Comparison of Machine Learning Algorithms to Detect RPL-Based IoT Devices Vulnerability

Conclusion

In this thesis study, to detect the Flooding, Version Number Increase and Decreased Rank attacks that can take place in the RPL protocol, IoT devices were simulated in the Cooja simulator, once with completely normal nodes and once with normal nodes containing a vulnerable node. The simulations produced a raw data set, which was made meaningful and labeled as vulnerable or normal. The resulting data set was split into 1/3 test data and 2/3 training data, and the training data set was trained and tested with the “Decision Tree”, “Logistic Regression”, “Random Forest”, “Naive Bayes”, “K Nearest Neighbor” and “Artificial Neural Networks” algorithms. When the test results for the attacks were compared, the most successful algorithms were Artificial Neural Networks, with an accuracy rate of 97.2% in the detection of Flooding Attacks; K Nearest Neighbor, with an accuracy rate of 81% in the detection of Version Number Increase Attacks; and Artificial Neural Networks, with an accuracy rate of 58% in the detection of Decreased Rank attacks.

This thesis study produced a fast, reliable, simple model that can detect Flooding and Version Number Increase attacks, and determined the machine learning algorithm that gives the best result with this model. In the experiments, the data was made meaningful by directly analyzing the network packets.
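The pipeline described above (summarize packets into rows, label them, split 2/3 training and 1/3 test, train, measure accuracy), as an added example that is not the thesis code. The traffic generator, the one-second window, the three features and the DIS-based flooding pattern are assumptions made for illustration, the capture is constructed rather than taken from Cooja, and only K Nearest Neighbor of the six algorithms is shown.

```python
import random
from collections import Counter

WINDOW = 1.0  # seconds of traffic per summary row (assumed value)

def make_packets(seed, with_vulnerable_node, duration=60):
    """Constructed capture: (time, source node, RPL control message type)."""
    rng = random.Random(seed)
    packets = []
    for node in range(1, 6):  # five normal nodes, sparse DIO/DAO traffic
        t = rng.random()
        while t < duration:
            packets.append((t, node, rng.choice(["DIO", "DAO"])))
            t += rng.uniform(2.0, 4.0)
    if with_vulnerable_node:  # assumed flooding pattern: one node repeats DIS
        t = 0.0
        while t < duration:
            packets.append((t, 6, "DIS"))
            t += rng.uniform(0.05, 0.2)
    return sorted(packets)

def summarize(packets, label):
    """One labeled row per window: [packets, DIS packets, distinct sources]."""
    windows = {}
    for t, src, kind in packets:
        w = windows.setdefault(int(t // WINDOW), {"n": 0, "dis": 0, "src": set()})
        w["n"] += 1
        w["dis"] += int(kind == "DIS")
        w["src"].add(src)
    return [([w["n"], w["dis"], len(w["src"])], label) for w in windows.values()]

def knn_predict(train, x, k=3):
    """Majority label among the k training rows closest to x (Euclidean)."""
    dist = lambda row: sum((a - b) ** 2 for a, b in zip(row[0], x))
    nearest = sorted(train, key=dist)[:k]
    return Counter(label for _, label in nearest).most_common(1)[0][0]

def evaluate(seed=7):
    """Split 2/3 training, 1/3 test; return (accuracy, n_train, n_test)."""
    rows = summarize(make_packets(seed, False), "normal")
    rows += summarize(make_packets(seed + 1, True), "vulnerable")
    random.Random(seed).shuffle(rows)
    cut = len(rows) * 2 // 3
    train, test = rows[:cut], rows[cut:]
    hits = sum(knn_predict(train, x) == y for x, y in test)
    return hits / len(test), len(train), len(test)

if __name__ == "__main__":
    print(evaluate())
```

The constructed flooding traffic is far easier to separate than real simulator output, so the accuracy printed here says nothing about the figures reported in the thesis.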

Yavuz (2018) [1], after “enriching” the raw data with the method he presents, detected Decreased Rank Attacks with an accuracy rate of 94.7%, Overflow Attacks with 99%, and Version Number Increase Attacks with 95%, using only the deep learning algorithm. However, he carried out the experiments in the Cooja simulator with 100 to 1000 motes. Running the simulator with more than 250 nodes both overloads the processor and consumes memory resources. For these reasons, it is considered that the accuracy of the simulator’s data should be reconsidered, and the results of that study should be re-evaluated with fewer nodes.

Müller, Debus, Kowatsch, & Böttinger (2019) [2] detected the Decreased Rank Attack in RPL with an accuracy rate of 68%, the Flooding Attack with 90%, and the Version Number Increase Attack with 96%. With the technique presented in this thesis study, the Decreased Rank attack was detected in the same proportion, while Flooding attacks were detected with better performance. The solution offered by Müller et al. was more successful in detecting Version Number Increase attacks.

Verma & Ranga (2019) [3] detected Sinkhole, Black Hole, Sybil, Clone ID, Selective Forwarding, Hello Flooding and Local Repair attacks with a 94.5% accuracy rate using the method called ELNIDS. However, while they mention that the data set used in their study contains 20 features, they do not say what these 20 features are. In this thesis study, only a data set consisting of network packet data was used.

Neerugatti & Reddy (2019) [4] detected rank attacks with the MLTKNN algorithm, a KNN-based machine learning algorithm, across different numbers of nodes (5-30) with an accuracy rate of 90% or more. However, it is not known whether the rank attack mentioned in the related article is an increased rank attack or a decreased rank attack.

Belavagi (2020) and Çakır (2020) [5] used other parameters besides network packets in their studies, such as power consumption and processor density. In practice, receiving and processing these values imposes a separate cost on the network. With the data interpretation and appropriate machine learning methods presented in this thesis study, however, a fast and effective solution was found at lower cost. In addition, attack detection was not tied to a single machine learning algorithm; the most appropriate method was determined by comparing fast and reliable algorithms.

To detect Flooding, Version Number Increase and Decreased Rank attacks, the packets formed in the network can be summarized directly with the data interpretation method presented in this thesis study and then used to train the Random Forest algorithm. The Random Forest algorithm can detect all three attacks with high accuracy.

The detection rate for Decreased Rank attacks with the presented method is quite low compared to the other attacks. Seth, Biswas, & Dhar (2020) [6] developed a model for detecting Decreased Rank Attacks using Round-Trip Times. However, that study was not done with a summary of layer 3 network packets. When Table 3.5 is re-examined, the network packets generated in the Decreased Rank attack are summarized with many more rows than those of the other attacks after the data interpretation process. This is a sign that something abnormal is happening, but the machine learning algorithms have not been able to detect this attack with high accuracy with the current model. In the future, it is considered that a model can be developed that detects the Decreased Rank attack by processing layer 3 network packets.

References

1. Yavuz, F. Y. (2018). Deep Learning in Cyber Security for the Internet of Things.

2. Müller, N., Debus, P., Kowatsch, D., & Böttinger, K. (2019). Distributed Anomaly Detection of Single Mote Attacks in RPL Networks. Proceedings of the 16th International Joint Conference on e-Business and Telecommunications (ICETE 2019). doi:10.5220/0007836003780385

3. Verma, A., & Ranga, V. (2019). ELNIDS: Ensemble Learning-based Network Intrusion Detection System for RPL-based Internet of Things. 2019 4th International Conference on Internet of Things: Smart Innovation and Usages (IoT-SIU). doi:10.1109/IoT-SIU.2019.8777504

4. Neerugatti, V., & Reddy, A. M. (2019). Machine Learning Based Technique for Detection of Rank Attack in RPL based Internet of Things Networks. International Journal of Innovative Technology and Exploring Engineering.

5. Belavagi, M. C., & Muniyal, B. (2020). Multiple intrusion detection in RPL based networks. International Journal of Electrical and Computer Engineering (IJECE). doi:10.11591/ijece.v10i1.pp467-476

6. Seth, A. D., Biswas, S., & Dhar, A. K. (2020). Detection and Verification of Decreased Rank Attack using Round-Trip Times in RPL-Based 6LoWPAN Networks. 2020 IEEE International Conference on Advanced Networks and Telecommunications Systems (ANTS), 1-6. doi:10.1109/ANTS50601.2020.9342754

About the Author

Murat Ugur KIRAZ