Secure Routing Protocol for Low Power and Lossy Networks Against Rank Attack: A Systematic Review

—The Internet of Things (IoT) is witnessing massive widespread along in almost all aspects of life. IoT is defined as a network of interconnected devices applied in various environments including smart cities, transportation, health, industries, military, and agriculture. Its main purpose is to simplify the exchange and collect data from and to deployment environments. Due to their small size and cost-effectiveness, Wireless Sensor Networks (WSN) form one of the core technologies deployed in IoT. Yet, things interconnected with each other and exchanging data are prone to different kinds of security attacks. As a result, it is possible to compromise data while transmitted from source to destination through nodes. Routing Protocol for Low Power and Lossy Networks (RPL) offers only slight protection against routing attacks, but having a network with limited energy sources, processors, and memory, besides being deployed in unattended nature and hostile environment requires more scalable security measures. This paper focuses on investigating the problem of security provisioning in RPL. As such, a Systematic Literature Review (SLR) of security mechanisms proposed for RPL will be discussed. An extensive search was conducted on various online databases, then findings were filtered by reviewing abstracts, introduction, and conclusion. Finally, a summary of recent research work is presented. This work is important to highlight various aspects of securing RPL and get an initial insight for studying them.


I. INTRODUCTION
Internet of Things (IoT) emergence was led by the assistance of existing wireless communications along with Radio-Frequency Identification (RFID), Wireless Sensor Network (WSN) technologies besides new emerging technologies such as Information-Centric Network (ICN) and Named Data Networks (NDN) [1]. So, data is easily transmitted between various devices and associative things regardless of time and place through network standards and protocols. Every device and thing in IoT is assigned a unique Internet Protocol (IP) address, by which they can sense and collect data from the deployment environment for both processing and decision making. IoT is contributing significantly to various domains like smart cities, building, healthcare, and agriculture and has a vital impact on improving people's daily life [2].
IoT architecture is presented in the literature as mentioned by [3]- [5] consisting of three main layers, namely, perception, network, and application layers. As a hot research topic, many researchers found the three layers architecture very basic and is suitable for defining the main terminology of IoT and cannot be used for research that digs into further components of IoT. This is when the five layers architecture was introduced as [3] explained, it included processing and business as additional layers. Fig. 1 shows both three-and five-layers architecture.
The network layer is responsible for communication and information exchange employing techniques, standards, and protocols to simplify the task such as Internet Protocol Version 4 (IPv4), Internet Protocol Version 6 (IPv6), Constrained Application Protocol (CoAP), Wireless Personal Area Network (WPAN), IPv6 over Low Power Wireless Personal Area Network (6LoWPAN), User Datagram Protocol (UDP) and Transmission Control Protocol (TCP). Securing data transmitted between the perception layer and the application layer is facilitated by the network layer as well [6].
