12940 IEEE SENSORS JOURNAL, VOL. 21, NO.

11, JUNE 1, 2021

Intrusion Detection Systems in RPL-Based

6LoWPAN: A Systematic Literature Review
Aryan Mohammadi Pasikhani, John A. Clark, Prosanta Gope , Senior Member, IEEE,
and Abdulmonem Alshahrani

Abstract —Drastic reduction in the manufacturing cost of

sensors and actuators has resulted in considerable growth
in the number of smart objects. The so-called Internet of
Things (IoT) blends the real and virtual environments and
removes time and distance barriers. It is widely perceived as
a major enabler for the efficient and effective provision of ser-
vices across a range of sectors. It has naturally attracted the
interest of cyberattackers. Due to the heterogeneity, resource-
constraints, scale, and internet connectivity of IoT devices,
each IoT layer is prone to various threats. Intruders con-
sider the network layer of IoT as the gateway and leverage
vulnerabilities in the routing protocol to compromise the
Confidentiality, Integrity, and Availability (CIA) of connected
nodes. Researchers have proposed different security infrastructures to mitigate harm to IoT networks. One of these is the
Intrusion Detection System (IDS). An IDS is an essential component for the network security layer and is widely adopted
to reinforce the security of the IoT network. This systematic literature review explores the IPv6 Routing Protocol for Low
Power and Lossy Networks (RPL) and its existing threats, classifies relevant IDS techniques and identifies areas requiring
further investigation. We review 103 published papers in this domain.
Index Terms — RPL attacks, IDS taxonomy, detection strategies, 6LoWPAN, monitoring techniques, IoT, LLN.

I. I NTRODUCTION According to Cisco [1], over 75 billion devices are expected

T HE Internet of Things (IoT) provides a framework where

vast numbers of devices can communicate with each
other and so collaborate to provide services across many
domains with increased efficiency and effectiveness. Such
enhanced operation is underpinned by increased sophistication
of information processing. It has become common to describe
various nodes as ‘smart’ but in practice, the degree of smart-
ness encapsulated in individual nodes varies hugely. However,
the ease with which nodes may now communicate means
that highly sophisticated system operation is possible, with
responsibilities for different aspects of service provision being
distributed across the network. Quite basic nodes now play a
critical role in the provision of such sophisticated services.
However, many of these ‘things’ in IoT based systems suffer
from limited computational and energy resources.
Manuscript received December 25, 2020; revised February 12, 2021;
accepted March 6, 2021. Date of publication March 23, 2021; date of
current version May 28, 2021. The work of John A. Clark was supported
in part by the Engineering and Physical Sciences Research Council (The
Active Building Centre) under Award EP/S016627/1 and in part by the
Research England’s Connecting Capability Fund (CCF) IoT Knowledge
Exchange Project–Pitch-In. The associate editor coordinating the review
of this article and approving it for publication was Dr. Thilo Sauter.
(Corresponding author: Prosanta Gope.)
The authors are with the Department of Computer Science,
The University of Sheffield, Sheffield S1 4DP, U.K. (e-mail:
to connect to the Internet by the year 2025. Due to the
increased number of IoT devices, IPv4 does not apply in
this domain and use of IPv6 is essential. Sensors collect
and actuate a massive amount of data that requires precise
analysis. However, because of resource limitations, Low Power
and Lossy Networks (LLNs) have to transfer generated data
to a device/server with sufficient computational resources for
storing it and for conducting computation tasks, such as data
analysis. Information can then be sent to the actuators to
take identified actions. The IPv6 over Low-Power Wireless
Personal Area Networks (6LoWPAN) was developed to pro-
vide a compact IPv6 to LLN nodes in Personal Area Net-
works (PANs) and enable nodes to interact over the Internet.
Making actuators, sensors, and devices connected to outside
wired networks is a profitable business. However, the resource
limitations of LLN nodes makes them vulnerable to internal
and external malice and raises many security concerns. Most
nodes in LLNs are battery-powered, lack heavy-computation
capabilities, and inherit inadequate computation capabilities
and limited storage capacity as a consequence of the need for
low manufacturing costs. Although IoT devices have slightly
better computational resources than Wireless Sensor Net-
work (WSN) nodes and are heterogeneous in design [2], [3],
the devices usually need to work in an unstable environment,

[email protected]; [email protected];
[email protected]; [email protected]). where the neighboring nodes may go on and off to conserve
Digital Object Identifier 10.1109/JSEN.2021.3068240 energy. Parent nodes may move outside their children’s range

1558-1748 © 2021 IEEE. Personal use is permitted, but republication/redistribution requires IEEE permission.
See https://www.ieee.org/publications/rights/index.html for more information.

Authorized licensed use limited to: Univ of Calif Santa Barbara. Downloaded on June 23,2021 at 12:58:49 UTC from IEEE Xplore. Restrictions apply.
PASIKHANI et al.: IDSs IN RPL-BASED 6LoWPAN: A SYSTEMATIC LITERATURE REVIEW 12941

and become unreachable; therefore, children need to find new TABLE I

parents in a timely manner. These require a scalable, energy- A BBREVIATIONS
and resource-efficient routing protocol. The Routing Protocol
for LLNs (RPL) is designed to address these needs.
A substantial amount of research has addressed security
concerns in LLNs through cryptography, intrusion detection
systems (IDSs), intrusion prevention systems (IPSs), authenti-
cation and trust-based mitigation approaches, etc. IoT devices
and traditional computers use some similar protocols in the
application, transport, network, and physical layers, as dis-
cussed in section II. The constrained computational and energy
resources of a LLN’s devices are the primary barrier to
adopting existing security mechanisms at IoT interfaces [4].
LLN devices generate huge volumes of data but lack the
resources to store and process it further.
RPL plays a critical and widespread role in service provision
in IoT systems. As a consequence, it is an obvious target
for attack and a critical candidate for defence. One aspect
of defence that must now be considered is how intrusions on
RPL systems can be detected.
Here we present a systematic review of the most influential
approaches and methods providing IDS for RPL networks.
We examine existing routing threats and their negative impacts.
The strengths and weaknesses of IDS strategies and mitigation
techniques are also addressed, as are validation methods.
Our review classifies and provides a taxonomy of these IDS
methods.
Several surveys and reviews, such as [5], [6], and [7],
study RPL functionality, IoT threats, and some proposed
mitigation methods. However, the existing studies provide only
a light introduction to IDSs for RPL and do not cover the
state-of-the-art attacks. They are not comparative and do not
evaluate the pros and cons of each proposed method from
different perspectives. Our survey provides a more rigorous
characterization of IDS strategies together with finer grained
evaluation than is currently available in the literature. The
increased evaluation detail will facilitate further research and
help those considering IDS implementation.
We comment on a wide range of aspects: objectives of
each proposed approach, the effectiveness of each proposed
detection strategies, monitoring techniques, and to what degree
each research achieved its goals. We also consider val-
idation and evaluation methods, configuration setups, and
testbeds used by researchers. Our study focuses on the
most high profile RPL mitigation techniques, concentrating
on IDSs.
The rest of the article is organized as follows. In Section I.A
we define a set of research questions to provide increased
rigor and focus to our review. Section II describes the func-
tioning and the potential vulnerabilities of RPL. Section III
details discovered intrusions and vulnerabilities of RPL. Next,
IDS in terms of the source of monitored data, detection
strategies, response types, monitoring techniques, and valida-
tion and evaluation methods are classified and described in
Sections IV.A, IV.B, IV.C, V, and VI, respectively. After pro-
viding a taxonomy for IDSs for RPL, Section VII addresses the Lastly, Section VIII determines research gaps and opportuni-
identified research questions and provides statistical evidence ties. Table I presents the list of abbreviations and definitions
for the findings based on our investigation of 103 papers. used throughout this paper.

Authorized licensed use limited to: Univ of Calif Santa Barbara. Downloaded on June 23,2021 at 12:58:49 UTC from IEEE Xplore. Restrictions apply.
12942
A. Scope of This Survey and Contributions
Our survey is concerned with IDSs that target RPL net-
works. Salient features and methods of papers in this context
are extracted and the characteristics are detailed. We primarily
aim to address the following research questions:
Q 1. What types of routing threats exist in this domain and
how have they been addressed so far?
Q 2. What is the impact of each attack in an LLN and to
what extent do they damage 6LoWPAN?
Q 3. What are the technical performance objectives of the
research in this field?
Q 4. How do the proposed approaches monitor the network
to detect anomalies and to what extent are particular monitor-
ing methods used by researchers?
Q 5. What IDS strategies exist to protect RPL networks and
how widely is each used?
Q 6. What are the advantages and disadvantages of each
proposed approach?
Q 7. What datasets or simulators are available for RPL net-
works, and to what extent are they employed by researchers?
What configuration and setup of simulated and test networks
(e.g. number of intruders, the distances between nodes, run-
time duration) have researchers used to conduct their experi-
ments?
Q 8. What validation and evaluation methods are used to
measure the performance of the proposed methods and to what
extent have the researchers improved performance?
Q 9. What are open questions in this domain, and what
vulnerabilities remained unaddressed?
B. Publication Statistics
In this paper the publications, literature, and methods are
chosen with regards to their research scope, expert opinions,
and the quality of the publication and its impact on the research
published afterward. Web of Knowledge, Google Scholar, and
IEEE Xplore search engines were used to discover and obtain
the proposed papers between the years 2008 and 2020.
C. Relevant Reviews
In [14], the authors review the security issues and mitigation
techniques of the edge layer in IoT. The paper does not cover
RPL attacks and mitigation techniques. A comprehensive
review of trust-based IDS for RPL is given by [7]. In [9],
the authors study the impacts of a few RPL attacks on 6LoW-
PAN and to what degree the built-in security mechanisms of
RPL can resolve the negative impacts of such attacks. [10]
and [6] review several RPL attacks and a few mitigation
techniques. However, they study only a few proposed method
and do so in limited detail. In [5], the authors concentrate on
classifying IDS approaches. They do not provide an overview
of RPL attacks and their adverse impact on the 6LoWPAN
nor discuss the computational cost of each IDS approach on
the LLN. In [11], the authors provide a review on the use
of Machine Learning (ML) based security infrastructures to
mitigate security vulnerabilities of IoT, but do not include
RPL attacks. Table II shows the contribution, scope, and
shortcomings of each related review and indicates how our
work complements it.
Authorized licensed use limited to: Univ of Calif Santa Barbara. Downloaded on June 23,2021 at 12:58:49 UTC from IEEE Xplore. Restrictions apply.
IEEE SENSORS JOURNAL, VOL. 21, NO. 11, JUNE 1, 2021
II. P RELIMINARIES
Several network protocols have been introduced that form
connections between IoT devices and the various computers
on the Internet, as shown in Fig. 1. Such protocols can be clas-
sified based on network coverage, energy overhead, and trans-
mission rate. The 6LoWPAN is the combination of IPv6 and
Low-Power Wireless Personal Network (LoWPAN) protocols
and is the adaption layer of IPv6 for 802.15.4 LLNs. It is a
version of IPv6 optimized for LLNs and was mainly designed
to provide Internet connections to resource-constrained nodes
in PANs (Personal Area Networks). However, 6LoWPAN can
be implemented over different platforms and is not restricted to
radio links. The 6LoWPAN follows the IEEE802.15.4 standard
and covers connection ranges of 10s of meters with ∼250Kb/s
transmission rate. Implementing the original IPv6 is compu-
tationally expensive for LLNs. This adaption aims to provide
mechanisms to reduce computational expense, such as address
header compression, packet fragmentation, IPv6 neighbor dis-
covery requirements. There is no default IoT stack layer in
this domain; however, we can see the standards and protocols
introduced for IoT from different perspectives. Fig. 1 illus-
trates the TCP/IP protocol layer and the most common stack
layer described by researchers.
A. Routing Protocol for Low-Power and Lossy
Networks (RPL)
The Routing Protocol for low-Power and Lossy Net-
works (RPL) is designed to provide IPv6 communication
among LLNs, i.e., IoT devices. LLNs include constrained
devices with limited memory, processing power, and some-
times battery operated energy resources. Such devices have
a lossy connection, typically supporting only low data rates
that are usually unstable with relatively low packet delivery
rates (PDRs). RPL was initially designed to work in an
environment with static nodes in fixed locations; however,
some mobility methods [15] were introduced that enable the
participation of mobile nodes in the RPL network. In general,
LLNs that use RPL inherit two features, namely, a meagre
data rate, usually something below ∼250kbps [5], and also
very high collision and dropped packet rates, which negatively
impact the application throughput. RPL supports three kinds
of communication: P2P (peer to peer also called point to
point); P2MP (a central node to multiple points on network);
and MP2P (from multiple nodes to a central server). It uses
a distance vector routing protocol based on its Destination
Oriented Directed Acyclic Graph (DODAG). Multiple RPL
instances, each with a unique RPLinstanceid, can operate
concurrently in the LLN. RPL is capable of constructing
multiple paths back to the same destination and switches to
alternative routes whenever default routes become corrupted
(either intentionally or unintentionally). The protocol generates
a directed acyclic graph (DAG) based on associated policies
imposed by Low power and lossy Border Router (LBR). The
LBR is the root of the DAG and usually has rank 1. This border
router and the rest of the nodes interconnect in a hierarchical
structure, which combines mesh and tree topologies referred
to as a DODAG. The ranking system was designed to prevent
PASIKHANI et al.: IDSs IN RPL-BASED 6LoWPAN: A SYSTEMATIC LITERATURE REVIEW 12943

TABLE II
R ELATED R EVIEWS

and detect any probable routing loop in RPL. The rank enables
LLN nodes to identify their parents and children. The RPL
requires the nodes to store a list of parents, allowing a child
node to switch to another parent easily should a current one
become unavailable. The Rank in RPL is computed based on
the distance from the 6BR with different metrics, such as Link
Quality (LQ), Delay, Hop Counts, Connectivity etc., defined
in the Objective Function (OF).
Although RPL is the most popular and standardized routing
protocol in IoT networks [16], several other protocols have
also been developed to enhance routing in LLNs, namely
CORPL (Cognitive RPL) and CARP (Channel Aware Routing
Protocol). The CORPL is an extended version of RPL and
designed for cognitive networks. However, unlike RPL, it does
not support storage management, and all nodes need to track
forwarding records. (The parents are not the only ones respon-
sible for this task.) The CORPL is designed for underwater
communication scenarios, and unlike RPL, it does not support
security and server technologies. Initially, no mobility was
considered in the RPL network and all nodes were considered
to be static. However, several researchers [16] have confirmed
the possibility of placing mobile nodes in RPL.

Authorized licensed use limited to: Univ of Calif Santa Barbara. Downloaded on June 23,2021 at 12:58:49 UTC from IEEE Xplore. Restrictions apply.
12944 IEEE SENSORS JOURNAL, VOL. 21, NO. 11, JUNE 1, 2021

Fig. 1. IoT stack layer.

