
computers & security 104 (2021) 102219


Intrusion detection systems for RPL security: A comparative analysis

George Simoglou, George Violettas, Sophia Petridou∗, Lefteris Mamatas


University of Macedonia, Egnatia 156, Thessaloniki, Greece

Article info

Article history: Received 27 August 2020; Revised 5 January 2021; Accepted 4 February 2021; Available online 8 February 2021

2020 MSC: 00-01; 99-00

Keywords: IoT; RPL routing protocol; Security; Attacks; Intrusion detection systems; Comparative analysis

Abstract

Internet of Things (IoT) is an emerging technology that has seen remarkable blossom over the last years. The growing interest for IPv6 constrained networks has made the Routing Protocol for Low Power and Lossy Networks (RPL) the standard routing solution, which has gained significant attention and maturity in the literature. However, due to the networks' open and possibly unattended environment of operation, as well as to the nodes' constraints, the security of the protocol is a challenging issue, currently under thorough investigation. New and innovative Intrusion Detection Systems (IDSs) have been proposed in the literature over the last years to address the protocol's security issues. In that regard, our survey paper: i) begins with extracting a set of design requirements for RPL-related IDSs based on discussing the diversity of attacks on the protocol and investigating their impact; ii) continues with identifying best practices and gaps in an IDS design which are derived by studying the evolution of the related bibliography (2013–2020); and iii) concludes with a number of guidelines extracted once we map the 22 IDSs under study to the attacks they encounter and compare them in line with the design requirements we introduce. Our analysis considers feedback from the corresponding authors for a deeper investigation.

© 2021 Elsevier Ltd. All rights reserved.

∗ Corresponding author.
https://doi.org/10.1016/j.cose.2021.102219

1. Introduction

The Internet of Things (IoT) is a broad field of technology and research, part of which is comprised of Low-power and Lossy Networks (LLNs). The nodes of such networks are susceptible to various restrictions and challenges, rendering the existing routing protocols inappropriate. The gap was filled by the IPv6 Routing Protocol for Low-Power and Lossy Networks (RPL), which has become the de facto standard for IoT routing, beyond initial expectations (Gaddour and Koubâa, 2012; Winter et al., 2012). RPL has been proven significantly mature to connect IPv6 devices, with moderate control overhead and under challenging conditions, e.g., lossy links, heterogeneous and constraint devices, newfangled threats (Violettas et al., 2018; 2019).

Despite its advantages, RPL still has open issues, the most important of which are related to attacks that disrupt the IoT network's operation (Mayzaud et al., 2016). In fact, RPL is unavoidably exposed to a large number of attacks since it is based on the IPv6 open stack and uses mostly wireless media for the nodes' communication. In addition, by exploiting RPL's mechanisms, an intruder can gain access to the network and unleash attacks that originate from within the LLN. In such cases, encryption itself does not suffice to provide security (Verma and Ranga, 2020b). On this front, the RPL standard specifies three modes of operation, i.e., unsecured mode, pre-installed mode, and authenticated mode (Winter et al., 2012),
while it also defines mechanisms for data confidentiality, data authenticity, and replay protection (Arena et al., 2020).

Although some recent research efforts focus on a partial implementation of RPL's security features (Arena et al., 2020; Perazzo et al., 2017b), up to this time, the majority of RPL implementations assume the unsecured mode of operation. Actually, the RPL security features are characterized as optional (Winter et al., 2012) and, according to Kamgueu et al. (2018), Granjal et al. (2015), future versions of RPL will address issues such as authenticated security.

Until then, the most realistic approach to deal with attacks is the Mitigation Methods and the Intrusion Detection Systems (IDSs). The former regard lightweight supplementary mechanisms to the standard RPL and deal with a limited number of attacks. The latter employ a combination of methods, allowing for a broader spectrum of attacks' treatment. Currently, a small number of surveys focus on the RPL aforementioned security issues and the IDSs confronting them. Mayzaud et al. (2016) present a definite categorization of RPL attacks, where the IDSs are solely discussed in line with them, while a detailed taxonomy and evaluation of the attacks are missing. Furthermore, Mayzaud et al. (2016) includes only three of the new IDSs, available at the time of publication. Raoof et al. (2018) discuss RPL attacks and their mitigation methods in general, leaving limited space for description and analysis of specific IDSs; only a list of those considered most influential by the authors is shortly described. In the recent work of Verma and Ranga (2020b), the authors also utilize the taxonomy of attacks from Mayzaud et al. (2016), and they propose a comparison chart of the contemporary IDSs based on an extensive set of 26 categorization criteria. Despite being a detailed mapping with some potential of providing future insights, at this time, their comparison table is empty up to 92%, and, thus, it remains incomprehensible.

The above fact indicates that selecting criteria for analysis is a challenging issue since they should be primarily meant for the context they are proposed, and, secondly, they should facilitate the direct comparison of the subjects (the IDSs in our case) under investigation. To our mind, this can be achieved by a core of narrow and well-thought criteria.

In this context, this survey implements a coherent investigation of RPL-related IDSs according to a novel conceptual framework that defines a three-step methodology. It starts by investigating the diversity and impact of well-known attacks to define essential design requirements for IDSs, based on both a literature review and illustrative simulations. The next step identifies best practices & gaps by studying the evolution of related IDS proposals. The last step involves mapping 22 selected IDSs to the attacks they encounter, while contrasting them in respect to the introduced requirements as comparison criteria. Our analysis concludes with essential design guidelines for future up-to-date IDSs.

The remainder of this survey is organized as follows: Section 2 presents our conceptual framework that highlights our methodological approach. Section 3 gives a brief overview of the RPL protocol, while Section 4 discusses the RPL-related attacks and their impact to conclude to a set of IDSs' design requirements. Section 5 elaborates on the RPL-related IDSs, providing a classification of them, discussing the evolution of the most recently proposed systems, and highlighting best practices and gaps in the literature. Section 6 summarizes our comparative analysis and compacts our investigation into four guidelines for future systems. Finally, Section 7 concludes this survey.

2. Conceptual framework & methodology

This survey adheres to a novel conceptual framework, shown in Fig. 1, that provides the methodological basis of our investigation. It consists of three methodological steps, defined below.

The first one concerns the requirements' definition that a successful IDS should address. Our starting point is a better understanding of the problem IDSs tackle, i.e., the mitigation of attacks. For example, Wallgren et al. (2013a) identifies the diversity of attacks as the main cause for attack detection accuracy issues in existing IDSs. Other papers, including surveys (Mayzaud et al., 2016; Raoof et al., 2018) and IDS proposals (Kamble et al., 2017; Le et al., 2016; Mayzaud et al., 2017; Wallgren et al., 2013a), do typically base their analysis on identifying the considered attacks' impact, e.g., increased control overhead or decreased packet delivery ratio (PDR). For completeness, we conduct a literature-based investigation of well-known RPL attacks from a new perspective: a combined study on attacks' diversity and impact.

More precisely, we elaborate on the RPL-related attacks, spanning from resource depletion attacks, that shorten the network's lifespan, to network topology attacks, that degrade the paths created by RPL or isolate a subset of network's nodes, and network traffic attacks, that allow the analysis of packets in order to gain knowledge about the network. Several of them may not be harmful as standalone events. Still, they can be critically detrimental to the network (e.g., control overhead) or the applications (e.g., PDR) in conjunction with others. In this first step, we also provide illustrative simulation results, highlighting the primary outcomes of our combined investigation of attacks' diversity and impact. As an outcome, we define a set of seven design requirements for an RPL-related IDS that are directly connected with the protocol's standard.

Our next step identifies the best practices & gaps out of an extensive literature review in respect to the defined design requirements. Our goal is to realize the best approaches of existing works addressing the requirements, understand their evolution, as well as identify associated open issues. We investigate the 22 most recently introduced RPL-related IDSs in the literature (2013–2020). We firstly discuss their classification in respect to their detection method and their placement strategy. Then, we build up a timeline of their evolution stages along with their principal qualitative (i.e., detection method, placement strategy) and quantitative features (i.e., number of attacks). The adherence level to the requirements and classification criteria is discussed in the textual descriptions of each IDS.

Our last step involves a synthetic process producing our investigation's outcome, which is to introduce design guidelines for up-to-date IDSs. We consolidate the outputs of the steps mentioned above by first, including mapping the IDSs to the type of attacks they tackle. Secondly, we provide a summarized comparison viewed under the design requirements we
Fig. 1 – Conceptual framework of the analysis: an abstract representation.

introduce. For the attacks' mapping, we consider both attack detection supported by simulations and those discussed conceptually only. For compliance with the requirements, we are based on the respective authors' claims in the IDS' relevant articles. Since the devised requirements are aligned to the RPL standard objectives, the vast majority of IDSs consider them, and hence, we ended up with a comprehensive comparison that produces and elaborates on four crucial design guidelines for future up-to-date IDSs.

The next section gives a brief overview of RPL, as an essential background for the analysis that follows next.

3. RPL overview

RPL operates on the IP networking layer, via the 6LoWPAN protocol stack, exploiting Destination Oriented Directed Acyclic Graphs (DODAGs) rooted at a single destination called sink (Winter et al., 2012). In practice, the protocol builds a graph of logical paths upon physical network connections, which are directed towards the sink. Parents' selection on paths towards the DODAG root can be treated as a multi-objective optimization problem since a variety of metrics (e.g., link reliability, latency, throughput) and constraints (e.g., nodes' energy, link color) can be exploited to evaluate the nodes' rank (Gaddour and Koubâa, 2012). The specified Objective Function (OF) defines how the RPL nodes translate metrics and/or constraints into ranks, and select and optimize routing paths in a DODAG.

As depicted in Fig. 2, the sink-node launches the DODAG's (re)construction based on the exchange of routing control messages, i.e., DODAG Information Object (DIO), Destination Advertisement Object (DAO), DAO-ACK, and DODAG Information Solicitation (DIS). Once the first DIO message is multicasted by the sink, plenty of them are multicasted by nodes getting attached to the graph. DAO messages are used by all nodes, except to the sink, to propagate reverse route information; DIS messages are sent by the not connected (due to their isolated position) or disconnected (due to mobility) nodes in order to solicit DIO messages from other possible connected neighbors and join the graph. DIO messages are critical regarding the graph's construction since they contain the routing metrics and/or constraints, as well as the OF used for the routing paths' establishment.

Fig. 2 – DODAG construction.

The DODAG's maintenance is a functionality placed at the very core of the RPL. Hence, a dedicated algorithm, namely the Trickle timer, synchronizes the propagation of DIO messages upon which the network's convergence time is based. The critical aspect in DIO multicasting process is the attainment of a short network setup time and, thus, the reinforcement of the network's metrics, e.g., PDR, while restricting the control overhead towards lowering the node's power consumption. To achieve the aforementioned trade-off, the DIO messages are sent periodically; their interval ranges from $I_{min}$ (Minimum Interval) up to $I_{max}$, where $I_{max} = I_{min} \cdot 2^{I_{doubling}}$. For example, the default RPL configuration specifies $I_{min} = 2^{12} = 4.096$ ms and $I_{doubling} = 8$, which entails $I_{max} = 2^{12+8} = 17.5$ min. Actually, the timer's duration is doubled each time it fires. Moreover, any change in the DODAG, e.g., an unreachable parent or a new parent selection, resets the Trickle timer to $I_{min}$ (Violettas et al., 2019). According to the algorithm, DIO messages will be sent at a higher rate when the network is unstable and slower otherwise, i.e., to reduce protocol overhead and save energy.

The impact of DIO sending frequency in RPL is depicted in Fig. 3. We derive the graph by simulating a WSN in Cooja,
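As an added example (not code from the paper, Contiki or any surveyed IDS), the Trickle behaviour just described as a small single-node simulator: Imin = 2^12 ms and Idoubling = 8 are the Contiki defaults the text quotes, while the three-hour horizon, the reset schedule of a mobile node re-attaching once a minute and the reset schedule of a sustained DODAG inconsistency attack are constructed, and RFC 6206's randomised send time and redundancy suppression are left out so the counts are deterministic.

```python
"""Trickle-timer DIO scheduling for one RPL node (added example).

Simplified model: each interval ends with one DIO multicast, and any DODAG
change (new/unreachable parent, inconsistency) resets the interval to Imin.
RFC 6206's random send time within [I/2, I) and its redundancy-based
suppression are left out so that the counts are deterministic. Times in ms.
"""

IMIN_EXP = 12     # Contiki default: Imin = 2**12 ms = 4.096 s
IDOUBLING = 8     # Contiki default: Imax = Imin * 2**8 = 2**20 ms (about 17.5 min)

HOUR = 3_600_000
HORIZON = 3 * HOUR            # the three-hour run used in Section 4.2

# Constructed reset schedules (not the paper's traces):
# a mobile node that detaches and re-attaches once a minute from 01:00 to 01:10 ...
MOBILITY_RESETS = range(HOUR, HOUR + 600_000, 60_000)
# ... and a DODAG inconsistency attack that keeps forcing a reset every 30 s from 01:20 on.
ATTACK_RESETS = range(HOUR + 1_200_000, HORIZON, 30_000)


def trickle_bounds(imin_exp=IMIN_EXP, idoubling=IDOUBLING):
    """Return (Imin, Imax) in ms, with Imax = Imin * 2**Idoubling."""
    imin = 2 ** imin_exp
    return imin, imin * 2 ** idoubling


def simulate_dio_times(horizon_ms, reset_times=(), imin_exp=IMIN_EXP,
                       idoubling=IDOUBLING):
    """Return the instants (ms) at which the node multicasts a DIO in [0, horizon_ms)."""
    imin, imax = trickle_bounds(imin_exp, idoubling)
    pending = sorted(t for t in reset_times if 0 <= t < horizon_ms)
    start, interval, sent = 0, imin, []
    while True:
        fire = start + interval
        # Every DODAG change that arrives before the timer fires is consumed here;
        # RFC 6206 only restarts the timer when the current interval exceeds Imin.
        while pending and pending[0] < fire:
            t = pending.pop(0)
            if interval > imin:
                start, interval = t, imin
                fire = start + interval
        if fire >= horizon_ms:
            return sent
        sent.append(fire)
        # The interval doubles after each expiry until it is capped at Imax.
        start, interval = fire, min(interval * 2, imax)


def count_in_window(times, start_ms, end_ms):
    """DIOs sent in [start_ms, end_ms): this node's share of the control overhead."""
    return sum(1 for t in times if start_ms <= t < end_ms)


def scenario_overhead(window_ms=600_000):
    """Per-window DIO counts for a stable node, the mobility burst and the attack."""
    runs = {
        "baseline": simulate_dio_times(HORIZON),
        "mobility": simulate_dio_times(HORIZON, MOBILITY_RESETS),
        "attack": simulate_dio_times(HORIZON, ATTACK_RESETS),
    }
    starts = range(0, HORIZON, window_ms)
    return {name: [count_in_window(t, s, s + window_ms) for s in starts]
            for name, t in runs.items()}


if __name__ == "__main__":
    imin, imax = trickle_bounds()
    print(f"Imin = {imin} ms ({imin / 1000:.3f} s), Imax = {imax} ms ({imax / 60000:.1f} min)")
    table = scenario_overhead()
    print("window        baseline  mobility  attack")
    for i, (b, m, a) in enumerate(zip(table["baseline"], table["mobility"], table["attack"])):
        s, e = i * 10, (i + 1) * 10     # window bounds in minutes
        print(f"{s // 60:02d}:{s % 60:02d}-{e // 60:02d}:{e % 60:02d}   {b:8d} {m:9d} {a:7d}")
```

In steady state the node sends one DIO per Imax (about every 17.5 min), whereas every reset costs three DIOs within the next 30 s, which is why a sustained stream of resets inflates control traffic by orders of magnitude while a short re-attachment burst looks identical inside its own 10-minute window.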
which is embedded with Contiki OS (Dunkels et al., 2004). Our explanatory simulation considers a network of one sink and 10 nodes that perform measurements' collection and forwarding them over multi-hop communication. Fig. 3 shows the impact of DIO $I_{min}$ values on the network setup time (left axis - blue squared-dot curve) and on the network control overhead measured in line with the total number of DIO, DAO, and DIS messages (right axis - green x-marked curve). According to the results, high values of $I_{min}$, i.e., infrequent DIO transmissions, cause delays in network setup time due to the nodes that have not yet received DIO messages and thus remain unconnected. On the opposite, frequent DIO messages entail lower setup time. $I_{min}$ equal to 12, which is the default value in Contiki RPL implementation, provides the best performance concerning the setup time. Regarding control overhead, Fig. 3 validates that higher interval values produce less network traffic since the frequency of DIO messages is low. Fig. 3 is in compliance with our findings in Violettas et al. (2019).

Fig. 3 – The network setup time and control overhead in respect to the DIO $I_{min}$.

Since the Trickle timer is the most responsible algorithm for the protocol's performance and along with the DODAG and the sink-node are fundamental parts of the RPL protocol, it is undoubtedly a profound target for a series of attacks.

In the following section, we give a taxonomy and describe such attacks, including those exploiting RPL mechanisms and/or weaknesses. We pay special attention to their impact, since in fact, several attacks may not cause severe damage by themselves. Still, they can have bothersome effects on the network (e.g., control overhead) or on the applications (e.g., PDR) when combined with others.

4. Attacks on RPL-based IoTs

Routing in the RPL-based networks is an incredibly challenging task basically due to the power, storage, memory and processing constraints of the connected devices. The RPL protocol offers several configuration parameters to satisfy diverse requirements regarding deployments of different scale, heterogeneity, and mobility (Tsvetkov and Klein, 2011; Winter et al., 2012) as well as mechanisms to adapt to changes. However, such network contexts, including resource-constraint nodes, supporting dynamic topologies, and based on the passive nature of the wireless medium, do inevitably attract malicious actions, including but not limited to denial of service attacks (DoS), physical damages, and/or extraction of sensitive information, e.g., DODAG version, nodes' rank values, and IDs. In fact, some nodes can be getting compromised by exploiting the RPL mechanisms themselves; if the node happens to have a significant role in the network, e.g., the sink or parent nodes, then a combination of attacks can be applied with serious effects, spanning from resource-depletion of nodes, due to a sharp increase in the control overhead, to severe degradation of the protocol's performance in terms of data delivery.

Right afterward, a comprehensive list of the most common and disrupting attacks on the RPL protocol is presented. The network attacks that do not mainly target RPL are not included since they are not part of the paper's scope, e.g., (Distributed) Denial of Service, (D)DoS attacks.

4.1. Diversity of attacks

Reflected to the aforementioned characteristics of the RPL-based IoTs, i.e., resource-constraint nodes, dynamic topologies and passive nature of the wireless medium, the RPL-related attacks are rather divergent and classified into: Resource depletion attacks, Network topology attacks and Network traffic attacks (Mayzaud et al., 2016). Fig. 4 provides a panorama of them along with their classes and sub-classes.

Fig. 4 – Classification of RPL attacks.

More specifically, the Resource depletion attacks include malicious actions that intend to deplete nodes' computing, memory, or energy resources by creating a false impression of continuous operation. Given that the node's operation is inextricably linked to processing, memory, and energy assets' utilization, any overhead is equitable to excessive consumption of their resources. Consequences may be local or, even worse, affect the overall network availability and performance, leading to routing loops, unnecessary network traffic, and congestion (Le et al., 2013; Pongle and Chavan, 2015; Sehgal et al., 2014).

Attacks against resources are distinguished into Direct and Indirect, according to the fashion of their execution. In direct attacks a malicious node overloads a subset of nodes-victims and affects their status or operation. Common examples are Routing Table Overload (Le et al., 2013), and Flooding Attacks (Le et al., 2013; Raoof et al., 2018). On the other hand, indirect attacks manipulate intermediate nodes as a means of broadly affecting the network by, for example, causing unnecessary control traffic. Local Repair (Le et al., 2013; Pongle and Chavan, 2015), DIS Message (Le et al., 2016; Le et al., 2013), DODAG Inconsistency (Sehgal et al., 2014), and DODAG Version Number (Aris et al., 2016; Mayzaud et al., 2014) attacks are typical examples of this sub-category.

The Network topology attacks are divided into Sub-Optimization and Isolation attacks that disrupt the nodes' communication and DODAG's structure, respectively. In practice, the sub-optimization attacks impact the network's optimal convergence ability, i.e., they prevent the establishment of the optimal routes, and thus, affect the network traffic and degrade the network services. Some of the most common consequences include topology inconsistencies, significant packet losses, increased end-to-end delays, network congestion and nodes resources' depletion. The aforementioned effects can be particularly detrimental to dynamic networks due to the nodes' mobility. Sinkhole (Wallgren et al., 2013b), Wormhole (Airehrour et al., 2016; Pongle and Chavan, 2015), Replay (Perazzo et al., 2017a; Sharma et al., 2017), Neighbor (Le et al., 2013), Routing Table Falsification (Kamble et al., 2017), Decreased Rank (Le et al., 2013), Increased Rank (Kamble et al., 2017; Xie et al., 2010), and Worst Parent Selection (Xie et al., 2010) attacks are well-known sub-optimization attacks.

Isolation Attacks exploit the tree topology of the RPL network; they aim at cutting off part(s) of the network by interrupting the nodes' communication with either their parent- or sink-node. Amongst their effects are loss of network traffic, end-to-end delay increase, significant service quality deterioration (e.g., PDR), and isolation of sub-graph parts along with starvation of their participating nodes. The most common isolation attacks are Blackhole (Chugh et al., 2012; Kumar et al., 2016; Pongle and Chavan, 2015), Selective Forwarding or Greyhole (Chugh et al., 2012; Kumar et al., 2016; Pongle and Chavan, 2015; Wallgren et al., 2013b), and DAO Inconsistency attacks (Mayzaud et al., 2016; Raoof et al., 2018). These attacks can be severe when combined with others, e.g., decreased rank and blackhole attack.

The Network traffic attacks intercept and monitor the network traffic to acquire or deduce information, e.g., DODAG version or rank value, which can be exploited by attacks launched later on. Depending on how the traffic is affected, they are classified into Eavesdropping and Misappropriation attacks. In the first case, the intruder monitors the network's transmissions and analyzes the packets either through a breached node or by directly "listening" to the wirelessly transmitted packets. This way, he/she gains access to the topology and routing-related information or even to the actual content of the transmitted packets. The most known eavesdropping attacks include Sniffing (Mayzaud et al., 2016) and Network Traffic Analysis (Mayzaud et al., 2016).
In the latter case, the attacker impersonates other network nodes to extract information about the network topology or gain knowledge of other parameters. The node with the greatest interest in such attacks is the sink due to its crucial role. Appropriating a network node's identity negatively affects the routing service. It also confuses the rest nodes leading to potential incorrect messages' forwarding since, for example, instead of reaching their legitimate destination, they are delivered to the attacker. Clone-ID (Mayzaud et al., 2016; Raoof et al., 2018; Wallgren et al., 2013b) falls in this category and can be the first stage of further hostile actions causing serious troubles in the network; Sybil attacks (Medjek et al., 2015; Wallgren et al., 2013b; Zhang et al., 2014) are an escalated type of Clone-ID attacks which eventually can cause increased network control traffic, high energy consumption and degradation in PDR.

Diversity and/or combination of attacks may affect different aspects of an RPL-based IoT network. Next section provides some indicative examples through simulation.

4.2. Impact of attacks

To indicatively illustrate the impact of attacks on an RPL network, we simulate (in Contiki Cooja, Dunkels et al. (2004)) a multi-hop network with one sink and 50 nodes randomly placed around it; the outcome is shown in Figs. 5 and 6. In practice, we run the simulation for three hours (x-axis) and consider that 20% of nodes become mobile at 01:00 h (vertical green line). Regarding attacks, we select one from the resource depletion class, i.e., DODAG inconsistency (yellow curve), and a combination of attacks from the network topology class, i.e., decreased rank and blackhole attack (purple curve). Attacks start at 01:20 h (vertical red line), for visualization clarity reasons.

Fig. 5 shows the impact of attacks on the network concerning the control overhead which is calculated in line with the total number of ICMP packets. The RPL standard operation (blue curve) expresses the ground-truth performance which is contrasted with the performance under attacks' scenario. In our simulation, we notice a heavy impact on control overhead in case of DODAG inconsistency attack, i.e., 750% (on average), since a big part of the network is isolated and many nodes are forced to constantly update and recalculate ranks and paths to find routes to the sink. Significant deterioration, i.e., 153% (on average), is also caused by the decreased rank and blackhole attacks, launched in combination. This deterioration happens because the attacker advertises a lower rank value compared to all other legitimate nodes in a network's neighborhood, causing the affected nodes to send an excessive number of ICMP packets in their try to find paths to the sink.

Fig. 5 – Control overhead under attack and mobility over time.

Our previous experience with nodes' mobility (Violettas et al., 2018; 2019) urges us to investigate further the attacks' impact in comparison to the effects of mobility. The graph confirms our intuition, i.e., trying to get attached to the graph after being disconnected, mobile nodes can create control overhead easily misinterpreted as the effect of an attack, depending on the observation's time-window, e.g., the green and purple curves on the period 01:30–02:00.

Apart from the network, attacks also affect the application, e.g., by aggravating the rate of data packets' delivery. Fig. 6 shows the impact on the PDR which is defined as the received UDP packets (rUDP) over the total number of packets being sent (sUDP), i.e., $PDR = rUDP/sUDP$ (Violettas et al., 2019). While RPL rarely fails to deliver a UDP packet, e.g., 100% PDR in the graph, its performance drops to 49% on average and to 38% on the worst case under DODAG inconsistency attack, since there are no paths to deliver the packets of nodes that are being detached from the DODAG due to the attack. A mild impact, but again very similar to the mobility case, is caused by the rank and blackhole attacks, where the intruder attracts
computers & security 104 (2021) 102219 7

Fig. 6 – PDR under attack and mobility over time.

i. RPL specification compliance: In fact, an RPL-related IDS


Table 1 – Design requirements.
should be primarily compliant with the RPL standard
i. RPL Specification Compliance (Winter et al., 2012), i.e., the fundamental way in which
ii. Low Overhead the protocol operates. This includes, among others, the
iii. Scalability
DODAG’s construction, the rational of control messages’
iv. Robustness
exchange, the Trickle timer algorithm. The advantages of
v. Extendability
vi. Low False Positives/Negatives compliance are twofold: firstly, the IDS exploits data that
vii. Mobility Support are meaningful in the context of the protocol itself, i.e.,
the rank value, the number of nodes attached to a single
parent-node, which may prevent false positives due to mis-
interpretations, e.g., attack instead of mobility, as we saw
as a parent many neighboring nodes only to drop their data on the previous section. Secondly, it preserves the proto-
packets once received. col’s efficiency, for example, in terms of time needed for the
All the above make clear that RPL-based networks must graph’s convergence, packet delay, as well as resource con-
integrate adequate security mechanisms, which will be able sumption, which is essential in constrained environments.
to detect and mitigate the attacks of along-coming intruders. ii. Low overhead: Any security solution should take into con-
According to the literature (Mayzaud et al., 2016; Raoof et al., 2018; Verma and Ranga, 2020c), IDSs are a suitable approach to encounter malicious activities since they aim at detecting several attacks at once, and ideally can be extended to deal with attacks that are not initially included in their design goals. However, the design of an RPL-related IDS has further requirements derived from the protocol itself as well as from the impact of its related attacks. The next section elaborates on such design requirements.

4.3. Design requirements of an RPL-related IDS

The design of an IDS that aims to shield an RPL network is a challenging task since it should consider the issues of LLNs, the objectives described in RFC 7416 (Tsao et al., 2015), and the heterogeneity of IoT devices, combining them with its principal mission. In that regard, Table 1 presents a set of seven design requirements of an RPL-related IDS whose selection is justified right afterward.

sideration resources’ availability, let alone when the solution is intended for LLNs. Fig. 5 indicates that a “low budget” approach should take care of the control messages exchanged and aim at exploiting the standardized ones to train the system and detect any abnormal event. Keeping the control overhead at regular levels entails energy preservation in transceivers, which are the significant consumers of constrained devices. In addition, components that serve to monitor the network, collect and/or analyze data or perform more sophisticated tasks should be hosted by the nodes with the corresponding processing, memory, storage and power capabilities.

iii. Scalability: In Violettas et al. (2018) we argue that RPL can cover a wide range of IoT deployments. Once the LLNs and their routing approaches inherit IoT characteristics, such as large-scale deployment, it is reasonable to evaluate an IDS in terms of its ability to shield the protocol even when the network’s size, in terms of connected devices, is significantly increased. Obviously, satisfying scalability should not jeopardize the low overhead requirement.
iv. Robustness: The diversity of attacks previously described entails the necessity of an IDS that is able to detect a range of attacks. If an IDS does not protect the network against different types of attacks, the adversary can compromise a node, in the worst case a central one, and affect both the network and applications, as we saw in Figs. 5 and 6.

v. Extendability: Apart from their primary performance with respect to the attacks they cope with, many IDSs can be extended to encounter additional cases. Some systems exhibit a “static”, binary rationale that recognizes a known threat pattern or not and proceeds accordingly with the decision. However, new attacks and security issues emerge following the progress of research and development on the IoT. Systems should exploit all current technology assets to remain up-to-date and able to deal with threats that might be currently unknown. To our mind, an IDS can be extendable once its detection method becomes intelligent and its placement is sophisticated.

vi. Low false (positive or negative) detections: The effectiveness and detection accuracy of a system is associated with the number of false positives and/or negatives. Thus, beyond being robust and extendable, an IDS should exhibit a high accuracy rate; this means that the system sends alarms for precise attacks while minimizing the cases in which attacks are missed. To satisfy this requirement, it is necessary to monitor different aspects of the network’s operation, e.g., the control overhead combined with the number of times a node changes its parent, or the PDR in line with the local repairs triggered by the RPL itself. This enables more accurate decisions, including differentiating regular but unexpected operations from attacks.

vii. Mobility support: Many applications with mobile IoT devices have emerged over the last decade, and RPL operation under mobility is the leading research challenge since it entails connectivity hand-overs and additional control overhead to maintain the topology (Theodorou et al., 2019; Violettas et al., 2018; 2019). Thus, we should not underestimate or bypass the mobility issue when it comes to the IDS design. Security mechanisms, similar to the basic ones, should consider both fixed and mobile nodes, and the literature has shown, so far, that there are no straightforward solutions.

Apparently, designing an IDS able to satisfy all the above requirements is a great challenge. In the next section, we provide a classification and present the evolution of the most recent IDSs in the literature as a means of identifying best practices and possible gaps in the related research so far.

5. RPL-related IDSs

5.1. Classification of RPL-related IDSs

Fig. 7 – Classification of IDSs in respect to their detection method and their placement strategy.

The RPL-related IDSs in the literature are classified according to two main criteria (Zarpelão et al., 2017): (i) the detection method they employ, and (ii) their network placement, as depicted in Fig. 7. Based on the detection method, the IDSs fall into one of the four distinctive categories that follow (Le et al., 2016; Raoof et al., 2018; Zarpelão et al., 2017):

1. The Signature Detection (Sg) IDSs identify specific patterns in the network traffic that signify a particular attack (Lokesak, 2008). They usually rely on databases (Pongle and Chavan, 2015), which contain known malicious signatures. While these systems consume limited resources, they are not effective against unknown threats (Raoof et al., 2018), since their effectiveness depends on threat awareness.

2. The Anomaly Detection (A) IDSs rely on network traffic monitoring and machine-learning or statistical analysis. They develop a healthy network behavior profile, and then compare it to any future network state, intending to recognize possible discrepancies that signal malicious activity. They can detect events that correspond to known or unknown threats at the expense of having high false detection rates (Le et al., 2016; Raoof et al., 2018; Sadek et al., 2013).

3. The RPL Specification-based (Sp) IDSs are similar to the previous ones in the sense that they detect attacks based on the observation of divergent network behaviors. However, they build healthy network models by monitoring RPL-related data specified under the security goals (Le et al., 2016; Pongle and Chavan, 2015; Raoof et al., 2018; Zarpelão et al., 2017). This category’s IDSs present high efficiency and low false detection rates while requiring less training time than the Anomaly Detection IDSs. However, in the case of regularly changing environments, their manual configuration reduces their effectiveness.

4. The Hybrid Detection (HD) IDSs are a combination of at least two of the categories mentioned above. They tend to inherit the advantages of the combined categories while minimizing their drawbacks (Zarpelão et al., 2017). The prevailing hybrid scheme, at this time, is signature along with anomaly detection; to the best of our knowledge, currently, there are five HD systems (Bostani and Sheikhan, 2016; Kaur, 2019; Napiah et al., 2018; Raza et al., 2013; Sedjelmaci et al., 2017), spanned across the time evolution of IDSs, and three of them, i.e., (Kaur, 2019; Napiah et al., 2018; Sedjelmaci et al., 2017), employ signature and anomaly detection. Signature-based techniques are simple (Raza et al., 2013) and can be executed very quickly and efficiently (Dharmapurikar and Lockwood, 2006), because they rely on pattern matching. Hence, they are a favored choice of combination to detect the known attacks effectively. In contrast, the unknown ones are left to be caught by the mechanism with which they are combined, e.g., anomaly detection (Kaur, 2019; Napiah et al., 2018; Sedjelmaci et al., 2017) or specification-based detection (Bostani and Sheikhan, 2016).

Regarding their placement strategy, the RPL-related IDSs are classified into three categories (Zarpelão et al., 2017):

1. Centralized (C) IDSs are installed and operate at the root-node of the DODAG or at a subset of network nodes (Raoof et al., 2018; Zarpelão et al., 2017), assuming that resource-intensive processes are being handled by nodes that are sufficiently equipped (Raoof et al., 2018). Due to the centralized strategy, these systems are not effective in detecting simultaneous malicious activities in different network locations, e.g., in broad networks. Additionally, such IDSs could render the network exposed to failures at the single point of defense, e.g., the sink-node (Aydogan et al., 2019; Othman et al., 2018).

2. Distributed (D) IDSs, on the opposite side, are decentralized and fully implemented in every node of the network. They usually require cooperation between the network nodes (Raoof et al., 2018), whose availability may fluctuate highly (Othman et al., 2018). Detection mechanisms are usually implemented in specific guard nodes distributed across the network and are responsible for monitoring, whereas the attack mitigation functions are implemented at each node. The benefit of these systems is that threat mitigation is performed from within, as all the nodes are involved in protecting the network (Raoof et al., 2018). In this manner, the network’s scalability and adaptability with a high security level can be achieved (Othman et al., 2018). Nonetheless, the resource consumption of these IDSs remains a significant issue.

3. Hybrid Placement IDSs (HP) combine the two previous categories as a means of balancing the pros and cons (Pongle and Chavan, 2015; Raoof et al., 2018; Wallgren et al., 2013b; Zarpelão et al., 2017). In practice, they delegate the resource-demanding processes, such as monitoring, analysis, and decision-making, to the central nodes, while assigning the lightweight tasks to the rest. Nevertheless, the IDSs of this category require continuous optimization; the central nodes’ deployment should be done wisely and may vary for each RPL network (Raoof et al., 2018).

Remarks 1. As an outcome, we notice that Signature Detection IDSs’ major weakness is their ineffectiveness against unknown threats. In contrast, the Anomaly Detection ones can detect even unknown threats, but they suffer from high false positive rates. Exploiting data related to the protocol seems promising, and thus, the relevant systems dominate the detection method. However, it is interesting that only two out of five Hybrid Detection systems employ them in combination with either signature (Raza et al., 2013) or anomaly detection methods (Bostani and Sheikhan, 2016). This leaves room for investigating the potential of hybrid systems that indeed contain RPL specification-based methods.

Apart from the attack detection approach, the design of modern IDSs demands an energy-aware efficient placement strategy due to the resources’ limitations of the IoT devices. The decision to place the IDS at the root-node (i.e., Centralized) keeps the computationally intensive tasks away from the constrained devices; however, it carries the disadvantages of the single point of failure solutions, i.e., the root-node can be compromised or cut off. Distributed IDSs do not face this problem, plus they can be scaled easily, but require some tasks to be executed by the constrained nodes. Hybrid Placement logic attempts to blend the above two approaches by keeping the “heavy” tasks for the root-node and delegating the lightweight ones to the rest.

Nowadays, there is a trend towards this category, since it seems to bring satisfactory results. Our experience advocates that this trend can be further enhanced by the emergence of the softwarization paradigm (Theodorou et al., 2019; Violettas et al., 2018; 2019); we discuss this challenge later in the paper.

We now summarize the most recently proposed IDSs based on the above taxonomy, along with a timeline highlighting their evolution.

5.2. The evolution of RPL-related IDSs

The research field of IDSs is vast, but only a restricted subset is appropriate for LLNs (Pongle and Chavan, 2015), i.e., considering the resource constraints and lossy nature of the latter. In this survey, we identified 22 relevant works that have been proposed in the literature over the last seven years, i.e., from 2013 to 2020. We summarize these RPL-related IDSs in Fig. 8, which illustrates their time evolution along with their qualitative features, i.e., the incorporated detection method and the placement strategy, as well as their quantitative feature, i.e., the number of attacks they encounter.

Fig. 8 – The RPL-related IDSs in a timeline.

5.2.1. Signature detection IDSs

The authors of Pongle and Chavan (2015), Kasinathan et al. (2013), Verma and Ranga (2019), Ioulianou and Vasilakis (2020), Mayzaud et al. (2017), Deshmukh-Bhosale and Sonavane (2019), and Ioulianou et al. (2018) introduce signature detection systems. Regarding their placement, the majority of them (Deshmukh-Bhosale and Sonavane, 2019; Ioulianou and Vasilakis, 2020; Ioulianou et al., 2018; Mayzaud et al., 2017; Pongle and Chavan, 2015) are hybrid schemes, while DEMO (Kasinathan et al., 2013) is a distributed and ELNIDS (Verma and Ranga, 2019) is a centralized approach.

DEMO (Kasinathan et al., 2013) is an adaptation of “Suricata”, an open-source IDS, developed in the context of the “EBBITS” European project and deals with flooding attacks. DEMO includes a frequency agility manager (FAM) and a security information and event management system (SIEM). At the same time, it defines two particular non-RPL node types: the IDS node, which is responsible for the attack detection, and the monitoring nodes that monitor the network traffic and send the relevant data via a wired connection (to prevent jamming) to the IDS node for further analysis. The system is scalable and effective in detecting the attacks. Regarding its extendability, the authors propose hosting the Simple Network Management Protocol (SNMP) along with special modules into the system to detect additional attacks and combining DEMO with SVELTE (Raza et al., 2013) to create a hybrid solution.
Overall, exploiting non-RPL nodes and wired connectivity incurs no overhead to the RPL network but also entails a solution that is not totally RPL-compliant.

Compliant with the RPL specification and hybrid regarding its placement, the Real time IDS for wormhole attacks (Deshmukh-Bhosale and Sonavane, 2019; Pongle and Chavan, 2015) exploits measurements regarding the nodes’ Received Signal Strength Indicator (RSSI) as a means of cross-checking the network’s topology. It deals with two types of wormhole attacks, i.e., by packet encapsulation and by packet relay, as well as with neighbor attacks. More specifically, during the network setup, the root-node records topology-related data and receives from the rest of the nodes their neighbors’ RSSI values. Then, it exploits such information to estimate the distances between the nodes and compares them to the pre-saved topology data to detect discrepancies that indicate an attack. The system demands low resources and has low false detection rates. It can be extended to detect more attacks, such as clone-ID, sybil, DODAG version number, and local repair attacks. However, it bases its operation on static topology information, ignoring mobility issues that networks usually face.

Distributed monitoring strategy IDS for the detection of version number attacks (Mayzaud et al., 2017) is also a hybrid placement IDS that focuses on DIO, DODAG version, and nodes’ rank monitoring. The IDS defines several monitoring nodes responsible for identifying and sending to the DODAG root a list of malicious nodes detected by tracking the RPL’s specification parameters. Once the root receives and merges all the incoming lists, it notifies the network nodes to interrupt further contact with the adversaries. The system behaves effectively in small and medium-scale networks, but its performance deteriorates, with high false positive/negative rates, in large networks. An idea to overcome this disadvantage is to cross-monitor each node by at least two other ones.

Another hybrid placement system proposed in 2018 is the Signature-based IDS for the IoT (Ioulianou and Vasilakis, 2020; Ioulianou et al., 2018), which is designed to detect sinkhole, selective forwarding, and clone-ID attacks. It assigns the central role to the IDS router and defines a subset of nodes as IDS detectors. The router serves both as a network traffic monitoring node and a firewall and is capable of accessing the required resources. The detectors narrow the monitoring operation to their neighborhood and forward any useful information derived by a local, lightweight decision-making algorithm. Among the parameters that the IDS monitors are the RSSI and the packet drop rate. A security scheme is used for the protection of wireless communications; however, the authors suggest the IDS nodes are wire-connected to avoid signal jamming and eavesdropping. The system is extended (Ioulianou and Vasilakis, 2020) to also detect the DIS message attacks by monitoring the DIS sending rate and comparing it to a pre-defined threshold. The evaluation shows high accuracy and low false positives even in large networks (Ioulianou and Vasilakis, 2020); concerning the trade-off between performance and overhead, the authors conclude that three to eight detectors should be deployed.

The most recent signature detection system is ELNIDS (Verma and Ranga, 2019), which utilizes artificial intelligence and machine-learning mechanisms on central premises. It is based on ensemble learning to encounter sinkhole, blackhole, selective forwarding, sybil, clone-ID, flooding, and local repair attacks. The IDS relies on the following modules: the sniffer, the sensor events/traffic repository, a feature extraction module, the analysis engine, the signature database, and the alarm/attack notification manager. The sniffer module monitors the network traffic and records the information in the storage unit. The feature extraction module distinguishes the network traffic characteristics that aid in a later classification performed by the analyzer using ensemble models. An event is classified as an attack if any signature known to the database is detected. According to its evaluation, ELNIDS exhibits high accuracy; however, similarly to the other Sg IDSs discussed, it does not consider nodes’ mobility.
Remarks 2. We can notice that early signature detection systems (Deshmukh-Bhosale and Sonavane, 2019; Kasinathan et al., 2013; Mayzaud et al., 2017; Pongle and Chavan, 2015) aim at a specific attack by design and operate deterministically. On the contrary, the latest systems of this category (Ioulianou and Vasilakis, 2020; Ioulianou et al., 2018; Verma and Ranga, 2019) expand their impact to a broad range of attacks either by adopting a hybrid placement strategy (Ioulianou and Vasilakis, 2020; Ioulianou et al., 2018) or by employing centralized machine-learning mechanisms (Verma and Ranga, 2019), e.g., ensemble learning.

5.2.2. Anomaly detection IDSs

Anomaly detection systems are proposed in Verma and Ranga (2020a), Surendar and Umamakeswari (2016), Cervantes et al. (2015), and Gara et al. (2017); most of them are hybrid regarding their placement (Cervantes et al., 2015; Gara et al., 2017; Surendar and Umamakeswari, 2016), while CoSec-RPL (Verma and Ranga, 2020a) is the most recent one (published in May 2020) and adopts a distributed placement logic. Both CoSec-RPL (Verma and Ranga, 2020a) and INTI (Cervantes et al., 2015) belong to the minority of IDSs which support mobility.

Anomaly detection in INTI (Cervantes et al., 2015) relies on separating the network into clusters (i.e., groups of nodes). Each cluster consists of a leader-node, at least one associated-node, and the member nodes. The system bases its functionality on trust estimation, using the nodes’ ranks and statistics. The attack detection and the malicious nodes’ isolation are performed using the Dempster-Shafer evidence theory (Sentz et al., 2002). Evaluations (Cervantes et al., 2015; Raoof et al., 2018; Zarpelão et al., 2017) showed that the system mitigates sinkhole attacks, at the cost, however, of high computational processing requirements. According to the authors (Cervantes et al., 2015), INTI is an extendable IDS and takes into account nodes’ mobility.

InDReS (Surendar and Umamakeswari, 2016) is an improvement of INTI (Cervantes et al., 2015) that keeps the main principles of functionality while limiting the computational overhead, thus preserving resources, which is critical for LLNs. Once the system identifies malicious nodes, it reconstructs the network’s topology, excluding them. However, compared to its predecessor, InDReS’ performance was not evaluated in terms of false positives/negatives and mobility support.

The IDS for selective forwarding attack (Gara et al., 2017) was proposed in 2017 and uses the Sequential Probability Ratio Test (SPRT) combined with an adaptive threshold. Its mechanism relies on two modules: the first is responsible for decision making and is implemented at the root-node. The second, used for incoming and outgoing packet monitoring, operates on the rest of the routing nodes. The monitoring nodes send information to the root via randomly selected paths. The root analyzes the data it receives using the SPRT and assigns every node a probability of being malicious. The decision making is based on a threshold above which a node is classified as malicious. Then, the root notifies the non-malicious nodes about the adversaries’ presence and initiates a DODAG global repair in order to isolate the possible intruders. The system’s evaluation indicates its effectiveness, which comes at the cost of being resource-intensive. Due to the high resource requirements, the IDS is not scalable.

CoSec-RPL (Verma and Ranga, 2020a) has been lately introduced and deals with a combination of flooding and replay attacks, namely “copycat attacks”. To detect anomalies and analyze the statistical data, the system relies on a modified version of the Interquartile Range (IQR) Outlier Detection (OD) method (Barnett and Lewis, 1994), which uses the median instead of the mean value and entails less implementation complexity. The idea behind CoSec-RPL is to identify the nodes with significantly diverse behavior. The authors tune the IDS’s thresholds appropriately via multiple experiments. CoSec-RPL is triggered whenever a DIO message is received from any neighbor and monitors the time difference between consecutive DIO messages. When measurements surpass certain thresholds, a node is initially considered suspicious, and its state is characterized accordingly as “suspected”. In this state, communication with the node is still allowed; however, when a second threshold is reached, the node is considered malicious, and its state becomes “blocked”; in this case, no further communication with it is permitted. Even though the system’s memory requirements are not negligible, since it demands a neighbor table in every node to store the relevant information, they are not prohibitive for IoT devices, and thus it does fit inside a Z1 mote. CoSec-RPL is evaluated under both static and mobile network scenarios and is proved to be very useful. However, it performs better in fixed topologies (since mobility affects the intervals of DIO message transmissions). It can be extended to detect more attacks, particularly DIS flooding, DAO insider, wormhole, and spoofed copycat attacks.

Remarks 3. The anomaly detection IDSs are a minority of the systems under analysis (four out of 22), probably because anomaly detection is, by definition, a general method, loosely coupled with the RPL itself. So far, most systems (Cervantes et al., 2015; Gara et al., 2017; Surendar and Umamakeswari, 2016) have been exercised with only one attack type, but they can potentially detect unknown attacks. Such a feature relates to the anomaly detection mission, which identifies unusual or even unknown “behavior” and attributes it to an attack. They mainly exploit intelligent mechanisms, e.g., clustering, probability theory, and statistical parametric or non-parametric tests, along with appropriately defined thresholds. Of course, thresholds’ tuning is an important issue since it may result in either high false positives or negatives. As we will see later in this section, combining the advantages of anomaly detection with other detection methods brings very positive results (Bostani and Sheikhan, 2016; Kaur, 2019; Napiah et al., 2018; Sedjelmaci et al., 2017). It is indicative, for example, that they dominate as a component of the Hybrid Detection (HD) systems.

5.2.3. Specification-based detection IDSs

IDSs of this category (Ahmed and Ko, 2016; Aydogan et al., 2019; Kfoury et al., 2019; Le et al., 2016; Nikam and Ambawade, 2018; Nygaard, 2017; Shafique et al., 2018; Zhang et al., 2015) share the feature of taking into account RPL-related information, e.g., control messages, rank value, DODAG information, and try to identify an attack exploiting such knowledge. Regarding their placement, there is a shared trend.
IDS for RPL routing choice intrusion (Zhang et al., 2015) is a distributed placement system that relies on monitoring DIO messages’ fields, nodes’ parents and rank values, as well as the number of nodes connected to a single parent to detect decreased rank attacks. The idea is that a low rank value advertised by a node that presents an increased number of nodes attached to it indicates that this node is probably malicious. Energy requirements were taken into account, and the IDS can operate in large networks.

The IDS proposed in Le et al. (2016) is a hybrid placement system that, similarly to INTI (Cervantes et al., 2015), divides the network into clusters and uses specification-based detection to mitigate the attacks. It is designed to repel sinkhole, worst parent selection, local repair, neighbor, and DIS message attacks. The system is effective, it presents low false detection rates, and due to its low energy demands, it is scalable. It can be extended to detect a broader range of attacks; however, it does not address mobility issues.

The Distributed and Cooperative Verification IDS to defend against DODAG version number attack (Ahmed and Ko, 2016) suggests that when the nodes receive a DIO message containing an increased DODAG version, the message should be accepted only once it is confirmed. In case the sender is the root-node, the receiver will accept the message; otherwise, the receiver requests the DODAG version number from its two-hop-distant neighboring nodes. This functionality demands two additional message types, the “CVQReq” for the request and “CVQRep” for the reply. Evaluation results show that the IDS is effective against the DODAG version attack; however, the false detection rate increases in proportion to the number of attacking nodes. Furthermore, the control overhead is significantly low.

TIDS: Trust-based IDS (Nygaard, 2017) is a hybrid placement system that mitigates sinkhole and selective forwarding attacks using the notion of trust. TIDS relies on Subjective Logic (Svensson and Jøsang, 2001), incorporating variables both for trust and uncertainty, and considers a node as malicious when its disbelief value is higher than its belief value. Trust values are calculated based on the level of nodes’ good cooperation and conformity with the RPL specification. Each node observes its neighbors and forwards the recorded data to the root-node using a new control packet, namely “Trust Information (TRU)”. The root-node has the required resources for the purpose and calculates the trust values. The system was evaluated and found to successfully detect sinkhole attacks even in large topologies (at the expense of high energy demands on the root-node), while the selective forwarding attack was discussed only in a theoretical context. According to the author, TIDS is useful in topologies comprised solely of static nodes, and it can additionally be extended to mitigate version number attacks.

SBIDS: Sink-based Intrusion Detection System (Shafique et al., 2018) is a centralized system designed to detect decreased rank attacks in non-storing RPL networks. The root-node, which is considered trusted by default, marks a node as malicious by monitoring the rank changes and defining thresholds accordingly, i.e., it records the previous and current ranks of parent-nodes, and establishes a threshold for parent switching. SBIDS considers both static and mobile nodes. Its evaluation revealed high accuracy in large networks in both cases; however, its performance degrades as the number of attacking nodes increases, especially when mobility is considered. Concerning the power consumption, the IDS incurs an overhead of around 20% compared to the unprotected network consumption. Finally, SBIDS can be extended to accommodate more routing metrics and thus repel additional attacks.

Opinion Metric based Intrusion Detection System for RPL Protocol in IoT (Nikam and Ambawade, 2018) is a hybrid placement IDS, able to mitigate sybil and flooding attacks, utilizing an opinion metric-based mechanism which is based on subjective logic (Svensson and Jøsang, 2001). The nodes monitor their neighbors’ transmissions and rate them according to their compliance with the RPL specification. Nodes that behave as per specification principles are rated positively, whereas the diverging ones are rated negatively. The ratings are later aggregated at the root-node, where the subjective logic consensus operator is employed for the malicious nodes’ detection. A node is considered malicious when the aggregated degree of disbelief exceeds a threshold. The system is solely evaluated in terms of detection performance, and a considerable number of false detections were recorded. Nevertheless, the authors plan to extend their work and consider additional routing attacks using a neural network trust model.

A Central IDS able to mitigate flooding and DODAG version number attacks was proposed in Aydogan et al. (2019). The system is implemented at the root-node and uses genetic programming to generate the IDS’s algorithm automatically. The root continuously analyzes the network traffic and extracts 50 features, which are later used for the constitution of the genetic programming trees. The last generation’s best individual (tree) is evaluated for both flooding and DODAG version number attacks, and two corresponding detection algorithms are obtained. In its current version, a central logic is adopted. The root-node executes the resource-demanding tasks; the authors also suggest a decentralized fashion of operation, but this entails further challenges to be addressed. The system is highly effective, probably due to centralized monitoring, which provides a global network view. Aspects such as resource requirements, scalability, extendability, and mobility support were left out of the system’s evaluation.

Self-Organizing Map IDS for RPL Protocol Attacks (Kfoury et al., 2019) exploits machine-learning and more precisely Self-Organizing Maps (SOM), built centrally to the RPL network, to detect flooding, sinkhole, and DODAG version number attacks. The authors elaborate on the way that several modules collaborate to generate the maps. Initially, synthetic data from numerous simulations of different real-life scenarios were produced and used as input to the “aggregator” module. This module utilizes six packet fields (i.e., message type – DIO/DIS/DAO, IP addresses of the sender and destination nodes, current DODAG version, current sender node rank, Unix timestamp), pre-processes the input data and provides as an output six features (i.e., DIS, DIO, DAO, DODAG version changes, rank changes to total messages ratios in the timeframe, average power consumption on the destination node in the timeframe). These features are normalized by the “normalizer” module, to be used by the “trainer” module to generate the maps. Simulations run by the authors indicate that the IDS is able to identify the attacks.
Remarks 4. Not surprisingly, eight out of 22 systems (36.4%), according to Fig. 8, fall in this category. Either intuition or experience leads the researchers to exploit the cardinal RPL data structure, i.e., the graph, and its relevant information, e.g., control messages and the Trickle timer algorithm, in IDS design. However, judging by the outcome, the specification-based detection, either as a single detection method or in combination with others, performs moderately regarding the number of attacks. In the worst case, systems detect one attack (Ahmed and Ko, 2016; Shafique et al., 2018; Zhang et al., 2015), while it is remarkable that they perform better once a hybrid placement strategy is adopted (Le et al., 2016; Nikam and Ambawade, 2018; Nygaard, 2017), or RPL-related information is processed by machine-learning mechanisms (Kfoury et al., 2019; Nikam and Ambawade, 2018). Indeed, the specification-based systems that exploit clustering, trust schemes, genetic programming, and artificial neural networks to process the RPL-monitoring parameters outperform those that take these parameters into account without any kind of intelligence.

Here, the aftermath is that tight coupling with the protocol itself is not sufficient; it is a step to start with. Mixing techniques can help to develop robust systems that do not jeopardize performance and cost.

5.2.4. Hybrid detection IDSs

SVELTE (Raza et al., 2013) is one of the oldest RPL-related IDSs. It is a hybrid placement system that consists of three modules: (i) the 6LoWPAN Mapper (6Mapper), implemented at the root-node, maps and keeps track of the DODAG along with the parent and neighboring information of each node; (ii) the intrusion detection module, which is also executed centrally, relies on the RPL specification, signature and anomaly detection to specify the attacks; and (iii) the distributed firewall and response module that prevents the out-of-network attacks and is implemented in every node. SVELTE combines all three detection methods and tries to achieve a trade-off between the storage cost of Sg and the computing cost of anomaly detection techniques. The system’s evaluation revealed its effectiveness against blackhole, selective forwarding, sinkhole, and DODAG inconsistency attacks.

However, since SVELTE uses a rank threshold to detect anomalies, it suffers from high rates of false positives/negatives (Le et al., 2016; Raza et al., 2013; Surendar and Umamakeswari, 2016; Zarpelão et al., 2017). In addition, it has significant resource requirements and does not take into account mobility issues. Improvements of SVELTE (Matsunaga et al., 2015; Shreenivas et al., 2017) reduce false detections and add geographical hints of the malicious nodes, increasing the IDS’s robustness by allowing it to additionally discover clone-ID, sybil and wormhole attacks.

Hybrid of Anomaly-Based and Specification-Based IDS for IoTs Using Unsupervised OPF Based on MapReduce Approach (Bostani and Sheikhan, 2016) is a full hybrid approach that encounters selective forwarding, sinkhole, and wormhole attacks. The system combines an Anomaly Agent-Based IDS (AA-IDS) with several Specification Agent-Based IDSs (SA-IDSs) and considers solely the leaf-nodes’ traffic to the root. The SA-IDSs, implemented at the router-node(s), are used for traffic monitoring and the identification of malicious nodes. Once traffic is analyzed, the output data are embedded into data packets and forwarded to the root-node, where the AA-IDS resides. AA-IDS employs the unsupervised Optimum-Path Forest (OPF) algorithm (Rocha et al., 2009) to cluster the collected data and proceed with the anomaly detection. The decision that classifies a node as malicious or not is based on a voting mechanism that considers both the local results of the SA-IDS agents and the global analysis of the AA-IDS. The system can also be extended to mitigate blackhole and decreased rank attacks.

The authors developed a dedicated RPL WSN simulator for their evaluation analysis and provided high accuracy rates regardless of the network size, justifying this way their system’s scalability; their evaluation, however, considers only a static topology. Regarding the energy requirements, abundance was taken for granted for all kinds of nodes. Still, later, in a theoretical context, it was concluded that the IDS could be used in real-world IoT applications by offloading the resource-intensive tasks from the root-node to an external device; obviously, such assumptions leave space for improvements.

Game Theory IDS (Sedjelmaci et al., 2017) is a distributed placement IDS that combines signature detection for the known attack patterns and anomaly detection for the unknown ones. In this way, the system is proved to encounter a considerable number of attacks, i.e., flooding, sinkhole, blackhole, sybil, and wormhole attacks. Nash Equilibrium Game Theory is used to set a game between the IDS entities and the attackers; when the system detects a traffic pattern that reaches a threshold, it considers it an anomaly. To reduce false detections, the authors combine the IDS with a reputation system. The evaluation of the IDS assumes both fixed and mobile nodes and reveals low requirements on resources.

CHA-IDS (Napiah et al., 2018) is a centralized system that elaborates on the IPv6 compressed header’s analysis using machine-learning. In fact, the root-node extracts data from the network traffic, which are later used as an input to the “J48” algorithm (Sahu and Mehtre, 2015) for the attacks’ detection. In this way, it detects flooding, sinkhole and wormhole attacks, taking place either individually or in combination, with high accuracy. According to the authors, the system exhibits a good performance regarding the trade-off between performance and overhead. However, in its current version, it does not succeed in locating the attacker’s position; future extensions and possible combinations with other distributed placement schemes could offer this capability. Furthermore, extensions could improve the system to additionally mitigate sybil, clone-ID, DODAG version number, and local repair attacks.

Lastly, the Ultimate Approach IDS of Mitigating Attacks in RPL Based Low Power Lossy Networks (Kaur, 2019) follows a holistic approach, is full hybrid regarding its design and encounters the maximum number of attacks, i.e., eight. More specifically, the system encounters sinkhole, DODAG version number, flooding, neighbor, wormhole, decreased rank, clone-ID, and sniffing attacks and can detect events that originate both inside and outside the network. The IDS incorporates many non-mobile sink/sub-DODAG parent-nodes that can detect both known signatures and anomalies. The system uses blockchain and calculates trust values to detect the attacks and isolate the adversaries. The author presents a conceptual framework of their approach, stating its effectiveness along

Fig. 9 – Overview of the Hybrid Detection IDSs.

with low resource requirements and its ability to be extended. The system seems to partially support mobile nodes since only the root and the sub-DODAG parents are considered to be fixed-positioned.

Remarks 5. The time evolution of IDSs (Fig. 8) shows that hybrid detection systems span across the whole investigation period, i.e., 2013–2020, indicating that even in the early systems, such as SVELTE (Raza et al., 2013), the researchers pinpointed that combining the attacks’ detection methods brings advantages to the process. The basic and, probably, the most apparent benefit is quantitative and regards the number of attacks that the system can encounter; this ranges from three to eight, as depicted in Fig. 9.

Further benefits include the ability of some systems to localize the adversary (Bostani and Sheikhan, 2016; Kaur, 2019; Raza et al., 2013), as well as the detection accuracy rate in conjunction with low resource overhead, especially when the developed mechanisms are appropriately located both in central and distributed nodes. In particular, appropriately tuning the parameters of SVELTE (Raza et al., 2013) can offer as much as 100% detection accuracy and zero false positives. In comparison, the solution of Bostani and Sheikhan (2016) shows an average of 93.3% accuracy with less than 3.3 false positives for multiple runs. Game Theory IDS (Sedjelmaci et al., 2017) reports an average of 98.6% accuracy and less than 2.5% false positives for a variety of setups, while CHA-IDS (Napiah et al., 2018) shows an accuracy within 85.2–100% and up to 0.058% false positives, in the worst case.

Evaluating these numbers in real-world environments is a challenging issue that certainly deserves further investigation, e.g., whether they allow a realistic operation of the particular IDSs. This angle of investigation is associated with: (i) the considered use-case in terms of required security level and affordable control overhead or processing cost; and (ii) the type of involved mitigation action and its impact, since this determines the communication or performance issues a false positive causes.

Most of these hybrid systems use machine-learning, i.e., Game Theory IDS (Sedjelmaci et al., 2017), CHA-IDS (Napiah et al., 2018) and (Bostani and Sheikhan, 2016) employ Nash equilibrium game theory, the “J48” algorithm, and unsupervised data mining, respectively. We omitted a more in-depth discussion and comparative analysis of the algorithms involved in the IDSs at this point of the investigation since we mainly focus on their systemic aspects. Such an investigation requires comparisons between different approaches (e.g., machine-learning vs statistics-based) under a given environment or theoretical investigations of their impact on the computational burden, as an example. From our point of view, this exercise diverges from the given scope of the paper. However, this issue is important and complex enough to deserve an independent study. Consequently, it is considered future work.

Next, we provide a brief summary that compacts the individual remarks into a set of best practices and identified gaps in IDS design.

5.3. Best practices & Gaps

The research so far, reflected in the IDSs under analysis, reveals best practices in the design of RPL-related IDSs. The most important is that utilizing detection methods in conjunction can bring a high score regarding the number of attacks detected. In particular, anomaly detection contributes as a general method to detect both known and unknown threats and performs excellently with either signature- or specification-based methods, which provide some kind of “knowledge” to the process, i.e., patterns or threshold crossings of RPL-related parameters. Another best practice is to exploit both distributed and centralized mechanisms to achieve optimal placement of the detection mechanisms. This includes coarse-grained, lightweight monitoring at every node which conditionally triggers fine-grained, resource-demanding processes executing at central premises, e.g., machine-learning. The third point is that detection on its own narrows the IDS mission; some systems (Bostani and Sheikhan, 2016; Kaur, 2019; Raza et al., 2013) go beyond it by identifying the attacker(s) and mitigating the threats using information relevant to the RPL protocol.

This observation, combined with the summary of the most robust systems – Fig. 9 – reveals that eventually a minority of IDSs follow a holistic approach that deals with the threefold mission of detection, identification, and mitigation. Thus, there are several gaps in the literature regarding methods:

to identify and then mitigate the intruder, to detect multiple attacks, to deal with false positive decisions, e.g., how and when a blacklisted node comes back to the network and what the consequences of its isolation are. Our analysis also finds the lack of an architecture that goes beyond a hybrid-wise fashion of combination and builds up a “polymorphic” system able to adapt to dynamic conditions.

Finally, we notice a lack of IDS evaluation in real environments, i.e., test-beds, since the majority of systems in our analysis are evaluated using simulations. More specifically, 16 out of 22 IDSs utilize Contiki Cooja (Dunkels et al., 2004), while the NS-2, Matlab and TOSSIM simulators are also used for evaluation in Surendar and Umamakeswari (2016), Sedjelmaci et al. (2017) and Verma and Ranga (2019), respectively. Only the authors of CHA-IDS (Napiah et al., 2018) document utilizing Cooja in combination with a test-bed facility, however, without providing the details of the latter. Our previous experience with test-beds participating in the FED4FIRE (Wauters et al., 2014) and GENI (Berman et al., 2014) federations, in the context of 5G network slicing research (Maciel et al., 2019; Valsamas et al., 2019a; 2019b), shows that it would be interesting, but also very challenging, to deploy complete IDSs in test-beds for evaluation reasons and address possible issues that arise. Currently, the Sharing Artifacts in a Cybersecurity Community Hub (SEARCCH) project (Flux Research Group, 2020) offers a facility that provides validation, repeatable sharing, and reuse of security-related research results. A relevant initiative for IoT security could establish a common framework where open-source IDS code could be released and comparatively evaluated, e.g., in a common environment with the same methodology and evaluation scenarios.

The section that follows proceeds with a comparative analysis of the IDSs under investigation that includes: (i) a complete mapping of IDSs to the type of attacks they encounter; and (ii) their comparison in the light of the design requirements we introduce. The ultimate goal is a list of four guidelines that, to our mind, a modern IDS should follow.

6. Comparative analysis & insights

6.1. Map IDSs to attacks

We start our comparative analysis by assigning each of the 22 most recently introduced IDSs under discussion to the RPL-related attacks they tackle. This is a challenging and not straightforward task, since it depends on how an IDS covers the addressed attack(s). To this point, our literature study reveals that different approaches span from simulating all or some of the attacks to conceptually supporting coverage for all or a subset of the attacks under study. In the case of simulation approaches, differences also concern the simulation environments as well as the metrics used to evaluate the IDSs’ performance.

To proceed with our mapping, we listed the attacks with respect to the classes they belong to, as illustrated in Fig. 4. Next, to highlight the aforementioned differences, we mark in bold the IDSs in a row when they are evaluated through simulation (e.g., based on Contiki Cooja, NS-2, Matlab, or TOSSIM) for the attack on the same row of Table 2, while regular fonts indicate that no simulation is carried out. Regular fonts with the star mark refer to the IDSs that can be extended to tackle an attack, according to the corresponding authors. The outcome is summarized in Table 2, which synthesizes the knowledge gained from Sections 4 and 5.

To better highlight the mapping process, we give two indicative examples. The authors in Le et al. (2016) utilize Contiki Cooja (Dunkels et al., 2004) and evaluate their IDS against sinkhole, worst parent selection, local repair, neighbor, and DIS message attacks; their simulation results include true positives/negatives, false positives/negatives, and energy consumption. For this reason, the reference (Le et al., 2016) appears in bold in rows 3, 4, 7, 10 and 14, which refer to the aforementioned attacks. On the other hand, SVELTE (Raza et al., 2013) is an example for which the authors declare its effectiveness against selective forwarding, sinkhole, blackhole, and DODAG inconsistency attacks. However, they evaluate it only for the first two attacks using the metrics of true positive rate, energy and memory consumption in Contiki Cooja (Dunkels et al., 2004). Thus, it appears in bold only in rows 7 and 16; the remaining entries in the table are in regular fonts. The same applies to SVELTE’s improvement (Shreenivas et al., 2017), where the corresponding authors claim effectiveness against clone-ID, sybil and wormhole attacks due to additions considering the malicious nodes’ geographical position. However, results relevant to these new attacks are not provided. The only simulation results refer to the reduction of false detection rates for the initial attacks that had already been evaluated, i.e., selective forwarding and sinkhole.

The mapping of Table 2 reveals that the vast majority of the RPL-related IDSs (73%) deal with network topology attacks; this is expected since the DODAG and its related mechanisms, i.e., the Trickle timer algorithm, and parameters, i.e., DODAG ID and rank values, play a cardinal role in RPL networks. An even more interesting fact is that as much as 54.5% of the IDSs focus on the sinkhole attacks, indicating the sink-node’s major role in such networks. On the contrary, network traffic attacks do not attract significant attention, probably due to the passive nature of eavesdropping attacks, which are difficult to detect. To our mind, energy-awareness, in conjunction with resources’ limitations on IoT networks, creates an emerging field of research regarding the resource depletion attacks and the corresponding IDSs.

Table 2 also shows that some IDSs (Kaur, 2019; Le et al., 2016; Verma and Ranga, 2019) are more robust than others since they encounter a greater number of attacks; in fact, they repel different attacks that extend across all three categories, i.e., resource depletion, network topology, and network traffic attacks. Among them, the Ultimate Approach (Kaur, 2019) introduces a full-hybrid, conceptual framework where the authors discuss but do not evaluate their IDS with respect to the attacks encountered. On the contrary, the Specification-Based IDS (Le et al., 2016) and ELNIDS (Verma and Ranga, 2019) tackle five and seven attacks, respectively, for which simulation analysis and results are provided. SVELTE (Raza et al., 2013) addresses seven different types of attacks, evaluates a subset of them through simulation, and gives an indication of the potential of full-hybrid IDSs to deal with a broad spectrum of attacks. Overall, the majority of works (17) proceed with comprehensive simulation ap-

Table 2 – Mapping the IDSs to the type of mitigated attacks.

RESOURCE DEPLETION ATTACKS
  DIRECT
    1. Routing Table Overload: –
    2. Flooding: Sedjelmaci et al. (2017), Napiah et al. (2018), Kaur (2019), Aydogan et al. (2019), Kasinathan et al. (2013), Verma and Ranga (2019), Verma and Ranga (2020a), Kfoury et al. (2019), Nikam and Ambawade (2018)
  INDIRECT
    3. Local Repair: Le et al. (2016), Verma and Ranga (2019), Pongle and Chavan (2015)∗, Napiah et al. (2018)∗
    4. DIS Message: Le et al. (2016), Ioulianou and Vasilakis (2020), Verma and Ranga (2020a)∗
    5. DODAG Inconsistency: Raza et al. (2013)
    6. DODAG Version Number: Mayzaud et al. (2017), Kaur (2019), Aydogan et al. (2019), Kfoury et al. (2019), Ahmed and Ko (2016), Pongle and Chavan (2015)∗, Napiah et al. (2018)∗, Nygaard (2017)∗

NETWORK TOPOLOGY ATTACKS
  SUB-OPTIMIZATION
    7. Sinkhole: Le et al. (2016), Sedjelmaci et al. (2017), Napiah et al. (2018), Kaur (2019), Raza et al. (2013), Bostani and Sheikhan (2016), Verma and Ranga (2019), Ioulianou and Vasilakis (2020), Surendar and Umamakeswari (2016), Cervantes et al. (2015), Kfoury et al. (2019), Nygaard (2017)
    8. Wormhole: Pongle and Chavan (2015), Sedjelmaci et al. (2017), Napiah et al. (2018), Kaur (2019), Raza et al. (2013) (D. Shreenivas’ version Shreenivas et al. (2017)), Bostani and Sheikhan (2016), Verma and Ranga (2020a)∗
    9. Replay: Verma and Ranga (2020a)
    10. Neighbor: Le et al. (2016), Pongle and Chavan (2015), Kaur (2019)
    11. Routing Table Falsification: –
  RANK ATTACKS
    12. Decreased Rank: Kaur (2019), Zhang et al. (2015), Shafique et al. (2018), Bostani and Sheikhan (2016)∗
    13. Increased Rank: –
    14. Worst Parent Selection: Le et al. (2016)
  ISOLATION
    15. Blackhole: Sedjelmaci et al. (2017), Raza et al. (2013), Verma and Ranga (2019), Bostani and Sheikhan (2016)∗
    16. Selective Forwarding: Raza et al. (2013), Bostani and Sheikhan (2016), Verma and Ranga (2019), Ioulianou and Vasilakis (2020), Gara et al. (2017), Nygaard (2017)
    17. DAO Inconsistency: Verma and Ranga (2020a)∗

NETWORK TRAFFIC ATTACKS
  EAVESDROP
    18. Sniffing: Kaur (2019)
    19. Network Traffic Analysis: –
  MISAPPROPRIATION
    20. Clone-ID: Kaur (2019), Raza et al. (2013) (D. Shreenivas’ version Shreenivas et al. (2017)), Verma and Ranga (2019), Ioulianou and Vasilakis (2020), Pongle and Chavan (2015)∗, Napiah et al. (2018)∗
    21. Sybil: Sedjelmaci et al. (2017), Verma and Ranga (2019), Raza et al. (2013) (D. Shreenivas’ version Shreenivas et al. (2017)), Nikam and Ambawade (2018), Pongle and Chavan (2015)∗, Napiah et al. (2018)∗

– IDSs in bold are evaluated through simulations for the corresponding attack.
– IDSs with the star mark (∗) can be extended to encounter the corresponding attack according to the authors’ declaration in the relevant publication.
– The rest of the IDSs are mapped to the corresponding attack according to the authors’ declaration in the relevant publication.

Table 3 – Comparative overview of RPL-related IDSs.

Design requirements: i = RPL specification compliance; ii = Low overhead; iii = Scalability; iv = Robustness; v = Extendability; vi = Low false positives; vii = Mobility support.
Symbols: ✓ = Satisfied; ∗ = Under certain conditions or estimated but not evaluated; ✗ = Not satisfied; – = No information available.

IDS: i ii iii iv v vi vii
SVELTE (Raza et al., 2013; Shreenivas et al., 2017): ✗ ✗ – ✓ ✓ ✗ ✗
DEMO (Kasinathan et al., 2013): ✗ – ✓ ✗ ✓ – ✗
Real time IDS for Wormhole Attacks (Pongle and Chavan, 2015): ✓ ✓ – ✗ ✓ ✓ ✗
IDS for RPL Routing Choice Intrusion (Zhang et al., 2015): ✓ ∗ ✓ ✗ – – ✗
INTI (Cervantes et al., 2015): ✓ ✗ ✓ ✗ ✓ ✓ ✓
InDReS (Surendar and Umamakeswari, 2016): ✓ ✓ – ✗ ✓ – ✗
Specification-Based IDS (Le et al., 2016): ✓ ✓ ✓ ✓ ✓ ✓ ✗
Distributed and Cooperative Verification IDS (Ahmed and Ko, 2016): ✗ ✓ – ✗ – ∗ ✗
Hybrid of Anomaly and Specification Based IDS (Bostani and Sheikhan, 2016): ∗ ✗ ✓ ✗ ✓ ✓ ✗
Distributed Monitoring Strategy IDS (Mayzaud et al., 2017): ✓ – ✓ ✗ – ∗ ✗
Game Theory IDS (Sedjelmaci et al., 2017): ✓ ✓ ✓ ✓ – ✓ ✓
IDS for Selective Forwarding Attack (Gara et al., 2017): ✓ ✗ ✗ ✗ – – ✗
TIDS: Trust based IDS (Nygaard, 2017): ✗ ✗ ✓ ✗ ✓ ✗ ✗
Signature IDS (Ioulianou and Vasilakis, 2020): ✓ ✗ ✓ ✗ ✓ ✓ ✗
CHA-IDS (Napiah et al., 2018): ✓ ✗ – ✗ ✓ ✓ ✗
SBIDS: Sink-based IDS (Shafique et al., 2018): ✓ ✗ ✓ ✗ ✓ ✓ ✓
Opinion Metric based IDS (Nikam and Ambawade, 2018): ✓ – – ✗ ✓ ✗ ✗
ELNIDS (Verma and Ranga, 2019): ✓ – ✓ ✓ ✓ ✓ ✗
Central IDS (Aydogan et al., 2019): ✓ – – ✗ – – ✗
Self-Organizing Map IDS (Kfoury et al., 2019): ✓ – – ✗ ✓ – ✗
Ultimate Approach IDS (Kaur, 2019): ✓ ∗ – ✓ ✓ – ∗
CoSec-RPL (Verma and Ranga, 2020a): ✓ ✗ – ✗ ✓ ✓ ✓

proaches in the sense that they evaluate all the attacks the corresponding authors claim to tackle. A small subset of works (Ioulianou and Vasilakis, 2020; Pongle and Chavan, 2015; Raza et al., 2013; Sedjelmaci et al., 2017) evaluate through simulation a portion of the attacks they investigate, while Kaur (2019) introduces a conceptual work that lacks simulation results.

In the following section, we elaborate on comparing those RPL-related IDSs in light of the design requirements we introduced.

6.2. IDSs’ comparison

Table 3 presents the comparative overview of the 22 IDSs under analysis (their order is consistent with their time evolution in Fig. 8) with respect to the seven design requirements introduced and discussed in Section 4.3. The comparison shows whether a system satisfies (✓) or not (✗) each of the requirements, while a dash (–) denotes that no information is available. We essentially rely on the respective authors’ claims in the relevant articles and, in some cases, we exploit feedback from them for clarifications. This way, we manage to build a table completed as much as 80.5%, which indicates that both the design requirements and the comparison itself are meaningful.

Elaborating on RPL-related systems, it is expected that the majority of them are compliant with the protocol. However, even if they are designed for LLNs, only one-third of them present low overhead; the rest are either high-cost solutions or do not clarify their trade-offs in terms of performance and cost. Half of the systems are scalable, and the rest are not evaluated for large-scale deployments.

Regarding the robustness, most of the systems deal with up to four attacks, while almost 37% of the IDSs are single-attack solutions (Fig. 8). As a result, 22.7% of them appear to be robust, since they claim to cope with five or more attacks; among them, only the Specification-Based IDS (Le et al., 2016) and ELNIDS (Verma and Ranga, 2019) are evaluated for all the attacks they investigate. Despite these relatively low scores, a significant number of IDSs (almost 73%) claim that they are extendable and able to detect and mitigate more attacks, once they are modified. Unexpectedly, we notice that robustness is not necessarily associated with a low overhead cost, i.e., three out of five robust systems present low overhead (Kaur, 2019; Le et al., 2016; Sedjelmaci et al., 2017), while two of them (Le et al., 2016; Sedjelmaci et al., 2017) also combine robustness with low false detection. These findings indicate that research towards balancing the trade-off among security (expressed with robustness and extendability), performance (in terms of low

false positives, scalability, and RPL compliance), and cost (associated with low overhead) can bring fruitful results.

Finally, an insightful outcome of Table 3 is that 77% of IDSs do not consider the mobility issue, probably due to the difficulties that it entails. We demonstrate, for example, in Figs. 5 and 6 that nodes’ mobility causes control overhead comparable to some attacks, e.g., the decreased rank and blackhole attacks; this could mislead the decision-making of an IDS, with impact on the false positives’ rate. Indeed, IDSs that deal with sinkhole (Bostani and Sheikhan, 2016; Cervantes et al., 2015; Ioulianou and Vasilakis, 2020; Kfoury et al., 2019; Le et al., 2016; Napiah et al., 2018; Nygaard, 2017; Raza et al., 2013; Sedjelmaci et al., 2017; Surendar and Umamakeswari, 2016; Verma and Ranga, 2019), wormhole (Bostani and Sheikhan, 2016; Napiah et al., 2018; Pongle and Chavan, 2015; Raza et al., 2013; Sedjelmaci et al., 2017) and rank attacks (Bostani and Sheikhan, 2016; Le et al., 2016; Zhang et al., 2015) mishandle nodes’ mobility and interpret it as an attack pattern (since, for example, mobile nodes send control messages from different network places and at irregular intervals compared to the fixed ones). In addition, mobility patterns can be known a priori (e.g., a city bus, with IoT nodes on it, follows the same route every day) or completely random; in the latter case, even probabilistic or machine-learning models face accuracy issues in predicting nodes’ status and, thus, in providing appropriate input to an IDS. These observations make clear that an IDS should monitor and evaluate a number of parameters in conjunction with each other in order to combine high accuracy with low false positives.

6.3. Guidelines

So far, it is clear that there is no one-for-all solution that mitigates a great portion of the RPL-related attacks and, at the same time, meets all the design requirements we introduced. As an aftermath, we present here some basic guidelines for an up-to-date IDS.

• Trade-off between security and performance: This notice reflects the need for robust and extendable systems that simultaneously present high accuracy and the ability to operate regardless of the network’s scale, and are compliant with RPL to preserve the protocol’s native performance. Table 3 shows that only (Le et al., 2016; Sedjelmaci et al., 2017) are robust systems and at the same time satisfy criteria i, ii and vi. Thus, there is room for research and improvements, especially if we consider that out of 21 different RPL-related attacks, a critical portion of the IDSs, 77%, deal with up to only four of them. Furthermore, current literature lacks proposals that cope with certain attacks, such as routing table overload and falsification, increased rank, and worst parent selection. Simultaneously, the built-in security mechanisms of RPL have not been thoroughly investigated and are considered optional features in the RPL specification. Their implementation and further research on their effectiveness against the various attacks may bring positive results for the trade-off between security and performance.

• Trade-off between security and cost: Designing security systems for LLNs should take the cost as a primary concern. The fact that 63% of IDSs do not satisfy the low overhead and robustness criteria simultaneously, and 27% do not provide any cost-related results, indicates that current research underestimates this issue. Of course, a high level of security entails cost barriers. However, three systems (Kaur, 2019; Le et al., 2016; Sedjelmaci et al., 2017) are robust and low-overhead simultaneously, while (Le et al., 2016) exhibits the best behavior with respect to all the requirements defined. Probably the last seven years are a trial period during which many ideas and approaches are under investigation. Fortunately, the above IDSs provide evidence that we gain knowledge and invest in holistic solutions that combine security, performance, and cost.

• Mobility support: Mobility is a trend of modern IoT networks and, among others, contributes to widening the networks’ deployment range. Current IDSs’ literature is not mature enough to provide solutions that deal with this issue efficiently, i.e., to combine it with robustness and low false positives’ rates. In fact, mobility is the least satisfied among our defined requirements. Previously in this section, we justified this weakness, which definitely provides room for research, especially in the light of results and solutions regarding RPL under mobility (Theodorou et al., 2019; Violettas et al., 2018; 2019). Both from our previous experience (Theodorou et al., 2019; Violettas et al., 2018; 2019) and from the systems that support mobility (Cervantes et al., 2015; Kaur, 2019; Sedjelmaci et al., 2017), we conclude that hybrid solutions regarding the detection method and/or the placement strategy could efficiently contribute to building efficient IDSs.

• Alignment to the IoT evolution: IoT advances towards supporting applications with diverse, challenging requirements, e.g., ultra-low delays, mobility, or high capacity of nodes, through exploiting Edge Cloud Computing, Software-Defined Networks (SDN) and 5G or Beyond Networks. In this complex ecosystem, new critical IoT installations (e.g., Industry 4.0 or Smart-city) come together with new sophisticated attacks. Consequently, an up-to-date IDS should be extendable, able to tune security/cost and security/performance trade-offs to particular IoT applications, and benefit from such advanced networking, processing, and storage capabilities. For example, the incorporation of Edge Clouds brings significant processing and storage resources that can support Artificial Intelligence / Machine-Learning (AI/ML) capabilities, e.g., for data analysis, clustering, or prediction. Such features perfectly match RPL extensions inspired by the SDN paradigm (Theodorou et al., 2019; Violettas et al., 2018; 2019) that enable modularity, adaptation, and dynamicity, e.g., to jointly recognize mobility patterns and detect and mitigate unknown attacks. The hybrid approaches are consistent with the above direction since their centralized mechanisms can be driven by intelligent mechanisms deployed at Edge Clouds, with their decisions enforced by SDN controllers. Simultaneously, the nodes are assigned lightweight tasks, such as local monitoring and/or low-complexity algorithms, i.e., for instantaneous reporting or acting upon attacks.
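As an added example tying together the best practice of coarse local monitoring that conditionally triggers central analysis (Section 5.3), the mobility observation of Section 6.2, and the hybrid guidelines above (example code written for this page, not code from the paper or any surveyed IDS): a two-tier detector over constructed per-node window reports. Tier 1 is a fixed-threshold rule that only decides whether to escalate a node; tier 2 scores the escalated node’s features against the whole population and reads them in conjunction, so a node whose parent switches and DIO timing are irregular but whose forwarding is normal is classed as mobile rather than isolated, while a node with an anomalous drop ratio is classed as malicious. The node names, counters, feature set and thresholds are all constructed for the example.

```python
import statistics
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class WindowReport:
    """Lightweight counters collected for one node during one monitoring window.
    The feature set is constructed for this example, not taken from a surveyed system."""
    node: str
    dio_intervals: Tuple[int, ...]  # seconds between consecutive DIOs seen from the node
    parent_switches: int
    received: int                   # packets the node should have forwarded
    forwarded: int                  # packets it actually forwarded


# Constructed reports: four static nodes, one mobile node (m1) and one
# selective-forwarding node (a1).
REPORTS: List[WindowReport] = [
    WindowReport("s1", (60, 62, 59, 61), 0, 40, 40),
    WindowReport("s2", (61, 60, 60, 58), 0, 35, 34),
    WindowReport("s3", (59, 61, 60, 60), 0, 50, 49),
    WindowReport("s4", (60, 60, 62, 59), 1, 30, 30),
    WindowReport("m1", (5, 40, 8, 70), 3, 38, 37),    # moving: Trickle resets, new parents, forwards normally
    WindowReport("a1", (60, 61, 59, 60), 0, 45, 18),  # stable position, drops ~60% of what it should forward
]

FEATURES = ("dio_cv", "switches", "drop")


def features(r: WindowReport) -> Dict[str, float]:
    """Per-node features: DIO interval irregularity (coefficient of variation),
    parent switches, and the ratio of packets not forwarded."""
    cv = statistics.pstdev(r.dio_intervals) / statistics.mean(r.dio_intervals)
    drop = 1.0 - r.forwarded / r.received if r.received else 0.0
    return {"dio_cv": cv, "switches": float(r.parent_switches), "drop": drop}


def local_check(r: WindowReport, max_switches: int = 1, max_drop: float = 0.3) -> bool:
    """Tier 1 (at the node or its router): cheap fixed-threshold rule that decides only
    whether to escalate; on its own it cannot tell mobility from misbehaviour."""
    f = features(r)
    return f["switches"] > max_switches or f["drop"] > max_drop


def zscores(reports: List[WindowReport]) -> Dict[str, Dict[str, float]]:
    """Tier 2 (central): score every feature of every node against the population."""
    feats = {r.node: features(r) for r in reports}
    out: Dict[str, Dict[str, float]] = {n: {} for n in feats}
    for name in FEATURES:
        vals = [f[name] for f in feats.values()]
        mu, sd = statistics.mean(vals), statistics.pstdev(vals)
        for node, f in feats.items():
            out[node][name] = 0.0 if sd == 0 else (f[name] - mu) / sd
    return out


def naive_verdicts(reports: List[WindowReport], max_switches: int = 1) -> Dict[str, str]:
    """Single-parameter detector: parent switching alone decides."""
    return {r.node: "malicious" if r.parent_switches > max_switches else "benign" for r in reports}


def hybrid_verdicts(reports: List[WindowReport], z_thresh: float = 1.5) -> Dict[str, str]:
    """Local rule escalates; the central stage reads the features in conjunction:
    anomalous forwarding -> malicious; topology churn alone -> mobile (watch, don't isolate)."""
    z = zscores(reports)
    verdicts: Dict[str, str] = {}
    for r in reports:
        if not local_check(r):
            verdicts[r.node] = "benign"
        elif z[r.node]["drop"] > z_thresh:
            verdicts[r.node] = "malicious"
        elif z[r.node]["switches"] > z_thresh and z[r.node]["dio_cv"] > z_thresh:
            verdicts[r.node] = "mobile"
        else:
            verdicts[r.node] = "benign"
    return verdicts


if __name__ == "__main__":
    print("naive :", naive_verdicts(REPORTS))
    print("hybrid:", hybrid_verdicts(REPORTS))
```

With these reports the single-parameter detector produces both a false positive (the mobile node m1 is isolated) and a false negative (a1 never switches parents and is missed), whereas the two-tier detector escalates both nodes cheaply and lets the central stage separate them using the drop ratio, which mobility does not affect. The z-score threshold and the rule that churn alone means “mobile” are design choices for this example; a deployment would calibrate them per network.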

7. Conclusion

The RPL routing protocol is a relatively mature technology that allows IPv6 routing in LLNs. By investigating RPL attacks with special attention to their impact in terms of control overhead and application performance, and evaluating the related IDSs in the literature, we conclude that there is room for research regarding holistic solutions with specific tailor-made characteristics, such as: monitoring and exploiting several features in conjunction, e.g., network conditions and protocols’ mechanisms, handling mobility, respecting resource constraints, while at the same time providing a high level of security reflected in robustness and low false positives. We introduce seven design requirements that a modern RPL-related IDS should satisfy. Moreover, we provide a list of four concrete guidelines that, according to our experience, future approaches should take into consideration. In fact, we are currently working on an SDN-inspired, machine-learning-based polymorphic IDS that exploits our findings and brings promising results.

Declaration of Competing Interest

The authors declare that they have no known competing financial interests or personal relationships that could have ap-

Symposium on Integrated Network Management (IM). IEEE; 2015. p. 606–11. doi:10.1109/INM.2015.7140344.
Chugh K, Lasebae A, Loo J. Case study of a black hole attack on 6LoWPAN-RPL. In: Proc. of the Sixth International Conference on Emerging Security Information, Systems and Technologies (SECURWARE), Rome, Italy (August 2012); 2012. p. 157–62.
Deshmukh-Bhosale S, Sonavane SS. A real-time intrusion detection system for wormhole attack in the RPL based internet of things. Procedia Manufacturing 2019;32:840–7. doi:10.1016/j.promfg.2019.02.292. 12th International Conference Interdisciplinarity in Engineering, INTER-ENG 2018, 4–5 October 2018, Tirgu Mures, Romania.
Dharmapurikar S, Lockwood JW. Fast and scalable pattern matching for network intrusion detection systems. IEEE J. Sel. Areas Commun. 2006;24(10):1781–92.
Dunkels A, Gronvall B, Voigt T. Contiki - a lightweight and flexible operating system for tiny networked sensors. In: 29th Annual IEEE International Conference on Local Computer Networks. IEEE; 2004. p. 455–62. doi:10.1109/LCN.2004.38.
Flux Research Group, 2020. The University of Utah. https://www.flux.utah.edu/index.
Gaddour O, Koubâa A. RPL in a nutshell: a survey. Comput. Netw. 2012;56(14):3163–78. doi:10.1016/j.comnet.2012.06.016.
Gara F, Saad LB, Ayed RB. An intrusion detection system for selective forwarding attack in IPv6-based mobile WSNs. In: 13th International Wireless Communications and Mobile Computing Conference (IWCMC). IEEE; 2017. p. 276–81. doi:10.1109/IWCMC.2017.7986299.
Granjal J, Monteiro E, Silva JS. Security for the internet of things: a survey of existing protocols and open research issues. IEEE Commun. Surv. Tutor. 2015;17(3):1294–312.
peared to influence the work reported in this paper. doi:10.1109/COMST.2015.2388550.
George Simoglou received the B.Sc. degree in Applied Informatics from the University of Macedonia, Thessaloniki, Greece. His B.Sc. thesis was on the security issues of the RPL routing protocol and was presented in Feb. 2020. He is currently working as a Web and software developer, and his research interests include Internet of Things, network protocols and security.

George Violettas pursues his Ph.D. in the area of Software-Defined Networks and mobile IoT at the University of Macedonia, Thessaloniki, Greece. He holds an MSc Degree in Applied Informatics from the same University, and a 4-year Bachelor in Computer Science from the Hellenic Open University. He has worked as a senior researcher in EU-funded projects (Horizon 2020): NECOS H2020 (Novel Enablers for Cloud Slicing), UNIC (Unikernel-based CDNs for 5G Networks, FED4FIRE+ Open Call 4, H2020), MEC (Multi-homing with Ephemeral Clouds on the Move, MONROE Open Call 2, H2020) and CORAL (Cross-Layer Control of Data Flows, WiSHFUL Open Call 2, H2020). He has hands-on experience with experimentation facilities and testbeds (Fed4fire, Emulab, Monroe). His Ph.D. includes an SDN-like central controller monitoring IoT networks and utilizing Machine Learning (WEKA) and Artificial Intelligence.

Sophia Petridou is Assistant Professor in the Department of Applied Informatics, University of Macedonia. She received her PhD Degree from the Department of Informatics, Aristotle University of Thessaloniki, Greece, in 2008. Her main research interests are in the areas of Internet of Things, Wireless and Optical networks’ protocols, formal verification and probabilistic model checking of protocols, and protocols’ security. She has been involved in the international research projects NECOS H2020 (Novel Enablers for Cloud Slicing), UNIC (Unikernel-based CDNs for 5G Networks, FED4FIRE+ Open Call 4, H2020), MEC (Multi-homing with Ephemeral Clouds on the Move, MONROE Open Call 2, H2020) and CORAL (Cross-Layer Control of Data Flows, WiSHFUL Open Call 2, H2020). She has more than 40 publications in journals and conferences. She is a Member of the IEEE Computer Society and serves as an Associate Editor of the International Journal of Communication Systems.

Lefteris Mamatas is Assistant Professor in the Department of Applied Informatics, University of Macedonia, Greece. He leads the Softwarized & Wireless Networks Research Group (http://swn.uom.gr) in the same University. He worked as a researcher at University College London (UK), the Space Internetworking Center/Democritus University of Thrace (Greece), and DoCoMo Eurolabs (Munich). His research interests lie in the areas of Software-Defined Networks, Internet of Things, 5G Networks, and Multi-Access Edge Computing. He participated in many international research projects, such as NECOS (H2020), FED4FIRE+ OC4 (H2020), WiSHFUL OC2 (H2020), MONROE OC2 (H2020), Dolfin (FP7), UniverSELF (FP7), and Extending Internet into Space (ESA). He has published more than 60 papers in international journals and conferences. He served as a General Chair for the WWIC 2016 conference and the INFOCOM SWFAN 2016 workshop, as a TPC Chair for the INFOCOM SWFAN 2017, E-DTN 2009 and IFIP WWIC 2012 conferences/workshops, and as a Guest Editor for the Elsevier Ad Hoc Networks Journal.