The Routing Protocol for Low-Power and Lossy Networks (RPL) was developed by the Internet Engineering Task Force (IETF) to fit into Wireless Sensor Networks (WSNs) and the Internet of Things (IoT) domains. As a simple networking protocol, RPL was designed as an interoperable protocol that handles resource-constrained devices connected via multi-hop networks. It enables efficient use of smart devices' energy along with the establishment of flexible topology and routing of data [7].
Nevertheless, the RPL protocol since its inception suffers from a lack of security measures at the network layer as stated by [8]. RPL and its improved versions suffer from a severe performance gap towards network attacks especially ranking attacks [9]. Securing IoT routing should be studied considering WSN features as they are inherited into the IoT environment [10]. Moreover, other metrics in RPL should be taken into consideration such as power consumption as a major challenge facing IoT and controls network lifetime [11].
Cryptography, Intrusion Detection Systems (IDS), Intrusion Prevention Systems (IPS), authentication, trust-based mitigation techniques, and much more, have all been introduced to solve security vulnerabilities in LLNs [12]. In the application, transport, network, and physical levels, IoT devices and traditional PCs share some similar protocols. The biggest impediment to LLN devices implementing existing security methods at IoT interfaces is their limited computational and energy resources [13]. LLN devices produce massive amounts of data, but they lack the resources to store and process it.
Since in IoT, RPL plays a vital and broad role in service providing, it's a clear target for attackers and a crucial candidate for defense as well. To overcome security issues and challenges in RPL routing, further research is required as per [14], and how intrusions on RPL can be detected is one facet of defense that must now be examined. As a result, this forms a starting point to investigate, propose, and implement mitigation mechanisms for network layer attacks [15].
The main goal of this study is to show the impact that rank attacks (RA) can have on RPL networks. Also, to study and compare the available research that support RPL security and counter the effect of these attacks in terms of the security techniques utilized and their performance. To point up the flaws in the available solutions suggested by existing studies. To suggest some potential methods to address the existing flaws and increase RPL security in IoT networks by limiting the effects of RA. Also, discuss some open challenges in this study area that require more attention.
This paper presents an SLR of security mechanisms proposed for RPL RA specifically being one of the most destructive attacks targeting RPL topology. Starting with RPL in-depth explanation. Followed by a discussion on RPL attacks along with a suitable taxonomy. A focus on rank attacks is presented afterward. Finally, a summary of the selected studies is presented. The remainder of this paper is organized as follows: Section 2 defines and explains preliminaries. Then, Section 3 identifies and explains the following SLR methodology. Section 4 discusses the results found thoroughly. Finally, Section 5 summarizes selected research papers and therefore compares the approaches used by the researchers.

