this is not the proposed transfer learning-based approach yields better
explored yet in the literature. Since the main motivation of performance than the traditional learning approach in most
this paper is to show the use of transferring knowledge on cases. In addition, it performs higher convergence speed and
intrusion detection, it is applied on a central node for the sake hence a shorter training time for the evolution of new detection
of simplicity. However, due to taking into account multiple algorithms in a new task/domain. This is especially important
objectives simultaneously, the proposed approach could easily for IoT, where new attacks emerge every day and new types
be enriched by including the communication cost as another of devices can be added to the network. Although the pro-
objective besides accuracy and energy usage. This is left as posed approach targets attacks against RPL, it could be easily
future work. adapted to other protocols and/or general attacks in IoT.
GP could allow us to manually analyze the evolved pro-
grams to some degree. On the other hand, the code bloating
problem of GP, which increases the size of individuals due to ACKNOWLEDGMENT
the long trees, could disrupt the readability of the evolved The authors would like to thank Erdem Canbalaban for
programs. This problem is not desired in many GP appli- sharing the dataset [27].
cations, hence the tree depth parameter is often decreased.
However, it has a positive effect from the security point
of view. By increasing the tree depth parameter deliberately R EFERENCES
here, the code bloating problem helps evolve longer and more [1] Internet of Things (IoT) Connected Devices Installed Base Worldwide
complex programs that are more robust against adversarial From 2015 to 2025 (in Billions). Accessed: Apr. 1, 2020. [Online].
Available: https://www.statista.com/statistics/471264/iot-number-of-
attacks. On the other hand, this will increase the power connected-devi%ces-worldwide/
consumption of the detection programs. As it is seen, the [2] Cisco. Cisco Visual Networking Index: Forecast and Trends, 2017–
problem at hand has multiple objectives that conflict with 2022 White Paper. Accessed: Apr. 1, 2020. [Online]. Available:
https://www.cisco.com/c/en/us/solutions/collateral/service-provider/
each other. Multi-objective evolutionary computation is a good visual-%networking-index-vni/white-paper-c11-741490.html
candidate for solving such complex problems having different [3] T. Winter et al., RPL: IPV6 Routing Protocol for Low-Power and Lossy
trade-offs. Networks, RFC, 6550, 2012, pp. 1–157.
[4] M. Ali Al-Garadi, A. Mohamed, A. Al-Ali, X. Du, and M. Guizani,
Although GP is employed in this study for various reasons “A survey of machine and deep learning methods for Internet of
stated above, DL is one of the most popular algorithms used Things (IoT) security,” 2018, arXiv:1807.11023. [Online]. Available:
for solving engineering problems. It has started to be used http://arxiv.org/abs/1807.11023
[5] A. Mayzaud, R. Badonnel, I. Chrisment, and I. G. Est-Nancy, “A tax-
extensively in many domains, particularly in image processing onomy of attacks in RPL-based Internet of Things,” Int. J. Netw. Secur.,
and in computer vision. Unlike traditional machine learning vol. 18, no. 3, pp. 459–473, 2016.
techniques, which extract meaningful features from raw data [6] J. R. Koza, “Genetic programming as a means for programming com-
puters by natural selection,” Statist. Comput., vol. 4, no. 2, pp. 87–112,
and give them as input to the training process, DL techniques Jun. 1994, doi: 10.1007/BF00175355.
use raw data directly and extract features on their own. [7] A. E. Eiben and J. E. Smith, “Evolutionary computing: The origins,”
Furthermore, it is easily applicable for transferring knowledge in Introduction to Evolutionary Computing. Berlin, Germany: Springer,
2015, pp. 13–24, doi: 10.1007/978-3-662-44874-8_2.
to another domain/task. Nowadays, we have started to see the [8] R. Poli, W. B. Langdon, N. F. McPhee, and J. R. Koza, “Genetic
applications of DL in security as well. In the future, DL can programming: An introductory tutorial and a survey of techniques and
be easily employed as a replacement for GP. This replacement applications,” Univ. Essex, Colchester, U.K., Tech. Rep. CES-475, 2007.
[9] F. Zhuang et al., “A comprehensive survey on transfer learning,”
can give us an advantage for saving on feature extraction time CoRR, vol. abs/1911.02685, 2019. [Online]. Available: http://arxiv.
as we could give raw traffic data directly as input to DL. org/abs/1911.02685

Authorized licensed use limited to: EASWARI COLLEGE OF ENGINEERING. Downloaded on January 10,2023 at 04:10:05 UTC from IEEE Xplore. Restrictions apply.
