
Computer Communications 98 (2017) 52–71

Contents lists available at ScienceDirect

Computer Communications

journal homepage: www.elsevier.com/locate/comcom

Hybrid of anomaly-based and specification-based IDS for Internet of Things using unsupervised OPF based on MapReduce approach

Hamid Bostani a, Mansour Sheikhan b,∗

a Department of Computer Engineering, Islamic Azad University, South Tehran Branch, Tehran, Iran
b Department of Communication Engineering, Islamic Azad University, South Tehran Branch, Tehran, Iran

Article info

Article history:
Received 21 November 2015
Revised 14 June 2016
Accepted 1 December 2016
Available online 2 December 2016

Keywords:
Internet of Things
Unsupervised optimum-path forest
Anomaly-based intrusion detection
Specification-based intrusion detection
MapReduce

Abstract

The Internet of Things (IoT) is a novel paradigm in computer networks in which resource-constrained objects connect to the unreliable Internet by using a wide range of technologies. The insecure nature of the Internet and of wireless sensor networks, which are the main components of the IoT, makes the IoT vulnerable to different attacks, especially routing attacks (as insider attacks). A novel real-time hybrid intrusion detection framework is proposed in this study that consists of anomaly-based and specification-based intrusion detection modules for detecting two well-known routing attacks in the IoT, called sinkhole and selective-forwarding attacks. For this purpose, the specification-based intrusion detection agents, which are located in the router nodes, analyze the behavior of their host nodes and send their local results to the root node through normal data packets. In addition, an anomaly-based intrusion detection agent, which is located in the root node, employs the unsupervised optimum-path forest algorithm for projecting clustering models from the incoming data packets. This agent, which is based on the MapReduce architecture, can work on a distributed platform for projecting clustering models and consequently detecting anomalies in parallel as a global detection approach. The proposed method makes decisions about suspicious behavior by using a voting mechanism. Notably, the proposed method is also extended to detect the wormhole attack. The deployment of the proposed hybrid model is investigated in a smart-city scenario on an existing platform as well. Independence from the network's scale and the ability to identify malicious nodes are two key features of the proposed framework that are evaluated through different experiments in this study. The experimental results of simulated scenarios showed that the proposed hybrid method can achieve a true positive rate of 76.19% and a false positive rate of 5.92% when both sinkhole and selective-forwarding attacks were launched simultaneously. These rates in detecting the wormhole attack are 96.02% and 2.08%, respectively.

© 2016 Elsevier B.V. All rights reserved.

1. Introduction

The Internet of Things (IoT) is a network by which identifiable heterogeneous objects such as smart phones, laptops, and smart sensors can connect to the Internet by using a wide range of technologies. The basic idea of the IoT is the creation of an autonomous world using smart objects that are accessible from anywhere and have the ability to connect, exchange information, and even make decisions on behalf of users [1]. Along with the rapid progress in technologies (e.g., radio frequency identification, embedded sensors, and miniature actuators), a wide range of potential applications of the IoT have been proposed in real life, such as smart cities, home automation, and health care monitoring [2]. In other words, the large number of smart interconnected devices in the IoT can result in valuable services to society and individual citizens [3]. The IoT can be supported by satellite communication systems in the case of the Internet of Remote Things (IoRT), in which Internet Protocol version 6 (IPv6) should be supported over satellite [4]. The Internet of Multimedia Things (IoMT) has also been introduced for the interaction and cooperation of smart multimedia things connected to the Internet [5]. For example, Yu et al. [6] proposed a convergent platform of adaptive IoT and Web of Things (WoT) for dynamic implementation of the smart WoT.

∗ Corresponding author.
E-mail addresses: [email protected] (H. Bostani), [email protected] (M. Sheikhan).

http://dx.doi.org/10.1016/j.comcom.2016.12.001
0140-3664/© 2016 Elsevier B.V. All rights reserved.

One of the main efforts to make the concept of the IoT real is IPv6 over Low-Power Wireless Personal Area Networks (6LoWPAN), which was proposed and standardized by an Internet Engineering Task Force (IETF) working group [7]. A 6LoWPAN is a Wireless Sensor Network (WSN) which allows the connection of resource-constrained devices, such as sensor nodes, to the Internet through the 6LoWPAN Border Router (6BR) [8,9]. The 6LoWPAN network employs compressed IPv6 for networking and IEEE 802.15.4 as the data-link and physical layer protocol. Hennebert and Dos Santos [10] described the popular protocols and security solutions deployed in the small constrained objects of the IoT. For this purpose, the security extension of IEEE 802.15.4e in time-slotted channel hopping mode, compressed IPsec, and Datagram Transport Layer Security (DTLS) (which is embedded into the 6LoWPAN stack) were analyzed.

The main security requirements for the IoT are as follows [11]: (a) data confidentiality and authentication and (b) privacy and trust among users and things. In other words, securing data exchange in WSNs (as vital components of the IoT) is necessary for smart environments [12]. Communication in the IoT can be secured by using standard mechanisms such as cryptography and authentication techniques; however, these preventive mechanisms cannot detect all possible attacks, especially insider attacks (e.g., routing attacks), because of the nature of wireless communication. Resource-constrained devices are directly connected to the unreliable Internet via IPv6 and 6LoWPAN networks in the IoT, so they are vulnerable to intrusions both from the Internet and from WSNs [8].

There are three major challenges for securing smart physical objects (also called cyber-entities) in the IoT: (a) the expanding scope of the cyber-entities in the IoT as compared to the Internet; (b) the dynamic activity cycle of the cyber-entities; and (c) the heterogeneous interactions of cyber-entities [13]. Ning et al. [13] proposed a system architecture called Unit and Ubiquitous IoT (U2IoT) to address these challenges. Leveraging IP-based security protocols has also been proposed for the IoT, after considering WSN constraints through message compression or computational-load distribution. For example, Sahraoui and Bilami [14] proposed a 6LoWPAN compression of the Host Identity Protocol (HIP) packet header and a distribution technique for the Base Exchange (HIP-BEX). Neisse et al. [15] proposed a model-based security toolkit for IoT devices which can be employed in a smart-city scenario [16]. Jing et al. [17] analyzed the security problems of the following three layers contained in the IoT: (a) perception; (b) transportation; and (c) application. Benson et al. [18] proposed a cyber-physical system leveraging the pervasive IoT, called Safe Community Awareness and Alerting Network, at a low incremental cost. Nguyen et al. [19] discussed the applicability and limitations of existing Internet and WSN security protocols suitable for the IoT. It is accepted that IoT devices employ the Constrained Application Protocol (CoAP). Using DTLS is mandated by secure CoAP as the security protocol. The integration of DTLS and CoAP was performed for the IoT and presented by Raza et al. [20] under the name Lithe.

Therefore, an Intrusion Detection System (IDS) is required for detecting malicious activities in the IoT besides the standard security mechanisms. The constrained devices in the IoT are identified by an IP address, while end-to-end message security is a requirement and the 6BR is always accessible [9]. So, designing IDSs for the IoT is necessary to provide security.

The rest of this paper is organized as follows: the related work is reported in Section 2. The foundations of IDS, the Routing Protocol for Low Power and Lossy Networks (RPL), selective-forwarding and sinkhole attacks, unsupervised OPF, and the MapReduce approach are reviewed briefly in Section 3. The proposed intrusion detection model, which is a hybrid of anomaly-based and specification-based intrusion detection approaches, is introduced in Section 4. The performance of the proposed model in the simulated scenarios is presented in Section 5 by reporting simulation results. The possibility of detecting additional attacks (such as blackhole, rank, and wormhole) by the proposed model is investigated in Section 6. The deployment of the proposed IDS in real-world IoT applications is detailed in Section 7. The paper is concluded in Section 8.

2. Related work

As mentioned earlier, sensor nodes in the IoT are exposed to wireless attacks from the Internet and the WSN. So, IDSs and firewalls are needed [2]. Mitchell and Chen [21] summarized the pros and cons of different wireless IDSs in various wireless networks such as WSNs, Wireless Local Area Networks (WLANs), Wireless Personal Area Networks (WPANs), Wireless Mesh Networks (WMNs), ad hoc networks, and Cyber Physical Systems (CPSs). Turkanović et al. [22] proposed a User Authentication and Key Agreement Scheme (UAKAS) for heterogeneous WSNs based on the IoT notion. To improve the security of this scheme against cryptographic attacks, an enhanced UAKAS has been proposed by Sabzinejad Farash et al. [23].

Several IDSs have been proposed for WSNs; however, most of them are not applicable in IP-based WSNs, because they were not originally designed for IoT technologies such as 6LoWPAN. So, designing an IDS for the IoT is still a new and on-going research subject, and to the best knowledge of the authors few researchers in the security field work in this context. For example, Raza et al. [8] proposed a novel real-time IDS for the IoT called SVELTE. They implemented the proposed model in the Contiki operating system and targeted only routing attacks such as sinkhole and selective-forwarding. They showed through simulated scenarios that SVELTE has a small overhead to deploy on the constrained nodes and can detect most of the malicious nodes that launch sinkhole and/or selective-forwarding attacks. Kasinathan et al. [24] introduced a Denial of Service (DoS) attack detection architecture for 6LoWPAN. They integrated an IDS into a framework which was developed in the European Business-Based Internet of Things and Services (EBBITS) project [25]. Their simulation results showed the capability of the proposed architecture in detecting DoS attacks. One of the main goals followed by employing an IDS in the IoT is fast security event-processing that results in detecting network attacks immediately. Complex Event-Processing (CEP) [26] is an appropriate solution to achieve a real-time IDS for the IoT. CEP is an event-processing method that analyzes the stream of information for filtering and processing of events in real-time scenarios. For this purpose, June and Chi [27] designed a CEP-based IDS in IoT environments to achieve better performance in real-time data computations.

Each layer in the 6LoWPAN is vulnerable to security threats; however, most of these threats focus on the network layer [2]. These kinds of attacks allow adversaries to take control of the information flow in the network [28]. All the network-layer intruders of WSNs can threaten RPL [2]. RPL is a distance-vector routing protocol which was introduced and standardized by the Routing over Low power and Lossy networks (ROLL) working group as a specific routing protocol for the network layer of 6LoWPAN [29]. Le et al. [30] worked on security aspects of RPL by introducing a specification-based IDS for detecting a new type of threat called topology attack. This type of attack, which was originally applied to RPL, changes the node operation to break the optimized network topology. The experimental results showed effective detection of RPL topology attacks with a reasonable overhead.

Among the several attacks which can target RPL, DoS attacks have a great effect on the availability of 6LoWPANs. Each event that prevents access to the provided services by disrupting communication between network devices is categorized as a DoS attack [24]. DoS attacks are popular and simple to implement on networks; however, they have different forms, so their detection and prevention are very difficult [1]. In addition, Sybil attacks result in the generation of wrong reports by IoT systems and the reception of spam by users. Zhang et al. [31] defined three Sybil attack types. They also presented three Sybil detection schemes: (a) social graph-based; (b) behavior classification-based; and (c) mobile Sybil detection. Furthermore, intentional attacks disrupt a network by paralyzing a fraction of its nodes, and therefore deteriorate IoT operations [32]. Chen et al. [32] proposed a fusion-based defense system in which each node feeds back its local decision to the fusion center in order to infer attacks. They formulated the attack and defense strategy as a zero-sum game to enhance the robustness of the IoT.

In this work, we propose a novel real-time hybrid intrusion detection framework for detecting the malicious behaviors of sinkhole and selective-forwarding attacks (as severe DoS attacks) in 6LoWPAN. Moreover, the proposed method can find and report the sources of these attacks as malicious nodes in real time. The proposed framework consists of a centralized anomaly-based intrusion detection agent, which is located in the root of the 6LoWPAN, and some specification-based agents which are located in the router nodes. Each specification-based agent works as a local intrusion detection agent and sends its analysis results to the root. The anomaly-based agent, as a global intrusion detection module, uses the unsupervised Optimum-Path Forest (OPF) algorithm [33] for projecting clustering models based on the MapReduce architecture [34] for detecting anomalous behaviors. According to the local and global results of the specification-based and anomaly-based intrusion detection agents, the root makes a general decision about the anomalies that occurred in the network by using a voting mechanism.

3. Preliminaries

In this section, we briefly review the foundations of IDS, RPL, selective-forwarding and sinkhole attacks, unsupervised OPF, and the MapReduce architecture as the fundamental concepts in the proposed framework.

3.1. Intrusion detection system

An IDS is an effective tool or mechanism which gathers network traffic as input data for detecting intruders or malicious behaviors that threaten the network. IDSs are classified into different categories based on: (a) analysis methods; (b) data sources; and (c) system architectures. Depending on the analysis method, the computer security community has classified IDSs into three main categories: (a) misuse detection; (b) anomaly detection; and (c) specification-based systems. In misuse detection systems, predefined attack patterns are profiled in a signature database as a reference of intrusion patterns to match against system behavior or network traffic for detecting intrusions [35]. Misuse detection techniques are simple to use; however, specific knowledge of each attack is required and consequently unknown abnormalities are not detectable. On the other hand, all known attacks can be detected with a low False Alarm Rate (FAR), and the storage costs grow with the number of attacks, because a signature of each known attack should be stored [8]. An anomaly detection system, which focuses on normal system behavior or network traffic, usually builds one of the following models as a baseline for describing ordinary behavior: (a) statistical; (b) knowledge-based; and (c) machine-learning [36]. In the observed data, any deviation from this model can be considered as an anomaly. Anomaly detection algorithms are useful for new intrusions; however, they suffer from a high false positive rate (unlike misuse detection models). Specification-based systems work in the same way; however, user guidance is required to extract legitimate system behavior or network traffic for developing a model of normal behavior in these systems, in addition to employing statistical, knowledge-based, or machine learning techniques [37]. According to the data sources, IDSs take one of the following approaches for recognizing attacks: (a) host-based; (b) network-based; and (c) hybrid [38]. In the host-based approach, only host events are considered for detecting attacks. Therefore, the data for a host-based IDS is provided by different activities of hosts, such as operating system audit records and system logs; however, in a network-based IDS, data is mainly collected from network segments such as Internet packets [35]. In the hybrid approach, data provided by both host events and network segments are considered in developing an IDS.

The system architecture of an IDS has a great effect on its performance in WSNs such as 6LoWPAN. According to the system architecture, IDSs in RPL-based WSNs are classified into four main categories [38]: (a) stand-alone; (b) distributed and cooperative; (c) distributed and hierarchical; and (d) mobile agent. Some nodes, which are Low-power and Lossy Network (LLN) devices or high-performance devices and are called Monitor Nodes (MNs), are used for monitoring the events in WSNs [38]. In the stand-alone architecture, each MN performs intrusion detection based on its own collected data, independently. The MNs in the stand-alone IDS are classified into two schemes: (a) centralized and (b) distributed. In the centralized scheme, each node is considered as an MN, and in the distributed scheme, multiple MNs are deployed on a WSN to cover the network [38]. In the distributed and cooperative architecture, intrusion detection is accomplished by the cooperation of MNs such that each MN performs as an IDS agent and participates in intrusion detection [38]. In this approach, the IDS is applied as a local-agent or a neighbor-agent in a two-level coordinated architecture, where a local-agent can raise an intrusion alert independently when it detects a threat with sufficient evidence. However, when a local-agent detects an intrusion with weak evidence, it starts a cooperative detection procedure in interaction with the neighbor-agents for global detection [38]. This kind of architecture is suitable for small-scale and flat network infrastructures; however, in a large-scale network, the distributed and hierarchical architecture is adequate for detecting an intrusion [38]. In this approach, the network is partitioned into clusters, each with a sink node as a Cluster Head (CH). The IDS in a distributed and hierarchical architecture is composed of two levels. At the first level, CH-agents, which are responsible for monitoring the covered nodes and making the global intrusion detection decisions, are embedded in the sink nodes. At the second level, the local-agents, which are designed based on the stand-alone IDS, are deployed in each cluster to report the detection results to the CH-agents [38]. The last mentioned IDS architecture in WSNs is the mobile agent. The mobile agent, as a self-controlling program segment, is a specific executable code which traverses from one node to another [39]. In this agent migration, which means moving an agent from a node to another selected node, computation is performed in addition to data transmission [39]. The mobile agents are assigned to selected nodes for performing a monitoring task and intrusion detection [38]. The selection of agents may be changed after a certain period of time or after the task is completed. By moving the processing function to the data instead of bringing the data to a central processor, mobile agents can greatly reduce the communication cost on links with low bandwidth.

3.2. Routing protocol for low power and lossy networks

The RPL, which is based on the construction of a Destination-

riented Directed Acyclic Graph (DODAG), is an IP-based distance

ector and hop-by-hop routing protocol that is designed by the

OLL workgroup (which is a workgroup in IETF) to overcome

he routing problems in the LLNs. RPL enables one-to-one, one-

o-many, and many-to-many communication traffic by support-

ng different operations such as the unidirectional traffic towards

DODAG root, bidirectional traffic between resource-constrained

evices (i.e., 6LoWPAN nodes), and bidirectional traffic between

esource-constrained devices and the DODAG root [9] . According

o the DODAG architecture, the nodes are organized in a hierar-

hical tree structure and routed at a single root, as the destina-

ion and called 6BR, to avoid creating any network loop [1] . The

BR, which connects 6LoWPAN to the Internet through the back-

Page 4: Computer Communications - AMAN Systemamansystem.com/apps/people/sallay/NS/slides/paper4.pdfof the cyber-entities in IoT as compared to the Internet; (b) dy- namic activity cycle of

H. Bostani, M. Sheikhan / Computer Communications 98 (2017) 52–71 55

Fig. 1. DODAG scheme including nodes with unique ranks and IPv6 addresses.

b

n

6

t

a

a

a

r

w

i

n

w

b

t

t

P

c

c

b

v

m

a

v

e

m

m

(

c

i

u

o

t

t

t

c

p

c

D

r

a

t

D

f

e

f

w

t

c

D

r

t

c

D

[

3

r

t

d

m

[

e

t

b

t

a

s

e

one, is the root of DODAG and is responsible for management of

odes [1,2] . Fig. 1 shows a typical RPL which consists of different

LoWPAN nodes that are connected together based on the DODAG

opology. Three types of nodes are shown in Fig. 1: (a) leaf nodes

s the source nodes that generate and send data; (b) router nodes;

nd (c) root node. Each node has an ID based on an IPv6 address,

special rank, a set of neighbors, and one (or more) parent(s). The

ank of each node determines the relative position of that node

ith respect to the DODAG root. This rank is strictly increasing

n the top-down direction from the DODAG root toward the leaf

odes, and in opposition decreasing in the bottom-up direction to-

ard the DODAG root [8,9] .

The nodes in a DODAG use an objective function, represented

y an Objective Code Point (OCP), based on some optimization cri-

eria (such as link reliability, latency, hop-count, and node energy)

o optimize the paths toward the DODAG root [2] . A single 6LoW-

AN network may include multiple RPL instances which work con-

urrently with different optimization criteria, where each instance

onsists of one (or more) DODAG(s). Hence, a 6LoWPAN node can

elong to more than one DODAG in an RPL instance [29] . To pre-

ent probable loops created on the network, the message trans-

ission is based on the rank rule (that means the node ranks

re strictly decreasing along with the upstream transmission and

ice versa) [2] . To exchange routing graph information for RPL op-

rations, such as constructing DODAG, the RPL defines three new

essage types: (a) DAG Information Object (DIO); (b) DAG Infor-

ation Solicitation (DIS); and (c) Destination Advertisement Object

DAO). DIO messages carry information which is used for DODAG

onstruction (by allowing a node to determine parents and select-

ng the best one as the preferred parent). The DIS messages are

sed to solicit graph-related information (i.e., DODAG information

bject) from the neighbor nodes [9] . The RPL supports downward

raffic toward the leaf nodes by using DAO messages which adver-

ise required information and also propagate destination informa-

ion upward along the DODAG [29] .

In the process of DODAG construction, DIO messages (which contain important information such as the rank, the DAG-ID, and the OCP) are periodically broadcast by the DODAG root [2]. The nodes that receive a DIO are considered the neighbors of the DODAG root. They use the DIO message information to join the DODAG and select the DODAG root as their parent. According to a specific objective function (such as min-hop), the neighbors set their rank to 1 (the parent's rank, which is 0, incremented by 1) and start broadcasting their own DIO. When a node receives a DIO message, it calculates its rank from the OCP specified in the received DIO and forms a list of parents. Then, according to the OCP, the preferred parent is selected from the parent list, and the node broadcasts its own DIO. This procedure continues until the topology construction is completed (i.e., the best path to the DODAG root is identified for each node according to the objective function). To handle inconsistencies in the DODAG, RPL uses a trickle timer for determining the transmission rate of DIO messages. In a network with a stable topology, the trickle timer interval is large, so DIO messages are rare. When inconsistencies occur, the trickle timer is reset and more DIO messages are sent from the nodes that cause the inconsistencies [9].
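As an added illustration (not part of the original paper), the following Python simulation plays out the DODAG construction just described under a min-hop objective function: the root broadcasts a DIO with rank 0, every receiver sets its rank to its best neighbor's advertised rank plus one, selects the lowest-ranked neighbor as preferred parent and rebroadcasts whenever its own rank changes, and the process stops when no rank changes. The topology, the node IDs and the `check_rank_rule` helper are constructed for this example; the helper verifies the rank rule from the text (every node's rank is strictly greater than its preferred parent's), which is the invariant a router-hosted IDS can test against its own routing table.

```python
from collections import deque
from typing import Dict, Iterable, List, Tuple

ROOT_RANK = 0  # the text's min-hop example: the DODAG root advertises rank 0


def build_dodag(root: int, links: Iterable[Tuple[int, int]]) -> Dict[int, dict]:
    """Simulate DIO-driven DODAG construction with a min-hop objective function.

    Returns, per node: its rank, its parent set (neighbours that advertised a
    lower rank) and its preferred parent (the parent with the lowest rank).
    The bidirectional links are the constructed input of this example.
    """
    nbrs: Dict[int, set] = {}
    for a, b in links:
        nbrs.setdefault(a, set()).add(b)
        nbrs.setdefault(b, set()).add(a)

    state = {n: {"rank": None, "parents": set(), "preferred": None, "adv": {}} for n in nbrs}
    state[root]["rank"] = ROOT_RANK

    # A DIO is modelled as (sender, advertised rank); the root sends the first one.
    dio_queue = deque([(root, ROOT_RANK)])
    while dio_queue:
        sender, adv_rank = dio_queue.popleft()
        for n in nbrs[sender]:
            if n == root:
                continue
            node = state[n]
            node["adv"][sender] = adv_rank              # remember what this neighbour advertised
            new_rank = min(node["adv"].values()) + 1    # min-hop: best advertised rank + 1
            node["parents"] = {s for s, r in node["adv"].items() if r < new_rank}
            node["preferred"] = min(node["parents"], key=lambda s: (node["adv"][s], s))
            if node["rank"] != new_rank:
                node["rank"] = new_rank
                dio_queue.append((n, new_rank))         # rank changed: broadcast our own DIO
    for node in state.values():
        del node["adv"]
    return state


def check_rank_rule(dodag: Dict[int, dict]) -> List[int]:
    """Return the nodes whose rank is not strictly greater than their preferred parent's.

    In a consistent DODAG this list is empty; a parent whose rank is inconsistent
    with its children's ranks shows up here, which is what makes the rank rule a
    useful local check for the specification-based agents discussed later.
    """
    return sorted(
        n for n, node in dodag.items()
        if node["preferred"] is not None
        and node["rank"] <= dodag[node["preferred"]]["rank"]
    )


# Constructed topology: root 1, two first-hop routers, a node reachable via both, and a leaf.
LINKS = [(1, 2), (1, 3), (2, 4), (3, 4), (4, 5)]

if __name__ == "__main__":
    dodag = build_dodag(1, LINKS)
    for n in sorted(dodag):
        print(n, dodag[n])
    print("rank-rule violations:", check_rank_rule(dodag))
```

Node 4 hears DIOs from both 2 and 3 (rank 1 each), so its parent set is {2, 3} and the tie is broken by node ID; node 5 only hears node 4 and ends at rank 3.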

3.3. Selective-forwarding and sinkhole attacks

In selective-forwarding attacks, which primarily disrupt the routing path, malicious nodes selectively forward packets in order to drop some of them, either based on the importance of the data or randomly [1,9]. For example, a malicious node forwards only routing messages and drops all other packets in order to disrupt the network [8]. In sinkhole attacks, a malicious node presents itself to the others as an optimal routing path in order to attract nearby nodes to route their traffic through it. In RPL, an intruder launches a sinkhole attack by propagating a better rank than its real one, so that the nodes below it in the DODAG select it as their preferred parent [8]. Fig. 2 shows a screenshot of the sinkhole attack operation on a 6LoWPAN. Sinkhole attacks may not necessarily threaten the network by themselves; however, they cause serious problems when they are coupled with other attacks such as the selective-forwarding attack [9].

Fig. 2. A screenshot of a sinkhole attack by node 6 (a malicious node) in the DODAG.


3.4. Unsupervised optimum-path forest

In 2009, Rocha et al. [33] introduced an unsupervised machine-learning algorithm for data clustering based on graph theory, called Optimum-Path Forest Clustering (OPFC). They reduce the clustering problem, as a pattern recognition problem, to an optimal graph partitioning in a given feature space. In OPFC, each sample in the dataset (represented by a feature vector) is a node of the k-nearest-neighbors graph ($G_{k\text{-}nn}$), connected to its k best neighbors in the given feature space [40]. In OPFC, the arcs are weighted by the distance between each pair of nodes, and the nodes are weighted by a probability density function (pdf) value that is based on the distances between the sample and its k nearest neighbors [40]. Once $G_{k\text{-}nn}$ is created, the OPFC algorithm finds one sample (node) at each maximum of the pdf as the root of a dome, or cluster, which includes the dense samples of the feature space. Then, an Optimum-Path Tree (OPT) is created from each root to every node in its influence zone (cluster), such that each node of the OPT is more strongly connected to its root than to the other roots found in $G_{k\text{-}nn}$ [33]. The OPF is the union of these OPTs.

Suppose Z is a clustering dataset such that each s ∈ Z is represented by a feature vector $\vec{v}(s)$ in the given feature space. The graph $G_{k\text{-}nn} = (Z, A_k)$ is defined such that the arcs in $A_k$ connect the k-nearest neighbors in the feature space [33]. In $G_{k\text{-}nn}$, each arc $(s,t) \in A_k$ is weighted by $d(s,t) = |\vec{v}(t) - \vec{v}(s)|$, which denotes the Euclidean distance between the feature vectors of s and t. As mentioned earlier, each s ∈ Z is weighted by a probability density function defined as follows [33]:

$$p(s) = \frac{1}{\sqrt{2\pi\sigma^2}\,|A_k(s)|} \sum_{\forall t \in A_k(s)} \exp\left(\frac{-d^2(s,t)}{2\sigma^2}\right) \qquad (1)$$

where $|A_k(s)| = k$, $\sigma = d_f/3$, and $d_f$ is the maximum arc weight in $G_{k\text{-}nn}$. It is noted that $A_k(s)$ is the neighbor set of s ∈ Z. Since the arcs in $A_k$ are asymmetric, the symmetric arcs should be added on the plateaus of the pdf, as given in Eq. (2), to guarantee a single root per maximum (cluster) [33]:

$$\text{if } t \in A_k(s),\ s \notin A_k(t) \text{ and } p(s) = p(t) \text{ then } A_k(t) = A_k(t) \cup \{s\} \qquad (2)$$

In OPFC, a path $\pi_t$ is a sequence of distinct adjacent nodes that starts at the root of t, R(t), and terminates at t. Note that a path with a single sample, $\pi_t = \langle t \rangle$, is called trivial, and $\pi_s \cdot \langle s,t \rangle$ represents the concatenation of the path $\pi_s$ and the arc $\langle s,t \rangle$ [40]. In the OPFC algorithm, a connectivity function $f(\pi_t)$ assigns a path cost to each path $\pi_t$. A path $\pi_t$ is an optimum path if $f(\pi_t) \ge f(\tau_t)$ for any other path $\tau_t$ [40]. Among all possible paths from a root in the maxima of the pdf, OPFC assigns to each t ∈ Z an optimum path $P^*(t)$ such that the minimum density value along the path is maximum [40]:

$$v(t) = \max_{\forall \pi_t \in (Z, A_k)} \{ f_{\min}(\pi_t) \} \qquad (3)$$

where $f_{\min}(\pi_t)$ is defined as follows:

$$f_{\min}(\langle t \rangle) = \begin{cases} p(t) & t \in R \\ p(t) - \delta & \text{otherwise} \end{cases}, \qquad f_{\min}(\pi_s \cdot \langle s,t \rangle) = \min\{ f_{\min}(\pi_s),\ p(t) \} \qquad (4)$$

where $\delta = \min_{\forall (s,t) \in A_k \,|\, p(t) \ne p(s)} |p(t) - p(s)|$ (notably, larger values of δ reduce the number of maxima) and R is the set of OPF roots, which is found on-the-fly with one element per maximum of the pdf [40]. The algorithm tries to maximize the connectivity map v(t) by computing an OPF, which assigns a predecessor P(t) to each sample t ∉ R and marks nil when t ∈ R. For more details about the OPFC algorithm, refer to [40].

An OPFC model classifies a new sample into a specific cluster (created by the OPFC algorithm) by finding the root which provides the optimum path to the new sample. Therefore, in order to classify a new sample t ∈ Z' \ Z according to the neighbors of t (s ∈ A_k(t) ⊂ Z'), the algorithm computes the pdf of t using Eq. (1). Then, the optimum path can be found incrementally by evaluating the optimum cost as follows [33]:

$$v(t) = \max_{\forall (s,t) \in A_k} \{ \min\{ v(s),\ p(t) \} \} \qquad (5)$$

Suppose $s^* \in Z$ is the best node that satisfies Eq. (5); the classifier then selects the cluster of $s^*$ as the class of t.
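The following Python code is an added example (it is not the authors' implementation) that carries Eqs. (1)–(5) through on a small constructed dataset: it builds $G_{k\text{-}nn}$, weights the nodes with the pdf of Eq. (1), symmetrises the plateau arcs as in Eq. (2), computes the optimum-path forest by propagating the $f_{\min}$ cost of Eqs. (3)–(4) outward from the pdf maxima in decreasing order of connectivity value, and classifies a new sample with Eq. (5). Equality of pdf values is tested with `math.isclose`, ties between candidate roots are broken by sample index, and the two square blobs of points are constructed for the example; all three are this example's assumptions, not the paper's.

```python
import math
from typing import Dict, List, Optional, Sequence, Tuple

Point = Tuple[float, ...]


def dist(a: Point, b: Point) -> float:
    """d(s, t): Euclidean distance between two feature vectors."""
    return math.sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))


def knn_graph(Z: Sequence[Point], k: int) -> Dict[int, List[int]]:
    """A_k(s): the k nearest neighbours of every sample (ties broken by index)."""
    return {
        s: [t for _, t in sorted((dist(Z[s], Z[t]), t) for t in range(len(Z)) if t != s)[:k]]
        for s in range(len(Z))
    }


def kernel_pdf(x: Point, nbrs: Sequence[Point], sigma: float) -> float:
    """Eq. (1): Gaussian-kernel density of x estimated over its k neighbours."""
    norm = 1.0 / (math.sqrt(2.0 * math.pi * sigma ** 2) * len(nbrs))
    return norm * sum(math.exp(-dist(x, y) ** 2 / (2.0 * sigma ** 2)) for y in nbrs)


def opf_cluster(Z: Sequence[Point], k: int) -> dict:
    """Unsupervised OPF: one cluster (optimum-path tree) per maximum of the pdf."""
    A = knn_graph(Z, k)
    d_f = max(dist(Z[s], Z[t]) for s in A for t in A[s])   # maximum arc weight
    sigma = d_f / 3.0
    p = {s: kernel_pdf(Z[s], [Z[t] for t in A[s]], sigma) for s in A}

    # Eq. (2): add the reverse arc on pdf plateaus so each maximum yields a single root.
    for s in list(A):
        for t in A[s]:
            if s not in A[t] and math.isclose(p[s], p[t]):
                A[t].append(s)

    # delta of Eq. (4): smallest non-zero pdf difference across an arc.
    diffs = [abs(p[t] - p[s]) for s in A for t in A[s] if not math.isclose(p[s], p[t])]
    delta = min(diffs) if diffs else 1e-12  # degenerate all-plateau case: any positive value works

    V = {t: p[t] - delta for t in A}              # trivial-path cost of a non-root, Eq. (4)
    pred: Dict[int, Optional[int]] = {t: None for t in A}
    label: Dict[int, Optional[int]] = {t: None for t in A}
    roots: List[int] = []
    pending = set(A)
    while pending:
        s = max(pending, key=lambda n: (V[n], -n))  # highest connectivity value first
        pending.remove(s)
        if pred[s] is None:                  # never conquered: s sits on a pdf maximum
            roots.append(s)
            label[s] = len(roots) - 1
            V[s] = p[s]                      # root cost per Eq. (4)
        for t in A[s]:
            if t in pending:
                cost = min(V[s], p[t])       # f_min of the extended path, Eq. (4)
                if cost > V[t]:              # better path found: conquer t, Eq. (3)
                    V[t], pred[t], label[t] = cost, s, label[s]
    return {"Z": list(Z), "k": k, "sigma": sigma, "p": p, "V": V,
            "pred": pred, "label": label, "roots": roots}


def classify(model: dict, x: Point) -> int:
    """Eq. (5): label of the neighbour s maximising min{v(s), p(x)}."""
    Z, k, sigma = model["Z"], model["k"], model["sigma"]
    nbrs = [t for _, t in sorted((dist(x, Z[t]), t) for t in range(len(Z)))[:k]]
    p_x = kernel_pdf(x, [Z[t] for t in nbrs], sigma)
    best = max(nbrs, key=lambda s: (min(model["V"][s], p_x), -s))
    return model["label"][best]


# Constructed data: two identical square-plus-centre blobs, far apart in feature space.
BLOB_A = [(0.0, 0.0), (1.0, 0.0), (0.0, 1.0), (1.0, 1.0), (0.5, 0.5)]
BLOB_B = [(x + 10.0, y + 10.0) for x, y in BLOB_A]
SAMPLES = BLOB_A + BLOB_B

if __name__ == "__main__":
    m = opf_cluster(SAMPLES, k=3)
    print("roots:", m["roots"], "labels:", [m["label"][i] for i in range(len(SAMPLES))])
    print("new sample (0.2, 0.3) ->", classify(m, (0.2, 0.3)))
```

With k = 3 the centre of each blob has the highest pdf (all three of its neighbours lie at the same short distance), so it becomes the root; the four corners share a pdf plateau and are conquered from the centre or from each other, giving exactly two trees.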

3.5. MapReduce approach

Today, one of the main challenges of well-known corporations, such as Google or Yahoo, is the maintenance and analysis of big data for extracting useful knowledge. The MapReduce approach [34] is an efficient solution for the big data problem. This approach employs algorithms that have parallelism capabilities in a parallel space. MapReduce, which was first presented by Google, is a parallel programming model inspired by functional programming languages such as Lisp. This approach hides the details and complexity of parallel computation, data distribution, and fault tolerance [34]. In this approach, a big dataset is split into smaller datasets and stored on different machines. Then, these machines process the smaller datasets in parallel and, finally, the results are integrated. In fact, this algorithm reduces the intermediate space to the final solution space.

The MapReduce approach includes two main phases: (a) Map and (b) Reduce. In the Map phase, the input data is split into smaller segments, named chunks. Then, they are delivered to some machines, called mappers, that are responsible for the mapping operation [41]. Each mapper converts the content of its chunk into a sequence of key-value pairs and, for each pair, generates a list of key-value pairs by calling the user-defined "map" function (map(k1, v1) → list(k2, v2)) [34,41]. In the Reduce phase, the MapReduce framework sorts the pairs by key, collects the key-value pairs having the same key, and sends them to

the reducer node. In fact, in the Reduce phase a group consisting of the key-value pairs which have the same key is produced for each key generated in the Map phase. Then, the user-defined "reduce" function accepts an intermediate key with the set of values representing the dimension of that key, and merges the values by converting them into a smaller value (i.e., reducing the dimension) (reduce(k2, list(v2)) → list(v3)) [34].

Table 1
Comparison of two attacks in a WSN [43].

Attack name | Behavior
Selective-forwarding | Data forwarding misbehavior
Sinkhole | Route updating misbehavior

4. Proposed model

As mentioned earlier, this study concentrates on detecting selective-forwarding and sinkhole attacks as the well-known insider attacks in IoT which can take control of the data flow in a 6LoWPAN. In this study, the intrusion detection task in the 6LoWPAN is presented as the following problem:

Suppose a 6LoWPAN network which includes m + n homogeneous sensor nodes ($S = L \cup R$, where $L = \{l_1, \ldots, l_m\}$ and $R = \{r_1, \ldots, r_n\}$) and one powerful root node as the 6BR. It is noted that L and R are the leaf and router sets, respectively. Assume that only the m leaf nodes are responsible for generating data (e.g., by sensing the ambient temperature), as the source nodes, and for sending them (in packet form) through the n router nodes to the root node. Packets are routed by the RPL protocol using the DODAG graph. We assume that the RPL protocol supports solely unidirectional traffic from the leaves (sources) to the root. In this network, the attacks are caused by malicious nodes ($s_a \in R$) that act as valid nodes. The goal of the proposed model is detecting outlier behaviors (as attacks) and identifying the malicious nodes that cause these behaviors.

Fig. 3 shows the block diagram of the proposed framework. As seen, the proposed model is a hybrid method based on centralized and distributed intrusion detection models. This model consists of an Anomaly Agent-based IDS (AA-IDS) and some Specification Agent-based IDSs (SA-IDSs). In the proposed model, each router node independently monitors its input/output traffic and identifies the potential malicious nodes by using its SA-IDS. Then, the router nodes send their analysis results to the 6BR by embedding them into the packets to be forwarded. In the 6BR, the AA-IDS projects clustering models (based on the OPFC algorithm) for clustering the collected data and detecting anomalies. This task is performed on the features of each source node that are extracted from the incoming traffic. Then, the algorithm makes a final decision based on the local results of the SA-IDS agents (which are hosted in the router nodes) and the global analysis results of the AA-IDS agent. In the proposed model, it is assumed that the attack traffic is much less than the normal traffic [42]. In the proposed framework, the intrusion detection and the identification of malicious nodes are performed in the following three stages:

Stage 1 (identifying malicious nodes): the goal of this stage is identifying the suspicious nodes that may cause sinkhole and selective-forwarding attacks in the 6LoWPAN. Identifying the suspicious nodes is based on a stand-alone architecture and is performed by using some lightweight SA-IDSs that are located in the router nodes. Table 1 reviews the operation of the selective-forwarding and sinkhole attacks in a WSN [43]. As seen in Table 1, the selective-forwarding attack influences packet transmission, while the sinkhole attack has an adverse effect on the routing of packets.

In the proposed model, the SA-IDS works as detailed below to detect these attacks:

(a) Identifying suspicious nodes launching a sinkhole attack: according to the sinkhole action which was described in Section 3.3, Fig. 4 shows the influence of the malicious node S on node A in the DODAG.

As seen in Fig. 4, when node S (as a sinkhole attacker) wants to launch a sinkhole attack, it attracts node A to route its traffic through node S. Hence, node A adds node S to its parent set and selects it as the preferred parent for routing its packets. After a short time, node S resumes its normal behavior. Therefore, node A removes it from the parent set and selects node B again as the preferred parent. Based on this behavior, the SA-IDS located in a router node (such as A) computes the rate of change of the preferred parent and the rate of change of the parent set at each time-slot Δw (as the non-traffic-related features) for identifying the suspicious node (based on the routing table). If these values are greater than predefined thresholds, then the SA-IDS identifies and reports the suspicious node. The following pseudo-code describes how a suspicious node (i.e., the agent of a sinkhole attack) is identified by the node below it in the SA-IDS agent (Algorithm 1):

In the proposed model, we assume that the time interval during which a malicious node is selected as the preferred parent is shorter than the corresponding time interval for the other nodes (which present normal behavior). Therefore, as seen in steps 15 to 17 of Algorithm 1, if the non-traffic-related feature values are greater than the predefined thresholds, then the algorithm computes the total duration for which each node was selected as the preferred parent of the host node (the node in which the SA-IDS is located). Then, the node which corresponds to the minimum time interval is reported as a suspicious node.

(b) Identifying suspicious nodes launching a selective-forwarding attack: according to the selective-forwarding action which was described in Section 3.3, Fig. 5 shows the influence of the malicious node S on node A in the DODAG.

When a malicious node wants to launch a selective-forwarding attack, it selectively forwards packets toward the root. So, a preferred parent node can identify the suspicious node by knowing the approximate number of packets received from each of its children (such as node S in Fig. 5). In the proposed model, the SA-IDS located in a router node (such as A) computes the packet receiving rate and the last packet received time at each time-slot Δw (as the traffic-related features) for each child node in order to identify the suspicious node. For each child node such as S, if the packet receiving rate is smaller than a predefined threshold and the last packet received time stamp is greater than a predefined threshold, then the SA-IDS reports node S as a suspicious node. The following pseudo-code describes how a suspicious node (i.e., the agent of a selective-forwarding attack) is identified by the node above it in the SA-IDS agent (Algorithm 2):

In step 2 of Algorithm 2, getPacket() represents a function that returns the information of the currently received packet. Notably, we design and implement a WSN based on the RPL routing protocol in this study for simulating 6LoWPAN functionality (see Section 5). Generally, the structure of the data packets in the simulations consists of two main parts (as shown in Fig. 6): (a) data (fields) and (b) the data access interface (functions).

In Fig. 6, SrcID and SrcTimeStamp represent the ID of the source node and the time at which the packet was sent by the source node, respectively. RouterID and RouterTimeStamp represent the ID of the last router node (before the current node) and its packet forwarding time, respectively. RouterID and RouterTimeStamp are obtained by using the getRouterID() and getRouterTimeStamp() functions, respectively. HopCount shows the number of hops taken by the packet, and each router node increments it by the incHopCount() function. One of the main fields used by the SA-IDS agent is SuspiciousList. In fact, when the SA-IDS identifies a suspicious node, then


Fig. 3. Block diagram of the proposed intrusion detection framework.

Fig. 4. Sinkhole attack action in the DODAG.


the SA-IDS adds an item with the format ⟨SID, Type, TimeStamp⟩ (as the suspicious node information) to the SuspiciousList by using the addSuspiciousList() function. SID, Type, and TimeStamp represent the suspicious node's ID, the type of the possible attack, and the identification time of the suspicious node, respectively. We assume that the router node cannot access the Data and SuspiciousList fields with the aim of manipulating their values.
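To make the two specification-based checks concrete, here is an added Python rendering of Algorithm 1 and Algorithm 2 (example code, not the authors' C# simulator). The host node's routing table is modelled as a function `observe(t)` returning its current parent list and preferred parent, and the incoming packets as `(arrival_time, router_id)` pairs; the time window Δw = 30 s matches Table 2, while Δt, the thresholds and the two traces are constructed for this example. One reading choice is labelled in the code: the selective-forwarding detector keeps both the absolute time of a child's last packet and the delay since its previous one, because step 7 of Algorithm 2 overwrites the TimeStamp field with a delay although its Auxiliary description defines it as a time.

```python
from collections import Counter
from typing import Callable, Dict, Iterable, List, Optional, Sequence, Tuple

ParentView = Tuple[Sequence[int], int]  # (ParentList, PreferredParent) as read from the routing table


def detect_sinkhole(observe: Callable[[float], ParentView], t0: float, dw: float, dt: float,
                    parent_set_threshold: float, preferred_parent_threshold: float) -> Optional[int]:
    """Algorithm 1: return the SID of the suspected sinkhole parent, or None."""
    t = t0
    cnt1 = cnt2 = 0                          # changes in parent-set length / in preferred parent
    parent_list, preferred = observe(t0)
    current_length, current_preferred = len(parent_list), preferred
    last_change_time = t0
    ph_list: List[Tuple[int, float]] = []    # PHList: (PID, timeSpan) for every replaced preferred parent
    while t < t0 + dw:                        # steps 1-14
        parent_list, preferred = observe(t)
        if current_length != len(parent_list):
            cnt1 += 1
            current_length = len(parent_list)
        if current_preferred != preferred:
            cnt2 += 1
            ph_list.append((current_preferred, t - last_change_time))
            current_preferred, last_change_time = preferred, t
        t += dt
    sid = None
    # steps 15-17: both non-traffic features above threshold -> the shortest-lived parent is suspicious
    if cnt1 / dw > parent_set_threshold and cnt2 / dw > preferred_parent_threshold:
        totals: Dict[int, float] = Counter()
        for pid, span in ph_list:
            totals[pid] += span
        if totals:
            sid = min(totals, key=lambda pid: (totals[pid], pid))
    return sid


def detect_selective_forwarding(packets: Iterable[Tuple[float, int]], t0: float, dw: float,
                                packet_receiving_threshold: float, time_delay_threshold: float) -> List[int]:
    """Algorithm 2: return the SIDList of children whose forwarding looks selective."""
    # ChildList entries; 'last_delay' is this example's reading of the listing's TimeStamp field
    child: Dict[int, dict] = {}
    for t, node_id in sorted(packets):       # steps 1-14, one iteration per packet in the window
        if not (t0 <= t < t0 + dw):
            continue
        entry = child.get(node_id)
        if entry is None:                    # step 11: first packet from this child
            child[node_id] = {"last_time": t, "last_delay": t - t0, "count": 1}
        else:                                # steps 7-8
            entry["last_delay"] = t - entry["last_time"]
            entry["last_time"] = t
            entry["count"] += 1
    sid_list = []
    for node_id, e in sorted(child.items()):   # steps 15-19
        if e["count"] / dw < packet_receiving_threshold and e["last_delay"] > time_delay_threshold:
            sid_list.append(node_id)
    return sid_list


# Constructed trace for node A: preferred parent B (id 2) except for a short spell of S (id 6).
def routing_table_of_A(t: float) -> ParentView:
    if 10 <= t < 14:
        return ([2, 6], 6)      # S joined the parent set and was preferred for 4 s
    return ([2], 2)


# Constructed packet arrivals at A: child 6 sends every 2 s, child 7 sends only twice.
PACKETS = [(float(t), 6) for t in range(2, 30, 2)] + [(1.0, 7), (25.0, 7)]

if __name__ == "__main__":
    print("sinkhole suspect:", detect_sinkhole(routing_table_of_A, 0.0, 30.0, 1.0, 0.03, 0.03))
    print("selective-forwarding suspects:", detect_selective_forwarding(PACKETS, 0.0, 30.0, 0.2, 10.0))
```

In the sinkhole trace both change rates are 2/30 per second, above the constructed thresholds, and node 6 accumulates only 4 s as preferred parent against 10 s for node 2, so it is returned. In the packet trace child 7 delivers 2 packets in 30 s with a 24 s gap before its last one, so it alone is listed.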

Stage 2 (anomaly detection in the 6BR): in this stage, the AA-IDS creates a sample for each source node by extracting four traffic-related features from the raw packets received from the source node at each time-slot Δw: (a) packet receiving rate; (b) packet dropping rate; (c) average latency; and (d) maximum hop-count. Then, the AA-IDS projects a clustering model based on the unsupervised OPF algorithm for each source node by using its generated samples. The algorithm selects the cluster (or clusters) including few samples and then labels those samples as anomalous for each projected model.

Algorithm 1 Detecting the sinkhole suspicious node.

Input: ParentSetThreshold and PreferredParentThreshold, which represent the thresholds for detecting anomalous behavior in the parent set and in the preferred parent, respectively. Δw and t0 represent the length of the time window and the current time, respectively.
Output: SID represents the ID of the suspicious node.
Auxiliary: cnt1 and cnt2 represent the count of changes in the length of the parent set and in the preferred parent, respectively. CurrentLength and CurrentPreferredParent represent the current length of the parent set and the ID of the current preferred parent, respectively. PHList represents the preferred parent history list (with the <PID, timeSpan> item list structure, where PID represents the ID of the node that became the preferred parent and timeSpan shows the duration of this event). LastChangeTime represents the time of the last change in the preferred parent.
Initialization:
• Set t = t0, cnt1 = 0, cnt2 = 0, SID = nil and LastChangeTime = t0;
• Set CurrentLength = Length(ParentList) and CurrentPreferredParent = PreferredParent;
Steps:
(1) while t < t0 + Δw do
(2)   if CurrentLength ≠ Length(ParentList) then
(3)     Set cnt1 = cnt1 + 1;
(4)     Set CurrentLength = Length(ParentList);
(5)   end
(6)   if CurrentPreferredParent ≠ PreferredParent then
(7)     Set cnt2 = cnt2 + 1;
(8)     Set timeSpan = t − LastChangeTime;
(9)     Add <CurrentPreferredParent, timeSpan> to PHList;
(10)    Set CurrentPreferredParent = PreferredParent;
(11)    Set LastChangeTime = t;
(12)  end
(13)  Set t = t + Δt;
(14) end
(15) if cnt1 / Δw > ParentSetThreshold and cnt2 / Δw > PreferredParentThreshold then
(16)   Compute the total duration of each PID in PHList and add them as ordered pairs (PID, timeSpan) to a tempList;
(17)   Sort tempList according to timeSpan and set SID to the node ID with the minimum value;
(18) end
(19) return SID;

Fig. 5. Selective-forwarding attack action in the DODAG.

Fig. 6. Structure of data packets in the simulated WSN.

By increasing the number of source nodes, the sequential projection of the clustering models becomes time-consuming, which is not acceptable for a real-time model. The proposed anomaly detection method has the capability of parallelism, because projecting and using the clustering models of different source nodes are independent processes. In this study, we were inspired by the MapReduce approach for improving the speed of projecting models and detecting anomalies. In fact, we proposed an anomaly detection method based on the MapReduce architecture. In other words, if an appropriate platform (hardware/software) is prepared, then the model can run in parallel on a distributed space based on the MapReduce architecture. Fig. 7 shows the general architecture of the proposed anomaly detection model, which is based on the MapReduce approach.

Algorithm 2 Detecting selective-forwarding suspicious nodes.

Input: PacketReceivingThreshold and TimeDelayThreshold represent the thresholds for detecting anomalous behavior in the packet receiving rate and in the last packet receiving time stamp, respectively. Δw and t0 denote the length of the time window and the current time, respectively.
Output: SIDList represents the list of suspicious node IDs.
Auxiliary: packetItem with the format of the packet introduced in Fig. 6. ChildList with the <ID, TimeStamp, PacketReceiving> item list structure, which holds the packet information of each child; TimeStamp shows the last time that a packet was received, and PacketReceiving represents the number of packets that have been received.
Initialization:
• Set t = t0, SIDList = nil and ChildList = nil;
Steps:
(1) while t < t0 + Δw do
(2)   Set packetItem = getPacket();
(3)   Set NodeID = packetItem.getRouterID();
(4)   Set TimeStamp = packetItem.getRouterTimeStamp();
(5)   if ChildList has an item with a key equal to NodeID then
(6)     Set index = index of the item in ChildList whose key equals NodeID;
(7)     Set ChildList[index].TimeStamp = t − ChildList[index].TimeStamp;
(8)     Set ChildList[index].PacketReceiving = ChildList[index].PacketReceiving + 1;
(9)   end
(10)  else
(11)    ChildList.Add(<NodeID, t − t0, 1>);
(12)  end
(13)  Set t = t + Δt;
(14) end
(15) for each item in ChildList do
(16)   if item.PacketReceiving / Δw < PacketReceivingThreshold and item.TimeStamp > TimeDelayThreshold then
(17)     SIDList.Add(item.NodeID);
(18)   end
(19) end
(20) return SIDList;

Fig. 7. General architecture of the anomaly detection model based on the MapReduce approach.

Algorithm 3 Voting mechanism for making the decision about intrusion detection.

Input: AR and SR represent the anomaly-based and specification-based detection result lists with the ⟨SrcID, Label⟩ and ⟨SID, AttackType⟩ item list structures, respectively.
Output: AttackList represents the list of detected attacks.
Steps:
(1) for each ⟨SrcID_i, Label_i⟩ ∈ AR do
(2)   if Label_i = anomalous then
(3)     Set index = index of SR where SrcID = SrcID_i;
(4)     if index ≠ nil then
(5)       Add ⟨SrcID_i, SR[index].SID, SR[index].AttackType⟩ to AttackList;
(6)     end
(7)   end
(8) end
(9) return AttackList;

As seen in Fig. 7, the root node (i.e., the 6BR) extracts the mentioned traffic-related features from the received raw packets in each time-slot and creates a new sample for each source node. Then, it sends the sample's information in key-value pair format to a node (i.e., the reducer) that is responsible for working with a specific key. This format includes the source ID as the key and the feature vector as the value. Then, the reducer node projects a clustering model by using the samples it has received from the mapper node. As mentioned earlier, we assume that a cluster with fewer samples is anomalous; hence, if the new sample belongs to this cluster, it is classified as anomalous and otherwise it is classified as a normal sample. So, the reducer node returns a new key-value pair with the ⟨SID, Label⟩ format (in response to the incoming key-value pair) to the root node. It is noted that the key and the value are the source ID of the sample and its label (i.e., anomalous/normal), respectively. The projection of a clustering model in the reducer continues until the number of samples for each source becomes equal to a threshold. Then, the reducer works as a classifier, which means that if the new sample received (from the mapper) belongs to the anomalous cluster(s), it is reported as an anomalous sample. In the step of extracting features for producing a new sample for each source node, such as A, the packet dropping rate is computed by the following steps at each time-slot:

1) Sort the packets received from node A by their SequenceNumber.
2) Calculate the sum of the distances between each two consecutive packets (based on SequenceNumber) and return the result as the packet dropping rate (for simplicity, we assume that each packet is sent only once).

Moreover, the other features, such as the maximum hop-count and the average latency, are computed as follows:

$$\forall i \in L:\ \text{MaxHopCount} = \max\left( packet_{ij}.getHopCount() \right) \,\big|\, j \in P_i \qquad (6)$$

$$\forall i \in L:\ \text{AverageLatency} = \frac{\sum_{j \in P_i} \left( packet_{ij}.getReceivingTimeStamp() - packet_{ij}.getSrcTimeStamp() \right)}{\|P_i\|} \qquad (7)$$

where L is the set of source nodes in the network, $P_i$ is the set of packets received from the i-th source in time-slot Δw, and $\|P_i\|$ is the number of its members.
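As an added example (not the authors' code), the following Python program wires the MapReduce phases of Section 3.5 to the Stage 2 feature extraction just described. `run_mapreduce` is a minimal in-process engine: the map function turns each raw packet record into a ⟨SrcID, packet⟩ pair, the framework groups pairs by key, and the reduce function computes the four per-source features of a time-slot, namely the packet receiving rate, the packet dropping rate from sequence-number gaps (read here as the number of sequence numbers missing between consecutive packets, which is this example's interpretation of "distance" in step 2), the maximum hop-count of Eq. (6) and the average latency of Eq. (7). The packet records, the source IDs and Δw = 30 s (Table 2) are constructed for the example; the clustering that the reducer performs on the resulting samples is not repeated here.

```python
from collections import defaultdict
from typing import Any, Callable, Dict, Iterable, List, Tuple

# Raw packet record as seen by the 6BR; field names follow Fig. 6, values are constructed.
Packet = Dict[str, Any]
Features = Tuple[float, float, float, int]


def run_mapreduce(chunks: Iterable[Iterable[Tuple[Any, Any]]],
                  map_fn: Callable[[Any, Any], List[Tuple[Any, Any]]],
                  reduce_fn: Callable[[Any, List[Any]], List[Any]]) -> Dict[Any, List[Any]]:
    """Minimal MapReduce: map(k1, v1) -> list(k2, v2); group by k2; reduce(k2, list(v2)) -> list(v3)."""
    intermediate: Dict[Any, List[Any]] = defaultdict(list)
    for chunk in chunks:                       # each chunk would be handed to one mapper
        for k1, v1 in chunk:
            for k2, v2 in map_fn(k1, v1):
                intermediate[k2].append(v2)    # shuffle: collect values under their intermediate key
    return {k2: reduce_fn(k2, values) for k2, values in sorted(intermediate.items())}


def map_packet(record_no: int, pkt: Packet) -> List[Tuple[int, Packet]]:
    """Map phase of Fig. 7: key = source ID, value = the packet itself."""
    return [(pkt["SrcID"], pkt)]


def make_feature_reducer(dw: float) -> Callable[[int, List[Packet]], List[Features]]:
    """Reduce phase: the four Stage 2 features of one source over a time-slot of length dw."""
    def reduce_features(src_id: int, packets: List[Packet]) -> List[Features]:
        by_seq = sorted(packets, key=lambda p: p["SequenceNumber"])           # step 1
        dropped = sum(b["SequenceNumber"] - a["SequenceNumber"] - 1           # step 2 (this example's reading)
                      for a, b in zip(by_seq, by_seq[1:]))
        receiving_rate = len(packets) / dw
        dropping_rate = float(dropped)         # the sum itself is returned as the rate, as in step 2
        avg_latency = sum(p["ReceivingTimeStamp"] - p["SrcTimeStamp"] for p in packets) / len(packets)  # Eq. (7)
        max_hop = max(p["HopCount"] for p in packets)                                                 # Eq. (6)
        return [(receiving_rate, dropping_rate, avg_latency, max_hop)]
    return reduce_features


def packet(src: int, seq: int, sent: float, recv: float, hops: int) -> Packet:
    return {"SrcID": src, "SequenceNumber": seq, "SrcTimeStamp": sent,
            "ReceivingTimeStamp": recv, "HopCount": hops}


# Constructed time-slot (dw = 30 s): source 4 delivers every packet, source 8 is missing seq 3-5.
RAW_PACKETS = [
    packet(4, 1, 0.0, 0.4, 2), packet(4, 2, 5.0, 5.4, 2), packet(4, 3, 10.0, 10.6, 2),
    packet(4, 4, 15.0, 15.4, 2), packet(4, 5, 20.0, 20.2, 2), packet(4, 6, 25.0, 25.4, 3),
    packet(8, 1, 0.0, 0.9, 3), packet(8, 2, 5.0, 6.1, 3), packet(8, 6, 25.0, 26.0, 4),
]
DW = 30.0


def extract_features(raw: List[Packet], dw: float = DW, chunk_size: int = 4) -> Dict[int, List[Features]]:
    """Split the slot's packets into chunks (as the framework would) and run the job."""
    records = list(enumerate(raw))
    chunks = [records[i:i + chunk_size] for i in range(0, len(records), chunk_size)]
    return run_mapreduce(chunks, map_packet, make_feature_reducer(dw))


if __name__ == "__main__":
    for src, (features,) in extract_features(RAW_PACKETS).items():
        print(f"source {src}: rate={features[0]:.3f}/s drop={features[1]:.0f} "
              f"latency={features[2]:.3f}s max_hop={features[3]}")
```

Each reducer output is the feature vector that the AA-IDS would append to that source's sample set; source 8 shows up with a third of the receiving rate, three dropped sequence numbers, higher latency and one more hop than source 4.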

Stage 3 (anomaly detection decision based on a voting mechanism): in this stage, the proposed framework employs the results of the first stage to make a decision about the abnormalities detected in the second stage. The following pseudo-code describes the voting process at this stage (Algorithm 3).

So, Algorithm 3 returns a list which includes the source node ID, the malicious node ID, and the type of attack, respectively (in the format ⟨SrcID, AttackNodeID, AttackType⟩).

5. Simulation and experimental results

This section presents simulation-based evaluations of the proposed method in different scenarios. The proposed model is based on agent programming (i.e., the SA-IDS and AA-IDS agents are located at the router nodes and the 6BR, respectively); so, we developed a special WSN simulator in this study that is based on the RPL protocol, using .Net Framework technology and C#.Net programming. Thus, a flexible evaluation platform was provided for developing the proposed intrusion detection framework and also for simulating the selective-forwarding and sinkhole attacks. The assumptions in the developed simulator are given in Table 2.

Notably, the data generation rate of the sensing nodes (i.e., source nodes) is assumed to be 250 kbps [46]. In the 6BR implementation, which was based on the MapReduce architecture, a MATLAB server was used as the reducer node for projecting the clustering models with the aim of anomaly detection. We implemented an anomaly detection method based on the OPFC algorithm using MATLAB R2014a on a PC with an Intel(R) Core(TM) i5-4460 CPU at 3.20 GHz and 8 GB RAM. The anomaly detection was performed by the 6BR, in which the corresponding reducer (i.e., the MATLAB server) received a new sample of source i from the mapper (i.e., the 6BR). Then, a new clustering model was projected by using this new sample and the old samples. According to the clustering result, the label of the new sample was determined by the reducer.

Table 2
Assumptions in the developed simulator in this study.

Parameter | Value
Network scale | 100 m × 100 m [44]
Routing protocol | RPL
Transmission range | 10 m [44]
Packet size | 127 bytes
DIO size | 24 bytes [45]
Δw | 30 s [39]

Table 3
Assumptions in the first simulation (shown in Fig. 8a).

Parameter | Value
Number of source nodes | 3 (IDs: {4, 6, 8})
Number of router nodes | 4 (IDs: {2, 3, 5, 7})
Root's ID | {1}
Malicious node's ID | {3} (as the selective-forwarding agent)
Simulation time (min) | 20

Table 4
Assumptions in the second simulation (shown in Fig. 8b).

Parameter | Value
Number of source nodes | 2 (IDs: {8, 9})
Number of router nodes | 6 (IDs: {2, 3, 4, 5, 6, 7})
Root's ID | {1}
Malicious node's ID | {6} (as the sinkhole agent)
Simulation time (min) | 20

Table 5
Assumptions in the third simulation (shown in Fig. 8c).

Parameter | Value
Number of source nodes | 3 (IDs: {6, 8, 11})
Number of router nodes | 6 (IDs: {2, 3, 5, 7, 9, 10})
Root's ID | {1}
Malicious nodes' IDs | {3} (as the sinkhole agent) and {10} (as the selective-forwarding agent)
Simulation time (min) | 30

5.1. Experimental setup

In this section, we briefly discuss some assumptions in the proposed simulator. It is noted that we did not study the energy overhead of the proposed framework in this study. Therefore, we assumed that the energy of all kinds of nodes was infinite, which means they were not constrained in terms of energy consumption. Moreover, we assumed that the network structure is static in all simulations. In other words, the sensor nodes were homogeneous and distributed uniformly in the environment. As mentioned earlier, we categorized the nodes into source nodes, router nodes, and a 6BR in the simulations. The source nodes were responsible for generating data (e.g., sensing the ambient temperature) and sending them through the router nodes to the 6BR. The router nodes were responsible for routing and forwarding packets in the network.

As mentioned earlier, some intruder nodes, which appear to be normal nodes, threaten the network frequently in our simulations. In other words, a malicious node switches between two behaviors: (a) an intruder (based on the considered attacks) and (b) normal [47]. In our simulations, we assumed that the malicious nodes perform as intruders 1 to 50% of the time.

One of the challenging issues in the OPFC algorithm is finding the appropriate value of the parameter k. Generally, the value of k is selected in the interval [k_min, k_max], where 1 ≤ k_min < k_max ≤ |Z| [33]. Rocha et al. [33] used a graph-cut metric for finding the optimum value of k. The proposed anomaly detection should work in real time; so, we experimentally assumed that k equals the number of samples divided by 3 (rounded to an integer) at the start of projecting the OPFC model in this study.

As mentioned earlier, the specification-based agents used some thresholds (i.e., ParentSetThreshold and PreferredParentThreshold in Algorithm 1, and PacketReceivingThreshold and TimeDelayThreshold in Algorithm 2) in detecting sinkhole and selective-forwarding attacks. The nodes were different in the network (according to their positions, children, and parents); so, each node had its own thresholds, which should be defined at runtime. We assumed that the malicious nodes begin to launch attacks after 2 min; hence, the thresholds of each node were specified in the opening 2 min of the simulation based on the normal behavior. For example, to determine the ParentSetThreshold (which specifies the rate of change of the parent set of a router node at each time-slot Δw), the algorithm computed the rate of change of the router's parent set at each Δw in the opening 2 min; then, the average of the computed values was returned as the ParentSetThreshold.

5.2. Simulation scenarios and performance analysis

In this study, the performance of the proposed method was evaluated in two main experiments in terms of the True Positive Rate (TPR), False Positive Rate (FPR), and Accuracy Rate (AR) of detecting malicious nodes. The first experiment was conducted for evaluating the performance of the proposed framework in dealing with the selective-forwarding attack, the sinkhole attack, and the joint occurrence of both attacks. The scale of the network, such as the number of malicious nodes, was considered in the second experiment. In other words, we evaluated the proposed method in different network scales.

Three simulations were performed in the first experiment. The screenshots of these simulations are shown in Figs. 8a–c, respectively. Through these simulations, the performance of the proposed framework was evaluated in dealing with the selective-forwarding attack (Fig. 8a), the sinkhole attack (Fig. 8b), and the joint occurrence of these attacks (Fig. 8c) in the 6LoWPAN. The assumptions in these simulations are given in Tables 3–5, respectively.

The performance of the proposed model in these simulations is reported in Tables 6–8, respectively. Notably, the AR metric is calculated as the ratio of the total number of malicious nodes (according to each sample) that are identified correctly to the total number of attack samples that are classified correctly.


Fig. 8. Screenshots of three simulations in the first experiment; (a) selective-forwarding attack launched by node 3, (b) sinkhole attack launched by node 6, (c) selective-forwarding and sinkhole attacks launched simultaneously by node 10 and node 3, respectively.

Table 6
Performance of the proposed model in the first simulation (shown in Fig. 8a).

Method                                                   TPR (%)   FPR (%)   AR in detecting malicious nodes (%)
Anomaly-based detection                                  92.68     10.12     NA*
Hybrid (Anomaly-based + Specification-based) detection   85.36     1.26      91.43

* Not applicable

Table 7
Performance of the proposed model in the second simulation (shown in Fig. 8b).

Method                                                   TPR (%)   FPR (%)   AR in detecting malicious nodes (%)
Anomaly-based detection                                  100       5.97      NA*
Hybrid (Anomaly-based + Specification-based) detection   100       2.98      69.23

* Not applicable

Table 8
Performance of the proposed model in the third simulation (shown in Fig. 8c).

Method                                                   TPR (%)   FPR (%)   AR in detecting malicious nodes (%)
Anomaly-based detection                                  80.95     29.63     NA*
Hybrid (Anomaly-based + Specification-based) detection   76.19     5.92      87.50

* Not applicable


As seen in Tables 6 and 8, the TPR of the proposed hybrid method is lower than that of the anomaly-based detection method (performed by the AA-IDS agent); however, the FPR is improved considerably when employing the hybrid model, in which the specification-based detection is also performed by the SA-IDS agents besides the anomaly-based detection. Another advantage of using the specification-based detection in the proposed framework is the ability to detect malicious nodes as the cause of IoT's insider attacks (as shown in the last column of Tables 6–8).

Table 7 shows that the TPR of the anomaly-based detection and the hybrid detection methods in the second simulation is 100% (when the sinkhole attack is launched). However, as shown in Table 6, the TPR of the anomaly-based detection and the hybrid detection methods in the first simulation was 92.68% and 85.36%, respectively (when the selective-forwarding attack was launched). This difference comes from the behavior of sinkhole and selective-forwarding attacks. As mentioned earlier, the AA-IDS agent creates a new sample for each source node by extracting four traffic-related features from the raw packets received from the source node in each time-slot. These features are packet receiving rate, packet dropping rate, average latency, and maximum hop-count. The sinkhole attack has a considerable effect on the maximum hop-count feature, while the selective-forwarding attack changes the packet dropping rate, and consequently the packet receiving rate. Packet dropping is one of the common events in networks (e.g., because of congestion); so, distinguishing valid packet dropping (due to the normal behavior of networks) from invalid packet dropping (due to the malicious behavior of the selective-forwarding attack) is hard for the proposed anomaly detection model. As seen in Table 6, this caused the TPR reduction of the proposed hybrid model in the first simulation as compared to the second simulation, in which the sinkhole attack was launched (Table 7). Notably, the low AR in detecting malicious nodes in Table 7 is caused by the process of detecting the sinkhole attack in Algorithm 1. According to Algorithm 1, the detection of a suspicious node is based on the rate of change in the preferred parent and also the rate of change in the parent set at each time-slot. In some cases, this may cause mistakes in telling a valid parent from an invalid parent. For example, the SA-IDS agent located in node 7 (Fig. 8b) may select node 5 (i.e., a valid parent) as a suspicious node instead of the actual malicious node (i.e., node 6).

One of the key features of the proposed framework is the network's scale-free property. In other words, the proposed framework is approximately size-independent. To evaluate this feature, the network scale was considered in the second experiment. To evaluate the efficiency of the proposed method in the second experiment, only the selective-forwarding attack was considered in the simulations. To study the network's scale-free property, two types of network size were considered in the simulations: (a) small and (b) medium. For small-size networks, three networks were simulated with different scales in which some malicious nodes launched selective-forwarding attacks randomly (Fig. 9). The assumptions in the simulations shown in Figs. 9a–c are given in Tables 9–11, respectively.

Notably, the number of source nodes in Tables 9–11 is assumed equal for a fair comparison of the simulation results. Moreover, since the attack launching is a random process (i.e., the number of times that the attacks occur in a network may be different in each


Fig. 9. Screenshots of three simulations in the second experiment for small-size networks; (a) selective-forwarding attack launched by node 3, (b) selective-forwarding attack launched by nodes 4 and 7, (c) selective-forwarding attack launched by nodes 5, 10, and 11.

Table 9
Assumptions in the fourth simulation (shown in Fig. 9a).

Parameter                Value
Number of source nodes   2 (IDs: {4, 5})
Number of router nodes   2 (IDs: {2, 3})
Root's ID                {1}
Malicious node's ID      {3}
Simulation time (min)    20

Table 10
Assumptions in the fifth simulation (shown in Fig. 9b).

Parameter                Value
Number of source nodes   2 (IDs: {5, 9})
Number of router nodes   7 (IDs: {2, 3, 4, 6, 7, 8, 10})
Root's ID                {1}
Malicious nodes' ID      {4, 7}
Simulation time (min)    20

Table 11
Assumptions in the sixth simulation (shown in Fig. 9c).

Parameter                Value
Number of source nodes   2 (IDs: {7, 12})
Number of router nodes   12 (IDs: {2, 3, 4, 5, 6, 8, 9, 10, 11, 13, 14, 15})
Root's ID                {1}
Malicious nodes' ID      {5, 10, 11}
Simulation time (min)    20


Fig. 10. AR in three simulations for small-size networks using the proposed framework (with different network sizes).

Table 12
Assumptions in the seventh simulation (medium-size network).

Parameter                Value
Number of source nodes   5 (IDs: {6, 10, 14, 17, 20})
Number of router nodes   14 (IDs: {2, 3, 4, 5, 7, 8, 9, 11, 12, 13, 15, 16, 18, 19})
Root's ID                {1}
Malicious nodes' ID      {5, 8, 12}
Simulation time (min)    20

Table 13
Assumptions in the eighth simulation (medium-size network).

Parameter                Value
Number of source nodes   5 (IDs: {5, 11, 19, 28, 31})
Number of router nodes   29 (IDs: {2, 3, 4, 6, 7, 8, 9, 10, 12, 13, 14, 15, 16, 17, 18, 20, 21, 22, 23, 24, 25, 26, 27, 29, 30, 32, 33, 34, 35})
Root's ID                {1}
Malicious nodes' ID      {3, 14, 21, 26}
Simulation time (min)    20


simulation); hence, the AR (as defined in Eq. (8)) was considered instead of TPR and FPR for comparing the performance of the proposed method in different network sizes:

$AR = \frac{TP + TN}{TP + TN + FP + FN}$    (8)

where TP is the number of positive instances (i.e., attacks) that are classified correctly, and TN is the number of negative instances (i.e., normal instances) that are classified correctly. Moreover, FN is the number of positive instances that are classified incorrectly, and FP is the number of negative instances that are classified incorrectly.

The AR of the proposed framework in the fourth, fifth, and sixth simulations for small-size networks (shown in Fig. 9) is reported in Fig. 10 for different numbers of nodes and malicious nodes. It is noted that the number of malicious nodes is given in parentheses. As seen in Fig. 10, the AR is approximately independent of the network size.

Similarly, three networks were simulated with different scales for medium-size networks in which some malicious nodes launched the selective-forwarding attack randomly. The assumptions in the simulations of this part are given in Tables 12–14, respectively. The screenshot of a simulation that was based on the assumptions given in Table 14 (i.e., 50 nodes and 5 malicious nodes) is depicted in Fig. 11.

Fig. 11. Screenshot of a simulation for a medium-size network in which the selective-forwarding attack is launched by nodes 3, 6, 9, 18, and 49.

Table 14
Assumptions in the ninth simulation (medium-size network shown in Fig. 11).

Parameter                Value
Number of source nodes   5 (IDs: {7, 17, 29, 33, 36})
Number of router nodes   44 (IDs: {2, 3, 4, 5, 6, 8, 9, 10, 11, 12, 13, 14, 15, 16, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27, 28, 30, 31, 32, 34, 35, 37, 38, 39, 40, 41, 42, 43, 44, 45, 46, 47, 48, 49, 50})
Root's ID                {1}
Malicious nodes' ID      {3, 6, 9, 18, 49}
Simulation time (min)    20

The AR of the proposed framework in the seventh, eighth, and ninth simulations for medium-size networks is reported in Fig. 12 for different numbers of nodes and malicious nodes. As seen in Fig. 12, the AR is approximately independent of the network size for medium-size networks, as well.

Fig. 12. AR in three simulations for medium-size networks using the proposed framework (with different network sizes).

6. Investigation of detecting additional attacks in IoT

Due to the insecure nature of communication in WSNs, such as 6LoWPAN, they can be targeted by a wide range of security attacks. As mentioned earlier, each layer in the 6LoWPAN is vulnerable to security threats; however, the network layer attacks allow adversaries to take control of the information flow in the network [28]. So, most of the threats are focused on the network layer [2]. Therefore, the security threats of the network layer were considered in this study.

Generally, RPL (as the routing protocol in the network layer) cannot be protected in 6LoWPAN against internal attackers [48], who are internal legitimate users whose behavior can affect other legitimate nodes [49]. Some well-known internal attacks, as attacks against RPL, and their descriptions are listed in Table 15.

Table 15
Some well-known internal attacks in 6LoWPAN.

Type of attack(s)      Description
Selective-forwarding   In order to disrupt the routing path, malicious nodes selectively forward packets, removing some packets randomly or based on the importance of the data [1,9].
Sinkhole               A malicious node represents itself to others as an optimal routing path for attracting nearby nodes to route traffic through it.
Blackhole              One or more malicious nodes advertise themselves as the best routes in order to drop the data packets being routed through them (partially or fully), disrupting the normal data flow of the network [50].
HELLO flood            A malicious node broadcasts a "HELLO" message with strong signal power to introduce itself as a neighbor to many nodes so that they route their packets through it [9]. It leads to the loss of those packets [1].
Wormhole               At least two malicious nodes communicate by using a separate wired or wireless link called a "tunnel" to forward packets faster than normal paths [1,9].
Clone ID and Sybil     These types of attacks are known as identity attacks. In a clone ID attack, an attacker copies the identity of a valid node onto several physical nodes; in a Sybil attack, an attacker copies several logical identities onto one physical node [9,48].
Rank                   The attacker uses a random parent (that is not optimized) as a preferred parent in order to create a non-optimized path or a loop [48].
Local repair           Malicious nodes can repeatedly trigger the local repair mechanism by changing the DODAG ID field or broadcasting infinite rank, causing unnecessary network topology updates. It leads to consuming more resources [48].
DIS                    In order to exhaust the network's resources, malicious nodes send DIS messages (see Section 3.2) for generating overhead in control messages [48].
Overload               Malicious nodes overload the network with irrelevant traffic for draining the nodes' energy store more quickly [51].

Selective-forwarding, sinkhole, blackhole, HELLO flood, wormhole, clone ID, and Sybil attacks are routing attacks which have been studied by many security researchers for different routing protocols (e.g., RPL). However, rank, local repair, DIS, and overload attacks (as new threats exploiting some functioning rules in RPL) are RPL inconsistency attacks [48]. On the other hand, selective-forwarding, sinkhole, blackhole, and wormhole attacks are called network traffic forwarding disruption, while HELLO flood, clone ID, Sybil, DIS, and overload attacks are called node resource exhaustion [51].

Designing a flexible architecture for intrusion detection was one of the main goals in this study. The sinkhole and selective-forwarding attacks are two well-known routing attacks on a WSN that were considered in our work. As seen in Table 15, these attacks threaten the routing protocol in WSNs such as 6LoWPAN; hence, for dealing with them, we studied their malicious behavior in the RPL, and a specification-based intrusion detection method was proposed (Algorithms 1 and 2 in Section 4) for detecting their behavior and also specifying the malicious nodes as their sources. The proposed intrusion detection framework was primarily focused on sinkhole and selective-forwarding attacks; however, it can be employed for detecting similar attacks in practice or can be extended conceptually for identifying other attacks. For example, as seen in Table 15, the functionality of the blackhole attack is the same as that of the sinkhole attack. Moreover, both sinkhole and blackhole attacks are similar to the rank attack in the context of RPL, in which a malicious node advertises an artificially beneficial rank [48]. Therefore, the proposed IDS, which was originally proposed for dealing with the sinkhole attack, can be easily employed for detecting blackhole and rank attacks, as well. The functionality of other attacks (e.g., clone ID and wormhole attacks) is different from the sinkhole and selective-forwarding attacks, as given in Table 15. Hence, the proposed IDS should be conceptually extended for detecting these types of attacks. In other words, the proposed model can be extended for detecting other attacks by considering the functionality of those internal attacks.

For example, we extend the proposed model for detecting the wormhole attack as one of the most dangerous attacks in WSNs. As mentioned in Table 15, a malicious node forwards the packets to an accessory malicious node (at a distant point of the network) by using a high-speed link (called a tunnel). Notably, in the context of RPL, the 6BR can be bypassed by using a constrained node in a 6LoWPAN network and a typical device on the Internet [9]. Moreover, the detection of the wormhole attack is very hard, especially when it is systematically switched on and off [9]. For simulating the wormhole attack in the proposed simulator, two nodes were added on opposite sides of the network with a separate link for their communication (Fig. 13). Using RPL, the wormhole attack changes the number of hops that the packets should traverse from their source node to the 6BR. Based on this reality, as the wormhole functionality in RPL, we can develop the proposed IDS for detecting the wormhole attack. Hence, for dealing with the wormhole attack, a new field and a new function named SrcRank and getSrcRank() should be added to the proposed structure of data packets shown in Fig. 6, respectively. In each packet, SrcRank will be used for holding the rank of the source node that generates and sends the packet. By using getSrcRank(), each router node can be informed about the SrcRank of packets.

The pseudo-code given in Algorithm 4 describes how a suspicious node (i.e., the agent of the wormhole attack) will be identified based on the packet's SrcRank.

In step 1 of Algorithm 4, getPacket() returns the current received packet information. Moreover, hostRank is the rank of the router node that is the host of the current SA-IDS. As shown in Algorithm 4, the wormhole detection in the local specification-based intrusion detection agent is based on the comparison between realHopCount and logicHopCount. Notably, if the network works normally, logicHopCount will be equal to realHopCount. As seen in Fig. 13, the number of hops (as realHopCount) in traversing packets from node 11 (as a leaf node) to node 2 (as a router node) is 2, which is equal to logicHopCount (step 4 in Algorithm 4). However, the wormhole attack changes the hops by using a tunnel in routing. For example, when the network is under wormhole attack, the number of hops in traversing packets from node 8 to node 2 (as realHopCount) is 3, while the logicHopCount is 5 (Fig. 13). According to the RPL protocol, the optimum path for forwarding the packets of node 8 is


Fig. 13. Screenshot of simulating the wormhole attack launched by the cooperation of nodes 7 and 9.

Algorithm 4 Detecting wormhole suspicious node.
Output: detectedNodeID represents the ID of the suspicious node.
Steps:
(1) Set packetItem = getPacket();
(2) Set sourceRank = packetItem.getSrcRank();
(3) Set realHopCount = packetItem.getHopCount();
(4) Set logicHopCount = sourceRank − hostRank;
(5) if realHopCount ≠ logicHopCount then
(6)   if anySuspiciousList(wormhole) ≠ true then
(7)     Set detectedNodeID = packetItem.getRouterID();
(8)   end
(9)   else
(10)    Set detectedNodeID = nil;
(11)  end
(12) end
(13) return detectedNodeID;

Table 16
Assumptions in the wormhole attack simulation (shown in Fig. 13).

Parameter                Value
Number of source nodes   3 (IDs: {8, 11, 13})
Number of router nodes   12 (IDs: {2, 3, 4, 5, 6, 7, 9, 10, 12, 14, 15, 16})
Root's ID                {1}
Malicious nodes' ID      {7, 9}
Simulation time (min)    30


as follows: IDs: {8, 7, 6, 5, 4, 3, 1}. Moreover, as seen in steps 5 to 11 of Algorithm 4, when the network is under wormhole attack, the first normal router node can detect the malicious node. So, the wormhole attack has been identified by this node, and checking for the wormhole attack by other nodes is not necessary. In other words, when the first node detects the wormhole attack, the other router nodes ignore it (step 10 of Algorithm 4), because this type of attack has already been detected by the mentioned first node. Notably, getRouterID() (step 7 of Algorithm 4) returns the ID of the last router node (before the current node). As mentioned earlier, when the SA-IDS identifies a suspicious node (a malicious node which participates in the wormhole attack), it adds an item with the format 〈SID, Type, TimeStamp〉 (as the suspicious node information) to the SuspiciousList by using the addSuspiciousList() function, where Type is wormhole. Notably, anySuspiciousList(Type) (step 6 of Algorithm 4) is a new read-only function (that should be added to the proposed structure of data packets) that checks whether an attack of kind Type (e.g., wormhole) has happened or not. Moreover, the remainder of the detection process is the same as for the sinkhole and selective-forwarding attacks. The assumptions in this simulation (Fig. 13) are given in Table 16.
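Algorithm 4 carried through on a constructed packet trace modelled on Fig. 13, as an added example that is not the paper's simulator code. The hop-count ranks, the variant path through node 12, and the packet structure are assumptions made here; the ranks are chosen so that rank(8) − rank(2) = 5 and the path from node 11 to node 2 is two hops, matching the figures quoted in the text.

```python
"""Runnable version of Algorithm 4 (wormhole suspicious-node detection),
run on the honest router nodes along a constructed packet trace modelled
on Fig. 13.  Added example; not the paper's simulator code.

Constructed assumptions (not on the page): the hop-count ranks below were
chosen so that rank(8) - rank(2) = 5 and the path 11 -> 10 -> 2 is two
hops; node 12's rank and the variant path through it exist only to
exercise step 10 (a second honest router ignoring an already-reported attack).
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Hop-count ranks for the Fig. 13 DODAG (root = 1 with rank 0); constructed.
RANK: Dict[int, int] = {1: 0, 2: 1, 3: 1, 4: 2, 5: 3, 6: 4, 7: 5, 8: 6,
                        9: 2, 10: 2, 11: 3, 12: 2}
MALICIOUS = {7, 9}      # the two cooperating wormhole nodes (Table 16)
ROOT = 1


@dataclass
class SuspiciousEntry:
    """One <SID, Type, TimeStamp> item of the packet's SuspiciousList."""
    sid: int
    type: str
    timestamp: int


@dataclass
class Packet:
    src: int                                  # source (leaf) node
    src_rank: int                             # SrcRank field (getSrcRank)
    hop_count: int = 0                        # incremented per forwarding hop
    last_router: Optional[int] = None         # what getRouterID() returns
    suspicious: List[SuspiciousEntry] = field(default_factory=list)

    def any_suspicious(self, kind: str) -> bool:
        """anySuspiciousList(Type): has an attack of this kind been recorded?"""
        return any(e.type == kind for e in self.suspicious)


def detect_wormhole(host_id: int, pkt: Packet, now: int) -> Optional[int]:
    """Algorithm 4 as run by the SA-IDS hosted on router `host_id`.

    Returns detectedNodeID (the last router before this node) when the
    real hop count disagrees with the rank-derived one and no earlier
    router has already reported a wormhole; otherwise None (nil).
    """
    logic_hop_count = pkt.src_rank - RANK[host_id]          # step 4
    if pkt.hop_count != logic_hop_count:                    # step 5
        if not pkt.any_suspicious("wormhole"):              # step 6
            detected = pkt.last_router                      # step 7
            # addSuspiciousList(): record <SID, Type, TimeStamp> in the packet
            pkt.suspicious.append(SuspiciousEntry(detected, "wormhole", now))
            return detected
        return None                                         # step 10
    return None


def forward(src: int, path: List[int],
            now: int = 0) -> Tuple[Packet, List[Tuple[int, Optional[int]]]]:
    """Route a packet from `src` along `path` (routers, then the root).

    Every honest router runs detect_wormhole; malicious nodes forward
    without checking.  Returns the final packet and the list of
    (router_id, detectedNodeID) verdicts in forwarding order.
    """
    pkt = Packet(src=src, src_rank=RANK[src])
    verdicts: List[Tuple[int, Optional[int]]] = []
    for node in path:
        pkt.hop_count += 1
        if node not in MALICIOUS and node != ROOT:
            verdicts.append((node, detect_wormhole(node, pkt, now)))
        pkt.last_router = node   # the check trusts this field and hop_count
    return pkt, verdicts


# Constructed traces: the normal path 11 -> 10 -> 2 -> 1, the Fig. 13
# wormhole path 8 -> 7 ~tunnel~> 9 -> 2 -> 1, and a variant with two
# honest routers after the tunnel.
NORMAL_PATH = (11, [10, 2, ROOT])
WORMHOLE_PATH = (8, [7, 9, 2, ROOT])
WORMHOLE_TWO_ROUTERS = (8, [7, 9, 12, 2, ROOT])

if __name__ == "__main__":
    for src, path in (NORMAL_PATH, WORMHOLE_PATH, WORMHOLE_TWO_ROUTERS):
        pkt, verdicts = forward(src, path)
        print(f"src {src} via {path}: verdicts {verdicts}, "
              f"SuspiciousList {[(e.sid, e.type) for e in pkt.suspicious]}")
```

On the Fig. 13 path the first honest router (node 2) sees realHopCount 3 against logicHopCount 5 and names node 9, the tunnel endpoint that handed it the packet; on the variant path node 12 raises the report and node 2 returns nil because the SuspiciousList already carries a wormhole entry.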

The experimental results of the wormhole attack simulation (Fig. 13) show that the extended hybrid IDS can achieve a TPR of 96.02% and an FPR of 2.08% in detecting wormhole attacks. The performance of the proposed model in this simulation is reported in Table 17.

According to the wormhole attack functionality, the wormhole attack has a considerable effect on the maximum hop-count feature; therefore, the TPR values of the anomaly-based detection and the hybrid detection methods in this simulation are acceptable.


Table 17
Performance of the proposed model in the wormhole attack simulation (shown in Fig. 13).

Method                                                   TPR (%)   FPR (%)   AR in detecting malicious nodes (%)
Anomaly-based detection                                  97.53     8.85      NA*
Hybrid (Anomaly-based + Specification-based) detection   96.02     2.08      100

* Not applicable


Table 18
Specifications of Waspmote Mote Runner's hardware.

Feature                Value
Microcontroller        ATmega1281
Frequency              14 MHz
SRAM                   8 KB
EEPROM                 4 KB
FLASH                  128 KB
SD card                2 GB
Weight                 20 g
Dimensions             73.5 × 51 × 13 mm
Temperature range      [−10 °C, +65 °C]
Programming language   Java or C#


In IoT, the things (i.e., the resource-constrained devices) are vulnerable to intrusions from both the Internet and WSN sides. In this study, we particularly worked on internal (insider) attacks. However, the proposed architecture has the capability to deal with external (cyber) attacks from the Internet side. As mentioned earlier, the proposed anomaly detection method in the global agent (which will be hosted on the 6BR) is based on the MapReduce architecture. In this approach, the root node sends the values of the extracted traffic features of the source nodes to the corresponding reducer nodes for anomaly detection. According to this approach, we can add a new reducer node, which hosts a special IDS (compatible with the Internet), to the proposed framework. Therefore, by sending the values of Internet traffic features from the root node to the new reducer node, our framework can be employed for detecting cyber attacks from the Internet side.

7. Employing the proposed IDS in real-world IoT applications

The applications of IoT are becoming widely used in real life, such as smart-city [52], smart-home [53], smart-grid [54], health care monitoring [55–57], speech streaming services [58], and localization services [59]. The proposed IoT middleware solutions should meet the requirements of device providers, application developers, and end-users [60–62]. As mentioned earlier, 6LoWPAN is one of the main efforts to make the concept of real IoT, which is proposed and standardized by the IETF working group. Recently, IBM and Libelium have offered a unique IPv6 development platform for IoT based on IETF standards [63]. They proposed a development platform called Waspmote Mote Runner as a tool for developing real applications which use 6LoWPAN/IPv6 connectivity for the IoT [63]. In fact, they integrated the IBM Mote Runner Software Development Kit (SDK) on top of the Libelium Waspmote sensor platform to allow developers and researchers to study the 6LoWPAN protocol in order to improve it and test new routing algorithms [63]. Notably, Waspmote is an open source wireless sensor platform based on the implementation of low-consumption modes which allows the sensor nodes ("motes") to be completely autonomous.

In this study, we have tried to propose an IDS that is applicable to most real-world IoT deployments. The proposed model consists of simple modules (i.e., local agents) that can be employed in real-world IoT scenarios such as smart-city without considerable overhead in software/hardware. In this section, we review the general specifications of Waspmote Mote Runner and then a real scenario (which can be developed by the Waspmote Mote Runner platform) will be studied with the aim of using the proposed IDS. The general specifications of Waspmote Mote Runner's hardware are listed in Table 18 [64].

The Waspmote Mote Runner can communicate with other devices through communication modules (wireless interfaces) such as 6LoWPAN radios [63]. As seen in Fig. 14, the Waspmote Mote Runner platform includes two types of nodes: (a) end node and (b) gateway (GW). The end nodes, which are equipped with a 6LoWPAN radio, sensors and a battery, are used to gather information and send it to the GW or to forward the packets of other nodes in order to make the information reach the GW [64]. Moreover, the GW, which is equipped with a 6LoWPAN radio, an Ethernet interface and a battery, sends the information taken from the end nodes to the tunneling IPv4/IPv6 server by using the Ethernet IPv4 interface [64].

One of the main applications that can be developed by using the Waspmote Mote Runner platform is the smart-city, which includes smart lighting, acoustic noise maps, structural health, air quality monitoring, and waste management [64]. The Waspmote Mote Runner has a "smart cities board" that includes: (a) hardware; (b) sensors (e.g., humidity and temperature); and (c) Waspmote Application Programming Interface (API) libraries designed to facilitate the management of all the resources of the board in order to extend the monitoring functionalities from indoor environments to outdoor locations [65]. For example, the particle and dust sensor is an optical sensor whose operation is based on the detection of infrared light emitted by an LED, reflected by the dust particles and captured by means of a phototransistor [65]. An example application for the particle sensor and a schema of smart-city development are depicted in Fig. 15. As seen in Fig. 15b, the Waspmote Mote Runner platform has the capability to host the IDS proposed in this study. As mentioned earlier, 6LoWPAN nodes in the proposed model are classified into leaf (source), router, and root (6BR) nodes with the aim of generating and sending data (e.g., sensing the dust particles in the ambient air), routing the packets, and receiving the packets sent by leaf nodes, respectively. The role of these nodes is similar to the end nodes and the GW in the Waspmote Mote Runner platform. Therefore, the SA-IDS and AA-IDS agents which are used in the router nodes and the root node can be hosted on the end nodes and the GW for detecting malicious behaviors, respectively.

As seen in Algorithms 1 and 2, the process of intrusion detection in the SA-IDS is performed in each time-slot Δw. In this time-slot, some variables (e.g., PHList in Algorithm 1 or ChildList in Algorithm 2) which show the status of a router node should be kept in memory. As seen in Table 18, the memory capacity (e.g., SRAM, EEPROM, and SD card) of the end node can handle this requirement by keeping these variables in SRAM or storing them in EEPROM (when the end node is switched off) [63]. Notably, the packets in the 6LoWPAN should be routed based on the RPL protocol. Moreover, the ability to access the required fields mentioned in the proposed structure of data packets (shown in Fig. 6) should be obtained through the Waspmote API libraries. In the proposed model, we assumed that the root node (which is responsible for the anomaly detection and final decision) is not constrained; however, the GW is a constrained device. For dealing with this challenge, the PC (the tunneling machine in Fig. 15b) can be responsible for the related processing of the global agent, and the GW will be only responsible for receiving packets (from the end nodes) and sending them to the PC.


Fig. 14. Waspmote Mote Runner’s nodes; (a) end node, (b) gateway [64] .

Fig. 15. Smart-city scenario; (a) application for the particle sensor, (b) general schema for development [64,65] .


However, the GW and the tunneling machine are intended to be a single device in the future [64].

8. Conclusion and future work

In this study, a novel real-time hybrid intrusion detection

framework was proposed which was based on anomaly- and

specification-based intrusion detection. The ability of proposed

model was investigated in detecting two insider attacks in IoT

alled sinkhole and selective-forwarding attacks (as two well-

nown routing attacks in 6LoWPAN). In addition, the possibility

f detecting blackhole, rank, and wormhole attacks by the pro-

osed model was also investigated. In the proposed model, the

pecification-based intrusion detection module (as the local intru-

ion detection agents that were located in the router nodes) ana-

yzes the traffic- and non-traffic-related features of the host nodes.

hen, the local results were sent to the root node through data

ackets (that were routed by the router nodes). Notably, the ob-

Page 18: Computer Communications - AMAN Systemamansystem.com/apps/people/sallay/NS/slides/paper4.pdfof the cyber-entities in IoT as compared to the Internet; (b) dy- namic activity cycle of

H. Bostani, M. Sheikhan / Computer Communications 98 (2017) 52–71 69

Table 19

Comparison of some intrusion detection methods for IoT.

Method Highlights Requirements

Additional control messages Monitor nodes

SVELTE [8] Hybrid detection (a host-based IDS that employs RPL’s network information) √

Specification-based IDS for RPL

(IP-based WSNs) [30]

Specification-based detection (a finite-state machine design for detecting

RPL-based attacks)

✗ √

DoS detection in 6LoWPAN [24] Signature-based detection (DoS detection architecture that integrates an IDS

into the network framework developed in EBBITS project)

✗ √

Decentralized intrusion

detection in WSNs [47]

Specification-based detection (IDSs are distributed on the WSN for

decentralized detection)

✗ √

Proposed method Hybrid detection ✗ ✗

j

o

t

t

a

s

s

s

t

e

a

g

i

c

F

s

P

m

c

p

p

c

t

c

6

n

[

m

c

t

s

t

t

t

s

i

t

t

t

s

o

m

o

e

s

c

i

f

s

h

c

w

f

u

w

p

s

s

a

t

i

e

u

i

w

t

p

2

b

f

t

m

c

p

l

i

m

o

R

ects in 6LoWPAN are usually constrained (e.g., in terms of mem-

ry and processing power), so the proposed specification-based in-

rusion detection module is a light IDS agent that will eliminate

he local analysis results after sending them to the root node. The

nomaly-based intrusion detection module (as the global intru-

ion detection agent that was located in the root node) projects

ome anomaly detection models (corresponding to the number of

ource nodes in the network) based on an unsupervised OPF using

he traffic-related features extracted from the incoming data pack-

ts. According to the local and global results of specification- and

nomaly-based intrusion detection agents, the root node made a

eneral decision about the occurred anomalies in the network us-

ng a voting mechanism.
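The root-node anomaly module summarized in the conclusion, as an added Python example that is not the paper's code: records are keyed by source node (map and shuffle), and each node's feature vectors are clustered with the unsupervised OPF algorithm of Rocha et al. [33] (k-NN graph, Gaussian density estimate with σ = d_f/3, a path worth the minimum density along it, maximised from the density peaks). The fixed k, the rule that members of a cluster smaller than a quarter of the group are anomalies, the feature values and all function names are assumptions, and the final vote with the local agents is left out because this section does not state its rule.

```python
import math
from collections import defaultdict

K_NEIGHBOURS = 4         # assumed fixed k (the paper tunes k; not shown here)
MIN_CLUSTER_FRAC = 0.25  # assumed rule: members of clusters this small are anomalies
DELTA = 1e-12            # handicap so a conqueror's offer beats a fresh root


def dist(a, b):
    return math.sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))


def opf_cluster(points, k=K_NEIGHBOURS):
    """Unsupervised OPF clustering (Rocha et al.): one cluster label per point."""
    n = len(points)
    if n < 2:
        return [0] * n
    k = min(k, n - 1)
    # Directed k-NN graph: adj[s] holds the k nearest neighbours of s.
    adj = [sorted((t for t in range(n) if t != s),
                  key=lambda t: dist(points[s], points[t]))[:k] for s in range(n)]
    # Gaussian pdf estimate with sigma = d_f / 3, d_f = longest arc in the graph.
    d_f = max(dist(points[s], points[t]) for s in range(n) for t in adj[s])
    sigma = max(d_f, 1e-9) / 3.0
    norm = 1.0 / (math.sqrt(2 * math.pi) * sigma * k)
    rho = [norm * sum(math.exp(-dist(points[s], points[t]) ** 2 / (2 * sigma ** 2))
                      for t in adj[s]) for s in range(n)]
    for s in range(n):                      # symmetric arcs on density plateaus
        for t in adj[s]:
            if rho[s] == rho[t] and s not in adj[t]:
                adj[t].append(s)
    # Optimum-path forest: each node starts as a candidate root worth rho - DELTA;
    # a path is worth the minimum density along it, and the forest maximises it.
    value = [r - DELTA for r in rho]
    pred, label, queue, n_clusters = [None] * n, [-1] * n, list(range(n)), 0
    while queue:
        s = max(queue, key=lambda i: value[i])
        queue.remove(s)
        if pred[s] is None:                 # unconquered density peak: new root
            label[s], value[s], n_clusters = n_clusters, rho[s], n_clusters + 1
        for t in adj[s]:
            offer = min(value[s], rho[t])
            if t in queue and offer > value[t]:
                value[t], pred[t], label[t] = offer, s, label[s]
    return label


def reduce_group(src, feats, min_frac=MIN_CLUSTER_FRAC):
    """Reduce: cluster one node's records, flag members of clusters below min_frac."""
    labels = opf_cluster(feats)
    return src, [i for i, lab in enumerate(labels) if labels.count(lab) < min_frac * len(feats)]


def detect(records):
    """Map each record to (source node, features), shuffle by node, reduce per node."""
    groups = defaultdict(list)
    for src, features in records:           # map + shuffle: one group per source node
        groups[src].append(features)
    return dict(reduce_group(src, feats) for src, feats in groups.items())


# Constructed records (source node, [packets per interval, mean payload bytes / 10]);
# n3 has seven ordinary intervals and two whose traffic pattern differs sharply.
RECORDS = [("n3", f) for f in [[20, 10], [21, 10], [19.2, 10], [20, 10.7], [20, 9.1],
                               [21.2, 10.9], [18.9, 9.2], [58, 3], [61, 2]]]
RECORDS += [("n5", f) for f in [[20, 10], [21, 10], [19.2, 10], [20, 10.7], [20, 9.1]]]

if __name__ == "__main__":
    print(detect(RECORDS))                  # {'n3': [7, 8], 'n5': []}
```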

Generally, the main challenge of intrusion detection in the WSN context, such as 6LoWPAN, is to achieve an appropriate TPR and FPR in real time with minimum resource consumption. In this study, we proposed a hybrid intrusion detection method for 6LoWPAN that is based on an efficient architecture and the above-mentioned aims. Some existing IDSs for 6LoWPANs and WSNs are compared in Table 19.

As seen in Table 19, one of the major differences between the proposed method and the other methods is that the proposed framework detects intrusions without employing additional control messages or monitor nodes. For example, in SVELTE [8] intrusions were detected in the 6BR by finding inconsistencies in the RPL network. To this end, it used a module called 6LoWPAN Mapper (6Mapper) to gather information about the RPL network (DODAG) and reconstruct the network in the 6BR. In SVELTE [8], the 6Mapper sent mapping requests (additional control messages) to the nodes at regular intervals. When the nodes received mapping requests, they sent mapping responses (again additional control messages) to the 6BR. Using the mapping responses, the 6BR reconstructed the DODAG to detect inconsistencies (i.e., intrusions). Unlike SVELTE, the proposed method sends the analysis results of the local agents to the 6BR at regular intervals through normal data packets, without additional control messages. This approach clearly leads to a significant reduction in communication cost.

Another advantage of the proposed method is its data acquisition approach for extracting appropriate features. Most of the methods reported in Table 19 use monitor nodes that listen to the network traffic in promiscuous mode and send the local analysis results to the border router in 6LoWPANs (or to the cluster heads or base station in WSNs). For example, Kasinathan et al. [24] used multiple components, called IDS_Probe, that were external to the operating 6LoWPAN and listened to its network traffic. In contrast, the proposed method does not use additional infrastructure to sniff the transmissions among objects in 6LoWPAN, because the local agents located in the router nodes analyze incoming/outgoing packets to extract the traffic- and non-traffic-related features of their host nodes. This approach reduces the cost of setting up a 6LoWPAN as well as the traffic overhead.

Independence from the network's scale and the ability to identify malicious nodes are two key features of the proposed framework, and they were evaluated in different experiments. In this study, three different experiments consisting of 10 simulations were conducted to evaluate the performance of the proposed framework. The goal of the first experiment was to evaluate the proposed method in terms of TPR and FPR when dealing with sinkhole and selective-forwarding attacks. The simulation results showed that an acceptable TPR, an appropriate FPR, and acceptable AR values (in detecting malicious nodes) were achievable by the proposed framework. The goal of the second experiment was to evaluate the proposed method under different scales of small-size and medium-size networks. The simulation results showed that the proposed method is approximately independent of the network size. The goal of the third experiment was to evaluate the proposed method in detecting other attacks such as wormhole. The simulation results showed that the proposed hybrid model can achieve a TPR of 96.02% and an FPR of 2.08% in detecting the wormhole attack.

In this study, the proposed anomaly detection method was based on the MapReduce architecture. Hence, if an appropriate platform is prepared, the proposed model can run in parallel on a distributed platform following the MapReduce architecture. The deployment of the proposed hybrid model was also investigated in a smart-city scenario on a recently released platform.

On the other hand, several studies have focused on employing data mining methods for the IoT to make it more intelligent and to provide smarter devices and services [66]. Thus, applying data mining techniques and computational intelligence-based methods [67,68] is another candidate for future work, with the aim of improving the performance of the proposed hybrid IDS framework.

References

[1] A. Rghioui, A. Khannous, M. Bouhorma, Denial-of-service attacks on 6LoWPAN-RPL networks: threats and an intrusion detection system proposition, J. Adv. Comput. Sci. Technol. 3 (2014) 143–153, doi: 10.14419/jacst.v3i2.3321.
[2] S. Raza, Lightweight Security Solutions for the Internet of Things, Ph.D. Thesis, School of Innovation, Design and Engineering, Mälardalen University, Västerås, Sweden, 2013.
[3] E. Borgia, The Internet of things: key features, applications and open issues, Comput. Commun. 54 (2014) 1–31, doi: 10.1016/j.comcom.2014.09.008.
[4] M. De Sanctis, E. Cianca, G. Araniti, I. Bisio, R. Prasad, Satellite communications supporting Internet of remote things, IEEE Internet Things J. 3 (2016) 113–123, doi: 10.1109/JIOT.2015.2487046.
[5] S.A. Alvi, B. Afzal, G.A. Shah, L. Atzori, W. Mahmood, Internet of multimedia things: vision and challenges, Ad Hoc Netw. 33 (2015) 87–111, doi: 10.1016/j.adhoc.2015.04.006.
[6] J. Yu, H.C. Bang, H. Lee, Y.S. Lee, Adaptive Internet of things and web of things convergence platform for Internet of reality services, J. Supercomput. 72 (2016) 84–102, doi: 10.1007/s11227-015-1489-6.
[7] N. Kushalnagar, G. Montenegro, C. Schumacher, IPv6 over Low-power Wireless Personal Area Networks (6LoWPANs): Overview, Assumptions, Problem Statement, and Goals, RFC 4919 (2007).
[8] S. Raza, L. Wallgren, T. Voigt, SVELTE: real-time intrusion detection in the Internet of things, Ad Hoc Netw. 11 (2013) 2661–2674, doi: 10.1016/j.adhoc.2013.04.014.


[9] L. Wallgren, S. Raza, T. Voigt, Routing attacks and countermeasures in the RPL-based Internet of things, Int. J. Distrib. Sensor Netw. (2013) 1–11, doi: 10.1155/2013/794326.
[10] C. Hennebert, J. Dos Santos, Security protocols and privacy issues into 6LoWPAN stack: a synthesis, IEEE Internet Things J. 1 (2014) 384–398, doi: 10.1109/JIOT.2014.2359538.
[11] S. Sicari, A. Rizzardi, L.A. Grieco, A. Coen-Porisini, Security, privacy and trust in Internet of things: the road ahead, Comput. Netw. 76 (2015) 146–164, doi: 10.1016/j.comnet.2014.11.008.
[12] M. Ghadi, L. Laouamer, T. Moulahi, Securing data exchange in wireless multimedia sensor networks: perspectives and challenges, Multimedia Tools Appl. 75 (2016) 3425–3451, doi: 10.1007/s11042-014-2443-y.
[13] H. Ning, H. Liu, L.T. Yang, Cyberentity security in the Internet of things, IEEE Comput. Mag. 46 (2013) 46–53, doi: 10.1109/MC.2013.74.
[14] S. Sahraoui, A. Bilami, Efficient HIP-based approach to ensure lightweight end-to-end security in the Internet of things, Comput. Netw. 91 (2015) 26–45, doi: 10.1016/j.comnet.2015.08.002.
[15] R. Neisse, G. Steri, I. Nai Fovino, G. Baldini, SecKit: A model-based security toolkit for the Internet of things, Comput. Secur. 54 (2015) 60–76, doi: 10.1016/j.cose.2015.06.002.
[16] M. Mazhar Rathore, A. Paul, A. Ahmad, S. Rho, Urban planning and building smart cities based on the Internet of things using big data analytics, Comput. Netw. 101 (2016) 63–80, doi: 10.1016/j.comnet.2015.12.023.
[17] Q. Jing, A.V. Vasilakos, J. Wan, J. Lu, D. Qiu, Security of the Internet of things: perspectives and challenges, Wireless Netw. 20 (2014) 2481–2501, doi: 10.1007/s11276-014-0761-7.
[18] K. Benson, C. Fracchia, G. Wang, Q. Zhu, S. Almomen, et al., SCALE: Safe community awareness and alerting leveraging the Internet of things, IEEE Commun. Mag. 53 (2015) 27–34, doi: 10.1109/MCOM.2015.7355581.
[19] K.T. Nguyen, M. Laurent, N. Oualha, Survey on secure communication protocols for the Internet of things, Ad Hoc Netw. 32 (2015) 17–31, doi: 10.1016/j.adhoc.2015.01.006.
[20] S. Raza, H. Shafagh, K. Hewage, R. Hummen, T. Voigt, Lithe: Lightweight secure CoAP for the Internet of things, IEEE Sensors J. 13 (2013) 3711–3720, doi: 10.1109/JSEN.2013.2277656.
[21] R. Mitchell, I.R. Chen, A survey of intrusion detection in wireless network applications, Comput. Commun. 42 (2014) 1–23, doi: 10.1016/j.comcom.2014.01.012.
[22] M. Turkanović, B. Brumen, M. Hölbl, A novel user authentication and key agreement scheme for heterogeneous ad hoc wireless sensor networks, based on the Internet of things notion, Ad Hoc Netw. 20 (2014) 96–112, doi: 10.1016/j.adhoc.2014.03.009.
[23] M. Sabzinejad Farash, M. Turkanović, S. Kumari, M. Hölbl, An efficient user authentication and key agreement scheme for heterogeneous wireless sensor network tailored for the Internet of things environment, Ad Hoc Netw. 36 (2016) 152–176, doi: 10.1016/j.adhoc.2015.05.014.
[24] P. Kasinathan, C. Pastrone, M.A. Spirito, M. Vinkovits, Denial-of-service detection in 6LoWPAN based Internet of things, in: Proceedings of 9th International Conference on Wireless and Mobile Computing, Networking and Communications, Lyon, France, 2013, doi: 10.1109/WiMOB.2013.6673419.
[25] European project: Enabling the business-based Internet of things and services. Accessed 2 June 2015. http://www.ebbits-project.eu/news.php.
[26] G. Cugola, A. Margara, Processing flows of information: from data stream to complex event processing, in: Proceedings of 5th ACM International Conference on Distributed Event-Based Systems, New York, USA, 2011, doi: 10.1145/2002259.2002307.
[27] C. Jun, C. Chi, Design of complex event-processing IDS in Internet of things, in: Proceedings of 6th International Conference on Measuring Technology and Mechatronics Automation, Zhangjiajie, China, 2011, doi: 10.1109/ICMTMA.2014.57.
[28] K. Ioannis, T. Dimitriou, F.C. Freiling, Towards intrusion detection in wireless sensor networks, in: Proceedings of 13th European Wireless Conference, Paris, France, 2007.
[29] T. Winter, P. Thubert, A. Brandt, J. Hui, R. Kelsey, P. Levis, K. Pister, R. Struik, J. Vasseur, R. Alexander, RPL: IPv6 Routing Protocol for Low-Power and Lossy Networks, RFC 6550 (2012).
[30] A. Le, J. Loo, Y. Luo, A. Lasebae, Specification-based IDS for securing RPL from topology attacks, in: Proceedings of the Wireless Days, Niagara Falls, Canada, 2011, doi: 10.1109/WD.2011.6098218.
[31] K. Zhang, X. Liang, R. Lu, X. Shen, Sybil attacks and their defenses in the Internet of things, IEEE Internet Things J. 1 (2014) 372–383, doi: 10.1109/JIOT.2014.2344013.
[32] P.Y. Chen, S.M. Cheng, K.C. Chen, Information fusion to defend intentional attack in Internet of things, IEEE Internet Things J. 1 (2014) 337–348, doi: 10.1109/JIOT.2014.2337018.
[33] L.M. Rocha, F.A.M. Cappabianco, A.X. Falcão, Data clustering as an optimum-path forest problem with applications in image analysis, Int. J. Imaging Syst. Technol. 19 (2009) 50–68, doi: 10.1002/ima.20191.
[34] J. Dean, S. Ghemawat, MapReduce: simplified data processing on large clusters, in: Proceedings of 6th Symposium on Operating Systems Design and Implementation, San Francisco, USA, 2004.
[35] S.Y. Wu, E. Yen, Data mining-based intrusion detectors, Expert Syst. Appl. 36 (2009) 5605–5612, doi: 10.1016/j.eswa.2008.06.138.
[36] V. Golmah, An efficient hybrid intrusion detection system based on C5.0 and SVM, Int. J. Database Theory Appl. 7 (2014) 59–70.
[37] N. Stakhanova, S. Basu, J. Wong, On the symbiosis of specification-based and anomaly-based detection, Comput. Secur. 29 (2010) 253–268, doi: 10.1016/j.cose.2009.08.007.
[38] L. Zhang, G. Feng, S. Qin, Intrusion detection system for low-power and lossy networks, Internet Draft, November 2013. https://tools.ietf.org/html/draft-zhang-roll-rpl-intrusion-defence-00.
[39] S. Hamedheidari, R. Rafeh, A novel agent-based approach to detect sinkhole attacks in wireless sensor networks, Comput. Secur. 37 (2013) 1–14, doi: 10.1016/j.cose.2013.04.002.
[40] K.A.P. Costa, L.A.M. Pereira, R.Y.M. Nakamura, C.R. Pereira, J.P. Papa, A.X. Falcão, A nature-inspired approach to speed up optimum-path forest clustering and its application to intrusion detection in computer networks, Inf. Sci. 294 (2015) 95–108, doi: 10.1016/j.ins.2014.09.025.
[41] S. Aridhi, P. Lacomme, L. Ren, B. Vincent, A MapReduce-based approach for shortest path problem in large-scale networks, Eng. Appl. Artif. Intell. 41 (2015) 151–165, doi: 10.1016/j.engappai.2015.02.008.
[42] C.E. Loo, M.Y. Ng, C. Leckie, M. Palaniswami, Intrusion detection for routing attacks in sensor networks, Int. J. Distrib. Sensor Netw. 2 (2006) 313–332, doi: 10.1080/15501320600692044.
[43] K.Q. Yan, S.C. Wang, S.S. Wang, C.W. Liu, Hybrid intrusion detection system for enhancing the security of a cluster-based wireless sensor network, in: Proceedings of 3rd IEEE International Conference on Computer Science and Information Technology, Chengdu, China, 2010, doi: 10.1109/ICCSIT.2010.5563886.
[44] S. Kaplantzis, A. Shilton, N. Mani, Y.A. Sekercioglu, Detecting selective forwarding attacks in wireless sensor networks using support vector machines, in: Proceedings of 3rd International Conference on Intelligent Sensors, Sensor Networks and Information, Melbourne, Australia, 2007, doi: 10.1109/ISSNIP.2007.4496866.
[45] T. Tsvetkov, RPL: IPv6 routing protocol for low power and lossy networks, in: Proceedings of the Seminar Sensor Nodes-Operation, Network and Application, Munich, Germany, 2011.
[46] L. Yanfei, W. Cheng, Q. Xiaojun, Z. Yunhe, Y. Chengbo, An improved design of ZigBee wireless sensor network, in: Proceedings of 2nd IEEE International Conference on Computer Science and Information Technology, Beijing, China, 2009, doi: 10.1109/ICCSIT.2009.5234655.
[47] A.P.R. Da Silva, M.H.T. Martins, B.P.S. Rocha, A.A.F. Loureiro, L.B. Ruiz, H.C. Wong, Decentralized intrusion detection in wireless sensor networks, in: Proceedings of 1st ACM International Workshop on Quality of Service & Security in Wireless and Mobile Networks, Montreal, Canada, 2005, doi: 10.1145/1089761.1089765.
[48] F. Medjek, D. Tandjaoui, M.R. Abdmeziem, N. Djedjig, Analytical evaluation of the impacts of Sybil attacks against RPL under mobility, in: Proceedings of 12th International Symposium on Programming and Systems, Algiers, Algeria, 2015, doi: 10.1109/ISPS.2015.7244960.
[49] A. Le, J. Loo, Y. Luo, A. Lasebae, The impacts of internal threats towards routing protocol for low power and lossy network performance, in: Proceedings of the IEEE Symposium on Computers and Communications, Split, Croatia, 2013, doi: 10.1109/ISCC.2013.6755045.
[50] K. Chugh, A. Lasebae, J. Loo, Case study of a black hole attack on 6LoWPAN-RPL, in: Proceedings of 6th International Conference on Emerging Security Information, Systems and Technologies, Rome, Italy, 2012, pp. 157–162.
[51] T. Tsao, R. Alexander, M. Dohler, V. Daza, A. Lozano, M. Richardson, A Security Threat Analysis for the Routing Protocol for Low-Power and Lossy Networks (RPL), RFC 7416 (2015).
[52] Y. Qin, Q.Z. Sheng, N.J.G. Falkner, S. Dustdar, H. Wang, A.V. Vasilakos, When things matter: a survey on data-centric Internet of things, J. Netw. Comput. Appl. 64 (2016) 137–153, doi: 10.1016/j.jnca.2015.12.016.
[53] A. Sivieri, L. Mottola, G. Cugola, Building Internet of things software with ELIoT, Comput. Commun. 89-90 (2016) 141–153, doi: 10.1016/j.comcom.2016.02.004.
[54] M. Díaz, C. Martín, B. Rubio, State-of-the-art, challenges, and open issues in the integration of Internet of things and cloud computing, J. Netw. Comput. Appl. 67 (2016) 99–117, doi: 10.1016/j.jnca.2016.01.010.
[55] Y. Zeng, X. Chen, Y. Fan, The Internet of things in healthcare: an overview, J. Ind. Inf. Integr. 1 (2016) 3–13, doi: 10.1016/j.jii.2016.03.004.
[56] S.M. Seo, S.W. Kim, J.W. Jeon, J.H. Kim, H.S. Kim, J.H. Cho, W.H. Lee, S.H. Paek, Food contamination monitoring via Internet of things, exemplified by using pocket-sized immunosensor as terminal unit, Sens. Actuators B 233 (2016) 148–156, doi: 10.1016/j.snb.2016.04.061.
[57] S. Rahimi Moosavi, T.N. Gia, E. Nigussie, A.M. Rahmani, S. Virtanen, H. Tenhunen, J. Isoaho, End-to-end security scheme for mobility enabled healthcare Internet of things, Future Gener. Comput. Syst. 64 (2016) 108–124, doi: 10.1016/j.future.2016.02.020.
[58] M. Gentili, R. Sannino, M. Petracca, BlueVoice: Voice communications over Bluetooth low energy in the Internet of things scenario, Comput. Commun. 89-90 (2016) 51–59, doi: 10.1016/j.comcom.2016.03.004.
[59] K. Lin, W. Wang, Y. Bi, M. Qiu, M.M. Hassan, Human localization based on inertial sensors and fingerprints in the industrial Internet of things, Comput. Netw. 101 (2016) 113–126, doi: 10.1016/j.comnet.2015.11.012.
[60] J. Mineraud, O. Mazhelis, X. Su, S. Tarkoma, A gap analysis of Internet-of-things platforms, Comput. Commun. 89-90 (2016) 5–16, doi: 10.1016/j.comcom.2016.03.015.
[61] S. Sicari, A. Rizzardi, D. Miorandi, C. Cappiello, A. Coen-Porisini, A secure and quality-aware prototypical architecture for the Internet of things, Inf. Syst. 58 (2016) 43–55, doi: 10.1016/j.is.2016.02.003.


[62] L. Malina, J. Hajny, R. Fujdiak, J. Hosek, On perspective of security and privacy-preserving solutions in the Internet of things, Comput. Netw. 102 (2016) 83–95, doi: 10.1016/j.comnet.2016.03.011.
[63] Libelium Comunicaciones Distribuidas S.L., Waspmote Mote Runner Technical Guide, Document version: v4.2, Mar. 2015.
[64] Libelium, Waspmote Mote Runner: 6LoWPAN Development Platform. Accessed 20 May 2016. http://www.libelium.com/products/waspmote-mote-runner-6lowpan/.
[65] Libelium Comunicaciones Distribuidas S.L., Smart Cities Board Technical Guide, Document version: v5.4, Jan. 2016.
[66] C.W. Tsai, C.F. Lai, M.C. Chiang, L.T. Yang, Data mining for Internet of things: a survey, IEEE Commun. Surv. Tutorials 16 (2014) 77–97, doi: 10.1109/SURV.2013.103013.00206.
[67] M. Sheikhan, Artificial neural network models for intrusion detection, in: Encyclopedia of Information Assurance, Taylor & Francis, New York, 2014, pp. 1–12, doi: 10.1081/E-EIA-120051983.
[68] M. Sheikhan, Fuzzy models for intrusion detection, in: Encyclopedia of Information Assurance, Taylor & Francis, New York, 2015, pp. 1–13, doi: 10.1081/E-EIA-120051982.