arXiv:2303.00260v1 [cs.CR] 1 Mar 2023
Addressing DAO Insider Attacks in IPv6-Based
Low-Power and Lossy Networks
Sachin Kumar Verma
Department of CSE
PDPM IIITDM Jabalpur, India
20mcs013@iiitdmj.ac.in
Abhishek Verma*
Department of CSE
PDPM IIITDM Jabalpur, India
abhiverma@iiitdmj.ac.in
Avinash Chandra Pandey
Department of CSE
PDPM IIITDM Jabalpur, India
avish.p@iiitdmj.ac.in
Abstract—Low-Power and Lossy Networks (LLNs) run on resource-constrained devices and play a key role in many Industrial Internet of Things and Cyber-Physical Systems based applications. However, achieving energy-efficient routing in LLNs is a major challenge. This challenge is addressed by the Routing Protocol for Low-power Lossy Networks (RPL), which is currently specified in RFC 6550 as a “Proposed Standard”. In RPL, a client node uses Destination Advertisement Object (DAO) control messages to pass destination information towards the root node. An attacker may exploit the DAO sending mechanism of RPL to perform a DAO Insider attack in LLNs. In this paper, it is shown that an aggressive attacker can drastically degrade the network performance. To address the DAO Insider attack, a lightweight defense solution is proposed. The proposed solution uses an early blacklisting strategy to significantly mitigate the attack and restore RPL performance. The proposed solution is implemented and tested on the Cooja Simulator.
Index Terms—IoT, LLNs, IDS, 6LoWPAN, DAO Insider
Attack, RPL.
I. INTRODUCTION
The IoT [1] has a large number of applications that make human life better. IoT applications such as smart grid, smart healthcare, and smart agriculture require an infrastructure that has minimum implementation cost [2] and also supports longer operation time. LLNs are best suited to such applications because they provide an infrastructure with minimum implementation cost [3] and longer operation time. In LLNs, there are various security and privacy risks that may put users' security and privacy at risk. For example, auto-configuration, vulnerabilities of supporting devices, and wireless communication may be exploited by an attacker to access the confidential or private information of users. In addition, an attacker may target LLNs with a Denial-of-Service attack and disturb the network's performance. To achieve minimum implementation cost and longer operation time, resource-constrained nodes are utilized. These nodes have very limited processing, storage, communication, and energy source capabilities. LLNs require an energy-efficient routing protocol at the network layer to support longer operation time. To address the problem of achieving energy-efficient routing in LLNs, the IETF's Routing Over Low power and Lossy networks (RoLL) working group proposed the RPL protocol as a standard. RPL is specified in RFC 6550 [4]. Although RPL solves major problems faced by LLNs, some LLN characteristics (i.e., self-healing, self-organization, and resource-constrained behavior of nodes) expose RPL to various outsider and insider attacks. These attacks may compromise users' privacy and security and limit the growth of IoT drastically. RPL has many discovered and undiscovered vulnerabilities which may be exploited by attackers to compromise the network. An attacker may compromise resource-constrained devices and reprogram them to exploit vulnerable RPL features to disrupt the normal working of other legitimate nodes. In this manner, the attacker can continuously degrade the network's overall performance. Fig. 1 indicates various attacks (WSN based and RPL specific) that can be performed on RPL based LLNs. Many of the attacks on RPL are very difficult to detect and mitigate. Fig. 1 shows some of the most common attacks against the RPL protocol.
Fig. 1. Routing attacks against RPL protocol
One of the catastrophic attacks against RPL is known as the DAO Insider attack. In this attack, an attacker node can disrupt the network's performance by continuously sending DAO messages to its preferred parent node. As RPL does not have any inbuilt functionality to identify illegitimate control packets, it becomes a victim of such an attack. To secure the network from DAO insider attacks, an Intrusion Detection System (IDS) is required. An IDS may help RPL to detect the attack and mitigate it. Our contributions are summarized below:
1) A defense solution to address the DAO insider attack is proposed.
2) The effectiveness of our proposed solution is analyzed on the Cooja simulator.
The rest of the paper is structured as follows. Section II gives an overview of the RPL protocol. Section III discusses the DAO Insider attack. Related works are discussed in Section IV. Our proposed defense solution is described in Section V. Performance evaluation of the proposed solution is presented in Section VI. Lastly, Section VII concludes the paper and indicates the future work.
978-1-6654-6658-5/22/$31.00 ©2022 IEEE
II. OVERVIEW OF RPL PROTOCOL
RPL is a proactive routing protocol based on distance vectors and source routing concepts. RPL is specified as a “Proposed Standard” in RFC 6550 [4]. RPL is considered an energy-efficient protocol because it requires less energy to create and maintain network topology [5]. It uses a distance vector protocol for routing. RPL runs on top of the IEEE 802.15.4 MAC. RPL forms a Destination Oriented Directed Acyclic Graph (DODAG) based topology over LLN devices. A DODAG is a loop-free, tree-like structure in which the root node is assumed to be the destination for all the nodes. The network may be running several DODAGs at a particular instant of time, which together are identified as an RPLInstance. An RPLInstance is identified by a unique IPv6 address, i.e., RPLInstanceID. In RPL, multiple RPLInstances may run concurrently to support various services. Each LLN node is assigned a rank value, which is a 16-bit integer and indicates the node's position relative to the DODAG root node. The RPL protocol defines a very strict rank rule. According to this rule, the rank of a node increases in a downward direction and decreases in an upward direction towards the DODAG root. The concept of rank is used for the following reasons:
- To recover the broken links.
- To differentiate between siblings and parents.
- To detect and resolve the routing loops.
- To create a relationship between parent and child.
RPL supports four types of control messages, i.e., DODAG Information Solicitation (DIS), DODAG Information Object (DIO), Destination Advertisement Object (DAO), and Destination Advertisement Object Acknowledgment (DAO-ACK). RPL defines an Objective Function (OF) for rank calculation [6]. The OF is used to select the optimal parent that has the shortest path towards the DODAG root node. To reduce the number of control message transmissions, RPL uses the “Trickle timer” concept [7].
III. DAO INSIDER ATTACK
To enable bi-directional communication, RPL uses DAO control messages. DAO messages are used to create downward paths so that the DODAG root can route packets destined towards leaf nodes. DAOs are forwarded by each intermediate node that lies along the path between the child node and the DODAG root. A unicast DAO-ACK message is sent by each DAO recipient that lies along the path. The standard RPL specification does not provide any information on when and how often these DAO messages must be transmitted. That is why different RPL implementations (i.e., ContikiRPL, OpenWSN, RIOT, Contiki-NG, OMNeT++, NetSim) choose different mechanisms to control the DAO transmission rate. We have considered the most widely used RPL implementation, i.e., ContikiRPL, in this paper. In ContikiRPL, DAO messages are transmitted using the Trickle Timer. In RPL, DAO messages are unicast by the child node to the parent node on three occasions:
1) When a node receives a DIO message from a parent node.
2) When a node changes its preferred parent.
3) When a node detects some routing error.
An important point related to DAO messages is that when a child node sends a DAO message with the DODAG root as destination, multiple DAO messages are generated by the intermediate nodes along the path in response to that single DAO transmission. Consider a path from child node to root node that consists of $n$ intermediate nodes; then the total number of DAO messages that are transmitted along the path is equal to $n$, as shown in Fig. 2. An attacker node may exploit this feature to disrupt the normal network's performance by simply transmitting a malformed or eavesdropped DAO message frequently to its preferred parent node. The best case scenario for an attacker will be to launch the attack from the edge of the network, as this will increase the control packet overhead in terms of DAO messages. The DAO Insider attack significantly decreases the PDR (packet delivery ratio) and increases the AE2ED (average end-to-end delay) and the average power consumption of the network. There are multiple ways to launch the DAO Insider attack. One way is to send malformed DAO packets to the root node (i.e., insider attack). Another way is to transmit an eavesdropped DAO captured from a legitimate node (i.e., outsider attack). Fig. 2 shows the attacker with Node Id 10 repeatedly transmitting the DAO message to its preferred parent node, i.e., Node Id 7. All intermediate nodes forward the DAO message to their parent until it is received by the root node.
IV. RELATED WORK
Sheibani et al. [8] proposed an algorithm for mitigating the Dropped DAO (DDAO) attack. They used a watchdog approach in which a node monitors the forwarding behaviour of its parent. Raza et al. [9] suggested a real-time IDS called SVELTE, which is based on the Contiki platform. SVELTE detects three types of attacks, i.e., Sinkhole, Selective Forwarding, and Spoofing. It uses three different procedures to detect attacks in real time: (1) collects traffic information, (2) identifies intrusion, (3) provides a small distributed firewall for blocking illegitimate traffic coming from outsider networks. Verma et al. [10] carried out a detailed survey on various existing attacks and countermeasures for RPL. Mayzaud et al. [11] proposed a distributed monitoring algorithm to secure RPL from version number attacks. In [12], the authors focused on designing an IDS to protect the network from outsider attackers. They proposed a signature-based intrusion detection approach to secure the network from version number modification and “Hello” flooding attacks. In [13], an attack classification model based on a Gated Recurrent Unit network is developed for identification of the “Hello Flooding” attack. Ghaleb et al. [14] proposed and addressed the DAO Insider attack. The authors implemented a defense mechanism named SecRPL to secure LLNs. Verma et al. [15] proposed a lightweight security scheme for defending RPL against DIS flooding attacks. They analyzed the network and put a safety threshold on the RPL protocol. Farzaneh et al. [16] proposed an anomaly-based IDS that uses threshold values for detection of attacks in RPL. Airehrour et al. [17] proposed the SecTrust-RPL solution to secure RPL against Sybil and rank attacks. An IDS named SIEWE is proposed by Patel et al. [18]. In [19], the authors proposed a lightweight mechanism that adjusts threshold values to detect and mitigate DIS attacks. From the literature, we identified that various RPL based attacks have been countered using different types of security solutions. As far as the literature is concerned, there is only one solution for defending against DAO Insider attacks [14], which leaves a lot of scope. In this paper, we have addressed the DAO Insider attack using a blacklisting technique.
Fig. 2. An illustration of DAO Insider Attack
V. PROPOSED SOLUTION
The proposed defense solution is based on the idea of analyzing a node's behavior to identify whether it is legitimate or illegitimate. We performed multiple experiments considering different non-attack and attack scenarios to analyze illegitimate node behavior. The behavior of a node is analyzed in terms of the number of DAO messages transmitted and received by the nodes across the network. From a detailed analysis, we conclude that each node in RPL based LLNs receives and transmits a similar number of DAO messages under non-attack scenarios, whereas under attack the victim node receives a large number of DAOs from a malicious node as compared to neighboring legitimate nodes. To address the DAO Insider attack, we propose a defense solution that puts a limit on the number of DAO messages sent by any child node. The key idea is to distinguish between the original attacker node and the victim node in order to minimize false positives.
The proposed solution is based on a distributed detection strategy in which every individual node maintains two tables, i.e., a neighbor table for storing information about neighbors and a blacklist table for storing information about blacklisted or attacker nodes. The use of the blacklist table helps in energy saving because the attack is mitigated quickly without additional processing of illegitimate DAO packets. A threshold, i.e., DAO recv threshold, is used to put a cap on the maximum allowed DAO transmissions by any child node. The value of DAO recv threshold is chosen based on the analysis of multiple non-attack scenarios.
The detection algorithm starts with the initialization of DAO recv threshold, Neighbor Table, and Blacklist Table. The parent node, upon receiving a DAO message from a child node (the DAO sender), checks whether the DAO sender's address is already present in the Blacklist Table. If the DAO sender's address matches any blacklisted node's address, the parent had already detected that DAO sender as an attacker node earlier, and it simply discards the received DAO message without any further processing. This not only saves the energy of nodes but also helps in quick mitigation of the attack. If the DAO sender's address is not present in the Blacklist Table, the algorithm searches the Neighbor Table for the DAO sender's address. If the DAO sender's address is not present in the Neighbor Table, the DAO sender is a new child node which has sent a DAO message for the first time. A new entry is then created in the Neighbor Table and the DAO sender's information is added to it. In this case the Neighbor Table stores three values:
1) DAO sender address (Node[source id])
2) Child's Global address or DAO Prefix (Node[global id])
3) Child's DAO counter
Based on these entries, the detection algorithm decides whether a DAO sender node is an attacker or not. It is important to note that whenever a node generates a DAO message, it also transfers its global ID in the DAO message. In RPL, the DAO sender's global ID is represented as the DAO prefix. In our solution, we use the DAO prefix to decide when to increment the DAO counter value (i.e., DAO count). Whenever a parent node receives a DAO message from its child node, there are two cases which are handled differently. In the first case, if the DAO sender or child is the DAO originator (i.e., DAO Prefix equals the child's global id), then the DAO count value corresponding to that child node is incremented, and the DAO message is forwarded. In the second case, when the child is not the DAO originator (i.e., DAO Prefix does not equal the child's global id), the value of DAO count is not incremented, and the DAO message is forwarded to the preferred parent. With this approach, the algorithm detects an attacker node present in the network without blacklisting legitimate nodes. If any node is sending a lot of DAO messages, then the parent of that child node will increment the DAO count corresponding to that child node. After DAO recv threshold is reached, the parent blocks the abnormally behaving child and adds its information to the Blacklist Table (i.e., blacklisting).
The main benefit of this approach is that it does not involve any resource-consuming methods like encryption, decryption, hashing, or key management. The detection logic simply puts thresholds on RPL parameters, which makes it lightweight and suitable for LLNs. Pseudocode of the proposed solution is depicted in Algorithm 1.
Algorithm 1 Pseudocode of proposed solution
procedure INITIALIZATION
    set DAO recv threshold
    create empty Neighbor Table    ▷ To create a neighbor table on node start
    create empty Blacklist Table    ▷ To create a blacklist table on node start
end procedure
procedure ONDAORECEIVE
    if (DAO sender address is present in Blacklist Table) then
        return    ▷ In case the sender node was already blacklisted
    end if
    for Each Node in Neighbor Table do
        if (DAO sender address equals Node.source id) then
            if (DAO Prefix equals Node.global id) then
                if (Node.DAO count is less than DAO recv threshold) then
                    Node.DAO count++
                    Forward DAO to preferred parent
                else
                    Add DAO sender in Blacklist Table
                end if
            else
                Forward DAO to preferred parent
            end if
            return    ▷ Sender found in Neighbor Table; stop searching
        end if
    end for
    Add new DAO sender’s information in Neighbor Table    ▷ Sender not found in Neighbor Table
end procedure
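Algorithm 1 from the parent's point of view, as an added C example (not the authors' ContikiRPL code). The type and function names, the table size of 8, the threshold value 5, and node IDs 9 and 11 are assumptions; following the prose, an unknown sender gets one new entry when the Neighbor Table lookup finds no match, and the prefix of its first DAO is recorded as its global address.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define TABLE_SIZE 8          /* assumed capacity of both tables */
#define DAO_RECV_THRESHOLD 5  /* assumed; the paper derives it from non-attack runs */

typedef enum {
    DAO_DROPPED_BLACKLISTED,  /* sender already in the Blacklist Table */
    DAO_NEIGHBOR_ADDED,       /* first DAO from this sender: entry created */
    DAO_FORWARDED,            /* passed on to the preferred parent */
    DAO_SENDER_BLACKLISTED,   /* threshold reached: DAO dropped, sender listed */
    DAO_TABLE_FULL            /* no room to track a new sender */
} dao_action_t;

typedef struct { uint8_t b[16]; } addr_t;  /* IPv6 address */
typedef struct {
    addr_t source_id;         /* DAO sender address */
    addr_t global_id;         /* child's global address (DAO prefix) */
    uint16_t dao_count;       /* DAOs this child originated itself */
} neighbor_t;
typedef struct {              /* per-node state; zero-initialise on node start */
    neighbor_t neighbors[TABLE_SIZE];
    size_t n_neighbors;
    addr_t blacklist[TABLE_SIZE];
    size_t n_blacklist;
} dao_ids_t;

static int same(const addr_t *x, const addr_t *y) { return memcmp(x->b, y->b, sizeof x->b) == 0; }
int dao_ids_is_blacklisted(const dao_ids_t *ids, const addr_t *addr)
{
    for (size_t i = 0; i < ids->n_blacklist; i++)
        if (same(&ids->blacklist[i], addr))
            return 1;
    return 0;
}

/* Decision a parent takes for one received DAO. */
dao_action_t on_dao_receive(dao_ids_t *ids, const addr_t *sender, const addr_t *dao_prefix)
{
    if (dao_ids_is_blacklisted(ids, sender))
        return DAO_DROPPED_BLACKLISTED;      /* no further processing */
    for (size_t i = 0; i < ids->n_neighbors; i++) {
        neighbor_t *n = &ids->neighbors[i];
        if (!same(&n->source_id, sender))
            continue;
        if (!same(&n->global_id, dao_prefix))
            return DAO_FORWARDED;            /* relayed DAO: not counted */
        if (n->dao_count < DAO_RECV_THRESHOLD) {
            n->dao_count++;
            return DAO_FORWARDED;
        }
        if (ids->n_blacklist < TABLE_SIZE)
            ids->blacklist[ids->n_blacklist++] = *sender;
        return DAO_SENDER_BLACKLISTED;
    }
    /* Unknown sender: record it once; its first DAO's prefix is taken as its global address. */
    if (ids->n_neighbors == TABLE_SIZE)
        return DAO_TABLE_FULL;
    ids->neighbors[ids->n_neighbors++] = (neighbor_t){ *sender, *dao_prefix, 0 };
    return DAO_NEIGHBOR_ADDED;
}

/* Constructed addresses: first byte 0xfe = link-local, 0xfd = global. */
static addr_t make_addr(uint8_t first, uint8_t node_id)
{
    addr_t a = { .b = { [0] = first, [15] = node_id } };
    return a;
}

typedef struct { int attacker_fwd, attacker_drop, relay_fwd, relay_drop; } scenario_t;
/* Feed `count` identical DAOs to the parent; tally forwarded and dropped ones. */
static void replay(dao_ids_t *ids, addr_t src, addr_t prefix, int count, int *fwd, int *drop)
{
    for (int i = 0; i < count; i++) {
        dao_action_t a = on_dao_receive(ids, &src, &prefix);
        *fwd += a == DAO_FORWARDED;
        *drop += a == DAO_SENDER_BLACKLISTED || a == DAO_DROPPED_BLACKLISTED;
    }
}

/* Parent's view: node 10 replays its own DAO; node 9 relays DAOs of node 11. */
scenario_t run_scenario(int n_attack, int n_relay)
{
    dao_ids_t ids = {0};
    scenario_t s = {0};
    replay(&ids, make_addr(0xfe, 9), make_addr(0xfd, 9), 1, &s.relay_fwd, &s.relay_drop);
    replay(&ids, make_addr(0xfe, 9), make_addr(0xfd, 11), n_relay, &s.relay_fwd, &s.relay_drop);
    replay(&ids, make_addr(0xfe, 10), make_addr(0xfd, 10), n_attack, &s.attacker_fwd, &s.attacker_drop);
    return s;
}

int main(void)
{
    scenario_t s = run_scenario(20, 20);
    printf("attacker fwd=%d drop=%d, relay fwd=%d drop=%d\n",
           s.attacker_fwd, s.attacker_drop, s.relay_fwd, s.relay_drop);
    return 0;
}
```

In the constructed run, five of node 10's twenty self-originated DAOs are forwarded before it is blacklisted and the rest are dropped, while all twenty DAOs relayed by node 9 pass because relayed DAOs never touch its counter.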
VI. PERFORMANCE EVALUATION
We implemented our proposed defense solution in Contiki [20], which is one of the widely used embedded operating systems for resource-constrained nodes. The popular ContikiRPL is modified and the proposed solution is integrated with it. The performance of the proposed solution is evaluated on the Cooja simulator [21]. The rest of this section provides the details of the experimental setup, performance indicators, and experimental results.
Fig. 3. Simulation Parameters
A. Experimental Setup
The proposed solution is implemented by modifying the core files of ContikiRPL. We performed the experiments for evaluation of the proposed solution on the Cooja Simulator. The Z1 mote platform is used for running Contiki. The simulation parameters mentioned in Fig. 3 are considered for the experiments. In all the experiments, the Unit Disk Graph Radio Medium (UDGM) is considered. To mount the DAO insider attack, an attacker can compromise a legitimate node and reprogram it to capture a DAO message and then transmit the captured DAO message at a fixed time interval. The DAO attack is launched after receiving a DIO message from any parent node. The detection approach of the proposed solution is activated upon network initialization. The mean values of PDR and AE2ED have been used for analysis to eliminate the effect of biased results. We performed 10 independent experiments with different random seed values and computed the errors at a 95 percent confidence interval.
B. Performance Indicators
1) Packet Delivery Ratio (PDR): Represents the ratio of the total amount of data packets received to the total amount of data packets sent by any node to the DODAG root node.
2) Average End-to-End Delay (AE2ED): The average time taken to deliver all the data packets from source to DODAG node.
3) Throughput: It indicates the amount of data moved successfully from sender to receiver in a given period of time. It is expressed in terms of bits per second (bps).
4) Implementation Overhead: It represents the total RAM and ROM usage by the proposed solution on resource-constrained nodes.
C. Simulation Results
We have considered three cases for making comparisons, i.e., $RPL$, $RPL_{UnderAttack}$, and $RPL_{Secure}$, where $RPL$ represents standard RPL without a defense mechanism implemented on it, $RPL_{UnderAttack}$ is the scenario in which standard $RPL$ is under attack, and $RPL_{Secure}$ represents the secure version of standard $RPL$ which has our defense solution incorporated in it. In this section, the simulation results are discussed.
D. Impact on PDR
Fig. 4 represents the impact on PDR under $RPL$, $RPL_{UnderAttack}$, and $RPL_{Secure}$. It can be observed from the figure that the attacker lowers the network's performance. Under the $RPL_{UnderAttack}$ scenario, the attacker node is programmed to transmit a large number of DAO messages to the preferred parent node. The attacker node increases the control packet overhead of the network. Upon receiving a DAO message, a parent must process all DAOs and send an acknowledgement in a DAO-ACK message to the DAO sender node. In the $RPL_{UnderAttack}$ case, the processing overhead increases drastically, which consequently leads to data packet loss. Fig. 4 clearly indicates how the PDR is affected in the $RPL_{UnderAttack}$ scenario. Moreover, it can also be observed that aggressive DAO attackers (i.e., attackers sending DAOs at 1 and 2 second replay intervals) have a higher impact on PDR than non-aggressive attackers (i.e., attackers sending DAOs at 4 and 8 second replay intervals). In the case of $RPL_{Secure}$, whenever a parent node receives more DAO messages than the threshold value, the parent node blocks the DAO sender node and discards any further DAOs received from that node. $RPL_{Secure}$ is able to improve the network performance and reduce the impact of the attack. The effectiveness of the proposed solution is clearly visible from the values achieved in the case of $RPL_{Secure}$, as shown in Fig. 4.
[Figure 4: plot of Packet Delivery Ratio (y-axis, 0.0 to 1.0) against Replay Interval in seconds (x-axis: 1, 2, 4, 8) for RPL, RPL Under Attack, and RPL Secure]
Fig. 4. PDR values obtained in different scenarios
E. Impact on AE2ED
The impact on AE2ED in the different scenarios ($RPL$, $RPL_{UnderAttack}$, $RPL_{Secure}$) is indicated in Fig. 5. It can be observed that AE2ED is severely affected under the attack scenario as compared to $RPL$. The reason is that the parent nodes receive a lot of DAO messages from the attacker node, and this keeps them busy. Busy parent nodes take a lot of time to process data packets, therefore AE2ED increases. As with the PDR results, it can be observed that aggressive DAO attackers have a major impact on the AE2ED of the network as compared to non-aggressive attackers. Our proposed solution ($RPL_{Secure}$) is able to decrease the impact of the attack, and this is clearly visible in Fig. 5. This is because the proposed solution discards malicious DAOs, which consequently reduces the processing time of data packets.
[Figure 5: plot of Average End-to-End Delay in seconds (y-axis, 0.0 to 3.5) against Replay Interval in seconds (x-axis: 1, 2, 4, 8) for RPL, RPL Under Attack, and RPL Secure]
Fig. 5. AE2ED values obtained in different scenarios
F. Impact on Throughput
It can be observed from the results shown in Fig. 6 that $RPL_{Secure}$ is able to improve the throughput (data packet bits delivered) of the network, which is decreased due to the effect of the attack ($RPL_{UnderAttack}$). The proposed solution reduces the effect of the DAO insider attack, and therefore the number of data packets successfully delivered increases, which consequently increases the throughput of the network.
[Figure 6: plot of Throughput in bps (y-axis, 0 to 80) against Replay Interval in seconds (x-axis: 1, 2, 4, 8) for RPL, RPL Under Attack, and RPL Secure]
Fig. 6. Throughput values obtained in different scenarios
G. Implementation Overhead
Fig. 7 shows the memory requirements of the proposed defense solution. The proposed solution requires a very small amount of memory, which makes it a lightweight defense solution. The standard Z1 motes have 92 KB of ROM and 8 KB of RAM. Fig. 7 shows that Contiki with our proposed solution implemented on it easily fits into Z1 motes without imposing significant overhead.
[Figure 7: bar chart of Memory size in Kilobytes (kB) (y-axis, 0 to 100), showing ROM and RAM for Standard Z1 Node, IDS-Z1 node, and IDS-Z1 6BR]
Fig. 7. Memory requirements of proposed solution
H. Time complexity of Proposed Approach
- The time complexity of the INITIALIZATION procedure is $O(1)$, as it defines the neighbor and blacklist tables.
- The ON DAO Receive procedure explores the blacklist table to determine whether unauthorized senders are already blacklisted or not. If the size of the blacklist table is $B_t$ and unauthorized senders are present in the blacklist table, then the time taken to explore the entire blacklist table will be $O(B_t)$. The neighbor table is explored to discover the unauthorized senders if the senders are not present in the blacklist table. After an unauthorized sender is identified, it is added to the blacklist table. If the size of the neighbor table is $N_t$, then the time complexity to discover and add an unauthorized sender to the blacklist table will be $O(B_t) + O(N_t)$, because the neighbor table is explored after examining the entire blacklist table.
- The time complexity of the proposed approach will be $O(B_t) + O(N_t) + O(1)$, i.e., $O(B_t) + O(N_t)$, since the time taken by the initialization procedure is $O(1)$, and that of the ON DAO Receive procedure is $O(B_t) + O(N_t)$.
VII. CONCLUSION AND FUTURE SCOPE
In this paper, we have proposed a lightweight defense solution to address DAO Insider attacks in LLNs. The experimental results indicate that our proposed solution effectively detects and mitigates the attack while taking care of the resource-constrained nature of LLN nodes. In future, we aim to test our proposed approach in dynamic network scenarios and perform testbed experiments.
REFERENCES
[1] K. Ashton et al., “That ‘internet of things’ thing,” RFID journal, vol. 22, no. 7, pp. 97–114, 2009.
[2] P. Sethi and S. R. Sarangi, “Internet of things: architectures, protocols, and applications,” Journal of Electrical and Computer Engineering, vol. 2017, 2017.
[3] J. V. Sobral, J. J. Rodrigues, R. A. Rabêlo, J. Al-Muhtadi, and V. Korotaev, “Routing protocols for low power and lossy networks in internet of things applications,” Sensors, vol. 19, no. 9, p. 2144, 2019.
[4] R. Alexander, A. Brandt, J. Vasseur, J. Hui, K. Pister, P. Thubert, P. Levis, R. Struik, R. Kelsey, and T. Winter, “RPL: IPv6 Routing Protocol for Low-Power and Lossy Networks,” RFC 6550, Mar. 2012. [Online]. Available: https://rfc-editor.org/rfc/rfc6550.txt
[5] O. Gaddour and A. Koubâa, “RPL in a nutshell: A survey,” Computer Networks, vol. 56, no. 14, pp. 3163–3178, 2012.
[6] H. Lamaazi and N. Benamar, “A comprehensive survey on enhancements and limitations of the RPL protocol: A focus on the objective function,” Ad Hoc Networks, vol. 96, p. 102001, 2020.
[7] P. Levis, T. Clausen, J. Hui, O. Gnawali, and J. Ko, “The trickle algorithm,” Internet Engineering Task Force, RFC6206, pp. 1–13, 2011.
[8] M. Sheibani, B. Barekatein, and E. Arvan, “A lightweight distributed detection algorithm for ddao attack on rpl routing protocol in internet of things,” Pervasive and Mobile Computing, p. 101525, 2022.
[9] S. Raza, L. Wallgren, and T. Voigt, “SVELTE: Real-time intrusion detection in the Internet of Things,” Ad hoc networks, vol. 11, no. 8, pp. 2661–2674, 2013.
[10] A. Verma and V. Ranga, “Security of RPL based 6LoWPAN Networks in the Internet of Things: A Review,” IEEE Sensors Journal, vol. 20, no. 11, pp. 5666–5690, 2020.
[11] A. Mayzaud, R. Badonnel, and I. Chrisment, “A distributed monitoring strategy for detecting version number attacks in RPL-based networks,” IEEE transactions on network and service management, vol. 14, no. 2, pp. 472–486, 2017.
[12] P. Ioulianou, V. Vasilakis, I. Moscholios, and M. Logothetis, “A signature-based intrusion detection system for the Internet of Things,” Information and Communication Technology Form, 2018.
[13] S. Cakir, S. Toklu, and N. Yalcin, “Rpl attack detection and prevention in the internet of things networks using a gru based deep learning,” IEEE Access, vol. 8, pp. 183 678–183 689, 2020.
[14] B. Ghaleb, A. Al-Dubai, E. Ekonomou, M. Qasem, I. Romdhani, and L. Mackenzie, “Addressing the DAO insider attack in RPL’s Internet of Things networks,” IEEE Communications Letters, vol. 23, no. 1, pp. 68–71, 2018.
[15] A. Verma and V. Ranga, “Mitigation of DIS flooding attacks in RPL-based 6LoWPAN networks,” Transactions on emerging telecommunications technologies, vol. 31, no. 2, p. e3802, 2020.
[16] B. Farzaneh, M. A. Montazeri, and S. Jamali, “An anomaly-based ids for detecting attacks in rpl-based internet of things,” in 2019 5th International Conference on Web Research (ICWR), 2019, pp. 61–66.
[17] D. Airehrour, J. A. Gutierrez, and S. K. Ray, “SecTrust-RPL: A secure trust-aware RPL routing protocol for Internet of Things,” Future Generation Computer Systems, vol. 93, pp. 860–876, 2019.
[18] H. B. Patel and D. C. Jinwala, “Blackhole detection in 6LoWPAN based internet of things: an anomaly based approach,” in TENCON 2019-2019 IEEE Region 10 Conference (TENCON). IEEE, 2019, pp. 947–954.
[19] G. Guo, “A Lightweight Countermeasure to DIS Attack in RPL Routing Protocol,” in 2021 IEEE 11th Annual Computing and Communication Workshop and Conference (CCWC). IEEE, 2021, pp. 0753–0758.
[20] A. Dunkels, B. Gronvall, and T. Voigt, “Contiki-a lightweight and flexible operating system for tiny networked sensors,” in 29th annual IEEE international conference on local computer networks. IEEE, 2004, pp. 455–462.
[21] F. Osterlind, A. Dunkels, J. Eriksson, N. Finne, and T. Voigt, “Cross-level sensor network simulation with cooja,” in Proceedings. 2006 31st IEEE conference on local computer networks. IEEE, 2006, pp. 641–648.
ResearchGate has not been able to resolve any citations for this publication.
Article
Full-text available
Cyberattacks targeting Internet of Things (IoT), have increased significantly, over the past decade, with the spread of internet-connected smart devices and applications. Routing Protocol for Low-Power and Lossy Network (RPL) enables messages to be routed between nodes for the Wireless Sensor Network in the network layer. RPL protocol, which is sensitive and difficult to protect, is exposed to various attacks. These attacks negatively affect data transmission and cause great destruction to the topology by consuming the resources. Hello Flooding (HF) attacks against RPL cause consumption of constrained resources (memory, processing and energy) in nodes. Therefore, in this study, a Gated Recurrent Unit network model based deep learning has been proposed to predict and prevent HF attacks on RPL protocol in IoT networks. The proposed model has been compared with Support Vector Machine and Logistic Regression methods, and different power states and total energy consumptions of the nodes have been taken into consideration and experimented with. The results confirm the promised and expected performance from the model in terms of source efficiency and IoT security. In addition, attack detection has been carried out with a much lower error rate than literature studies for HF attacks from RPL flood attacks. INDEX TERMS Deep learning, gated recurrent unit, hello flooding, Internet of Things.
Article
Full-text available
The IPv6 Routing Protocol for Low‐Power and Lossy Networks (RPL) is the de facto routing protocol for IPv6‐based Low‐Power Wireless Personal Area Networks (6LoWPAN). In RPL protocol, DODAG Information Solicitation (DIS) messages are sent by the node to join the network. A malicious node can exploit this mechanism to send illegitimate DIS messages to the neighbor nodes to perform a DIS flooding attack. In this research paper, it is observed that the DIS flooding attack increases the control packet overhead of the network, which significantly degrades the network's performance. This further increases the power consumption of the nodes in the network. To address this problem, a mitigation scheme named Secure‐RPL is proposed. The proposed scheme mitigates significantly the effects of DIS flooding attack on the network's performance. The effectiveness of the proposed Secure‐RPL scheme is compared with standard RPL protocol. The experimental results show that Secure‐RPL detects and mitigates DIS flooding attack quickly and efficiently in both static and dynamic network scenarios, without adding any significant overhead to the nodes.
Article
The RPL routing protocol for low power and lossy networks uses the objective function (OF) to build a Destination Oriented Directed Acyclic Graph (DODAG) based on a set of metrics and constraints. The OF has as the main function to select and specify the best parent or the optimal path to reach the destination. However, proposing an adequate objective function in Low Power and Lossy Networks (LLNs) presents a substantial challenge. In this paper, we propose a survey on existing objective functions in LLNs based on a set of metrics. These metrics can define a node or/and link characteristics. We highlight the advantages and the shortcoming of each studied solution. Furthermore, we propose a classification of the used metrics and the criteria of choice. Then, we present a comparative study of the existing OFs in terms of the required performances of the RPL protocol and we provide a deep statistical analysis of all reviewed papers. Finally, we conclude our contribution by highlighting the different issues and challenges that can be exploited for future works. We believe that this survey will help LLNs researchers’ community to easily understand the objective function concept and contributes to improving RPL in this context for further relevant research works.
Article
The emergence of the Internet of Things (IoT) and its applications has taken the attention of several researchers. In an effort to provide interoperability and IPv6 support for the IoT devices, the Internet Engineering Task Force (IETF) proposed the 6LoWPAN stack. However, the particularities and hardware limitations of networks associated with IoT devices lead to several challenges, mainly for routing protocols. On its stack proposal, IETF standardizes the RPL (IPv6 Routing Protocol for Low-Power and Lossy Networks) as the routing protocol for Low-power and Lossy Networks (LLNs). RPL is a tree-based proactive routing protocol that creates acyclic graphs among the nodes to allow data exchange. Although widely considered and used by current applications, different recent studies have shown its limitations and drawbacks. Among these, it is possible to highlight the weak support of mobility and P2P traffic, restrictions for multicast transmissions, and lousy adaption for dynamic throughput. Motivated by the presented issues, several new solutions have emerged during recent years. The approaches range from the consideration of different routing metrics to an entirely new solution inspired by other routing protocols. In this context, this work aims to present an extensive survey study about routing solutions for IoT/LLN, not limited to RPL enhancements. In the course of the paper, the routing requirements of LLNs, the initial protocols, and the most recent approaches are presented. The IoT routing enhancements are divided according to its main objectives and then studied individually to point out its most important strengths and weaknesses. Furthermore, as the main contribution, this study presents a comprehensive discussion about the considered approaches, identifying the still remaining open issues and suggesting future directions to be recognized by new proposals.
Article
A significant increase in the number of connected devices in the Internet of Things poses a key challenge to efficiently handling the attacks in routing protocols such as Routing Protocol for Low Power and Lossy Networks (RPL). The attacks on RPL are partly studied in the literature, and the proposed solutions typically overlook the appropriate trade-off among the detection rate and communication and computational overhead. This study aimed at introducing a new attack called Dropped Destination Advertisement Object (DDAO) and a new Intrusion Detection System (IDS) to counter this attack in RPL protocol. DDAO attack adversely affects the network by preventing the creation of the downward routes through not forwarding Destination Advertisement Object (DAO) messages and sending fake Destination Advertisement Object Acknowledgment (DAO-ACK) messages to the DAO source. A distributed lightweight IDS is proposed in this study to detect and counter DDAO attacks by monitoring the behavior of parents against forwarded DAO messages. According to the evaluations conducted on the Cooja simulator under different real-world conditions, the proposed IDS can detect DDAO attacks with high accuracy, precision, and True Positive Rate (TPR) and low False Positive Rate (i.e., close to zero). Additionally, compared to RPL, the proposed IDS improves Packet Delivery Rate (PDR) by 158 percent when countering attacks.
Article
Internet of Things (IoT) is one of the fastest emerging networking paradigms enabling a large number of applications for the benefit of mankind. Advancements in embedded system technology and compressed IPv6 have enabled the support of IP stack in resource constrained heterogeneous smart devices. However, global connectivity and resource constrained characteristics of smart devices have exposed them to different insider and outsider attacks which put users’ security and privacy at risk. Various risks associated with IoT slow down its growth and become an obstruction in the worldwide adoption of its applications. In RFC 6550, the IPv6 Routing Protocol for Low Power and Lossy Network (RPL) is specified by IETF’s ROLL working group for facilitating efficient routing in 6LoWPAN networks, while considering its limitations. Due to resource constrained nature of nodes in the IoT, RPL is vulnerable to many attacks which consume the node’s resources and degrade network’s performance. In this paper, we present a study on various attacks and their existing defense solutions particular to RPL. Open research issues, challenges, and future directions specific to RPL security are also discussed. A taxonomy of RPL attacks, considering the important attributes like resources, topology, and traffic is shown for better understanding. In addition, a study of existing cross-layered and RPL specific network layer based defense solutions suggested in the literature is also carried out.
Conference Paper
The Internet of Things (IoT) is a concept that allows the networking of various objects of everyday life and communications on the Internet without human interaction. The IoT consists of Low-Power and Lossy Networks (LLN) which for routing use a special protocol called Routing over Low-Power and Lossy Networks (RPL). Due to the resource-constrained nature of RPL networks, they may be exposed to a variety of internal attacks. Neighbor attack and DIS attack are the specific internal attacks at this protocol. This paper presents an anomaly-based lightweight Intrusion Detection System (IDS) based on threshold values for detecting attacks on the RPL protocol. The results of the simulation using Cooja show that the proposed model has a very high True Positive Rate (TPR) and in some cases, it can be 100%, while the False Positive Rate (FPR) is very low. The results show that the proposed model is fully effective in detecting attacks and applicable to large-scale networks.