4418 IEEE TRANSACTIONS ON INFORMATION FORENSICS AND SECURITY, VOL. 16, 2021

[10] K. Weiss, T. M. Khoshgoftaar, and D. Wang, “A survey of trans- [26] E. Aydogan, S. Yilmaz, S. Sen, I. Butun, S. Forsstrom, and M. Gidlund,
fer learning,” J. Big Data, vol. 3, no. 1, pp. 1–40, Dec. 2016, doi: “A central intrusion detection system for RPL-based industrial Internet
10.1186/s40537-016-0043-6. of Things,” in Proc. 15th IEEE Int. Workshop Factory Commun. Syst.
[11] A. Verma and V. Ranga, “Security of RPL based 6LoWPAN networks (WFCS), May 2019, pp. 1–5.
in the Internet of Things: A review,” IEEE Sensors J., vol. 20, no. 11, [27] E. Canbalaban and S. Sen, “A cross-layer intrusion detection system
pp. 5666–5690, Jun. 2020. for RPL-based Internet of Things,” in Ad-Hoc, Mobile, and Wireless
[12] S. Raza, L. Wallgren, and T. Voigt, “SVELTE: Real-time intru- Networks. Cham, Switzerland: Springer, 2020, pp. 214–227.
sion detection in the Internet of Things,” Ad Hoc Netw., vol. 11, [28] F. Li, A. Shinde, Y. Shi, J. Ye, X.-Y. Li, and W.-Z. Song, “System
no. 8, pp. 2661–2674, May 2013. [Online]. Available: http://www. statistics learning-based IoT security: Feasibility and suitability,” IEEE
sciencedirect.com/science/article/pii/S1570870513001005 Internet Things J., vol. 6, no. 4, pp. 6396–6403, Aug. 2019.
[13] A. Verma and V. Ranga, “Addressing flooding attacks in IPv6-based [29] F. Li, Y. Shi, A. Shinde, J. Ye, and W.-Z. Song, “Enhanced
low power and lossy networks,” in Proc. TENCON IEEE Region Conf. cyber-physical security in Internet of Things through energy audit-
(TENCON), Oct. 2019, pp. 552–557. ing,” IEEE Internet Things J., vol. 6, no. 3, pp. 5224–5231,
[14] P. Perazzo, C. Vallati, G. Anastasi, and G. Dini, “DIO suppression attack Jun. 2019.
against routing in the Internet of Things,” IEEE Commun. Lett., vol. 21, [30] L. Vu, Q. U. Nguyen, D. N. Nguyen, D. T. Hoang, and E. Dutkiewicz,
no. 11, pp. 2524–2527, Nov. 2017. “Deep transfer learning for IoT attack detection,” IEEE Access, vol. 8,
[15] A. Mayzaud, A. Sehgal, R. Badonnel, I. Chrisment, and J. Schönwälder, pp. 107335–107344, 2020.
“A study of RPL DODAG version attacks,” in Proc. 8th IFIP [31] Y. Meidan et al., “N-BaIoT—Network-based detection of IoT Botnet
Int. Conf. Auton. Infrastruct., Manage. Secur. (AIMS), in Lecture attacks using deep autoencoders,” IEEE Pervas. Comput., vol. 17, no. 3,
Notes in Computer Science, vol. 8508. Brno, Czech Republic, pp. 12–22, Jul. 2018.
Jun. 2014, pp. 92–104. [Online]. Available: https://hal.inria.fr/ [32] M. Ge, N. F. Syed, X. Fu, Z. Baig, and A. Robles-Kelly, “Toward
hal-01090993/file/mayzaud_aims2014.pdf, doi: 10.1007/978-3-662- a deep learning-driven intrusion detection approach for Internet of
43862-6_12. Things,” 2020, arXiv:2007.09342. [Online]. Available: http://arxiv.
[16] A. Aris, S. F. Oktug, and S. Berna Ors Yalcin, “RPL version number org/abs/2007.09342
attacks: In-depth study,” in Proc. NOMS IEEE/IFIP Netw. Oper. Manage. [33] Contiki-NG. Contiki-NG/Contiki-NG. GitHub. Accessed: Jul. 13, 2021.
Symp., Apr. 2016, pp. 776–779. [Online]. Available: https://github.com/contiki-ng/contiki-ng/wiki
[17] A. Arış, S. B. Ö. Yalçın, and S. F. Oktuğ, “New lightweight mitigation [34] T. T. Huong Dinh, T. H. Chu, and Q. U. Nguyen, “Transfer learning
techniques for RPL version number attacks,” Ad Hoc Netw., vol. 85, in genetic programming,” in Proc. IEEE Congr. Evol. Comput. (CEC),
pp. 81–91, Mar. 2019. May 2015, pp. 1145–1151.