A. Routing Protocol for Low-Power and Lossy Networks (RPL)
Since Low-Power and Lossy Networks (LLN) consist of highly constrained devices in terms of memory, processing capabilities, and energy resources, RPL was designed as an IPV6 distance vector protocol to support communication among LLN devices such IoT. It was mentioned by [16] and [17] that such networks suffer from low data and packet delivery rates along with lossy connection which RPL was designed to be flexible enough for network conditions' adaptation and provide suitable alternative routes when default ones are not available for any reason at any time.
RPL can be defined as a proactive routing protocol that relies on the distance between nodes and sink node to form a topology. The following explanation of the RPL hierarchy is based on [18]- [21]: 1) Hierarchy: Using the distance vector procedure RPL exploits Directed Acyclic Graphs (DAG) mechanism to construct a structure tree or DODAG (Destination Oriented Directed acyclic graph) that controls available nodes' connections with each other. This will enable multi-hop communication via the closest nodes.
RPL methods for establishing connections include point-topoint (P2P), point-to-multipoint (P2MP), and multipoint-tomultipoint (MP2P) communications. While types of nodes for constructing topology are, the source that are responsible nodes for gathering information, leaf nodes that do not perform any task and sink nodes which are the most significant with capabilities of energy and processing to compile whole network information. Hence, two major terms are required here, Control Messages (CM) by which connections are initiated and maintained along with topology formation, and Objective Functions (OF) for routing decision making through the network.
Four types of CM are used to exchange information between nodes in RPL:  DODAG Information Solicitation (DIS): it is used to request passing the DIO to network neighbors.
 DODAG Information Object (DIO): Stores pertinent information needed to build upward DODAGs route such as RPLInstanceID, configuration parameters, candidate parent information, DODAG maintenance, and more.
 Destination Advertisement Object (DAO): sends information to register every node visited on the downward route.
 Destination Advertisement Object Acknowledgement (DAO-ACK): confirms safe receipt of sent DAO message to the sender node.
2) Objective function (OF): OF was described as the basic element that is handling several vital definitions;(1) computing link cost, (2) parent node selection (when, who, and how many candidates), and (3) computing rank cost, fourth: advertising path cost. There are two defaults OF with RPL, MRHOF (Minimum Rank with Hysteresis Objective Function) and OF0 (Objective Function Zero), and the following are their definitions as per [22]- [24]:  OF0: This OF adds a specifically predefined value to the previous rank. It takes hop count as a routing metric and selects the best parent node from available candidates based on that. While building the DODAG, nodes should consider hop count to get the shortest path for reaching the grounded root. The rank increases www.ijacsa.thesai.org while going down from root to candidate nodes. However, reliance on node metrics will cause poor link quality. Also, selecting the shortest path in terms of minimum hop count may lead to more retransmissions along with increased packet loss if the path was unreliable. Additionally, this same shortest path may cause more node failure which will definitely decrease network lifetime.
 MRHOF: This OF was designed to overcome the shortcoming of OF0 which depends on a single node metric to compute rank and choose the best parent node. It relies on the expected transmission count (ETX) as a dynamic link metric to stabilize the rank. Still, it chooses the lowest-cost path and avoids network churn overflow using two mechanisms. First, choose a lowrank path, and second hysteresis mechanism ensures changing rank to a lower one only if there exists a rank that is less than the current one. Literature has two main implementations of MRHOF, one that relies on ETX and the other relies on energy.
3) Routing metrics: Routing metrics are essential to evaluate path cost and then choose the lowest cost path. There are too many implementations in literature for OF, some take a single metric to calculate rank, while others consider more than one metric. As a matter of fact, metrics can be categorized based on their characteristics into node and link, dynamic and static, quality and quantity routing nodes [25]. Both routing metrics and constraints are used to form a criterion to choose the optimal path. Yet, the main difference between them is that constraint is used to restrict options such as avoiding unreliable links, while metrics define a certain level of reliability to include links that give the optimal path. As a result, both metrics and constraints are used and deployed as per RPL implementation requirements [26]. Moreover, dynamicity is a vital characteristic of metrics, since RPL operating environment is rapidly changing which results in instability of both node and link metrics [27].
The following list summarizes metrics of both link and nodes (refer to Fig. 2):  Link metrics: a) RSSI and LQI: main radio link estimators are the Received Signal Strength Indicator (RSSI) and the Link Quality Indicator (LQI). The former indicates the level of power received by an antenna that is a high level of RSSI means a stronger radio signal which indicates a closer destination. While the latter measures the quality of the link using a range of values between 0 to 7. b) ETX: Expected Transmission Count indicates the reliability of the network and gives the required number of transmissions for receiving acknowledgment from the destination.
 Node metrics: a) Energy: represents the energy consumed by nodes through network operations. b) Hop count: it is a measure of path link that is used extensively in wireless networks and the main drawback is to get the shortest path with the lowest hop count regardless of link quality. c) End-to-end delay: a vital metric for building route in RPL and it indicates the needed time to deliver packets to the sink from sender nodes.

