
This article has been accepted for inclusion in a future issue of this journal.

Content is final as presented, with the exception of pagination.

IEEE CANADIAN JOURNAL OF ELECTRICAL AND COMPUTER ENGINEERING

A Novel Intrusion Detection System for RPL-Based Cyber–Physical Systems
Mridula Sharma, Haytham Elmiligi, and Fayez Gebali, Life Senior Member, IEEE

Abstract— The physical layer of cyber–physical systems (CPSs) is composed of resource-constrained devices connected in a wireless sensor network (WSN). Although this layer is easy to deploy, in most cases, it has many security issues. Several intrusion detection systems (IDSs) have been proposed and tested as effective and efficient solutions to detect only a few known attacks. In this article, we propose a novel, supervised machine learning-based IDS that is capable of detecting several attacks. This article discusses all IDS design steps, starting from data collection to the feature engineering analysis and building the trained models. Experimental results show that the proposed IDS can detect four different types of attacks that were seen by the machine learning models during the training phase. The IDS can also detect the existence of several other attacks that are not seen by the model and classify them as unknown attack types. The proposed model achieves 99.97% classification accuracy when detecting known attacks and 85% classification accuracy when detecting a new attack type.
Index Terms— Correlation-based feature selection, cyber–physical system (CPS), decision tree classifier (DTC),
embedded method, feature engineering, feature reduction, filter method, information gain, logistic regression
classifier (LRC), naive Bayes classifier, random forest classifier (RFC), routing protocol for low power and lossy
networks (RPLs), state vector machine (SVM), wireless sensor network (WSN) security, WSN attacks.

Manuscript received October 13, 2020; accepted January 11, 2021. (Corresponding author: Mridula Sharma.)
The authors are with the Department of Electrical and Computer Engineering, University of Victoria, Victoria, BC V8P 5C2, Canada (e-mail: naina@uvic.ca; haytham@ieee.org; fayez@uvic.ca).
Associate Editor managing this article's review: Aiman Erbad.
Digital Object Identifier 10.1109/ICJECE.2021.3053231
2694-1783 © 2021 IEEE. Personal use is permitted, but republication/redistribution requires IEEE permission. See https://www.ieee.org/publications/rights/index.html for more information.

I. INTRODUCTION

The physical layer of cyber–physical systems (CPSs) is composed of resource-constrained devices connected in a wireless sensor network (WSN). The Routing Protocol for Low-Power and Lossy Networks (RPL) is one of the most important protocols used at this layer, for both static networks (such as BAN and smart grid) and dynamic networks (such as vehicular area networks) [1]. It provides a mechanism for point-to-multipoint (P2MP) and multipoint-to-point (MP2P) traffic. Traffic flows from the 6LoWPAN nodes (i.e., from the end or router nodes) to the sink node or border router, which is the central control point and transmits the traffic to the cyber layer for further processing [2]–[4].

The multihop routing used to transmit data from sensor nodes to border routers makes the network very prone to routing attacks, such as hello flood, decreased rank, increased version, selective forwarding, and DDoS attacks [2], [5]. These attacks happen at the physical layer of the CPS because the physical layer runs on the RPL protocol.

Several intrusion detection systems (IDSs) have been proposed in the literature for RPL networks [6]–[8]. Packet compression headers have been used to analyze the network traffic in order to design an IDS known as CHA-IDS [8]. Other examples of IDS solutions for RPL include SVELTE and Pongle's, which are useful for detecting sinkhole and wormhole attacks, respectively [6], [9]. CHA-IDS detects only three attacks, namely, hello flood, sinkhole, and wormhole, whereas SVELTE and Pongle are useful for detecting sinkhole and wormhole attacks only. Although these IDS solutions are all efficient in detecting these specific attacks, they are not capable of detecting any new attacks. After reviewing several articles and studies in the literature, a few findings are as follows.
1) Almost all of these IDSs are only effective for specific attack types and cannot detect multiple attacks or combinations of attacks. They are also unable to detect a brand new attack.
2) In almost all the works, the IDS has only undergone n-fold cross-validation testing on the data set. None of the models are tested using new data that were not seen by the model in the training phase.
3) KDD and many other openly available data sets are commonly used in IDS research. Their applicability is questionable, as these data sets are not essentially for WSNs.

These outcomes provide us with sufficient motivation to carry out our research to develop an IDS that can detect known attacks and new attacks as well.

Our proposed IDS addresses this problem and provides a mechanism to detect both known attacks found in the training data and several unseen/unknown attacks. Our model is further extended to detect any suspicious activity in the network that does not conform to the normal traffic flow.

This article has the following main contributions.
1) Proposed a complete packet analysis model of the RPL protocol. The analysis identifies the features that can be used to identify various traffic patterns under different circumstances in CPSs.
2) Built a new data set based on 300 different simulations of RPL networks under different normal and attack scenarios.
3) Constructed a new IDS framework for RPL networks.
4) Proposed a novel predictive model for intrusion detection for four known attacks using machine learning analysis. An extension of the predictive model is added so that it can detect a new unseen attack or a combination of several attacks.

The rest of this article is organized as follows. Section II explains the IDS framework that is used to build the machine learning model. Section III discusses the experimental results, using both n-fold cross validation and validation using unseen data. Finally, Section IV concludes this article and proposes new directions for future work.

II. PROPOSED ARCHITECTURE

The proposed IDS is a complete framework, as shown in Fig. 1. There are three layers in the framework.
1) Layer 1: Data set building.
2) Layer 2: Model building & evaluation.
3) Layer 3: Predictor.
As shown in the figure, each layer has different roles, and for each role, one or more algorithms are combined together. Table I lists the tasks done at each layer of the model. In the following, the three layers of the framework are explained in detail.

TABLE I: Summary of Algorithms Used at Three Layers of the Predictive Model

A. Layer I: Data Sensor

A supervised machine learning model is trained using a training data set. The training data set contains instances of the normal network traffic and instances when the network is under attack. Data are collected from Cooja simulator log files and are converted into a form that is easier to interpret by the scripts that train the model. Following that, feature engineering is done, which includes both feature generation and feature reduction to get an optimal feature subset.

1) Feature Generation: Using the pcap capture of each run, UDP data are filtered from the rest of the data into two separate XML files using the command line parser TShark, as shown in Algorithm 1. Following that, each XML file is parsed using a custom script to generate the selected data in a .csv file. This process is explained in Algorithm 2 for UDP data and Algorithm 3 for all data. Finally, all generated .csv files are processed and analyzed to generate a final list of features, as shown in Table II.

A test environment is created in the Cooja simulator to generate the data used to build the training set. Once each packet of one sample run is parsed, a summary of the complete simulation is generated as one row of data in the final data set. Based on the scenario in the simulation, a class label is assigned to every row, which represents the type of network traffic of that specific run. If the network has no attack, the class label is set to 0, indicating no attack. The other four simulated attack scenarios are given the labels 1–4, indicating the Hello Flood attack, DIS attack, Increased version attack, and Decreased rank attack, respectively. As a result of this step, a data set comprising 58 features (excluding the class label) is created. Table II lists the features and their descriptions. The generated data set represents the traffic patterns of four attack vectors in addition to the normal network traffic.

To make an efficient and successful IDS, dimensionality reduction is required to reduce the overall time and processing complexity of the implementation. Moreover, the 58 features are not all equally important and do not contribute the same weight to the classification accuracy of the IDS. Therefore, feature reduction plays a vital role in improving the overall performance of the system.

2) Feature Selection/Reduction: The generated data set includes a list of 58 features, as shown in Table II. These features are saved in a comma-separated value (.csv) file. However, some of this information is not needed during the training phase, as it creates pattern overlaps between classes and may lead to incorrect classification in some cases. In addition, having all 58 features will require several processing cycles on the target sensor motes.

Feature reduction is required to select only the most significant features that can be used to distinguish different attack patterns. This step also helps the machine learning algorithm to get trained faster and reduces the complexity of the generated model.

Fig. 1. IDS Framework.

TABLE II: Data Set With the Collected Features

Five different machine learning classifiers are used for model building. These classifiers are the random forest classifier (RFC), state vector machine (SVM), decision tree classifier (DTC), naive Bayes classifier (GNB), and logistic regression classifier (LRC). These classifiers are chosen for two reasons.
1) They have been proven effective for similar classification problems [10].
2) These classifiers are not very computationally intensive, i.e., they need low resources to process.

Five different models are trained using the training set, and their accuracy scores are collected. After feature reduction, the accuracy scores of each classifier need to be compared to see the overall impact of the feature reduction method. We have used two different methods for feature reduction so that we may compare the results to make an optimized model. The two methods are as follows.

Calculate the Importance of Each Feature Using RFC (Embedded Method): Embedded methods use a subset of features and train a model using them. Based on the results from the model, features are added or removed. We used the random forest classifier to train and validate. Random forests are very commonly used for feature reduction, as they use tree-based strategies that naturally rank the features. Nodes with the greatest importance happen to be placed at the start of the trees, while the less important features are at the end of the trees. Thus, pruning the trees below a particular value can generate a subset of the most important features. The accuracy score using the features identified with different thresholds is tested. Starting with the threshold >0.020, which selected 16 features, the next threshold value of >0.030 yielded 11 features, a value of >0.40 selected eight features, and a value of >0.50 selected only four features. Initially, while the features are being selected, it is a computationally expensive method, but, later, it helps in saving the prediction time considerably, as can be seen in Section III. The final feature set of eight features is defined with the features having importance >0.04, as explained in Algorithm 5.

Correlation-Based Feature Selection (Filter Method): This method selects the features that are highly correlated with the class but uncorrelated with each other [11]. Here, the model accuracies are again tested with the reduced features. The accuracy score uses features that are identified with different correlations. Starting with the correlation of >0.25, which selected 12 features, the next correlation value of >0.30 selected ten features, and then >0.35 selected only five features. The improvements in both accuracy and the time taken for training and prediction are discussed in Section III. The final feature set of ten features is used, where features have a correlation >0.30, as explained in Algorithm 6. The five models were retrained using the new feature set, and this showed improvements in both accuracy and the time taken for training and prediction, as explained in Section III.

B. Layer 2: Model Building & Evaluation

Using the optimal feature set, the five models are trained. To improve the success rate of the model, three steps were taken.
1) A set of five classifiers is used to make predictions on the attack scenario.
2) Feature reduction is done using two methods, i.e., the filter method and the embedded method, and the optimal feature set is selected accordingly.
3) Iterative predictions are made to improve accuracy if no clear result is predicted in the first attempt.

The two models built using the filter and embedded methods are evaluated in two steps.

Step I (Model Evaluation Using n-Fold Cross Validation): n-fold cross validation is the common method of model evaluation. It works by splitting the data set into n parts (e.g., n = 5 or n = 10). Each split of the data is called a fold. The algorithm is trained on n − 1 folds with one held back and is tested on the held-back fold. This is repeated so that each fold of the data set is given a chance to be the held-back test set. The classification accuracy, TP, TN, FP, FN, precision, and recall scores of all the selected algorithms are calculated. The objective is to reduce the false alarm rate and increase the detection rate. The test size of 0.2 indicates a 20–80 test split for the model evaluation. Algorithm 8 shows the procedure used for n-fold cross validation.

Step II (Model Evaluation Using New Data From a Similar Network): For extended model evaluation, the model is tested with new data. The testing data are brand new data that have never been seen by the model before. To do so, new .pcap files are collected from the same network after running new simulations. Each new .pcap file is used to generate an entirely new .csv file using Algorithms 1–5. The new .csv data are given to the predictive model for analysis. Since the predictive model has five submodels of five different classifiers, different classifiers may give different predictions. For the purpose of making an accurate final prediction, polling is applied to the results from the five classifiers, and the majority class is used as the final result. The polling results are also explained in Section III.

C. Layer 3: Predictor

Now, our model is trained for a network with either no attack or one of the four attacks, namely, hello flood, DIS attack, increased version, or decreased rank. However, when the model is deployed in the network, we may come across three different scenarios, which are as follows:
1) a normal network with no attacks;
2) a network with one of the four known attacks;
3) a network with a new attack or a combination of several attacks.
This predictive model is capable of identifying any of the abovementioned scenarios, using the process defined in the following.

1) Normal Traffic: If three or more classifiers identify class 0 for this testing set, the network undoubtedly does not have an intrusion, and the system continues working as before.

2) Identifying a Known Attack: If three or more classifiers identify one of classes 1–4, a known attack seems to be occurring in the network. An alarm is raised to the administrator of the network showing the possibility of a known intrusion.

3) Identifying a New Attack: This scenario is where the predictions from the different classifiers do not match. Since the different classifiers identify the intrusion differently, it indicates that an attack is found in the network that was not seen by the models in the training set. To make the prediction more accurate, the predictor performs 20 iterations to look for the model results. If, after 20 iterations, there is still no model that is able to give a clear prediction, this leads to the agreement that it is a new attack.

D. Predictor Deployment

The IDS model built is deployed on the border router. A new .pcap file is collected from the network every 15 min on the router. The features are extracted from the newly generated .pcap file using Algorithms 1–5 to generate the latest testing set. This testing set is passed through the model for analysis. As the result of the analysis, if the predictions from the different classifiers are the same, the result is clear. There is always a possibility that different classifiers may give different results. The final result is declared through polling.

Polling: The concept of selecting the majority decision is polling. If the majority is clear and most of the models declare 0 as the result, there is no attack in the network. However, if the polling gives a majority decision of 1–4, there is an intrusion, and it is declared based on the class. There may be an instance when there is no clear majority decision. In that case, 20 iterations are done for the prediction. If, in 20 iterations, a single class is predicted more than ten times (>50% of the time), the class value is used for the final declaration, but, if the majority is not very clear (i.e., fewer than ten times), it is flagged as a new attack. This latest .csv file is saved as an archive file for future analysis. After the final prediction, if the class predicted is 0, nothing is done, but, in all other cases, an alarm is raised to the administrator of the network about the intrusion.

III. RESULTS AND DISCUSSION

The proposed IDS framework is divided into three layers. Layer 1 includes feature engineering, and layer 2 executes the model building and evaluation algorithms. Layer 3 classifies the traffic and detects the attacks in the network.
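The correlation-based filter method of Section II-A (keep the features whose correlation with the class label exceeds the chosen threshold of 0.30, and that are uncorrelated with each other), as an added worked example in Python; it is not the paper's Algorithm 6 or any code of the authors. The feature names and values are constructed, and the pairwise redundancy threshold of 0.90 is an assumption, since the paper gives no value for it.

```python
from math import sqrt

# Constructed sample data set: one row per simulated run, as in the paper's layout,
# with class label 0 = normal traffic and 1-4 = the four known attacks.
# The feature names and values are constructed for this example; they are not
# the paper's Table II features.
CLASS_LABELS = [0, 1, 2, 3, 4] * 2
FEATURES = {
    "dis_per_node": [10 * c for c in CLASS_LABELS],      # rises with the label
    "dis_total": [20 * c + 3 for c in CLASS_LABELS],     # redundant copy of dis_per_node
    "rank_changes": [0, 0, 0, 1, 1] * 2,                 # moderately class-correlated
    "udp_payload_avg": [1, 2, 3, 2, 1] * 2,              # symmetric about the label mean: r = 0
    "dio_retries": [0, 0, 1, 0, 0, 0, 0, 0, 1, 0],       # weakly class-correlated
}


def pearson(xs, ys):
    """Pearson correlation coefficient of two equal-length numeric sequences."""
    n = len(xs)
    mean_x, mean_y = sum(xs) / n, sum(ys) / n
    cov = sum((x - mean_x) * (y - mean_y) for x, y in zip(xs, ys))
    var_x = sum((x - mean_x) ** 2 for x in xs)
    var_y = sum((y - mean_y) ** 2 for y in ys)
    if var_x == 0 or var_y == 0:
        return 0.0  # a constant column carries no information about the class
    return cov / sqrt(var_x * var_y)


def class_correlations(features, labels):
    """Correlation of every feature column with the class label column."""
    return {name: pearson(values, labels) for name, values in features.items()}


def correlation_filter(features, labels, class_threshold=0.30, redundancy_threshold=0.90):
    """Filter-method feature selection.

    Step 1 keeps the features whose |corr(feature, class)| exceeds class_threshold
    (0.30 is the threshold the paper finally chose). Step 2 walks the survivors from
    the most to the least class-correlated and drops any feature whose |corr| with an
    already-kept feature exceeds redundancy_threshold, so the kept features are
    uncorrelated with each other. The 0.90 redundancy threshold is an assumption for
    this example; the paper does not state the value it used.
    """
    corr = class_correlations(features, labels)
    candidates = [name for name in features if abs(corr[name]) > class_threshold]
    # sort() is stable, so features tied on |corr| keep their column order
    candidates.sort(key=lambda name: abs(corr[name]), reverse=True)
    kept = []
    for name in candidates:
        redundant = any(
            abs(pearson(features[name], features[other])) > redundancy_threshold
            for other in kept
        )
        if not redundant:
            kept.append(name)
    return kept


if __name__ == "__main__":
    for name, r in class_correlations(FEATURES, CLASS_LABELS).items():
        print(f"{name:16s} corr with class = {r:+.3f}")
    print("selected:", correlation_filter(FEATURES, CLASS_LABELS))
```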

TABLE III: Change in the Classification Accuracy of Different Classifiers With Changing Threshold Values

TABLE IV: TP Scores of X-Validations Using the Embedded Method

TABLE V: TP Scores of X-Validations Using the Filter Method

A. Layer 1: Feature Engineering

The .pcap file of each run is used to build a single instance of the data set. Each instance has 58 features and one class value. The data set has five different class values. For each class, 60 instances are used to create the test data set. Two different feature reduction methods are applied at layer 2.
1) Embedded Feature Reduction Method Using RFC: In this method, we selected features with importance > 0.05. Only eight features were found meeting the threshold of 0.04. The experimental results show that, with only eight features, the performance of two out of five classifiers improved, whereas the accuracy remained constant for all other classifiers.
2) Correlation-Based Feature Reduction: This method reduced the features to 10. The experimental results show that the accuracy of one classifier improved, one dropped a little, and the other three remained almost constant. The final threshold chosen is 0.30.

1) Results of Embedded Method—Feature Reduction Using Random Forest Classifier: In the embedded method, an RFC is used to check the best subset of features under different thresholds and their impact on the prediction accuracy of the model. We tested threshold values of 0.02, 0.03, 0.04, and 0.05. The features were reduced to 16, 11, 8, and 4 based on these values. We finally selected the value of 0.04, which reduced the features to eight only (88% feature reduction), as it improved the accuracy of SVM from 63.33 to 83.33 and LRC from 97.77 to 98.88. GNB dropped from 80 to 75.55, but, for RFC and DTC, the accuracies were constant, as listed in Table III.

2) Results of Filter Method—Correlation-Based Feature Reduction: Here, we tested the model accuracy with different values of the correlation. The correlation thresholds were set to greater than 0.25, 0.30, and 0.35, leading to reduced feature sets of 12, 10, and 5 features. We chose the value of 0.30, as it reduced the features to 10 and improved the prediction accuracy of SVM from 63.33 to 77.77, keeping the rest almost the same. This was a 77.5% feature reduction.

B. Layer 2: Model Evaluation

In our study, to make an accurately predicting IDS, we used five classifiers. After feature reduction using the embedded and filter methods, two-way model evaluation is done, namely, n-fold cross validation and validation using new data from a similar network. The results of the two evaluation methods are discussed in the following.

1) n-Fold Cross Validation Results: For model testing, 80/20 cross validations are performed. The analysis for class 0, class 1, class 2, class 3, and class 4 is summarized in the following.
a) Results of the model built using the embedded method: The performance of the classifiers is evaluated against individual scenarios. In every case, TP and FP rates are evaluated. Table IV lists the TP scores of the models built using the embedded method.
b) Results of the model built using the correlation (filter) method: Correlation-based feature reduction removes features that have a low correlation with the class variable. The performance of the classifiers is evaluated against individual scenarios. In every case, TP and FP rates are evaluated. Table V lists the TP scores of the model built using the filter method.

2) Model Evaluation Results Using New Unseen Data: Another evaluation method used is testing the model with new data from the same network with a known class label. To do so, new log data from the network are taken as a .pcap file and are passed through Algorithms 1–5 to generate a new data set in the form of a .csv file. This file is passed to the model for prediction. The five classifiers used for prediction may give the same or different predictions. The five results are used for polling, and the majority decision is taken as the final result.
1) All Classifiers Give the Same Result: The result is predicted.
2) Three or Four Classifiers Give the Same Result: The majority result is predicted again.
3) Four Out of Five Classifiers Give Different Results: In this case, the prediction analysis is repeated 20 times. To get the final majority out of all runs, if a classification gets a rate of more than 50%, it is taken as the final result.

For model testing with new data, ten simulations each were done for class 0, class 1, class 2, class 3, and class 4. The results found are summarized in the following.
a) Results of the model built using the embedded method: Table VI lists the results of the model built using the embedded method.
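The polling and 20-iteration fallback of the predictor (Section II-C, Section II-D, and the three cases listed above), as an added example in Python; it is not the paper's own predictor code. It assumes that the five classifier outputs for each analysis pass are supplied by a callable, that a pass with no three-way agreement contributes no vote, and that "more than ten times" means at least 11 of the 20 passes; the per-pass outputs below are constructed.

```python
from collections import Counter

CLASS_NAMES = {0: "normal", 1: "hello flood", 2: "DIS", 3: "increased version", 4: "decreased rank"}
NEW_ATTACK = "new attack"
CLASSIFIERS = ("RFC", "SVM", "DTC", "GNB", "LRC")  # order of the five outputs per pass


def poll(votes, min_agree=3):
    """Majority decision over one analysis pass of the five classifiers.

    Returns the winning class when at least min_agree classifiers (three of five)
    voted for it, otherwise None to signal that no clear majority exists.
    """
    label, count = Counter(votes).most_common(1)[0]
    return label if count >= min_agree else None


def predict(next_round, iterations=20, min_wins=11):
    """Final decision for one testing set (one 15-min .pcap turned into one .csv row).

    next_round() returns the five classifier outputs for one analysis pass. A clear
    majority in the first pass is the result. Otherwise `iterations` further passes
    are polled; a class that wins more than half of them (at least 11 of 20) is
    declared, and anything less is flagged as a new attack. A pass without a
    three-way agreement contributes no vote (assumption for this example).
    """
    first = poll(next_round())
    if first is not None:
        return first
    wins = Counter()
    for _ in range(iterations):
        winner = poll(next_round())
        if winner is not None:
            wins[winner] += 1
    if wins:
        label, count = wins.most_common(1)[0]
        if count >= min_wins:
            return label
    return NEW_ATTACK


def alarm_message(result):
    """What is reported to the network administrator: nothing for class 0."""
    if result == 0:
        return None
    if result == NEW_ATTACK:
        return "ALARM: unseen attack pattern; testing set archived for later analysis"
    return f"ALARM: known intrusion, {CLASS_NAMES[result]} attack"


def rounds_from(passes):
    """Wrap a constructed list of per-pass outputs as a next_round() callable."""
    it = iter(passes)
    return lambda: next(it)


# Constructed per-pass outputs (RFC, SVM, DTC, GNB, LRC), modelled on the behaviour
# reported in Section III-B-2 but not the paper's measured data.
NORMAL_RUN = [[0, 3, 0, 0, 0]]                                           # SVM alone is off; clear first time
DIS_RUN = [[2, 3, 2, 1, 4]] + [[2, 3, 2, 1, 2]] * 19 + [[3, 3, 2, 3, 1]]  # 19 of 20 passes settle on class 2
SPLIT_RUN = [[2, 1, 3, 3, 2]] + [[3, 1, 3, 3, 2]] * 3 + [[2, 1, 3, 4, 2]] * 17  # class 3 wins only 3 of 20
UNKNOWN_RUN = [[2, 1, 3, 3, 2], [4, 1, 4, 3, 2]] * 11                    # never three in agreement


if __name__ == "__main__":
    for name, run in [("normal", NORMAL_RUN), ("DIS", DIS_RUN), ("split", SPLIT_RUN), ("unknown", UNKNOWN_RUN)]:
        result = predict(rounds_from(run))
        print(f"{name:8s} -> {result!r:14} {alarm_message(result) or 'no alarm'}")
```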

TABLE VI: Accuracy Score of Model Testing With New Data Using the Embedded Method

TABLE VII: Accuracy Score of Model Testing With New Data Using the Correlation Method

TABLE VIII: Comparative Analysis of the Proposed IDS With Other IDSs Available in the Literature

Normal Scenario: Logistic regression and RFC always gave the correct results. SVM gave the correct prediction nine times, and one time it predicted attack 3. DTC also predicted the same. Naive Bayes was also off one time. However, the polling result always clearly predicted a normal scenario.

Attack 1 (Hello Flood Attack): All classifiers except DTC gave the correct prediction all ten times. The decision tree was wrong all ten times. However, polling gave the correct result in the very first attempt.

Attack 2 (DIS Attack): This is the only scenario that was not very clearly predicted in the first attempt. All the classifiers predicted different results. The lack of a clear polling result in our IDS leads to 20 iterations of prediction. Since the decision tree and RFC always gave the correct prediction, the net result after 20 iterations gave a correct prediction of 2 (19 times it was 2).

Attack 3 (Increased Version Attack): Random forest, naive Bayes, and LRC always gave correct results. SVM and decision tree were off in their predictions, but polling always got the correct result.

Attack 4 (Decreased Rank Attack): Random forest, decision tree, and LRC always gave correct results. SVM and naive Bayes were off in their predictions, but polling always got the correct result.

b) Results of the model built using the correlation method: Table VII lists the results of the model built using the correlation method.

Normal Scenario: GNB always gave the correct results. SVM and logistic regression gave the correct prediction nine times, and one time they predicted attack 2. DTC was also off one time. However, the polling result always clearly predicted a normal scenario.

Attack 1 (Hello Flood Attack): All classifiers except DTC gave the correct prediction all ten times. The decision tree was wrong all ten times. However, polling gave the correct result in the very first attempt.

Attack 2 (DIS Attack): This is the only scenario that was not very clearly predicted in the first attempt. All the classifiers predicted different results, mainly switching between class 2 and class 3. The lack of a clear polling result in our IDS in the first attempt leads to 20 iterations of prediction for the final result. Since RFC always gave the correct prediction, and logistic regression predicted the correct class most of the time, the net result after 20 iterations gave a correct prediction of 2 (19 times it was 2).

Attack 3 (Increased Version Attack): Random forest, decision tree, and LRC always gave correct results. SVM and naive Bayes were off in their predictions, but polling always got the correct result.

Attack 4 (Decreased Rank Attack): Random forest, naive Bayes, and LRC always gave correct results. The decision tree predicted correctly the majority of the time. SVM was off in its prediction, but polling always got the correct result.

C. Layer 3: Model Deployment

The IDS is deployed at the node that observes the traffic flow of the entire network. The data are collected every 15 min to check for an intrusion. The data, in the form of a .pcap file, are passed through the defined algorithms (1–5) to get a brand new .csv testing data file. These testing data are passed through the model for the final prediction.

1) Detecting a Known Attack: The performance for the normal traffic and the four defined attacks was similar to that in the previous section.

2) Detecting an Unknown Attack: We introduced a new attack in the network. We collected the .pcap files for 20 different simulations and created a new testing set for these 20 runs. When passed through the model, the predictions were as follows.
1) None of the models predicted class 0.
2) RFC predicted 2 or 4 several times.
3) SVM predicted class 1 all the time.
4) DTC predicted 3 or 4 a few times.
5) GNB predicted it as 3 all the time.
6) The logistic regression model classified it as class 2 all the time.
As the final result of polling, there was an incorrect prediction only three times, i.e., class 3 was predicted; 17 times, the result came out as a new attack, leading to 85% accuracy. Table VIII presents the comparison of this new IDS with other IDSs reviewed in the literature.

IV. CONCLUSION

The 6LoWPAN network may suffer from many intrusion threats. The novel IDS proposed in this article is built using supervised machine learning techniques and is built and tested on Cooja-Contiki. The IDS is successfully capable of detecting any intrusion in the network. Data from each network are collected after 15–20 min, using several algorithms. The data are turned into single-row features in the form of a .csv file. This .csv file is passed through the IDS trained using five different supervised machine learning classifiers, i.e., RFC, SVM, DTC, GNB, and LRC. As the result, the IDS may detect that the network is without any intrusion or is experiencing one of the four attacks, i.e., Hello flood, DIS attack, increased version, or decreased rank attacks. The model is also capable of detecting a new attack that does not belong to the abovementioned categories.

The high capability of detecting the known and new attacks is supported by experimental results. Out of the 20 instances of the new attack, only three instances were predicted as class 3, and all the rest were classified as a new attack, i.e., giving 85% accuracy in predicting a new attack. The new attack is not classified yet. It may be a new attack or a combination of many others. Table VIII lists the comparison of the proposed IDS with the other ones discussed in the literature.

Future work includes the plan to extend and remodel the IDS to be able to classify the new attack from the archive and name it as another class for later predictions. This may be done automatically based on reinforcement learning techniques.

REFERENCES

[1] K. C. Lee et al., “A comprehensive evaluation of RPL under mobility,” Int. J. Veh. Technol., vol. 2012, pp. 1–10, Mar. 2012.
[2] T. Clausen, U. Herberg, and M. Philipp, “A critical evaluation of the IPv6 routing protocol for low power and lossy networks (RPL),” in Proc. IEEE 7th Int. Conf. Wireless Mobile Comput., Netw. Commun. (WiMob), Oct. 2011, pp. 365–372.
[3] O. Gaddour and A. Koubâa, “RPL in a nutshell: A survey,” Comput. Netw., vol. 56, no. 14, pp. 3163–3178, Sep. 2012.
[4] A. Raoof, A. Matrawy, and C.-H. Lung, “Routing attacks and mitigation methods for RPL-based Internet of Things,” IEEE Commun. Surveys Tuts., vol. 21, no. 2, pp. 1582–1606, 2nd Quart., 2019.
[5] L. Wallgren, S. Raza, and T. Voigt, “Routing attacks and countermeasures in the RPL-based Internet of Things,” Int. J. Distrib. Sensor Netw., vol. 9, no. 8, Aug. 2013, Art. no. 794326.
[6] S. Raza, L. Wallgren, and T. Voigt, “SVELTE: Real-time intrusion detection in the Internet of Things,” Ad Hoc Netw., vol. 11, no. 8, pp. 2661–2674, Nov. 2013. [Online]. Available: http://www.sciencedirect.com/science/article/pii/S1570870513001005
[7] C. Cervantes, D. Poplade, M. Nogueira, and A. Santos, “Detection of sinkhole attacks for supporting secure routing on 6LoWPAN for Internet of Things,” in Proc. IFIP/IEEE Int. Symp. Integr. Netw. Manage. (IM), May 2015, pp. 606–611.
[8] M. N. Napiah, M. Y. I. B. Idris, R. Ramli, and I. Ahmedy, “Compression header analyzer intrusion detection system (CHA-IDS) for 6LoWPAN communication protocol,” IEEE Access, vol. 6, pp. 16623–16638, 2018.
[9] P. Pongle and G. Chavan, “Real time intrusion and wormhole attack detection in Internet of Things,” Int. J. Comput. Appl., vol. 121, no. 9, pp. 1–9, Jul. 2015.
[10] I. Ahmad, M. Basheri, M. J. Iqbal, and A. Rahim, “Performance comparison of support vector machine, random forest, and extreme learning machine for intrusion detection,” IEEE Access, vol. 6, pp. 33789–33795, 2018.
[11] S. M. Kasongo and Y. Sun, “A deep learning method with filter based feature engineering for wireless intrusion detection system,” IEEE Access, vol. 7, pp. 38597–38607, 2019.
