This document proposes a lightweight intrusion detection algorithm to detect Sybil attacks in mobile RPL networks for IoT. It discusses RPL and Sybil attacks, proposes an artificial bee colony inspired model for Sybil attacks, and introduces a detection algorithm using nonce IDs, control message counters, and trust factors. The algorithm is evaluated based on accuracy, sensitivity, specificity and other metrics, showing an average 95% accuracy against type-3 Sybil attacks with reduced overhead and energy consumption compared to unsecured mobile RPL.
Security of RPL in IoT
1. A Lightweight Intrusion Detection for Sybil
Attack under Mobile RPL in the Internet of
Things
2. Introduction
The Internet of Things (IoT) is an emerging technology that can monitor and
control the physical world by gathering and processing data generated by
the sensors.
For the connectivity of its devices, IoT makes use of protocols like 6LoWPAN,
RPL, etc.
Here we discuss RPL (Routing Protocol for Low-Power and Lossy Networks),
which is a standard routing protocol for resource-constrained and lossy IoT
networks.
Because of its flexible and dynamic nature, RPL is vulnerable to security
attacks; hence there is a need for detection and defense against these
attacks.
Security in RPL is critical, and the Sybil attack is one such security issue
in RPL.
3. Index Terms
Internet of Things (IoT)
RPL
Sybil Attack
Mobility
Intrusion Detection
Lightweight Security
Accuracy
4. Related Work
Faiza Medjek et al. proposed the evaluation of the impacts of the Sybil
attack in RPL and analyzed the results.
A. K. Mishra et al. proposed the general analytical model for Sybil attack in
IoT.
According to Zhang et al., the Sybil attack has become a severe threat to social
networks; they distinguished the Sybil attack into three types based on the
nature of behavior.
Karaboga et al. proposed the comprehensive survey on artificial bee
colony (ABC) algorithm and its applications.
5. Overview of RPL
RPL is a distance-vector and source routing protocol that works
under a tree-based topology, namely the Destination Oriented Directed Acyclic
Graph (DODAG).
A DODAG comprises a sink node called the border router (BR), which gathers
all sensed information from the remaining nodes in the DAG.
Every DODAG is distinguished by its RPL instance ID, DODAG ID, DODAG
version number and Rank.
Three types of control messages are exchanged in RPL:
• DIO - DODAG Information Object
• DAO - DODAG Advertisement Object
• DIS - DODAG Information Solicitation
6. Overview of RPL Cont.
Rank is the relative position of the node from the border router.
Rank is computed using the Equation:
R(N) = R(P) + 128 ∗ ETX(N)
R(N) is the rank value of each node.
R(P) is the rank of its parent node.
ETX(N) is the Expected Transmission Count.
Expected Transmission Count denotes the number of expected
transmissions that a node requires for the successful delivery of a packet.
8. Mobile RPL
In this discussion, we considered and simulated RPL under mobility (mobile RPL).
Mobile RPL or Mobility-aware RPL is an enhanced RPL protocol which supports
random mobility of the nodes in the network.
Dynamic Trickle Timer (D-Trickle) has been used to optimize the number of control
message transfer under mobility.
RPL determines the best parent from the preferred parent list under mobility by
considering the following metrics, namely, ETX, Expected Life Time (ELT) and RSSI
(Received Signal Strength Indicator).
9. Sybil Attack
In a Sybil attack, the attacker claims multiple illegitimate identities either by
fabricating the identities or by compromising the legitimate nodes in the
network.
The Sybil attack is the most serious threat to mobile RPL: it can
degrade the performance by exponentially increasing the control
overhead transmission, which in turn reduces the overall lifetime of the
network.
The attacker overloads the DODAG with fake control messages and tries to
capture the identity of the border router to obtain the network authority.
10. Classification of Sybil Attack
There are three kinds of Sybil attack:
• SA-1 Type Sybil Attack
• SA-2 Type Sybil Attack
• SA-3 Type Sybil Attack
The classification of types of attacks is made on the basis of distribution,
position and movement of compromised nodes in the RPL.
11. SA-1 Type Attack
In SA-1 type of Sybil attack, malicious nodes will target one fixed region, and they
will try to compromise the identities of the nearby nodes to perform the attack.
All the sybil identities and attackers are fixed at one point in the DODAG.
12. SA-2 Type Attack
In the SA-2 type of Sybil attack, malicious nodes are scattered among the legitimate
nodes in the DODAG and are not bound to one region.
Though the nodes are fixed, the attacker compromises randomly distributed
nodes in the DODAG and makes the detection process complex by socializing with
the legitimate nodes.
13. SA-3 Type Attack
In the SA-3 type of Sybil attack, Sybil nodes are under mobility and are also distributed
across the network.
Sybil identities move from one position to another dynamically, and they try
to attack the nearby nodes along the path of motion.
14. Artificial Bee Colony Overview
ABC algorithm is a population-based algorithm and an optimization technique that
simulates the foraging behavior of honey bees.
Foraging behavior refers to the act of searching for food sources (nectar) by the
honey bees.
The algorithm consists of four significant components:
• Food Sources: The gain of a food source depends on closeness to the
nest, ease of extracting the food and breeding.
• Employed Bees: The employed foragers are those that keep visiting the
food sources to obtain the nectar from the explored sources.
• Onlooker Bees: The onlooker bees are waiting in the nest and
establishing food source through the information shared by employed
foragers.
• Scout Bees: Scout foragers are searching the environment surrounding
the nest for new food sources.
15. ABC inspired Sybil Attack Model
Employed bees are related to the compromised Sybil identities in the RPL
network.
Food sources (Nectar collection) are correlated to the collecting of
compromised identities or stolen identities in the DODAG structure.
Onlooker Bee (Main attacker) is the one which attempts to perform the
Sybil attack in the community to intrude the network.
Scout bees are those who have been already compromised by the attacker
(Onlooker bee), and these scout bees try to compromise the nearby
neighboring nodes.
17. The attacking scenario for ABC inspired attack is divided into 5 phases:
1. Initialization Phase: Initialize the Sybil nodes (Central attacker) to start foraging the
identities.
2. Fitness Factor Computation Phase: The Sybil node attempts to select any arbitrary node
based on the following five fitness evaluation criteria.
3. Compromising Phase: Node compromising phase is the process of compromising
the legitimate nodes in the network.
4. Contagious phase: Contagious phase is the action of spreading from one node to
another node.
5. Hive selection and Launching phase: The node with the highest remaining residual
energy value and more compromised neighbor nodes nearby has been chosen as
Sybil node to perform the attack.
ABC inspired Sybil Attack Model Cont.
20. Lightweight Intrusion Detection Against
Sybil Attack in Mobile RPL
A lightweight intrusion detection algorithm is introduced against the Sybil attack,
which needs less computation and provides high accuracy, which are quintessential
in the case of a resource-constrained network.
Three new variables are introduced in DIO messages:
• Nonce ID (number used only once in a lifetime): A nonce ID is
created and allocated to each node when it joins the DODAG
structure after receiving the DIO message for the first time.
If both the nonce ID and the DODAG ID match the previous record,
then the node is safe.
• Control Message Counter: When a node attempts to establish a connection
with a nearby node, it can exchange a maximum of 5 control messages within a
10-second interval.
If it exceeds the threshold value, there is a potential sign of a malicious
attack.
21. Lightweight Intrusion Detection Against
Sybil Attack in Mobile RPL Cont.
• Time Stamp for Control Messages: It tracks the time of arrival of the
control messages exchanged with the neighbors.
If the frequency of transmission of control messages within a speculative
period is more, then it is a sign of a malicious attack.
Cumulative Trust Factor: The three trust factors are: α, β and γ.
• ρN[n] is the Cumulative Trust Factor.
• ρN[n] = α.[ω.β + (1−ω).γ]
Pheromone Computation: Γ is the pheromone value, which has been used to
identify the set of best trusted node list.
•
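The three checks and the cumulative trust formula above, as an added example that is not the authors' code. The mapping of α to the nonce/DODAG ID check, β to the counter history and γ to the current arrival rate, the values of ω and the flagging threshold, and all node names and messages are assumptions constructed for illustration.

```python
from collections import defaultdict, deque

MAX_MSGS, WINDOW_S = 5, 10.0  # page: at most 5 control messages per 10 s
OMEGA, THRESHOLD = 0.5, 0.8   # assumed values; the page gives neither

class SybilDetector:
    def __init__(self):
        self.joined = {}                    # node -> (nonce_id, dodag_id) seen at join
        self.window = defaultdict(deque)    # node -> arrival times in current window
        self.seen = defaultdict(int)        # node -> control messages received
        self.over = defaultdict(int)        # node -> messages beyond the counter limit
        self.mismatch = set()               # nodes whose IDs differ from the record

    def observe(self, t, node, nonce_id, dodag_id):
        """Process one control message and return the node's trust value."""
        if self.joined.setdefault(node, (nonce_id, dodag_id)) != (nonce_id, dodag_id):
            self.mismatch.add(node)
        q = self.window[node]
        q.append(t)
        while t - q[0] >= WINDOW_S:         # expire arrivals older than the window
            q.popleft()
        self.seen[node] += 1
        if len(q) > MAX_MSGS:
            self.over[node] += 1
        return self.trust(node)

    def trust(self, node):
        """rho = alpha * (omega*beta + (1-omega)*gamma), factor mapping assumed."""
        alpha = 0.0 if node in self.mismatch else 1.0          # nonce/DODAG ID check
        beta = 1.0 - self.over[node] / self.seen[node]         # counter history
        gamma = min(1.0, MAX_MSGS / len(self.window[node]))    # current arrival rate
        return alpha * (OMEGA * beta + (1 - OMEGA) * gamma)

def run_sample():
    """Feed constructed control messages; return (trust per node, flagged nodes)."""
    msgs = [(t, "n1", 0xA1, "dodag-1") for t in (0, 4, 8)]         # normal neighbour
    msgs += [(t, "n2", 0xB2, "dodag-1") for t in range(10)]        # 10 messages in 10 s
    msgs += [(0, "n3", 0xC3, "dodag-1"), (6, "n3", 0xFF, "dodag-1")]  # nonce changed
    det, rho = SybilDetector(), {}
    for t, node, nonce, dodag in sorted(msgs, key=lambda m: m[0]):
        rho[node] = det.observe(t, node, nonce, dodag)
    return rho, sorted(n for n, r in rho.items() if r < THRESHOLD)

if __name__ == "__main__":
    print(run_sample())
```

The per-node state is a handful of counters and a short timestamp queue, which is the kind of footprint a resource-constrained node can afford.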
23. Performance Evaluation and Related
Metrics
Confusion Matrix
Based on the confusion matrix the performance of the proposed algorithm has been
analyzed.
Accuracy is used to estimate the probability of Sybil attack detection by the
proposed intrusion detection algorithm.
24. Performance Evaluation and Related
Metrics Cont.
Sensitivity indicates the percentage of actual positive events correctly predicted.
Specificity shows the rate of actual adverse events identified.
Precision is positive predictive value (PPV) and NPV (Negative Predictive Value).
25. Performance Evaluation and Related
Metrics Cont.
F-score rate represents higher detection performance.
Simulation Results for the metrics.
26. Performance Evaluation Results
Control traffic overhead is the cumulative sum of DIO, DAO, and DIS control
messages transfer in the DODAG.
28. Conclusion
A bio-inspired analytical model for the Sybil attack and a lightweight intrusion
detection algorithm for mobile RPL in the Internet of Things network have
been designed.
Different types of Sybil attacks were considered, and the performance
of mobile RPL was analyzed in terms of control traffic overhead, energy cost, and
accuracy.
For the Type-3 Sybil attack, the proposed algorithm achieves an average accuracy of
95% under mobile RPL.