Fig. 2. DODAG graphing and RPL storing modes.

B. DODAG
The RPL is capable of building several DODAG
graphs [17], with identical roots in each graph characterized
with different DODAG Id’s. Each node is only permitted
to join a single DODAG graph and be a child of a parent
node at the same time; however, nodes with different roots
and DODAGs can communicate with each other. A DODAG
builds its graph in several steps, as represented in Fig. 2.
The formation of the topology starts with the 6BR/Root, also
referred to as the sink node. The root multicasts a DODAG
Information Object (DIO) to all nodes in its neighborhood
to initiate the formation of a DODAG. A DIO packet carries
essential information required by nodes to discover an RPL
instance, learn configuration parameters, select a parent set,
and maintain the DODAG graph.
Neighboring nodes receiving the DIOs from the root choose
the sender as the parent by replying with DAO (Destination
Advertisement Object) messages. Next, the parent node may
accept their request by sending DAO-ACK to each individual.
The neighboring nodes then calculate their ranks concerning
the parents’ rank value and other parameters and multicast
a new DIO to the nodes in their neighborhood for attracting
potential children. Calculating the rank depends on several
factors, such as the distance from the root, energy resource
of the node etc. The node’s rank identifies its position in
the network topology, which is a top-down hierarchy. A child
always has a higher, less valuable rank than its parents. IoT
devices consider neighbors with a lower rank value as a parent.
Optimal routes (parents, hops) in the DAG are obtained from
metrics and constraints. In order to update the DAG, a DIO
message is multicasted periodically according to the timer set
by the border router (as part of the trickle algorithm).
Meanwhile, if any new node wants to join the DODAG,
it will multicast DODAG Information Solicitation (DIS)
requests to discover a DODAG network and listen for a DIO
reply from a node in its neighborhood. The DAO is intended
to be used for creating a downward hierarchy. If a node
loses connection with its parent, either it can wait for an
incoming DIO message (taking 1-60 minutes) or send a DIS
message [18].

Authorized licensed use limited to: Univ of Calif Santa Barbara. Downloaded on June 23,2021 at 12:58:49 UTC from IEEE Xplore. Restrictions apply.
PASIKHANI et al.: IDSs IN RPL-BASED 6LoWPAN: A SYSTEMATIC LITERATURE REVIEW
TABLE III
O BJECTIVE F UNCTIONS
If the parent node becomes unreachable or disappears,
a couple of repair procedures are designed to avoid recon-
structing the entire topology. The primary technique lets
nodes send their packets through their neighboring node with
the same rank, and the second mechanism guides them to
select another parent from the preferred parent set. DODAG
also introduces a global repair mechanism to reconstruct the
topology completely. Although such a mechanism can play
an essential role in reviving an IoT network, it increases
the vulnerability and enables malicious nodes to sabotage
the network. Such attacks can exhaust battery-powered nodes,
leading to shutdown.
The RPL IPv6 header option with the special flag ‘O’
indicates the intended packet direction, and ‘R’ notifies a rank
error occurrence during packet forwarding between sender
and receiver nodes. There are two downward routing modes,
namely storing and non-storing mode, illustrated in Fig. 2.
Each routing node is stateful in storing mode, and creates a
downward routing table for its sub-DODAG to route incoming
and outgoing traffic. In non-storing mode all nodes transfer
their packets towards the border router/root, then the root node
transfers the packet to the destination address. In non-storing
mode, the root does not create any routing table.
C. Routing Metrics
In the DODAG, the duty of configuring routing metrics,
optimization objectives, rank calculation, and parent selec-
tion policy is defined by the OF (Objective Function) pol-
icy. The IETF proposed several OFs, using a variety of
link attributes, for different applications and environmental
conditions [19]–[23]. The OFs follow diverse policies with
different goals. An OF may aim to enhance the packet end
to end delay or preserve LLN nodes’ energy resources by
avoiding routing through battery-powered nodes. Table III
introduces existing, fully defined, or drafted OFs.
Energy calculation is not considered as an element in the
routing path drawing of MRHOF and OF0. Several OFs
Authorized licensed use limited to: Univ of Calif Santa Barbara. Downloaded on June 23,2021 at 12:58:49 UTC from IEEE Xplore. Restrictions apply.
12945
have been proposed to address this limitation, namely Resid-
ual Energy OF, Energy Efficient and path Reliability Aware
OF (ERAOF), Energy-Oriented Routing OF (OF-EOR), and
Expected Lifetime OF (ELT). For brevity, this review paper
does not review each OF. The reader is referred to [24]
and [25] which provide comprehensive reviews of OFs and
to [26] and [27] which study and analyze MRHOF and
OF0 performance over several measures and LLN scenarios.
Based on their findings, both OF0 and MRHOF cause long
hops in a dense network with a large number of nodes,
introducing an OF is essential.
D. Routing Protocol Vulnerabilities
The 6LoWPAN routing protocol is venerable to various
threats (such as Sinkhole, Version Number, Wormhole, etc.)
and does not have any concrete mechanism to ensure security
in its routing protocol (RPL). [28] provides a comprehensive
study and analysis of RPL performance in an extensive scale
network. Studying RPL performance in a multi-hop network
reveals the existence of link quality, energy exhaustion, infor-
mation leakage, maintenance of routing information, integrity,
and availability issues.
III. RPL ATTACKS
There are three types of RPL attacks, distinguishable by
the harm they cause to the LLN [10], as illustrated in Fig. 5.
If the attack is against the victim nodes’ resources, then it falls
into the resource attack category. This category consists of two
subcategories, namely direct and indirect attacks. In a direct
attack, the malicious node by itself establishes the attack while
in the indirect category the intruder initiates the attack with
the help of compromised nodes. Both approaches aim to drain
neighboring nodes’ resources. However, detection of indirect
attacks is more challenging because usually there is more
than one attacker node present in the network and detection
of their master, the primary intruder node, is harder since it
does not target the LLN nodes directly. If the intruder aims
12946
to generate an unoptimized network topology, it is called a
topology attack. Topology attacks divide into sub-optimization
and isolation subcategories. In the sub-optimization attacks,
the network diverges from optimal performance. In isolation
attacks, targeted nodes become isolated from the network
and cannot receive or transfer packets. The third category is
against RPL network traffic, so it is called a traffic attack. This
category divides into Eavesdropping (if the intruder node sniffs
and analyses the network stream) and misappropriation (where
the identity of other nodes is stolen and used to advantage).
In the following, we describe the prevalent RPL attacks in the
framework mentioned above.
Intruders can obtain a malicious rank either by observing
its neighborhood and then advertising lower, more powerful,
malicious rank values or by deceiving neighboring nodes by
manipulating the OF and persuading other nodes to assign a
better rank to it. The OF manipulation enables the intruder to
adapt to the changes in the network and work dynamically.
This makes the detection of intruder nodes harder for the
IDS [29]. Usually, the intruders combine attacks such as
sinkhole and blackhole with selective forwarding in order to
achieve their goals by making detection harder. Because such
malicious activities aim to disturb the repair and routing mech-
anism of RPL, they are termed RPL attacks. Several researches
[9], [29]–[33] analyzed the adverse effect of different RPL
attacks on the LLN. Watching each attack’s symptoms over
the LLNs can help researchers design a countermeasure by
monitoring the affected parameters. Table IV demonstrates
the different negative impacts each RPL attack has on the
network [9], [29]–[33].
A. Sinkhole (SH)
A sinkhole attack is a sort of eavesdropping attack that
sniffs the victims’ data by persuading them to select the
attacker node as the parent. This causes the construction of an
unoptimized topology among the LLN nodes in the network.
In Fig. 3, node 3 is the intruder and starts a sinkhole attack
by multicasting DIO messages with a lower malicious rank
of 2 while its legitimate rank is 7. As a result of this false
advertisement, the neighboring nodes express their interest
in being children of the intruder by unicasting DAOs. Next,
the victim node sends their packets to their parent, now
the intruder node, to transfer the information to 6BR and
other nodes. In the illustrated scenario, nodes 1 and 2 refuse
the DIOs from node 3 because they already have rank 2,
and node 8 is not affected by the malicious DIO message
because it does not receive it. As a result of this falsified
advertisement, the malicious node will more frequently be
nominated as a preferred parent by its neighbors, while it
does not provide a better performance based on the network
Objective Function (OF). Algorithm 1 provides a pseducode
of such an attack.
B. Blackhole (BH)
The blackhole attack divides the LLN into isolated sub-
networks, which cause an adverse effect on the network
throughput. Similar to the SH attack, the intruder node attracts
Authorized licensed use limited to: Univ of Calif Santa Barbara. Downloaded on June 23,2021 at 12:58:49 UTC from IEEE Xplore. Restrictions apply.
IEEE SENSORS JOURNAL, VOL. 21, NO. 11, JUNE 1, 2021
Algorithm 1 : Sinkhole, Black-Hole, Selective_
forwarding Attacks
Initialization
A: Attacker node
N: Neighbor list ⊂ legitimate LLN nodes
B: a neighboring node ∈ N
P: Current packet
R: a lower more powerful rank, usually assigned as the
sink node rank
Attack_type = {Sinkhole, Black-hole,
Selective_forwarding}
Input: "A" receives DIOs from A.N and calculates
Min(advertised_ranks)
Output: "A" obtains a lower, malicious rank and
multi-casts it with DIO to all nodes, ∀ node ∈
A.N
if (P is DIO) ∧ (P.sender_i d ∈ A.N) then
if P.sender _i d ∈ A.N ∧ P.sender _i d = r oot_i d
then
if D I O.r ank ≤ A.mali ci ous_r ank then
A.mali ci ous_r ank ←− R
if (A.received(DIS from B)) ∨ (A trickle_timer activated)
then
A.multicast((DIO with mali ci ous_r ank) to node
∀nodes ∈ A.N)
B.receive(DIO from A)
if DIO.rank < B.rank then
B nominate A as preferred_parent
B unicast application packets to its preferred_parent,
which is "A" now, in order to transfer it to the
destination
if Attack_type is Sinkhole then
A collect packets from B and transfer it to next hop
else if Attack_type is Blackhole then
A collect packets from B then drop all of them
else if Attack_type is Selective_forwarding then
A collect packets from B and selectively or
randomly drop some and transfer others to next
hop
the neighboring nodes by advertising a better malicious rank
with DIOs, but instead of forwarding application packets,
it drops all received information. A BH attack launched from a
strategically chosen node can cause a massive loss in network
traffic. A Selective-forwarding (SF) attack, also called a Gray-
hole attack, is a variant of this. Here the intruder selectively
or randomly drops some of the packets and forwards the rest.
Detecting this form of attack is more challenging.
C. Increase Rank (IR)
This attack is against LLN nodes’ resources and indirectly
disrupts victim nodes to exhaust their computational and
energy resources. It also causes a communication disruption in
the LLN. The intruder initiates the attack by increasing its rank
and multicasting DIO messages with the modified malicious
PASIKHANI et al.: IDSs IN RPL-BASED 6LoWPAN: A SYSTEMATIC LITERATURE REVIEW
Algorithm 2 : Increase Rank Attack
Initialization
A: Attacker node
N: Neighbor list
P: Current packet
R1 : is the initial, legitimate rank
R2 : is a high, less valuable rank
Input: "A" increases its rank to much higher rank and
multi-casts it with DIO
Output: "A" receives a DIO containing a lower rank
from a neighboring node, then decreases its
rank and multi-casts it with DIO
if (P = DIO) ∧ (P.sender_i d = A.id) then
if A.rank = R1 then
A.rank ⇐ R2
else if A.rank = R1 then
A.rank ⇐ R1
A.Multicast(DIO to A.N)
if (P is DIO) ∧ (P.sender _i d ∈ A.N ) then
if (P.Rank < A.Rank) ∧ (P.sender_i d =
r ootnode_i d) then
A.rank ⇐ R1
A.Multicast(DIO, ∀ nodes ∈ A.N )
higher (less valuable) rank value to its neighboring nodes.
By doing this, it forces the children to search and find a new
parent to approach the border router. After causing significant
network overhead, and when finally the children find a new
parent, the intruder node reverts back to the previous rank
or alternatively advertises a lower (better) rank to attract
neighboring nodes to reselect it as a parent. The process
is illustrated in Algorithm 2; it repeats continuously until it
exhausts the power resources of the victim nodes and forces
them to shut down. In Fig. 3, the attacker node 5, initiates an
IR attack by increasing its rank to 6. As a result, its children
nodes 7, 8, and 9 lose their connection to the border router and
set about finding a new parent by multicasting DIS messages.
Node 4 receives DISs from 7 and 8 and replies to their request
by unicasting a DIO to them. Node 9 is not in the range
of node 4 and sends DIOs periodically until nodes 7 and 8
join the DODAG and respond to its DIS with a DIO. When
the intruder realizes that the victim has found a new route to
the border router, it tries to re-attract them by advertising the
original or better rank. This loop continues until all targets run
out of power.
D. Wormhole (WH)
This attack aims to disturb and obstruct the RPL topology by
causing victim nodes to create unoptimized routes with regards
to a falsified OF. This happens when two or more widely
spaced attacker nodes, connected through a private channel or
tunnel, over a wired or wireless connection established with
the help of a powerful antenna mounted on the intruder nodes,
dominate two parts of the network with their broad radio
coverage. Algorithm 3 demonstrates the implementation of the
Wormhole attack. Consider Fig. 3. Here the attack is initiated
Authorized licensed use limited to: Univ of Calif Santa Barbara. Downloaded on June 23,2021 at 12:58:49 UTC from IEEE Xplore. Restrictions apply.
12947
Algorithm 3 : Wormhole Attack
Initialization
A1 , A2 :Attacker 1 and 2
N: Neighbor list
B: a neighboring node ∈ N
P: Current packet
Control_Packet = {DIO, DAO, DIS, DAO-Ack}
Input: B Multi-casts Control_Packet to nodes, ∀ node ∈
B.N
Output: A1 or A2 transfer the received Control_Packet
from B to its counterpart
if (P is Control_Packet) then
if P.sour ce_i d ∈ A1 .N then
A1 .transfer(P to A2 )
A2 .multicast(P, ∀ node ∈ A2 .N)
else if P.sour ce_i d ∈ A2 .N then
A2 .transfer(P to A1 )
A1 .multicast(P, ∀ node ∈ A1 .N)
by the intruder node 9, transferring the collected control
packets from its neighborhood to its accessory, the intruder
node 10, placed on another part of the RPL network; the
node 10 multicasts the received control packets and confuses
the nearby nodes by making them believe that the generators
of control packets (i.e. node 4, 8, 13 and 14) are in their
neighborhood. This action encourages the victims to add
the initiators to their neighbor lists. The WH attack causes
unoptimized route construction in the network topology and
greatly increases network overheads. Several studies [32], [33]
analyze the negative impact of the WH attack on LLNs. The
WH attack can also be considered as an external intrusion if
the attacker creates a tunnel between a node inside the RPL
network and a device outside the LLN. The manipulated or
malicious node inside the RPL network can be equipped with a
more powerful antenna to transfer collected data to an external
device outside the network. Due to the fact that in such attack,
attackers use a private channel for transferring data, and the
border router is not involved in transferring data, detection of
an external wormhole attack is more sophisticated. As far as
we are aware, there are no IDS proposals to mitigate external
WH attack.
E. DIS Flooding (DF)
This attack aims to exhaust target nodes’ resources by
generating a large amount of traffic in the victim network.
This also disrupts communication among the LLN nodes. The
DF attack significantly increases control packet overheads and
energy consumption, and causes routing disruption. In the
flooding attack, the intruder node can be placed inside or
outside the network, and in the most extreme scenario, it suc-
ceeds in exhausting all targets’ resources. As explained earlier
in II.B, a new node or the node that has lost its connection
with its preferred parent and nodes in its parent list, uses
a DIS message to discover a DODAG network in the RPL
routing protocol. As in Algorithm 4, the intruder abuses the
vulnerability of this method and multicasts a DIS message to
12948 IEEE SENSORS JOURNAL, VOL. 21, NO. 11, JUNE 1, 2021

Fig. 3. Illustration of attacks in a RPL network.

