Comparison of Machine Learning Algorithms to Detect RPL-Based IoT Devices Vulnerability

Attacks on the RPL Protocol

In the protocol layers section of the thesis we gave detailed information about the RPL protocol. This section addresses the attacks that target the RPL protocol.

Designed for 6LoWPAN, RPL aims to minimise the energy spent when many constrained IoT devices communicate with each other. Since efficient use of energy is decisive for cost-effectiveness, the correct operation of RPL is vital. However, the inherent complexity of RPL and the weak security of 6LoWPAN devices make it vulnerable to attacks mounted from inside or outside the network (Le, Loo, Luo, & Lasebae, 2011) [1]. Ultimately, a compromised node anywhere in the DODAG can affect the whole system.

RPL defines its own security modes (Winter, et al., March 2012) [2]:
  1. Unsecured mode: RPL uses the basic DIS, DIO, DAO and DAO-ACK messages without their security fields. Unsecured does not imply that every message is sent without any protection; the network may rely on other mechanisms such as link-layer security.
  2. Preinstalled mode: RPL uses secured messages. To join an RPL Instance a node must have a preinstalled key, which it uses to provide confidentiality, integrity and authenticity of messages. With this preinstalled key a node may join the RPL network as a host or as a router.
  3. Authenticated mode: in addition to the preinstalled key, a node must obtain a second key from a key authority before it may join the network as a router. The key authority can verify that the node is permitted to act as a router before handing out that second key. This mode cannot be supported with symmetric algorithms; at the time the specification was written RPL supported only symmetric algorithms, so authenticated mode was included for the benefit of future cryptographic primitives. (Winter, et al., March 2012) [2]
Attacks are possible when unsecured mode is in use, or when the security policies of the other two modes are circumvented, for instance by a compromised node that already holds a valid key.

(Mayzaud, Badonnel, & Chrisment, 2016) [3] classified RPL attacks as shown in Figure 2.15 in their taxonomy; the following subsections follow that classification.

Figure 2.15: RPL Attacks.

Attacks on Resources

Attacks on resources make legitimate nodes in the DODAG perform unnecessary operations, driven by one or more malicious nodes. The energy or memory of the node is consumed, or its processor is kept busy, so the lifetime of the network is exhausted much sooner than intended. (Mayzaud, Badonnel, & Chrisment, 2016) [3]

Direct Attacks

In direct attacks, the malicious node is itself responsible for the resource depletion. Typically this is done by flooding or, when storing mode is enabled, by overloading the routing tables of other nodes. (Mayzaud, Badonnel, & Chrisment, 2016) [3]

Routing Table Overload Attack

The attacker announces fake routes in DAO messages so that the routing table of the targeted node, which in storing mode keeps the downward routes for its sub-DODAG, fills up. Once saturated, the table cannot accept new legitimate routes, which disrupts the operation of the network. (Mayzaud, Badonnel, & Chrisment, 2016) [3]

Flooding Attacks

Flooding attacks generate a large amount of traffic in the network to make nodes and links unavailable; some or all nodes may exhaust their resources. In RPL this attack is also known as a HELLO flood, and it can be carried out in two ways:

  • The attacking node keeps multicasting DIS messages to the whole network. Every node that receives such a DIS resets its DIO Trickle timer and starts advertising DIOs again at the minimum interval. The attack is shown in Figure 2.16.
  • The attacking node sends unicast DIS messages to a specific node, which answers each one with a DIO.

Both variants congest the network and saturate the RPL nodes. (Mayzaud, Badonnel, & Chrisment, 2016) [3]

Figure 2.16: HELLO-Flood Attack.
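To see why a stream of multicast DIS messages is so costly, the following Python model (added here as an illustration; it is not code from the thesis) simulates a single node's DIO Trickle timer according to RFC 6206 and counts how many DIOs it sends in one hour with and without an attacker multicasting a DIS every 10 seconds. The interval parameters (Imin = 4.096 s, 8 doublings, k = 10) are assumed Contiki-style defaults, not values from the text, and the node is modelled in isolation, so it never hears a consistent DIO from a neighbour and its redundancy counter stays at zero.

```python
import random

# Trickle parameters, assumed here as Contiki-style defaults
# (DIOIntervalMin = 2^12 ms, 8 doublings, redundancy constant k = 10).
IMIN_S = 2 ** 12 / 1000.0      # 4.096 s
IMAX_S = IMIN_S * 2 ** 8       # 1048.576 s
K = 10


class TrickleTimer:
    """Single-node DIO Trickle timer following RFC 6206, steps 1-6."""

    def __init__(self, now, rng):
        self.rng = rng
        self.i = IMIN_S
        self._new_interval(now)

    def _new_interval(self, now):
        self.start = now
        self.c = 0                                   # consistent DIOs heard (stays 0 here)
        self.t = now + self.rng.uniform(self.i / 2, self.i)
        self.fired = False

    def next_events(self):
        """(time of the pending DIO transmission, time the interval ends)"""
        fire = self.t if not self.fired else float("inf")
        return fire, self.start + self.i

    def on_fire(self):
        self.fired = True
        return self.c < K                            # transmit only if c < k

    def on_interval_end(self, now):
        self.i = min(2 * self.i, IMAX_S)             # double up to Imax
        self._new_interval(now)

    def on_inconsistency(self, now):
        # RFC 6550 8.3: a multicast DIS resets the DIO Trickle timer.
        # RFC 6206 step 6: reset to Imin unless the interval is already Imin.
        if self.i > IMIN_S:
            self.i = IMIN_S
            self._new_interval(now)


def run_trickle(duration_s, dis_period_s=None, seed=1):
    """Return (dio_count, dis_count) for one node over duration_s seconds.

    dis_period_s=None models a quiet network; a number models an attacker
    multicasting a DIS every dis_period_s seconds (HELLO flood).
    """
    rng = random.Random(seed)
    timer = TrickleTimer(0.0, rng)
    dio_count = dis_count = 0
    next_dis = dis_period_s if dis_period_s else float("inf")
    while True:
        fire, interval_end = timer.next_events()
        now = min(fire, interval_end, next_dis)      # next event in time order
        if now >= duration_s:
            break
        if now == fire:
            if timer.on_fire():
                dio_count += 1
        elif now == interval_end:
            timer.on_interval_end(now)
        else:                                        # attacker's DIS arrives
            dis_count += 1
            timer.on_inconsistency(now)
            next_dis += dis_period_s
    return dio_count, dis_count


if __name__ == "__main__":
    print("quiet network :", run_trickle(3600))
    print("DIS every 10 s:", run_trickle(3600, dis_period_s=10))
```

Compare the two counts: the quiet node sends about ten DIOs in the hour because its interval doubles up to Imax, while the node under attack is pushed back to Imin every 10 s and sends one or two DIOs per reset, several hundred in total, before even counting the attacker's own DIS packets.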

Indirect Attacks

In indirect attacks the malicious node causes other nodes to generate the overload.

Increased Rank Attack

In an RPL network each node has a rank, which expresses its position in the graph relative to the root. As mentioned in the second section, rank strictly increases in the downward direction in order to keep the DODAG acyclic, so the rank of a node must always be greater than the rank of its parent. In this attack the malicious node advertises a rank higher than the one it should have, which forces the nodes in its sub-DODAG to re-evaluate their parents and generate additional control traffic. (Mayzaud, Badonnel, & Chrisment, 2016) [3]

DAG Inconsistency

The purpose of this attack is to force the targeted node to reset its DIO Trickle timer, which the attacker achieves by sending it data packets whose RPL option carries a forged Rank-Error ('R') flag, the signal RPL uses for loop detection. The targeted node then transmits DIOs far more often, creating local instability in the RPL network; this also drains the batteries of the nodes and reduces the availability of the links. (Mayzaud, Badonnel, & Chrisment, 2016) [3]

Version Number Modification

The DODAG Version Number is a sequential counter that only the root increments in order to create a new version of the DODAG. A DODAG Version is uniquely identified by the tuple (RPLInstanceID, DODAGID, DODAGVersionNumber). An increment triggers a rebuild of the whole DODAG, called a global repair; a node that still advertises the old value has not migrated to the new version and cannot be used as a parent. When a malicious node increases the version number and forwards it to its neighbours, the entire DODAG is needlessly rebuilt. Repeated unnecessary rebuilds greatly increase control-message overhead, consume node resources as shown in Figure 2.17, and congest the network. (Mayzaud, Badonnel, & Chrisment, 2016) [3]

Figure 2.17: Version Number Modification Attack.

Attacks on Topology

Attacks on the RPL protocol can also target the network topology.

Sub-Optimization Attacks

Sub-optimization attacks prevent the formation of an optimal DODAG.

Routing Table Falsification

The malicious node advertises routes to nodes that are not in its sub-DODAG, so traffic for those nodes is misdirected. This can cause longer network latency, packet drops or network congestion. (Mayzaud, Badonnel, & Chrisment, 2016) [3]

Sinkhole

Such an attack takes place in two steps. First, the malicious node attracts a large amount of traffic by advertising false routing information (for example, uplinks and downlinks of superior quality). Then, once it illegitimately receives the traffic, it modifies or drops it. (Mayzaud, Badonnel, & Chrisment, 2016) [3]

Wormhole

A wormhole is built by a pair of attacker nodes (nodes A and B) connected by a private link that the rest of the network cannot see; an example is shown in Figure 2.18. In this scenario every packet received by node 4 is tunnelled to node 5 through the wormhole and replayed there; since the roles are interchangeable, node 5 does the same for node 4. The attack is easier to carry out on wireless networks. It disrupts routing: when routing information is tunnelled to a distant part of the network, nodes that are actually far apart see each other as neighbours and build routes that are not optimal according to the objective function. (Mayzaud, Badonnel, & Chrisment, 2016) [3]

Figure 2.18: Wormhole Attack.

Worst Parent Attack

In this attack the malicious node deliberately selects the most costly candidate as its parent. The resulting link raises power consumption and makes the paths through the node suboptimal.

Routing Information Replay Attack

In this attack the malicious node records valid control messages from other nodes and replays them into the network later, so that nodes act on stale routing information. (Mayzaud, Badonnel, & Chrisment, 2016) [3]

Isolation Attacks

Isolation attacks aim to prevent a node or a group of nodes in the DODAG from communicating with the rest of the network.

Black Hole Attacks

In a black hole attack the malicious node, as shown in Figure 2.19, drops every packet it is supposed to forward. Combined with a sinkhole attack, which first attracts a large share of the traffic to the attacker, it becomes very damaging. It can be regarded as a denial-of-service (DoS) attack; if the attacker is strategically placed in the graph, it can isolate several nodes from the network. (Mayzaud, Badonnel, & Chrisment, 2016) [3]

Figure 2.19: Black Hole Attack.
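A black hole, and its partial variant in which the attacker drops only some of the packets (a gray hole), can be detected by a neighbour that overhears whether a packet it handed to the next hop is actually relayed within a timeout. The Python below is an added example, not code from the thesis: it assumes a constructed log in which a FWD_IN line records that a node received a packet it has to relay and a FWD_OUT line records that the relay was overheard; the one-second timeout and the drop-ratio thresholds are assumed values, and the node names and packet ids are made up.

```python
import re

FIELD_RE = re.compile(r"(\w+)=(\S+)")
FORWARD_TIMEOUT_S = 1.0      # assumed: how long the watcher waits to overhear the relay
GRAY_HOLE_RATIO = 0.3        # assumed classification thresholds on the drop ratio
BLACK_HOLE_RATIO = 0.9

# Constructed forwarding trace (not captured from a real network).
SAMPLE_FWD_LOG = """\
1.0 FWD_IN node=n1 pkt=1
1.1 FWD_OUT node=n1 pkt=1
2.0 FWD_IN node=n1 pkt=2
2.1 FWD_OUT node=n1 pkt=2
3.0 FWD_IN node=n1 pkt=3
3.1 FWD_OUT node=n1 pkt=3
1.0 FWD_IN node=n2 pkt=4
2.0 FWD_IN node=n2 pkt=5
3.0 FWD_IN node=n2 pkt=6
1.0 FWD_IN node=n3 pkt=7
1.1 FWD_OUT node=n3 pkt=7
2.0 FWD_IN node=n3 pkt=8
2.1 FWD_OUT node=n3 pkt=8
3.0 FWD_IN node=n3 pkt=9
3.2 FWD_OUT node=n3 pkt=9
4.0 FWD_IN node=n3 pkt=10
4.1 FWD_OUT node=n3 pkt=10
5.0 FWD_IN node=n3 pkt=11
6.0 FWD_IN node=n3 pkt=12
8.5 FWD_OUT node=n3 pkt=12
""".splitlines()


def parse_event(line):
    """'1.0 FWD_IN node=n1 pkt=1' -> (1.0, 'FWD_IN', {'node': 'n1', 'pkt': '1'})"""
    t, kind, rest = line.split(maxsplit=2)
    return float(t), kind, dict(FIELD_RE.findall(rest))


def classify_forwarders(lines, timeout_s=FORWARD_TIMEOUT_S):
    """Return {node: (verdict, drop_ratio)} from a FWD_IN/FWD_OUT trace."""
    pending = {}     # (node, pkt) -> time the node received the packet
    received = {}    # node -> packets it had to relay
    relayed = {}     # node -> packets overheard being relayed within the timeout
    events = sorted((parse_event(line) for line in lines), key=lambda e: e[0])
    for t, kind, f in events:
        node, key = f["node"], (f["node"], f["pkt"])
        if kind == "FWD_IN":
            pending[key] = t
            received[node] = received.get(node, 0) + 1
        elif kind == "FWD_OUT" and key in pending:
            # A relay seen after the timeout counts as dropped.
            if t - pending.pop(key) <= timeout_s:
                relayed[node] = relayed.get(node, 0) + 1
    verdict = {}
    for node, n in received.items():
        drop = 1 - relayed.get(node, 0) / n
        if drop >= BLACK_HOLE_RATIO:
            label = "black hole"
        elif drop >= GRAY_HOLE_RATIO:
            label = "gray hole"
        else:
            label = "ok"
        verdict[node] = (label, round(drop, 2))
    return verdict


if __name__ == "__main__":
    for node, (label, drop) in sorted(classify_forwarders(SAMPLE_FWD_LOG).items()):
        print(f"{node}: {label} (drop ratio {drop})")
```

The same per-node statistic serves as a feature for the machine-learning detectors discussed later in the thesis; the thresholds here simply turn it into a verdict.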

DAO Inconsistency Attacks

While the DODAG is operating, a node may hold a downward route learned earlier from a DAO message that is no longer valid in the child's routing table. RPL handles this with the DAO inconsistency loop recovery mechanism: a node that cannot forward a packet along a downward route sets the Forwarding-Error ('F') flag in the packet's RPL option and returns it to its parent, which removes the route. The attack abuses this mechanism: a malicious node sets the 'F' flag on packets it could in fact deliver, so its parent discards legitimate downward routes and the nodes behind the attacker become unreachable. (Mayzaud, Badonnel, & Chrisment, 2016) [3]

Traffic Attacks

Traffic attacks target the traffic carried by the RPL network.

Eavesdropping Attacks

The pervasive nature of RPL networks makes it easy to deploy malicious nodes that perform eavesdropping activities such as sniffing and analysing network traffic. (Mayzaud, Badonnel, & Chrisment, 2016) [3]

Sniffing Attacks

A sniffing attack consists of listening to the packets transmitted over the network. It is very common on both wired and wireless networks and compromises the confidentiality of communication; because the attack is passive, it is hard to detect. The only effective countermeasure against sniffing is encryption of the traffic. (Mayzaud, Badonnel, & Chrisment, 2016) [3]

Traffic Analysis

Traffic analysis aims to recover routing information from the characteristics and patterns of the traffic on a link. It works even when the packets are encrypted. Like sniffing, its goal is to gather information about the RPL network, for example a partial view of the topology obtained by identifying parent/child relationships. With the information collected, a malicious node can then mount further attacks. The outcome depends on the attacker's position: a node close to the root sees a large share of the traffic and therefore learns far more than one located at the edge of a sub-DODAG. (Mayzaud, Badonnel, & Chrisment, 2016) [3]

Misappropriation Attacks

Misappropriation attacks usurp the identity of a legitimate node or claim a better performance than the node actually has. On their own they are not very harmful to the RPL network. However, they are often used as the first step of other attacks, such as those in the previous two main categories: they let the attacker understand the network and its topology better, obtain a better position, or intercept a large share of the traffic. (Mayzaud, Badonnel, & Chrisment, 2016) [3]

Decreased Rank Attack

When a malicious node advertises an abnormally low rank, it claims a position closer to the root than it actually has. As a result, many legitimate nodes select the attacker as their parent and connect to the DODAG through it. (Mayzaud, Badonnel, & Chrisment, 2016) [3]

By itself this attack does not damage the network, but combined with other attacks it is very effective, because it funnels part of the traffic through the malicious node (for example, for eavesdropping).
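The rank and version rules described in this chapter, rank must exceed the parent's rank by at least MinHopRankIncrease (violated by a decreased rank attack), rank may not grow beyond the lowest rank advertised in the current version plus DAGMaxRankIncrease (violated by an increased rank attack), and only the root may raise the DODAG Version Number (violated by version number modification), are exactly the kind of invariants a specification-based monitor such as the one proposed by Le et al. [1] checks. The Python below is an added example, not code from the thesis or from that paper: it assumes a monitor that learns each node's preferred parent from DAO messages and sees DIO advertisements, summarised in a constructed `time KIND key=value` log. MinHopRankIncrease = 256 is the RFC 6550 default; DAGMaxRankIncrease = 1024 is an assumed configuration; the node names and the trace are made up.

```python
import re

MIN_HOP_RANK_INCREASE = 256     # RFC 6550 default
DAG_MAX_RANK_INCREASE = 1024    # assumed configuration (0 disables the rule in RPL)
ROOT = "root"                   # assumed identifier of the DODAG root in the log
FIELD_RE = re.compile(r"(\w+)=(\S+)")

# Constructed DIO/DAO trace (not captured from a real network). n3 later
# advertises a rank below its parent's, n2 jumps far above its lowest rank,
# and n3 finally announces a version number the root never issued.
SAMPLE_LOG = """\
10.0 DIO src=root rank=256 ver=1
10.5 DAO src=n1 parent=root
11.0 DIO src=n1 rank=512 ver=1
11.5 DAO src=n2 parent=n1
12.0 DIO src=n2 rank=768 ver=1
12.5 DAO src=n3 parent=n1
13.0 DIO src=n3 rank=768 ver=1
20.0 DIO src=n3 rank=300 ver=1
30.0 DIO src=n2 rank=2000 ver=1
40.0 DIO src=n3 rank=768 ver=2
""".splitlines()


def parse_line(line):
    """'11.0 DIO src=n1 rank=512 ver=1' -> (11.0, 'DIO', {'src': 'n1', ...})"""
    t, kind, rest = line.split(maxsplit=2)
    return float(t), kind, dict(FIELD_RE.findall(rest))


def check_rpl_log(lines):
    """Return a list of (time, node, rule, detail) alerts for the trace."""
    parent = {}          # node -> preferred parent, learned from DAO messages
    rank = {}            # node -> last advertised rank
    lowest = {}          # (node, version) -> lowest rank advertised in that version
    root_version = None  # highest version number advertised by the root so far
    alerts = []
    for t, kind, f in map(parse_line, lines):
        src = f["src"]
        if kind == "DAO":
            parent[src] = f["parent"]
            continue
        if kind != "DIO":
            continue
        r, ver = int(f["rank"]), int(f["ver"])
        if src == ROOT:
            root_version = ver if root_version is None else max(root_version, ver)
        else:
            # Rule 3: only the root increments the DODAG Version Number.
            if root_version is not None and ver > root_version:
                alerts.append((t, src, "version-number",
                               f"advertised version {ver}, root is at {root_version}"))
            # Rule 1: rank must exceed the parent's rank by MinHopRankIncrease.
            p = parent.get(src)
            if p in rank and r < rank[p] + MIN_HOP_RANK_INCREASE:
                alerts.append((t, src, "decreased-rank",
                               f"rank {r} below parent {p} rank {rank[p]} + {MIN_HOP_RANK_INCREASE}"))
            # Rule 2: within one version the rank may not exceed the lowest
            # rank advertised in that version plus DAGMaxRankIncrease.
            low = lowest.get((src, ver), r)
            if DAG_MAX_RANK_INCREASE and r > low + DAG_MAX_RANK_INCREASE:
                alerts.append((t, src, "increased-rank",
                               f"rank {r} exceeds lowest {low} + {DAG_MAX_RANK_INCREASE}"))
            lowest[(src, ver)] = min(low, r)
        rank[src] = r
    return alerts


if __name__ == "__main__":
    for alert in check_rpl_log(SAMPLE_LOG):
        print(*alert)
```

The monitor compares raw rank values; a stricter implementation would compare DAGRank (rank divided by MinHopRankIncrease) as RFC 6550 does, and would also confirm that a node's new parent, learned from a later DAO, really exists before re-evaluating its rank.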

Identity Attack

An attacker can sniff network traffic to identify the root of the DODAG. Once the root is identified, the attacker can spoof its address and take control of the DODAG. (Mayzaud, Badonnel, & Chrisment, 2016) [3]

References

1. Le, A., Loo, J., Luo, Y., & Lasebae, A. (2011). Specification-based IDS for securing RPL from topology attacks. 2011 IFIP Wireless Days (WD), 1-3. doi:10.1109/WD.2011.6098218

2. Winter, T., Thubert, P., Brandt, A., Hui, J., Kelsey, R., Levis, P., . . . Alexander, R. (March 2012). RPL: IPv6 Routing Protocol for Low-Power and Lossy Networks (RFC 6550). Internet Engineering Task Force. Retrieved from https://www.hjp.at/doc/rfc/rfc6550.html

3. Mayzaud, A., Badonnel, R., & Chrisment, I. (2016). A Taxonomy of Attacks in RPL-based Internet of Things. International Journal of Network Security, 459-473. https://hal.inria.fr/hal-01207859/document

Blog summary

Detailed information about the RPL protocol was given in the protocol layers section of the thesis; this section discusses the attacks that target RPL. Because of its design, RPL has many parameters: DIS messages, DAO messages, the version number, the tree structure and so on. Any manipulation of these protocol parameters amounts to an attack, since it prevents the network from functioning properly. This section presents the attacks mounted against the RPL protocol.

About the Author

Murat Ugur KIRAZ