A Specification-Based IDS for Detecting Attacks on RPL-Based Network Topology

Topology attacks on the Routing Protocol for Low-power and Lossy Networks (RPL) can downgrade network performance significantly by disrupting the optimal protocol structure. To detect such threats, we propose an RPL specification to use as a reference for verifying node behavior. The specification is obtained by a semi-auto profiling technique that constructs a high-level abstraction of protocol operations from network simulation traces. It includes all the legitimate protocol states and transitions with their corresponding statistics, and it will be implemented as a set of rules in the intrusion detection agents, which take the form of cluster heads propagated to monitor the whole network. To save resources, cluster members report related information about themselves and their neighbors to the cluster head, instead of making the head overhear all the communication. As a result, information about a cluster member is reported by different neighbors, which allows the cluster head to cross-check it. We propose to record the sequence in RPL Information Object (DIO) and Information Solicitation (DIS) messages to eliminate the synchronization issue created by the delay in transmitting the reports: the cluster head only cross-checks information that comes from sources with the same sequence. Simulation results show that the proposed Intrusion Detection System (IDS) has a high accuracy rate in detecting RPL topology attacks while creating only insignificant overhead (about 6.3%), which enables it to scale to large networks.
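The same-sequence cross-check described above, as an added sketch that is not the paper's code. The report fields, the node names and the use of rank as the compared value are assumptions made for illustration; the sample reports are constructed.

```python
from collections import defaultdict
from typing import NamedTuple


class Report(NamedTuple):
    reporter: str  # cluster member that sent the report
    subject: str   # node the report describes (equals reporter for a self-report)
    seq: int       # sequence recorded from the DIO/DIS the information came from
    rank: int      # assumed example field: rank the subject advertised


def cross_check(reports):
    """Return sorted (subject, seq) pairs whose same-sequence reports disagree."""
    by_key = defaultdict(set)
    for r in reports:
        by_key[(r.subject, r.seq)].add(r.rank)
    # Several distinct values for one node at one sequence means the reports conflict.
    return sorted(key for key, ranks in by_key.items() if len(ranks) > 1)


def naive_check(reports):
    """The same comparison with the sequence ignored, for contrast."""
    by_subject = defaultdict(set)
    for r in reports:
        by_subject[r.subject].add(r.rank)
    return sorted(s for s, ranks in by_subject.items() if len(ranks) > 1)


# Constructed sample: node B is consistent, but one report about it arrives
# late and still carries the older sequence. Node M tells the cluster head
# one rank while its neighbors heard it advertise another.
SAMPLE = [
    Report("B", "B", 7, 512),
    Report("C", "B", 6, 768),  # delayed report, older sequence
    Report("D", "B", 7, 512),
    Report("M", "M", 4, 768),
    Report("B", "M", 4, 256),
    Report("D", "M", 4, 256),
]

if __name__ == "__main__":
    print("same-sequence check flags:", cross_check(SAMPLE))
    print("sequence-blind check flags:", naive_check(SAMPLE))
```

Without the sequence, the delayed report about B is compared against newer information and raises a false alarm; keyed on the sequence, only M is flagged.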