Algorithm 4 DIS Flooding attack but to their neighborlist (B). This RPL attack causes network
Initialization congestion and the saturation of the LLN nodes. It increases
A: Attacker node control packet overheads considerably. In the multicast DIS
N: Neighbor list Flooding attack, the victim node, the receiver node here, will
I: Current node id reset its trickle timer and multicast its DIO message when
B: a neighboring node ∈ N its receives a multicasted DIS message from the intruder. In a
V: Victim list unicast DIS flooding attack, the receiver node of unicasted DIS
P: Current_packet message unicasts a DIO to the intruder without resetting its
Attack_type = {Unicast DIS Flooding, Multicast DIS trickle timer. Since it is not required to be part of the DODAG
Flooding} to send DIS control packets, an intruder can initiate the DIS
Contr ol_Packet = {DIO, DAO, DIS, DAO-Ack} flooding attack outside of the network [10].
Input: "A" uni-casts or multi-casts DIS to node(s), ∀
nodes ∈ A.N
Output: "B" uni-casts or multi-casts DIO message F. Clone Id (CI) & Sybil Attacks
if A.Attack_type is Unicast DIS Flooding then Both of these attacks are inherited from WSNs. In the
A.unicast(DIS ⇒ B, B ∈ A.N) Clone ID attack, the intruder node clones or takes the identity
B.unicast(DIO ⇒ A) (MAC address, IP address, rank, etc.) of a victim node,
else if A.Attack_type is Multicast DIS Flooding then then multicasts or unicasts packets to its neighbors to disrupt
A.Multicast(DIS, ∀B ∈ A.N) the network and threaten confidentiality and integrity of the
for ∀B ∈ A.N do targeted node data. On the other hand, in the Sybil attack,
B.Multicast(DIO, ∀node ∈ B.N) the intruder aims to disturb a vast number of nodes by stealing
the identity of several nodes. The intruder then multicasts and
unicasts the control packets of targeted nodes simultaneously.
The placement of intruder node(s) in a Sybil attack affects the
degree of negative impact on the network; this has been studied
the neighboring node then listens for a DIO reply; this action in [38]–[40]. The intruder node(s) can manipulate data by
repeats in order to drain resources and cause a considerable bonding to an area and disturbing a smaller quantity of nodes
number of collisions in the network. Fig. 3 illustrates a DIS by stealing their identity and collecting their data; the process
flooding attack scenario. In the scenario (A), node 7 is is presented in Algorithm 5. They are also capable of scaling
assigned as the intruder and establishes the flooding attack by the attack domain by influencing nodes in different locations
multicasting DISs to its neighbor list. As a result, its neighbors to impact a larger proportion of network. The aim in this kind
reply to its request by multicasting DIOs not only to node 7 of placement is to damage the routing mechanism and make