B. RPL Attacks Classification
RPL is vulnerable to various kinds of attacks and does not have a solid security measure that can prevent such attacks [28]. There are several taxonomies proposed for attacks targeting RPL in different studies, such as Almusaylim et al. [17] in which three main types of attacks were explained namely; against resources that consume nodes resources, topology in which try to cause damage in the construction process and traffic which aim at capturing as much traffic as possible. Also, Avila et al. [10] categorized attacks into passive and active attacks, where passive attacks aim to gather information after accessing the system and comprise confidentiality, and active ones sabotage the system by data alteration, disabling nodes, or giving access to unauthorized users. An interesting categorization was presented by Raoof et al. [29], in which attacks were classified based on their origin into RPL Specific and WSN inherited as Fig. 3 shows.    Kitchenham [30]. This consists of a set of well-defined stages conducted in line with a predefined protocol. SLR consists of three phases: planning, conducting, and reporting the reviews according to Shaffril et al. [31]. These phases consist of the following processes: (1) identifying RQs; (2) developing a review protocol; (3) determining both exclusion and inclusion criteria; (4) selecting search strategy and study process; (5) quality assessment (QA); and (6) extracting and synthesizing data.

A. Identifying Research Questions (RQs)Text
To achieve the main objectives of this study, primary studies should be assessed and reviewed thoroughly. As a result, the following research questions are proposed based on Population, Intervention, Comparison, Outcomes, and Context (PICOC) as per [30]:  RQ1: What is the impact of the rank attack and to which extent do they damage the network?
 RQ2: What are the proposed approaches that monitor the network to handle attacks targeting RPL?
 RQ3: What are the technical performance metrics of the research in this field?
 RQ4: What are the advantages and disadvantages of each proposed approach?

B. Developing a Review Protocol
A vital step that makes SLR different from traditional methods of reviewing the literature. Because it decreases study bias as discussed by Shaffril et al. [32]. The review protocol categorizes review background, search strategy, development of RQs, extraction of data, criteria for study selection, and data synthesis.

C. Search Strategy
The search strategy started with choosing E-digital libraries and online databases as the following list shows, taking into consideration selecting only high-impact-factor publications: Afterward, the search string is required to conduct an indepth search through selected E-digital libraries. The following steps were applied to define the used search string as per [30]:  Define major keywords depending on identified research questions.
 Consider linguistic synonyms, alternatives, and interchangeable terms for each keyword.
 Use conjunction operators (AND, OR) when needed to produce the full search string.
As a result, keywords included for the search were -IoT‖ OR -Internet of Things‖ AND -RPL‖ OR -Routing Protocol for Low-Power and Lossy Networks‖ AND -rank attack detection‖ OR -mitigation‖. All available papers relating to specified keywords 2022 were collected from digital libraries.
Afterward, a manual search was applied to the results of the automatic search by filtering each paper's title, abstract and content. This is to ensure that the selected paper supports answering the defined QAs and Fig. 4 illustrates the overall search phases.

D. Inclusion and Exclusion Criteria
Search results are filtered in terms of the following inclusion and exclusion criteria: Afterward, a manual filtration process was conducted by reviewing the title, abstract, and conclusion to get papers that meet the set criteria of found papers. This eliminated the number of found papers from 1061 to 9 only, given that only papers published between 2017 to 2022 and studied RA in RPL only.

E. Applying Quality Assessment (QA)
The related studies' quality was assessed using QA as recommended by Kitchenham [30]. All found studies were assessed concerning every single research question. QA criteria used for the assessment process were as follows:  QA1: Is the topic addressed in the paper related to securing RPL?
 QA2: Is there any mechanism proposed to detect rank attack detection in RPL?
 QA3: Is there a sufficient explanation of the background in which the study was performed?
 QA4: Is there a clear declaration concerning methods used to validate the applied mechanism?
The reliability of articles and studies found was tested through the four QA criteria and has three categories low, medium, and high as by Shaffril et al. [31] and [32]. Each QA had a score of 2 points and each paper that meets the defined QA earns a score of 2, 1 is earned when the paper partially meets the QA criteria and 0 when it does not satisfy the QA criteria at all. Papers scored more than 5 are discussed in the next section and are categorized based on the technique used and Table II

F. Data Extraction and Synthesis
For accurate data extraction and synthesis, a form was developed to conduct this step. Details of each study related to the reference, year of publication, methodology, and comments were extracted. A tabular form was used to register this information about each study. Table I illustrates the details registered for each paper.

IV. RESULTS
This section discusses rank attacks against RPL and analyzes the application of detection and mitigation techniques towards it. The methods analyzed herein are ones that were proposed to secure RPL against RA. The goal is to present their performance in terms of the chosen performance metrics which will be discussed here as well.

