Computer Communications 98 (2017) 52–71
Hybrid of anomaly-based and specification-based IDS for Internet of Things using unsupervised OPF based on MapReduce approach
Hamid Bostani a, Mansour Sheikhan b,∗
a Department of Computer Engineering, Islamic Azad University, South Tehran Branch, Tehran, Iran
b Department of Communication Engineering, Islamic Azad University, South Tehran Branch, Tehran, Iran
Article info
Article history:
Received 21 November 2015
Revised 14 June 2016
Accepted 1 December 2016
Available online 2 December 2016
Keywords:
Internet of Things
Unsupervised optimum-path forest
Anomaly-based intrusion detection
Specification-based intrusion detection
MapReduce
Abstract
Internet of Things (IoT) is a novel paradigm in computer networks in which resource-constrained objects connect to unreliable Internet by using a wide range of technologies. The insecure nature of the Internet and wireless sensor networks, which are the main components of IoT, makes IoT vulnerable to different attacks, especially routing attacks (as insider attacks). A novel real-time hybrid intrusion detection framework is proposed in this study that consists of anomaly-based and specification-based intrusion detection modules for detecting two well-known routing attacks in IoT called sinkhole and selective-forwarding attacks. For this purpose, the specification-based intrusion detection agents, which are located in the router nodes, analyze the behavior of their host nodes and send their local results to the root node through normal data packets. In addition, an anomaly-based intrusion detection agent, which is located in the root node, employs the unsupervised optimum-path forest algorithm for projecting clustering models by using incoming data packets. This agent, which is based on the MapReduce architecture, can work in a distributed platform for projecting clustering models and consequently parallel detecting of anomalies as a global detection approach. The proposed method makes a decision about suspicious behavior by using a voting mechanism. Notably, the proposed method is also extended to detect wormhole attack. The deployment of the hybrid proposed model is investigated in a smart-city scenario by an existing platform, as well. The free network’s scale and the ability to identify malicious nodes are two key features of the proposed framework that are evaluated through different experiments in this study. The experimental results of simulated scenarios showed that the proposed hybrid method can achieve true positive rate of 76.19% and false positive rate of 5.92% when both sinkhole and selective-forwarding attacks were launched simultaneously. These rates in detecting wormhole attack are 96.02% and 2.08%, respectively.
© 2016 Elsevier B.V. All rights reserved.
∗ Corresponding author.
E-mail addresses: [email protected] (H. Bostani), [email protected] (M. Sheikhan).
http://dx.doi.org/10.1016/j.comcom.2016.12.001
0140-3664/© 2016 Elsevier B.V. All rights reserved.
1. Introduction
Internet of Things (IoT) is a network by which identifiable heterogeneous objects such as smart phones, laptops, and smart sensors can connect to the Internet by using a wide range of technologies. The basic idea of IoT is creation of an autonomous world using smart objects that are accessible from anywhere and have ability to connect, exchange information, and even make decisions on behalf of users [1]. Along with the rapid progress in technologies (e.g., radio frequency identification, embedded sensors, and miniature actuators), a wide range of potential applications of IoT have been proposed in real-life, such as smart cities, home automation, and health care monitoring [2]. In other words, large number of smart interconnected devices in IoT can result in valuable services to the society and individual citizens [3]. IoT can be supported by satellite communication systems for the case of Internet of Remote Things (IoRT) in which Internet Protocol version 6 (IPv6) should be supported over satellite [4]. Internet of Multimedia Things (IoMT) is also introduced for interaction and cooperation of smart multimedia things connected to the Internet [5]. For example, Yu et al. [6] proposed a convergent platform of adaptive IoT and Web of Things (WoT) for dynamic implementation of the smart WoT.
One of the main efforts to make the concept of real IoT is the IPv6 over Low-Power Wireless Personal Area Networks (6LoWPANs) which is proposed and standardized by the Internet Engineering Task Force (IETF) workgroup [7]. The 6LoWPAN is a Wireless Sensor Network (WSN) which allows the connection of resource-constrained devices, such as sensor nodes, to the Internet through the 6LoWPAN Border Router (6BR) [8,9]. The 6LoWPAN network employs compressed IPv6 protocol for networking and IEEE 802.15.4 as data-link and physical layers protocol. Hennebert and Dos Santos [10] described the popular protocols and security solutions deployed in small constrained objects of IoT. For this purpose, the security extension of IEEE 802.15.4e in time-slotted channel hopping mode, compressed IPsec, and Datagram Transport Layer Security (DTLS) (which embedded into the 6LoWPAN stack) were analyzed.
The main security requirements for the IoT are as follows [11]: (a) data confidentiality and authentication and (b) privacy and trust among users and things. In other words, securing data exchange in WSNs (as vital components of IoT) is necessary for smart environments [12]. The communication in the IoT can be secured by using standard mechanisms such as cryptography and authentication techniques; however, these preventive mechanisms cannot detect all possible attacks, especially insider attacks (e.g., routing attacks), because of the nature of wireless communication. The resource-constrained devices are directly connected to unreliable Internet via IPv6 and 6LoWPAN networks in the IoT; so, they are vulnerable to intrusions; both from the Internet and WSNs [8].
There are three major challenges for securing smart physical objects (also called cyber-entities) in the IoT: (a) expanding scope of the cyber-entities in IoT as compared to the Internet; (b) dynamic activity cycle of the cyber-entities; and (c) heterogeneous interactions of cyber-entities [13]. Ning et al. [13] proposed a system architecture called Unit and Ubiquitous IoT (U2IoT) to address these challenges. Leveraging IP-based security protocols has also been proposed for IoT, after considering WSN’s constraints through message compression or computational-load distribution. For example, Sahraoui and Bilami [14] proposed a 6LoWPAN compression of the Host Identity Protocol (HIP) packets’ header and a distribution technique in Base Exchange (HIP-BEX). Neisse et al. [15] proposed a model-based security toolkit for IoT devices which can be employed in a smart-city scenario [16]. Jing et al. [17] analyzed the security problems of the following three layers contained in the IoT: (a) perception; (b) transportation; and (c) application. Benson et al. [18] proposed a cyber-physical system leveraging the pervasive IoT called Safe Community Awareness and Alerting Network at a low incremental cost. Nguyen et al. [19] discussed the applicability and limitations of existing Internet and WSN suitable security protocols for the IoT. It is accepted that IoT devices employ the Constrained Application Protocol (CoAP). Using DTLS is mandated by secure CoAP as the security protocol. The integration of DTLS and CoAP was performed for the IoT and presented by Raza et al. [20] entitled as Lithe.
Therefore, an Intrusion Detection System (IDS) is required for detecting malicious activities in the IoT besides the standard security mechanisms. The constrained devices in IoT are identified by an IP address, while end-to-end message security is a requirement and the 6BR is always accessible [9]. So, designing IDSs for the IoT is necessary to provide security.
The rest of this paper is organized as follows: the related work is reported in Section 2. The foundations of IDS, Routing Protocol for Low Power and Lossy Networks (RPL), selective-forwarding and sinkhole attacks, unsupervised OPF, and MapReduce approach are reviewed briefly in Section 3. The proposed intrusion detection model, which is a hybrid of anomaly-based and specification-based intrusion detection approaches, is introduced in Section 4. The performance of the proposed model in the simulated scenarios is presented in Section 5 by reporting simulation results. The possibility of detecting additional attacks (such as blackhole, rank, and wormhole) by the proposed model is investigated in Section 6. The deployment of proposed IDS in real-world IoT applications is detailed in Section 7. The paper is concluded in Section 8.
2. Related work
As mentioned earlier, sensor nodes in the IoT are exposed to wireless attacks from the Internet and WSN. So, IDSs and firewalls are needed [2]. Mitchell and Chen [21] summarized the pros and cons of different wireless IDSs in various wireless networks such as WSNs, Wireless Local Area Networks (WLANs), Wireless Personal Area Networks (WPANs), Wireless Mesh Networks (WMNs), ad hoc networks, and Cyber Physical Systems (CPSs). Turkanović et al. [22] proposed a User Authentication and Key Agreement Scheme (UAKAS) for heterogeneous WSN based on the IoT notion. To improve the security of this scheme against cryptographic attacks, an enhanced UAKAS has been proposed by Sabzinejad Farash et al. [23].
Several IDSs have been proposed for WSNs; however, most of them are not applicable in IP-based WSNs, because they were not originally designed for IoT technologies such as 6LoWPAN. So, designing IDS for IoT is still a new and on-going research subject, and to the best knowledge of the authors a few researchers in the security field work on this context. For example, Raza et al. [8] proposed a novel real-time IDS for IoT called SVELTE. They implemented the proposed model in the Contiki operating system and targeted only routing attacks such as sinkhole and selective-forwarding. They showed through simulated scenarios that SVELTE has a small overhead to deploy on the constrained nodes and can detect most of malicious nodes that launch sinkhole and/or selective-forwarding attacks. Kasinathan et al. [24] introduced Denial of Service (DoS) attacks detection architecture for 6LoWPAN. They integrated IDS into a framework which was developed in the European Business-Based Internet of Things and Services (EBBITS) project [25]. Their simulation results showed the capability of the proposed architecture in detecting DoS attacks. One of the main goals followed by employing IDS in the IoT is fast security event-processing that results in detecting network attacks immediately. The Complex Event-Processing (CEP) [26] is an appropriate solution to achieve real-time IDS for IoT. The CEP is an event-processing method that analyzes the stream of information for filtering and processing of events in real-time scenarios. For this purpose, June and Chi [27] designed a CEP-based IDS in the IoT environments to achieve better performance in real-time data computations.
Each layer in the 6LoWPAN is vulnerable to security threats; however, most of these threats focus on the network layer [2]. These kinds of attacks allow adversaries to take the control of information flow in the network [28]. All the network layer intruders of WSNs can threaten RPL [2]. RPL is a distance-vector routing protocol which was introduced and standardized by Routing over Low power and Lossy networks (ROLL) workgroup as a specific routing protocol for the network layer of 6LoWPAN [29]. Le et al. [30] worked on security aspects of RPL by introducing specification-based IDS for detecting a new type of threat called topology attack. This type of attack, which was originally applied to RPL, changes the node operation for breaking the optimized network topology. The experimental results showed effective detection of RPL topology attacks with a reasonable overhead.
Among several attacks, which can target the RPL, DoS attacks have a great effect on the availability of the 6LoWPANs. Each event that prevents accessing the services, provided by disrupting communication between network devices, is categorized as a DoS attack [24]. The DoS attacks are popular and simple to implement on networks; however, they have different forms. So, detection and prevention of them are very difficult [1]. In addition, Sybil attacks result in generating wrong reports by the IoT systems, and receiving spams by the users. Zhang et al. [31] defined three Sybil attack types. They also presented three Sybil detection schemes: (a) social graph-based; (b) behavior classification-based; and (c) mobile Sybil detection. Furthermore, intentional attacks disrupt a network by paralyzing a fraction of nodes, and therefore deteriorating IoT operations [32]. Chen et al. [32] proposed a fusion-based defense system in which each node fed back its local decision to the fusion center in order to infer attacks. They formulated the attack and defense strategy as a zero-sum game to enhance the robustness of IoT.
In this work, we proposed a novel real-time hybrid intrusion detection framework for detecting malicious behaviors of sinkhole and selective-forwarding attacks (as the severe DoS attacks) in 6LoWPAN. Moreover, the proposed method can find and introduce the sources of these attacks as malicious nodes in real-time. The proposed framework consists of a centralized anomaly-based intrusion detection, which is located in the root of 6LoWPAN, and some specification-based agents which are located in the router nodes. Each specification-based agent works as a local intrusion detection agent and sends its analysis results to the root. The anomaly-based agent, as a global intrusion detection module, uses unsupervised Optimum-Path Forest (OPF) algorithm [33] for projecting clustering models based on the MapReduce architecture [34] for detecting anomalous behaviors. According to the local and global results of specification-based and anomaly-based intrusion detection agents, the root makes a general decision about the occurred anomalies in the network by using a voting mechanism.
3. Preliminaries
In this section, we briefly review the foundations of IDS, RPL, selective-forwarding and sinkhole attacks, unsupervised OPF, and MapReduce architecture as the fundamental concepts in the proposed framework.
3.1. Intrusion detection system
IDS is an effective tool or mechanism which gathers network traffic as input data for detecting intruders or malicious behaviors that are trying to threaten the network. IDSs are classified into different categories based on: (a) analysis methods; (b) data sources; and (c) system architectures. Depending on the analysis methods, the computer security community has classified IDSs into three main categories: (a) misuse detection; (b) anomaly detection; and (c) specification-based systems. In the misuse detection systems, the predefined attack patterns are profiled in a signature database as a reference of intrusion patterns to match against system behavior or network traffic for detecting intrusions [35]. The misuse detection techniques are simple to use; however, specific knowledge of each attack is required and consequently, unknown abnormalities are not detectable. On the other hand, all of known attacks can be detected with low False Alarm Rate (FAR), and the storage costs grow with the number of attacks, because a signature of each known attack should be stored [8]. An anomaly detection system, which focuses on normal system behavior or network traffic, usually builds one of the following models as a baseline for describing ordinary behavior: (a) statistical; (b) knowledge-based; and (c) machine-learning [36]. In the observed data, any deviation from this model can be considered as an anomaly. The anomaly detection algorithms are useful for new intrusions; however, they suffer from a high rate of false positives (unlike the misuse detection models). The specification-based systems work in the same way, as well. However, user guidance is required to extract legitimate system behavior or network traffic for developing a model of normal behavior in these systems in addition to employing statistical, knowledge-based, or machine learning techniques [37]. According to the data sources, IDSs take one of the following approaches for recognizing attacks: (a) host-based; (b) network-based; and (c) hybrid [38]. In the host-based approach, only host events are considered for detecting attacks. Therefore, the data for host-based IDS is provided by different activities of hosts such as audit records of operating system and system logs; however, in the network-based IDS, data is mainly collected from the network segments such as Internet packets [35]. In the hybrid approach, data provided by the host events and the network segments are considered in developing an IDS.
The system architecture of IDS has a great effect on the performance of IDS in the WSNs such as 6LoWPAN. According to the system architecture, IDSs in the RPL-based WSNs are classified into four main categories [38]: (a) stand-alone; (b) distributed and cooperative; (c) distributed and hierarchical; and (d) mobile agent. Some nodes, which have Low-power and Lossy Networks (LLNs) devices or high-performance devices called Monitor Nodes (MNs), are used for monitoring the events in WSNs [38]. In the stand-alone architecture, each MN performs intrusion detection based on its own collected data, independently. The MNs in the stand-alone IDS are classified into two schemes: (a) centralized and (b) distributed. In the centralized scheme, each node is considered as an MN, and in the distributed scheme, multiple MNs are deployed on a WSN to cover the network [38]. In the distributed and cooperative architecture, intrusion detection is accomplished by the cooperation of MNs such that each MN performs as an IDS agent and participates in intrusion detection [38]. In this approach, IDS is applied as a local-agent or a neighbor-agent to a two-level coordinate architecture, where a local-agent can alert intrusion independently by detecting a threat with sufficient evidence. However, when a local-agent detects intrusion with weak evidence, it starts a cooperative detection procedure in an interaction with the neighbor-agents for global detection [38]. This kind of architecture is suitable for small-scale and flat network infrastructures; however, in a large-scale network, the distributed and hierarchical architecture is adequate for detecting an intrusion [38]. According to this approach, the network is partitioned into some clusters with a sink node as a Cluster Head (CH). The IDS in a distributed and hierarchical architecture is composed of two levels. At the first level, CH-agents, which are responsible to monitor the covered nodes and make the global intrusion detection decisions, are embedded in the sink nodes. At the second level, the local-agents, which are designed based on the stand-alone IDS, are deployed in each cluster to report the detection results to the CH-agents [38]. The last mentioned IDS architecture in WSNs is the mobile agent. The mobile agent, as a self-controlling program segment, is a specific executable code which traverses from a node to another one [39]. In this agent migration, which means moving an agent from a node to another selected node, the computation is performed in addition to data transmission [39]. The mobile agents are assigned to the selected nodes for performing a monitoring task and intrusion detection [38]. The selection of agents may be changed after a certain period of time or after the task is completed. By moving the processing function to the data instead of bringing the data to a central processor, the mobile agents can greatly reduce the communication cost in the links with low bandwidths.
3.2. Routing protocol for low power and lossy networks
The RPL, which is based on the construction of a Destination-Oriented Directed Acyclic Graph (DODAG), is an IP-based distance vector and hop-by-hop routing protocol that is designed by the ROLL workgroup (which is a workgroup in IETF) to overcome the routing problems in the LLNs. RPL enables one-to-one, one-to-many, and many-to-many communication traffic by supporting different operations such as the unidirectional traffic towards a DODAG root, bidirectional traffic between resource-constrained devices (i.e., 6LoWPAN nodes), and bidirectional traffic between resource-constrained devices and the DODAG root [9]. According to the DODAG architecture, the nodes are organized in a hierarchical tree structure and routed at a single root, as the destination and called 6BR, to avoid creating any network loop [1]. The 6BR, which connects 6LoWPAN to the Internet through the backbone, is the root of DODAG and is responsible for management of nodes [1,2]. Fig. 1 shows a typical RPL which consists of different 6LoWPAN nodes that are connected together based on the DODAG topology. Three types of nodes are shown in Fig. 1: (a) leaf nodes as the source nodes that generate and send data; (b) router nodes; and (c) root node. Each node has an ID based on an IPv6 address, a special rank, a set of neighbors, and one (or more) parent(s). The rank of each node determines the relative position of that node with respect to the DODAG root. This rank is strictly increasing in the top-down direction from the DODAG root toward the leaf nodes, and in opposition decreasing in the bottom-up direction toward the DODAG root [8,9].
Fig. 1. DODAG scheme including nodes with unique ranks and IPv6 addresses.
The nodes in a DODAG use an objective function, represented by an Objective Code Point (OCP), based on some optimization criteria (such as link reliability, latency, hop-count, and node energy) to optimize the paths toward the DODAG root [2]. A single 6LoWPAN network may include multiple RPL instances which work concurrently with different optimization criteria, where each instance consists of one (or more) DODAG(s). Hence, a 6LoWPAN node can belong to more than one DODAG in an RPL instance [29]. To prevent probable loops created on the network, the message transmission is based on the rank rule (that means the node ranks are strictly decreasing along with the upstream transmission and vice versa) [2]. To exchange routing graph information for RPL operations, such as constructing DODAG, the RPL defines three new message types: (a) DAG Information Object (DIO); (b) DAG Information Solicitation (DIS); and (c) Destination Advertisement Object (DAO). DIO messages carry information which is used for DODAG construction (by allowing a node to determine parents and selecting the best one as the preferred parent). The DIS messages are used to solicit graph-related information (i.e., DODAG information object) from the neighbor nodes [9]. The RPL supports downward traffic toward the leaf nodes by using DAO messages which advertise required information and also propagate destination information upward along the DODAG [29].
In the process of DODAG construction, DIO messages (which contain important information such as rank, DAG-ID, and OCP) are periodically broadcast by the DODAG root [2]. The nodes that receive DIO are considered as the neighbors of DODAG root. They use DIO message information to join the DODAG and select the DODAG root as the parent. According to a specific objective function (such as min-hop), the neighbors set their rank to 1 (the parent’s rank, which is 0, is incremented by 1), and start broadcasting their own DIO. When a node receives a DIO message, it calculates its rank from the OCP specified in a received DIO and forms a list of parents. Then, according to the OCP, the preferred parent is selected from the parent-list and broadcasts its own DIO. This procedure will be continued until the topology construction is completed (i.e., the best path to the DODAG root is identified for each node according to the objective function). To handle inconsistencies in the DODAG, RPL uses a trickle timer for determining the transmission rate of DIO messages. In a network with stable topology, the trickle timer interval is large, so the DIO messages will be rare. When inconsistencies occur, the trickle timer will be reset and more DIO messages are sent from the nodes that cause inconsistencies [9].
3.3. Selective-forwarding and sinkhole attacks
In selective-forwarding attacks, which primarily disrupt the routing path, malicious nodes selectively forward packets in order to remove some packets based on the importance of data or randomly [1,9]. For example, a malicious node forwards only routing messages and removes other packets for disrupting the network [8]. In sinkhole attacks, a malicious node represents itself to others as an optimal routing path for attracting nearby nodes to route traffic through it. In RPL, an intruder launches a sinkhole attack by propagating its rank as a better rank to make nodes down in the DODAG by selecting it as a preferred parent [8]. Fig. 2 shows a screenshot of the sinkhole attack operation on a 6LoWPAN. The sinkhole attacks may not necessarily threaten the network; however, they make serious problems when they couple with other attacks such as selective-forwarding attack [9].
Fig. 2. A screenshot of sinkhole attack by node 6 in DODAG as a malicious node.
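The DODAG construction of Section 3.2 and the falsified rank of Section 3.3, as an added example that is not code from the paper: DIO propagation under a min-hop objective function over a constructed topology, followed by a rank-rule consistency check. The topology, the `forged` parameter and the check itself (which assumes the root has collected every node's advertised rank and preferred parent) are assumptions made for illustration.

```python
import math

ROOT = 1  # constructed id of the DODAG root (6BR)

# Constructed radio links between nodes; not a topology taken from the paper.
LINKS = [(1, 2), (1, 3), (2, 4), (3, 5), (4, 6), (5, 6),
         (6, 7), (6, 8), (5, 9), (6, 9)]


def neighbours(links):
    """Undirected neighbour sets built from the link list."""
    adj = {}
    for a, b in links:
        adj.setdefault(a, set()).add(b)
        adj.setdefault(b, set()).add(a)
    return adj


def build_dodag(links, root=ROOT, forged=None):
    """Propagate DIO ranks under a min-hop objective function.

    forged (hypothetical parameter) maps a node id to the rank it puts in
    its DIO instead of its computed rank, modelling a sinkhole node.
    Returns (rank, advertised_rank, preferred_parent) dictionaries.
    """
    forged = forged or {}
    adj = neighbours(links)
    rank = {n: math.inf for n in adj}
    rank[root] = 0
    parent = {n: None for n in adj}

    def advertised(n):
        return forged.get(n, rank[n])

    for _ in range(len(adj)):  # bounded number of DIO rounds
        changed = False
        for n in sorted(adj):
            if n == root:
                continue
            # Parent candidates: neighbours that already advertise a rank.
            # Simplified loop avoidance: never pick one of your own children.
            candidates = [(advertised(m), m) for m in adj[n]
                          if parent[m] != n and advertised(m) < math.inf]
            if not candidates:
                continue
            best_rank, best = min(candidates)  # lowest rank, ties by node id
            if (best_rank + 1, best) != (rank[n], parent[n]):
                rank[n], parent[n] = best_rank + 1, best
                changed = True
        if not changed:
            break
    return rank, {n: advertised(n) for n in adj}, parent


def rank_rule_violations(adverts, parent):
    """Nodes whose advertised rank is not strictly greater than the rank
    advertised by their own preferred parent (the rank rule is broken)."""
    return sorted(n for n, p in parent.items()
                  if p is not None and adverts[n] <= adverts[p])


def rerouted(parent_before, parent_after):
    """Nodes whose preferred parent changed between two DODAG snapshots."""
    return sorted(n for n in parent_after
                  if parent_after[n] != parent_before[n])


if __name__ == "__main__":
    rank, adverts, parent = build_dodag(LINKS)
    print("honest ranks:", rank)
    f_rank, f_adverts, f_parent = build_dodag(LINKS, forged={6: 1})
    print("rerouted through node 6:", rerouted(parent, f_parent))
    print("rank-rule violations:", rank_rule_violations(f_adverts, f_parent))
```

With node 6 advertising rank 1 while its real rank is 3, node 9 moves from parent 5 to parent 6, and node 6 is the only node whose advertised rank is not above its parent's.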
3.4. Unsupervised optimum-path forest
In 2009, Rocha et al. [33] introduced an unsupervised machine-learning algorithm for data clustering based on the graph theory called Optimum-Path Forest Clustering (OPFC). They reduce the clustering problem, as a pattern recognition problem, into optimal graph partitioning in a given feature space. In the OPFC, each sample in the dataset (represented by a feature vector) is shown as a node in the k-nearest neighbors graph ($G_{k\text{-}nn}$) that is connected with its k best neighbors in a given feature space [40]. In OPFC, the arcs are weighted by the distance between each pair of nodes and the nodes are weighted by the probability density function (pdf) of each node that is based on the distance between the samples and their k-nearest neighbors [40]. When $G_{k\text{-}nn}$ is created, the OPFC algorithm will find one sample (node) at each maximum pdf as a root of a dome or cluster which includes dense samples in the feature space. Then, an Optimum-Path Tree (OPT) will be created from each root to every node in the influence zone (cluster) such that each OPT node will be strongly connected to its root as compared to other obtained roots in the $G_{k\text{-}nn}$ [33]. The OPF will be composed by a union of the OPTs.
Suppose $Z$ as a clustering dataset such that each $s \in Z$ is shown by $\vec{v}(s)$ in the given feature space. The $G_{k\text{-}nn} = (Z, A_k)$ is defined such that the arcs in $A_k$ connect k-nearest neighbors in the feature space [33]. In $G_{k\text{-}nn}$, each arc $(s, t) \in A_k$ is shown by $d(s, t) = |\vec{v}(t) - \vec{v}(s)|$ which denotes the Euclidean distance between the corresponding feature vectors of $s$ and $t$. As mentioned earlier, each $s \in Z$ is weighted by a probability density function defined as follows [33]:
$$p(s) = \frac{1}{\sqrt{2\pi\sigma^2}\,|A_k(s)|} \sum_{\forall t \in A_k(s)} \exp\left(\frac{-d^2(s, t)}{2\sigma^2}\right) \tag{1}$$
where $|A_k(s)| = k$, $\sigma = d_f / 3$, and $d_f$ is the maximum arc weight in $G_{k\text{-}nn}$. It is noted that $A_k(s)$ is the neighbor set of $s \in Z$. Since the arcs in $A_k$ are asymmetric; hence, the symmetric arcs should be added to the plateaus of pdf as given in Eq. (2) to guarantee a single root per maximum (cluster) [33]:
$$\text{if } t \in A_k(s),\ s \notin A_k(t) \text{ and } p(s) = p(t) \text{ then } A_k(t) = A_k(t) \cup \{s\} \tag{2}$$
In OPFC, a path $\pi_t$ that includes a sequence of distinct adjacent nodes, starts from root of $t$ ($R(t)$) and is terminated with $t$. Note that a path with one sample like $\pi_t = \langle t \rangle$ called trivial and $\pi_s \cdot \langle s, t \rangle$ represents the concatenation of $\pi_s$ and $\langle s, t \rangle$ denoting a path and an arc, respectively [40]. In the OPFC algorithm, a connectivity function $f(\pi_t)$ assigns a path cost to each path $\pi_t$. For other paths, such as $\tau_t$, if $f(\pi_t) \geq f(\tau_t)$, then $\pi_t$ will be an optimum path [40]. Among all possible paths from a root in the maxima of the pdf, the OPFC will assign a path as optimum path $P^*(t)$ to the $t \in Z$, such that the minimum density value along the path is maximum [40]:
$$v(t) = \max_{\forall \pi_t \in (Z, A_k)} \{ f_{\min}(\pi_t) \} \tag{3}$$
where $f_{\min}(\pi_t)$ is defined as follows:
$$f_{\min}(\langle t \rangle) = \begin{cases} p(t) & \text{if } t \in R \\ p(t) - \delta & \text{otherwise} \end{cases}, \qquad f_{\min}(\pi_s \cdot \langle s, t \rangle) = \min\{ f_{\min}(\pi_s),\ p(t) \} \tag{4}$$
where $\delta = \min_{\forall (s,t) \in A_k \mid p(t) \neq p(s)} |p(t) - p(s)|$ (Notably, larger values of $\delta$ will lead to the reduction of maxima’s number) and $R$ is the set of OPF’s root which is found on-the-fly with one element per each maximum of the pdf [40]. The algorithm tries to maximize the connectivity map $v(t)$ by computing an OPF, which assigns the predecessor $p(t)$ to each sample $t \notin R$ or mark nil when $t \in R$. To see more details about the OPFC algorithm, refer to [40].
An OPFC model classifies a new sample to a special cluster (that is created in the OPFC algorithm), by finding a root which provides the optimum path to the new sample. Therefore, in order to classify a new sample $t \in Z' \setminus Z$ according to the neighbors of $t$ ($s \in A_k(t) \subset Z'$), the algorithm computes the pdf of $t$ by using Eq. (1). Then, the optimum path can be found incrementally by evaluating the optimum cost as follows [33]:
$$v(t) = \max_{\forall (s,t) \in A_k} \{ \min\{ v(s),\ p(t) \} \} \tag{5}$$
Suppose $s^* \in Z$ is the best node that satisfies Eq. (5), so the classifier selects the cluster of $s^*$ as the class of $t$.
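Eqs. (1) to (5) carried through on data, as an added example that is not the authors' implementation: the k-nn graph and pdf, the plateau rule, a priority-queue propagation that discovers the roots on the fly, and the classification of a new sample. The ten 2-D feature vectors, the function names and the choice k = 4 are constructed for illustration; the section above does not list the features the paper extracts from packets.

```python
import heapq
import math

# Constructed 2-D feature vectors: two well-separated groups of five samples.
SAMPLES = [(0, 0), (1, 0), (-1, 0), (0, 1), (0, -1),
           (10, 10), (11, 10), (9, 10), (10, 11), (10, 9)]


def knn(points, query, k, skip=None):
    """k nearest training samples to query as sorted (distance, index) pairs."""
    dists = [(math.dist(query, p), i) for i, p in enumerate(points) if i != skip]
    return sorted(dists)[:k]


def density(arcs, sigma):
    """Eq. (1): pdf of a sample computed from the weights of its k-nn arcs."""
    norm = math.sqrt(2 * math.pi * sigma ** 2) * len(arcs)
    return sum(math.exp(-d * d / (2 * sigma ** 2)) for d, _ in arcs) / norm


def fit_opfc(points, k):
    """Cluster points with unsupervised OPF; returns the fitted model as a dict."""
    n = len(points)
    arcs = [knn(points, points[s], k, skip=s) for s in range(n)]
    sigma = max(d for a in arcs for d, _ in a) / 3   # sigma = d_f / 3
    p = [density(a, sigma) for a in arcs]
    adj = [{t for _, t in a} for a in arcs]
    for s in range(n):                               # Eq. (2): symmetric arcs on plateaus
        for t in list(adj[s]):
            if s not in adj[t] and p[s] == p[t]:
                adj[t].add(s)
    gaps = [abs(p[t] - p[s]) for s in range(n) for t in adj[s] if p[t] != p[s]]
    delta = min(gaps) if gaps else 0.0
    v = [pt - delta for pt in p]                     # Eq. (4): every sample starts as non-root
    pred, label, done = [None] * n, [None] * n, [False] * n
    heap = [(-v[t], t) for t in range(n)]            # max-queue on the path cost v
    heapq.heapify(heap)
    clusters = 0
    while heap:
        neg_cost, s = heapq.heappop(heap)
        if done[s] or -neg_cost != v[s]:             # outdated queue entry
            continue
        done[s] = True
        if pred[s] is None:                          # never conquered: s is a pdf maximum (root)
            v[s], label[s] = p[s], clusters
            clusters += 1
        for t in adj[s]:
            cost = min(v[s], p[t])                   # f_min of the path extended by arc (s, t)
            if not done[t] and cost > v[t]:
                v[t], pred[t], label[t] = cost, s, label[s]
                heapq.heappush(heap, (-cost, t))
    return {"points": points, "k": k, "sigma": sigma, "p": p, "v": v,
            "label": label, "pred": pred}


def classify(model, sample):
    """Eq. (5): give a new sample the cluster of the neighbour s* with the best cost."""
    arcs = knn(model["points"], sample, model["k"])
    p_t = density(arcs, model["sigma"])
    cost, neg_s = max((min(model["v"][s], p_t), -s) for _, s in arcs)
    return model["label"][-neg_s], cost


if __name__ == "__main__":
    model = fit_opfc(SAMPLES, k=4)
    print("labels:", model["label"])
    print("near first group:", classify(model, (0.5, 0.2)))
    print("far from both   :", classify(model, (5.0, 5.0)))
```

Eq. (5) always returns some cluster, so the returned cost is what separates a sample lying inside a dense region from one far from every cluster.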
3.5. MapReduce approach
Today, one of the main challenges of the well-known corporations, such as Google or Yahoo, is the maintenance and analysis of big data for extracting useful knowledge. MapReduce approach [34] is an efficient solution for the big data problem. This approach employs algorithms that have parallelism capabilities in a parallel space. The MapReduce, which was firstly presented by Google, is a parallel programming model that is inspired from a functional programming language such as Lisp. This approach hides the details and complexity of parallel computation, data distribution, and fault tolerance [34]. In this approach, a big dataset is split to smaller datasets and stored on different machines. Then, these machines process the smaller datasets in parallel and finally, the results will be integrated. In fact, this algorithm reduces the intermediate space to the final solution space.
The MapReduce approach includes two main phases: (a) Map and (b) Reduce. In the Map phase, input data is split to smaller segments named chunk. Then, they are delivered to some machines called mappers that are responsible for the mapping operation [41]. Then, each mapper converts the content of the chunk to a sequence of key-value pairs and consequently for each pair, a list of key-value pairs is generated by calling the user-defined “map” function (map(k1, v1) → list(k2, v2)) [34,41]. In the Reduce phase, MapReduce framework performs sorting based on the keys and collects each key-value pair with the same key and sends them to the reducer node. In fact, a group consists of key-value pairs, which have the same key, will be produced in the Reduce phase for each generated key in the Map phase. Then, the user-defined “reduce” function accepts the mediate keys with a set of values representing the dimension of keys, and merges the values by converting them to a smaller value (i.e., reducing the dimension) (reduce(k2, list(v2)) → list(v3)) [34].
Table 1
Comparison of two attacks in a WSN [43].
Attack name            Behavior
Selective-forwarding   Data forwarding misbehavior
Sinkhole               Route updating misbehavior
4. Proposed model
As mentioned earlier, this study concentrates on detecting selective-forwarding and sinkhole attacks as the well-known insider attacks in IoT which can get the control of data flow in 6LoWPAN. In this study, the intrusion detection task in the 6LoWPAN is presented as the following problem:
Suppose a 6LoWPAN network, which includes m + n homogeneous sensor nodes (S = L ∪ R | L = {l_1, …, l_m}, R = {r_1, …, r_n}) and one power root node as the 6BR. It is noted that L and R are leaf and router sets, respectively. Assume that only m leaf nodes are responsible to generate data (e.g., by sensing the ambient temperature) as the source nodes and sending them (in packet form) through n router nodes to the root node. The routing packets are based on the RPL protocol by using the DODAG graph. We assume that the RPL protocol supports solely unidirectional traffic from the leaves (sources) to the root. In this network, the attacks are caused by malicious nodes (s_a ∈ R) that perform as valid nodes. The goal of proposed model is detecting outlier behaviors (as attacks) and identifying the malicious nodes that cause these behaviors.
Fig. 3 shows the block diagram of the proposed framework. As seen, the proposed model is a hybrid method based on centralized and distributed intrusion detection models. This model consists of an Anomaly Agent-based IDS (AA-IDS) and some Specification Agent-based IDSs (SA-IDSs). In the proposed model, each router node monitors the input/output traffic and identifies the potential malicious nodes by using the SA-IDS, independently. Then, they send analysis results to the 6BR by embedding them into packets to be forwarded. In the 6BR, the AA-IDS projects some clustering models (based on the OPFC algorithm) for clustering the collected data and detecting anomalies. The task is performed based on features of each source node that were extracted from the incoming traffic. Then, the algorithm makes a final decision based on the local results of SA-IDS agents (which are hosted in the router nodes) and the global analysis results of the AA-IDS agent. In the proposed model, it is assumed that the attack traffic is much less than the normal traffic [42]. In the proposed framework, the intrusion detection and the malicious nodes identification are performed in the following three stages:

Fig. 3. Block diagram of the proposed intrusion detection framework.

Stage 1 (identifying malicious nodes): the goal of this stage is identifying the suspicious nodes that may cause sinkhole and selective-forwarding attacks in the 6LoWPAN. Identifying the suspicious nodes is based on a stand-alone architecture and is performed by using some light SA-IDSs that are located in the router nodes. Table 1 reviews the operation of the selective-forwarding and sinkhole attacks in a WSN [43]. As seen in Table 1, the selective-forwarding attack influences packet transmission, while the sinkhole attack has an adverse effect on the routing of packets.
In the proposed model, the SA-IDS works as detailed below to detect these attacks:
a) Identifying suspicious nodes launching sinkhole attack: according to the sinkhole action which was mentioned in Section 3.3, Fig. 4 shows the influence of malicious node S on node A in the DODAG.

Fig. 4. Sinkhole attack action in the DODAG.

As seen in Fig. 4, when node S (as a sinkhole attacker) wants to launch a sinkhole attack, it attracts node A to route the traffic through node S. Hence, node A adds node S to the parent set and selects it as a preferred parent for routing its packets. After a short time, node S resumes again its normal behavior. Therefore, node A removes it from the parent set and selects node B again as the preferred parent. Based on this action, the SA-IDS which is located in the router node (such as A) computes the rate of change in preferred parent and also the rate of change in parent set at each time-slot Δw (as the non-traffic-related features) for identifying suspicious node (based on the routing table). If these values are greater than a predefined threshold, then the SA-IDS will identify and introduce the suspicious node. The following pseudo-code describes how a suspicious node (i.e., the agent of sinkhole attack) is identified by its lower node in the SA-IDS agent (Algorithm 1):
In the proposed model, we assume that the time interval that a malicious node is selected as the preferred parent is shorter than the corresponding time interval for other nodes (presenting the normal behavior). Therefore, as seen in steps 15 to 17 of Algorithm 1, if the non-traffic-related feature values are greater than the predefined thresholds, then the algorithm computes the total duration that each node was selected as a preferred parent of the host node (a node which the SA-IDS is located in it). Then, a node which corresponds to the minimum time interval will be introduced as a suspicious node.
b) Identifying suspicious nodes launching selective-forwarding attack: according to the selective-forwarding action which was mentioned in Section 3.3, Fig. 5 shows the influence of malicious node S on node A in the DODAG.
When a malicious node wants to launch a selective-forwarding attack, it selectively forwards packets to the root. So, a preferred parent node can identify the suspicious node by knowing the approximate number of packets received from each node (such as node S in Fig. 5). In the proposed model, SA-IDS which is located in a router node (such as A) computes the packet receiving rate and the last packet received time at each time-slot Δw (as the traffic-related features) for each child node for identifying suspicious node. For each child node such as S, if the packet receiving rate is smaller than a predefined threshold, and the last packet received time stamp is greater than a predefined threshold, then the SA-IDS will introduce node S as a suspicious node. The following pseudo-code describes how a suspicious node (i.e., the agent of selective-forwarding attack) is identified by its upper node in the SA-IDS agent (Algorithm 2):
In step 2 of Algorithm 2, getPacket() represents a function that returns the current received packet information. Notably, we design and implement a WSN based on the RPL routing protocol in this study for simulating 6LoWPAN functionality (see Section 5). Generally, the structure of data packets in the simulations consists of two main parts (as shown in Fig. 6): (a) data (fields) and (b) data access interface (functions).
In Fig. 6, SrcID and SrcTimeStamp represent the ID of source node and the time of packet sending by the source node, respectively. RouterID and RouterTimeStamp represent the ID of the last router node (before the current node) and its forwarding packet time, respectively. RouterID and RouterTimeStamp are obtained by using getRouterID() and getRouterTimeStamp() functions, respectively. HopCount shows the number of hops taken by the packets and each router node increments it by incHopCount() function. One of the main fields used by the SA-IDS agent is SuspiciousList. In fact, when SA-IDS identifies a suspicious node, then SA-IDS adds an item with format 〈SID, Type, TimeStamp〉 (as the suspicious node information) to the SuspiciousList by using addSuspiciousList() function. The SID, Type, and TimeStamp represent the suspicious node's ID, the type of possible attack, and the identification time of suspicious nodes, respectively. We assume that the router node cannot access the Data and SuspiciousList with the aim of manipulating values.
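One way to implement the selective-forwarding check of stage 1 and the SuspiciousList tagging, as an added Python example rather than the authors' code. The arrivals, node IDs and threshold values are constructed, the function names are hypothetical, and the "last packet received time stamp" is interpreted here as the time elapsed since the child's last packet at the end of the time-slot.

```python
from dataclasses import dataclass, field

DELTA_W = 30.0  # time-slot length in seconds (the value the paper lists in Table 2)


@dataclass
class Packet:
    """Fields named after the packet structure described above (Fig. 6)."""
    src_id: int
    src_ts: float
    router_id: int      # last router that forwarded the packet (the child node)
    router_ts: float
    hop_count: int = 0
    suspicious_list: list = field(default_factory=list)


def selective_forwarding_suspects(arrivals, t0, rate_threshold, delay_threshold,
                                  delta_w=DELTA_W):
    """arrivals: list of (receive_time, Packet) seen by the host router.

    Returns the sorted child IDs whose packet receiving rate in
    [t0, t0 + delta_w) is below rate_threshold AND whose last packet is
    older than delay_threshold when the slot ends (assumed interpretation).
    """
    window_end = t0 + delta_w
    children = {}  # child id -> [last receive time, packet count] (ChildList)
    for recv_time, pkt in arrivals:
        if not (t0 <= recv_time < window_end):
            continue
        entry = children.setdefault(pkt.router_id, [recv_time, 0])
        entry[0] = max(entry[0], recv_time)
        entry[1] += 1
    suspects = []
    for child, (last_seen, count) in children.items():
        rate = count / delta_w
        silence = window_end - last_seen
        if rate < rate_threshold and silence > delay_threshold:
            suspects.append(child)
    return sorted(suspects)


def tag_outgoing(pkt, suspects, now, host_id):
    """Forward pkt upstream: bump HopCount, stamp the host as the last router
    and append one <SID, Type, TimeStamp> item per suspicious child."""
    pkt.hop_count += 1
    pkt.router_id, pkt.router_ts = host_id, now
    for sid in suspects:
        pkt.suspicious_list.append((sid, "selective-forwarding", now))
    return pkt


def constructed_arrivals():
    """Packets reaching router 2 from children 3, 5 and 7 in one slot (constructed)."""
    arrivals = []
    for t in range(0, 30, 2):          # child 5 forwards steadily
        arrivals.append((float(t), Packet(9, float(t), 5, float(t), 1)))
    for t in (1.0, 3.0, 5.0):          # child 3 forwards, then drops everything
        arrivals.append((t, Packet(8, t, 3, t, 1)))
    for t in (8.0, 18.0, 28.0):        # child 7 is slow but still forwarding
        arrivals.append((t, Packet(6, t, 7, t, 1)))
    return arrivals


if __name__ == "__main__":
    found = selective_forwarding_suspects(constructed_arrivals(), 0.0, 0.3, 10.0)
    print("suspicious children:", found)
    print(tag_outgoing(Packet(9, 29.0, 5, 29.5, 1), found, 30.0, 2))
```

Child 7 has the same low rate as child 3 but is not flagged, because its last packet is recent; both conditions of the rule have to hold.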
Algorithm 1 Detecting sinkhole suspicious node.
Input: ParentSetThreshold and PreferredParentThreshold which represent the threshold for detecting anomaly behavior in the parent set and the preferred parent, respectively. Δw and t_0 represent the length of time window and the current time, respectively.
Output: SID represents the ID of suspicious node.
Auxiliary: cnt_1 and cnt_2 represent the count of change in length of the parent set and the preferred parent, respectively. CurrentLength and CurrentPreferredParnet represent the current length of parent set and the ID of current preferred parent, respectively. PHList represents the preferred parent history list (with the <PID, timeSpan> item list structure where PID represents the ID of the node that becomes a parent and timeSpan shows the duration of this event). LastChangeTime represents the time of the last change in the preferred parent.
Initialization:
• Set t = t_0, cnt_1 = 0, cnt_2 = 0, SID = nil and LastChangeTime = t_0;
• Set CurrentLength = Length(ParentList) and CurrentPreferredParnet = PreferredParent;
Steps:
(1) while t < t_0 + Δw, do
(2)     if CurrentLength ≠ Length(ParentList) then
(3)         Set cnt_1 = cnt_1 + 1;
(4)         Set CurrentLength = Length(ParentList)
(5)     end
(6)     if CurrentPreferredParnet ≠ PreferredParent then
(7)         Set cnt_2 = cnt_2 + 1;
(8)         Set timeSpan = t − LastChangeTime;
(9)         Add <CurrentPreferredParnet, timeSpan> to PHList;
(10)        Set CurrentPreferredParnet = PreferredParent;
(11)        Set LastChangeTime = t;
(12)    end
(13)    Set t = t + Δt;
(14) end
(15) if cnt_1 / Δw > ParentSetThreshold and cnt_2 / Δw > PreferredParentThreshold then
(16)    Compute the total duration of each PID in PHList and add them as an ordered pair (PID, timeSpan) to a tempList;
(17)    Sort tempList according to the timeSpan of node's ID and set SID as the node's ID with the minimum value;
(18) end
(19) return SID;

Fig. 5. Selective-forwarding attack action in the DODAG.
Fig. 6. Structure of data packets in the simulated WSN.

Stage 2 (anomaly detection in 6BR): in this stage, the AA-IDS creates a sample for each source node by extracting four traffic-related features from the raw received packet of the source node at each time-slot Δw: (a) packet receiving rate; (b) packet dropping rate; (c) average latency; and (d) maximum hop-count. Then, the AA-IDS projects a clustering model based on an unsupervised OPF algorithm for each source node by using its generated samples. The algorithm selects a cluster (or clusters) including a few samples and then labels the samples as anomalous for each projected model.
By increasing the number of source nodes, the sequential projection of clustering models will be time-consuming that is not acceptable for a real-time model. The proposed anomaly detection method has the capability of parallelism, because projecting and using clustering models are independent processes. In this study, we inspired from MapReduce approach for improving the speed of projecting models and anomaly detection. In fact, we proposed an anomaly detection method based on the MapReduce architecture. In other words, if an appropriate platform (hardware/software) is prepared, then the model can run in parallel on a distributed space based on the MapReduce architecture. Fig. 7 shows the general architecture of the proposed anomaly detection model which is based on the MapReduce approach.

Algorithm 2 Detecting selective-forwarding suspicious node.
Input: PacketReceivingThreshold and TimeDelayThreshold represent the threshold for detecting anomalous behavior in packet receiving rate and the last packet receiving time stamp, respectively. Δw and t_0 denote the length of time window and the current time, respectively.
Output: SIDList represents the list of suspicious node IDs.
Auxiliary: packetItem with the format of the packet introduced in Fig. 6. ChildList with the <ID, TimeStamp, PacketReceiving> item list structure which used the child's packet information; where TimeStamp shows the last time that a packet is received, and PacketReceiving represents the number of packets that have been received.
Initialization:
• Set t = t_0, SIDList = nil and childList = nil;
Steps:
(1) while t < t_0 + Δw, do
(2)     Set packetItem = getPacket();
(3)     Set NodeID = packetItem.getRouterID();
(4)     Set TimeStamp = packetItem.getRouterTimeStamp();
(5)     if ChildList has an item with a key equals to NodeID then
(6)         Set index = index of an item in ChildList that has a key equals to NodeID
(7)         Set ChildList[index].TimeStamp = t − ChildList[index].TimeStamp;
(8)         Set ChildList[index].PacketReceiving = ChildList[index].PacketReceiving + 1;
(9)     end
(10)    else
(11)        ChildList.Add(<NodeID, t − t_0, 1>);
(12)    end
(13)    Set t = t + Δt;
(14) end
(15) for each item in ChildList do
(16)    if item.PacketReceiving / Δw < PacketReceivingThreshold and item.TimeStamp > TimeDelayThreshold then
(17)        SIDList.Add(item.NodeID)
(18)    end
(19) end
(20) return SIDList;

Fig. 7. General architecture of anomaly detection model based on the MapReduce approach.

Algorithm 3 Voting mechanism for making decision about intrusion detection.
Input: AR and SR represent anomaly-based and specification-based detection results list with the 〈SrcID, Label〉 and 〈SID, AttckType〉 item list structures, respectively.
Output: AttackList represents the list of detected attacks.
Steps:
(1) for each 〈SrcID_i, Label_i〉 ∈ AR do
(2)     if Label_i = anomalous then
(3)         Set index = index of SR where SrcID = SrcID_i
(4)         if index ≠ nil then
(5)             Set AttackList = 〈SrcID_i, SR.SID, SR.AttckType〉;
(6)         end
(7)     end
(8) end
(9) return AttackList;

As seen in Fig. 7, the root node (i.e., the 6BR) extracts mentioned traffic-related features from the receiving raw packets in each time-slot and creates a new sample for source nodes. Then, it sends the sample's information with key-value pair format to a node (i.e., the reducer) that is responsible to work with a special key. This format includes source ID as the key and feature vector as the value. Then, the reducer node projects a clustering model by using its samples which are received from the mapper node. As mentioned earlier, we assume that a cluster with fewer samples is anomaly; hence, if the new sample belongs to this cluster, it is classified as anomalous and otherwise, it is classified as a normal sample. So, the reducer node returns a new key-value pair with 〈SID, Label〉 format (in response to the incoming key-value pair) to the root node. It is noted that the key and the value are source ID's sample and its label (i.e., anomalous/normal), respectively. The projecting of a clustering model in reducer continues until the number of samples for each source becomes equal to a threshold. Then, the reducer works as a classifier that means if the new received sample (from the mapper) belongs to the anomalous cluster(s), it will be introduced as an anomalous sample. In the step of extracting features for producing a new sample for each source node, such as A, the packet dropping rate is computed based on the following steps at each time-slot:
1) Sort the received packets from node A based on its SequenceNumber.
2) Calculate the sum of the distances between each two consecutive packets (based on SequenceNumber) and return the result as the packet dropping rate (for simplicity, we assume that each packet is sent only once).
Moreover, other features such as the maximum hop-count and the average latency are computed as follows:
$$\forall i \in L:\ MaxHopCount = \max\big( packet^{i}_{j}.getHopCount() \big) \mid j \in P_i \qquad (6)$$
$$\forall i \in L:\ Averagelatency = \frac{\sum_{j \in P_i} \big( packet^{i}_{j}.getReceivingTimeStamp() - packet^{i}_{j}.getSrcTimeStamp() \big)}{\lVert P_i \rVert} \qquad (7)$$
where L is the set of source nodes in the network, P_i is the set of received packets from the i-th source in time-slot Δw, and ‖P_i‖ is the number of its members.
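The mapper side of stage 2, as an added Python example that is not the authors' code: it groups the packets received at the 6BR in one time-slot by source ID and emits one key-value pair per source whose value is the four-feature vector, using Eqs. (6) and (7) and the two packet-dropping-rate steps. The packet records and function names are constructed for this example, and the "distance" between two consecutive packets is taken as the number of missing sequence numbers between them (an assumption); the clustering done by the reducer is not part of it.

```python
from collections import defaultdict
from typing import NamedTuple

DELTA_W = 30.0  # time-slot length in seconds (the value the paper lists in Table 2)


class Received(NamedTuple):
    src_id: int
    seq: int          # SequenceNumber
    src_ts: float     # getSrcTimeStamp()
    recv_ts: float    # getReceivingTimeStamp()
    hop_count: int    # getHopCount()


def group_by_source(packets, t0, delta_w=DELTA_W):
    """Keep the packets received in [t0, t0 + delta_w) and group them by SrcID."""
    groups = defaultdict(list)
    for p in packets:
        if t0 <= p.recv_ts < t0 + delta_w:
            groups[p.src_id].append(p)
    return groups


def drop_rate(packets):
    """Steps 1) and 2): sort by SequenceNumber and sum the gaps.
    Assumption of this example: a gap is the count of missing numbers."""
    seqs = sorted({p.seq for p in packets})
    return sum(b - a - 1 for a, b in zip(seqs, seqs[1:]))


def feature_vector(packets, delta_w=DELTA_W):
    """(packet receiving rate, packet dropping rate, average latency, max hop-count)."""
    n = len(packets)
    return (
        n / delta_w,
        drop_rate(packets),
        sum(p.recv_ts - p.src_ts for p in packets) / n,   # Eq. (7)
        max(p.hop_count for p in packets),                # Eq. (6)
    )


def map_time_slot(packets, t0, delta_w=DELTA_W):
    """Emit {SrcID: feature vector}, the key-value pairs sent to the reducers."""
    groups = group_by_source(packets, t0, delta_w)
    return {src: feature_vector(group, delta_w) for src, group in sorted(groups.items())}


def constructed_slot():
    """Constructed sample: source 6 arrives intact, source 4 loses seq 4, 5 and 8."""
    pkts = []
    for seq in range(1, 11):
        sent = 3.0 * (seq - 1)
        pkts.append(Received(6, seq, sent, sent + 0.125, 2))
        if seq not in (4, 5, 8):
            pkts.append(Received(4, seq, sent, sent + 0.25, 4 if seq == 9 else 3))
    pkts.append(Received(6, 11, 30.0, 30.125, 2))  # falls into the next time-slot
    return pkts


if __name__ == "__main__":
    for src, vec in map_time_slot(constructed_slot(), 0.0).items():
        print(src, vec)
```

In this example a source with no packets in the slot produces no key-value pair at all; how the framework treats such a slot is not stated on the page.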
Stage 3 (anomaly detection decision based on a voting mechanism): in this stage, the proposed framework employs the first stage results to make a decision about abnormities detected in the second stage. The following pseudo-code describes the voting process at this stage (Algorithm 3).
So, Algorithm 3 returns a list which includes the information about source node ID, malicious node ID, and the type of attack, respectively (by this format: 〈SrcID, AttckNodeID, AttckType〉).
5. Simulation and experimental results
This section presents simulation-based evaluations of the proposed method in different scenarios. The proposed model is based on the agent programming (i.e., SA-IDS and AA-IDS agents are located at the router nodes and the 6BR, respectively); so, we developed a special WSN simulator in this study that is based on the RPL protocol using .Net Framework technology and C#.Net programming. So, a flexible evaluation platform was provided for developing the proposed intrusion detection framework, and also simulating the selective-forwarding and sinkhole attacks. The assumptions in the developed simulator are given in Table 2.

Table 2
Assumptions in the developed simulator in this study.
Parameter | Value
Network scale | 100 m × 100 m [44]
Routing protocol | RPL
Transmission range | 10 m [44]
Packet size | 127 bytes
DIO size | 24 bytes [45]
Δw | 30 s [39]

Notably, the data generation rate of sensing nodes (i.e., source nodes) is assumed to be 250 kbps [46]. In the 6BR implementation, which was based on the MapReduce architecture, the MATLAB server was used as the reducer node for projecting the clustering models with the aim of anomaly detection. We implemented an anomaly detection method that was based on the OPFC algorithm using MATLAB R2014a on a PC with an Intel(R) Core (TM) i5-4460, CPU 3.20 GHz, and 8GB RAM. The anomaly detection was performed by the 6BR in which the corresponding reducer (i.e., MATLAB server) received a new sample of source i from the mapper (i.e., the 6BR). Then, a new clustering model was projected by using this new sample and other old samples. According to the clustering result, the label of the new sample was determined by the reducer.

Table 3
Assumptions in the first simulation (shown in Fig. 8a).
Parameter | Value
Number of source nodes | 3 (IDs: {4, 6, 8})
Number of router nodes | 4 (IDs: {2, 3, 5, 7})
Root's ID | {1}
Malicious node's ID | {3} (as the selective-forwarding agent)
Simulation time (min) | 20

Table 4
Assumptions in the second simulation (shown in Fig. 8b).
Parameter | Value
Number of source nodes | 2 (IDs: {8, 9})
Number of router nodes | 6 (IDs: {2, 3, 4, 5, 6, 7})
Root's ID | {1}
Malicious node's ID | {6} (as the sinkhole agent)
Simulation time (min) | 20

Table 5
Assumptions in the third simulation (shown in Fig. 8c).
Feature | Value
Number of source nodes | 3 (IDs: {6, 8, 11})
Number of router nodes | 6 (IDs: {2, 3, 5, 7, 9, 10})
Root's ID | {1}
Malicious nodes' ID | {3} (as the sinkhole agent) and {10} (as the selective-forwarding agent)
Simulation time (min) | 30

5.1. Experimental setup
In this section, we briefly discuss some assumptions in the proposed simulator. It is noted that we did not study the energy overhead of the proposed framework in this study. Therefore, we assumed that the energy of all kinds of nodes was infinite, which means they were not constrained in terms of energy consumption. Moreover, we assumed that the network structure is static in all simulations. In other words, the sensor nodes were homogenous and distributed uniformly in the environment. As mentioned earlier, we categorized the nodes into source nodes, router nodes, and a 6BR in the simulations. The source nodes were responsible to generate data (e.g., sensing the ambient temperature) and sending them through the router nodes to the 6BR. The router nodes were responsible for routing and forwarding packets in the network.
As mentioned earlier, some intruder nodes, which seem as normal nodes, threaten the network in our simulations frequently. In other words, a malicious node switches between two behaviors: (a) an intruder (based on the considered attacks) and (b) normal [47]. In our simulations, we assumed that the malicious nodes perform as intruders 1 to 50% of the time.
One of the challenging issues in the OPFC algorithm is finding the appropriate value of parameter k. Generally, the value of k is selected in [k_min, k_max] interval, where 1 ≤ k_min < k_max ≤ |Z| [33]. Rocha et al. [33] used a graph-cut metric for finding the optimum value of k. The proposed anomaly detection should work in real-time; so, we experimentally assumed that k = #samples/3 (rounded to an integer) at the start of projecting the OPFC model in this study.
As mentioned earlier, the specification-based agents used some thresholds (i.e., ParentSetThreshold and PreferredParentThreshold in Algorithm 1, and PacketReceivingThreshold and TimeDelayThreshold in Algorithm 2) in detecting sinkhole and selective-forwarding attacks. The nodes were different in the network (according to their positions, children, and parents); so, each node had its own thresholds that should be defined at runtime. We assumed that the malicious nodes begin to launch attacks after 2 min; hence, the thresholds of each node were specified in opening 2 min of the simulation based on the normal behavior. For example, to determine the ParentSetThreshold (which specifies the rate of change in parent set of a router node at each time-slot Δw), the algorithm computed the rate of change in router's parent set at each Δw in opening 2 min; then, the average of computed values was returned as the ParentSetThreshold.
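The threshold calibration just described, combined with the sinkhole check of Algorithm 1, as an added Python example (not the authors' simulator code). The routing-table trace, the node names A, B, C and S, the function names and the close_open_span option are assumptions of this example, and PreferredParentThreshold is assumed to be calibrated the same way as ParentSetThreshold.

```python
from collections import defaultdict

DELTA_W = 30  # time-slot length in seconds (the value the paper lists in Table 2)


def window_stats(snapshots, t0, delta_w=DELTA_W, close_open_span=False):
    """snapshots: list of (t, parent_set, preferred_parent), one per sampling step.

    Returns (parent-set change rate, preferred-parent change rate,
    {parent id: total time as preferred parent}) for [t0, t0 + delta_w).
    """
    window = [s for s in snapshots if t0 <= s[0] < t0 + delta_w]
    if not window:
        return 0.0, 0.0, {}
    _, parents, preferred = window[0]
    cur_len, cur_pref, last_change = len(parents), preferred, t0
    cnt1 = cnt2 = 0
    held = defaultdict(float)          # PHList, already summed per PID
    for t, parents, preferred in window[1:]:
        if len(parents) != cur_len:    # steps 2-5 of Algorithm 1
            cnt1 += 1
            cur_len = len(parents)
        if preferred != cur_pref:      # steps 6-12 of Algorithm 1
            cnt2 += 1
            held[cur_pref] += t - last_change
            cur_pref, last_change = preferred, t
    # As printed, Algorithm 1 records a span only when the preferred parent
    # changes, so the parent in place when the slot ends contributes nothing.
    # close_open_span=True also counts that span (an addition of this example).
    if close_open_span:
        held[cur_pref] += t0 + delta_w - last_change
    return cnt1 / delta_w, cnt2 / delta_w, dict(held)


def calibrate(snapshots, attack_free_until=120, delta_w=DELTA_W):
    """Average the per-slot change rates over the attack-free opening 2 min."""
    stats = [window_stats(snapshots, t0, delta_w)
             for t0 in range(0, attack_free_until, delta_w)]
    parent_set_thr = sum(s[0] for s in stats) / len(stats)
    preferred_thr = sum(s[1] for s in stats) / len(stats)
    return parent_set_thr, preferred_thr


def sinkhole_suspect(snapshots, t0, parent_set_thr, preferred_thr,
                     delta_w=DELTA_W, close_open_span=False):
    """Return the SID chosen by steps 15-17 of Algorithm 1, or None."""
    ps_rate, pp_rate, held = window_stats(snapshots, t0, delta_w, close_open_span)
    if ps_rate > parent_set_thr and pp_rate > preferred_thr and held:
        return min(held, key=held.get)   # shortest total time as preferred parent
    return None


def constructed_trace():
    """Routing table of router A, one snapshot per second (constructed)."""
    trace = []
    for t in range(180):
        parents, preferred = {"B"}, "B"
        if 40 <= t < 45:                           # neighbour C heard briefly
            parents = {"B", "C"}
        elif 70 <= t < 80:                         # benign switch to C and back
            parents, preferred = {"B", "C"}, "C"
        elif 130 <= t < 135 or 140 <= t < 144 or 152 <= t < 155:
            parents, preferred = {"B", "S"}, "S"   # S attracts A for a short time
        trace.append((t, frozenset(parents), preferred))
    return trace


if __name__ == "__main__":
    trace = constructed_trace()
    ps_thr, pp_thr = calibrate(trace)
    for t0 in (30, 120, 150):
        print(t0, sinkhole_suspect(trace, t0, ps_thr, pp_thr),
              sinkhole_suspect(trace, t0, ps_thr, pp_thr, close_open_span=True))
```

In the slot starting at 150 s the preferred parent changes to S only 2 s into the slot, so the printed algorithm sees B with the shortest recorded span and names it; counting the still-open span names S.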
5.2. Simulation scenarios and performance analysis
In this study, the performance of the proposed method was evaluated in two main experiments in terms of True Positive Rate (TPR), False Positive Rate (FPR), and Accuracy Rate (AR) of detecting malicious nodes. The first experiment was conducted for evaluating the performance of the proposed framework to deal with the selective-forwarding attack, sinkhole attack, and joint occurrence of both attacks. The scale of the network, such as the number of malicious nodes, was considered in the second experiment. In other words, we evaluated the proposed method in different network scales.
Three simulations were performed in the first experiment. The screenshots of these simulations are shown in Figs 8a–c, respectively. Through these simulations, the performance of the proposed framework was evaluated to deal with the selective-forwarding attack (Fig. 8a), the sinkhole attack (Fig. 8b), and joint occurrence of these attacks (Fig. 8c) in the 6LoWPAN. The assumptions in these simulations are given in Tables 3–5, respectively.
The performance of the proposed model in these simulations is reported in Tables 6–8, respectively. Notably, the AR metric is calculated as division of the total number of malicious nodes (according to each sample) that are identified correctly to the total number of attack samples that are classified correctly.
Fig. 8. Screenshots of three simulations in the first experiment; (a) selective-forwarding attack launched by node 3, (b) sinkhole attack launched by node 6, (c) selective-forwarding and sinkhole attacks launched simultaneously by node 10 and node 3, respectively.

Table 6
Performance of the proposed model in the first simulation (shown in Fig. 8a).
Method | TPR (%) | FPR (%) | AR in detecting malicious nodes (%)
Anomaly-based detection | 92.68 | 10.12 | NA*
Hybrid (Anomaly-based + Specification-based) detection | 85.36 | 1.26 | 91.43
* Not-Applicable

Table 7
Performance of the proposed model in the second simulation (shown in Fig. 8b).
Method | TPR (%) | FPR (%) | AR in detecting malicious nodes (%)
Anomaly-based detection | 100 | 5.97 | NA*
Hybrid (Anomaly-based + Specification-based) detection | 100 | 2.98 | 69.23
* Not-Applicable

Table 8
Performance of the proposed model in the third simulation (shown in Fig. 8c).
Method | TPR (%) | FPR (%) | AR in detecting malicious nodes (%)
Anomaly-based detection | 80.95 | 29.63 | NA*
Hybrid (Anomaly-based + Specification-based) detection | 76.19 | 5.92 | 87.50
* Not-Applicable

As seen in Tables 6 and 8, the TPR of the proposed hybrid method is lower than the anomaly-based detection method (performed by the AA-IDS agent); however, the FPR is improved considerably when employing the hybrid model in which the specification-based detection is also performed by the SA-IDS agents besides the anomaly-based detection. Another advantage of using the specification-based detection in the proposed framework is the ability to detect malicious nodes as the cause of IoT's insider attacks (as shown in the last column of Tables 6–8).
Table 7 shows that TPR of the anomaly-based detection and the hybrid detection methods in the second simulation is 100% (when the sinkhole attack is launched). However, as shown in Table 6, TPR of the anomaly-based detection and the hybrid detection methods in the first simulation was 92.68% and 85.36%, respectively (when the selective-forwarding attack was launched). This refers to the behavior of sinkhole and selective-forwarding attacks. As mentioned earlier, the AA-IDS agent creates a new sample for each source node by extracting four traffic-related features from the raw received packet of the source node in each time-slot. These features are packet receiving rate, packet dropping rate, average latency, and maximum hop-count. The sinkhole attack has considerable effect on the maximum hop-count feature, while the selective-forwarding attack changes the packet dropping rate, and consequently the packet receiving rate. Packet dropping is one of the popular events in the networks (e.g., because of the congestion); so, distinguishing the valid packet dropping (due to the popular behavior of the networks) from the invalid packet dropping (due to the malicious behavior of the selective-forwarding attack) is hard for the proposed anomaly detection model. As seen in Table 6, it caused the TPR reduction of the proposed hybrid model in the first simulation as compared to the second simulation in which sinkhole attack was launched (Table 7). Notably, the low AR in detecting malicious nodes in Table 7 is caused by the process of detecting the sinkhole attack in Algorithm 1. According to Algorithm 1, the detection of a suspicious node is based on the rate of change in preferred parent and also the rate of change in parent set at each time-slot. In some cases, it may cause mistakes about a valid parent or an invalid parent. For example, the SA-IDS agent located in node 7 (Fig. 8b) may select node 5 (i.e., a valid parent) as a suspicious node instead of the actual malicious node (i.e., node 6).
One of the key features of the proposed framework is the network's scale-free property. In other words, the proposed framework is approximately size-independent. To evaluate this feature, the network scale was considered in the second experiment. To evaluate the efficiency of the proposed method in the second experiment, only selective-forwarding attack was considered in the simulations. To study the network's scale-free property, two types of network-size were considered in simulations: (a) small and (b) medium. For small-size networks, three networks were simulated with different scales in which some malicious nodes launched selective-forwarding attacks randomly (Fig. 9). The assumptions in the simulations shown in Figs. 9a–c are given in Tables 9–11, respectively.

Fig. 9. Screenshots of three simulations in the second experiment for small-size networks; (a) selective-forwarding attack launched by node 3, (b) selective-forwarding attack launched by nodes 4 and 7, (c) selective-forwarding attack launched by nodes 5, 10, and 11.

Table 9
Assumptions in the fourth simulation (shown in Fig. 9a).
Parameter | Value
Number of source nodes | 2 (IDs: {4, 5})
Number of router nodes | 2 (IDs: {2, 3})
Root's ID | {1}
Malicious node's ID | {3}
Simulation time (min) | 20

Table 10
Assumptions in the fifth simulation (shown in Fig. 9b).
Parameter | Value
Number of source nodes | 2 (IDs: {5, 9})
Number of router nodes | 7 (IDs: {2, 3, 4, 6, 7, 8, 10})
Root's ID | {1}
Malicious nodes' ID | {4, 7}
Simulation time (min) | 20

Table 11
Assumptions in the sixth simulation (shown in Fig. 9c).
Parameter | Value
Number of source nodes | 2 (IDs: {7, 12})
Number of router nodes | 12 (IDs: {2, 3, 4, 5, 6, 8, 9, 10, 11, 13, 14, 15})
Root's ID | {1}
Malicious nodes' ID | {5, 10, 11}
Simulation time (min) | 20

Notably, the number of source nodes in Tables 9–11 is assumed equal for fair comparison of the simulation results. Moreover, since the attack launching is a random process (i.e., the number of times that the attacks are occurred in a network may be different in each simulation); hence, the AR (as defined in Eq. (8)) was considered instead of TPR and FPR for comparing the performance of proposed method in different network sizes:
$$AR = \frac{TP + TN}{TP + TN + FP + FN} \qquad (8)$$
where TP is the number of the positive instances (i.e., attacks) that are classified correctly, and TN is the number of negative instances (i.e., normal instances) that are classified correctly. Moreover, FN is the number of positive instances that are classified incorrectly, and FP is the number of negative instances that are classified incorrectly.

Fig. 10. AR in three simulations for small-size networks using the proposed framework (with different network sizes).

Table 12
Assumptions in the seventh simulation (medium-size network).
Parameter | Value
Number of source nodes | 5 (IDs: {6, 10, 14, 17, 20})
Number of router nodes | 14 (IDs: {2, 3, 4, 5, 7, 8, 9, 11, 12, 13, 15, 16, 18, 19})
Root's ID | {1}
Malicious nodes' ID | {5, 8, 12}
Simulation time (min) | 20

Table 13
Assumptions in the eighth simulation (medium-size network).
Parameter | Value
Number of source nodes | 5 (IDs: {5, 11, 19, 28, 31})
Number of router nodes | 29 (IDs: {2, 3, 4, 6, 7, 8, 9, 10, 12, 13, 14, 15, 16, 17, 18, 20, 21, 22, 23, 24, 25, 26, 27, 29, 30, 32, 33, 34, 35})
Root's ID | {1}
Malicious nodes' ID | {3, 14, 21, 26}
Simulation time (min) | 20

The AR of the proposed framework in the fourth, fifth, and sixth simulations for small-size networks (shown in Fig. 9) is reported in Fig. 10 for different number of nodes and malicious nodes. It is noted that the number of malicious nodes is given in the parenthesis. As seen in Fig. 10, the AR is approximately independent of the network size.
Similarly, three networks were simulated with different scales for medium-size networks in which some malicious nodes launched selective-forwarding attack randomly. The assumptions in the simulations of this part are given in Tables 12–14, respectively. The screenshot of a simulation that was based on assumptions given in Table 14 (i.e., 50 nodes and 5 malicious nodes) is depicted in Fig. 11.

Table 14
Assumptions in the ninth simulation (medium-size network shown in Fig. 11).
Parameter | Value
Number of source nodes | 5 (IDs: {7, 17, 29, 33, 36})
Number of router nodes | 44 (IDs: {2, 3, 4, 5, 6, 8, 9, 10, 11, 12, 13, 14, 15, 16, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27, 28, 30, 31, 32, 34, 35, 37, 38, 39, 40, 41, 42, 43, 44, 45, 46, 47, 48, 49, 50})
Root's ID | {1}
Malicious nodes' ID | {3, 6, 9, 18, 49}
Simulation time (min) | 20

Fig. 11. Screenshot of a simulation for medium-size network in which selective-forwarding attack launched by nodes 3, 6, 9, 18, and 49.

The AR of the proposed framework in the seventh, eighth, and ninth simulations for medium-size networks is reported in Fig. 12 for different number of nodes and malicious nodes. As seen in Fig. 12, the AR is approximately independent of the network size for medium-size networks, as well.
a. Investigation of detecting additional attacks in IoT
Due to the insecure nature of communication in WSNs, such as
LoWPAN, they can be targeted from a wide range of security at-
acks. As mentioned earlier, each layer in the 6LoWPAN is vulner-
ble to security threats; however, the network layer attacks allow
dversaries to take the control of information flow in the network
28] . So, most of the threats are focused on the network layer [2] .
herefore, the security threats of network layer were considered in
his study.
Generally, RPL (as the routing protocol in the network layer)
annot be protected in 6LoWPAN against internal attackers
48] who are the internal legitimate users that their behavior can
ffect other legitimate nodes [49] . Some well-known internal at-
acks, as the attacks against RPL, and their description are listed in
able 15.
Selective-forwarding, sinkhole, blackhole, HELLO flood, worm-
ole, clone ID, and Sybil attacks are routing attacks which have
een studied by many security researchers for different routing
rotocols (e.g., RPL). However, rank, local repair, DIS, and overload
ttacks (as new threats exploiting some functioning rules in RPL)
re RPL inconsistency attacks [48] . On the other hand, selective-
forwarding, sinkhole, blackhole, and wormhole attacks are called network traffic forwarding disruption, while HELLO flood, clone ID, Sybil, DIS, and overload attacks are called node resource exhaustion [51].
Table 15
Some well-known internal attacks in 6LoWPAN.
Type of attack(s) | Description
Selective-forwarding | In order to disrupt the routing path, malicious nodes selectively forward packets for removing some packets randomly or based on the importance of data [1,9].
Sinkhole | A malicious node represents itself to others as an optimal routing path for attracting nearby nodes to route traffic through it.
Blackhole | One or more malicious nodes advertise themselves as the best routes for dropping data packets being routed through them (partially or fully), in order to make disruption in the normal data flow of the network [50].
HELLO flood | A malicious node broadcasts a “HELLO” message with strong signal power to introduce itself as a neighbor to many nodes for routing their packets through it [9]. It leads to loss of those packets [1].
Wormhole | At least two malicious nodes communicate by using a separate wired or wireless link called “tunnel” to forward packets faster than normal paths [1,9].
Clone ID and Sybil | These types of attacks are known as Identity attacks. In a clone ID attack, an attacker copies the identity of a valid node on several physical nodes; however, an attacker copies several logical identities on one physical node in a Sybil attack [9,48].
Rank | The attacker uses a random parent (that is not optimized) as a preferred parent in order to create a non-optimized path or loop path [48].
Local repair | Malicious nodes can repeatedly operate the local repair mechanism by changing the DODAG ID field or broadcasting infinite rank for unnecessary network topology updating. It leads to consume more resources [48].
DIS | In order to exhaust network’s resources, malicious nodes send DIS messages (see section 3.2) for generating overhead in control messages [48].
Overload | Malicious nodes overload the network with irrelevant traffic for draining the nodes’ energy store more quickly [51].
Fig. 12. AR in three simulations for medium-size networks using the proposed framework (with different network sizes).
Designing a flexible architecture for intrusion detection was one of the main goals in this study. The sinkhole and selective-forwarding attacks are two well-known routing attacks on a WSN that were considered in our work. As seen in Table 15, these attacks threaten the routing protocol in WSNs such as 6LoWPAN; hence, for dealing with them, we studied their malicious behavior on the RPL, and a specification-based intrusion detection method was proposed (Algorithms 1 and 2 in Section 4) for detecting their behavior and also specifying the malicious nodes as the sources of them. The proposed intrusion detection framework was primarily focused on sinkhole and selective-forwarding attacks; however, it can be employed for detecting similar attacks in practice or can be extended conceptually for identifying other attacks. For example, as seen in Table 15, the functionality of the blackhole attack is the same as the sinkhole attack. Moreover, both sinkhole and blackhole attacks are similar to the rank attack in the context of RPL in which a malicious node advertises an artificial beneficial rank [48]. Therefore, the proposed IDS, which was originally proposed for dealing with the sinkhole attack, can be easily employed for detecting blackhole and rank attacks, as well. The functionality of other attacks (e.g., clone ID and wormhole attacks) is different from the sinkhole and selective-forwarding attacks as given in Table 15. Hence, the proposed IDS should be conceptually extended for detecting these types of attacks. In other words, the proposed model can be extended for detecting other attacks by considering the functionality of other internal attacks.
For example, we extend the proposed model for detecting the wormhole attack as one of the most dangerous attacks in WSNs. As mentioned in Table 15, a malicious node forwards the packets to an accessory malicious node (in a distant point of the network) by using a high-speed link (called tunnel). Notably, in the context of RPL, the 6BR can be bypassed by using a constrained node in a 6LoWPAN network and a typical device on the Internet [9]. Moreover, the detection of the wormhole attack is very hard, especially when it is systematically switched on and off [9]. For simulating the wormhole attack in the proposed simulator, two nodes are added on opposite sides of the network with a separate link for their communication (Fig. 13). Using RPL, the wormhole attack changes the number of hops that the packets traverse from their source node to the 6BR. Based on this reality, as the wormhole functionality in RPL, we can develop the proposed IDS for detecting the wormhole attack. Hence, for dealing with the wormhole attack, a new field and a new function named SrcRank and getSrcRank() should be added to the proposed structure of data packets shown in Fig. 6, respectively. In each packet, SrcRank will be used for holding the rank of the source node that generates the packet and sends it. By using getSrcRank(), each router node can be informed about the SrcRank of packets.
The pseudo-code given in Algorithm 4 describes how a suspicious node (i.e., the agent of wormhole attack) will be identified based on the packet’s SrcRank.
In step 1 of Algorithm 4, getPacket() returns the current received packet information. Moreover, hostRank is the rank of the router node that is the host of the current SA-IDS. As shown in Algorithm 4, the wormhole detection in the local specification-based intrusion detection agent is based on the comparison between realHopCount and logicHopCount. Notably, if the network works normally, logicHopCount will be equal to realHopCount. As seen in Fig. 13, the number of hops (as realHopCount) in traversing packets from node 11 (as a leaf node) to node 2 (as a router node) is 2, which is equal to logicHopCount (Step 4 in Algorithm 4). However, the wormhole attack changes the hops by using a tunnel in routing. For example, when the network is under wormhole attack, the number of hops in traversing packets from node 8 to node 2 (as realHopCount) is 3, while the logicHopCount is 5 (Fig. 13). According to the RPL protocol, the optimum path for forwarding the packets of node 8 is
as follows: IDs: {8, 7, 6, 5, 4, 3, 1}. Moreover, as seen in steps 5 to 11 of Algorithm 4, when the network is under wormhole attack, the first normal router node can detect the malicious node. So, the wormhole attack has been identified by this node and checking the wormhole attack by other nodes is not necessary. In other words, when the first node detects the wormhole attack, the other router nodes ignore it (step 10 of Algorithm 4), because this type of attack has already been detected by the mentioned first node. Notably, getRouterID() (step 7 of Algorithm 4) returns the ID of the last router node (before the current node). As mentioned earlier, when SA-IDS identifies a suspicious node (a malicious node which participates in the wormhole attack), it adds an item with format 〈SID, Type, TimeStamp〉 (as the suspicious node information) to the SuspiciousList by using the addSuspiciousList() function, where Type is wormhole. Notably, anySuspiciousList(Type) (step 6 of Algorithm 4) is a new read-only function (that should be added to the proposed structure of data packets) that checks whether an attack of kind Type (e.g., wormhole) has happened or not. Moreover, the remainder of the detection process is the same as for sinkhole and selective-forwarding attacks. The assumptions in this simulation (Fig. 13) are given in Table 16.
Fig. 13. Screenshot of simulating the wormhole attack launched by cooperating of nodes 7 and 9.
Algorithm 4 Detecting wormhole suspicious node.
Output: detectedNodeID represents the ID of suspicious node.
Steps:
(1) Set packetItem = getPacket();
(2) Set sourceRank = packetItem.getSrcRank();
(3) Set realHopCount = packetItem.getHopCount();
(4) Set logicHopCount = sourceRank − hostRank;
(5) if realHopCount ≠ logicHopCount then
(6)   if anySuspiciousList(wormhole) ≠ true then
(7)     Set detectedNodeID = packetItem.getRouterID();
(8)   end
(9)   else
(10)    Set detectedNodeID = nil;
(11)  end
(12) end
(13) return detectedNodeID;
Table 16
Assumptions in the wormhole attack simulation (shown in Fig. 13).
Parameter Value
Number of source nodes 3 (IDs: {8, 11, 13})
Number of router nodes 12 (IDs: {2, 3, 4, 5, 6, 7, 9, 10, 12, 14, 15, 16})
Root’s ID {1}
Malicious nodes’ ID {7, 9}
Simulation time (min) 30
The experimental results of the wormhole attack simulation (Fig. 13) show that the extended proposed hybrid IDS can achieve TPR of 96.02% and FPR of 2.08% in detecting wormhole attacks. The performance of the proposed model in this simulation is reported in Table 17.
According to the wormhole attack functionality, the wormhole attack has considerable effect on the maximum hop-count feature; therefore, TPR of the anomaly-based detection and the hybrid detection methods in this simulation are acceptable values.
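The hop-count check of Algorithm 4, as an added Python example that is not the authors' code. The DODAG is constructed so that the two cases quoted in the text hold (node 11 to node 2: 2 hops; node 8 to node 2 through the 7→9 tunnel: 3 hops against a logical 5); node 10 as the parent of node 11, node 2 as the parent of nodes 9 and 10, and all function names are assumptions.

```python
"""Hop-count consistency check of Algorithm 4 on a constructed DODAG."""
from dataclasses import dataclass, field
from typing import Optional

ROOT = 1
# Constructed parent map (child -> preferred parent). The chain 8-7-6-5-4-3-1 is
# the optimum path quoted in the text; node 10 as parent of 11, and node 2 as
# parent of 9 and 10, are assumptions chosen to reproduce the quoted hop counts.
PARENT = {8: 7, 7: 6, 6: 5, 5: 4, 4: 3, 3: 1, 11: 10, 10: 2, 9: 2, 2: 1}


def rank(node: int) -> int:
    """Rank taken as hop distance to the root, which is what step 4 relies on."""
    hops = 0
    while node != ROOT:
        node = PARENT[node]
        hops += 1
    return hops


@dataclass
class Packet:
    src_rank: int                      # SrcRank field added for wormhole detection
    hop_count: int = 0                 # realHopCount accumulated so far
    router_id: Optional[int] = None    # last node that forwarded the packet
    suspicious: list = field(default_factory=list)  # <SID, Type, TimeStamp> items

    def any_suspicious(self, kind: str) -> bool:
        """Read-only check corresponding to anySuspiciousList(Type)."""
        return any(item[1] == kind for item in self.suspicious)


def detect_wormhole(pkt: Packet, host_rank: int) -> Optional[int]:
    """Algorithm 4 as run by the SA-IDS of one router; returns a suspect ID or None."""
    logic_hop_count = pkt.src_rank - host_rank        # step 4
    if pkt.hop_count != logic_hop_count:              # step 5
        if not pkt.any_suspicious("wormhole"):        # step 6
            return pkt.router_id                      # step 7
        return None                                   # step 10: already reported
    return None                                       # counts agree: nothing to report


def deliver(src, tunnels=None, malicious=frozenset(), timestamp=0):
    """Forward one packet from src to the root; return (detector, suspect) pairs.

    tunnels maps a malicious node to the peer it forwards to out of band.
    Malicious nodes forward packets but do not run an honest SA-IDS.
    """
    tunnels = tunnels or {}
    pkt = Packet(src_rank=rank(src))
    alerts = []
    node = src
    while node != ROOT:
        nxt = tunnels.get(node, PARENT[node])
        pkt.hop_count += 1
        pkt.router_id = node
        if nxt != ROOT and nxt not in malicious:
            suspect = detect_wormhole(pkt, rank(nxt))
            if suspect is not None:
                pkt.suspicious.append((suspect, "wormhole", timestamp))
                alerts.append((nxt, suspect))
        node = nxt
    return alerts


if __name__ == "__main__":
    print("node 11, no attack: ", deliver(11))
    print("node 8, no attack:  ", deliver(8))
    print("node 8, tunnel 7->9:", deliver(8, tunnels={7: 9}, malicious={7, 9}))
```

Node 2 is the first honest router after the tunnel and names node 9, the tunnel exit, because the suspect is whatever getRouterID() reports as the previous hop.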
Table 17
Performance of the proposed model in the wormhole attack simulation (shown in Fig. 13).
Method | TPR (%) | FPR (%) | AR in detecting malicious nodes (%)
Anomaly-based detection | 97.53 | 8.85 | NA∗
Hybrid (Anomaly-based + Specification-based) detection | 96.02 | 2.08 | 100
∗ Not-Applicable
In IoT, the things (i.e., the resource-constrained devices) are vulnerable to intrusions from both sides of the Internet and WSN. In this study, we particularly worked on internal (insider) attacks. However, the proposed architecture has the capability to deal with the external (cyber) attacks from the Internet side. As mentioned earlier, the proposed anomaly detection method in the global agent (which will be hosted on 6BR) is based on the MapReduce architecture. In this approach, the root node sends the value of extracted traffic features of the source nodes to corresponding reducer nodes for anomaly detection. According to this approach, we can add a new reducer node, that is a host of special IDS (which is compatible with Internet), to the proposed framework. Therefore, by sending the values of Internet traffic features from root node to the new reducer node, our framework can be employed for detecting the cyber attacks from Internet side.
7. Employing proposed IDS in real-world IoT applications
The applications of IoT are becoming widely used in real-life, such as smart-city [52], smart-home [53], smart-grid [54], health care monitoring [55–57], speech streaming services [58], and localization services [59]. The proposed IoT middleware solutions should meet the requirements of device providers, application developers, and end-users [60–62]. As mentioned earlier, 6LoWPAN is one of the main efforts to make the concept of real IoT which is proposed and standardized by the IETF workgroup. Recently, IBM and Libelium offer a unique IPv6 development platform for IoT based on IETF standards [63]. They proposed a development platform called Waspmote Mote Runner as a tool for developing the real applications which use the 6LoWPAN/IPv6 connectivity for the IoT [63]. In fact, they integrated the IBM Mote Runner Software Development Kit (SDK) on top of Libelium Waspmote sensor platform for allowing the developers and researchers to study the 6LoWPAN protocol in order to improve it and test new routing algorithms [63]. Notably, Waspmote is an open source wireless sensor platform based on the implementation of low consumption modes which allows the sensor nodes ("motes") to be completely autonomous.
In this study, we have tried to propose an IDS that is applicable to most of the real-world IoT. The proposed model consists of simple modules (i.e., local agents) that can be employed in real-world IoT scenarios such as smart-city without considerable overhead in software/hardware. In this section, we review the general specifications of Waspmote Mote Runner and then a real scenario (which can be developed by Waspmote Mote Runner platform) will be studied with the aim of using the proposed IDS. The general specifications of Waspmote Mote Runner’s hardware are listed in Table 18 [64].
Table 18
Specifications of Waspmote Mote Runner’s hardware.
Feature Value
Microcontroller ATmega1281
Frequency 14 MHz
SRAM 8 KB
EEPROM 4 KB
FLASH 128 KB
SD card 2 GB
Weight 20 g
Dimensions 73.5 × 51 × 13 mm
Temperature range [−10 °C, +65 °C]
Programming language Java or C#
The Waspmote Mote Runner can communicate with other devices through the communication modules (wireless interfaces) such as 6LoWPAN radios [63]. As seen in Fig. 14, Waspmote Mote Runner platform includes two types of nodes: (a) end node and (b) gateway (GW). The end nodes, which are equipped with a 6LoWPAN radio, sensors and a battery, are used to gather information and send it to the GW or to forward the packets of other nodes in order to make information reach the GW [64]. Moreover, GW, which is equipped with a 6LoWPAN radio, an Ethernet interface and a battery, sends information taken from the end nodes to the Tunneling IPv4/IPv6 server by using the Ethernet IPv4 interface [64].
One of the main applications that can be developed by using Waspmote Mote Runner platform is the smart-city which includes smart lighting, acoustic noise maps, structural health, air quality monitoring, and waste management [64]. The Waspmote Mote Runner has a "smart cities board" that includes: (a) hardware; (b) sensors (e.g., humidity and temperature); and (c) Waspmote Application Programming Interface (API) libraries that are designed to facilitate the management of all the resources of the board in order to extend the monitoring functionalities from indoor environments to outdoor locations [65]. For example, particle and dust sensor is an optical sensor whose operation is based on the detection of infrared light emitted by a LED, reflected by the dust particles and captured by means of a phototransistor [65]. The example of application for the particle sensor and a schema of smart-city development are depicted in Fig. 15. As seen in Fig. 15b, the Waspmote Mote Runner platform has the capability to host the proposed IDS in this study. As mentioned earlier, 6LoWPAN nodes in the proposed model are classified into leaf (source), router, and root (6BR) nodes with the aim of generating and sending data (e.g., sensing the dust particles in ambient), routing the packets and taking the packets which were sent by leaf nodes, respectively. The role of these nodes is similar to the end nodes and the GW in Waspmote Mote Runner platform. Therefore, the SA-IDS and AA-IDS agents which are used in router nodes and root node can be hosted on the end nodes and the GW for detecting malicious behaviors, respectively.
As seen in Algorithms 1 and 2, the process of intrusion detection in the SA-IDS was performed in each time-slot Δw. In this time-slot, some variables (e.g., PHList in Algorithm 1 or ChildList in Algorithm 2) which show the status of a router node should be kept in memory. As seen in Table 18, the memory capacity (e.g., SRAM, EEPROM, and SD card) of the end node can handle this requirement by keeping these variables in SRAM or storing them in EEPROM (when the end node is switched off) [63]. Notably, the packets in the 6LoWPAN should be routed based on RPL protocol. Moreover, the ability to access the required fields which are mentioned in the proposed structure of data packets (shown in Fig. 6) should be obtained by Waspmote API libraries. In the proposed model, we assumed that the root node (which is responsible for the anomaly detection and final decision) is not constrained; however, GW is a constrained device. For dealing with this challenge, the PC (Tunneling machine in Fig. 15b) can be responsible for the related processings of global agent and the GW will be only responsible for receiving packets (from the end nodes) and sending them to PC.
However, GW and the tunneling machine are intended to be a single device in the future [64].
Fig. 14. Waspmote Mote Runner’s nodes; (a) end node, (b) gateway [64].
Fig. 15. Smart-city scenario; (a) application for the particle sensor, (b) general schema for development [64,65].
8. Conclusion and future work
In this study, a novel real-time hybrid intrusion detection framework was proposed which was based on anomaly- and specification-based intrusion detection. The ability of the proposed model was investigated in detecting two insider attacks in IoT called sinkhole and selective-forwarding attacks (as two well-known routing attacks in 6LoWPAN). In addition, the possibility of detecting blackhole, rank, and wormhole attacks by the proposed model was also investigated. In the proposed model, the specification-based intrusion detection module (as the local intrusion detection agents that were located in the router nodes) analyzes the traffic- and non-traffic-related features of the host nodes. Then, the local results were sent to the root node through data packets (that were routed by the router nodes). Notably, the objects in 6LoWPAN are usually constrained (e.g., in terms of memory and processing power), so the proposed specification-based intrusion detection module is a light IDS agent that will eliminate the local analysis results after sending them to the root node. The anomaly-based intrusion detection module (as the global intrusion detection agent that was located in the root node) projects some anomaly detection models (corresponding to the number of source nodes in the network) based on an unsupervised OPF using the traffic-related features extracted from the incoming data packets. According to the local and global results of specification- and anomaly-based intrusion detection agents, the root node made a general decision about the occurred anomalies in the network using a voting mechanism.
Generally, the main challenge of intrusion detection in the WSN context, such as 6LoWPAN, is to achieve an appropriate TPR and FPR in real-time with minimum resource consumption. In this study, we proposed a hybrid intrusion detection method for 6LoWPAN which was based on an efficient architecture and the above mentioned aims. Some existing IDSs for 6LoWPANs and WSNs are compared in Table 19.
Table 19
Comparison of some intrusion detection methods for IoT.
Method | Highlights | Requirements: additional control messages | Requirements: monitor nodes
SVELTE [8] | Hybrid detection (a host-based IDS that employs RPL’s network information) | √ | ✗
Specification-based IDS for RPL (IP-based WSNs) [30] | Specification-based detection (a finite-state machine design for detecting RPL-based attacks) | ✗ | √
DoS detection in 6LoWPAN [24] | Signature-based detection (DoS detection architecture that integrates an IDS into the network framework developed in EBBITS project) | ✗ | √
Decentralized intrusion detection in WSNs [47] | Specification-based detection (IDSs are distributed on the WSN for decentralized detection) | ✗ | √
Proposed method | Hybrid detection | ✗ | ✗
As seen in Table 19, one of the major differences between the proposed method and other mentioned methods is that the proposed framework detects intrusion without employing additional control messages and monitor nodes. For example in SVELTE [8], the intrusions were detected in the 6BR based on detecting the inconsistencies in the RPL networks. Thus, it used a module, called 6LoWPAN Mapper (6Mapper), to gather information about the RPL network (DODAG) and reconstructed the network in 6BR. In SVELTE [8], the 6Mapper sent mapping requests (as additional control messages) to the nodes at regular intervals. When the nodes received mapping requests, they sent mapping responses (as additional control messages) to the 6BR. By using the mapping responses, the 6BR reconstructed the DODAG for detecting inconsistencies (i.e., intrusions). Unlike SVELTE, the proposed method sends the analysis results of local agents to the 6BR at regular intervals through normal data packets without using additional control messages. It is clear that this approach can lead to significant reduction in the cost of communication.
Another advantage of the proposed method is its data acquisition approach for extracting appropriate features. Most of the methods that are reported in Table 19 use some monitor nodes to listen to the traffic of the network in promiscuous mode and send the local analysis results to the border router in 6LoWPANs (i.e., cluster heads or base-station in WSNs). For example, Kasinathan et al. [24] used multiple components, called IDS_Probe, that were external to the operating 6LoWPAN for listening to 6LoWPAN network traffic. However, our proposed method did not use additional infrastructure to sniff the transmissions among objects in 6LoWPAN, because the local agents that were located in the router nodes analyzed incoming/outgoing packets for extracting traffic- and non-traffic-related features of their host nodes. This approach reduced the costs of setting up a 6LoWPAN, in addition to reduction of the traffic overhead, as well.
The network’s scale-free property and the ability to identify the malicious nodes are two key features of the proposed framework which were evaluated in different experiments. In this study, three different experiments were conducted which consisted of 10 simulations for evaluating the performance of the proposed framework. The goal of the first experiment was the evaluation of the proposed method in terms of TPR and FPR for dealing with the sinkhole and selective-forwarding attacks. The simulation results showed that an acceptable TPR, an appropriate FPR, and acceptable AR values (in detecting malicious nodes) were achievable by the proposed framework. However, the goal of the second experiment was the evaluation of the proposed method under different scales of the small-size and medium-size networks. The simulation results showed that the proposed method is approximately independent of the network size. The goal of the third experiment was the evaluation of the proposed method in detecting other attacks such as wormhole. The simulation results showed that the proposed hybrid model can achieve the TPR of 96.02% and FPR of 2.08% in detecting wormhole attack, respectively.
In this study, the proposed anomaly detection method was based on the MapReduce architecture. So, if an appropriate platform is prepared, the proposed model can run in parallel on a distributed space based on the MapReduce architecture. The deployment of the hybrid proposed model was investigated in a smart-city scenario by a recently released platform, as well.
On the other hand, several studies have been focused on employing data mining methods for the IoT to make it more intelligent and providing smarter devices and services [66]. So, applying data mining techniques and computational intelligence-based methods [67,68] are other candidates for future work with the aim of improving the performance of the proposed hybrid IDS framework.
References
[1] A. Rghioui, A. Khannous, M. Bouhorma, Denial-of-service attacks on 6LoWPAN-RPL networks: threats and an intrusion detection system proposition, J. Adv. Comput. Sci. Technol. 3 (2014) 143–153, doi: 10.14419/jacst.v3i2.3321.
[2] S. Raza, Lightweight Security Solutions for the Internet of Things, Ph.D. Thesis, School of Innovation, Design and Engineering, Mälardalen University, Västerås, Sweden, 2013.
[3] E. Borgia, The Internet of things: key features, applications and open issues, Comput. Commun. 54 (2014) 1–31, doi: 10.1016/j.comcom.2014.09.008.
[4] M. De Sanctis, E. Cianca, G. Araniti, I. Bisio, R. Prasad, Satellite communications supporting Internet of remote things, IEEE Internet Things J. 3 (2016) 113–123, doi: 10.1109/JIOT.2015.2487046.
[5] S.A. Alvi, B. Afzal, G.A. Shah, L. Atzori, W. Mahmood, Internet of multimedia things: vision and challenges, Ad Hoc Netw. 33 (2015) 87–111, doi: 10.1016/j.adhoc.2015.04.006.
[6] J. Yu, H.C. Bang, H. Lee, Y.S. Lee, Adaptive Internet of things and web of things convergence platform for Internet of reality services, J. Supercomput. 72 (2016) 84–102, doi: 10.1007/s11227-015-1489-6.
[7] T. Kushalnagar, G. Montenegro, C. Schumacher, IPv6 over Low-power Wireless Personal Area Networks (6LoWPANs): Overview, Assumptions, Problem Statement, and Goals, RFC 4919 (2007).
[8] S. Raza, L. Wallgren, T. Voigt, SVELTE: real-time intrusion detection in the Internet of things, Ad Hoc Netw. 11 (2013) 2661–2674, doi: 10.1016/j.adhoc.2013.04.014.
[9] L. Wallgren, S. Raza, T. Voigt, Routing attacks and countermeasures in the RPL-based Internet of things, Int. J. Distribu. Sensor Networks (2013) 1–11, doi: 10.1155/2013/794326.
[10] C. Hennebert, J. Dos Santos, Security protocols and privacy issues into 6LoWPAN stack: a synthesis, IEEE Internet Things J. 1 (2014) 384–398, doi: 10.1109/JIOT.2014.2359538.
[11] S. Sicari, A. Rizzardi, L.A. Grieco, A. Coen-Porisini, Security, privacy and trust in Internet of things: the road ahead, Comput. Netw. 76 (2015) 146–164, doi: 10.1016/j.comnet.2014.11.008.
[12] M. Ghadi, L. Laouamer, T. Moulahi, Securing data exchange in wireless multimedia sensor networks: perspectives and challenges, Multimedia Tools Appl. 75 (2016) 3425–3451, doi: 10.1007/s11042-014-2443-y.
[13] H. Ning, H. Liu, L.T. Yang, Cyberentity security in the Internet of things, IEEE Comput. Mag. 46 (2013) 46–53, doi: 10.1109/MC.2013.74.
[14] S. Sahraoui, A. Bilami, Efficient HIP-based approach to ensure lightweight end-to-end security in the Internet of things, Comput. Netw. 91 (2015) 26–45, doi: 10.1016/j.comnet.2015.08.002.
[15] R. Neisse, G. Steri, I. Nai Fovino, G. Baldini, SecKit: A model-based security toolkit for the Internet of things, Comput. Secur. 54 (2015) 60–76, doi: 10.1016/j.cose.2015.06.002.
[16] M. Mazhar Rathore, A. Paul, A. Ahmad, S. Rho, Urban planning and building smart cities based on the Internet of things using big data analytics, Comput. Netw. 101 (2016) 63–80, doi: 10.1016/j.comnet.2015.12.023.
[17] Q. Jing, A.V. Vasilakos, J. Wan, J. Lu, D. Qiu, Security of the Internet of things: perspectives and challenges, Wireless Netw. 20 (2014) 2481–2501, doi: 10.1007/s11276-014-0761-7.
[18] K. Benson, C. Fracchia, G. Wang, Q. Zhu, S. Almomen, et al., SCALE: Safe community awareness and alerting leveraging the Internet of things, IEEE Commun. Mag. 53 (2015) 27–34, doi: 10.1109/MCOM.2015.7355581.
[19] K.T. Nguyen, M. Laurent, N. Oualha, Survey on secure communication protocols for the Internet of things, Ad Hoc Netw. 32 (2015) 17–31, doi: 10.1016/j.adhoc.2015.01.006.
[20] S. Raza, H. Shafagh, K. Hewage, R. Hummen, T. Voigt, Lithe: Lightweight secure CoAP for the Internet of things, IEEE Sensors J. 13 (2013) 3711–3720, doi: 10.1109/JSEN.2013.2277656.
[21] R. Mitchell, I.R. Chen, A survey of intrusion detection in wireless network applications, Comput. Commun. 42 (2014) 1–23, doi: 10.1016/j.comcom.2014.01.012.
[22] M. Turkanović, B. Brumen, M. Hölbl, A novel user authentication and key agreement scheme for heterogeneous ad hoc wireless sensor networks, based on the Internet of things notion, Ad Hoc Netw. 20 (2014) 96–112, doi: 10.1016/j.adhoc.2014.03.009.
[23] M. Sabzinejad Farash, M. Turkanović, S. Kumari, M. Hölbl, An efficient user authentication and key agreement scheme for heterogeneous wireless sensor network tailored for the Internet of things environment, Ad Hoc Netw. 36 (2016) 152–176, doi: 10.1016/j.adhoc.2015.05.014.
[24] P. Kasinathan, C. Pastrone, M.A. Spirito, M. Vinkovits, Denial-of-service detection in 6LoWPAN based Internet of things, in: Proceedings of 9th International Conference on Wireless and Mobile Computing, Networking and Communications, Lyon, France, 2013, doi: 10.1109/WiMOB.2013.6673419.
[25] European project - Enabling the business-based Internet of things and services, Accessed 2 June 2015. http://www.ebbits-project.eu/news.php
[26] G. Cugola, A. Margara, Processing follows of information: form data stream to complex event processing, in: Proceedings of 5th ACM International Conference on Distributed Event-Based Systems, New York, USA, 2011, doi: 10.1145/2002259.2002307.
[27] C. Jun, C. Chi, Design of complex event-processing IDS in Internet of things, in: Proceedings of 6th International Conference on Measuring Technology and Mechatronics Automation, Zhangjiajie, China, 2011, doi: 10.1109/ICMTMA.2014.57.
[28] K. Ioannis, T. Dimitriou, F.C. Freiling, Towards intrusion detection in wireless sensor networks, in: Proceedings of 13th European Wireless Conference, Paris, France, 2007.
[29] T. Winter, P. Thubert, A. Brandt, J. Hui, R. Kelsey, P. Levis, K. Pister, R. Struik, J. Vasseur, R. Alexander, RPL: IPv6 Routing Protocol for Low-Power and Lossy Networks, RFC 6550 (2012).
[30] A. Le, J. Loo, Y. Luo, A. Lasebae, Specification-based IDS for securing RPL from topology attacks, in: Proceedings of the Wireless Days, Niagara Falls, Canada, 2011, doi: 10.1109/WD.2011.6098218.
[31] K. Zhang, X. Liang, R. Lu, X. Shen, Sybil attacks and their defenses in the Internet of things, IEEE Internet Things J. 1 (2014) 372–383, doi: 10.1109/JIOT.2014.2344013.
[32] P.Y. Chen, S.M. Cheng, K.C. Chen, Information fusion to defend intentional attack in Internet of things, IEEE Internet Things J. 1 (2014) 337–348, doi: 10.1109/JIOT.2014.2337018.
[33] L.M. Rocha, F.A.M. Cappabianco, A.X. Falcão, Data clustering as an optimum-path forest problem with applications in image analysis, Int. J. Imaging Syst. Technol. 19 (2009) 50–68, doi: 10.1002/ima.20191.
[34] J. Dean, S. Ghemawat, MapReduce: simplified data processing on large clusters, in: Proceeding of 6th Symposium on Operating Systems Design and Implementation, San Francisco, USA, 2004.
[35] S.Y. Wu, E. Yes, Data mining-based intrusion detectors, Expert Syst. Appl. 36 (2009) 5605–5612, doi: 10.1016/j.eswa.2008.06.138.
[36] V. Golmah, An efficient hybrid intrusion detection system based on C5.0 and SVM, Int. J. Database Theory Appl. 7 (2014) 59–70.
[37] N. Stakhanova, S. Basu, J. Wong, On the symbiosis of specification-based and anomaly-based detection, Comput. Secur. 29 (2010) 253–268, doi: 10.1016/j.cose.2009.08.007.
[38] L. Zhang, G. Feng, S. Qin, Intrusion detection system for low-power and lossy networks, Internet Draft, November 2013. https://tools.ietf.org/html/draft-zhang-roll-rpl-intrusion-defence-00
[39] S. Hamedheidari, R. Rafeh, A novel agent-based approach to detect sinkhole attacks in wireless sensor networks, Comput. Secur. 37 (2013) 1–14, doi: 10.1016/j.cose.2013.04.002.
[40] K.A .P. Costa, L.A .M. Pereira, R.Y.M. Nakamura, C.R. Pereira, J.P. Papa, A.X. Falcão,A nature-inspired approach to speed up optimum-path forest clustering and
its application to intrusion detection in computer networks, Inf. Sci. 294 (2015)95–108, doi: 10.1016/j.ins.2014.09.025 .
[41] S. Aridhi, P. Lacomme, L. Ren, B. Vincent, A MapReduce-based approach forshortest path problem in large-scale networks, Eng. Appl. Artif. Intell. 41
(2015) 151–165, doi: 10.1016/j.engappai.2015.02.008 .
[42] C.E. Loo, M.Y. Ng, C. Leckie, M. Palaniswami, Intrusion detection for routingattacks in sensor networks, Int. J. Distrib. Sensor Netw. 2 (2006) 313–332,
doi: 10.1080/15501320600692044 . [43] K.Q. Yan, S.C. Wang, S.S. Wang, C.W. Liu, Hybrid intrusion detection system
for enhancing the security of a cluster-based wireless sensor network, in: Pro-ceedings of 3rd IEEE International Conference on Computer Science and Infor-
mation Technology, Chengdu, China, 2010, doi: 10.1109/ICCSIT.2010.5563886 .
44] S. Kaplantzis, A. Shilton, N. Mani, Y.A. Sekercioglu, Detecting selective forward-ing attacks in wireless sensor networks using support vector machines, in:
Proceedings of 3rd International Conference on Intelligent Sensors, Sensor Net-works and Information, Melbourne, Australia, 2007, doi: 10.1109/ISSNIP.2007.
44 96 866 . [45] T. Tsvetkov , RPL: IPv6 routing protocol for low power and lossy networks, in:
Proceedings of the Seminar Sensor Nodes-Operation, Network and Application,
Munich, Germany, 2011 . [46] L. Yanfei, W. Cheng, Q. Xiaojun, Z. Yunhe, Y. Chengbo, An improved design of
ZigBee wireless sensor network, in: Proceedings of 2nd IEEE International Con-ference on Computer Science and Information Technology, Beijing, China, 2009,
doi: 10.1109/ICCSIT.2009.5234655 . [47] A.P.R. Da Silva, M.H.T. Martins, B.P.S. Rocha, A .A .F. Loureiro, L.B. Ruiz,
H.C. Wong, Decentralized intrusion detection in wireless sensor networks, in:
Proceedings of 1st ACM International Workshop on Quality of Service & Se-curity in Wireless and Mobile Networks, Montreal, Canada, 2005, doi: 10.1145/
1089761.1089765 . [48] F. Medjek, D. Tandjaoui, M.R. Abdmeziem, N. Djedjig, Analytical evaluation of
the impacts of Sybil attacks against RPL under mobility, in: Proceedings of 12thInternational Symposium on Programming and Systems, Algiers, Algeria, 2015,
doi: 10.1109/ISPS.2015.7244960 .
[49] A. Le, J. Loo, Y. Luo, A. Lasebae, The impacts of internal threats towards rout-ing protocol for low power and lossy network performance, in: Proceedings of
the IEEE Symposium on Computers and Communications, Split, Croatia, 2013,doi: 10.1109/ISCC.2013.6755045 .
[50] K. Chugh , A. Lasebae , J. Loo , Case study of a black hole attack on 6LoW-PAN-RPL, in: Proceedings of 6th International Conference on Emerging Security
Information, Systems and Technologies, Rome, Italy, 2012, pp. 157–162 . [51] T. Tsao, R. Alexander, M. Dohler, V. Daza, A. Lozano, M. Richardson, A Security
Threat Analysis for the Routing Protocol for Low-Power and Lossy Networks
(RPL), RFC 7416 (2015). [52] Y. Qin, Q.Z. Sheng, N.J.G. Falkner, S. Dustdar, H. Wang, A.V. Vasilakos, When
things matter: a survey on data-centric Internet of things, J. Netw. Comput.Appl. 64 (2016) 137–153, doi: 10.1016/j.jnca.2015.12.016 .
[53] A. Sivieri, L. Mottola, G. Cugola, Building Internet of things software with ELIoT,Comput. Commun. 89-90 (2016) 141–153, doi: 10.1016/j.comcom.2016.02.004 .
[54] M. Díaz, C. Martín, B. Rubio, State-of-the-art, challenges, and open issues in
the integration of Internet of things and cloud computing, J. Netw. Comput.Appl. 67 (2016) 99–117, doi: 10.1016/j.jnca.2016.01.010 .
[55] Y. Zeng, X. Chen, Y. Fan, The Internet of things in healthcare: an overview, J.Ind. Inf. Integr. 1 (2016) 3–13, doi: 10.1016/j.jii.2016.03.004 .
[56] S.M. Seo, S.W. Kim, J.W. Jeon, J.H. Kim, H.S. Kim, J.H. Cho, W.H. Lee, S.H. Paek,Food contamination monitoring via Internet of things, exemplified by using
pocket-sized immunosensor as terminal unit, Sens. Actuators B 233 (2016)
148–156, doi: 10.1016/j.snb.2016.04.061 . [57] S. Rahimi Moosavi, T.N. Gia, E. Nigissie, A.M. Rahmani, S. Virtanen, H. Ten-
hunen, J. Isoaho, End-to-end security scheme for mobility enabled healthcareInternet of things, Future Gener. Comput. Syst. 64 (2016) 108–124, doi: 10.1016/
j.future.2016.02.020 . [58] M. Gentili, R. Sannino, M. Petracca, BlueVoice: Voice communications over
Bluetooth low energy in the Internet of things scenario, Comput. Commun.
89-90 (2016) 51–59, doi: 10.1016/j.comcom.2016.03.004 . [59] K. Lin, W. Wang, Y. Bi, M. Qiu, M.M. Hassan, Human localization based on iner-
tial sensors and fingerprints in the industrial Internet of things, Comput. Netw.101 (2016) 113–126, doi: 10.1016/j.comnet.2015.11.012 .
[60] J. Mineraud, O. Mazhelis, X. Su, S. Tarkoma, A gap analysis of Internet-of-thingsplatforms, Comput. Commun. 89-90 (2016) 5–16, doi: 10.1016/j.comcom.2016.
03.015 .
[61] S. Sicari, A. Rizzardi, D. Miorandi, C. Cappiello, A. Coen-Porisini, A secure andquality-aware prototypical architecture for the Internet of things, Inf. Syst. 58
(2016) 43–55, doi: 10.1016/j.is.2016.02.003 .
H. Bostani, M. Sheikhan / Computer Communications 98 (2017) 52–71 71
[
[
[
[
[
[
62] L. Malina, J. Hajny, R. Fujdiak, J. Hosek, On perspective of security and privacy-preserving solutions in the Internet of things, Comput. Netw. 102 (2016) 83–
95, doi: 10.1016/j.comnet.2016.03.011 . 63] Libelium Comunicaciones Distribuidas S.L., Waspmote, Mote Runner Technical
Guide, Document version: v4.2, Mar. 2015. 64] Libelium, Waspmote Mote Runner: 6LoWPAN Development Plat-
form Accessed 20 May 2016. http://www.libelium.com/products/waspmote-mote- runner- 6lowpan/ .
65] Libelium Comunicaciones Distribuidas S.L., Smart Cities Board Technical Guide,
Document version: v5.4, Jan. 2016.
66] C.W. Tsai, C.F. Lai, M.C. Chiang, L.T. Yang, Data mining for Internet of things: asurvey, IEEE Commun. Surv. Tutorials 16 (2014) 77–97, doi: 10.1109/SURV.2013.
103013.00206 . [67] M. Sheikhan, Artificial neural network models for intrusion detection, in: Ency-
clopedia of Information Assurance, Taylor & Francis, New York, 2014, pp. 1–12,doi: 10.1081/E- EIA- 120051983 .
68] M. Sheikhan, Fuzzy models for intrusion detection, in: Encyclopedia of Infor-mation Assurance, Taylor & Francis, New York, 2015, pp. 1–13, doi: 10.1081/
E- EIA- 120051982 .