Authorized licensed use limited to: Univ of Calif Santa Barbara. Downloaded on June 23,2021 at 12:58:49 UTC from IEEE Xplore. Restrictions apply.
PASIKHANI et al.: IDSs IN RPL-BASED 6LoWPAN: A SYSTEMATIC LITERATURE REVIEW
Algorithm 5 Sybil Attack
Initialization A: Attacker node N: Neighbor list P:
Current packet L: Target List S: sender node
Control_Packet = {DIO, DIS }
Attack_Types = {Sybil, Clone_Id}
Input: Control_packet initiated by victim node(s)
Output: "A" steals victim nodes credentials, then
uni-casts or multi-casts control packets with
their identities
if (P ∈ Control_Packet) ∧ (P.sender _i d ∈ A.N) then
//attacker can select the victim(s) selectively or target
its children
if (S.node_i d ∈ A.children_list) then
if (Attack_Type = Sybil) then
if (S.node_i d ∈ A.L) then
A.clone(S.credential)
A.Multicast(Control_Packet ⇒ A.N) ∨
A.Unicast(Control_Packet ⇒ A.N[node_id])
else if (L.length = 1 ∧ Attack_Type = Clone_Id)
then
A.clone(S.credential)
A.Multicast(Control_Packet ⇒ A.N) ∨
A.Unicast(Control_Packet ⇒ A.N[node_id])
Algorithm 6 Worst Parent Attack
Initialization A: Attacker node N: Neighbor list P:
Current packet Control_Packet = {DIO, DIS, DAO,
DAO-Ack }
Input: "A" discovers the neighboring node with the
highest, least valuable rank, providing the worst
OF
Output: "A" selects the discovered worst parent as the
preferred parent to reduce routing performance
if (P = DIO) ∧ (P.sender_i d ∈ A.N) then
if (A.preferred_parent[rank] < Node.Rank, ∀ Nodes ∈
A.N) then
A.preferred_parent = Node.id
the ranking system or OF ineffective. Detection of distributed
attack scenarios is harder if malicious nodes are mobile. The
study [40], describes various types of Sybil attacks.
G. Worst Parent Attack (WP)
As in Algorithm 6, the intruder selects the worst parent
to transfer data [29] while multicasting its actual rank with
DIOs. The idea behind this attack is to cause lengthy end-to-
end delays and create an unoptimized path from children nodes
to the 6BR. Detection of this attack is more challenging than
other attacks because the intruder does not show any abnormal
attitude through multicasting control packets; however, if the
intruder decides to impact larger nodes and attract more
children by advertising lower rank, detection becomes more
feasible. No current study covers this attack.
H. DODAG Inconsistency
The intruder can either multicast malicious control packets
with enabled ‘O’ and ‘R’ flags in the opposite direction
Authorized licensed use limited to: Univ of Calif Santa Barbara. Downloaded on June 23,2021 at 12:58:49 UTC from IEEE Xplore. Restrictions apply.
12949
Algorithm 7 Version Number attack
Initialization
A: Attacker node
N: Neighbor list
I: Current node id
B: a node
P: Current packet
M_VN: Malicious Version Number
Contr ol_Packet: {DIO, DAO, DIS, DAO-Ack}
Input: "A" collects DIO from the root or a neighboring
node and reads the current version number
Output: "A" increases the current version number and
puts it in (M_VN) and advertise it through
multi-casting DIO
if (P = DIO ∧ P.destination_id = A.id) then
if (P.version_number = 1) ∨ (P.version_number ≤
M_VN) then
A.DIO[version_number] ⇐ M_VN
A.multicast(DIO, ∀B ∈ A.N)
M_VN ⇐ M_VN ++
else if (P.version_number > M_VN) then
A trigger repair mechanism of DODAG and
recalculate its rank
M_VN ⇐ P.DIO[version_number] ++
A.DIO[version_number] ⇐ M_VN
A.multicast(DIO)
or can alter the received packet from a neighboring node
and enable its ‘O’ and ‘R’ flags before forwarding it to the
destination. This causes significant control packet and energy
overheads and increases packet delivery time. If the intruder
decides to manipulate the received packet before transferring
it, the detection becomes harder. It causes isolation in the
network because the receiver node always drops the packet
and initiates the repair mechanism.
I. Version Number Attack (VN)
Since there is no built-in security mechanism to ensure that
only the root node can modify the value of a DODAG version
number in a LLN, the intruder can abuse this vulnerability to
cause an adverse impact on the functionality of a DODAG.
In a VN attack (Algorithm 7), the intruder node incrementally
increases the repair mechanism value and then advertises
it through its DIO message. This encourage LLN nodes
to enable the global repair procedure and recalculate their
routing paths more frequently. VN causes significant energy
overheads in LLN nodes while exhaust-ing their computational
resources. This attack can become much more sophisticated if
the intruder node is far from the 6BR, i.e., in the lower level
of the DODAG hierarchy. In [30], [31], the authors analyze
the negative impact of the VN attack on LLNs.
J. Ranks Attack (RA)
This attack is harder to be detected because the intruder
node does not initiate any malicious packet or manipulate any
legitimate packet. It disregards the rank error initiated by its
12950
TABLE IV
RPL ATTACKS AND T HEIR I MPACTS ON LLNs
neighboring or child node [29]. The DODAG only allows an
increase of the rank in a downward direction and decreases in
upward direction, as illustrated in Fig. 2. The nodes have to
check the rank condition when sending and receiving packets.
If LLN nodes find any error in this procedure, they have to
enable the rank-error bit defined in the RPL protocol and
inform neighboring nodes about inconsistency in the network;
this prevents the formation of a loop in the network. In the
rank attack, the intruder does not enable the rank-error bit
when it discovers a rank error. This attack difficult to detect
because the intruder does not display any abnormal behavior
(e.g., it satisfies all protocol conventions, except honesty).
In the long run, this malicious behavior causes the formation
of a loop in the network, damaging the network topology.
Moreover, it isolates the nodes with a rank error in the
network and results a massive number of error packets and
inconsistencies in the routing mechanism. It [29] analyses the
impact of the rank attack on LLNs.
K. Local Repair Attack (LR)
The intruder initiates this attack by sending a repair packet
to the node in its neighborlist while there is no inconsistency or
Authorized licensed use limited to: Univ of Calif Santa Barbara. Downloaded on June 23,2021 at 12:58:49 UTC from IEEE Xplore. Restrictions apply.
IEEE SENSORS JOURNAL, VOL. 21, NO. 11, JUNE 1, 2021
error in the network. This results in computational exhaustion
of LLN nodes and an increase in control packet overheads in
the network, because victim nodes have to recalculate their
routes to the malicious node.
L. Replay Attack
The intruder records legitimate control packets, such as
DIO, DAO, DIS, generated by its neighboring nodes, and
then later it unicasts or multicasts the collected packets. This
causes inconsistency, and creation of expired routing paths in
the network because some configuration in advertised control
packets are outdated and cause the network to function erro-
neously. Algorithm 8 represents such an attack. Because the
intruder forwards the collected control packets from legitimate
nodes, built-in security mechanisms of RPL and the use of
cryptography cannot prevent it [8].
Even RPL secure mode and cryptography cannot secure
the LLN against such intrusions because knowing the keys
is not required for an intruder to replay collected packets.
The consequence of this attack is discussed in Table IV. The
intruder replays the application packet in the replay attack for
the WSN platform, while in the RPL, the intruder replays
control messages only.
PASIKHANI et al.: IDSs IN RPL-BASED 6LoWPAN: A SYSTEMATIC LITERATURE REVIEW
Algorithm 8 Replay Attack
Initialization A: Attacker node N: Neighbor list P:
Current packet L: Target List R: List of recorded control
packets Control_Packet = {DIO, DIS, DAO, DAO-Ack }
Input: "A" records Control_Packet initiated by "L"
Output: "A" multi-casts R
if (P ∈ Control_Packet) ∧ (P.sender _i d ∈ A.N) then
//attacker can select the victim(s) selectively or target
its children
if (P.sender _i d ∈ A.L) then
Add(R ⇐ P)
if (Attack_triggertimer.status = Activated) then
A.multicast(R, ∀ nodes ∈ A.N)
M. DIO Suppression attack (DS)
The authors of [96] study the DIO suppression vulnerability
of RPL and analyze its adverse impacts on LLNs. In the DS
attack, the intruder advertises a DIO frequently in order to slow
down the DIO message process. Neighboring nodes of the
attacker consider the received DIO consistent after collecting
enough similar DIO messages from the malicious node. This
leads victim nodes to suppress their DIO multicasting process,
which in turn leads to the isolation of some LLN nodes since
they cannot discover their neighboring nodes, and some routes
that are providing better OF will remain undiscovered. A study
and analysis of the consequences of a DIO suppression attack
in LLN can be found in [94]. It also proposes a mitigation
method [94].
N. DAO Inconsistency attack (DI)
In RPL, the forwarding-error flag is designed to indicate
that the stored path in the routing table of the parent is no
longer valid and needs to be removed. This is done by enabling
‘F’ flag in the option header of the received packet and
replaying it to the parent. In RPL storing-mode, the intruder
exploits the vulnerability of this mechanism to initiate a DAO
inconsistency attack. Upon receiving a packet sourced from
an ancestor of the intruder node, the intruder enables the
‘F’ flag of the received packet and replays it to its parent
to claim that the indicated downward route in the packet is
no longer available. This misleads the parent into removing
the legitimate downward route from its routing table. As a
result, the parent node also has to inform its parents that
the destination node is no longer available when it receives a
packet that wants to use the expired route. The authors of [87]
study the impact of this attack on LLNs.
IV. I NTRUSION D ETECTION S YSTEMS
Security infrastructures such as encryption may perform
well in securing 6LoWPAN against external intrusions but
they are computationally expensive [87], [90], [97] for LLN
nodes and cannot make RPL resilient in the face of internal
malicious activities [49], [98]. However, Intrusion Detection
Systems (IDSs) show outstanding performance with accept-
able energy overhead for detection of internal and external
intrusions. The structure of IDS for 6LoWPAN can be clas-
sified along several axes, namely the source of monitoring
Authorized licensed use limited to: Univ of Calif Santa Barbara. Downloaded on June 23,2021 at 12:58:49 UTC from IEEE Xplore. Restrictions apply.
12951
data, analysis type, detection strategy, monitoring technique,
the form of response, and detection time. Next, each criterion
is discussed in detail and the relevant proposed methods
categorized. Fig. 5 gives a taxonomy of IDS for RPL and
Table VI shows the IDS approaches employed by researchers.
Before classifying IDSs, we define what an IDS is. In recent
years we have seen inconsistency in the definitions of IDS in
RPL. The IDS is the software or hardware designed to monitor
and analyze the events taking place inside the host machine,
or packets sniffed through the network traffic, in order to dis-
cover any suspicious activities and raise an alarm. An IDS does
not have any mitigation duty. On the other hand, an Intrusion
Prevention System (IPS) can work with an IDS to mitigate
suspicious behavior.
Although IPS can autonomously prevent intrusions, security
administrators sometimes may prefer to implement IDS rather
than IPS. Moreover, detecting suspicious activities (via an
IDS) or mitigating the effects of an intrusion (using an IPS) it
is often desired simply to understand the situation better. For
example, administrators like to discover the aim and identity of
intruders by tracing the path of attackers seeking information.
This may be achieved, for example, by using a honeypot or a
variety of situational awareness tools.
A. Source of Monitoring Data
The source of data for monitoring can be defined with
regards to the type of intrusion the IDS aims to counter.
It may aim to secure the IoT network against attacks manip-
ulating the content of the application layer, such as SQL
injection, bruteforce, or side-channel attacks. In this case,
monitoring audit-logs, system events of the client machine,
or in some scenarios, the payload contents of network packets
after decryption plays a vital role in detecting intrusions.
On the other hand, the attacks that alter the parameters of
a legitimate network packet or generate malicious packets
require the appliance of network security infrastructure such
as an IDS to monitor and analyze network traffic. Therefore,
the IDS obtains network-packets and audit-logs of the host
machine, or both for monitoring purposes.
1) Network-Based IDS (NIDS): Since RPL is in the net-
work layer of the IoT stack, detecting RPL attacks requires
analyzing network packets. The NIDS analyses the flow of
network traffic in the LLN. Researchers commonly use NIDS
for detecting RPL based intrusions. However, NIDS cannot
analyze the encrypted contents of packets’ payloads without
possessing the encryption key. The NIDS monitors the network
traffic either through several monitoring agents placed among
LLN nodes, or each LLN node is required to participate in the
monitoring task, as discussed in Section V. The advantages and
disadvantages of NIDS in 6LoWPAN are given below. NIDS
are widely used by researchers in this domain because they
can monitor 6LoWPAN on a large scale. NIDS operates in
hidden mode, also called ghost-mode, and is concealed from
the eyes of intruders; therefore, attackers cannot probe them
in order to compromise them [48].
Additionally, NIDS can function in passive mode and cause
less energy and computational overhead for LLN nodes.
This also leads to less disruption in network traffic and less
12952
congestion and dropped packets. A strategically placed probe
can monitor an extensive network. However, centralized NIDS
are very likely to face difficulties in dealing with volumes of
incoming data from an extensive scale network, especially if
the assigned monitoring node has resource constrained LLN
devices. They may miss incoming attacks during periods of
high traffic. Secondly, NIDS cannot analyze the encrypted
content in sniffed packets’ payloads. Finally, the network
communication between the central IDS and the sensors in the
active decentralized, hybrid IDS generates a very significant
control packet overhead, leading to network congestion.
2) Host-Based IDS (HIDS): The HIDS, in its traditional
meaning, is designed to monitor and analyze not only the
network inputs and outputs of the host machine but also
the internal system events that are taking place inside the
host machine. It monitors system logs and events to identify
suspicious activities. Because HIDSs are hosted in LLN nodes,
they may place very significant demands on the computational
and energy resources of the host machine. As mentioned
earlier, there is no use of HIDS in its traditional definition
for detecting RPL attacks; all researchers employ NIDS to
counter such attacks. However, the use of HIDS is essential,
especially for attacks manipulating IoT in the application layer
and when analyzing encrypted content of packet’s payload is
required. In the RPL domain the proposed IDS is sometimes
called host-based by researchers if LLN nodes are required
to send their device information in terms of geographical
location, RSSI (Received Signal Strength Indication), routing
table, neighboring node information etc., to an IDS or an
internal IDS of the node. Researchers typically categorize this
IDS as being one of active monitoring.
3) Hybrid IDS: The IDS is called hybrid, in terms of the
data source, if both HIDS and NIDS security mechanisms are
incorporated in a network, among LLN nodes, to monitor the
network events that are taking place from different perspec-
tives. Although this technique provides the IDS management
system with a broader monitoring oversight of the 6LoWPAN
and secures the network against a more extensive range of
malicious activities threatening different stack layers of IoT,
there is no any research that covers this type of IDS yet.
B. Detection Strategy
There are two main approaches to the analysis of events
for detecting attacks [99]: detection of malicious signatures
and detection of anomalies. Signature detection is broadly
employed by most security software companies in the mar-
ket. Anomaly-based IDS has attracted researchers over many
years. A third approach, specification-based IDS, compares
behaviors against reference behaviors defined more formally,
e.g. by protocol specifications. Below we describe each of the
proposed methods.
1) Signature-Based: The signature-based IDS, also known
as misuse-based, compares the collected data against the
already stored signatures of malicious software to identify
abnormal activities. This type of IDS relies on stored patterns
of known intrusions, collected by experts through real-world
experience, and empirical or simulation experiments. Causing
the lowest False Positive Rate (FPR) is a major strength
Authorized licensed use limited to: Univ of Calif Santa Barbara. Downloaded on June 23,2021 at 12:58:49 UTC from IEEE Xplore. Restrictions apply.
IEEE SENSORS JOURNAL, VOL. 21, NO. 11, JUNE 1, 2021
of misuse-based IDS, while this detection strategy is unable
to detect unknown intrusions. Intrusions are the ones not
stored in the system profile/database, because it is either a
zero-day attack or one whose signature is otherwise not yet
included. So this category of IDS only performs well over
known intrusions and shows poor performance over unknown
attacks. Continual updating of the database is needed. Also,
signature-based IDS demands significant storage space, which
is scarce in IoT nodes; researchers usually place such IDS in
the 6BR or at the edge.
2) Anomaly-Based: Unlike misuse-based IDS, an anomaly-
based IDS adapts to normal activities and highlights any devia-
tion from the system’s normal behavioral profile. This enables
anomaly IDS to detect unknown attacks. It does so through
statistical, knowledge-based, or machine-learning methods.
However, such IDS is known for having a considerable FPR;
that is because lots of normal activities are not considered
or have been missed in the profile-building/training phase.
This form of IDS constructs a profile of normal activities
across nodes in the LLN. The anomaly-based IDS requires
less storage compared to the misuse-based IDS, but consumes
more processing power, especially in the training period [16].
Additionally, determining what is normal requires a compre-
hensive dataset of legitimate activities and also requires a long
adaptation period.
3) Specification-Based: This IDS uses a defined notion of
normal behavior and highlights any deviation from it. How-
ever, and unlike the anomaly-based approach, expert manual
assistance is typically required to define the specification of the
normal profile. (This may take the form of a protocol specifica-
tion for example.) This strategy is widely used by researchers
on account of its small storage requirement and reasonable
FPR and FNR performance and requiring no training period.
Furthermore, according to [41], this approach is well-suited
to detecting topology or rank-based attacks in RPL networks.
However, specification-based IDS cannot update its normal
profile when the network topology changes or when there is an
increase or decrease in the number of nodes. Manual updates
to the specification will be needed.
4) Hybrid: To remedy the shortcomings of the detection
strategies mentioned above, researchers have sought to com-
bine the detection strategies to produce hybrid IDSs to mon-
itor the network. A hybrid IDS typically provides a better
detection rate and performance at the expense of greater
resource (computation and energy) consumption. Researchers
seek practical trade-offs between accuracy and LLN nodes
resource exhaustion.
C. Response
An IDS generally seeks to detect intrusions. Once detected,
a decision needs to be made as to how to respond. We can
categorize responses into two major groups:
1) Passive Response: Here, the security administrator or
the system users will be informed about the occurrence of
abnormal activities. No automated corrective action is taken
as a result. The ‘response’ must be manually invoked.
2) Active Response: Here, the response is automatic and
takes place when specific categories of attacks are noticed.
PASIKHANI et al.: IDSs IN RPL-BASED 6LoWPAN: A SYSTEMATIC LITERATURE REVIEW
TABLE V
M ONITORING T ECHNIQUES AND D ETECTION S TRATEGIES IN IDS
Active intrusion detection systems log and notify the security
administrator in the same way as passive ones do, but they can
also take extra actions to counter the intrusion. For instance,
they may alter Access Control Lists (ACLs) on a firewall in
order to terminate malevolent traffic, block processes on the
server subject to the intrusion, or guide the intruder to a trap
or “safe environment” created by security administrators.
V. M ONITORING T ECHNIQUES
Earlier IDSs dedicated a solitary monitoring node to analyze
and watch the events either in a hosted device or a specific
network. This is called Centralised IDS (CIDS). In the RPL
network the CIDS is usually placed at the 6BR because it
incurs lower energy and computational overheads compared
with LLN nodes. CIDS is prone to highly sophisticated and
distributed intrusions and Single Point of Failure (SPoF). That
is because the computational power of 6BR may sometimes
be overwhelmed and a considerable proportion of incoming
network traffic not being analyzed. To address CIDS issues the
Distributed IDS (DIDS) carries out data monitoring and/or IDS
detection tasks at several locations. Although DIDS is a bet-
ter candidate for computer networks, demanding 6LoWPAN
network nodes participate in monitoring and detection tasks
causes very significant network overheads. Researchers have
considered different placements of DIDS in LLNs to balance
the number of agents in a way that covers a reasonable number
of nodes. In the most computationally expensive scenarios the
monitoring and detection duty is spread across all nodes. One
of the most effective distributed placements of IDSs, a cluster-
ing placement that divides the LLN into clusters with cluster
heads with various combinations of tasks among nodes and
heads, is discussed in detail in [111]. The placement of IDSs
and their monitoring nodes plays an essential role in reducing
network overheads, saving energy resources, reducing FAR,
and increasing the detection rate of attacks. Fig. 4 depicts
existing monitoring techniques for IDS in LLN.
Although the 6BR has sufficient hardware resources to
carry out heavy computation and host a comprehensive IDS,
communication between LLN nodes and the 6BR results
in very significant overheads on the network. Placing IDS
agents on the sensors can reduce the control packet overhead
associated with network monitoring. However, such LLN
Authorized licensed use limited to: Univ of Calif Santa Barbara. Downloaded on June 23,2021 at 12:58:49 UTC from IEEE Xplore. Restrictions apply.
12953
sensors have limited resources and IDS computation may drain
their computational resources (processing, storage, ROM, and
energy). Placing IDS agents across dedicated nodes can reduce
monitoring traffic, provide us with more processing capacity,
and enable the IDS to monitor a wider area.
The IDS can be placed at various locations in the IoT
network, such as sinknode/6BR, predefined devices, or all
nodes. Nodes that host IDS can have different responsibilities.
In the distributed IDS the nodes can be responsible for
monitoring neighboring sensors. A node that is responsible for
monitoring its neighbors is usually referred to as a watchdog.
The centralized IDS is placed at an individual node and works
alone. In an IoT network it typically is placed on the border
router or a dedicated host. Since the border router is the bridge
between LLNs and outside world placing the IDS in the 6BR
allows monitoring and analysis of the internal and external
traffic to the 6LoWPAN network [16].
Nevertheless, analyzing traffic between LLNs and the Inter-
net that traverses the border router is not enough to secure the
network because it cannot watch the activities that are taking
place among the nodes unless they are near the 6BR. Addi-
tionally, the centralized IDS may have difficulty monitoring
compromised nodes. The IDS monitoring technique divides
into two categories called Active and Passive monitoring,
whether the LLN node participates in the monitoring tasks
or not. Table V gives the pros and cons of each monitoring
technique.
A. Active Monitoring
In this kind of monitoring, the LLN nodes are responsible
for monitoring tasks. The monitoring tasks can be transferring
packets or gathering monitored information, and analyzing
them. This monitoring technique divides into three subcate-
gories: centralized, decentralized or hybrid.
1) Centralized Monitoring: In active centralized monitoring,
a single central unit is responsible for analyzing and judging
the collected packets. Meanwhile, the rest of the nodes need
to monitor, capture, and store the data and transfer them to
the Central Manager unit (CM). The CM node aggregates
received data and analyses it. Usually, the CM has better
computational hardware resources than other nodes in the
RPL network. It can be a local server or manifest itself as a
12954
Fig. 4. Monitoring techniques.
cloud-based service. This type of IDS works well over small
scale networks. However, in larger-scale networks the CM is
more likely to face route congestion and suffer from significant
overheads and SPoF.
2) Decentralized Monitoring: This type of monitoring is
similar to a centralized approach where each node still has
responsibility for packet collection and transportation. How-
ever, unlike active centralized IDS, the distributed nodes are
usually router nodes or cluster heads and need to perform
decision making tasks. Therefore, there would be reduced load
on the LLN nodes in the network compared with central-
ized monitoring. Although decentralized monitoring conserves
nodes’ hardware resources better than a centralized one, it still
places significant computational and energy demands on LLN
resources.
3) Hybrid Monitoring: In an active hybrid approach, both the
CM and distributed nodes share responsibility for monitoring
and decision-making in the network. However, LLN nodes
must still collect and transfer their information to IDS agent
nodes and so there may be computational exhaustion of LLN
nodes’ resources.
B. Passive Monitoring
In this approach, monitoring nodes (sniffers) are assigned in
the 6LoWPAN to sniff and collect control packets from their
neighborhood. They are responsible for collecting information
about nodes and events occurring in the target network. Passive
monitoring employs centralized and decentralized approaches,
as described below.
Authorized licensed use limited to: Univ of Calif Santa Barbara. Downloaded on June 23,2021 at 12:58:49 UTC from IEEE Xplore. Restrictions apply.
IEEE SENSORS JOURNAL, VOL. 21, NO. 11, JUNE 1, 2021
1) Centralised: In this approach, the monitoring nodes pas-
sively listen to the communications in the network, then
collect the data before sending it to the sink node, which
is responsible for analyzing and decision-making. PCIDS is
capable of conducting a more in-depth analysis of the collected
data remotely, on the edge or cloud, where more computational
resources are available; however, this results in a delay for
attack detection.
2) Decentralized: In this approach, the central manage-
ment unit and several monitoring nodes are responsible for
monitoring tasks like data aggregation and analysis. Several
monitoring nodes can be placed in the network to do data
collection, and aggregation tasks. The sniffers can be involved
in sending the collected data from their neighboring nodes to
the monitoring nodes. Next, monitoring nodes can perform
data aggregation before forwarding information to the sink
node for deeper analysis. In this way, the target node gets
analyzed from both local and global perspectives.
VI. VALIDATION
A. Validation Approaches
Researchers use different IDS validation approaches, as dis-
cussed below.
1) Simulation: This strategy is the most widely used
approach for IDS validation in this domain. Here, researchers
either validate their method against a dataset generated through
simulation of several normal and attack scenarios or implement
their proposed algorithm in the simulator and validate its
performance at run-time using different evaluation metrics.
There are several pros and cons to using this validation
PASIKHANI et al.: IDSs IN RPL-BASED 6LoWPAN: A SYSTEMATIC LITERATURE REVIEW 12955

