Conclusion

In this blog post, the Flooding Attack, Decreased Rank Attack and Version Number Increase Attack in the RPL protocol were trained and detected by “Decision Tree”, “Logistic Regression”, “Random Forest”, “Naive Bayes”, “K Nearest Neighbor” and “Artificial Neural Networks” algorithms.

The test results for the attacks were compared, as a result of the comparison, the Artificial Neural Networks algorithm with an accuracy rate of 97.2% in the detection of Flooding Attacks, the K Nearest Neighbor algorithm with an accuracy rate of 81% in the detection of Version Number Increase Attacks, and the Artificial Neural Networks with an accuracy rate of 58% in the detection of Decreased Rank attacks algorithm has been found to show success.

Interpretation of Machine Learning Values

I continue to share how I did my master’s thesis titled Comparison of Machine Learning Algorithms for the Detection of Vulnerability of RPL-Based IoT Devices, my experiences in this process, and the codes in this thesis in a series of articles on my blog.

So far, I have provided detailed information about the RPL protocol and the attacks that take place in the RPL protocol. Then, I experimented with Flooding Attacks, Version Number Increased Attack, and Decreased Rank Attack, extracting the raw data and making sense of that raw data. I compared the results of experiments with weak knots with statistical methods.

In this section, I will interpret the numerical results of the attacks we detect with machine learning algorithms.

Statistical Analysis

I explained my master’s thesis titled ” Comparison of Machine Learning Algorithms for the Detection of RPL-Based IoT Devices Vulnerability” by using this blog page. So far, I have provided detailed information about the RPL protocol and the attacks that take place in the RPL protocol. Then, I experimented with Flooding Attack, Version Number Increase Attack, and Decreased Rank Attack, extracting the raw data, and making meaning of that raw data. In this section, I will compare the results of experiments with weak motes with statistical methods. Statistical methods will tell us if machine learning methods are working properly.

Experiments and Experiment Results

I continue to share how I did my master’s thesis titled Comparison of Machine Learning Algorithms for the Detection of Vulnerability of RPL-Based IoT Devices, my experiences in this process, and the codes in this thesis in a series of articles on my blog.

In this article, we will train the processed data and detect the attack with machine learning algorithms in the RPL protocol.

Machine Learning Algorithms Used in Attack Detection

While making the raw data meaningful, the data set obtained from the simulation with the malicious node was labeled with 1 and the simulation with normal nodes was labeled with 0, and these two data sets were combined. This new data set will be compared with the “classification” algorithms. The definitions of machine learning algorithms to be compared are explained in this page.

Making Raw Data Meaningful

The information obtained from the raw data set will not be enough to apply machine learning. The raw data obtained from simulations containing weak nodes is completely different from the raw data obtained from simulations containing normal motes. It has been observed that this difference is the number of packets, message types, total packet lengths and rates. To detect this anomaly, the raw data is divided into 1-second frames. Within frames of each second, the following values were calculated, and a new data set was created.

Simulation and Raw Data

In the previous article, I explained how to obtain nodes created for Flooding Attacks, Decreased Rank Attacks, and Version Number Increase Attacks from the RPL Attacks Framework that D’Hondt and others have done.

In this article, I will simulate these nodes using Cooja and obtain network data.
For machine learning, we will need two classified data sets. One of them is the data generated from the simulation with completely normal IoT nodes that do not contain vulnerable nodes. The other is the data generated from simulation with normal IoT nodes containing vulnerable nodes. Thus, we will classify these two data sets and detect the anomaly with classification algorithms.

Obtaining Nodes

In my previous article, Contiki ve Cooja, I described how to set up Cooja to simulate IoT devices on a virtual computer with the Ubuntu 18.04 operating system. With this virtual computer, we will simulate the data transfer of benign and malicious IoT devices and get network information. Of course, we need ” benign ” and ” malicious ” nodes to do this simulation. I explained how to install the framework that D’Hondt et al. (2015) did under the heading D’Hondt’s RPL Framework to obtain these vulnerable nor normal nodes.
In this article, I will explain how we obtain the weak nodes and normal nodes where “Hello Flood”, “Decreased Rank” and “Version Number Increase” attacks will be made from the work done by D’Hondt and others (2015).

D’Hondt’s RPL Framework

In an academic report by D’Hondt et al. (2015), they were able to simulate Flooding Attacks, Version Number Increase Attacks, and Decreased Rank Attacks on the RPL protocol using the Cooja IoT simulator. Here you can find information about how to set up D’Hondt’s RPL Attack Framework.