A. Rank Attack (RA) (RQ1)
This attack aims at attracting network traffic to a specified node. Ul Hassan et al. [34] defined RA as an attack that occurs when the malicious node sends information of a lower range, to be closer than others to the root. This scenario will have a consequence that makes malicious nodes able to capture as much traffic as possible. Hashemi and Aliee [35] mentioned that RA is considered the most destructive attack among other types, this is because it intentionally aims at downgrading the network performance by tampering with the rank. By which a rank is decreased to make the malicious node closer to the www.ijacsa.thesai.org chosen parent, so a massive amount of passing packets through it may be manipulated.
RA workflow starts when a malicious node sends a fake rank through an RPL control message or advertises a fake route across the root node to mislead close nodes to make them transmit packets through it [36]. In other words, RA exposes ranks of child nodes in the RPL network topology, then modifies the way of processing DIO messages by neighboring nodes. The worst part will occur when a malicious node with a fake rank is chosen as the preferred parent node while operating, which will result in creating more traffic for data packets to go through the malicious node as un-optimized routing occurs due to network topology OF is not completely achieved as discussed [37].
Mishra and Pandya [38] added another scenario for rank attacks by which an attacker node advertises a better routing metric to other neighboring nodes although it's fake, it misleads network flow to be passing through it. Besides, this may lead to significant increasing latency and decreasing throughput in the network. Fig. 5 illustrates an example of RA.
RA may affect the network and causes several issues as discussed by Nandhini and Mehtre [39]: first, form an unoptimized route. The second is unrecognized loop formation. Third, RPL network topology never uses the optimized route. Fourth, the decreased packet delivery ratio affects the delay increase. Fifth, network topology changes rapidly causing DIO messages number to increase. Some network restricted resource properties would be affected such as energy consumption, throughput, latency, and data rate.
As a result, RPL security forms a major concern that should be considered and further investigated, especially when RA is the topic. This is because routed data shouldn't be accessed by a third party or attacker.

B. RPL Rank Attack (RA) Countermeasures (RQ2)
Many papers categorized countermeasures deployed to secure RPL against attacks, Raoof et al. [29] classified detection and mitigation mechanisms into Acknowledgmentbased which depends on sending and receiving acknowledgment messages to prevent any suspicious alteration, and Trust-based depending on the node to monitor neighboring nodes by rating them and consider a ratio to accept, Location-based considering physical location of nodes and Statistical/Mathematical-based by which a mathematical calculation is considered to detect attacks.
Further classification is presented by Verma and Ranga [37] added to the above mentioned, Intrusion Detection Systems (IDS) that consists of signature-based IDS, anomalybased IDS, and specification-based IDS. It is defined by [40] as, a complete system that may be deployed either in a standalone computer system or a network. Its main role is to monitor activities and analyze them to specify any incident which targets security policies integrity, availability, or confidentiality and report it as unauthorized or malicious activity.
Muzammal et al. [41] also mentioned IDS as a significant method that is used to mitigate attacks of RPL in addition to all previously stated ones. Besides many alterations to OF by combining various previously explained link and nodes metrics with adopting additional methods such as fuzzy logic.
Moreover, Tasneem and Wahid [42] classified proposed defense methods for RPL into reactive approaches that include cryptography-based, trust-based, and threshold-based methods, and proactive approaches which consist of time-based and energy-based methods. Finally, countermeasures proposed for RPL against RA were classified by Almusaylim et al. [17] into modification techniques by which some alterations may be applied to a certain component of RPL such as DODAG, OF, or ranking policies and IDS.

C. Performance Metrics (RQ3)
Various metrics were used for measuring the performance of the proposed methods. Yet, many studies like [7], [9], and [14] mentioned using node and link metrics discussed previously such as power consumption, ETX, and PDR. In addition, accuracy metrics including True Positive Rate (TPR), False Positive Rate (FPR), and Detection Rate (DR) were mentioned to be used as well, and below are their formulas as per [43]- [47]:  Detection Rate (DR): Refers to the ability of the model to rank patterns, and its ability to select a threshold in the ranking used to classify patterns as normal if above the threshold and abnormal if below. It is calculated using Equation 1 below: (1) where All = TPR + TNR + FPR + FNR  TPR: Also called sensitivity and it measures the truly predicted positive and were correctly identified. It is calculated as in Equation 3: Where FNR is calculated as follows: (3)  FPR: Refers to the probability of a False Alarm. That is, the percentage of actual abnormal flows predicted as normal flows and it is calculated as in Equation 4: Where TNR is calculated as follows:

D. Summary of Shortlisted Studies (RQ4)
This section discusses thoroughly found nine studies that proposed techniques to detect and mitigate RA targeting RPL and strictly meet the criteria defined in the SLR methodology section along with a summary presented in Table II. A Secure RPL Routing Protocol (SRPL-RP) for rank and version number attacks was proposed by Almusaylim et al. [48] in which a timestamp is added to ensure the legitimacy of sending nodes. A monitoring table is included through the process of constructing DODAG which collects all information about existing nodes. A blacklist and alert tables were added to simplify the procedures of mitigating and isolating both types of studied attacks. Several conditions were added to control the current rank of nodes and parent nodes to maintain a safe network. Simulations were conducted using the Cooja simulator and results showed that the proposed SRPL-RP had a higher PDR and a lower control message value compared to methods previously proposed in literature along with 95% accuracy in all kinds of tested network topologies.
Shafique et al. [49] proposed a novel sink-based IDS (SBIDS) by which a timespan is added to the DAO message for ensuring its freshness. Then several detection steps are followed to detect any violence in rank, especially a rule that compares node current rank (NCR) to node parent rank NPR. Simulations were conducted using the Cooja simulator and performance metrics were percentage of accuracy, TP, TN, FP, FN, and confidence interval (CI) under mobility conditions. Results showed that SBIDS had 100% detection accuracy under normal circumstances, yet it decreased with the number of nodes with mobility increased. Boudouaia et al. [50] proposed a security scheme that uses a rank property to choose a preferred parent in RPL topology, so any malicious behavior in terms of rank may be detected. Afterward, when the DIO message arrives two values will be calculated to indicate the minimum rank threshold and maximum rank threshold depending on the neighboring rank. As a result, nodes that do not match threshold criteria are blacklisted and the selection process will be held upon legitimate nodes only. Experiments were done using the cooja simulator, 4 scenarios, and performance evaluations were conducted in terms of successful detection rate, the average network hops, and the global energy consumption.
Another solution was proposed by Nair and BJ [51] in which both spatial correlation function (SCF) and Dijkstra's algorithm were applied to select the preferred parent nodes using proactive routing in terms of throughput and energy as selection parameters. For experiments, the NS-2 simulator was used, and performance evaluation was based on throughput and PDR.
An interesting study by Karmakar, Sengupta, and Bit [52] combined several methods to secure RPL against RA. First, the algorithm forming DODAG was modified to be able to detect RA during building and maintaining the topology. Second, two modules were added, distributed at all nodes, and centralized at the sink node. Third, the DAO control message was modified to lower overhead levels and a lightweight Message Authentication Code (HMAC-LOCHA) was used to verify exchanged message's integrity and authenticity. Cooja simulator was used to conduct experiments and multiple test case scenarios were applied. detection accuracy, false positive/negative rate, and energy consumption.
Zarzoor [53] proposed a security mechanism that relies on the layering principle. It consists of three main phases: first, nodes are categorized into layers. Second, calculate the trust value for the path. Third, detect and mitigate the RA. For implementation Cooja simulator was used and performance evaluation was conducted based on latency, nodes' energy consumption, and accuracy of malicious node detection.
A further three-phase mechanism called E2V was proposed by Stephen and Arockiam [54] which starts with rank calculation, substantiation, and elimination. Where the malicious node is detected at the substantiation phase by the defined IDS. Then, in the elimination phase, malicious nodes will be eliminated by either local repair or global repair. The Cooja simulator is used for implementation purposes and evaluation in terms of network parameters such as network convergence delay, energy consumption, and attacker identification delay.
Seth et al. [55] used round trip time (RTT) to detect verify and isolate malicious nodes from the network in RPL. Cooja simulator was used for implementation and performance was evaluated in terms of accuracy where the proposed scheme was found to be better than previous ones.
Althubaity, Gong, and Raymond [56] proposed a fully distributed specification-based IDS (FORCE). The type of node forms a significant issue for FORCE, yet it was designed so that every single node can analyze and receive control messages and in case of any attack detection an alert will be generated directly. Evaluation metrics used were detection rates and overheads incurred on the nodes' resources and experiments were conducted using the Cooja simulator.