TABLE VI
S TATE - OF - THE -A RT IDS T ECHNIQUES

method. The main advantage of simulation is its low cost,
low implementation effort, and compressed experimental time
(i.e. simulated time is far quicker than real-time). The majority
of simulators in this field are open-source and implementing
a large number of nodes does not significantly increase the
project cost. Moreover, the time taken to implement and
test ideas can be drastically decreased compared to empiri-
cal approaches. However, simulation outcomes may be less
reliable than those of empirical validation.
2) Empirical: This approach collects the evidence through
an experimental network setup. It is considered as the most
reliable approach for evaluating any proposed system. How-
ever due to high economic costs, effort and time barriers,
the implementation and use of an extensive heterogeneous IoT
network in a wide geographical area for a long duration is not
feasible using this validation method.
3) Theoretical: a solid theoretical argument to support
research outcomes. This includes, e.g. relating a model to
attribute properties it is intended to represent [112].
4) Hypothetical: This validation strategy is used when the
applicability of the proposed method in practice is not clearly
specified.
5) No Validation: There are several researches in this field
that did not provide any evidence for their proposed methods.
This is the most unreliable approach for validation.
B. Evaluation Metrics
Researchers use several metrics to measure the performance
of their proposed methods. It is common to measure the
accuracy and effectiveness of the proposed IDS in classifying
malicious and normal packets. One of the most comprehensive
ways to calculate the performance of a classifier is the confu-
sion matrix, illustrated in Fig. 6. It summarizes four aspects
of binary classification: the numbers of True Positives (TP),
True Negatives (TN), False Positives (FP), and False Nega-
tives (FN). Each source event is classified as either an attack
or normal. The positive is the intrusion class, and negative
is the normal one. Most studies seek to minimize the False
Positive Rate (FPR) and False Negative Rate (FNR). Both
false classification of malicious activity as normal (FN) and the
false classification of normal packets as malicious (FP) incur
costs. In contrast, the correct classification of intrusions (TP)
and normal activities (TN) incurs no cost other than the
costs of deploying the IDS (C0) (Fig 6, B). Reducing the

Authorized licensed use limited to: Univ of Calif Santa Barbara. Downloaded on June 23,2021 at 12:58:49 UTC from IEEE Xplore. Restrictions apply.
12956 IEEE SENSORS JOURNAL, VOL. 21, NO. 11, JUNE 1, 2021

Fig. 5. IDS taxonomy.

FPR is generally considered easier than reducing the FNR. the proposed detection technique.
Of course, the FNR is significantly sensitive to inability to FN
detect unknown intrusions. FNR = (1)
FN + T P
In Fig. 6, FNs and FPs have different negative conse- FP
quences. A considerable number of FPs causes system man- FPR = (2)
FP + T N
agement to waste time and can lead to loss of confidence.
The Packet Delivery Ratio (PDR), equation 3, is the ratio
A high FN indicates that the IDS is failing to perform the
between the total number of application packets received by
primary task it was designed for. The FN rate, equation 1,
the final destination nodes and the total number of application
is usually higher than the FP rate, equation 2. Reducing FP
packets sent by senders.
is more challenging but essential. Normal packets usually n
significantly outnumber malicious ones and this will generally i=1 Preceivedi
PDR =  n (3)
have consequences for the reliability of trained classifiers for j =1 Psent j

Authorized licensed use limited to: Univ of Calif Santa Barbara. Downloaded on June 23,2021 at 12:58:49 UTC from IEEE Xplore. Restrictions apply.
PASIKHANI et al.: IDSs IN RPL-BASED 6LoWPAN: A SYSTEMATIC LITERATURE REVIEW 12957

Fig. 6. Decision threshold and confusion matrix.

The Detection Rate (DR), equation 4, is another widely used is not the aim of this study. Table VII and, VIII summarize the
metric in this field. It declares how and in what measure the results provided in each piece of research using the evaluation
IDS succeeds in detecting the attacks. metrics discussed in section VI-B. Studying and analyzing
TP Tables IV, VI, VII, and VIII help us to answer each question
Recall = DR = TPR = (4) in turn.
T P + FN
The Control Packet Overhead (CPO) is the total number
of DODAG control packets (DIO, DAO, and DIS) initiated A. To What Extent Are RPL Attacks Addressed
by each node, equation 5. In order to calculate the power so Far (Q 1)
consumption of a node, researchers use equation 6, which is In Section IV, we introduced and described a comprehen-
the sum of total energy consumed by the machine and the sive set of known RPL attacks. Fig. 7.A illustrates to what
network (Energy consumption) divided by the elapsed time extent each RPL attack has been addressed so far, based
in seconds. on Table VII and VIII data. The extracted information shows
n that the proposals mostly concentrate on addressing sinkhole,
CPO = (DO D AGContr ol Packet)i (5) selective forwarding, DIS flooding, and blackhole attacks, with
i=1 21%, 14%, 10%, and 10% of papers, respectively. The rest of
Energy consumed(mJ) the attacks constitute less than half of the researches’ attention,
Power Consumption = (6)
Time(s) 45% in total. There are two explanations; either the dominant
attacks are the most disruptive malicious activities that are
The End to End (E2E) delay gives the average time elapsed
harming LLN, or the less considered attacks are less easily
when transferring a packet from a source to its destination,
detected. Hence, there is a significant need for research to
equation 7.
n mitigate all intrusions or concentrate more on those receiving
di little attention. Our survey did not find any study propos-
E2E Delay = i=1 (7)
n ing an IDS to mitigate Worst Parent, External Wormhole,
Accuracy, given in Equation 8, is the fraction of all events OF Manipulation Attacks. Also, very few propose IDS to
that are correctly classified (either as malicious or normal). mitigate Replay, DODAG inconsistency, DAO inconsistency,
Precision, given in Equation 9, is the fraction of all posi- Neighbor attacks, and Rank attacks. No comprehensive study
tive classifications (i.e. alarms) that are correct. Precision is in this field mitigates all types of RPL attack. Because some
focused on positive classifications whilst accuracy considers RPL attacks are similar in nature, the ideal IDS should be able
both positive and negative classifications. not only to detect the occurrence of attacks but also identify the
type of attack accurately and identify intruder nodes correctly.
TP +TN
Accuracy = (8)
T P + FP + T N + FN
TP B. Negative Impact of Each RPL Attack (Q 2)
Precision = (9)
T P + FP Studying the proposed methods enables us to determine to
what degree each RPL attacks cause abnormality in 6LoW-
VII. D ISCUSSION PAN. Discovering the adverse impact level of each RPL
Our study reviews 103 papers in order to answer the attack requires an in-depth analysis of each intrusion over
questions posed in section I.A. The results provided by several LLN scenarios, which is accomplished by the already
researchers are considered as the basis for evaluating and reviewed researches mentioned in section III. Table IV shows
comparing their proposed methods. Justifying the correctness the negative impact of each attack from different perspectives
and trustworthiness of the provided results claimed by authors that are scaled with regards to terminology used in the studied

Authorized licensed use limited to: Univ of Calif Santa Barbara. Downloaded on June 23,2021 at 12:58:49 UTC from IEEE Xplore. Restrictions apply.
12958 IEEE SENSORS JOURNAL, VOL. 21, NO. 11, JUNE 1, 2021

TABLE VII
S TATE - OF - THE -A RT R ESEARCH O UTCOMES ON IDS IN L OW P OWER AND L OSSY N ETWORK (LLN)

Authorized licensed use limited to: Univ of Calif Santa Barbara. Downloaded on June 23,2021 at 12:58:49 UTC from IEEE Xplore. Restrictions apply.
PASIKHANI et al.: IDSs IN RPL-BASED 6LoWPAN: A SYSTEMATIC LITERATURE REVIEW 12959

TABLE VIII
S TATE - OF - THE -A RT R ESEARCH E XPERIMENT S ETUP ON IDS IN L OW P OWER AND L OSSY N ETWORK (LLN)

Authorized licensed use limited to: Univ of Calif Santa Barbara. Downloaded on June 23,2021 at 12:58:49 UTC from IEEE Xplore. Restrictions apply.
12960
Fig. 7. Mitigated attacks (A) and research objectives (B) proportions.
Fig. 8. The adverse effects of RPL attacks on LLN.
paper. This answers Q2 and helps researchers to concentrate
more on the most destructive malicious activities. Table IV,
Fig. 8 and Fig. 9 reveal that the version number attack is the
most disruptive intrusion on the LLN, while OF manipulation
and worst parent attacks cause the least disruption (which
makes their detection harder). Analyzing the affected para-
meters would help researchers to detect such attacks. Each
RPL attack manipulates and harms the target network in
various aspects with different strengths; therefore, precise and
accurate algorithms are required for IDS to not only detect the
occurrence of attack but also to classify the type of intrusion
to distinguish the intruder node correctly.
C. Technical Performance Objectives (Q 3)
The primary stated objectives of the reviewed IDS
approaches are to achieve the high TPR/Detection Rate (Obj1),
low energy consumption overheads (Obj2), low Control Packet
Overhead (Obj3), low FAR(Obj4), ability to protect networks
that have mobile nodes (Obj5), provide mitigation for mul-
tiple attacks (Obj6), evaluation over many and heterogeneous
Authorized licensed use limited to: Univ of Calif Santa Barbara. Downloaded on June 23,2021 at 12:58:49 UTC from IEEE Xplore. Restrictions apply.
IEEE SENSORS JOURNAL, VOL. 21, NO. 11, JUNE 1, 2021
Fig. 9. Negative impact level of each RPL attack.
networks (Obj7), resilience against unknown intrusions (Obj8),
providing intrusion prevention mechanisms (Obj9), and high
PDR (Obj10). There are multiple objectives that can be used
for evaluation purposes. Many pieces of research address only
one or a small number of these and provide no information
on the others. We cannot assume that the implemented sys-
tems perform well on objectives that have not been formally
evaluated, and so the practical applicability of such IDS
in real-world networks is doubtful. Often researchers call
their method comprehensive in all terms without providing
sufficient evidence to prove their claim. Table IX and Fig. 7.B
show the objective of each study based on statements and
the results provided in their paper. In order to discover
the minimum, maximum, first quartile, mean, median, third
quartile value of each detection and monitoring technique
used by researchers, we analyze the provided results in
Table VII and VIII and extract essential information shown in
Fig. 11. With regards to extracted data we illustrate to what
extent researchers satisfy the objectives, in Fig. 10. Enhancing
the detection rate (Objective 1) is the primary aim of 17% of
the reviewed papers. Although 58% of researches satisfied the
requirement of this objective, 8.7% could not fully answer this
PASIKHANI et al.: IDSs IN RPL-BASED 6LoWPAN: A SYSTEMATIC LITERATURE REVIEW 12961

TABLE IX
R ESEARCHERS O BJECTIVES

Fig. 10. Aimed objectives.

need, and 33.3% did not address this essential requirement of

IDS. This study discovers that 65.2% of proposed methods
would be able to detect unknown intrusions (Objective 8) with
the attention of 23% of papers.

D. Monitoring Techniques Implementation

Proportion (Q 4)
76.8% of the proposed methods use active monitoring sys-
tems and the remaining 23.2% use passive monitoring, using
Fig. 12.A. Active monitoring techniques enable the researcher
to reduce the financial cost of the network, as there is no need
for extra equipment and sniffers to probe the LLN. Further-
more, LLN nodes can provide host machine configuration and
other information, which is not available in passive monitoring
techniques. However, assigning the monitoring tasks to the
LLN constrained nodes increases network traffic overhead
as nodes need to transfer their information to centralized or
decentralized IDSs. The passive monitoring technique can
reduce the active monitoring shortcomings while providing
IDS with less detail about LLN nodes. Moreover, even though
passive monitoring can provide a comprehensive view of
the monitored network [113], the use of separate network
communication (i.e. a collection of probes) may increase E. Proposed IDS Strategies (Q 5)
overhead costs and restricts their benefit to the small-scale Sections IV and V discussed existing IDS techniques and
and controlled network. As a result, and as seen from Fig. 12, monitoring methods in the literature. Fig. 12.B, and Fig. 12.C
most proposals use active monitoring. Researchers in [89] use show the proportions of each IDS strategy built on by the
a different channel for IDS agents’ communication to reduce reviewed papers and the proportion of their response types,
the negative impacts of IDS communication on LLN in pas- respectively. We can see that the majority, 54%, of the
sive monitoring techniques. Table VI shows what monitoring introduced methods use a specification-based detection strat-
technique is used in each research, and Table V gives each egy to mitigate RPL attacks, 21% are hybrid, 17% are
monitoring technique’s strengths and weaknesses. anomaly-based, and the remaining 8% are signature-based

Authorized licensed use limited to: Univ of Calif Santa Barbara. Downloaded on June 23,2021 at 12:58:49 UTC from IEEE Xplore. Restrictions apply.
12962 IEEE SENSORS JOURNAL, VOL. 21, NO. 11, JUNE 1, 2021

Fig. 11. Statistical results regarding monitoring(left) and detection(right) strategies.

IDS. This noticeable difference in proportions is because

specification-based IDS uses less storage space and con-
sumes less computational resource than misuse-based and
anomaly-based detection approaches. However, such IDSs are
inflexible and do not adapt automatically to attacks, as stated
in section IV-B.

