Detecting the RPL Version Number Attack in IoT Networks using Deep Learning Models

This research presents a novel approach for detecting the highly perilous RPL version number attack in IoT networks using deep learning models, specifically Long Short-Term Memory (LSTM) and Deep Neural Networks (DNN). The study employs the Cooja simulator to create a comprehensive dataset for simulating the attack. By training LSTM and DNN models on this dataset, intricate attack patterns are learned for effective detection. The urgency of this work is underscored by the critical need to bolster IoT network security. IoT networks have become increasingly integral in various domains, including healthcare, smart cities, and industrial automation. Any compromise in their security could result in severe consequences, including data breaches and potential harm. Traditional intrusion detection systems often struggle to counter advanced attacks like the RPL version number attack, which could lead to unauthorized access and disruption of essential services. Experimental results in this research showcase outstanding accuracy rates, surpassing traditional machine learning algorithms used in IoT network intrusion detection. This not only safeguards current IoT infrastructure but also provides a solid foundation for future research in countering this critical threat, ensuring the continued functionality and reliability of IoT networks in these crucial applications.


I. INTRODUCTION
The Internet of Things (IoT) refers to a network of physical and virtual objects and the associated services they provide [1]. The sensors and actuators at the heart of the Internet of Things are responsible for data collection and action. Bluetooth, Wi-Fi, LoRa, IEEE 802.15.4, etc. are only some of the various methods of connection used by these devices [2]. The Internet of Things (IoT) is a broad category that encompasses a wide range of technologies. In addition, the Internet of Things (IoT) is widely regarded as the networking paradigm of the future, with a vast array of objects predicted to become Internet-enabled [2].
Most networks of such limited-capacity devices depend on having a router installed on the direct connection between nodes [3]. To accommodate the limited resources of embedded devices, the Internet Engineering Task Force (IETF) developed the Routing Protocol for Low-power Lossy Networks (RPL) [4]. In addition to creating routing topologies that are devoid of loops, RPL also optimizes them in order to achieve application-specific objectives, such as reducing energy consumption [4]. Malicious nodes may pose a threat to the network by abusing the same capabilities that make RPL so adaptable [5].
The impacts of RPL version number attacks are examined in this article. Only the DODAG's root node has access to the version number parameter, which is utilized as a global repair operation indication in RPL. Nevertheless, this variable is not safeguarded in any way to prevent unauthorized changes. Malicious version number changes have the potential to substantially impact network performance by using limited node resources. The distinguishing features of this research include the following: the ability to analyze power consumption, packet delivery ratio, delay, and control packet overhead in relation to topology characteristics, and an artificial neural network (ANN) detection model, all necessary components of a realistic heterogeneous topology with both stationary and mobile nodes and node densities. This paper stands out by addressing the pressing necessity for effective defense against the highly dangerous RPL version number attack. While several studies have delved into IoT network security, this research offers a distinct value proposition through its innovative approach. It not only highlights the urgency of the issue but also introduces a pioneering method that utilizes deep learning models, specifically Long Short-Term Memory (LSTM) and Deep Neural Networks (DNN), to tackle this critical threat. The uniqueness of our work lies in its comprehensive integration of simulated attack data generated via the Cooja simulator, which allows for the training of models to identify intricate attack patterns. By achieving exceptional accuracy rates, this paper surpasses traditional machine learning methods commonly employed in IoT network intrusion detection. Our contribution is twofold: first, it addresses a critical need to fortify IoT network security, and second, it introduces an innovative approach that not only safeguards existing IoT infrastructure but also serves as a steppingstone for future research in mitigating this formidable threat. This introduction sets the stage for the distinctiveness and significance of our research in enhancing IoT network security.
The paper will proceed as indicated below. Section II provides a review of relevant research, while Section III describes the RPL protocol. Section IV describes the proposed solution in depth. Section V provides the experimental results analysis. Section VI concludes the paper.

II. RELATED WORKS
www.ijacsa.thesai.org
In [6], the authors addressed security issues in the Routing Protocol for Low Power and Lossy Networks (RPL) used in IoT devices. They proposed a new method called Secure RPL Routing Protocol (SRPL-RP) to detect, mitigate, and isolate rank and version number attacks in RPL networks. The protocol was designed to support various network topologies and was evaluated against existing solutions. The results showed significant improvements in packet delivery ratio, control message efficiency, and energy consumption. SRPL-RP achieved a high accuracy rate in detecting attacks.
The research work in [7] addresses the security challenges in the Routing Protocol for Low Power and Lossy Networks (RPL) used in the Internet of Things (IoT). Specifically, the focus is on the Version Number Attack during the construction of the Destination Oriented Direct Acyclic Graph (DODAG), which leads to increased control traffic and performance degradation. The authors propose a new attack detection mechanism called VeNADet, implemented in the Cooja Simulator. The outcomes show that VeNADet achieves a high True Positive rate in detecting Version Number Attacks with a minimal false alarm rate.
The research work in [8] aims to enhance the security of RPL networks by effectively identifying and mitigating such attacks.
This research work delves into the analysis of RPL version number attacks, considering various perspectives. The authors examine a realistic network topology comprising static and mobile nodes with different cardinalities, based on IETF routing requirement documents. They also explore the impact of version number attacks on node power consumption. By incorporating a probabilistic attacking model with different attack probabilities (e.g., 0, 0.3, 0.5, 0.7, 1), they assess the performance of the network. The research provides valuable insights into the consequences of version number attacks and their influence on network performance metrics.
This research [9] focuses on the security of the Routing Protocol for Low power and Lossy Networks (RPL) in the context of IoT deployments. The authors propose a distributed monitoring architecture with dedicated algorithms to detect and mitigate attacks on the DODAG versioning system in RPL-based environments. Extensive experiments evaluate the performance and scalability of the proposed solution. Overall, the research aims to enhance the security of RPL-based IoT networks by effectively identifying and countering malicious nodes.
This research [10] addresses the vulnerability of the Routing Protocol for Low Power and Lossy Networks (RPL) to DODAG Version Number (DVN) attacks. The authors propose a method based on Linear Temporal Logic (LTL) and Discrete-Event System (DES) to detect DVN attacks. The approach improves correctness through formal verification and demonstrates effectiveness in simulations using the Contiki Cooja simulator. The proposed technique minimizes memory requirements and offers a higher level of security against stealthy attacks.
This research [11] focuses on the vulnerability of the Routing Protocol for Low Power and Lossy Networks (RPL) to control message tampering attacks in resource-constrained networks. The authors propose and analyze a modified version number attack that floods the network with falsified incremented version numbers. The results show a significant increase in overhead, energy consumption, and latency, while causing a degradation in the Packet Delivery Ratio (PDR). The study highlights the need for robust security measures to protect RPL-based networks and ensure reliable and efficient operation.
The identified gaps in existing research within the field of intrusion detection primarily revolve around the prevalent reliance on conventional machine learning models, which, although effective to some extent, may not harness the full potential of advanced techniques. Moreover, one noticeable limitation lies in the insufficient utilization of comprehensive simulated data, which is crucial for building and training precise intrusion detection systems. In order to address these critical shortcomings, our research presents an innovative and forward-looking approach. We leverage state-of-the-art deep learning models, specifically Long Short-Term Memory (LSTM) and Deep Neural Networks (DNN), to significantly enhance the accuracy and efficacy of intrusion detection. Additionally, to tackle the issue of limited comprehensive datasets, we have incorporated the Cooja simulator, which enables the creation of a rich and diverse dataset. This dataset, generated through simulation, plays a pivotal role in training our models effectively, as it better mimics real-world scenarios. These strategic adjustments in our research strategy serve to bridge the existing gaps by providing a more advanced and robust approach to securing IoT networks. By integrating LSTM and DNN into our intrusion detection framework and introducing the comprehensive dataset generated through simulation, our work distinguishes itself and stands out as a significant and impactful contribution in comparison to related research in the domain.

III. RPL PROTOCOL
A. RPL Overview
Destination oriented directed acyclic graphs (DODAGs) are sequence topologies formed using RPL [12]. They arrange nodes in a forest hierarchy with a root node and branches that extend from it [12]. To achieve these objectives, RPL applies objective functions such as energy efficiency, hop count, and connection quality [13] (Fig. 1).
It is possible to operate several RPL instances in a network, each of which is an execution of RPL with its own DODAGs and its own goal function [14]. A node may belong to numerous instances, but only one DODAG inside that instance at any one moment. DODAG Information Solicitation (DIS), DODAG Information Object (DIO), and Destination Advertisement Object (DAO) are the control messages used to establish and update an RPL DODAG [14]. A node that wants to join a network will first forward DIS messages. Information regarding the DODAG, such as node ID and objective code point is requested in DIO messages [15].
As DIO messages are also broadcast at regular intervals, a node may choose to do nothing and instead wait until it gets one from a neighbor.
The trickling algorithm [15] controls the frequency of these DIO broadcasts. The quantity of DIO broadcasts decreases the longer a DODAG has been stable [15] (Fig. 2). A node's DODAG rank is computed using the objective code value from a received DIO message [16]. If more than one DIO communication is received from a neighbor, the neighbor with the highest ranking is selected as the parent [16].
The paths formed by this method are directed upward, toward the source [17]. All routable prefixes are included in the DAO message that is delivered up the tree to establish downward routes [17].
Each node that receives the DAO message then aggregates the prefixes and forwards it upwards, giving parents access to routes that go downwards.
Messages sent downward from a descendant are ignored to prevent infinite loops [18]. In addition, nodes may often only switch their parents if doing so would increase their rank [18]. Only during loop avoidance or when the root generates a new version is it permissible for the topology to change in a way that results in lower rankings [19].
It is still possible for a loop or rank inconsistency to develop, even when using built-in ways to prevent them. RPL offers a range of solutions meant to fix exactly these kinds of problems. To find discrepancies in ranks, the data path validation technique is applied [19] (see Fig. 3).

B. RPL Attacks
The RPL protocol is vulnerable to a wide range of security concerns [20]. Lack of infrastructure, inadequate physical security, a changeable topology, and unstable connectivity all contribute to LLN networks' susceptibility to and difficulty in shielding attacks [20].
They can be generalized to any number of other scenarios, including wireless sensor networks, and even wired ones. The RPL protocol specifies several techniques to improve its security. The RPL protocol is vulnerable to a wide range of routing attacks. We classify attacks that aim to deplete a network's resources (energy, memory, and power) as the first kind.
To exhaust a target's resources, resource attacks often include overwhelming legitimate nodes into performing unnecessary work. Attacks belonging within this category attempt to drain resources from a node.
Since this might cause congestion in the network's available connections [21], it may reduce the network's availability and, ultimately, its lifespan [21]. Two types of resource attacks are distinguished. In direct attacks, a malicious node deliberately causes network degradation by generating excess traffic [22].
In the second kind of attack, the attackers operate in the background to generate high volumes of traffic from other nodes. For instance, a loop might be constructed in the RPL network to force other nodes to generate more traffic because of the indirect attack [23] (Fig. 4).

C. Version Number Attack
The RPL network architecture is vulnerable to a version number attack, in which a malicious node fraudulently increases the root node's DODAG version number before forwarding the DIO message to its neighbors [24] (Fig. 5). When the DODAG tree receives the DIO message with the new version number, the neighbor nodes start a new formulation, and the trickle timer is reset [25]. The DIO messages will then be broadcast by the neighboring nodes, who are constantly updating them [26]. Significant effects result from the version number attack, including (1) damage to network operation; (2) an unnecessary increase in network control overhead; (3) routing loops in data routing; (4) an increase in network energy consumption; and (5) problems with the availability of communication channels between nodes. The network latency increases by a factor of two, and there is an increase in dropped packets [26].
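Because only the root may issue a new DODAG version, a capture that contains every node's DIOs can be checked for versions the root never advertised. The following Python code is an added example, not code from the paper; the `Dio` record, the addresses and the trace are constructed for illustration, and it assumes the root address is known and the 8-bit version counter does not wrap during the capture.

```python
from collections import namedtuple

# One observed DIO: capture time (s), sender address, DODAG ID, advertised version.
Dio = namedtuple("Dio", "t src dodag version")

def forged_versions(dios, root_of):
    """Return one finding per DODAG version that the root never advertised.

    root_of maps DODAG ID -> root address (assumed known to the monitor).
    The capture must include the root's own DIOs, as a simulator radio log does.
    """
    root_versions = {}  # dodag -> set of versions the root itself has advertised
    findings = {}       # (dodag, version) -> finding
    for d in sorted(dios, key=lambda x: x.t):
        if d.src == root_of.get(d.dodag):
            root_versions.setdefault(d.dodag, set()).add(d.version)
            continue
        seen = root_versions.get(d.dodag)
        if not seen:
            continue  # root not heard yet: nothing to compare against
        if d.version in seen:
            continue  # current or stale version that did originate at the root
        key = (d.dodag, d.version)
        if key not in findings:
            # First node to advertise the unknown version: suspected origin.
            findings[key] = {"dodag": d.dodag, "version": d.version,
                             "first_sender": d.src, "first_seen": d.t,
                             "rebroadcasters": set()}
        elif d.src != findings[key]["first_sender"]:
            # Neighbours that accepted the version and reset their trickle timers.
            findings[key]["rebroadcasters"].add(d.src)
    return sorted(findings.values(), key=lambda f: f["first_seen"])

# Constructed trace: a legitimate global repair (240 -> 241) followed by a
# version (242) that the root never issued.
ROOTS = {"fd00::1": "fe80::1"}
TRACE = [
    Dio(0.0,   "fe80::1", "fd00::1", 240),
    Dio(1.2,   "fe80::2", "fd00::1", 240),
    Dio(2.9,   "fe80::3", "fd00::1", 240),
    Dio(100.0, "fe80::1", "fd00::1", 241),  # root starts a global repair
    Dio(100.8, "fe80::2", "fd00::1", 241),
    Dio(101.5, "fe80::3", "fd00::1", 240),  # stale DIO, not yet updated
    Dio(102.0, "fe80::3", "fd00::1", 241),
    Dio(200.0, "fe80::5", "fd00::1", 242),  # never advertised by the root
    Dio(200.4, "fe80::2", "fd00::1", 242),
    Dio(200.9, "fe80::3", "fd00::1", 242),
    Dio(201.3, "fe80::5", "fd00::1", 242),
]

if __name__ == "__main__":
    for f in forged_versions(TRACE, ROOTS):
        print(f["first_seen"], f["first_sender"], f["version"],
              sorted(f["rebroadcasters"]))
```

The rebroadcaster set gives a quick measure of how far the unauthorized version spread before it was noticed.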
IV. PROPOSED DEEP LEARNING BASED SOLUTION

A. Machine and Deep Learning
Machine and deep learning are two rapidly growing fields of artificial intelligence that have the potential to revolutionize various industries [27]. Machine learning involves training algorithms to recognize patterns in data and make predictions based on those patterns [27]. This can be useful in a wide range of applications, from forecasting consumer behavior to identifying fraud in financial transactions and detecting cyberattacks [28][29][30][31].
Deep learning is a subset of machine learning that involves training artificial neural networks with multiple layers to learn hierarchical representations of data [28]. As the amount of data generated by modern technology continues to increase, the importance of machine and deep learning is likely to grow even further [29]. Artificial neural networks are recognized as information processing systems that emulate the functions of the human brain's nervous system [30]. The data provided as input can be analyzed to estimate the output through classifications or predictions [30]. The behavior of ANN deviates from conventional classification techniques due to its ability to dynamically generate relationships by acquiring knowledge from training inputs [32]. Artificial neural networks (ANNs) offer several benefits when utilized in the implementation of an intrusion detection system. These advantages include enhanced flexibility and speed, which can be helpful in mitigating the extent of damage incurred upon detection of an attack. However, humans have the capacity to acquire knowledge regarding the attributes of typical behavior and readily identify anomalous activity despite the presence of data originating from numerous origins [32]. Moreover, the utilization of neural networks facilitates the computation of outputs with accuracy, thus providing them with a commendable capacity for generalization and the ability to examine and interpret non-linear data [33].
Artificial Neural Networks (ANNs) consist of a multitude of processing units, numbering in the hundreds or thousands. These units are interconnected through unidirectional branches, with the aim of transforming a given set of inputs into a corresponding set of desired outputs [33] (refer to Fig. 6). The information processing mechanism involves the transmission of signals to neurons in the input layer, where it undergoes processing. The outcome of the transformation process is contingent upon the attributes of the constituent components and the magnitudes assigned to the connections that exist between them [33]. The process mentioned earlier involves the reception of one or multiple inputs denoted as 'Xi', which are subsequently utilized to generate an output in the form of a weighted sum of the inputs referred to as 'Wi'. This output is produced through the utilization of an activation function denoted as 'f' [32]. Eq. (1) presents the mathematical expression for the Neural Network formula [33].
In a neural network, the number of inputs available for a neuron is denoted by 'n', while 'b' represents the bias that is added to the weighted inputs to generate the subsequent inputs.
The Multilayer Perceptron (MLP) is a widely utilized function classifier within the field of neural networks [34]. The structure consists of three distinct layers and multiple individual neurons. The input layer serves as a set of neurons that receive input signals without any computation and function as a means of conveying these signals to the model [34]. The synapses weight (Wi) determines their weighting [34]. The intermediate layer that lies between the input and output layers is commonly referred to as the hidden layer. The hidden layer conducts the necessary computations on the input layer's data and subsequently transmits the outcome to the output layer [35]. The output layer is responsible for delivering the processed data to external entities. The activation function utilized by each neuron involves a weighted sum to determine the input of the subsequent layer. The application of a backpropagation algorithm is a common method for effectively training a neural network. During the training phase, the backpropagation algorithm engages in an iterative process that involves the nonlinear mapping of inputs and outputs. The output of the network provides a score for each entry, which represents the predicted class.

B. Solution Description
Our proposed approach in Fig. 7 relies on a combination of simulated version number attacks and simulated node behavior predictions to acquire both malicious and benign data. Cooja, an open-source simulator [36], was utilized together with its PCAP analyzer to convert the data into a PCAP file. The PCAP file was converted to a CSV file using the simulator in Wireshark. Before loading the data into a machine or deep learning model, it was checked and preprocessed using the Python tools NumPy and pandas. When the data has been coded, labeled, and split into training and testing sets, it is input to neural network-based models for identifying version number attacks. We'll examine these levels in further depth in the next sections.
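One way to carry out the preprocessing step described above, as an added example that is not the authors' code: it buckets a packet-list CSV into fixed time windows, counts RPL control messages per window, labels windows by a known attack start time, and builds scaled sequences for an LSTM with the scaler fitted on the training windows only. The column names, the 10-second window, the labelling rule and the sample rows are assumptions, and the standard library stands in for NumPy and pandas so the block runs without dependencies.

```python
import csv
import io

# Constructed rows in the shape of a packet-list CSV export (hypothetical columns).
SAMPLE_CSV = """\
time,src,type,version
0.5,fe80::1,DIO,240
3.0,fe80::2,DIO,240
7.0,fe80::3,DAO,
12.0,fe80::2,DIO,240
18.0,fe80::4,DAO,
25.0,fe80::3,DIO,240
31.0,fe80::5,DIO,241
31.4,fe80::2,DIO,241
31.9,fe80::3,DIO,241
33.0,fe80::4,DIO,241
36.0,fe80::2,DAO,
41.0,fe80::5,DIO,242
41.3,fe80::2,DIO,242
41.8,fe80::3,DIO,241
42.2,fe80::3,DIO,242
44.0,fe80::4,DIO,242
52.0,fe80::5,DIO,243
52.5,fe80::2,DIO,243
53.1,fe80::4,DIO,243
"""

def window_features(csv_text, width):
    """Per fixed-width time window: [DIO count, DAO count, versions first seen]."""
    rows = sorted(csv.DictReader(io.StringIO(csv_text)),
                  key=lambda r: float(r["time"]))
    n = int(float(rows[-1]["time"]) // width) + 1
    feats = [[0, 0, 0] for _ in range(n)]
    known_versions = set()
    for r in rows:
        w = int(float(r["time"]) // width)
        if r["type"] == "DIO":
            feats[w][0] += 1  # DIO bursts follow every trickle-timer reset
            if r["version"] not in known_versions:
                known_versions.add(r["version"])
                feats[w][2] += 1
        elif r["type"] == "DAO":
            feats[w][1] += 1
    return feats

def label_windows(n, width, attack_start):
    """1 for windows that end after the known attack start time, else 0."""
    return [1 if (i + 1) * width > attack_start else 0 for i in range(n)]

def fit_minmax(train):
    cols = list(zip(*train))
    return [min(c) for c in cols], [max(c) for c in cols]

def scale(feats, lo, hi):
    # A constant training column has zero range; divide by 1 instead.
    return [[(v - l) / ((h - l) or 1) for v, l, h in zip(row, lo, hi)]
            for row in feats]

def sequences(feats, labels, steps):
    """Sliding windows for an LSTM: X[i] holds `steps` rows, y[i] the last row's label."""
    count = len(feats) - steps + 1
    X = [feats[i:i + steps] for i in range(count)]
    y = [labels[i + steps - 1] for i in range(count)]
    return X, y

def prepare(csv_text, width=10.0, attack_start=30.0, train_windows=4, steps=2):
    feats = window_features(csv_text, width)
    labels = label_windows(len(feats), width, attack_start)
    # Fit the scaler on training windows only so test statistics do not leak.
    lo, hi = fit_minmax(feats[:train_windows])
    feats = scale(feats, lo, hi)
    # Split before building sequences so no window appears in both sets.
    train = sequences(feats[:train_windows], labels[:train_windows], steps)
    test = sequences(feats[train_windows:], labels[train_windows:], steps)
    return train, test

if __name__ == "__main__":
    (X_train, y_train), (X_test, y_test) = prepare(SAMPLE_CSV)
    print(len(X_train), y_train, len(X_test), y_test)
```

A dense network can take each window's feature row directly, while the sequences returned here have the samples by timesteps by features layout an LSTM expects.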

C. Simulations and Analysis
1) Normal simulation phase:
The information gathered in this phase will be used to train our machine and deep learning models for detection in later stages. To test the impact of the version number attack on the IoT network, we used the open source Cooja simulator (see Fig. 8). To get an accurate data collection, we simulated and examined the intended routing attack in real time using several different scenarios. We created a packet capture file, or .PCAP file, at the end of the simulation, which will be converted to a .CSV file by the widely used traffic analyzer Wireshark.
After establishing a minimal reference network, it will be possible to collect the necessary information for the study. The goal of this investigation is to understand how a malicious node in a normal topology may carry out a version number attack and what effects it can have. The data presented in Fig. 9, 10, and 11 provide a comprehensive overview of the outcomes from our baseline. As can be seen in the graph in Fig. 11, both the radio listening and radio transmitting consumption are stable; the rates are those of regular simulations. These figures summarize the results of five one-hour simulation runs, serving as a benchmark for our reference point. Fig. 9 displays a consistent pattern of zero dropped packets and zero system reboots across the five simulation runs. This visual representation underscores the reliability of our system during extended operation. Fig. 10 depicts the average power consumption of approximately 1.074 milliwatts (mW) across all nodes. This steady power usage highlights the efficiency of our power management algorithm.
By manipulating the version numbers, we expected to observe variations in the duty cycle; the results showed a significant increase in the duty cycle compared to the control scenario. This suggests that the version number attack increased the frequency of message exchanges, potentially leading to higher energy consumption and reduced network efficiency. Fig. 12 shows a higher average radio consumption. The average power consumption graph in Fig. 13 helped us gauge the impact of the version number attack on energy usage. Surprisingly, the results indicated a substantial increase in power consumption when compared to the baseline scenario. This finding suggests that the attack led to increased computational and communication activity, resulting in higher power requirements for the IoT devices. The lost packets graph in Fig. 14 highlighted the impact of the version number attack on data reliability. In this case, we observed the loss of four packets during the simulation. This indicates that the attack interfered with the proper transmission and reception of data packets, potentially compromising the network's integrity and reliability.

A. DNN Model
The results of our study demonstrate the effectiveness of utilizing a deep neural network (DNN) model for detecting RPL version number attacks. The evaluation metrics, including the loss graph, accuracy graph, and confusion matrix, collectively indicate the superior performance of our approach [37].
The accuracy graph in Fig. 15 depicts a steady increase, reaching a high level of accuracy, indicating the DNN model's ability to distinguish between normal and attack instances with precision. The loss graph in Fig. 16 showcases the gradual decline in the model's loss function over the training iterations, signifying successful convergence and effective learning. Additionally, the DNN confusion matrix in Fig. 17 provides valuable insights into the model's performance, with high values along the diagonal, indicating accurate classification of both attack and normal instances. These results highlight the robustness and efficacy of our proposed approach in accurately detecting RPL version number attacks, underscoring its potential as a valuable tool in enhancing network security.

B. LSTM Model
For the LSTM model also, the outcomes of our investigation demonstrate the efficacy of employing an LSTM (Long Short-Term Memory) model for the detection of RPL version number attacks.
Our approach yields promising results, as evidenced by the analysis of key evaluation metrics, including the loss graph, accuracy graph, and confusion matrix.
The LSTM accuracy graph in Fig. 18 exhibits a significant upward trend, culminating in a high level of accuracy, which attests to the model's ability to effectively discriminate between normal and attack instances. Moreover, the LSTM confusion matrix in Fig. 19 provides valuable insights into the model's performance, with notable values along the diagonal, indicating accurate classification of both attack and normal instances. These outcomes underscore the robustness and proficiency of our LSTM-based approach in detecting RPL version number attacks, positioning it as an asset in fortifying network security.

C. Comparison of Results
Our research endeavors involved an extensive commitment of time and computational resources towards the training of deep learning models, particularly the Long Short-Term Memory (LSTM) and Deep Neural Network (DNN). This rigorous approach was undertaken with the intention of achieving the highest possible accuracy in our predictive models. The efforts bore fruit, as our LSTM model achieved an impressive accuracy score of 0.963605, while the DNN model was not far behind, with an accuracy of 0.963106. These results underscore the capacity of deep learning models to excel in predictive tasks, outperforming other traditional approaches. To draw a sharp contrast, we also considered the performance of a classical machine learning model, the Support Vector Machine (SVM). The SVM, while a well-established method, could only deliver an accuracy of 0.924119 in our experiments. This clear difference in accuracy metrics emphasizes the advantage of adopting deep learning models for the specific task at hand. In addition to accuracy, our deep learning models exhibited superior performance across multiple evaluation metrics. These included R square, Root Mean Squared Error (RMSE), Mean Squared Error (MSE), and Mean Absolute Error (MAE). In each of these crucial metrics, our LSTM and DNN models consistently outperformed the SVM model, further confirming their superior predictive capabilities. For a visual representation of these findings, please consult Fig. 20 within this paper. Fig. 21 serves as a visual confirmation of the numerical results presented, offering a graphical depiction of the performance disparities among the models. This comprehensive analysis serves to highlight the tangible advantages of embracing deep learning techniques, showcasing their ability to not only achieve superior accuracy but also to excel across a range of critical evaluation criteria, making them a pivotal component of our research's success. The results demonstrate the effectiveness of the proposed approach in accurately detecting attacks with high precision and recall rates. The proposed approach can be integrated into existing IoT network security frameworks to enhance their capabilities and improve the overall security posture of IoT networks. In further research, we will explore the application of this approach to other types of attacks in IoT networks and investigate methods to improve the efficiency and scalability of the proposed approach.

Fig. 6 illustrates a standard model of a neural network.

Fig. 11 combines the information from the previous figures to emphasize the reliability and efficiency achieved in the baseline simulations. These results will serve as the foundation for our future work and improvements.

Fig. 11. Radio consumption graph during normal simulation. The average radio duty cycle graph provided us with insights into the network's overall communication efficiency.

Fig. 18. LSTM accuracy convergence graph. The LSTM loss graph in Fig. 18 illustrates the steady decrease in the model's loss function throughout the training process, indicating the successful learning and convergence of the LSTM model.

Fig. 21. Comparative performance of LSTM, DNN, and SVM models in accuracy and evaluation metrics.

VI. CONCLUSION
In conclusion, the detection of RPL version number attacks in IoT networks is critical to ensuring the security and integrity of the network. Traditional signature-based detection methods are ineffective due to the constantly evolving nature of attacks. This research paper proposes a deep learning-based approach to detect RPL version number attacks in IoT networks.