[18] A. Mayzaud, R. Badonnel, and I. Chrisment, “A distributed monitoring [35] E. Aydogan, S. Yilmaz, S. Sen, I. Butun, S. Forsstrom, and M. Gidlund,
strategy for detecting version number attacks in RPL-based networks,” “A central intrusion detection system for RPL-based industrial Internet
IEEE Trans. Netw. Service Manage., vol. 14, no. 2, pp. 472–486, of Things,” in Proc. 15th IEEE Int. Workshop Factory Commun. Syst.
Jun. 2017. (WFCS), May 2019, pp. 1–5.
[19] A. Le, J. Loo, A. Lasebae, A. Vinel, Y. Chen, and M. Chai, “The impact [36] ECJ. (2017). A Java-Based Evolutionary Computation Research System.
of rank attack on network topology of routing protocol for low-power [Online]. Available: https://www.cs.gmu.edu/~eclab/projects/ecj/
and lossy networks,” IEEE Sensors J., vol. 13, no. 10, pp. 3685–3692, [37] K. Deb, A. Pratap, S. Agarwal, and T. Meyarivan, “A fast and elitist
Oct. 2013. multiobjective genetic algorithm: NSGA-II,” IEEE Trans. Evol. Comput.,
[20] D. Karaboga and B. Basturk, “A powerful and efficient algorithm for vol. 6, no. 2, pp. 182–197, Apr. 2002.
numerical function optimization: Artificial bee colony (ABC) algo- [38] F. Osterlind, A. Dunkels, J. Eriksson, N. Finne, and T. Voigt,
rithm,” J. Global Optim., vol. 39, no. 3, pp. 459–471, Apr. 2007, doi: “Cross-level sensor network simulation with COOJA,” in Proc. 31st
10.1007/s10898-007-9149-x. IEEE Conf. Local Comput. Netw., Nov. 2006, pp. 641–648.
[21] A. Le, J. Loo, K. K. Chai, and M. Aiash, “A specification-based IDS for [39] Dhondta and Bahmadh. (Jul. 2021). RPL-Attacks: RPL Attacks Frame-
detecting attacks on RPL-based network topology,” Information, vol. 7, work, Version 1.3.1. Zenodo. Accessed: Jul. 13, 2021, doi: 10.5281/
no. 2, p. 25, 2016. zenodo.55352.
[22] U. Shafique, A. Khan, A. Rehman, F. Bashir, and M. Alam, “Detection [40] A. Dunkels, J. Eriksson, N. Finne, and N. Tsiftes, “Powertrace: Network-
of rank attack in routing protocol for low power and lossy networks,” level power profiling for low-power wireless networks,” Comput. Syst.
Ann. Telecommun., vol. 73, nos. 7–8, pp. 429–438, Aug. 2018. Lab., Swedish Inst. Comput. Sci., Uppland, Sweden, Tech. Rep. 2011:05,
[23] M. N. Napiah, M. Yamani, I. Idris, R. Ramli, and I. Ahmedy, “Compres- 2011.
sion header analyzer intrusion detection system (CHA-IDS) for 6LoW- [41] H. Kim, J. Ko, D. E. Culler, and J. Paek, “Challenging the IPv6 routing
PAN communication protocol,” IEEE Access, vol. 6, pp. 16623–16638, protocol for low-power and lossy networks (RPL): A survey,” IEEE
2018. Commun. Surveys Tuts., vol. 19., no. 4, pp. 2502–2525, 4th Quart.,
[24] P. Pongle and G. Chavan, “Real time intrusion and wormhole attack 2017.
detection in Internet of Things,” Int. J. Comput. Appl., vol. 121, no. 9, [42] RPL Attack Dataset. Accessed: Dec. 4, 2020. [Online]. Available:
pp. 1–9, Jul. 2015. https://wise.cs.hacettepe.edu.tr/projects/rplsec/
[25] F. Y. Yavuz, D. Ünal, and E. Gül, “Deep learning for detection of routing [43] J. J. Durillo and A. J. Nebro, “jMetal: A Java framework for
attacks in the Internet of Things,” Int. J. Comput. Intell. Syst., vol. 12, multi-objective optimization,” Adv. Eng. Softw., vol. 42, no. 10,
no. 1, pp. 39–58, Nov. 2018. pp. 760–771, 2011.

Authorized licensed use limited to: EASWARI COLLEGE OF ENGINEERING. Downloaded on January 10,2023 at 04:10:05 UTC from IEEE Xplore. Restrictions apply.