F. Shortcomings of Proposed Methods (Q 6)

Studying Fig. 10 and Fig. 11 shows the vulnerabilities and
disadvantages of each IDS strategy in LLN. Further study
is required to address the shortcomings stated in Table V.
From Fig. 11, we can see that researchers receive the least
FPR and the best TPR using misuse detection techniques
with 1% and 95.2% FPR and TPR, respectively. However,
none of the proposed misused-based IDS, which constitute
8% of all proposed methods, provides any evaluation of
FNR, which is an essential metric, especially for evaluating
signature-based IDS. Anomaly IDS provides the researchers
with the least FNR of 5.8% and better detection rate than the
specification-based method, on average, 92.3% TPR. However,
as we expect in section IV-B, the FPR of anomaly-based and
specification-based methods was higher than signature-based
IDS, with 5% and 12.2% FPR, respectively. Although 21%
of researchers attempt to minimize the FPR and receive the Fig. 12. The proportion of each monitoring technique (A), detection
strategy (B) and response type (C).
optimum TPR by developing a hybrid IDS, this detection
strategy provides researchers with 88.4% TPR and 6.8% FPR
on average. The illustrated results in Fig. 11 and the proportion the mentioned datasets include either 6LoWPAN traffic or any
of detection strategies in Fig. 12, reveal the need for further RPL-based attacks. This is because they were not generated
investigation into hybrid detection strategies to boost the through IoT simulation or empirical experiments and mostly
performance of IDS in the 6LoWPAN. include application layer intrusions. The lack of an official,
reliable dataset compelled researchers in this field to evaluate
G. Datasets and Simulators Used by Researchers (Q 7) their proposed methods through simulation or empirical exper-
There are several well-known intrusion datasets developed iments. Table X introduces several simulators that exist in this
through simulations, Capture The Flag (CTF) competitions, field and are widely used by researchers for simulation and
or empirical lab experiments. These have been used by evaluation purposes. Some of these simulators are employed
researchers to train and test their proposed methods to detect more than others. 73% of the proposed researches in this
various types of attacks. Some very well known datasets are domain have used the Cooja simulator for simulation and
KDD 99, NSL-KDD, Defcon, and CDX. However, none of evaluation purposes. The authors of [114] compared different

Authorized licensed use limited to: Univ of Calif Santa Barbara. Downloaded on June 23,2021 at 12:58:49 UTC from IEEE Xplore. Restrictions apply.
PASIKHANI et al.: IDSs IN RPL-BASED 6LoWPAN: A SYSTEMATIC LITERATURE REVIEW 12963

TABLE X
T HE M OST P OPULAR N ETWORK S IMULATORS

simulators for RPL networks. However, some well-known

simulators such as Netsim, Opnet, NS-3, and Matlab did not
appear in their study; we include them here while adding more
detail to the information on existing simulators. The average
numbers of normal and malicious nodes in the testbeds are
49 and 4, respectively. Researchers model 8.2% of nodes as
malicious on average. The minimum, average, and maximum
experiment runtimes were 30, 2196, and 50000 seconds,
respectively.

H. Used Evaluation and Validation Methods (Q 8)

We investigated to what extent each validation method was
used to evaluate the proposed mitigation technique in this
domain. Using a simulator for validation has the lion’s share
with 86%, while empirical validation makes up only 7%.
Providing more evaluation results can help the readers to
understand the strength and weaknesses of the investigated
IDS. However, researchers mostly did not provide sufficient
evidence to justify the achievement of their aimed contribution
Fig. 13. The evaluation metrics and their usage.
by comparing the performance of the proposed method over
normal and attack scenarios. Researchers provide the least evi-
dence for FNR while it is crucial for evaluating the capability
of IDS. Fig. 13 reveals to what extent each evaluation metric
was considered by researchers.