V. DISCUSSION
The main goal of this part is to understand the obstacles and current research for detecting RA in RPL routing protocols, as well as several flaws that require more research. RPL routing protocols provide for more efficient use of smart devices, resources, and data routing. Because of the characteristics that distinguish this network from others, developing secure routing algorithms for IoT networks is a difficult task. Secure routing techniques for IoT devices have received a lot of attention in recent years. However, they all rely on traditional cryptographic operations, which deplete device resources and have a significant impact on the performance of limited IoT devices. They are vulnerable to a wide range of security threats. The absence of infrastructure, inconsistent links, resource limits, poor physical security, and changing topology of PRLs make them vulnerable to attacks and difficult to defend against.

A. Limitations
Based on reviewed studies it was found that current security features of RPL may be defined but not actually used either in real applications or in research as they are marked as optional features. This puts security as a significant concern of RPL especially since it's being deployed and used widely in IoT environments which are witnessing massive growth globally.
As RPL is vulnerable to several attacks, RA is one of the major attacks that were found to compromise RPL, yet a lower amount of research conducted to specifically target it. Also, these studies had several shortcomings which should be addressed to overcome their consequences.
As a result, it was found from this review: that first, most studies considered either selection or mitigation, but only a few of them investigated both schemes. Second, mainly one type of network topology was selected to test and measure the performance of the proposed scheme. Third, most research studies tend to evaluate their proposed schemes by taking small IoT Networks (<100 nodes) which are considered impractical because the impact of network size on both attacks and security mechanisms remains unknown. Fourth, many schemes encountered an increased number of control messages for acknowledgment purposes which may cause both complexities and increased overhead and are considered inefficient.

B. Comparison
Based on provided review and summery in Table II, it can be concluded that most chosen metrics for performance evaluation were DR and energy consumption as in [50], [52], [53] and [56]. As DR indicated to which extent the proposed mechanism was able to detect threats and energy consumption represented a measure of keeping devices resources available. IDS was chosen as a detection solution in three papers [49], [54] and [56], while the rest choose to modify the main protocol policies and add certain solutions to improve its www.ijacsa.thesai.org security measures. None of found studies tented to combine IDS with protocol policy improvements. Also, none of them included integration with other recently hot fields such as fuzzy logic as a solution.
Studies discussed securing RPL against RA were 5 conference papers to 4 journal papers within period 2017 to 2022, which means this kind of attacks require more powerful solutions are to be proposed in order to provide efficient solution.
Finally, experiments of all founded papers showed that the Cooja simulator usage is dominant in RPL studies where all of them implemented proposed solutions using it.

VI. CONCLUSION
This paper studied applied methods for RA detection in RPL thoroughly to address limitations in this field. An SLR was conducted to determine the required studies to be conducted for improving security measures deployed in this regard. Definitions of required terms starting from IoT, RPL architecture, and security attacks, to detection and mitigation techniques, are presented to help researchers have a brief explanation of them. Also, a summary of recent studies is presented. It was found that many of the currently applied mechanisms in literature have weak points, cryptographicbased methods may provide security, but it definitely consumes nodes' restricted resources. While trust-based may solve the resource restrictions, it may cause other issues regarding network performance such as latency. IDS, it's considered the most effective solution among all proposed ones, but it requires collaboration, and many aspects in this regard should be taken into consideration such as placement. Finally, a hybrid IDS is highly recommended as a solution for securing RPL as it is used by IoT and keeping it safe will definitely be reflected in the overall IoT environment.

VII. FUTURE WORK
Future research aims at extending this review to examine and build better detection and mitigation measures for RPL. This will primarily be addressing RPL rank vulnerabilities.