Authorized licensed use limited to: Univ of Calif Santa Barbara. Downloaded on June 23,2021 at 12:58:49 UTC from IEEE Xplore. Restrictions apply.
12964
TABLE XI
ML B ASED IDS FOR RPL
VIII. F UTURE R ESEARCH D IRECTIONS
Reviewing the proposed IDS approaches for RPL enables us
to identify gaps and research opportunities. We believe further
study on the aforementioned and less-investigated research
questions can enhance RPL security and make it more resilient.
Below we summarize the remaining gaps and provide some
suggestions to address them. Further study opportunities are
provided to answer Q9.
A. Lack of a Comprehensive, Collaborative IDS
Fig. 12.A and Table VI reveal that the majority of proposed
methods employ active hybrid monitoring techniques. How-
ever, the conducted researches consider only one DODAG
with a single border router in their scenarios. Secure 6LoW-
PAN against sophisticated intrusions (e.g. cooperative attacks)
requires the development of distributed collaborative IDS to
monitor several LLNs from a global perspective, with different
LLNs informing each other of newly discovered intrusions.
B. Lack of Hybrid IDS in Terms of the System Design
We did not find any combination of HIDS and NIDS to
secure IoT against both application layer and network layer
attacks. IoT faces significant attacks from both levels and so
fusing the best aspect of HIDS and NIDS seems essential.
C. Comprehensive in Detecting Attacks
Existing studies in IDS are often limited to the detection of
one or a very small number of RPL attacks. Our review did not
find any proposed IDS securing LLN against all known types
of RPL attacks. There seems to be significant opportunity for
detectors that can operate effectively over the range of possible
attacks (both known and unknown).
D. Exploiting Machine Learning for Defence
Table XI shows the ML-based IDSs proposed to secure
networks against RPL-attacks. Some of the proposed
approaches [45] are scenario-based and may not perform well
in LLNs different to the training target. There is a significant
opportunity to further explore the rich defensive possibilities
offered by ML. Crafting resource efficient intrusion detectors
seems an obvious and important target for the application
of ML, e.g. use ML to synthesize RPL attack detectors that
consume little power.
Authorized licensed use limited to: Univ of Calif Santa Barbara. Downloaded on June 23,2021 at 12:58:49 UTC from IEEE Xplore. Restrictions apply.
IEEE SENSORS JOURNAL, VOL. 21, NO. 11, JUNE 1, 2021
E. ML-Based Intrusions
ML has proven to be very powerful and effective in detect-
ing intrusions but what if intruders decide to use ML to
establish ML-based RPL intrusions? After discovering vulner-
abilities in the targeted LLN, intruders can adopt an ML-based
malicious system (e.g., using a reinforcement learning algo-
rithm) to enter a game with the RPL network and discover
the most effective intrusion for damaging nodes’ CIA. Since
intruders may use advanced ML algorithms to achieve their
goals, detecting such intrusions might be challenging. Thus,
ML may be used to synthesize effective and highly stealthy
strategies for attack. This study has not found any IDS research
capable of securing LLN against such sophisticated intrusions.
F. Evaluating the Detection of Unknown Attacks
The anomaly-based, specification-based, and hybrid IDSs
are known for their capability in detecting unknown intrusions.
Although 17%, 54%, and 21% of existing IDSs employ
such detection strategies respectively, we did not find any
performance evaluation of these IDS over unknown attacks.
Here, an unknown intrusion is an attack that IDS is not trained
for.
G. Study Dynamic Scenarios
The proposed IDSs mostly consider a network scenario with
a fixed number of nodes in a static environment. However,
an LLN is a lossy and unstable dynamic network. Nodes may
continuously move in and out of the LLN. Hence, the number
of nodes increases and decreases over time. Therefore, it is
essential to consider such a dynamic, unstable and scalable
network while developing IDS for RPL because such elements
have a direct effect in the detection of attacks such as DIS
flooding, SH, SF etc.
H. Improve Validation Strategies
Validating a detection technique in order to design effective
security measures for IoT networks and, more specifically,
for RPL-based networks, requires realistic traces. The main
two approaches to generate traces are simulation and test-
beds. Several simulation tools available in this domain, some
open-source and others with paid licenses, are compared
in Table X. Modeling the real world IoT-RPL environment
PASIKHANI et al.: IDSs IN RPL-BASED 6LoWPAN: A SYSTEMATIC LITERATURE REVIEW
requires a proper simulation tool. Having the right RPL
behavior will enable the researchers to simulate the aforemen-
tioned attacks and evaluate practical detection and mitigation
techniques.
A physical testbed provides another validation means. How-
ever, researchers generally use a very small-scale collection
of devices, which in return cannot mimic the actual IoT
networks running RPL as the routing protocol. As indicated
in section VII.G, the average number of nodes of the testbeds
implemented by researchers was 49. A large-scale testbed of,
say, a smart city, that includes a large number of IoT devices
would be a major resource.
There is a pressing need for a comprehensive RPL network
dataset that is freely available for researchers. This would be
a major research enabler, allowing meaningful evaluation of
any proposed RPL IDS techniques.
I. Real Time Notification
Accurate and timely detection of malicious activities criti-
cally depends on the monitoring technique adopted. The ability
to detect breaches early is the most valuable aspect of any IDS.
As stated in section V, there are several proposed methods
for deciding on where to place the monitoring nodes and the
IDS agents for monitoring and detection purposes. However,
the large number of geographically spaced connected devices
makes it hard to inspect packets in real-time. This negatively
impacts the alarm and response time. There is a need for more
research to provide the means for IDS to detect RPL attacks
accurately while providing real-time notifications.
J. Adopt a Lightweight Approach
The LLN nodes are constrained by nature and barely
function properly for their assigned tasks; they are constrained
in processing, memory and power and may not be able to
hold tasks other than the ones assigned to them. Furthermore,
the network suffers from a wide range of different disruptive
attacks, as mentioned in section III. Designing a complex
detection algorithm that can mitigate major RPL attacks is
more likely to exhaust LLN node computational and energy
resources. Therefore, future IoT-RPL intrusion detection solu-
tions must be powerful yet lightweight.
IX. C ONCLUSION
The features and capabilities of IoT devices allow them to
be utilized and incorporated everywhere: in health care sectors,
smart cities, smart homes, and industrial environments. They
have become significant targets while their computational
limitations make them vulnerable. The RPL protocol underpins
the network operation of many modern LLNs. This review has
explored attacks against this protocol and identified the state-
of-the-art in the use of IDSs to mitigate attacks on networks
that run this protocol. We have identified significant research
gaps and proposed possible future research directions.
R EFERENCES
[1] L. Horwitz. The Future of IoT Miniguide: The Burgeoning IoT
Market Continues. Accessed: Mar. 20, 2021. [Online]. Avail-
able: https://www.cisco.com/c/en/us/solutions/internet-of-things/future-
of-iot.html
Authorized licensed use limited to: Univ of Calif Santa Barbara. Downloaded on June 23,2021 at 12:58:49 UTC from IEEE Xplore. Restrictions apply.
12965
[2] T. Park, N. Abuzainab, and W. Saad, “Learning how to
communicate in the Internet of Things: Finite resources and
heterogeneity,” 2016, arXiv:1610.01586. [Online]. Available:
https://arxiv.org/abs/1610.01586
[3] D. Midi, A. Rullo, A. Mudgerikar, and E. Bertino, “Kalis—A system
for knowledge-driven adaptable intrusion detection for the Internet of
Things,” in Proc. IEEE 37th Int. Conf. Distrib. Comput. Syst. (ICDCS),
Jun. 2017, pp. 656–666.
[4] E. Fernandes, A. Rahmati, K. Eykholt, and A. Prakash, “Internet of
Things security research: A rehash of old ideas or new intellectual
challenges?” IEEE Secur. Privacy, vol. 15, no. 4, pp. 79–84, Aug. 2017.
[5] B. B. Zarpelao, R. S. Miani, C. T. Kawakani, and S. C. de Alvarenga,
“A survey of intrusion detection in Internet of Things,” J. Netw.
Comput. Appl., vol. 84, pp. 25–37, Apr. 2017. [Online]. Available:
https://www.sciencedirect.com/science/article/pii/S1084804517300802
[6] P. Pongle and G. Chavan, “A survey: Attacks on RPL and 6LoWPAN in
IoT,” in Proc. Int. Conf. Pervasive Comput. (ICPC), Jan. 2015, pp. 1–6.
[7] D. Airehrour, J. Gutierrez, and S. K. Ray, “Secure routing for Internet
of Things: A survey,” J. Netw. Comput. Appl., vol. 66, pp. 198–213,
May 2016. [Online]. Available: https://www.sciencedirect.
com/science/article/pii/S1084804516300133
[8] A. Raoof, A. Matrawy, and C.-H. Lung, “Routing attacks and mit-
igation methods for RPL-based Internet of Things,” IEEE Commun.
Surveys Tuts., vol. 21, no. 2, pp. 1582–1606, 2nd Quart., 2019.
[9] L. Wallgren, S. Raza, and T. Voigt, “Routing attacks and countermea-
sures in the RPL-based Internet of Things,” Int. J. Distrib. Sensor Netw.,
vol. 9, no. 8, Aug. 2013, Art. no. 794326, doi: 10.1155/2013/794326.
[10] A. Mayzaud, R. Badonnel, I. Chrisment, and I. G. Est-Nancy, “A tax-
onomy of attacks in RPL-based Internet of Things,” Int. J. Netw. Secur.,
vol. 18, no. 3, pp. 459–473, 2016.
[11] F. Hussain, R. Hussain, S. A. Hassan, and E. Hossain, “Machine
learning in IoT security: Current solutions and future challenges,”
IEEE Commun. Surveys Tuts., vol. 22, no. 3, pp. 1686–1721,
3rd Quart., 2020.
[12] A. Verma and V. Ranga, “Security of RPL based 6LoWPAN networks
in the Internet of Things: A review,” IEEE Sensors J., vol. 20, no. 11,
pp. 5666–5690, Jun. 2020.
[13] H.-S. Kim, J. Ko, D. E. Culler, and J. Paek, “Challenging the IPv6
routing protocol for low-power and lossy networks (RPL): A sur-
vey,” IEEE Commun. Surveys Tuts., vol. 19, no. 4, pp. 2502–2525,
Sep. 2017.
[14] A. Mosenia and N. K. Jha, “A comprehensive study of security of
Internet-of-Things,” IEEE Trans. Emerg. Topics Comput., vol. 5, no. 4,
pp. 586–602, Dec. 2017.
[15] I. E. Korbi, M. B. Brahim, C. Adjih, and L. A. Saidane, “Mobility
enhanced RPL for wireless sensor networks,” in Proc. 3rd Int. Conf.
Netw. Future (NOF), Nov. 2012, pp. 1–8.
[16] S. Raza, L. Wallgren, and T. Voigt, “SVELTE: Real-time intrusion
detection in the Internet of Things,” Ad Hoc Netw., vol. 11, no. 8,
pp. 2661–2674, 2013. [Online]. Available: https://www.sciencedirect.
com/science/article/pii/S1570870513001005
[17] A. Le, J. Loo, Y. Luo, and A. Lasebae, “Specification-based IDS for
securing RPL from topology attacks,” in Proc. IFIP Wireless Days
(WD), 2011, pp. 1–3.
[18] T. Winter et al., RPL: IPv6 Routing Protocol for Low-Power and Lossy
Networks, document RFC 6550, 2012, pp. 1–157.
[19] J. Vasseur, M. Kim, K. Pister, N. Dejean, and D. Barthel, Routing
Metrics Used for Path Calculation in Low-Power and Lossy Networks,
document RFC 6551, IETF, 2012, pp. 1–30.
[20] J. Martocci, P. De Mil, N. Riou, and W. Vermeylen, Building
Automation Routing Requirements in Low-Power and Lossy Networks,
document RFC 5867, Internet Engineering Task Force, 2010.
[21] A. Brandt, J. Buron, G. Porcu, and T. Italia, Home Automation Routing
Requirements in Low-Power and Lossy Networks, document RFC 5826,
2010.
[22] M. Dohler, T. Watteyne, T. Winter, and D. Barthel, Routing Require-
ments for Urban Low-Power and Lossy Networks, document RFC 5548,
2009.
[23] K. Pister, P. Thubert, C. Systems, S. Dwars, and T. Phinney,
Industrial Routing Requirements in Low-Power and Lossy Networks,
document RFC 5673, 2009.
[24] A. Khosla and T. C. Aseri, “Comparative analysis of objective functions
in routing protocol for low power and lossy networks,” Int. J. Future
Revolution Comput. Sci. Commun. Eng., vol. 4, no. 3, pp. 556–562,
2018.
12966
[25] J. V. V. Sobral, J. J. P. C. Rodrigues, R. A. L. Rabêlo, J. Al-
Muhtadi, and V. Korotaev, “Routing protocols for low power and
lossy networks in Internet of Things applications,” Sensors, vol. 19,
no. 9, p. 2144, 2019. [Online]. Available: https://www.mdpi.com/1424-
8220/19/9/2144
[26] A. Musaddiq, Y. B. Zikria, Zulqarnain, and S. W. Kim, “Routing
protocol for low-power and lossy networks for heterogeneous traffic
network,” EURASIP J. Wireless Commun. Netw., vol. 2020, no. 1,
pp. 1–23, Dec. 2020.
[27] N. Pradeska, Widyawan, W. Najib, and S. S. Kusumawardani, “Per-
formance analysis of objective function MRHOF and OF0 in routing
protocol RPL IPv6 over low power wireless personal area networks
(6LoWPAN),” in Proc. 8th Int. Conf. Inf. Technol. Electr. Eng. (ICI-
TEE), Oct. 2016, pp. 1–6.
[28] X. Liu, Z. Sheng, C. Yin, F. Ali, and D. Roggen, “Performance analysis
of routing protocol for low power and lossy networks (RPL) in large
scale networks,” IEEE Internet Things J., vol. 4, no. 6, pp. 2172–2185,
Dec. 2017.
[29] A. Le, J. Loo, A. Lasebae, A. Vinel, Y. Chen, and M. Chai, “The impact
of rank attack on network topology of routing protocol for low-power
and lossy networks,” IEEE Sensors J., vol. 13, no. 10, pp. 3685–3692,
Oct. 2013.
[30] A. Aris, S. F. Oktug, and S. B. O. Yalcin, “RPL version number
attacks: In-depth study,” in Proc. IEEE/IFIP Netw. Oper. Manage.
Symp. (NOMS), Apr. 2016, pp. 776–779.
[31] A. Mayzaud, A. Sehgal, R. Badonnel, I. Chrisment, and J. Schönwälder,
“A study of RPL DODAG version attacks,” in Monitoring and Securing
Virtualized Networks and Services, A. Sperotto, G. Doyen, S. Latré,
M. Charalambides, and B. Stiller, Eds. Berlin, Germany: Springer,
2014, pp. 92–104.
[32] P. Perazzo, C. Vallati, D. Varano, G. Anastasi, and G. Dini, “Imple-
mentation of a wormhole attack against a RPL network: Challenges
and effects,” in Proc. 14th Annu. Conf. Wireless Demand Netw. Syst.
Services (WONS), Feb. 2018, pp. 95–102.
[33] N. Song, L. Qian, and X. Li, “Wormhole attacks detection in wireless
ad hoc networks: A statistical analysis approach,” in Proc. 19th IEEE
Int. Parallel Distrib. Process. Symp., Apr. 2005, p. 8.
[34] P. Thubert et al., Objective Function Zero for the Routing Protocol for
Low-Power and Lossy Networks (RPL), document RFC 6552, 2012.
[35] O. Gnawali and P. Levis, The Minimum Rank With Hysteresis Objective
Function, document RFC 6719, 2012.
[36] O. Gnawali and P. Levis. (2010). The ETX Objective Function for RPL.
[Online]. Available: https://draft-gnawali-roll-etxof-01
[37] A. Brachman, “RPL objective function impact on LLNs topology
and performance,” in Internet of Things, Smart Spaces, and Next
Generation Networking, S. Balandin, S. Andreev, and Y. Koucheryavy,
Eds. Berlin, Germany: Springer, 2013, pp. 340–351.
[38] F. Medjek, D. Tandjaoui, M. R. Abdmeziem, and N. Djedjig, “Analyti-
cal evaluation of the impacts of Sybil attacks against RPL under mobil-
ity,” in Proc. 12th Int. Symp. Program. Syst. (ISPS), Apr. 2015, pp. 1–9.
[39] K. Zhang, X. Liang, R. Lu, and X. Shen, “Sybil attacks and their
defenses in the Internet of Things,” IEEE Internet Things J., vol. 1,
no. 5, pp. 372–383, Oct. 2014.
[40] S. Murali and A. Jamalipour, “A lightweight intrusion detection for
Sybil attack under mobile RPL in the Internet of Things,” IEEE
Internet Things J., vol. 7, no. 1, pp. 379–388, Jan. 2020.
[41] A. Le, J. Loo, K. K. Chai, and M. Aiash, “A specification-based IDS for
detecting attacks on RPL-based network topology,” Information, vol. 7,
no. 2, p. 25, 2016. [Online]. Available: https://www.mdpi.com/2078-
2489/7/2/25
[42] C. Cervantes, D. Poplade, M. Nogueira, and A. Santos, “Detection
of sinkhole attacks for supporting secure routing on 6LoWPAN for
Internet of Things,” in Proc. IFIP/IEEE Int. Symp. Integr. Netw.
Manage. (IM), May 2015, pp. 606–611.
[43] H. Bostani and M. Sheikhan, “Hybrid of anomaly-based and
specification-based IDS for Internet of Things using unsupervised
OPF based on mapreduce approach,” Comput. Commun., vol. 98,
pp. 52–71, Jan. 2017. [Online]. Available: https://www.sciencedirect.
com/science/article/pii/S0140366416306387
[44] M. Surendar and A. Umamakeswari, “InDReS: An intrusion detection
and response system for Internet of Things with 6LoWPAN,” in
Proc. Int. Conf. Wireless Commun., Signal Process. Netw. (WiSPNET),
Mar. 2016, pp. 1903–1908.
[45] M. N. Napiah, M. Y. I. B. Idris, R. Ramli, and I. Ahmedy, “Compres-
sion header analyzer intrusion detection system (CHA–IDS) for 6LoW-
PAN communication protocol,” IEEE Access, vol. 6, pp. 16623–16638,
2018.
Authorized licensed use limited to: Univ of Calif Santa Barbara. Downloaded on June 23,2021 at 12:58:49 UTC from IEEE Xplore. Restrictions apply.
IEEE SENSORS JOURNAL, VOL. 21, NO. 11, JUNE 1, 2021
[46] E. Kfoury, J. Saab, P. Younes, and R. Achkar, “A self organizing
map intrusion detection system for RPL protocol attacks,” Int. J.
Interdiscipl. Telecommun. Netw., vol. 11, no. 1, pp. 30–43, Jan. 2019.
[47] S. Choudhary and N. Kesswani, “Detection and prevention of routing
attacks in Internet of Things,” in Proc. 17th IEEE Int. Conf. Trust,
Secur. Privacy Comput. Commun./12th IEEE Int. Conf. Big Data Sci.
Eng. (TrustCom/BigDataSE), Aug. 2018, pp. 1537–1540.
[48] A. Verma and V. Ranga, “ELNIDS: Ensemble learning based network
intrusion detection system for RPL based Internet of Things,” in
Proc. 4th Int. Conf. Internet Things, Smart Innov. Usages (IoT-SIU),
Apr. 2019, pp. 1–6.
[49] S. Choudhary and N. Kesswani, “Cluster-based intrusion detection
method for Internet of Things,” in Proc. IEEE/ACS 16th Int. Conf.
Comput. Syst. Appl. (AICCSA), Nov. 2019, pp. 1–8.
[50] A. Althubaity, H. Ji, T. Gong, M. Nixon, R. Ammar, and S. Han,
“ARM: A hybrid specification-based intrusion detection system for
rank attacks in 6TiSCH networks,” in Proc. 22nd IEEE Int. Conf.
Emerg. Technol. Factory Automat. (ETFA), Sep. 2017, pp. 1–8.
[51] J. Foley, N. Moradpoor, and H. Ochenyi, “Employing a machine
learning approach to detect combined Internet of Things attacks
against two objective functions using a novel dataset,” Secur. Commun.
Netw., vol. 2020, pp. 1–17, Feb. 2020.
[52] M. Sheikhan and H. Bostani, “A security mechanism for detecting
intrusions in Internet of Things using selected features based on MI-
BGSA,” Int. J. Inf. Commun. Technol. Res., vol. 9, no. 2, pp. 53–62,
2017.
[53] S. M. H. Mirshahjafari and B. S. Ghahfarokhi, “Sinkhole+cloneid:
A hybrid attack on RPL performance and detection method,” Inf.
Secur. J., Global Perspective, vol. 28, nos. 4–5, pp. 107–119, 2019,
doi: 10.1080/19393555.2019.1658829.
[54] U. Shafique, A. Khan, A. Rehman, F. Bashir, and M. Alam, “Detection
of rank attack in routing protocol for low power and lossy networks,”
Ann. Telecommun., vol. 73, nos. 7–8, pp. 429–438, Aug. 2018.
[55] R. Stephen and L. Arockiam, “E2V: Techniques for detecting and
mitigating rank inconsistency attack (RInA) in RPL based Internet of
Things,” J. Phys., Conf. Ser., vol. 1142, Nov. 2018, Art. no. 012009,
doi: 10.1088/1742-6596/1142/1/012009.
[56] L. Zhang, G. Feng, and S. Qin, “Intrusion detection system for RPL
from routing choice intrusion,” in Proc. IEEE Int. Conf. Commun.
Workshop (ICCW), Jun. 2015, pp. 2652–2658.
[57] T. Matsunaga, K. Toyoda, and I. Sasase, “Low false alarm rate RPL
network monitoring system by considering timing inconstancy between
the rank measurements,” in Proc. 11th Int. Symp. Wireless Commun.
Syst. (ISWCS), Aug. 2014, pp. 427–431.
[58] D. Airehrour, J. Gutierrez, and S. K. Ray, “Securing RPL routing
protocol from blackhole attacks using a trust-based mechanism,” in
Proc. 26th Int. Telecommun. Netw. Appl. Conf. (ITNAC), Dec. 2016,
pp. 115–120.
[59] A. Sehgal, A. Mayzaud, R. Badonnel, I. Chrisment, and J. Schonwalder,
“Addressing DODAG inconsistency attacks in RPL networks,” in Proc.
Global Inf. Infrastruct. Netw. Symp. (GIIS), Sep. 2014, pp. 1–8.
[60] D. Airehrour, J. Gutierrez, and S. K. Ray, “A trust-aware RPL
routing protocol to detect blackhole and selective forwarding
attacks,” J. Telecommun. Digit. Econ., vol. 5, no. 1, pp. 50–69, 2017.
[Online]. Available: https://search.informit.org/doi/10.3316/informit.
752286025338502
[61] H. B. Patel and D. C. Jinwala, “Blackhole detection in 6LoWPAN
based Internet of Things: An anomaly based approach,” in Proc. IEEE
Region Conf. (TENCON), Oct. 2019, pp. 947–954.
[62] A. Amouri, V. T. Alaparthy, and S. D. Morgera, “Cross layer-based
intrusion detection based on network behavior for IoT,” in Proc. IEEE
19th Wireless Microw. Technol. Conf. (WAMICON), Apr. 2018, pp. 1–4.
[63] E. G. Ribera, B. M. Alvarez, C. Samuel, P. P. Ioulianou, and
V. G. Vassilakis, “Heartbeat-based detection of blackhole and greyhole
attacks in RPL networks,” in Proc. 12th Int. Symp. Commun. Syst.,
Netw. Digit. Signal Process. (CSNDSP), Jul. 2020, pp. 1–6.
[64] S. Luangoudom, D. Tran, T. Nguyen, H. A. Tran, G. Nguyen, and
Q. T. Ha, “svBLOCK: Mitigating black hole attack in low-power and
lossy networks,” Int. J. Sensor Netw., vol. 32, no. 2, pp. 77–86,
2020. [Online]. Available: https://www.inderscienceonline.com/
doi/abs/10.1504/IJSNET.2020.104923
[65] F. Gara, L. B. Saad, and R. B. Ayed, “An intrusion detection system
for selective forwarding attack in IPv6-based mobile WSNs,” in
Proc. 13th Int. Wireless Commun. Mobile Comput. Conf. (IWCMC),
Jun. 2017, pp. 276–281.
PASIKHANI et al.: IDSs IN RPL-BASED 6LoWPAN: A SYSTEMATIC LITERATURE REVIEW
[66] A. Nikam and D. Ambawade, “Opinion metric based intrusion
detection mechanism for RPL protocol in IoT,” in Proc. 3rd Int. Conf.
Converg. Technol. (ICT), Apr. 2018, pp. 1–6.
[67] C. Pu and S. Hajjar, “Mitigating forwarding misbehaviors in RPL-
based low power and lossy networks,” in Proc. 15th IEEE Annu.
Consum. Commun. Netw. Conf. (CCNC), Jan. 2018, pp. 1–6.
[68] P. Pongle and G. Chavan, “Real time intrusion and wormhole attack
detection in Internet of Things,” Int. J. Comput. Appl., vol. 121, no. 9,
pp. 1–9, Jul. 2015.
[69] S. Deshmukh-Bhosale and S. S. Sonavane, “A real-time intrusion detec-
tion system for wormhole attack in the RPL based Internet of Things,”
Procedia Manuf., vol. 32, pp. 840–847, Jan. 2019. [Online]. Available:
https://www.sciencedirect.com/science/article/pii/S2351978919303282
[70] P. Shukla, “ML-IDS: A machine learning approach to detect wormhole
attacks in Internet of Things,” in Proc. Intell. Syst. Conf. (IntelliSys),
Sep. 2017, pp. 234–240.
[71] D. B. Gothawal and S. Nagaraj, “Intrusion detection for enhancing
RPL security,” Procedia Comput. Sci., vol. 165, pp. 565–572,
Jan. 2019. [Online]. Available: https://www.sciencedirect.com/
science/article/pii/S1877050920300594
[72] P. Kaliyar, W. B. Jaballah, M. Conti, and C. Lal, “LiDL: Localization
with early detection of Sybil and wormhole attacks in IoT
networks,” Comput. Secur., vol. 94, Jul. 2020, Art. no. 101849.
[Online]. Available: https://www.sciencedirect.com/science/article/pii/
S016740482030122X
[73] A. Mayzaud, R. Badonnel, and I. Chrisment, “A distributed monitoring
strategy for detecting version number attacks in RPL-based networks,”
IEEE Trans. Netw. Service Manage., vol. 14, no. 2, pp. 472–486,
Jun. 2017.
[74] P. Ioulianou, V. Vasilakis, I. Moscholios, and M. Logothetis, “A
signature-based intrusion detection system for the Internet of Things,”
in Proc. IEICE Inf. Commun. Technol. Forum. Graz, Austria: The Insti-
tute of Electronics, Information and Communication Engineers, 2018.
[75] A. Arış, S. B. Ö. Yalçın, and S. F. Oktuğ, “New lightweight
mitigation techniques for RPL version number attacks,” Ad Hoc Netw.,
vol. 85, pp. 81–91, Mar. 2019. [Online]. Available: https://www.
sciencedirect.com/science/article/pii/S1570870518307625
[76] E. Aydogan, S. Yilmaz, S. Sen, I. Butun, S. Forsstrom, and M. Gidlund,
“A central intrusion detection system for RPL-based industrial Internet
of Things,” in Proc. 15th IEEE Int. Workshop Factory Commun. Syst.
(WFCS), May 2019, pp. 1–5.
[77] J. Canedo and A. Skjellum, “Using machine learning to secure IoT
systems,” in Proc. 14th Annu. Conf. Privacy, Secur. Trust (PST),
Dec. 2016, pp. 219–222.
[78] A. Verma and V. Ranga, “Mitigation of DIS flooding attacks in RPL-
based 6LoWPAN networks,” Trans. Emerg. Telecommun. Technol.,
vol. 31, no. 2, p. e3802, 2020. [Online]. Available: https://onlinelibrary.
wiley.com/doi/abs/10.1002/ett.3802
[79] B. Farzaneh, M. A. Montazeri, and S. Jamali, “An anomaly-based IDS
for detecting attacks in RPL-based Internet of Things,” in Proc. 5th
Int. Conf. Web Res. (ICWR), Apr. 2019, pp. 61–66.
[80] P. P. Ioulianou and V. G. Vassilakis, “Denial-of-service attacks and
countermeasures in the RPL-based Internet of Things,” in Computer
Security, S. Katsikas et al., Eds. Cham, Switzerland: Springer, 2020,
pp. 374–390.
[81] P. Kasinathan, C. Pastrone, M. A. Spirito, and M. Vinkovits, “Denial-
of-service detection in 6LoWPAN based Internet of Things,” in
Proc. IEEE 9th Int. Conf. Wireless Mobile Comput., Netw. Commun.
(WiMob), Oct. 2013, pp. 600–607.
[82] S. O. Amin, M. S. Siddiqui, C. S. Hong, and S. Lee, “RIDES: Robust
intrusion detection system for IP-based ubiquitous sensor networks,”
Sensors, vol. 9, no. 5, pp. 3447–3468, 2009. [Online]. Available:
https://www.mdpi.com/1424-8220/9/5/3447
[83] P. Kasinathan, G. Costamagna, H. Khaleel, C. Pastrone, and
M. A. Spirito, “DEMO: An IDS framework for Internet of Things
empowered by 6LoWPAN,” in Proc. ACM SIGSAC Conf. Comput.
Commun. Secur. (CCS), 2013, pp. 1337–1340, doi: 10.1145/2508859.
2512494.
[84] V. Pandu, J. Mohan, and T. P. Kumar, “Network intrusion detection
and prevention systems for attacks in IoT systems,” in Countering
Cyber Attacks and Preserving the Integrity and Availability of Critical
Systems. Hershey, PA, USA: IGI Global, 2019, pp. 128–141.
[85] B. Farzaneh, M. Koosha, E. Boochanpour, and E. Alizadeh, “A
new method for intrusion detection on RPL routing protocol using
fuzzy logic,” in Proc. 6th Int. Conf. Web Res. (ICWR), Apr. 2020,
pp. 245–250.
Authorized licensed use limited to: Univ of Calif Santa Barbara. Downloaded on June 23,2021 at 12:58:49 UTC from IEEE Xplore. Restrictions apply.
12967
[86] B. Ghaleb, A. Al-Dubai, E. Ekonomou, M. Qasem, I. Romdhani, and
L. Mackenzie, “Addressing the DAO insider attack in RPL’s Internet
of Things networks,” IEEE Commun. Lett., vol. 23, no. 1, pp. 68–71,
Jan. 2019.
[87] C. Pu, “Mitigating DAO inconsistency attack in RPL-based low power
and lossy networks,” in Proc. IEEE 8th Annu. Comput. Commun.
Workshop Conf. (CCWC), Jan. 2018, pp. 570–574.
[88] M. C. Belavagi and B. Muniyal, “Multiple intrusion detection in RPL
based networks,” Int. J. Electr. Comput. Eng., vol. 10, no. 1, p. 467,
Feb. 2020.
[89] A. Mayzaud, A. Sehgal, R. Badonnel, I. Chrisment, and J. Schonwalder,
“Using the RPL protocol for supporting passive monitoring in the
Internet of Things,” in Proc. IEEE/IFIP Netw. Oper. Manage. Symp.
(NOMS), Apr. 2016, pp. 366–374.
[90] A. Mayzaud, A. Sehgal, R. Badonnel, I. Chrisment, and
J. Schonwalder, “Mitigation of topological inconsistency attacks in
RPL-based low-power lossy networks,” Int. J. Netw. Manage., vol. 25,
no. 5, pp. 320–339, 2015. [Online]. Available: https://onlinelibrary.
wiley.com/doi/abs/10.1002/nem.1898
[91] C. Pu, “Sybil attack in RPL-based Internet of Things: Analysis and
defenses,” IEEE Internet Things J., vol. 7, no. 6, pp. 4937–4949,
Jun. 2020.
[92] D. Airehrour, J. A. Gutierrez, and S. K. Ray, “Sectrust-RPL: A
secure trust-aware RPL routing protocol for Internet of Things,”
Future Gener. Comput. Syst., vol. 93, pp. 860–876, Apr. 2019.
[Online]. Available: https://www.sciencedirect.com/science/article/pii/
S0167739X17306581
[93] F. Medjek, D. Tandjaoui, I. Romdhani, and N. Djedjig, “A trust-based
intrusion detection system for mobile RPL based networks,” in Proc.
IEEE Int. Conf. Internet Things (iThings), IEEE Green Comput.
Commun. (GreenCom), IEEE Cyber, Phys. Social Comput. (CPSCom),
IEEE Smart Data (SmartData), Jun. 2017, pp. 735–742.
[94] A. Verma and V. Ranga, “CoSec-RPL: Detection of copycat attacks
in RPL based 6LoWPANs using outlier analysis,” Telecommun. Syst.,
vol. 75, no. 1, pp. 43–61, Sep. 2020.
[95] A. Verma and V. Ranga, “Addressing flooding attacks in IPv6-
based low power and lossy networks,” in Proc. IEEE Region Conf.
(TENCON), Oct. 2019, pp. 552–557.
[96] P. Perazzo, C. Vallati, G. Anastasi, and G. Dini, “DIO suppression
attack against routing in the Internet of Things,” IEEE Commun. Lett.,
vol. 21, no. 11, pp. 2524–2527, Nov. 2017.
[97] A. Saeed, A. Ahmadinia, A. Javed, and H. Larijani, “Intelligent
intrusion detection in low-power IoTs,” ACM Trans. Internet Technol.,
vol. 16, no. 4, pp. 1–25, Dec. 2016, doi: 10.1145/2990499.
[98] T. Tsao, R. Alexander, M. Dohler, V. Daza, A. Lozano, and
M. Richardson, A Security Threat Analysis for the Routing Protocol
for Low-Power and Lossy Networks (RPLs), document RFC 7416,
Internet Engineering Task Force, 2015.
[99] O. Lounis and B. Malika, “A new vision for intrusion detection
system in information systems,” in Proc. Sci. Inf. Conf. (SAI),
Jul. 2015, pp. 1352–1356.
[100] S. Sonavane, “Design and implementation of RSSI based intrusion
detection system for RPL based IoT network,” Int. J. Comput. Sci.
Netw. Secur., vol. 19, no. 12, pp. 1–9, 2020.
[101] T. Jones, A. Dali, M. R. Rao, N. Biradar, J. Madassery, and K. Liu,
“Towards a layered and secure Internet-of-Things testbed via hybrid
mesh,” in Proc. IEEE Int. Congr. Internet Things (ICIOT), Jul. 2018,
pp. 17–24.
[102] Z. A. Khan and P. Herrmann, “A trust based distributed intrusion
detection mechanism for Internet of Things,” in Proc. IEEE 31st Int.
Conf. Adv. Inf. Netw. Appl. (AINA), Mar. 2017, pp. 1169–1176.
[103] E. Viegas, A. Santin, L. Oliveira, A. Franca, R. Jasinski, and
V. Pedroni, “A reliable and energy-efficient classifier combination
scheme for intrusion detection in embedded systems,” Comput. Secur.,
vol. 78, pp. 16–32, Sep. 2018. [Online]. Available: https://www.
sciencedirect.com/science/article/pii/S0167404818306175
[104] H. Sedjelmaci, S. M. Senouci, and M. Al-Bahri, “A lightweight
anomaly detection technique for low-resource IoT devices: A game-
theoretic methodology,” in Proc. IEEE Int. Conf. Commun. (ICC),
May 2016, pp. 1–6.
[105] J. Li, Z. Zhao, R. Li, and H. Zhang, “AI-based two-stage intrusion
detection for software defined IoT networks,” IEEE Internet Things
J., vol. 6, no. 2, pp. 2093–2102, Apr. 2019.
[106] J. Arshad, “COLIDE: A collaborative intrusion detection framework
for Internet of Things,” IET Netw., vol. 8, pp. 3–14, Jan. 2019. [Online].
Available: https://digital-library.theiet.org/content/journals/10.1049/iet-
net.2018.5036
12968
[107] N. B. Mohammadi, J. Misic, V. B. Misic, and H. Khazaei, “A
framework for intrusion detection system in advanced metering
infrastructure,” Secur. Commun. Netw., vol. 7, no. 1, pp. 195–205,
2014. [Online]. Available: https://onlinelibrary.wiley.com/doi/abs/
10.1002/sec.690
[108] D. B. Gothawal and S. V. Nagaraj, “Anomaly-based intrusion detection
system in RPL by applying stochastic and evolutionary game models
over IoT environment,” Wireless Pers. Commun., vol. 110, no. 3,
pp. 1323–1344, Feb. 2020.
[109] D. Shreenivas, S. Raza, and T. Voigt, “Intrusion detection in the
RPL-connected 6LoWPAN networks,” in Proc. 3rd ACM Int.
Workshop IoT Privacy, Trust, Secur. (IoTPTS). New York, NY,
USA: Association for Computing Machinery, 2017, pp. 31–38, doi:
10.1145/3055245.3055252.
[110] A. Rghioui, A. Khannous, and M. Bouhorma, “Monitoring behavior-
based intrusion detection system for 6LoWPAN networks,” Int. J.
Innov. Appl. Stud., vol. 11, no. 4, p. 894, 2015.
[111] A. Mitrokotsa and A. Karygiannis, “Intrusion detection techniques
in sensor networks,” Wireless Sensor Netw. Secur., vol. 1, no. 1,
pp. 251–272, 2008.
[112] V. Verendel, “Quantified security is a weak hypothesis: A critical
survey of results and assumptions,” in Proc. New Secur. Paradigms
Workshop (NSPW). New York, NY, USA: Association for Computing
Machinery, 2009, pp. 37–50, doi: 10.1145/1719030.1719036.
[113] J. Maerien, P. Agten, C. Huygens, and W. Joosen, “FAMoS:
A flexible active monitoring service for wireless sensor networks,” in
Distributed Applications and Interoperable Systems, K. M. Göschka
and S. Haridi, Eds. Berlin, Germany: Springer, 2012, pp. 104–117.
[114] L. B. Saad, C. Chauvenet, and B. Tourancheau, “Simulation of the
RPL routing protocol for IPv6 sensor networks: Two cases studies,” in
Proc. Int. Conf. Sensor Technol. Appl. (SENSORCOMM). Nice, France:
IARIA, Sep. 2011, pp. 1–7. [Online]. Available: https://hal.inria.fr/hal-
00647869
Aryan Mohammadi Pasikhani received the
M.Sc. degree in software engineering from the
National University of Malaysia. He is currently
pursuing the Ph.D. degree in computer Science
from The University of Sheffield. His research
interests include intrusion detection and preven-
tion systems, reinforcement learning, machine
learning, optimization, securing embedded sys-
tems, and the Internet of Things.
Authorized licensed use limited to: Univ of Calif Santa Barbara. Downloaded on June 23,2021 at 12:58:49 UTC from IEEE Xplore. Restrictions apply.
IEEE SENSORS JOURNAL, VOL. 21, NO. 11, JUNE 1, 2021
John A. Clark is a Professor of Computer
and Information Security with The University
of Sheffield, and also leads the Security of
Advanced Systems Research Group. Previously,
he was a Professor of Critical Systems with the
University of York. His major research interests
include cybersecurity and software engineering,
most notably the use of artificial intelligence
to these areas. His publications have included
work on: threat modeling, security policies, covert
channel analysis, cryptographic building blocks,
intrusion detection, insider detection, and automated synthesis of secu-
rity protocols. His current research interests include automated discovery
of classical cryptanalytic strategies, intrusion detection, and the search
for quantum approaches to cryptanalysis via evolutionary computation.
He is particularly interested right now in building up research in the
security of robotic and autonomous systems and in the security of
advanced manufacturing systems and active buildings.
Prosanta Gope (Senior Member, IEEE) served
as a Research Fellow for the Department of Com-
puter Science, National University of Singapore
(NUS). Primarily driven by tackling challenging
real-world security problems, he has expertise in
lightweight anonymous authentication, authen-
ticated encryption, access control, security of
mobile communications, healthcare, the Internet
of Things, Cloud, RFIDs, WSNs, smart-grids,
and hardware security of the IoT devices. He is
currently working as an Assistant Professor with
the Department of Computer Science, The University of Sheffield, U.K.
He has authored more than 75 peer-reviewed articles in several rep-
utable international journals and conferences, and has four filed patents.
He received the Distinguished Ph.D. Scholar Award in 2014 from the
National Cheng Kung University, Taiwan. He has served as a TPC Mem-
ber/Chair for several international conferences, such as IEEE GLOBE-
COM, ARES, and IEEE-Trustcom. He also serves as an Associate Editor
for the IEEE INTERNET OF THINGS JOURNAL, IEEE SYSTEMS JOURNAL,
IEEE SENSORS JOURNAL, and the Security and Communication Networks
Journal.
Abdulmonem Alshahrani received the M.Sc.
(Hons.) degree in information systems from
DePaul University, Chicago, IL, USA. He is cur-
rently pursuing the Ph.D. degree in cybersecurity
with the Department of Computer Science, The
University of Sheffield. He is also a Lecturer with
the College of Computer Science, King Khalid
University, Saudi Arabia. His research interests
include applying machine learning (ML) and arti-
ficial intelligence (AI) solutions to optimize intru-
sion detection systems (IDS) for sophisticated
networks of embedded, connected, and low-resourced devices, such as
the Internet of Things (IoT).